Meraki

Community

Access Point traffic encryption

AKR
Here to help
‎Mar 14 2019 12:52 PM
‎Mar 14 2019 12:52 PM

Access Point traffic encryption

Hello,

 

In Cisco WLC after version 8.3 the traffic can be encrypted at L2 by using a Pre-Shared key and this feature can be used for ISE guest portal. Could this be done using Meraki Access Points?

 

Thanks,

 

Aravind.

0 Kudos
7 Replies 7
ChrisKemsley
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 14 2019 1:42 PM
‎Mar 14 2019 1:42 PM

Not that I'm aware of but as the portal itself is recommended as using SSL and any credentials sent to said portal encapsulated within that encryption, what is the requirement driving the need for L2 encryption to ISE for guest portal services?

 

In most deployments both the AP IP's and Radius server are on the internal networks and therefore encryption isn't a requirement.

 

 

In response to ChrisKemsley
AKR
Here to help
‎Mar 14 2019 2:34 PM
‎Mar 14 2019 2:34 PM

This is one of my customers concern. They dont want someone to sniff the traffic.

 

thanks,

 

Aravind,

0 Kudos
In response to AKR
ChrisKemsley
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 14 2019 5:28 PM
‎Mar 14 2019 5:28 PM

A good way to prevent someone from sniffing the traffic would be to segment the network the AP's sit in from the one users attach to on the wire. Simple ACL or firewall rules would prevent users from being able to sniff anything on the management vlan. If it's a concern over sniffing the air - the portal is no different security wise than what people put credit card transactions on with SSL. 

 

If they must have AP to ISE traffic double encrypted (Radius MD5 Hash plus another) they could use a Cisco-Meraki MX and tunnel all AP traffic to it, then from it to ISE would be the only single encryption. The MX could sit in the same data center as the ISE server. 

In response to ChrisKemsley
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 14 2019 5:31 PM
‎Mar 14 2019 5:31 PM

If they are worried about the RADIUS traffic being sniffed then they should use PEAP, EAP-TLS or EAP-TTLS to protect the authentication.  I would not be sending authentication details over clear text.

 

I don't see much point in adding another layer encryption over the top again.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 14 2019 3:55 PM
‎Mar 14 2019 3:55 PM

Specifically - what traffic are you referring to?

 

All traffic to and from the Meraki cloud is encrypted.

 

Are you referring to client traffic being bridged to the local LAN?  In which case, why can't the local LAN be trusted?

 

If you are wanting to securely tunnel traffic to a perimeter network then you could consider using an MX, and have the AP send the traffic over a VPN.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#SSID_Tunneli...

In response to PhilipDAth
PQR
Comes here often
‎Mar 10 2023 10:12 AM
‎Mar 10 2023 10:12 AM

Hi @PhilipDAth 

Is there any way that the data traffic from the AP to the client is encrypted?

0 Kudos
In response to PQR
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 10 2023 12:18 PM
‎Mar 10 2023 12:18 PM

Anything using WPA2 will result in the traffic being encrypted between the AP and client.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.