EW-7206APg Wireless LAN Access Point

Hi

I recently bought this product and my query is regarding Fast Roaming Threshold option in advanced settings.

I wanted to disable Broadcast ESSID and IAPP options, but when I clicked on apply it gave an error message about Fast Roaming Threshold option. By default, this option is set to zero, but it has to be set between 10 to 90. I looked up in the online manual but couldn't find an entry about Fast Roaming Threshold.

Could anyone please explain what Fast Roaming Threshold is and what is the recommended value for this option? I have a small home network with no more than three computers. Only one laptop is moved once or twice a day from one room to another.

Thanks

yousaf.hassan

On 1 May 2007 03:14:49 -0700, snipped-for-privacy@gmail.com wrote:

Why would you want to disable Broadcast ESSID and IAPP options? That would add nothing to your security, and worse, just make problems more likely. The only thing that will really make you secure is WPA with a strong passphrase.

John Navas

"If you enable "Broadcast ESSID", every wireless station located within the coverage of this access point can discover this access point easily. If you are building a public wireless network, enabling this feature is recommended. Disabling "Broadcast ESSID" can provide better security."

My network is a private home network, so I want to disable it.

As for IAPP, this is what the manual says:

"If you enable "IAPP", the access point will automatically broadcast information of associated wireless stations to its neighbors. This will help wireless station roaming smoothly between access points. If you have more than one access points in your wireless LAN and wireless stations have roaming requirements, enabling this feature is recommended. Disabling "IAPP" can provide better security."

I have only one access point, and my wireless stations do not have any roaming requirements. That's why I turned it off.

As for encryption and security, both WPA (with a strong passphrase) and MAC access control are enabled.

Could you also explain what Fast Roaming Threshold is? What value is recommended for this option? There is no mention in the manual for this!

Regards Yousaf

yousaf.hassan

On 1 May 2007 07:45:41 -0700, snipped-for-privacy@gmail.com wrote:

That's just plain wrong, written by someone with no real knowledge of security. See

  • "The six dumbest ways to secure a wireless LAN (Wireless LAN security hall of shame)"
  • "Debunking the Myth of SSID Hiding"

All SSID hiding really accomplishes is making it harder for your legitimate neighbors to see your network, and thus more likely to jump on the same channel you're using, degrading your network with interference. It can also cause problems with some wireless adapters.

Again, that's just plain wrong.

MAC access control is likewise a bad idea. See first citation above.

The _only_ thing that really works, and thus the _only_ thing you really need, is WPA with a strong passphrase.

Don't mess with defaults of advanced settings -- you'll only make things worse.

John Navas

OK, I'll have a look at these articles.

So, you don't know what Fast Roaming Threshold is?

Anyway, thanks again for your response.

Regards Yousaf

yousaf.hassan

On 1 May 2007 08:06:51 -0700, snipped-for-privacy@gmail.com wrote:

How about before making any more posts? Likewise the wikis below.

Actually I do, your childish insinuation notwithstanding, and I know it has no relevance to your situation, which is why I didn't waste time going into it. You could know too if you spent your time checking (my citations, the wikis below, and searching with Google) instead of trying to insult those trying to help you. (I only put up with insults from people paying for the privilege, and even then not so much.)

You have a curious way of expressing thanks.

John Navas

O dear! What a sensitive person you are! It was not my intention to insult you in any way. It was a straightforward question. Before this post, I only found one article on this subject through Google:

As you can see, people avoided this question throughout the thread. I just wanted to know if someone really knows what Fast Roaming Access means. Anyway, I'll find out.

Thanks (without insinuations or undertones)

Yousaf

yousaf.hassan

snipped-for-privacy@gmail.com hath wroth:

Security by obscurity is not a good idea. Anyone with a decent wireless sniffer (Kismet on Linux) can find your SSID. If someone were interested in breaking into your network, or sniffing the traffic, it is trivial to extract the SSID from a capture file. However, what hiding the SSID does is prevent neighbors and other users from easily detecting your system. If someone moves in next door, and sets up a network on your channel, both will get interference, but your system will not show up on their "site survey".

Whether you decide to broadcast your SSID or not is entirely your decision. To a knowledgeable hacker, it is not a problem and will not slow them down in the slightest. To the neighboring systems, it's a common source of confusion.

It doesn't matter, as IAPP requires that the neighboring access points' MAC addresses be inscribed in the configuration files so that the roaming client can keep the same IP address and successfully re-authenticate with 802.1x from any access point in the system. Without multiple access points, IAPP is useless. On or off doesn't matter as it's not going to generate any traffic with only one access point in the system.

WPA is your primary security method. Avoid dictionary words in the passphrase.

MAC address filtering has been somewhat of a problem for my customers. The problem is that someone shows up with a new computer or game machine and wants to connect. So, the owner has to dig into the AP or wireless router configuration in order to add the new device. After doing this about 5 times, I'm usually asked by the customer how to defeat this non-feature. It's also not a very useful security feature as MAC addresses are sent un-encrypted in 802.11 packets. They're there for everyone to see, no matter how much encryption you have configured. MAC addresses are also very easy to spoof.

I wouldn't bother with MAC address filtering.

That's a bit complicated as there are multiple proposed implementations of fast roaming available.

If I knew which one the Edimax EW-7206APg supported, I could possibly give a sane answer, but I'm late for lunch. Basically, it determines how aggressively the access point holds onto a connection. Usually, this is the responsibility of the client software, but 802.11r transfers the responsibility to the access point. What happens is that the access point tries to determine if the client is moving out of range and should roam to a different access point in the system. The threshold is probably related to some signal quality metric that determines if the access point should give up trying to stay connected and issue a disconnect message, which will cause the client to scan for a better connection. Again, it's only applicable if you have multiple access points in your WLAN system and should probably be left at the default value.

Suggestion: Use WPA-2 to secure your network. Change the router config and guest passwords. Get a RADIUS server if you don't like shared WPA keys (probably overkill for a home system). Learn how to read the log files to check for anything funny. Never mind the other dumb ideas on securing your WLAN.

Jeff Liebermann
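
Added example (not part of the original posts): a small parser for 802.11 management frames illustrating the two points in the post above, that a hidden SSID still appears in a client's association request and that MAC addresses sit in the unencrypted header. The two sample frames, their addresses and the SSID `homelan` are constructed for illustration.

```python
import struct

# Fixed-field bytes before the tagged elements, per management subtype.
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Pull the cleartext addresses and SSID out of an 802.11 management frame."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("not a supported management frame")
    info = {"kind": NAMES[subtype], "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22]), "ssid": None}
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):            # walk id/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated element")
        if tag == 0:                        # element ID 0 carries the SSID
            info["ssid"] = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return info

# --- constructed sample frames (addresses and SSID are made up) ---
AP, STA = bytes.fromhex("021122334455"), bytes.fromhex("0266778899aa")

def header(fc0, dst, src, bssid):
    return bytes([fc0, 0, 0, 0]) + dst + src + bssid + b"\x00\x00"

RATES = b"\x01\x01\x82"                     # supported-rates element
# Beacon with "Broadcast ESSID" off: the SSID element is present but empty.
BEACON = (header(0x80, b"\xff" * 6, AP, AP) + bytes(8)
          + struct.pack("<HH", 100, 0x0411) + b"\x00\x00" + RATES)
# Association request from a client joining that AP: it spells the SSID out.
ASSOC = (header(0x00, AP, STA, AP) + struct.pack("<HH", 0x0411, 10)
         + b"\x00\x07homelan" + RATES)

if __name__ == "__main__":
    for f in (BEACON, ASSOC):
        print(parse_mgmt(f))
```

The beacon yields an empty SSID, while the association request yields both the network name and the client's MAC address, which is why neither SSID hiding nor a MAC allow-list keeps that information private.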

On Tue, 01 May 2007 10:25:21 -0700, Jeff Liebermann wrote:

Good advice.

Not such good advice (IMnsHO at least).

There's no need to avoid dictionary words given enough passphrase length -- it just means the passphrase needs to be longer (20+ characters) than with random characters (14+ characters).

Like the downside of SSID hiding (the likelihood of increased interference from neighbors), not using words makes passphrases much harder to use, a disincentive and source of grief.

Diceware words are a good way to build a strong but easy to use passphrase, and the Diceware Passphrase FAQ gives good advice on how many words are needed:

I personally consider 6 words (20+ characters) sufficient for home users and even for most business users.

Overkill.

Yes.

Or more practically:

  • Get a ZyXEL G-2000 Plus, which has its own authentication server.

  • Use an external RADIUS service; e.g., Radiuz (free)

Beyond most users.

Yes.

John Navas
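
Added example (not part of the original posts): how a WPA/WPA2-Personal passphrase becomes the 256-bit key, and how the passphrase styles discussed above compare when each symbol is chosen at random. The guess rate of one million per second is an assumption rather than a measurement, the SSID and sample passphrase are constructed, and the 8-lowercase-letter row is an added contrast at the minimum WPA passphrase length.

```python
import hashlib
import math

DICEWARE_WORDS = 7776          # 6**5 entries in a Diceware word list
PRINTABLE_ASCII = 95           # characters 0x20..0x7e
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def wpa_psk(passphrase, ssid):
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def entropy_bits(units, alphabet):
    """Entropy of `units` symbols drawn uniformly at random from `alphabet` choices."""
    return units * math.log2(alphabet)

def years_to_search_half(bits, guesses_per_second):
    """Expected time to hit the passphrase: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

def compare(guesses_per_second=1e6):   # assumed rate of full PBKDF2 guesses
    styles = {
        "6 Diceware words": entropy_bits(6, DICEWARE_WORDS),
        "14 random printable chars": entropy_bits(14, PRINTABLE_ASCII),
        "8 random lowercase letters": entropy_bits(8, 26),
    }
    return {name: (round(bits, 1), years_to_search_half(bits, guesses_per_second))
            for name, bits in styles.items()}

if __name__ == "__main__":
    # The SSID salts the key, so the same passphrase gives a different key per network.
    print(wpa_psk("correct horse battery staple", "homelan").hex())
    for name, (bits, years) in compare().items():
        print(f"{name:28s} {bits:5.1f} bits  ~{years:.3g} years")
```

These figures only hold when the words or characters are picked at random; a phrase chosen by a person has far less entropy than its length suggests.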

Thanks, Jeff. I was just discussing the same issues with a friend of mine.

Disabling the broadcast of SSID makes sense to me. Not that I am totally relying on this feature for my overall network security; I have WPA2 enabled for that. I feel that if my neighbour, a complete novice, turns on his laptop and sees my network, although he is unable to do any harm, he can let other people know that a network xyz exists. And by word of mouth it can reach a knowledgeable hacker. For example, in my area everyone can see the network of the local council. This means that everyone knows there is a network there to hack into. I don't want anyone to know the existence of my wireless LAN apart from a couple of machines that I use at home. Even if I have to sacrifice a bit of performance as a result.

Totally understand your point on IAPP.

Regarding MAC address filtering, my point of view is that even though it is easy to hack into, at least it is a bit of an effort. Again, performance is not an issue here and I don't get too many people visiting me with their laptops every day.

Thanks ever so much for explaining fast roaming.

Regards Yousaf

yousaf.hassan

On 1 May 2007 12:06:34 -0700, snipped-for-privacy@gmail.com wrote:

What makes you think your assessment is better than those of security experts?

That's not something to actually worry about for at least two reasons:

  1. WPA2 with a strong passphrase will stop even a knowledgeable hacker.
  2. Knowledgeable hackers don't find networks that way -- they use tools able to find networks even with SSID broadcast turned off.

Irrelevant. Everyone knows where your house is. What stops them is whatever real security you have (locks, alarms), your neighbors, and the local police. Throwing a huge tarp over your house wouldn't help.

The point is that the people who matter _will_ still know you have a wireless LAN. What the people who don't matter know is irrelevant, and it's likewise irrelevant what the people who matter know _if_ you have strong WPA security.

It's actually no effort at all to those who matter.

What may be an issue is forgetting what you've done, and somewhere down the road wasting hours or even days troubleshooting it. Before you say that won't happen to you, I'll tell you I've heard that claim lots of times from people that did then forget and had to get my help fixing their own problem.

You're making bad judgements. The reasons are that you don't really understand the issues, and aren't willing to take the advice of experts that do. Unless you're going to take the time to learn and really understand the issues, you should rely on expert advice. Going against such advice is just sooner or later going to get you into trouble.

John Navas
