6.2r1 Hidden SSID's, not hidden

  • 1
  • Question
  • Updated 4 years ago
  • Answered
We are using AP models 230 and 170, our previously hidden networks are no longer hidden on HiveOS 6.2r1.
Photo of Trevor Voth

Trevor Voth

  • 5 Posts
  • 1 Reply Like

Posted 4 years ago

  • 1
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
First, Hidden SSIDs is a poor practice in general. They are as secure as TSA-approved luggage locks; they only keep honest people honest.

Examine your SSID settings. Do you still have "Hide SSID (Stealth)" checked, in the Optional Settings section?

 
Photo of Trevor Voth

Trevor Voth

  • 5 Posts
  • 1 Reply Like
It appears the temporary or current fix is to unhide them via the check box shown in the previous reply, upload the config then re-hide the ssid's and re-upload the config.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
A complete configuration upload rather than a differential delta configuration upload may have worked too. Did you try this?
Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like
I have had the same problem with hidden SSID after upgrading to 6.2r1 and the solution you provided has fixed that.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Have you read the rest of this post about why you likely should not be hiding SSIDs? I am curious about your perceived use case.
Photo of Dariusz Chorzepa

Dariusz Chorzepa

  • 49 Posts
  • 1 Reply Like
Yes I have, and I agree that I should change the way I use the SSIDs. I need to get my head round how to use PPSK and implement it.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Why would you want to weaken the privacy of your clients by doing this?

http://blogs.technet.com/b/networking...
Photo of Trevor Voth

Trevor Voth

  • 5 Posts
  • 1 Reply Like
The purpose of this post was to find out if others were having the same issue I had, which was after updating to 6.2r1 our previously Hidden or Stealth SSID's were no longer set as such, they were being broadcast, despite the configuration showing that they were still hidden. My previous post already states how to fix this issue if you also run into it.
(Edited)
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I appreciate that your question is more tightly scoped, however, it is important to once in a while take a step backwards to ask ourselves what we are trying to achieve. I just wanted to ask that here as not hiding SSIDs is likely to be the more desirable outcome. I didn't want you to be doing this under a misapprehension.
(Edited)
Photo of Trevor Voth

Trevor Voth

  • 5 Posts
  • 1 Reply Like
Not a problem, the purpose for hidden ssid's in my case I work for a school and we're hidding a couple ssid's we use for AV Management. Networks which only a select number of staff use to connect to Audio/Video resources as well as another ssid we use for Apple TV's to connect to. We chose to hide these ssid's both for aesthetic purposes (not to flood student/visitor devices with connection options) as well as to keep the inquisitive students from trying to mess with what they couldn't see. (Though that wouldn't stop the determined ones, I'm aware of that, haha.)
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Have you considered that by using PPSKs or 802.1X, you could decouple the network you put clients in to (VLAN and user profile) from the SSIDs you offer allowing the number of them to be kept to a minimum? There are tangible and significant performance implications the more SSIDs you offer and you don't get any security benefit or indeed any separation with more.
(Edited)
Photo of Trevor Voth

Trevor Voth

  • 5 Posts
  • 1 Reply Like
We are currently using 802.1x for our main ssid which both students and staff use to connect to wireless with. The A/V network is only being used on access points near the devices pertinent to these resources, currently only 3 APs. Our Apple TV ssid is strictly for those in locations where we weren't able to pull wired connections to. Are there still performance implications for solely adding another ssid, even if it isn't being connected to?
(Edited)
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hidden SSIDs do not have the same performance implications but are unnecessary and have reliability and privacy issues for all clients that connect to them, privacy issues that persist long after they have connected to the SSID if-and-until the settings for that connection are removed.

For any SSIDs that are not hidden, take a look here to understand the nature of the performance issues: http://www.revolutionwifi.net/2013/10...

It sounds like all you would need for your environment is a SSID for 802.1X, a SSID for PPSK and perhaps a third SSID if you have an open network with a CWP for guest access.

