wireless access point -- business

Posted on 2014-03-16
Medium Priority
Last Modified: 2014-03-31
Currently the business I work for is all WIRED, but I want to plug some wireless access points into each building, since some buildings are 2,000+ feet away from each other.

Possible Requirements
   1. set up a GUEST network with an individual user/pass for each GUEST
   2. set up a WORKER network with an individual user/pass for each WORKER
   3. possible RIGHTS to LIMIT each wireless user so they don't take up ALL my bandwidth
   4. ONE "website management" interface for the 10+ access points across buildings

What "access points" do you recommend?
Question by:finance_teacher
LVL 17

Accepted Solution

pergr earned 500 total points
ID: 39933543
Since you do not want to manually configure each AP for each guest, you should consider a system with a central controller.

Also, if you use a central controller, then you can "tunnel" all the guest connections to the controller, and give them internet from there, so that you do not need to create a guest VLAN across the campus.

One option is to get a FortiGate firewall, since these can also function as controllers for FortiAP access points. Then you get to configure both firewall and APs in one place.

Since it is a small deployment, any other controller-based system should probably have the controller running as a VM on VMware, in order to keep the costs down. I know Juniper does this - perhaps others too.

Other options are "cloud based" controllers, like the service from ADTRAN.
LVL 66

Assisted Solution

btan earned 1000 total points
ID: 39933628
You are likely segmenting out the various segments within the wireless network for different purposes, and I suppose you have some sort of different SSID associated with those segments. I don't think it is optimal for each segment network to have one user, or one guest or one worker/vendor; tough to scale up. Also needed is one WLAN controller to aggregate and manage all the APs, which should minimally have PEAP/CHAPv2 for user/password; it is more secure with EAP/TLS 1.2...

Wireless controllers can have their own internal user database to check identity, but likely you are looking at an external identity user DB. So RADIUS comes in minimally (or something like Microsoft NPS is needed) for the authentication part, which then helps to assign the necessary segment network/LAN. Most of the time there is a web portal to key in credentials, and from there users are spawned off to the various segments.

Some candidates for quick deployment include
 - Cisco Unified Wireless Guest Access Services, which is self-contained and does not require any external platforms to perform access control, web portal, or AAA services. Also, an external RADIUS server can be used to authenticate guest users in place of creating and storing guest credentials locally. The Cisco wireless FAQ helps to list the various components necessary, including making the router wireless etc., and also other controllers that can be used to support guest access in the unsecured network area.

Other WLC features are described here:

Q. What are the various options available to access the WLC?
    A. This is the list of options available to access the WLC:
        GUI access with HTTP or HTTPS
        CLI access with Telnet, SSH, or console access
        Access through the service port

Q. How are guest users handled by the WLC?
    A. Guest users are third-party network users who need limited access to the network resources and internet connectivity. The WLC provides wireless and wired guest access using the existing wireless network infrastructure. Usually a separate SSID is provided for wireless guest users. Guest users on both the wired and wireless networks are assigned separate VLANs, which provides isolation of guest traffic from the rest of the data traffic. This provides better control over the guest traffic and greater network security. Guest users are usually authenticated through web authentication.

Q. Does the wireless LAN controller (WLC) locally support EAP-PEAP authentication?
    A. Through version 4.1, PEAP is not supported locally on the WLC. You need an external RADIUS server. With WLC version 4.2 and later versions, local EAP supports PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication.

In terms of rate limiting, there is the basic QoS role to limit the bandwidth of guest clients. There are certain Cisco IOS versions that support micro policing, which allows for granular rate limiting in both the upstream and downstream directions.
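As an added illustration of the RADIUS piece this answer leans on (not code from the thread or from any vendor), here is the exchange an AP or controller (the NAS) has with a RADIUS server for a per-user login, and how the server hands back the network segment through RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=VLAN id). The user table, shared secret, VLAN numbers and user names are constructed placeholders. It uses the simple User-Password (PAP-style) hiding of RFC 2865, which is what a captive web portal typically sends; that hiding is only MD5-based obfuscation under the shared secret, which is one reason the answer prefers PEAP or EAP-TLS for the worker SSID. The NAS side also verifies the Response Authenticator, so an Access-Accept that was not produced with the shared secret is rejected rather than trusted.

```python
"""Added example: RADIUS Access-Request / Access-Accept with VLAN assignment
(RFC 2865 packet format and User-Password hiding, RFC 2868 tunnel attributes).
All names, secrets and VLAN numbers below are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Constructed user table: the RADIUS server decides which VLAN (segment) the
# AP/controller places each user on, so guests never land on the worker LAN.
USER_DB = {
    b"guest-alice": {"password": b"g-alice-pw", "vlan": b"30"},  # guest VLAN (constructed)
    b"worker-bob":  {"password": b"b0b-pw!",    "vlan": b"20"},  # worker VLAN (constructed)
}
SHARED_SECRET = b"constructed-shared-secret"  # placeholder NAS/RADIUS secret


def _hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def _reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    """Walk the TLV attribute list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def _response_auth(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(ident, username, password, secret=SHARED_SECRET):
    """What the NAS sends after a user submits credentials at the web portal."""
    request_auth = os.urandom(16)  # fresh per request; seeds the password hiding
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, _hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def radius_server(request, secret=SHARED_SECRET, user_db=USER_DB):
    """Authenticate the user and answer with the VLAN for their role."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(_parse_attrs(request[20:length]))
    entry = user_db.get(attrs.get(ATTR_USER_NAME))
    password = _reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if code != ACCESS_REQUEST or entry is None or not hmac.compare_digest(entry["password"], password):
        reply_code, reply_attrs = ACCESS_REJECT, b""
    else:
        tag = b"\x01"  # RFC 2868 tag byte ties the three tunnel attributes together
        reply_code = ACCESS_ACCEPT
        reply_attrs = (_attr(ATTR_TUNNEL_TYPE, tag + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
                       + _attr(ATTR_TUNNEL_MEDIUM_TYPE, tag + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
                       + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag + entry["vlan"]))
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    return header + _response_auth(reply_code, ident, request_auth, reply_attrs, secret) + reply_attrs


def nas_handle_reply(reply, request_auth, secret=SHARED_SECRET):
    """NAS side: verify the Response Authenticator before honouring the reply,
    then extract the VLAN the user should be bridged onto."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    if not hmac.compare_digest(_response_auth(code, ident, request_auth, attrs, secret), reply[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    vlan = None
    for attr_type, value in _parse_attrs(attrs):
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            vlan = (value[1:] if value[:1] <= b"\x1f" else value).decode()  # drop tag byte if present
    return code, vlan


def authenticate(username, password):
    """One full round trip: returns (reply code, assigned VLAN or None)."""
    request, request_auth = build_access_request(7, username, password)
    return nas_handle_reply(radius_server(request), request_auth)


if __name__ == "__main__":
    print(authenticate(b"guest-alice", b"g-alice-pw"))  # (2, '30'): accept, guest VLAN
    print(authenticate(b"worker-bob", b"b0b-pw!"))      # (2, '20'): accept, worker VLAN
    print(authenticate(b"guest-alice", b"wrong"))       # (3, None): reject
```

In a real deployment the VLAN ids and the user store (local file, LDAP, NPS/AD) are the controller's and RADIUS server's configuration, and the AP applies the returned Tunnel-Private-Group-ID by tagging that client's frames; the point of the example is that segmentation is decided per user at authentication time rather than per SSID.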
LVL 38

Assisted Solution

lherrou earned 500 total points
ID: 39934201

I'd take a look at the products offered by Open-Mesh (http://www.open-mesh.com/) in combination with the free Cloudtrax (https://www.cloudtrax.com) to manage your wireless net.

The Open-Mesh access points are inexpensive, and can be powered locally at each access point or by passive PoE (if you are already using PoE, make sure your injector is compatible with the Open-Mesh products).

Cloudtrax allows you to set up both a public and a private wireless net, both running through the same access points. The private net will be configured with a standard single password for any user; the public one can be configured to require accepting "terms and conditions", or to force users to obtain unique tokens (by purchase or provided by you) to access the network. You can set the total up/down bandwidth for each public user, the duration they may use the net without re-accepting terms and conditions / providing a new token, etc., etc.
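The per-user up/down bandwidth cap this answer describes (and the "micro policing" mentioned earlier in the thread) is usually a token-bucket policer keyed on the client. The following is an added illustration of that mechanism, not Cloudtrax's or Open-Mesh's code; the role policy, rates, burst sizes and the packet trace are all constructed. It shows why a bucket has both a rate and a burst allowance: a guest's page load can burst briefly, then settles to the configured rate, while a worker under a larger policy passes the same trace untouched.

```python
"""Added example (constructed): per-client token-bucket policer of the kind a
controller or hotspot gateway uses to cap each user's up/down bandwidth."""

# Constructed per-role policy: kbit/s in each direction plus the burst allowance in bytes.
POLICY = {
    "guest":  {"up_kbps": 400,  "down_kbps": 800,  "burst_bytes": 20000},
    "worker": {"up_kbps": 4000, "down_kbps": 8000, "burst_bytes": 100000},
}


class TokenBucket:
    """Tokens are bytes, refilled at `rate` bytes per millisecond up to `burst`.
    A packet is forwarded only if the bucket can pay for it in full."""

    def __init__(self, rate_bytes_per_ms, burst_bytes):
        self.rate = rate_bytes_per_ms
        self.burst = burst_bytes
        self.tokens = burst_bytes  # start full, so a new client may burst briefly
        self.last_ms = 0

    def allow(self, now_ms, size):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # a policer drops; a shaper would queue instead


class PerClientPolicer:
    """One bucket per (client, direction), sized from the client's role."""

    def __init__(self, policy):
        self.policy = policy
        self.buckets = {}

    def _bucket(self, client, role, direction):
        key = (client, direction)
        if key not in self.buckets:
            p = self.policy[role]
            kbps = p["up_kbps"] if direction == "up" else p["down_kbps"]
            self.buckets[key] = TokenBucket(kbps / 8, p["burst_bytes"])  # kbit/s -> bytes/ms
        return self.buckets[key]

    def police(self, packets):
        """packets: time-ordered (time_ms, client, role, direction, size_bytes).
        Returns {client: {direction: (forwarded, dropped)}}."""
        stats = {}
        for t, client, role, direction, size in packets:
            ok = self._bucket(client, role, direction).allow(t, size)
            fwd, drp = stats.setdefault(client, {}).get(direction, (0, 0))
            stats[client][direction] = (fwd + 1, drp) if ok else (fwd, drp + 1)
        return stats


def sample_traffic():
    """Constructed trace: a guest and a worker each receive a 20-frame burst at t=0
    and 10 more frames 100 ms later (1500-byte frames), roughly a page load."""
    trace = []
    for client, role in (("guest-1", "guest"), ("worker-1", "worker")):
        trace += [(0, client, role, "down", 1500)] * 20
        trace += [(100, client, role, "down", 1500)] * 10
    return sorted(trace, key=lambda p: p[0])


def run_demo():
    return PerClientPolicer(POLICY).police(sample_traffic())


if __name__ == "__main__":
    # guest-1 down: 13 of 20 pass at t=0 (20000-byte burst), 7 of 10 at t=100 ms -> (20, 10)
    # worker-1 down: everything passes under the larger policy -> (30, 0)
    for client, dirs in run_demo().items():
        for direction, (fwd, drp) in dirs.items():
            print(f"{client:10} {direction}: forwarded={fwd} dropped={drp}")
```

The numbers follow directly from the policy: the guest's 800 kbit/s is 100 bytes per millisecond, so the 20000-byte bucket pays for 13 frames immediately and has refilled 10000 bytes by the second burst. In practice the policer runs in the AP or gateway and is fed the role from the authentication step, which is what ties "individual user/pass" to "limit each wireless user".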

LVL 66

Assisted Solution

btan earned 1000 total points
ID: 39934283
Something I missed out is the use of a Wireless Bridge or Outdoor Access Point/Bridge (some examples), and also the meshed AP network, which consists mainly of Root access points (RAP) and Mesh access points (MAP). Normally all access points are configured and shipped as mesh access points. To use an access point as a root access point, you must reconfigure the mesh access point as a root access point. In all mesh networks, ensure that there is at least one root access point.

The RAPs have wired connections to their controller, and the MAPs have wireless connections to their controller. MAPs communicate among themselves and back to the RAP using wireless connections over the 802.11a radio backhaul. MAPs will have to determine the best path through the other mesh access points to the controller to avoid loops and latency, which is especially critical for long-range networks.
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39934427
For hardware I prefer software-based controllers like UniFi (http://www.ubnt.com/unifi) or Meraki.
