5

Our small business currently has 3 wireless access points around the building, each with their own SSID. Security is done with WEP (ick) and MAC address filtering (double ick).

We are trying to reconfigure the setup, with these goals:

  • Wi-Fi roaming between the access points
  • user-based authentication that isn't as annoying as MAC address filtering.

  1. The entire building is hardwired with Ethernet, so I assume it should be easy to set up the routers to act as one big network, but I can't figure out how. Can someone point me in the right direction? The routers are consumer-grade Linksys routers; is it possible to do this without getting new hardware?

  2. For security, we will probably upgrade to WPA2, and I'm thinking of using the Enterprise version so that users can log in with a username, instead of having a single key (so if an employee leaves or something, their access can be removed). We have several on-site Windows servers; can one of them be set up as a RADIUS server, or is that best left to a dedicated machine (again, using existing hardware is good)?

grg
Hank

2 Answers

3
  1. Nothing fancy, just use the same SSID and ensure they are all on the same subnet.

  2. Ensure you use AES, not TKIP. Whether or not you can use an existing server depends on how heavily loaded the existing server is and how much load you'd be adding. A quick bit of searching suggests that Windows Server comes with a RADIUS server option (Internet Authentication Service) that can be integrated with Active Directory. That might be your best option if you're already using AD.

Cry Havok
  • What's wrong with TKIP? – James Watt May 03 '10 at 16:28
  • +1. Just to be more explicit, when @Cry says to make sure they're all on the same subnet, also make sure they're all simply bridging frames between wireless and wired (no NAT, no DHCP). You want all the wireless traffic to pass right through the APs to the existing DHCP server (and NAT gateway, if any) on the wired Ethernet LAN. Also, if the business is small enough that 3 APs suit their coverage needs, then they don't have enough clients to make any kind of dent in the RADIUS server's load. – Spiff May 03 '10 at 17:16
  • About roaming: we had tried to just set them all to the same SSID/subnet, with different (non-overlapping) channels, but had problems with that because computers would connect to the APs seemingly at random, and often would not pick the best AP. Sometimes the AP/channel that computers picked provided essentially no connectivity. Is there something to be done about that? – Hank May 04 '10 at 00:09
  • TKIP is insecure and known to be broken; it was introduced to allow legacy (i.e. WEP-era) hardware to run WPA. – Cry Havok May 04 '10 at 17:19
  • *Henry* - that sounds like a client-specific problem; not a lot you can do except improve coverage. – Cry Havok May 04 '10 at 17:20
  • @Cry Havok: I guess one of the things I wasn't sure of was whether all the APs should have the same channel or different channels...? – Hank May 05 '10 at 15:40
  • Different channels where they're adjacent, just like FM radio stations, otherwise they'll interfere with each other. – Cry Havok May 07 '10 at 10:05
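
An added example, not part of the original thread: a short Python audit of the settings this answer and its comments call for (one SSID, one subnet, WPA2-Enterprise with AES, APs that only bridge, different channels on adjacent APs). The inventory, field names and finding labels are constructed for illustration, and the channel check assumes 2.4 GHz.

```python
import ipaddress

# Constructed inventory of three APs; the field names are hypothetical,
# not an export format of any Linksys firmware.
APS = [
    {"name": "ap-front", "ssid": "office", "security": "WPA2-Enterprise",
     "cipher": "AES", "lan_ip": "192.168.1.2/24", "dhcp_server": False,
     "nat": False, "channel": 1, "adjacent": ["ap-mid"]},
    {"name": "ap-mid", "ssid": "office", "security": "WPA2-Enterprise",
     "cipher": "TKIP", "lan_ip": "192.168.1.3/24", "dhcp_server": False,
     "nat": False, "channel": 3, "adjacent": ["ap-front", "ap-back"]},
    {"name": "ap-back", "ssid": "office", "security": "WPA2-Enterprise",
     "cipher": "AES", "lan_ip": "192.168.2.1/24", "dhcp_server": True,
     "nat": True, "channel": 11, "adjacent": ["ap-mid"]},
]

def audit(aps):
    """Return a sorted list of (scope, finding) tuples for the AP set."""
    findings = set()
    if len({ap["ssid"] for ap in aps}) > 1:
        findings.add(("all", "ssid-mismatch"))        # roaming needs one SSID
    nets = {ipaddress.ip_interface(ap["lan_ip"]).network for ap in aps}
    if len(nets) > 1:
        findings.add(("all", "subnet-mismatch"))      # APs must share the wired subnet
    channel = {ap["name"]: ap["channel"] for ap in aps}
    for ap in aps:
        name = ap["name"]
        if ap["security"] != "WPA2-Enterprise":
            findings.add((name, "not-wpa2-enterprise"))
        if ap["cipher"].upper() != "AES":
            findings.add((name, "cipher-not-aes"))    # TKIP or mixed mode
        if ap["dhcp_server"] or ap["nat"]:
            findings.add((name, "not-bridging"))      # AP should only bridge frames
        for other in ap["adjacent"]:
            # Assumes 2.4 GHz, where channels under 5 apart overlap (1/6/11 do not).
            if abs(channel[name] - channel[other]) < 5:
                findings.add(("/".join(sorted((name, other))), "channel-overlap"))
    return sorted(findings)

if __name__ == "__main__":
    for scope, finding in audit(APS):
        print(f"{scope}: {finding}")
```
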
0

Depending on the Linksys AP, you might be able to flash them with something like OpenWrt or DD-WRT and create a wireless mesh (DD-WRT makes this pretty easy).

But like I said, it depends on your hardware.

Details on DD-WRT are here: http://www.dd-wrt.com/site/index

Jakub