Hi Lorenzo,
I tend to agree with @mloraditch on this one, the design is unfortunate but I understand it sounds like you are limited to adjustments at this time.
That being said, I just wanted to touch on Air Marshall, as we do support the ability to 'Contain' SSIDs however this is typically designed around environments with potential Rouge APs that are not owned by the organization.
This feature works by sending deauthentication packets with the spoofed MAC address of the rogue access point (the BSSID of the rogue wireless network). The deauthentication packets force any clients that are connected to the rogue access point to disconnect (but does not affect coverage/roaming from a client perspective.)
If a client attempts to connect to the rogue network, they will be immediately forced off by the Air Marshal. More on this in the below article:
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Overview_of_Air_Marshal_Containment
- Warning: Care should be taken when configuring SSID block list policies as these policies will apply to SSIDs seen on the LAN as well as off of the LAN from neighboring WiFi deployments.
- Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potential disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment.
The only other potential solution outside of an SSID change or coverage adjustments would be an additional authentication such as RADIUS on both SSIDs to prevent association unless allow listed on the RADIUS server - such as below:
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise#Add_APs_as_RADIUS_Clients_on_the_NPS_Server
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
