Slashdot Mirror


Ask Slashdot: How Do You Deploy Small Office Wi-Fi SSIDs?

First time accepted submitter junkfish writes "I am not able to install a controller based Wi-Fi solution in my office due to cost, but I like presenting my users with a single SSID rather than an array of four or five differently named SSIDs from different access points. What is your experience deploying multiple wireless access points with the same SSID and password? I have been doing this with Cisco 1040 series Access Points this year, and have had good success. It seems like the client is able to determine which AP is best to connect to, and is able to roam around the office without too much of an interruption when it connects to a different AP. Is this sloppy practice? Or does the general state of the 802.11 provide for this sort of resiliency? I am really interested in your opinion because I have not seen too much documented on this subject."


  1. I've seen it work by Nefarious Wheel · · Score: 4, Informative

    I've seen it work with multiple AP's in an office that all had the same SSID. Just cloned the boxes (some cheap Cisco thing, can't remember the part number) and never had any issues with conflicts.

    --
    Do not mock my vision of impractical footwear
    1. Re:I've seen it work by redfox2012 · · Score: 2

      Indeed, you should be fine! A single SSID across all access points is the way to go but, as the Cisco 1040 series seem to be 802.11n your choice of channels is limited.

      Make sure you only use channel 1, 6 or 11 as the others overlap which can confuse clients; you are better off having two of your five arrays on identical channels than overlapping them. Just try to keep the access points with identical channels a reasonable distance apart, so that there is an obvious difference in signal strength.

  2. I thought it was standard by pclminion · · Score: 3, Interesting

    I thought that was the standard way of doing it anyway. Is it not?

    1. Re:I thought it was standard by Dishwasha · · Score: 5, Informative

      Yes, that is the biggest mistake no-name wireless installers and IT consultants (i.e. the guy installed a wireless AP in his house and now he's an expert) do with small businesses is they use different SSIDs and WEP keys for each access point. It is extremely annoying. Use the same SSID and the same WEP/WAP key for each access point. In the 802.11X standard, it is the responsibility of the wireless client to automatically determine which AP is best and automatically switch and potentially hop channels. You will want slight overlap of the wireless zones, but don't place them too far away or too close to each other. Be aware of any areas where a "firewall" is installed (not an electronic firewall, but a wall with extra insulation that protects different areas from spreading fire) and plan APs accordingly. Once you place the APs with approximate locations, do a slow walk-around with your laptop and use airsnort to get signal strengths and tweak AP location before physically installing them in the ceiling or walls or wherever. A popular thing for businesses with the removable ceiling tiles is to cut a small hole in the tile and let the AP's antenna(e) point downwards into the actual normal airspace. Of course, this typically requires running power into the crawlspace somehow.

    2. Re:I thought it was standard by DigiShaman · · Score: 2

      It will work headless using a bunch of random APs with the same SSID, but reliability is iffy at best. The point of a wired controller managing APs is so it can intelligently manage WiFi channel allocation and load based on all sorts of factors including SNR levels and channel usage overlap.

      --
      Life is not for the lazy.
    3. Re:I thought it was standard by hawguy · · Score: 3, Interesting

      I do it this way with two cheap Linksys access points. Same SSID, same pass-phrase, different channels. MAC filtering enabled.

      Having to occasionally update the MAC filter list twice isn't much of a labor. Though depending on how many access points you have and how often you have to make changes would depend on how boring that might get.

      Why use MAC filtering?

      It does nothing to stop someone that's interested in joining your network - if they can hack your WPA key (or steal it from someone's desk), the MAC is not an impediment at all -- it's broadcast in plain text.

      All MAC filtering does is keep honest users off your network, but if they are that honest, they probably aren't going to get on your network in the first place.

      If you're looking for security, set up a RADIUS server and use 802.1x authentication instead of PSK.

    4. Re:I thought it was standard by GlobalEcho · · Score: 4, Insightful

      Be aware of any areas where a "firewall" is installed (not an electronic firewall, but a wall with extra insulation that protects different areas from spreading fire) and plan APs accordingly.

      You know a website (viz Slashdot) is geeky when quotation marks have to go around the original meaning of the word firewall.

    5. Re:I thought it was standard by jfanning · · Score: 2

      Something that doesn't seem to have been mentioned explicitly is that DHCP has to be turned off on all access points/wireless routers. There must be only one central DHCP server for the entire network.

      But as mentioned, this is part of the spec. I only realised the same thing last year though, so it was nice to be able to remove my 4 different SSIDs from my home network and just use one.

      The only down side is that it isn't obvious which AP is in use by any particular device (g or n) or if any AP has died. But unless it causes noticeable problems I don't really care.

  3. Ubiquiti Wireless by Anonymous Coward · · Score: 3, Interesting

    I would highly encourage you to look at the Ubiquiti UniFi system. Software based centralized computer and basic APs are only $66. We're switching to them from Cisco and have been very happy.

    http://www.ubnt.com/unifi

    1. Re:Ubiquiti Wireless by jaseuk · · Score: 2

      They are pretty good, but really work just the same way as the OP described.

      Unifi offers a pretty convenient way to monitor and configure a larger number of access points without anywhere near the cost or infrastructure required with a controller.

    2. Re:Ubiquiti Wireless by lebean · · Score: 5, Informative

      It's available for linux, go to the forums at their site, the UniFi section and look at any version announcement. They even have a Debian/Ubuntu repo, if you're on RHEL/CentOS you just grab a tarball and install the mongodb bits yourself.

  4. Is there any other way? by hawguy · · Score: 3, Informative

    Is there another way to do it? I've always set office (and my home) Wifi networks up like this -- as long as the AP's are all on the same subnet, roaming among them should be fairly transparent.

    Try to use non-overlapping channels as much as possible. (i.e. channel 1 at the east end of the office, channel 6 in the middle and channel 11 at the west end). If you can't use non-overlapping channels, some tuning of power levels to prevent interference between nodes can help -- i.e. if you have a long office with 4 nodes on 3 channels: [1, 6, 11, 1] you may see better performance if you turn down the transmit levels on the two channel 1 nodes so they don't interfere with each other as much. And dual-band 802.11n can help even more both because there's more channels on 5 GHz, and because the 5 GHz signals will be attenuated more.

    In my current office, I have about 120 Wifi nodes (through a Cisco WLAN controller), all are broadcasting the same SSID.

    1. Re:Is there any other way? by postbigbang · · Score: 2

      You can stagger on the low bands to avoid overlapping channels, or if the machines are modern, and support N-high, then use the non-adjacent N channels for even wider, non-overlapping support. Using N-high as you propose is a great idea, and forcing users to N if their hardware uniformly supports it, will speed the hell out of the network; make sure you have sufficient backhaul for the traffic, which could get huge. Also make sure you stagger DHCP IP address ranges to help preserve sessions.

      Sadly, some RPCs will destroy sessions when you change APs, as will certain IPSec VPN-based connections during AP roaming. Session roaming often can work seamlessly, but some apps will balk, including printing/scanner/shared-network-peripheral apps and others. Have users stand still if they're using them if their sessions are getting hosed. Finish printing, then walk out of the conference room, etc.

      --
      ---- Teach Peace. It's Cheaper Than War.
  5. Unifi by ProfessionalCookie · · Score: 5, Informative

    If the only thing keeping you from a controller based solution is cost try Ubiquiti's Unifi. You can run without a controller and if you need one you can use any old embedded box. http://www.ubnt.com/unifi

    1. Re:Unifi by Anonymous Coward · · Score: 3, Informative

      This guy has it. I think the Unifi setup rivals the cost of their other ap's, too, like the Bullet M2 HP and the PicoStation (best outdoor AP for the $). Even better is that as of AirOS 5.5, multiple VLANs are supported. This gets a bit whacky thanks to their vague user-manual and uninformative GUI but is well worth it given the cost and good customer service. It takes some playing around with to understand how they do the VLAN tagging.

      To properly configure client roaming between the AP's, simply name them all with the same SSID and scale their power output to have about 10% overlap. This will allow the clients to make the best decisions when roaming from one AP to another but also helps conserve your client's battery life. Be sure to keep adjacent AP's on separate channels.

      Jeremy Cioara does a good job of explaining this in his CCNP Switch series over at CBTNuggets.

    2. Re:Unifi by mokomull · · Score: 2

      This is only marginally different from separate access-points, though. Their "controller" is only for management -- it doesn't do anything for helping users roam between the APs, for instance. You need actual enterprise-class equipment if you want that.

    3. Re:Unifi by Nimloth · · Score: 4, Informative

      +1 for Ubiquiti Unifi. I run the controller on my Macbook, the APs are spread across several locations and some locations have several. Roaming is seamless, quality and features are impressive and they are dirt cheap. 3 packs are 250$, that comes to about 85$ / AP. The controller is included and there is no license to pay or recurring fees.

  6. Re:Old PC + pfSense by ProfessionalCookie · · Score: 4, Informative

    Because the power to run a Pentium 4 for 2 years would cost more than getting a modern little embedded box.

  7. Without a controller by Kernel Kurtz · · Score: 2

    the options are limited. You can use the same SSID on the various APs (separating channels as mentioned). So long as the clients are all on the same vlan (usually a DHCP scope), it will work reasonably well. Most of the protocols are fairly forgiving. If you have WDS capability, by all means use it.

    802.1x adds complications, but if you have a RADIUS type server a WLAN controller should be a more realistic consideration.

  8. Re:WDS by pjr.cc · · Score: 5, Informative

    WRONG!

    This is *NOT* what WDS was designed to do. There seems to be quite a lot of people under the impression that if you want multiple access points co-operating with one another such that clients can roam between them seamlessly, you need WDS. Not sure where that came from but it's got nothing to do with that.

    WDS is about peer-to-peer AP connections such that the data is travelling wirelessly between access points, and while WDS can be the "backbone" of a seamlessly-roaming SSID-consistent WiFi network, it's an inherently flawed system. This is typically used for places where you need to bridge networks wirelessly when you can't put down a cable (for eg, you might have two offices across the road from one another).

    WDS will also chew up a considerable amount of wifi bandwidth doing this (and the problem gets exponentially worse as you add more AP's/clients).

    The point being though that WDS wasn't designed for the purposes of providing distributed access to a wifi network with a single SSID, but to allow AP's to also be clients to each other while still being AP's.

    Ultimately the way the guy describes his setup is the correct method of deployment, multiple AP's with the same SSID and encryption parameters, that's all there is to it.

  9. It'll Just work..... by RedLeg · · Score: 5, Informative

    It's part of the standard, and I know, cause I helped write it.

    Set the SSID the same for each AP. Set them on different channels so that the AP's don't "step on" each other's bandwidth. Roaming is a station-side (client in common usage) decision, so your PCs will automatically pick the AP with the best signal strength.

    As far as authentication goes, this all depends on the AP. All should support PSK (preshared secret keys, aka passwords) and in that scenario, set them all to the same value on each AP. The PSK should be at least 24 characters long, and the SSID for the net unique to keep the security at acceptable levels and reduce the possibility of offline dictionary attacks against the PSK.

    Assuming the APs support it, Enterprise grade authentication with individual per-user passwords is within reach at little to no cost. You can tie into Active Directory or set up a free AS (Authentication Server) using FreeRadius on a linux box. The definitive reference for doing this with an MS server is a book titled "Deploying Secure 802.11 Wireless Networks with Microsoft Windows". Make sure you check for updates to the book online, and there is an appendix which details how to set it all up in a lab environment, which will let you prove principle without screwing with the production network.

    Google around and you will find loads of information on how to do this with Open Source, the key articles being some from Linux Journal from about 6-8 years ago.

    Hope this Helps......
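
Added example (not part of the comment above or of the original page): WPA/WPA2-Personal derives its 256-bit key from the passphrase with the SSID as the PBKDF2 salt, which is why the comment asks for a long PSK and a unique SSID. The sketch below derives that key and audits a set of AP configurations against the comment's advice; the AP names, SSIDs, passphrases and the `COMMON_SSIDS` list are constructed sample values, and `audit_aps` is a hypothetical helper.

```python
import hashlib

# Constructed sample list of factory-default style SSIDs (illustration only).
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}
MIN_PSK_LEN = 24  # minimum passphrase length recommended in the comment above


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal passphrase-to-key mapping (IEEE 802.11i):
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def audit_aps(aps):
    """aps: list of (ap_name, ssid, passphrase) tuples. Returns findings."""
    findings = []
    keys = set()
    for name, ssid, passphrase in aps:
        if len(passphrase) < MIN_PSK_LEN:
            findings.append(f"{name}: passphrase shorter than {MIN_PSK_LEN} characters")
        if ssid in COMMON_SSIDS:
            # A common SSID means a common salt, so key tables computed once
            # for that SSID can be reused against this network.
            findings.append(f"{name}: SSID '{ssid}' is a common default")
        keys.add(derive_pmk(passphrase, ssid))
    if len(keys) > 1:
        findings.append("APs derive different keys: SSID or passphrase differs between them")
    return findings


# Constructed sample configurations.
GOOD = [("ap-east", "ExampleCo-3F", "correct-horse-battery-staple-42"),
        ("ap-west", "ExampleCo-3F", "correct-horse-battery-staple-42")]
BAD = [("ap-1", "linksys", "office123"),
       ("ap-2", "linksys", "office1234")]

if __name__ == "__main__":
    for label, aps in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_aps(aps) or "no findings")
    # Same passphrase, different SSID: the derived keys are unrelated.
    print(derive_pmk("correct-horse-battery-staple-42", "ExampleCo-3F").hex())
    print(derive_pmk("correct-horse-battery-staple-42", "linksys").hex())
```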

    1. Re:It'll Just work..... by TechyImmigrant · · Score: 2

      It's part of the standard, and I know, cause I helped write it.

      A-HA! There's the culprit!

      It's not just him. I was there as well. The difference is that over several years roaming IEEE 802, I managed to remove more text from the specs than I added. This is probably my biggest contribution to society.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  10. One SSID is best practice. by Above · · Score: 5, Informative

    Controllers came well after AP's were invented, so people had to solve this problem for years without them as an option at all. Multiple AP's sharing the same SSID and key is exactly how the standard was designed, and was the best practice for deployment for many years. The short answer is, it works great, and is how you should be deploying.

    For the long answer, you have to understand what happens when a user needs to switch AP's, and how the controllers improve that process. When a client wants to switch from one AP to another it must dissociate from the first, associate with the second which includes exchanging new session keys, gratuitous ARP to inform the L2 network, and then carry on. This process typically takes between 100-500ms, depending on the client, AP, and random luck. For most users doing most things this is all fine, if you're browsing the web and chatting on IM it's a non-issue.

    However, for some clients like VoIP phones and video chat a 100-500ms pause is a disaster. Enter the controller solution. The WiFi protocol was divided between things that require hardware (transmitting at the right time, rf modulation, etc) and things that were all in software, just on the AP like exchanging key material. The hardware kept doing the hardware things, but the software activities were moved to the controller. The advantage is that the entire session does not need to be torn down, the radio can switch AP affinity (BSSID) while using the same key material since the key material is tunneled back to the controller from both AP's. A client can now switch AP's in 10-50ms, which for most VoIP apps and video conferencing means seamless connections.

    Note to the pedantic: yes, there are some other details, controllers enable triangulation features and some other RF analysis, there are a few protocol nits I omitted, and this omits a lot of important design considerations like proper AP placement and channel selection.

    Now, go back to the requirements. If you don't deploy WiFi VOIP phones, and don't have other real time streams, controllers may be a total waste of your money. If the goal is to get users e-mail and web access when sitting in the conference room or courtyard, vendors are selling something not needed when they push controllers.

    Second note to the pedantic: Controllers can make networks scale better, so if you're deploying 25+, or more likely 100+ AP's my previous paragraph doesn't apply, but that's not what most people reading this are doing.

    So to the OP, yes, put them on the same channel. For less than 10 AP's with no real time requirements it is the best practice, and a perfectly valid way to deploy a WiFi network. A controller may be able to get some advanced features (auto-channel management, threat detection, triangulation), but in most small businesses they are features that would rarely if ever be used. There are thousands of WiFi networks deployed without controllers that work quite well. Do read a good document on how to place AP's and select channels, you'll want to use non-overlapping channels in a grid pattern and try and get it to where clients can always see 2-3 AP's, no more, no less.

    If you really want a controller, there are some lower cost options than the big players. Ubiquiti has a nice solution in their UniFi line, and Netgear now offers an appliance based controller. Aruba has several mid priced offerings. They don't all have the features of say high end Cisco gear, but offer a lower cost solution.

  11. Re:DHCP Server? by chris234 · · Score: 2

    Generally you'd want to use some other device for DHCP, probably your router in a SOHO setup.

  12. Re:One SSID is best practice.- make a channel plan by Above · · Score: 2

    Oh crap, totally missed that in my proofreading. It should have said "put them on the same SSID", not channel.

    I 100% agree that a proper channel plan is necessary using non-overlapping channels. And you're right that 802.1x caching can help.

    Folks, mod up, not down the AC post I'm replying to, he's right and I made an important typo.