Meraki

Community

iPhones/iPad can't locate Hidden SSID?

Marc_Abaya
Getting noticed
‎May 6 2019 3:24 PM
‎May 6 2019 3:24 PM

iPhones/iPad can't locate Hidden SSID?

I set-up a hidden SSID using WPA2. My plan is to use it for select devices only and increase security by using MAC address whitelisting on the Meraki Radius. I use "Add Client" to add the MAC add on the dashboard.

 

It works but my problem is if the device has been away for a while, it can no longer connect to the hidden SSID by itself. I would need to choose "Other Neworks" and type the SSID and the password in there. Is this a normal behavior for  hidden SSID?

 

Also I need to add the client once more using "Add Client" on the Dashboard since I can no longer see that device in there. How long will they stay there?

0 Kudos
3 Replies 3
cta102
Building a reputation
‎May 7 2019 2:49 AM
‎May 7 2019 2:49 AM

What channel are you using.

 

If it's on a used on a 5GHz DFS channel then it may be worth moving to other channels.

 

A lot of clients won't send probes on DFS channels therefore the SSID won't be seen unless there is other traffic already there.

 

Of course this may not be your issue, but it's one worth being aware of and a quick thing to check.

 

I discovered this when a client insisted that their card payment terminal SSID had to be hidden for PCI compliance, but certain firmware versions simply wouldn't roam to APs using the DFS channels

In response to cta102
BrechtSchamp
Kind of a big deal
‎May 7 2019 6:41 AM
‎May 7 2019 6:41 AM

A hidden SSID still sends out beacon frames, it just doesn't contain the SSID name. Note that hidden SSIDs don't add much security. You just have to wait untill an actual client comes by and connects to know the SSID name:

https://ethicalhackingblog.com/uncovering-hidden-ssids/

 

For my understanding, your SSID is set to WPA2 (preshared key) and you enabled Sign-on splash with Meraki RADIUS in the dropdown?

 

Does the client not connect or does it connect and doesn't get access to the internet making it disconnect again?

 

The clients you add manually don't expire afaik.

0 Kudos
In response to BrechtSchamp
cta102
Building a reputation
‎May 7 2019 7:22 AM
‎May 7 2019 7:22 AM

@BrechtSchamp wrote:

A hidden SSID still sends out beacon frames, it just doesn't contain the SSID name. Note that hidden SSIDs don't add much security. You just have to wait untill an actual client comes by and connects to know the SSID name:

https://ethicalhackingblog.com/uncovering-hidden-ssids/

 

The problem is (particularly for roaming) is that some drivers (some Intel ones for sure) will not send probe packets on DFS channels, so unless there is a device already using the channel in question the client device will simply never find the SSID on that channel.

On it's own that's enough reason never use a hidden SSID, the fact that they are useless is (now to me) fairly minor compared with the strange issue they can cause.

I think I still have my logs from back in 2005 when I used to log Access points (including the hidden ones) from the top deck of a London bus and that was when the hide your SSID and limit to known MAC addresses made you super secure.


BTW the customer made up the bit about requiring the SSID to be hidden to get PCI compliance in the EU.

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.