Definitive list of BSSID's / calculation for all Meraki OIU's?

jamesw
Getting noticed

Definitive list of BSSID's / calculation for all Meraki OIU's?

Is there a definitive and up to date list of how BSSID's are being calculated for the various Meraki OUI's below?

 

CC:03:D9
AC:17:C8
98:18:88
2C:3F:0B
4C:C8:A1
B8:07:56
F8:9E:28
38:84:79
A8:46:9D
6C:DE:A9
E4:55:A8
CC:9C:3E

 

The others are documented here:

 

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Calculating_Cisco_Meraki_BSSID_MA...

 

I realise there is an API to retrieve them on a live Meraki network but as a WiFi service provider we need to know in advance what all the combinations might be, as we run a RADIUS server and need to know what the Called-Station-Id's might be for these requests. For the ones already documented we have some code which works out all the possible BSSID's based off the detail provided, but for the newer ones we haven't got any way to know...

 

Does anyone have any idea?

 

Thanks,

 

J

 

12 Replies 12
BrandonS
Kind of a big deal

I wondered who manages MAC address registrations and it seems to be ieee. Maybe this helps?  I am not sure how current it is: https://standards.ieee.org/products-services/regauth/index.html

- Ex community all-star (⌐⊙_⊙)
BrandonS
Kind of a big deal

I searched bit more on the ieee site and this is what comes up for "Meraki"

 

Registry

Assignment

Organization Name

Organization Address

MA-L

881544

Cisco Meraki

660 Alabama St San Francisco CA US 94110

MA-L

A8469D

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

6CDEA9

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

0C8DDB

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

CC03D9

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

CC9C3E

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

2C3F0B

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

00180A

Cisco Meraki

99 Rhode Island St. San Francisco, CA US 94103

MA-L

B80756

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

3456FE

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

F89E28

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

388479

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

E0CBBC

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

683A1E

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

E455A8

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

E0553D

Cisco Meraki

500 Terry A. Francois Blvd San Francisco California US 94158

MA-L

AC17C8

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

981888

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

MA-L

4CC8A1

Cisco Meraki

500 Terry A. Francois Blvd San Francisco  US 94158

- Ex community all-star (⌐⊙_⊙)

Sorry, wrong end of the stick I think.

 

The list I posted are Meraki registered - what I am looking for, from Meraki, is how they are generating the BSSID's from the given AP MAC's, just like they publish for their other ranges in that article...

 

Thanks

 

J

BrandonS
Kind of a big deal

I see.  You definitely need to get someone from Meraki to update that documentation then.  If no one sees your post here I would just put it into support and try to follow it through there.  I suppose this needs to flow through at least a couple different teams at Cisco to get sorted and finally an updated document.

 

Best.

- Ex community all-star (⌐⊙_⊙)

I'll send the request to our documentation team but it can't hurt to also put in a support ticket 🙂

Caroline S | Community Manager, Cisco Meraki
New to the community? Get started here

Thanks! I'm concerned that they won't "update" it, as per the note on the article:

 

Status information about each SSID advertised by an access point, including each BSSID, can also be found using the Dashboard API or using the AP details page. Please use APIs/dashboard as a primary way to retrieve BSSID information.
No new BSSID values will be added to this article moving forward.

 

But, this needs consideration, as Wi-Fi operators need to know how these BSSID's are being calculated. Why Meraki can't just send the real AP MAC in the RADIUS Called-Station-Id attribute, like other vendors, is beyond me. (They do for captive portal splash sign on, just not for MAC authentication/802.1x where they send the BSSID instead)...

 

PhilipDAth
Kind of a big deal
Kind of a big deal

I'm curious, why would you want to do that?

Basically, we are a service provider, so our customers/partners sign up to our service and configure their Meraki APs (via the dashboard) to point to our splash page and RADIUS etc.

 

Wi-Fi providers often license per AP, so the unique identifier of an AP is it's real MAC address. Therefore, a customers  Meraki AP MAC addresses are registered on our RADIUS server and we only allow traffic from these.

