Solved

Large scale Wi-Fi WPA deployment

Posted on 2010-11-21
709 Views
Last Modified: 2012-05-10
Dear Experts,
I would like to get an answer from someone with actual experience on WPA deployment and support on large networks...

Background info:
I'm in the process of deploying WPA on a network which includes approx. 50 APs.
We use this network to provide internet access at meetings we host in different countries, 5 times a year, for approx. 300 users, hence the settings I apply will have to be compatible with different networks, countries and clients.
This network used to be configured with no-security and SSID not broadcasted and was working fine.
We've decided to change it to SSID Broadcasted / WPA-PSK because a hidden SSID was not secure enough and it often caused connectivity issues among users (where is the network? How do I create a profile? etc.)
I don't think WPA-Enterprise can be applied to our scenario because our end-users come from different companies and we have no database with user info/passwords.

My question is:
What are the risks (apart from security, which we are not concerned about) of implementing WPA-PSK on a complex network (multiple switches, maybe fiber connected, Cisco Firewall, single DHCP/DNS) with 50 APs? What are the limitations?

One more question:
At the last meeting we tried this configuration for the first time and we had several people who could connect fine but were unable to get an IP address. Could WPA cause difficulties for DHCP IP assignment?
I'm adding this info at the end because the problem could also have been caused by the terrible network infrastructure provided by the hotel.

Thanks in advance for your help,
Robert.
Question by: martineit

8 Comments
LVL 11

Expert Comment

by:yarwell
ID: 34184063
"Could WPA cause difficulties for DHCP IP assignment?"

Yes, in my experience. Authentication failure often looks like a failure to get an IP address on Windows clients. Obviously if it can't associate to the AP it cannot get an IP address, but Windows XP for example won't say "unable to associate"; you just get a more generic failure and an obvious lack of an IP address.

There will be some clients that simply won't connect due to interoperability issues. Often WPA / WPA2 mixed mode is used to help with this, but in some clients it does the opposite: they try and fail to connect using WPA2 if both are offered, but will succeed with WPA if it is the only choice.
0
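The point above, that a wrong pre-shared key surfaces on the client as a generic "no IP address" symptom, is worth turning into a triage rule for the help desk. The following is an added example, not code from the thread or from any vendor: it reads a constructed per-client event log (the line format is invented for this example and only loosely resembles wpa_supplicant's event lines) and separates "never associated", "4-way handshake failed" (wrong PSK) and "associated and keyed but no DHCP OFFER" (a wired-side DHCP/VLAN problem), which are three different fixes that all look like a DHCP failure to the user.

```python
"""Triage of Wi-Fi client connection failures (added example, not from the thread).

Assumptions: the log lines below are constructed for this example; the event
names (ASSOCIATED, 4WAY-HANDSHAKE OK/FAILED, DHCP DISCOVER/OFFER/ACK) are a
hypothetical format, not a real tool's output.
"""
import re
from dataclasses import dataclass

# "<hh:mm:ss> <client-id> <event text>"
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<client>\S+) (?P<event>.+)$")

# Constructed sample: three clients on a WPA-PSK network, three different outcomes.
SAMPLE_LOG = """\
09:00:01 client-A ASSOCIATED bssid=00:11:22:33:44:01
09:00:02 client-A 4WAY-HANDSHAKE OK
09:00:03 client-A DHCP DISCOVER
09:00:03 client-A DHCP OFFER 10.10.0.57
09:00:04 client-A DHCP ACK 10.10.0.57
09:00:05 client-B ASSOCIATED bssid=00:11:22:33:44:01
09:00:06 client-B 4WAY-HANDSHAKE FAILED
09:00:06 client-B DISASSOCIATED reason=15
09:00:08 client-B ASSOCIATED bssid=00:11:22:33:44:01
09:00:09 client-B 4WAY-HANDSHAKE FAILED
09:00:09 client-B DISASSOCIATED reason=15
09:00:10 client-C ASSOCIATED bssid=00:11:22:33:44:02
09:00:11 client-C 4WAY-HANDSHAKE OK
09:00:12 client-C DHCP DISCOVER
09:00:16 client-C DHCP DISCOVER
09:00:24 client-C DHCP DISCOVER
""".splitlines()


@dataclass
class ClientState:
    associated: bool = False      # currently associated to an AP
    handshake_ok: bool = False    # WPA 4-way handshake completed at least once
    handshake_failures: int = 0   # failed handshakes (wrong PSK, mismatched cipher)
    dhcp_discover: int = 0        # DISCOVERs sent after the link came up
    dhcp_offer: bool = False
    dhcp_ack: bool = False


def parse_events(lines):
    """Fold the event lines into one ClientState per client."""
    states = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        st = states.setdefault(m["client"], ClientState())
        ev = m["event"]
        if ev.startswith("ASSOCIATED"):
            st.associated = True
        elif ev.startswith("DISASSOCIATED"):
            st.associated = False
        elif ev.startswith("4WAY-HANDSHAKE OK"):
            st.handshake_ok = True
        elif ev.startswith("4WAY-HANDSHAKE FAILED"):
            st.handshake_failures += 1
        elif ev.startswith("DHCP DISCOVER"):
            st.dhcp_discover += 1
        elif ev.startswith("DHCP OFFER"):
            st.dhcp_offer = True
        elif ev.startswith("DHCP ACK"):
            st.dhcp_ack = True
    return states


# Short code -> what the help desk should actually check.
HINTS = {
    "NO_ASSOCIATION": "never associated: SSID profile, band or channel support on the client",
    "WRONG_PSK": "4-way handshake failed: wrong pre-shared key (client shows it as 'no IP address')",
    "NO_DHCP_OFFER": "keyed and associated but no OFFER: DHCP scope, VLAN or uplink on the wired side",
    "OK": "address assigned",
    "UNKNOWN": "not enough events to decide",
}


def diagnose(st):
    """Map a client's state to one of the HINTS codes, in order of precedence."""
    if st.handshake_failures and not st.handshake_ok:
        return "WRONG_PSK"
    if not st.associated and not st.handshake_ok:
        return "NO_ASSOCIATION"
    if st.dhcp_ack:
        return "OK"
    if st.handshake_ok and st.dhcp_discover and not st.dhcp_offer:
        return "NO_DHCP_OFFER"
    return "UNKNOWN"


def triage(lines):
    """Return {client: code} for every client seen in the log."""
    return {client: diagnose(st) for client, st in parse_events(lines).items()}


if __name__ == "__main__":
    for client, code in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: {code} - {HINTS[code]}")
```

Run it against a real export by replacing SAMPLE_LOG with the AP or controller's client event log; the decision order matters, since a client that fails the handshake also never gets past association and must be reported as a PSK problem, not a radio problem.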
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 34184260
The only problem with WPA-PSK used instead of, say, 802.1X is the processing power it takes to encrypt and decrypt the keys every time.
Other than that, not many.
You have Cisco, you said? Then the back-end infrastructure is no part of your connectivity problem, as the Cisco APs, whether managed stand-alone or by controller, decrypt the sessions on the APs themselves. Though speed and other concerns might kick in.

You say you have 50 APs? In how large an area? What band do you run (802.11b/g or 802.11a)? You easily run into channel interference with 50 APs.

When looking for errors with DHCP, try looking into whether all users are on the same AP or the same VLAN. WEP errors give no DHCP address, but a wrong WPA-PSK normally disconnects you from the AP, as opposed to WEP, where users are connected but not authenticated.

What you could look into when supporting large networks with mixed clients outside your management: an open network, but authenticate users via a captive portal, a web page where users need to enter a username/password to gain access to the internet.
0
 
LVL 1

Author Comment

by:martineit
ID: 34194772
Hello,
thanks for all your comments; my answers follow:
@Yarwell: I tried connecting to a WPA wireless network specifying a wrong PSK and I did get an error that looked like a generic DHCP client error. The question is... How would you configure a wireless network for meetings hosted around the world for users coming from different companies? Which configuration do you believe would cause fewer problems?

@Jakob_di: the number of APs varies with the number of meeting rooms we get and the number of attendees. We use 802.11b/g (we disabled n since it's not really used at the moment and we were afraid of possible incompatibilities). We are now trying to spread the APs across multiple channels.
Captive Portal unfortunately is not an option for the moment (we did test it) as its implementation would imply an excessive administrative effort (we would have to create a DB with all usernames and passwords).
For you the same question as for Yarwell: How would you configure a Wi-Fi network knowing that Captive Portal and no security are not an option?

Thank you guys,

Roberto.
0
 
LVL 11

Accepted Solution

by: yarwell (earned 250 total points)
ID: 34204734
"How would you configure a wireless network for meetings hosted around the world for users coming from different companies? Which is the configuration you believe would cause less problems?"

With no wireless encryption. Yes, really. Like many hotels and retail outlets, providing free wifi is good, but put security on the wireless link itself and you're asking for hassle at the front desk.

I've just returned from a big conference centre and the setup there, and one that I would suggest you consider, is a "captive portal" where the wireless is not encrypted but the web browser is pushed to an authentication screen. The authentication details were displayed within the meeting room - user nov10 and password poppy11 in this case - and users just hooked up and authenticated themselves using these via an https browser.

BT Openzone who provide hotspots in the UK take the same approach.

I just read your captive portal statement in the second part, but look at how the ICC in Birmingham UK did it and see if that fits the bill.
0
 
LVL 1

Author Comment

by:martineit
ID: 34205205
Hello Yarwell,
I admit that Captive Portal is appealing for many different reasons, but my customer for the moment doesn't like it because of:
1. Cost
2. One more device/service to administer, transport and configure on the network
3. Possible bottlenecks if we go for a software-based Captive Portal (e.g. FirstSpot)

I don't follow when you say "but look at how the ICC in Birmingham UK did it and see if that fits the bill".

I want to see if anyone else gives me an answer which allows me to put WPA back on the table... I'm going to leave the question open for 3-4 more days, if I get no answer I'll give you the points.

Thanks,
Robert.
0
 
LVL 11

Expert Comment

by:yarwell
ID: 34205655
"but look at how the ICC in Birmingham UK did it and see if that fits the bill" - sorry, that was what I was describing from earlier in the week, i.e. insecure wireless and a captive portal.

You can use dd-wrt firmware on a low cost router to provide a captive portal facility.
http://www.dd-wrt.com/wiki/index.php/Captive_Portal

I agree it would be nice to have an encrypted network if practical.
0
 
LVL 20

Assisted Solution

by: Jakob Digranes (earned 250 total points)
ID: 34211694
The captive portal is already integrated into most enterprise solutions, and it's not your worst bottleneck in the network.

Putting encryption to an unencrypted network might pose greater stress to the network than captive portal.

Almost all conferencing scenarios go for the unencrypted, captive-portal-based solutions, and yes, you can have only one username and password that all users use, or one for each conference, and so forth.
The challenge with conferences is that you have no control over what clients might show up.
It can be all 802.11a, b/g or 802.11a/b/g/n; it can be Macs, Linux, Windows 2000/XP/Vista and Seven. And Windows XP with SP1 and no more supports only WEP.

My suggestion:
configure all APs as 802.11a/n using different channels for all APs within range of each other; disable HT-40 MHz channels for 802.11n (as it "steals" channels) and configure some APs as 802.11b/g to support clients that do not have support for 802.11a or n;
no security and use a captive portal.

The one problem with this, is users that come with corporate laptops that do not support connecting to an unencrypted network ...
0
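Both the original question (one WPA-PSK configuration pushed to roughly 50 APs) and the channel-planning advice in the answer above are the kind of thing that is cheap to check before the APs are shipped to the venue. The following is an added example, not code from the thread or from any AP vendor: it validates a constructed AP inventory against the rules stated here (one SSID and one passphrase everywhere, SSID broadcast on, a WPA passphrase of 8 to 63 printable ASCII characters, HT40 off on 802.11n radios, 2.4 GHz APs within earshot on non-overlapping channels 1/6/11, 5 GHz neighbours not sharing a channel). The AP list, the passphrase and the "neighbours" relation (which APs can hear each other, normally taken from a site survey) are all invented for the example.

```python
"""Pre-flight checks for a multi-AP conference Wi-Fi plan (added example, not from the thread).

Assumptions: AccessPoint, validate_plan and the sample inventory are hypothetical;
the neighbour relation stands in for site-survey data.
"""
from dataclasses import dataclass
from typing import Optional

NON_OVERLAPPING_24GHZ = {1, 6, 11}


@dataclass(frozen=True)
class AccessPoint:
    name: str
    band: str            # "2.4" or "5"
    channel: int
    ht40: bool           # 40 MHz channel bonding on an 802.11n radio
    ssid: str
    broadcast_ssid: bool
    security: str        # "open", "wpa-psk", "wpa2-psk" or "wpa/wpa2-psk"
    psk: Optional[str] = None


def psk_is_valid(psk):
    """WPA passphrase rule: 8 to 63 characters, all printable ASCII."""
    return psk is not None and 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def channels_overlap_24ghz(a, b):
    """2.4 GHz channels are 5 MHz apart and about 20 MHz wide: fewer than 5 apart overlap."""
    return abs(a - b) < 5


def validate_plan(aps, neighbours):
    """Return a list of (where, finding) tuples; an empty list means the plan passes.

    neighbours: set of frozenset({name_a, name_b}) pairs whose radios can hear each other.
    """
    by_name = {ap.name: ap for ap in aps}
    findings = []
    # Roaming only works if every AP advertises the same SSID with the same security.
    if len({ap.ssid for ap in aps}) > 1:
        findings.append(("plan", "SSID_MISMATCH"))
    if len({(ap.security, ap.psk) for ap in aps}) > 1:
        findings.append(("plan", "SECURITY_MISMATCH"))
    for ap in aps:
        if not ap.broadcast_ssid:
            findings.append((ap.name, "HIDDEN_SSID"))
        if ap.security != "open" and not psk_is_valid(ap.psk):
            findings.append((ap.name, "INVALID_PSK"))
        if ap.ht40:
            findings.append((ap.name, "HT40_ENABLED"))
        if ap.band == "2.4" and ap.channel not in NON_OVERLAPPING_24GHZ:
            findings.append((ap.name, "CHANNEL_NOT_1_6_11"))
    # Pairwise checks only matter for radios that are actually in range of each other.
    for pair in neighbours:
        a, b = (by_name[n] for n in sorted(pair))
        if a.band != b.band:
            continue
        if a.band == "2.4" and channels_overlap_24ghz(a.channel, b.channel):
            findings.append((f"{a.name}+{b.name}", "ADJACENT_CHANNEL_OVERLAP"))
        elif a.band == "5" and a.channel == b.channel:
            findings.append((f"{a.name}+{b.name}", "CO_CHANNEL"))
    return findings


# Constructed inventory: six APs, deliberately containing the mistakes the thread warns about.
PSK = "example-passphrase-2010"   # placeholder, not a real credential
SAMPLE_APS = [
    AccessPoint("ap01", "2.4", 1, False, "MeetingNet", True, "wpa2-psk", PSK),
    AccessPoint("ap02", "2.4", 6, False, "MeetingNet", True, "wpa2-psk", PSK),
    AccessPoint("ap03", "2.4", 9, True, "MeetingNet", True, "wpa2-psk", PSK),   # HT40 on, channel 9
    AccessPoint("ap04", "5", 36, False, "MeetingNet", True, "wpa2-psk", PSK),
    AccessPoint("ap05", "5", 36, False, "MeetingNet", True, "wpa2-psk", PSK),   # same channel as ap04
    AccessPoint("ap06", "5", 44, False, "MeetingNet", False, "wpa2-psk", "short"),  # hidden, bad PSK
]
SAMPLE_NEIGHBOURS = {
    frozenset({"ap01", "ap02"}), frozenset({"ap02", "ap03"}),
    frozenset({"ap04", "ap05"}), frozenset({"ap04", "ap06"}),
}

if __name__ == "__main__":
    for where, finding in sorted(validate_plan(SAMPLE_APS, SAMPLE_NEIGHBOURS)):
        print(f"{where}: {finding}")
```

The same checks apply unchanged to an open network behind a captive portal: drop the PSK rules and the channel and SSID findings still catch the configuration mistakes that show up at the front desk as "cannot connect".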
 
LVL 1

Author Closing Comment

by:martineit
ID: 34211728
OK, OK... enough already... I got it :-).
I will push the customer to go for a Captive Portal solution.
If you could suggest the best Captive Portal solution (that you know of) for quality/price, it would help me choose.

Thanks,
Roberto.
0