As part of your installation of a wireless LAN (WLAN), you need to configure the wireless access points in a way that best meets your customer's requirements. At a minimum, review the configuration settings offered by the wireless access points
In order to configure the access point for your customer, you can connect a laptop or PC to the wireless access point's console port via a serial cable. Through the use of terminal software, you can view access point configuration screens and change specific settings, such as radio channel and transmit power. The problem is that this method of accessing the configuration screens is often character-based and not user-friendly. Plus, a serial cable limits how far you can move from the wireless access point when performing the configurations.
If your laptop or PC is equipped with a radio card, then you can access the configuration screens through the use of a Web browser by typing the Internet Protocol (IP) address of the access point as the URL for the Web page (for example, "http:/192.168.0.1" without the quotes). If the IP address in the laptop or PC is set within an acceptable range of the access point (the IP address would be 192.168.0.xxx, with the last three numbers something between 2 and 254), then the browser will render the configuration screens in a much improved format.
Access point configuration options
Wireless access points include a wide variety of configuration settings, and the following represents the more common items you can change with tips on how to configure them.
IP address. Every wireless access point -- indeed, every client and server as well -- must have a unique IP address to enable proper operation on the network. The wireless access point will come with a pre-assigned IP address, but you'll probably need to change it to match the address plan of your customer's corporate network. In most cases, the use of static IP addresses in wireless access points is best, mainly to make operational support easier. Some wireless access points allow you to use dynamic host configuration protocol (DHCP) so that the wireless access point automatically obtains an IP address from a DHCP server. This may be beneficial for some home applications if the broadband service provider offers addresses via DHCP.
Radio channel. Set the radio channels in wireless access points within range of each other to different channels. This will prevent them from interfering with each other. With 802.11b and 802.11g networks, use channels 1, 6 and 11 to ensure enough frequency separation to avoid conflicts. 802.11a channels, however, don't overlap, so just be sure the adjacent 802.11a wireless access points are set to different channels. Some wireless access points have a feature whereby the access point automatically sets its channel based on others already in use, making installation much easier (but keep in mind that this could cause dropped calls with voice applications).
Transmit power. In most cases, the transmit power should be set to the highest value (100 megawatts in the U.S.). This maximizes range, which reduces the number of wireless access points and cost of the system for your customer. If you're trying to increase the capacity of your customer's network by placing wireless access points closer together, set the power to a lower value to decease overlap and potential interference. Lower power settings also limit the wireless signals from propagating outside the physically controlled area of the facility, which improves security.
Service set identifier (SSID). The SSID defines the name of a WLAN that users associate with. By default, the SSID is set to a common value, such as tsunami for Cisco products. In order to improve security, you should change the SSID to a nondefault value to minimize unauthorized users from associating with the access point. For even better security, some wireless access points let you disable SSID broadcasting. This keeps most client device operating systems (e.g., Windows Vista) from sniffing the SSID from access point beacons and automatically associating with the access point. Someone could, however, obtain the SSID using other sniffing tools that obtain the SSID from 802.11 frames when users first connect to the access point.
Data rate. Most wireless access points allow you to identify acceptable data rates. By default, 802.11b wireless access points operate at 1, 2, 5.5 and 11 Mbps data rates, and 802.11g access points operate at data rates of 6 to 54 Mbps, depending on the quality of the link between the client device and the access point. As the link quality deteriorates, the access point will automatically throttle down to lower data rates in an attempt to maintain a connection. You can, however, exclude specific data rates. For example, you may want your customer's communications only at 11 Mbps or not at all. This could be necessary to support higher bandwidth applications.
Beacon interval. The beacon interval is the amount of time between access point beacon transmissions. The default value for this interval is generally 10 ms, that is, 10 beacons sent every second. This is sufficient to support the mobility speed of users within an office environment. You can increase the beacon interval and have lower overhead on the network, but then roaming will likely suffer. It's best to leave this setting alone. In some cases, though, you might want to experiment with setting the beacon interval to higher values to maximize 802.11 power management functions (if roaming doesn't suffer).
Request-to-send/clear-to-send (RTS/CTS). The RTS/CTS function alleviates collisions due to hidden nodes, which occurs when multiple stations are within range of a common wireless access point but out of range of each other. In most cases it's best to disable RTS/CTS.
Fragmentation. Fragmentation can help reduce the amount of data needing retransmission when collisions or radio frequency (RF) interference occur. This can improve performance in some cases by enabling the clients and access points to retransmit smaller packets when errors are found.
Encryption. Most wireless access points allow the enabling of wired equivalent privacy (WEP), which encrypts the frame body (not headers) of each data frame. Use WEP as a minimum level of protection. WEP is somewhat static and requires you to configure each access point and client device with the same encryption key. When using 40-bit keys, you'll need to enter a key having 10 hexadecimal characters (0-9, a-f or A-F). 128-bit keys, which offer better security, are 26 hexadecimal characters long. For even better security, some wireless access points offer more advanced forms of encryption, such as Wi-Fi protected access (WPA) and 802.11i, which ensure that keys change automatically at a rate that hopefully thwarts a hacker from cracking the security.
Authentication. As part of the 802.11 standard medium access control (MAC) functions, wireless access points implement the default 802.11 open system authentication and sometimes shared key authentication. Neither one of these forms of authentication provides very good security. As a result, many wireless access points now include 802.1x mechanisms that authenticate users with an external authentication server. Certainly consider activating these more advanced authentication methods when configuring the access point. 802.11i and WPA include 802.1x mechanisms.
Administrative interfaces. In order to improve security for your customer, be sure to disable the console port of the access point to avoid the possibility of an unauthorized person reconfiguring an access point and removing encryption and authentication functions. Also, be certain to change the default administrative login user name and password to ensure hackers don't have easy access to configuration settings.
Always update the access point firmware as soon as you remove the access point from its box. In addition, be sure to check for updates periodically. By having the latest firmware, you'll ensure that your customers have the most up-to-date configuration and operational elements available, possibly improving the performance and security of their WLAN.
About the author
Jim Geier is principal consultant of Wireless-Nets Ltd. and assists companies with the design, implementation and testing of wireless LANs. Jim is author of over a dozen books, including Deploying Voice over Wireless LANs (Cisco Press) and Implementing 802.1X Security Solutions (Wiley).
This was first published in April 2008