Home > Wireless LAN > Monitoring and Reporting > Air Marshal

Air Marshal

Wireless Security Threats in an Enterprise Environment

Secure WiFi access has become a critical component of enterprise networking. WiFi Internet access is critical for corporate communication in verticals including financial services, retail, and distributed enterprise. Due to the widespread use of WiFi and variety of use cases (e.g., point-ofsale (POS) communications, corporate access, warehouse inventory, asset tracking, WiFi services for targeted advertising), the wealth of information transmitted across the wireless medium has skyrocketed. Data transmitted over wireless increasingly contains sensitive personal and financial data. Unfortunately, the tremendous growth in wireless has been accompanied with an increasingly widespread ability to obtain open-source hacking tools that can compromise a wireless network through impersonation of client devices and access points.


Examples of common threats in a modern WiFi environment include:


Network impersonation: achievable by purchasing any consumer-grade access point and copying an SSID, “tricking” clients into thinking that this SSID is available and snooping on their information transactions. 


Wired network compromise: achieved by an unsuspecting employee or student plugging in a consumer-grade access point into the wired infrastructure and exposing the LAN to hackers.


To successfully protect an enterprise network, a Wireless Intrusion Prevention System (WIPS) should provide powerful wireless intrusion scanning capabilities, enabling detection and classification of different types of wireless threats, including rogue access points and wireless hackers. Additionally, a WIPS system should be configurable with intuitive auto-containment policies to facilitate pre-emptive action against rogue devices. Once a threat has been detected, the WIPS platform should kick into gear to enact powerful policies, including intelligent auto-disablement of APs matching a pre-defined criteria and generating different tiers of e-mail alarms based on the type of threat in your airspace. 


In addition to protecting airspace against hackers with malicious intent, it is valuable to be able to mark or group high-value ‘VIP’ wireless clients into a special category, where they can be tracked, to ensure they never leave the wireless network. Examples of VIP clients include highvalue corporate assets — these devices belong to the organization and should never associate to a wireless network other than your own (e.g., corporate issued laptops, point-of-sale registers or barcode scanners in a retail environment, etc.) These VIP clients should only associate to the corporate network. If they do stray to a foreign network, it would be classified as an ‘accidental association.’ The ability to detect and generate alerts when a VIP client strays over to a rogue infrastructure can be invaluable in security conscious environments.


Cisco Meraki’s Air Marshal mode allows network administrators to meet these requirements and design an airtight network architecture that provides an industry-leading WIPS platform in order to completely protect the airspace from wireless attacks. The remainder of this document describes in greater depth wireless threats and the necessary security measures required to remediate against these threats; the conclusion then summarizes the setup and configuration process for Meraki’s Air Marshal WIPS platform in order to achieve the highest security protection possible. 

Wireless Threats

Understanding the wireless airspace around you can help to take effective measures, both preventive and reactive, to ensure that the wireless airspace is secure and interference-free from other wireless networks. A number of different threats exist in the modern enterprise environment, facilitated by easy access to cheap consumer-grade 802.11 equipment, along with open-source hacking tools that can be used to simulate and spoof devices and generate traffic floods. Leading enterprise WLAN providers such as Cisco provide built-in WIPS features to ensure detection and remediation against these threats.

Threat classifications

Visibility and classification of potential wireless threats is an important first step in securing the wireless network and network infrastructure as a whole. Once classified, remediation can be taken against confirmed threats and innocuous alerts can be dismissed. Cisco Meraki Air Marshal automatically classifies threats into the following categories to provide the greatest visibility and overall protection for your network.

Rogue SSIDs

SSID and AP spoofs: the malicious impersonation of a legitimate AP by either spoofing the SSID name or, even worse, the SSID name and the BSSID (the wireless MAC address, which makes it indistinguishable from the original AP).

Rogue SSID seen on LAN: SSIDs that are broadcast by rogue APs and seen on wired LAN; this could suggest compromise of the wired network.

Other SSIDs

Interfering SSIDs: wireless networks that are broadcasting and could be causing RF interference, as well as attracting accidental associations from clients who are supposed to be connecting to your own network.

Ad-Hoc SSIDs: modern smartphones and mobile devices are capable of associating to WiFi networks and then re-broadcasting the SSID, essentially acting as a wireless bridge. Devices in ad-hoc mode can connect to a client AP and create a gateway for wireless hackers.


