https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34193#M1304 Hi Ilia , as I remember , those ports are used by controller (some of them can be disabled) :<BR /> - ssh (22) - for the ssh<BR /> - https (5825) - for the GUI management<BR /> - 13910/13907 - for AP registration . That can be changed to 4500 (typical GRE port) for the IPSec registration<BR /> - 161 - snmp - for security you need to change it to snmpV3<BR /> <BR /> - all encryption types (WEP/WPA/WPA2 PSK and ENT) are all standard based , not a proprietary. For now we do not support PPSK (which can be considered proprietary).<BR /> - CAPWAP tunnel - we do not use this standard , insted we are using our proprietary tunnel type (WASSP) . That can be used for both AP registration/management as well as user traffic (data plane) if traffic goes back to the controller. <BR /> - RADIUS communication between controller and RADIUS server is used as everybody else using it - with MD5 (shared secret), which is not very secure . But that is the standard for now , and so far I never seen any other RADIUS server which would support something different. Thu, 26 Oct 2017 02:19:00 GMT Ostrovsky__Yury 2017-10-26T02:19:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34191#M1302 Hello, everybody,<BR /> <BR /> what could I aswer to security guys:<BR /> <BR /> They've asked:<BR /> <BR /> - list of opened port at V2110 by default;<BR /> - does V2110 have standard (RFC) realisation of WEP, WPA and WPA2 or there is something vendor-specific?<BR /> - how CAPWAP tunnel between V2110 and AP works and what kind of encryption does it provide? Does Identify use RFC CAPWA or something vendor-specific?<BR /> - how safe RADIUS (Active Directory over NPS) authorization? Is there any encryption?<BR /> <BR /> Many thanks in advance for your comments,<BR /> <BR /> Ilya<BR /> <BR /> Thu, 26 Oct 2017 01:56:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34191#M1302 Ilya_Semenov 2017-10-26T01:56:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34192#M1303 1) Ports<BR /> are listed in the release notes page#43<BR /> <A href="http://documentation.extremenetworks.com/release_notes/extremewireless/9035197_ExtremeWireless_v10.41.01.0080_RelNotes.pdf" target="_blank" rel="nofollow noreferrer noopener">http://documentation.extremenetworks.com/release_notes/extremewireless/9035197_ExtremeWireless_v10.4...</A><BR /> <BR /> 2) 802.11<BR /> yes that is per standard or clients wouldn't be able to connect<BR /> <BR /> 3) CAPWAP<BR /> As per the datasheet "Pre-standard (CAPWAP)"<BR /> <A href="http://bit.ly/2kP8vjG" target="_blank" rel="nofollow noreferrer noopener">http://bit.ly/2kP8vjG</A><BR /> <BR /> 4) RADIUS<BR /> as per RFC<BR /> <A href="https://tools.ietf.org/html/rfc6614" target="_blank" rel="nofollow noreferrer noopener">https://tools.ietf.org/html/rfc6614</A><BR /> Thu, 26 Oct 2017 02:13:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34192#M1303 Ronald_Dvorak 2017-10-26T02:13:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34193#M1304 Hi Ilia , as I remember , those ports are used by controller (some of them can be disabled) :<BR /> - ssh (22) - for the ssh<BR /> - https (5825) - for the GUI management<BR /> - 13910/13907 - for AP registration . That can be changed to 4500 (typical GRE port) for the IPSec registration<BR /> - 161 - snmp - for security you need to change it to snmpV3<BR /> <BR /> - all encryption types (WEP/WPA/WPA2 PSK and ENT) are all standard based , not a proprietary. For now we do not support PPSK (which can be considered proprietary).<BR /> - CAPWAP tunnel - we do not use this standard , insted we are using our proprietary tunnel type (WASSP) . That can be used for both AP registration/management as well as user traffic (data plane) if traffic goes back to the controller. <BR /> - RADIUS communication between controller and RADIUS server is used as everybody else using it - with MD5 (shared secret), which is not very secure . But that is the standard for now , and so far I never seen any other RADIUS server which would support something different. Thu, 26 Oct 2017 02:19:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34193#M1304 Ostrovsky__Yury 2017-10-26T02:19:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34194#M1305 Thanks, gentlemen! Thu, 26 Oct 2017 13:02:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/bank-s-security-team-asks-about-identify/m-p/34194#M1305 Ilya_Semenov 2017-10-26T13:02:00Z