Troubleshooting WLANs to improve Wi-Fi uptime and security

May 24, 2005

IEEE 802.11-based wireless LANs, also called Wi-Fi networks, are quickly expanding into mainstream areas of business from their traditional niche applications in warehouses and on retail floors. As a result, it is becoming as important for network engineers and technicians to have the necessary tools to troubleshoot and secure their wireless networks as it is for their wired networks.

Especially useful are portable, integrated wireless/wired analyzers. Having a single device for troubleshooting both network segments allows technicians to quickly determine whether the sources of problems are wireless or wired issues – or non-network issues altogether – so they can maximize network availability for users, who are growing increasingly mobile.

There are several modes of Wi-Fi configurations, and visibility into all devices, RF channels, and protocol types in the various modes is critical for quick problem resolution. For example, it is important that ad-hoc peer-to-peer networks, as well as bridged, switched, and mesh infrastructure networks, can all be analyzed by device category, interface, and switch port using a single device.

Network Architectures

Ad-hoc networks consist of client devices communicating directly with one another in a peer-to-peer workgroup fashion. Ad-hoc networks can pose a threat if an unauthorized client(s) should automatically associate with a legitimate client that contains sensitive data or if they piggyback onto that client’s connection to gain access to wired network resources.

Wireless infrastructures are comprised of access points (APs) which are either connected directly to the wired network, or to wireless switches. They provide the RF environment for client devices, and can be configured to create point-to-point networks for bridging networks between buildings, such as across a parking lot.

Yet another infrastructure type is mesh networking. A mesh network consists of APs that communicate with one another using wireless routing protocols. Mesh networks enable communications with the wired network through a minimal number of access points that are connected to the wired network. Mesh networks are often considered in order to provide flexibility in access point placement and to reduce the costs and complexity of running cable from wiring closets to each AP.

Multimode Channel Scanning

In the radio access network of wireless clients and APs, it is becoming common that the full suite of 802.11 types – 802.11b and 802.11g, which operate in the 2.4GHz band, and 802.11a, which operates in the 5GHz band – will be in use in a given enterprise environment. The reason is that businesses desire to take advantage of the maximum number of non-interfering channels, avoid RF interference, and optimize WLAN capacity.

Even if an organization is using just one 802.11 mode, having a wireless analyzer that can scan all the channels in the 802.11b, a, and g bands is recommended as a best practice. Otherwise, your organization risks security threats from ad-hoc and rogue APs operating in the other bands.

A multimode analyzer scans the 802.11 channels in the 2.4GHz and 5GHz frequencies in a given geography to check for proper configuration, signal-to-noise ratio (SNR), bandwidth utilization levels, and other issues. If utilization on an AP is topping out, for example, it could be because there are temporarily too many wireless clients associated with it. On the other hand, perhaps a particular user or protocol is “hogging” bandwidth. Technicians equipped with wireless analyzers can discover those “top talkers,” enabling the company to decide whether MP3 downloads or other greedy traffic should be banned from the wireless environment.

Possible RF Problems

Unlike the wired network, the performance of the wireless LAN and users’ ability to access the network are prone to change as the environment surrounding APs and clients changes. Because users connecting to wireless APs are often mobile, it can be challenging to predict how many will be using a given AP at one time. In addition, intermittent coverage holes, or dead zones, may materialize when an AP becomes temporarily overloaded or when clients roam to areas where the RF signal strength is too weak to maintain association.

Dead zones in out-of-the-way areas where APs have not been installed can become a problem when new wireless applications, such as wireless voice over IP, are deployed. Also, changes to the physical environment made after the initial wireless site survey can impede the ability of clients and APs to communicate. Such changes might include the addition or movement of furniture, particularly metal file cabinets, and the installation of microwave ovens and other wireless consumer-grade devices.

Eliminating the Network as a Suspect

Often, of course, difficulties that wireless users experience have nothing to do with the wireless network or even the wired network. Infonetics Research reported last year that just 22% of network downtime in North America was actually due to network products, cables, and connectors. Rather, the firm estimated that 69% of downtime was attributable to service providers, servers, and applications.

Nonetheless, it is still the network technician’s job to identify whatever is causing perceived network problems. In many organizations, application support teams require that network issues be eliminated as possible culprits before they will troubleshoot their applications.

The Troubleshooting Process

When users encounter problems with their Wi-Fi connections, they typically call an internal help desk. When simple troubleshooting over the phone is not sufficient, the help desk dispatches a technician to the client’s location.

If a wireless user is having trouble logging in, the first thing the technician will want to determine is exactly where the problem is occurring. Using a portable test and measurement device that tests both the wireless and wired network is generally the quickest means to this end.

If the technician can use the wireless analyzer in client mode to successfully authenticate and associate from the problem location, then the problem may lie in the user’s client device configuration or in that client’s access rights. If the analyzer cannot reach the authentication server, the problem could lie in either the wireless or the wired physical layer. Not enough bandwidth, falling out of range, or interference, for example, could be at the root of the problem.

The technician can use a wireless analyzer to scan the wireless environment to measure signal strength and AP capacity from the problem location. Scanning in this manner is often referred to as passive mode, as the analyzer is not actually associated with an access point while performing these tests. In passive mode, the analyzer’s wireless NIC is only receiving wireless data and is not transmitting. If RF quality is satisfactory, then the technician will use the analyzer to link to the wireless network, in client mode, to conduct other tests such as authentication tests, ping, and throughput tests.

Often, technicians must verify that the client configuration conforms to the business’s security policies for packet encryption and authentication method (such as Extensible Authentication Protocol, or EAP, type). A mismatched security parameter would prevent successful authentication and authorization.

A well-designed portable wireless/wired analyzer should be able to monitor and troubleshoot every step of the authentication process to see if and where it breaks down. If the authentication server is denying the user access, for example, the issue might lie in the authentication server itself, the user’s security configuration, or the user’s access rights. Supervising the EAP authentication process from a wireless analyzer will eliminate a number of possibilities.

Bolstering Security and Performance

As mentioned earlier, wireless networks are dynamic. Once deployed, the wireless network environment continues to change. This happens in part through human error and sometimes through the addition of unauthorized devices to the network by employees seeking to improve their wireless access. In some cases, because wireless connectivity is three-dimensional in nature, outsiders beyond the physical walls of an organization can also use unauthorized APs to gain access, either by happenstance or by design.

Finding Rogue APs and Ad-Hoc Networks

Not all companies can justify the expense of deploying an overlay sensor network, such as an intrusion detection system (IDS), to seek out unauthorized, or rogue APs. In most cases, the process of locating unauthorized rogue APs and ad-hoc networks can be managed effectively by performing walk-around network audits that test for vulnerabilities. This involves configuring a portable test device so that production APs are designated as “authorized” in the test system software. The test device will then be able to quickly and clearly identify unauthorized APs and ad-hoc networks in real-time during periodic audits.

Conducting Network Audits

From a security standpoint, Gartner Inc. predicts that through 2006, 70% of successful Wi-Fi attacks will occur due to the misconfiguration of APs and client software. Wireless analysis tools can help prevent this by contributing to the best practice of conducting regular wireless audits to make sure APs and clients are configured in accordance with corporate policy, as recommended by the Bethesda, Md.-based SANS Institute, which offers information, security training and certification.

The institute recommends that enterprises regularly check each AP’s configuration and make sure it accurately reflects the organization’s internal security policies. For example, if an enterprise has adopted WPA and has selected, say, Protected Extensible Authentication Protocol (PEAP), one of several available authentication methods, network administrators should regularly check that all APs are indeed configured for PEAP.
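The audit check described in the two sections above (the authorized-AP list used to find rogue APs and ad-hoc networks, and the WPA/PEAP configuration check), as an added example that is not from the original article or from any analyzer product. The record format, the BSSIDs and SSIDs, and the assumption that the analyzer reports each AP's EAP type are constructed for illustration.

```python
# Added example: all BSSIDs, SSIDs and record fields below are constructed.
CAP_IBSS = 0x0002  # 802.11 Capability Information bit 1: ad-hoc (IBSS) network

# Policy from the article's example: WPA with PEAP on every production AP.
POLICY = {"security": "WPA", "eap": "PEAP"}

# Production APs designated "authorized" in the audit tool: BSSID -> expected SSID.
AUTHORIZED = {"00:11:22:33:44:01": "CORP", "00:11:22:33:44:02": "CORP"}

# Constructed walk-around scan covering 2.4GHz and 5GHz channels.
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CORP", "channel": 6,
     "cap": 0x0011, "security": "WPA", "eap": "PEAP"},
    {"bssid": "00:11:22:33:44:02", "ssid": "CORP", "channel": 36,
     "cap": 0x0011, "security": "WEP", "eap": None},
    {"bssid": "02:AA:BB:CC:DD:10", "ssid": "laptop-share", "channel": 11,
     "cap": 0x0002, "security": "OPEN", "eap": None},
    {"bssid": "00:DE:AD:BE:EF:99", "ssid": "home-ap", "channel": 149,
     "cap": 0x0001, "security": "OPEN", "eap": None},
]

def band(channel):
    """Channels 1-14 are 2.4GHz (802.11b/g); higher numbers are 5GHz (802.11a)."""
    return "2.4GHz" if channel <= 14 else "5GHz"

def classify(rec):
    """Return (status, reasons) for one scan record."""
    if rec["cap"] & CAP_IBSS:
        return "ad-hoc", ["IBSS capability bit set (peer-to-peer network)"]
    expected_ssid = AUTHORIZED.get(rec["bssid"].lower())
    if expected_ssid is None:
        return "rogue", ["BSSID is not on the authorized list"]
    reasons = [f"{key} is {rec.get(key)}, policy requires {want}"
               for key, want in POLICY.items() if rec.get(key) != want]
    if rec["ssid"] != expected_ssid:
        reasons.append(f"SSID is {rec['ssid']}, expected {expected_ssid}")
    return ("misconfigured", reasons) if reasons else ("authorized", [])

def audit(scan):
    """List every record that is not a correctly configured authorized AP."""
    findings = []
    for rec in scan:
        status, reasons = classify(rec)
        if status != "authorized":
            findings.append((status, rec["bssid"].lower(), band(rec["channel"]), reasons))
    return findings

if __name__ == "__main__":
    for status, bssid, rf_band, reasons in audit(SCAN):
        print(f"{status:13} {bssid} {rf_band:6} {'; '.join(reasons)}")
```

The unauthorized AP in the sample sits on channel 149, so a scan limited to the 2.4GHz band would not report it.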

Periodically, after the initial wireless site survey, network technicians can use their portable analyzers to analyze the RF environment and look for changes that might cause performance degradation. They can also watch for user trends – such as finding where wireless users congregate – which may indicate areas where additional APs should be installed.

Form Factor Considerations

There are several types of analyzers available for troubleshooting and securing your wireless network. At this juncture, the most useful type will likely be a portable device that is designed to troubleshoot both the wireless and wired enterprise network segments.

Portable Systems

Ruggedized, integrated network analyzers have several advantages over laptop computers and handheld, personal digital assistant (PDA)-style devices, as well as centralized systems (see subsection below). Laptops, for example, are limited in performance by the Windows Network Driver Interface Specification (NDIS) drivers, which specify how communications protocols, such as TCP/IP, communicate with the laptop NIC. NDIS limitations often cut performance in half. From a usability perspective, laptops are also less desirable as technicians hesitate to loan their laptops to others to conduct tests, and they may not want to leave their laptop somewhere to conduct long-term test and analysis.

For their part, PDAs lack onboard cardbus support, which is necessary in order to enable (802.11a/b/g) Wi-Fi channel scanning. As noted earlier, this is a critical capability required for doing a thorough job of troubleshooting the wireless environment.

Centralized Systems

Systems that support some RF management capabilities in a wiring closet or data center switch or controller are useful; however, they have visibility only into what the distributed infrastructure APs can “see” and are able to report back to the centralized system. If there is a dead zone, for example, due to a change in the physical environment, a centralized RF management system may not be able to discover it.

Similarly, a centralized system may be able to indicate the general location of a rogue AP, but to the technician dispatched to disable it, nearby APs visually look the same. Portable analyzers, on the other hand, serve as a complement to the centralized systems by providing audible and visual signal strength indicators that lead technicians directly to the rogue AP.

Finally, many enterprises today support legacy Wi-Fi infrastructures with traditional APs. They simply have not had the budget or justification to upgrade to centralized infrastructures or install proprietary Intrusion Detection Systems (IDS). In these environments, frequent audits with a portable wireless network analyzer offer an efficient management and maintenance solution.


As wireless LAN technology continues to proliferate, wireless LAN users will increasingly call upon help desk resources to report wireless network issues. Fortunately, technicians no longer need to carry several tools in order to test and troubleshoot their networks. Integrated wireless/wired portable analyzers can quickly isolate problems to the wireless or wired network, client device, or application, enabling technicians to accelerate problem resolution.

Wireless analyzers discover network-connected devices and provide information regarding their associated health, signal strength, and security configurations. They also have the ability to operate as a wireless client which helps technicians to immediately determine whether the issue is specific to the given user’s device. Portable, integrated network analyzers have performance advantages over laptops, multimode scanning advantages over handhelds, and cost and granularity advantages over centralized systems.
