Let's talk enterprise wireless

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Well, wireless is not my strong suit, but I'm being thrown into it more and more. It still seems like everything is up in the air, so to speak, on compatibility and security on an enterprise scale (meaning 100s of access points at a single location).

Right now we're sticking with Cisco's layer 3 mobility solution using 6500 switches with the Wireless LAN Service Module. The WLSM handles all the client GRE tunnels and whatnot. Access points are B/G and A/B/G.

For clients it is using LEAP (per user, per session WEP keys rotated every 10 minutes) authenticated by RADIUS which is back-ended by Active Directory. CCX extensions are required as we're doing radio management/rogue access point detection with a WLSE.

For the most part it works really well, but the clients can be a pain. Driver issues, roaming behavior, etc.

So is it just me, or have things not really stabilized in the wireless arena? How are others handling large-scale, secure, managed rollouts?
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Spidey, check the CCX compatibility lists. If you are using LEAP with WEP/BKR I would suggest V1 or greater. I would also push for CCKM fast roaming with TKIP encryption and EAP-FAST. That would require V2 or greater h/w. We use 1200 series APs for our testing, and they work great. WLSE is a very nice thing once created as well. Setting up WDS with CCKM yields roam times under 125 milliseconds for a roam from one AP to another, with no reauth. (Use reauth timeout with your BKR, btw.)

Scaled rollouts need to be thought through, and I would standardize on a single card (if possible) or a single chip maker (Atheros is my choice, followed by Intel) and a single client config.

One nice thing about Intel is you can use Single Sign-On in an admin tool, so users can't bork their settings, and wireless users still log in to the domain (so reset/locked accounts function).
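As an added illustration of the WDS + CCKM + EAP-FAST + TKIP setup described above (constructed for this thread, not configuration posted by anyone here or taken from Cisco's documentation), here is a Cisco IOS autonomous AP fragment for an AP acting as WDS master. The RADIUS address, SSID, method-list names and credentials are placeholders, and the exact command syntax is assumed to match the IOS AP releases of that era; verify it against the image actually deployed.

```cisco
! Constructed example: IOS AP as WDS master, EAP-FAST via RADIUS,
! TKIP cipher, CCKM fast roaming. All addresses, names and secrets
! below are assumed placeholders, not values from this thread.
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
! Client EAP method list and the infrastructure (AP-to-WDS) method list
aaa authentication login eap_methods group rad_eap
aaa authentication login method_Infrastructure group rad_eap
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <RADIUS_SHARED_SECRET>
!
dot11 ssid CORP-SSID
 authentication open eap eap_methods
 authentication network-eap eap_methods
 ! CCKM is what lets the client roam without a full RADIUS round trip
 authentication key-management wpa cckm
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid CORP-SSID
 ! Per-session reauthentication interval in seconds (the "reauth timeout")
 dot1x reauth-period 1800
!
! WDS: other APs register to this one using the infrastructure account;
! priority 255 makes it the preferred WDS candidate
wlccp ap username wds-ap-account password 0 <WDS_AP_PASSWORD>
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client any eap_methods
wlccp wds priority 255 interface BVI1
```

The infrastructure method list is what authenticates each AP to the WDS; if that account is wrong the APs never register and CCKM silently falls back to full reauthentication on every roam, which is the first thing to check when roam times are far above the figure quoted above.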
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Thanks a bunch for the insight.

TKIP encryption with LEAP is what is being used.

The Intel cards work great (single sign-on, LEAP support, CCX v2 or something like that). I'm not a desktop guy.

As far as roaming, yeah, we are doing "fast secure layer 3 roaming", so no matter what AP they hit, even if that AP is on a different subnet, the client maintains their IP address and loses no connectivity, roaming seamlessly between APs. This is a requirement as some clients are vehicles with mission-critical apps on them. That is what the WLSM is for; it maintains/manages the WDS.

Unfortunately the laptops are all over the place model wise and cards vary. We're pushing really hard for Intel only. Have about 6 different sites like this (just did another one last weekend), each with a few hundred APs.
 

dphantom

Diamond Member
Jan 14, 2005
4,763
327
126
Anybody looking at the Cisco 1000 series (née Airespace) and the 4100/4400 controllers? With the WSC software, it looks like a possible good solution to those of us who do not have the 6500 infrastructure.

Any thoughts??
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: dphantom
Anybody looking at the Cisco 1000 series (née Airespace) and the 4100/4400 controllers? With the WSC software, it looks like a possible good solution to those of us who do not have the 6500 infrastructure.

Any thoughts??

I've had a deep long discussion with both wireless product managers on Cisco's long term strategy. They are two very different solutions, aimed at different markets. Their (now rebadged airespace) solution looks very nice. No direct experience with it.
 

dphantom

Diamond Member
Jan 14, 2005
4,763
327
126
Originally posted by: spidey07
Originally posted by: dphantom
Anybody looking at the Cisco 1000 series (née Airespace) and the 4100/4400 controllers? With the WSC software, it looks like a possible good solution to those of us who do not have the 6500 infrastructure.

Any thoughts??

I've had a deep long discussion with both wireless product managers on Cisco's long term strategy. They are two very different solutions, aimed at different markets. Their (now rebadged airespace) solution looks very nice. No direct experience with it.

Yes, they are. One "thin" (Airespace) and the traditional fat with the WLSE. We have many remote locations with no IT staff at them, and only 1 Cisco guy (me), and I qualify my Cisco experience as basic admin only (VLAN, access list, port config type stuff).

So I like the ability to push an image to the 4100/4400 and let it do its job with the 10XX WAPs.

Still evaluating both options, but leaning toward the airespace currently.
 

SaigonK

Diamond Member
Aug 13, 2001
7,482
3
0
www.robertrivas.com
Hope this helps Spidey...

My rollout has consisted of Cisco 1200 series APs (running IOS, of course); we use b/g (no A, who needs that... :))
I have about 16 units right now in the building I am in, and I use WLSE to manage them all. All units sit in a dirty LAN separated from the production LAN via a VPN box, which is needed for access.

As such I use no WEP, or MAC/TKIP/LEAP security, as it isn't needed... the VPN client gives me more than any of those ever will.
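Added illustration of the "dirty LAN behind a VPN box" design in this post (constructed for this thread, not anyone's posted configuration): a Cisco IOS ACL on the wireless VLAN's SVI that lets clients reach only DHCP and the VPN concentrator, lets the APs answer WLSE polls, and drops and logs everything else. The VLAN number, addresses and the assumption that the APs sit in 192.0.2.0/27 are placeholders.

```cisco
! Constructed example: wireless "dirty" VLAN may only talk to the VPN
! concentrator (IKE, NAT-T, ESP) plus DHCP; APs may answer the WLSE.
! VLAN number, addresses and the AP range are assumed placeholders.
ip access-list extended WIRELESS-DIRTY-IN
 remark DHCP so wireless clients can get an address on the dirty LAN
 permit udp any eq bootpc any eq bootps
 remark IKE (500), NAT-T (4500) and ESP to the VPN concentrator only
 permit udp any host 192.0.2.1 eq isakmp
 permit udp any host 192.0.2.1 eq non500-isakmp
 permit esp any host 192.0.2.1
 remark APs (assumed to live in 192.0.2.0/27) answer management polls
 remark from the WLSE on the production side (198.51.100.5 here)
 permit ip 192.0.2.0 0.0.0.31 host 198.51.100.5
 remark Everything else (production, wireless-to-wireless via the SVI)
 remark is dropped; log hits to spot misconfigured or unexpected clients
 deny ip any any log
!
interface Vlan200
 description Wireless dirty LAN (untrusted; behind the VPN box)
 ip address 192.0.2.254 255.255.255.0
 ip access-group WIRELESS-DIRTY-IN in
 no ip redirects
 no ip proxy-arp
```

The ACL is applied inbound on the SVI, so it governs what the untrusted side can originate; the log keyword on the final deny is what gives the network team visibility into anything on the dirty LAN trying to bypass the VPN.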
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
good approach.

I'm faced with making it seamless, meaning plugged or unplugged the end user shouldn't know any difference.

Intel's single sign-on makes that happen. I like the approach of using a VPN client, but quite frankly users have a hard enough time just logging in...:)

As far as who needs A?

It's much faster and provides much better coverage/bandwidth. But these are the kinds of discussions I was looking for. The current trend seems to be dual-mode wireless (A and G)... A for business and G for legacy stuff like PDAs, non-PC-based clients and whatnot.
 

SaigonK

Diamond Member
Aug 13, 2001
7,482
3
0
www.robertrivas.com
My users already use their VPN client for remote access, so they didn't have a hard time using it for wireless.
We simply added a connection for the wireless APs and they log on like they would when travelling; it works very well. We successfully implemented LDAP to our Novell ID tree, so they now use the same ID/pass for the LAN (Novell) and their VPN accounts inside and outside.

I use B for the simple reason that some users still have older embedded B cards; A isn't anything we use at all. I have about 20 units deployed in our building around the corner with A, but it was way back in the beginning and no one uses it now since the Dell laptops we order come with B/G by default.

I also found that the Cisco units cover a great distance, so the need for A isn't even an issue for me. G covers 90% of our user base. Mostly they use it for conference rooms, etc.
In our manufacturing facilities, we are going with G as well, for use with barcode scanners and PDA setups for our engineers... Symbol handhelds... very nice.

The VPN road is nice if you can get the users to accept it; we sold it to them as being the best security model available, which it is (IMHO).

 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
The only issue that I see with the thin APs that Cisco has is that they only scale to 100 APs for the 4400 controller. Also, the current IOS (fat) APs will have a software upgrade that will allow them to work with the Airespace/Cisco controllers. Spidey, who do you work for in Louisville? I was down there on Wed talking with someone about the WLSM.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: nightowl
The only issue that I see with the thin APs that Cisco has is that they only scale to 100 APs for the 4400 controller. Also, the current IOS (fat) APs will have a software upgrade that will allow them to work with the Airespace/Cisco controllers. Spidey, who do you work for in Louisville? I was down there on Wed talking with someone about the WLSM.

Kinda sorta; I live in Louisville but work elsewhere.

As far as scale goes, that's where the WLSM comes into play. Word is new software will support 600 access points. The number of APs and roams per second it can support is code limited, not hardware.