Review of the ZyXEL ZyAIR B-3000 Intelligent Wireless LAN Access Point

The ZyAIR B-3000 piqued my interest: an inexpensive, full-featured 802.11b access point that could provide 802.1X authentication directly without a back-end RADIUS server? It had to be seen to be understood fully. The company graciously loaned me a unit to run through its paces.
The ZyAIR’s goal is obviously to be as multi-talented as possible. It allows you to create several network names (extended service set IDs or ESSIDs) to which you can assign different virtual LAN (VLAN) tags to restrict network traffic. Each VLAN can have its own set of WEP keys, but you can’t set firewall or IP routing parameters.
It can also hold up to 32 manually entered user accounts and perform 802.1X/EAP (Extensible Authentication Protocol) negotiation directly for those accounts. The B-3000 can also pass EAP messages through to back-end RADIUS servers for more robust user authentication.
Configuring the B-3000 is extremely simple and straightforward. They’ve designed the interface well, and the manual, while a little scanty, has practically all of the necessary detail. I had to spend only a little time on trial and error.
Because the unit can be set to only allow access via authentication and because it can support user accounts directly, it seems like an ideal secure small office access point and gateway.
But it does have a few provisos. First, the only 802.1X/EAP type supported is EAP-MD5 which, although it never sends the password itself in the clear, is not considered robust enough for an enterprise solution because of various potential attacks that could allow others to gain access to the network.
Worse, Windows XP’s original release supported EAP-MD5, but alert reader Eddie Rowe wrote in to note that Service Pack 1 (SP1) disables EAP-MD5 over 802.1X. A technical note I found from a third party cites EAP-MD5’s failure to protect the hashed password as it crosses the 802.1X link as the reason it is no longer allowed. So using EAP-MD5 is actually a higher bar for Windows XP users than PEAP (Protected EAP)! They would require third-party client software. (Mac OS X 10.3 includes EAP-MD5 as a valid 802.1X type.)
The company said that it was looking into supporting PEAP inside the B-3000, but hadn’t made a decision about this yet because of engineering issues. They said that EAP-TLS and EAP-TTLS aren’t feasible in a stand-alone device.
Second, the B-3000 only supports WEP encryption at the moment, and its dynamic WEP key exchange only works with a RADIUS server, not its internal authentication database. A company spokesperson said that WPA should be available by the end of the year.
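To make the two EAP-MD5 limitations above concrete (the hashed password is the only thing the exchange protects, and the exchange yields no key material for dynamic WEP), here is an added illustration, not ZyXEL’s code, of one MD5-Challenge round trip between a supplicant and an access point that verifies against a local account table. The packet layout follows RFC 3748 and the response calculation follows RFC 1994; the account table and the username and password in it are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748 section 5.4
# Constructed stand-in for the AP's local account table. Verification recomputes
# a hash over the cleartext secret, so the AP must keep passwords in recoverable form.
ACCOUNTS = {"alice": b"correct horse battery"}

def eap_md5_packet(code, identifier, value, name=b""):
    """Encode an EAP MD5-Challenge packet: Code | Id | Length | Type | Value-Size | Value | Name."""
    type_data = bytes([len(value)]) + value + name
    length = 5 + len(type_data)  # 4-octet EAP header plus the Type octet
    return struct.pack("!BBHB", code, identifier, length, EAP_TYPE_MD5_CHALLENGE) + type_data

def parse_eap_md5_packet(pkt):
    """Decode the layout above, rejecting a bad Length or a non-MD5 Type."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = pkt[5]
    return code, identifier, pkt[6:6 + value_size], pkt[6 + value_size:]

def md5_challenge_response(identifier, secret, challenge):
    """Response value as defined for CHAP (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def authenticator_verify(request_pkt, response_pkt, accounts=ACCOUNTS):
    """Authenticator side: check the Response against the local table; return the EAP code to send."""
    req_code, req_id, challenge, _ = parse_eap_md5_packet(request_pkt)
    resp_code, resp_id, response, name = parse_eap_md5_packet(response_pkt)
    if req_code != EAP_REQUEST or resp_code != EAP_RESPONSE or req_id != resp_id:
        return EAP_FAILURE
    secret = accounts.get(name.decode("ascii", "replace"))
    if secret is None:
        return EAP_FAILURE
    expected = md5_challenge_response(resp_id, secret, challenge)
    return EAP_SUCCESS if hmac.compare_digest(expected, response) else EAP_FAILURE

def run_exchange(username, secret, identifier=1, challenge=None):
    """Both sides of one MD5-Challenge round trip; only the supplicant ever proves anything."""
    challenge = challenge or os.urandom(16)
    request = eap_md5_packet(EAP_REQUEST, identifier, challenge)
    _, _, seen_challenge, _ = parse_eap_md5_packet(request)  # supplicant reads the challenge
    value = md5_challenge_response(identifier, secret, seen_challenge)
    response = eap_md5_packet(EAP_RESPONSE, identifier, value, username.encode())
    return authenticator_verify(request, response)
```

Note that the AP never proves anything to the client, and no value in the exchange is secret to both sides, which is why EAP-MD5 cannot derive per-session keys and the B-3000 has to lean on a RADIUS server for dynamic WEP.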
Third, only 32 users can access the B-3000 at a time, with or without user accounts. This could be a limitation for offices that would otherwise be good candidates.
For a suggested retail price of $150, the B-3000 should have enough admirable features to make it an easy choice for a small network trying to dramatically improve its security without reaching government-grade levels, deterring all but the most determined crackers.
Unfortunately, the built-in support for just EAP-MD5 and the lack of current WPA support mean that the B-3000 can’t live up to its potential as a stand-alone device. Without the firewall features to make the unique SSID/VLAN feature useful and without PEAP support to handle up-to-date Windows XP users, the B-3000 is just an expensive also-ran that handles pass-through AAA; a Linksys WRT54G would cost less and offers greater security and compatibility right now.