Large scale Wi-Fi WPA deployment

Dear Experts,
I would like to get an answer from someone with actual experience of WPA deployment and support on large networks...

Background info:
I'm in the process of deploying WPA on a network which includes approx. 50 APs.
We use this network to provide internet access at meetings we host in different countries, 5 times a year, for approx. 300 users, hence the settings I apply will have to be compatible with different networks, countries and clients.
This network used to be configured with no security and the SSID not broadcast, and it was working fine.
We've decided to change it to SSID broadcast / WPA-PSK because the hidden SSID was not secure enough and it often caused connectivity issues among users (where is the network? How do I create a profile? etc.)
I don't think WPA-Enterprise can be applied to our scenario because our end-users come from different companies and we have no database with user info/passwords.

My question is:
What are the risks (apart from security, which we are not concerned about) of implementing WPA-PSK on a complex network (multiple switches, maybe fiber connected, Cisco firewall, single DHCP/DNS) with 50 APs? What are the limitations?

One more question:
At the last meeting we tried this configuration for the first time and we had several people who could connect fine but were unable to get an IP address. Could WPA cause difficulties for DHCP IP assignment?
I'm adding this info at the end because the problem could also have been caused by the terrible network infrastructure provided by the hotel.

Thanks in advance for your help,
"How would you configure a wireless network for meetings hosted around the world for users coming from different companies? Which is the configuration you believe would cause less problems?"

With no wireless encryption. Yes, really. Like many hotels and retail outlets, providing free wifi is good, but put security on the wireless link itself and you're asking for hassle at the front desk.

I've just returned from a big conference centre and the setup there, and one that I would suggest you consider, is a "captive portal" where the wireless is not encrypted but the web browser is pushed to an authentication screen. The authentication details were displayed within the meeting room - user nov10 and password poppy11 in this case - and users just hooked up and authenticated themselves using these via an https browser.

BT Openzone who provide hotspots in the UK take the same approach.

I just read your captive portal statement in the second part, but look at how the ICC in Birmingham UK did it and see if that fits the bill.
"Could WPA cause difficulties for DHCP IP assignment?"

Yes, in my experience. Authentication failure often looks like a failure to get an IP address on Windows clients. Obviously if it can't associate to the AP it cannot get an IP address, but Windows XP, for example, won't say "unable to associate"; you just get a more generic failure and an obvious lack of an IP address.

There will be some clients that simply won't connect due to interoperability issues. Often WPA / WPA2 mixed mode is used to help with this, but in some clients it does the opposite: they try and fail to connect using WPA2 if both are offered, but will succeed with WPA if it is the only choice.
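To tell the two failure modes above apart on a Linux client running wpa_supplicant, the following added example (not from the original thread) classifies the text that `wpa_cli status` prints: a client stuck in the 4-way handshake never reached DHCP, while one in `COMPLETED` state without an address points at DHCP or the VLAN. The sample outputs and addresses are constructed.

```shell
#!/bin/sh
# Added example: decide whether a client that "cannot get an IP address"
# actually failed the WPA handshake, from `wpa_cli status` output.
# Samples below are constructed, not captured from a real network.

# classify STATUS_TEXT -> prints one of:
#   NOT_ASSOCIATED        scanning/authenticating, no link at all
#   HANDSHAKE_INCOMPLETE  associated, but the 4-way handshake never completed
#                         (typical for a wrong PSK; DHCP never had a chance)
#   NO_IP                 handshake done, link up, no address: DHCP/VLAN issue
#   OK                    link up and address assigned
classify() {
    _status="$1"
    _state=$(printf '%s\n' "$_status" | sed -n 's/^wpa_state=//p')
    _ip=$(printf '%s\n' "$_status" | sed -n 's/^ip_address=//p')
    case "$_state" in
        COMPLETED)
            if [ -n "$_ip" ]; then echo OK; else echo NO_IP; fi ;;
        ASSOCIATED|4WAY_HANDSHAKE|GROUP_HANDSHAKE)
            echo HANDSHAKE_INCOMPLETE ;;
        *)
            echo NOT_ASSOCIATED ;;
    esac
}

# Constructed samples (BSSID, SSID and addresses are placeholders).
SAMPLE_WRONG_PSK='bssid=00:11:22:33:44:55
ssid=MeetingWiFi
wpa_state=4WAY_HANDSHAKE
address=aa:bb:cc:dd:ee:ff'

SAMPLE_NO_DHCP='bssid=00:11:22:33:44:55
ssid=MeetingWiFi
wpa_state=COMPLETED
key_mgmt=WPA2-PSK
address=aa:bb:cc:dd:ee:ff'

SAMPLE_OK='bssid=00:11:22:33:44:55
ssid=MeetingWiFi
wpa_state=COMPLETED
ip_address=10.20.30.41
address=aa:bb:cc:dd:ee:ff'

SAMPLE_SCANNING='wpa_state=SCANNING
address=aa:bb:cc:dd:ee:ff'

# Live use on a client: classify "$(wpa_cli -i wlan0 status)"
for s in "$SAMPLE_WRONG_PSK" "$SAMPLE_NO_DHCP" "$SAMPLE_OK" "$SAMPLE_SCANNING"; do
    classify "$s"
done
```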
Jakob Digranes (Senior Consultant) commented:
The only problem with WPA-PSK, used instead of something like 802.1X, is the processing power it takes to encrypt and decrypt the keys every time.
Other than that - not many.
You have Cisco, you said? Then the back-end infrastructure is no part of your connectivity problem, as the Cisco APs, both managed stand-alone or by controller, decrypt the sessions on the APs themselves. Though - speed and other concerns might kick in.

You say you have 50 APs? In how large an area? What band do you run (802.11b/g or 802.11a)? You easily run into channel interference with 50 APs.

When looking for errors with DHCP - try looking into whether all users are on the same AP or same VLAN. WEP errors give no DHCP address, but a wrong WPA-PSK normally disconnects you from the AP, as opposed to WEP where users are connected - but not authenticated.

What you could look into - when supporting large networks with mixed clients out of your management: open network, but authenticate users via a captive portal - a web page where users need to enter a username/password to gain access to the internet.

martineit (Author) commented:
thanks for all your comments, following my answers:
@Yarwell: I tried connecting to a WPA wireless network specifying a wrong PSK and I did get an error that looked like a generic DHCP client error. The question is... How would you configure a wireless network for meetings hosted around the world for users coming from different companies? Which is the configuration you believe would cause fewer problems?

@Jakob_di: the number of APs varies with the number of meeting rooms we get and the number of attendees. We use 802.11b/g (we disabled n since it's not really used at the moment and we were afraid of possible incompatibilities). We are now trying to spread the APs across multiple channels.
Captive Portal unfortunately is not an option for the moment (we did test it) as its implementation would imply an excessive administrative effort (we would have to create a DB with all usernames and passwords).
For you the same question as for Yarwell: How would you configure a Wi-Fi network knowing captive portal and no security are not an option?

Thank you guys,

martineit (Author) commented:
Hello Yarwell,
I admit that captive portal is appealing for many different reasons, but my customer for the moment doesn't like it because of:
1. Cost
2. One more device/service to administer, transport and configure on the network
3. possible bottlenecks if we go for a Software based Captive Portal (e.g.: FirstSpot)

I don't follow when you say:
"but look at how the ICC in Birmingham UK did it and see if that fits the bill"

I want to see if anyone else gives me an answer which allows me to put WPA back on the table... I'm going to leave the question open for 3-4 more days, if I get no answer I'll give you the points.

"but look at how the ICC in Birmingham UK did it and see if that fits the bill" - sorry, that was what I was describing from earlier in the week, i.e. insecure wireless and captive portal.

You can use dd-wrt firmware on a low cost router to provide a captive portal facility.

I agree it would be nice to have an encrypted network if practical.
Jakob Digranes (Senior Consultant) commented:
The captive portal is already integrated into most enterprise solutions, and it's not your worst bottleneck in the network.

Putting encryption to an unencrypted network might pose greater stress to the network than captive portal.

Almost all conferencing scenarios go for the unencrypted captive-portal-based solutions, and yes - you can have just one username and password that all users share, or one for each conference, and so forth.
The challenge with conferences is that you have no control over what clients might show up.
It can be all 802.11a, b/g or 802.11a/b/g/n - it can be Macs, Linux, Windows 2000/XP/Vista and Seven. And Windows XP with SP1 and nothing newer supports only WEP.

My suggestion:
Configure all APs as 802.11a/n using different channels for all APs within range of each other - disable HT 40 MHz channels for 802.11n (as it "steals" channels) and configure some APs as 802.11b/g to support clients that do not have support for 802.11a or n.
No security, and use a captive portal.

The one problem with this, is users that come with corporate laptops that do not support connecting to an unencrypted network ...
martineit (Author) commented:
Ok Ok... enough already... I got it :-).
I will push the customer to go for a Captive Portal solution.
If you could suggest the best captive portal solution (that you know of) for quality/price, it would help me choose.
