Chapter 3: System planning / Security planning
Page 3-49
Planning for RADIUS operation
Configure RADIUS where remote authentication is required for users of the web-based interface.
Remote authentication has the following advantages:
• Control of passwords can be centralized.
• Management of user accounts can be more sophisticated. For example, users can be prompted by a network manager to change passwords at regular intervals. As another example, passwords can be checked for inclusion of dictionary words and phrases.
• Passwords can be updated without reconfiguring multiple network elements.
• User accounts can be disabled without reconfiguring multiple network elements.
Remote authentication has one significant disadvantage in a wireless link product such as 450 Platform
Family. If the wireless link is down, a unit on the remote side of the broken link may be prevented from
contacting a RADIUS Server, with the result that users are unable to access the web-based interface.
One useful strategy would be to combine RADIUS authentication for normal operation with a single
locally-authenticated user account for emergency use.
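The strategy above (RADIUS for normal operation, one local account for emergencies) hinges on when the local account may be used. The following added example, which is not Cambium code and does not describe how the 450 Platform Family implements it, models the decision: the emergency account is consulted only when no RADIUS server answers, never when the server explicitly rejects the user. The RADIUS client and the user names are constructed stand-ins.

```python
import hashlib
import hmac
import os
from typing import Callable

# Outcomes of a RADIUS exchange as seen by the unit (simplified to accept/reject)
RADIUS_ACCEPT = "accept"
RADIUS_REJECT = "reject"


class RadiusUnreachable(Exception):
    """No RADIUS server answered, e.g. because the wireless link is down."""


def make_local_account(username: str, password: str) -> dict:
    # Store only a salted PBKDF2 hash of the emergency password, never the password itself
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"username": username, "salt": salt, "digest": digest}


def local_check(account: dict, username: str, password: str) -> bool:
    if username != account["username"]:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 200_000)
    return hmac.compare_digest(digest, account["digest"])  # constant-time compare


def authenticate(username: str, password: str,
                 radius: Callable[[str, str], str], emergency: dict) -> str:
    """Return 'radius', 'local' or 'denied'.

    The local account is tried only on RadiusUnreachable. An explicit reject is
    final: falling back on reject would let a centrally disabled user log in
    with the emergency password while the server is perfectly reachable.
    """
    try:
        result = radius(username, password)
    except RadiusUnreachable:
        return "local" if local_check(emergency, username, password) else "denied"
    return "radius" if result == RADIUS_ACCEPT else "denied"


def simulated_radius(reachable: bool, valid: dict) -> Callable[[str, str], str]:
    # Constructed stand-in for a RADIUS client; 'valid' maps user names to passwords
    def client(username: str, password: str) -> str:
        if not reachable:
            raise RadiusUnreachable("no response from RADIUS server")
        return RADIUS_ACCEPT if valid.get(username) == password else RADIUS_REJECT
    return client
```

Note that with this policy the emergency account is unusable while the RADIUS server is reachable, so central policy still decides every login in normal operation.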
PMP 450 Platform Family SM provides a choice of the following authentication methods:
• Phase 1:
o EAP-MSCHAPv2
o EAP-TTLS
o EAP PEAP
• Phase 2:
o PAP
o CHAP
o MSCHAPv2
Ensure that the authentication method selected in 450 Platform Family is supported by the RADIUS
server.
Filtering protocols and ports
Configure filters to prevent specified protocols and ports from leaving the AP/BHM and SM/BHS and entering the network. This protects the network from both intended and inadvertent packet loading or probing by network users. By keeping the specified protocols or ports off the network, this feature also provides a level of protection to users from each other.
Protocol and port filtering is set per AP/SM/BH. Except for filtering of SNMP ports, filtering occurs as
packets leave the AP/SM/BH.
For example, if the SM is configured to filter SNMP, then SNMP packets are blocked from entering the SM and, thereby, from interacting with the SNMP portion of the protocol stack on the SM.
Port Filtering with NAT Enabled
Where NAT is enabled on the SM/BHS, filtering can be enabled only for user-defined ports. The following are examples of situations where the configured port can be filtered when NAT is enabled: