WiFi in Schools

Blake Seufert
Beyond the Helpdesk
4 min read · Dec 6, 2017

What we’ve learned over the past 10 years.

Let’s unpack some key concepts to consider when delivering world-class WiFi in high-demand environments like schools. Our school has over 2100 students, each with a Chromebook (famously reliant on the Internet & WiFi), and 200 staff using a variety of Macs & PCs. We also support Chromecasts, phones, tablets and other random IoT devices on the WiFi.

On any given day we surpass 3000 concurrent WiFi devices on our network.

Less power, more wireless APs

Mixing higher and lower power APs in your environment can be a recipe for disaster. Sometimes you simply need extra power in larger spaces, but this can cause devices to roam to an AP that is hundreds of meters away because it appears to be the strongest signal. Keeping the APs lower power and placing more of them around the school (1 per classroom) has meant more predictable WiFi coverage.

Slim your channels

When dealing with strange WiFi dead spots, reducing our “channel widths” (sometimes called channelization or channel bonding) down to 40 or even 20Ghz means more space in the spectrum for extra connections but less overall bandwidth for your clients. For us, with a heavy internet workload, we only really need above 10Mbps to each client.

Fewer SSIDs = better

Whether your SSIDs are hidden or not, they will add to your overall noise. We try to limit our SSIDs to no more than 2 or 3. Every SSID you add, or that can be seen by nearby APs, means dividing your channels and therefore less performance. Operating with a single SSID is ideal, but not practical in most scenarios.

WiFi controllers are not smart

If you think that your controller is mapping out your APs, auto-adjusting busy APs and handing off clients — you’d be wrong. The nature of WiFi leaves much of the decision making up to the client, which means controllers really just connect APs and can suggest power and coverage settings. That’s about it!

Heat maps don’t tell the full story

Every WiFi audit can draw a lovely green map, but what happens when you have highly dense classrooms with 30 users sitting next to each other? That is a different story. A good test of your WiFi is to walk around at a busy time and check how much throughput you’re getting and how well you’re handed from AP to AP.

2.4Ghz vs 5Ghz

Turning off our 2.4 network has alleviated the majority of our connectivity complaints. Granted, some older devices can no longer connect to that SSID, but keeping 2.5 and 5 on separate SSIDs means devices aren’t hanging onto low-signal 2.4Ghz connections when 5Ghz is comfortably within range. This is a similar principle to the above point about installing more, less powerful APs for better WiFi consistency.

Authentication sucks

WiFi has been around for over 25 years, yet we still have no good way to log into it. Let’s break down each of the popular ways to do so at the moment:

  • WPA2-PSK
    Pros: Probably the most widely accepted standard and works on almost any device. Used mostly in small environments when sharing a single key is not problematic.
    Cons: Everyone using the same key means that if you need to change it after someone leaves the organisation, you’re forcing everyone off the WiFi. Not scalable.
  • RADIUS
    Pros: Certificate-based authentication means really strong security (if certificates are enforced). Can be linked to your Active Directory (AD) or other identity services.
    Cons: Most embedded devices don’t support certificates (e.g. Chromecast, IoT devices, Google Home, etc). The RADIUS handshake needs to happen every time you roam between APs, which can be slow and often drops devices off. If you change your password, all of your devices must be updated (sometimes the process can be too complex for users).
  • Captive Portal
    Pros: Easy to access and only requires 1 SSID for many different types of users.
    Cons: Signing in via a captive portal basically means using MAC address Access Control Lists. This means anyone can spoof your MAC address once you’re logged into the captive portal, and they’re on as you. This is why many hotel systems that use this force you to re-authenticate every hour or so to ensure you have the correct key, which is not a great experience for your users. This is terribly insecure and is open to abuse by the most rudimentary of hackers.
  • Dynamic Pre-Shared Keys — also known as: DPSK, Private Pre-Shared Keys or Unique Pre-Shared Keys
    Pros: Generating a unique WPA2-PSK key for each user’s device means almost every device will be compatible with your network, with no need to support certificates. You can integrate with Active Directory (AD) or other IdPs. You can easily remove certain users’ devices as people leave etc. Roaming is quick. Changing your password doesn’t affect connectivity as the PSK sticks with the device forever (or until you disable the associated user or key).
    Cons: Most vendors have limits on the number of keys you can generate (Ruckus supports up to 10000, other vendors fewer). Initial login is a number of steps: authenticate against AD, get your key & put it into the correct SSID. Once everyone has a unique key in their device, migrating to a new system can be problematic.
  • Open
    Pros: Of course, leaving your WiFi with no security at all means it’s super easy to access. This can be good where physical access is limited and the general public aren’t able to wander into your WiFi coverage.
    Cons: Your network is completely wide open to people intercepting your traffic and stealing private information. It also means anyone can join and easily get access to your infrastructure.
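
Because a captive portal authorises a MAC address rather than a device, one thing you can monitor for is an authorised MAC reappearing with a different hostname or DHCP parameter request list during a live session. The sketch below is an added example, not something from our network: the log schema, AP names, field names and the one-hour session lifetime are all assumptions, and every log line is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

SESSION_TTL = timedelta(hours=1)  # assumed portal re-authentication interval

# Constructed sample log (hypothetical schema): portal logins plus DHCP requests.
# dhcp_params is the client's DHCP option 55 parameter request list.
SAMPLE_LOG = """\
ts,event,mac,ap,hostname,dhcp_params
2017-12-06T09:00:05,portal_login,aa:bb:cc:00:00:01,ap-lib-1,cb-114,"1,3,6,15,119,252"
2017-12-06T09:00:09,portal_login,aa:bb:cc:00:00:02,ap-gym-2,cb-207,"1,3,6,15,119,252"
2017-12-06T09:20:41,dhcp_request,aa:bb:cc:00:00:02,ap-lib-1,cb-207,"1,3,6,15,119,252"
2017-12-06T09:31:17,dhcp_request,aa:bb:cc:00:00:01,ap-caf-4,laptop-x,"1,28,2,3,15,6,12"
2017-12-06T09:40:00,dhcp_request,aa:bb:cc:00:00:09,ap-caf-4,phone-q,"1,3,6,15,26,28"
2017-12-06T10:30:00,dhcp_request,aa:bb:cc:00:00:02,ap-gym-2,other-pc,"1,28,2,3,15,6,12"
"""


def find_mac_reuse(log_text, ttl=SESSION_TTL):
    """Return alerts for authorised MACs that reappear with a different identity."""
    sessions = {}  # mac -> (login time, (hostname, dhcp_params) seen at login)
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        mac = row["mac"].lower()
        ident = (row["hostname"], row["dhcp_params"])
        if row["event"] == "portal_login":
            sessions[mac] = (ts, ident)  # baseline for this session
            continue
        session = sessions.get(mac)
        if session is None or ts - session[0] > ttl:
            continue  # no live session: the portal still gates this MAC
        if ident != session[1]:
            # Same MAC, different device characteristics, inside a live session.
            alerts.append({"ts": row["ts"], "mac": mac, "ap": row["ap"],
                           "expected": session[1][0], "seen": ident[0]})
    return alerts


if __name__ == "__main__":
    for alert in find_mac_reuse(SAMPLE_LOG):
        print(alert)
```

A mismatch is a signal to investigate rather than proof, since a renamed or re-imaged device produces the same alert. A device that simply roams to another AP with the same identity is not flagged.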

Investigating WiFi issues requires rigour and discipline. It’s often hard to reproduce WiFi issues and you need to track them over a series of months.

What did I miss? Let me know on Twitter or reply below:

Blake Seufert
Beyond the Helpdesk

Love sharing great design & technology for better education. Founder of http://iNewsletter.co