edtech HD WLAN

Why K12 Schools Need Wi-Fi Design

Chalk drawing of WIFI

Enterprise Wi-Fi is expensive, very expensive. For schools with limited budgets and a responsibility to be good stewards of tax dollars, it is important to get it right, without spending more than necessary on the initial deployment, ongoing support, or fixing costly mistakes. Any savings can be used in other ways to improve education, so unnecessary spending on Wi-Fi can have an impact on the quality of education in schools.

That’s why it is critical for schools to work with Wi-Fi professionals to develop a sound design for the network before it is purchased and deployed. Fixing mistakes after the fact costs a lot of money. The usual “fix” of installing extra access points in areas where performance is poor can often make the situation worse, when the real solution might be to remove an AP or correct a bad channel plan.

What often happens is this: A vendor talks the school into purchasing one AP per classroom and then the channel planning is left up to auto-channel algorithms (known as RRM, or radio resource management). This is a very simple and seemingly easy way to get Wi-Fi in schools that doesn’t involve the headaches of procuring CAD drawings, performing multiple site surveys, collecting client device data, and other things that delay the installation of the Wi-Fi network and increase the up-front costs.

Don’t do it!

The big problem here is that this is extremely inefficient. Do schools need one AP per classroom? Some do, some don’t. You’ll only find out by doing a proper network design. Maybe the design process reveals that a school only needs one AP per two classrooms. A school like this that doesn’t bother with a design and just does one AP per classroom has spent 100% more money than it needed to.

Capacity issues aside, what about channel planning and radio transmit power control?Nearby AP’s on the same channel interfere with each other. Vendors love to tout their RRM as effective means to automatically set these controls optimally. Just turn it on and let the magic happen.

The truth is, RRM just can’t be trusted. It may work for a while, and then it changes something and it doesn’t. My experience has shown that RRM is fine for simple networks with few neighbors, but in the high density, busy RF environment of K12 schools it often fails miserably. Neighboring AP’s end up on the same channel resulting in interference with one and other. Transmit power goes up and down unpredictably. Your Wi-Fi network is an unpredictable moving target. What you measured and validated at one location one day is different the next day, and so on. The ongoing cost of supporting a network in this state is much higher than one that began with a proper design.

While some vendors’ RRM is better than others, no vendor is immune to this. A better solution is a proper design where channels and transmit power are determined by a Wi-Fi professional who is informed by years of experience and site survey data that RRM algorithms can’t factor into their decision making.

It is critical that schools include a proper Wi-Fi design in their Wi-Fi deployments to save tax dollars that would better be spent on other educational needs, and prevent many future headaches that result from over/under capacity networks and bumbling RRM algorithms. The Wi-Fi design process avoids these issues, and leaves schools with efficient, stable networks and the confidence in knowing that the network was validated against their needs, with the data to prove it.

Beyond the tax dollars, in a 21st century classroom, what is the true cost of poor Wi-Fi?


Uncategorized WLAN

This is How Wi-Fi Actually Works

I decided to write this blog because there appears to be a very common misunderstanding about how Wi-Fi works among end-users and even many network administrators as well. Instead of repeating myself, I can share this link with folks that need a little lesson in 802.11 operation.

Wi-Fi is does not work like AM/FM broadcast radio.

Well, in some ways it does, Wi-Fi radios transmit and receive radio frequency energy (RF) just like AM/FM stations do, but it’s operation is much more complex. If you are stuck in the AM/FM radio analogy, you’ll make several mistakes with Wi-Fi, such as:

  • Coverage is considered, not capacity. Again, if Wi-Fi were a one-way radio broadcast like AM/FM radio, you’d only need to provide a strong “Wi-Fi signal” for everything to work well. This leads you down this next path.
  • The “Wi-Fi signal” (using this term might be a tell that the person speaking is stuck in the AM/FM radio analogy) is too low, so crank up the AP’s transmit power to make it louder.
  • Every problem is thought of as an infrastructure problem, client radios are not considered when troubleshooting.
  • Getting hung up on the vendor’s name that is on the access point, without considering what is much more crucial, the overall design that went into the network.

How Wi-Fi Actually Works

Wi-Fi is not a one-way broadcast from AP to clients like AM/FM radio. This is not how Wi-Fi works:

Nope. Not like this.


