Mid Market Mania


By CWNP On 04/03/2008 - 2 Comments

How many times have you visited a small business where the owner or manager is trying to play "techie" due to the high costs of hiring consultants?  To make matters worse, this person also thinks he has a solid grasp on network fundamentals.  He calls you to come have a look at a 'seemingly random, but minor' network problem because he met you 10 years ago for 20 seconds at a seminar you don't even remember attending.

You oblige of course, and when you're assessing the situation, he is both overbearing (thinking his presence and constant explanations are helpful) and controlling (wanting you to fully explain everything you're thinking and doing) on a second-by-second basis.  After trying to adapt to the situation, you realize that he is using SOHO infrastructure gear, SOHO Wi-Fi gadgets from companies you've never heard of, and he is in a multi-tenant building where there are at least 40 other heavily loaded 2.4 GHz Wi-Fi access points operating at max power.

Like it's a big surprise, the problem he is complaining about is one of his Wi-Fi gadgets.  You know the type of device I'm talking about, right?  I have a new favorite: the Wi-Fi access point & software-controlled VGA presentation converter appliance thingy.  It does NAT (though it doesn't tell you so), it is an AP with an Ethernet port (that allows only one client to connect at a time), and its configuration options and documentation are almost non-existent.  After seeing a gadget like that attached to flat-screen TVs everywhere, seeing a hobbled Linksys router-turned-AP with one external antenna (used just because it was free) is no surprise.  A WLAN protocol analyzer reveals at least 40 nearby (and LOUD) APs, so what is a poor consultant to do?

Well first, you talk to the "customer" to understand WHAT THE HECK he's trying to accomplish.  "Strong security like I have with my MAC filters now!" he says... Oh brother.  Then of course, he explains how connecting to each Wi-Fi TV gadget individually is somewhat of a pain, even more so when it doesn't work properly.  You can see where I'm leading, so I won't bore you with the rest of the conversational details.

The bottom line is that the customer wants three things: 1) his TVs to work without a hitch, 2) his WLAN to be reliable and not so complicated, and 3) a different level of operational security for his employees and his guests.  He asks for a different PSK for each employee (so that he can cut users off easily when/if they leave the company) and a guest portal (after I explain what a guest portal is) for his guests, each user group with its own network privileges (server access, VoIP access, internet speed throttling, etc.).  Don't lose sight of the fact that this is a 1-2 AP office that has, to date, splurged on SOHO networking gear.

In my mind it's a done deal...sort of.  Step 1: take those TVs off the WLAN and find a different solution that certainly doesn't do NAT for every TV.  

Step 2: Figure out whether his small office needs only a single AP or multiple APs with a controller.  Find an AP or controller that is suitable for his needs/wants and is reasonably simple to configure.  

Step 3: Did he say he wanted every user to have a different PSK?  Normally in a case like that, we do 802.1X/EAP and give each user his or her own credentials, but for a small office with one AP, standing up a RADIUS server and configuring every client for EAP might not be such a great idea from a time/cost standpoint.  WPA2-Personal and WPA2-Enterprise are available on most APs and controllers, so the encryption and authentication options themselves aren't the hard part.  Having a guest portal on the same WLAN infrastructure is tricky at best with most WLAN controller manufacturers, and not available on most autonomous APs.  Even with the best captive portal implementation, you still have to keep guest traffic separated from staff traffic on the wired LAN using VLANs, never a fun project.  Lastly, role-based access control (RBAC) configuration can range from very simple to very difficult depending on the AP or controller.  There are a lot of tricky parts to this last piece of the puzzle.

My question is: How do YOU handle step 3? 

Let's just concentrate on infrastructure connectivity, leaving the other pieces of the Wi-Fi puzzle out for now (like WIPS).
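One concrete way to lay out step 3 on a single AP, given here as an added example and not as the author's or CWNP's recommendation: a hostapd configuration that puts the three user groups on three BSSes of one radio. It assumes a Linux-based AP running hostapd with the nl80211 driver, a radio that supports multiple BSSIDs, bridges br-staff and br-guest already created on the box, and a RADIUS server at 192.0.2.10; the interface names, file paths, SSIDs and secrets are placeholders. The first BSS answers the per-employee PSK request with a PSK file (one line per employee, so revoking a leaver is deleting a line), the second shows the 802.1X/EAP alternative with RADIUS-assigned VLANs for RBAC, and the third is the guest SSID on its own bridge with the captive portal left to the gateway.

```ini
# Added example (not the author's or CWNP's config): one hostapd.conf
# serving three BSSes on one radio. Assumed: Linux AP, hostapd with the
# nl80211 driver, radio wlan0 supporting multiple BSSIDs, bridges
# br-staff and br-guest already created, RADIUS server at 192.0.2.10.
# All names, paths and secrets are placeholders.

interface=wlan0
driver=nl80211
hw_mode=g
channel=1
ieee80211n=1
ctrl_interface=/var/run/hostapd

# ---- BSS 1: staff, WPA2-Personal with one PSK per employee ----
ssid=Office-Staff-PSK
bridge=br-staff
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
# No wpa_passphrase here: the keys come from a file, one per employee.
# The wildcard MAC 00:00:00:00:00:00 means "any client may use this PSK";
# hostapd tries each listed key during the 4-way handshake until one
# verifies. Revoking a leaver = delete the line, send hostapd SIGHUP.
wpa_psk_file=/etc/hostapd/staff.psk
# /etc/hostapd/staff.psk looks like (passphrases are placeholders):
#   00:00:00:00:00:00 alice-long-passphrase-here
#   00:00:00:00:00:00 bob-long-passphrase-here

# ---- BSS 2: staff, WPA2-Enterprise (802.1X/EAP) with RBAC via VLANs ----
bss=wlan0-1
ssid=Office-Staff-1X
bridge=br-staff
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-RADIUS-SECRET
# Role-based access: if the RADIUS Access-Accept carries Tunnel-Type,
# Tunnel-Medium-Type and Tunnel-Private-Group-ID, the station is placed
# on that VLAN interface (created from the pattern below) instead of the
# default bridge. Server access, VoIP and throttling are then per-VLAN
# rules on the router, not on the AP.
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
# /etc/hostapd/hostapd.vlan contains one wildcard line:
#   * wlan0-1.#
# so VLAN 20 becomes wlan0-1.20, VLAN 30 becomes wlan0-1.30, and so on.

# ---- BSS 3: guests, open SSID, captive portal on the gateway ----
bss=wlan0-2
ssid=Office-Guest
bridge=br-guest
# Guests land on their own bridge/VLAN; the captive portal, DHCP and
# rate limiting live on the router behind br-guest. Keep guests from
# bridging frames to each other at layer 2 on the AP.
ap_isolate=1
```

Two checks a practitioner would make before calling this done: run hostapd with `-dd` once to confirm the driver actually brings up all three BSSIDs (otherwise a fixed `bssid=` per BSS is needed), and confirm that br-staff and br-guest are on different router VLANs, because the AP-side separation is pointless if both bridges meet on the same upstream segment. The per-employee PSK file solves the revocation problem the customer asked about, not the cryptographic one: each passphrase is still subject to offline guessing if it is short, and the AP holds every passphrase in clear text, which is why the 802.1X BSS is worth keeping as the option to grow into.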

2 Responses to Mid Market Mania

03/16/2009 at 20:08
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.



04/03/2008 at 22:21
This is an interesting scenario and all too common in the enterprise. I think/hope we are on the way to solving this somewhat with NAC/NAP, but not with a PSK for every user.

We haven't deployed it yet, but in the next couple of months we will.

Having RBAC through an access server/gateway is going to help solve some of the issues by classifying devices and keeping the network running securely and efficiently.

Then again, Ruckus Wireless started something called Dynamic PSK... now what is that?