An AP copying your MAC address as well your SSID. An AP spoof means that someone is deliberately impersonating your network and should be treated with the highest level of severity.

Malicious Broadcasts

Denial of Service (DoS) attacks are attempts to prevent clients from associating to the legitimate AP by sending an excessive number of broadcast messages to clients. DoS attacks could be from malicious clients, APs, or even another WIPS system in the area that considers the corporate network a threat and is attempting to remediate.


Packet Floods

Clients or APs that are sending an excessive number of packets to your AP. Packets are monitored and classified based on multiple categories including beacon, authentication and association frames. An excessive number of any category of packets seen within a short time interval will be marked in Air Marshal as a packet flood. 



Client Straying Threats

Accidental associations: Client devices that belong to your infrastructure associating to a wireless network in your airspace that has not been sanctioned by your corporation. Straying clients could accidentally connect to Rogue SSIDs or spoofed SSIDs if proper action is not taken to protect the wireless airspace. 




PCI Compliance

Understanding and remediating against wireless threats is also a requirement under the Payment Card Industry Data Security Standard (PCI DSS), a standard required for retailers to follow when processing credit card data over WLAN networks. Examples of WIPS requirements under PCI DSS include:

Section 9.1.3 Physical Security:

Restrict physical access to known wireless devices.

Section 10.5.4 Wireless Logs:

Archive wireless access centrally using a WIPS for 1 year.

Section 11.1 Quarterly Wireless Scan:

Scan all sites with card dataholder environments (CDE) whether or not they have known WLAN APs in the CDE. Sampling of sites is not allowed. A WIPS is recommended for large organizations since it is not possible to manually scan or conduct a walk-around wireless security audit of all sites on a quarterly basis 

Section 11.4 Monitor Alerts:

Enable automatic WIPS alerts to instantly notify personnel of rogue devices and unauthorized wireless connections into the CDE. 

Section 12.9 Eliminate Threats:

Prepare an incident response plan to monitor and respond to alerts from the WIPS. Enable automatic containment mechanism on WIPS to block rogues and unauthorized wireless connections. 

Threat Remediation using Air Marshal

A careful study of the common wireless security threats has led to the development of Meraki’s Air Marshal platform, which allows access points to act as WIPS sensors on a dedicated radio while serving clients. Air Marshal is a WIPS platform which comes equipped with security alerting and threat remediation mechanisms. This includes the following:

Monitoring and alerting

A robust and intuitive display of all of the threats for a particular network, including auto-alerting based on the network administrator’s preferences. Monitoring techniques include:

Rogue AP monitoring

Meraki APs scan across all 2.4 GHz and 5 GHz channels to build a list of rogue access points in the nearby vicinity. In addition, further mechanisms are in place to track APs on the wired LAN network by inspecting traffic on the wired port of the Meraki AP, and using this to build a list of rogue APs that may be on the wired LAN. E-mail alerts will be triggered and sent based on parameters predefined by the network admin. 

Tracking ‘client straying’ of VIP clients

Air Marshal allows tagging of VIP clients and an alert is sent if those clients connect to a unsanctioned SSID. Air Marshal does this by monitoring traffic with the source MAC address of the VIP clients. Wireless devices communicate with three types of 802.11 frames: management frames are used during the probing and association process. Control and data frames are used when the client is actually connected. If Air Marshal sees data frames originating from VIP clients which are not connected to the corporate wireless network, an alert can be sent to administrators for remediation. 

Note: This feature is currently in beta and can be enabled via reaching out to support.

Remediation mechanisms

Air Marshal APs come equipped with the ability to automatically ‘contain’ rogue APs and alert on rogue APs and accidental associations, allowing for administrators to take physical action to remove rogue APs and recover straying devices.

What is containment?

‘Containment’ is a common mechanism that calls for the Air Marshal AP to impersonate or spoof the rogue AP in order to render it ineffective. Air Marshal does this by generating a large number of 802.11 packets and using the BSSID of the rogue AP as the the source MAC address. Air Marshal APs also provides more sophisticated containment methods including spoofing clients attempting to associate to the rogue by generating packets with the source MAC of the clients; this allows for a ‘two-way’ spoof and ensures a fool-proof shutdown of the rogue AP. 


