Cisco's engineers clearly understand the issues surrounding the development of manageable WLAN security. They have implemented a system that is the best available. But it adds significant complexity to any WLAN deployment while locking you into a proprietary Cisco architecture. You'll have a secure network, as long as all the components say "Cisco" on the box. Aside from that caveat, the 350 series offers plenty to like, including support for power over Ethernet, more customizable control of radio output power, improved management capabilities, and new high-availability and load-balancing features. And Cisco deserves credit for supporting most of these new capabilities via firmware and software upgrades to the 340 series.
I installed prerelease versions of the 350 access point and PC Card in our Real-World Labs® at Syracuse University, in Syracuse, N.Y. It's a harsh environment for wireless (if you have a Sprint PCS phone, you might as well turn it off as you enter) and a good environment for verifying vendor claims of wireless range and reliability.
The first thing you'll notice about the access point is its lack of a power connector, which is welcome in light of the awkward external brick power supply used on the 340 series. Power is supplied over the unused pairs of a UTP Ethernet cable, and the unit conforms to the IEEE 802.3af in-line power draft standard. The power injector is about the size of a small notebook computer's power supply, and it supplies 48 volts. Typically the injector will be housed in a wiring closet, but it can be installed close to the access point if AC power is available.
In addition to the power injectors, Cisco supports in-line power as an option on its Catalyst 3524 10/100 switch, but this option increases the list price of that device from $2,995 to $3,995. That premium is worth it if you are deploying many access points and don't want to worry about installing them close to AC power. The in-line power system is compatible with Cisco's IP phones, but don't expect interoperability with other vendors' in-line power systems. Cisco also advised us to be careful when mixing 340 and 350 access points since the injector can damage a 340 access point.
More Power
While transmission range has as much to do with radio receive sensitivity and immunity to multipath interference as it does with output power, the transmission range of the 350 series was at least 25 percent greater than that of the 340 series.
The higher radio power may come in handy, especially in factory and warehouse applications. However, experienced WLAN designers know that greater range is not always better, particularly where user density is high. In these cases, you often want to keep cell size down to reduce contention and improve performance. To address this, Cisco provides the option of reducing transmit power on the access point and NICs to as little as 1 milliwatt. When I did so, my WLAN cell was restricted to the lab.
Security is Key
Because of poor design and limitations in security features, many organizations with wireless LANs have, without knowing it, essentially installed Ethernet ports in their parking lots. The use of unique SSIDs (Service Set IDs) on each wireless segment has never been an effective security scheme, and using MAC (Media Access Control)-based address restrictions is managerially complex and easy to overcome since many wireless NICs let you specify a MAC address. Security-conscious sites have implemented WEP-based encryption, but until now, WEP key management has been a manual process. If a key was compromised, changing it on clients was an onerous task. Some sites have decided not to employ WEP, but with the impending release of 802.11 packet sniffers, that's very risky.
Cisco's solution to this problem is a sophisticated security architecture that addresses a range of vulnerabilities. It is built on a mutual authentication mechanism that requires clients and access points to authenticate themselves to each other, and it also manages WEP keys dynamically. Based on a version of the EAP (Extensible Authentication Protocol, RFC 2284) and the IEEE's 802.1x security framework, it is solid, but complex and restrictive.
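To make the mutual-authentication and dynamic-key flow concrete, here is an added example, not code from the article and not Cisco's implementation: a small Python simulation of an 802.1X-style EAP exchange driven from both ends in one function. The packet framing follows RFC 2284 (Code, Identifier, Length, Type); the challenge-response method inside it, the type number 250, the proof labels, the key-derivation rule and the user table are constructed for illustration and are not a registered EAP method or Cisco's. It shows the two properties the paragraph names: each side proves knowledge of the shared credential before any key is issued, and a fresh per-session WEP key is derived from both sides' nonces, so no key is ever entered on a client by hand.

```python
"""Simulated 802.1X/EAP mutual authentication with per-session WEP key delivery.
Added illustration, not the article's or Cisco's code.  Packet framing follows
RFC 2284; the challenge-response method, TYPE_MUTUAL, the proof labels and the
key derivation are constructed for this example."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 2284 codes
TYPE_IDENTITY = 1       # RFC 2284 type
TYPE_MUTUAL = 250       # constructed type number for the toy method (not IANA-assigned)
WEP_KEY_LEN = 13        # 104-bit WEP key


def encode_eap(code, ident, eap_type=None, data=b""):
    """Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode_eap(pkt):
    """Return (code, identifier, type_or_None, type_data), rejecting a bad Length field."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def proof(secret, label, challenge):
    """Keyed answer to a challenge; the label keeps client and server proofs distinct."""
    return hmac.new(secret, label + challenge, hashlib.sha256).digest()


def derive_wep_key(secret, c_server, c_client):
    """Fresh per-session key bound to both nonces, so nothing is typed into clients."""
    return hmac.new(secret, b"wep" + c_server + c_client, hashlib.sha256).digest()[:WEP_KEY_LEN]


def run_exchange(user, client_secret, server_db, rogue_server=False):
    """Drive both ends of the exchange in one loop.

    server_db maps user name -> shared secret held by the authentication server.
    rogue_server=True models an access point that does not hold the real secret
    and accepts any client proof; only the client's own check of the server
    proof catches it.  Returns (outcome, client_key, server_key)."""
    # 1. Request/Identity -> Response/Identity
    req = encode_eap(EAP_REQUEST, 1, TYPE_IDENTITY)
    _, ident, _, _ = decode_eap(req)
    resp = encode_eap(EAP_RESPONSE, ident, TYPE_IDENTITY, user.encode())
    _, _, _, name = decode_eap(resp)
    # unknown user: a throwaway random secret makes the proof check below fail
    server_secret = server_db.get(name.decode(), os.urandom(16))
    # 2. Server challenge
    c_server = os.urandom(16)
    req = encode_eap(EAP_REQUEST, 2, TYPE_MUTUAL, c_server)
    _, ident, _, chal = decode_eap(req)
    # 3. Client answers with its own challenge plus its proof
    c_client = os.urandom(16)
    resp = encode_eap(EAP_RESPONSE, ident, TYPE_MUTUAL,
                      c_client + proof(client_secret, b"client", chal))
    _, _, _, data = decode_eap(resp)
    peer_chal, client_proof = data[:16], data[16:]
    if not rogue_server and not hmac.compare_digest(
            client_proof, proof(server_secret, b"client", c_server)):
        return "server rejected client", None, None      # server would send EAP Failure
    # 4. Server must now prove itself; the client refuses a key otherwise
    req = encode_eap(EAP_REQUEST, 3, TYPE_MUTUAL, proof(server_secret, b"server", peer_chal))
    _, _, _, server_proof = decode_eap(req)
    if not hmac.compare_digest(server_proof, proof(client_secret, b"server", c_client)):
        return "client rejected server", None, None      # client drops the association
    # 5. EAP Success, then both sides derive the same session key independently
    assert decode_eap(encode_eap(EAP_SUCCESS, 3))[0] == EAP_SUCCESS
    return ("success",
            derive_wep_key(client_secret, c_server, c_client),
            derive_wep_key(server_secret, c_server, c_client))


if __name__ == "__main__":
    db = {"wlan-user": b"constructed-shared-secret"}   # constructed user table
    print(run_exchange("wlan-user", b"constructed-shared-secret", db)[0])
    print(run_exchange("wlan-user", b"wrong-secret", db)[0])
    print(run_exchange("wlan-user", b"constructed-shared-secret", {}, rogue_server=True)[0])
```

A one-way scheme would stop after step 3 and hand out a key to anyone the access point chose to accept; the client-side check in step 4 is what the article's "bidirectional" requirement buys, and the nonces in step 5 are why every association gets a different WEP key without an administrator touching the client.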
To implement the new security framework, you need to install new drivers on all clients. Cisco deserves kudos for providing drivers not only for Windows but also for Apple Computer's Mac OS and Linux. I installed the drivers and utilities on notebooks running Windows 98 and 2000 without problems. Basic parameters are set through the native OS driver. For more sophisticated functions, including enhanced security, I used the Aironet Client Utility.
On the back end, the security framework is controlled by version 2.6 of Cisco Secure Access Control Server for Windows NT/2000, also called ACS2000. The system uses RADIUS (Remote Authentication Dial-In User Service) to authenticate wireless devices and manage WEP keys. User accounts can be managed directly on ACS2000, or the system can authenticate to a Windows 2000 Active Directory (AD) or NT domain database. My initial attempts to install the system in a production AD environment were unsuccessful. I did install it on a standalone Windows 2000 server. Cisco says a few outstanding installation problems should be resolved by the ship date.
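The ACS2000 side of that arrangement speaks RADIUS (RFC 2865). As an added example, not from the article and not Cisco's product code, the Python below builds an Access-Request the way an access point acting as RADIUS client would, hides the User-Password with the RFC 2865 method, answers the request from a constructed user table standing in for the server, and then verifies the Response Authenticator on the reply. That last check is what lets the access point act on an Access-Accept only when it came from a server holding the shared secret. The user names, passwords, shared secrets and the fixed 16-byte authenticator used in the demo are constructed; the product's WEP-key attributes are not modelled.

```python
"""RADIUS (RFC 2865) request, reply and reply verification as an access point
would exchange them with an authentication server.  Added illustration, not
the article's or Cisco ACS code; the server side is a constructed user table."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types


def attr(atype, value):
    """Type(1) | Length(1) | Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data):
    """Walk the attribute list; reject lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password (the chain runs over the hidden blocks)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, request_auth=None):
    """Access-Request: Code | ID | Length | 16-byte random Request Authenticator | attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + \
        attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle(request, secret, user_db):
    """Constructed authentication server: compare the revealed password with user_db."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    if length != len(request):
        raise ValueError("bad RADIUS length")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, b"", secret)


def verify_response(resp, request_auth, secret):
    """The access point's check before acting on a reply: recompute the authenticator."""
    _, _, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


if __name__ == "__main__":
    secret = b"constructed-ap-secret"                    # shared between AP and server
    users = {b"wlan-user": b"constructed-password"}      # constructed user table
    req = build_access_request(1, b"wlan-user", b"constructed-password", secret)
    reply = server_handle(req, secret, users)
    print("accept" if reply[0] == ACCESS_ACCEPT else "reject",
          "verified" if verify_response(reply, req[4:20], secret) else "unverified")
```

The shared secret does double duty here: it hides the password in transit and it keys the authenticator, so an Access-Accept from a host that does not know it fails `verify_response` and the client is not admitted.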
Cisco worked closely with Microsoft to develop this system, and it shows. The client authentication is integrated into the Windows login process. The system worked well during my limited testing, but I was unable to assess its scalability. Cisco claims the system can scale to more than 250,000 users per server. That might be true, as long as 99 percent of them are inactive users!
Although the improvements in the 350 series are significant, network managers will need to think long and hard before deploying the security system. While it is clearly the most robust system available, it is also complex and proprietary. Yes, complexity is often the cost of achieving robust security, but most organizations will be better served by living with current system limitations while waiting for the enhanced security framework now being hammered out by IEEE. The good news is that even if you never use the new security system, the 350 series provides significant improvements over its predecessors.
Since I was working with prerelease units that weren't optimized for performance, I didn't do rigorous throughput testing. However, pushing a few large files out to an FTP server revealed throughput in excess of 5 Mbps. Based on testing of previous Aironet products, we'd expect to see better numbers in the released version of the product.
Send your comments on this article to Dave Molta at dmolta@nwc.com.