It’s a network. The AP and clients connected to it must all be able to transmit and receive to and from each other, more like this:

Note that while the intended destination of a transmitted frame is usually just one other radio, real RF transmissions radiate in all directions, and are heard by all clients.


Because they are all operating on the same channel, each client or AP must wait for the others to stop transmitting before it can transmit. It works just like Walkie Talkie radios. Only one radio can transmit at a time, everyone else must listen and wait. Additionally, they all need to be close enough to hear each other so that they do not transmit overtop of each other, causing interference that corrupts the communications. The channel they are using is what’s called a shared medium.

If they can’t all hear each other, they will transmit overtop of each other which results in corrupted frames (not packets, Wi-Fi operates at layer 2) that must be retransmitted. The bigger the cell, the worse this problem becomes (the hidden node problem). So when you crank up the transmit power of an AP to increase its coverage, you exacerbate this problem, because the AP is now serving clients that are further apart from one and other.

In many networks, the majority of Wi-Fi clients are smartphones with low-power radios and meager antennas. They already have difficulty hearing other clients further away in the cell. For networks like this, performance can be greatly improved by lowering the transmit power of the AP rather than increasing it.

Further, because the channel is a shared-medium, it has limited capacity. There is only so much available capacity to transmit in a single channel. Faster clients can transmit, well faster, and therefore use less of that capacity, known as airtime. Older or cheaper clients that are slower use more airtime to transmit the same amount of data. It doesn’t matter what vendor’s name is on the access point, airtime is airtime. Once a channel is saturated, that’s it. You can’t add more clients to it without leading to degraded performance. You can’t alter the laws of physics. At this point you need to add another AP to utilize the capacity of a different channel, or replace slow clients with faster ones.

Regardless, it’s worthwhile to intuitively understand the nature of Wi-Fi networks, so that these common pitfalls can be avoided. Many other Wi-Fi best practices that I haven’t outlined here stem from this foundational knowledge. Based on this, can you think of other things that might affect Wi-Fi performance?


This is a simplification of 802.11 operation meant to give those new to the subject a casual understanding of how it works. Sometimes 802.11 frames are broadcast, one-way-only, from the AP to all clients in the network. Some management frames and broadcast frames from the wired network are broadcast this way. The important point to remember is that this is the exception, not the rule, and if all clients cannot hear each other, there is still the possibility that this broadcast traffic could be corrupted by another client transmitting over it.


Wi-Fi Load Balancing Considerations

When deploying a WLAN it’s easy to fall into the trap of enabling features you might not need, just because, well, you paid for them and they are cool. Often times a KISS approach results in better performance, but hey, look at this cool new thing it can do it!

Load balancing is one of those features. While it seems harmless enough, there are some scenarios that can get you into trouble.

For the uninitiated, WLAN load balancing is a feature that encourages clients to associate with the least-loaded nearby AP. Typically, a client will attempt to associate with the loudest nearby AP, without regard to how many clients are already associated (most AP’s don’t share that information anyway, but some do by using the BSS Load element within management frames). Most load balancing algorithms work by suppressing probe and association responses from heavily loaded AP’s so that a client either won’t know that it is there, or it will fail to associate with it. Hopefully the client will then attempt to associate with a different AP that has more capacity available to clients.

There are a couple problems with this to keep in mind. The most important problem is one the affects all clients. The AP has a very different view of the RF environment than the client does. What a highly sensitive, enterprise grade AP is capable of hearing is quite different from what a low-cost, consumer-grade Wi-Fi chipset can, and they are of course not listening from the same location either. It gets worse if that client radio is part of a smartphone tucked into a pocket or purse. In this example, the AP may think it’s safe to ignore probe and association requests from that client because it’s aware of three other nearby AP’s that are less-loaded, but the reality is that the smartphone can’t hear any AP but the one that is ignoring it.

And not all load balancing algorithms do what you think they do.  Some operate by simply limiting the total number of associated clients an AP radio will accept, even some that are described as “airtime-based” from my experience. The problem here is that this doesn’t take into account the actual airtime utilization, the truest measure of the load on an AP radio. Often, the airtime utilization is quite low when an algorithm decides the AP is too loaded and should push clients elsewhere. Say 30 clients are associated to one of the AP’s radios. If they are all idle, there is still plenty of capacity for others to associate as well, as very little airtime is being used. Make sure you know exactly how your WLAN’s load balancing works. Test it to make sure it does what it claims it does, and set your limits high.

