Wireless laptop roaming through various access points

The delay was around 7 seconds and sometimes a tad more. (The RADIUS server isn't really nearby and the network is quite large, so LAN traffic also plays a role in the delay. I might try connecting the RADIUS server to the same switch as the APs, just to see if there's better performance.)

Unfortunately, if the laptops were to use Terminal Service, their connection would break (at approx. 10 sec. delay). I suppose local tcp/ip applications would be more tolerant.

Since I can't wait for the upcoming standards to be applied (and who knows whether that will imply buying new hardware), but on the other hand I do require tight security measures, here's another method I thought of using, and I would like to know your thoughts.

I would disable the FreeRADIUS EAP-TLS system and would configure every AP to be open (or just have WEP). This way roaming is really fast. However, I would connect the devices as follows:

    LAPTOP1     LAPTOP2     LAPTOP3   (etc)

    AP1         AP2         AP3         AP4   (etc)    [192.168.1.0/24]
     |___________|___________|___________|
                       |
                    SWITCH
                       |
           Linux VPN Gateway/Router
                       |
           The Big LAN [10.215.144.0/22]

The Linux VPN Gateway/Router would have OpenVPN or IPsec or similar and would route traffic between the smaller 192.168.1.0/24 subnet and the larger 10.215.144.0/22. Would this method be "close enough to what Radius-EAP-TLS" does to secure "The Big LAN"?

Am I overlooking something?

VDP

That's roughly the way the local hospital wireless LAN works. Anyone can connect, but without a VPN client and the necessary authentication and access, they go nowhere. The 192.168.1.xxx IP address issued by the Linux gateway DHCP server does nothing. Only after authenticating with the VPN server does the VPN server issue a different 10.214.144.xxx IP address that works.

However, you might be trading one roaming problem for another. VPN connections do not do well when roaming from access point to access point. The ones I've tried are even more sensitive to packet loss. Lose a few bytes and they disconnect and renegotiate the entire key exchange ceremony. My guess is about 3-5 seconds delay after losing a few packets. You're going to lose something during the switch between access points. Fortunately, VPN authentication and header modification protection is based on IP addresses and not MAC addresses. Therefore, it should maintain the VPN connection when moving between access points.

There's also the problem of licensing VPN clients, although there are plenty of free ones available. Same with clients for PDAs.

In addition, with usable 192.168.1.xxx addresses assigned to clients, there's a real danger that these clients will turn your access points into their personal game network or something. I've had that happen to me. If your access points offer "client isolation" or something similar, use it.

Jeff Liebermann
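The gateway policy that makes the two posts above work is the part neither of them spells out: the 192.168.1.x address must be able to reach the VPN endpoint and nothing else, and only traffic that arrives decrypted on the tunnel may be forwarded into The Big LAN. The following iptables script is an added example written for this thread, not code from VDP, Jeff or any product mentioned; it assumes OpenVPN on its default UDP port 1194 running on the gateway itself, the gateway holding 192.168.1.1 on the open segment, and the interface names eth0 (toward the APs), eth1 (toward The Big LAN) and tun0 (the tunnel). Everything else comes from the addressing in the diagram.

```shell
#!/bin/sh
# Added example, not from the thread: iptables policy for the Linux VPN
# gateway/router in VDP's diagram, implementing what Jeff describes
# (a 192.168.1.x address "goes nowhere" until the client is inside the VPN).
# Assumptions: OpenVPN on udp/1194 on the gateway, the interface names below,
# and the gateway owning 192.168.1.1 on the open segment.
set -eu

IPT="${IPT:-iptables}"          # set IPT=echo to print rules instead of applying them
WLAN_IF="${WLAN_IF:-eth0}"      # assumed: link to the switch with the open APs
LAN_IF="${LAN_IF:-eth1}"        # assumed: link to The Big LAN
VPN_IF="${VPN_IF:-tun0}"        # assumed: OpenVPN tunnel interface
WLAN_NET="192.168.1.0/24"       # open wireless segment, from the thread
LAN_NET="10.215.144.0/22"       # The Big LAN, from the thread
GW_WLAN_IP="${GW_WLAN_IP:-192.168.1.1}"   # assumed gateway address on the open segment
VPN_PORT="${VPN_PORT:-1194}"    # OpenVPN default port (udp)

apply_rules() {
    # Default-deny on the way in and through; the gateway itself may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Unauthenticated wireless clients may reach the gateway for exactly two
    # things: a DHCP lease and the VPN endpoint. Anything else is logged and dropped.
    $IPT -A INPUT -i "$WLAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -d "$GW_WLAN_IP" -p udp --dport "$VPN_PORT" -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -j LOG --log-prefix "open-wlan drop: "
    $IPT -A INPUT -i "$WLAN_IF" -j DROP

    # Authenticated clients (their traffic arrives decrypted on the tunnel)
    # may use gateway services such as DNS and are forwarded into The Big LAN.
    $IPT -A INPUT -i "$VPN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT

    # Plaintext from the open segment is never forwarded anywhere:
    # not into the LAN and not into the tunnel interface.
    $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -j DROP
    $IPT -A FORWARD -i "$WLAN_IF" -o "$VPN_IF" -j DROP

    # Administration of the gateway only from the wired LAN side.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

# Dry run: print the rule set apply_rules would load, without touching the kernel.
render_rules() {
    ( IPT=echo; apply_rules )
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  render_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2 ;;
esac
```

Run it as `sh gateway-fw.sh show` to review the rules and `sh gateway-fw.sh apply` as root to load them. Two limits worth keeping in mind: the gateway cannot enforce Jeff's "client isolation", because laptop-to-laptop traffic on 192.168.1.0/24 is switched at layer 2 and never reaches it, so that setting has to live on the APs; and if IPsec is used instead of OpenVPN the endpoint rule must admit udp/500, udp/4500 and protocol ESP rather than udp/1194. WEP on the APs does not change any of this, since the policy assumes the wireless segment is fully untrusted.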

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.