https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485368#M296439 <P>Exactly, that is what i could conclude from the packet captures.</P><P>There is no authentication at all between the APs. Our company wants to make sure that all wireless authentications are atleast EAP-TLS. And i have been tasked to find this for the authentication between Mesh repeaters &amp; gateways.</P><P>How does this work if there is no authentication!</P> Wed, 16 Aug 2023 02:49:04 GMT flyingframes 2023-08-16T02:49:04Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485361#M296432 <P>What security &amp; frequency does the mesh repeater choose to talk to the mesh gateway?</P><P>e.g. is it WPA2 PSK &amp; 5GHz?</P> Tue, 15 Aug 2023 16:46:58 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485361#M296432 flyingframes 2023-08-15T16:46:58Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485362#M296433 <H3 id="toc-hId-1448194753">Mesh Probes</H3><P>Each Meraki AP sends out link probe packets (known as mesh probes) at different bit rates and varying sizes. Because these packets are sent as broadcast frames, no ACK frames are needed from receiving stations. Four different types of probes at different data rates are sent in a batch of 15 seconds on both (2.4 /5 GHz) bands. All APs listen to the mesh probes and depending on the number of mesh probes correctly received, come up with a link quality metric as shown in dashboard.</P><H3 id="toc-hId--1103962208">Mesh Encryption Improvements</H3><P>MR 29.1 firmware supports robust WPA3 equivalent encryption with SHA256 key for data packets between the mesh peers in 2.4/5/6GHz bands, while previous MR firmware versions (MR 27.X MR 28.X) support AES-CCM (SHA1) for mesh encryption. </P><P>Full doc.</P><P><A href="https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Wireless_Mesh_Networking" target="_blank" rel="noopener nofollow noreferrer">https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Wireless_Mesh_Networking</A></P> Tue, 15 Aug 2023 16:59:16 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485362#M296433 aleabrahao 2023-08-15T16:59:16Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485363#M296434 <P>Thanks for the kind information.</P><P>So the probes are sent on both 2.4 &amp; 5GHz. Does that mean the repeater can send association on any of the two frequencies?</P><P>Also, this does not explain the EAP method used. is it WPA2-PSK or based on certificates?</P> Tue, 15 Aug 2023 17:27:45 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485363#M296434 flyingframes 2023-08-15T17:27:45Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485364#M296435 <P>Mesh is secured via AES. This has nothing to do with you client serving SSIDs. The mesh entropy depends on model of AP and FW revision, see within the same document further down:</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TBHPTL_0-1692134207368.png" style="width: 400px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/271944i373AEE303175F676/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P> Tue, 15 Aug 2023 21:19:41 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485364#M296435 DainBrammage 2023-08-15T21:19:41Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485365#M296436 <P>Great. that helps me understand that the mesh link can happen on any 2.4GHz or 5GHz. But what is the authentication in play here? EAP-TLS, PEAP-MSCHAPv2 or PSK?</P> Wed, 16 Aug 2023 00:44:24 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485365#M296436 flyingframes 2023-08-16T00:44:24Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485366#M296437 <P>What's the matter the authentication? Can you explain better?</P> Wed, 16 Aug 2023 00:50:14 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485366#M296437 aleabrahao 2023-08-16T00:50:14Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485367#M296438 <P>There is no authentication between APs if that's what you want to know.</P> Wed, 16 Aug 2023 01:08:27 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485367#M296438 aleabrahao 2023-08-16T01:08:27Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485368#M296439 <P>Exactly, that is what i could conclude from the packet captures.</P><P>There is no authentication at all between the APs. Our company wants to make sure that all wireless authentications are atleast EAP-TLS. And i have been tasked to find this for the authentication between Mesh repeaters &amp; gateways.</P><P>How does this work if there is no authentication!</P> Wed, 16 Aug 2023 02:49:04 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485368#M296439 flyingframes 2023-08-16T02:49:04Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485369#M296440 <P>If your are using EAP TLS for your users that traffic is encapsulated even across the mesh link and yes the MESH link between Merkai devices is proprietary and encrypted. <U><EM><STRONG>The AP's mesh link and </STRONG><SPAN><STRONG>encryption</STRONG></SPAN><STRONG> has nothing to do with end user authentication and encryption.</STRONG> </EM></U>Read the document again and then set up your cipher and encryption on the SSID. Ill bet you will see it is encrypted </P> Wed, 16 Aug 2023 04:14:46 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485369#M296440 DainBrammage 2023-08-16T04:14:46Z https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485370#M296441 <P>Thanks for the kind help everyone. This has been amazing.</P><P>I am assured about the encryption. However the concern is about authenticating the Mesh repeater to the Mesh gateway.</P><P>Is there a possibility to upload certificates on the repeater, so that the authentication can be EAP TLS? </P><P>When looking into the packets, there are no association or auth frames.</P><P>First there are some beacons from both ends</P><P>Then some frames of "Meraki Discovery Protocol" 300 bytes in size from the repeater</P><P>Finally some unrecognizable frames packets of 1578 bytes sent to broadcast address of ff:ff:ff:ff:ff:ff by both mesh repeater &amp; gateway.</P><P>The big size of 1578 bytes makes me think its a certificate.<BR /><BR />Is Meraki already using certificates to authenticate the mesh APs in the background?</P><P>If yes, we can get pass by the requirement of having them authenticate via EAP-TLS.</P> Wed, 16 Aug 2023 04:32:32 GMT https://community.cisco.com/t5/wireless/mesh-security-association-frequency/m-p/5485370#M296441 flyingframes 2023-08-16T04:32:32Z