Questions about AAA user authentication

I have been tasked with setting up some proper user authentication on our APs. I am not concerned about authenticating the SMs (yet), but we just need a way to control who can mess around with the AP. I have a RADIUS server set up and working, but the AP only lets me select EAP-MD5 as the authentication method, which requires passwords to be stored in plain text (unsuitable for a production environment). Am I missing something here, or is that really the only option?

As of now, only EAP-MD5 is supported for User Authentication. However, in upcoming releases we will be supporting more secure protocols like PEAP-MSCHAPv2. Keep a watch.
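
Added example, not part of the thread or of any vendor's firmware: why EAP-MD5, as raised in the question above, forces the RADIUS user store to hold the cleartext password. It follows the CHAP-style MD5 computation (RFC 1994) that EAP MD5-Challenge (RFC 3748) uses; the password, identifier and salt are constructed sample values.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || secret || Challenge), per RFC 1994 section 4.1."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_verify(stored_secret: bytes, identifier: int,
                  challenge: bytes, response: bytes) -> bool:
    """The server must recompute the digest from whatever it has stored."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"constructed-example-password"   # constructed sample value
    identifier = 0x2A                             # constructed EAP identifier
    challenge = os.urandom(16)                    # fresh challenge from the server

    # The peer (the admin logging in to the AP) answers the challenge.
    response = eap_md5_response(identifier, password, challenge)

    # Case 1: the user store holds the cleartext password -> verification works.
    cleartext_ok = server_verify(password, identifier, challenge, response)

    # Case 2: the user store holds only a salted one-way hash of the password.
    # The server cannot recover the password, so it cannot rebuild the digest.
    salt = b"constructed-salt"
    hashed = hashlib.sha256(salt + password).digest()
    hashed_ok = server_verify(hashed, identifier, challenge, response)

    return cleartext_ok, hashed_ok


if __name__ == "__main__":
    ok_clear, ok_hashed = demo()
    print("cleartext store verifies:", ok_clear)
    print("hashed store verifies:   ", ok_hashed)
```

Because the challenge changes on every login, the server needs the secret itself (or a reversibly encrypted copy) each time; a one-way hashed user store is incompatible with this method.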

What radio(s) and what firmware release(s)?


450 onward, and as for the release, please check the next beta whenever it is posted.

While we are working on phasing out our FSK network, we still have ~100 FSK APs out there. Are those going to be updated with the new authentication methods, or just the 450s?

And what sort of timetable are you expecting? What version is planned to include it?

I am really shocked that a mature product such as this is not capable of anything other than such rudimentary authentication.

I hate bumping a thread like this, but can I get a better answer than "sometime in the future"? I really need to tell my boss something here.


@Sama wrote:

While we are working on phasing out our FSK network, we still have ~100 FSK APs out there. Are those going to be updated with the new authentication methods, or just the 450s?

And what sort of timetable are you expecting? What version is planned to include it?

I am really shocked that a mature product such as this is not capable of anything other than such rudimentary authentication.


PMP100/FSK is EOL'd and the last firmware revision available for it is 13.4.1. There are no new firmware images planned for this series.


I'm not asking for a new feature; this is a serious security issue. If I understand this correctly, then there is absolutely no way to securely authenticate users with these products? FSK is abandoned (EOL generally still gets security patches), 450 might get that sometime in the future (although it sounds like it’s not being actively developed).

That leaves two options for user authentication.

Option One: All APs are left with a single login that must be changed (one-by-one) on a regular basis.

Option Two: The APs use per-user authentication but everyone’s credentials are exposed.

Am I understanding this correctly?

I apologize if I might sound hostile, but it’s like finding out that every car in your fleet of vehicles is keyed the same.

There are a number of things you can do to lock down management access on APs and SMs...

- You can enable just HTTPS access

- You can enable access from trusted networks via IP access filtering at the AP

- You can use VLANs to segment mgmt traffic and user traffic. Use private IP space for mgmt

- You can use SNMPv3 (which supports encryption) and make scripts to periodically change the admin password

If you do all the above, it's going to be very, very difficult for anyone to get into any of the radios. So, while you may not have AAA, you do have options to make your network very secure.


Thank you, we already do most of those, although our network admins are convinced that SNMPv3 does not work on Cambium equipment. The biggest issue is former (possibly disgruntled) employees who know the system.


@Sama wrote:

Thank you, we already do most of those, although our network admins are convinced that SNMPv3 does not work on Cambium equipment. The biggest issue is former (possibly disgruntled) employees who know the system.


We use SNMPv3 extensively on both PMP100 and PMP450 equipment... works great. Our network admin did miss one vital tidbit when configuring SNMPv3 on these devices for the first time... he swore up and down he had everything configured properly, could not get it to work right, thought something was broken with firmware... ended up opening a ticket with Cambium and they found the issue... by default SNMPv3 isn't enabled. You have to go to the 'Security' tab, and enable SNMPv3. After that, all of the settings on the SNMP tab worked fine.