Packet types generated by WIPS during containment: 

  1. 802.11 Broadcast deauthorizations with source = Rogue AP, destination = broadcast
  2. 802.11 Deauthorization messages with source = Rogue AP, destination MAC = client
  3. 802.11 Deauthorization and disassociate messages with source = client, destination = Rogue AP


#3 ensures that more sophisticated 802.11 clients with battery-saving capabilities are also unable to connect to the rogue, as they may ignore deauthorization messages from the Rogue AP if they are ‘sleeping’ in order to save battery life. 



As containment renders any standard 802.11 network completely ineffective, extreme caution should be taken to ensure that containment is not being performed on a legitimate network nearby and, action should only be taken as a last resort. Please see the Cisco Guidance Note on de-authentication technology for more information.


Configuring Meraki’s Air Marshal WIPS platform

Dual-radio Meraki APs will run wireless scans opportunistically while also serving clients; this means they will scan the channel on which they are serving clients. It is possible to schedule ‘mandatory’ scans to be run at pre-specified time intervals that can be set as frequently as once a day. Older dual-radio APs can be set into a dedicated Air Marshal mode where it will scan using both the 2.4GHz and 5GHz frequencies. Current Meraki access points include a third radio which comes pre-configured for permanent Air Marshal scanning. These APs do not require any dedicated Air Marshal configuration and will scan and remediate against threats in real-time. 


For older, two-radio Meraki access points: Air Marshal mode can be switched on by selecting the relevant APs on the Access Points page. By clicking the relevant AP and selecting ‘On’ under the Air Marshal scanning section, it is possible to designate this AP as a dedicated WIPS scanner. This Air Marshal AP will now be a dedicated sensor performing scans of the surrounding environments for threats, the results of which will be displayed on the WIPS page in real-time. 


A note on hybrid vs. dedicated scanners

APs with two radios running in client-serving mode will only scan the airspace opportunistically; this means they will scan the client-serving channel in real-time, and will scan across all channels either once a day or when no clients are being served. Most WLAN vendors recommend having dedicated scanning sensors (with no clients being served) in securityconscious environments, to ensure real-time security alerting and protection. Some vendors offer ‘time slicing’ which allows cross-channel scans while serving clients, but this sacrifices performance of latency-sensitive applications such as VoIP and is generally not recommended in the industry. For this reason, Meraki recommends placing at least one two-radio AP in dedicated Air Marshal mode (or utilizing newer 3-radio APs) for real-time scanning.





On the Wireless > Air Marshal page, a number of manual actions of automated policies can be set as a response to the detection of certain types of wireless threats based on administrator preferences:

Manual rogue containment

When choosing to ‘contain’ a rogue SSID, the Meraki AP will perform containment (as described in ‘Threat Remediation’ section of this document) to render the rogue AP ineffective. Certain rogue SSIDs known as friendly APs can also be whitelisted to avoid confusion in the future. 

Automated LAN and Keyword Containment

Automated policies can also be set to contain rogues seen on the wired network, as well as rogue APs matching a certain keyword. For example, if “Acme” is specified as a keyword and a Rogue SSID begins broadcasting an SSID named “AcmeCorp”, it will automatically be contained and clients will not be able to associate with it. This can be helpful in detecting people who are trying to copy the network with similar names and ‘trick’ clients into associating with their own AP.

Mandatory scan schedule

Set time and days of the week where non-Air Marshal APs should scan all channels to ensure daily scanning. 


Air Marshal AP

The datasheet for a particular AP model will outline if the access point has a dedicated scanning radio. For APs that do not consist of a dedicated radio, the access point may be configured to be a dedicated scanning AP.


To enable dedicated full-time scanning, an AP must be placed in dedicated full-time Air Marshal mode. This Air Marshal AP will continuously scan your wired and wireless networks for intrusions.  Meraki's Air Marshal preemptive protection can automatically contain unauthorized AP's on your wired network and contain unauthorized SSID's containing user specified keywords.  To configure an AP as a full time, dedicated intrusion scanner, add the AP tag 'AirMarshal' to a specific AP, or turn on Air Marshal from the AP details page.

Setup Alerts

Generic alerts for Rogue APs can be set on the ‘Alerts and Administration’ page, allowing administrators to receive automatic alerts when rogue APs are detected that either match specified keywords or are seen to be on the wired LAN. 


