Configuring Access Points
March 04, 2003
Most wireless LAN access point default configurations enable plug-and-play operation; however, these out-of-the-box configurations can limit performance and security. Learn how to get the most out of your wireless LANs by effectively tuning access points.
As part of the installation of a wireless LAN (WLAN), you need to configure the access points in a way that best meets requirements. As a minimum, review the configuration settings offered by your access points and read corresponding documentation. The vendor manuals often provide valuable tips for configuring the access point based on various types of scenarios.
In order to configure the access point, connect a laptop or PC to the access point's console port via a serial cable. Through the use of terminal software, you can view access point configuration screens and change specific settings, such as radio channel, transmit power, etc. The problem is that this method of accessing the configuration screens is often character-based and not user friendly. Plus, a serial cable requires you to stay in close proximity to the access point when performing the configurations.
If your laptop or PC is equipped with a radio card, then you can access the configuration screens through the use of a Web browser by typing the Internet Protocol (IP) address of the access point as the URL for the Web page (such as typing "http://192.168.0.1" without the quotes, for example). If the IP address in the laptop or PC is set within an acceptable range of the access point (the IP address would be 192.168.0.xxx, with the last three digits something between 2 and 254), then the browser will render the configuration screens in a much improved format.
Access Point Configuration Options
Access points include a wide variety of configuration settings, and the following represents the more common items you can change:
- IP address. Every access point (indeed, every client and server as well) must have a unique IP address to enable proper operation on the network. The access point will come with a pre-assigned IP address, but you'll probably need to change it to match the address plan of your corporate network. In most cases, the use of static IP addresses in access points is best, mainly to make operational support easier. Some access points allow you to use dynamic host configuration protocol (DHCP) so that the access point automatically obtains an IP address from a DHCP server. This may be beneficial for some home applications if the broadband service provider offers addresses via DHCP.
- Radio channel. Set access points that are within range of each other to different radio channels. This keeps one access point from interfering with the others. With 802.11b networks, use channels 1, 6, and 11 to ensure enough frequency separation to avoid conflicts. 802.11a channels, however, don't overlap, so just be sure the adjacent 802.11a access points are set to different channels. Some access points have a feature whereby the access point automatically sets its channel based on others already in use, making installation much easier.
- Transmit power. In most cases, the transmit power should be set to the highest value (100mW in the U.S.). This maximizes range, which reduces the number of access points and cost of the system. If you're trying to increase the capacity of the network by placing access points closer together, set the power to a lower value to decrease overlap and potential interference. Lower power settings also limit the wireless signals from propagating outside the physically controlled area of the facility, which improves security.
- Service set identifier (SSID). The SSID defines the name of a WLAN that users associate with. By default, the SSID is set to a common value, such as tsunami for Cisco products. In order to improve security, you should change the SSID to a non-default value to make it harder for unauthorized users to associate with the access point. For even better security, some access points let you disable SSID broadcasting. This keeps most client device operating systems (e.g., Windows XP) from sniffing the SSID from access point beacons and automatically associating with the access point. Someone could, however, obtain the SSID using other sniffing tools that obtain the SSID from 802.11 frames when users first associate with the access point.
- Data rate. Most access points allow you to identify acceptable data rates. By default, 802.11b access points operate at 1, 2, 5.5, and 11Mbps data rates, depending on the quality of the link between the client device and the access point. As the link quality deteriorates, the access point will automatically throttle down to lower data rates in an attempt to maintain a connection. You can, however, exclude specific data rates. For example, you may want communications only at 11Mbps or not at all. This could be necessary to support higher bandwidth applications.
- Beacon interval. The beacon interval is the amount of time between access point beacon transmissions. The default value for this interval is generally 10ms, that is 10 beacons sent every second. This is sufficient to support the mobility speed of users within an office environment. You can increase the beacon interval and have lower overhead on the network, but then roaming will likely suffer. It's best to leave this setting alone.
- Request-to-send / clear-to-send (RTS / CTS). The RTS / CTS function alleviates collisions due to hidden nodes, which is when multiple stations are within range of a common access point but out of range of each other. In most cases, it's best to disable RTS / CTS, but refer to a previous tutorial for cases where RTS / CTS may be beneficial and what threshold values to use.
- Fragmentation. Fragmentation can help reduce the amount of data needing retransmission when collisions or radio frequency (RF) interference occurs. As with RTS / CTS, refer to a previous tutorial for cases where fragmentation may be beneficial and applicable threshold values.
- Encryption. Most access points allow the enabling of wired equivalent privacy (WEP), which encrypts the frame body (not headers) of each data frame. Use WEP as a minimum level of protection. WEP is somewhat static and requires you to configure each access point and client device with the same encryption key. When using 40-bit keys, you'll need to enter a key having 10 hexadecimal characters (0-9, a-f, or A-F). 128-bit keys, which offer better security, are 26 hexadecimal characters long. For even better security, some access points offer more advanced forms of encryption, such as dynamic WEP, which ensure that keys change automatically at a rate that hopefully thwarts a hacker from cracking the security.
- Authentication. As part of the 802.11 standard medium access control (MAC) functions, access points implement the default 802.11 open system authentication and sometimes shared key authentication. Neither one of these forms of authentication provides very good security. As a result, many access points now include 802.1x mechanisms that authenticate users with an external authentication server. Certainly consider activating these more advanced authentication methods when configuring the access point. Access points will soon have Wi-Fi Protected Access (WPA) mechanisms as well that will offer effective standards-based encryption and authentication.
- Administrative interfaces. In order to improve security, be sure to disable the console port of the access point to prevent an unauthorized person from reconfiguring an access point and removing encryption and authentication functions. Also, be certain to change the default administrative login user name and password to ensure hackers don't have easy access to configuration settings.
Always update the access point firmware as soon as you remove the access point from its box. In addition, be sure to check for updates periodically. By having the latest firmware, you'll have the most up-to-date configuration and operational elements available, possibly improving performance and security of your WLAN.
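The security-relevant settings from the list above can be checked mechanically across a fleet of access points. The following Python audit is an added example, not part of the original article or any vendor tool; the inventory format and field names are hypothetical, and the sample data is constructed.

```python
import re

# Constructed sample inventory; field names are hypothetical, not a vendor schema.
APS = [
    {"name": "ap-lobby", "ssid": "tsunami", "broadcast_ssid": True, "channel": 1,
     "wep_key": "0123456789", "auth": "open", "console_enabled": True,
     "default_admin_login": True, "neighbors": ["ap-floor1"]},
    {"name": "ap-floor1", "ssid": "corp-wlan-7f", "broadcast_ssid": False, "channel": 3,
     "wep_key": "a1b2c3d4e5f60718293a4b5c6d", "auth": "802.1x", "console_enabled": False,
     "default_admin_login": False, "neighbors": ["ap-lobby"]},
]
DEFAULT_SSIDS = {"tsunami"}       # default named in the article; extend per vendor
WEP_HEX_LEN = {10: 40, 26: 128}   # hex characters -> key size, per the article

def wep_key_bits(key):
    """Return 40 or 128 for a well-formed hex WEP key, else None."""
    if key and re.fullmatch(r"[0-9a-fA-F]+", key):
        return WEP_HEX_LEN.get(len(key))
    return None

def channels_overlap(a, b):
    """802.11b channel centres are 5 MHz apart and each is about 22 MHz wide,
    so fewer than 5 channel numbers of separation means overlap."""
    return abs(a - b) < 5

def audit(aps):
    """Return (ap_name, finding) pairs for settings the article warns about."""
    by_name = {ap["name"]: ap for ap in aps}
    findings = []
    for ap in aps:
        bits = wep_key_bits(ap.get("wep_key"))
        checks = [
            (ap["ssid"].lower() in DEFAULT_SSIDS, "default SSID"),
            (ap["broadcast_ssid"], "SSID broadcast enabled"),
            (bits is None, "WEP off or key malformed"),
            (bits == 40, "40-bit WEP key; 128-bit preferred"),
            (ap["auth"] in ("open", "shared-key"), "no 802.1x authentication"),
            (ap["console_enabled"], "console port enabled"),
            (ap["default_admin_login"], "default admin login"),
        ]
        checks += [(channels_overlap(ap["channel"], by_name[o]["channel"]),
                    f"channel overlaps {o}") for o in ap["neighbors"]]
        findings += [(ap["name"], msg) for hit, msg in checks if hit]
    return findings

if __name__ == "__main__":
    for name, finding in audit(APS):
        print(f"{name}: {finding}")
```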
Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book Wireless LANs and offers workshops on deploying wireless LANs.