Alan Davies wrote:
No - I haven't got as far as making our Suse box do wireless - yet. But it's a small part of the plan....
We have decided to cover our campus with Wireless access points.
We went for 801.11g at a potential of 54Mb/s but with the longer range of the old 801.11b standard. At the moment this gives us more compatibility with existing kit - especially PDAs which only seem to have 801.11b cards.
Of course I soon discover there is much to learn...
Channels 1 to 14 in the UK. I set my AP to channel 12. Our PDAs would not pick it up. Why? Because only channels 1 to 11 are 'universal'; channels 12 to 14 are only available in UK (EEC?)
Yup - Americans only have channels up to 11. That's why it's important to check that you're buying equipment suited to your geographic area, and be prepared for overseas visitors having problems connecting to high-channelled access points. Also, ensure that you have got the firmware for the correct region too before flashing anything.
In the process I also discover that although the channels are 5MHz apart each channel is 22MHz wide so there are only 3 effective non overlapping channels - so some thought must be given to channel settings on adjacent APs to get maximum benefit vs coverage. I'm not sure how to decide which channel to use - if some channels are used permanently by DECT phones, BlueTooth, etc how will I know? Are there any reporting software utilities?
You shouldn't need to worry about these other devices - they shouldn't interfere with the 802.11 standards. However, the overlapping channel problem is significant. Through popularity, Channels 1, 6 and 11 are generally used. (There's no huge benefit to the extra channels we have in the EU, as we can't get another non-overlapping field out of them!) This gets to be more of a problem when you have a building that might have heavy wireless usage, but is relatively "permeable". We have a building that (somehow) can be covered by two WAPs. Yet there's a possibility of having a great number of laptops in this building. They would, of course, all be sharing that 54Mbps. Adding a third WAP would alleviate the situation slightly, but not to a revolutionary degree. If anyone has any ideas about this sort of problem, I'd be glad to hear them!
Then there is security. We've all heard of those tin cans used as aerials by hackers driving around in cars. So I set up 128bit WEP in the APs.
IIRC, crackers (this being a Linux list, after all :) ) only need to sniff about 2GB-worth of net traffic to have a stab at getting your WEP key - even for a 128-bit key. That doesn't mean don't use it, but make sure you use MAC filters as well. (OK, so you can spoof MACs too....)
QUESTIONS: Why does the AP give me 4 keys? (but only transmit one?) Is it a random choice for me? Do I assign keys to different user groups so that I can forbid groups from connecting? What's the idea? Should I have the same key in the mobile (which only accepts one?) Can it be any of the 4 keys?
The theory is that you can set up 4 static keys on your WAP and enter all four keys on the client machines. When you switch between one key and another on the WAP, you then switch to the same numbered key on the client. If that all sounds fiddly, you're right. A friend of mine wrote a couple of scripts to help under Linux, one of which was run by a LAN-side server as a cron job - it used wget to send the appropriate HTTP request to his D-link WAP to change the key to a different value. In fact, this script enabled the use of many more than four WEP keys :) He then had a client-side script that rotated keys at the same time via a cron job. Unfortunately, I don't know a way of doing this automatically on Windows. The "proper" way of doing dynamic keys is to use a RADIUS server at the centre of your network. (There are Free RADIUS servers available.) These assign a random and unique key to a client that passes a valid set of credentials. This means that the keys change at a configurable interval, often enough to make sniffing a pointless pastime. You will need to ensure that your WAPs support RADIUS (my D-link ones all do) and, obviously, configure the RADIUS server.
Should I set the SSID to be the same for the whole campus? Does this make moving between access points easier (no need to select as you migrate?)
Yes, this is what we do. Students pick up a laptop and move to a hot-spot. The laptop does the rest.
(I don't think it's quite as transparent as mobile phone cells; there seems to be a gap of several seconds while it changes - and it tends to stick with an existing weak signal even if you are right next to another)
Yes, this is right - most cards will only look for a new WAP when they lose contact with their "current" WAP completely. (There are some cards that claim to do this dynamically, but I'm willing to bet that this is a vendor-specific feature, and probably not supported with Linux drivers.)
Or should I give a descriptive name to each AP?
Nah - see above :)
If lots of users are in an area covered by more than one AP do the clients share out the connections? Do they pick the lowest channel or highest? At random? Or do they pick on the strength of the signal? Or the loading of the Access points?
Again, I've seen claims that some kit will choose a more distant underloaded WAP against a closer higher loaded one. Generally, it just seems to be whichever WAP responds first. However, I also would be interested if someone knows more about this part.
Cheers, Tony
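The channel arithmetic discussed in this thread (5MHz spacing, 22MHz width), as an added example that is not part of the original messages: it checks which channel sets are mutually non-overlapping and assigns channels to adjacent APs. The AP names and the adjacency map are constructed for illustration, and channel 14 is left out because it does not follow the 5MHz spacing.

```python
from itertools import combinations

SPACING_MHZ = 5   # channel centres are 5 MHz apart (from the thread)
WIDTH_MHZ = 22    # each channel is 22 MHz wide (from the thread)

def centre_mhz(ch):
    # 2.4 GHz band, channels 1-13 only (channel 14 is off the 5 MHz grid).
    if not 1 <= ch <= 13:
        raise ValueError(f"unsupported channel {ch}")
    return 2407 + SPACING_MHZ * ch

def overlaps(a, b):
    # Two channels collide when their centres are closer than one width.
    return abs(centre_mhz(a) - centre_mhz(b)) < WIDTH_MHZ

def max_clear_sets(channels):
    """Return every largest set of mutually non-overlapping channels."""
    channels = list(channels)
    for size in range(len(channels), 0, -1):
        found = [c for c in combinations(channels, size)
                 if not any(overlaps(x, y) for x, y in combinations(c, 2))]
        if found:
            return found
    return []

def assign(neighbours, palette=(1, 6, 11)):
    """Backtracking search: no AP may overlap a neighbouring AP's channel.
    Returns {ap: channel}, or None when the palette cannot cover the layout."""
    aps = sorted(neighbours, key=lambda a: -len(neighbours[a]))
    plan = {}
    def place(i):
        if i == len(aps):
            return True
        for ch in palette:
            if all(n not in plan or not overlaps(ch, plan[n])
                   for n in neighbours[aps[i]]):
                plan[aps[i]] = ch
                if place(i + 1):
                    return True
                del plan[aps[i]]
        return False
    return plan if place(0) else None

# Constructed layout: which APs can hear each other (hypothetical names).
CAMPUS = {"library": ["hall", "lab"], "hall": ["library", "lab"],
          "lab": ["library", "hall", "office"], "office": ["lab"]}

if __name__ == "__main__":
    print("1-11:", max_clear_sets(range(1, 12)))
    print("1-13:", len(max_clear_sets(range(1, 14))), "sets of three")
    print("plan:", assign(CAMPUS))
```

Four APs that can all hear one another make `assign` return None with any three-channel palette, which is the dense-building limit raised in the thread.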