Wireless Access

Dear Forumers

We are a school and since 2009 we are using a WLAN system consisting of an MSM760 Access Controller and MSM422 Access Points (AP). We so successfully have connected school's domain notebooks (WinXP) to WLAN, teachers can access the network with their Macbooks with 802.1X PEAP/WPA2 Enterprise Authentication and Macbook mobile classroom carts we connect via WPA2 PreShared Key. 

Once clients have authenticated with our RADIUS server the actual data traffic is not stressing the WLAN Controller (WLC) any longer. Except for the guests we have from time to time. Usually we have around 200 concurrent end clients connected to our WLAN during the day.

Now our needs are growing: We want to go with BYOD as soon as possible.

We expect 500 students end devices to come (calculated with 2 devices per student; Windows, MAC OS, Android, iOS ...), in additon our current 801:1 teachers Macbooks, 40 iPads/iPhones and mobile classroom carts (=40 Macbooks, 20 Windows notebooks). How many iPhones are online (from the around 80 teachers) I don't know at the moment.

In total (w/ guests): 500+80+40+40+20 = 680 = around 700 devices expected.

As we want to provide WLAN access to our Grade 6-12 students (next to also not so tech skilled teachers) the need fo a web logon page came up. This is in addition to problems we experiencing with the teachers' Apple Macbooks which struggle to re-connect from time to time using WPA2 Ent. Auth.: The Macbook asks for logon credentials although it's already entered into the client system.

We want the students and teachers to connect as easy as possible!

We are now using 22 AP. We need to upgrade our school with another 14, so we would have 36 AP installed in total.

One AP basically covers two classrooms which. whereby one AP would cover around 40 users at the most.

For several reasons part of the APs will be connected to 1Gbit/s PoE switch ports, the rest will be connected to 100Mbit/s switch ports.

I need answers to the following questions and wonder if you could provide expertise knowhow?:

1.1 Will the current WLAN setup be able to handle the expected users/devices? 

1.2 How many clients are supported by an AP?

2. The demanded web page logon can be implemented with the guest user authentication feature of the MSM device. Main disadvantages: separated VLANs for teachers and students (if teachers shall access internal resources but not students), unsecure/open WLAN access.

Advantage: easy WLAN access (authentication connected to internal RADIUS/AD server).

2.1 Would the entire user client data traffic would flow over the WLC?

How mich would this stress the performance of the WLC and the network bandwith?

2.2 How many concurrent "guest users" does the WLC support? We are using a lot of media and online streaming sites. Tendency increasing.

2.3 Is there a way to not relogon via browser (guest web page) every time a Macbook reactivates from sleep mode?

3. More important then mobile device management (MDM) is easy WLAN access. Nevertheless: Will the current system be able to support above needs or do we need an entirely new WLAN system to support BYOD?

4. Which important notes do you have to add from your perspective?

More question may follow.

Thank you for your time and effort in advance!

Sincerely

--Uwe

Hello Uwe,

basically the MSM760 access controller is capable handling your number of devices. When running recommended sofware >5.7 the controller can handle 2000 concurrent guest sessions - see http://h17007.www1.hp.com/docs/ballybunion/4AA2-3153ENW.PDF.

But the real number depends on the traffic of your WLAN clients. If you have 700 clients accessing video streams you definitely have a problem on your single controller. Increasing the number of controllers would be a valid approach (you need MSM760 mobility controller).

Keep in mind that 700 will share the bandwidth of 36 radio cells. In real live you might have 50 clients on one accesspoints, which might be the bottleneck in your design. Increasing the AP density or the data rate per radio should be a valid approach.

Best regards,

Michael Breuer 

1.1 Will the current WLAN setup be able to handle the expected users/devices? 

Design is pretty important, make sure to use enough controllers.

I recommend to split the controller roles in AP management (doing NO guest services, just AP management) and Guest management (all traffic passing controller, very cpu intensive)

1.2 How many clients are supported by an AP?

 Really depends on load and expectations. You could have 100 users online, but they will just be able to ping, so try not to get as much users as possible on an AP, but try to define an expectation and make a calculation.

Keep in mind:

* Possible max speed wifi/2=max real speed (eg a 150Mbps reported wireless will give you like 60-80Mbps actual troughput)

* a single radio is like a hub, so all BW is shared (remember to divide the actual BW, not the wifi BW)

* clients do not consider their wifi speed : A user will just stream a video, if the video takes 2Mbps (net), when connected at54Mbps (net 24Mbps), this user consumes 1/12 of the net bandwidth. However when the same user is further away and would connect at 12Mbps wifi (6Mbps net), it would consume 1/3 of the cell bandwidth for the same video.  Assume 2 of these users are streaming video. When even when all the other users would be connected at 54Mbps on the same AP (all believing they have good quality and good bandwidth), there is actually on 1/3 of the 54(24net)Mbps left, meaning 8Mbps net shared=> remove the low speeds from the VSCs, so low speed connectings do not impact the cell usage too much. Add APs, reduce the tx power, try to have as few users as possible per AP if you need/expect bandwidth intensive usage.

* Use the 460 for intense usage, has 3x3 mimo, providing (possible) better quality for the users

* Enable band steering on the VSC to move as  much users as possible to the 5Ghz band

2. The demanded web page logon can be implemented with the guest user authentication feature of the MSM device. Main disadvantages: separated VLANs for teachers and students (if teachers shall access internal resources but not students), unsecure/open WLAN access.

What do you mean with disadvantage: separated vlans ?

Advantage: easy WLAN access (authentication connected to internal RADIUS/AD server).

2.1 Would the entire user client data traffic would flow over the WLC?

How mich would this stress the performance of the WLC and the network bandwith?

