The wireless space in the education environment, especially at colleges and universities, is both highly complex and diverse. Every day and night, whether or not they’ve been upgraded or properly maintained, a multitude of different versions of endpoint devices are connecting to wireless networks.
Understanding how all of those devices work inside of the wireless space, as well as how they want to and can talk is vitally important. Important questions like what authentication will look like, what flavor of wireless protocol 802.11 can the devices use and how quickly will devices access the network all factor into the wireless capability mix. The primary challenge then with providing wireless solutions and IT services for schools of all sizes is how to maximize the user experience without compromising the wireless space.
Wireless networks take tremendous forethought
Colleges and universities, in particular, are a conundrum for wireless engineers. This is due to the complexity and diversity of everything that needs to connect to their wireless networks. Jeff Keese, ClearPass Expert and Wireless Engineer, VectorUSA
Wireless network engineering requires considerable forethought because newer wireless devices, such as those with Windows 10 and the latest flavors of O SX, want to use TTLS or TLS authentication. It’s critical to ensure that both the fastest and slowest devices interact equally as well with the wireless network while also providing the best user experience. With wireless networks, nodes of radios broadcast on a set of two frequencies: either 2.4 GHz (G) with up to 11 channels or 5 GHz (A) with its up to 32 channels. Within a 5 GHz space, capability goes up dramatically because you can perform channel bonding. That means going from a 20 MHz channel (connecting at A and G speeds) to 40 MHz channels for A which allow two channels to bond together. That provides twice the amount of throughput. With 80 MHz channels (AC and AX), that provides three times the speed. Progressing through the 802.11 protocols (from A through AX) there is a lot of difference. With A, you get about 160 MHz max. On AC you get 866. So that's 866 megs across wireless. In AX, if you do the 160 MHz channels, you're above a gig at that point, so you’ll experience better than wired speeds on wireless. Unfortunately, there are some downsides when you start to increase channel bandwidth:
- You reduce the number of total channels available.
- Wireless is half-duplex.
- There is only a set amount of frequencies you can use.
The wider that your channel is, the less physical channels you have to broadcast and the more co-channel interference (one access point talking over another access point). Jeff Keese, ClearPass Expert and Wireless Engineer, VectorUSA
It can be like standing in a crowded room, and because everyone's shouting, no one is heard. For our wireless solutions, our engineers look at the usability of the space and determine how to create the best user experience based on what the space can allow. And too, the wireless airspace is not just smartphones and laptops. It involves Bluetooth mice and headsets, presentation pointers, a car that drives by with a wireless hotspot built into it, perhaps a plane passing overhead and more. Weighing speed advantages versus usability on the network factors in heavily as well. While student housing may require 40 or 80 MHz channels to handle high-speed demands, lecture halls with 20 MHz channels primarily ensure reliable connectivity over speed.
What about security encryption protocols?
Along with reliable network access, wireless network security is equally as important. Various encryption protocols (how a wireless network secures from a device to the access point) include several options. The most popular of which are EAP-TLS, EAP-PEAP with MSCHAPv2 and EAP with TTLS Of those, the primary protocols are EAP-TLS and EAP-PEAP with MSCHAPv2. The main difference between the two is that EAP-TLS uses certificates that are downloaded to your client device to verify your identity. EAP-PEAP with MSCHAPv2 takes a username and password that you've entered and verifies it against some kind of authentication source. EAP-TTLS is essentially a hybrid of the two with a username being broadcast, but you're using the certificate of the server that you're talking to and the client is verifying that certificate. EAP-TTLS is not quite as secure though as EAP-TLS. EAP-TLS is the most secure because it’s nearly impossible to break the client certification that gets downloaded to your device. The most widely used protocol, however, is EAP-PEAP with MSCHAPv2 and has been for the last 15 years or so.
As campus environments continue to become increasingly security-minded, more network administrators are moving toward EAP-TLS because it’s simply the best possible security for wireless networks. Jeff Keese, ClearPass Expert and Wireless Engineer, VectorUSA
There are benefits and costs to each protocol option. Even though EAP-TLS is the most secure, it also requires a much more involved infrastructure to support it versus EAP-PEAP with MSCHAPv2. If you're running a Windows domain, it just works. You can use the Windows server as the authentication source and have Windows NPS, Aruba ClearPass or any of the other security programs (the authorization and authentication servers) talk from wireless to your authentication source. Again, each encryption protocol has its pluses and minuses. But most college campuses are sticking with the traditional EAP-PEAP with MSCHAPv2 due to the cost of creating a PKI environment or buying the license to do onboarding. In terms of wireless network security, it pays to ask yourself, "What's our use case? How do we want to use this?" Wireless network security boils down to what you’re looking for, your requirements and the level of user hassle you’re willing to accept. As part of our IT services for schools, we initially talk to our clients first about how we're going to design their wireless network, what they’re looking to do and how they're looking to do it.
Don’t put an Edsel engine in a Ferrari
Aside from instructors in classrooms who might still be using a wired desktop computer, nearly 100 percent of devices in the classroom are either smartphones, laptops or some form of a tablet. And beyond that, students may be using as many as nine wireless devices, including Alexas, Fire Sticks, and Xboxes. Everything has to be online. For the most part, dorm rooms are all wireless. Everything has to be able to function in that space together and part of that is in the overall network design.
When planning your institution’s wireless network, you certainly don’t want to run the risk of placing the absolute best wireless network on top of an antiquated wired network that only has the capability of going 100 meg. Jeff Keese, ClearPass Expert and Wireless Engineer, VectorUSA
That’s like putting an Edsel engine in a brand new Ferrari! If you want a world-class wireless network, you must have a world-class wired network to start. If you don't first have a maximum performing wired network, then it doesn’t make sense to invest the funds to gain a maximum performing wireless network that you can't use. Remember that the access points are just radios. They still have to talk to the network. If the network is slow, then it doesn't matter how fast the access points talk. The network is only going to go as fast as the slowest part. It’s also important to consider how fast your IDF can connect back to your core, what kind of speeds do you get on the IDF and what kind of speeds do you get on the core. That, along with incorporating multi-gigabyte capable switches and access points for more throughput and a better user experience, will help lay the right foundation for your network project. From complete network refreshes to helping you implement the last mile of an already designed network, VectorUSA will assist you with making the right decisions to ensure flawless network operation.
Post Topic(s): EDUCATION | WIRELESS SOLUTIONS