Ross Wakelin

802.11ax, otherwise known as Wi-Fi 6, is due to be formally ratified sometime in 2019. In the meantime, many vendors are shipping "conformant" products branded as 802.11ax. They can do this because these companies have representatives on the IEEE committees and know that the majority of the specification is frozen, and that only small tweaks remain before the standard is ratified. These companies also know that any changes made between now and when it is ratified will be small, and will not make any of the existing silicon in their equipment obsolete - changes from now on can be captured in code/firmware changes.

So what does Wi-Fi 6 give us? Everyone talks about speed, with the standard supporting up to 1.1Gb/s on the 2.4GHz band (with all four spatial streams up and running) and 4.8Gb/s on the 5GHz band (with eight streams). However, to achieve these speeds (which, remember, are RF speeds, not data transfer speeds) you are going to need brand new Wi-Fi 6 Access Points, and brand new Wi-Fi 6 client devices, both with the full complement of chipset, firmware and aerials, and a good, clean RF environment. Also, you need a way to connect the Access Points to your distribution network to support the burst data rates, a good connection from your distribution network to your core, and applications that can deliver the data to the end users at that rate (how many web connections do you know that need 4.8Gb/s of bandwidth to fill the screen?).

The above paragraph is very simplistic, because other benefits of Wi-Fi 6 come to the rescue, with enhancements like the ability to support concurrent wireless sessions to multiple devices in the same time slot (real MU-MIMO) and Orthogonal Frequency Division Multiple Access (OFDMA) to connect to multiple devices at the same time, as well as smarter beamforming. All of these extra enhancements mean that more end user devices can connect at the same time, and share the RF (which IS big news, given RF is usually a single user, half duplex environment), delivering a better service to the business (or home).

Will you notice the difference? Probably not for the next 18 months, until a critical mass of both Access Points and client devices get out there that support the Wi-Fi 6 standard. Also, the performance figures given above are best case, fully loaded, 8x8 device numbers, and there won't be many of those around initially - and they won't be cheap. They are not the sort of equipment that will turn up in home/soho routers quickly.

Caveats? Remember one of the basic rules of wireless network design - the wi-fi is just one hop in the network chain. It's not going to help installing the latest and greatest Access Points in a branch office if the access switches can't provide them with the multi-gigabit connections, or especially if the backhaul to the datacentre/cloud is limited to 100Mb/s, 50Mb/s or 10Mb/s - 2Gb/s at the AP down to 50Mb/s to the cloud doesn't really work. Don't blame the wireless network if the backhaul can't cut it - be careful in site upgrade scenarios where the customer will expect huge improvements in end user performance with the new gee-whiz wireless, when the backhaul is the issue. Manage the expectations.

When should you start installing 802.11ax APs? Now! The installed life for commercial wireless gear is about five years, and within that five year period there WILL be lots of client devices that support Wi-Fi 6. Some of the larger smartphone manufacturers are saying this year's crop (2019) will contain Wi-Fi 6 chipsets. APs installed now will need to support Wi-Fi 6 client devices in their lifetime, and you don't want your customers to accuse you of selling them obsolete equipment. However, don't forget to understand the business requirement before you just install Wi-Fi 6 equipment. In a normal office environment, with smart devices and laptops everywhere, Wi-Fi 6 is appropriate. In a factory/distribution environment, where smart devices are likely to be rare, and handheld scanners and IoT devices the norm, Wi-Fi 5 is likely to be overkill, let alone Wi-Fi 6.

Bottom line - design to the requirements, but consider the future.


Ross Wakelin

If you work in the Wi-Fi industry you are used to throwing around technical terms to describe the various smarts that underpin the technology, like 802.11ax, 40MHz channel width, 256-QAM or OFDM. To the ordinary business manager, and even more so the consumer customer, these terms are just buzz words made up to make them feel inadequate, and force them to get a professional like you involved.

The Wi-Fi Alliance is an industry "club" made up of a large number of the vendors who make and sell Wi-Fi to the rest of the world. They don't create the Wi-Fi standards, that's the role of the IEEE, but they have a lot of influence in what the standards are, and how to implement them. The Wi-Fi Alliance also operates a number of certification schemes that are designed to help improve interworking between vendors, and help purchasers find products that will work - hence the commonly seen Wi-Fi Certified logo found on the packaging of a lot of products.


To help users to identify the technology that is inside the latest generations of Wi-Fi equipment, the Wi-Fi Alliance has created the Wi-Fi CERTIFIED scheme. Their website says:

"Wi-Fi CERTIFIED™ products deliver interoperability with the latest technologies, and industry-standard security protections. The Wi-Fi CERTIFIED logo gives consumers confidence that the Wi-Fi devices purchased deliver a good user experience, regardless of brand. For retailers, vendors, and service providers, the Wi-Fi CERTIFIED seal of approval means consistent performance and better user experience."


Different generations of technology are numbered from 1 through to 6, with 802.11b being 1 and with the latest and greatest 802.11ax being 6. Who knows what will appear as 7?

These are the generations:

1  802.11b  introduced in 1999
2  802.11a  introduced in 1999
3  802.11g  introduced in 2003
4  802.11n  introduced in 2009
5  802.11ac  introduced in 2014
6  802.11ax  scheduled for release in 2019

The Certification programme comes with a set of logos that vendors can apply to their products, so that it will be easy for users to tell with just a glance.


The Certification also recommends a new set of widgets that can appear in the device User Interfaces, so end users can see with a glance what level of technology is being achieved with the current connection.


A follow-on article will discuss Wi-Fi 6 (802.11ax) and what it really means to the end user and Wi-Fi network owner.

Ross Wakelin

On a recent trip to the UK to visit relatives, I heard that most dreaded of phrases - "can you help us with our internet connection?".  Of course, it's phrased as a question, but the expectation is yes, and woe befall you if you say anything but yes.

In this instance, the property was a country property, over 100 years old.  Originally built as a schoolhouse, the walls were about 30cm thick, made of stone.  Over the years the building had been added to, with a floor added above, and some of the external (thick) walls had ended up as internal walls.  Being out in the country, the only available internet connection was ADSL, and this property was the furthest one from the exchange to be able to get ADSL, with some further properties down the lane being too far away (and the wiring being too old).  The network in the property had been "installed" by a local electrician, who also did satellite installations and internet.  This sparky had done a deal with my relatives, and their ADSL connection was shared with those further down the lane who could not get a connection.  This was facilitated by a PTMP wireless network mounted on the wall of the schoolhouse, and beaming the shared internet connection to other houses.  The sparky had chosen Ubiquiti equipment for this link, and it worked well.

Inside the house however, things were not so well laid out.  The property was too old to have any sort of structured cabling, but when some renovations were done my relatives had arranged for some Cat5 to be run in the newer parts of the house, which comprises a sort of home office.  Within the house, there were three access points, each broadcasting a different SSID, all on the same channel, and with three different subnets.  These access points were all connected back to the ADSL router, and thence to the internet. 

Problems:

  • Roaming - there was none between access points
  • Printing - only users connected to the same subnet as the printer could print (there was no routing between the three subnets)
  • Coverage - yes, well
  • Knowledge - my family had no diagrams (because they did not exist) and did not know the router passwords

I whipped out my trusty survey utility on my tablet (we all travel with survey utilities on our tablet, don't we??) and had a walk around the property.  The placement of the three APs was "suboptimal" (I'm being polite) and the coverage was less than one bar in large areas of the house - one of the complaints was "I can't read my email when I'm in bed".

Temporary resolution:

  • Created a network diagram, and got the passwords from the local sparky
  • Routing - enabled routing on the ADSL router between the subnets, and set the DHCP scopes to send the gateway address.
  • Printing - solved by the above
  • Roaming - can't do much about that, it's a full disconnect/reconnect
  • Channels - changed the settings so each of the three APs were on the classic 1,6,11.
  • Coverage - tweaked the location of the APs where I could - I found the upstairs AP was tucked in behind the hot water cylinder (it looked neater); of course wifi looooves metal and water, it's no wonder the coverage in that direction was bad.

Long term resolution:

Recommended the purchase of a Google home mesh wifi solution.  One of my family's neighbours had the same equipment and would be able to help set it up for them after I left.  I hear that it's all much better now.


Ross Wakelin

Over the years I have configured guest/visitor wireless access for a number of customers, and in every instance there have been five decision points that have delayed the implementation:

  • What information do we need/want to gather from the visitor before allowing them in?
  • What terms and conditions do we want them to agree to before allowing them in?
  • What level of internet protection do we apply to the visitor guest connection?
  • What level of protection do we apply to the wireless connection itself?
  • Do we throttle the connection?

Each of these five decisions should be made by the business sponsor of the visitor access, not the IT team responsible for implementing the solution.  Let's look at each of these in detail.

What information do we need/want to gather from the visitor before allowing them in?
There are a number of underlying questions here, including: what info are we going to ask for; how much of it will be compulsory; when we get it, what are we going to do with it; what is the business value of this data?
A lot of businesses collect name/email/company data from visitors "just because they can", with no intention of using any of this data in any productive way.  They have to consider the need of the business to collect the data vs the inconvenience to the visitor in filling in the form.  My advice has always been to collect the minimum necessary data to satisfy the business, remembering that if you are collecting data you are required to protect it.

What terms and conditions do we want them to agree to before allowing them in?
There is a general requirement to "cover your butt" when providing any form of internet access, whether it be to staff or visitors.  Make sure you get the corporate legal team involved, and get them to sign off on a general wireless disclaimer.  It is a lot faster if you can give them a draft to agree upon, rather than asking them to come up with something from scratch.  The rider on having terms and conditions is having some way to "prove" that the visitor has seen and agreed to the Ts&Cs.  Is just having them available to view enough, or do you want/need the visitor to "click-through" to force them to at least see the first few lines, or do you have a "positive affirmation" tick box process that will not let them connect unless they acknowledge the terms?

What level of internet protection do we apply to the visitor guest connection?
It's a toss up between this one and the Ts&Cs which one causes the most delays.  How restrictive (or open) do you want to be with your guest connection?  What liability do you want to accept?  It goes without saying that the visitor internet link should go through some form of (modern) firewall, and if you can the link should enforce anti-virus and anti-malware protection, but how far should you go? Do you configure URL filtering to prevent visitors from connecting to "bad" sites, and what constitutes a "bad" site?  A lot of organisations I have worked with apply the same level of URL filtering to the visitor network as is applied to the internal staff network - mainly because this requires the least amount of thinking and discussion, and it is easy to get past the governance people.

The issue that is starting to make itself felt at the moment is the great internet security bypass port, otherwise known as port 443 (https).  Should internet traffic for visitors be decrypted and examined for malicious traffic or should it be let through with no content inspection?  The answer is - it depends.  It depends on your level of paranoia, it depends on whether your firewalls have enough spare CPU cycles to perform the decryption and inspection, it depends on your industry and how savvy your visitors are likely to be.

This subject has a second question - what network ports or protocols should be allowed over the visitor connection?  Some customers only want visitors to be able to browse the internet, others want their visitors to be able to "work" whilst connected to their visitor network, which implies allowing VPN connections, cloud connections, SIP/voice and other productivity applications.  Again, this sort of discussion needs to be held right at the very beginning, when the business is deciding WHY it is providing visitor access at all.

What level of protection do we apply to the wireless connection itself?
This answer will change in the next few years.  At the moment it is pretty easy, WPA2 Personal or None.  WPA2 Personal will require that the visitor reconfigures their wireless connection on their end device to allow it to connect, and this can be an issue with technology-challenged visitors.  If you go down this route, be prepared to have your reception team or IT help desk involved in reconfiguring visitor devices.  The alternative is no encryption on the wireless (known as Open).  This is the normal default for most public hotspots, airline lounges and places like that, and requires that the visitor make no changes to their wireless configuration to connect.  Just be sure that the Ts&Cs (see above) make it very clear that the wireless network traffic is in the clear, and anyone can sniff or capture the data, and that the organisation makes no guarantees around the security of their data.

In the next couple of years, we will see the introduction of WPA3 (Aruba has already announced availability), which is a new technical standard that will create a private encrypted connection for each visitor, without them having to enter any local keys (which is what WPA2 Personal requires).  WPA3 will require changes to the hardware and/or drivers on both the Access point and client sides, so it will take a while to become standard.

Do we throttle the connection?
How much of our internet bandwidth do we allocate to our visitors?  Often organisations will use their corporate internet connection to deliver their visitor network connection. There are two big issues with this - bandwidth and reputation.  Too many visitors, or visitors doing too much can eat internet bandwidth quickly, so there needs to be a way to throttle the connection; either on an aggregate connection basis (visitor wireless can only use 10% of the internet connection, no matter how many visitor wireless users there are), or on a per user/visitor basis (each visitor gets only 100Kb/s of internet access), or if you are lucky your wireless system will let you mix and match throttling in more intelligent ways.

The visitor reputation issue is where a visitor uses your (free) wireless connection to conduct activities that generate a lot of low reputation activity, such as sending spam.  If this spam traffic is noticed by some of the internet reputation services out there, the corporate internet connection may be blacklisted for valid email connections, and it can take some time to get some of these blacklistings removed.

If it can be arranged, a dedicated and low cost visitor internet connection removes these issues, protecting business internet traffic from visitor volume, and removing the reputational risk.
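
The two throttling modes described above (an aggregate cap for all visitors plus a per-visitor cap), combined as nested token buckets. This is an added example, not code from the original post or from any wireless vendor; the 10 Mb/s link, the one-second burst and the packet load are assumed figures, and `TokenBucket`, `GuestShaper` and `simulate` are illustrative names.

```python
from dataclasses import dataclass

@dataclass
class TokenBucket:
    rate_bps: float          # refill rate, bits per second
    burst_bits: float        # bucket depth (largest burst allowed)
    last: float = 0.0        # time of the previous refill, seconds
    tokens: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bits            # start with a full bucket

    def refill(self, now):
        gained = (now - self.last) * self.rate_bps
        self.tokens = min(self.burst_bits, self.tokens + gained)
        self.last = now

class GuestShaper:
    """A packet passes only if the visitor's own bucket AND the shared
    guest bucket can both pay for it (per-user cap inside an aggregate cap)."""
    def __init__(self, link_bps, guest_share, per_user_bps, burst_s=1.0):
        agg = link_bps * guest_share
        self.aggregate = TokenBucket(agg, agg * burst_s)
        self.per_user_bps, self.user_burst = per_user_bps, per_user_bps * burst_s
        self.users = {}

    def admit(self, user, size_bits, now):
        if user not in self.users:
            self.users[user] = TokenBucket(self.per_user_bps, self.user_burst, last=now)
        bucket = self.users[user]
        bucket.refill(now)
        self.aggregate.refill(now)
        if min(bucket.tokens, self.aggregate.tokens) < size_bits:
            return False                         # over a limit: drop or queue
        bucket.tokens -= size_bits
        self.aggregate.tokens -= size_bits
        return True

def simulate(n_users, seconds=60, tick_ms=10, packet_bits=12_000):
    """Constructed load: each visitor offers one 1500-byte packet per tick
    (1.2 Mb/s). Returns achieved bits/s per visitor."""
    # Assumed figures: 10 Mb/s link, guests get 10% of it, 100 kb/s per visitor.
    shaper = GuestShaper(10_000_000, 0.10, 100_000)
    users = [f"visitor{i}" for i in range(n_users)]
    sent = dict.fromkeys(users, 0)
    for step in range(seconds * 1000 // tick_ms):
        start = step % n_users                   # rotate who goes first
        for user in users[start:] + users[:start]:
            if shaper.admit(user, packet_bits, step * tick_ms / 1000):
                sent[user] += packet_bits
    return {u: bits / seconds for u, bits in sent.items()}

if __name__ == "__main__":
    for n in (3, 50):
        print(n, "visitors, total b/s:", round(sum(simulate(n).values())))
```

With three visitors the per-visitor cap is what binds; with fifty, the shared 10% cap holds the total near 1 Mb/s regardless of how many visitors are connected.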

To reiterate, the delivery of visitor or guest wireless is a business decision, and it is our job to help the business decision makers understand the impact of their decisions, and to guide them in coming up with a workable, stable visitor wireless access that will enhance the bottom line.

Ross Wakelin

<rant>

I am seeing so many wireless APs mounted vertically on walls instead of horizontally on ceilings or beams.  

These wireless installations are normally at schools, churches or halls, and are usually Ubiquiti devices.  Now I have nothing against Ubiquiti as a wireless device, and in fact I use them myself, mainly for backhaul or mesh solutions.  Ubiquiti is the vendor of choice for a lot of smaller installations, and the provider is usually "Joe's Electrical", the small business that does some electrical wiring, some data cabling, and small wireless installs.  These installers understand the "omni" aerial as providing a bubble of coverage around the AP, and that seems to suit locations that we are talking about.  These installs probably work as well, giving coverage in the hall or wherever, and the customer is happy.  It just triggers my sense of "rightness", knowing that half of the signal from these APs is being wasted through the ceiling or roof, and a much better coverage and throughput could be given to the customer if the AP was only mounted the way it was designed to be.

</rant>
