The problem
The company's offices are spread across three locations, HQ and two branch offices, with a total of 200 employees. About a dozen SOHO-grade APs from various manufacturers are already in use in different departments of the enterprise. Because users occasionally want more mobility, various ad-hoc WLAN networks are in operation that are not under any control. There's no central WLAN access policy, the APs use different SSIDs, and some still use WEP, which is unacceptable. Most APs use the IEEE 802.11g wireless standard.
One of the branch offices houses the company's main production line, which needs to expand its LAN access. But it has very limited network resources: there aren't enough switch access ports, nor is there sufficient cabling available. The LAN users at the production line would also benefit greatly from more mobility.
The WLAN network should have enterprise-grade security, as the WLAN users will have access to the company's LAN and the Internet. The network administrators should be able to control WLAN network usage and detect the occurrence of any rogue APs (WIPS).
There should be a separate WLAN network available throughout the company for guest users that would offer Internet access only. Currently this functionality is available, but not under a common administrative control.
The solution
After a wireless survey of all three locations, 30 thin enterprise-class APs were installed. The APs are connected to the wired LAN network, with the exception of the production line, where 15 APs operate in a wireless mesh, thus reducing the need for further cabling.
The thin APs are connected to CAPWAP wireless AP controllers (redundant for the production line area to achieve greater reliability and availability), which enable central management of the wireless network. The CAPWAP wireless controllers are connected to the LAN network through a firewall's DMZ. The APs now support the IEEE 802.11g and IEEE 802.11n-2009 WLAN standards, which give the wireless users more bandwidth. The APs also have dual radios. That enables the network administrators to dedicate the first radio to IEEE 802.11n-2009 wireless access and the second one to monitoring the radio space and taking appropriate countermeasures (WIPS).
The WLAN network provides a high level of security, as only WPA2 with AES encryption is used. Furthermore, 802.1X user access control is integrated with the LDAP domain server, which enables central WLAN user access management. User access control is a crucial functionality, as the user WLAN network has full access to the company's internal LAN and the Internet.
The WLAN network also enables Internet-only access for guests, who use a separate SSID. Its traffic uses a separate VLAN going to the UTM firewall, so the guests have no access to the internal LAN. A ticketing system is used to enable guest users to use the WLAN.
The entire WLAN network supports IPv4 and IPv6 in dual-stack.
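The access policy described in this section (WPA2-AES only, 802.1X on the corporate SSID, guest traffic on its own VLAN, every AP under the controller) can be checked against an AP inventory. The following is an added example, not part of the original case study; the SSID names, VLAN IDs, AP names and record fields are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed SSID names; the case study does not give the real ones.
CORP_SSID, GUEST_SSID = "corp", "guest"

@dataclass
class Wlan:
    ap: str         # AP name
    ssid: str
    security: str   # "WEP", "WPA-TKIP", "WPA2-AES", "open"
    auth: str       # "802.1X", "PSK", "ticket", "none"
    vlan: int
    managed: bool   # True if the AP is joined to the central controller

def audit(wlans):
    """Return sorted (ap, finding) pairs for every policy violation."""
    findings = []
    # VLANs carrying corporate traffic on controller-managed APs
    corp_vlans = {w.vlan for w in wlans if w.managed and w.ssid == CORP_SSID}
    for w in wlans:
        if not w.managed:
            findings.append((w.ap, "not under controller management"))
        if w.ssid not in (CORP_SSID, GUEST_SSID):
            findings.append((w.ap, f"non-standard SSID {w.ssid!r}"))
        if w.ssid == GUEST_SSID:
            # Guest link security is not specified on the page, so only
            # the VLAN separation from the internal LAN is checked here.
            if w.vlan in corp_vlans:
                findings.append((w.ap, f"guest SSID shares corporate VLAN {w.vlan}"))
            continue
        if w.security != "WPA2-AES":
            findings.append((w.ap, f"encryption is {w.security}, not WPA2-AES"))
        if w.auth != "802.1X":
            findings.append((w.ap, f"auth is {w.auth}, not 802.1X"))
    return sorted(findings)

# Constructed sample inventory
INVENTORY = [
    Wlan("hq-ap-01", CORP_SSID, "WPA2-AES", "802.1X", 10, True),
    Wlan("hq-ap-01", GUEST_SSID, "WPA2-AES", "ticket", 99, True),
    Wlan("lab-soho-3", "lab-wifi", "WEP", "PSK", 10, False),
    Wlan("br2-ap-07", GUEST_SSID, "open", "ticket", 10, True),
    Wlan("br1-ap-02", CORP_SSID, "WPA2-AES", "PSK", 10, True),
]

if __name__ == "__main__":
    for ap, finding in audit(INVENTORY):
        print(f"{ap}: {finding}")
```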
The advantages
The redesigned wireless network now enables secure LAN and Internet access throughout the entire company, which allows greater mobility for users. Mobility is especially important for WLAN users at the production line, since it gives the company a whole new way of doing warehouse business.
Wireless Internet access is also available to guest users. Their traffic is completely separated from the internal LAN.
The new WLAN network now provides all the components a company needs in a network: a manageable, growth-ready and secure wireless network on par with a wired network.





