Large scale Wi-Fi WPA deployment

Asked by martineit (France):

Dear Experts,
I would like to get an answer from someone with actual experience on WPA deployment and support on large networks...

Background info:
I'm in the process of deploying WPA on a network which includes approx. 50 APs.
We use this network to provide internet access at meetings we host in different countries, 5 times a year, for approx. 300 users, hence the setting I apply will have to be compatible to different networks, countries and clients.
This network used to be configured with no security and the SSID not broadcast, and it was working fine.
We've decided to change it to SSID broadcast / WPA-PSK because a hidden SSID was not secure enough and it often caused connectivity issues among users (where is the network? How do I create a profile? etc.).
I don't think WPA-Enterprise can be applied to our scenario because our end-users come from different companies and we have no database with user info/passwords.

My question is:
What are the risks (apart from security, which we are not concerned about) of implementing WPA-PSK on a complex network (multiple switches, maybe fiber connected, Cisco firewall, single DHCP/DNS) with 50 APs? What are the limitations?

One more question:
At the last meeting we tried this configuration for the first time and we had several people who could connect fine but were unable to get an IP address. Could WPA cause difficulties for DHCP IP assignment?
I'm adding this info at the end because the problem could also have been caused by the terrible network infrastructure provided by the hotel.

Thanks in advance for your help,
Robert.
yarwell:

"Could WPA cause difficulties for DHCP IP assignment?"

Yes, in my experience. Authentication failure often looks like a failure to get an IP address on Windows clients. Obviously if it can't associate to the AP it cannot get an IP address, but Windows XP for example won't say "unable to associate"; you just get a more generic failure and an obvious lack of an IP address.

There will be some clients that simply won't connect due to interoperability issues. Often WPA / WPA2 mixed mode is used to help with this, but in some clients it does the opposite: they try and fail to connect using WPA2 if both are offered, but will succeed with WPA if it is the only choice.

Jakob Digranes:

The only problem with WPA-PSK, used instead of something like 802.1X, is the processing power it takes to encrypt and decrypt the keys every time.
Other than that - not many.
You have Cisco, you said? Then the back-end infrastructure is no part of your connectivity problem, as Cisco APs, whether stand-alone or controller-managed, decrypt the sessions on the APs themselves. Though speed and other concerns might kick in.

You say you have 50 APs? Over how large an area? What band do you run (802.11b/g or 802.11a)? You easily run into channel interference with 50 APs.

When looking for the DHCP error, try checking whether all users are on the same AP or the same VLAN. WEP errors give no DHCP address, but a wrong WPA-PSK normally disconnects you from the AP, as opposed to WEP, where users are connected but not authenticated.

What you could look into, when supporting large networks with mixed clients outside your management: an open network, but authenticate users via a captive portal, a web page where users need to enter a username/password to gain access to the internet.
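Both replies above make the same diagnostic point: a wrong PSK fails the 4-way handshake, and the client reports it as "no IP address", which is indistinguishable at the user's desk from a real DHCP problem. The following added example (not code from the thread or from any vendor) correlates AP handshake lines with DHCP server lines per client MAC to separate the two cases; the log line format and the sample lines are constructed, simplified assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: AP handshake and DHCP-server lines in an assumed, simplified format.
SAMPLE_LOG = """\
wlan0: STA aa:bb:cc:00:00:01 IEEE 802.11: associated
wlan0: STA aa:bb:cc:00:00:01 WPA: pairwise key handshake completed (RSN)
DHCPDISCOVER from aa:bb:cc:00:00:01 via eth0
DHCPOFFER on 10.0.0.21 to aa:bb:cc:00:00:01 via eth0
wlan0: STA aa:bb:cc:00:00:02 IEEE 802.11: associated
wlan0: STA aa:bb:cc:00:00:02 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
wlan0: STA aa:bb:cc:00:00:02 IEEE 802.11: deauthenticated
wlan0: STA aa:bb:cc:00:00:03 IEEE 802.11: associated
wlan0: STA aa:bb:cc:00:00:03 WPA: pairwise key handshake completed (RSN)
DHCPDISCOVER from aa:bb:cc:00:00:03 via eth0
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
EVENTS = {
    "assoc":    re.compile(r"STA " + MAC + r" IEEE 802\.11: associated"),
    "complete": re.compile(r"STA " + MAC + r" WPA: pairwise key handshake completed"),
    "mic_fail": re.compile(r"STA " + MAC + r" WPA: invalid MIC"),
    "discover": re.compile(r"DHCPDISCOVER from " + MAC),
    "offer":    re.compile(r"DHCPOFFER on \S+ to " + MAC),
}

def parse_events(log_text):
    """Collect the set of event names seen for each client MAC address."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        for name, rx in EVENTS.items():
            if (m := rx.search(line)):
                seen[m.group(1).lower()].add(name)
    return dict(seen)

def classify(log_text):
    """Map each client MAC to the most likely reason it did or did not get an address."""
    result = {}
    for mac, ev in parse_events(log_text).items():
        if "mic_fail" in ev:
            result[mac] = "psk_mismatch"          # 4-way handshake rejected: wrong passphrase
        elif "complete" not in ev:
            result[mac] = "handshake_incomplete"  # associated but never finished the key exchange
        elif "offer" in ev:
            result[mac] = "ok"                    # key negotiated and DHCP answered
        elif "discover" in ev:
            result[mac] = "dhcp_no_offer"         # encrypted link up, DHCP server never replied
        else:
            result[mac] = "no_dhcp_request"       # encrypted link up, client never asked
    return result
```

Clients tagged psk_mismatch are a passphrase or client-profile problem; only dhcp_no_offer points at the wired side (VLAN, relay, hotel infrastructure).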
martineit (asker):
Hello,
thanks for all your comments; here are my answers:
@Yarwell: I tried connecting to a WPA wireless network specifying a wrong PSK and I did get an error that looked like a generic DHCP Client error. The question is... How would you configure a wireless network for meetings hosted around the world for users coming from different companies? Which is the configuration you believe would cause less problems?

@Jakob_di: the number of APs varies with the number of meeting rooms we get and the number of attendees. We use 802.11b/g (we disabled n since it's not really used at the moment and we were afraid of possible incompatibilities). We are now trying to spread the APs across multiple channels.
Captive Portal unfortunately is not an option for the moment (we did test it) as its implementation would imply an excessive administrative effort (we would have to create a DB with all usernames and passwords).
For you the same question as for Yarwell: how would you configure a Wi-Fi network knowing that a captive portal and no security are not options?

Thank you guys,

Roberto.
ASKER CERTIFIED SOLUTION
yarwell:
This solution is only available to members.

martineit (asker):
Hello Yarwell,
I admit that Captive Portal is appealing for many different reasons but my customer for the moment doesn't like it because of:
1. Cost
2. One more device/service to administer, transport and configure on the network
3. Possible bottlenecks if we go for a software-based captive portal (e.g. FirstSpot)

I don't follow when you say "but look at how the ICC in Birmingham UK did it and see if that fits the bill".

I want to see if anyone else gives me an answer which allows me to put WPA back on the table... I'm going to leave the question open for 3-4 more days, if I get no answer I'll give you the points.

Thanks,
Robert.
yarwell:

"but look at how the ICC in Birmingham UK did it and see if that fits the bill" - sorry, that was what I was describing earlier in the week, i.e. insecure wireless and a captive portal.

You can use dd-wrt firmware on a low cost router to provide a captive portal facility.
http://www.dd-wrt.com/wiki/index.php/Captive_Portal

I agree it would be nice to have an encrypted network if practical.
SOLUTION
This solution is only available to members.

martineit (asker):
Ok Ok... enough already... I got it :-).
I will push the customer to go for a captive portal solution.
If you could suggest the best captive portal solution (that you know of) for quality/price, it would help me choose.

Thanks,
Roberto.