
Korea Communication Review January 2015

Netmanias Consulting www.netmanias.com



SPONSOR CONTENT

6 things you should know about enterprise WLAN


Jongmoon Choi (jmchoi@davolink.co.kr)

IEEE 802.11 wireless LAN (WLAN) technology,
commonly known as Wi-Fi, has been evolving fast,
adapting to the constantly changing mobile
communication market. Especially as Bring Your Own
Device (BYOD) is becoming a growing trend in many
companies that value network security and
stability, companies are deploying more WLANs every
year to ensure their employees use smartphones and
pads for work purposes as well.
The most important job of an enterprise WLAN
solution is to provide secure and robust wireless service
to users. To do the job, we have to first admit the fact
that WLANs are less secure by their nature than wired
LANs. Wi-Fi uses unlicensed bands that anyone can use
freely, and thus is inevitably vulnerable to various
interferences, which can lead to service degradation. So,
a good enterprise WLAN solution must feature
functions and technologies to address these issues and
supply the best wireless network service to users.
In general, an enterprise wireless network consists of
three basic components - AP, AP controller and
authentication server. But an additional component,
WIPS (WIPS sensor and server), can be included as
needed, for protection from wireless intrusion. The
following is a brief explanation of functionalities and
characteristics of the four components:
Access Point (AP): AP is essential for a Wi-Fi client
to connect to a wired network (Internet or intranet). A
Wi-Fi client scans SSIDs broadcasted from AP, selects
an SSID and then connects to the network through
standard authentication procedure.
AP Controller: AP controller is a management system
that controls all APs. It collects information from
individual APs and analyzes them to ensure and
maintain the service quality of the entire wireless
network.
Authentication Server (AAA): It provides authentication service to Wi-Fi clients not only by using user
ID/password as conventionally done, but also by using
user information in SIM/USIM of a smart device.
Wireless Intrusion Prevention System (WIPS): It detects
rogue APs or unauthorized Wi-Fi devices in a WLAN and
prevents them from accessing or attacking the network.
To this end, WIPS sensors monitoring all the packets
that travel through all the Wi-Fi frequency bands in
real-time are placed throughout the network.
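
The kind of decision a WIPS server makes from sensor reports, as an added example that is not from the article or from any product: each observed AP is compared with the inventory of managed APs, and each client association is checked against the verdict for its AP. The record fields, the verdict names, the wired-side correlation flag (on_wire) and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApSighting:
    """One AP observation from a WIPS sensor (field names are assumptions)."""
    bssid: str
    ssid: str
    security: str   # e.g. "WPA2-Enterprise", "WPA2-PSK", "Open"
    on_wire: bool   # True if the WIPS server also saw this device on the wired LAN

# Constructed inventory of managed APs: BSSID -> (SSID, security profile).
AUTHORIZED_APS = {
    "02:00:00:00:00:01": ("corp", "WPA2-Enterprise"),
    "02:00:00:00:00:02": ("corp-guest", "WPA2-PSK"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
AUTHORIZED_STATIONS = {"02:00:00:00:aa:01", "02:00:00:00:aa:02"}  # constructed

def classify_ap(s: ApSighting) -> str:
    profile = AUTHORIZED_APS.get(s.bssid.lower())
    if profile is not None:
        # Managed AP: anything but its provisioned profile is configuration drift.
        return "authorized" if profile == (s.ssid, s.security) else "misconfigured"
    if s.on_wire:
        return "rogue"          # unmanaged AP bridged into the corporate LAN
    if s.ssid in CORP_SSIDS:
        return "impersonating"  # unknown radio advertising a corporate SSID
    return "external"           # neighbouring network: record, do not act

def classify_association(sta_mac: str, ap_verdict: str) -> str:
    known = sta_mac.lower() in AUTHORIZED_STATIONS
    if ap_verdict in ("authorized", "misconfigured"):
        return "ok" if known else "unauthorized-station"
    # A company device attached to an AP we do not manage needs attention.
    return "misassociation" if known else "ignore"

def triage(sightings, associations):
    """Return sorted (subject, verdict) pairs that need an operator's attention."""
    verdicts = {s.bssid.lower(): classify_ap(s) for s in sightings}
    alerts = [(b, v) for b, v in verdicts.items() if v not in ("authorized", "external")]
    for sta, bssid in associations:
        v = classify_association(sta, verdicts.get(bssid.lower(), "external"))
        if v not in ("ok", "ignore"):
            alerts.append((sta.lower(), v))
    return sorted(alerts)

# Constructed sensor report: AP sightings and (station, BSSID) associations.
SIGHTINGS = [
    ApSighting("02:00:00:00:00:01", "corp", "WPA2-Enterprise", True),
    ApSighting("02:00:00:00:00:02", "corp-guest", "Open", True),
    ApSighting("02:00:00:00:00:99", "corp", "Open", False),
    ApSighting("02:00:00:00:00:77", "printer-setup", "Open", True),
    ApSighting("02:00:00:00:00:55", "cafe", "WPA2-PSK", False),
]
ASSOCIATIONS = [
    ("02:00:00:00:AA:01", "02:00:00:00:00:01"),
    ("02:00:00:00:aa:02", "02:00:00:00:00:99"),
    ("02:00:00:00:bb:01", "02:00:00:00:00:01"),
]
```

An inventory match on BSSID alone is weak evidence, so a production system would corroborate it with channel, signal strength and sensor location before trusting it.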
Now we will find out what conditions should be met
and what specific features are needed to be a good
enterprise WLAN solution that can satisfy high
expectations in the enterprise market as well as new
requirements in the future Internet of Things (IoT) era.

1. Distributed architecture is in and centralized architecture is out


Until a few years ago, centralized architecture had been
preferred for enterprise WLANs. Centralized
architecture passes all AP traffic from Wi-Fi clients to
AP controllers (also known as wireless switch)
transparently. In this architecture, APs have just a few
simple functions (this type of AP is called thin AP) and
thus all 802.11 frames from Wi-Fi clients are simply
passed to AP controllers. Then the AP controllers take
care of high level functions, such as QoS, ACL, roaming,
etc., leading to enhanced control over WLANs.
However, as WLAN technologies improved to use
broader bandwidths through standardizations of
802.11n in 2009 (450 Mbps, 3x3 antenna) and 802.11ac
in 2013 (1.3 Gbps, 3x3 antenna), it became virtually
impossible for an AP controller to process all traffic of
Wi-Fi clients, as initially intended in the centralized
architecture.
Recently APs, upgraded to perform better, have
become capable of handling traffic control, QoS, ACL and
firewall functions per Wi-Fi station and service, allowing
AP controllers to focus on just managing distributed APs
(this type of AP is called fat or intelligent AP). This
so-called distributed or bridged WLAN architecture is
dominant these days. Accordingly, the distributed
architecture is expected to impose a lesser burden on
AP controllers, helping them to manage more APs,
compared to the centralized architecture.


Table 1. Comparison of WLAN architecture: centralized vs. distributed

| Item | Centralized Architecture | Distributed Architecture |
|---|---|---|
| User traffic flow | [Diagram: AP, Edge Switch, AP Controller, Application Servers] | [Diagram: SmartAir AP, Edge Switch, SmartAir AP Controller, Application Servers] |
| Role of AP controller | Simply manage APs; Process 802.11 frames; Drop down wireless traffic to intranet; Provide RADIUS client function; Support QoS guarantee of wireless traffic; Inspect wireless traffic for security; Solely handle L2/L3 roaming; Perform all or most of wireless traffic processing | Closely manage APs; Provide RADIUS proxy function; Provide QoS and security policy to AP; Support L2/L3 roaming by managing authentication key; Collaborate more with APs |
| Role of AP | Pass 802.11 frames to AP controller; Provide RF monitoring data to AP controller | Terminate 802.11 frames; Provide RADIUS client function; Support QoS guarantee of wireless traffic; Inspect wireless traffic for security; Handle L2/L3 roaming in collaboration with AP controller; Perform most of wireless traffic processing under supervision of AP controller |
| Cost | Expensive solution | Inexpensive solution |
| Advantages | Stronger security than distributed architecture; Easier roaming than distributed architecture | More cost-effective than centralized architecture; Network scalability; No single point of failure |
| Disadvantages | High cost; Low scalability; Subject to single point of failure; Longer latency than distributed architecture | Weaker security than centralized architecture; Complex tunnel for L3 roaming |
| Outlook in the future | Outdated concept, but still works in small-scale networks | Suitable to process high bandwidth traffic in each AP these days; Extensible to wireless bridge or mesh network for IoT backbone |

2. Secure network connection and various authentication services

User data encryption and secure authentication are
essential for safe WLAN connection and use in
enterprise WLANs.
Encryption and security issues in the air link of
WLANs seem to have been perfectly taken care of by
IEEE 802.11i standards approved at the end of 2004.
No vulnerability issues have been reported in relation
to 802.11i WPA2/AES encryption so far.
IEEE 802.1x-based authentication is most commonly
used in enterprise WLANs, and it supports three
authentication modes:
EAP-PEAP/EAP-TTLS with user ID and password
EAP-TLS based on client Certification Authority (CA)
EAP-SIM or EAP-AKA using SIM/USIM chip in smartphone

Another common method is web-based authentication
(also known as captive portal-based authentication),
which is used mainly for guest authentication. With this
authentication method, a Wi-Fi client can use Internet/
intranet service only after going through an additional
authentication process, where user credentials (e.g.,
user ID / password) must be entered on the web server
even after WLAN standard authentication, such as
Pre-Shared Key (PSK) with AP, is completed. Web-based
authentication enables an AP to redirect HTTP
packets (TCP port 80) of a Wi-Fi client to the AP
controller or external web server.
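
The web-based authentication flow described above and drawn in Figure 1(b), modelled as the AP's per-station forwarding decision; this is an added example, not code from the article or from the SmartAir product. The class and method names, the addresses, and the pre-login allowances for DHCP and DNS are assumptions.

```python
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    REDIRECT = "redirect"   # answer with an HTTP redirect to the login page
    DROP = "drop"

class PortalGate:
    """Per-station forwarding decisions on the AP (hypothetical model)."""

    def __init__(self, portal_ip: str, dns_ip: str):
        self.portal_ip = portal_ip
        self.dns_ip = dns_ip
        self.authenticated = set()   # stations whose redirection rule was removed

    def on_association(self, mac: str) -> None:
        # PSK association alone grants nothing: the station starts unauthenticated.
        self.authenticated.discard(mac.lower())

    def on_auth_result(self, mac: str, success: bool) -> None:
        # "Add Station" / "Remove Redirection Rule" happen only on a successful result.
        if success:
            self.authenticated.add(mac.lower())

    def on_disassociation(self, mac: str) -> None:
        self.authenticated.discard(mac.lower())

    def decide(self, mac: str, proto: str, dst_ip: str, dport: int) -> Verdict:
        if mac.lower() in self.authenticated:
            return Verdict.ALLOW
        if proto == "udp" and dport == 67:
            return Verdict.ALLOW      # DHCP, so the client can obtain an address
        if proto == "udp" and dport == 53 and dst_ip == self.dns_ip:
            return Verdict.ALLOW      # DNS, only to the assigned resolver
        if proto == "tcp" and dst_ip == self.portal_ip and dport in (80, 443):
            return Verdict.ALLOW      # login page and credential POST
        if proto == "tcp" and dport == 80:
            return Verdict.REDIRECT   # any other HTTP request goes to the portal
        return Verdict.DROP           # default deny until login succeeds

def walk_through():
    """Replay the Figure 1(b) sequence for one constructed station."""
    gate = PortalGate(portal_ip="192.0.2.10", dns_ip="192.0.2.53")  # constructed
    sta = "02:00:00:00:AA:01"
    gate.on_association(sta)
    steps = [gate.decide(sta, "udp", "255.255.255.255", 67),
             gate.decide(sta, "tcp", "198.51.100.7", 80),
             gate.decide(sta, "tcp", "198.51.100.7", 443),
             gate.decide(sta, "tcp", "192.0.2.10", 443)]
    gate.on_auth_result(sta, success=False)
    steps.append(gate.decide(sta, "tcp", "198.51.100.7", 80))
    gate.on_auth_result(sta, success=True)
    steps.append(gate.decide(sta, "tcp", "198.51.100.7", 443))
    gate.on_disassociation(sta)
    steps.append(gate.decide(sta, "tcp", "198.51.100.7", 443))
    return [s.value for s in steps]
```

The gate is default-deny: a station it has never seen, or one whose login failed, gets the same treatment as a freshly associated one.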

3. AP with excellent functionalities and performance is the key

A good enterprise wireless AP should be able to meet
high functionality and performance standards to ensure
a certain level of service quality in the enterprise
wireless network. An AP must be able to do the following:

Supporting the latest WLAN standards

APs should support IEEE 802.11ac standards approved
in December 2013. Actually all recently released Wi-Fi
clients support 802.11ac. 802.11ac compatible devices
show 5 times better throughput than the previous
802.11n devices.

Number of stations that can be served concurrently

Usually dozens of Wi-Fi clients are connected to one AP
in an enterprise WLAN, and hence an AP should be able
to concurrently serve more than 100 Wi-Fi clients at
each radio interface (2.4GHz and 5GHz).

Guaranteed QoS

Airtime fairness feature should be supported to ensure
fair and balanced distribution of bandwidths to Wi-Fi
clients that are using wireless resources competitively.
Especially, APs should restrict bandwidth usage by slow
devices using old technology, 802.11a/b/g, to prevent
them from consuming too much radio resource, and
thereby degrading performance of the enterprise
WLAN.
APs should provide granular Quality of Service (QoS),
and bandwidth management capabilities on a per
application, per user or per SSID basis. QoS in the
WLAN is controlled according to the Access Category
(AC) policy defined in 802.11e.

Detection and protection from harmful traffic

APs should support a function to detect harmful traffic
coming from authorized Wi-Fi clients. Wi-Fi clients
may make a Denial-of-Service (DoS) attack or generate
harmful traffic due to virus or worm. Sometimes a CTS
jamming attack by an unauthorized Wi-Fi device results
in WLAN service quality degradation. In such cases, AP
controllers should provide detailed protection strategies
and policies to APs.

[Illustration: Airtime fairness for each Wi-Fi device]

[Figure 1. User authentication procedure in enterprise WLAN: (a) 802.1x-based authentication, (b) Web-based authentication. Message sequence diagrams between Station, SmartAir AP, DHCP Server, SmartAir AP Controller, Portal and AAA. Message labels shown: Association, PSK, EAP Req/Resp, RADIUS Access Req/Resp, RADIUS Proxy, DHCP (IP Allocation), HTTP Req, HTTP Redirect, HTTP Resp (Login Page), HTTP Post (Login Credential), Auth Req, Auth Result, Add Station, Remove Redirection Rule, HTTP Resp (Login Result), Intranet/Internet Access.]



4. What AP controller functionalities are essential?

Control And Provisioning of Wireless Access Point
(CAPWAP) is the international standard for AP and AP
controller, published by IETF as RFC-5415/5416. Using
this protocol, AP controllers can do AP control/
management and Wi-Fi client authentication. An AP
controller must be able to do:

Management of AP group configuration information


Integrated management of configuration data through
grouping APs that provide the same service is one of the
most critical features of an AP controller. If we had to
access each AP and change their configurations one by
one, it would be a time-consuming hassle. This is
why grouping is so useful: it groups
configuration information in the form of profiles,
making it easy to manage.

AP auto configuration & provisioning


Plug & Play (PnP), also called auto provisioning, should
be supported. According to CAPWAP standards, an AP
should access an AP controller, automatically
download its configuration, and apply it to complete
provisioning. Of course, AP firmware management
should be supported as well.

Station authentication and roaming


An AP controller should manage the master key (PMK)
passed from AAA (authentication server) after the Wi-Fi
client authentication process is completed. When a
Wi-Fi client is roaming between APs, the client should be
able to skip the re-authentication process with the AAA
to minimize its roaming time. The AP controller should
pass the master key to the new AP, and command it to
skip the authentication process with AAA when the
roaming client attempts to access the new AP.
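
One way the new AP can decide to skip AAA, as an added example rather than code from the article or from any product: the controller holds the PMK per station, and the new AP matches the PMKID offered by the roaming client, computed as IEEE 802.11i defines it. The cache class, function names, key and MAC addresses are constructed, and the use of PMKID matching is an assumption; the article does not say how the new AP recognises the client.

```python
import hashlib
import hmac

def mac_bytes(addr: str) -> bytes:
    raw = bytes.fromhex(addr.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def pmkid(pmk: bytes, ap_bssid: str, sta_mac: str) -> bytes:
    """IEEE 802.11i: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    msg = b"PMK Name" + mac_bytes(ap_bssid) + mac_bytes(sta_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

class ControllerKeyCache:
    """Hypothetical controller store: station MAC -> (PMK from AAA, expiry time)."""

    def __init__(self):
        self._entries = {}

    def store(self, sta_mac: str, pmk: bytes, expires_at: float) -> None:
        self._entries[mac_bytes(sta_mac)] = (pmk, expires_at)

    def revoke(self, sta_mac: str) -> None:
        # Called when the account is disabled or the session is terminated.
        self._entries.pop(mac_bytes(sta_mac), None)

    def lookup(self, sta_mac: str, now: float):
        entry = self._entries.get(mac_bytes(sta_mac))
        if entry is None or now >= entry[1]:
            self._entries.pop(mac_bytes(sta_mac), None)  # expired keys are purged
            return None
        return entry[0]

def on_reassociation(cache, ap_bssid, sta_mac, offered_pmkids, now) -> str:
    """Decision for the new AP: reuse the cached PMK or fall back to AAA."""
    pmk = cache.lookup(sta_mac, now)
    if pmk is None:
        return "full-802.1x"
    # The PMKID binds the key to this AP's BSSID, so one issued for another AP fails.
    expected = pmkid(pmk, ap_bssid, sta_mac)
    if any(hmac.compare_digest(expected, p) for p in offered_pmkids):
        return "skip-802.1x"   # the 4-way handshake still proves PMK possession
    return "full-802.1x"

# Constructed values for the walk-through.
PMK = bytes(range(32))
STA, AP1, AP2 = "02:00:00:00:aa:01", "02:00:00:00:00:01", "02:00:00:00:00:02"

def demo():
    cache = ControllerKeyCache()
    cache.store(STA, PMK, expires_at=3600.0)
    good = on_reassociation(cache, AP2, STA, [pmkid(PMK, AP2, STA)], now=100.0)
    stale = on_reassociation(cache, AP2, STA, [pmkid(PMK, AP1, STA)], now=100.0)
    wrong = on_reassociation(cache, AP2, STA, [pmkid(b"\x00" * 32, AP2, STA)], now=100.0)
    expired = on_reassociation(cache, AP2, STA, [pmkid(PMK, AP2, STA)], now=3600.0)
    return good, stale, wrong, expired
```

Every miss (unknown station, expired or revoked key, PMKID for a different AP) falls back to full authentication with AAA, so a cache problem costs roaming time rather than access control.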

RF resource control & management


In case of an AP controller used in an enterprise WLAN
with multiple APs, the fact that one AP's wireless traffic
can actually work as an interference signal to its
neighbor APs should always be considered. Therefore,
to maximize the quality of the entire WLAN service, an
AP controller should consider many related factors
when selecting Wi-Fi channels of each AP, and should
also have a feature that controls APs individually. Some
of the most common features that serve such purpose
are: auto channel selection, dynamic transmit power
control, self-healing or coverage hole detection and
auto-recovery, auto channel switching with interference
detection.

Load balancing and QoS guarantee


AP-based load balancing, also known as band steering
or band preference function, makes sure AP loads are
distributed to every radio interface provided by an AP.
AP controller-based load balancing, however, ensures
traffic loads are evenly distributed to each AP so that
every client is equally served. For even distribution of
traffic loads among APs, an AP controller monitors
signal strength and quality between AP and Wi-Fi
clients. Then when it detects an AP that can better serve
one of its Wi-Fi clients, it has the client roam to the new
AP.

HA clustering
An AP controller, if designed to concurrently manage
multiple APs with certain capacity (e.g. 256 APs all at
once), should support High Availability (HA) clustering
function.

5. Hidden cost of GUI-based management console

A GUI-based management console is a kind of EMS/
NMS supporting Operation, Administration and
Management (OAM) functions for network managers.
So, if a network manager wants to configure a
certain-sized WLAN, he should first consider the extra cost
for deploying a management console in the new enterprise
WLAN infra. A management console must have
the following features:

Map-based management of AP and Wi-Fi clients


A management console should support user-friendly
map-based location management of AP and Wi-Fi client
that can be easily used to check signal strength and
service coverage of APs. Also a feature that provides
roaming paths of Wi-Fi clients on the map can be very
useful.

Profile-based configuration management


As noted above, when managing a good number of APs,
a hierarchical approach can be very efficient. For
example, a network manager can configure profiles of
radio interface, SSID, security/authentication, VLAN
and QoS, and apply the profiles to AP groups as needed.

Inventory management of AP and Wi-Fi clients


A management console should have a feature for
managing a list of APs and Wi-Fi client information
(e.g. user ID, IP address, connection time,
authentication status, etc.), preferably with useful
functions like column filtering, searching and sorting
for easier management of many APs and Wi-Fi clients.


Alarm and statistics management


Alarm and statistics features are the most basic features
of the management console because network managers
can monitor service status by checking alarms and
statistics frequently. Not only that, if the diagnostic and
alarm features are available to monitor the network
connectivity between AP and AP controller, it can help
to detect network failure and respond fast accordingly.

Scheduled/unscheduled reporting
Scheduled/unscheduled reporting is also essential for a
management console because it allows network
managers to keep track of operation conditions in the
WLAN through email and/or SMS notifications sent
regularly. More detailed unscheduled reports should be
accessible through the management console.

Dashboard
Dashboard provides a page that shows the general
status of the entire network so that network managers
can instantly respond to network issues detected.

Wizard function
Wizard function helps network managers, even without
sufficient knowledge on WLAN, easily configure a
complicated enterprise WLAN by following
step-by-step instructions.

[Figure 2. SmartAir dashboard]

6. Ready for the IoT era

WLAN technologies have their advantages in that they
give you broadband bandwidth and wider service
coverage than other competitive technologies like
Bluetooth, Zigbee, Z-wave, etc. But, they also have their
disadvantages. They consume too much power, and
thus it seems impossible to configure a sensor network
where battery-powered IoT devices are directly
connected to Wi-Fi networks.
However, most IoT hub devices are cable-powered, and
thus can be easily connected to Wi-Fi interfaces. And
using a Wi-Fi network to access the Internet is likely to
be considered a very popular option in an IoT service
network architecture. Especially, networks like Wi-Fi
mesh or bridge that connect Wi-Fi APs will serve as a
perfect backbone for IoT because Wi-Fi networks can
securely deliver a large volume of traffic at a relatively
low cost. Therefore, what an enterprise WLAN solution
can do for the IoT would be one of the key factors in
selecting a network solution from now on.

Closing
The past 10 or so years witnessed drastic changes in
mobile communication: first the release of smartphones,
then Wi-Fi technology innovation like
802.11ac, and the advent of the IoT. These changes are
now making enterprise WLAN solutions evolve even
more, and faster. Enterprise WLAN solutions so far
have required AP and AP controller that support the
new technology, 802.11ac. But the coming IoT era will
require new solutions that can easily accommodate,
integrate and manage the increasing number of IoT
devices and hubs.

About Davolink

Since its establishment in 2000, Davolink has supplied
various types of access network devices to Korean
operators such as KT, SK Telecom and LG U+. In 2005,
the company developed home gateway equipped with
802.11 WLAN interfaces, and has been supplying about
500,000 units of ADSL2+ modems domestically and
globally (Netherlands, Tele2) so far.
In 2013, the company released Korea's first high
power AP (model: DVW-4038H) for enterprise that
supports IEEE 802.11ac standard, and an AP controller
(model: SC-2000) that can manage 4,096 APs
concurrently using the standard protocol CAPWAP
(RFC-5415/5416). Davolink's AP and AP controller have
been tested and verified by a reputed Korean testing
agency, Telecommunication Technology Association
(TTA). Since 2015, the company has partnered with
PCS (www.promelit.it), an Italian solution distributor, to
promote its enterprise WLAN solution, SmartAir, in
the European market.

Davolink, Inc. 112, Beolmal-ro, Dongan-gu, Anyang-si, Gyeonggi-do, 864-7, Korea


Email: overseas_sales@davolink.co.kr TEL: +82-31-387-3240 FAX: +82-31-387-3241 www.davolink.co.kr
© 2015 Davolink, Inc. All rights reserved. All brands and trademarks remain the property of their respective owners.
Davolink, Inc. reserves the right to modify the information and specifications in this publication without notice. Davolink, Inc.
assumes no responsibility for any errors or omissions.