
Cisco Meraki Air Marshal Questions

scross1
Level 1

Hi,

 

I was hoping some people in the community could help me understand better the function of the Air Marshal features in Meraki. From what I can tell from my testing with it, it can only block internal rogue SSIDs, but is there anything we can do about external threats? From what I can tell the only thing to do would be walk around and find the external threat and neutralize it that way.

 

Another issue I'm having is that it will only alert once when it sees a rogue SSID or spoof. I get an email at the start and then it won't email me again even if it goes offline and then comes back online. I assume it remembers that spoof and then won't notify again based on that, but is there any way around this? Say if we think we get rid of it but then it comes up again 2 days later we will have no way of knowing unless we are checking every day.

 

Thanks for any help!

2 Replies

JPavonM
VIP

From my past experience playing around with Meraki APs, and from a more recent experience defending my Cisco WLAN infrastructure, enabling Air Marshal to prevent rogue devices is a very intensive admin task. I mention this because if you do not take care of the feature, and rely on the ease of "Meraki's magic" (but also all "Enterprise" platforms that are out there with such a label), APs could be creating a DDoS over any neighbour WLAN.

Let me further explain myself. A couple of years ago I noticed that some devices connected to an office with Cisco APs were being deauthenticated. After some packet captures I realized that there was a deauth attack in progress, and my APs were receiving deauth packets for all connected clients. Further investigation on the MAC OUIs in the vicinity led me to think there were some Meraki APs that maybe had the Air Marshal feature enabled with anti-rogue measures enabled.

In the end my suspicion was right and we found a neighbour company where the admins enabled that feature thinking it was magic as Meraki sells it, but not taking care of the alerts and the logs, nor reviewing the Air Marshal dashboard. After explaining the episode and the technology to them, they turned it off and all problems disappeared.

My recommendation: take special care with WIPS features, especially in easy-to-manage solutions such as Meraki, as you could maybe be impacting neighbours, and you could be fined because of this.

HTH
-Jesus
*** Please rate helpful responses ***
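
An added example, not part of the original posts or of any Cisco or Meraki tooling: a sketch of the packet-capture check the reply above describes, parsing 802.11 deauthentication and disassociation frames and flagging bursts that name one of your own BSSIDs. It assumes bare 802.11 frames (radiotap header and FCS already stripped); the window, the threshold, the MAC addresses and the sample frames are all constructed for illustration.

```python
import struct

DEAUTH, DISASSOC = 0xC, 0xA  # 802.11 management frame subtypes

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (kind, dst, src, bssid, reason) for a deauth/disassoc frame, else None.
    Assumes a bare 802.11 frame: radiotap header and FCS already stripped."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 0x3, (frame[0] >> 2) & 0x3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    # With the Protected bit set the body is encrypted, so no reason code is readable.
    reason = None if frame[1] & 0x40 else struct.unpack_from("<H", frame, 24)[0]
    kind = "deauth" if subtype == DEAUTH else "disassoc"
    return kind, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def flag_bursts(capture, own_bssids, window=10.0, threshold=20):
    """capture: iterable of (timestamp_seconds, frame_bytes). Returns {bssid: peak} for our
    BSSIDs named in more than `threshold` frames inside any `window`-second span."""
    seen = {}
    for ts, frame in capture:
        parsed = parse_mgmt(frame)
        if parsed and parsed[3] in own_bssids:
            seen.setdefault(parsed[3], []).append(ts)
    flagged = {}
    for bssid, stamps in seen.items():
        stamps.sort()
        lo = peak = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:  # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[bssid] = peak
    return flagged

# Constructed sample data (locally administered MACs, not from any real capture).
OWN_BSSID = "02:00:00:00:00:01"
SAMPLE_DEAUTH = bytes.fromhex("c0003a01ffffffffffff0200000000010200000000010000" "0700")
SAMPLE_OTHER = bytes.fromhex("80000000ffffffffffff0200000000020200000000020000" "0000")
BURST = [(i * 0.1, SAMPLE_DEAUTH) for i in range(30)] + [(1.0, SAMPLE_OTHER)]
QUIET = [(i * 60.0, SAMPLE_DEAUTH) for i in range(5)]

if __name__ == "__main__":
    print(flag_bursts(BURST, {OWN_BSSID}), flag_bursts(QUIET, {OWN_BSSID}))
```

The addresses inside a deauthentication frame are not authenticated, so a flagged burst shows which of your BSSIDs is affected, not who is transmitting; locating the sender still takes the kind of survey of nearby devices the reply describes.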

We had a very similar experience at a customer site (a major hotel). One of their neighbours enabled Air Marshal (without understanding what they were doing) and 'contained' our customer's Cisco WiFi network.

After we identified the cause and had a friendly chat with the neighbour to explain what they were doing they turned it off.

Note that in most countries jamming somebody else's radio network is ILLEGAL except in very specific circumstances where you may be required to protect your own network. Indiscriminate use of containment can land you in trouble.

Just because you see a 'rogue' does not make it a threat.

Unless someone is intentionally trying to impersonate your SSID or attack your clients they are not a threat - they're just another WiFi network/user.