To enable rogue alarms, take the following steps:

  1. Access the Network Wide Settings > Alerts and Administration
  2. Select the checkbox to send an email alert when "An access point detects rogue APs".


Alarms will be sent any time a rogue comes onto the network, matching one of the following criteria:

  • Wired LAN rogue 
  • SSID-Keyword matching rogue

Client straying

On the Wireless > Group policies page, a special policy can be created to track accidental associations by VIP clients; simply select the ‘track clients straying’ policy attribute and save the policy. The policy can then be applied to specific clients on the Clients page, and devices can also be pre-staged with their MAC addresses to have this policy automatically applied upon association by using the ‘Add devices’ function on the page. 


Containment Status


This is a rogue or other wireless network that is not currently contained. Upon evaluating the threat, you may wish to either contain or whitelist the SSID.


This is a rogue wireless network that your Cisco Meraki AP is currently containing. Whenever a client attempts to connect to the rogue wireless network, they will be forced off via the deauthentication process described earlier.

Partially contained

This is a rogue wireless network that can not be completely contained because some of the rogue APs may be on a different channel. This can occur when a non-Air Marshal AP notices the rogue on a different channel during a channel scan. The AP can not fully contain the rogue wireless network because of the channel difference. Deploying more APs with dedicated scanning radios can help mitigate these issues.


This is a wireless network that has been manually whitelisted. You may choose to whitelisted a wireless network when you have identified it as being a legitimate part of your infrastructure. Whitelisted networks will not be contained in any way.

Creating a WIPS response plan 

By configuring alerts and utilizing Meraki’s Air Marshal view to monitor these threats retroactively and in real-time, it is possible to build a robust security plan that can be enforced. An example of a complete security methodology is as follows:

  1. Create a WIPS plan as per your company’s security policies
    • Configure mandatory scanning intervals or designate APs to run in Air Marshal mode
    • Configure auto-containment policies for rogue SSID keyword matches or rogues on the wired LAN
    • Configure client straying policies to track batches of VIP clients
    • Configure WIPS alerts
  2. Proactive monitoring of Air Marshal
    • Visit Air Marshal page weekly or quarterly and mark known rogues as ‘whitelisted’, contain dangerous rogues
    • Physically contain rogues that may be a threat
  3. Reactive monitoring of Air Marshal alerts
    • Receive alert and react accordingly (set containment, find and contain rogue, etc). 

Physically Deploying Air Marshal APs

APs that are designated as full-time Air Marshals for WIPS scanning can be deployed using exactly the same methodology as a regular client-serving AP in terms of wall mounting, using PoE, etc. 


An Air Marshal AP has a wider effective radius than a regular AP, as it can detect and contain rogues at a lower bitrate than what is required for sustained client connectivity. The coverage radius of an Air Marshal AP for sensing and remediating against rogue access points is approximately twice as large as the coverage area for serving clients; therefore, the total coverage area for WIPS scanning is approximately 4 times as large as the area for serving clients. When planning for full WIPS coverage, the approximate ratio of Air Marshal APs to client serving APs will be 1:4, but could vary from 1:3 to 1:5 depending on the parameters of the deployment and WIPS coverage density required. 


By understanding the spectrum of wireless security threats in today’s environment and creating a comprehensive response plan, network administrators can preclude the possibility of a serious compromise of critical network assets — including access to secure network devices that belong to the enterprise. A best-in-class WIPS platform should be capable of delivering intuitive reporting and monitoring, along with a robust suite of tools allowing for automatic alerts and security enforncement.


Meraki’s Air Marshal system includes real-time detection, remediation and alerting capabilities, including the ability to define pre-emptive policies that will intelligently take action to contain rogue APs using sophisticated containment mechanisms. Meraki’s wireless portfolio contains both dual-radio APs which can be converted into full-time sensors running in Air Marshal mode, and three-radio APs with dedicated scanning radios permanently running as Air Marshal scanners. By utilizing Meraki access points and Meraki’s intuitive web-based Dashboard interface, network administrators can create a robust WIPS policy plan, and easily deploy an airtight network to deliver enterprise-grade security in a WLAN environment.

You must to post a comment.
Last modified
13:03, 20 Jan 2017


This page has no custom tags.


This page has no classifications.

Article ID

ID: 3972

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case