Ask Slashdot: How Do You Deploy Small Office Wi-Fi SSIDs?
First time accepted submitter junkfish writes "I am not able to install a controller based Wi-Fi solution in my office due to cost, but I like presenting my users with a single SSID rather than an array of four or five differently named SSIDs from different access points. What is your experience deploying multiple wireless access points with the same SSID and password? I have been doing this with Cisco 1040 series Access Points this year, and have had good success. It seems like the client is able to determine which AP is best to connect to, and is able to roam around the office without too much of an interruption when it connects to a different AP. Is this sloppy practice? Or does the general state of the 802.11 provide for this sort of resiliency? I am really interested in your opinion because I have not seen too much documented on this subject."
I've seen it work with multiple AP's in an office that all had the same SSID. Just cloned the boxes (some cheap Cisco thing, can't remember the part number) and never had any issues with conflicts.
Do not mock my vision of impractical footwear
I thought that was the standard way of doing it anyway. Is it not?
The Airport Extremes seem to handle this fine. I set up several using the same SSID to extend the signal.
I would highly encourage you to look at the Ubiquiti UniFi system. Software based centralized computer and basic APs are only $66. We're switching to them from Cisco and have been very happy.
http://www.ubnt.com/unifi
I would be fine with the multiple APs and single SSID but I would prefer you not deploy them with a PSK. 802.1x with a RADIUS implementation of some sort would be a good starting point.
It's rather simple to do - we have 3 access points in our home. All you have to do is give them all the same SSID, and put each individual one on separate channels. Also, give each router a static IP address and remember to turn off DHCP.
Alternatively, you can use wifi extenders.
What you are talking about will work fine in smaller offices. As far as I can tell, though, there is no handover when a signal is poor, only when it is lost. The laptop will stay connected to whatever the original access point is until it can not contact it anymore. If the distance increases after initial connection and the signal becomes crappy, it won't automatically connect to a closer AP until the original connection drops completely.
That said, Cisco does make some equipment that handles that, I believe. In my environment, I only need 2 APs to cover my building, so I decided I didn't need that more expensive solution.
The AirPort Express/AirPort Extreme will do this as well. I have a two-story house and I have an AirPort Express and two Extremes all on the same SSID and password. I don't know if Apple makes a Windows version of the AirPort Utility, however.
I've set a few up and it's relatively simple. Make sure they have the same SSID, passphrase and security type (WPA2-PSK is what I use). Just make sure you have one doing DHCP or at least a box on your network doing it and just kick the rest into bridge mode.
Is there another way to do it? I've always set office (and my home) Wifi networks up like this -- as long as the AP's are all on the same subnet, roaming among them should be fairly transparent.
Try to use non-overlapping channels as much as possible. (i.e. channel 1 at the east end of the office, channel 6 in the middle and channel 11 at the west end). If you can't use non-overlapping channels, some tuning of power levels to prevent interference between nodes can help -- i.e. if you have a long office with 4 nodes on 3 channels: [1, 6, 11, 1] you may see better performance if you turn down the transmit levels on the two channel 1 nodes so they don't interfere with each other as much. And dual-band 802.11n can help even more both because there's more channels on 5 GHz, and because the 5 GHz signals will be attenuated more.
In my current office, I have about 120 Wifi nodes (through a Cisco WLAN controller), all are broadcasting the same SSID.
This problem has been solved already, it's called WDS. http://en.wikipedia.org/wiki/Wireless_distribution_system
I hate sigs.
Answered already but it is built into the protocol.
http://superuser.com/questions/122441/multiple-access-points-for-the-same-ssid
Check out cloudtrax.com; the Open-Mesh gear might be a good candidate for you. It's cheap and pretty easy to deploy. It's also one-time licensing (included in hardware cost).
Why not install pfSense on an old PC (Pentium 4-class is more than enough) with a couple of NICs and the FreeRADIUS 2 module? Put the APs in bridged mode and set up 802.1x authentication.
If you didn't want to use self-signed certs and a private CA, your only cost would be for certificate purchases/renewals. The cost is negligible if you count your staff IT hours as costing you nothing.
Just tried "wireless network multiple access points" on Google and no information at all :(
http://superuser.com/questions/122441/multiple-access-points-for-the-same-ssid
http://www.dummies.com/how-to/content/wireless-network-routing-with-multiple-access-poin.html
AFAIK you need to choose one SSID and one password for all the access points, but you should configure them to different channels so they don't interfere with each other. With this setup the client should automatically choose the best access point and roam to the next when he moves to another room.
Part of the wireless standard is that the client chooses which AP it connects to; this may improve with updating the wireless drivers. High-capacity wireless can have problems. Also make sure your Cisco APs are channel staged, as in one is channel 1, the next one is channel 6, the next is channel 11; it will help with SNR. The only company I know that can fix a lot of these problems is Meru, where the whole system can run single channel and makes decisions on the client's behalf, but it needs a controller to do this.
...Cisco stand-alone 1040 AP's then set one as the master and configure the others as wireless repeaters. I did that to the first floor of our office building and now roaming between APs is working much smoother than when they were all wired up as individual APs bearing the same SSID. It's almost as good as having Cisco LWAP AP's with a wireless controller.
Maybe Apple AirPort(s) managed via MacOS X Server?
If even that is out of budget, maybe look at OpenMesh? http://www.open-mesh.com
from the wiki:
WPA and WEP are thoroughly broken and are not even an option if you care at all about security, the state of WiFi security in this decade is a fricken joke.
We have a dozen Aruba AP's deployed w/ a virtual controller which floats between the various AP's. The AP's are a bit pricey ($600); however, I have no complaints supporting close to 100 clients in our small environment.
I believe this is the preferred Cisco method, or something similar.
Check out PowerCloud (see, http://powercloudsystems.com). They will do what you want at a very reasonable fraction of the cost of a Cisco or Aruba system. They can even provide replacement firmware for a few APs mentioned in the thread.
Check out Meraki gear. They pretty much are using routerboards running busybox (or were, at least) to create a wireless mesh network. If Meraki doesn't look proper, I'd generalize a bit and look around for other mesh networking gear. You pretty much hang access points, including a base station, connect your uplink for the WAN on the base station, and the other APs act as extenders for your WAN.
If the only thing keeping you from a controller based solution is cost try Ubiquiti's Unifi. You can run without a controller and if you need one you can use any old embedded box. http://www.ubnt.com/unifi
One of my hobbies is messing around with dd-wrt and OpenWrt on various hardware platforms. At home, I have 6 APs in use (3 on 2.4GHz and 3 on 5GHz). I've found that wireless clients will not roam between APs even when all are configured with identical SSID and encryption settings. The clients tend to stay connected until the AP is completely gone, even if you're 10ft from another AP (unless you cycle the radio off/on so it starts looking for the best AP again). So I did some research and found you could build an OpenWrt image that would allow the APs to communicate and deassociate the client when the signal is better elsewhere, but this requires some real messing around. I gather this is where Cisco gained some check marks for Cisco clients roaming between Cisco APs.
https://forum.openwrt.org/viewtopic.php?id=10353
https://forum.openwrt.org/viewtopic.php?id=26290
So you can do this for free but it requires some moderate geekery.
I thought this was inherent in, for example, extended wireless networks (e.g., Airport Extreme / Time Capsule plus Airport Express(es)).
The options are limited. You can use the same SSID on the various APs (separating channels as mentioned). So long as the clients are all on the same VLAN (usually a DHCP scope), it will work reasonably well. Most of the protocols are fairly forgiving. If you have WDS capability, by all means use it.
802.1x adds complications, but if you have a RADIUS type server a WLAN controller should be a more realistic consideration.
We are replacing our 12 Cisco APs that have a 4400 wireless controller with 16 Aruba IAP 105's.
They are really cool devices. You can run multiple SSIDs if needed and they all pull their info from 1 AP.
Ubiquiti Networks provides a product line that is centrally managed and supports up to 4 SSIDs per access point / network. The management software is a little messy; however, the access points are less than $100 each, and come with PoE injectors and mounting brackets for wall mount or ceiling mount. A really nice clean product.
I'm running this configuration in a small office right now with two WRT-54GL routers running DDWRT.
Really great setup, and works seamlessly as I go back and forth between the two offices.
One of the wireless units acts as the router, the other acts as simply an access point and forwards its traffic to the router over an ethernet cable.
Super simple to set up, the only trick is to make sure that the two units are on different channels.
The cost for both units was less than $100 and the hardest thing was having the building super route the ethernet cable through the ceiling.
Good luck
All WiFi base stations on the same subnet (routing disabled except for the one unit that is connected to broadband; often done by turning off DHCP), each unit has the same SSID, each unit has the same encryption (WPA2 preferred), and each unit has the same password.
Set the SSID the same for each AP. Set them on different channels so that the AP's don't "step on" each other's bandwidth. Roaming is a station-side (client in common usage) decision, so your PCs will automatically pick the AP with the best signal strength.
As far as authentication goes, this all depends on the AP. All should support PSK (preshared secret keys, aka passwords) and in that scenario, set them all to the same value on each AP. The PSK should be at least 24 characters long, and the SSID for the net unique to keep the security at acceptable levels and reduce the possibility of offline dictionary attacks against the PSK.
Assuming the APs support it, Enterprise grade authentication with individual per-user passwords is within reach at little to no cost. You can tie into Active Directory or set up a free AS (Authentication Server) using FreeRADIUS on a Linux box. The definitive reference for doing this with an MS server is a book titled "Deploying Secure 802.11 Wireless Networks with Microsoft Windows". Make sure you check for updates to the book online, and there is an appendix which details how to set it all up in a lab environment, which will let you prove principle without screwing with the production network.
Google around and you will find loads of information on how to do this with Open Source, the key articles being some from Linux Journal from about 6-8 years ago.
Hope this Helps......
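The post above ties the strength of a shared PSK to both its length and the uniqueness of the SSID. That follows from how WPA/WPA2-Personal derives its key: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt. The sketch below is an added example, not part of the thread; `derive_pmk`, `review_psk` and the `COMMON_SSIDS` list are hypothetical names and constructed values, and the 24-character threshold is the one the post recommends.

```python
import hashlib
import string

# WPA/WPA2-Personal derives the 256-bit pairwise master key (PMK) as
# PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
MIN_RECOMMENDED_LEN = 24  # threshold taken from the post above

# Constructed sample of factory-default style names (illustrative, not exhaustive).
COMMON_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless", "home"}

# A passphrase is 8..63 printable ASCII characters (0x20..0x7e).
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def derive_pmk(passphrase, ssid):
    """Return the PMK that every AP sharing this SSID and passphrase computes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if any(c not in _PRINTABLE for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, PBKDF2_ITERATIONS, PMK_LEN
    )


def review_psk(passphrase, ssid):
    """Return a list of findings for one SSID/passphrase pair (empty = OK)."""
    findings = []
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append(
            f"passphrase is {len(passphrase)} characters, "
            f"below the recommended {MIN_RECOMMENDED_LEN}"
        )
    if ssid.lower() in COMMON_SSIDS:
        # The salt is the only per-network input, so a shared default SSID
        # means guessing work done against one network applies to all of them.
        findings.append("SSID is a common default name, so the salt is not unique")
    if ssid.lower() in passphrase.lower():
        findings.append("passphrase contains the SSID")
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, string.punctuation + " ")
    if sum(any(c in g for c in passphrase) for g in groups) < 2:
        findings.append("passphrase uses a single character class")
    return findings


if __name__ == "__main__":
    phrase = "correct horse battery staple 42!"  # constructed sample
    for name in ("acme-2f-east", "linksys"):
        print(name, derive_pmk(phrase, name).hex()[:16], review_psk(phrase, name))
```

The same passphrase yields an unrelated PMK under each SSID, which is why a network-specific SSID matters even when the passphrase is long.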
Why anyone would bother to post such an utterly basic question on here and why it would get posted is beyond me.
If you spend 20 seconds on Google you wouldn't need to post stuff that took over a minute to write and then who knows how many minutes to wait for a response that helps you. Basically you took at least an hour to find something out you could have discovered within just a few minutes on Google. Or hell, here is an idea, call Cisco. Most companies have support for their products that can be helpful to you.
So I'll go with the old adage "google it". Or do you always need constant hand holding?
It's worth looking at the controller-less or virtual controller options from Aruba; they are very cost effective and very easy to deploy.
Controllers came well after AP's were invented, so people had to solve this problem for years without them as an option at all. Multiple AP's sharing the same SSID and key is exactly how the standard was designed, and was the best practice for deployment for many years. The short answer is, it works great, and is how you should be deploying.
For the long answer, you have to understand what happens when a user needs to switch AP's, and how the controllers improve that process. When a client wants to switch from one AP to another it must dissociate from the first, associate with the second which includes exchanging new session keys, gratuitous ARP to inform the L2 network, and then carry on. This process typically takes between 100-500ms, depending on the client, AP, and random luck. For most users doing most things this is all fine, if you're browsing the web and chatting on IM it's a non-issue.
However, for some clients like VoIP phones and video chat a 100-500ms pause is a disaster. Enter the controller solution. The WiFi protocol was divided between things that require hardware (transmitting at the right time, RF modulation, etc) and things that were all in software, just on the AP like exchanging key material. The hardware kept doing the hardware things, but the software activities were moved to the controller. The advantage is that the entire session does not need to be torn down, the radio can switch AP affinity (BSSID) while using the same key material since the key material is tunneled back to the controller from both AP's. A client can now switch AP's in 10-50ms, which for most VoIP apps and video conferencing means seamless connections.
Note to the pedantic: yes, there are some other details, controllers enable triangulation features and some other RF analysis, there are a few protocol nits I omitted, and this omits a lot of important design considerations like proper AP placement and channel selection.
Now, go back to the requirements. If you don't deploy WiFi VOIP phones, and don't have other real time streams, controllers may be a total waste of your money. If the goal is to get users e-mail and web access when sitting in the conference room or courtyard, vendors are selling something not needed when they push controllers.
Second note to the pedantic: Controllers can make networks scale better, so if you're deploying 25+, or more likely 100+ AP's my previous paragraph doesn't apply, but that's not what most people reading this are doing.
So to the OP, yes, put them on the same channel. For less than 10 AP's with no real time requirements it is the best practice, and a perfectly valid way to deploy a WiFi network. A controller may be able to get some advanced features (auto-channel management, threat detection, triangulation), but in most small businesses they are features that would rarely if ever be used. There are thousands of WiFi networks deployed without controllers that work quite well. Do read a good document on how to place AP's and select channels, you'll want to use non-overlapping channels in a grid pattern and try and get it to where clients can always see 2-3 AP's, no more, no less.
If you really want a controller, there are some lower cost options than the big players. Ubiquiti has a nice solution in their UniFi line, and Netgear now offers an appliance based controller. Aruba has several mid priced offerings. They don't all have the features of say high end Cisco gear, but offer a lower cost solution.
This right here is my instructions on a box of toothpicks. The fact that they come in several vendor defined languages only serves to reinforce the painful insanity here.
There is no way setting up n APs, with n ESSIDs, and n keys will ever be a better solution performance-wise than n APs, with 1 ESSID, and 1 key.
This will hold true whenever n is constant across both scenarios, and those APs are otherwise configured the same.
This isn't to say that this would be a great solution above a particular density (power density, station density, bandwidth density, whichever crosses the line first), but that line isn't necessarily easy to define. Just mind your design, output, power and channel plan.
Why write off a proper wireless network right away?
http://www.ubnt.com/unifi I can put in a 4 AP managed system with a cheap PC as the controller for less than the cost of ONE stand alone Cisco AP.
Plus it's better quality than anything you can buy from Dlink, Cisco, etc...
Do not look at laser with remaining good eye.
I am not seeing in the oft-repeated scenario here of multiple AP's with the same SSID and password/key how DHCP serving is managed.
Would each AP be a DHCP server for whichever client connects? Should each offer an IP from a unique range within the same subnet? Any other guidelines related to that?
TIA
For a nice little channel range checker, consider the "Wifi Analyzer" Android app (maybe it has iOS version, too?). It has a nice graphical display of strength of multiple AP's within range, and the channels they use. On an Android tablet or phone with good wifi hardware it is much more convenient than lugging a notebook PC around.
HTH
--
RO
We use a product from Aruba Networks called Aruba Instant AP for wireless access at our offices. They call it "controllerless" but really you configure the first AP with SSID and security settings then just plug more APs into the same network and they auto-configure and adjust to minimize interference. If the controller AP goes down the other APs elect a new controller and service continues uninterrupted. It is for small deployments (I think a max of 16 APs) but has worked well for our purposes (WiFi bar code scanners, several laptops and some WiFi printers).
As everyone's stated, what you've done so far is correct. IMHO, controllers are well worth the money - though shop around, because (again, IMHO) Juniper and Cisco are way too expensive for what they are.
What a controller will give you is a unified simple way of managing it all. I.e. configure it in one spot rather than every AP. They also often include things like portals, authentication services and firewalls. I.e. a central CA for using certificate based auth, a captive wifi portal for open access points that go to the internet or stuff like that.
Where that becomes GREAT is trying to debug stuff, when you get past 4 AP's it starts to get a little tedious making sure every AP is configured correctly (i.e. same SSID, same authentication info), and gets really hard to maintain channel separation effectively. A lot of controller based systems will distribute the channels well based on the topology of your AP network, and that is very handy.
All of this is doable manually, what a controller can do that you can't do anywhere else is force handoff from one AP to another. AP clients typically head for the closest AP based on signal strength alone and that can get a little annoying because you'll often end up with several AP's that are flooded and others that are barely used, controllers can manage that and push clients off one AP and tell them to use a different one.
The other bit that is mighty hard to do without a controller is running multiple SSID's from the same AP's connected to different networks (and often the firewall in the controller plays a part in this too). It can be handy in some situations to have a "visitor" SSID that's open access but only gets internet alongside an "internal" SSID that gets on your internal network and maybe authenticated via certificates. Controllers handle that very well.
Also be sure to use channels that are spaced far enough apart so as to not interfere at all. (E.g. 1, 6, & 11)
I did it with cheap Linksys APs once. All I did was to set the SSID to be the same on all three Linksys APs but with different broadcast channels. I was then able to seamlessly transition from one AP to the next, hopping from one to the other with no issues.
Because the power to run a Pentium 4 for 2 years would cost more than getting a modern little embedded box.
It is in some countries with heavily subsidized electricity and high import tariffs.
If an office network mixes brands, models, and 802.11g access points with 802.11n access points, is it still best practice to have them share SSIDs?
Multiple APs with the same SSID just work, and a moving client switches from one AP to another smoothly. You just have to take care about the channels used by your APs: try to have as little overlap as possible.
One of the things that worries me is people walking around in a way that gets them to overload a single AP. Let's say that the normal limit of an AP is 25 to 30 clients. In this case, how do I make sure that a client chooses an AP based on signal, but that existing connections/load of an AP is also taken into consideration?
I am not able to install a controller based Wi-Fi solution in my office due to cost...
Yes, you are.
Check out UniFi by Ubiquiti Networks - they're cheaper than you think (in the same ballpark as premium consumer wifi gear) and the controller is a software instance you can run on just about anything. Management is through a web browser and is dead easy.
The wifi networks have great throughput, the Pro access points have 3x3 MIMO, and they're stable and reliable.
You also get some other good features, such as traffic analysis and reporting, a captive portal for guests that can either use tickets (generated in the controller software) or via a PayPal gateway if you want to start charging people for access and plug-and-play for adding new APs to the network.
Disclaimer - I have deployed a number of Ubiquiti networks for my clients, and they're all working successfully.
Specialist Mac support for creative pros, Melbourne
If you're not up to controller scale, Aruba Networks has a little system called "Instant" which may meet your needs. Several APs essentially talk amongst themselves and one of them is designated as a virtual controller for the others (with some contingency for failover if that one goes down). You still get good enterprise-grade APs that can handle tens of clients each without falling over, and it looks like they've substantially expanded the line of equipment that this is offered for. Worth a look?
Alternatively, Meraki, if you're willing to buy their whole "cloud-managed" side of things.
Why not consider using the Aruba Instant solution? http://www.arubanetworks.com/products/instant/
We've started using Open-Mesh https://www.open-mesh.com/ . It's cloud controlled, which means the APs require internet access. It's also a mesh so it can be used for areas without a network connection or the mesh can continue working in the event a line goes dead. For our budget-conscious clients it definitely fits the bill.
You could have a look at FortiWifi ( http://www.fortinet.com ).
A FortiWifi that acts as both AP and controller and additional Forti AP's to get the coverage needed.
All generalizations are false
You can try Ubiquiti solutions. They provide a controller which you can install on any PC (Linux or Windows) and run cheap APs. We do it for our hotspots and it works great.
Nobody has mentioned Aerohive yet so I thought I would throw it in there. Aerohive make the best controller-less access points and they are a great fit for branch offices.
Use OpenWRT assuming you have compatible wifi routers, then you can set up seamless single-SSID with ease.
SURELY NOT!!!!!
Have a look at these - virtual controller APs - first one installed acts as a master and copies setup to any other APs it finds.
With POE, adding more APs is a two minute job
Good luck
We have upgraded our office wifi to Meraki: trouble free, all centrally managed and professional, not overly expensive hardware.
I think they have recently been bought by Cisco.
And no, I do not work for Meraki or Cisco or any other tech company ;-)
Post-it.
I'm with you right up to using the same channel. Hell no! This is suicide. Avoid co-channel interference.
Lay out your wifi install and figure out your channel plan. Survey for placement. I have several sites where RRM did a horrid job, and I've had to statically assign channels to get performance up. Cisco design docs are available, Google is your friend.
While WPA2/PSK works, and I use it at home for a 3 AP network, you actually can get faster roaming using 802.1X with key caching between APs.
Many clients do not fast roam. They drop and reassociate. This can lead to performance issues, but you can't solve it at the AP. It is a client-side issue. I've worked with Dell/Broadcom to fix driver roaming issues plaguing our fleet deployment, and it is a pain. Finding a USB stick adapter that roams well is very hard.
I've installed something like this on some hotels and hospitals with Zyxel NWA-3160, they are very good, and allow for decent VOIP Roaming between AP.
One AP is configured as the master controller and replicates settings and logons on all the others; it's also fairly quick with roaming computers and VOIP handsets.
I actually did something like this a couple of years ago with Apple Extreme APs and pfSense. Apple Extremes & Expresses both have the built in ability to create a homogenized network. Set them in bridge mode and have pfSense handle the firewall/DHCP/DNS stuff. Easy peasy. I did a building with 5 floors and 3-4 APs per floor for about $4000. Plus Apple Extremes will happily run in the plenum and can be managed from a central location and single program interface.
I'm surprised that nobody has yet mentioned Ruckus wifi systems.
But since the OP already has the Cisco Aironet AP-1040 access points, the best way is to set one as master and the rest as wireless repeaters, as was mentioned earlier. Make sure you set the channels differently on each (1, 6, 11) and don't re-use channels on APs that are too close physically to each other.
Use a central DHCP server. I use a pfSense box for mine.
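Several posts in this thread give the same checklist for a controller-less deployment: one SSID and security mode everywhere, channels 1/6/11 with no reuse between nearby APs, DHCP served from one central place, and a static address per AP on the same subnet. The script below is an added example, not something posted in the thread, that audits an inventory against that checklist; the inventory format, the `audit` function, the finding codes and all sample values are constructed, and it covers 2.4 GHz only.

```python
import ipaddress
from collections import Counter

NON_OVERLAPPING_24GHZ = (1, 6, 11)  # the 2.4 GHz plan used throughout the thread
MIN_CHANNEL_GAP = 5                 # 1/6/11 are five channel numbers apart

# Constructed inventory (hypothetical names, addresses and settings).
# "neighbors" lists the APs that are physically close enough to hear each other.
SAMPLE_APS = [
    {"name": "ap-east", "ip": "192.168.1.200", "ssid": "acme-office",
     "security": "WPA2-PSK", "channel": 1, "dhcp_server": False,
     "neighbors": ["ap-mid"]},
    {"name": "ap-mid", "ip": "192.168.1.201", "ssid": "acme-office",
     "security": "WPA2-PSK", "channel": 6, "dhcp_server": True,
     "neighbors": ["ap-east", "ap-west"]},
    {"name": "ap-west", "ip": "192.168.1.202", "ssid": "acme-office",
     "security": "WPA2-PSK", "channel": 11, "dhcp_server": False,
     "neighbors": ["ap-mid", "ap-annex"]},
    {"name": "ap-annex", "ip": "192.168.1.202", "ssid": "Acme-Office",
     "security": "WPA2-PSK", "channel": 9, "dhcp_server": False,
     "neighbors": ["ap-west"]},
]


def audit(aps, lan="192.168.1.0/24", ap_dhcp_allowed=0):
    """Return (ap_name, code, detail) findings for a same-SSID AP fleet."""
    if not aps:
        return []
    findings = []
    by_name = {ap["name"]: ap for ap in aps}

    # SSIDs are case-sensitive: an AP with a different SSID or security mode
    # is a different network to the client, which will not roam to it.
    for field, code in (("ssid", "SSID_MISMATCH"), ("security", "SECURITY_MISMATCH")):
        expected = Counter(ap[field] for ap in aps).most_common(1)[0][0]
        for ap in aps:
            if ap[field] != expected:
                findings.append((ap["name"], code, f"{ap[field]!r} != {expected!r}"))

    # Channel plan: stay on 1/6/11 and keep neighbouring APs five channels apart.
    seen_pairs = set()
    for ap in aps:
        if ap["channel"] not in NON_OVERLAPPING_24GHZ:
            findings.append((ap["name"], "CHANNEL_OFF_PLAN", f"channel {ap['channel']}"))
        for other_name in ap["neighbors"]:
            pair = frozenset((ap["name"], other_name))
            other = by_name.get(other_name)
            if other is None or pair in seen_pairs:
                continue
            seen_pairs.add(pair)
            gap = abs(ap["channel"] - other["channel"])
            if gap < MIN_CHANNEL_GAP:
                findings.append((ap["name"], "CHANNEL_OVERLAP",
                                 f"{gap} channels from {other_name}"))

    # DHCP: with a central server, no bridged AP should hand out leases.
    serving = [ap["name"] for ap in aps if ap["dhcp_server"]]
    if len(serving) > ap_dhcp_allowed:
        findings.extend((name, "DHCP_ON_AP", "DHCP server enabled") for name in serving)

    # Management addresses: unique and inside the LAN subnet.
    network = ipaddress.ip_network(lan)
    used = {}
    for ap in aps:
        addr = ipaddress.ip_address(ap["ip"])
        if addr not in network:
            findings.append((ap["name"], "IP_OUTSIDE_LAN", f"{addr} not in {network}"))
        if addr in used:
            findings.append((ap["name"], "DUPLICATE_IP", f"also used by {used[addr]}"))
        else:
            used[addr] = ap["name"]
    return findings


if __name__ == "__main__":
    for name, code, detail in audit(SAMPLE_APS):
        print(f"{name:9} {code:17} {detail}")
```

Pass `ap_dhcp_allowed=1` for the layout where one of the wireless units is also the router and DHCP server.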
This really isn't that difficult and you can do it on the cheap if wireless isn't critical to your small business. Just buy 1 wired router with a built in DHCP server, and 4 or 5 wireless ones. Unless you need them to be powered by PoE, I wouldn't bother with the Cisco Aironet APs, just buy some cheap Linksys/Cisco wireless routers. Once you have all that, set up your wired router to connect to your network and then configure the wireless routers in the following way:
1. Disable the WAN/Internet interface on each one, you won't need it.
2. Give each one a static IP inside your network on the LAN interface (for example: 192.168.1.200 - 192.168.1.205) with a gateway equal to the LAN IP of your wired router (for example: 192.168.1.1).
3. Set each wireless router to have the same SSID, encryption, password and channel (disable automatic channel selection).
4. Connect one of the LAN interfaces on each wireless router back to your network.
Because all your APs have the same SSID and password, the wireless clients should automatically connect to the one with the strongest signal strength. Your connection may temporarily drop if you are downloading a file and start walking across the office but for most people this solution should work. If you require monitoring, use a ping script or network monitoring tool to make sure all the APs are up. PRTG is actually free for less than 10 sensors so I'd recommend that if you don't already have one.
Oh crap, totally missed that in my proof reading. It should have said "put them on the same SSID", not channel.
I 100% agree that a proper channel plan is necessary using non-overlapping channels. And you're right that 802.1x caching can help.
Folks, mod up, not down the AC post I'm replying to, he's right and I made an important typo.
Check out Aerohive. They have very affordable branch office products, and you get a wireless IPS, too.
Aruba has a controllerless solution which is mainly for remote offices or store wifi (think starbucks). They provide an ability to have multiple access points broadcast the same SSID. Also they communicate together wirelessly to simulate a "controller" which makes office installations lower cost.
Works great for me. Had shaky coverage in one half of the house, so I put in another (older, g only) router on the same wired network as a bridge, and if I wanted to, I could use WPA2 enterprise and use RADIUS authentication with LDAP or whatnot for extra auditing and even bandwidth quotas per user (eg, admins have first dibs via laptop). This type of infrastructure can be set up on the wired ports if needed as well, so you can have complete auditing in the event someone puts up a rogue AP on your wire, and even succeeds (hey look whose login credentials got that router in!), and prevents the average idiot from even succeeding (but I need Pandora, so I needed to put my iPod on a wireless router!).
TL;DR: YMMV, but it works for me, with 2 consumer routers running ddwrt and bridge mode, and also WPA2 enterprise is pretty cool.