Mesh Security & Association Frequency

FlyingFrames
Building a reputation

Mesh Security & Association Frequency

What security & frequency does the mesh repeater choose to talk to the mesh gateway?

 

e.g. is it WPA2 PSK & 5GHz?

9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal

Mesh Probes

Each Meraki AP sends out link probe packets (known as mesh probes) at different bit rates and varying sizes. Because these packets are sent as broadcast frames, no ACK frames are needed from receiving stations. Four different types of probes at different data rates are sent in a batch of 15 seconds on both (2.4 /5 GHz) bands. All APs listen to the mesh probes and depending on the number of mesh probes correctly received, come up with a link quality metric as shown in dashboard.

 

Mesh Encryption Improvements

MR 29.1 firmware supports robust WPA3 equivalent encryption with SHA256 key for data packets between the mesh peers in 2.4/5/6GHz bands, while previous MR firmware versions (MR 27.X MR 28.X) support AES-CCM (SHA1) for mesh encryption. 

 

Full doc.

 

https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Wireless_Mesh_Networking

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thanks for the kind information.

 

So the probes are sent on both 2.4 & 5GHz. Does that mean the repeater can send association on any of the two frequencies?

 

Also, this does not explain the EAP method used. is it WPA2-PSK or based on certificates?

Mesh is secured via AES.  This has nothing to do with you client serving SSIDs. The mesh entropy depends on model of AP and FW revision, see within the same document further down:

 

TBHPTL_0-1692134207368.png

 

FlyingFrames
Building a reputation

Great. that helps me understand that the mesh link can happen on any 2.4GHz or 5GHz. But what is the authentication in play here? EAP-TLS, PEAP-MSCHAPv2 or PSK?

What's the matter the authentication? Can you explain better?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

There is no authentication between APs if that's what you want to know.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Exactly, that is what i could conclude from the packet captures.

 

There is no authentication at all between the APs. Our company wants to make sure that all wireless authentications are atleast EAP-TLS. And i have been tasked to find this for the authentication between Mesh repeaters & gateways.

 

How does this work if there is no authentication!

If your are using EAP TLS for your users that traffic is encapsulated even across the mesh link and yes the MESH link between Merkai devices is proprietary and encrypted.  The AP's mesh link and encryption has nothing to do with end user authentication and encryption. Read the document again and then set up your cipher and encryption on the SSID.  Ill bet you will see it is encrypted 

FlyingFrames
Building a reputation

Thanks for the kind help everyone. This has been amazing.

 

I am assured about the encryption. However the concern is about authenticating the Mesh repeater to the Mesh gateway.

 

Is there a possibility to upload certificates on the repeater, so that the authentication can be EAP TLS? 

 

When looking into the packets, there are no association or auth frames.

 

First there are some beacons from both ends

Then some frames of "Meraki Discovery Protocol" 300 bytes in size from the repeater

Finally some unrecognizable frames packets of 1578 bytes sent to broadcast address of ff:ff:ff:ff:ff:ff by both mesh repeater & gateway.

 

The big size of 1578 bytes makes me think its a certificate.

Is Meraki already using certificates to authenticate the mesh APs in the background?

 

If yes, we can get pass by the requirement of having them authenticate via EAP-TLS.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels