Showcase
Wireless LAN Deployment at Microsoft
Supporting the Mobile Knowledge Worker
Published January 2002
Agenda
- Wireless Local Area Network (WLAN) description
- Information Technology Group (ITG) WLAN deployment project
  - Drivers
  - Schedule and tasks
  - Requirements
  - Piloting
  - Results
- Engineering considerations
- Security considerations
- Installation approach: concealed system
- Lessons learned
- Reference information
What is Wireless LAN (WLAN)?
- Personal area: Bluetooth, Infrared Data Association (IrDA)
- Local area: Wireless LAN (WLAN)
- Wide area and metro area: cellular-based mobile data (CDPD/GPRS), fixed microwave wireless (LMDS/MMDS), Wireless Local Loop (WLL)
- Global and universal area: satellite data networks
ITG WLAN Deployment Project Drivers
- Executive call to action
  - Microsoft is developing software for wireless environments
  - Multiple user requests for WLAN
- Technology deployment to increase user mobility
- Standardization and interoperability
- Pilot
  - Puget Sound area buildings
  - Deploy to worldwide subsidiary offices as budget and local regulations permit
ITG WLAN Deployment Project Schedule and Tasks
- 150-user proof of concept (3 months)
- Submitted RFI for 802.11b products (1 month)
- Two RFI finalists selected; both lab tested
- Pilot: four buildings, more than 600 users (2 months)
- Completed Engineering and Operations Standard design documentation (1 month)
- 63-building campus wireless deployment (8 months): 1300+ access points (APs)
- Worldwide wireless deployments (ongoing): 1200+ APs
- 802.1X enhanced wireless security deployment (1 month): covered 70 buildings in the Puget Sound area and 23 remote locations
ITG WLAN RFI Infrastructure Requirements
- Network administration of APs
  - Full support for the Simple Network Management Protocol (SNMP) MIB-II Management Information Base (MIB)
  - 802.11 extended MIBs
  - HP OpenView integration
  - Scalable, scripted AP firmware and configuration updates
  - Little to no user account administration, but secured
- Enterprise installation considerations
  - Low cost for all hardware
  - Power supply configuration options
  - Inexpensive plenum installation
  - Variety of antenna solutions to increase or direct radio frequency (RF) coverage
- Security
  - Encryption and authentication of the wireless link
  - Secured administrative access to wireless APs
  - No removable cards from APs
ITG WLAN RFI Infrastructure Requirements (continued)
- 802.11b installation with an infrastructure migration path to 802.11a
- Troubleshooting tools for end user and infrastructure
- Windows® Hardware Quality Labs (WHQL)-certified driver support
  - Windows XP and Windows .NET Server
  - Windows CE 2.11 and Pocket PC
  - Windows NT® 4 and Windows 2000
  - Windows 98 and Windows 98 SE
- Adapter types
  - PC Card (primary choice)
  - PCI and USB
  - Mini-PCI or other integration in laptops
ITG WLAN RFI Infrastructure Requirements (continued)
- Health and safety issues
  - FCC approved
  - Support to address health and safety issues: documentation, Web sites, Q&A sessions, contact information
- Wireless home LAN hardware solution
  - Under $250
  - Easy to use and support
  - Must promote security: Wired Equivalent Privacy (WEP)
  - Provides Network Address Translation (NAT)/Dynamic Host Configuration Protocol (DHCP) function
  - Variety of products and accessories: hubs, routers, external antennas, and wireless repeating
  - Robust support for home users provided by vendor
ITG WLAN RFI Infrastructure Requirements (continued)
- Installation considerations
  - Power supply configuration options
  - Inexpensive plenum installation support
  - Flexible antenna solutions to increase coverage area
- Worldwide deployment
  - Worldwide certification and support
  - Manage differing RF and security requirements across different countries
ITG Aironet/Cisco Pilot
- Pilot WLAN in three buildings and one cafeteria
  - More than 600 users participated
  - PC Card adapters only
  - 112 Aironet 4800B 802.11b APs
  - 11 megabits per second (Mbps) shared connection
  - 128-bit shared WEP key
  - Installed APs using existing wall power and network connections
- Surveyed users at the end of the pilot
  - Greater than 50% response rate
WLAN Pilot Survey Results
- 50% saved 0.5 to 1.5 hours per day due to their WLAN connection
- 10% used Windows CE devices
- 18% wanted PCI desktop support for testing, demos, and home networking
- 24% used WLAN for more than six hours per day
- 93% used their computer in new locations (in conference rooms, hallways, or in other employees' offices)
- 72% could work without a wired connection
- 88% were interested in purchasing WLAN equipment for use at home
- 66% felt they could run any application or installation over the WLAN connection
WLAN Pilot Operational Recommendations
- Require concealed installations (reduces user RF health and safety concerns)
- Require multicast application support
- Require client and infrastructure troubleshooting tools
WLAN Engineering Recommendations
- AP placement (to minimize the user/AP ratio)
  - Decrease cell size (to a 10 meter radius)
  - Increase cell density
  - Overlapping cells via channel configuration
  - Force 5.5-11 Mbps connections only
  - Mitigate possible Bluetooth interference
  - Create a migration path to 802.11a
- Single broadcast Service Set Identifier (SSID)
  - Enhanced usability with the Windows XP Zero Configuration wireless client
- Client and helpdesk troubleshooting tools
  - AP Monitor in Windows XP
WLAN Engineering Recommendations (continued)
- Each separate building has a dedicated DHCP subnet for WLAN
  - Enables seamless roaming within the building
  - Limits the broadcast domain to the building (a subnet boundary bounds broadcasts, not collisions, which are per AP cell)
  - Restricts NetBIOS access to that building segment
  - Utilize Windows 2000 and Windows XP automatic DHCP renewal when changing subnets
  - Enhances security
- Low voltage wiring or inline power
  - To enable cold booting of APs from a centralized or remote location
- Easy client setup: Plug and Play
- AP load balancing
802.11b Security Concerns
- WEP
  - A single shared key is required across the enterprise
  - The 802.11b standard is only 40-bit; 128-bit (a 104-bit key plus the 24-bit IV) is proprietary
  - WEP keys are not dynamically changed and are therefore vulnerable to attack: every frame is encrypted under the same key, differing only in a 24-bit IV sent in the clear, so keystreams repeat and key-recovery attacks can accumulate traffic indefinitely
  - Using a PC-based tool and an 802.11b antenna, a 128-bit WEP key can be hacked within two hours, and a 40-bit key within 40 minutes
  - Difficult to change or administer
- Media Access Control (MAC) address filtering
  - Not scalable
    - The exception list must be administered and propagated to all APs
    - The list may have a size limit
  - A MAC address must be associated to a user name
    - The user could neglect to report a lost or stolen card
    - The user could change the MAC address
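The following is an added example, not code from the deck, showing concretely why a static shared WEP key is weak. WEP seeds RC4 with IV || key and sends the 24-bit IV in the clear, so any two frames under the same IV share a keystream; with one frame whose plaintext is known (every 802.11 data frame starts with the fixed LLC/SNAP header), the keystream falls out and decrypts any other frame under that IV. The key, IV and payloads are constructed for the demo; the "128-bit" key is modelled as 104 bits plus the 24-bit IV, as in the deck.

```python
# Added example (not code from the Microsoft IT Showcase deck): why a static,
# enterprise-wide WEP key is weak. WEP seeds RC4 with IV || key; the 24-bit IV is
# sent in the clear, so two frames under the same IV use the same keystream.
# Assumptions: the key, IV and frame payloads below are constructed for the demo;
# "128-bit WEP" in the deck is a 104-bit key plus the 24-bit IV.
import math
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA), the stream cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV (3 bytes) || key-id byte || RC4(IV||key, payload || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + b"\x00" + rc4(iv + key, payload + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip IV/key-id, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[4:]
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return payload


def recover_keystream(frame: bytes, known_plain: bytes) -> bytes:
    """Attacker: ciphertext XOR known plaintext gives the keystream for that IV.
    Every 802.11 data frame starts with the fixed LLC/SNAP header AA AA 03 00 00 00,
    so at least the first bytes of keystream are always recoverable."""
    return bytes(c ^ p for c, p in zip(frame[4:], known_plain))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Attacker: reuse the keystream on any other frame sent under the same IV."""
    return bytes(c ^ k for c, k in zip(frame[4:], keystream))


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday bound sqrt(pi/2 * 2^bits): frames before an IV repeats by chance.
    With a static key every repeat is a keystream reuse."""
    return round(math.sqrt(math.pi / 2 * 2 ** iv_bits))


def static_key_demo() -> dict:
    """Two stations share the enterprise WEP key; both happen to pick IV 01 02 03."""
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")  # constructed 104-bit key
    iv = b"\x01\x02\x03"
    llc_snap = b"\xaa\xaa\x03\x00\x00\x00"
    # Frame A: traffic the attacker knows in full (e.g. a frame they induced).
    known = llc_snap + b"\x08\x06" + b"A" * 20
    # Frame B: a victim's frame the attacker only ever sees encrypted.
    secret = llc_snap + b"\x08\x00" + b"payroll data"
    frame_a = wep_encrypt(key, iv, known)
    frame_b = wep_encrypt(key, iv, secret)
    keystream = recover_keystream(frame_a, known)
    leaked = decrypt_with_keystream(frame_b, keystream)[: len(secret)]
    return {"legit_decrypt_ok": wep_decrypt(key, frame_b) == secret,
            "leaked": leaked,
            "frames_until_repeat": expected_frames_until_iv_repeat()}


if __name__ == "__main__":
    print(static_key_demo())
```

The birthday figure (a few thousand frames) is why "not dynamically changed" matters: a per-session key bounds how much traffic is ever sent under one key, whereas a static key keeps feeding the same keystream space for as long as the network runs.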
The 802.1X Solution
- Client network access (link layer) is controlled by the AP based on domain user and/or machine account authentication
- The authentication process is secured via standard Public Key Infrastructure (PKI) protocols available in Windows XP
  - Extensible Authentication Protocol over LAN (EAPoL)
  - Transport Layer Security (TLS)
  - Public/private keys, X.509 certificates
  - Uses two-factor authentication
- Client users and computers negotiate authentication against Internet Authentication Service (IAS)
  - IAS proxies authentication requests to Active Directory and the Certificate Authority
  - IAS is the Microsoft implementation of the IETF Remote Authentication Dial-In User Service (RADIUS) standard
- WEP keys are dynamic
  - They are changed with each new connection session, when roaming, or within a preset time interval
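The following is an added example, not code from the deck or from IAS, showing the last step of the exchange above: how the dynamic per-session WEP key travels from the RADIUS server (IAS) to the AP once EAP-TLS has succeeded. The key rides in an MS-MPPE-Recv-Key vendor attribute encrypted under the RADIUS shared secret (RFC 2548 section 2.4.3), and the Access-Accept is bound to the AP's request by the Response Authenticator (RFC 2865 section 3); the AP opens its controlled port only if that check passes. The shared secret, request authenticator, salt and key are constructed; the EAP-Message and Message-Authenticator attributes a real Access-Accept also carries are omitted.

```python
# Added example (not code from the Microsoft IT Showcase deck or IAS): delivery
# of the dynamic per-session WEP key from the RADIUS server to the access point.
# Assumptions: shared secret, request authenticator, salt and key are constructed;
# EAP-Message/Message-Authenticator attributes are left out for brevity.
import hashlib
import hmac
import struct
from typing import Optional

ACCESS_ACCEPT = 2
VENDOR_MICROSOFT = 311
MS_MPPE_RECV_KEY = 17  # MS-MPPE-Send-Key is vendor type 16


def mppe_encrypt_key(secret: bytes, request_auth: bytes, salt: bytes, key: bytes) -> bytes:
    """RFC 2548 key wrap: P = len || key || zero pad to a multiple of 16;
    c(1) = p(1) ^ MD5(S+R+A), c(i) = p(i) ^ MD5(S + c(i-1)); value = salt || c(1..n)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt is 2 bytes with the high bit set")
    p = bytes([len(key)]) + key
    p += b"\x00" * (-len(p) % 16)
    c = b""
    for i in range(0, len(p), 16):
        prev = request_auth + salt if i == 0 else c[i - 16:i]
        b = hashlib.md5(secret + prev).digest()
        c += bytes(x ^ y for x, y in zip(p[i:i + 16], b))
    return salt + c


def mppe_decrypt_key(secret: bytes, request_auth: bytes, value: bytes) -> bytes:
    """Inverse of mppe_encrypt_key, as performed by the authenticator (AP)."""
    salt, c = value[:2], value[2:]
    p = b""
    for i in range(0, len(c), 16):
        prev = request_auth + salt if i == 0 else c[i - 16:i]
        b = hashlib.md5(secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(c[i:i + 16], b))
    return p[1:1 + p[0]]


def build_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) attribute wrapping one Microsoft sub-attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(inner), VENDOR_MICROSOFT) + inner


def find_vsa(attrs: bytes, vendor_type: int) -> Optional[bytes]:
    """Walk the TLV attribute list and return the named Microsoft sub-attribute."""
    i = 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2:
            return None  # malformed; never loop on a zero-length attribute
        if t == 26 and length >= 8 and struct.unpack("!I", attrs[i + 2:i + 6])[0] == VENDOR_MICROSOFT:
            vt, vl = attrs[i + 6], attrs[i + 7]
            if vt == vendor_type:
                return attrs[i + 8:i + 6 + vl]
        i += length
    return None


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def ias_access_accept(secret: bytes, ident: int, request_auth: bytes, wep_key: bytes, salt: bytes) -> bytes:
    """What the RADIUS server sends back once EAP-TLS has succeeded."""
    attrs = build_vsa(MS_MPPE_RECV_KEY, mppe_encrypt_key(secret, request_auth, salt, wep_key))
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def ap_handle_reply(secret: bytes, request_auth: bytes, packet: bytes) -> Optional[bytes]:
    """Authenticator side: accept the key (and open the controlled port) only if the
    packet is a well-formed Access-Accept whose authenticator matches our secret and
    the outstanding request. Returns the session key, or None (port stays closed)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    value = find_vsa(attrs, MS_MPPE_RECV_KEY)
    return None if value is None else mppe_decrypt_key(secret, request_auth, value)


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")  # constructed 104-bit session key
    pkt = ias_access_accept(secret, 7, req_auth, key, b"\x80\x01")
    print("AP with right secret:", ap_handle_reply(secret, req_auth, pkt))
    print("AP with wrong secret:", ap_handle_reply(b"wrong", req_auth, pkt))
```

The design point for the deployment: the AP-to-IAS shared secret is the root of trust for every session key, so it needs the same care as the certificates (unique per AP, not the vendor default, and rotated when an AP is decommissioned), and the "poor RADIUS server failover support in APs" challenge noted later is about this exchange timing out, not about the key wrap itself.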
802.1X Security: The 802.1X Solution (diagram)
- Laptop holding a domain user certificate
- 802.11/.1X access point with an uncontrolled port and a controlled port (the uncontrolled port passes only the EAP/TLS authentication traffic; the controlled port carries all other traffic once the client is authorized)
- EAP/TLS connection from the laptop, through the AP, to RADIUS (IAS)
- RADIUS (IAS), Domain Controller, Certificate Authority
- DHCP, Exchange, file servers, peers
- Domain Controller used to log onto the domain after obtaining an IP address from DHCP
802.1X Deployment Challenges
- Operational support
  - Requires improved troubleshooting tools for both client and infrastructure
  - Integration of disparate support organizations for end-to-end support: Certificate Server, RADIUS server, Active Directory™, AP, and client
802.1X Technical Challenges
- Certificate issues
  - Required to build a secure, Web-based tool to validate and/or obtain computer/user certificates
  - Certificate Revocation List (CRL) expiration issues must be managed
- Active Directory
  - If Active Directory becomes overloaded, 802.1X authentication is affected
- Client DHCP response timeouts
  - Inconsistent across domains and platforms
- Poor RADIUS server failover support in APs
  - Can cause clients to fail authentication and lose connectivity
- Authentication mechanism stresses infrastructure
  - Reauthentication required when roaming and at timeout
  - Cross-forest and multi-domain authentication required
Concealed System Installation Best Practices
- Pre-installation
  - Develop AP location plan based on design guidelines
  - Field verify proposed AP locations to check for physical interferences
  - Present final locations for approval prior to starting construction
- Installation
  - Enclose AP units and antennas within "plenum-rated" enclosures to meet building fire code requirements
  - Central, low voltage power supply on uninterruptible power supply (UPS)
- Delivery
  - Spot check AP installation for conformance with commissioning checklist
  - Check RF coverage and network connectivity of each AP
  - Deliver "as-built" documents
Sample Installation Architecture (diagram)
- AP unit inside a 12" x 12" x 6" NEMA #1 rated enclosure
- Two CAT5E data cables (one for future use), plenum-rated wiring, terminated on a dual biscuit jack assembly
- Network and out-of-band connector cable to the AP
- AP power supply in a 110 VAC handy box, fed through a step-up transformer
- Central low voltage power supply: 120 V line voltage input, step-down transformer, 24 V output
- Low voltage power line, plenum-rated and routed in existing cable trays
Lessons Learned
- Costs are concentrated in labor and materials for building infrastructure installation and construction
  - AP installations should be concealed within the plenum
- Using standardized equipment does not ensure interoperability
- Involve IT Operations and Help Desk early
  - Offer educational seminars and engineering reviews
- Develop and communicate security policies around "rogue" wireless implementations
- User health and safety concerns must be addressed appropriately
  - Involve vendor and internal Risk Management and Human Resource organizations
Reference Information
- Microsoft Corporation
  - Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service: http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp
  - 802.1x (TechNet): http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prdc_mcc_corc.asp
  - 802.1x Authentication: http://msdn.microsoft.com/library/en-us/wceddk40/htm/cmcon8021xauthentication.asp
  - Wireless Network Security within 802.1x: http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/8021x.asp
  - Set up 802.1x Authentication on Windows XP Client: http://www.microsoft.com/windowsxp/home/using/productdoc/en/8021x_client_configure.asp
  - Securing Wireless Networks Security Bulletin: http://www.microsoft.com/windows2000/datacenter/evaluation/news/bulletins/secwireless.asp
- Wireless LAN Association: http://www.wlana.org
- IEEE 802.11 and 802.1X: http://www.ieee.org
- OSHA Health and Safety: http://www.osha-slc.gov/sltc/radiofrequencyradiation
- Cisco Systems: http://www.cisco.com/warp/public/44/jump/wireless.shtml
For More Information
Additional IT Showcase white papers, case studies, and presentations on ITG deployments and best practices can be found on http://www.microsoft.com.
Microsoft TechNet: http://www.microsoft.com/technet/itshowcase.
The Future of WLAN Technology
- 802.11a
  - New physical layer using the 5 GHz band, utilizing Orthogonal Frequency-Division Multiplexing (OFDM) to provide speeds up to 54 Mbps
  - Lower range and higher power requirements
- 802.11b
  - Existing implementation using the 2.4 GHz band to provide speeds up to 11 Mbps
  - High range and low power requirements
- 802.11d
  - AP specifies a client profile which includes channel set and power
  - Allows for a single AP and client product which would self-configure to meet local RF regulations
  - International roaming: "World Mode"
- 802.11e
  - Quality of Service (QoS) support
  - Coupled with 802.1p (Class of Service) and 802.1Q
  - Support for real-time applications like voice and streaming media
  - Dynamically-plumbed WEP keys
The Future of WLAN Technology (continued)
- 802.11g (as drafted at the time of publication)
  - New physical layer using the 2.4 GHz band, utilizing OFDM
  - Max speed 22 Mbps, but cannot coexist with 802.11b
- 802.11h
  - Enhancement to the MAC to support EU power and RF requirements
  - Recommended feature for any future implementations
- 802.11i
  - Enhanced security
  - Advanced Encryption Standard (AES) is a strong contender for replacing WEP
  - May be used with 802.1X
- 802.1Q
  - Virtual LAN (VLAN) tagging
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Where do you want to go today?, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.