Q

Vendors that can support multi wireless access ports

I am trying to find vendors that can support "multi" wireless access ports across a campus and allow users to "roam" between the points without having to reauthenticate every time they move buildings. The problem is that we use a Checkpoint VPN client and gateway and the IPSec protocol to connect. Are there any vendors out there that supply this type of infrastructure?

In your scenario, roaming occurs at two levels:

1) At the link layer, 802.11 stations automatically sense changes in signal strength and will (re)associate with the AP offering the best signal. Link-layer authentication (open system or shared key or 802.1X) is repeated when this occurs. The IEEE 802.11f standard under development will enable multi-vendor association handoff by defining an inter-AP protocol and recommended practices, but until that's done, you are limited to proprietary methods in homogenous WLANs.

2) At the network layer, hosts using DHCP automatically renew their IP leases when they sense interface status change (like when the station reassociates). I say most, because behavior depends on the OS (more specifically, the TCP/IP stack). If you're supporting Windows ME/XP/2K PCs, this is probably what's happening to your users. When the IP address changes, the VPN tunnel must be re-established, requiring reauthentication of the VPN client. If you're using interactive client authentication, this isn't practical. Even if you're not, applications may be disrupted by reestablishment.

My guess is that what's bothering you is really #2, not #1. If so:

  • You can use static IP assignments and treat all 802.11 stations as one big subnet. Probably not practical for you.
  • You can allocate IPs from the same DHCP server, same pool, so stations keep the same IP when they renew. Use VLAN tags to logically group all the APs into one big subnet. This works up to a point, but eventually it doesn't scale.
  • You can use a WLAN gateway that enables IPsec roaming by letting stations keep their existing IP when they move to another subnet. Details differ, but solutions include Bluesocket and ReefEdge.
  • You can use a mobile VPN instead of your Checkpoint VPN - for example, NetMotion and Cranite Systems put client software on your stations, a server/controller somewhere in your network, and use proprietary tunnels to authenticate/encrypt traffic from roaming hosts without interruption.
  • You may also want to look at some of the new "wireless switches" that have been announced - to see if and how they can help.
This was first published in March 2003
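
An added example, not part of the original answer: a Python script that scans DHCP server logs for stations whose leased IP changed between acknowledgements, which is the network-layer event (#2 above) that forces the VPN tunnel to be re-established. It assumes ISC dhcpd-style syslog lines; the sample log, MAC addresses and IP ranges are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in ISC dhcpd syslog style (assumption, not from the page).
# "via <address>" is the relay address of the building subnet that forwarded the request.
SAMPLE_LOG = """\
Mar  3 09:00:01 dhcp1 dhcpd: DHCPACK on 10.10.1.23 to 02:00:00:aa:bb:01 (laptop-a) via 10.10.1.1
Mar  3 09:00:05 dhcp1 dhcpd: DHCPACK on 10.10.1.40 to 02:00:00:aa:bb:02 (laptop-b) via 10.10.1.1
Mar  3 09:42:17 dhcp1 dhcpd: DHCPACK on 10.10.2.57 to 02:00:00:aa:bb:01 (laptop-a) via 10.10.2.1
Mar  3 09:50:30 dhcp1 dhcpd: DHCPACK on 10.10.1.40 to 02:00:00:aa:bb:02 (laptop-b) via 10.10.1.1
Mar  3 10:15:02 dhcp1 dhcpd: DHCPACK on 10.10.3.12 to 02:00:00:aa:bb:01 (laptop-a) via 10.10.3.1
Mar  3 10:20:44 dhcp1 dhcpd: DHCPACK on 10.10.3.12 to 02:00:00:aa:bb:01 (laptop-a) via 10.10.3.1
"""

ACK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>[0-9a-fA-F:]{17})(?: \([^)]*\))? via (?P<via>\S+)"
)

def address_changes(log_text):
    """Return {mac: [(timestamp, old_ip, new_ip, relay), ...]} for every
    acknowledgement that gave a station a different IP than its previous one."""
    last_ip = {}
    changes = defaultdict(list)
    for line in log_text.splitlines():
        m = ACK.search(line)
        if not m:
            continue  # skip DISCOVER/OFFER/REQUEST and unrelated lines
        mac, ip = m["mac"].lower(), m["ip"]
        prev = last_ip.get(mac)
        if prev is not None and prev != ip:
            # The IPsec tunnel is bound to the old address, so the client
            # has to renegotiate (and reauthenticate) after this lease.
            changes[mac].append((m["ts"], prev, ip, m["via"]))
        last_ip[mac] = ip
    return dict(changes)

if __name__ == "__main__":
    for mac, events in address_changes(SAMPLE_LOG).items():
        print(f"{mac}: {len(events)} address change(s)")
        for ts, old, new, via in events:
            print(f"  {ts}  {old} -> {new}  (relay {via})")
```

Stations that never appear in the output kept the same address across renewals, which is the result the shared-pool option in the list above is meant to produce.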