Try to think about SSIDs needing to be about the authentication method only and nothing more.

There is never any need for SSIDs like School-Student, School-Staff etc.
(Edited)
Photo of Robert Martin

Robert Martin

  • 4 Posts
  • 0 Reply Likes
I had the same issue.  We use a hidden network when we are testing out new settings within our office area.  I pushed a complete config with reboot to our AP 230 and the issue went away.
Photo of Chris Phillips

Chris Phillips

  • 8 Posts
  • 0 Reply Likes
I just got off the phone with Aerohive tech support.  They are aware of this issue and are hoping to have a fix in the next software release.  (No ETA on the release.)  Until then, if the workaround mentioned at the beginning of this thread doesn't work for you (it didn't for me) then they said you can roll back your software until the fix/next release is pushed out.  Or leave it visible until then.

I still feel there is a need to hide your SSID.  If you're just running a vanilla WPA2 PSK wireless network, then yeah, there really isn't a need.  But our wireless needs to be setup manually, buy an IT staff member.  It's a WPA2 Enterprise connection using radius authentication.  Since the end user doesn't need to set this connection up, a hidden SSID doesn't add to any complexity in them trying to connect.  Also, we're a local government agency that has a large university just blocks away.  Yes, hidden SSIDs can still be hacked, but if hiding the SSID prevents some novice, knuckhead script kiddie, college kid from seeing the SSID and moving along, then even this thin, extra layer of security has it's use.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The point I was making is that you abstractly compromise privacy in a known way for no security benefit, the tangible implications of that will always be case specific.

Knowing a SSID exists does not affect the security of your network. This is because there are no additional attack vectors that you expose yourself to when you broadcast one. Casual discovery of a SSID is not something any of us need to 'protect' against. Hiding a SSID is therefore nearly always a mistake.
(Edited)
Photo of BJ

BJ, Champ

  • 374 Posts
  • 45 Reply Likes
I respectfully disagree with the generalizations. If all one is trying to do is not advertise an ssid to prevent an ignorant employee or student from connecting to their network through obscurity, then so be it. Of course this is no substitute for proper security measures, but it does keep the general population from attempting to connect to a network, or worse yet, have credential sharing within an organization when it is realized there is a network out there.

In our case, I was able to use the security by obscurity method for over a year before I had people asking me how to connect to our network.

I do understand the risks that the client is now sending beacons, but if you're in an airport and see your company SSID out there, hopefully you might think twice before connecting. 
Photo of Erik Korthof

Erik Korthof

  • 2 Posts
  • 0 Reply Likes
Does anyone know if this issue has been fixed? We downgraded the firmware of our APs to work around this issue, but now I want to know if upgrading to the current version will bring back this problem.

Hiding an SSID does not add any security to a wireless environment. But by limiting the amount of visible SSIDs you can prevent users from trying to connect to SSIDs they will never get access to. So, you might use hidden SSIDs to reduce the risk of people not being able to access services they need.
Photo of Manoah Coenraad

Manoah Coenraad, Champ

  • 72 Posts
  • 67 Reply Likes
Hello Erik,

This problem is solved in HiveOS version 6.4r1.

With regards,

Manoah coenraad
Photo of Erik Korthof

Erik Korthof

  • 2 Posts
  • 0 Reply Likes

Thanks!

Photo of Chris Phillips

Chris Phillips

  • 8 Posts
  • 0 Reply Likes
What happens if 6.4r1 isn't available for your APs?  Then what?  Do we have to continue having unhidden SSIDs?  (Using AP models AP120 and AP340.)  I've already loaded 6.4r1 onto our HIvemanager appliance (weeks ago) and it made no difference to visibility of our APs, even after pushing down a full config.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You should raise this issue with your support provider and ask for bug fixed firmware in the 6.2r1 branch for the AP120.

I still don't believe there is a legitimate use case for hidden SSIDs.

The latest version of HiveOS that that AP320/AP340 can run is 6.1r6 so there should not be an issue with those APs.
(Edited)