Do you have any thoughts regarding "thin" versus "fat" WLAN? As I understand it, "thin" APs pass authentication responsibility back to a central device, where a "fat" AP handles much of the authentication itself.
The terms thin and fat have been applied to WLAN access points (APs) in many different ways.
- Some vendors use thin AP to refer to entry-level/residential-grade products with few advanced features, in comparison to fat APs rich with enterprise network features like VLAN tagging and SNMP-based management.
- Some use thin AP to refer to products that can't be configured or used on their own, but instead are part of a WLAN switching system that governs both setup and operation. In this case, a fat AP is any stand-alone AP, no matter how extensive that AP's feature set.
- Some use thin AP to refer to products that offload selected tasks to an upstream server -- for example, communicating with 802.1X Authentication Servers, generating encryption keys, acting as a VPN gateway, or re-routing traffic for cross-network mobility. In comparison, any of these tasks could be performed directly on a fat AP, without relying on an upstream server.
Obviously, there are many ways to combine and distribute AP features; no matter how you spin it, thin and fat are just labels for opposite ends of a complex spectrum. My advice is to look at the actual features of products that you may be considering, without getting too distracted by the thin and fat labels. For example, do you want to purchase all your APs from a single vendor, or must you use APs from several sources? Does your business really need VLAN tagging or SNMP management or VPN mobility in its WLAN?
When it comes to 802.1X, I agree there are advantages to distributing responsibility. For example, encryption keys that are generated and cached on an upstream server can reduce the handoff delay when stations roam between APs -- this is important for WLANs that support latency-sensitive video or voice applications. It can also be easier to harden and secure communication with one device (a server) than many devices (individual APs), so having the server be your 802.1X Authenticator (RADIUS client) is arguably safer. But, ultimately, you must weigh these benefits against costs to decide what's best for your WLAN.