Wi-Fi Solution Design and Architecture - Step by Step Guide
The evolution of wireless communication systems and networks, particularly "wireless fidelity" Wi-Fi, has been explosive in recent years. Wi-Fi is a term for the types of wireless local area network (WLAN) that use specifications in the 802.11 family of standards. Wireless technology has turned out to be a truly revolutionary paradigm shift, a global phenomenon that is presently outstripping the ability of many public transit organisations to deploy, initiate and manage new emerging technologies in networks and wireless systems.
One of UltraVista's most prominent clients has already broken wireless ground in recent years. This development is being driven primarily by the transformation of what has largely been a medium for supporting cellular technology into a medium for supporting other services, such as the transmission of video, images, text and data. Several initiatives deserve full credit for exploring this novel wireless networking approach, particularly an in-vehicle camera system that uses digital video recording (DVR) with a wireless 802.11g module, the IVS communications network's "wireless fiber" backhaul that bridges distances to remote vehicle dispatch locations, and an in-vehicle wireless gateway that streamlines vehicle network connectivity to wayside servers.
Driven by a senior management decision to explore wireless local area network (WLAN) solutions capable of greater intelligence at the network's edge, optimising traffic flow without compromising security or quality of service or driving up cost, our client has undertaken a wireless pilot project to develop a primer of essential wireless networking information and a WLAN blueprint for corporate-wide roll-outs.
This WLAN initiative should overcome the traditional wireless controller solution, which becomes the bottleneck for throughput and security enforcement as throughput needs rise. Trying to address this bottleneck with traditional WLAN solutions ultimately leads to a trade-off: either a significant initial investment in additional wireless controllers and wired switches, or a greatly reduced quality of service (QoS) and user experience. A step in the right direction would be a "win-win" solution without compromise, one that helps unleash the full advantages of the new 802.11n investment. Such an architecture could maximise network performance and traffic without compromising QoS for data, video and voice, security, mobility or survivability, while at the same time minimising both capital and operational expenditures for a lower total cost of ownership (TCO).
Through a pilot project, the WLAN initiative looks to create a secure, pervasive, manageable, reliable, high-performance, best-in-class enterprise wireless network that can be rolled out to corporate conference rooms. The pilot project should move beyond the conservative view of a Wi-Fi network as a convenience casually overlaid on the wired infrastructure and treat it instead as an opportunity to achieve big gains in network performance and security, creating a reliable wireless network with optimal throughput for data, video and voice.
The pilot project will be prototyped in the 2nd floor conference room at 1910 Yonge Street, shown on Figure 6: 1910 Yonge Street 2nd Floor Corporate Meeting Room with Guest Access. The wireless conference room will accommodate three profiles of wireless clients: TTC authorized users, contractors (vendors) and guests (visitors or outside companies). Since only a single access point will be installed, wireless mobility (roaming) within the corporate room will not be addressed. The prototype uses an IEEE 802.11n access point mounted on either the wall or the ceiling, based on a site survey that maps RF fluctuations, identifies trouble spots and plans infrastructure changes. The access point will have spectrum monitoring and intrusion detection and blocking capabilities to mitigate WLAN security vulnerabilities.
The access point will be connected to the building network access switch, separated from other TTC networks by a stateful or deep-packet-inspection firewall, and over the corporate secured wired network infrastructure to the basic technology building blocks for WLANs: a new WLAN controller, a new or existing RADIUS server and the existing Active Directory.
Regular site assessments, ITS staff wireless security training and certification, and security awareness education for the wireless end users will be an integral part of the pilot project.
And last but not least, since equipment sourcing is critical to network planning, market leadership and vision together with the vendor's actual ability to deliver are very important. For years Gartner Group has provided an annual "Magic Quadrant" report that effectively compares wireless networking vendors. The vendors profiled in that research can provide standards-based connectivity from access points to a wide variety of clients, support for 802.11a/b/g/n, a network management application and standards-based security with 802.1X through WPA2. The 2013 Gartner Wired and Wireless Access LAN Magic Quadrant is shown in the following figure.
Because it puts an objective third-party matrix before biased preference, the pilot project should use the Magic Quadrant as a guide in selecting infrastructure providers with far-reaching vision and the execution capacity to deliver WLAN network services (such as data, voice, video and location) and to integrate seamlessly with corporate wired networking products. Following the 2013 Magic Quadrant findings, the pilot project design and implementation should evaluate, and may utilize, network components from Cisco, Aruba Networks and HP Networking.
A successful implementation of the wireless conference room pilot could be a beacon for raising corporate-wide acceptance of wireless culture above the digital din.
Technical Architecture Requirements
- High availability, cluster-based Wi-Fi solution
- High RF power performance - transmit power of at least 20 dBm (0.1 W) and superior receive sensitivity to provide excellent range, coverage and application performance, though transmit power will be limited so that only personnel in the conference rooms are within range to connect. The Transmit Power Control feature of the 802.11h standard must be enabled to dynamically regulate device power levels so that power is just strong enough to communicate while minimizing interference risks
- IEEE 802.11n support with minimum 2x2 MIMO
- Support for virtually any enterprise data, voice and video application
- Band-unlocked dual band design - dedicating multiple radios to multiple functions increases security without increasing costs; band-unlocked radios enable 24x7 dual band Wireless IPS sensing on both 2.4GHz and 5GHz with concurrent 802.11a/b/g/n client access and mesh
- Rogue AP detection - on-channel, mobile unit and dedicated radio dual-band scanning
- Spectrum Analysis – placing an AP in a spectrum analysis mode enabling remote identification of local RF interference, remote troubleshooting and issue resolution from a centralized location
- IEEE 802.3af dual-radio support – support for standard Power-over-Ethernet (PoE) for radios and intelligent power management enabling self-configuration based on available power
- Integration of ubiquitous network services – integrated router, DHCP server, Stateful Packet Inspection Firewall, AAA server, NAT, and Hotspot Gateway
- Mesh networking that allows wireless extension of existing wired or wireless networks in remote or outdoor locations and enables centralized management of mesh access points at remote sites, including automatic firmware upgrades
- IEEE 802.11i, WPA2, WPA and IPSec encryption – enabling seamless end-to-end enterprise class wired and wireless security
Technical Architecture Model for the Wireless Conference Room Pilot
Wi-Fi based networks have proliferated in recent years. The built-in Wi-Fi capabilities are ubiquitous nowadays; even devices like MP3 players and smart phones have Wi-Fi built-in.
The technical architecture model for the wireless conference room pilot is depicted in the figure below. The figure shows the major network modules and components for building the WLAN, while highlighting new elements of the network topology with amber coloured blocks.
In the corporate architecture with separate network services and aggregation layers, master controllers should not terminate any access points or air monitors. The master controllers should be deployed in pairs for redundancy, as depicted in the figure below.
Throughout this scenario, two controllers are used at the network services layer: one controller is configured as the active master and the other acts as the standby master. This setup is known as "hot standby" redundancy. The two controllers run a redundancy instance between them, and the database and RF planning diagram are synchronized periodically. The VIP address configured in that instance is used by local mobility controllers, wired APs and wireless APs that attempt to discover a mobility controller. The same VIP address is also used for network administration, and the DNS query made by APs to find the master controller resolves to this VIP. The synchronization period is a configurable parameter with a recommended setting of 30 minutes between synchronizations.
The master controller should be given adequate bandwidth connections to the network, preferably a minimum of a Gigabit Ethernet LAN connection. A general best practice is to configure each master controller in a full mesh with redundant links to separate data center distribution switches. Since the network uses a master/local design, configuration is performed only on the master and it is pushed down to the local controllers.
Local Controller (optional)
Optional local controllers reside at the aggregation layer of the TTC overlay architecture. They handle AP termination, user authentication, and policy enforcement. During the configuration of any local controller, one must know the IP address of the master and the pre-shared key (PSK) that was used to encrypt communication between the controllers. The control channel between local and master controllers is protected by an IP Security (IPsec) connection.
Local controllers at the aggregation layer typically use a different redundancy model, called active-active redundancy. In this model, the two local controllers terminate APs on two separate VIP addresses. Each Aruba controller is the active local controller for one VIP address and the standby local controller for the other VIP. The controllers share a set of APs and divide the load between them. The APs are configured in two different AP groups, each with a different VIP as the LMS IP address, as shown in Figure 4: Local Controllers Active – Active Redundancy.
As stated in the introduction of this document, the local controller can be a WLAN bottleneck. A better solution would be to utilize access points capable of running software that virtualizes local controller capabilities on 802.11n access points, creating a feature-rich enterprise-grade WLAN that delivers the affordability and configuration simplicity, while offering impressive scalabili
Access Points, Access Point Groups and Spectrum (Air) Monitors
A wide range of 802.11n access points from respected manufacturers such as Cisco, Aruba Networks, Motorola, Meru Networks and HP Networking should be considered for the implementation. Spectrum (Air) monitors (SM or AM) should be deployed at a ratio of approximately one spectrum monitor for every four access points deployed, and around the building perimeter for increased security and location accuracy. Spectrum (Air) monitors perform many of the intrusion detection system (IDS) duties for the network, including rogue AP containment, while forming accurate heat maps that display graphical RF data.
An AP group is a unique combination of configuration profiles. In general, all profiles can be assigned to an AP group to create a complete configuration. This flexibility in configuration allows arbitrary groupings of APs such as "All Davisville APs" or "All Hillcrest APs" with different configurations for each. Configuration profiles provide flexibility and convenience to wireless network managers who create AP groups.
Role-Based Access Model
The technical architecture is suitable to support the enterprise role-based WLAN access.
Based on the organization's business requirements, the WLAN must distinguish three types (roles) of network users:
1. Corporate Authorized Users - These users are regular Corporate Domain members. Their network access privileges will be the same as at their regular workstations
2. Vendors and Contractors - Same restrictions as Corporate Authorized Users
3. Guests, Visitors and Outside Companies - This access is typically granted to visitors from outside companies so that they can access the internet for presentation and training purposes. No access to the Corporate network
The Service Set Identifier (SSID) is the name of the network or WLAN that a wireless client can see if SSID broadcasting is enabled. An SSID profile defines parameters such as the name of the network, the authentication type for the network, basic rates, transmit rates, SSID cloaking and certain WMM settings for the network.
WLAN vendors usually offer different flavours of Advanced Encryption Standard (AES), Temporal Key Integrity Protocol (TKIP) and Wired Equivalent Privacy (WEP) encryption. AES is the most secure and recommended encryption method, and since most modern devices are AES capable, AES should be the default encryption method. Where credit cards are accepted at the Point of Sale (POS), compliance with the Payment Card Industry Data Security Standard (PCI DSS), latest version 2.0, requires that AES-CCMP (Advanced Encryption Standard Counter Mode with CBC-MAC Protocol) be implemented.
Authentication, Authorization and Accounting (AAA) Profiles
The AAA profiles define how users are authenticated. The AAA profile determines the user role for unauthenticated clients (initial role) and the user role to be applied after successful authentication (default role) based on the authentication type. The AAA profile also defines the server group that is used for the defined authentication method and RADIUS accounting.
Wi-Fi offers a number of authentication protocols utilizing both network Layer 2 and Layer 3:
- Wired Equivalent Privacy (WEP)
- MAC Authentication
- Pre-Shared Key
- Captive Portal
- Virtual Private Network (VPN)
Wi-Fi also offers a number of encryption forms that are applied on the physical connection between the user device and the AP:
- Wired Equivalent Privacy (WEP)
- Temporal Key Integrity Protocol (TKIP)
- Advanced Encryption Standard (AES)
- Mixed Mode - combining TKIP and AES encryption on the same SSID
The Wi-Fi Alliance created the Wi-Fi Protected Access (WPA) and WPA2 certifications to describe the 802.11i standard; they essentially encompass the implementation of authentication and encryption. Though Wi-Fi networks have multiple authentication methods available, it is recommended that the corporate WLAN use the WPA2 certification: AES encryption and 802.1X/EAP authentication, with Transport Layer Security (EAP-TLS) where client-side certificate distribution is practical and PEAP for all other deployments.
The 802.11a and 802.11g radio profiles form the core of RF management for configuring:
- Radio tuning and calibration
- AP load balancing
- Coverage hole detection
- Received signal strength indicator (RSSI) metrics.
Virtual Access Point (VAP) Concept
A physical access point can advertise only one SSID, so even with a dual-radio AP only two WLANs could be configured. Advertising the Employee SSID (which also serves vendors and contractors), the Guest SSID and the Applications SSID simultaneously with conventional physical access points would require deploying up to three physical access points. This problem has been solved with the concept of Virtual Access Point (VAP) software, which allows the wireless LAN to be segmented into multiple broadcast domains. Each VAP acts like a real AP and is required to beacon like any other AP. These logical entities allow different security mechanisms for different clients on the same access point. Virtual access points also provide better control over broadcast and multicast traffic, which helps avoid a negative performance impact on the wireless network. Each virtual access point is identified by a configured service set identifier (SSID) and a unique basic service set identifier (BSSID). The BSSIDs assigned to the possible SSIDs on a physical AP are generated from the MAC address of the physical AP. The BSSID assigned to each SSID is random.
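As an added illustration (not part of the original design document) of the VAP concept above and of the encryption and authentication recommendation in the AAA section, the Python below builds constructed beacon frames for three virtual APs sharing one physical radio, parses the SSID, BSSID and RSN information element from each, and flags any SSID profile that falls short of WPA2 with AES-CCMP and 802.1X/EAP. The Employee, Applications and Guest SSID names, the radio MAC and the way each BSSID is derived from it are assumptions made for the sample.

```python
import struct
OUI = b"\x00\x0f\xac"                                        # IEEE 802.11 RSN suite-selector OUI
CIPHER, AKM = {2: "TKIP", 4: "CCMP"}, {1: "802.1X", 2: "PSK"}

def build_beacon(bssid, ssid, pairwise=(), akm=()):
    """Constructed minimal beacon: 24-byte MAC header, 12 fixed bytes, SSID IE and optional RSN IE."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"   # beacon, DA, SA, BSSID
    body = bytes(8) + struct.pack("<HH", 100, 0x0411)       # timestamp, beacon interval, capability
    body += bytes([0, len(ssid)]) + ssid.encode()           # SSID IE (tag 0)
    if pairwise:                                            # open/WEP SSIDs carry no RSN IE
        rsn = struct.pack("<H", 1) + OUI + bytes([4])       # RSN version 1, group cipher CCMP
        rsn += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
        rsn += struct.pack("<H", len(akm)) + b"".join(OUI + bytes([a]) for a in akm)
        body += bytes([48, len(rsn) + 2]) + rsn + bytes(2)  # tag 48, RSN capabilities = 0
    return hdr + body

def parse_beacon(frame):
    """Return (bssid, ssid, pairwise cipher names, AKM names) from one beacon frame."""
    assert frame[0] == 0x80, "not a beacon frame"
    bssid, pos = frame[16:22].hex(":"), 36                  # Addr3; IEs start after fixed fields
    ssid, pairwise, akms = "", [], []
    while pos + 2 <= len(frame):
        tag, ln = frame[pos], frame[pos + 1]
        val, pos = frame[pos + 2:pos + 2 + ln], pos + 2 + ln
        if tag == 0:
            ssid = val.decode(errors="replace")
        elif tag == 48:                                     # each suite = 3-byte OUI + 1 type byte
            pairwise = [CIPHER.get(val[11 + 4 * i], "?") for i in range(struct.unpack_from("<H", val, 6)[0])]
            off = 8 + 4 * len(pairwise)                     # AKM count follows the pairwise list
            akms = [AKM.get(val[off + 5 + 4 * i], "?") for i in range(struct.unpack_from("<H", val, off)[0])]
    return bssid, ssid, pairwise, akms

def audit(frames, corporate=("Employee", "Applications")):
    """Map each VAP's SSID to (BSSID, findings); corporate SSIDs must be CCMP-only with 802.1X/EAP."""
    findings = {}
    for frame in frames:
        bssid, ssid, pairwise, akms = parse_beacon(frame)
        issues = ["TKIP or mixed mode enabled"] if "TKIP" in pairwise else []
        if ssid in corporate and (pairwise != ["CCMP"] or akms != ["802.1X"]):
            issues.append("corporate SSID is not WPA2-Enterprise (AES-CCMP + 802.1X/EAP)")
        findings[ssid] = (bssid, issues)
    return findings

# Constructed sample: three VAPs on one AP; deriving BSSIDs by bumping the radio MAC's last byte is an assumption.
BASE = bytes.fromhex("001122334400")
SAMPLE = [build_beacon(BASE[:5] + bytes([BASE[5] + i]), *cfg) for i, cfg in enumerate([
    ("Employee", (4,), (1,)),        # AES-CCMP with 802.1X/EAP: compliant
    ("Applications", (4, 2), (2,)),  # mixed TKIP/AES with PSK: flagged twice
    ("Guest", (), ()),               # open SSID, captive portal enforced at Layer 3
])]
```

Running `audit(SAMPLE)` reports the Applications VAP twice (mixed mode and no 802.1X) while the Employee VAP passes; the same parser can be pointed at captured beacons to spot a VAP that drifted from the profile.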