Here are some examples where load balancing can causes problems:

  • A high school classroom fills with students.  As they enter the room, their smartphones, which were already configured to join the WLAN, automatically roam to the loudest nearby AP. The teacher asks the students to get out their laptops as part of her lesson. The laptops now try to connect, but the nearby AP already has 30 smartphones associated to it, so it ignores the probe and association requests from the laptops. The best case scenario is that the laptops are able to associate with another nearby AP, albeit at a lower data rate than the louder AP. The worst case scenario is that client’s Wi-Fi radio drivers won’t budge, and continually fail to associate with the loudest AP (which is ignoring them), or the neighboring AP that the loaded-AP is trying to push new clients to is actually too distant for the new clients to hear. But the smartphones are all nearly idle, so it would have been better for the laptops to associate with the louder AP.
  • The school media center is used to store several carts of iPads. The iPads are not powered-down before being stored, so they all associate with the media center AP. Visitors to the media center have difficulty connecting to the network in the media center, because the algorithm believes it is heavily loaded and ignores requests to associate to the media center AP. The media center AP can hear another AP well, but most visiting clients in the media center cannot. The visiting clients cannot connect to the WLAN, yet in this case as well, the AP is actually not loaded at all. The iPads are completely idle and using almost no airtime.

Here is the where load balancing makes sense:

  • In areas where you can reasonably anticipate that a single AP radio may become overloaded, such as a cafeteria, gym, or performance space.
  • In areas where multiple AP’s are very close to one and other and create tightly overlapping coverage cells. This helps mitigate the problem of  clients and AP’s having a differing view of the RF.
  • Nowhere else. Only use load-balancing when both of the above criteria are met.
Hotspot 2.0 WLAN

Yes, Hotspot 2.0 is the Future of Secure Guest Wi-Fi

Since first blogging about Hotspot 2.0 and its application to typical enterprise WLAN guest networks I’ve learned quite a bit more thanks to several helpful tweets from Dave Wright of Ruckus Wireless. Although the large majority of the focus of Hotspot 2.0 still seems to be on integration with cellular carriers for AAA services and all the complexity and exclusivity that entails, there are provisions for simpler, anonymous, and secure Hotspot 2.0 guest networks that are much closer to what the typical enterprise WLAN operator will actually deploy. As I’ve said before, authentication is not a priority for most WLAN operators on their guest network, but encryption certainly is.

Is it the holy grail of guest Wi-Fi? Maybe, but more on that after we look at the Wi-Fi Alliance Passpoint (Release 2) Deployment Guidelines. In all 61 pages of the document, there are these few paragraphs devoted to what I predict to be the most common use of Hotspot 2.0.

12. Free Public Hotspot 2.0-Based Hotspots 

Hotspot Operators may provide Hotspot 2.0-based free, public, hotspot service. In this particular service, Hotspot Operators have the need to ensure hotspot users have accepted the terms and conditions governing their hotspot’s use, but are not interested in knowing (or do not wish to know/track) any particular user’s identity. This functionality is provided by Hotspot 2.0 Release 2 infrastructure. The Hotspot Operator configures their infrastructure as follows:

  1. The user in a Free Public Hotspot initiates the online sign-up registration process with the Free Public Hotspot’s OSU server.
  2. During the registration exchange, the OSU server presents the terms and conditions to the user.
  3. If the user accepts the terms and conditions, the OSU server issues a credential; if the user refuses, no credential is provisioned. Note that the same credential is issued to all users which have accepted the terms and conditions; therefore, the Hotspot Operator cannot track the identity of an individual user during the Hotspot 2.0 Access state (see section 6).
  4. When the user/mobile device returns to the same Free Public Hotspot, the previously provisioned credentials are used to provide secure, automatic access. The mobile device authenticates using EAP-TTLS, which provides for the generation of unique cryptographic keying material even though users share a common password.

If the terms and conditions change, then the user is taken through a subscription remediation
process during which the new terms and conditions are presented. If the user accepts the
changed terms and conditions, then a new credential is provisioned. 

There you have it. Hotspot 2.0 does provide for anonymous and secure guest networks. In short, 802.1X/EAP authentication is accomplished with EAP-TTLS through a common credential that is issued after the signup process. In fact, this has already been deployed by the cities of San Jose and San Francisco. To get an idea of how it works from a user’s perspective, check out the directions here.

