Ref.  Rule Title
W1    The network element must not have any default manufacturer passwords.
W2    A service or feature that calls home to the vendor must be disabled.
W7    The network element's OOBM interface must be configured with an OOBM network address.
W8    The network element's management interface must be configured with both an ingress and an egress ACL.
W10   The network element must time out access to the console port after 10 minutes or less of inactivity.
W11   The network element's auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
W12   The network device must require authentication prior to establishing a management connection for administrative access.
W13   The network element must only allow management connections for administrative access from hosts residing in the management network.
W16   The network element must time out management connections for administrative access after 10 minutes or less of inactivity.
W17   The network element must log all attempts to establish a management connection for administrative access.
W18   The network element must be configured to time out after 60 seconds or less for incomplete or broken SSH sessions.
W19   The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
W20   The network element must not allow SSH Version 1 to be used for administrative access.
W22   WLAN SSIDs must be changed from the manufacturer's default to a pseudo-random word that does not identify the unit, base, organization, etc.
W23   The WLAN inactive session timeout must be set for 30 minutes or less.
W24   WLAN signals must not be intercepted outside areas authorized for WLAN access.
W26   The password configured on the WLAN Access Point for key generation and client access must be set to a 14-character or longer complex password.
W30   Wireless access points and bridges must be placed in dedicated subnets outside the perimeter.

Vulnerability Discussion

W1: Network elements not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing a network outage or denial of service. Many default vendor passwords are well known; hence, not removing them prior to deploying

W2: Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that transmission of sensitive data sent to unauthorized

W7: The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.

W8: The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network.

W10: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.

W11: The use of POTS lines to modems connecting to network devices exposes authentication traffic in clear text over commercial circuits, where it could be captured and used to compromise the network. In addition, war-dial attacks on the device could degrade the device and the production network.

W12: Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes, enabling them to disrupt network operations and cause a network outage.

W13: Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.

W16: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network element and a PC or terminal server when the latter has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element as well as reduce the risk of a management session being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.

W17: Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.

W18: An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for a malicious user attempting to make a connection to the network element.

W19: An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry limit to 3 or less strengthens the device against a brute-force attack.

W20: SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.

W22: An SSID that identifies the unit, site or purpose of the WLAN, or that is left at the manufacturer default, may introduce a security vulnerability.

W23: A WLAN session that never terminates due to inactivity may allow an opening for an adversary to hijack the session to obtain access to the network.

W24: Most commercially available WLAN equipment is pre-configured for signal power appropriate to most applications of the WLAN equipment. In some cases, this may permit the signals to be received outside the physical areas for which they are intended. This may occur when the intended area is relatively small, such as a conference room, or when the access point is placed near a window or wall, thereby allowing signals to be received in neighboring areas. In such cases, an adversary may be able to compromise the site's security posture by measuring the presence of the signal and the quantity of data transmitted to obtain information about when personnel are active and what they are doing. Furthermore, if the signal is not appropriately protected through defense-in-depth mechanisms, the adversary could possibly use the connection to access networks and sensitive information.

W26: If the organization does not use a strong passcode for client access, then it is significantly more likely that an adversary will be able to obtain it. Once this occurs, the adversary may be able to obtain full network access, obtain sensitive information, and attack other information systems.

W30: If an adversary is able to compromise an access point or controller that is directly connected to an internal network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires that an additional layer of protection exist between the WLAN and the internal network. This is particularly important for wireless networks, which may be vulnerable to attack from outside the physical perimeter of the facility or base, given the inherent ability of radio communications to penetrate walls, fences, and other physical boundaries.
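Several of the discussions above describe checks that can be run mechanically against the RouterOS export that follows. The Python script below is an added example for this page, not the auditor's tooling or anything shipped by MikroTik. It parses the export syntax shown on the page (section headers starting with "/", add/set commands, backslash line continuation, quoted values and "[ find ... ]" targets) and checks W26 (pre-shared key length), W23 (hotspot idle timeout), W1 (the vendor-default SNMP community) and W13 (management services not bound to a management address range), plus the cleartext-management point from the remote-administration paragraph. The embedded sample export is constructed: it copies stanzas from the export on this page and adds an "/ip service" stanza with assumed values, because that section is not on this page.

```python
"""Audit a RouterOS '/export' against the W-rules discussed on this page.

Added example, not part of the original audit or of RouterOS.  The sample
export is constructed: it copies stanzas from the page and adds an
'/ip service' stanza the page does not show (assumed typical values).
"""
import re

SAMPLE_EXPORT = r"""
# constructed sample, modelled on the export shown on this page
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=password \
    wpa-pre-shared-key=password wpa2-pre-shared-key=1e090e7e4e6807
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default
/ip hotspot
add address-pool=default-dhcp disabled=no idle-timeout=5m interface=\
    bridge-local name=POWHotspot profile=POWProfile
/snmp community
set [ find default=yes ] addresses="" name=public read-access=yes \
    security=none write-access=no
/ip service
set telnet address="" disabled=no port=23
set ssh address=10.5.99.0/24 disabled=no port=22
set www address="" disabled=no port=80
"""


def _tokens(cmd):
    """Whitespace split that keeps "quoted" and [ bracketed ] text together."""
    out, cur, quoted, depth = [], "", False, 0
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch in "[]" and not quoted:
            depth += 1 if ch == "[" else -1
        if ch.isspace() and not quoted and depth == 0:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + [cur] if cur else out


def parse_export(text):
    """Return (section, verb, target, params) for every add/set command."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # continuation: RouterOS joins without a newline
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
            continue
        verb, *rest = _tokens(line)
        target = None  # 'set' may name an item: 0, telnet, [ find default=yes ]
        if rest and (rest[0].startswith("[") or "=" not in rest[0]):
            target = rest.pop(0)
        params = {k: v.strip('"') for k, _, v in (t.partition("=") for t in rest)}
        entries.append((section, verb, target, params))
    return entries


_UNIT = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def duration_seconds(value):
    """RouterOS time values: '5m', '1d2h', '00:30:00' -> seconds; 'none' -> None."""
    if value in ("none", ""):
        return None
    if ":" in value:
        h, m, s = (int(x) for x in value.split(":"))
        return h * 3600 + m * 60 + s
    return sum(int(n) * _UNIT[u] for n, u in re.findall(r"(\d+)([wdhms])", value))


def audit(text):
    """Return (rule, detail) findings keyed by the W-numbers on this page."""
    findings = []
    for section, _verb, target, p in parse_export(text):
        name = p.get("name", target)
        if section == "/interface wireless security-profiles" and p.get("mode") == "dynamic-keys":
            for key in ("wpa-pre-shared-key", "wpa2-pre-shared-key"):
                if p.get(key) and len(p[key]) < 14:  # W26: 14 characters or longer
                    findings.append(("W26", f"{name}: {key} is {len(p[key])} chars"))
        elif section in ("/ip hotspot", "/ip hotspot user profile") and "idle-timeout" in p:
            idle = duration_seconds(p["idle-timeout"])  # W23: 30 minutes or less
            if idle is None or idle > 30 * 60:
                findings.append(("W23", f"{section} {name}: idle-timeout={p['idle-timeout']}"))
        elif section == "/snmp community" and name == "public" and p.get("read-access") == "yes":
            findings.append(("W1", "SNMP community 'public' (vendor default) is readable"))
        elif section == "/ip service" and p.get("disabled") != "yes":
            if not p.get("address"):  # W13: management hosts only
                findings.append(("W13", f"/ip service {target} accepts any source address"))
            if target in ("telnet", "ftp", "www", "api"):  # credentials cross the wire in clear
                findings.append(("cleartext", f"/ip service {target} sends credentials unencrypted"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_EXPORT):
        print(f"{rule:9} {detail}")
```

Run it directly to list the findings for the sample, or pass the text of a real `/export` to `audit()`. Against the sample it flags the eight-character WPA key (the fourteen-character WPA2 key passes), the hotspot user profile whose idle-timeout is `none`, the readable `public` community, and the telnet and www services that are both unrestricted and cleartext. W20 is deliberately not checked: RouterOS implements only SSH protocol 2, so there is no SSH-1 fallback to disable.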

RouterOS command

REMARKS

# oct/09/2014 13:25:03 by RouterOS 5.24


# software id = NK7I-3JCM
#
/interface bridge
add admin-mac=D4:CA:6D:9F:3D:25 ageing-time=5m arp=enabled auto-mac=no \
disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1504 \
name=bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=\
6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 \
mac-address=D4:CA:6D:9F:3D:24 mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:25 \
master-port=none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:26 \
master-port=none mtu=1500 name=ether3-slave-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:27 \
master-port=none mtu=1500 name=ether4-slave-local speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:28 \
master-port=none mtu=1500 name=ether5-slave-local speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough \
group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled management-protection-key="" mode=none \
name=default radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
"" wpa2-pre-shared-key=""
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled management-protection-key="" mode=\
dynamic-keys name=password radius-eap-accounting=no \
radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
password wpa2-pre-shared-key=1e090e7e4e6807
/interface wireless
set 0 adaptive-noise-immunity=client-mode allow-sharedkey=no antenna-gain=0 \
antenna-mode=ant-a area="" arp=enabled band=2ghz-b/g/n basic-rates-a/g=\
36Mbps basic-rates-b=11Mbps bridge-mode=enabled channel-width=20mhz \
compression=no country=no_country_set default-ap-tx-limit=0 \
default-authentication=yes default-client-tx-limit=0 default-forwarding=\
yes dfs-mode=no-radar-detect disable-running-check=no disabled=no \
disconnect-timeout=3s distance=indoors frame-lifetime=0 frequency=2412 \
frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no \
ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 \
ht-basic-mcs=mcs-5,mcs-7 ht-guard-interval=long ht-rxchains=0 \
ht-supported-mcs=mcs-5,mcs-7,mcs-12,mcs-15 ht-txchains=0 \
hw-fragmentation-threshold=disabled hw-protection-mode=rts-cts \
hw-protection-threshold=255 hw-retries=7 l2mtu=2290 mac-address=\
D4:CA:6D:9F:3D:29 max-station-count=2007 mode=ap-bridge mtu=1500 \
multicast-helper=default name=wlan1 noise-floor-threshold=-90 \
nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" \
nv2-qos=default nv2-queue-count=2 nv2-security=disabled \
on-fail-retry-time=100ms periodic-calibration=default \
periodic-calibration-interval=60 preamble-mode=both \
proprietary-extensions=post-2.9.25 radio-name=D4CA6D9F3D29 \
rate-selection=advanced rate-set=configured scan-list=default \
security-profile=default ssid="_WF SMART" station-bridge-clone-mac=\
00:00:00:00:00:00 supported-rates-a/g=36Mbps,54Mbps supported-rates-b=\
11Mbps tdma-period-size=2 tx-power=1 tx-power-mode=all-rates-fixed \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wireless-protocol=any wmm-support=enabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
3200 framer-policy=none
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no use-radius=no
add dns-name=pow.portal.ph hotspot-address=192.168.88.1 html-directory=\
pow_wifun http-proxy=0.0.0.0:0 login-by=https,http-pap name=POWProfile \
nas-port-type=wireless-802.11 radius-accounting=no radius-default-domain=\
pow.wifun.ph radius-location-id="" radius-location-name="" \
radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no ssl-certificate=none use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
shared-users=unlimited status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=port3 ranges=10.5.30.2-10.5.30.254
add name=port4 ranges=10.5.40.2-10.5.40.254
add name=port5 ranges=10.5.60.2-10.5.60.254
add name=wifi ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=bridge-local lease-time=3d name=default
add address-pool=port3 authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=ether3-slave-local lease-time=3d name=port3dhcp
add address-pool=port4 authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=ether4-slave-local lease-time=3d name=port4dhcp
add address-pool=port5 authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=ether5-slave-local lease-time=3d name=port5dhcp
add address-pool=wifi authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=personal lease-time=3d name=wifidhcp
/ip hotspot
add address-pool=default-dhcp addresses-per-mac=2 disabled=no idle-timeout=5m \
interface=bridge-local keepalive-timeout=none name=POWHotspot profile=\
POWProfile
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
default use-encryption=default use-mpls=default use-vj-compression=\
default
set 1 change-tcp-mss=yes name=default-encryption only-one=default \
use-compression=default use-encryption=yes use-mpls=default \
use-vj-compression=default
/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment=pow_vpn \
connect-to=65.181.120.40 dial-on-demand=no disabled=no max-mru=1460 \
max-mtu=1460 mrru=disabled name=pow_vpn password=b1946ac92492d2347c6235b4d2611184 profile=\
default-encryption user=0b53719b1ade59b556b62b5b5560512b
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=\
ospf-in metric-bgp=auto metric-connected=20 metric-default=1 \
metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
out-filter=ospf-out redistribute-bgp=no redistribute-connected=no \
redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
backbone type=default
/snmp community
set [ find default=yes ] addresses="" authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 \
syslog-facility=daemon syslog-severity=auto target=remote
add bsd-syslog=no name=WebProxy remote-port=514 src-address=0.0.0.0 \
syslog-facility=daemon syslog-severity=auto target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
winbox,password,web,sniff,sensitive,api" skin=default
/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether2-master-local path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan3 path-cost=10 point-to-point=no priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan4 path-cost=10 point-to-point=no priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan6 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan5 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan7 path-cost=10 point-to-point=no priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan8 path-cost=10 point-to-point=no priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan9 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface="wlan wep 64" path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface="wlan wep 128" path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface="wlan wep 154" path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlanWPA2 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=\
1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:A5:57:72:9D:EC \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no \
interface=bridge-local network=192.168.88.0
add address=10.5.30.1/24 disabled=no interface=ether3-slave-local network=\
10.5.30.0
add address=10.5.40.1/24 disabled=no interface=ether4-slave-local network=\
10.5.40.0
add address=10.5.60.1/24 disabled=no interface=ether5-slave-local network=\
10.5.60.0
add address=10.5.50.1/24 disabled=no interface=personal network=10.5.50.0
/ip dhcp-client
add add-default-route=yes comment="default configuration" \
default-route-distance=1 disabled=no interface=ether1-gateway \
use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.5.30.0/24 dhcp-option="" dns-server="" gateway=10.5.30.1 \
ntp-server="" wins-server=""
add address=10.5.40.0/24 dhcp-option="" dns-server="" gateway=10.5.40.1 \
ntp-server="" wins-server=""
add address=10.5.50.0/24 dhcp-option="" dns-server="" gateway=10.5.50.1 \
ntp-server="" wins-server=""
add address=10.5.60.0/24 dhcp-option="" dns-server="" gateway=10.5.60.1 \
ntp-server="" wins-server=""
add address=192.168.88.0/24 comment="default configuration" dhcp-option="" \
dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=4096 servers=""
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no src-address=10.5.30.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.5.40.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.5.60.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.5.50.0/24
add action=dst-nat chain=dstnat comment=OpenDNS disabled=no dst-port=53 \
protocol=udp src-address=192.168.88.0/24 to-addresses=208.67.222.123 \
to-ports=53
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot walled-garden
add action=allow comment="place hotspot rules here" disabled=yes dst-port=""
add action=allow disabled=no dst-host=*.wifun.ph dst-port=""
add action=allow disabled=no dst-host=pow.portal.ph dst-port=""
/ip hotspot walled-garden ip
add action=accept comment=allow_source disabled=no src-address=\
106.186.124.211
add action=accept comment=allow_destination disabled=no dst-address=\
106.186.124.211
add action=accept comment=allow_source disabled=no src-address=65.181.120.40
add action=accept comment=allow_destination disabled=no dst-address=\
65.181.120.40
add action=accept disabled=no dst-address=192.168.88.1
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
no src-address=0.0.0.0
/ip route
add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=pow_vpn scope=\
30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1-gateway queue=only-hardware-queue
set ether2-master-local queue=only-hardware-queue
set ether3-slave-local queue=only-hardware-queue
set ether4-slave-local queue=only-hardware-queue
set ether5-slave-local queue=only-hardware-queue
set wlan1 queue=wireless-default
/radius
add accounting-backup=no accounting-port=1813 address=106.186.124.211 \
authentication-port=1812 called-id="" comment=pow_radius disabled=no \
domain=pow.wifun.ph realm="" secret=4332wurx service=hotspot timeout=5s
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
trap-target="" trap-version=1
/system clock
set time-zone-name=Asia/Singapore
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=Wifun_d4ca6d9f3d24
/system leds
set 0 disabled=no interface=wlan1 leds=wlan-led type=wireless-status
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
add action=WebProxy disabled=no prefix="" topics=web-proxy
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=121.58.193.100 secondary-ntp=\
121.58.193.100
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
400MHz force-backup-booter=no silent-boot=no
/system scheduler
add disabled=no interval=5m name=CloudCheck on-event=CloudPing policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/02/1970 start-time=08:08:59
add disabled=no interval=5m name=FTP on-event=WebWatcher policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/02/1970 start-time=08:08:59
add disabled=no interval=5m name=Updater on-event=UpdateFiles policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jan/02/1970 start-time=08:08:59
/system script
add name=WiFunOnline policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/ip hotspot profile set [/ip hotspot profile find name=POWProfile]\
\_html-directory=pow_wifun login-by=http-pap,https"
add name=WiFunBypass policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/ip hotspot profile set [/ip hotspot profile find name=POWProfile]\
\_html-directory=pow_wifun_down login-by=http-chap,trial trial-uptime=1h/1\
s"
add name=CloudPing policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":local i 0; \r\
\n:do {:set i (\$i+1)} while=((\$i<3) && [/ping 8.8.8.8 interval=2 count=3\
]<1); \r\
\n:log info \$i;\r\
\n:if (\$i<3) do { /ip hotspot profile set 1 html-directory=pow_wifun logi\
n-by=http-pap,https };"
add name=WebWatcher policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":local int;\r\
\n:global oldlist;\r\
\n:global newlist;\r\
\n:local actusrlist \"\$[/system identity get name]\";\r\
\n:local wlanID;\r\
\n:local bandwidth;\r\
\n:local txAll;\r\
\n:local rxAll;\r\
\n\r\
\n:local count [:tonum [/ip hotspot active print count-only]];\r\
\n\r\
\n:local txbps;\r\
\n:local rxbps;\r\
\n\r\
\n/interface monitor wlan1 once do={\r\
\n:set txbps \$(\"tx-bits-per-second\");\r\
\n:set rxbps \$(\"rx-bits-per-second\");\r\
\n}\r\
\n\r\
\n:set wlanID [/interface find name=wlan1];\r\
\n\r\
\n:set txAll \"\$txAll\$[/interface get \$wlanID tx-byte]\";\r\
\n:set rxAll \"\$rxAll\$[/interface get \$wlanID rx-byte]\";\r\
\n\r\
\n:set newlist \"\$actusrlist;\$count;\$txbps;\$rxbps;\$txAll;\$rxAll\";\r\
\n\r\
\n:log error \$newlist;\r\
\n\r\
\n:local localFilename;\r\
\n:set localFilename \"\$[/system identity get name].txt\";\r\
\n/file print file=\$localFilename;\r\
\n/file set \$localFilename contents=\"\$newlist\";\r\
\n\r\
\n:log info \"Uploading file\";\r\
\n/tool fetch address=cp1.wifun.org src-path=\$localFilename user=active m\
ode=ftp password=activewurx dst-path=\$localFilename upload=yes;\r\
\n\r\
\n:set oldlist \$newlist;\r\
\n:log error \"Active list sent\";"
add name=WiFunUpdate policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":log info \"WiFun Version Updater\";\r\
\n:local update;\r\
\n:local mac;\r\
\n:local password;\r\
\n:local list ;\r\
\n:local newList;\r\
\n\r\
\n:log info \"Checking Files\";\r\
\n:set update \"\$[/file find where name~\"updates/\"]\";\r\
\n\r\
\n:set mac \"\$[/system identity get name] \";\r\
\n:set password \"\$[put [:pick \$mac 6 [:find \$mac \" \"]]]\";\r\
\n\r\
\n:foreach i in \$update do { \r\
\n :set list \"\$[/file get \$i name] \";\r\
\n :set newList \"\$[put [:pick \$list 8 [:find \$list \" \"]]]\";\r\
\n :log info \"Uploading \$newList..\";\r\
\n \r\
\n :if condition=(\$newList != \"css\" and \$newList != \"img/upload\"\
\_and \$newList !=\"img\") do={ /tool fetch address=127.0.0.1 src-path=\"u\
pdates/\$newList\" user=admin mode=ftp password=\$password dst-path=\"test\
/\$newList\" upload=yes; /file remove \"updates/\$newList\"}\r\
\n \r\
\n :log info \"Done\";\r\
\n}\r\
\n"
add name=UpdateFiles policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":local file;\r\
\n:local images;\r\
\n:set file \"\$[/file find where name~\"updates/\"]\";\r\
\n\r\
\n:log info \$file;\r\
\n\r\
\n:foreach i in \$file do {:set images \"\$images\$[/file get \$i name],\$\
[/file get \$i size]\\n\"}\r\
\n\r\
\n:local localFilename ;\r\
\n:set localFilename \"\$[/system identity get name]_updates.txt\"\r\
\n/file print file=\$localFilename;\r\
\n/file set \$localFilename contents=\"\$images\"\r\
\n\r\
\n/tool fetch address=65.181.120.40 src-path=\$localFilename \\\r\
\nuser=active mode=ftp password=activewurx dst-path=\$localFilename upload\
=yes\r\
\n\r\
\n:log error \"File sent\"\r\
\n\r\
\n"
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=\
"" filter-mac-address="" filter-mac-protocol="" filter-port="" \
filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes \
only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
use-radius=no
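The export above leaves the telnet, ftp and www management services enabled and still carries the factory SNMP community `public` with `security=none`, which is what checklist items on default credentials and management access are looking for. The following Python script is an added example for this page, not MikroTik code or a tool used by the audit: it joins the backslash continuations RouterOS writes in `/export` output, parses the `/ip service`, `/snmp` and `/snmp community` stanzas into dictionaries, and returns a finding for every enabled cleartext service and every default community. The sample input is a constructed string whose lines are copied from the dump above; which services count as cleartext (`CLEARTEXT_SERVICES`) is my own classification, not a RouterOS attribute.

```python
"""Audit a RouterOS '/export' dump for management settings a network
checklist would reject (cleartext management services, default SNMP
community).  Added example for this page; not a MikroTik tool."""
import re

# Constructed sample input: the '/snmp community', '/ip service' and '/snmp'
# stanzas copied from the export above.  Long commands wrap with a trailing
# backslash, exactly as RouterOS writes them.
SAMPLE_EXPORT = r"""/snmp community
set [ find default=yes ] addresses="" authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
trap-target="" trap-version=1
"""

# Services whose credentials cross the wire unencrypted.  This classification
# is an assumption made for the example, not a RouterOS attribute.
CLEARTEXT_SERVICES = {"telnet", "ftp", "www", "api"}

_PARAM_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
_FIND_RE = re.compile(r"\[\s*find[^\]]*\]\s*")


def join_continuations(text):
    """Merge lines ending in a backslash into one logical command line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]          # drop the backslash, keep any space before it
        else:
            logical.append(buf + raw)
            buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_export(text):
    """Return {section: [ {verb, target, params} ]} for an export dump.

    A section starts with a '/menu path' line; each following line is
    'set|add [target] key=value ...'.  The target is an item name ('telnet'),
    an index ('0') or a '[ find ... ]' selector, and may be absent."""
    sections, current = {}, None
    for line in join_continuations(text):
        if not line.strip():
            continue
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        target = None
        m = _FIND_RE.match(rest)
        if m:
            target, rest = m.group(0).strip(), rest[m.end():]
        else:
            first, _, remainder = rest.partition(" ")
            if "=" not in first:
                target, rest = first, remainder
        params = {k: v.strip('"') for k, v in _PARAM_RE.findall(rest)}
        sections[current].append({"verb": verb, "target": target, "params": params})
    return sections


def audit(sections):
    """Return (section, target, message) tuples for settings worth a finding."""
    findings = []
    for entry in sections.get("/ip service", []):
        p = entry["params"]
        if entry["target"] in CLEARTEXT_SERVICES and p.get("disabled") == "no":
            findings.append(("/ip service", entry["target"],
                             f"cleartext management service enabled on port {p.get('port')}"))
    # A default community is a finding even while SNMP is off: enabling the
    # agent later exposes it unchanged.
    snmp_on = any(e["params"].get("enabled") == "yes" for e in sections.get("/snmp", []))
    for entry in sections.get("/snmp community", []):
        p = entry["params"]
        if p.get("name") == "public" or p.get("security") == "none":
            state = "SNMP enabled" if snmp_on else "SNMP currently disabled"
            findings.append(("/snmp community", p.get("name"),
                             f"default community with security={p.get('security')} ({state})"))
    return findings


if __name__ == "__main__":
    for section, target, msg in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{section} {target}: {msg}")
```

Feeding a full export file to `parse_export` works the same way; the parser only depends on the section-header and `key=value` layout, so other stanzas (for example `/ip firewall filter` or `/radius`) can be checked by adding rules to `audit`. Quoted script bodies under `/system script` contain their own escaped quotes and are captured as one opaque `source` value, which is enough for an inventory but not for inspecting the script logic.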

Ref.: W5, W25, W29

Remarks:
- WPA-PSK, WPA2-PSK, AP will relay authentication to RADIUS
- AES-CCM WPA encryption protocol
- WPA2 pre-shared key
- RADIUS authentication for hotspot users
- RADIUS server
- Shared secret for authentication reply only of router, not authentication used by RADIUS
- No user authentication via RADIUS