Access Controllers are Key to WLAN Deployment

In the absence of adequate 802.11 security, quality of service, and roaming
mechanisms, companies such as ReefEdge, Bluesocket, and Nomadix offer access control solutions to strengthen
wireless LAN systems. The key component to these solutions is an access controller:
hardware that resides on the wired portion of the network between the 802.11
access points and the protected side of the network. Access controllers provide
centralized intelligence behind the access points to regulate traffic between
the relatively open wireless LAN and important network resources.

Access controllers apply to a wide range of wireless LAN applications. In a
public wireless LAN, an access controller regulates access to the Internet by
authenticating and authorizing users based on a subscription plan. A corporation
can implement an access controller to prevent a hacker sitting in the company’s
parking lot from gaining entry to sensitive data and applications.

Benefits worth considering

The use of an access controller reduces the need for "smart" access
points, which are relatively expensive and include many non-802.11 features.
Generally, vendors refer to these smarter access points as being "enterprise-grade"
components. Proponents of access controllers, however, argue that 802.11 access
points should focus on RF excellence and low cost and centralize access control
functions in an access controller that can serve all access points. These "thin"
802.11 access points primarily implement the 802.11 standard and not much more.

When using an access controller with "thin" access points, you can
realize the following benefits:

  • Lower Costs. Access points with limited functionality cost less,
    which generally results in lower overall system costs. This is especially
    true for networks requiring a larger number of access points, such as an enterprise
    system. The use of "thin" access points results in cost savings
    of approximately four hundred dollars per access point. In larger networks,
    these savings far outweigh the additional cost of an access controller, which
    costs on average about $5000.
  • Open Connectivity. "Smart" access points offer enhancements
    related to security, performance, etc. to the basic wireless connectivity
    that 802.11 offers. The problem in many cases is that you can only realize
    these enhancements if the users have 802.11 radio network interface cards
    (NICs) manufactured by the same vendor as the access point. This significantly
    reduces the openness of the system and limits the selection of vendors. On
    the other hand, "thin" access points can easily communicate using
    the basic 802.11 protocol with radio NICs made by multiple vendors while the
    access controller transparently provides enhancements, such as better security,
    quality of service, and roaming.
  • Centralized Support. An advantage of placing the smarts of the network
    in an access controller is that the system is easier to support, primarily
    because there are fewer "touch points" in the network. If all of
    the intelligence of the network is within the access points, then support
    personnel must interface with many points when configuring, monitoring, and
    troubleshooting the network. An access controller enables the access points
    to have fewer functions, reducing the need to interface with the access points
    when performing support tasks.

Important features

Access controllers generally provide port-based access control. When a user
attempts to utilize a network-based application, such as a Web site via a Web
browser, the access controller blocks access and redirects the user’s browser
to a login page. The user can then enter their user name and password, and
the access controller will authenticate the user via an authentication server.
The network application could, as an alternative, use digital certificates for
authentication purposes. The authentication server provides authentication and
authorization information that the access controller uses as a basis to regulate
the user’s access to the protected network. The user will have authorization
to use specific port addresses, such as "port 80" for Internet browsing.

When shopping for an access controller, assess the following features:

  • Authentication. Most access controllers
    have a built-in database for authenticating users; however, some offer external
    interfaces to authentication servers such as RADIUS and LDAP. Keep
    in mind the number of users and scope of your network when determining which
    authentication server type to use. For smaller, private networks, an internal
    database may suffice. If you plan to provide nationwide access, then an external
    centralized authentication server will provide better results.
  • Link Encryption. Some access controllers
    provide encryption of data from the client to the server and back, using
    security mechanisms such as IPSec and PPTP encrypted VPN tunnels. This
    provides added protection beyond what 802.11 WEP provides. Be sure that
    the access controller protects the transmission of user names and passwords.
  • Subnet Roaming. In order to support roaming
    from one network to another, access controllers generally provide subnet roaming
    that allows users to roam without needing to re-authenticate with the system.
    As a result, users can continue utilizing their network applications without
    interruption. This feature is especially useful for larger installations where
    access to the network for specific users will span multiple subnets.
  • Bandwidth Management. Because users share
    bandwidth in a wireless LAN, it’s important to have a mechanism to ensure
    specific users don’t hog the bandwidth. Access controllers provide this form
    of bandwidth management through the assignment of user profiles based on required
    quality of service levels. A profile specifies the types of services (e.g.,
    Web browsing, video streaming, etc.) and throughput limit. For example, an
    unsubscribed visitor to a public wireless LAN could be classified as fitting a
    "visitor" profile, which may only allow access to information related
    to the local hotspot and online subscription Websites. A subscriber, however,
    could have a different role that allows them to have access to the Internet
    at a throughput of 128Kbps. Users paying a premium could have higher
    throughput access, perhaps 3Mbps, for fast downloads and access to other higher
    end applications.
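
The port-based access control flow and the profile-based bandwidth management described above can be modeled together in a short decision routine. This is an added example, not code from any vendor named in the article; the class names, the port sets, the host name and the visitor rate are assumptions, and the throughput cap is enforced with a token bucket as one possible mechanism.

```python
import hashlib
import hmac
import os

# Constructed profiles: the 128 Kbps and 3 Mbps rates are the article's figures;
# port sets, host names and the visitor rate are assumptions.
PROFILES = {
    "visitor":    {"ports": {80, 443}, "kbps": 64, "hosts": {"portal.hotspot.example"}},
    "subscriber": {"ports": {80, 443}, "kbps": 128, "hosts": None},
    "premium":    {"ports": {80, 443, 554}, "kbps": 3000, "hosts": None},
}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    """Stand-in for the built-in user database or an external RADIUS/LDAP server."""
    def __init__(self):
        self.users = {}
    def add(self, user, password, profile):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt), profile)
    def authenticate(self, user, password):
        salt, digest, profile = self.users.get(user, (b"", b"", None))
        ok = hmac.compare_digest(_hash(password, salt), digest)
        return profile if ok else None

class AccessController:
    def __init__(self, auth):
        self.auth = auth
        self.sessions = {}  # client id -> [profile, tokens in bits, last refill time]
    def login(self, client, user, password, now):
        profile = self.auth.authenticate(user, password)
        if profile:
            self.sessions[client] = [profile, PROFILES[profile]["kbps"] * 1000, now]
        return profile is not None
    def decide(self, client, host, port, nbytes, now):
        if client not in self.sessions:  # unauthenticated: only the login redirect
            return "REDIRECT_LOGIN" if port == 80 else "DROP"
        profile, tokens, last = self.sessions[client]
        p = PROFILES[profile]
        if port not in p["ports"] or (p["hosts"] and host not in p["hosts"]):
            return "DROP"  # outside what the profile authorizes
        rate = p["kbps"] * 1000  # bits per second
        tokens = min(rate, tokens + (now - last) * rate)  # bucket holds one second
        ok = nbytes * 8 <= tokens
        self.sessions[client] = [profile, tokens - nbytes * 8 if ok else tokens, now]
        return "FORWARD" if ok else "THROTTLE"
```
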

Access controllers aren’t always the best solution for wireless LAN applications.
If you’re implementing a smaller network for a home or small office, then there
may not be enough benefit to offset the thousands of dollars for an access controller.
With only one or two access points, the more cost effective solution is generally
to use a "smart" access point to provide enhancements to the network.
Or, you might only need to deploy "thin" access points alone if security
is not of major concern and you have a limited number of users.

Jim Geier provides independent consulting services to companies
developing and deploying wireless network solutions. He is the author of
Wireless LANs (SAMs, 2001), and regularly instructs workshops on wireless LANs.