Yes, you can do this all without Hotspot 2.0 in a less elegant way: Add a notice to your guest network captive portal that users can login to the secure network with a specific generic credential, and even a link to download a .mobileconfig profile for iOS and Mac OS users. However, the user experience won’t be standardized like it is with an OSU server, and non-Apple users will have to manually configure a connection to the 802.1X network, including adding a cert to their trusted roots. Not good UX. And definitely not fast, free, and easy.

The bad news: With Hotspot 2.0, the guest network captive portal is here to stay.

The good news: Users only have to wrestle with the captive portal once (unless the client credential is changed). And perhaps the technology behind the portal is more mobile client-friendly than today’s captive portals. Hopefully a HS2 client sees the OSU server being advertised by ANQP and immediately presents a notification to the user. If the user doesn’t play ball, the client should disconnect and the SSID should not be saved as a preferred SSID.

The great news: This is a lower-friction way to get secure Wi-Fi to guests.

Is this the holy grail? That depends on what you think that is. To me, the barrier to entry is low enough that I think this is a win for guest Wi-Fi.

Another wrinkle: The Hotspot 2.0 802.1X network can still be configured to automatically connect guests from known realms. That means that you could add eduroam and the coming anyroam realms to the SSID to onboard users from those participating organizations securely and automatically. And yes, no captive web portal either. So if the opportunities to integrate with AAA clearinghouses grow (exist at all?), the number of users subjected to the captive portal shrinks.

I’m sure there are concerns regarding the possibility of new SSID’s. Luckily, a legacy open guest network can serve Hotspot 2.0 incompatible clients while also delivering the Online Sign Up portal to compatible clients. That means no new SSID’s.

For the visual learners among us, your typical enterprise WLAN might look like this now:

A typical enterprise WLAN
A typical enterprise WLAN

To support secure Hotspot 2.0 guest clients, it might look like this in the future:

A Hotspot 2.0-enabled enterprise WLAN
A Hotspot 2.0-enabled enterprise WLAN

I’m looking forward to seeing gear get updated to support Hotspot 2.0 Rev 2 so we can see this in the wild. Ruckus is doing a great job banging the drum for Hotspot 2.0, but other vendors seem to be further behind. Client support is not great (come on, Android), but Apple has supported it since iOS 7, so here’s hoping that will drive others to follow suit.


K-12 Needs eduroam Too

As eduroam sweeps across higher education in the United States, I think it’s worth considering its place in K-12 as well. After all, every university and college that joins eduroam is within the boundaries of a K-12 school district, and a longstanding relationship is likely to exist between those institutions.

Where I work, we have Miami University within our district boundaries. Miami has a highly regarded education program and dozens of Miami students student teach at our schools everyday. Miami faculty and staff send their kids to our schools, they volunteer here, and they regularly attend school functions. We maintain a formal partnership with the university.

Our teachers and staff take classes at Miami, teach classes, send their kids there, and attend events at Miami. Some of our high school students attend post-secondary classes there as well. In other words, there is a regular flow of visitors back and forth between the institutions.

Because Miami is an eduroam member, it made perfect sense for us to join too. Visitors from our district could gain automatic and secure Wi-Fi access at Miami, and visitors from Miami could have the same at our district. That’s why I pushed to deploy eduroam at my district, making us the first K-12 institution to join eduroam in the United States.

But what about K-12 schools that don’t have higher education institutions nearby? I think there is still a case to be made for eduroam for these districts too.

Quoting the eduroam US FAQ:

Our institution already has great guest Wi-Fi, why do I need eduroam?

eduroam is not a replacement to your guest network, it is a complement to make your guest network and your community compatible with other eduroam participants.

Enabling eduroam on your campus provides four main features:

  1.  it allows your campus to welcome eduroam enabled visitors in a strongly authenticated way (the strong authentication also provides a way to authorize users to different resources)

  2. it allows your own users to travel to eduroam enabled locations around the world (some places only have eduroam as a guest Wi-Fi)

  3. it saves provisioning time to your institution and to the visitors since authentication is automatic and access is immediate

  4. it improves security since your visitors use a standard protocol (WPA2-enterprise, 802.1X) that encrypts traffic between their devices and the Wi-Fi infrastructure

Doesn’t all of this apply to K-12 as well?

