Fixed subs and hot spot subs on same AP?


go.fast
08-30-2003, 11:21 PM
Question I have is, will I be able to have both fixed subs, and Radius supported subs on the same AP?
I'd like to turn ALL my AP's into hotspots, but I don't want my fixed subs to have to authenticate with a username password. I just want them on 24/7.
Some of my subs are office networks using a star-os as the coe and router.
George

tony
08-30-2003, 11:25 PM
This is on schedule for the next release, which will allow certain MAC addresses unrestricted access to the system. (for routers behind the hotspot system, etc).

Thanks!

go.fast
08-31-2003, 12:03 PM
Multiple essid's?
Wouldn't this be a good reason for multiple essid's on the same AP?
One for fixed and one for hotspot subs?
If I was to turn all my AP's into hotspots, and I wanted roaming access for those that are visiting town and wanting to buy a week's worth of access, but at different locations, wouldn't it be easier done if all the hotspots had the same essid?
George

tony
08-31-2003, 12:24 PM
This is an interesting idea, however Intersil and Agere (Hermes / Ruby) cards do not support multiple ESSIDs. It may be able to be done with multiple cards, however.

lonnie
08-31-2003, 12:41 PM
Turn all your AP units into Hotspot enabled and simply MAC authenticate the user for their login. Anybody who does not have a MAC entry in the radius must login with a username and password.

This allows all your long term customers to get access if you know their card's MAC. If they want to roam they require a username and password, or take their card with them.

georgew
09-01-2003, 12:43 AM
I've been looking at the mac authentication as a last resort. But if someone snoops the traffic, it is going to be fairly easy for them to find a mac address to spoof. If they are crafty, they will discover that a mac off of a backhaul radio or fixed user can be used on a different hotspot.

Obviously some intrusion detection could come in handy. I know I could scan syslog, but that is a lot of work and can't be done in real time without a lot of work. Mac collisions, dual logins at multiple AP's, as well as detecting someone that is hacking are all things it would be handy to detect...

Though I'm not sure what you would do about someone hacking... but I'd like to know it was happening...

Mac authentication is scary... Too many devices let me set arbitrary mac addresses.
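
The "Mac collisions, dual logins at multiple AP's" check mentioned in the post above, as an added example that is not part of the original thread: it flags a MAC that opens a session on one AP while it still has an open session on another. The comma-separated event format, AP names and MAC addresses are constructed for illustration and are not StarOS or RADIUS server output.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample accounting events (hypothetical format):
# timestamp, event, client MAC, AP name
SAMPLE_EVENTS = """\
2003-09-01T10:00:00,start,00:02:6f:aa:bb:01,ap-north
2003-09-01T10:05:00,start,00:02:6f:aa:bb:02,ap-north
2003-09-01T10:20:00,start,00:02:6F:AA:BB:01,ap-south
2003-09-01T10:30:00,stop,00:02:6f:aa:bb:02,ap-north
2003-09-01T10:40:00,start,00:02:6f:aa:bb:02,ap-south
2003-09-01T10:45:00,stop,00:02:6f:aa:bb:01,ap-south
"""

def normalize_mac(mac):
    """Lower-case and strip separators so 00-02-6F.. and 00:02:6f.. compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def find_mac_collisions(text):
    """Return (mac, first_ap, second_ap, time) for every session start that
    happens while the same MAC still has an open session on a different AP."""
    open_sessions = defaultdict(dict)   # mac -> {ap: session start time}
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, mac, ap = (f.strip() for f in line.split(","))
        when, mac = datetime.fromisoformat(ts), normalize_mac(mac)
        if event == "start":
            for other_ap in open_sessions[mac]:
                if other_ap != ap:
                    alerts.append((mac, other_ap, ap, when))
            open_sessions[mac][ap] = when
        elif event == "stop":
            open_sessions[mac].pop(ap, None)  # tolerate a stop with no start
    return alerts

if __name__ == "__main__":
    for mac, first_ap, second_ap, when in find_mac_collisions(SAMPLE_EVENTS):
        print(f"{when} MAC {mac} active on {first_ap} and {second_ap}")
```

A client that roams cleanly (stop on one AP, then start on another) raises no alert. A lost stop record would, so open sessions need a timeout before this runs against real accounting data.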

lonnie
09-01-2003, 07:34 AM
You can enable IP-MAC verification in radius. I realize it is not perfect, but it would at least keep them on the same tower - at least if you have a routed LAN. If the LAN is bridged they can hit you from anywhere since that IP works everywhere.

I guess my question would be - "Is there anything you can do to keep a determined and knowledgeable hacker out?".

This code makes it so much easier to get control of your customer base. All you have to do is configure a few settings on the remote AP and it talks to your central radius database for username or MAC, password, CBQ, and IP testing. Now it is close to an automated system. When the accounting people disable a user for nonpayment they can skip the step of phoning me to disable the wireless users at the AP, and of course phoning me again to reconnect.

We have other great things planned, but like everything we have done, this is a step in the right direction. It takes you farther along the path than you were in version 1.12.4

georgew
09-01-2003, 09:18 AM
I think it is a great set of features you have added... Encrypted passwords of any kind will slow the hackers down, but the denial of service attacks may be an issue that can never be fully solved. If I have those sort of problems, I hope to be able to track the person down some other way.

But the thing I'm hoping to be able to do is to secure the backhaul radio as well as the customers.