Solved

Wireless network setup for a school

Posted on 2013-01-25
Last Modified: 2013-02-06
Hi There

I have the following scenario:

School with approx. 55 classrooms/offices. I need to set up wireless connectivity throughout the school. The school has 3 floors and the furthest distance from the server room will be approx. 100 metres.

I have been doing some research on using a RADIUS server, which seems to be the best way to go.

1. What would I need in terms of hardware and software to set this up?
2. Do I need to put an access point in each classroom?


Please advise on best possible solution.

Thanks
Question by:ltrading
11 Comments
 
Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 250 total points
You should definitely go for RADIUS and 802.1X authentication.
But will the school provide PCs for the students, and will the PCs be domain joined? Or will they only have a username and password in the domain and bring their own equipment?
That will limit whether you should use EAP-TLS or PEAP-MSCHAPv2 as authentication; the first is with certificates, and the second is with domain username and password.
You can also choose whether you want to authenticate computers AND users, or only one of them. All these settings are done on the RADIUS server (Win2008R2 or 2012 server, I hope?) and in the settings on the client device.

For the wireless, go for a controller-based solution, where all access points are managed and monitored centrally.
Hardware setup:
Buy switches with PoE - I use either Cisco Catalyst 2960 or HP ProCurve 2520 - and remember to buy a switch with Gbps ports for the wireless (!)
I'd recommend Aruba Networks hardware, controller-based and with 802.11n access points. If your budget is limited you can buy Instant Access Points, where the first AP will become a master for the rest and settings done on AP1 will replicate to all other APs.
With the controller-based solution you will get a full stateful firewall, application visibility, roles and role derivation, bandwidth limitation, user visibility and advanced radio and spectrum monitoring and management.

When it comes to the number of APs:
- Coverage in terms of range (getting a radio signal to cover a certain area) is no longer the issue.
- You need to plan for users, and remember - a user most likely has more than one device. Many wireless networks were deployed based on employees or students - but for one device each. Now users have PCs, smartphones and tablets that need access as well.
- Plan for around 25 - 30 users per AP

Assisted Solution

by:TimotiSt
TimotiSt earned 250 total points
The number of access points depends on user/client numbers (as @jakob_di says, expect 2+ devices/human being); coverage depends on the physical attributes of the buildings.
Do some coverage testing with some old AP, just to get a feel for the building.

Example:
- I can cover 3-4 classrooms with one AP in our new building, where walls are drywall.
- I can only cover one classroom with one AP in our old buildings, where we have 1m thick solid stone walls...

For a controller based solution, the more APs you have, the better. You can't really have too many, the controller will manage channels and power levels dynamically.

A cheap controller-based solution is the Ubiquiti UniFi system: the controller runs on a PC/server, the APs do layer2 bridging without much layer2 security. PoE is not standard, which is a pain, and the system sometimes has issues. But, it's cheap.
If you can afford an Aruba, definitely go with that.
Not much personal experience with other wifi vendors, like Ruckus, HP, Juniper or Cisco. I did hear something about Ruckus giving very nice prices for schools, though.

Tamas

Author Comment

by:ltrading
Thanks for the feedback.

1. Some PCs will be on the domain and some won't.
2. Will a 2008 R2 server suffice as a RADIUS server, or do I need a separate PC loaded with RADIUS software?
3. Thanks, I will look at the Aruba solution. Will I still need a RADIUS server if I go controller based?
4. Classrooms have thick walls so it will probably be 1 AP per classroom.
5. I will look into Ruckus as well.

Thanks

Assisted Solution

by:TimotiSt
TimotiSt earned 250 total points
1. No problem, you can define multiple networks and SSIDs. Define one with good security for the domain members, others for logged in users, and another for guests.
2. As long as you can install IAS on it, it should be okay. Some versions (like SBS) may not be able to run IAS; also not sure about licensing.
3. The Aruba can do authentication on an internal username-password database, but it's fairly basic. If you want advanced stuff, you'll need a Radius server.

Accepted Solution

by:
Jakob Digranes earned 250 total points
1. For domain-joined computers, use machine authentication with user re-authentication; for non-domain-joined, use user authentication. All should use PEAP-MSCHAPv2 - which is unbreakable
2. RADIUS server, NPS in 2008 - it is best practice to co-locate it with the DC - i.e. on the same server :-)
3. Yes
4. If your budget allows it, buy an Aruba IAP105 - which is an AP105 from Aruba that can run without a controller. Move this from room to room to see what coverage you'll get. BUT - remember to plan for at least 2 devices per user - and try to get a max of 30-40 users on an AP (PEAK numbers of course)

Expert Comment

by:TimotiSt
"unbreakable": there is no such animal. :)

Expert Comment

by:Jakob Digranes
With today's available technology, there is no way to crack either the encrypted PEAP tunnel or the dynamic WPA keys assigned to each user - so if you go wireless, use PEAP-MSCHAPv2 or EAP-TLS with WPA2-AES keys.
No way anyone today will break that.
Apart from the social engineering/stealing password part.

Expert Comment

by:TimotiSt

Expert Comment

by:Jakob Digranes
That's why you put the MS-CHAPv2 inside an encrypted PEAP tunnel ;-)

Expert Comment

by:TimotiSt
Okay, that makes sense.
Back to OP's problem, I don't think the schoolkids will hack any kind of serious EAP/PEAP.
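
The PEAP tunnel discussed in the comments above protects the inner MS-CHAPv2 exchange only when the client verifies the RADIUS server's certificate, which is one of the client-side settings mentioned earlier in the thread. As an added example (not part of the original thread), this Python sketch audits a supplicant configuration for 802.1X networks that skip that check; the wpa_supplicant file format, the SSIDs, the server name and the certificate path are assumptions chosen for illustration.

```python
import re

# Constructed sample in wpa_supplicant syntax; SSIDs, names and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="School-Staff"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="School-Students"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/school-radius-ca.pem"
    domain_suffix_match="radius.school.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="School-Guest"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
'''

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """List (ssid, finding) for 802.1X networks that skip RADIUS server validation."""
    findings = []
    for net in parse_networks(text):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks have no EAP server certificate to check
        ssid = net.get("ssid", "?")
        if not net.get("ca_cert") and not net.get("ca_path"):
            findings.append((ssid, "no ca_cert: server certificate is not verified"))
        elif not any(net.get(k) for k in ("domain_suffix_match", "domain_match",
                                          "subject_match", "altsubject_match")):
            findings.append((ssid, "CA set but server name is not pinned"))
    return findings

print(audit(SAMPLE_CONF))
```

On domain-joined Windows clients the equivalent setting is the server certificate validation option in the wireless profile, which can be pushed by Group Policy rather than audited per device.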

Author Comment

by:ltrading
I have been in contact with Aruba Network suppliers in my country and we are working on a suitable solution.

Thanks for pointing me in the right direction.