
Implementing a WIFI network


ixy


Hello all,

About to implement a wireless network at work but never done it before. I've read and re-read a lot of tutorials and papers etc on the best way to do it and I've come up with the following.

I create WAPs at various points around the offices (using 802.11 a, b or g (not sure what yet)). Set up a network access server running RADIUS which will interface with a server running AAA. Employ WEP/WPA and TKIP for encryption. I know this seems a bit clumsy, apologies, I'm in a hurry :D but do the basic elements make sense?? Can anyone recommend a better way to do this?? I basically want to give my users access to the internet to download POP mail if required but also allow authenticated users access to shares and printers on the LAN.

Many thanks for any input!

Edited by ixy


Sounds like a decent basic plan, but here are a few other common sense items you may want to add if you haven't already:

  • Get an actual site survey to determine the optimum AP placement and make sure they provide you a good diagram of signal strength for those points.
  • Disable SSID broadcast
  • Use a unique SSID and not something that's easily identifiable as related to your company
  • Use anything but channel 6; since it's the default, it's quite noisy
  • Use anything but WEP. WPA2-AES or WPA-TKIP is much better. If you need to use WEP, plan on changing the key every few days
  • Use MAC address filtering if the administrative overhead is acceptable
  • Restrict DHCP scope to match the number of users as closely as possible


Many thanks for the pointers mordac85! Regarding the DHCP scope, I guess that might need to be dynamic as the business need changes (which it does frequently :) ) Would you recommend using a win2003 server to run DHCP or would it make more sense to allow whatever router I employ to dish out the IPs??? Like I said, I'm pretty new to networking so apologies if these are dumb quzzies :DD Thanks again mate! Also, can I change my default flag to a Scottish one???? :DD not so important @D


The DHCP depends on what you're comfortable with, and whether you can absorb the admin overhead to configure a static IP for each wireless user (most secure) if you don't use dynamic assignments. But if you're using a RADIUS server, I'll assume you already have some kind of DHCP server so I'd just stick with that and make a new scope for wireless there. As for DHCP servers, I prefer dhcpd on Linux since it's easier to configure and I can manage it all from scripts. At work I have to deal with Windows, but at least they have the MMC snap-in to make it just as easy to manage, just thru a GUI.

If you have the wireless node that can act as a router as well as an AP, then if you use your existing DHCP server just use it as an AP. You cut down on the points of failure and make troubleshooting much easier, but you have more work on the configuration end to get it up and running (like changing the router to handle the new subnet).

As for the flag, I didn't see an option for Scotland. But maybe if you PM a mod, they can tell you if it's possible to add it.

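The earlier tip to keep the DHCP scope close to the number of users, together with the suggestion above to give wireless its own dhcpd scope and manage it from scripts, can be checked mechanically. This is an added example, not code from anyone in the thread; the sample configuration, its subnet and the `headroom` parameter are assumptions.

```python
import ipaddress
import re

# Constructed sample: a dedicated wireless scope for ISC dhcpd. The subnet,
# addresses and lease time are assumptions, not values from the thread.
SAMPLE_DHCPD_CONF = """
subnet 192.168.50.0 netmask 255.255.255.0 {
    option routers 192.168.50.1;
    range 192.168.50.10 192.168.50.49;    # wireless laptops
    range 192.168.50.60 192.168.50.64;    # wireless handhelds
    default-lease-time 28800;
}
"""

# Simplification: only flat subnet blocks (no nested pool/host braces).
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"^\s*range\s+(\S+)\s+(\S+)\s*;", re.M)


def scope_sizes(conf_text):
    """Return {network: leasable address count} for each subnet block."""
    sizes = {}
    for net, mask, body in SUBNET_RE.findall(conf_text):
        network = ipaddress.ip_network(f"{net}/{mask}")
        total = 0
        for low, high in RANGE_RE.findall(body):
            lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
            if lo not in network or hi not in network or lo > hi:
                raise ValueError(f"bad range {low}-{high} in {network}")
            total += int(hi) - int(lo) + 1
        sizes[str(network)] = total
    return sizes


def audit_scope(conf_text, expected_users, headroom=0):
    """Compare each scope's lease count with the wireless headcount."""
    findings = {}
    for network, size in scope_sizes(conf_text).items():
        if size > expected_users + headroom:
            findings[network] = f"oversized: {size} leases for {expected_users} users"
        elif size < expected_users:
            findings[network] = f"undersized: {size} leases for {expected_users} users"
        else:
            findings[network] = "ok"
    return findings


if __name__ == "__main__":
    print(audit_scope(SAMPLE_DHCPD_CONF, expected_users=40, headroom=5))
```

Run against the real configuration file whenever the headcount changes, so the wireless pool never drifts far above the number of people who should be on it.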

Ok, many thanks for that! There seems to be a lot of conflicting views on how best to do this but I guess that's par for the course :D I'll read a bit more and see how it goes. Thanks again.


If you have a laptop (or can borrow one) with a wireless card, you may also want to view the wireless levels in the area you want, to see what kinds of interference you're likely to encounter on the different channel bandwidths - I suggest NetStumbler for this as well. It'll help you use the best channel and perhaps choose the best location for your WAP as well.


Another thought occurred to me. Say a user comes in to the office in the morning, connects to our wireless LAN and then wants to join the wired network back at their desk. I guess there is no slick way of doing this other than logging off the laptop and then logging back onto the domain once redocked? I thought about Access Connections from Lenovo but it relies on the user being capable of selecting the correct profile etc. Appreciate any thoughts :thumbup


As long as the wireless connection is not configured to automatically connect, restarting on the wired network is the easiest way for the users to switch between the two w/o having to explain what a layer 2 loop is and why that's a bad thing.

We run a customized XP install and have a custom service running so it has been extended to include monitoring the connections and switching between the two as needed. I'm not sure if there is a commercial alternative for that, but afaik something like that would be your alternative if you didn't want to have the users shut down.


Thanks Mordac. I'll see what else is out there but the log off might be the best path of least resistance for the moment.

Edited by ixy

Well, Lenovo's Access Connections application is not too bad after all. I think this might be practical. Looking at a FortiWiFi router/AP or two as well. I hope this stuff is useful to other peeps that find themselves landed with a big first project involving WIFI :DDD I'll keep posting what I try and the results etc. Am I getting this point correct: Bridging APs will enable users to roam from one location to another as well as access printers or such on a different subnet?? This is hard, I wanna play falcon instead :lol:


Since the 802.11 standard doesn't define a wireless bridge you have to assume it's just your normal network bridge. But if you configure your APs to overlap coverage area, but on different channels, you can cover a large area that will be seamless to the connected users (dependent on signal strength of course). If you have something like a wireless point to point link, like between buildings, then you could use a bridge to connect to the LAN.


Ok, that sounds fair. The company will occupy just one building so that simplifies it a bit. I'm looking at a couple of wireless dualband bridging kits as I think there might be a requirement to cross subnets. Am I right in thinking that I can't do that because we will be using 802.11i (probably) which doesn't yet support bridging?? Really appreciate the input by the way!


I learned a lot when we put in our WLAN so I'm glad to help. Actually, I wouldn't get so creative on connectivity on the wireless side. I'd set up a separate subnet for the clients and then handle the connectivity to other subnets/devices internally through the router the same way you would if the network was wired. Much easier solution and all you have to deal with are APs and their physical placement and channel overlays.

That's also why I recommended hiring a professional to come in and do a full site survey, rather than run around w/ NetStumbler on your laptop. For a business, the cost vs the quality of the information gathered is well worth it. We paid $2500 and rcvd recommendations on AP placement, channel selections, a signal strength diagram and radiation pattern, plus they also reviewed external signal strength to see how much was accessible outside of the building skin and much more that I hadn't even thought of. Things like that take time for one person to do.

Just to clarify, 802.11i is a security amendment to the standard, not an entire communication methodology like a, b or g, and replaced WEP. WPA is a subset of 802.11i and the full implementation is known as WPA2 (which uses the AES cipher). Definitely go with this if the clients and APs can use it!


Yeah, we have a service provider doing a LAN and infrastructure survey and they have agreed to do a wifi survey also. I now need to wait until that is performed before any piloting is done. Actually still waiting for our vendor to confirm they have the AP/router we want. Need to find an ADSL capable PCMCIA card also so we can route traffic out onto the internet and between sites if needs be. Was looking at a FortiGate 60 b ADSL but it's out of production now. Actually might have found an alternative! I'll post details.

