Alternatives to Sites configuration

  • Updated 4 years ago
Hello, gentlemen!

We are trying to compete on a big wireless project here in Brazil (against Aruba and Cisco), where the customer needs local resilience on more than 350 different remote locations.

"Sites" wouldn't be an option since he doesn't want to provide 350 RADIUS servers, and also only B@AP with WEP, WPA and WPA2 seems to be too humble since he wants a voice solution running on the locations with full availability.

What would you recommend?  

Any suggestions are very welcome.

Thank you !

Leandro - EXT Brazil



Cibulka, Leandro, Alum


Posted 4 years ago


Ronald Dvorak, Embassador

I think the design of the wireless network will result from the answer to the following 2 questions...

1) Where is the PBX? Is there one in every remote location or a big one in the HQ?
2) What encryption/authentication should the VoWLAN phones use?

Cibulka, Leandro, Alum

1- Yes, one on every remote location.

2 - They will probably use AES with MAC authentication or 802.1x (not decided yet)

Ronald Dvorak, Embassador

In that case bridge@AP would be the best topology for such a scenario, as the traffic will stay local in the remote site and isn't transported back to the controller.

Still the problem with central authentication for i.e. 802.1X persists and there is not much you'd do about it if you don't plan to have one RADIUS/AD in every remote location.
But I also don't see how the other competitors could solve it as the C. controller works about the same as the Extreme with the site feature.

So either the customer likes to have central authentication and it's OK that the clients can't connect during a WAN outage, or he'd need to use PSK encryption without central authentication.


Cibulka, Leandro, Alum

Yeah, the problem is C. has something called Flexconnect where they can reply Radius/AD or part of it straight to the APs.

Ronald Dvorak, Embassador

I've just read thru the "Enterprise Mobility 7.3 Design Guide" of C and as far as I understand flexconnect supports only local auth on the AP for LEAP (which is unsecure/broken) and EAP-FAST with a max of 100 users in the local database.

For 802.1X they also need an external RADIUS/ACS in the remote location.

So I don't see a major advantage as no one will use LEAP in 2014 and I don't think that there are a lot of network admins out there that even know what EAP-FAST is and how it works :-)

Cibulka, Leandro, Alum

Thank you very much Ron, it will help if we have a chance to explain the technologies. Cheers!

Cibulka, Leandro, Alum

How many "sites" can we configure at the WC?

Ronald Dvorak, Embassador

here the matrix....