Alan Davies wrote:
No - I haven't got as far as making our Suse box
wireless - yet. But it's a small part of the plan....
We have decided to cover our campus with Wireless access points.
We went for 801.11g at a potential of 54Mb/s but with the
longer range of the old 801.11b standard. At the moment this
gives us more compatibility with existing kit - especially
PDAs which only seem to have 801.11b cards.
Of course I soon discover there is much to learn...
Channels 1 to 14 in the UK. I set my AP to channel 12. Our
PDAs would not pick it up. Why? Because only channels 1 to 11
are 'universal'; channels 12 to 14 are only available in UK (EEC?)

Yup - Americans only have channels up to 11. That's why it's important to
check that you're buying equipment suited to your geographic area, and
be prepared for overseas visitors having problems connecting to
high-channelled access points. Also, ensure that you have got the
firmware for the correct region too before flashing anything.

In the process I also discover that although the channels are 5MHz
apart each channel is 22MHz wide so there are only 3 effective non
overlapping channels - so some thought must be given to channel
settings on adjacent APs to get maximum benefit vs coverage. I'm not
sure how to decide which channel to use - if some channels are used
permanently by DECT phones, BlueTooth, etc how will I know? Are
there any reporting software utilities?

You shouldn't need to worry about these other devices - they shouldn't
interfere with the 802.11 standards. However, the overlapping channel
problem is significant. Through popularity, Channels 1, 6 and 11 are
generally used. (There's no huge benefit to the extra channels we have
in the EU, as we can't get another non-overlapping field out of them!)
This gets to be more of a problem when you have a building that might
have heavy wireless usage, but is relatively "permeable". We have a
building that (somehow) can be covered by two WAPs. Yet there's a
possibility of having a great number of laptops in this building. They
would, of course, all be sharing that 54Mbps. Adding a third WAP would
alleviate the situation slightly, but not to a revolutionary degree. If
anyone has any ideas about this sort of problem, I'd be glad to hear them!

Then there is security. We've all heard of those tin cans used as aerials
by hackers driving around in cars. So I set up 128bit WEP in the APs.

IIRC, crackers (this being a Linux list, after all :) ) only need to
sniff about 2GB-worth of net traffic to have a stab at getting your WEP
key - even for a 128-bit key.
That doesn't mean don't use it, but make sure you use MAC filters as
well. (OK, so you can spoof MACs too....)

Why does the AP give me 4 keys? (but only transmit one?) Is it a random
choice for me? Do I assign keys to different user groups so that I
can forbid groups from connecting? What's the idea? Should I have the same key
in the mobile (which only accepts one?) Can it be any of the 4 keys?

The theory is that you can set up 4 static keys on your WAP and enter
all four keys on the client machines. When you switch between one key
and another on the WAP, you then switch to the same numbered key on the
If that all sounds fiddly, you're right. A friend of mine wrote a couple
of scripts to help under Linux, one of which was run by a LAN-side
server as a cron job - it used wget to send the appropriate HTTP request
to his D-link WAP to change the key to a different value. In fact, this
script enabled the use of many more than four WEP keys :) He then had a
client-side script that rotated keys at the same time via a cron job.
Unfortunately, I don't know a way of doing this automatically on Windows.
The "proper" way of doing dynamic keys is to use a RADIUS server at the
centre of your network. (There are Free RADIUS servers available.) These
assign a random and unique key to a client that passes a valid set of
credentials. This means that the keys change at a configurable interval,
often enough to make sniffing a pointless pastime. You will need to
ensure that your WAPs support RADIUS (my D-link ones all do) and,
obviously, configure the RADIUS server.

Should I set the SSID to be the same for the whole campus? Does this
make moving between access points easier (no need to select as you migrate?)

Yes, this is what we do. Students pick up a laptop and move to a
hot-spot. The laptop does the rest.

(I don't think it's quite as transparent as mobile phone cells - there seems to
be a gap of several seconds while it changes - and tends to stick with existing
weak signal even if you are right next to another)

Yes, this is right - most cards will only look for a new WAP when it
loses contact with its "current" WAP completely. (There are some cards
that claim to do this dynamically, but I'm willing to bet that this is a
vendor-specific feature, and probably not supported with Linux drivers.)

Or should I give a descriptive name to each AP?

Nah - see above :)

If lots of users are in an area covered by more than one AP do the clients
share out the connections? Do they pick the lowest channel or highest? At random?
Or do they pick on the strength of the signal? Or the loading of the Access points?

Again, I've seen claims that some kit will choose a more distant
underloaded WAP against a closer higher loaded one. Generally, it just
seems to be whichever WAP responds first. However, I also would be
interested if someone knows more about this part.
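
The channel arithmetic discussed in this thread (5MHz spacing, 22MHz-wide channels, 1/6/11 as the usual non-overlapping set), worked through as an added example that is not part of the original posts. The survey entries are constructed, the 2412MHz centre for channel 1 is the standard 2.4GHz value, and the scoring (received power weighted by spectral overlap) is an assumed heuristic that only sees 802.11 neighbours, not DECT or Bluetooth.

```python
# Added example: 2.4 GHz channel planning from a (constructed) site survey.
SPACING_MHZ = 5        # channel centres are 5 MHz apart (from the thread)
WIDTH_MHZ = 22         # each channel occupies 22 MHz (from the thread)
CH1_CENTRE_MHZ = 2412  # centre frequency of channel 1

def centre(ch):
    """Centre frequency in MHz of channels 1-13 (channel 14 is off-grid)."""
    return CH1_CENTRE_MHZ + SPACING_MHZ * (ch - 1)

def overlap_mhz(a, b):
    """MHz of spectrum shared by channels a and b (0 means no overlap)."""
    return max(0, WIDTH_MHZ - abs(centre(a) - centre(b)))

def non_overlapping(channels):
    """Greedy lowest-first selection of mutually non-overlapping channels."""
    picked = []
    for ch in sorted(channels):
        if all(overlap_mhz(ch, p) == 0 for p in picked):
            picked.append(ch)
    return picked

def interference(candidate, survey):
    """Assumed heuristic: neighbours' received power in mW, each weighted
    by the fraction of the candidate channel that the neighbour overlaps."""
    return sum(
        10 ** (rssi_dbm / 10) * overlap_mhz(candidate, ch) / WIDTH_MHZ
        for _name, ch, rssi_dbm in survey
    )

def best_channel(survey, candidates=(1, 6, 11)):
    """Pick the candidate channel with the least weighted interference."""
    return min(candidates, key=lambda c: interference(c, survey))

# Constructed survey: (AP name, channel, signal in dBm) as seen from the
# spot where a new AP is to be installed.
SURVEY = [
    ("library-ap", 1, -48),
    ("lab-ap", 3, -60),
    ("office-ap", 6, -55),
    ("neighbour", 11, -82),
    ("hall-ap", 12, -75),
]

if __name__ == "__main__":
    print("US set (1-11):", non_overlapping(range(1, 12)))
    print("EU set (1-13):", non_overlapping(range(1, 14)))
    for c in (1, 6, 11):
        print(f"channel {c}: score {interference(c, SURVEY):.2e}")
    print("least congested:", best_channel(SURVEY))
```

Extending the range from 11 to 13 channels still yields only three clean channels, which matches the point made above about the extra EU channels.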