Header Only - DO NOT REMOVE - Extreme Networks

Does higher WLAN security / encryption slow down that same WLAN traffic?


Userlevel 1
We're using Extreme AP7532's with a VX9000 controller in a great big 800,000 sq ft warehouse setting. This building has various types of conveyors, racking filled with boxes & product and we're using a voice controlled pick & pack system.

The vendor of this voice system is complaining that their system is running slow and having delays receiving data from the server because we're using WPA2-Enterprise security. They've recommended that we downgrade it to WPA2-personal, saying that higher security slows down a network.

I've tried researching and google searching this, but all I find is articles relating to home wifi and which is the best wifi security to use. Nothing ever mentions anything about 'higher security slows down wifi traffic'.

Has anyone heard of such a thing?

Thanks!

7 replies

Userlevel 4
The speed of WPA 2 PSK and 802.1x is the same.

For the encryption we need a MSK. For PSK this is the PSK converted to a 64 HEX value. For 802.11x the MSK is delivered from the AAA, also 64 HEX value.

From the encryption view, AES need more power than TKIP. But if you compare PSK and 802.11x, no different.

Only the initial connection needs more time, because you need to authenticate again the AAA. After this you have 802.11r (Fast Transition) that supports very fast roaming.

For a easy test, you can check the performance at one AP. If you don't roam and it won't work, it's not a problems from WPA2 802.1x.
Userlevel 6
Timo wrote:

The speed of WPA 2 PSK and 802.1x is the same.

For the encryption we need a MSK. For PSK this is the PSK converted to a 64 HEX value. For 802.11x the MSK is delivered from the AAA, also 64 HEX value.

From the encryption view, AES need more power than TKIP. But if you compare PSK and 802.11x, no different.

Only the initial connection needs more time, because you need to authenticate again the AAA. After this you have 802.11r (Fast Transition) that supports very fast roaming.

For a easy test, you can check the performance at one AP. If you don't roam and it won't work, it's not a problems from WPA2 802.1x.

Hi Jacob,

As Timo already mentioned - encrypted traffic has no significant difference.

However, we are most probably talking about hand-off which might be an issue for device not supporting 802.11r. While using 802.1x / EAP you may end up with up to 700 ms and certain VoWiFi defices require less than 150 ms - case of WPA/2-PSK



Taken from CWSP-204 study book - "Roaming and Dynamic keys"

Regards,
Ondrej
Userlevel 5
Timo wrote:

The speed of WPA 2 PSK and 802.1x is the same.

For the encryption we need a MSK. For PSK this is the PSK converted to a 64 HEX value. For 802.11x the MSK is delivered from the AAA, also 64 HEX value.

From the encryption view, AES need more power than TKIP. But if you compare PSK and 802.11x, no different.

Only the initial connection needs more time, because you need to authenticate again the AAA. After this you have 802.11r (Fast Transition) that supports very fast roaming.

For a easy test, you can check the performance at one AP. If you don't roam and it won't work, it's not a problems from WPA2 802.1x.

Hi Jacob, also agree it .
Even, there is no significant traffic between non-encrypted and encrypted traffic.


http://www.aterm.jp/product/atermstation/technical/2008/tech0728.html
Userlevel 1
which voice picking solution are you using ?
Userlevel 1
We're using Lucas.
Userlevel 2
Hi Jacob,
I advice to take a look at drops on aps, signal quality.
Ensure that has enabled on wlan profile:
wpa-wpa2 opp-pmk-caching
wpa-wpa2 pmk-caching
and you have virtual controller or controller.

And you can take a test how many time take a radius authentication procedure.

time-it service radius test 192.168.22.22 secret username password

This amount of time spended only on a first connectiion.

Regards

Aviv
Userlevel 1
Hi, what you could do as a test is create an ACL for the VP units or one at least, then create a test wifi using wpa-tkip, map the test network to your APs then test, I know a few years ago the vocollect units did not handle wpa very well, so we had to use wep-128 and an ACL, ( at the time they used symbol wifi cards so we could enable keyguard as well. Like I say it was along time ago. Do Lucas give any recommendations for the wlan settings or even the VP units themselves i.e firmware updates etc, How is the wlan setup ? are you using smart RF ? I recall a job where we supplied the PDT / MDT units, And the performance was terrible, It was another supplier that installed the wifi kit, which was cisco wlan controller, The site was huge and the AP's were all mounted high above the racking. The site was sporting goods. the wlan controller was using the cisco smartRF , as the AP's had clear site of each other they were backing the power off, they were also over 15m in the air with standard rubber duck antenna., anyway it was suggested that the smart RF was turned off and the power adjusted manually,( site survey ) and eventually we sorted it,

Reply