Rogue AP/SSID Identification and Deauthentication - Air Marshall

Solved
gcarmich
Getting noticed

Rogue AP/SSID Identification and Deauthentication - Air Marshall

I've read through the Air Marshall documentation and several posts on the subject.  

 

I'm trying to understand the identification and deauthentication process of Air Marshall better as it relates to my environment.

 

Questions, in my Meraki environment:

 

1. Would a personal Mi-Fi or cell phone Hotspot service be identified as a Rogue AP/SSID?

 

2. If I sublet space within my Meraki environment and the leasee of that space setup their own AP/SSID for their business, would my Air Marshall identify their AP/SSID as Rogue?

 

3. If the networks were identified as Rogue, at what point or how long would Air Marshall take to start sending deauthentication packets the the clients on those networks?

 

4. Once deauthenticated, would the clients permanently stay deauthenticated from that SSID/AP?  If not, how long before they could reconnect?

 

5. Would new clients entering the area be allowed to attached to the Rogue AP/SSID or would they immediately be sent deauthentication packets?

 

From what I read, Air Marshalling could have unintended consequences if not carefully managed (whitelisting/alarming) - correct?

 

Thanks,
Gil

 

 

 

 

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

No, it's not a good practice, this will end up taking up air time and can generate performance problems, the ideal is to keep monitoring and sending alerts so that you can evaluate and contain it if necessary until you discover the source of the "problem".

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal

In short, any access points that are not part of your Meraki infrastructure will be identified as a Rogue AP, but no action will be taken unless you say what you want to do.

 

So an infrastructure that is not part of your environment can coexist even with Air marshal enabled.

 

Take a look at this.

 

https://meraki.cisco.com/blog/2017/09/rogue-access-point/

 

Warning: Care should be taken when configuring SSID block list policies as these policies will apply to SSIDs seen on the LAN as well as off of the LAN from neighboring WiFi deployments. Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potential disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment. 

Review the section Overview of Air Marshal Containment to understand how the APs may block the configured SSIDs.

 

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Overview_of_Air_Marshal_Con...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

By default  the clients are allowed to connect on the rogue SSID.

 

IMG_20231029_105249.jpg

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
gcarmich
Getting noticed

If Block is enabled, how long does it take for the Meraki network to start sending deauthentication packets to the clients?

alemabrahao
Kind of a big deal
Kind of a big deal

There is no information about this, when enabled a scan of your network starts, so it is something that can vary, it is not an exact science.

 

All necessary information is in the documentation. If you need more information, I suggest opening a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

Just to reinforce, you should not use this deliberately, this is a tool to help detect possible malicious rogues on your network, so the recommendation is that as soon as the source of the rogue is identified, you contain it and remove the rogue immediately.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
gcarmich
Getting noticed

So an always on Block status is not good?  Is the idea to turn it on and scan for Rogues then to Block back off?

alemabrahao
Kind of a big deal
Kind of a big deal

No, it's not a good practice, this will end up taking up air time and can generate performance problems, the ideal is to keep monitoring and sending alerts so that you can evaluate and contain it if necessary until you discover the source of the "problem".

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
gcarmich
Getting noticed

thank you!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels