Sunday, February 24, 2019

Wireless "OPEN" Authentication Layer 2



We have created an SSID, and now we need some kind of security: with the SSID as created, anyone can connect with no password or encryption. This means that anyone who does a packet capture over the air can see all the packets in the clear.

But, authentication? Authentication with what, or where? Fear not, we will explain everything.

There are different kinds of authentication and encryption, and they don't always go together: we can have authentication at Layer 2 and Layer 3, but this does not mean we will have encryption.

There are use cases for everything.

In this entry we are going to focus on "OPEN" Layer 2 authentication first.

Meraki has made things easy for us with some of these authentication types.

First we need to head to "Wireless > Access Control". Once there, the first block presented on the page is our Layer 2 authentication; I have highlighted it below just to make it clear.






As you can see, Meraki has actually put the words "(no encryption)" next to the Layer 2 authentication options that do not have any encryption.

The first authentication option we can see is "Open"; this is the default setting a newly created SSID gets.

In the wireless world we need to understand the association to the access point itself; therefore, I will explain below how the 802.11 protocol works.

When the SSID we created is "enabled", the access point will start sending beacons. This packet is meant to tell the stations (our client devices) that there is an SSID available, announcing its own properties, for example bitrate, encryption, name, channels and more.

I have created an SSID with open authentication called "J-VALENTINE", and below I will show you the beacon it is broadcasting.



Once we have our SSID announcing itself over the air, thanks to the beacons, the client will go through the following process, as per the 802.11 protocol.


I have used a "me" as the STA (station), since it can be anything that supports wireless; this is not tied to a cellphone or PC, it is any wireless client that wants to associate.

In order to associate and start sending and receiving data, at least this process needs to complete.

Step 1.- Probe request (STA). This packet is actually saying: "Hey, I see your beacon and I support the following data rates and have the following capabilities, can we talk?"



Step 2.- Probe response (AP). The access point sees this request and the question, and if everything matches and they have values in common it says: "Of course we can talk, my dear friend, since we are using the same language; however, let's make sure every word means the same and we are not talking at the same time, and other stuff".

Step 3.- Authentication request (STA). This is just part of the protocol. As you can see below, the sequence sent is "1".




Step 4.- Authentication response (AP). The STA has sent a 1, so we should send a "2" just to say it is OK, let's continue.

It is very important for us not to confuse this first authentication on association with the encryption authentication.

This authentication is just per protocol and it has a null value; it usually just uses sequence 1 on the request and 2 on the response.

Step 5.- Association request (STA). OK, so we are good, let's talk; here is the time I am going to use to talk and how often I am going to sleep, just to save power. Also, I can support the following features.



Step 6.- Association response (AP). OK, looks like everything matches. I will try not to bother you while you sleep. Also, we can talk using this method and speed, and I will use or not use the following features.

Everyone is happy now, we are able to send DATA.
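
The six steps above can be checked in a packet capture. As an added example (not part of the original post), this Python code decodes raw 802.11 management frames, reads the SSID and the Privacy (encryption) bit from a beacon, and confirms that a station joined with Open System authentication (algorithm 0, sequence 1 then 2). The frames, MAC addresses and function names are constructed for illustration.

```python
import struct

KINDS = {0x00: "assoc-req", 0x10: "assoc-resp", 0x40: "probe-req",
         0x50: "probe-resp", 0x80: "beacon", 0xB0: "auth"}  # key: frame-control byte 0
JOIN_ORDER = ["probe-req", "probe-resp", "auth", "auth", "assoc-req", "assoc-resp"]

def read_ssid(tags: bytes) -> str:
    """Walk the tagged parameters and return tag 0 (the SSID)."""
    i = 0
    while i + 2 <= len(tags):
        if tags[i] == 0:
            return tags[i + 2:i + 2 + tags[i + 1]].decode(errors="replace")
        i += 2 + tags[i + 1]
    return ""

def parse_mgmt(frame: bytes) -> dict:
    """Decode one 802.11 management frame (no radiotap header, no FCS)."""
    info, body = {"kind": KINDS.get(frame[0], "other")}, frame[24:]  # 24-byte MAC header
    if info["kind"] == "auth":            # algorithm, sequence, status
        info["algorithm"], info["seq"], info["status"] = struct.unpack_from("<HHH", body)
    elif info["kind"] in ("beacon", "probe-resp"):
        cap = struct.unpack_from("<H", body, 10)[0]   # after timestamp + interval
        info["privacy"] = bool(cap & 0x0010)          # False: no encryption
        info["ssid"] = read_ssid(body[12:])
    elif info["kind"] == "assoc-resp":    # capability, status, association ID
        info["status"] = struct.unpack_from("<H", body, 2)[0]
    return info

def open_join_completed(frames) -> bool:
    """True if the frames show steps 1-6 in order with Open System auth."""
    seen = [p for p in map(parse_mgmt, frames) if p["kind"] != "beacon"]
    if [p["kind"] for p in seen] != JOIN_ORDER:
        return False
    req, resp = seen[2], seen[3]          # algorithm 0 = Open System
    return (req["algorithm"] == resp["algorithm"] == 0 and req["seq"] == 1
            and resp["seq"] == 2 and resp["status"] == 0 and seen[5]["status"] == 0)

def build(subtype: int, dst: bytes, src: bytes, body: bytes) -> bytes:  # sample frames only
    return bytes([subtype << 4, 0]) + bytes(2) + dst + src + AP + bytes(2) + body

# Constructed sample frames (not a real capture); MAC addresses are made up.
STA, AP, ALL = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
TAGS = b"\x00\x0bJ-VALENTINE"                                 # tag 0, length 11
AP_INFO = bytes(8) + struct.pack("<HH", 100, 0x0001) + TAGS   # ESS bit, no Privacy
CAPTURE = [build(8, ALL, AP, AP_INFO), build(4, ALL, STA, TAGS), build(5, STA, AP, AP_INFO),
           build(11, AP, STA, struct.pack("<HHH", 0, 1, 0)),           # auth, sequence 1
           build(11, STA, AP, struct.pack("<HHH", 0, 2, 0)),           # auth, sequence 2
           build(0, AP, STA, struct.pack("<HH", 0x0001, 10) + TAGS),   # listen interval 10
           build(1, STA, AP, struct.pack("<HHH", 0x0001, 0, 0xC001))]  # status 0, AID 1
```

Feed it the management frames of a single station with the radiotap header stripped; any other frame type in the list breaks the expected order and the check returns False.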

As always, the official Meraki documentation is here.


Cheers!









Sunday, February 17, 2019

Creating an SSID

So, we need a wireless network.

First of all we need to create, or in the Meraki world, actually name and enable, an SSID.

An SSID, you say? What is that?

Well, SSID stands for "Service Set IDentifier" and basically, it is what you would see in your wireless networks when you are looking on your phone or on your PC. It is so much more than that, but I will try to make it simple.

In the Meraki dashboard, once we have added an access point, we can see "Wireless" on the left; hover over it and you will see "SSIDs".


Click on it and we will see the following:


Meraki has a maximum of 15 SSIDs that can be configured.

Here, just select one of them, click on rename, and type a name for your SSID; this will be the name broadcast by your access point.

Once that is done, click on the drop-down menu where it says "Disable" and you can actually enable this SSID.

With only these steps, by default, you get a Wireless Local Area Network (WLAN) where you can connect with no password (Open authentication) and get an IP (NAT mode).

So if you do not require any kind of security and you just want access to the internet, with only these simple steps you can achieve it.

The WLAN will be broadcast on all the access points by default.

By the way, I have not found any way to delete an SSID; you can always reconfigure it, but it would be nice to have a "make it default" button or something like that, so I will just make a wish for that, and who knows, maybe I will be heard.

But if you require a few more settings and a ton more security, check out our next entry.

As always, here is the official Meraki doc.

Sunday, February 3, 2019

Creating a network.

So, we are done with the dashboard account.

In Meraki they have the concept of networks within organizations, so what we did on the dashboard was actually create an organization.

Within that organization, we will create networks.

But what is a network?

Well, here is where you will put all your devices. The only restriction is that you can only have a single security appliance... which makes sense, right? Since this will represent a single network, we will only have a single piece of last-hop equipment before our internet access.

Having said that, you can add as many access points, switches and cameras as you want. I am not including Systems Manager, since that is handled in its own network.

So let's get to it.

Log into your dashboard. On the left you will see "Network"; you need to click on that drop-down menu and select "Create a new network" (pretty straightforward, isn't it?)


You will be presented with the following:


So, if you want to have all your devices on this network, just select "combined" as the network type. This will present some challenges only for the security appliance, but I will not talk much about this until later posts. For your access points, switches and cameras, it should be fine.

Also, a combined network will require you to add a security appliance.

Since this is your first network, just select the default Meraki configuration; otherwise, there are templates from which you can get similar settings for different networks, or you can also clone all settings from an existing one.

At the bottom you can either add devices you have already claimed to your network or claim them at this moment. If you did not choose a combined or security appliance network, you can click on create network and get redirected to your new network; otherwise, adding the appliance is a must before continuing.

I created a blank wireless one, just to show what it would look like.


That should get us going. We are just missing the fun part, that is right: the devices themselves!

But that will be in the next entry.

As always, you can find Meraki documentation here.

Cheers!

Let's get started.

So you have gotten your equipment!

Well, once you get your equipment, we are ready to start, right?

Well... not quite yet.

First of all, this is a cloud managed technology, so there must be a way to get to the cloud...

The first thing we want to do is to go to https://dashboard.meraki.com.

You will be presented with a web page like the one shown below.


At this point, most likely you will have no account for the dashboard, so we will create a new one.

Click on "Create an account".

Select the right server for your region, basically the closest to you, I would say.

We will be presented with the next web page; just fill in every box and make sure you will remember your password. Your email is also important, since you will get a confirmation email there.

So, once you've verified you are not a robot ready to take over mankind, you should see the following window:


Go to your email; a new e-mail from Meraki will be in your inbox. In my case I could not directly click the link, so I just copied it and pasted it into a browser to confirm the email.

And... we are ready! Go back to https://dashboard.meraki.com and, if you are not logged in yet, just type the provided email and password and click log in.


We've got our dashboard now! But we are not ready yet...

We need to create a network to start having some fun; I will explain that in the next entry.

Here is the official guide, by the way.



Cheers!

So... a little about me.


My name is Rodrigo Osorio Porras; I actually studied electronics engineering.

I was not in touch with networking until my professional life required it, and there I fell in love with it.

I have always been self-taught, and of course, the way to start in this world would be CCNA R&S, so in 2016 I got it :).

Later, I changed employer and started getting into the world of wireless, so in 2017 I got the CCNA Wireless. 

And with the gained expertise and hunger to learn a bit more, in August 2018, I finally achieved my CCIE Wireless.

Right now I am working with Meraki technology, which is a fascinating world. 

That is the reason for this blog: to help me learn, and I will do my best so that you might find it of some help.

Anyway I will try to make a post any chance I get, starting with basics and going as deep as I can.

I will start with wireless since I feel more comfortable in that area, but my intention is to understand Meraki Security application and switches solution.

Wish you the best, and hope you don't get bored in this journey.