I think it does. K-12 school districts aren’t isolated islands. Teachers attend professional development at neighboring districts, students travel for field trips and athletic events, teachers and leadership attend meetings at local education service centers. Some even share employees who split their time between multiple districts. There is a lot of educational roaming occurring within today’s K-12 community.

802.11ac WLAN

WLAN Vendors: The NBASE-T Ball is in Your Court

I’m going to echo the position of Marcus BurtonLee Badman, and Andrew von Nagy. Despite the marketing push, there really is no need for > 1 Gbps link to a 802.11ac Wave 2 AP. Not at the access layer at least.

This Wi-Fi gauge goes up to 6.8 Gbps, so that means we need a 10 gig port for every AP, right?

Back to reality: 802.11ac Wave 2 is roughly 7 Gbps max with 8 spatial streams and 160 Mhz channel bandwidth, but most will use 4 spatial streams at max, cutting that in half. If you’re lucky you’ll will use 40 Mhz wide channels, cutting that four-fold. Then take off another 40% for layer 2 overhead and you get roughly 500 Mbps at half duplex on the wire. Maybe a gigabit with 80 Mhz channel width and absolutely ideal conditions that don’t exist outside of the lab.

Even if you have room for 160 Mhz wide channels, which might be possible if the FCC expands 5 Ghz unlicensed spectrum and then client adapters are updated to support those new channels, what is it that clients are using that calls > 1 Gbps of throughput? Remember that Wi-Fi is access layer technology. What applications are you supporting today or anytime in the foreseeable future that call for > 1 Gbps to a small group of clients?

Probably nothing coming over a WAN link. That leaves LAN applications. The list of potential applications provided by the NBASE-T Alliance doesn’t establish the need very well. Security cameras and signage systems?

It’s hard to think of many scenarios where it will be necessary to provide > 1 Gbps of throughput at the access layer. I can’t think of any of those that wouldn’t be better served by a wired solution.

Point to point Wi-Fi links in the distribution layer could benefit from NBASE-T, but how short must those links be to support 256 QAM, and is 8 spatial streams really possible outdoors with limited multipath? I don’t know the answers to those questions, but I don’t imagine that many locations exist that need > 1 Gbps of throughput that haven’t already provided that with fiber. We’re talking serious edge cases here, not typical enterprise Wi-Fi.

In any event, despite the hype, it will be a long time before the need for > 1 Gbps switchports extends outside of the network core and distribution layers.

WLAN vendors have an important decision to make here. Because 802.11ac appears to be the major justification for NBASE-T switches, I imagine they are under a lot of pressure right now. To get real interest in these new NBASE-T switches,  AP’s will have to be built with NBASE-T interfaces that use the faster speeds. I assume that those interfaces will be more expensive than standard gigabit interfaces. Given that NBASE-T supports 10 Gbps I bet they will be a whole lot more expensive than the gigabit interfaces used today. Just a guess though. Time will tell what this stuff really costs.

Will WLAN vendors become accessories to this marketing crime and include these potentially expensive interfaces in their Wave 2 AP’s? Aruba and Ruckus recently joined Cisco in the NBASE-T Alliance. We’ll have to wait and see their plans for the technology.

I hope that 802.11ac Wave 2 enterprise AP’s are still made with standard gigabit interfaces. Speciality AP’s like those used in point to point links could benefit from multigigabit interfaces, but the AP’s that are sold by the dozens for typical enterprise purposes do not. The added cost of an underutilized NBASE-T interface is not justified by real world needs.

Perhaps the usual product cycle will repeat itself. The first Wave 2 AP’s will have the highest end hardware and NBASE-T interfaces. Then the mid- and low-range AP’s that follow and actually get sold will have gigabit interfaces.

Whatever the case, it’s going to be interesting to see how the marketing hype about 802.11ac Wave 2 evolves as more people get clued in to its real world performance.

Hotspot 2.0 VoWiFi

Hotspot 2.0 Can Disrupt the Cellular Marketplace

When it comes to cellular in the U.S. there are two major carriers, AT&T and Verizon, and everybody else. While Sprint and T-Mobile both also compete in the national market, they have far fewer subscribers and a reputation for poor coverage. This has essentially been the state of affairs since Cingular bought AT&T Wireless in 2004 and continued business using the AT&T brand. There are some smaller regional competitors, but their market share is limited, and their customers roam onto one of these national networks when they leave their regional service area.

