This article gives an introduction to the software applications that manage multi-vendor access points, controllers and other Wi-Fi devices on a huge disparate network. We look at the user, device monitoring, visual heat maps offering live coverage of the Wi-Fi network, security features like rogue access point detection etc. that can be uniformly applied to a large network of multi-vendor access points.

Any large Wi-Fi network has existing investments in Thin and Thick Access Points (For differences between the two, click on this link). So, upgrading the wireless network from thick access points to thin access points for better management does not always require companies to abandon all their existing thick access points and going in for a total thin access point – controller based wireless network. There are software applications available that manage multi-vendor (thick and thin) access points from a central location allowing organizations to retain their thick existing access points (at least in places like remote branch offices / retail stores etc) and expand with controller based thin access points but still manage the whole wireless network through a single management interface. These applications do not exactly provide all the features of a controller based thin access point (single vendor) network, but they provide a surprisingly lot of management functionalities for multi-vendor access points when compared to the controllers, which often only manage the access points from the same vendor. Let us see some of them.

Multi-vendor Wireless network management:

These multi-vendor wireless network management software applications allow the organizations to manage both individual devices and individual users (in the Wi-FI network). So, they help in monitoring how many wireless devices (Some of them can monitor even up to 5000+ wireless devices) are connected in a network/ segment, how many users are connected to each segment, a visual representation of the same for each network segment etc. In the same way, they help in monitoring individual wireless user level parameters like the bandwidth utilized by individual users or signal strength with which they connect to the access points etc. over a period of time (perhaps hourly, daily averages). These are very important parameters for monitoring a wireless network that is physically in disparate locations across the world.

Both Thin and Thick access points can be managed by them. In fact, the vendors put up a list of access point companies that can be managed by their software applications in their websites. Most of them monitor only enterprise grade thick access points and not the home grade thick access points.

The firmware upgrades for individual access points are uniformly applied from their respective vendors to all the access points supplied by that particular vendor across the network automatically, without manual intervention, which is a boon in a huge wireless network.

Heat Maps:

Some such multi-vendor access point management applications allow the floor plans of an organization to be uploaded and integrated with them so that the users can view the wireless network in real time. They can see the devices, their location, the number of people connected to each device, RF signal strength at all the locations (This may be indicated by varying colour levels – brighter colours indicating stronger signal strengths etc.). The wireless network can be viewed on a real time, making it possible for organizations to see not only their signal strengths but also the signal strengths from the neighbouring access points which may interfere with their wireless network. This is also useful on a maintenance perspective – if a user complains of slow connections – the administrator can first see the signal levels in his location, change the position of access points to see the results of such a change in his location, and if satisfied with the results, he can arrange to change the location of the access point physically.

Some multi-vendor access point management vendors also give a site plan tool. This is basically a software module which can take the floor plans and dimensions of a new area that needs wireless coverage and gives an estimate on the number of access points required in that place based on parameters like minimum assured bandwidth required per user etc. This helps in a bigger network.

Security:

One of the major concerns for such organizations having a large number of multi-vendor access points is the mis-configuration of individual access points. There are, many such mis-configured individual access points in a large network opening the door for intruders to get in to the wireless network easily. So, these management applications help verify the configuration of each and every access point and report them or if possible repair them. Another common wireless threat is the rogue access point that is the home grade access point brought by employees in non-wireless areas or the ones brought by visitors/ external intruders (honey pots) to make employees connect to them to gain network access. Such rogue access points are generally monitored over the wireless network and wired network (in places where wireless network is not available) and reported to the adminstrator, if any of them are found.

excITingIP.com

In case you have any questions, you could get in touch with us via the contact form or you can leave a comment below. You could also participate in the discussions in the Forum.

This article discusses the difference between Stand-Alone Access Points (Thick) and Controller based Access Points (Thin) in a wireless network. We discuss the basic structural difference, authentication, radio management, security, access control and other management features in both of them.

