I've read through the Air Marshall documentation and several posts on the subject.
I'm trying to understand the identification and deauthentication process of Air Marshall better as it relates to my environment.
Questions, in my Meraki environment:
1. Would a personal Mi-Fi or cell phone Hotspot service be identified as a Rogue AP/SSID?
2. If I sublet space within my Meraki environment and the leasee of that space setup their own AP/SSID for their business, would my Air Marshall identify their AP/SSID as Rogue?
3. If the networks were identified as Rogue, at what point or how long would Air Marshall take to start sending deauthentication packets the the clients on those networks?
4. Once deauthenticated, would the clients permanently stay deauthenticated from that SSID/AP? If not, how long before they could reconnect?
5. Would new clients entering the area be allowed to attached to the Rogue AP/SSID or would they immediately be sent deauthentication packets?
From what I read, Air Marshalling could have unintended consequences if not carefully managed (whitelisting/alarming) - correct?
Thanks,
Gil
Solved! Go to solution.
No, it's not a good practice, this will end up taking up air time and can generate performance problems, the ideal is to keep monitoring and sending alerts so that you can evaluate and contain it if necessary until you discover the source of the "problem".
In short, any access points that are not part of your Meraki infrastructure will be identified as a Rogue AP, but no action will be taken unless you say what you want to do.
So an infrastructure that is not part of your environment can coexist even with Air marshal enabled.
Take a look at this.
https://meraki.cisco.com/blog/2017/09/rogue-access-point/
Warning: Care should be taken when configuring SSID block list policies as these policies will apply to SSIDs seen on the LAN as well as off of the LAN from neighboring WiFi deployments. Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potential disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment.
Review the section Overview of Air Marshal Containment to understand how the APs may block the configured SSIDs.
By default the clients are allowed to connect on the rogue SSID.
If Block is enabled, how long does it take for the Meraki network to start sending deauthentication packets to the clients?
There is no information about this, when enabled a scan of your network starts, so it is something that can vary, it is not an exact science.
All necessary information is in the documentation. If you need more information, I suggest opening a support case.
Just to reinforce, you should not use this deliberately, this is a tool to help detect possible malicious rogues on your network, so the recommendation is that as soon as the source of the rogue is identified, you contain it and remove the rogue immediately.
So an always on Block status is not good? Is the idea to turn it on and scan for Rogues then to Block back off?
No, it's not a good practice, this will end up taking up air time and can generate performance problems, the ideal is to keep monitoring and sending alerts so that you can evaluate and contain it if necessary until you discover the source of the "problem".
thank you!