I think the combination of Hotspot 2.0 and Voice-over-Wi-Fi (VoWiFi), or “Wi-Fi Calling” as it’s known has the potential to disrupt the current cellular marketplace dynamics.

Sprint and T-Mobile have been dropping their prices to try to attract customers away from the Big Two (AT&T and Verizon) for years, even offering to pay early termination fees and give trade-in credit for phones, but it appears that this has largely been unsuccessful. When you can’t make a call from within your own home or office, who cares how cheap the service is?

Part of the problem for T-Mobile is that a lot of the spectrum they own is higher frequency than their competitors, so it doesn’t penetrate buildings as well due to the increase in attenuation that occurs as wavelength decreases. That’s a tough problem to solve.


VoWiFi and Hotspot 2.0 can change all of that.

VoWiFi extends the network’s voice coverage into the subscriber’s home and office, where subscribers can easily connect their phone to the W-Fi network, which takes care of that concern. Sprint and T-Mobile could also partner with SOHO Wi-Fi router manufacturers so that Hotspot 2.0 roaming integration was preconfigured for their networks on these products. Imagine if a subscriber could buy a NETGEAR “T-Mobile Edition” router and have VoWiFi calling work out of the box, without any configuration on their phones.

Imagine if Sprint and T-Mobile aggressively pursued Hotspot 2.0 integrations with major public Wi-Fi providers. Their subscribers would have seamless VoWiFi coverage in the areas where they currently have the biggest problem: indoors. As public Wi-Fi continues to expand, the voice coverage for these carriers could expand right along with it.

In fact, if we assume a properly designed WLAN, in very high density environments the indoor service for these carriers could be superior to the Big Two. Ever go to a ballgame and been unable to make a call or use data in a full stadium? That’s a common experience and Wi-Fi roaming integration solves that. Wi-Fi was designed to meet LAN access needs like this. Why not actually use it that way?

This could make Sprint and T-Mobile attractive again. Although I don’t imagine the costs would be very significant as it doesn’t involve building new towers and deploying more of their own hardware, they would probably need to compensate large public Wi-Fi operators for the use of their networks. That would allow them to keep their service priced below the Big Two.

Cellular data offload is commonly thought of as a driver for the adoption of Hotspot 2.0. Voice coverage expansion for smaller carriers may be more important.


Channel Planning isn’t Easy for Algorithms

If you’ve ever had to create a manual channel plan where spectrum is scarce, you know how hard it is to get it right. You run out of virgin spectrum, then the difficult choice of channel reuse is encountered. Often, what looks acceptable on an architectural plan, doesn’t hold up to post-deployment validation. Two AP’s 6 classrooms away on the same channel can hear each other at a loud and clear -65 dBm RSSI. Reuse the same channel in the classroom directly above, and the signal disappears below the noise floor. An extra inch of concrete make all the difference. To get it right, you have test, change, check, test, change, check, etc.

A 2.4Ghz channel plan

Given the challenge, it’s no surprise that I’ve never encountered an automatic channel selection algorithm that produced better results. At least, not in high density designs where spectrum is scarce, which is more and more just about everything I design. AP’s directly adjacent to one and other end up on the same channel, blasting away at max transmit power.

Speaking of power, I’ve also never encountered an algorithm that satisfactorily handled transmit power control in a high density network. They always turn things up WAY too high. As in, I’m manually taking AP’s that were auto-set from 12-20 dBm down to 4-6 dBm to shrink their cells away from the AP’s that share their channel. That can mean a 10x reduction in power! And even when power levels are auto-set to an acceptable level, I’ve yet to meet an algorithm that proportionally adjusts an AP’s receive sensitivity to accommodate the smaller cell.

Another thing algorithms don’t do well is handle DFS channels. I use DFS channels in many high density designs, but there are always some clients that don’t support them. The best thing to do in that case is to evenly distribute DFS channels throughout the WLAN, and only use them where AP density would otherwise cause non-DFS channel overlap. In those environments I like to alternate non-DFS channels with DFS channels so that clients without DFS support are still within range of a 5 GHz radio they can use. My experience with channel selection algorithms has been that a group of adjacent of AP’s may all be set to a DFS channel, creating a 5 Ghz dead-zone for clients that don’t support DFS channels.

What gives?

This is all too bad because auto channel/power features would be ideal as it dynamically adjusts to changes in the RF environment. A neighbor puts up a new AP on one of your channels and, without intervention, the algorithm moves your AP to clean spectrum elsewhere. In urban environments, this is a highly desirable feature because there is so much RF in your environment that is out of your control.

