I am personally about to get my first MT system (from Eje) to enhance the security of my network.

With that said, I have found that the internal MAC authentication works VERY well. I obviously have WEP enabled as well...together is very effective. I don't care what people say about airSnort breaking WEP and such. The fact is, most freeloaders will just keep moving along looking for the open networks (plenty of them in my area). So...why would they care to break my WEP, and then spoof someone's MAC and IP??? Too much work. BTW...I used airSnort on my pure sB network for 4 days. I captured 1 interesting packet (you need thousands, if not millions to break WEP).

Back to internal MAC. As long as you are NOT using the very old airBridge firmware (that passes the single internal MAC), then only the MAC of the airBridge will show up at the aPPo-AP mode. If your clients are using aPindoors or aPPo-CB mode then the MAC address of the internal clients will show in your ARP on your gateway, but still only the MAC of the sB device need be in the aPPo's MAC authentication table. I have 53 clients with 53 MAC addresses in my internal MAC table. All works VERY well.

However...being that I am finishing up my comp sci master's with emphasis in Wireless Security, I have to acknowledge the weakness of WEP, and therefore am migrating to PPPoE, then eventually purely VPNs (maybe).

Another reason to migrate off of internal MAC authentication is to save processor time. I just want the aPPo to worry about being an AP and that's it.

Sully

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eje Gustafsson
Sent: Saturday, September 06, 2003 10:24 PM
To: Greg Sims
Subject: Re: [smartBridges] Internal Mac Authorization

Yes, the aPPo should be provided with the MAC of the aB. That list is used to specify WHO are allowed to associate with your APPo, and the APPo only cares about the remote radio's MAC address and not the MAC address of any systems BEHIND the remote radio.

However, important to keep in mind is that MAC addresses are easily spoofed, and the only really good way to secure your network is to use a pppoe or hotspot server. This way you can do MAC address based on your aPPO, then username/password/mac combination on your gateway unit.

MikroTik is a good pppoe server that is not extremely hard to get going and works with most radius servers, or you can start by using the internal database; however, you might consider using a radius server. That way you can use the radius server for the aPPO as well as for the PPPoE server to allow connections.

I have a radius server solution and administration system that I offer for "sale" (I will install it, configure it and help you get going with it) if you're interested, or you can of course do it yourself.

If you decide you want a MikroTik unit and do pppoe or just simple mac authentication, then, well, you need not look any further than to me as well. I'm a MikroTik OEM solutions provider and I have helped numerous people on this list, as well as many other wisps not on this list, to improve the performance of their networks as well as secure their networks from freeloaders and hackers.

Best regards,
Eje Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network http://www.fament.com
Phone : 620-231-7777 Fax : 620-231-4066
- Your Full Time Professionals -
MikroTik OEM - Online Store http://www.fament.net/

--
GS> We're starting to see a number of freeloaders on our network so it is time
GS> to tighten security. I'm considering using the Internal Mac Authorization
GS> feature to get started.

GS> I read the aPPO documentation section on this subject. It is not clear what
GS> set of Mac addresses need to be entered into the aPPO. Let's say you enter
GS> the Mac addresses of all the client devices on the network (aBOs in our
GS> case). This should allow communication between the aPPO and the aBOs.
GS> I hope this will also allow communications with the client PCs that are
GS> attached to the wired side of the aBOs. Is this in fact the case?

GS> I can't imagine using Internal Mac Authorization if you need to specify the
GS> Mac address of each PC attached to the wired side of the aBOs. It would
GS> really be a hassle keeping the table up-to-date each time a client buys a
GS> new PC -or- a guest attaches to a client network while staying overnight.

GS> Please help me understand how this feature works in the aPPO.

GS> Thanks, Greg

GS> ----------ANNOUNCEMENT----------
GS> Don't forget to register for WISPCON IV
GS> http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm

GS> The PART-15.ORG smartBridges Discussion List
GS> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>
GS> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
GS> Archives: http://archives.part-15.org
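
Added example (not part of the original thread): a minimal Python model of the two-layer check discussed above, with the AP table listing only subscriber radio MACs and the gateway checking the username/password/MAC combination. All MACs, account names and function names are constructed for illustration, and binding each account to the radio's MAC is an assumption.

```python
import hashlib
import hmac

def norm(mac):
    """Normalise a MAC so 00-AA-.. and 00:aa:.. compare equal."""
    return mac.lower().replace("-", ":")

def pw_hash(password, salt):
    """Salted password hash, so the account table holds no plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (locally administered MACs, made-up accounts).
AP_TABLE = {"02:00:00:00:00:0a", "02:00:00:00:00:0b"}  # subscriber radios only
ACCOUNTS = {  # username -> (salt, password hash, radio MAC bound to the account)
    "alice": (b"s1", pw_hash("correct horse", b"s1"), "02:00:00:00:00:0a"),
    "bob": (b"s2", pw_hash("battery staple", b"s2"), "02:00:00:00:00:0b"),
}

def ap_allows(radio_mac):
    """Layer 1: the AP checks only the associating radio's MAC."""
    return norm(radio_mac) in AP_TABLE

def gateway_check(username, password, radio_mac):
    """Layer 2: username/password/MAC combination on the gateway."""
    account = ACCOUNTS.get(username)
    if account is None:
        return "gateway: unknown user"
    salt, stored, bound_mac = account
    if not hmac.compare_digest(pw_hash(password, salt), stored):
        return "gateway: bad password"
    if norm(radio_mac) != bound_mac:
        return "gateway: MAC does not match account"
    return "ok"

def admit(radio_mac, pc_mac, username, password):
    """pc_mac is accepted but never consulted: PCs behind a radio are not listed."""
    if not ap_allows(radio_mac):
        return "ap: radio MAC not in table"
    return gateway_check(username, password, radio_mac)
```

A copied radio MAC gets past `ap_allows` but is still rejected by `gateway_check` without the matching account, while a new PC behind an authorised radio needs no table change.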
