Are BSSIDs that are not associated with any particular network and using WEP the "security radios?"

MOT
Here to help


I have a network with one MX65W and one MR32. During this holiday break, I was able to move my MR32 to a central location and turn off the MX65W SSIDs. The MR32 appears to not have quite the range of the MX65W, but is close and is working better in the sense that it has a richer feature set. (This seems to make great sense to me: A small business might use one MX65W to cover the entire store and therefore not need multiple APs, hence, a greater range on the MX65W is perfect. An MR32 might be more likely to be used with additional APs and therefore need the additional features that include seamless roaming and meshing, etc.)

One thing that I am still puzzled about that I wonder if I've made some mistake on, but haven't figured out yet: When I use the Wireless Diagnostics on my MacBook Pro, and do a scan, I see that there are multiple wireless networks coming from the Merakis (either the MR32 or MX65W or both) (with no network names, but BSSIDs that indicate that the Security is WEP)! What might those be? Are those the 3rd radios used for rogue AP protection? Are they okay that they are WEP?
PhilipDAth
Kind of a big deal

Are you sure you only have one SSID enabled?

PhilipDAth
Kind of a big deal

Also if you are not running 25.9, I would upgrade to that.

BHC_RESORTS
Head in the Cloud

The WEP SSIDs are the AP to AP communication for the meshing. It uses a 1mbps/6mbps per band (2.4/5) signal, which is kind of a bummer because that takes up a LOT of airtime. If you have meshing turned off, it is supposed to disable the SSID from being broadcast, but for a while it wasn't. It may have been fixed by a firmware upgrade, I haven't looked in a while. Even though the communication is just some basic info about the mesh, WPA2 should really be used and not WEP. It's possible there is an attack vector in there yet to be undiscovered, but with such a weak keyspace, it would be pretty easy to start looking. Edit: I'm pretty sure the data within the mesh communication is encrypted, but, still.

TLDR; It's the meshing communication between access points.

As a side note, there really isn't much difference in range between access points (even between vendors). They are all locked to a maximum output RF strength. The difference is probably in the antennas - the MX65W whip antennas probably work a bit better in your environment than the integrated radio on the MR32. You can view the RF coverage charts from the documentation to show how each AP/antenna type distributes the signal. The mounting plate also has a 5% or so reduction in signal going that way, so YMMV.

BHC Resorts IT Department

Ha, funny timing, @BHC_RESORTS and I just overlapped pretty much the same feedback which I did not see before giving mine.  Anyway, keep us posted on this thread if/when you get with Support!

MerakiDave
Meraki Employee

This goes back to the early days when Meraki was born as a zero-touch cloud-managed wifi company over a decade ago, and is related to the automatic meshing algorithm that runs in the background, which is both proprietary and pretty much undocumented. It was all about the self-configuring and auto-healing properties of Roofnet at MIT.

In the latest versions of 25.x firmware, Meraki Support should be able to enable (unlock) a feature on your dashboard to disable meshing (on the Network Wide > Configure > General page) and you should hopefully see those unwanted SSIDs go away when you disable meshing. If you need meshing, you may be stuck with this, but if all APs are gateway APs, turn it off. And if you did have a small one-off need for mesh, you could perhaps do that in a separate wireless Dashboard network for a small pocket of your deployment. Check with Support to scrub your configuration and firmware version for your best options.

As for the range, the minor difference could just be internal antennas on the MR32 versus external dipole antennas on the MX65W, as well as the physical placement and RF environment. You'd very likely get better range results with the higher end APs like MR42 and MR52/53 since they are 3x3:3 and 4x4:4 and you'll generally get better SNR and perhaps better range, before having to deploy an additional AP.

Please tell us that the WEP key is different for each client ...

Thank you to everyone who has responded to me, and for this note to request that Meraki enable the configuration option for me to disable meshing. I've filed a case and will report back my findings after they've done so and I've tried that. I did upgrade to MR 25.9, too. I REALLY LOVE the Meraki products! -Mike
MOT
Here to help

In less than an hour after I submitted my case, Meraki support responded and added the meshing enable/disable. I disabled meshing, but I'm still seeing extra networks. I see my four expected SSIDs, and 10 BSSIDs. My understanding is that the four of the 8 are for the 5GHz channels, one for each SSID, and four are for the 2.4GHz channels - one for each SSID. The channels match with what my radios indicate the channels should be: 48 and 11 is what it has auto-picked. Then I have one BSSID at 5GHz on channel 157 that has WEP, and one BSSID at 2.4GHz on channel 1 that has WEP. I figure that those are for the meshing, which implies that the disable of the meshing failed. If that blog Nolan Wifi posted (that @pjc linked) is correct that at one time this was fixed, then it is now broken in the MR25.9. Should I file a case, or can any of you tell me that my thinking above is incorrect, because I'm not very familiar with WiFi. (I know so very little.)
DCooper
Meraki Alumni (Retired)

@MOT Can you PM me your case number so we can take a look?

@DCooper, The support engineer responded: "Unfortunately, the disable mesh feature simply stops the APs from meshing, but will not stop the broadcasted traffic. This is not a bug but would actually be a feature request. If you have any questions, please feel free to reach out to us again. " I'm actually okay with this response (in *my* case) as long as these wireless interfaces with WEP are not attack surfaces from which a malefactor can snoop, do something malicious or cause a denial-of-service to either the data plane or command-and-control. I don't want an attacker to pivot. I really love my Meraki products, hence, I'd love for them to be as secure as possible, too! I'll also PM you. Most sincere thanks! -Mike
DCooper
Meraki Alumni (Retired)

Great! Thanks for the feedback. I believe there is an existing FR I’ll make sure it gets attached to.

BHC_RESORTS
Head in the Cloud


@MOT wrote:
@DCooper, The support engineer responded: "Unfortunately, the disable mesh feature simply stops the APs from meshing, but will not stop the broadcasted traffic. This is not a bug but would actually be a feature request. If you have any questions, please feel free to reach out to us again. " I'm actually okay with this response (in *my* case) as long as these wireless interfaces with WEP are not attack surfaces from which a malefactor can snoop, do something malicious or cause a denial-of-service to either the data plane or command-and-control. I don't want an attacker to pivot. I really love my Meraki products, hence, I'd love for them to be as secure as possible, too! I'll also PM you. Most sincere thanks! -Mike

It is a problem though because 1mbps/6mbps SSIDs take up a HUGE amount of airtime. In a dense environment, that's a bummer.

BHC Resorts IT Department

@BHC_RESORTS, I happen to not have a dense environment, hence, I am not burdened by the broadcasts. For someone like me who is not a networking expert but has *some experience*, the Meraki products make it SO easy to do sophisticated configurations with little effort! (e.g., multiple VLANs, Enterprise WPA authentication, VPNs if desired and more!) Best wishes!
MilesMeraki
Head in the Cloud

How are you identifying that these are coming from the MX and MR devices and not another AP? Are you sure this isn't just a Hidden WEP SSID by another device in your area?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
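One way to check the point raised in this post and the BSSID count worked out earlier in the thread, as an added example that is not part of the original discussion: it sorts scan results into BSSIDs carrying your own SSIDs and hidden WEP BSSIDs, then compares address prefixes. The scan rows, SSID names and the rule for matching prefixes are assumptions made for illustration, not Meraki's documented behaviour.

```python
# Constructed scan rows, not a real capture: (ssid, bssid, channel, security).
# BSSIDs use the RFC 7042 documentation range 00:00:5e:00:53:xx.
MY_SSIDS = ["corp", "guest", "iot", "voice"]  # hypothetical SSID names
SCAN = [(s, f"00:00:5e:00:53:{n:02x}", ch, "WPA2")
        for n, (s, ch) in enumerate((s, ch) for s in MY_SSIDS for ch in (11, 48))]
SCAN += [
    ("", "00:00:5e:00:53:f0", 157, "WEP"),  # hidden, same prefix as own APs
    ("", "02:00:5e:00:53:f1", 1, "WEP"),    # hidden, locally administered bit set
    ("", "02:11:22:33:44:55", 6, "WEP"),    # hidden, unrelated prefix (neighbour)
]


def oui(bssid):
    """First three octets, lower-cased, with the locally administered bit cleared.

    Assumption: an AP may set that bit on virtual BSSIDs derived from its base MAC.
    """
    first = int(bssid[:2], 16) & ~0x02
    return f"{first:02x}{bssid[2:8].lower()}"


def audit(scan, my_ssids):
    """Count BSSIDs carrying known SSIDs and list hidden WEP BSSIDs."""
    own = [row for row in scan if row[0] in my_ssids]
    own_ouis = {oui(row[1]) for row in own}
    own_channels = {row[2] for row in own}
    hidden_wep = [
        {
            "bssid": bssid,
            "channel": channel,
            "same_prefix_as_own_aps": oui(bssid) in own_ouis,
            "on_serving_channel": channel in own_channels,
        }
        for ssid, bssid, channel, security in scan
        if ssid == "" and security == "WEP"
    ]
    return {"own_bssids": len(own), "hidden_wep": hidden_wep}


if __name__ == "__main__":
    report = audit(SCAN, MY_SSIDS)
    print("BSSIDs for known SSIDs:", report["own_bssids"])
    for entry in report["hidden_wep"]:
        print(entry)
```

A matching prefix only shows the same vendor, not the same device, so confirm against the radio MAC addresses listed for your own APs before attributing a hidden BSSID to them.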

I recently raised a support ticket as I was seeing these WEP encrypted networks used for meshing all over my network (each AP was broadcasting these hidden mesh networks on both the 2.4 and 5 GHz bands).

I asked support to enable the dashboard feature to turn off meshing as we don't use it or have any plans to use it, which they did. I then turned off meshing, but I was still seeing these hidden networks still broadcasting. When I enquired further, and after about 3 weeks back and forth, support informed me that "Unfortunately, it is not possible to stop broadcasting the mesh SSID channels due to technical/design limitations"

Pretty unimpressed to be honest

This explains the issue further, however, certainly current stable version 24.12 does not stop the networks broadcasting

https://nolanwifi.com/2017/02/06/merakis-mesh-mess/

BHC_RESORTS
Head in the Cloud

@pjc What firmware version are you on? I'm not seeing it on my networks right now. But like that article, it could be possible when turned off the beacons only go out sometimes.

BHC Resorts IT Department

Is WEP still the encryption for mesh networking between the APs?
