Forum

PSK strength

26 posts by 10 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: July 1, 2011:
  • I'm guessing Andy is asking as the AP/controller or client is encrypting the data, does it take more processing to encrypt the data with a longer key as opposed to a shorter key?

  • Bucky:

    Andy figured that out already.

    Andy:

    With so few devices right now, youll never get many more working. You need to do a site survey.

    You may only have your power levels set too high, but something is definitely amiss. Or it could be
    your antenna placement or selection.

    Your automatic channel selection is probably mixed with dynamic power control, and the combination
    is what's causing your problems.

    Search on the forums under the words antennas, warehouses, and dynamic and you'll find lots of
    information.

    On a side note, some older bar code scanners only handle 8022.11b.

  • Well, I turned off the PSK WLAN and the devices stopped having connectivity problems. I don't know why they were affected at all, since they were configured to use a different WLAN/SSID entirely.

  • By (Deleted User)

    Old controller firmware?

    Have you tested the PSK WLAN with a short passphrase just to rule out the long passphrase as a variable?

  • It turns out there is an update to the controller firmware, Cisco 7.0.116.0 that I was not aware of. We're using 7.0.98.0.

    I have not tested with a short passphrase yet. We don't have a test environment so tests need to wait for a maintenance window. I will try this at the next opportunity. One thing that I've learned is that controller CPU and Memory utilization have remained constant before, during and after this problem.

    thanks

  • I'll take a stab at this. I think it makes perfect sense that when adding a new SSID to a less than ideal setup as you have discussed would cause issues. If you add a new SSID to a system that is already broadcasting on the lowest data rates and having co-channel issues, you have the possibility of adding more overhead to an already overloaded system. Then removing that SSID could bring it back into a "usable" threshold, while still not being ideal.

    I think Wlanman has it right. You need a survey to see exactly how big your cells are and how much they are overlapping. Perhaps it is as simple as a firmware update on your controllers, but if you are having trouble with the overhead from 20 units and are looking to increase that more than ten fold your problems will only get worse.

    Even if the devices are b devices, I would hope that they could run on 11. Get rid of the lower data rates and just run 11+. That should reduce your management overhead. And I think it is worth testing a shorter passphrase, but I would be surprised if that was the (only) issue.

    Anyway just my $.02

  • Andy you state that the channels are set by the controller, ie, ACS are you also using TPC, in other words auto-channel select with transmit power control? The reason I ask this is that even IOS 7 does not have the intelligence to understand omni?s used in a warehouse. Years ago did a survey in a warehouse with Cisco 1230?s, 802.11b, customer installed WLAN, and all was good. Customer decided to upgrade to 1242?s (LWAP?s) and add a 4400 controller. Customer saw all the auto RF settings and enabled them all, and guess what nothing worked, went onsite config?d AP?s per my site survey, static channels and transmit power @20dBm, and guess what all worked. The point is auto is not auto if it doesn?t work, think about it, let?s say you have a warehouse that?s say 800,000?/ft and the AP?s are mounted @45 feet and installed using 2506 Cisco antennas, you?re going to tell me that every AP in the warehouse can?t see every other AP in the warehouse no matter what racking or the product is? That?s the problem with auto-RF it scales back the transmit power to the AP?s, and this is the crux of the issue with auto-RF, that?s why some surveyors use directionals in warehouses, just to allow the use of auto-RF, if using auto-RF why pay for a survey, just throw darts on a map and hope things work!!! IOS 7 sees no change with this, still the same crappy algorithm that AirMagnet also uses and also sucks too!
    IF you pay for a survey and you don?t implement the survey during deployment, you can?t kill the surveyor!!!
    Just my 2 cents

    Good Luck!!!

  • Thanks for all the responses and ideas!

    Maybe I short-changed our network a little, but does anybody out there NOT have co-channel interference with 2.4GHz in a warehouse? I want to clarify this problem only affected one specific device model (Intermec CK30 802.11g) while the PSK wlan was turned on. We have roughly 75 PCs, 50 printers, 300 handheld computer/scanners and even some phones deployed, all WiFi (phones and PCs are mostly using 5GHz). The PSK WLAN was deployed to get around a problem with Summit radios in the LXE devices using WPA2 with 802.1x PEAP, but that's another story! (if anyone's interested I'm trying to document an issue where if the first EAP identity request times out, the Summit radio doesn't answer any retries from the AP until it gets sent a Deauth or it tries to associate with another AP)

    I was totally against the Transmit Power Control at first too since it just kept turning the power down, but you can tweak it so it works for you. For example set the lowest power you want to allow and/or adjust the trigger (minimum signal of the 3rd strongest neighbor). We've set the lowest power to 11dBm on the 2.4G radios which translates to power level 4, and most APs are power level 2 or 3. I've verified coverage on the floor with manual site surveys.

    I'm trying out the auto-channel selection but I'm about to give up on that one, especially in multi-floor installations.

    As for the additional SSID adding more overhead, I was able to remove an old SSID at the same time the new one was added in order to try to avoid more management frame overhead.

    Please forgive me if I'm sounding too defensive - I realize that this network can still use tweaking. I want to eliminate the lower data rates and consolidate the SSIDs in the future, just have to test it out first. We are replacing the Intermec devices in another 2 months so I'm going to wait until then to reactivate the PSK WLAN and try out some of the suggestions posted!

    Thanks again! Andy

  • Andy so what you?re telling me is that the devices that you?re having trouble with are CK30?s, right? The reason that I ask this is that for optimal performance of the STA you have to set the AP @14dBm and ?limit client power? to 14dBm, you can get away with 17dBm and ?limit client power? to 17dBm? but you?ll get much better performance @14dBm. I have gone the mat with Intermec on this, anytime there are issues with any of their gear this is their answer, and you know what it does solve the problem. As to your question about co-channel in a warehouse, metal everywhere, multipath everywhere, as long as your AP count is not higher than 1 AP per 10k you should be ok, just make sure that the channel settings look good and make sense.

  • Good to know sirkozz! thanks.

Page 2 of 3