SM Access control without BAM

I bought a used Canopy AP and a couple of SMs recently. We are thinking about moving from Tranzeo to Canopy on some new towers that are being deployed this summer. I’ve been playing around with the AP and two SMs in the office. I can connect and pass traffic but I can’t figure out how to restrict access. Pretty much if you can guess the color code then you are in business which is a 1 in 254 chance. Without spending a few grand on BAM for our test network is there any other way to restrict SMs from connecting to the AP?

If we proceed beyond the test network then we will buy a copy of BAM but for testing it seems to be quite expensive.

Richey

battleop wrote:
if you can guess the color code then you are in business which is a 1 in 254 chance. Without spending a few grand on BAM for our test network is there any other way to restrict SMs from connecting to the AP?


Hi Richey
It seems strange, but there isn't any way to restrict access to the AP except by using Prizm/BAM software.
Actually, you can do something to hide your AP (Color code different from 0, Disable Security -> SM Display of AP Evaluation Data) but if you don't want to use BAM you will have to implement your own authentication system... i.e. using PPPoE or any VPN tunnel.

Ciao
Massimo

Wow, I guess the Moto way is to nickel and dime you to death.

V9 allows authentication through PPPoE now. A step in the right direction if you ask me. I personally never would have thought they would include it because it might have jeopardized Prizm sales.

Yes, but that doesn't solve the rogue SM problem. PPPoE is only an option for the SM (at least as explained to me).

If they set an option on the AP to FORCE the SM to be PPPoE, that would be something else.

Back to other alternatives.

The cheap way is to get a $200 Linksys RV042 on your WAN side, then turn DHCP off; then the only way anyone can get online is if you yourself put the IP and MAC of the radio in the router. No reason for BAM or RADIUS.

900mhzdude wrote:
The cheap way is to get a $200 Linksys RV042 on your WAN side, then turn DHCP off; then the only way anyone can get online is if you yourself put the IP and MAC of the radio in the router. No reason for BAM or RADIUS.


Not sure how that would block all attempts. Someone can use their neighbor's MAC address (cloned to their own router, as most easily do) and it would take you a long time trying to figure out where it was coming from.

Don't get me wrong.. I don't like or use BAM. But that one thing it does that requires the SM MAC itself to be defined as a valid user is only contained in that.

But using the other methods like you describe, and/or zeroing out all BW on your BW control device, goes a long way at blocking things.

Paul

Supposedly a combination of SM isolation, managed switches forwarding traffic out a trunked port, and a MAC authentication server should prevent anyone from passing traffic on the network if their MAC address does not allow it. However, if they did successfully clone a MAC address, that could cause a major problem.

If only Motorola would offer BAM 2 without Prizm for free…
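An added example, not part of any post in this thread: a small audit that binds each provisioned customer MAC to the SM it should appear behind, so that a cloned MAC shows up with the SM it is actually coming through instead of silently passing a MAC-only allowlist. It assumes you can collect (time, SM, source MAC) observations, for instance from per-port or per-VLAN MAC tables on the managed switches mentioned above; the SM names, MACs and records below are constructed.

```python
# Constructed allowlist: customer MAC -> SM it is provisioned behind (hypothetical names).
ALLOWED = {
    "00:11:22:aa:bb:01": "sm-tower1-07",
    "00:11:22:aa:bb:02": "sm-tower1-12",
}

# Constructed observations: (unix time, SM the frame arrived through, source MAC).
OBSERVATIONS = [
    (1000, "sm-tower1-07", "00:11:22:AA:BB:01"),
    (1005, "sm-tower1-12", "00:11:22:aa:bb:02"),
    (1010, "sm-tower1-19", "00:11:22:aa:bb:01"),  # allowed MAC, wrong SM
    (1020, "sm-tower1-19", "de:ad:be:ef:00:01"),  # MAC never provisioned
    (1030, "sm-tower1-07", "00:11:22:aa:bb:01"),
]


def audit(observations, allowed):
    """Return findings as (kind, mac, sm, first_seen), ordered by first_seen.

    kind is "unknown_mac" for a MAC that is not provisioned at all, and
    "possible_clone" for a provisioned MAC seen behind a different SM than
    the one it is bound to.
    """
    first_seen = {}
    for ts, sm, mac in sorted(observations):
        # Normalise case so vendor formatting differences do not hide a match.
        first_seen.setdefault((mac.lower(), sm), ts)

    findings = []
    for (mac, sm), ts in first_seen.items():
        if mac not in allowed:
            findings.append(("unknown_mac", mac, sm, ts))
        elif allowed[mac] != sm:
            findings.append(("possible_clone", mac, sm, ts))
    return sorted(findings, key=lambda f: f[3])


if __name__ == "__main__":
    for kind, mac, sm, ts in audit(OBSERVATIONS, ALLOWED):
        expected = ALLOWED.get(mac, "none")
        print(f"{ts} {kind:15} {mac} via {sm} (expected {expected})")
```

A MAC cloned behind the same SM as the legitimate device is not visible to this check, which is the limit of any MAC-based control discussed here.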

Yes, they should offer some form of basic MAC control for free or at least low cost. Motorola just doesn't think straight… I mean charge $1000 even, for up to 500 customers. I’d pay that.

Look at all the $1000 checks they would be getting.

Paul