Implementing a WLAN across three floors of an office building

I am looking to implement a WLAN on three floors of an office building that has 32 floors. The floors are scattered throughout the building, but are on the same subnet via wired switches. Each floor is very large and will require multiple access points per floor. I have used Linksys wireless routers and favor that product. I would like to know the best way to implement this scenario with Linksys. Is there a way to secure APs, or do I configure a wireless router and APs to see the wireless router? Can I use APs only and still implement MAC filtering and the other built-in security tools like the router has?
Your WLAN may be large enough to consider looking at APs designed for enterprise use, like Cisco Aironet. You can use Cisco Linksys APs, but since these are aimed at home and small-business networks, they will not be as tunable or offer the same degree of secure management.

You definitely want to use wireless APs, not wireless routers. Use your Ethernet switches to connect all APs to a single subnet that you will designate for wireless stations. Place an access controller between this wireless subnet and your existing wired subnet. That device can be a traditional dual Ethernet firewall, a WLAN server from the likes of Bluesocket or Vernier Networks, or a WLAN switch from a company like Airespace or Trapeze Networks. This device will protect your wired network from wireless intrusion by authenticating WLAN users and enforcing policies that determine what they can access.

In addition, you should enable security features on your APs. Newer business-grade APs support WPA for link encryption and integrity, combined with 802.1X for port access control and dynamic key delivery. Residential/SMB APs are also starting to support WPA, but are typically used with WPA-PSK (WPA with a preshared key). If you don't have an 802.1X-capable RADIUS server, use WPA-PSK. If you have a RADIUS server that you want to use to authenticate WLAN users, you can benefit from using 802.1X instead. WPA requires support from your AP and all stations. If all your stations run Windows XP and you choose wireless cards that support WPA, then try using WPA from the start. If some of your stations run other operating systems, or you must support multi-vendor cards without WPA, then start with WEP and upgrade to WPA later. To learn more about WPA, see the Wi-Fi Alliance Web site. You may also be interested in reading my primer on 802.1X.

WPA and WEP secure the wireless link and should be used no matter what kind of access control you place between your APs and wired network. WEP is often used with MAC access control lists; this can be helpful to keep outsiders from associating with your APs. However, MAC addresses are easily forged: all an intruder needs to do is sniff the air for legitimate traffic and "borrow" another station's address. So you shouldn't depend on MAC filters alone for WLAN access control. 802.1X raises the bar by allowing user authentication as part of AP access control. Only stations that authenticate get dynamic encryption keys and can access the network behind the AP. 802.1X and related authentication standards are still being refined, but 802.1X is already a lot stronger than using MAC filters.

I do recommend using an access controller behind your APs, even if you use WPA. WPA with either PSK or 802.1X provides all-or-nothing access to your network. An access controller gives you more granular control over destinations, protocols, bandwidth, etc., at a single point of entry into your wired network. You will not have to depend on the security of any individual AP to protect your wired network, and you can manage, monitor, and log access at one point. WLAN servers and switches offer additional features, like facilitating mobility when stations roam or load-balancing traffic across multiple APs. Features vary, but I recommend that you take a quick look at what these offer before you decide on your WLAN architecture. You COULD use only APs, connecting them directly into your wired network's switching fabric, but this would be risky without hardened APs and robust access controls.
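The "all-or-nothing" nature of WPA-PSK mentioned in the answer above comes down to how the key is derived. The following is an added example, not code from the original answer or from any vendor: it derives the WPA Pairwise Master Key from a passphrase the way 802.11i specifies (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output) and shows that every station configured with the same passphrase on the same SSID ends up holding the identical secret. The station names, passphrase and SSID in the demo are made up; the one real value is the published 802.11i reference vector (passphrase "password", SSID "IEEE"), used to check the derivation.

```python
"""WPA-PSK: one shared secret for the whole WLAN.

Added example (not from the original Q&A). Every station on a WPA-PSK
network derives the same 256-bit PMK from passphrase + SSID, so the AP
cannot distinguish one user from another and revoking a single user
means rotating the passphrase on every station. Under 802.1X the PMK is
produced per user/session by the EAP exchange instead (not modelled here).
"""
import hashlib

# Reference vector published with the 802.11i passphrase-to-PSK mapping.
REFERENCE_PASSPHRASE = "password"
REFERENCE_SSID = "IEEE"
REFERENCE_PSK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def valid_passphrase(passphrase: str) -> bool:
    """802.11i: 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not valid_passphrase(passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def reference_vector_ok() -> bool:
    """Self-check of the derivation against the published test vector."""
    return wpa_psk(REFERENCE_PASSPHRASE, REFERENCE_SSID).hex() == REFERENCE_PSK_HEX


def shared_key_demo(passphrase: str, ssid: str, stations: list) -> dict:
    """Simulate each station on the SSID being configured with the passphrase.

    Returns every station's PMK plus how many distinct PMKs exist; for
    WPA-PSK that count is always 1, which is exactly the all-or-nothing
    property: the AP holds one secret and anyone who has it is 'in'.
    """
    keys = {name: wpa_psk(passphrase, ssid).hex() for name in stations}
    return {"keys": keys, "distinct_keys": len(set(keys.values()))}


if __name__ == "__main__":
    # Constructed values (hypothetical office WLAN, not from the page).
    result = shared_key_demo("floor17-wlan-2003", "CorpWLAN",
                             ["laptop-a", "laptop-b", "laptop-c"])
    print("reference vector ok:", reference_vector_ok())
    print("distinct PMKs across stations:", result["distinct_keys"])
    for name, key in result["keys"].items():
        print(f"{name}: {key}")
```

Because the salt is the SSID rather than anything per station, the same passphrase on a different SSID yields a different PMK, but within one SSID there is no per-user material at all; that is the gap an access controller or 802.1X is filling in the architecture the answer recommends.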

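The answer's warning that MAC filters can be defeated by sniffing and "borrowing" an address is easy to see with a small model of the 802.11 header. The block below is an added example, not code from the original Q&A or from any AP vendor: it builds constructed 24-byte 802.11 data-frame headers, parses them as a sniffer would, applies an AP-style MAC allow-list, and shows that a frame carrying a harvested station address is admitted while the intruder's own address is not. All MAC addresses are made up, only the two common data-frame address forms (ToDS and FromDS) are handled, and there is no radio, encryption or association state involved.

```python
"""Why an AP MAC allow-list is not access control.

Added example, not from the original answer. 802.11 source and
destination addresses are never encrypted, even under WEP or WPA, so the
field a MAC filter checks is exactly the one an intruder can read and copy.
"""
import struct

FC_TYPE_DATA = 0x08   # frame control byte 0: type=2 (data) in bits 2-3
FLAG_TO_DS = 0x01     # frame control byte 1 flags
FLAG_FROM_DS = 0x02


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(sa: str, da: str, bssid: str, to_ds: bool = True, seq: int = 0) -> bytes:
    """24-byte 802.11 data-frame MAC header (no body, no FCS).

    Station -> AP (ToDS=1): Addr1=BSSID, Addr2=SA, Addr3=DA.
    AP -> station (FromDS=1): Addr1=DA, Addr2=BSSID, Addr3=SA.
    """
    if to_ds:
        flags, a1, a2, a3 = FLAG_TO_DS, mac_bytes(bssid), mac_bytes(sa), mac_bytes(da)
    else:
        flags, a1, a2, a3 = FLAG_FROM_DS, mac_bytes(da), mac_bytes(bssid), mac_bytes(sa)
    seq_ctrl = (seq & 0x0FFF) << 4  # sequence number lives in bits 4-15
    return struct.pack("<BBH", FC_TYPE_DATA, flags, 0) + a1 + a2 + a3 + struct.pack("<H", seq_ctrl)


def parse_header(frame: bytes) -> dict:
    """Decode the clear-text MAC header fields a sniffer sees."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, flags, _duration = struct.unpack("<BBH", frame[:4])
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    if to_ds and not from_ds:
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:
        da, bssid, sa = a1, a2, a3
    else:
        raise ValueError("WDS/IBSS address forms not handled in this example")
    return {"to_ds": to_ds, "sa": mac_str(sa), "da": mac_str(da), "bssid": mac_str(bssid)}


class MacFilteringAP:
    """Admits a station frame only if its source MAC is on the allow-list."""

    def __init__(self, bssid: str, allowed: set):
        self.bssid = bssid.lower()
        self.allowed = {m.lower() for m in allowed}

    def admit(self, frame: bytes) -> bool:
        hdr = parse_header(frame)
        return hdr["to_ds"] and hdr["bssid"] == self.bssid and hdr["sa"] in self.allowed


def harvest_station_macs(captured: list, bssid: str) -> set:
    """The intruder's step: sniff the air, collect source addresses of
    stations transmitting to the target AP."""
    found = set()
    for frame in captured:
        try:
            hdr = parse_header(frame)
        except ValueError:
            continue
        if hdr["to_ds"] and hdr["bssid"] == bssid.lower():
            found.add(hdr["sa"])
    return found


# Constructed addresses (hypothetical, not from the page).
AP_BSSID = "00:0c:41:aa:bb:cc"
LEGIT_STATION = "00:02:2d:11:22:33"
INTRUDER = "00:30:ab:de:ad:01"
GATEWAY = "00:04:5a:00:00:01"


def demo() -> dict:
    """Run the filter against a legitimate, an intruder and a spoofed frame."""
    ap = MacFilteringAP(AP_BSSID, {LEGIT_STATION})
    captured = [  # constructed 'sniffed' traffic between the station and AP
        build_data_frame(LEGIT_STATION, GATEWAY, AP_BSSID, to_ds=True, seq=7),
        build_data_frame(GATEWAY, LEGIT_STATION, AP_BSSID, to_ds=False, seq=9),
    ]
    borrowed = harvest_station_macs(captured, AP_BSSID).pop()
    return {
        "legit_admitted": ap.admit(captured[0]),
        "intruder_own_mac_admitted": ap.admit(build_data_frame(INTRUDER, GATEWAY, AP_BSSID, seq=1)),
        "borrowed_mac": borrowed,
        "spoofed_admitted": ap.admit(build_data_frame(borrowed, GATEWAY, AP_BSSID, seq=2)),
    }


if __name__ == "__main__":
    print(demo())
```

The filter does its job against the intruder's real address and fails the moment the intruder reuses an address it watched on the air, which is why the answer treats MAC lists as, at best, a nuisance for casual outsiders and puts the real control in 802.1X authentication and an access controller behind the APs.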

This was last published in October 2003

