No WDS needed - that will just slow you down.
Exactly the same security on all APs (and I strongly suggest WPA2).
Same SSID on all APs.
Different channels, spaced at least 3, but preferably more, apart; i.e. 1, 4, 7, 11. Or if AP1 can't see AP3 (or are very far apart), you can use like 1, 6, 2, 7 (or similar).
WRTs configured to be APs only (no WAN, plugged to wired net via a LAN port).
DHCP server OFF on all APs (use your "other" DHCP server).
Now a wireless client can move freely among all the APs, and you (just about) won't notice when it roams from one AP to the next.
WPA2 has a built-in protocol that facilitates "fast roaming". This helps when a mobile wireless endpoint moves from say AP1's coverage area to AP2's coverage area. The transfer is a bit quicker with WPA2 (not that its very slow with other schemes). How quickly a wireless client switches over from one AP to the next is determined by how aggressive the client is set to roam.
Also, use AES encryption (which you actually should if you set WPA2), as this has the lowest encryption performance penalty.
Importantly, if your OS and/or wireless supplicant allows you to specify the AP by MAC, don't, as this would then not allow free roaming. Just specify the SSID
No real advantage to using Radius in a small environment - in a bigger env., there's mainly 2:
1) Nobody knows (or should know) the WPA passkey at any specific time, as the Radius server and the client sorts that. A real machine-to-machine love affair - no humans involved...
2) Every user can have a different username/password, or certificate, or the likes. It makes managing many users MUCH easier, especially if you already have an authentication framework like eDirectory, Active Directory, LDAP, etc.
Never use WEP! Even if you use a VPN on top of WEP:
1) hackers may still gain access to your router, fiddle it, and then get to your network, even if they can't decrypt your web browsing or file sharing traffic. Your network link packets, etc. are running outside the on-top-VPN. (To get around this, in days gone by [I think], companies used a VPN concentrator that sits between the AP and the rest of the net, and then allowed only specific traffic past the VPN concentrator. This way an AP compromise was not such a big deal).
2) WEP slows you down. The WEP encryption scheme is all software/CPU. Add to that the VPN encryption, which, most likely, will even involve multiple passes to decode/encode, further slowing your traffic.
With WPA or WPA2:
1) You already have the strongest VPN (experts call it something like RSN - Robust Security Network) you can just about imagine, encrypting not only your payload traffic (web browsing, file sharing, etc.), but also your link packets and some other connection data. (Bear in mind though that this VPN exists only between the wireless client and the AP. Where the AP joins the wired net, it's all unencrypted again.)
2) With Rijndael (I think that's how it's spelled) encryption, more commony known as AES or AES-CCMP, part of the work is done by hardware (in the client adapter and the AP) in a single pass. Quick-quick... Just "no encryption" beats AES's speed.
If you use TKIP encryption with WPA/WPA2, you are somewhat - not much - less secure than with AES, but the bigger drawback is that TKIP takes you back to all software encryption. Slower.
So, to stop my rambling: If you don't use a VPN to encrypt ALL you data on your wired net, there's really no point in having a VPN at all - just use WPA2/AES on your wireless segments to encrypt your on-air stuff
Source
http://www.linksysinfo.org/index.php?threads/need-multiple-access-points-wds-or-just-same-ssid.23469/
Exactly the same security on all APs (and I strongly suggest WPA2).
Same SSID on all APs.
Different channels, spaced at least 3, but preferably more, apart; i.e. 1, 4, 7, 11. Or if AP1 can't see AP3 (or are very far apart), you can use like 1, 6, 2, 7 (or similar).
WRTs configured to be APs only (no WAN, plugged to wired net via a LAN port).
DHCP server OFF on all APs (use your "other" DHCP server).
Now a wireless client can move freely among all the APs, and you (just about) won't notice when it roams from one AP to the next.
WPA2 has a built-in protocol that facilitates "fast roaming". This helps when a mobile wireless endpoint moves from say AP1's coverage area to AP2's coverage area. The transfer is a bit quicker with WPA2 (not that its very slow with other schemes). How quickly a wireless client switches over from one AP to the next is determined by how aggressive the client is set to roam.
Also, use AES encryption (which you actually should if you set WPA2), as this has the lowest encryption performance penalty.
Importantly, if your OS and/or wireless supplicant allows you to specify the AP by MAC, don't, as this would then not allow free roaming. Just specify the SSID
No real advantage to using Radius in a small environment - in a bigger env., there's mainly 2:
1) Nobody knows (or should know) the WPA passkey at any specific time, as the Radius server and the client sorts that. A real machine-to-machine love affair - no humans involved...
2) Every user can have a different username/password, or certificate, or the likes. It makes managing many users MUCH easier, especially if you already have an authentication framework like eDirectory, Active Directory, LDAP, etc.
Never use WEP! Even if you use a VPN on top of WEP:
1) hackers may still gain access to your router, fiddle it, and then get to your network, even if they can't decrypt your web browsing or file sharing traffic. Your network link packets, etc. are running outside the on-top-VPN. (To get around this, in days gone by [I think], companies used a VPN concentrator that sits between the AP and the rest of the net, and then allowed only specific traffic past the VPN concentrator. This way an AP compromise was not such a big deal).
2) WEP slows you down. The WEP encryption scheme is all software/CPU. Add to that the VPN encryption, which, most likely, will even involve multiple passes to decode/encode, further slowing your traffic.
With WPA or WPA2:
1) You already have the strongest VPN (experts call it something like RSN - Robust Security Network) you can just about imagine, encrypting not only your payload traffic (web browsing, file sharing, etc.), but also your link packets and some other connection data. (Bear in mind though that this VPN exists only between the wireless client and the AP. Where the AP joins the wired net, it's all unencrypted again.)
2) With Rijndael (I think that's how it's spelled) encryption, more commony known as AES or AES-CCMP, part of the work is done by hardware (in the client adapter and the AP) in a single pass. Quick-quick... Just "no encryption" beats AES's speed.
If you use TKIP encryption with WPA/WPA2, you are somewhat - not much - less secure than with AES, but the bigger drawback is that TKIP takes you back to all software encryption. Slower.
So, to stop my rambling: If you don't use a VPN to encrypt ALL you data on your wired net, there's really no point in having a VPN at all - just use WPA2/AES on your wireless segments to encrypt your on-air stuff
Source
http://www.linksysinfo.org/index.php?threads/need-multiple-access-points-wds-or-just-same-ssid.23469/
No comments:
Post a Comment