Hi Alemabrahao,

thanks for the link, but this document is exactly what causes confusion. Meraki does specify "rogue SSID" as every SSID, that is not being broadcasted by itself. So if I select "Block clients from connecting to rogue SSIDs by default", Meraki clients will not be able to connect to our Conf Room System. Should I then add a whitelisting for this particular SSID? And how can an access point forbid a client to connect to other SSIDs (if that is the purpose of "blocking")? Isn't it an autonomous decision by every client, which SSID to connect to?

Thanks again and regards,

Stefano

In fact this is a resource that should be used if in fact there is someone who wants to do some kind of spoofing or DDOS, otherwise you can respond legally.

Warning: Care should be taken when configuring SSID block list policies as these policies will apply to SSIDs seen on the LAN as well as off of the LAN from neighboring WiFi deployments. Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potential disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment. 
Review the section Overview of Air Marshal Containment to understand how the APs may block the configured SSIDs.

Hello,

sorry, I still have difficulties in understanding. I still don't know who blocks which device *when* blocking is used.

1. Why would a block list apply to SSID that are seen "on the LAN"? Does that mean you are blocking SSIDs sent from your own APs?

2. How to block SSIDs from neighbors? Is my Meraki AP able to tell a cell phone "If you see the SSID 'Bad_Neighbor_Company', do not connect"?

3. There are no "rogue devices" in our neighborhood. Usually there are legitimate wifi signals from others (parked cars, neighbor wifi, etc.) and our own non-Meraki devices (e.g. soundbars). But our employees can't connect to those SSIDs anyway because they don't know the credentials and because their phones automatically connect to the company SSID they already know. What exactly would be the gain of blocking "rogue" devices/SSIDs?

Thank you very much for your efforts!

With kind regards
Stefano

>Why would a block list apply to SSID that are seen "on the LAN"?

For this to happen, someone has to have connected up another AP not part of your infrastructure and created a security whole in the network.

>How to block SSIDs from neighbors?

If you are referring to people who operate WiFi networks other than yours - and you configure blocking against them - you will be breaking the law.

>Is my Meraki AP able to tell a cell phone "If you see the SSID 'Bad_Neighbor_Company', do not connect"?

What it can do is send a de-authentication messages to the cell phone, as though it came from the SSID you don't want it to connect to, and it will disconnect.

Hi Philip,

this makes it clearer to me.

>What it can do is send a de-authentication messages to the cell phone...

Ok, that's the mechanism to block or contain a SSID, it's obvious that you should be sure that this SSID is "rogue" before blocking it.

>For this to happen, someone has to have connected up another AP not part of your infrastructure and created a security whole in the network.

Could you please elaborate this a bit more? Is it like someone installs an unwanted AP and sends out my own SSID to spoof clients? As far as I can see I could not contain this SSID since it is legitimate, only the AP is "rogue".

Thanks a lot for your efforts, Philip...

Regards,

Stefano

A rogue access point is an access point (AP) that has been installed on a secure network without authorization from a system administrator. Rogue APs pose a security threat because anyone with access to the premises can install a wireless AP that can allow unauthorized parties to access the network.

Use the Rogue AP Detection page to enable your device to display information about all APs detected by the device in the vicinity of the network. If the access point listed as a rogue is actually a legitimate access point, you can add it to the Authorized AP Table

> Not quite - everyone - a Meraki user or not - will be blocked from connecting to the SSID.

Ok, that does mean, that Meraki is sending a sort of interference signal?

> ...you can use an AD group policy to prevent users from connecting to certain SSIDs.

I was not aware of any need for this. I always thought you handle this with hiding of SSIDs or with handing out credentials only for the wanted SSIDs. But yes, for mobile computers with Windows this makes sense.

> a device can only connect to a single SSID at a time

This of course is perfectly right. 🙂

Thanks for your efforts,

Stefano

>Ok, that does mean, that Meraki is sending a sort of interference signal?

It sends a de-authentication request to the client trying to connect to the rouge SSID.