Wireless Coverage for a 10,000 sq ft. office

[markz]

Hi all,

Just discovered this great site while doing some research for my office's wireless LAN. I've got a question which I've run by a few of my friends, but I figured it would be good to get your input as well.

While we get construction finished, I've picked up a DIR-825 hooked up directly to our T1 line just to have something running until I finish planning the rest of the network.

My question is this... how would you cheaply and effectively set up the whole office for good, seamless, wireless coverage? That is, the goal is that all clients see one SSID with the same WPA-Enterprise security information, so that when they travel from one part of the office to the next, they essentially assume they're connecting to the same AP regardless of their location.

I've got CAT5e drops in each of the four corners, and my strategy thus far is to buy 3 more DIR-825s, wire them back to the LAN ports of the first DIR-825... disable DHCP... duplicate the security settings on each router. Is this a good strategy?

My one concern is that any time I make a security change, I have to do so on each subsequent router. Also, if each client gets his own login credentials via WPA-Enterprise, will I have to create those credentials on each router the same as the first?

Any input is appreciated!

Mark

 

[stevech]

WiFi access points. (APs). Each connects by cat5 to a router.

In an office, with $$$$$$ and company reputation (security breach) at stake, I would never use consumer grade products.

Among the cheapest Small Office brand names in this world are ZyXel. The conservative approach is Cisco though costly.

Start with the security approach. It's really important. You should get some professional consulting assistance.

Often, such a configuration has no wireless router. Only a good, VPN/Firewall capable wired router. To that, you can connect access points. Don't take it lightly - how to preclude a hacker or over-zealous media rep from hacking in via WiFi and getting to customer data.

 

[thiggins]

The least expensive way to have a centrally managed WLAN with multiple APs is to buy biz-grade APs that are supported by an SNMP-based management application. You won't get this with consumer grade routers converted to APs.
Some alternatives can be had from NETGEAR . Cisco has a new AP500 series that may be worth a look. (~$340) per dual-band N AP (single radio).

Basic approach would be multiple APs, connected via Ethernet. Set APs to Channels 1, 6 and 11 so that adjacent APs use different channels. Single security key is fine (use WPA2/AES), but you'll need to set the key on each AP with the config you propose. Note that WPA/WPA2 Enterprise requires a RADIUS server.

 

[markz]

The least expensive way to have a centrally managed WLAN with multiple APs is to buy biz-grade APs that are supported by an SNMP-based management application. You won't get this with consumer grade routers converted to APs.
Some alternatives can be had from NETGEAR . Cisco has a new AP500 series that may be worth a look. (~$340) per dual-band N AP (single radio).

Basic approach would be multiple APs, connected via Ethernet. Set APs to Channels 1, 6 and 11 so that adjacent APs use different channels. Single security key is fine (use WPA2/AES), but you'll need to set the key on each AP with the config you propose. Note that WPA/WPA2 Enterprise requires a RADIUS server.

I do understand security in the office is of utmost importance, but at this stage, we don't have very much money to play with, and there isn't that much volatile information available over the network (yet). I do want to set up a proper corporate DC as soon as possible with enterprise VPNs, but it will have to wait a little while.

Could I set up a free computer to act as a RADIUS server so that we can use WPA2-Enterprise? I was checking out: http://www.tekradius.com and it looks fairly promising. Any opinions about that?

Thanks

 

[egeier]

If you don't want to run your own RADIUS server, you might consider a hosted solution such as AuthenticateMyWiFi.

 

[claykin]

If you don't want to run your own RADIUS server, you might consider a hosted solution such as AuthenticateMyWiFi.

Have you tried this service? Can you trust them? They have a free version for single AP. Maybe Tim should test?

 

[egeier]

I actually run the service. Created it to promote Enterprise-class security to small businesses.

 

[claykin]

I actually run the service. Created it to promote Enterprise-class security to small businesses.

I read your "about us" page so I should have put it together. Your username was a giveaway.

I may setup a single user account to try it out at home.

Tim, think its worth a test?

 

[thiggins]

I read your "about us" page so I should have put it together. Your username was a giveaway.

I may setup a single user account to try it out at home.

Tim, think its worth a test?

You'll probably get to it before I do.

 

[claykin]

You'll probably get to it before I do.

I'm trying to use the single user free account with my DIR-825. Not authenticating. Says incorrect user credentials when I know they're correct. Tried from 2 XP PC's.

Also tried using a Cayman DSL router and having the same issue. Two different networks and I cannot get authentication to work.

Also just tried to connect using my Blackberry and it too says incorrect credentials.

Argh!

I also tried the Contact US link on the NoWiresSecurity website and it says the following:


Error 404: File Not Found

Lovely!

Maybe egeier will read this and send me a PM. I'd like to give this a good report, but it has to work to get that from me... I have high standards.

 

[egeier]

I'll PM you

 

[stevech]

I do understand security in the office is of utmost importance, but at this stage, we don't have very much money to play with, and there isn't that much volatile information available over the network (yet).
Thanks

Then use wall jacks and cat5.
Don't risk it with WiFi. One article in the newspaper can ruin the company. And your job. One dolt news reporter or kid working for a news outfit, sitting in the parking lot making even false claims can ruin you.

Consider the cost/benefit and risks, in a professional setting.

If you don't have the money to do it securely and properly, at 10K sq. ft., then don't do it at all. Or do just ONE conference room for visitors and use a ZyXel or other router that can VLAN visitors to go ONLY to the Internet, not your PCs and servers.

 

[tipstir]

That issue is because of the DLINK firmware bug been plaguing even DIR-655 crowd also. I would take back all those 825s and get ESR9850 or EAP9550 instead or best to use Enterprise AP that can cover your range of 10,000 sq. Even just two DD-WRT in AP mode on WHR-HP-G54 has the range of 5,000 sq.