Every WLAN vendor offers automatic channel/power selection. They all ticked that box a long time ago. But who’s got an algorithm that actually works?

edtech Hotspot 2.0 WLAN

eduroam – Secure, Automatic Roaming Between WLAN’s

eduroam (education roaming) is the secure worldwide federated network access service developed for the international research and education community.

I’ve been really intrigued by the WLAN phenomenon eduroam which has swept across much of Europe and is being deployed in many US universities this academic year. This is a secure WLAN roaming technology, but it doesn’t require Hotspot 2.0/Passpoint/802.11u/Rev 1/Rev 2 (whatever you want to call that).

Participating institutions put up an ‘eduroam’ SSID with 802.1X authentication, and on the back-end authentication is handled by the authenticating user’s home institution’s RADIUS server, rather than the local server of the WLAN. That allows users to establish secure connections to any participating institution’s WLAN.

To get a user on the WLAN, RADIUS requests are proxied by the local RADIUS server to the eduroam regional or top-level RADIUS routing servers. The eduroam server inspects the username in the request for the domain, e.g., matches the realm ‘,’ and then proxies the request to the users home institution’s RADIUS for authentication. The home institution’s server then responds through the same proxying scheme.

eduroam RADIUS routing example
eduroam RADIUS routing example

For users, it ‘just works.’ They connect to the SSID once and add it to their preferred SSID list just like any other network, then their device automatically connects securely wherever they see the eduroam SSID. Could be another university, could be a coffee shop, or even an airport.

For participating institutions, they just need to configure a few RADIUS proxying rules for users outside of their institution, and then users from hundreds of institutions around the world can securely connect to the WLAN.

If my understanding of Hotspot 2.0 is correct, the future for eduroam may be very bright. In a HS2 WLAN, a separate eduroam SSID isn’t needed. eduroam could register to become a HS2 roaming hub, then WLAN operators advertise eduroam through ANQP as a supported roaming hub on their existing 802.1X SSID, and then eduroam users will automatically connect to it. Fewer SSID’s is always better.

While all the talk about HS2 is about offloading cellular data onto Wi-Fi networks, there is real potential here for more useful federated authentication for everyone-not just cellular subscribers. eduroam is the model for that.

Hotspot 2.0 WLAN

Hotspot 2.0: The Future of Guest Wi-Fi?

Hotspot 2.0 is a technology that leverages 802.11u and service provider authentication systems to connect clients to WLAN’s securely and automatically. For example, an owner of a Verizon Samsung Galaxy S5 with Passpoint enabled who comes within range of a Hotspot 2.0-enabled SSID which can serve Verizon customers will automatically connect to the WLAN, secured by WPA2, with no user interaction.

At least, that’s how I understand the most common use case for Hotspot 2.0 and 802.11u. Personally, I have other ambitions for the program and currently it isn’t at all clear what else Hotspot 2.0 is capable of.

I’m encouraged to see that Hotspot 2.0 Release 2 provides a public key infrastructure and pre-installed trusted root certificates on clients for use when forming secure connections to WLAN infrastructure components.

What I’d really like to see if that PKI infrastructure used in a manner similar to HTTPS, so that clients securely connect to an “open” SSID, use EAP-TLS to evaluate the server certificate against its trusted roots, and establish a WPA2 protected connection without any client-side credentials or cumbersome captive portal registration process. 802.11u data can be presented to the client for use in evaluating the certificate. To me, that is the holy grail for WLAN guest networks.

Authenticating users through carrier AAA isn’t important because very few WLAN operators want/need to know the identity of users on their guest networks (with the exception of retail, I suppose).

I must say that I cringed when I read that Release 2 includes “portal based signup.” Hopefully this is substantially different from the extremely mobile-unfriendly process of current captive portal technology. Either way it will be an obstacle to onboarding users. Guest Wi-Fi should be frictionless.

I’m not interested in authenticating guest users on the WLAN, but I do want them to have a secure connection. It would be awesome if WLAN operators could opt-out of all that AAA integration complexity required by Hotspot 2.0 and just use the PKI infrastructure to run an open, encrypted WLAN for guests. This would allow more clients to connect securely as well, rather than only smartphones with with carrier agreements and users that suffer through a portal-based signup process. Will this be possible? I certainly hope so.