2. Wi-Fi (or WiFi) is a technology for wireless local area networking with devices based on the IEEE
802.11 standards. Wi-Fi is a trademark of the Wi-Fi Alliance, which restricts the use of the
term "Wi-Fi Certified" to products that successfully complete interoperability certification testing.
Wi-Fi networks use radio waves, typically in unlicensed spectrum in the 2.4 GHz (12 cm) UHF and
5 GHz (6 cm) SHF ISM bands, to connect client devices to a wireless access point. In homes the
access point is usually built into the "router" that connects to the Internet; in enterprise and
carrier networks the access points are separate devices behind a controller or gateway.
Anyone who has connected to Wi-Fi at an airport, coffee shop, library or hotel has used an open
Wi-Fi network. Locations with open and public wireless access are called wireless or public Wi-Fi
hotspots.
Because the medium is shared radio, Wi-Fi is more exposed to attack than a wired connection such
as Ethernet: anyone within radio range can receive the frames. Traffic to web pages that use
Transport Layer Security (TLS) is protected in transit, but unencrypted traffic on an open network
can be read, and modified, by an intruder.
For protection, Wi-Fi has adopted various encryption technologies. The early scheme, Wired
Equivalent Privacy (WEP), proved easy to break. Stronger protocols, Wi-Fi Protected Access
(WPA and WPA2), were added later. Wi-Fi Protected Setup (WPS), an optional feature added in 2007
to simplify joining a network, was later found to have a PIN-recovery weakness that lets an
attacker within range obtain the network passphrase, so it should be disabled on access points
that support it.
Introduction
3. There are two basic types of deployment models in wireless:
1. capacity based deployment models
2. coverage based deployment models
Capacity based deployment models
In a capacity based type of deployment, the goal is to provide good quality
wireless service to a concentrated set of concurrent users in a confined area.
Factors to consider when designing capacity based networks are:
• Number of users in a specific area covered by a single AP
• Number of Wi-Fi devices per person
• Percentage of users that are expected to be active
• Types of applications and throughput needed
• Mix of applications
• Type of client devices in the network (2.4 GHz-only vs. dual-band 5 GHz capable)
• Legacy (802.11a/b/g) vs. 802.11n client protocols
Deployment models
4. In a coverage based wireless design, the goal is to provide good quality of service (in terms of
RF signal strength) in as much of the area as possible with a single or multiple access points.
Examples of coverage based deployments: schools, warehouses, hospitals, clinics, hotels,
offices.
Factors to consider when designing coverage based networks are:
• Type of site - office, cubicle, warehouse, single room motel/hotel, etc.
• Floor plan and ceiling height – e.g. office (10 ft./3 m), warehouse (20 ft./6 m), gym (30 ft./9 m)
• Construction materials and obstructions - e.g. concrete, brick, drywall, elevator shafts
• Number of floors
• Exclusion areas – locations where coverage is not required (or is explicitly not wanted)
Distance guidance (in feet) by site characteristics and what the network is optimized for:

  Site characteristics                  Casual data      Business-class   Voice, video
  Easy (line of sight, open
    space/cubes)                        300-600 feet     200-300 feet     100-200 feet
  Medium (dry wall, wood)               150-250 feet     100-200 feet     50-100 feet
  Difficult (concrete, cluttered)       50-100 feet      40-70 feet       25-50 feet
Coverage based deployment models
5. Wi-Fi topologies:
• AP based topology
• Peer to peer topology
• Point to multi-point bridge topology
Wi-Fi Topology
6. IEEE 802.11 Wi-Fi Standards
802.11a - Wireless network bearer operating in the 5 GHz band with data rates up to 54 Mbps.
802.11b - Wireless network bearer operating in the 2.4 GHz ISM band with data rates up to 11 Mbps.
802.11e - Quality of service and prioritization
802.11f - Inter-Access Point Protocol for handover between APs (later withdrawn)
802.11g - Wireless network bearer operating in the 2.4 GHz ISM band with data rates up to 54 Mbps.
802.11h - Spectrum and transmit power management (DFS/TPC) for the 5 GHz band
802.11i - Authentication and encryption (the RSN security framework behind WPA2)
802.11j - 4.9/5 GHz operation in Japan
802.11k - Radio resource measurement reporting
802.11n - Wireless network bearer operating in the 2.4 and 5 GHz bands with data rates up to 600 Mbps.
802.11s - Mesh networking
802.11u - Interworking with external networks (the basis of Hotspot 2.0 network discovery)
802.11ac - Wireless network bearer operating in the 5 GHz band (below 6 GHz), designed for at least
1 Gbps of aggregate multi-station throughput and 500 Mbps on a single link.
802.11ad - Wireless network bearer providing very high throughput in the 60 GHz band.
802.11af - Wi-Fi in TV spectrum white spaces (often called White-Fi).
802.11ah - Wi-Fi using unlicensed spectrum below 1 GHz to provide long range communications and
support for the Internet of Things.
8. Carrier Grade Wi-Fi project key points
Large coverage footprint and radio performance
Reliable, carrier grade quality
Capacity based design: good bandwidth and speeds
Integration
Mobility and roaming
Security policy
Easy to use
ROI and value added services offer
9. High Density Design Recommendations - best practices based on many
successful installations, which should serve as guidelines for proper design,
planning, and deployment of a wireless network.
1) Identify high density areas - start the design process by using a live RF survey tool to identify
areas of high density.
2) Use dual band APs - use dual band concurrent access points (2.4 GHz and 5 GHz radios)
to maximize available throughput for users. Always enable both radios.
3) Design AP overlap - place the APs in high density areas such that each client
always sees two to three access points. If an access point is overloaded at any
given time, the client can be load balanced to another access point without any negative
impact to the end user.
4) Load balance traffic - set the thresholds on the AP so that the over-the-air
resource is used effectively and traffic is balanced across all of the access points that
clients can see.
Recommended settings: a maximum of 25 to 30 clients per AP for high throughput
applications and a minimum RSSI threshold of -73 dBm. This means that any particular
AP serves at most 25 to 30 clients, all with good reception.
5) Set AP power lower - turning AP power up causes additional co-channel and
adjacent-channel interference.
The recommended method is to add a third AP while setting the output power to one half or
one quarter for the 2.4 GHz radio and to one half for the 5 GHz radio.
Design Recommendations
10. When designing high density wireless networks, it is critical to understand which
applications will be used and how much bandwidth each application will consume in
terms of throughput per user.
General references exist for how much throughput common applications need, such as
web browsing, audio, video, printing, file sharing, and online testing. For online video
applications such as youtube.com, throughput requirements vary from 2 to 4 Mbps per user
depending on the video resolution. Once the bandwidth per application is known, this number
can be used to calculate the bandwidth required per user.
In addition to the type of applications to be used, bandwidth requirements will vary
based on the number of expected users on the wireless network. As more users
access the network, throughput per user goes down, causing slower transmission
rates. If the network consists of mixed clients (802.11a, b, g and 802.11n modes), the
average throughput per client will also go down as the number of legacy clients grows,
because their low PHY rates consume a disproportionate share of airtime.
Once the types of applications are identified and the bandwidth per type of
application is determined, you can establish the aggregate bandwidth required by
multiplying the Mbps per user by the number of expected concurrent users in the coverage area.
Establishing Bandwidth Requirements
11. In practice, there are several factors that will significantly reduce AP throughput vs.
the theoretical limit:
• Protocol and packet overhead - can reduce throughput by 40 - 50%
• Slow or “far away” clients - clients that are further away or in an area of weaker
signal strength must step down the transmission physical rate (PHY) rate to send
the packet (e.g. a client sending a packet at 1 Mbps will take 100 times longer than
a client sending the same packet at a PHY rate of 100Mbps), potentially causing an
additional 50% degradation of throughput.
• Uneven distribution of clients - in a dual band concurrent AP, both bands can
simultaneously support client traffic. However, not all clients are dual band and there
is no guarantee that even the dual band clients will evenly distribute themselves
between 2.4 and 5GHz. Network effectiveness may be reduced by another 50% due
to the behavior of the clients.
• Control traffic – control traffic exchanged between the AP and various clients at low
PHY rates can further reduce available bandwidth by 25%.
• Other – co-channel and adjacent channel interference, retransmissions,
and misbehaving clients will further reduce AP throughput.
Determining Access Point Throughput
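The two slides above give the inputs (application mix, devices per user, active percentage) and the derating factors, but stop short of carrying them through. The following planner is an added example, not code from the original presentation: it chains those factors with the 25 to 30 clients per AP cap from the design recommendations and returns the AP count that satisfies both the throughput and the client-cap constraint. The application profiles, the 300 Mbps PHY rate and the 200-seat lecture hall are constructed assumptions.

```python
"""Capacity planner for a high density Wi-Fi area.

Added example, not code from the original slides. It chains the inputs the
slides list (application mix, devices per user, active percentage) with the
derating factors quoted under "Determining Access Point Throughput" and the
25-30 client per AP cap from the design recommendations. The application
profiles, PHY rate and the sample lecture hall are constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AppProfile:
    name: str
    mbps_per_user: float   # throughput one active user of this application needs
    share: float           # fraction of active users running this application


# Fraction of theoretical throughput *retained* after each loss the slides quote.
DERATING = {
    "protocol_overhead": 0.55,  # protocol and packet overhead: 40-50% lost
    "far_clients": 0.50,        # slow/far clients stepping down the PHY rate
    "band_imbalance": 0.50,     # clients not spreading evenly over 2.4/5 GHz
    "control_traffic": 0.75,    # control frames at low PHY rates: 25% lost
}


def effective_ap_throughput(phy_rate_mbps: float, factors=DERATING) -> float:
    """Usable Mbps of one AP after the listed real-world losses."""
    usable = phy_rate_mbps
    for fraction in factors.values():
        usable *= fraction
    return usable


def per_user_demand(apps) -> float:
    """Weighted Mbps a single active user needs across the application mix."""
    total_share = sum(a.share for a in apps)
    if not math.isclose(total_share, 1.0):
        raise ValueError(f"application shares must sum to 1.0, got {total_share}")
    return sum(a.mbps_per_user * a.share for a in apps)


def aggregate_demand(apps, users: int, devices_per_user: float, active_pct: float) -> float:
    """Aggregate Mbps required in the coverage area."""
    active_devices = users * devices_per_user * active_pct
    return per_user_demand(apps) * active_devices


def plan_aps(apps, users, devices_per_user, active_pct, phy_rate_mbps,
             max_clients_per_ap=30):
    """AP count needed: the larger of the throughput and client-cap constraints."""
    demand = aggregate_demand(apps, users, devices_per_user, active_pct)
    usable = effective_ap_throughput(phy_rate_mbps)
    by_throughput = math.ceil(demand / usable)
    total_devices = math.ceil(users * devices_per_user)
    by_client_cap = math.ceil(total_devices / max_clients_per_ap)
    return {
        "aggregate_demand_mbps": demand,
        "usable_mbps_per_ap": usable,
        "aps_by_throughput": by_throughput,
        "aps_by_client_cap": by_client_cap,
        "aps_required": max(by_throughput, by_client_cap),
    }


# Constructed sample: a 200-seat lecture hall with a mixed application load.
SAMPLE_APPS = [
    AppProfile("web/email", 0.5, 0.5),
    AppProfile("HD video", 3.0, 0.3),
    AppProfile("online testing", 0.25, 0.2),
]


def sample_plan():
    # 1.5 devices per person, 60% active at once, 2x2 802.11n APs at 300 Mbps PHY.
    return plan_aps(SAMPLE_APPS, users=200, devices_per_user=1.5,
                    active_pct=0.6, phy_rate_mbps=300)


if __name__ == "__main__":
    for key, value in sample_plan().items():
        print(f"{key:>24}: {value}")
```

For the sample hall the derating chain leaves roughly 31 Mbps usable per 300 Mbps AP, so 7 APs would carry the 216 Mbps aggregate demand, but 300 devices at 30 per AP forces 10; the client cap, not raw bandwidth, is the binding constraint, which is why the slides put the per-AP client limit next to the RSSI threshold.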
12. Wi-Fi offloading
Explosion of data consumption in mobile networks.
3GPP access networks (UMTS, LTE and LTE-A) suffer from limited
availability of licensed spectrum.
Wi-Fi is ideally positioned to extend cellular coverage. It uses
unlicensed spectrum in the ISM bands (2.4 GHz and 5 GHz).
The first step (today) is manual selection of a Wi-Fi hotspot and login.
Goal
The goal of 3GPP standardization is to create a converged network
solution with seamless coverage including Wi-Fi.
Additional network elements will be added to handle network selection,
authentication, security, flow control and handovers.
Data streams shall even be able to use both connections (cellular and
Wi-Fi) at the same time, depending on QoS requirements.
Wi-Fi offloading
13. Wi-Fi networks: trusted or untrusted. The EPC architecture defines two
access paths for non-3GPP access networks towards the EPC: trusted and
untrusted.
Trusted non-3GPP access path:
1. The security level of the access network (from the operator's perspective) is sufficiently safe.
2. Authentication is similar to 3GPP access - via USIM credentials (EAP-SIM/AKA over 802.1X).
Example: the carrier's own installed Wi-Fi
Untrusted non-3GPP access path:
1. No security is assumed from the access network.
2. The device builds an IPsec tunnel to the operator's evolved Packet Data Gateway (ePDG), so
traffic stays protected even over an open hotspot.
Example: access using public hotspots
Wi-Fi offloading
14. Typically up to 45% of data is already offloaded by
users' 'casual offload' at home, work and public Wi-Fi.
It is difficult to assess how much can be offloaded, as
you can't count what would never have been on
cellular.
A successful Wi-Fi offload strategy can only be
achieved by deploying a successful Wi-Fi
management solution.
Challenge:
1. Flat rate plans
2. Demand for data keeps on increasing
3. Limitations of licensed spectrum
4. Can't use traditional methods of expansion
•Wi-Fi exists everywhere
•Currently 40% of content delivered to smartphones
goes over Wi-Fi
•802.11n adds significant capacity
•Doesn't depend on RAN nodes for routing
•Can be applied to legacy and new technologies
Wi-Fi offloading
22. Authentication Options - two main authentication
models
EAP/802.1X - authentication at the WLC or AP, authorization at the ISG
• AAA (RADIUS) is the authentication server
• EAP-SIM/AKA - requires proper supplicant software
available on the terminal device
• Seamless once configured; non-SIM methods require client configuration
(certificates, username/password, etc.)
Weblogin - portal-based authentication and
authorization
• Open SSID (no link-layer encryption)
• Subsequent logins are transparent/automatic using the
device MAC address
• Vulnerable to MAC spoofing: the MAC is sent in the clear on an open SSID, so anyone
in range can copy an authenticated client's address and inherit its session
• Requires no client configuration, completely web-
based
Authentication
23. Alternative authentication methods include:
1. EAP-TTLS, while retrieving policies as if it were an EAP-SIM/AKA authentication
2. Authentication via a one-time SMS code (to verify a mobile subscriber)
3. A WISPr-compliant client on the user device
4. Captive portal with manual log-in
5. 3rd party authentication tokens (such as SecurID)
6. MAC-based authentication (allows simple re-authentication of devices which
have previously been authenticated using another method such as manual log-in)
7. Location-based multi-device login, making MAC-based authentication more
secure
24. • 802.1X authentication using the EAP-TLS protocol
• TTLS (Tunneled Transport Layer Security)
  • Username/password inside a secure TLS tunnel
  • This is the most common form of EAP
  • Very widely supported, simple, with certificate-based security (the client must
    validate the server certificate, otherwise a rogue AP with its own RADIUS server can
    terminate the tunnel and capture the credentials)
• EAP-SIM full authentication, based on RFC 4186
  • SIM - uses the GSM SIM over EAP
  • Only works on SIM-based devices
  • No configuration on the device
  • Requires a connection to the HLR associated with the SIM
25. Web Portal Flow (figure, not reproduced here)
First time authentication
Second time authentication
Source: http://www.slideshare.net/rafaeljunquera/telesemana-webinar-enero-22-2013
26. UAM/WISPr Authentication
1. Open SSID
2. The user connects and receives an IP address from the DHCP server
3. DHCP/NAT can also be applied by the AP
4. The user's web traffic is redirected to the login page (redirection
enforced by the controller or AP)
5. Username and password are checked against RADIUS
6. The user is authenticated and the proper policies are applied/enforced at
the access point (rate limit, volume and/or time quota)
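The six steps above, together with the "transparent second login by MAC address" and its MAC-spoofing caveat from the Authentication Options slide, are modelled in the following gateway. It is an added example, not code from the presentation or from any controller vendor: RADIUS is simulated by a dictionary, and the portal URL, user names, passwords and MAC addresses are constructed sample values.

```python
"""Captive portal (UAM/WISPr) gateway model with MAC-bound sessions.

Added example, not code from the original slides or any vendor product. It
models the six steps on the slide: an open SSID, an address from DHCP,
unauthenticated web traffic redirected to the login page, credentials checked
against RADIUS (simulated here by a dictionary), and a session with a time and
volume quota then enforced per client. Because the only thing the gateway can
key the session on is the client MAC, it also shows the MAC-spoofing weakness
noted under "Authentication Options". The portal URL, users, passwords and
MAC addresses are constructed sample values.
"""
import hmac
from dataclasses import dataclass, field

LOGIN_URL = "https://portal.example.net/login"  # assumed portal address

# Stand-in for the RADIUS user database (constructed).
RADIUS_USERS = {"alice": "correct horse battery", "bob": "hunter2"}


@dataclass
class Session:
    user: str
    expires_at: float     # absolute time (seconds) when the time quota ends
    bytes_quota: int
    bytes_used: int = 0

    def valid(self, now: float) -> bool:
        return now < self.expires_at and self.bytes_used < self.bytes_quota


@dataclass
class Gateway:
    """The controller/AP function that redirects, authenticates and enforces."""
    session_ttl: float = 3600.0                   # 1 hour time quota
    bytes_quota: int = 200 * 1024 * 1024          # 200 MB volume quota
    sessions: dict = field(default_factory=dict)  # keyed by client MAC only

    def handle_http(self, mac: str, url: str, now: float):
        """Step 4: unauthenticated or expired clients get a 302 to the portal."""
        session = self.sessions.get(mac)
        if session is None or not session.valid(now):
            self.sessions.pop(mac, None)
            return 302, f"{LOGIN_URL}?orig={url}"
        return 200, url

    def radius_check(self, user: str, password: str) -> bool:
        """Step 5: Access-Request / Access-Accept, simulated."""
        stored = RADIUS_USERS.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())

    def login(self, mac: str, user: str, password: str, now: float) -> bool:
        """Step 6: on success, bind a quota-limited session to the MAC."""
        if not self.radius_check(user, password):
            return False
        self.sessions[mac] = Session(user, now + self.session_ttl, self.bytes_quota)
        return True

    def account(self, mac: str, nbytes: int) -> None:
        """Volume accounting for an authenticated client."""
        session = self.sessions.get(mac)
        if session is not None:
            session.bytes_used += nbytes


def demo():
    """First login, transparent re-login, MAC spoofing, time and volume expiry."""
    gw = Gateway()
    victim = "aa:bb:cc:dd:ee:01"
    url = "http://news.example.org/"
    results = {}
    results["first_visit"] = gw.handle_http(victim, url, now=0.0)[0]
    results["bad_password"] = gw.login(victim, "alice", "wrong", now=1.0)
    results["login"] = gw.login(victim, "alice", "correct horse battery", now=1.0)
    results["second_visit"] = gw.handle_http(victim, url, now=600.0)[0]
    # An attacker in radio range who clones the victim's MAC presents exactly
    # the same key the gateway stored; it never saw a password, only the MAC.
    attacker_presenting_cloned_mac = victim
    results["spoofed_visit"] = gw.handle_http(attacker_presenting_cloned_mac, url, now=601.0)[0]
    results["after_time_quota"] = gw.handle_http(victim, url, now=3601.0)[0]
    gw.login(victim, "alice", "correct horse battery", now=3602.0)
    gw.account(victim, 300 * 1024 * 1024)   # exceeds the 200 MB volume quota
    results["after_volume_quota"] = gw.handle_http(victim, url, now=3603.0)[0]
    return results
```

The `spoofed_visit` result is the point of the Authentication Options caveat: once a session is keyed on nothing but a MAC address that travels in the clear over an open SSID, the gateway cannot distinguish the subscriber from a clone. That is what the location-based checks listed among the alternative methods try to compensate for, and what 802.1X with per-session keys removes outright.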
28. Best practice for Wi-Fi offloading - EAP-SIM/AKA
SIM-based authentication is the best practice for authentication for mobile data
offloading as it utilizes the same mechanism as in the 3G/LTE network, making the
authentication process seamless and secure for the end-user.
An automatic authentication process, in combination with smartphones' tendency
to prioritize Wi-Fi over 3G/LTE connections, will ensure a high rate of offloaded
users.
The 3GPP AAA server authenticates users based on the information retrieved from the HLR or HSS
in the mobile core, in accordance with the 3GPP AAA functionality.
The Wi-Fi network must support 802.1X in order to deliver the SIM credentials to
the SIM authentication function. This provides the additional benefit of
encrypting the Wi-Fi link: the session keys derived during EAP-SIM/AKA seed the
WPA2 link encryption, giving protection comparable to that of the 3G/LTE radio link.
The security and the automatic authentication process make the Wi-Fi network a
trusted extension of the 3G/LTE network.
Together with the IEEE 802.11u standard, SIM-based EAP-SIM/AKA
authentication has become the foundation of the next generation hotspot,
Hotspot 2.0 (Passpoint), as defined by the Hotspot 2.0 Task Group in the Wi-Fi Alliance.
Mobile operators will also need alternative authentication methods to support
customers' Wi-Fi devices that have no SIM card or no support for EAP-SIM/AKA.
Wi-Fi offloading -Best practice
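The EAP methods slide says EAP-SIM "requires a connection to the HLR" and the slide above says the derived keys encrypt the Wi-Fi link; the exchange below shows why both hold. It is an added example, not code from the presentation or from any operator or supplicant stack, and it is a simplified model of RFC 4186: the message structure (identity and NONCE_MT, n triplets from the HLR, AT_MAC on the challenge, AT_MAC over n*SRES, MSK to the AP) follows the RFC, but the SIM's A3/A8 is stood in by HMAC-SHA256 rather than COMP128 or Milenage, and key expansion uses HMAC-SHA256 rather than the RFC's FIPS 186-2 PRF. IMSI, Ki and realm are constructed values.

```python
"""EAP-SIM full authentication: simplified model of the RFC 4186 exchange.

Added example, not code from the original slides or any operator/vendor
stack. Structure follows the RFC (identity, NONCE_MT, n GSM triplets from the
HLR, AT_MAC on the challenge so the peer authenticates the network, AT_MAC
over n*SRES so the network authenticates the SIM, MSK handed to the AP for
WPA2 link keys). NOT the real algorithms: A3/A8 is modelled with HMAC-SHA256
instead of COMP128/Milenage, and the key expansion uses HMAC-SHA256 instead
of the RFC's FIPS 186-2 PRF. IMSI, Ki and realm values are constructed.
"""
import hashlib
import hmac
import os

SELECTED_VERSION = b"\x00\x01"   # EAP-SIM version 1
N_TRIPLETS = 3                   # RFC 4186 allows 2 or 3 triplets


def a3a8(ki: bytes, rand: bytes):
    """Stand-in for the SIM's A3/A8: returns (SRES 4 bytes, Kc 8 bytes)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def derive_keys(identity: bytes, kcs, nonce_mt: bytes):
    """MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version);
    K_aut (16 bytes) and MSK (64 bytes) expanded from MK (simplified PRF)."""
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt
                      + SELECTED_VERSION + SELECTED_VERSION).digest()
    k_aut = hmac.new(mk, b"K_aut", hashlib.sha256).digest()[:16]
    msk = (hmac.new(mk, b"MSK\x01", hashlib.sha256).digest()
           + hmac.new(mk, b"MSK\x02", hashlib.sha256).digest())
    return k_aut, msk


def at_mac(k_aut: bytes, data: bytes) -> bytes:
    """AT_MAC attribute: HMAC-SHA1-128 under K_aut."""
    return hmac.new(k_aut, data, hashlib.sha1).digest()[:16]


class HLR:
    """Holds every subscriber's Ki; only it and the SIM can produce SRES/Kc."""
    def __init__(self, subscribers):
        self.ki = dict(subscribers)      # imsi -> Ki

    def triplets(self, imsi: bytes, n: int):
        if imsi not in self.ki:
            return None
        return [(rand, *a3a8(self.ki[imsi], rand)) for rand in (os.urandom(16) for _ in range(n))]


class SIMPeer:
    """Supplicant with a SIM: needs no configuration beyond the SIM itself."""
    def __init__(self, imsi: bytes, ki: bytes, realm=b"wlan.mnc001.mcc001.3gppnetwork.org"):
        self.ki = ki
        self.identity = b"1" + imsi + b"@" + realm   # RFC 4186 permanent identity form
        self.msk = None

    def start(self):
        self.nonce_mt = os.urandom(16)
        return self.identity, self.nonce_mt

    def challenge(self, rands, mac: bytes):
        """Run the SIM on each RAND, verify the network's AT_MAC, then answer
        with AT_MAC over n*SRES. Returns None if the network is not authentic."""
        sres, kcs = zip(*(a3a8(self.ki, rand) for rand in rands))
        k_aut, msk = derive_keys(self.identity, kcs, self.nonce_mt)
        if not hmac.compare_digest(mac, at_mac(k_aut, b"".join(rands) + self.nonce_mt)):
            return None
        self.msk = msk
        return at_mac(k_aut, b"".join(sres))


class AAAServer:
    """3GPP AAA server: authenticates against triplets fetched from the HLR."""
    def __init__(self, hlr: HLR):
        self.hlr = hlr

    def handle_start(self, identity: bytes, nonce_mt: bytes):
        imsi = identity[1:].split(b"@")[0]
        triplets = self.hlr.triplets(imsi, N_TRIPLETS)
        if triplets is None:                      # unknown subscriber: cannot proceed
            return None
        rands = [t[0] for t in triplets]
        k_aut, msk = derive_keys(identity, [t[2] for t in triplets], nonce_mt)
        ctx = {"k_aut": k_aut, "msk": msk, "sres": b"".join(t[1] for t in triplets)}
        return rands, at_mac(k_aut, b"".join(rands) + nonce_mt), ctx

    def handle_response(self, ctx, mac: bytes):
        """Returns the MSK for the AP on success, None on failure."""
        return ctx["msk"] if hmac.compare_digest(mac, at_mac(ctx["k_aut"], ctx["sres"])) else None


def run_eap_sim(peer: SIMPeer, server: AAAServer):
    """Full exchange; returns (success, msk_delivered_to_ap)."""
    identity, nonce_mt = peer.start()
    challenge = server.handle_start(identity, nonce_mt)
    if challenge is None:
        return False, None
    rands, mac, ctx = challenge
    response = peer.challenge(rands, mac)
    if response is None:
        return False, None
    msk = server.handle_response(ctx, response)
    return msk is not None and msk == peer.msk, msk


# Constructed subscriber data.
IMSI = b"001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
HOME_HLR = HLR({IMSI: KI})
```

The AAA server never learns Ki; it can only authenticate because the HLR hands it triplets computed from Ki, which is the dependency the EAP methods slide notes. The peer's check of the challenge AT_MAC is what makes the network authenticate itself too: a rogue hotspot that cannot obtain genuine triplets fails that check before any SRES is revealed, and the MSK that both sides end up sharing is what the AP uses as the pairwise master key for WPA2.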
29. What precautions can users take to help secure their use of public Wi-Fi
networks?
• Manually select Wi-Fi networks: configure your laptop, tablet or smartphone to select
a Wi-Fi network manually rather than having it connect automatically
• Use a VPN: VPN solutions provide encryption and integrity across public networks and hide
your traffic and destination addresses from the hotspot operator and other users in range
• Use two-factor authentication: the extra step adds a layer of protection that a
password-sniffing attacker on a public network would still have to overcome
• Check the authenticity of the Wi-Fi hotspot: confirm the correct network name and password
with the venue. Be wary if there is no WPA or WPA2 password (Wi-Fi Protected Access), and
remember that a shared WPA2 passphrase does not hide your traffic from other users who know it
• Check for HTTPS web pages: ensure that the web pages you visit are HTTPS encrypted
where possible. SSL/TLS encryption makes man-in-the-middle (MiTM) attacks
much less likely
• Patch and update software on a regular basis; this is an essential security practice,
especially for devices that use public Wi-Fi
• Avoid accessing sensitive information. By and large, public Wi-Fi networks should not
be used to access email, online banking and credit card accounts, or any other sensitive
data
• Log out when finished and turn off Wi-Fi when not in use. Don't stay permanently signed
in to your personal accounts when using public Wi-Fi hotspots, as you may leave
yourself exposed. For further security, log out from each website after each session
Security- public Wi-Fi networks
30. In fact, 46% of global mobile data traffic is being offloaded to Wi-Fi today.
A study estimates public Wi-Fi hotspots will grow to 340 million by 2016 globally,
amounting to 1 hotspot for every 20 people.
India - Carrier Wi-Fi
KDDI (Japan) rolled out the world's largest Wi-Fi based offload network.
Satish Chavan
satchavan@gmail.com
http://in.linkedin.com/in/satchavan
Please note : Non commercial document for information purpose only
January 2017