Yes, all web portal logins must pass the controller. For this scale I would not recommend it on the main AP controller.

2.2 How many concurrent "guest users" does the WLC support? We are using a lot of media and online streaming sites. Tendency increasing.

Like previous post mentioned, hard to say, but I would not count on 2000. I have seen 100% cpu load with e.g. 500 users, so it really depends on the traffic of the users.

2.3 Is there a way to not relogon via browser (guest web page) every time a Macbook reactivates from sleep mode?

* Configure less aggressive idle timers, so the session stays online longer (more load on controller, but you will need multiple controllers anyway). Idle timers are more important when charging customers, but for internal portal usage, the idle timer can be set higher.

* The controller supports a "welcome back" feature, so no re-login typing is required. You do get a webpage when opening a browser which says "welcome back"

3. More important then mobile device management (MDM) is easy WLAN access. Nevertheless: Will the current system be able to support above needs or do we need an entirely new WLAN system to support BYOD?

As a "guess" I would introduce 1/2 controllers just for the guest portal traffic mgmt. Use the current controller to send the guest VSC with a local breakout vlan on the wired network. Use the other controller LAN wired port on that vlan to provide the guest auth (no APs to manage).

If you want more than 1 controller for the guest portal, you will need some kind of loadbalancing on the AP Management controller. This means that when clients are connecting, they should be placed in vlan11/12/.. in a dynamic but consistent way. In these vlans 11/12/.. you then place the guest controller which will provide the portal pages.

To get this loadbalancing (not default feature of the controller), you can enable mac-auth on the AP controller and tweak the Radius server to allow all mac-addresses.

However, in the radius policies, you can set filters, so you can specify "if user mac ends with 0/2/4/..." then assign vlan 11, if mac ends with 1/3/5/... then assign vlan 12 etc.

Best regards,Peter

Hello Michael

And thank you for your insightful reply!

Indeed the amount of users/connections per AP is a challenge. That's why I want to find out what is possible in real life.

And next to it the question really is whether the WLC supports all that and is it worth to go with two new Wireless Mobility Controllers?

Dear Peter

Thank you for enormous effort to reply on my request!

Your concept thought points on the use of two controllers and the AP user amount handling.

With "2. disadvantage: separated vlans" I mean that one has to create two VSCs/SSIDs to separate teachers and students because they are using two different VLANs.

* * *

As a meeting's result today it is demanded that all wireless connections shall be encrypted and web authentication shall be possible. 

How do you configure the WLC to HTTPS-encrypt the web auth. page?

Best regards,

  --Uwe

Hi Uwe,

* HTTPS auth is fairly simple, install a (preferred public) certificate on the controller, configure the controller to use the cert for htnl auth (controller - security - certificates+usage).

Next move to Controller - public access - (I believe) web content - you will see an option http/https for login.

* The vlan problem is easily solved when you use a central Radius (NPS/IAS on Microsoft AD for instance) with vlan assignment. The teachers group can be assigned to vlan 11, while the students would be assigned to vlan 12.

Keep in mind that you can have only 1 routed outbound connection.

So there is 1 shared IP subnet for all users (students+teachers).

When teachers login, they have an IP from the BYOD subnet (controller DG), and would be routed outbound by the controller via a vlan11 transport vlan.

When student login, they have an IP from the BYOD subnet (controller DG), and would be natted outbound by the controller via a vlan 12 transport vlan.

So controller would need an IP interfaces in vlan 11 and vlan 12.

Best regards,Peter.

Hello Peter

I really value your replies!

If you could help me to understand the following?:

We are using a dedicated guest VSC since a company has set up our WLAN network in the past. 

When connecting to it the client gets an IP address from let's say VLAN 9, 10.0.0.0/24. So he is only allowed to reach the controller('s logon page). Nothing more.

Once the client has authenticated successfully (guest accounts locally saved on controller itself, VMT/guest software use) the client traffic is being tunneled over another VLAN (VLAN 19, 172.17.3.0/24). We named it "GUEST-DATA" and there is an extra DHCP Server for it.

Ergo: VLAN 9 "WLAN-GUEST" (10.0.0.0/24) contains VLAN 19 "GUEST-DATA" (172.17.3.0/24 ).

It's a bit complex and demands our switches to use two VLANs just for visitors. The advantage seems to be that no abuses can be made because without proper logon the visitor/guest client is on his own within a separate network.

The WLC has two physical Ethernet ports: 1-Internet, 2-LAN (also AP management)

The switch ports they are connected to for this case they have the following interesting VLAN assignments:

1-tagged: GUEST-DATA

2-untagged: AP-MGMT VLAN, tagged: WLAN-GUEST

To be honest, it's a bit confusing for me.

Reviewing this I would like to know what do I need to configure to create an analog example for the students/teachers network? (let's play with example B-net IP address networks like 172.18.0.0/16 ..)

Or does it have to be that complicated at all?

* * *

Parallel to above:

I have enabled the option Public Access > Access Control > Automatically reauthenticate HTML-based users for

I set 10080 min = 1 week

Can I configure that for just the teachers? We also use mobile classroom notebooks. When a student would log on with via the discussed guest web authentication method and he would close the popup window that enables the user log off... the next lesson the next student would be connected with the previous student's account data and could abuse that. Means: What to do to make the logoff-window reappearing?

* * *

Would it also be possible to set up a Quality of service that guarantees a certain bandwidth in between the AP and the client/s for HTTP/S traffic and so to reduce the video stream bandwidth if needed?

* * *

Regarding the certificate:

Would it encrypt just the web login procedure or the entire user's HTTP data traffic as well?

Curious for the next reply/replies.

Regards,

--Uwe