#1
05-01-2007, 10:14 AM
yousaf.hassan@gmail.com
EW-7206APg Wireless LAN Access Point

Hi

I recently bought this product and my query is regarding Fast Roaming
Threshold option in advanced settings.

I wanted to disable Broadcast ESSID and IAPP options, but when I
clicked on apply it gave an error message about Fast Roaming Threshold
option. By default, this option is set to zero, but it has to be set
between 10 to 90. I looked up in the online manual but couldn't find
an entry about Fast Roaming Threshold.

Could anyone please explain what Fast Roaming Threshold is and what is
the recommended value for this option? I have a small home network
with no more than three computers. Only one laptop is moved once or
twice a day from one room to another.

Thanks


#2
05-01-2007, 01:57 PM
John Navas
Re: EW-7206APg Wireless LAN Access Point

On 1 May 2007 03:14:49 -0700, yousaf.hassan@gmail.com wrote in
<1178014489.816253.63180@y5g2000hsa.googlegroups.com>:

>I recently bought this product and my query is regarding Fast Roaming
>Threshold option in advanced settings.
>
>I wanted to disable Broadcast ESSID and IAPP options, but when I
>clicked on apply it gave an error message about Fast Roaming Threshold
>option. By default, this option is set to zero, but it has to be set
>between 10 to 90. I looked up in the online manual but couldn't find
>an entry about Fast Roaming Threshold.
>
>Could anyone please explain what Fast Roaming Threshold is and what is
>the recommended value for this option? I have a small home network
>with no more than three computers. Only one laptop is moved once or
>twice a day from one room to another.


Why would you want to disable Broadcast ESSID and IAPP options? That
would add nothing to your security, and worse, just make problems more
likely. The only thing that will really make you secure is WPA with a
strong passphrase.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#3
05-01-2007, 02:45 PM
yousaf.hassan@gmail.com
Re: EW-7206APg Wireless LAN Access Point

Thanks for your reply.

Could you please explain why disabling ESSID broadcast would add
nothing to security? The manual says:

"If you enable "Broadcast ESSID", every wireless station located
within the coverage of this access point can discover this access
point easily. If you are building a public wireless network, enabling
this feature is recommended. Disabling "Broadcast ESSID" can provide
better security."

My network is a private home network, so I want to disable it.

As for IAPP, this is what the manual says:

"If you enable "IAPP", the access point will automatically broadcast
information of associated wireless stations to its neighbors. This
will help wireless station roaming smoothly between access points. If
you have more than one access points in your wireless LAN and wireless
stations have roaming requirements, enabling this feature is
recommended. Disabling "IAPP" can provide better security."

I have only one access point, and my wireless stations do not have any
roaming requirements. That's why I turned it off.

As for encryption and security, both WPA (with a strong passphrase)
and MAC access control are enabled.

Could you also explain what Fast Roaming Threshold is? What value is
recommended for this option? There is no mention in the manual for
this!

Regards
Yousaf







#4
05-01-2007, 02:56 PM
John Navas
Re: EW-7206APg Wireless LAN Access Point

On 1 May 2007 07:45:41 -0700, yousaf.hassan@gmail.com wrote in
<1178030741.228389.72340@q75g2000hsh.googlegroups.com>:

>Could you please explain why disabling ESSID broadcast would add
>nothing to security? The manual says:
>
>"If you enable "Broadcast ESSID", every wireless station located
>within the coverage of this access point can discover this access
>point easily. If you are building a public wireless network, enabling
>this feature is recommended. Disabling "Broadcast ESSID" can provide
>better security."


That's just plain wrong, written by someone with no real knowledge of
security. See

* "The six dumbest ways to secure a wireless LAN
(Wireless LAN security hall of shame)"
<http://blogs.zdnet.com/Ou/index.php?p=43>

* "Debunking the Myth of SSID Hiding" at
<http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0149&file=wp_ssid_hiding.pdf>.

>My network is a private home network, so I want to disable it.


All SSID hiding really accomplishes is making it harder for your
legitimate neighbors to see your network, and thus more likely to jump
on the same channel you're using, degrading your network with
interference. It can also cause problems with some wireless adapters.

>As for IAPP, this is what the manual says:
>
>"If you enable "IAPP", the access point will automatically broadcast
>information of associated wireless stations to its neighbors. This
>will help wireless station roaming smoothly between access points. If
>you have more than one access points in your wireless LAN and wireless
>stations have roaming requirements, enabling this feature is
>recommended. Disabling "IAPP" can provide better security."


Again, that's just plain wrong.

>I have only one access point, and my wireless stations do not have any
>roaming requirements. That's why I turned it off.
>
>As for encryption and security, both WPA (with a strong passphrase)
>and MAC access control are enabled.


MAC access control is likewise a bad idea. See first citation above.

The _only_ thing that really works, and thus the _only_ thing you really
need, is WPA with a strong passphrase.

>Could you also explain what Fast Roaming Threshold is? What value is
>recommended for this option? There is no mention in the manual for
>this!


Don't mess with defaults of advanced settings -- you'll only make things
worse.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#5
05-01-2007, 03:06 PM
yousaf.hassan@gmail.com
Re: EW-7206APg Wireless LAN Access Point

OK, I'll have a look at these articles.

> >Could you also explain what Fast Roaming Threshold is? What value is
> >recommended for this option? There is no mention in the manual for
> >this!
>
> Don't mess with defaults of advanced settings -- you'll only make things
> worse.


So, you don't know what Fast Roaming Threshold is?

Anyway, thanks again for your response.

Regards
Yousaf


#6
05-01-2007, 03:22 PM
John Navas
Re: EW-7206APg Wireless LAN Access Point

On 1 May 2007 08:06:51 -0700, yousaf.hassan@gmail.com wrote in
<1178032011.560243.157390@u30g2000hsc.googlegroups.com>:

>OK, I'll have a look at these articles.


How about before making any more posts? Likewise the wikis below.

>> >Could you also explain what Fast Roaming Threshold is? What value is
>> >recommended for this option? There is no mention in the manual for
>> >this!
>>
>> Don't mess with defaults of advanced settings -- you'll only make things
>> worse.
>
>So, you don't know what Fast Roaming Threshold is?


Actually I do, your childish insinuation notwithstanding, and I know it
has no relevance to your situation, which is why I didn't waste time
going into it. You could know too if you spent your time checking (my
citations, the wikis below, and searching with Google) instead of trying
to insult those trying to help you. (I only put up with insults from
people paying for the privilege, and even then not so much.)

>Anyway, thanks again for your response.


You have a curious way of expressing thanks.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#7
05-01-2007, 03:42 PM
yousaf.hassan@gmail.com
Re: EW-7206APg Wireless LAN Access Point

> Actually I do, your childish insinuation notwithstanding, and I know it
> has no relevance to your situation, which is why I didn't waste time
> going into it. You could know too if you spent your time checking (my
> citations, the wikis below, and searching with Google) instead of trying
> to insult those trying to help you. (I only put up with insults from
> people paying for the privilege, and even then not so much.)


O dear! What a sensitive person you are! It was not my intention to
insult you in any way. It was a straightforward question. Before this
post, I only found one article on this subject through Google:

http://forums.wi-fiplanet.com/printt...p?t=6928&pp=15

As you can see, people avoided this question throughout the thread. I
just wanted to know if someone really knows what Fast Roaming Access
means. Anyway, I'll find out.

Thanks (without insinuations or undertones)

Yousaf




#8
05-01-2007, 05:25 PM
Jeff Liebermann
Re: EW-7206APg Wireless LAN Access Point

yousaf.hassan@gmail.com hath wroth:

>Thanks for your reply.
>
>Could you please explain why disabling ESSID broadcast would add
>nothing to security? The manual says:
>
>"If you enable "Broadcast ESSID", every wireless station located
>within the coverage of this access point can discover this access
>point easily. If you are building a public wireless network, enabling
>this feature is recommended. Disabling "Broadcast ESSID" can provide
>better security."
>
>My network is a private home network, so I want to disable it.


Security by obscurity is not a good idea. Anyone with a decent
wireless sniffer (Kismet on Linux) can find your SSID. If someone
were interested in breaking into your network, or sniffing the
traffic, it is trivial to extract the SSID from a capture file.

However, what hiding the SSID does is prevent neighbors and other
users from easily detecting your system. If someone moves in next
door, and sets up a network on your channel, both will get
interference, but your system will not show up on their "site survey".

Whether you decide to broadcast your SSID or not is entirely your
decision. To a knowledgeable hacker, it is not a problem and will not
slow them down in the slightest. To the neighboring systems, it's a
common source of confusion.

>As for IAPP, this is what the manual says:
>
>"If you enable "IAPP", the access point will automatically broadcast
>information of associated wireless stations to its neighbors. This
>will help wireless station roaming smoothly between access points. If
>you have more than one access points in your wireless LAN and wireless
>stations have roaming requirements, enabling this feature is
>recommended. Disabling "IAPP" can provide better security."
>
>I have only one access point, and my wireless stations do not have any
>roaming requirements. That's why I turned it off.


It doesn't matter as IAPP requires that the neighboring access points
MAC address be inscribed in the configuration files so that the
roaming client can keep the same IP address and successfully
re-authenticate with 802.1x from any access point in the system.
Without multiple access points, IAPP is useless. On or off doesn't
matter as it's not going to generate any traffic with only one access
point in the system.

>As for encryption and security, both WPA (with a strong passphrase)
>and MAC access control are enabled.


WPA is your primary security method. Avoid dictionary words in the
passphrase.

MAC address filtering has been somewhat of a problem for my customers.
The problem is that someone shows up with a new computer or game
machine and wants to connect. So, the owner has to dig into the AP or
wireless router configuration in order to add the new device. After
doing this about 5 times, I'm usually asked by the customer how to
defeat this non-feature. It's also not a very useful security feature
as MAC addresses are sent un-encrypted in 802.11 packets. They're
there for everyone to see, no matter how much encryption you have
configured. MAC addresses are also very easy to spoof.
<http://en.wikisource.org/wiki/Changing_MAC_addresses>
I wouldn't bother with MAC address filtering.

>Could you also explain what Fast Roaming Threshold is? What value is
>recommended for this option? There is no mention in the manual for
>this!


That's a bit complicated as there are multiple proposed
implementations of fast roaming available.
<http://en.wikipedia.org/wiki/IEEE_802.11r>
If I knew which one the Edimax EW-7206APg supported, I could possibly
give a sane answer, but I'm late for lunch. Basically, it determines
how aggressively the access point holds onto a connection. Usually,
this is the responsibility of the client software, but 802.11r
transfers the responsibility to the access point. What happens is
that the access point tries to determine if the client is moving out
of range and should roam to a different access point in the system.
The threshold is probably related to some signal quality metric that
determines if the access point should give up trying to stay connected
and issue a disconnect message, which will cause the client to scan
for a better connection. Again, it's only applicable if you have
multiple access points in your WLAN system and should probably be left
at the default value.

Suggestion: Use WPA-2 to secure your network. Change the router
config and guest passwords. Get a RADIUS server if you don't like
shared WPA keys (probably overkill for a home system). Learn how to
read the log files to check for anything funny. Never mind the other
dumb ideas on securing your WLAN.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
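
Added example (not part of Jeff Liebermann's post or any other post in this thread): a Python parser run over two constructed 802.11 management frames, showing that a beacon sent with "Broadcast ESSID" off carries an empty SSID element while the client's own association request still carries the network name and both MAC addresses in the clear. The MAC addresses, the SSID "homelan" and all function names are made up for illustration.

```python
import struct

# Bytes of fixed fields that precede the tagged elements in the body of
# each management-frame subtype handled here.
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
KIND = {0: "assoc-request", 4: "probe-request", 5: "probe-response", 8: "beacon"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return the cleartext fields of a management frame, or None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    info = {"kind": KIND[subtype], "source": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "ssid": None}
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + ie_len]
        if len(data) < ie_len:
            break                      # truncated element, stop parsing
        if ie_id == 0:                 # element ID 0 is the SSID
            hidden = ie_len == 0 or not any(data)
            info["ssid"] = "" if hidden else data.decode("utf-8", "replace")
            break
        pos += 2 + ie_len
    return info

def observe(frames):
    """Collect network names and client MACs visible without any key."""
    names, stations = {}, {}
    for frame in frames:
        info = parse_mgmt(frame)
        if info is None:
            continue
        if info["ssid"]:
            names[info["bssid"]] = info["ssid"]
        if info["source"] != info["bssid"]:
            stations.setdefault(info["bssid"], set()).add(info["source"])
    return names, stations

def build(subtype, dst, src, bssid, ssid):
    """Construct a minimal sample frame (header, fixed fields, SSID element)."""
    header = struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, dst, src, bssid, 0)
    return header + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid

# Constructed sample data: locally administered MACs and a made-up SSID.
AP = bytes.fromhex("020000000001")
LAPTOP = bytes.fromhex("020000000002")
BEACON = build(8, b"\xff" * 6, AP, AP, b"")       # "Broadcast ESSID" off
ASSOC = build(0, AP, LAPTOP, AP, b"homelan")      # laptop joining the network

if __name__ == "__main__":
    print(parse_mgmt(BEACON))
    print(observe([BEACON, ASSOC]))
```

The same header fields stay unencrypted on WPA-protected data frames, which is why neither SSID hiding nor a MAC allow-list substitutes for the passphrase.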

#9
05-01-2007, 05:59 PM
John Navas
Re: EW-7206APg Wireless LAN Access Point

On Tue, 01 May 2007 10:25:21 -0700, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote in
<v5se33t60dv3k8j7eane07loahfuso5fkr@4ax.com>:

>WPA is your primary security method.


Good advice.

>Avoid dictionary words in the passphrase.


Not such good advice (IMnsHO at least).

There's no need to avoid dictionary words given enough passphrase length
-- it just means the passphrase needs to be longer (20+ characters) than
with random characters (14+ characters).

Like the downside of SSID hiding (the likelihood of increased
interference from neighbors), not using words makes passphrases much
harder to use, a disincentive and source of grief.

Diceware words <http://world.std.com/~reinhold/diceware.html> are a good
way to build a strong but easy to use passphrase, and the Diceware
Passphrase FAQ gives good advice on how many words are needed:
<http://world.std.com/~reinhold/dicewarefaq.html#howlong>
I personally consider 6 words (20+ characters) sufficient for home users
and even for most business users.

>Suggestion: Use WPA-2 to secure your network.


Overkill.

>Change the router
>config and guest passwords.


Yes.

>Get a RADIUS server if you don't like
>shared WPA keys (probably overkill for a home system).


Or more practically:
* Get a ZyXEL G-2000 Plus, which has its own authentication server.
<http://us.zyxel.com/products/model.php?indexcate=1076902407&indexcate1=&>
* Use an external RADIUS service; e.g., Radiuz <http://radiuz.net/>
(free)

>Learn how to
>read the log files to check for anything funny.


Beyond most users.

>Never mind the other
>dumb ideas on securing your WLAN.


Yes.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
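
Added example (not part of John Navas's post or any other post in this thread): a Python sketch of how a WPA/WPA2-Personal passphrase becomes the 256-bit key (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations), together with an entropy comparison between random Diceware-style words and random characters. The 16-word list is a constructed stand-in for the 7776-word Diceware list, and the function names are made up for illustration.

```python
import hashlib
import math
import secrets
import string

def wpa_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def entropy_bits(picks, choices):
    """Entropy of `picks` independent, uniformly random selections."""
    return picks * math.log2(choices)

def words_needed(target_bits, list_size):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def word_passphrase(words, count):
    """Pick words with a CSPRNG; the strength comes from the random choice."""
    return " ".join(secrets.choice(words) for _ in range(count))

def random_passphrase(length, alphabet=string.ascii_letters + string.digits):
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed stand-in list; the real Diceware list has 7776 words.
SAMPLE_WORDS = ["anvil", "brisk", "cedar", "delta", "ember", "flint",
                "grove", "haste", "ivory", "joust", "knoll", "lunar",
                "mirth", "nylon", "orbit", "plume"]
DICEWARE_SIZE = 7776

if __name__ == "__main__":
    print(f"6 Diceware words:       {entropy_bits(6, DICEWARE_SIZE):.1f} bits")
    print(f"14 random alphanumeric: {entropy_bits(14, 62):.1f} bits")
    print("words to match 14 random characters:",
          words_needed(entropy_bits(14, 62), DICEWARE_SIZE))
    phrase = word_passphrase(SAMPLE_WORDS, 6)   # sample list: only 24 bits
    print(phrase, "->", wpa_psk(phrase, "homelan").hex())
```

Because the salt is the SSID, which is public whether or not it is broadcast, the strength of the key rests entirely on how unpredictable the passphrase is.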

#10
05-01-2007, 07:06 PM
yousaf.hassan@gmail.com
Re: EW-7206APg Wireless LAN Access Point

Thanks, Jeff. I was just discussing the same issues with a friend of
mine.

Disabling the broadcast of SSID makes sense to me. Not that I am
totally relying on this feature for my overall network security, I
have WPA2 enabled for that. I feel that if my neighbour, a complete
novice, turns on his laptop and sees my network, although he is unable
to do any harm but he can let other people know that a network xyz
exists. And by word of mouth it can reach a knowledgable hacker. For
example, in my area everyone can see the network of the local council.
This means that everyone knows there is a network there to hack into.
I don't want anyone to know the existence of my wireless lan apart
from a couple of machines that I use at home. Even if I have to
sacrifice a bit of performance as a result.

Totally understand your point on IAPP.

Regarding MAC address filtering, my point of view is that even though
it is easy to hack into but at least it is a bit of an effort. Again,
performance is not an issue here and I don't get too many people
visiting me with their laptops every day.

Thanks ever so much for explaining fast roaming.

Regards
Yousaf


#11
05-01-2007, 07:40 PM
John Navas
Re: EW-7206APg Wireless LAN Access Point

On 1 May 2007 12:06:34 -0700, yousaf.hassan@gmail.com wrote in
<1178046394.443935.103190@n76g2000hsh.googlegroups.com>:

>Thanks, Jeff. I was just discussing the same issues with a friend of
>mine.
>
>Disabling the broadcast of SSID makes sense to me.


What makes you think your assessment is better than those of security
experts?

>Not that I am
>totally relying on this feature for my overall network security, I
>have WPA2 enabled for that. I feel that if my neighbour, a complete
>novice, turns on his laptop and sees my network, although he is unable
>to do any harm but he can let other people know that a network xyz
>exists. And by word of mouth it can reach a knowledgable hacker.


That's not something to actually worry about for at least two reasons:
1. WPA2 with a strong passphrase will stop even a knowledgable hacker.
2. Knowledgable hackers don't find networks that way -- they use tools
able to find networks even with SSID broadcast turned off.

>For
>example, in my area everyone can see the network of the local council.
>This means that everyone knows there is a network there to hack into.


Irrelevant. Everyone knows where your house is. What stops them is
whatever real security you have (locks, alarms), your neighbors, and the
local police. Throwing a huge tarp over your house wouldn't help.

>I don't want anyone to know the existence of my wireless lan apart
>from a couple of machines that I use at home. Even if I have to
>sacrifice a bit of performance as a result.


The point is that the people who matter _will_ still know you have a
wireless LAN. What the people who don't matter know is irrelevant, and
it's likewise irrelevant what the people who matter know _if_ you have
strong WPA security.

>Regarding MAC address filtering, my point of view is that even though
>it is easy to hack into but at least it is a bit of an effort.


It's actually no effort at all to those who matter.

>Again,
>performance is not an issue here and I don't get too many people
>visiting me with their laptops every day.


What may be an issue is forgetting what you've done, and somewhere down
the road wasting hours or even days troubleshooting it. Before you say
that won't happen to you, I'll tell you I've heard that claim lots of
times from people that did then forget and had to get my help fixing
their own problem.

You're making bad judgements. The reasons are that you don't really
understand the issues, and aren't willing to take the advice of experts
that do. Unless you're going to take the time to learn and really
understand the issues, you should rely on expert advice. Going against
such advice is just sooner or later going to get you into trouble.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