There is always a question of which is better: Stand alone access points or Controller based access points for Wi-Fi access. While the obvious answer would be ‘Controller based access points’ for its centralized management, configuration, encryption, updates and policy settings through a centralized controller, they come with a cost. You would be surprised at how much a small enterprise grade Stand alone Wi-Fi access point (Not the home/SOHO access point) can do, at a very low price. Hence, the Stand alone access points maybe sufficient for certain small deployments. They could be used even in larger deployments along with a multi-vendor Wireless LAN Management software which gives centralized control interface. We will see the differences between thin and thick access points, with respect to the following parameters.

Authentication: Enterprise grade Stand alone (thick) access points support MAC authentication as well as 802.1x authentication through a Radius server or both, much like the controller based (thin) ones. Except maybe for a guest access, where a separate captive portal can be integrated in to the controller to authenticate the guests and keep them on a separate network (different from the internal network) without having to create a profile for them or making any changes on the Radius server.

Encryption: Stand alone access points encrypt the communication between themselves and the laptop/PC but controller based access points encrypt the entire line – PC to access points to controller. WPA2, which is the latest encryption standard, would be supported by most of the controllers, while some stand alone access points may be using WEP or its equivalents, which are weaker. A stand alone access point may store encryption keys, and if they are stolen, those keys could be retrieved.

SSID/VLAN: While there can be a number of SSID’s and VLAN’s in stand alone access points for grouping the number of users, generally the wired VLAN needs to be extended over the wireless too, and the VLAN settings depend on the wired VLAN parameters. With controller based access points, there could be just one SSID and separate wireless VLAN’s under it, which is totally independent of the wired VLAN settings. The controller acts as a layer 3 device and hence is able to by-pass the layer 2 VLAN settings of the switch.

Radio Management/ Channel Management: While the controller based access points can provide very good radio management via the controller by making sure no two neighbouring access points are transmitting in the same channel (frequency) as that might result in interference, Stand alone access points can also monitor the neighbouring access points by themselves to ensure this automatically. Like the controller based access points, the stand alone ones can also reduce power levels dynamically in order to reduce interference in some situations.

Group configuration: Group configuration and centralized management, updates of firmware is easier with controller based access points. Very few stand alone access points can also do this by the process of “Clustering” or “Grouping” where there is a master access point which intimates all the slave access points if any changes in configuration are made. But the number of such access points that can group together is limited.

Bandwidth/ Load balancing: Some controller based access points can limit the maximum bandwidth that can be used by individual station/ group to make sure that one station/group would not overload the whole network. This cannot be done by stand alone access points. Controller based access points can also balance the load across the access points in that area. Suppose if there are 15 stations associated with one access point, and a neighbouring access point has only five, five stations from the first access point are sent to the second automatically so that the load in each of them is almost similar and the performance of the wireless network is optimum. But stand alone access points cannot do this.

Redundancy: Well, the controller is a single point of failure and the access points attached to it may not work if the controller is down. That is one reason why the High Availability mode always has a back up controller, sitting passively. But however, if any access points attached to this controller fails, the clients are automatically forwarded to the nearest access point without a dis-connect. If a stand alone access point fails, the users could still connect to the neighbouring access point (provided there is one in the vicinity) but only after the current session is terminated and after re-authentication and sometimes an administrator may need to give permission in the ACL of that access point.

Network Access Control: Some controllers can control the network access on a per user basis. For example, individual user/group could be denied access to use certain applications like internet/SAP or any other service. Basically policies could be set in the controller to restrict them to certain applications only. The users could also be integrated with the existing NAC policies of the wired network. Many stand alone access points cannot do this.

Security: While most of the stand alone access points can identify a rogue access point and provide some basic IDS functions, controller based access points can do much more. They can dedicate a radio (or whole access points) for wireless intrusion detection and monitor the network for wireless threats like MAC spoofing, honey pot attacks, Denial of Service attacks, Ad-hoc networks etc.

Quality of Service: Both stand alone access points and controller based access points can support prioritization of data packets based on applications/protocols like voice, video etc. to ensure that the delay sensitive voice/video packets are processed before the data traffic like mails etc. according to the IEEE WMM – Wireless Multimedia Standard. Controller based access points can go one step ahead and give true roaming by handing over the voice sessions between the access points for the Wi-Fi voice clients.

