sricci
just joined
Topic Author
Posts: 18
Joined: Thu Jul 28, 2011 12:57 pm

CPE Security

Mon Oct 24, 2011 9:54 pm

Hi all,

At present, our "last mile" setup involves the use of Nv2 and OSPF to manage routing with CPEs (all of them are SXT); I'm a bit worried about the possibility of someone breaking into the CPE (they're at customers' houses, not physically secure), stealing our nv2 psk and beginning to fiddle with our routing. OSPF is active only on the wireless side of the CPE, which, in turn, is unmanageable from the LAN side due to the firewall; but - I learned - if you have physical access to the device it's possible to reset it, recover the configuration, and even get the passwords.
The network is already partitioned into several areas, typically one for each AP... the first thing I'm going to do is to set up route filters, in order to keep unwanted updates out of the backbone.

Now a couple of questions:
Is it possible to have, with nv2, a per-customer psk? It wouldn't solve the problem completely, but it would allow better manageability in the event of a... well, bad event :-)
We thought about switching to PPPoE, to avoid CPEs talking OSPF with the AP; this would also give us the possibility to disable client-forwarding, which is quite convenient. Is someone using it? How well does it perform in terms of overhead and CPU utilization?

Best regards,
Simone.
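One way to carry out the route-filtering step described above, as an added example that is not part of the thread and not MikroTik's own documentation: a RouterOS configuration for the AP that accepts from OSPF only the prefixes it is supposed to learn and discards everything else, and makes the per-AP area totally stubby so CPEs receive nothing but a default route. The address ranges (10.0.0.0/16 for infrastructure, 10.200.0.0/16 for customer subnets), the area name ap1 and area-id 0.0.0.1 are constructed assumptions; the commands follow the RouterOS command syntax of the thread's time.

```routeros
# Added example (not from the thread): limit what the AP will learn from
# OSPF and what it will tell CPEs. All addresses and names are constructed.

/routing filter
# infrastructure prefixes the AP legitimately learns from the backbone
add chain=ospf-in prefix=10.0.0.0/16 prefix-length=16-32 action=accept \
    comment="backbone / infrastructure (assumed range)"
# customer LAN subnets announced by CPEs: only /24 to /30 inside the customer space
add chain=ospf-in prefix=10.200.0.0/16 prefix-length=24-30 action=accept \
    comment="customer subnets learned from CPEs (assumed range)"
# anything else a CPE could inject (default route, foreign prefixes) is dropped
add chain=ospf-in action=discard comment="drop every other OSPF route"

/routing ospf area
# totally stubby area for this AP: CPEs get a default route, not the backbone topology
add name=ap1 area-id=0.0.0.1 type=stub inject-summary-lsas=no

/routing ospf instance
# the filter is instance-wide, so it applies to routes from the backbone area as well
set default in-filter=ospf-in
```

The in-filter applies to the whole OSPF instance rather than to one area, which is why the infrastructure range has to be accepted explicitly in the first rule. The filter bounds what a compromised CPE can inject to the listed ranges; it cannot stop that CPE from originating routes inside the customer range itself, which is the residual risk that the PPPoE approach discussed in the thread removes.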
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

CPE Security

Tue Oct 25, 2011 1:45 am

You can set per client keys in the access list.
 
sricci
just joined
Topic Author
Posts: 18
Joined: Thu Jul 28, 2011 12:57 pm

Re: CPE Security

Tue Oct 25, 2011 12:52 pm

cbrown wrote:
> You can set per client keys in the access list.
Does it work with nv2 as well? According to the documentation:
> Being proprietary protocol Nv2 does not use security mechanisms of 802.11, therefore security configuration is different. Interface using Nv2 protocol ignores security-profile setting. Instead, security is configured by the following interface settings:
>
> Nv2-security - this setting enables/disables use of security in Nv2 network. Note that when security is enabled on AP, it will not accept clients with disabled security. In the same way clients with enabled security will not connect to unsecure APs.
> Nv2-preshared-key - preshared key to use for authentication. Data encryption keys are derived from preshared key during 4-way handshake. Preshared key must be the same in order for 2 devices to establish connection. If preshared key will differ, connection will time out because remote party will not be able to correctly interpret key exchange messages.
It's unclear to me whether this will work within our environment... anyone using per-client psk in access-list? I can't give it a try at the moment :-(

Best Regards,
Simone.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Re: CPE Security

Tue Oct 25, 2011 3:40 pm

Everyone can use the same NV2 security but a different WPA2 password.
 
n21roadie
Forum Guru
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick, Ireland

Re: CPE Security

Tue Oct 25, 2011 3:57 pm

sricci wrote:
> Hi all,
>
> At present, our "last mile" setup involves the use of Nv2 and OSPF to manage routing with CPEs (all of them are SXT); I'm a bit worried about the possibility of someone breaking into the CPE (they're at customers' houses, not physically secure), stealing our nv2 psk and beginning to fiddle with our routing. OSPF is active only on the wireless side of the CPE, which, in turn, is unmanageable from the LAN side due to the firewall; but - I learned - if you have physical access to the device it's possible to reset it, recover the configuration, and even get the passwords.
> The network is already partitioned into several areas, typically one for each AP... the first thing I'm going to do is to set up route filters, in order to keep unwanted updates out of the backbone.
>
> Now a couple of questions:
> Is it possible to have, with nv2, a per-customer psk? It wouldn't solve the problem completely, but it would allow better manageability in the event of a... well, bad event :-)
> We thought about switching to PPPoE, to avoid CPEs talking OSPF with the AP; this would also give us the possibility to disable client-forwarding, which is quite convenient. Is someone using it? How well does it perform in terms of overhead and CPU utilization?
>
> Best regards,
> Simone.
I use PPPoE to the CPE and find it very good as regards security, since most customers may have used a browser to configure their internal router; I just disable port 80, and sometimes that's enough when a login page doesn't appear in the browser. But having said that, no matter what level of security you have, it will only slow down a determined person from hacking into your network.
 
sricci
just joined
Topic Author
Posts: 18
Joined: Thu Jul 28, 2011 12:57 pm

Re: CPE Security

Tue Oct 25, 2011 4:11 pm

n21roadie wrote:
> I use PPPoE to the CPE and find it very good as regards security, since most customers may have used a browser to configure their internal router; I just disable port 80, and sometimes that's enough when a login page doesn't appear in the browser. But having said that, no matter what level of security you have, it will only slow down a determined person from hacking into your network.
Thank you first of all; how many resources will PPPoE take? How many users can a 411AH (680 MHz/64 MB) handle, for example?
cbrown wrote:
> Everyone can use the same NV2 security but a different WPA2 password.
Thank you, I'll try that ASAP

Best Regards,
Simone.
 
n21roadie
Forum Guru
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick, Ireland

Re: CPE Security

Tue Oct 25, 2011 4:16 pm

sricci wrote:
> n21roadie wrote:
> > I use PPPoE to the CPE and find it very good as regards security, since most customers may have used a browser to configure their internal router; I just disable port 80, and sometimes that's enough when a login page doesn't appear in the browser. But having said that, no matter what level of security you have, it will only slow down a determined person from hacking into your network.
> Thank you first of all; how many resources will PPPoE take? How many users can a 411AH (680 MHz/64 MB) handle, for example?
>
> Best Regards,
> Simone.
Just did a quick check on an AP 433AH with 20 clients: CPU load constantly varies between 9 and 30%.
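The PPPoE setup n21roadie reports running, as an added example that is neither his configuration nor anything posted in the thread: a RouterOS PPPoE server on the AP's wireless interface with one PPP secret per customer and client-to-client forwarding disabled, so CPEs no longer exchange OSPF with the AP. The interface name wlan1, the 10.200.1.0/24 addressing, the service name, the account name and the placeholder password are constructed assumptions; the syntax is that of RouterOS at the time of the thread.

```routeros
# Added example (not from the thread): PPPoE access on an AP with per-customer
# credentials in place of a shared wireless key. All values are constructed.

/interface wireless
# stop wireless clients from reaching each other through the AP
set wlan1 default-forwarding=no

/ip pool
add name=cpe-pool ranges=10.200.1.2-10.200.1.254

/ppp profile
# only-one=yes: a given account may hold a single active session
add name=cpe-profile local-address=10.200.1.1 remote-address=cpe-pool only-one=yes \
    change-tcp-mss=yes

/interface pppoe-server server
# one-session-per-host=yes: one session per CPE MAC address
add service-name=isp-access interface=wlan1 default-profile=cpe-profile \
    authentication=mschap2 one-session-per-host=yes max-sessions=64 disabled=no

/ppp secret
# one secret per customer: revoking this one does not touch the others
add name=cust-0001 password=CHANGE-ME-PLACEHOLDER service=pppoe profile=cpe-profile \
    remote-address=10.200.1.10 comment="customer 0001 (constructed example)"
```

The per-customer secret is the practical substitute for the per-client Nv2 key that the thread establishes does not exist: one customer's credentials can be revoked or rotated without affecting the rest, and a CPE whose configuration has been recovered yields only its own account. With default-forwarding off, CPEs cannot reach each other through the AP; the CPU cost on the AP is what n21roadie measured above, not something this configuration changes.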
 
sricci
just joined
Topic Author
Posts: 18
Joined: Thu Jul 28, 2011 12:57 pm

Re: CPE Security

Tue Oct 25, 2011 7:14 pm

sricci wrote:
> cbrown wrote:
> > Everyone can use the same NV2 security but a different WPA2 password.
> Thank you, I'll try that ASAP
>
> Best Regards,
> Simone.
I just tried, it doesn't work with nv2:

Access-list:
13 ;;; XXXXXXX
mac-address=00:0C:42:XX:XX:C3 interface=all signal-range=-120.120 authentication=yes forwarding=yes ap-tx-limit=0 client-tx-limit=0
private-algo=none private-key="" private-pre-shared-key="sasdfadfasdfasdf" management-protection-key=""

Reg-table:
12 ;;; XXXXXXXX
wlan1 000C42XXXXC3 00:0C:42:XX:XX:C3 no -84dBm 6.5Mbps 1s

The client can connect, even if the key defined in the access-list is wrong. May I ask if you tried this setup (per-client PSK with nv2) before? Would you mind sharing your configuration?

Regards,
Simone.
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: CPE Security

Tue Oct 25, 2011 9:23 pm

Nv2 does not use standard security options, only the Nv2 options listed.
It WILL ignore the security profile setting.
 
sricci
just joined
Topic Author
Posts: 18
Joined: Thu Jul 28, 2011 12:57 pm

Re: CPE Security

Tue Oct 25, 2011 9:49 pm

omega-00 wrote:
> Nv2 does not use standard security options, only the Nv2 options listed.
> It WILL ignore the security profile setting.
That's what I always thought, thanks for confirming my supposition.

Best Regards,
Simone