 

So, when an end user connects to the SSID on the AP, it will perform RADIUS authentication against our RADIUS server. For some reason, Meraki decided to send the BSSID instead of the real AP MAC, in the Called-Station-Id attribute, and thus we cannot authenticate the user because this BSSID is unknown to us, we only know the AP MAC of our customer APs.

 

However, when a customer adds their Meraki AP MAC addresses to our system, we run a script that automatically generates all the possible BSSID combinations for each real AP MAC address. Thus, when we receive this BSSID in the RADIUS request, we can allow it because we know it.

 

The problem arises for us now, because Meraki are no longer sharing how the BSSIDs on their newer MAC address ranges (in the original post) are being calculated, so we can't whitelist them on our RADIUS server.

 

I hope this makes sense 🙂

 

I just wish Meraki would send the real AP MAC address in the Called-Station-Id attribute like everyone else, and then we don't have to care about BSSID's full stop.

 

jamesw
Getting noticed

Just wondering if anyone can find out this for me?

 

Thanks!

 

J

CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Unfortunately the KB is unlikely to be updated. I personally have gone in and done the calculation several times manually to update the kb. The problem is that when we come out with a new range of OUI the calculation changes. As the number of AP that we sell as well as new models increases, we can’t keep up with a definitive list. I would like to think that my nagging about the BSSID calculation always changing is why we came out with the API for it (but probably not). 

This is in beta and the behavior WILL change and it might not even work for your particular use case. But, you might want to check out the new MR28 beta. Still probably a way out for being the stable. But the cool thing is that you can now customize the called-station-ID and NAS-ID for 802.1X connections. Now instead of using the BSSID you can specify the MAC address of the AP. (In a case of this being beta BSSID can’t be configured for the time being). 

 

Again it’s still in beta so I would report any bugs to support but it could take a while to resolve (but better to test now than to wait for stable). 

8661C973-A719-4BAA-A71B-521C63C61A69.jpeg

jamesw
Getting noticed

Thanks for your reply, and appreciate you updating the article in the past.

 

So, if what you're saying is correct, this would affect MAC authentication requests too, or just 802.1x (WPA-enterprise)? What about captive portal authentication, which already sends the real AP MAC address as Called-Station-Id?

 

What is the purpose of the option to add multiple choices for the Called-Station-Id and NAS-ID? Is this to append more than one to the attribute value (with a delimiter?), e.g. if I select #1 as AP MAC address and then #2 as SSID name it would send:

 

Called-Station-Id = 00-18-0A-11-22-33:SSIDName

 

This is definitely welcomed news, providing it doesn't mess up the existing Captive portal Called-Station-Id setup which is already good.

 

Finally, I just wish Meraki are able to send some better attributes in the 802.1x/Mac auth Access-Request, as it's so basic. Even the accounting packet has a lot more, but not the Access-Request:

 

 

Access-Request (1), id: 0xdd, Authenticator: f07ee2f820b20568bd6bc3fdd7625fc2
          User-Name Attribute (1), length: 14, Value: 001122334455
          User-Password Attribute (2), length: 18, Value:
          NAS-IP-Address Attribute (4), length: 6, Value: 192.168.96.6
          Called-Station-Id Attribute (30), length: 44, Value: 8A-15-14-AF-9A-A8:SSID
          NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
          Calling-Station-Id Attribute (31), length: 19, Value: 00-11-22-33-44-55-66

 

 

If it could include some of the same attributes like the Accounting request, for example the Meraki Vendor Specific like AP Name or even something that at least tells me its from a Meraki AP that would be good. This way I don't have to rely on figuring out BSSID's.

 

Thanks!

 

J

jamesw
Getting noticed

Having tested the new MR28 release it now sets the Called-Station-Id to the AP MAC address, and also includes a couple of extra attributes by default so that's great.

Get notified when there are additional replies to this discussion.