How many Wireless Access Points do I need?

This is one of the more frustrating questions I get asked…  how long is a piece of string?!

I understand why people want to know – is it even worth doing a Survey if my budget will get blown, can I stretch to the better model of Access Point, how many PoE Switchports will I need to provide – but it’s not a quick or easy question to answer.

Before you ask this, or before you trust anybody who tries to answer, there are several things to consider;

  • What does the network need to do? (Data, Voice, Video, Location Tracking, RFID, etc)
  • On what scale will the network operate? (1 User or 10,000? How many devices per User?)
  • How will you quantify that the network is working well? (SNR? Bandwidth? Packet loss? User reports?)
  • What are the physical characteristics of your environment? (Open plan? low ceilings? Thick walls? Congested RF?)
  • What are the capabilities of the Clients using the network? (frequencies, transmit powers, phy, security capabilities, battery powered?)

I find it best to start with the desired target User experience and work back from there, via environmental considerations and device capability considerations, to arrive at an answer to the question.  Here’s a story of how requests like this sometimes go;

Let’s say you want a good, high performance network with Clients that are generally just browsing the Internet and sending e-mails – short bursty traffic flows.  Let’s further suppose you have a modern-ish fairly open plan office across three floors of a building with 200 people per floor.  You’ve recently splashed out on laptops and tablets so everybody has a device that supports 802.11AC and you want a ‘Wireless First’ network connectivity model because none of the Users can be bothered to drag around the brick that goes with their shiny new Surface Pro.

You’ll want to develop a target contention ratio of Users per Access Point to ensure everybody gets a fair amount of bandwidth to support the anticipated usage; let’s say 20 Users per Access Point.  So, without even seeing any floorplans, 600 Users divided by 20 Users per Access Point gives us 30 Access Points as an initial estimate.  Let’s assume all of the floorplans are identical, so 30 Access Points across three floors leaves us with an initial estimate of 10 Access Points per floor.  With a bit of effort you also research the devices your Clients are using and you determine that you need a particular Signal Strength to let them hit the data rate they want; let’s say -67dBm at 5GHz.

Consider the layout of the floor: will ten Access Points realistically provide the coverage you want – at least -67dBm Signal Strength and +25dB SNR @5GHz everywhere?  With lift shafts, stairwells, storage cupboards and areas that have particularly high or low user densities, you may end up needing 12 Access Points per floor, that’s 36 Access Points in total as a basic initial estimate.  Any experienced WiFi person will be good at estimating this off plan.  Many will give you “heatmaps” to show the coverage you can have, but if these are produced offline and without having gone to site, they’re just educated guesswork and must not be relied upon, and no, it doesn’t matter if they used Ekahau, AirMagnet, WCS, or whatever… it’s all guesswork.  No matter how impressive they look, they are not reliable.  If you want reliable results, do a proper site survey.

“You’ll need 36 Access Points” is the message that goes back to the customer, “but we’ll do a site survey just to check”.  An engineer goes to site and starts surveying for -67dBm at 5GHz with a target 20:1 contention ratio, but soon spots a problem.  Your office is in Zone 1, central London.  You’re surrounded above, below and on all sides by other Corporations all operating their own WiFi and the noise floor is much higher than expected.  To meet or exceed the minimum Signal Strength and Signal to Noise requirements, the coverage area of each Access Point has to be reduced.  This gives you a better User to AP contention ratio, but it increases the number of Access Points you need – let’s say you need an extra two per floor, so we’re now at 42 Access Points.

The survey continues and when the surveyor gets to the last floor, it becomes apparent the floorplan doesn’t represent the actual layout at all.  Instead of an open plan office, it has been divided up into small meeting rooms with lots of floor to ceiling glass walls.  The architect has used nice expensive, heavy glass that is hard for 5GHz to penetrate, so to keep hitting your SS and SNR requirements, another two Access Points are needed on that floor and we’re now at 44 Access Points from our initial uninformed estimate of just 30.
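The walk-through above, reduced to a small planner as an added example (not part of the original post): the contention-ratio baseline, the per-floor survey corrections, and the check that tells you when the noise floor rather than the -67dBm client target sets the cell edge.  The per-floor corrections and the -85dBm noise floor are constructed to reproduce the story’s figures.

```go
package main

import (
	"fmt"
	"math"
)

// Floor records what the survey found beyond the paper estimate: extra APs for lift shafts,
// stairwells and density hot spots, and extra APs for materials such as heavy glass partitions.
type Floor struct {
	Name              string
	ExtraForLayout    int
	ExtraForMaterials int
}

// ceilDiv rounds up, so 601 users at 20:1 need 31 APs rather than 30.
func ceilDiv(a, b int) int { return (a + b - 1) / b }

// initialEstimate is the contention-ratio starting point (users / users-per-AP), before any floorplan.
func initialEstimate(users, usersPerAP int) int { return ceilDiv(users, usersPerAP) }

// requiredRSSI is the signal strength a cell edge must deliver: the client's target RSSI, or
// noiseFloor+minSNR when a high local noise floor makes SNR the binding constraint instead.
func requiredRSSI(targetRSSI, noiseFloor, minSNR float64) float64 {
	return math.Max(targetRSSI, noiseFloor+minSNR)
}

// planAPs follows the walk-through: share the initial estimate across floors, add each floor's
// layout and materials corrections, then add a per-floor uplift where noise shrinks the cells.
func planAPs(users, usersPerAP int, floors []Floor, extraPerFloorForNoise int) (int, map[string]int) {
	perFloor := make(map[string]int)
	base := ceilDiv(initialEstimate(users, usersPerAP), len(floors))
	total := 0
	for _, f := range floors {
		n := base + f.ExtraForLayout + f.ExtraForMaterials + extraPerFloorForNoise
		perFloor[f.Name] = n
		total += n
	}
	return total, perFloor
}

func main() {
	// Constructed figures from the walk-through: 600 users at 20:1 over three floors, -67 dBm / 25 dB.
	floors := []Floor{{"Floor 1", 2, 0}, {"Floor 2", 2, 0}, {"Floor 3", 2, 2}}
	fmt.Println("paper estimate:", initialEstimate(600, 20))
	// A constructed -85 dBm noise floor pushes the cell edge from -67 to -60 dBm, so cells shrink.
	fmt.Println("cell-edge RSSI needed (dBm):", requiredRSSI(-67, -85, 25))
	total, perFloor := planAPs(600, 20, floors, 2) // survey added two APs per floor for noise
	fmt.Println("after survey:", total, perFloor)
}
```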

You’ve read that 802.11AC can provide some really fast data rates – 2.6Gbps or so – can your 44 shiny new Access Points do that please?  In short, no.  With 14-16 Access Points on a relatively small, open plan floor, you’re likely limited to 40MHz channels to avoid channel re-use issues.  Rather than the sexy 160MHz channel 2.6Gbps rates you’ve been reading about from the Manufacturer’s marketing team, you’ll have peak datarates more like 600Mbps.

44 Access Points, 600 Mbps peak rate, fine.  Let’s get them installed.  Wait, why don’t they work?  Did you audit your LAN properly?  Newer 802.11AC Access Points need PoE+ or even UPoE to work properly.  Older switches might only support 802.3af and the one switch you have that does support 802.3at is at its power limit.  Access Layer LAN upgrade please…

The moral of the story?  When you ask one simple question – how many Access Points will I need – but you get 50 questions back with no sign of your question being answered, take the time to answer thoroughly; it will be time well spent in the long run.


How organisations weaken their own security without realising

A couple of real examples about how organisational disharmony causes security problems.

I visit a lot of customers with similar requirements… “our Wired/Wireless network needs securing“.  The solution is, more or less, always the same and it’s simple enough to implement when you’ve been through the process so many times.

Simple enough says I, but it requires different parts of an IT team, which are so often like oil and water, to work together seamlessly.  Yes, you’ve probably guessed it, we need the Network Team, Server Team and Desktop Teams to all work together to deliver one secure solution.

In some (rare!) cases, IT Teams are multiskilled and get to work with one person who has access to, and good knowledge of, all of the systems involved.  Bliss!  One person who can read a Security Policy and who can work with me, through lots of systems, so they can see how their policy is implemented end-to-end – Clients, Switches, Wireless LAN Controllers, RADIUS Servers, SSL Certificates, Domain Security Policies, Troubleshooting Methodologies, approaches to managing change, and so on… perfect!  This is my ideal – implementations happen quicker (saves money), with fewer problems (saves money, improves end-user perception), and are more secure (because of fewer interconnects between teams where problems can occur).

In most cases however, especially in big Corporates, IT teams are split into silos and in my experience, they seldom play nicely together.  Who, for example, should look after a RADIUS Server?  “It’s a Server, so the Server team should” is the obvious answer, but it’s used by the Network team to secure the network and as it’s Cisco ISE or HP Clearpass it’s nothing the Server team know about, so it’s now the network team’s responsibility.  Fine, networks it is.  But the RADIUS server will reference AD Group Memberships – who keeps these up to date?  What if the Server guys have a tidy up and delete some groups the RADIUS Server was using?  “The network is down” come the cries from the office floor when nobody can get access, without the network guys having done anything wrong at all.

“Change Management will stop that from happening” is the common response, but “not always effectively enough” is my experience.  I’ve seen customers run siloed change control processes, for example.  One Server guy talks to another Server guy about deleting some AD Groups.  Neither knows how the RADIUS Server uses the Groups, so they get deleted and they break RADIUS.  Even at customers that run sensible change control processes with all of the stakeholders involved, it’s still human nature to focus on what you’re interested in.  If the Desktop Team say they want to roll out a new AV Client, will the Network Team who are running Posture Assessment via Cisco ISE remember to implement new Posture Policies?  Not always.  When the network team roll out a new Secure SSID and ask the Desktop/Server Team to push out a new Policy to ensure Clients use the new SSID correctly and securely, does it always happen perfectly?  Does it even happen at all?  Not always.

In my experience, Teams are too often guilty of an inward-looking mentality – “how can we help ourselves” instead of “how can we help the teams around us”.

In today’s ever increasingly integrated world of IT Solutions, I’m starting to think that strictly siloed working practices are borderline dangerous.  Sure, you’ll always need a specialist in one thing or another, but in my experience, the more people that have a nice wide end-to-end view of how “IT solutions” operate, the more usable and more secure – the better – the solution will be.  If everybody involved has a solution-wide view, far fewer things will fall between the gaps, leaving fewer issues for Users and fewer attack vectors for hackers.

Access Layer Security (Part 3) – 802.1ae

In previous entries we’ve looked at how easy it is to attack networks secured with Profiling, MAC Address authentication and/or 802.1X, especially if you have access to a device that is known to work.

So how then, if you can get around even EAP-TLS security on a LAN, do you really secure an Access Layer network?

802.1ae MAC sec

In short, 802.1ae is to wired networks what WPA2 is to Wireless networks.

All of the methods of securing a network that we’ve looked at so far provide (varying levels of) authenticated network access, but do nothing to protect the traffic post-authentication, which, because MAC Addresses are so easily spoofed, potentially leaves big holes in your network’s security.

With MAC sec enabled networks and Clients, once the device has been authenticated through an EAP method (like PEAP or EAP-TLS), traffic is encrypted between the NIC of the Client and the Switchport, typically using GCM-AES-128 or GCM-AES-256.  Because the encryption negotiation process is secure, even if an attacker spoofs a MAC address and sniffs all of the traffic between a known good device and the network, they will not be able to decipher the encryption keys and they will not be able to gain access to the network.  This is, to my knowledge, the only way to guarantee (as far as anybody in IT can guarantee anything) that only valid devices can access the network.
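To make that frame-level claim concrete, here is an added example (not from the original post and not any vendor’s code) that builds and verifies a MACsec-style frame the way 802.1AE does with GCM-AES-128: a SecTAG with explicit SCI, the nonce SCI||PN, DA, SA and SecTAG authenticated as additional data, and a 16-byte ICV.  The SAK is a constructed constant; on a real link it is derived by MKA after the EAP authentication described above, which is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const etherTypeMACsec = 0x88E5 // EtherType that starts the SecTAG
// aead wraps the SAK (Secure Association Key): a 16-byte key is GCM-AES-128, 32 bytes GCM-AES-256.
func aead(sak []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sak)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// protect builds DA | SA | SecTAG | secure data | ICV; as in 802.1AE the nonce is SCI||PN and DA, SA, SecTAG are AAD.
func protect(sak, da, sa, sci []byte, pn uint32, payload []byte) ([]byte, error) {
	gcm, err := aead(sak)
	if err != nil { return nil, err }
	secTag := make([]byte, 16) // EtherType(2) TCI/AN(1) SL(1) PN(4) SCI(8)
	binary.BigEndian.PutUint16(secTag[0:2], etherTypeMACsec)
	secTag[2] = 0x2C // TCI: SC=1 (SCI present), E=1 C=1 (encrypted), AN=0
	if len(payload) < 48 { secTag[3] = byte(len(payload)) } // SL is only set for short user data
	binary.BigEndian.PutUint32(secTag[4:8], pn)
	copy(secTag[8:16], sci)
	hdr := append(append(append([]byte{}, da...), sa...), secTag...)
	nonce := append(append([]byte{}, sci...), secTag[4:8]...)
	return append(hdr, gcm.Seal(nil, nonce, payload, hdr)...), nil
}

// unprotect checks the ICV and decrypts; a wrong SAK or any altered byte of DA, SA, SecTAG or data fails.
func unprotect(sak, frame []byte) ([]byte, error) {
	if len(frame) < 28+16 || binary.BigEndian.Uint16(frame[12:14]) != etherTypeMACsec {
		return nil, fmt.Errorf("not a MACsec frame")
	}
	gcm, err := aead(sak)
	if err != nil { return nil, err }
	nonce := append(append([]byte{}, frame[20:28]...), frame[16:20]...) // SCI || PN
	return gcm.Open(nil, nonce, frame[28:], frame[:28])
}

func main() {
	sak := []byte("0123456789abcdef") // constructed 128-bit SAK, not a real key
	da, sa := []byte{0, 0x11, 0x22, 0x33, 0x44, 0x55}, []byte{0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}
	frame, _ := protect(sak, da, sa, append(append([]byte{}, sa...), 0, 1), 1, []byte("hello")) // SCI = MAC||port 1
	_, err := unprotect([]byte("fedcba9876543210"), frame) // a sniffer that spoofed the MAC but lacks the SAK
	fmt.Printf("%d-byte frame; decrypt without the SAK fails: %v\n", len(frame), err != nil)
}
```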

Unfortunately, despite having been available for quite some time, support for MAC sec is somewhat limited.  There is currently no native support for MAC sec in Windows so Microsoft Users need a third party supplicant like the Cisco AnyConnect Agent.  MAC sec is supported in Linux though, from kernel 4.6 onwards (I think!).  802.1ae also requires a suitable Client NIC & drivers, and a LAN Switch and RADIUS Server that support 802.1ae.

Cisco Identity Services Engine (ISE) v2.4

Cisco Identity Services Engine v2.4 was released last week, bringing a number of changes to the platform.  The biggest changes to be aware of are;

VM Hosts are now licensed.

Previously the number of VM hosts deployed within a cluster wasn’t controlled.  Sure, Cisco asked you to buy a SKU for each VM ISE, but it wasn’t enforced by the application until now.  With ISE v2.4, each ISE VM requires its own licenses and the licenses are specific to the size of the VM(s) you have deployed;

  • Small (<=16GB RAM, <=6 Cores)
  • Medium (16-64GB RAM, 7-8 Cores)
  • Large (>64GB RAM, >8 Cores)

If you’re planning an upgrade to v2.4 from an earlier release and you bought the proper VM SKUs, e-mail with your order numbers and they’ll send you the licenses you need.  If you didn’t buy the correct VM SKUs, you’ll need to buy them from your Cisco partner first.

TACACS+ licensing change

Prior to v2.4, TACACS+ was a cluster-wide, on/off feature… you either had TACACS+ enabled or you didn’t.  From ISE v2.4 onwards, TACACS+ is licensed per PSN on which you enable TACACS+.

Larger VM MNT

A new ‘Large’ (huge!) VM appliance is available, specifically for the MNT role, significantly improving performance when it comes to the Live Log and Reporting.

Other enhancements

ISE v2.4 also brings a number of small enhancements;

  • Enhanced IPv6 support – Network Devices can now be defined with IPv4 and/or IPv6 addresses
  • Posture enhancements – Addition of a Grace Period and various enhancements to AnyConnect Posture module behaviour
  • Various TrustSec & pxGrid enhancements
  • ISE can now pull data from Cisco Industrial Network Director (Cisco IND)
  • Improvements to the profiler database

Personal view

There are some nice new features added in v2.4, particularly for those using Posture Assessment and those with larger estates, but I’d wait until the first Maintenance Patch or two have been released before deploying it in to a production environment.  If you can’t wait that long, do at least run it in a lab first and check it’s all fine and make sure you have a rollback plan in case there are any issues with it.

Further reading

Cisco ISE v2.4 Release Notes
Cisco ISE v2.4 Order Guide

Cisco 4800 Access Point

The latest Access Point from Cisco was announced this week, the Cisco 4800.


The 4800 provides the same Flexible Radio configuration (2.4+5GHz or dual-5GHz) 802.11AC WiFi capabilities as the 2800/3800 Access Points, but it now includes a third radio which provides native support for analytics, hyperlocation & improved BLE capabilities without the need for any additional modules, making it ideal for customers who want to provide location analytics services.

The 4800 needs v8.7 software so anybody on a 5508 WLC (or equivalent generation) will need to upgrade their WLC hardware to a current generation WLC (like a 5520) before they can use this Access Point.  v8.7 doesn’t support some older Access Point models so if you have a mixed estate, ensure all of your AP & WLC hardware is supported accordingly.  The 4800 also needs 802.3at PoE (30Watts) to work on a single 1Gbps interface, or UPOE (32W) for mGig functionality.

I love new hardware as much as the next technophile, but if I’m honest, this AP isn’t anything new.  It’s a few existing, disparate features all in one box.  For 99% of organisations who just want a reliable WiFi service to provide Voice & Data connectivity for Users in a Corporate environment, I’d stick with the 2800…  it’s cheaper, proven to be reliable, and has fewer backwards-compatibility considerations.

Video Overview by Cisco;