9 steps to a trouble-free Wi-Fi upgrade

In many offices, Wi-Fi represents the great breakthrough of freedom, as if your old Ethernet infrastructure is some kind of authoritarian dystopia. There's something romantic about that idea, but it can easily sour when people realize that an overloaded or improperly configured wireless network can be just as vulnerable as a wired network.

[[411428]]

In fact, the experience is more unpleasant if you don't understand what's going on. I've seen one business try to solve the problem of wireless users' intermittent Internet access by adding more and more DSL lines and Wi-Fi-enabled routers. To no avail: Ultimately, the wireless network itself worked fine. The problem was that the ISP was rotating its live DNS servers in some baroque scheme to fight off hackers or spammers.

So lesson one is: before you start planning to upgrade your wireless equipment, first ask yourself what the problem is that you want to solve, then investigate whether it might be caused by a bug or bottleneck somewhere else on the network. If that's the case, then a big, expensive Wi-Fi upgrade project probably won't do you any good. You might get better results just by spending a few pounds to replace the old stomping patch leads.

1. “Upgrading” doesn’t mean buying a new router

Performance Speed

When people talk about "boosting" their Wi-Fi, they usually mean increasing the overall speed of the network. However, there is no single way to do this.

In reality, the solution will depend greatly on the circumstances. It could be that you need to remove and reinstall your entire setup, or it could be that you’ve isolated a misconfiguration that’s causing all of your computers to display busy cursors, assuming the problem is even connected to the network. It could be that an external device, like an arc welder, is capable of generating RF interference that’s causing your internal network to go haywire. If that’s the case, upgrading your router isn’t going to solve the problem.

It's important to remember that a strong network is more than just a fast network, it needs to provide the functionality you need for your business. For example, you may need to manage guest access, or control bandwidth for internal employees, or you may even want to create a honeypot machine to divert hackers away from your main network. Whatever additional needs your business has, these may be beyond the capabilities of a standard router.

If you want to "boost" your business Wi-Fi network, think in terms of broader options, rather than a slightly better, more expensive router.

2. Remember, it’s radio, not X-rays

If you're ready to upgrade your wireless network - or set one up for the first time - then you should start by taking a look around your property. You need to figure out what it will take to achieve reasonably uniform coverage. You can do a basic study simply by walking around the building with a smartphone equipped with a free signal strength measurement app.

Of course, there are more satisfyingly complex devices than this. These can be useful when you have problems with overlapping wireless footprints with your neighbours. The problem could be an overcrowded channel, or it could be due to general weirdness in RF signal propagation, which can mean you get horrible interference from the network next door, which by rights should be fragile and distant.

Boosting the transmit power of an access point is almost never the solution. Powering down base stations and installing more of them, making best use of wired backlinks and operating en masse, is more likely to fix dead spots and interference than a giant, throbbing, white-hot transmitter in the corner of your office.

3. Connect to Wi-Fi via a cable

optical fiber

Once you start buying business-grade Wi-Fi equipment, you'll quickly come across Power over Ethernet (PoE). It's a convenient solution for devices that don't need to consume much power and don't necessarily have to be located next to a power outlet.

However, PoE can also be a dangerous temptation to novice network designers. "Look, it just comes off a wire - without the annual testing and safety considerations of a 240V power connection!"

The problem is, the power still has to come from somewhere -- usually a PoE-enabled switch. If you want to run 24 access points from a wiring closet with a (rather hot) Ethernet switch, then this might be a convenient way to work. But few businesses need such a dense density of access points. More likely, you'll only have a few PoE devices.

So for a medium-sized office, you'd probably buy and install additional PoE switches alongside your main LAN hardware - which is hardly simpler or cheaper than running off mains power. It also presents a situation where your wireless property is on one VLAN and everything else is on another.

4. Strength in numbers

More APs are almost always better than trying to increase signal strength. This does have management implications, though.

Enterprises taking their first steps beyond the traditional single-line DSL router often have difficulty transitioning to a setup where access control and data routing are completely separated from the business of managing radio signals, advertising services and exchanging certificates.

How you deal with it depends at least in part on what kind of access point you choose. Some companies choose complex devices that do all sorts of things for you, while others prefer little dumb boxes with just an LED and a cable port.

The larger your network, the more the latter type makes sense: you don't want to set up a dozen APs individually, but rather want them all to be slaves to a central management interface. This is especially true if you need to serve sites with peculiar Wi-Fi propagation, handle highly variable loads, or handle a large number of guests coming in and out of the office.

5. The temptation of SSO

One of those holy grails is single sign-on (SSO). The idea is that users only have to confirm their identity once during a normal workday, no matter how many systems they access.

