3 dumb mistakes network admins make when configuring WLANs (Part 1)

March 24, 2010 5:57 PM EDT
For each of the next 3 days, I am going to list one "dumb mistake" when configuring wireless networks. Let me preface the series with a comment that I understand that there are several different ways to legitimately configure a network. These aren't hard-and-fast rules, but fall under the category of recommended best practices. I will work backwards, with my strongest recommendation coming on the last day. Without further ado, here is number three:


3. Excessive SSIDs: Here's the issue with running multiple SSIDs: each radio beacons approximately 10 times per second, per SSID. Therefore, if you have 5 SSIDs in your environment, you have 50 beacons per second, per radio. All of these beacons chew into the available free airtime, and thereby lower the amount of available bandwidth. Sure, I understand organizations may need 2-3 different SSIDs for different user groups to logically segment their traffic into different VLANs or to utilize different authentication & encryption schemes (for example, internal employees may use 802.1X with WPA2/AES encryption while guest users may be sent to a captive portal with no encryption).
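To put a number on the "50 beacons per second" point, here is an added calculator (not from the original post) that estimates the share of each second a radio spends transmitting beacons. The beacon size, preamble duration and PHY rates are assumptions noted in the code; beacons go out at the lowest basic rate, which is what makes them expensive.

```python
"""Estimate per-radio airtime consumed by beacon frames as SSID count grows.

Added example, not part of the original post. Assumptions are marked below.
"""
from dataclasses import dataclass

# The post's figure: roughly 10 beacons per second for every SSID on a radio.
BEACONS_PER_SEC_PER_SSID = 10


@dataclass(frozen=True)
class BeaconParams:
    frame_bytes: int = 250        # assumed: MAC header + beacon body + FCS
    phy_rate_mbps: float = 1.0    # assumed: lowest basic rate on 2.4 GHz (DSSS)
    preamble_us: float = 192.0    # assumed: 802.11b long preamble + PLCP header


def beacon_airtime_us(p: BeaconParams) -> float:
    """Airtime of one beacon: fixed preamble plus payload bits at the PHY rate."""
    return p.preamble_us + (p.frame_bytes * 8) / p.phy_rate_mbps


def beacon_overhead_fraction(num_ssids: int, p: BeaconParams) -> float:
    """Fraction of each second one radio spends sending beacons for num_ssids."""
    beacons_per_sec = num_ssids * BEACONS_PER_SEC_PER_SSID
    return beacons_per_sec * beacon_airtime_us(p) / 1_000_000


def overhead_table(max_ssids: int, p: BeaconParams) -> dict:
    """Map SSID count (1..max_ssids) to the beacon airtime fraction it costs."""
    return {n: beacon_overhead_fraction(n, p) for n in range(1, max_ssids + 1)}


if __name__ == "__main__":
    legacy_24ghz = BeaconParams()                                   # 1 Mbps DSSS
    ofdm_5ghz = BeaconParams(phy_rate_mbps=6.0, preamble_us=20.0)   # assumed 6 Mbps OFDM
    for label, params in (("2.4 GHz @ 1 Mbps", legacy_24ghz), ("5 GHz @ 6 Mbps", ofdm_5ghz)):
        print(label)
        for n, frac in overhead_table(5, params).items():
            print(f"  {n} SSID(s): {n * BEACONS_PER_SEC_PER_SSID:3d} beacons/s, "
                  f"{frac:6.2%} of airtime")
```

Five SSIDs on a legacy 2.4 GHz radio cost roughly 11% of all airtime before a single client sends data; the same five SSIDs cost under 2% where the basic rate is 6 Mbps, which is why consolidating SSIDs matters most on 2.4 GHz.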

However, I have often seen multiple user groups who use the same authentication & encryption methods, but are on different SSIDs (think of a university having both students and staff authenticate to the wireless network in the same manner, yet on different SSIDs).  In cases like this, it may be possible to consolidate SSIDs and leverage the concept of "user groups".  In my university example, students and staff would be placed into different OUs (organizational units) within Active Directory.  Both students and staff would log onto the wireless network on the same SSID with 802.1X and EAP.  However, when the RADIUS server responds to the wireless network, it passes along the OU as a RADIUS attribute.  The wireless network looks at this information and places the end user into the proper user group (either "student" or "staff").  The wireless network can then create specific policies for each user group that allows or denies access based on a myriad of options including port, service, time of day, IP address, IP range, etc.  For example, only teachers would be allowed to access the IP address of the server containing the student grades. 

Utilizing user groups cuts down the number of extraneous SSIDs and "cleans up the air".  With fewer beacons in the air, there is more available airtime, and therefore less management overhead and more available bandwidth.  Tune in tomorrow for the next dumb mistake, "hiding" the broadcast of the SSID.