Set up secure wireless networks with 802.11x, access points and bridges

Flaws in wireless network setup are a common challenge for networking professionals.

Despite the popularity of Wi-Fi and its growing use in enterprise settings, getting access point placement and configuration right can be difficult. Poor wireless setup and access difficulties slow down business, while security risks threaten the network's integrity.

In this tip, our wireless networking expert answers specific questions from networking professionals on how to set up wireless networks and how to keep them secure. Site expert Lisa Phifer explains how to avoid the hassles of using an 802.11n network in close proximity to 802.11a/b/g networks; how to provide clients with working access points (APs) in a number of buildings connected to one wired LAN; whether or not security encryption affects wireless signal strength; and how to prevent frequent connection loss by securing your connection.

How can you avoid 802.11n coexistence problems with neighboring businesses that use 802.11g (in multi-tenant office buildings, for example)?

Lisa's response: In highly congested areas, neighboring WLANs may use 802.11a/b/g long after your own clients have been upgraded to 802.11n. Operating in greenfield mode not only makes you a bad neighbor -- it can cause numerous collisions that degrade the performance of your own WLAN.

The best way to avoid this problem is to assign your own APs to use channel(s) different from those used by neighboring legacy APs. This is relatively easy when your neighbors use 802.11b/g in the 2.4 GHz ISM band -- just make sure that your own greenfield 802.11n APs use only channels in the 5 GHz UNII band. If your neighbors also use 802.11a in the 5 GHz band, you'll want to assign your greenfield 802.11n APs to unused channels -- for example, the recently added UNII-2e section of the 5 GHz band. You should avoid using 40 MHz wide channels unless you've found an unused area of the 5 GHz band in which to operate. Finally, you may want to let your 802.11n APs use dynamic frequency selection (DFS) within the range of channels that you've selected, so that they can automatically detect and try to avoid new sources of co-channel interference.
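The channel selection described in this answer can be worked through on site-survey data. The following is an added example, not part of the original article or the expert's own tooling. It assumes the common US 5 GHz channel plan (check your regulatory domain), and the survey rows and function names are constructed for illustration.

```python
# Added example: pick 5 GHz channels that no neighbouring AP occupies.
# Channel lists follow the common US plan (an assumption).
UNII = {
    "UNII-1": [36, 40, 44, 48],
    "UNII-2": [52, 56, 60, 64],
    "UNII-2e": [100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140],
    "UNII-3": [149, 153, 157, 161, 165],
}
# 20 MHz channels that bond into one 40 MHz channel.
PAIRS_40MHZ = [(36, 40), (44, 48), (52, 56), (60, 64), (100, 104), (108, 112),
               (116, 120), (124, 128), (132, 136), (149, 153), (157, 161)]

def occupied_channels(survey):
    """Return every 20 MHz channel touched by a neighbouring 5 GHz AP."""
    used = set()
    for ap in survey:
        if ap["band"] != 5:
            continue  # 2.4 GHz 802.11b/g neighbours never overlap 5 GHz
        used.add(ap["channel"])
        if ap.get("width", 20) == 40:
            # A 40 MHz neighbour occupies both halves of its bonded pair.
            for pair in PAIRS_40MHZ:
                if ap["channel"] in pair:
                    used.update(pair)
    return used

def plan(survey):
    """Return (free 20 MHz channels per sub-band, fully free 40 MHz pairs)."""
    used = occupied_channels(survey)
    free20 = {band: [c for c in chans if c not in used]
              for band, chans in UNII.items()}
    # Only offer a 40 MHz channel when both halves are unused.
    free40 = [p for p in PAIRS_40MHZ if not used.intersection(p)]
    return free20, free40

SURVEY = [  # constructed sample survey of neighbouring legacy APs
    {"ssid": "tenant-a", "band": 2.4, "channel": 6},
    {"ssid": "tenant-b", "band": 5, "channel": 36},
    {"ssid": "tenant-c", "band": 5, "channel": 44, "width": 40},
    {"ssid": "tenant-d", "band": 5, "channel": 149},
]

if __name__ == "__main__":
    free20, free40 = plan(SURVEY)
    for band, chans in free20.items():
        print(f"{band}: free 20 MHz channels {chans}")
    print("free 40 MHz pairs:", free40)
```

With this sample survey, UNII-2e is completely unused, so it is the natural home for greenfield 802.11n APs, and 40 MHz operation is only offered where both halves of a pair are clear.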

I am deploying a WLAN in a three-building hotel. There are approximately 100 feet between Building A (which houses the wired LAN) and Buildings B and C. I am using a ZyXEL B-3000 access point (AP) and three B-420 wireless bridges, but I am having trouble bridging between ZyXEL B-420s to connect all three buildings.

Lisa's response: To link your wired LANs using wireless between buildings, use your B-420's wireless panel to set their operating mode to "bridge." Set Building B and C's B-420 peer bridge MAC address to Building A's B-3000 MAC address.

Next, use the B-3000's wireless panel to set operating mode to AP+Bridge. Enter MAC addresses belonging to Building B and C's B-420s in the remote bridge MAC address list. At this point, any wired device plugged into Building C's B-420 Ethernet port should be able to reach any wired device plugged into your Building A Ethernet switch, including your router. But you still need to configure your infrastructure mode WLAN.

Using the B-3000's wireless panel, enter an SSID -- this is the "available wireless network" name that clients will use to connect to your wireless AP (WAP). At this point, any wireless device within shouting distance of your B-3000 should be able to browse for available wireless networks, see the SSID that you entered, and connect to it. Once connected via wireless, those clients should be able to reach any device on your wired LAN, including your router.

If you actually want to provide wireless client access in all three buildings, you've still got work to do. In that case, you probably want to put B-3000s (not B-420s) in all three buildings, setting all to AP+Bridge mode. In that case, each building will have its own wireless LAN, and these are then joined to one another over the WDS bridge. To learn more about the capabilities of your B-3000 and how to configure other settings, see ZyXEL's PDF: ZyAIR B-3000 802.11b wireless AP user's guide.

Does having encryption on a wireless network improve signal strength and therefore reduce the number of connection losses?

Lisa's response: To my knowledge, enabling encryption has no impact whatsoever on signal strength. Signal strength is an attribute of the physical medium (RF), while encryption simply alters the length and payload encoding of the data link frames sent over that medium. If your client's received signal strength (RSSI) is N for a given AP without encryption, it should still be N with encryption.

I'm constantly losing my wireless network connection. What can I do?

Lisa's response: Clients scan all channels in their spare time, looking for other APs that might offer better service than the one they are using. A client willing to connect to any open AP is far more likely to accidentally connect to other nearby APs, dropping the existing connection to do so. On the other hand, a client that is configured to connect only to a single known SSID will be less easily distracted by neighboring APs. Furthermore, if the AP requires encryption for that SSID, the odds of a "rogue AP" luring clients away are diminished. One might argue that encryption reduces the accidental connection losses otherwise caused by client-initiated roaming.
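The effect of client policy described in this answer can be modelled as a filter over scan results. This is an added example, not part of the original article. It is a simplified model of client AP selection (strongest eligible signal wins), and the SSIDs, BSSIDs, RSSI values and profile fields are constructed assumptions.

```python
# Added example: which AP would a client pick under three connection policies?
# Simplified model (assumption): the client joins the strongest eligible AP.
SCAN = [  # constructed scan results as seen by one client
    {"ssid": "corp-wlan", "bssid": "02:00:00:00:00:01", "encrypted": True,  "rssi": -62},
    {"ssid": "cafe-free", "bssid": "02:00:00:00:00:02", "encrypted": False, "rssi": -48},
    # Open AP advertising the same SSID as the legitimate network.
    {"ssid": "corp-wlan", "bssid": "02:00:00:00:00:03", "encrypted": False, "rssi": -40},
    {"ssid": "tenant-b",  "bssid": "02:00:00:00:00:04", "encrypted": True,  "rssi": -55},
]

# ssid=None models a client willing to join any open network.
ANY_OPEN = {"ssid": None, "require_encryption": False}
PINNED_SSID = {"ssid": "corp-wlan", "require_encryption": False}
PINNED_ENCRYPTED = {"ssid": "corp-wlan", "require_encryption": True}

def candidates(scan, profile):
    """Return the APs this profile allows, strongest signal first."""
    eligible = []
    for ap in scan:
        if profile["ssid"] is None:
            ok = not ap["encrypted"]            # any open AP will do
        else:
            ok = ap["ssid"] == profile["ssid"]  # only the known SSID
            if profile["require_encryption"]:
                ok = ok and ap["encrypted"]     # and only if it encrypts
        if ok:
            eligible.append(ap)
    return sorted(eligible, key=lambda ap: ap["rssi"], reverse=True)

def best(scan, profile):
    """Return the BSSID the client would join, or None if nothing qualifies."""
    found = candidates(scan, profile)
    return found[0]["bssid"] if found else None

if __name__ == "__main__":
    for name, profile in [("any open AP", ANY_OPEN),
                          ("pinned SSID", PINNED_SSID),
                          ("pinned SSID + encryption", PINNED_ENCRYPTED)]:
        print(f"{name}: {len(candidates(SCAN, profile))} candidate(s), "
              f"joins {best(SCAN, profile)}")
```

Only the third profile stays on the legitimate AP; the first two leave the client with a stronger open AP to roam to, which is the source of the dropped connections.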