Mesh Networking: Both controller based and stand alone access points can support mesh networking – the connectivity between two or more access points through wireless mode (in addition to the connectivity to the laptops/stations). Normally all the access points are connected in the back end through a wire, but they can also connect to one another using dedicated radios with dual radio access points. Mesh networking might be required where data cables cannot be taken or taking them becomes very expensive. However, mesh networks reduce the amount of bandwidth supported with each hop.

Live monitoring of Wireless network and location based services: The controller based access points can allow floor plans (of the area covered with Wi-Fi) to be integrated with the controller and the power levels (signal strength) of the Wi-Fi network at different places can be viewed Live (pictorially with different colour levels indicating different signal strengths) for network and performance monitoring,. Stand alone access points cannot do this. Some controllers also integrate location based services which can identify any active wireless client in the floor plan (through its MAC address, for example) within a range of 3-5 meters.

The points mentioned in this article are not comprehensive and they are supposed to serve as a guidance only. It should also be remembered that these parameters change from vendor to vendor for both stand alone and controller based access points.

Related Article: Why is a controller required for a large wireless network and what are the features of the wireless controller

excITingIP.com

In case you have any questions, you could get in touch with us through the contact form or leave a comment below. You could also participate in the discussions in the Forum.

This article gives an introduction to the Wi-Fi based RFID Tags, how the location of assets can be identified by the combination of Enterprise Wi-Fi and RFID technologies, what can be accomplished by such a system, advantages and limitations of Wi-Fi based RFID Location tracking technology.

Tracking Active Wi-Fi Devices: Location Tracking is not a new technology. Certain Wireless LAN vendors have Location engine built in to their Wi-Fi solution or have a separate dedicated device to perform the function of a Location engine. This used to track active Wi-Fi devices in the organization (with an accuracy of 3 to 5 meters) and report it in the floor plans that were previously integrated with the Wireless Controller. Some Wi-Fi solutions can also indicate a live coverage of RF signal levels in the organization. Here, the Wireless controller decides the probable location of the active Wi-Fi device by measuring the time taken for the signals to reach the Wi-Fi device from at least three neighbouring Access Points, whose location is already known. This is used to locate Laptops, Voice Over Wireless LAN handsets and other active Wi-Fi based devices in the network. Of course, the laptops need to be ‘On’ for tracking them.

Tracking Non Wi-Fi devices through RFID and Wi-Fi Network: But Active Radio Frequency Identification Tags (RFID Tags) that comply with 802.11 WLAN standard are currently used with Real Time Location Systems (RTLS Engines) to monitor the location of Non Wi-FI based devices like crates, vehicles etc. The RFID Tags come with a in-built battery and they keep sending 802.11 WLAN based information periodically to the access points, which communicate the same to the Location Engine(Which is generally a server with RTLS software) over the Wi-Fi / IP Network to locate moving and stationary objects within a warehouse that have been tagged with the Wi-Fi RFID Tags, for example.

Since, these messages are being transmitted periodically to Access Points, the WLAN infrastructure needs to identify them to pass them on to the RTLS Engines. So, the RTLS vendors work with the WLAN vendors at the firmware level to identify and integrate their Wi-Fi network/ Access Points with Wi-Fi based RFID Tags.

These Wi-Fi based RFID Tags are battery operated devices which may be an inch long, and their battery life is expected to be around 4 years. The Tags are optimised not to send information to the Access Points when the objects to which they are attached to are stationary, to save battery power. Optional temperature/ heat sensors can be integrated to these Tags to make them communicate specific information to the RTLS Engine based on real time temperature/heat parameters. These tags can have an accuracy of 3-5 meters when determining the location and a large number of tags can communicate simultaneously with a single access point without choking the Wi-Fi network. These tags are generally capable of bi-directional data exchange.

There could also be certain choke points, like the entry and exit gate of the main door of a warehouse, which can be connected with readers such that when objects containing these tags pass through them, the tags automatically intimate the Wi-Fi infrastructure and hence the RTLS engine about the movement of goods outside the warehouse, which can inturn integrate with an alarm system to trigger an alarm.

Advantages and Dis-advantages: The advantages are obvious: Security automation, monitoring and location tracking for high cost devices that don’t have built in Wi-Fi sensors, reduce costs by using the existing 802.11 based WLAN infrastructure for communication instead of having an RFID reader network (with its own frequencies) which can be very costly to set up over a huge area. The disadvantages include the high cost of active RFID Tags and changing batteries after a certain number of years for all the tags.

excITingIP.com

In case you have any questions, you could get in touch with us using the contact form or leave a comment below. You could also participate in the discussions in the Forum.

