Friday, October 25, 2013

Wi-Fi Alliance Voice-Enterprise Certification: Standardized Fast Secure Roaming

Two of the most important aspects of building a successful modern enterprise wireless LAN are enabling transparent user mobility across the network and strong security to protect sensitive corporate data. 

However, these two objectives have historically been difficult to achieve in tandem. A balancing act between mobility and security has caused an unpleasant trade-off for organizations due to the time-consuming processes that strong security methods require. On one hand, high performance mobility can be provided when relatively weak security is implemented with an Open or WPA2-Personal WLAN, but this leaves sensitive corporate data at higher risk of exposure. On the other hand, much stronger security can be implemented with WPA2-Enterprise, lowering the exposure risk of sensitive corporate data, but resulting in poor mobility performance due to the time-consuming 802.1X authentication process. Thus, the introduction of more secure Wi-Fi networks solved one problem (security) but created another (roaming performance).

The industry needed a high-performance, yet secure, solution to this mobility problem. The answer lies with fast secure roaming. Pre-standard solutions, such as CCKM and OKC, have been around for some time but have failed to realize widespread adoption, especially by client manufacturers. The Wi-Fi Alliance™ Voice-Enterprise certification program, introduced May 2012 and already appearing in major WLAN products, brings a standards-based fast roaming method to market. It aligns infrastructure and client manufacturers on a common implementation method and provides low-latency roaming performance while maintaining strong security with WPA2-Enterprise.

I dive deeper into the Voice-Enterprise certification program and implementation details of fast secure roaming in the new whitepaper, "Wi-Fi Alliance Voice-Enterprise Certification: Standardized Fast Secure Roaming" [PDF].


Download this whitepaper to learn:
  • Challenges in providing both transparent user mobility and strong security
  • Requirements that products must pass to achieve Voice-Enterprise certification
  • Performance criteria that Voice-Enterprise products must achieve
  • Technical details of the Fast BSS Transition specification, based on IEEE 802.11r, for both controller-based and controllerless WLANs
  • Performance optimizations available with Radio Resource Measurement (802.11k) and Wireless Network Management (802.11v), both part of the Voice-Enterprise program

Friday, October 4, 2013

SSID Overhead - How Many Wi-Fi SSIDs Are Too Many?

One of the most commonly cited best practices among Wi-Fi professionals is to limit the number of SSIDs you have configured on your WLAN in order to reduce the amount of overhead on the network and to maintain high performance. But there is not a lot of public data out there to really drive home this point when explaining it to another engineer, management, or a customer. Simply telling someone that they shouldn't create more than 'X' number of SSIDs isn't very convincing.

Therefore, I've created a visual tool to help you explain WHY too many SSIDs is a bad thing:

The Wi-Fi SSID Overhead Calculator

This tool calculates the percentage of airtime used by 802.11 beacon frames based on the following variables:
  1. Beacon Data Rate - beacon frames are sent at the lowest Basic / Mandatory data rate configured on the WLAN. Beacons must be sent at a "legacy" data rate, meaning only 802.11a/b/g rates. Select the beacon data rate from the drop-down menu within the tool.
  2. Beacon Frame Size - beacon frames can vary in size based on the version of the 802.11 standard implemented (802.11a/b/g/n/ac) and features enabled on the WLAN (such as 802.1X authentication, CCX, 802.11r fast roaming, and 802.11u Hotspot 2.0). I recommend using a wireless sniffer to capture a beacon frame from your WLAN for use within the tool. Enter a beacon frame size that represents the total size of the MAC header and data payload.
  3. Beacon Interval - beacon frames are sent at a default interval of 102.4ms, but this may be modified in most enterprise WLAN products. Note that beacons are always sent at a multiple of the Time Units (TUs), where one TU equals 2^10 Kilomicroseconds (or 1.024 milliseconds). Therefore, 100 TUs equals 102.4ms. Enter the time interval between beacons, in milliseconds.

The calculation includes the inter-frame spacing (using WMM), physical layer preamble and header, MAC layer header, and data payload. It calculates the amount of time required for modulation of the bits over the air, but does not account for collisions or retransmissions. Technically, you wouldn't reach 100% airtime utilization on a Wi-Fi network because medium contention due to collisions and retransmission backoff results in a maximum airtime utilization of around 80-90%. But for SSID overhead planning purposes this level of detail is not required because the network will be equally degraded if we represent it with or without the collisions.

The tool also takes into consideration the number of co-channel APs within the physical area. All access points, either from your WLAN or a neighboring WLAN, contribute to the overhead on the channel. Remember, Wi-Fi operates in unlicensed spectrum and everyone shares the airtime!

I have also included a subjective rating of the amount of overhead into the following categories:
  • 0-10% = Low Overhead
  • 10-20% = Medium Overhead
  • 20-50% = High Overhead
  • >50% = Very High Overhead

You should ALWAYS attempt to keep your WLAN at low overhead (0-10%). 

If you have an existing deployment that falls within the medium overhead range (10-20%) you might consider methods to consolidate SSIDs and reduce the amount of overhead as your WLAN needs evolve over time. 

If you have an existing deployment that falls within the high overhead range (20-50%) you are likely experiencing significant performance problems on your WLAN already and should investigate immediate methods to consolidate and eliminate SSIDs at the earliest possible time.

If you have an existing deployment that falls within the very high overhead range (>50%) it is likely that you are in a highly congested area and will need to coordinate the WLAN configuration with your neighbors in order to reduce the amount of overhead to a reasonable level. This is common in dense urban / downtown areas and in multi-tenant buildings. 
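The calculation described above can be sketched in a few lines of Python. This is an added example, not the spreadsheet's own formulas: the PHY timing constants (long DSSS preamble, 5 GHz OFDM timing, a DIFS-sized inter-frame space) and the function names are assumptions, and the frame size is treated as the full number of bytes sent after the PHY header.

```python
import math

# Assumed PHY timing constants (not taken from the post or its spreadsheet).
DSSS_RATES = {1, 2, 5.5, 11}                 # 802.11b rates, long preamble
OFDM_RATES = {6, 9, 12, 18, 24, 36, 48, 54}  # 802.11a/g rates
DSSS_PLCP_US, DSSS_IFS_US = 192, 50          # preamble+header; SIFS 10 + 2 x 20 us slots
OFDM_PLCP_US, OFDM_IFS_US = 20, 34           # preamble+SIGNAL; SIFS 16 + 2 x 9 us slots
OFDM_SYMBOL_US = 4

def beacon_airtime_us(rate_mbps, frame_bytes):
    """Microseconds one beacon occupies the channel, spacing included."""
    if rate_mbps in DSSS_RATES:
        return DSSS_IFS_US + DSSS_PLCP_US + frame_bytes * 8 / rate_mbps
    if rate_mbps in OFDM_RATES:
        bits = 16 + frame_bytes * 8 + 6      # SERVICE field + frame + tail bits
        symbols = math.ceil(bits / (rate_mbps * OFDM_SYMBOL_US))
        return OFDM_IFS_US + OFDM_PLCP_US + symbols * OFDM_SYMBOL_US
    raise ValueError(f"{rate_mbps} Mbps is not a legacy 802.11a/b/g rate")

def overhead_percent(rate_mbps, frame_bytes, interval_ms, ssids, cochannel_aps):
    """Share of airtime spent on beacons; every SSID on every co-channel AP
    sends one beacon per interval. Collisions and retries are ignored, so the
    result can exceed 100 when the beacons alone do not fit in the interval."""
    if interval_ms <= 0 or ssids < 0 or cochannel_aps < 0:
        raise ValueError("interval must be positive and counts non-negative")
    busy_us = ssids * cochannel_aps * beacon_airtime_us(rate_mbps, frame_bytes)
    return 100.0 * busy_us / (interval_ms * 1000.0)

def rating(pct):
    """Map a percentage onto the post's categories (a boundary value is
    assigned to the lower band, which is a choice made for this example)."""
    for limit, label in ((10, "Low"), (20, "Medium"), (50, "High")):
        if pct <= limit:
            return f"{label} Overhead"
    return "Very High Overhead"

if __name__ == "__main__":
    # Constructed scenario: 300-byte beacons, 4 SSIDs, 3 co-channel APs.
    for rate in (1, 6):
        pct = overhead_percent(rate, 300, 102.4, ssids=4, cochannel_aps=3)
        print(f"{rate} Mbps beacons: {pct:.1f}% airtime -> {rating(pct)}")
```

In the constructed scenario, moving the lowest basic rate from 1 Mbps to 6 Mbps shrinks each beacon from 2642 µs to 458 µs of airtime, which is why raising the minimum basic rate is usually considered alongside SSID consolidation.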

I hope this tool proves useful. Enjoy!