roty80 Posted March 29, 2010
Hi, after a bit of advice. A member of SLT has secured some funding and bought a large number of Nintendo DSs, PSPs, iPods and netbooks. What he wants to do is have students walk around school using these devices and be able to use the network constantly, moving from access point to access point. Currently we have some Cisco Aironet 1200 access points and a few (but with more coming) 1130AG access points. We have never had the need to set up these access points for roaming in the past. It seems that it can be done by enabling 'Wireless Domain Services' on the access points and setting up a 'Cisco Secure Access Control Server'; unfortunately, a quick search of Google seems to suggest the ACS software is quite expensive (something we were never asked about when they were spending all the budget on netbooks). So how do you guys handle roaming? Do you use ACS or an alternative? I have looked at setting up Windows as a RADIUS server. Will this do the same job as Cisco ACS? And if so, how do you get it to work with non-Windows devices like Nintendos and iPods? From what I understand it installs a security certificate on the clients. We have also seen FreeRADIUS but not very hot on Linux here. I have seen there is a setting in group policy for wireless security which is obviously fine for the netbooks but again not for the other devices. I realise there are a few questions here, as you can probably tell not done any wireless in the past (except setting up at home) so any simple info gratefully received.
roty80 (Author) Posted March 29, 2010
Forgot to mention. It is a Server 2008 network so a Windows RADIUS server would be NPS not IAS.
tldees Posted March 31, 2010
It depends on how your network is set up. If your network is all in the same VLAN (or at least the wireless), then you can simply use the same SSID on all access points. Just make sure you are using different channels. Things get more complicated if you are using multiple VLANs, and therefore, different subnets. If I remember right, WDS is needed in this situation. RADIUS is only needed if you are doing EAP authentication.
Ric_ Posted March 31, 2010
With all the investment in Cisco APs you might want to look at their management controllers too. All your existing APs can be used as thin APs so will not need replacing. IIRC BlueSocket BlueSecure controllers can also manage these APs so that gives you another avenue to explore. You can set up the APs manually but it will take you more time and you'll have to set up channels and power levels using trial and error if you don't use WDS. I would recommend using VLANs to separate off the 'public' traffic. A managed system would also help with this.
maniac Posted March 31, 2010
"You can set up the APs manually but it will take you more time and you'll have to set up channels and power levels using trial and error if you don't use WDS."
This is how I've set up our wireless network, also on Cisco 1200 series access points, fairly old now, but perfectly functional. I use the free software you can download from the Cisco website to sort of manage them with - it allows you to easily copy settings between access points, and upgrade the firmware on them very easily as well. It will also draw you a rough map of them if they can see each other, although the power levels on ours are such that most of them can't detect each other properly; any stronger and they interfere with each other. Mine run on RADIUS back to 2003 IAS for authentication, and they roam pretty well - occasional drop-outs, but nothing too major. For power levels, I set them all at a low setting to start with, and did a lot of experiments and walking around with NetStumbler to see what APs are visible in different locations, adjusting power levels as necessary. After 6 months I've got it pretty well set up now, but it has taken time to achieve this. If the money is there to buy a proper controller to manage them with then I'd definitely go with this route, as it will make your life a lot easier. Mike.