This isn't hard to implement when it comes to Wi-Fi access, but it's not a very flexible system, either on the network side or on the client side. The bit in the Wi-Fi login cache that handles SSO and decides whether a password saved in a web page can be used to log into a particular WLAN, and the hotel's Wi-Fi system also sniffs a bit, marking a spot as "definitely my home" and overriding all other applicants for the label: set this property on your Wi-Fi and leave your guests at risk.

Although it sounds appealing to just enter a password, the reality is not so good - after entering the password, a group of machines, routers and cloud services will recognize that your user has been authenticated. First of all, people are used to entering passwords now: it is no longer a scary technological ritual. You don't need to protect them.

Then there's the ongoing and unresolvable battle between vendors over who owns the authentication database. It's impossible for anyone with a real job to master the in-depth technology required to switch from one authentication mechanism to another, but that doesn't stop different players from trying to lure you into using their systems or proprietary architectures. The result is an unwelcome block of extra complexity for you to master.

6. Beware of compatibility issues

As far as patented methods are concerned, it is a fact that many base stations and Wi-Fi-enabled devices do not work together.

Sometimes the problem is about range, or about contention (how many total devices are in a repeater) or concurrency (how many devices can communicate at once). Other times it's a peculiar firmware issue, or some weird problem with the certificates on one side of the conversation that effectively silences the other side.

I've seen so many companies run into these issues, and often the result is a cardboard box full of phones that still have a few months left on their contracts but can't connect to the company's wireless LAN since the last upgrade. For the IT person in the spotlight, this is never a good look: "You broke the Wi-Fi!" This accusation always seems to come from the best-connected, least cool member of your company.

The real solution is to acknowledge the reality of compatibility issues and plan for them. You don't have to delve into the technical details of your shiny new service, but you do need to figure out how, and how long, you need to keep the old one running in parallel to avoid any generational issues. So your warehouse barcode readers can continue to connect to the old SSIDs, while your new tablets and laptops can take advantage of the new Wi-Fi.

If users are educated on this “sunset management” then hopefully they will feel their needs are respected and that legacy equipment can be upgraded at a manageable pace and at a convenient time.

7. Manage guests

A common view about Wi-Fi is that it can and should be "free." It's a nice vision, and it may have helped phone companies reduce the cost of roaming data access - but within the enterprise, it's an unnecessary indulgence that makes it difficult to fully secure your IT portfolio. After all, it's your responsibility not to be hacked, or to facilitate hacks by others; opening your network to everyone, no questions asked, is not a good start.

This doesn't mean you can't let visitors use your network - but it does mean you should give them managed guest access. Think about how much bandwidth you want your guests to have, and what resources you want them to access. Do you want to treat employees and their personal devices as guests, or do you want them to receive a different level of service?

8. What about cloud management?

The larger your network grows—the more users, APs, and network resources it contains—the more important management becomes. Not just for convenience, but also for security.

Our own JonHoneyball became a fan of Cisco's Meraki cloud-based management service, which allowed him to see more than 3,000 new devices appear around his wireless network in a single week. That's a statistic that should make a boardroom decision. It's unlikely that all of those contacts were malicious. Most were probably just cars passing by with Wi-Fi phones on.

The difference is that threat detection systems really start to separate themselves into sheep and goats, and that’s something you can operate on-premises: You’re not necessarily running all your equipment from a vendor’s cloud service layer. Your local resources, like individual DSL lines and routers, already sit behind a cloud-aggregated, collectively managed base station.

If you're in an industry that doesn't touch Wi-Fi year after year, cloud management may not be important at all. Although cloud-based solutions appear to offer security advantages, it's still necessary to protect your own network so you don't forget about security. For any cloud-managed Wi-Fi campus, advanced password management is a must for users and administrators.

9. Upgrade your equipment

Upgrading your wireless infrastructure is all well and good, but all the high-end networking hardware in the world won’t mean much if the devices your employees are using can’t take advantage of it. Not all wireless technology is created equal, and newer standards like 802.11ac and MU-MIMO allow for much higher theoretical speeds than the older 802.11n standard.

If that new wireless device you invested in isn’t living up to the blazing speeds it promised, there’s a good chance this is why. If adapters, which are the wireless cards your end devices use to access it, are past a certain age, they won’t be able to reach the maximum speed threshold of your network.

Of course, even if they’re using the latest standard, there’s no guarantee they’ll hit the theoretical maximum — that depends on factors like the number of antennas, distance, and signal interference — but if they’re using an older standard, then you don’t stand a chance.