Wireless network setup for a school

Hi There

I have the following scenario:-

School with approx 55 classrooms/offices. I need to setup wireless connectivity throughout the school. The school has 3 floors and the futhest distance from the server room will be approx 100metres.

I have been doing some research on using a radius server which seems to be the best way to go.

1. What would I need in terms of hardware and software to set this up?
2. Do i need to put an access point in each classroom?

Please advise on best possible solution.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jakob DigranesSenior ConsultantCommented:
You should definitely go for Radius and 802.1X authentication.
But will the school provide PCs for the students, and will PCs be domain joined? Or will they only have username and password in domain and bring their own equipment?
That will limit if you should use EAP-TLS or PEAP-MsChapV2 as authentication, the first is with certificates, and the second one is with Domain Username and Password.
YOu can also choose wether you want to authenticate computers AND users, or only one of them. All these settings is done on Radius server (WIn2008R2 or 2012 server i hope??), and settings on client device.

For the wireless, go for a controller-based solution, where all access point is managed and monitored centrally.
Hardware Setup:
Buy swithces with PoE - i use either Cisco Catlyst 2960 or HP ProCurve 2520 -- remember to buy a swicth with Gbps ports for the wireless (!)
I'd recommend Aruba Networks hardware, controllerbased and with 802.11n access points. If your budget is limited you can buy Instant Access Points, where the first AP will become a master for the rest and settings done on AP1 will replicate to all other APs.
With the controllerbased you will get a full stateful firewall, application visibility, roles and role derivation, bandwidth limitiation, user visibility and advanced radio and spectrum monitoring and management.

When it comes to the amount of APs:
- Coverage in terms of range (getting a radio signal to cover a certain area) is no longer the issue.
- You need to plan for users, and remeber - a user most likely have more than one device. Many wireless networks where deployed based on employees or students - but for one device each. Now users have PC, SmartPhones and tablets that need access aswell.
- plan for around 25 - 30 users per AP ---
TimotiStDatacenter TechnicianCommented:
The number of access point depends on user/client numbers (as @jakob_di says, expect 2+ devices/human being), coverage depends on the physical attributes of the buildings.
Do some coverage testing with some old AP, just to get a feel for the building.

- I can cover 3-4 classrooms with one AP in our new building, where walls are drywall.
- I can only cover one classroom with one AP in our old buildings, where we have 1m thick solid stone walls...

For a controller based solution, the more APs you have, the better. You can't really have too many, the controller will manage channels and power levels dynamically.

A cheap controller-based solution is the Ubiquiti Unify system: the controller runs on a PC/server, the APs do layer2 bridging without much layer2 security. POE is not standard, which is a pain, and the system sometimes has issues. But, it's cheap.
If you can afford an Aruba, definitely go with that.
Not much personal experience with other wifi vendors, like Ruckus, HP, Juniper or Cisco. I did hear something about Ruckus giving very nice prices for schools, though.

ltradingAuthor Commented:
Thanks for the feedback.

1. some pc's will be on the domain and some won't.
2. Will a 2008 r2 Server surfice as a RADIUS Server or do I need a seperate pc loaded with Radius software?
3. Thanks, I will look at the Aruba Solution. Will I still need a radius server if I go controller based?
4. classrooms have thick walls so it will probbaly be 1 AP per classroom.
5. I will look into Ruckus as well.

Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

TimotiStDatacenter TechnicianCommented:
1. No problem, you can define multiple networks and SSIDs. Define one with good security for the domain members, others for logged in users, and another for guests.
2. As long as you can install IAS on it, it should be okay. Some versions (like SBS) may not be able to run IAS; also not sure about licensing.
3. The Aruba can do authentication on an internal username-password database, but it's fairly basic. If you want advanced stuff, you'll need a Radius server.
Jakob DigranesSenior ConsultantCommented:
1. for domain joined computers, use machine authentication with user re-authentication, for non-domain joined - user user authentication. All should use PEAP-MsChapV2 - which is unbreakable
2. Radius server, NPS in 2008 - is best practice to collocate with DC - i.e on same server :-)
3. Yes
4. if you budget allows is - buy an Aruba IAP105 - which is a AP105 from Aruba that can run without a controller. Move this from room to room to see what coverage you'll get. BUT - remember to plan for at least 2 devices per user - and try to get a max of 30-40 users on an AP (PEAK numbers of course)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TimotiStDatacenter TechnicianCommented:
"unbreakable": there is no such animal. :)
Jakob DigranesSenior ConsultantCommented:
with todays available technology - there is no way to crack either encrypted PEAP tunnel or the dynamic WPA keys assigned to each user --- so if you go wireless - use PEAP-MsChapV2 or EAP-TLS with WPA2-AES keys
no way anyone today will break that.
apart from the social engineering/stealing password part
TimotiStDatacenter TechnicianCommented:
Jakob DigranesSenior ConsultantCommented:
that's why put the ms-chap-v2 inside an encrypted PEAP tunnel ;-)
TimotiStDatacenter TechnicianCommented:
Okay, that makes sense.
Back to OP's problem, I don't think the schoolkids will hack any kind of serious EAP/PEAP.
ltradingAuthor Commented:
I have been in contact with Aruba Network suppliers in my country and we are working on a suitable solution.

Thanks for pointing me in the right direction.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.