How to boost your business Wi-Fi


Steve Cassidy

17 Jul, 2018

There’s a sense in many offices that Wi-Fi represents a great break for freedom – as if your old Ethernet infrastructure was some kind of authoritarian dystopia. There’s something romantic in that idea, but it’s apt to turn sour when the realisation dawns that an overloaded or poorly configured wireless network can be every bit as flaky as a wired one.

Indeed, the experience can be even more disagreeable if you don’t understand what’s going on. I’ve seen one business resort to adding more and more DSL lines and Wi-Fi-enabled routers, to try to resolve an issue where wireless users were intermittently losing internet access. Nothing helped: in the end, it turned out that the wireless network itself was working fine. The problem was the ISP rotating its live DNS servers in some baroque plan to knock out hackers or spammers.

So lesson one is: before you start planning to upgrade your wireless provision, first of all ask yourself what the problem is you’re trying to solve, and then investigate whether it could conceivably be caused by bugs or bottlenecks elsewhere on the network. If that’s the case then a large, expensive Wi-Fi upgrade project may be no help to you at all. You might get better results from simply spending a few quid to replace old trampled patch leads.

1 – Multiple services make for resilient networks

When people talk about «boosting» their Wi-Fi, they’re almost always talking about speed. But there’s no single way to increase the throughput of a wireless network.

It may be that you need a ripout and redesign of your entire setup. Or it might be a case of tracking down a misconfiguration, in which all the machines simply sit showing their busy cursors because of a poor DSL link or a foolishly chosen cloud dependency.

The culprit might not even be connected to your network: it could be a machine like an arc welder that generates RF interference as a by-product of its regular duties, and flattens the wireless connection of any device within a 10m radius. Upgrading your Wi-Fi is rarely just about picking a quicker router.

Speed isn’t the only consideration, either. Do you want to control or log guest accesses – or will you in the future? Should you prioritise internal staff or internal IT people’s allocated bandwidth? Might you even want a honeypot machine to divert and ensnare would-be intruders? These functions are likely to exceed the capabilities of your standard small plastic box with screw-on antenna ears.

If your Wi-Fi is important enough to warrant an upgrade then don’t limit your thinking (or your spend) to a slightly better router. Finally, think about robustness. Investing in multiple DSL lines with multiple providers makes it harder for random outages and blips to knock your business offline. Being able to route internally over an Ethernet programmable router (look for «layer 3 routing and VLANs» in the description) at least gives you some ability to respond on a bad day.

2 – Remember, it’s radio, not X-rays

If you’re ready to upgrade your wireless network – or to set one up for the first time – then you should start by taking a look at your premises. You need to work out how you can achieve reasonably uniform coverage. You can do the basic research by just wandering about the building holding a smartphone loaded with a free signal-strength metering app.

There are much more satisfyingly complex devices than that, of course. These may become useful when you have the problem of a wireless footprint that overlaps with that of your neighbours. The issue might be overcrowded channels, or it might be down to the general weirdness of RF signal propagation, which can mean that you get horrific interference from a next-door network that, by rights, ought to be weak and distant.

Almost never is the solution to boost the transmission power of your APs. Turning the power down on your base stations and installing more of them, in collections that make best use of wired back-links and collective operation, is much more likely to fix dead spots and interference than a single huge, throbbing, white-hot emitter in the corner of your office.

3 – Wi-Fi over a single cable

Once you start shopping for business-grade Wi-Fi gear, you’ll quickly encounter Power over Ethernet (PoE). This can be a convenient solution for devices that don’t draw much power and don’t necessarily want to be situated right next to a mains socket.

However, PoE can also be a dangerous temptation to the rookie network designer. «Look, it just runs off one wire – without the annual testing and safety considerations of a 240V mains connection!»

The catch is that the power still has to come from somewhere – most often a PoE-capable switch. This might be a convenient way to work if you want to run 24 access points from a single wiring cupboard with one (rather hot) Ethernet switch carrying the load. But very few businesses require that kind of density of access points. It’s more likely you’ll have only a few PoE devices.

So for your medium-sized office, you’ll probably end up acquiring and setting up additional PoE switches alongside your main LAN hardware – which is hardly any simpler or cheaper than using mains power. It also brings up the situation of having your wireless estate on one VLAN and everything else on another.

4 – Strength in numbers

More APs is almost always better than trying to increase signal strength. It does have implications for management, though.

Businesses taking their first steps beyond a traditional single-line DSL router often have a hard time converting to a setup where access control and data routing are entirely separate jobs from the business of managing radio signals, advertising services and exchanging certificates.

