Designing a Public Space WLAN

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you plan to deploy a public space WLAN in a venue such as an airport or shopping mall, you need to design your WLAN to meet some additional requirements.

  • Plan for a single wireless network infrastructure that multiple service providers can share and access.

    A single wireless network infrastructure eliminates radio frequency interference. Because of the finite number of non-overlapping channels available in 802.11b, multiple wireless network infrastructures in the same location cause interference among wireless APs with overlapping channel frequencies.

  • Make sure that the APs support VLANs, the capability for beaconing multiple Service Set Identifiers (SSIDs, also known as network names), and the capability for binding each SSID to a separate VLAN.

    Enhanced APs are necessary in a public space WLAN deployment. VLAN support enables the AP to route the wireless client to the correct network path. The capability for beaconing multiple SSIDs enables multiple service providers to share the same wireless network infrastructure. After the wireless client associates with the correct SSID, the AP must bind that SSID to the correct VLAN in order to route the network traffic to the correct destination. The AP maintains a table that maps each SSID to its respective VLAN number. The public space WLAN also must allow non-802.1X wireless clients access. To support this, you must assign a VLAN number for all non-802.1X wireless clients. The VLAN number routes the non-802.1X clients to a VLAN that is configured to provide non-802.1X clients with 802.1X credentials.

  • To provide security, you need an IEEE 802.1X and RADIUS-capable wireless AP, and an EAP-capable RADIUS server such as Windows Server 2003 IAS.

  • You might need to provide billing and accounting for services provided to customers connecting through the public space WLAN.

    A public space WLAN must provide a means for charging for services provided, typically by an ISP, to customers connecting through the public space WLAN. An ISP can charge the customer for this service in several ways. It can bill for the total time connected, the quantity of data transferred, or a combination of the two methods.

    You can configure the same IAS server that is used for the authorization of wireless users to capture this connection data and save it to an accounting log file. The log file contains the connection time, the amount of data transferred during a session, and other data that can be used to produce billing records for ISP customers. Database exporting can convert the log files into a format that can be read and interpreted to provide the billing records. IAS for Windows Server 2003 can also be configured to send accounting information to a SQL Server database.

    In addition, third-party software is available to create billing solutions.

  • Provide sufficient bandwidth to support the volume of users likely to use a public space WLAN.

    In designing a public space WLAN, consider how many users need to connect simultaneously through each AP. For example, if you design for an average bandwidth of 56 kilobits per second (Kbps), approximating a 56K modem, more users will be able to associate with the network than if you design the average bandwidth to be more than 56 Kbps.
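Producing billing records from the accounting data described above, as an added example that is not part of the original documentation or of IAS itself: the records are constructed samples in a simplified comma-delimited layout (not the exact IAS log format), the column names are borrowed from the RADIUS accounting attributes, the user names and rates are assumptions, and duplicate Stop records (retransmitted accounting packets) are counted once.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample records (NOT the exact IAS log layout). Columns:
# User-Name, Acct-Status-Type, Acct-Session-Id, Acct-Session-Time (seconds),
# Acct-Input-Octets, Acct-Output-Octets. The last Stop line is a deliberate
# duplicate of session 0003, as a retransmitted accounting packet would be.
SAMPLE_LOG = """\
alice@isp.example,Start,0001,0,0,0
alice@isp.example,Stop,0001,1800,5242880,26214400
bob@isp.example,Start,0002,0,0,0
bob@isp.example,Stop,0002,600,1048576,2097152
alice@isp.example,Start,0003,0,0,0
alice@isp.example,Stop,0003,900,0,10485760
alice@isp.example,Stop,0003,900,0,10485760
"""


@dataclass
class Usage:
    seconds: int = 0   # total connect time
    octets: int = 0    # total data transferred in both directions


def aggregate_usage(log_text):
    """Sum per-user connect time and data from Stop records only.

    Start records carry no counters, and a Stop record that repeats an
    already-seen session id is ignored so a retransmission is not billed twice.
    """
    usage = {}
    seen_sessions = set()
    for row in csv.reader(StringIO(log_text)):
        user, status, session_id, secs, in_oct, out_oct = row
        if status != "Stop" or session_id in seen_sessions:
            continue
        seen_sessions.add(session_id)
        u = usage.setdefault(user, Usage())
        u.seconds += int(secs)
        u.octets += int(in_oct) + int(out_oct)
    return usage


def bill(usage, per_minute=0.0, per_megabyte=0.0):
    """Charge by time, by data, or both, depending on which rates are set."""
    return {user: round(u.seconds / 60 * per_minute
                        + u.octets / 2 ** 20 * per_megabyte, 2)
            for user, u in usage.items()}
```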

Figure 11.6 shows the infrastructure for a public space WLAN with 802.1X designed for an airport. This public space WLAN enables ISPs to provide Internet access for general and corporate users with wireless devices that are 802.11b-capable.

Figure 11.6   Example of a Public Space WLAN Infrastructure in an Airport

Example: Public Space WLAN Access

A user with a computer running Windows XP (with the Wireless Zero Configuration [WZC] service and IEEE 802.1X) starts his computer. The wireless adapter attempts to authenticate with an AP, but can only associate with VLAN 0 since it has no authorization for VLAN 1, the ISP network for the airport. When associated with VLAN 0, the wireless device is directed to the airport’s ISP Web server.

The Web server queries the user about access to the Internet or another company’s network. As a free service, the ISP’s Web site provides local travel information, including arrival and departure times and restaurants. If the user chooses to set up an account, the ISP creates the account for billing purposes and provides the wireless user with a certificate to join VLAN 1.

The wireless user now has a certificate and can access VLAN 1. The user is authenticated using IAS, which simultaneously creates or appends a log file. The log file and new user account are both used for billing purposes. The wireless user is granted permission to access the Internet.

If the user decides to access his own corporate network across the Internet, a virtual private network (VPN) connection can be created from the wireless client to a VPN server in the perimeter network.

Notes

  • As an alternative to a VLAN, a public space wireless network can support IP filtering. This requires the use of APs that are capable of IP filtering and can be configured to restrict access to only the IP addresses for the ISP’s certificate, DHCP, and Web servers. These servers provide the minimum connectivity and services that are required in order to obtain authenticated access.

  • If wireless clients repeatedly associate with an AP when you use IP filtering for authentication, the AP can consume the allotted quantity of IP addresses that the DHCP server has set aside, preventing additional wireless clients from obtaining an IP address. Although the infrastructure for IP filtering is less costly, because IP filtering saves a switch and a server, IP filtering is less secure. For these reasons, it is better to use a VLAN than IP filtering for a public space wireless network.