Guest access is being spoofed

network1215 · ‎02-01-2018

our wifi guest access is getting spoofed and malicious attacks through the meraki APs that is masking itself as a meraki AP – the mac address is just similar the our AP but just one character is different.

how do I troubleshoot this scenario ?

Philip D'Ath · ‎02-01-2018

Go "Wireless/Air Marshall" and "contain" the rogue AP. This will prevent users attaching to it.

Also if you have not upgraded to 25.9 I would upgrade to that as well. It was numerous improvements.

Saravanan Lakshmanan · ‎02-05-2018

General approach!

Detect the source device to absolutely make sure its actual Rogue AP or Client with bad driver, otherwise we're following an incorrect target.

Once source confirmed and its neighbor/next door AP, just talk to them to disable containment, its violation to contain the rogues.

Client with bad driver can send packet as if it were an AP - Src/Dst traffic flipped by client causing unnecessary issues. in this case, we need to work with client vendor.

Check the performance impact - Many clients do ignore broadcast deauth. If spoofer sending bcast deauth and found no impact then there is no need to counter-attack.

Also, counter-attack/Rogue-containment will have impact on client connected to that containing AP-radio.