Wireless Encryption and Authentication Overview
The MR supports a wide variety of encryption and authentication methods, from simple open access to WPA2-Enterprise with 802.1X authentication. Encryption and authentication are configured in the MCC under the Configure tab on the Access Control page. Generally speaking, the encryption method is configured under “Association requirements”, while the authentication method is configured under “Network sign-on method”.
To associate to a wireless network, a client must have the correct encryption keys (association requirements). Once associated, the wireless client may need to enter information (network sign-on method) before accessing resources on the wireless network.
The combinations of encryption and authentication methods that are supported are as follows:
Rows are association requirements; columns are network sign-on methods.

| Association requirements | Open (direct access) | Click-through splash page | Sponsored guest login | Billing (paid access) | SMS | ISE | Endpoint management enrollment |
|---|---|---|---|---|---|---|---|
| Open (no encryption) | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Opportunistic Wireless Encryption (OWE) | ✔ | ✔ | ✔ | ✔ | ✔ | | |
| Pre-shared key (PSK) | ✔ | ✔ | ✔ | ✔ | ✔ | | |
| MAC-based access control (no encryption) | ✔ | ✔ | ✔ | ✔ | | | |
| WPA2-Enterprise with 802.1X authentication | ✔ | ✔ | ✔ | ✔ | | | |
| Identity PSK with RADIUS | ✔ | ✔ | ✔ | ✔ | ✔ | | |
| Identity PSK without RADIUS | ✔ | ✔ | ✔ | ✔ | ✔ | | |
Open System Authentication
Open mode allows any device to connect to the wireless network. The major advantage of open mode is its simplicity: any client can connect easily and without complex configuration. Open mode is recommended when there are guests who need to get onto the network or, more generally, when ease of connectivity is paramount and access control is not required.
In most environments, the administrator should ensure that wireless clients associated on an open network cannot access LAN resources, such as file shares. Administrators can control access using VLAN tagging or firewall rules.
Opportunistic Wireless Encryption
Opportunistic Wireless Encryption (OWE) gives clients an encrypted connection without asking the user to enter credentials or a password. This is accomplished through a Diffie-Hellman key exchange. After the client's association with the AP is complete, the Diffie-Hellman key exchange allows the client and AP to derive the PMK and the PMK identifier (PMKID). The PMK is then used in the 4-way handshake to generate the encryption keys that protect client traffic. OWE is specified in RFC 8110 and offers clients protection similar to SAE.
Because OWE is a replacement for "Open" authentication, there are a few items to take into consideration. End devices still do not show the SSID with any security indicator such as a padlock icon next to the SSID/wireless connection; the data encryption happens behind the scenes and is not expressly presented on the client device. As OWE does not provide authentication, there is still no authenticated identity from the client to the access point or vice versa: each participating device is simply trusted to be who it says it is.
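The derivation the previous paragraph describes, worked through as an added example (not code from the Meraki page or product): a client and an AP each do a P-256 Diffie-Hellman exchange with only the standard library and derive the PMK and PMKID the way RFC 8110 section 4.4 lays out for a SHA-256 group. The private scalars, the little-endian encoding of the group number in the HKDF salt and the use of IANA group 19 are assumptions of this example.

```python
import hashlib, hmac, secrets

# NIST P-256 (IANA group 19) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    """Affine point addition (doubling when p1 == p2); None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def pub_x(priv):
    """Only the x-coordinate is carried in the OWE Diffie-Hellman Parameter element."""
    return _mul(priv, G)[0]

def owe_pmk(priv, peer_x, client_x, ap_x, group=19):
    """RFC 8110 4.4: z = x-coordinate of the DH result; prk = HKDF-extract(C|A|group, z);
    PMK = HKDF-expand(prk, "OWE Key Generation", 256 bits); PMKID = Truncate-128(SHA256(C|A)).
    Either square root of the peer's y works: k*(x,y) and k*(x,-y) share an x-coordinate."""
    peer_y = pow((peer_x ** 3 - 3 * peer_x + B) % P, (P + 1) // 4, P)
    z = _mul(priv, (peer_x, peer_y))[0].to_bytes(32, "big")
    c, a = client_x.to_bytes(32, "big"), ap_x.to_bytes(32, "big")
    salt = c + a + group.to_bytes(2, "little")   # assumption: little-endian group id (hostapd's encoding)
    prk = hmac.new(salt, z, hashlib.sha256).digest()                                # HKDF-extract
    pmk = hmac.new(prk, b"OWE Key Generation" + b"\x01", hashlib.sha256).digest()  # HKDF-expand, one block
    return pmk, hashlib.sha256(c + a).digest()[:16]

def demo(client_priv=None, ap_priv=None):
    """Both sides derive the same PMK/PMKID; neither private scalar leaves its owner."""
    client_priv = client_priv or secrets.randbelow(N - 1) + 1   # constructed keys
    ap_priv = ap_priv or secrets.randbelow(N - 1) + 1
    cx, ax = pub_x(client_priv), pub_x(ap_priv)
    return owe_pmk(client_priv, ax, cx, ax), owe_pmk(ap_priv, cx, cx, ax)
```

Note that the PMKID depends only on the two public keys, so it identifies the cached PMK without revealing anything about the shared secret.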
See our WPA3 Encryption and Configuration Guide on how to configure OWE.
Pre-Shared Keys
A pre-shared key (PSK) allows anyone who has the key to use the wireless network.
Wired Equivalent Privacy (WEP) is the original 802.11 pre-shared key mechanism, utilizing RC4 encryption. WEP is vulnerable to being hacked: the encryption key can be derived by an eavesdropper who sees enough traffic. Only use WEP if it is not possible to utilize more advanced security, for instance when there are legacy client devices in the network that do not support WPA/WPA2.
See the WEP Configuration guide on how to configure WEP encryption on a SSID.
WPA- and WPA2-Personal (Wi-Fi Protected Access) use stronger encryption than WEP. (WPA-Personal uses TKIP with RC4 encryption, while WPA2-Personal uses AES encryption.) WPA2-Personal is preferred.
Though it requires some client-side configuration, a PSK is relatively easy to configure. It can be a good choice when there is a small number of users or when clients do not support more sophisticated authentication mechanisms, such as WPA2-Enterprise. A deployment based on a PSK does not scale well, however. With a large number of users, it becomes more difficult to change the PSK, an operation that should be performed periodically to ensure that the PSK has not been shared with unwanted users.
See the WPA Configuration guide on how to configure WPA encryption on a SSID.
MAC-based Access Control
MAC-based access control admits or denies wireless association based on the connecting device’s MAC address. When a wireless device attempts to associate, the Meraki AP queries a customer-premise RADIUS server with an Access-Request message. The RADIUS server can admit or deny the device based on the MAC address, responding to the Meraki AP with either an Access-Accept message or an Access-Reject message, respectively.
This authentication method requires no client-side configuration. However, it suffers from a poor user experience. Wireless clients that are denied wireless association simply cannot connect to the SSID, and they do not receive any explicit notification about why they cannot connect.
If this authentication method is selected, at least one RADIUS server must be configured on the Access Control page in the “RADIUS for MAC-based access control” section. This section includes a test tool that simulates the wireless device connecting to every Meraki AP in the network.
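The Access-Request / Access-Accept / Access-Reject exchange described above, as an added example (not Meraki or RADIUS-server code) built from RFC 2865 with only the standard library: the AP side forms the request, the RADIUS side decides against an allow list, and the AP side checks the Response Authenticator before honouring the verdict. The shared secret, NAS IP, MAC list and the assumption that the MAC is sent as both User-Name and User-Password are constructed for this example.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31

def _attr(kind, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([kind, len(value) + 2]) + value

def _hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def access_request(mac, secret, ident, nas_ip=bytes([10, 0, 0, 1])):
    """AP side. Assumption: the MAC is sent as both User-Name and User-Password."""
    req_auth = os.urandom(16)                         # fresh Request Authenticator per request
    attrs = (_attr(USER_NAME, mac.encode())
             + _attr(USER_PASSWORD, _hide_password(mac.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, nas_ip) + _attr(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(pkt):
    """Walk the TLVs after the 20-byte header into {type: value}."""
    attrs, i = {}, 20
    while i < len(pkt):
        kind, length = pkt[i], pkt[i + 1]
        attrs[kind] = pkt[i + 2:i + length]
        i += length
    return attrs

def radius_decide(req, secret, allowed_macs):
    """RADIUS side: Access-Accept if the Calling-Station-Id is on the allow list, else Access-Reject.
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    if code != ACCESS_REQUEST or length != len(req):
        return None
    mac = parse_attrs(req).get(CALLING_STATION_ID, b"").decode(errors="replace").lower()
    head = struct.pack("!BBH", ACCESS_ACCEPT if mac in allowed_macs else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req[4:20] + secret).digest()

def verdict(resp, req, secret):
    """AP side: return the reply code only if its ID and Response Authenticator match, else None."""
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    return resp[0] if resp[1] == req[1] and resp[4:20] == expected else None
```

A reply whose code has been altered in transit, or that was produced with a different shared secret, fails the authenticator check and is discarded rather than treated as an Access-Accept.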
See the MAC-based Access Control Configuration guide on how to get started with MAC-based access control.
WPA2-Enterprise with 802.1X Authentication
802.1X is an IEEE standard framework for encrypting and authenticating a user who is trying to associate to a wired or wireless network. WPA-Enterprise uses TKIP with RC4 encryption, while WPA2-Enterprise adds AES encryption.
802.1X can be transparent to wireless users. For example, Windows machines can be configured for single sign-on, such that the same credentials a user enters to log into their machine are passed automatically to the authentication server for wireless authentication. The user is never prompted to re-enter their credentials.
802.1X utilizes the Extensible Authentication Protocol (EAP) to establish a secure tunnel between participants involved in an authentication exchange. The MR supports multiple EAP types, depending on whether the network is using a Meraki-hosted authentication server or a customer-hosted authentication server. The following table shows the EAP types supported by the MR access points:
WPA2-Enterprise with 802.1X authentication is configured to use a customer-hosted on-premises Custom RADIUS server. The RADIUS server must be configured to allow authentication requests from the IP addresses of the Meraki access points.
802.1X is typically only performed once a user’s credentials have been entered into the machine.
Identity PSK with RADIUS
Please refer to this document which explains IPSK with RADIUS in detail.
Identity PSK without RADIUS
Please refer to this document which explains IPSK without RADIUS in detail.
Identity Sources
WPA2-Enterprise requires an identity source in order to authenticate users when they connect to the network. Each access point interfaces with the identity source at the time of client association. Below are the identity sources that can be used with WPA2-Enterprise.
- Meraki RADIUS (cloud hosted)
  - Network-wide users can connect and log in with PEAP and EAP-TTLS
  - Systems Manager Sentry WiFi Security configures endpoint devices to connect with EAP-TLS
- Custom RADIUS (customer hosted)
  - Cisco Identity Services Engine (ISE)
  - FreeRADIUS
  - Juniper Steel-Belted RADIUS or UAC
  - ForeScout CounterACT
  - Aruba ClearPass