Mid Market Mania
By CWNP on 04/03/2008 - 9 Comments
How many times have you visited a small business where the owner or manager is trying to play "techie" due to the high costs of hiring consultants? To make matters worse, this person also thinks he has a solid grasp on network fundamentals. He calls you to come have a look at a 'seemingly random, but minor' network problem because he met you 10 years ago for 20 seconds at a seminar you don't even remember attending.
You oblige of course, and...
...when you're assessing the situation, he is both overbearing (thinking his presence and constant explanations are helpful) and controlling (wanting you to fully explain everything you're thinking and doing) on a second-by-second basis. After trying to adapt to the situation, you realize that he is using SOHO infrastructure gear, SOHO Wi-Fi gadgets from companies you've never heard of, and he is in a multi-tenant building where there are at least 40 other heavily loaded 2.4 GHz Wi-Fi access points operating at max power.
Like it's a big surprise, the problem he is complaining about is one of his Wi-Fi gadgets. You know the type of device I'm talking about, right? I have a new favorite: the Wi-Fi access point & software-controlled VGA presentation converter appliance thingy. It does NAT (though it doesn't tell you so), it is an AP and has an Ethernet port (that allows only one client to connect at a time), and configuration options and documentation are almost non-existent. After seeing a gadget like that attached to flat-screen TVs everywhere, seeing a hobbled Linksys router-turned-AP with one external antenna (just because it was free) is no surprise. A WLAN protocol analyzer reveals at least 40 nearby (and LOUD) APs, so what is a poor consultant to do?
Well first, you talk to the "customer" to understand WHAT THE HECK he's trying to accomplish. "Strong security like I have with my MAC filters now!" he says... Oh brother. Then of course, he explains how connecting to each Wi-Fi TV gadget individually is somewhat of a pain, even more so when it doesn't work properly. You can see where I'm leading, so I won't bore you with the rest of the conversational details.
The bottom line is that the customer wants three things: 1) his TVs to work without a hitch, 2) his WLAN to be reliable and not so complicated, and 3) a different level of operational security for his employees and guests. He asks for a different PSK for each employee (so that he can doink users easily when/if they leave the company) and a guest portal (after I explain what a guest portal is) for his guests, each user group with their own network privileges (server access, VoIP access, internet speed throttling, etc). Don't lose sight of the fact that this is a 1-2 AP office that has, to date, splurged on SOHO networking gear.
In my mind it's a done deal...sort of. Step 1: take those TVs off the WLAN and find a different solution that certainly doesn't do NAT for every TV.
Step 2: Figure out whether his small office needs only a single AP or multiple APs with a controller. Find an AP or controller that is suitable for his needs/wants and is reasonably simple to configure.
Step 3: Did he say he wanted every user to have a different PSK? WPA2-Personal only knows one PSK per SSID, so normally in a case like that we do 802.1X/EAP and give each user his/her own credentials, but for a small office with one AP, that might not be such a great idea from a time/cost standpoint (it needs an authentication server, on the AP or elsewhere, and someone to keep user accounts current). WPA2-Personal and WPA2-Enterprise are available on most APs and controllers, so the encryption side at least isn't a big deal. Having a guest portal on the same WLAN infrastructure is tricky at best with most WLAN controller manufacturers, and not available in most autonomous APs. Even with the best implementation of a captive portal, you still have to keep guest traffic separated from employee traffic on the LAN using VLANs, never a fun project. Lastly, role-based access control (RBAC) configuration can range from very simple to very difficult depending on the AP or controller. There are a lot of tricky parts to this last piece of the puzzle.
My question is: How do YOU handle step 3?
Let's just concentrate on infrastructure connectivity, leaving the other pieces of the Wi-Fi puzzle out for now (like WIPS).
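For readers who would rather see step 3 in a config than in prose, here is one way to lay it out on a single autonomous AP. This is an added example, not part of the original post and not any vendor's product configuration: it assumes a Linux-based AP running hostapd with VLAN support, a RADIUS server at 10.0.0.5 (hypothetical address and shared secret), an upstream trunk on eth0, and three VLANs chosen for illustration (10 = employees, 20 = guests, 30 = VoIP). The employee SSID is WPA2-Enterprise with the VLAN chosen per user by RADIUS, so removing an employee is deleting one account; the guest SSID is open on the radio and dumped into a guest VLAN where a separate captive-portal box does the gatekeeping.

```ini
# /etc/hostapd/hostapd.conf  (added example; addresses, VLAN IDs and
# secrets below are illustrative assumptions, not values from the post)
interface=wlan0
driver=nl80211
hw_mode=g
channel=1
wmm_enabled=1

# --- BSS 1: employee SSID, WPA2-Enterprise (802.1X/EAP) ---------------------
ssid=Office-Staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret

# Per-user VLAN assignment: if the RADIUS Access-Accept carries
# Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and
# Tunnel-Private-Group-ID=<id>, hostapd puts that station on VLAN <id>.
# dynamic_vlan=2 would refuse users for whom RADIUS sends no VLAN.
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
vlan_tagged_interface=eth0
vlan_bridge=br-vlan

# Contents of /etc/hostapd/hostapd.vlan (one line, wildcard):
#   * vlan#
# hostapd then creates vlan10, vlan30, ... on demand, tags them onto eth0
# and attaches each to bridge br-vlan10, br-vlan30, ... where the router
# or firewall applies the per-role rules (server access, VoIP, throttling).

# Matching FreeRADIUS "users" entry for one employee (illustrative):
#   alice  Cleartext-Password := "CHANGE-ME"
#          Tunnel-Type = VLAN,
#          Tunnel-Medium-Type = IEEE-802,
#          Tunnel-Private-Group-Id = 10

# --- BSS 2: guest SSID, open, isolated, behind a captive portal ------------
bss=wlan0_1
ssid=Office-Guest
# No wpa= line: open system. The portal host on VLAN 20 is the gate.
# br-guest is assumed to contain eth0.20 and nothing else.
bridge=br-guest
# Stop guests from talking to each other over the AP.
ap_isolate=1

# --- Alternative if running RADIUS is too much for a 1-AP office -----------
# Keep BSS 1 as WPA2-Personal but give each employee (or device) its own
# PSK via hostapd's wpa_psk_file instead of a single wpa_passphrase:
#   wpa_key_mgmt=WPA-PSK
#   wpa_psk_file=/etc/hostapd/hostapd.wpa_psk
# with /etc/hostapd/hostapd.wpa_psk lines of the form
#   [keyid=<label>] [vlanid=<id>] <MAC or 00:00:00:00:00:00> <passphrase>
# e.g.
#   keyid=alice vlanid=10 00:00:00:00:00:00 alice-long-random-passphrase
# The all-zero MAC means "any station presenting this passphrase", so you
# revoke a person by deleting their line, and MAC filters are not needed.
```

Two caveats a practitioner will hit straight away. First, hostapd only does the authentication and the VLAN hand-off; the privileges the customer asked for (server access, VoIP, throttling) still have to be written as per-VLAN rules on the router, and the captive portal is a separate device or daemon sitting on VLAN 20, exactly the "keeping traffic separated on the LAN" work the post warns about. Second, the per-user PSK alternative is weaker than 802.1X/EAP: anyone who learns a passphrase can derive that user's pairwise keys from a captured handshake, whereas EAP methods such as EAP-TLS or PEAP do not expose a static secret on the air.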