Rogue AP/SSID Identification and Deauthentication - Air Marshall

Solved

gcarmich

I've read through the Air Marshal documentation and several posts on the subject.

I'm trying to understand the identification and deauthentication process of Air Marshal better as it relates to my environment.

Questions, in my Meraki environment:

1. Would a personal Mi-Fi or cell phone hotspot service be identified as a Rogue AP/SSID?

2. If I sublet space within my Meraki environment and the lessee of that space set up their own AP/SSID for their business, would my Air Marshal identify their AP/SSID as Rogue?

3. If the networks were identified as Rogue, at what point or how long would Air Marshal take to start sending deauthentication packets to the clients on those networks?

4. Once deauthenticated, would the clients permanently stay deauthenticated from that SSID/AP? If not, how long before they could reconnect?

5. Would new clients entering the area be allowed to attach to the Rogue AP/SSID, or would they immediately be sent deauthentication packets?

From what I read, Air Marshalling could have unintended consequences if not carefully managed (whitelisting/alarming) - correct?

Thanks,
Gil


alemabrahao

In short, any access points that are not part of your Meraki infrastructure will be identified as a Rogue AP, but no action will be taken unless you say what you want to do.

So an infrastructure that is not part of your environment can coexist even with Air Marshal enabled.

Take a look at this.

https://meraki.cisco.com/blog/2017/09/rogue-access-point/

Warning: Care should be taken when configuring SSID block list policies as these policies will apply to SSIDs seen on the LAN as well as off of the LAN from neighboring WiFi deployments. Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potentially disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment.

Review the section Overview of Air Marshal Containment to understand how the APs may block the configured SSIDs.

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Overview_of_Air_Marshal_Con...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
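The reply above makes two points a defender can turn into a triage rule: every non-Meraki AP shows up as a rogue, and the documentation's warning says to contain only a device that is actually inside your network. The script below is an added example (not from this thread, not Meraki's own code) that classifies Air Marshal detections into "ignore" (allow-listed tenant SSIDs), "alert" (seen only over the air, treated as a neighbor), and "alert+contain-candidate" (also seen on the wired LAN), instead of enabling a blanket Block policy. The record layout (ssid, bssids, wiredMacs, wiredVlans) is assumed to match what the Dashboard API's GET /networks/{networkId}/wireless/airMarshal endpoint returns; the sample records and the allow-list are constructed for the example.

```python
"""Triage Air Marshal rogue detections: alert on everything, but only
recommend containment for rogues confirmed on the wired LAN."""
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed: SSIDs that a known sub-tenant runs and that should not be
# treated as hostile (the "sublet space" case from the question).
ALLOW_LIST = {"Tenant-Suite200"}

# Constructed sample in the (assumed) shape of the Air Marshal API response.
SAMPLE_DETECTIONS = [
    {   # Seen only over the air: most likely a neighbor or a phone hotspot.
        "ssid": "CoffeeShop-Guest",
        "bssids": [{"bssid": "aa:bb:cc:00:00:01", "detectedBy": [{"device": "MR-lobby", "rssi": 22}]}],
        "channels": [6], "wiredMacs": [], "wiredVlans": [],
    },
    {   # Also seen on the wired side: plugged into our LAN, the real risk.
        "ssid": "Free-Corp-WiFi",
        "bssids": [{"bssid": "de:ad:be:ef:00:02", "detectedBy": [{"device": "MR-floor2", "rssi": 41}]},
                   {"bssid": "de:ad:be:ef:00:03", "detectedBy": [{"device": "MR-floor3", "rssi": 30}]}],
        "channels": [1, 11], "wiredMacs": ["de:ad:be:ef:00:02"], "wiredVlans": [10],
    },
    {   # Known tenant network: allow-listed so it never raises an alert.
        "ssid": "Tenant-Suite200",
        "bssids": [{"bssid": "11:22:33:44:55:66", "detectedBy": [{"device": "MR-lobby", "rssi": 35}]}],
        "channels": [36], "wiredMacs": [], "wiredVlans": [],
    },
]


@dataclass
class Verdict:
    ssid: str
    bssid_count: int
    on_lan: bool
    action: str  # "ignore" | "alert" | "alert+contain-candidate"


def triage(detections: Iterable[dict], allow_list=ALLOW_LIST) -> List[Verdict]:
    """Classify each detection. Containment is only suggested when the
    rogue's MAC was also observed on our wired network (wiredMacs non-empty),
    mirroring the documentation's 'ensure the rogue is within your network'."""
    verdicts = []
    for d in detections:
        ssid = d.get("ssid") or "<hidden>"
        on_lan = bool(d.get("wiredMacs"))
        if ssid in allow_list:
            action = "ignore"
        elif on_lan:
            action = "alert+contain-candidate"
        else:
            action = "alert"
        verdicts.append(Verdict(ssid, len(d.get("bssids", [])), on_lan, action))
    return verdicts


def summarize(verdicts: Iterable[Verdict]) -> Dict[str, int]:
    """Count verdicts per action, handy for a daily digest."""
    counts: Dict[str, int] = {}
    for v in verdicts:
        counts[v.action] = counts.get(v.action, 0) + 1
    return counts


def fetch_detections(network_id: str, timespan_s: int = 3600) -> list:
    """Fetch live detections. Endpoint path and the X-Cisco-Meraki-API-Key
    header are assumptions about the Dashboard API, not taken from the thread."""
    url = f"https://api.meraki.com/api/v1/networks/{network_id}/wireless/airMarshal?timespan={timespan_s}"
    req = urllib.request.Request(url, headers={"X-Cisco-Meraki-API-Key": os.environ["MERAKI_API_KEY"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_detections() for live data.
    results = triage(SAMPLE_DETECTIONS)
    for v in results:
        print(f"{v.action:24} ssid={v.ssid!r} bssids={v.bssid_count} on_lan={v.on_lan}")
    print(summarize(results))
```

Running the block on the constructed sample flags only "Free-Corp-WiFi" as a containment candidate, alerts on the off-LAN "CoffeeShop-Guest" without touching it, and ignores the tenant SSID; that keeps the human decision the reply recommends while avoiding the airtime cost of an always-on Block policy.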

By default the clients are allowed to connect on the rogue SSID.

[attached screenshot: IMG_20231029_105249.jpg]


If Block is enabled, how long does it take for the Meraki network to start sending deauthentication packets to the clients?

There is no information about this; when enabled, a scan of your network starts, so it is something that can vary. It is not an exact science.

 

All necessary information is in the documentation. If you need more information, I suggest opening a support case.


Just to reinforce: you should not use this deliberately. This is a tool to help detect possible malicious rogues on your network, so the recommendation is that, as soon as the source of the rogue is identified, you contain it and remove the rogue immediately.


So an always-on Block status is not good? Is the idea to turn it on and scan for Rogues, then turn Block back off?

No, it's not a good practice; this will end up taking up air time and can generate performance problems. The ideal is to keep monitoring and sending alerts so that you can evaluate and contain it if necessary until you discover the source of the "problem".


Thank you!