This article explores the ways in which the guests can be given access to wireless networks, whether they could be authenticated, whether their access can be restricted to certain services in the network and whether usage statistics and logs can be generated for guests.

A wireless network, in the context of this article consists of three components: Controller, Access Points and laptops/clients with Wi-Fi adaptors. So, we assume that wireless access is already given for the employees using such a system in the network, and we will restrict our discussion to handling the guest access – people who may require temporary network access for a short duration of time.

In the past, the networks were kept open and anyone in the vicinity could access the internet etc. As you can guess, this is not a very good idea! So, people started to have strict authentication through LDAP/AD etc. However there was one issue that was bothering people, how to give temporary guest access to certain people which will restrict them to certain services in the network without creating a profile for them in the AD etc. This can now be solved through most of the existing wireless controllers.

The controller lets you set up a separate SSID for guests (probably in a separate VLAN too). So, when the guests come to your office, they see Guest SSID when they scan for available networks. The controller allows you to set up a captive portal (browser based) – in some controllers, this is an external service where it interacts with an external server to bring it up, in some of them the captive portal is built in. So, now the guest gets a customized captive portal (like a web-page interface) where he sees your company logo, terms of network usage and a user name and password field prompting them to enter them to continue. This user name and password can be a common one or can be generated by the receptionist (who has their own mini-admin page for doing them. These passwords can be set up to be automatically de-activated at the end of the day, for example. One important reason why the passwords must be unique for every guest is that, their activity can be logged and usage stats reported based on it.

So, now the guest has entered their user names and passwords and entered the network. The controller at this point of time ensures that the guest is restricted to the separate network and given access only to certain services like http and https. That is what is required by most of the guests, and more services can be added if required. The guest access can be restricted to a certain timing – from 8 AM in the mornings to 8 PM in the evenings – most of the controllers let you do this. A few controllers also let the administrator to limit the bandwidth available for guests, as they should not choke the internet bandwidth which is currently being used by the employees.

In most of the guest access solutions provided by the wireless controller vendors, there would not be any need to re-configure the guest laptops or modify the LDAP/AD settings etc. But this might be added as an additional module requiring a separate server (or a software license upgrade) that has an additional cost to it.

excITingIP.com

In case you have any questions, you could contact us via the contact form or leave a comment below. You could also participate in the discussions in the Forum.

Wireless Multi-Media (WMM):

This is an IEEE standard (Subset of IEEE 802.11e) for QoS – Quality of Service in wireless networks. So, why is it so important, you may ask. It is, because it enables real time applications like voice and video on the wireless network by prioritizing those packets at the client level, Access Point level and Controller level – for both upload and download of wireless packets.

In a wireless network, the latency is high as the access points are a shared medium of connectivity. At any given point of time, only one computer/laptop can connect to the access point but the access point claims to simultaneously connect 15-20 clients (for a decent performance). How is that possible? Simple, it keeps switching between the clients, but fast enough that we feel that all the PC’s are connected simultaneously. So, which clients can associate to it, how long and which channel they associate to, is decided based on a number of factors.

Generally, IEEE 802.11 compliant products implement the DCF – Distributed Coordination Function. So, the clients using DCF would monitor whether someone else is transmitting. If no one is, then it will transmit, otherwise it will wait for a prescribed period and monitor again. While this avoids collision, it is vulnerable when the network load is high. That is, when some one is downloading a huge file, it might slow down the access time for real time applications like voice and video.

So, IEEE decided to implement a standard protocol (WMM) for all the Wi-Fi devices (Helps in multi vendor scenario where the different vendors certify their products for this standards with the Wi-Fi alliance) which would ensure that the real time applications like voice and video are processed before the other non-critical network traffic like mail traffic, etc. The IEEE 802.11e Enhanced Distributed Channel Access (EDCA) uses 802.1d user priority to classify traffic in to four categories:

¤ Voice (With highest priority of 7 or 6)
¤ Video (With next higher priority of 5 or 4)
¤ Best effort (3 or 0, for latency sensitive multimedia applications)
¤ Background (2 or 1 for batch data transfer like email)

These tags are generally set by the applications (like VOIP or Video application) and sent to the access point. When they reach the controller, the controller can either allow the respective tags to remain as such and process according to the priority, or change the tags (for applications which are non-critical but still want to be processed with the highest priority). If the data packets are not tagged by the applications, some controllers can identify the application and tag them accordingly.

