A Tale of Two Wi-Fis - A Guest Blog by Devin AkinBy CWNP On 06/21/2013 - 16 Comments
Often I (Devin) get the question, “Can two Wi-Fi systems be co-located beside each other peacefully?” Absolutely. This may be the case when performing a Wi-Fi system upgrade, vendor changeover, or well…you just happen to think that having different Wi-Fi vendors play different roles in your Wi-Fi network is cool. Whatever your reason, there are some specific items to be aware of when it comes to installing two disparate Wi-Fi systems side-by-side.
Radio Resource Management (RRM)
One system should have its channels and power statically configured, and the other system should have its channels and power statically configured or could be configured for automatic operation. What you don’t want is both systems to be configured for automatic operation because they have the potential for constant readjustment.
Least Common Denominator (LCD)
With Guest Management, BYOD, or even Fast/Secure Roaming (e.g. Voice-Enterprise or OKC) features, you may have to go with Least Common Denominator features between the two systems to avoid confusing users (e.g. Guest Management or BYOD on-boarding) or to avoid incompatibilities (e.g. Fast/Secure Roaming). Once one of the systems has been removed, then it’s advisable to enhance these LCD features to the best available features within the remaining Wi-Fi platform.
Wireless Intrusion Prevention System (WIPS)
Either disable the WIPS feature in both platforms or configure each platform so that the other platform’s APs are authorized. Since both systems will be connected to the wired infrastructure, each system will see the other system’s APs as rogues unless they are configured as authorized. This is typically easiest by importing a list of each system’s BSSIDs into the other system.
Fast / Secure Roaming (FSR) with WPA2-Enterprise
It’s important to understand that when a WPA2-Enterprsie client roams between the two systems, the first roam will be a slow roam, meaning that the 2nd system will authenticate the client against RADIUS because it will consider the authentication to be an Initial Mobility Domain Authentication (IMDA). Thereafter, every roam between the two systems will be a fast/secure roam as long as its roams do not exceed the cache timers of each system. Cache timer configuration typically depends on organizational security policy, but if unrestricted by policy, can be set to ~36 hours to yield “work week” access (which would time out over weekends) or ~72 hours to yield “never times out” access if a worker is expected to continually roam between systems.
It’s always good to physically separate Wi-Fi systems where possible. This separation is best accomplished by placing System-A in one building and System-B in another building. If you’re going through a system upgrade or have simply chosen another vendor for whatever reason, this is the best approach. It typically avoids the bulk of RRM, WIPS, and FSR issues, though you are still likely to deal with LCD issues. During a system swap-out or refresh, simply move/consolidate System-A into some buildings and System-B into some buildings and manage accordingly, and allow the physical separation between buildings help with roaming issues (which will be slow anyway), and RRM & WIPS issues (as the systems are unlikely to hear each other over the air).
All of these tips discount the fact that you will have to manage each system separately, which should be obvious. To some folks, this is no big deal, and in fact, is recommended by most vendors over having a single system (from any vendor) that manages its native system plus a lackluster job of managing a foreign system (e.g. from another vendor).
I hope you’ve found this helpful. If you know of other “gotchas”, please leave comments. These are just the items that rear their ugly head all of the time for me. I’m definitely interested in your thoughts!
Devin Akin Chief Wi-Fi Architect Aerohive Networks Tagged with: WIPS, RRM, Multiple wifi, WLAN vendors