I searched bit more on the ieee site and this is what comes up for "Meraki"

Sorry, wrong end of the stick I think.

The list I posted are Meraki registered - what I am looking for, from Meraki, is how they are generating the BSSID's from the given AP MAC's, just like they publish for their other ranges in that article...

Thanks

J

I see.  You definitely need to get someone from Meraki to update that documentation then.  If no one sees your post here I would just put it into support and try to follow it through there.  I suppose this needs to flow through at least a couple different teams at Cisco to get sorted and finally an updated document.

Best.

I'll send the request to our documentation team but it can't hurt to also put in a support ticket 🙂

Thanks! I'm concerned that they won't "update" it, as per the note on the article:

Status information about each SSID advertised by an access point, including each BSSID, can also be found using the Dashboard API or using the AP details page. Please use APIs/dashboard as a primary way to retrieve BSSID information.
No new BSSID values will be added to this article moving forward.

But, this needs consideration, as Wi-Fi operators need to know how these BSSID's are being calculated. Why Meraki can't just send the real AP MAC in the RADIUS Called-Station-Id attribute, like other vendors, is beyond me. (They do for captive portal splash sign on, just not for MAC authentication/802.1x where they send the BSSID instead)...

Basically, we are a service provider, so our customers/partners sign up to our service and configure their Meraki APs (via the dashboard) to point to our splash page and RADIUS etc.

Wi-Fi providers often license per AP, so the unique identifier of an AP is it's real MAC address. Therefore, a customers  Meraki AP MAC addresses are registered on our RADIUS server and we only allow traffic from these.

So, when an end user connects to the SSID on the AP, it will perform RADIUS authentication against our RADIUS server. For some reason, Meraki decided to send the BSSID instead of the real AP MAC, in the Called-Station-Id attribute, and thus we cannot authenticate the user because this BSSID is unknown to us, we only know the AP MAC of our customer APs.

However, when a customer adds their Meraki AP MAC addresses to our system, we run a script that automatically generates all the possible BSSID combinations for each real AP MAC address. Thus, when we receive this BSSID in the RADIUS request, we can allow it because we know it.

The problem arises for us now, because Meraki are no longer sharing how the BSSIDs on their newer MAC address ranges (in the original post) are being calculated, so we can't whitelist them on our RADIUS server.

I hope this makes sense 🙂

I just wish Meraki would send the real AP MAC address in the Called-Station-Id attribute like everyone else, and then we don't have to care about BSSID's full stop.

Unfortunately the KB is unlikely to be updated. I personally have gone in and done the calculation several times manually to update the kb. The problem is that when we come out with a new range of OUI the calculation changes. As the number of AP that we sell as well as new models increases, we can’t keep up with a definitive list. I would like to think that my nagging about the BSSID calculation always changing is why we came out with the API for it (but probably not). 

This is in beta and the behavior WILL change and it might not even work for your particular use case. But, you might want to check out the new MR28 beta. Still probably a way out for being the stable. But the cool thing is that you can now customize the called-station-ID and NAS-ID for 802.1X connections. Now instead of using the BSSID you can specify the MAC address of the AP. (In a case of this being beta BSSID can’t be configured for the time being). 

Again it’s still in beta so I would report any bugs to support but it could take a while to resolve (but better to test now than to wait for stable). 

Thanks for your reply, and appreciate you updating the article in the past.

So, if what you're saying is correct, this would affect MAC authentication requests too, or just 802.1x (WPA-enterprise)? What about captive portal authentication, which already sends the real AP MAC address as Called-Station-Id?

What is the purpose of the option to add multiple choices for the Called-Station-Id and NAS-ID? Is this to append more than one to the attribute value (with a delimiter?), e.g. if I select #1 as AP MAC address and then #2 as SSID name it would send:

Called-Station-Id = 00-18-0A-11-22-33:SSIDName

This is definitely welcomed news, providing it doesn't mess up the existing Captive portal Called-Station-Id setup which is already good.

Finally, I just wish Meraki are able to send some better attributes in the 802.1x/Mac auth Access-Request, as it's so basic. Even the accounting packet has a lot more, but not the Access-Request:

Access-Request (1), id: 0xdd, Authenticator: f07ee2f820b20568bd6bc3fdd7625fc2
          User-Name Attribute (1), length: 14, Value: 001122334455
          User-Password Attribute (2), length: 18, Value:
          NAS-IP-Address Attribute (4), length: 6, Value: 192.168.96.6
          Called-Station-Id Attribute (30), length: 44, Value: 8A-15-14-AF-9A-A8:SSID
          NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
          Calling-Station-Id Attribute (31), length: 19, Value: 00-11-22-33-44-55-66

If it could include some of the same attributes like the Accounting request, for example the Meraki Vendor Specific like AP Name or even something that at least tells me its from a Meraki AP that would be good. This way I don't have to rely on figuring out BSSID's.

Thanks!

J

Having tested the new MR28 release it now sets the Called-Station-Id to the AP MAC address, and also includes a couple of extra attributes by default so that's great.