WMM prioritizes both uplink and downlink traffic (If all the devices in the chain are WMM certified). There are also some proprietary protocols and methodologies to implement priority, but in a multi-vendor network, it is advisable to go according to the standard. Though it may seem quite normal, the WMM based priority queuing is very critical to enable real time applications in the wireless network. Some wireless controllers also help restrict the maximum bandwidth utilized per client/ group of clients so that the wireless network can perform optimally, especially for real time applications. WMM-SA (WMM – Sch

Wireless Multi-Media Scheduled Access (WMM-SA):

There is one more method of allocating the airtime connectivity to stations called the PCF (Point Coordination Function). In this, the controller/AP gives access to all the stations for equal durations. While this ensures equal sharing, it fails to address the priority queuing which is required for real time applications.

So, a standard called HCCA (HCF Controlled Channel Access) also called WMM-SA, implements parameterized QOS in such scenarios. Instead of giving equal access to all stations, it polls the stations as to what application and priority level data that it is transmitting. Based on this information obtained from all the stations, the Controller/Access Point decides how much time to give to which station and channel allotment, instead of the stations deciding for themselves. This technique requires the stations to know a lot about the application that it is transmitting, but nevertheless offers more control over real time applications. It is good in handling multiple high density voice queues and video streaming applications also as the data rate/access can be controlled. But this standard has not been adopted on a large scale by the industry, perhaps because of the complexity it introduces.

Since Wi-Fi has become a very popular standard now for network access at the edge level, this article looks to ponder if an all wireless office is a possibility. We will look at what all can be made wireless and what cannot, what are the advantages and dis-advantages of having wireless as a primary network. We will look at the following factors:

First, we will have to discuss to what level a wireless access can be implemented in an organization. Can we totally remove all the cables? No. Wireless, as of today is popular only in the edge network – For the end users to access the network through their laptops, PDA’s, PC’s etc. The backbone network is still wired. You need access points to be placed in ceilings for nearby users to access the wireless network. But these access points need to be connected to the wired LAN, a wired backbone. These LAN connections perhaps go to a distribution switch (which is again wired) and that is in turn connected to a Wireless controller and a Core switch in a data centre which is totally wired. So, in the whole enterprise, only the access layer can become fully wireless. But there are certain mesh networks which allow the access points to connect to each other through wireless – making the distribution layer wireless as well, but they are not very commonly seen.

Wireless (Wi-Fi) network have thus far been a secondary network – an overlay on the primary network which is essentially wired. So, it has been optional in a lot of organizations. Can the wireless network become the primary network at least in the access layer, thereby eliminating a huge part of the cables to your desktop? Let us see…

Cost: Wireless networks have an advantage of reduced cost. Not considering the running cost (which is also reduced), if you look at only the initial set up costs, every desk today has at least three ports – 2 for voice, data and one for redundancy. So, there are not only three cables coming to the desk but there are also three switch ports being allocated per desk. This will result in a large number of edge switches and consequently higher configuration of distribution switches as well. There are also the associated set up costs and passive components cost(racks, patch panels etc.) as well. Contrast this with the wireless network – You may need one access point every 15 to 20 desks. And perhaps one cable going back to a single port of the distribution switch. So, the cost reduction of a wireless network is huge. But there is one factor we need to include – the cost of the controllers and extra functionalities in a wireless network. This could run into considerable amounts, but will still be lesser than what it would take to implement the same functionalities in a wired network.

Redundancy(Edge level): Though one redundant port is provisioned for most of the desks, when there is a failure in cable or switch port, some manual intervention is required for the PC to connect back to the network. Contrast this with the wireless network: Mostly the wireless networks are over-configured and the users establish themselves dynamically to the access point with the maximum power and lower users. And, when an access point goes down, the user automatically re-establishes with another access point in the range. And there are always more than one AP in the range of every user as the access points have a good area of coverage – around 30 meters indoor(They can expand their coverage or contract it based on other access points).

