Cisco Meraki Access Points have a feature known as Air Marshal that allows administrators to quickly and easily identify threats and maintain a secure wireless network. This feature can be monitored and configured on the Monitor > Air Marshal page. More information on this feature can be found here or here.
When a Beacon Frame for an SSID is detected by an Access Point in Air Marshal mode, it is classified as either a 'Rogue SSID' or as an 'Other SSID'. To determine if an SSID is originating locally, we look at the MAC address of local devices, and the BSSID of the broadcasted SSID. When a wireless access point of any brand generates a beacon packet, it uses a BSSID, which is a virtual physical address. More information on this behavior can be found here.
Note: A “hidden SSID” on the Air Marshal page is an SSID name that is not included in the beacons and probe responses for a particular BSSID. These can usually be ignored during common network operation, and are unlikely to result in noticeable RF interference.
When we detect an SSID being broadcast, we compare it to other known MAC addresses on the LAN. If a wired MAC and the broadcasted BSSID MAC match on the 3rd and 4th bytes of the MAC, and the rest of the bytes differ by 5 bits or less, it is classified as a Rogue SSID.
This comparison is done with an XOR of the MAC addresses in binary notation. Below is an example of a wired MAC compared to the broadcasted MAC in the SSID. This example was detected by Air Marshal:
When the MAC addresses are written out in binary, you can see that very few of the bits are different. When performing an XOR, you see that only 4 bits are different between the two MAC addresses.
In another, simpler example, shown in the image below, both entries are classified as a rogue SSID for the reason 'Seen on LAN'. In the first entry, there is a match on the 03:37 portion of the address. Since the rest of the bytes differ by only 1 bit, it is classified as coming from a device on the LAN. In the second entry, the addresses match exactly, and the SSID is classified in the same way.
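The comparison described above, written out as an added Python example. This is not Meraki's code: the function names, the `MAX_DIFF_BITS` constant and the sample MAC addresses are constructed for illustration, and the sketch assumes the bit count is taken over bytes 1, 2, 5 and 6 (everything except the 3rd and 4th bytes).

```python
import re

MAX_DIFF_BITS = 5  # "differ by 5 bits or less", per the rule described above

def parse_mac(text):
    """Parse a MAC in colon, hyphen, dot or bare-hex notation into 6 bytes."""
    digits = re.sub(r"[:.\-\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def differing_bits(wired, bssid):
    """Bits that differ outside bytes 3-4, or None when bytes 3-4 do not match."""
    a, b = parse_mac(wired), parse_mac(bssid)
    if a[2:4] != b[2:4]:          # 3rd and 4th bytes must be identical
        return None
    # XOR the remaining bytes and count the set bits (the differing positions).
    return sum(bin(a[i] ^ b[i]).count("1") for i in (0, 1, 4, 5))

def classify(bssid, wired_macs):
    """Return (label, closest wired MAC, differing bits) for a beaconed BSSID."""
    best = None
    for wired in wired_macs:
        bits = differing_bits(wired, bssid)
        if bits is None or bits > MAX_DIFF_BITS:
            continue
        if best is None or bits < best[1]:
            best = (wired, bits)
    if best is None:
        return ("Other SSID", None, None)
    return ("Rogue SSID", best[0], best[1])

# Constructed sample data: wired MACs seen on the LAN and BSSIDs seen in beacons.
LAN_MACS = ["02:1a:03:37:5c:10", "00:25:9c:44:0b:e2"]
BEACONED = [
    "02:1a:03:37:5c:10",  # exact match with a wired MAC
    "02:1a:03:37:5c:11",  # 1 bit differs
    "02:1a:03:37:5c:0f",  # 5 bits differ, still within the limit
    "02:1a:03:37:5c:2f",  # 6 bits differ, over the limit
    "02:1a:03:38:5c:10",  # 4th byte differs, so no match at all
]

if __name__ == "__main__":
    for bssid in BEACONED:
        print(bssid, classify(bssid, LAN_MACS))
```
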
Air Marshal will detect rogues on all VLANs if the Meraki AP is connected to an upstream trunk port, provided that all VLANs are allowed.
With the ability to locate Rogue SSIDs, administrators are better equipped to prevent unauthorized access points from operating on their local network. After detection, an administrator is able to take action, either containing the SSID using Air Marshal, or using the gathered information to find the offending device and remove it from the network.