I've read through the Air Marshall documentation and several posts on the subject.
I'm trying to understand the identification and deauthentication process of Air Marshall better as it relates to my environment.
Questions, in my Meraki environment:
1. Would a personal Mi-Fi or cell phone Hotspot service be identified as a Rogue AP/SSID?
2. If I sublet space within my Meraki environment and the leasee of that space setup their own AP/SSID for their business, would my Air Marshall identify their AP/SSID as Rogue?
3. If the networks were identified as Rogue, at what point or how long would Air Marshall take to start sending deauthentication packets the the clients on those networks?
4. Once deauthenticated, would the clients permanently stay deauthenticated from that SSID/AP? If not, how long before they could reconnect?
5. Would new clients entering the area be allowed to attached to the Rogue AP/SSID or would they immediately be sent deauthentication packets?
From what I read, Air Marshalling could have unintended consequences if not carefully managed (whitelisting/alarming) - correct?
Thanks,
Gil