Wi-Fi 6 is designed to support a modern world of hyper-connectivity. While exciting, this digital world will also see more challenges such as high client density, IoT everywhere, and more high-bandwidth requirements. This leads to increasing demands on the network, and organizations relying on connectivity more than ever before. One of the most important challenges a network faces is maintaining the relationship between the clients and the wireless network.
Many will agree that a great relationship is built on a strong foundation. For the wireless network, this foundation might be careful capacity planning and a proper site survey. But, even with a strong foundation, relationships between wireless clients and the network can hit rough patches. Without knowing the root cause of the problem, it can be hard to improve that relationship.
Many wireless network engineers today spend at least a day every week troubleshooting Wi-Fi. This can be due to lack of visibility, increased network complexity, and human error. Time spent troubleshooting is a missed opportunity, as those countless hours could have been spent transitioning IT to meet modern organizational needs.
Visibility beyond wireless
This week, we are adding new capabilities and visibility to the Meraki dashboard to help simplify troubleshooting. Users can now pinpoint issues more quickly, and ensure excellent connectivity for clients. These updates are designed to not only provide insights about the health of Wi-Fi clients, but also to provide end-to-end visibility. Enhanced visibility will now allow for immediate identification of whether wireless is problematic, or if, for example, an upstream device is misconfigured.
Cisco research reveals that 63% of users blame the wireless network for problems, while the issue could be elsewhere. Now, network admins can gain insight and focus precious time on the actual root cause.
Once problematic clients or access points are identified, new snapshots are available to help quickly remedy the root cause. Users can now view wireless health metrics as they navigate through their dashboard. From an individual client’s page, a user can immediately assess the health of that specific client.
Below is an example of how to troubleshoot a troublesome wireless client with Meraki:
The end-to-end visibility snapshot, health snapshots for individual access points and clients, as well as updated event logs are all available today for Meraki Wireless users. These new metrics and capabilities, along with the centralized Wireless Health engine make the process of optimizing connectivity simple.
The last decade has seen Wi-Fi grow to reach shocking milestones, with over $2 trillion of economic value delivered. This new decade is on track to be the era of Wi-Fi dominance, as 59% of all internet traffic will use the technology. The next 10 years will see new device types, and diverse high-density wireless environments, which is why we want to offer an expanded range of Wi-Fi 6 options. The Meraki Wi-Fi 6 portfolio, combined with Wireless Health and our recent security innovations, will help organizations prepare for a reliable and secure wireless future.
Today, we are introducing three new wireless access points to the Cisco Meraki lineup:
The MR56 is our best-in-class 8×8 Wi-Fi 6 access point, designed for ultra high-density, and ultra high-performance.
MR46 is our newest 4×4 Wi-Fi 6 access point, which will serve high-density, high-performance environments.
MR36 is Cisco’s first 2×2 Wi-Fi 6 access point, designed for high-performance requirements, and large scale deployments with an eye on value.
The three Wi-Fi 6 models feature all of the newest 802.11ax capabilities, including OFDMA and MU-MIMO for both downlink and uplink. These features are critical for environments with large amounts of wireless clients and high bandwidth requirements. For example, Meraki access points at the U.S. Open last year saw vast amounts of uplink traffic, as 200,000 attendees uploaded photos and videos to social media and iCloud.
The Meraki cloud will help deliver Wi-Fi 6 at scale across distributed sites and large quantities of mobile devices. Armed with Wi-Fi 6, IT admins can meet performance levels across a broad range of challenging Wi-Fi environments. For example, 4K video or new applications such as VR and AR require extremely low latency wireless. These new access points will provide an immersive wireless experience for those using these emerging technologies. Wi-Fi 6 delivers this performance, even in dense environments such as corporate headquarters, auditoriums, event halls, or retail stores.
We are excited to see what new possibilities await for device mobility across a broad range of use cases and environments. New decade, new possibilities!
To learn more, join us on an upcoming wireless webinar, or try out one of the new Wi-Fi 6 devices via free trial.
We may not see it or feel it, but it’s happening. IoT devices are growing in number all around us, and improving our lives. Sensors help organizations streamline operations at a hospital, and point-of-sale devices improve our experience at the local coffee shop. But, securing IoT can be complicated, especially when contending with outdated devices, and deploying them across multiple sites. IoT devices typically lack 802.1X support and can be hacked in 5 minutes on average. In our recent “Security Made Simple” launch, we discussed a new feature called Identity PSK that simplifies IoT security.
A better way of securing IoT
Many IoT devices are not compatible with 802.1X, leaving IT admins no choice but to use WPA2 or a pre-shared key for authentication. Unfortunately, both methods come with well-documented security flaws. Identity PSK provides a way to assign users and devices unique keys, build identity-based groups, and scale them across the network. For example, a hospital might have wireless infusion pumps and patient monitoring tools for which they would like to apply different group policies. With IPSK, the hospital IT administrator can now assign those devices unique groups and separate VLANs. The IT admin will also be able to reset or change the keys on entire groups of devices at the same time.
With IPSK, it will become easier to secure devices across multiple industries. An IT admin at a manufacturing plant will segment barcode scanners and sensors into different groups. Retail point-of-sale devices and smart thermostats will connect to one SSID, yet have different security policies. On a college campus, gaming devices, RFID card readers, and printers are easily segmented when connecting to Wi-Fi. Hotels can onboard wireless users quickly and provide granular control over their access in a more simple and secure way.
Configuring Identity PSK
Identity PSK provides the simplicity of PSK with the benefits of 802.1X, and is available today in the Meraki dashboard. Configuration is located in the wireless access control section of the dashboard. The current implementation uses a RADIUS server for authentication, allowing organizations to leverage existing services such as Cisco ISE. When a client associates to a Meraki access point, the AP will send the MAC address of the device to the RADIUS server. The RADIUS server is able to respond with the PSK, which then allows the access point to authenticate the device.
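The lookup flow described above, sketched as an added example (not Meraki's or Cisco ISE's code). The SSID, MAC addresses, keys, group names and VLAN IDs are constructed, and a dictionary stands in for the RADIUS server's device table:

```python
import hashlib
import hmac
import secrets

SSID = "Hospital-IoT"  # constructed SSID

# Constructed stand-in for the RADIUS server's table: MAC -> PSK, group, VLAN.
DEVICES = {
    "00:11:22:33:44:01": {"psk": "pump-key-7fQ2xLm9", "group": "infusion-pumps", "vlan": 110},
    "00:11:22:33:44:02": {"psk": "pump-key-Zk41vTe8", "group": "infusion-pumps", "vlan": 110},
    "00:11:22:33:44:10": {"psk": "monitor-key-Hd83nW", "group": "patient-monitors", "vlan": 120},
}

def normalize_mac(mac):
    """Accept aa-bb-.., aabb.ccdd.eeff or AA:BB:..; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def derive_pmk(psk, ssid=SSID):
    """WPA2-Personal key derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)

def radius_lookup(mac):
    """RADIUS side: return the record for this MAC, or None (reject) if unknown."""
    return DEVICES.get(normalize_mac(mac))

def ap_authorize(mac, client_psk):
    """AP side: return the group and VLAN to apply, or None if the client is refused.
    Simplification: a real AP checks the key through the WPA2 4-way handshake;
    comparing derived PMKs here stands in for that proof of possession."""
    record = radius_lookup(mac)
    if record is None:
        return None
    if not hmac.compare_digest(derive_pmk(record["psk"]), derive_pmk(client_psk)):
        return None
    return {"group": record["group"], "vlan": record["vlan"]}

def rotate_group(group):
    """Issue a fresh unique key to every device in one group; return MAC -> new key."""
    new_keys = {}
    for mac, record in DEVICES.items():
        if record["group"] == group:
            record["psk"] = new_keys[mac] = secrets.token_urlsafe(16)
    return new_keys
```

Because each key is bound to one MAC address, a key taken from one device does not admit a different device, and rotating one group leaves the other groups on the same SSID untouched.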
You can learn more here about how Meraki is simplifying security for every layer of the network, from client to application. For a further deep dive on Meraki Wireless, join us for an upcoming live webinar.
The pace at which new security threats are being introduced and propagated online has reached exponential levels, gaining speed with each passing year. Organizations have more locations and devices to protect, and threats are using many different ports to try to gain access or exfiltrate data. Security teams are often understaffed and struggle with complex, siloed systems that do not integrate or share intelligence in a programmatic way. These teams need solutions that are easy to deploy, simple to manage, can scale exponentially, and can integrate with other tools.
Securing your wireless users from malicious attacks — particularly these “DNS blind spots” that exist in many networks and are exploited by 97% of advanced malware — is of paramount importance. Unfortunately, recent surveys indicate that 75% of organizations do not actively monitor and apply security for DNS.
It is within this context that we are excited to announce support for integration between Meraki MR wireless access points (APs) and Cisco Umbrella (formerly OpenDNS).
Umbrella is the industry’s first secure internet gateway, a cloud-delivered first line of defense against threats like malware, ransomware, and phishing. Umbrella enforces security at the DNS layer by identifying requested web domains hosting nasty stuff (malware, phishing, etc.) and blocking end-user access to them. Umbrella also enables more secure DNS querying through a tool called DNSCrypt, which automatically encrypts DNS queries between your network and Umbrella’s servers, effectively eliminating the chance that your queries will be the victim of eavesdropping or man-in-the-middle (MITM) attacks. This secures the “last mile” of a client’s internet connection, which is often left exposed and vulnerable.
There is no additional cost or charge for taking advantage of this integration (which is available to all Meraki wireless customers who have upgraded to our latest MR26.x firmware), but Meraki wireless customers who wish to integrate with Umbrella will need a separate Umbrella license and account with that service.
Enabling Umbrella integration
So, what does this mean for admins of Meraki wireless networks? This integration with Umbrella enables Meraki admins who obtain Umbrella licenses (WLAN, Professional, Insights, or Platform) to seamlessly assign DNS filtering via Meraki group policy or SSID to specific subsets of wireless clients, or to them all.
Enabling Umbrella integration takes only a few steps. First, the Meraki and Umbrella dashboards must be linked via the Umbrella Network Devices API key. Once this API key is generated from within the Umbrella dashboard, it needs to be copied into the Meraki dashboard by navigating to Network-wide > General.
Enabling Meraki + Umbrella integration within the Meraki dashboard.
Once the Meraki and Umbrella dashboards have been configured, linking a Meraki SSID or group policy to an Umbrella security policy is easy (note: Meraki group policies must be set to use ‘Custom SSID Firewall & Shaping Rules’ to link an Umbrella policy to them). After this initial setup, a unique identifier is generated behind the scenes for the specified Meraki SSID or group policy and is used by Umbrella to determine how to evaluate traffic from that Meraki network moving forward.
To link a Meraki SSID to an Umbrella policy, navigate to the Wireless > Configure > Firewall & Traffic Shaping section of the Meraki dashboard. There, you will find a button to link Umbrella policies.
Linking an Umbrella policy to a Meraki SSID.
By default, the last policy physically listed in the Umbrella dashboard’s ordered policy list will be inherited by a Meraki SSID unless a different policy is selected from the dropdown list.
To link a Meraki group policy to an Umbrella security policy, navigate to the Network > Configure > Group policies page in the Meraki dashboard and choose the specific Meraki group policy that you want to link. Under the ‘Layer 7 firewall rules’ section of that policy, you’ll be able to choose which Umbrella policy you’d like to apply.
Applying an Umbrella DNS policy to the Meraki ‘VIP Umbrella Clients’ group policy.
Once a Meraki SSID or group policy has been successfully linked to an Umbrella security policy, clients that connect to that SSID or have that group policy applied will have their DNS queries encrypted (if the AP supports 802.11ac) and verified against the corresponding Umbrella policy. Encrypting DNS queries between Meraki APs and Umbrella DNS endpoints helps secure the ‘last mile’ of client web browsing and protects against devastating MITM attacks or packet snooping that can reveal which websites client devices are browsing.
An example Umbrella policy may prohibit access to known malicious web domains or websites that host specific types of content, like gambling or peer-to-peer domains. If the client’s request for access to a given website is allowed, Umbrella will return an encrypted DNS response with the appropriate IP address. If the request is denied, then an encrypted DNS response pointing to the Umbrella block page will be returned instead.
Taken together, Meraki wireless and Umbrella integration provide a significantly more robust security framework for IT admins looking to protect clients from web threats in a more proactive way. Instead of waiting for a malicious site to infect a machine and then using tools like antivirus to detect and remediate, Meraki MR customers can rest easy knowing that they are protected from ever reaching harmful sites in the first place.
Interested customers should contact Meraki Support to have this feature enabled. This feature requires an early-release MR firmware version that can be enabled with Meraki support assistance.
Many of you have expressed interest in our new Location Services, which allow enterprise customers to determine the location of WiFi clients without additional hardware. We’re therefore holding a quick, informal webinar on Friday, during which we’ll talk a bit about how this feature works under the covers, do a live demo, and hold Q&A. The webinar runs just 15 minutes, so it’s a great quick way to learn about this new feature. You can register (for free, of course) here.