
Air Marshal Containment

Cisco Meraki Access Points feature powerful Air Marshal technology that can assist with mitigating wireless threats to your network. Access points feature the ability to contain rogue access points that can put your network at risk. This Knowledge Base article covers the following:

  • Overview of Air Marshal containment

  • Configuring containment

  • Types of containment

Overview of Air Marshal containment

Rogue access points can be contained once they have been identified. When a rogue access point is contained, clients will be unable to connect to the rogue AP. Additionally, any currently associated clients will lose their connection to the rogue AP.

 

A Cisco Meraki AP accomplishes containment by sending deauthentication packets with the spoofed MAC address of the rogue access point (the BSSID of the rogue wireless network). The deauthentication packets force any clients that are connected to the rogue access point to disconnect. If a client attempts to connect to the rogue network, they will be immediately forced off by the Air Marshal. Figure 1 below shows a Cisco Meraki AP performing containment on a rogue SSID.

 

Figure 1: A Cisco Meraki AP performing containment on a rogue SSID.
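As an added example (not Meraki code), the Python below parses 802.11 deauthentication frames from a monitor-mode capture and tallies those transmitted with a given BSSID as their source address, which is how the containment described above appears on the air. The sample frames and MAC addresses are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter

# Constructed sample frames: 802.11 MAC header + body as hex, no radiotap header, no FCS.
# All addresses are made-up, locally administered MACs.
ROGUE = "02:00:00:aa:bb:01"
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    # deauth, broadcast destination, transmitter = BSSID = ROGUE, reason 7
    "c0003a01" "ffffffffffff" "020000aabb01" "020000aabb01" "1000" "0700",
    # deauth, unicast to a client, transmitter = BSSID = ROGUE, reason 7
    "c0003a01" "020000112233" "020000aabb01" "020000aabb01" "2000" "0700",
    # deauth sent by the client itself (transmitter != BSSID), reason 3
    "c0003a01" "020000aabb01" "020000112233" "020000aabb01" "3000" "0300",
    # beacon header from another AP: not a deauth
    "80000000" "ffffffffffff" "020000aabb02" "020000aabb02" "4000" "0000",
    # truncated deauth: too short to hold a reason code
    "c0003a01" "ffffffffffff" "020000aabb01",
)]

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return the fields of a deauthentication frame, or None if it is not one."""
    # Frame control byte 0: version 0, type 0 (management), subtype 12 -> 0xC0
    if len(frame) < 26 or frame[0] != 0xC0:
        return None
    # Layout: frame control (2) | duration (2) | addr1 | addr2 | addr3 | seq ctl (2) | reason (2)
    protected = bool(frame[1] & 0x40)  # Protected Frame bit: body is encrypted (802.11w)
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    return {"dst": _mac(frame[4:10]), "src": _mac(frame[10:16]),
            "bssid": _mac(frame[16:22]), "reason": reason, "protected": protected}

def deauths_sent_as(frames, bssid):
    """Tally, per destination, deauths whose transmitter address and BSSID both
    equal `bssid`, i.e. frames that appear on the air to come from that AP."""
    per_dst = Counter()
    for f in frames:
        d = parse_deauth(f)
        if d and d["src"] == d["bssid"] == bssid:
            per_dst[d["dst"]] += 1
    return per_dst

if __name__ == "__main__":
    for dst, n in deauths_sent_as(SAMPLE_FRAMES, ROGUE).items():
        print(f"{n} deauth(s) sent as {ROGUE} to {dst}")
```

The capture alone cannot tell whether such a frame came from the rogue AP itself or from a containing AP using its address; the tally only shows that deauthentication is occurring for that BSSID.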

 

 

Configuring containment

 

Containment can be configured in three ways:

  • Containing an identified rogue SSID

  • Containing rogues that are seen on the LAN

  • Containing an SSID by keyword

 

When a rogue SSID has been identified by an AP, it can be manually contained from the Air Marshal page. Follow the steps below to manually contain an SSID.

  1. Navigate to Wireless > Monitor > Air Marshal.

  2. Locate the SSID that you want to contain under the Rogue SSIDs or Other SSIDs tab.

  3. Set the Containment to contain or whitelist, as seen below.


 

When a rogue SSID has been seen on the LAN, it can be automatically contained. For more information about how Air Marshal classifies a rogue, please consult the Air Marshal Rogue SSIDs Knowledge Base article. Follow the steps below to automatically contain rogue APs that are seen on the LAN.

 

 

  1. Navigate to Wireless > Monitor > Air Marshal.

  2. Set the LAN containment drop-down menu to Contain rogue APs seen on the LAN, as seen below.

  3. Click Save changes.

 

Air Marshal is also capable of automatically containing SSIDs that contain specific keywords. This can help to prevent users from connecting to an illegitimate network that may have been set up by an attacker. Follow the steps below to automatically contain SSIDs that contain specific keywords.

 

  1. Navigate to Monitor > Air Marshal.

  2. Enter the keywords that you want to contain in the Keyword containment box. Enter one keyword per line, as seen below.

  3. Click Save changes.

Note: APs in other networks within the same Dashboard organization will not appear as rogue or interfering APs. However, they can still be contained by using keyword containment.

 

Types of containment

There are 5 types of containment:

  • Uncontained rogue - This is a rogue wireless network that has been identified as a possible threat to your network, but is not currently contained. Upon evaluating the threat, you may wish to either contain or whitelist the rogue.
  • Contained - This is a rogue wireless network that your Cisco Meraki AP is currently containing. Whenever a client attempts to connect to the rogue wireless network, they will be forced off via the deauthentication process described earlier.
  • Partially contained - This is a rogue wireless network that cannot be completely contained because some of the rogue APs may be on a different channel. This can occur when a non-Air Marshal AP notices the rogue on a different channel during a channel scan. The AP cannot fully contain the rogue wireless network because of the channel difference. Deploying APs with a dedicated third Air Marshal radio can help to mitigate these types of threats.
  • Whitelisted - This is a wireless network that has been manually whitelisted. You may choose to whitelist a wireless network when you have identified it as being a legitimate part of your infrastructure. Whitelisted networks will not be contained in any way.
  • Uncontained other - This is a wireless network that was noticed during a scan, but has not been determined to be a threat to your network.

Last modified
16:05, 26 Jul 2017


Article ID

ID: 2216