How you handle it depends – at least partly – on what sort of access points you’ve chosen. Some firms opt for sophisticated devices that can do all sorts of things for themselves, while others favour tiny dumb boxes with barely more than an LED and a cable port.

The larger your network grows, the more sense the latter type makes: you don’t want to be setting up a dozen APs individually, you want them all to be slaves to a central management interface. That’s especially so if you need to service a site with peculiar Wi-Fi propagation, handle a highly variable load or deal with a large number of guests wandering in and out of the office.

5 – The temptation of SSO

Single sign-on (SSO) is something of a holy grail in IT. The idea is that users should only have to identify themselves once during a normal working day, no matter how many systems they access.

It’s not too hard to achieve when it comes to Wi-Fi access, but it’s not a very slick system, on either the network side or the clients’. The bit of the Wi-Fi login cache that handles SSO, and decides if a password saved in a web page can be used to sign in to a particular WLAN, is also the bit that gets sniffed by hotel Wi-Fi systems to tag a single location as «definitely my home» and overcome all other applicants for the tag: set this attribute on your Wi-Fi for guests at your peril.

And while it sounds attractive to have to enter just a single password – after which a portfolio of machines, routers and cloud services will recognise your user as already validated – the reality isn’t as great. For one thing, people are used to typing in passwords these days: it isn’t a scary techie ritual any more. You don’t need to shield them from it.

Then there’s the continual and unresolvable fight between vendors as to who owns the authentication database itself. Nobody with a real job to do could possibly keep up with the in-depth technical mastery required to shift from one authentication mechanism to another – but that doesn’t stop various players from trying to tempt you to take up their system or proprietary architecture. The result is an unwelcome chunk of extra complexity for you to master.

6 – Beware compatibility gotchas

On the subject of proprietary approaches, it’s a fact that many base stations and Wi-Fi enabled devices just don’t work together.

Sometimes the problem is about range, or about contention (how many devices in total you can get into one repeater) or concurrency (how many devices can communicate at the same time). Other times it’s an idiosyncratic firmware issue, or some quirky issue with certificates on one side of the conversation, which renders the other side effectively mute.

I’ve seen plenty of firms run into these problems, and the result tends to be cardboard boxes full of phones, still with months on their contracts but unable to connect to the company WLAN since the last upgrade. It’s not a good look for the IT man in the spotlight: «You’ve broken the Wi-Fi!» is an accusation that always seems to come from the best-connected, least calm member of your company.

The real solution is to acknowledge the reality of compatibility issues, and plan for them. You don’t have to delve into the technical minutiae of your shiny new service, but you do need to work out how, and for how long, you need to keep the old one running in parallel to sidestep any generational problems. Thus, your warehouse barcode readers can keep connecting to the old SSIDs, while new tablets and laptops can take advantage of the new Wi-Fi.

If users are educated about this «sunset management» then hopefully they’ll feel their needs are being respected, and legacy devices can be upgraded at a manageable pace and at a convenient time.

7 – Manage those guests

One pervasive idea about Wi-Fi is that it can and should be «free». It’s a lovely vision, and it has perhaps helped push the telephone companies to cheapen up roaming data access – but within a business it’s a needless indulgence that makes it difficult to fully secure your IT portfolio. After all, it’s your responsibility not to get hacked, nor to facilitate someone else’s hack; opening up your network to all and sundry, with no questions asked, is hardly a good start.

That doesn’t mean you can’t let visitors use your network at all – but it does mean you should give them managed guest access. Think about how much bandwidth you want guests to have, and what resources you want to let them access. Do you want to treat staff and their personal devices as if they were visitors, or do they get a different level of service?

8 – What about cloud management?

The bigger your network grows – the more users, APs and network resources it embraces – the more important management becomes. And it’s not just about convenience but, again, security.

Our own Jon Honeyball became a fan of Cisco’s cloud-based Meraki management service when it enabled him to see that over 3,000 new devices had tickled his wireless perimeter in a week. It’s a statistic that makes for instant decisions in boardrooms. It’s very unlikely that all of these contacts were malicious. Most were probably just cars driving past with Wi-Fi-enabled phones.

Spotting the difference is where threat-detection systems really start to sort themselves into sheep and goats, and that’s something you can operate in-house: you don’t absolutely have to run all your devices from a vendor’s cloud service layer. Your local resources, like separate DSL lines and routers, already sit behind cloud-aggregated, collectively managed base stations.

If you’re in a business that doesn’t touch the Wi-Fi from one year to the next, cloud management may hardly matter at all. And while a cloud-based solution may seem to offer security advantages, it’s still necessary to protect your own network, so it’s not as if you can forget about security. Advanced password management for both users and administrators should be an absolute must for any cloud-managed Wi-Fi campuses.

Images: Shutterstock