Mobility: There are more mobile users now, than ever and they will keep increasing. These are the users who keep going from one office to another, one building to another, one floor to another etc. And people want to work from the canteen, lawn and what not. The higher management wants their desk to be free of cables, and many people work from multiple cubicles taking their laptops with them. These requirements are already met by the Wi-Fi networks. And port based VLAN’s of the wired network has always been slower to adopt to mobile personnel. Convenience has always been an important factor for adopting wireless networks.

Network Access Control: With wired network, one can group people and apply certain network access controls per group. You can decide who can browse the internet, who cannot, who can access the SAP server, who cannot and other such stuff. Some wireless networks also offer such controls for the wireless users. This was a challenge previously as one port provides access to many users but wireless networks have fast progressed and include such functionalities.

Inaccessible places: In a factory, for example, there have always been some places where it is tedious to get the wires into. There have also been some places like a security cabin where there is only one PC but a fiber cable needs to be run only for that purpose. In these places, the wireless network has always been advantageous and much cheaper.

Security: This is a tricky question. Even though the wireless vendors have integrated a lot of security mechanisms like centralized 802.1x authentication, encryption(WPA2), wireless intrusion/rogue access points detection and prevention, etc. people are very much bothered about their internal wireless signals going to the road. In a wired network, there are only a few points through which an intruder can take unauthorized access, but a wireless network is not so. But wireless security is getting better and safer with every passing day.

Bandwidth: This is another tricky question. I say tricky because, it is obvious that wired network can provide up to 1000 Mbps of bandwidth per system while wireless access points can provide a maximum of 300 Mbps (That too on a shared half duplex basis, IEEE 802.11n). Let us take the normal standard – IEEE 802.11a/g. The access points in this standard can provide up to 54 Mbps (practically around 27 Mbps) that is shared between around 15 systems. So, approximately 2 Mbps per user. The interesting point to note here is, even this bandwidth is enough for most of the applications that run today. Add IEEE802.11n – 300 Mbps per access point and you get much more with wireless networks. Isn’t that enough? All the 1GE ports to the desktop is an overkill. At Least now.

Printers / Fax / Photo copiers: Basically multi-function devices. These devices are commonly used with a cable, and perhaps need one too. But many vendors support Wi-Fi enabled multi function printers too. Users can connect to these printers (Print, scan, copy – three in ones) over the wireless network. But they are not very popular.

Real time applications (Video/Voice): Voice is always a challenge. IP phones just need a cable to the desk. Most of the IP phones come with a two port in-built switch which can be used to connect the PC as well. But to counter this challenge – wireless vendors are advocating Voice over Wireless LAN handsets which are like your cell phones, but work with your IP PBX and Wi-FI network. It is actually a carry-able desk phone. There is another interesting solution being proposed – FMC (Fixed Mobile Convergence) where the dual-mode handsets (Cellular and Wi-Fi) would be used and when the employee is in the company, they would connect to the Wi-Fi/IP PBX network but once outside, they would connect to the cellular network. The switch over could take place automatically. But these approaches are quite expensive(as everyone needs to have a dual mode cell phone, and not all phones are compatible in some cases) and we don’t know how much of this the users would prefer.

Video has always been accepted more readily. The IP Surveillance cameras have long since been wireless (Wi-Fi) enabled and wireless systems incorporate QOS (Quality of Service) parameters for delay sensitive traffic which ensures priority for voice and video packets. Companies are trying out the wireless surveillance system as it could save a lot of cabling expenditure. But it still has a long way to go. Professional video conferencing applications have not supported Wi-Fi connectivity (except for connecting your laptop to make presentation) to the network. So maybe some cables need to come in after all.

Dense deployment: Wireless networks performed poorly in dense deployments such as a class room or a huge conference hall because of radio/channel interference. But today’s wireless networks are handling this issue in a much more controlled way, and doing a good job enabling them.

excITingIP.com

In case you have any specific questions, you could contact us using the contact form or leave a comment below. You could also participate in the discussions in the Forum.