Rogue SSID issues

macontech
New here

Last week, all of a sudden, I'm starting to see teacher laptops show up under Rogue SSID contained, all starting with "direct", with the "seen on LAN" message. I am whitelisting them as they come in but wonder why this started happening. Happening with the old and new firmware. No block rules in place, and they are on wireless only, no wired connection also in use.

I ran across an old thread mentioning screen mirroring and false positives. Most machines do run Air Server to project their iPads through the laptop and then the projector. I can troubleshoot that by disabling Air Server on a few machines with the issue, but we still need to use it. What seems to be happening is that when it is captured by Air Marshal, it deauthenticates the user and makes them log back into our WiFi.

Any ideas or suggestions? Thanks.

alemabrahao
Kind of a big deal

How is Air Marshal configured?
 
First we need to have an idea of how it is configured to be able to analyze it.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
macontech
New here

Block clients from connecting to rogue SSIDs by default

Nothing in the blocklist, do have items whitelisted

alemabrahao
Kind of a big deal

Care should be taken when configuring SSID block list policies as these policies will apply to SSIDs seen on the LAN as well as off of the LAN from neighboring WiFi deployments. Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potentially disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment.
Review the section Overview of Air Marshal Containment to understand how the APs may block the configured SSIDs.


In your place, I would not configure it to block by default, but rather create rules to block in specific cases, such as if they are using the same SSID name as yours.
 
Even this way you can cause problems for your neighbors connecting to their network.
 
Never use block by default.
macontech
New here

I don't have anything in the block list, no block rules. Not containing anything.

alemabrahao
Kind of a big deal

You said it's blocking by default, change it to allow to see if the problem continues.

macontech
New here

I've done that, but I don't want to leave it that way. I would like to use Air Marshal. Even Meraki documentation says using that option gives you a more secure network when set to block. I want to know why it's all of a sudden containing teacher laptops? Never has in the past. They don't have an SSID that can be spoofed. I am assuming it's because they are broadcasting Air Server connections. But that has never been an issue either until now.

alemabrahao
Kind of a big deal

As I informed you.
 
In your place, I would not configure it to block by default, but rather create rules to block in specific cases, such as if they are using the same SSID name as yours.
 
Even this way you can cause problems for your neighbors connecting to their network.
 
Never use block by default.
alemabrahao
Kind of a big deal

Here is an example:

[screenshot: alemabrahao_0-1699894796038.png, an Air Marshal block rule; image not reproduced]

macontech
New here

Why is Meraki saying different? It's literally on the Air Marshal page

 

"Your Meraki access points will block clients from connecting to all rogue SSIDs by default. This setting is appropriate when you have all Meraki access points at your site and is better for security. You can allow connections to individual SSIDs by using the Allow list below."

 

I am all Meraki other than two APs we use for other stuff, and they are whitelisted.

alemabrahao
Kind of a big deal

Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potentially disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment.

 

But you can do whatever you want, my advice is still: don't do it.

macontech
New here

You aren't reading my posts, you are just copying and pasting stuff.

Why are my teacher machines all of a sudden being caught by Air Marshal? That's what we need to fix.
alemabrahao
Kind of a big deal

Yes, I read it, and I'm emphasizing not to block it by default, what the documentation says is not always absolute.
 
I'm speaking from experience that it's not a good idea to block everything by default, but rather to create blocking policies as mentioned.
macontech
New here

This setting is appropriate when you have all Meraki access points at your site and is better for security. 

 

So Meraki is wrong with this statement?

alemabrahao
Kind of a big deal

It's neither right nor wrong. I just think you shouldn't blindly trust everything you read in the documentation.
Air Marshal is an excellent tool, but sometimes it can have unexpected behaviors, hence my suggestion to create specific rules.

PhilipDAth
Kind of a big deal

An SSID with "direct" in its name is related to screen sharing and WiFi Direct.

More than likely some kind of driver has been updated which has added or enabled this functionality.

I've not looked into WiFi Direct and whether it is a secure protocol or not. If Air Marshal is able to identify it as a rogue, then it is probably not secure.
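To make the distinction in this thread concrete, here is an added Python example (not from any poster, and not Meraki code) that sorts constructed rogue-SSID detections the way a targeted policy would instead of a block-by-default one: SSIDs following the Wi-Fi Direct naming convention ("DIRECT-xy" or "DIRECT-xy-name", matched case-insensitively since the thread sees lowercase "direct") become allow-list candidates, an SSID that reuses one of your own names from a radio you do not own becomes a block rule, and everything else is left alone. The record fields, SSIDs and MAC addresses are constructed assumptions, not real Air Marshal output.

```python
import re
from dataclasses import dataclass

# Wi-Fi Direct (Wi-Fi P2P) group owners advertise an SSID of the form
# "DIRECT-xy" or "DIRECT-xy-<device name>", where xy are two random characters.
WIFI_DIRECT_RE = re.compile(r"^DIRECT-[0-9A-Za-z]{2}(?:-.*)?$", re.IGNORECASE)


@dataclass(frozen=True)
class RogueEntry:
    ssid: str
    bssid: str         # MAC of the radio that advertised the SSID (assumed field)
    seen_on_lan: bool  # Air Marshal's "seen on LAN" flag (assumed field)


def normalize(ssid: str) -> str:
    return ssid.strip().casefold()


def classify(entry: RogueEntry, own_ssids, own_bssids) -> str:
    """Return the action a targeted (non-default) policy would take:
    'block'  - our SSID name from a radio we do not own (spoof)
    'allow'  - Wi-Fi Direct group owner (screen mirroring laptop), allow-list it
    'ignore' - anything else is left alone rather than contained by default"""
    if entry.bssid.lower() in {b.lower() for b in own_bssids}:
        return "ignore"  # our own AP, or one already on the allow list
    if normalize(entry.ssid) in {normalize(s) for s in own_ssids}:
        return "block"
    if WIFI_DIRECT_RE.match(entry.ssid):
        return "allow"
    return "ignore"


def build_policy(entries, own_ssids, own_bssids):
    """Group detections into the allow/block lists an admin would enter by hand."""
    policy = {"allow": set(), "block": set(), "ignore": set()}
    for e in entries:
        policy[classify(e, own_ssids, own_bssids)].add(e.ssid)
    return {k: sorted(v) for k, v in policy.items()}


# Constructed sample detections; names and MACs are made up for this example.
SAMPLE = [
    RogueEntry("DIRECT-a7-Teacher-Laptop-12", "02:11:22:33:44:55", True),
    RogueEntry("DIRECT-Q2", "02:66:77:88:99:aa", True),
    RogueEntry("School-WiFi", "00:de:ad:be:ef:01", False),  # our name, not our radio
    RogueEntry("Neighbor-Guest", "00:aa:bb:cc:dd:ee", False),
    RogueEntry("School-WiFi", "00:c0:ff:ee:00:01", False),  # allow-listed non-Meraki AP
]
OWN_SSIDS = ["School-WiFi", "School-Staff"]
OWN_BSSIDS = ["00:c0:ff:ee:00:01", "00:c0:ff:ee:00:02"]

if __name__ == "__main__":
    for action, ssids in build_policy(SAMPLE, OWN_SSIDS, OWN_BSSIDS).items():
        print(f"{action:6}: {ssids}")
```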
