Canopy Authentication

Hi, is there any way to do authentication to the SM without the BAM? How should I prevent every SM from registering to my APs?

Any ideas?

Best Regards,

JV

Your question is a bit unclear. If you want the SM to authenticate before registering to the AP, then you have to use BAM. If you want to authenticate devices behind the SM, like routers or computers, so they can pass traffic, you would have to use a different program, like NoCatAuth from www.nocat.net. This program would run on a server that sits between the AP and your backbone line. You could run both BAM and NoCat on the same Linux server to accomplish both options.

Matt

What I’m looking for is another way to do SM authentication without the BAM. I’m wondering if maybe a RADIUS server could work, or must I die with BAM?

Thanks in advance

BAM is capable of using a RADIUS server for authentication, but you cannot use a RADIUS server without BAM. The BAM engine is what talks to the AP. If the MAC address and key code received by the BAM, from the SM through the AP, match that which BAM sees in either the database or RADIUS, then the AP lets the SM unit authenticate. There is no other program that can take the place of BAM.

As long as ALL SMs are in NAT mode, they will tag all packets that pass through them with the MAC of the SM. With this you could use iptables on a Linux or Unix server to allow or deny traffic on all packets based on MAC address. This would require stateful packet inspection of all traffic across your network through a single server. Or, with proper network layout, this could be accomplished using multiple servers to improve latency. The drawback of this method vs. using BAM is that any SM can still register to your APs.

I'm sure if you look around at other projects and products such as Allot Netenforcer, NoCatAuth, or a Linux kernel with iptables, you might be able to figure out some other method. All other methods will not be as effective as using BAM.

Our setup currently uses BAM for SM authentication and an Allot Netenforcer for bandwidth management. We cannot solely use BAM for bandwidth management because we have cases where customers have multiple Subscriber Modules at one location but all SMs at that location share the same bandwidth package.

So, in simple terms, there is only 1 way to prevent an SM from registering to an AP: use BAM.
To prevent passing traffic out your backbone connection there are alternatives, but they will be significantly slower than BAM.

Matt
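
The iptables approach described in the reply above, as an added example that is not part of the original thread: a script that turns an allowlist of SM MAC addresses into `iptables-restore` input with a default-drop FORWARD policy. The interface name `eth1` (via the hypothetical `AP_IFACE` variable) and every MAC address shown are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn an allowlist of SM MAC addresses
# into iptables-restore input that forwards traffic only from those SMs.
# Assumptions: AP_IFACE is the hypothetical AP-facing interface; the MACs
# below are constructed samples.

AP_IFACE=${AP_IFACE:-eth1}

SAMPLE_ALLOWLIST='# constructed allowlist, one MAC per line
0a:00:3e:00:00:01   # customer A
0A-00-3E-00-00-02   # customer B, dash/upper-case form
0a:00:3e:00:00:zz   # typo, must be rejected
0a:00:3e:00:00:01   # duplicate of customer A'

# Print the MAC in lower-case colon form; fail if it is malformed.
normalize_mac() {
    nm_mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    printf '%s\n' "$nm_mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$nm_mac"
}

# Read an allowlist on stdin, write iptables-restore input on stdout.
# Malformed entries are reported on stderr and never become rules.
build_ruleset() {
    br_seen=' '
    printf '*filter\n:FORWARD DROP [0:0]\n'
    # Return traffic for flows an allowed SM opened.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    while IFS= read -r br_line; do
        # Strip trailing comments and all whitespace.
        br_line=$(printf '%s' "${br_line%%#*}" | tr -d '[:space:]')
        [ -n "$br_line" ] || continue
        if br_mac=$(normalize_mac "$br_line"); then
            # Skip duplicates so each SM gets exactly one rule.
            case "$br_seen" in *" $br_mac "*) continue ;; esac
            br_seen="$br_seen$br_mac "
            printf '%s\n' "-A FORWARD -i $AP_IFACE -m mac --mac-source $br_mac -j ACCEPT"
        else
            printf 'rejected malformed entry: %s\n' "$br_line" >&2
        fi
    done
    printf 'COMMIT\n'
}

# Print the ruleset for the sample list; review it before loading.
printf '%s\n' "$SAMPLE_ALLOWLIST" | build_ruleset
```

Check the generated file with `iptables-restore --test` before loading it. The `mac` match compares only the layer-2 source address of the frame as it arrives, so the filtering server has to sit on the same Ethernet segment as the traffic it is judging.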