WiFi enterprise management solutions

The previous article concluded that the main pain point of enterprise WiFi is that it is hard to manage. This article describes a design that sets out to solve that problem.

2. Network design: an enterprise WiFi management solution

The design follows the wireless network requirements of company xxx and the technical characteristics of the wireless system and products. The design is as follows:

2.2 Wireless networking
Based on the user's wireless requirements and the products' technical characteristics, the goal is a high-speed wireless access network that is stable, secure, reliable and easy to manage. The design uses an AP + AC architecture (thin access points centrally managed by a wireless access controller). The network topology is shown below (editable):

2.3 Channel plan
Taking the 2.4 GHz band as an example: channel centres are 5 MHz apart and each channel is 20-22 MHz wide, so two channels used by overlapping cells must be at least 25 MHz apart (five channel numbers) to avoid interfering with each other. That leaves at most three non-overlapping channels in any one coverage area, normally channels 1, 6 and 11. The WLAN frequency plan must also take the building structure, propagation loss and the cabling system into account.

The channel plan is as follows:

In the figure, the orange, blue and ××× circles mark the coverage of channels 1, 6 and 11 respectively; the centre of each circle is the planned AP location.
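The 25 MHz rule can be checked mechanically rather than by eye. The following Python is an added example (not from the article or the vendor): it encodes the 2.4 GHz centre frequencies, flags neighbouring APs whose channels are closer than 25 MHz, and produces a 1/6/11 assignment by greedy colouring of the AP overlap graph. The AP names and the list of which cells overlap are constructed for illustration.

```python
"""2.4 GHz channel-plan checker: flags neighbouring APs whose channels overlap
and produces a 1/6/11 assignment by greedy graph colouring (added example)."""
from typing import Dict, FrozenSet, List, Set, Tuple

MIN_SEPARATION_MHZ = 25          # centres closer than this overlap (the article's rule)
NON_OVERLAPPING = (1, 6, 11)     # the usual three-channel reuse set


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel: 2407 + 5*n MHz for 1..13, 2484 for 14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels are too close to be used by overlapping cells."""
    return abs(center_mhz(a) - center_mhz(b)) < MIN_SEPARATION_MHZ


def find_conflicts(plan: Dict[str, int],
                   neighbours: Set[FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Neighbour pairs (APs whose coverage areas overlap) that sit on overlapping channels."""
    conflicts = []
    for pair in neighbours:
        a, b = sorted(pair)
        if channels_overlap(plan[a], plan[b]):
            conflicts.append((a, b))
    return sorted(conflicts)


def assign_channels(aps: List[str], neighbours: Set[FrozenSet[str]],
                    channels: Tuple[int, ...] = NON_OVERLAPPING):
    """Greedy colouring, highest-degree AP first: each AP takes the first channel
    no already-assigned neighbour uses. Returns (plan, unassignable); a non-empty
    second element means three channels are not enough for this layout, so AP
    placement or transmit power (cell size) has to change."""
    adj = {ap: set() for ap in aps}
    for pair in neighbours:
        a, b = tuple(pair)
        adj[a].add(b)
        adj[b].add(a)
    plan, unassignable = {}, []
    for ap in sorted(aps, key=lambda x: (-len(adj[x]), x)):
        used = {plan[n] for n in adj[ap] if n in plan}
        free = [c for c in channels if c not in used]
        if free:
            plan[ap] = free[0]
        else:
            unassignable.append(ap)
    return plan, unassignable


# Constructed sample layout (not from the article): four APs along a corridor;
# AP1 also overlaps AP3 across an atrium.
APS = ["AP1", "AP2", "AP3", "AP4"]
NEIGHBOURS = {frozenset(p) for p in
              [("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4"), ("AP1", "AP3")]}

if __name__ == "__main__":
    bad_plan = {"AP1": 1, "AP2": 3, "AP3": 6, "AP4": 11}
    print("conflicts in hand-made plan:", find_conflicts(bad_plan, NEIGHBOURS))
    plan, left = assign_channels(APS, NEIGHBOURS)
    print("generated plan:", plan, "unassignable:", left)
```

A non-empty `unassignable` list is the useful output: it tells the designer that the 2.4 GHz band alone cannot serve that cluster of cells without co-channel interference, which is the point at which power reduction or moving clients to 5 GHz (section 2.6.6) becomes necessary.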

2.4 Enterprise wireless secure access design
Several layers of security can be built in front of the wireless system. The security design is as follows:

2.4.1 A richer and more efficient enterprise authentication mechanism
With 802.1X, a user must authenticate before being granted access. Users present either a certificate or a username and password as credentials, and only authenticated users reach the network. It is well known in the industry that 802.1X client configuration is complex and adds a lot of work for both users and IT administrators. The solution therefore provides an automatic configuration tool for enterprise authentication: the user downloads the tool, clicks once, and is connected to the corporate network.

The tool can be packaged together with the certificates it installs, and the administrator can distribute it by e-mail or as a download, which is simple and fast.

Authentication can be delegated to the company's existing user directory. The administrator only needs to enter the connection details on the configuration page, and users are then verified against the company's database, such as LDAP, an AD domain or a RADIUS server.

A local user database on the controller is also supported, so that authentication can terminate on the controller itself for small and medium enterprises that have no internal authentication server.
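To make the RADIUS hand-off concrete, here is an added example (not the vendor's code) of the Access-Request datagram a controller acting as NAS sends to the authentication server, with the RFC 2865 User-Password hiding and a strict parser for the reply path. The shared secret, username, NAS address and the fixed Request Authenticator used in the usage call are made-up values.

```python
"""Minimal RADIUS Access-Request (RFC 2865) with User-Password hiding and a parser,
showing what a wireless controller sends to the authentication server (added example)."""
import hashlib
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous ciphertext block); the first block is keyed with the
    16-byte Request Authenticator. A chain of MD5 outputs, not a modern cipher."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block          # next block's key depends on this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it. Trailing NULs are
    padding and are stripped, so passwords ending in NUL cannot be carried."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _tlv(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Build the datagram the NAS (here the wireless controller) sends. Returns
    (packet, request_authenticator); the authenticator is kept to verify the
    server's Access-Accept/Reject Response Authenticator later."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_tlv(ATTR_USER_NAME, username.encode())
             + _tlv(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _tlv(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, List[bytes]]]:
    """Return (code, identifier, authenticator, {attr_type: [values]}), refusing
    length fields that do not match the datagram instead of trusting them."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length > 4096:
        raise ValueError("length field does not match datagram")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, ident, authenticator, attrs


if __name__ == "__main__":
    pkt, auth = build_access_request(7, "alice", "correct horse", b"s3cret-shared", "192.0.2.10")
    print(len(pkt), "bytes;", parse_packet(pkt)[3][ATTR_USER_NAME])
```

The point a practitioner should take from this: the password is protected only by MD5 and the shared secret, and a plain Access-Request carries no per-packet integrity unless a Message-Authenticator attribute is added. The controller-to-RADIUS path should therefore sit on a dedicated management network or be carried over RadSec (RADIUS over TLS, RFC 6614) rather than be treated as encrypted by itself.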

2.4.2 Flexible account-to-terminal binding to eliminate unauthorised access
When a user first authenticates on the wireless network, the username can be bound automatically to that terminal, so the company completes identity binding quickly. If a user has several devices, the administrator can approve additional terminal bindings manually. Access rights can then be assigned along the company's organisational structure, so that unauthorised access does not arise.

2.4.3 Limiting the number of terminals per account
The number of terminals an account may have online at the same time can be limited, protecting the company's network resources. When an account exceeds the limit, one of two actions is taken:

Forcibly disconnect the terminal that connected earliest.

Refuse access to the new terminal.

Accounts that legitimately need to be shared, such as a public account, can be configured as exceptions to the limit.

2.4.4 Diverse access control
Access control based on terminal type and attributes. Whether phones, iPads or laptops may join the wireless network is the administrator's decision. Terminal type is identified without installing any client software. At authentication time, policy can allow only mobile terminals and refuse laptops, or allow only iOS terminals and refuse Android, so that terminal types the administrator considers unsafe are kept off the network.

Access control based on access location. Different access control policies can be configured for different access points, so that wireless users connecting through access points in different parts of the company receive different services. This is both safe and effective.

Access control based on user attributes. The controller integrates with the company's internal authentication server and supports access control on user attributes such as user group (security group, organisational unit) and username. The controller's own local user database supports the same attribute-based access control.

These conditions can be combined flexibly to meet different customers' access control requirements: terminal type, access location and user attributes can be used together as one set of access conditions. For example, only terminals of a specified type connecting at a specified location may be allowed onto the Internet, as follows:
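The combination of conditions described in 2.4.4 and the per-account terminal limit of 2.4.3 can be expressed as one small decision routine. The following Python is an added example with constructed rules and users, not the vendor's policy engine: ordered rules match on user group, terminal type and AP location (first match wins, no match means deny), and admitted users then pass through a session limiter that either kicks the oldest terminal or refuses the new one, with exempt shared accounts.

```python
"""Combined wireless access decision (added example): ordered attribute rules,
then a per-account concurrent-terminal limit with exempt accounts."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class AccessRequest:
    username: str
    groups: FrozenSet[str]   # directory attributes, e.g. "OU=R&D", "SG=Staff"
    device_type: str         # from fingerprinting: "ios", "android", "windows", ...
    ap_group: str            # location: the AP group the client associated through
    mac: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    groups: FrozenSet[str] = frozenset()         # empty = matches any value
    device_types: FrozenSet[str] = frozenset()
    ap_groups: FrozenSet[str] = frozenset()

    def matches(self, req: AccessRequest) -> bool:
        return ((not self.groups or bool(self.groups & req.groups))
                and (not self.device_types or req.device_type in self.device_types)
                and (not self.ap_groups or req.ap_group in self.ap_groups))


def evaluate_rules(rules: Sequence[Rule], req: AccessRequest) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "implicit-deny"


class SessionLimiter:
    """Caps how many terminals one account may have online at once (section 2.4.3)."""

    def __init__(self, limit: int, mode: str, exempt: Sequence[str] = ()):
        if mode not in ("kick_oldest", "deny_new"):
            raise ValueError(mode)
        self.limit, self.mode, self.exempt = limit, mode, frozenset(exempt)
        self.sessions: Dict[str, List[str]] = {}   # username -> MACs, oldest first

    def admit(self, username: str, mac: str) -> Tuple[bool, Optional[str]]:
        """Return (admitted, kicked_mac)."""
        macs = self.sessions.setdefault(username, [])
        if mac in macs:                            # reassociation of a known terminal
            return True, None
        if username in self.exempt or len(macs) < self.limit:
            macs.append(mac)
            return True, None
        if self.mode == "kick_oldest":
            kicked = macs.pop(0)
            macs.append(mac)
            return True, kicked
        return False, None


def decide(rules: Sequence[Rule], limiter: SessionLimiter, req: AccessRequest) -> Dict[str, object]:
    action, rule = evaluate_rules(rules, req)
    if action != "allow":
        return {"admitted": False, "reason": rule, "kicked": None}
    admitted, kicked = limiter.admit(req.username, req.mac)
    return {"admitted": admitted, "reason": rule if admitted else "session-limit", "kicked": kicked}


# Constructed policy: no Android anywhere, R&D only on its own floor, all staff on
# office floors, guests only in the lobby. Order matters: deny rules come first.
RULES = [
    Rule("no-android", "deny", device_types=frozenset({"android"})),
    Rule("rd-on-rd-floor", "allow", groups=frozenset({"OU=R&D"}), ap_groups=frozenset({"HQ-Floor3"})),
    Rule("staff-office-floors", "allow", groups=frozenset({"SG=Staff"}),
         ap_groups=frozenset({"HQ-Floor2", "HQ-Floor3"})),
    Rule("guests-lobby-only", "allow", groups=frozenset({"SG=Guests"}), ap_groups=frozenset({"Lobby"})),
]

if __name__ == "__main__":
    limiter = SessionLimiter(limit=2, mode="kick_oldest", exempt=["meeting-room"])
    alice = AccessRequest("alice", frozenset({"OU=R&D", "SG=Staff"}), "ios", "HQ-Floor3", "aa:01")
    print(decide(RULES, limiter, alice))
```

Keeping the deny rules ahead of the allow rules and ending in an implicit deny is what turns "you have the final say" into an enforceable default: a terminal type or location that nobody thought about is refused rather than admitted.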

2.5 Enterprise wireless secure office design
2.5.1 Fine-grained multi-role authorisation
Once a user has been admitted to the network, the controller gives the administrator full control over that user's rights. Policies can be set by user attribute, terminal type, access area and time period, with a rich set of access control options, giving enterprise-firewall-class access control at a finer granularity.

2.5.2 VLAN isolation
By placing terminals in separate VLANs, the limited bandwidth and AP resources are protected from being consumed by large file transfers between terminals, and terminals are prevented from communicating directly with one another, which blocks file theft between terminals and the spread of malware. This maximises office security and improves office efficiency.

2.5.3 Control of services and applications inside the network
Beyond traditional port-based firewall policies, the controller has a built-in URL database and application recognition library, so administrators can identify specific URLs and applications and write flexible network access policies, refining application control.

Industry firewall control is mostly applied at the egress gateway: it can restrict internal users' access to external resources, but it cannot control services and applications between internal users. The solution closes this gap with an application- and service-based control scheme inside the network. Business networks and internal applications are complex: as shown below, the internal wired and wireless networks need to reach each other, access internal resources, exchange data with mobile devices, reach the Internet, and synchronise with the data centre. In such an environment a traditional firewall controls only access to public network resources at the egress gateway and neglects the more complex internal environment.

The solution integrates wired and wireless access and was the first in the industry to introduce the concept of the "user" into access control. Its policies combine the application recognition library with the user concept, controlling both traffic between internal users and access to public network resources, for wired and wireless users alike, to give the company a clean network environment. Policy configuration is also more human-oriented: instead of configuring IP addresses in the conventional way, the administrator selects an application, the initiating user, the receiving user, a schedule and an action (allow or deny), and the access control is in place.

For example: employees may reach only the company's internal business systems during working hours and may not visit public video sites; R&D staff may not access the CRM system used by marketing, may not send e-mail to marketing staff, and may not transfer files to them; visitors may access only fixed sites, may not reach internal R&D or marketing resources, and may not post to microblogs; work-related instant messaging and download tools are permitted, but download speeds are limited.

2.5.4 Network-layer protection
DHCP protection. Only responses from trusted DHCP servers are forwarded, which blocks rogue DHCP servers and terminals holding illegitimately assigned addresses. Users are also prevented from configuring static IP addresses on their own, protecting the network from the large-scale IP address conflicts that can paralyse clients.

DDoS protection. The maximum number of concurrent connections, the new-connection rate and the packet rate can each be limited. When a limit is exceeded, the source is automatically added to a dynamic blacklist and frozen, avoiding network attacks.
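The DHCP protection described above is the classic DHCP snooping plus IP source guard pair. The following Python is an added example over a constructed event stream (not captured traffic and not the vendor's implementation): server replies are accepted only from trusted ports and known servers, a MAC-to-IP binding table is learned from ACKs, and client traffic whose source address does not match its lease is dropped. Port names, MAC and IP addresses are all invented.

```python
"""DHCP snooping and IP source guard over a constructed event stream (added example)."""
from dataclasses import dataclass
from typing import Dict, List

TRUSTED_PORTS = {"uplink0"}          # only ports leading to the legitimate DHCP server
TRUSTED_SERVERS = {"10.0.0.2"}


@dataclass(frozen=True)
class Event:
    port: str         # ingress port or SSID
    msg: str          # DISCOVER, OFFER, REQUEST, ACK, or DATA for ordinary IP traffic
    src_mac: str
    src_ip: str
    chaddr: str = ""  # client hardware address inside a DHCP server reply
    yiaddr: str = ""  # address assigned in OFFER/ACK


class DhcpSnooper:
    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}   # client MAC -> leased IP
        self.log: List[str] = []

    def handle(self, ev: Event) -> str:
        """Decide 'forward' or 'drop' for one event and record why."""
        trusted = ev.port in TRUSTED_PORTS
        if ev.msg in ("OFFER", "ACK"):
            if not trusted or ev.src_ip not in TRUSTED_SERVERS:
                self.log.append(f"rogue DHCP server {ev.src_ip} on {ev.port}: dropped {ev.msg}")
                return "drop"
            if ev.msg == "ACK" and ev.chaddr and ev.yiaddr:
                self.bindings[ev.chaddr] = ev.yiaddr    # learn the lease
            return "forward"
        if ev.msg in ("DISCOVER", "REQUEST"):
            return "forward"                 # client requests may come from any port
        if ev.msg == "DATA":
            if trusted or self.bindings.get(ev.src_mac) == ev.src_ip:
                return "forward"
            self.log.append(f"{ev.src_mac} uses {ev.src_ip} without a lease on {ev.port}: dropped")
            return "drop"
        return "drop"                        # unknown message type: fail closed

    def run(self, events: List[Event]) -> List[str]:
        return [self.handle(e) for e in events]


# Constructed sample: one honest client, one rogue server, one address spoofer,
# one client with a self-assigned static address.
EVENTS = [
    Event("wlan-office", "DISCOVER", "aa:aa:aa:00:00:01", "0.0.0.0"),
    Event("wlan-office", "OFFER", "ee:ee:ee:00:00:99", "10.0.1.99",
          chaddr="aa:aa:aa:00:00:01", yiaddr="10.0.1.200"),
    Event("uplink0", "OFFER", "00:50:56:00:00:02", "10.0.0.2",
          chaddr="aa:aa:aa:00:00:01", yiaddr="10.0.1.50"),
    Event("wlan-office", "REQUEST", "aa:aa:aa:00:00:01", "0.0.0.0"),
    Event("uplink0", "ACK", "00:50:56:00:00:02", "10.0.0.2",
          chaddr="aa:aa:aa:00:00:01", yiaddr="10.0.1.50"),
    Event("wlan-office", "DATA", "aa:aa:aa:00:00:01", "10.0.1.50"),
    Event("wlan-office", "DATA", "aa:aa:aa:00:00:02", "10.0.1.50"),   # spoofs the leased address
    Event("wlan-office", "DATA", "aa:aa:aa:00:00:03", "10.0.1.7"),    # static address, no lease
]

if __name__ == "__main__":
    snooper = DhcpSnooper()
    for ev, verdict in zip(EVENTS, snooper.run(EVENTS)):
        print(f"{verdict:7} {ev.msg:8} {ev.src_mac} {ev.src_ip} on {ev.port}")
    print(*snooper.log, sep="\n")
```

The binding table is the key state: without it the "no private static IP" rule in the text cannot be enforced, because there is nothing to compare a client's source address against.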

2.6 Enterprise wireless fast Internet design
2.6.1 End-to-end protocol acceleration
As the number of users grows and interference increases, Internet access slows down and the application experience degrades. With the vendor's application-layer protocol acceleration the client needs no additional components; acceleration is simply enabled per application on the wireless controller. By improving the algorithms of the wireless transmission protocol, the vendor states that wireless throughput can be raised by a factor of 1.5 to 4, addressing the low throughput, packet loss and latency caused by interference on enterprise wireless networks.

2.6.2 Anti-drag: keeping fast terminals fast
On a traditional wireless network a slow, low-rate terminal drags down the rate of the high-speed terminals, slowing responses and lowering overall performance, which seriously affects the access experience of terminal applications.

The vendor's patented "anti terminal drag" improvement at the radio layer shares airtime evenly among users with a time-based scheduling algorithm, so that a single slow terminal cannot lower the overall rate.

2.6.3 Application-based RF bandwidth management
Wireless bandwidth is allocated dynamically. When an access point's bandwidth is insufficient, it is reallocated between wireless networks according to configured weights, guaranteeing each network its share; when bandwidth is sufficient, the weights impose no limit. For example, a large office network can be given a weight that guarantees normal office applications, while a non-critical network such as the guest network gets a lower weight so that it cannot affect the other wireless networks.

Within each wireless network, bandwidth can be further divided by application channel. The administrator configures the weight relationship between channels; when bandwidth is insufficient it is allocated between channels according to that relationship, and when there is enough the relationship does not apply. For example, in the office network P2P applications can be given a small weight, the OA office system the largest weight, and general Internet applications a weight in between.
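The two-level weighted sharing just described (first between wireless networks, then between application channels inside each) is a standard progressive-filling allocation. The following Python is an added example, not the vendor's scheduler: when total demand fits, every class gets what it asks for and the weights do nothing; when it does not, the capacity is split in proportion to the weights, and a class that needs less than its weighted share leaves the remainder to the others. The demands and weights are constructed.

```python
"""Weighted bandwidth sharing with guarantees by progressive filling (added example)."""
from typing import Dict


def allocate(capacity: float, demands: Dict[str, float], weights: Dict[str, float]) -> Dict[str, float]:
    """Give each class its demand if everything fits; otherwise share by weight,
    capping under-demanding classes at their demand and redistributing the rest."""
    if capacity < 0 or any(d < 0 for d in demands.values()):
        raise ValueError("negative capacity or demand")
    if any(weights.get(k, 0) <= 0 for k in demands):
        raise ValueError("every demanding class needs a positive weight")
    if sum(demands.values()) <= capacity:
        return dict(demands)                   # sufficient bandwidth: weights impose no limit
    alloc = {k: 0.0 for k in demands}
    remaining = float(capacity)
    active = set(demands)
    while active and remaining > 0:
        total_w = sum(weights[k] for k in active)
        share = {k: remaining * weights[k] / total_w for k in active}
        satisfied = {k for k in active if demands[k] <= share[k]}
        if not satisfied:
            for k in active:                   # everyone still hungry: split the rest by weight
                alloc[k] += share[k]
            break
        for k in satisfied:                    # modest classes take only what they need
            alloc[k] = demands[k]
            remaining -= demands[k]
        active -= satisfied
    return alloc


def allocate_two_level(capacity: float, ssid_weights: Dict[str, float],
                       app_demands: Dict[str, Dict[str, float]],
                       app_weights: Dict[str, float]) -> Dict[str, Dict[str, float]]:
    """Split capacity between SSIDs by weight, then split each SSID's share
    between its application channels by weight."""
    ssid_demand = {s: sum(d.values()) for s, d in app_demands.items()}
    ssid_alloc = allocate(capacity, ssid_demand, ssid_weights)
    return {s: allocate(ssid_alloc[s], app_demands[s], app_weights) for s in app_demands}


# Constructed weights: OA highest, web in between, P2P lowest; office SSID over guest.
APP_WEIGHTS = {"oa": 5, "web": 3, "p2p": 1}
SSID_WEIGHTS = {"office": 3, "guest": 1}

if __name__ == "__main__":
    demand = {"office": {"oa": 30, "web": 30, "p2p": 30}, "guest": {"web": 50}}
    print(allocate_two_level(100, SSID_WEIGHTS, demand, APP_WEIGHTS))
```

The `satisfied` step is what the text calls "guaranteed bandwidth": a low-weight class such as P2P is never starved to zero while it is the only one left wanting, but a high-weight class that asks for little does not hoard what it will not use.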

2.6.4 Multicast optimisation and rate enhancement
Multicast packets are automatically transmitted at a higher initial rate, improving transmission efficiency while still ensuring that every terminal receives them, which improves bandwidth utilisation.

ARP-to-unicast conversion: ARP delivery is optimised by converting broadcast ARP into unicast toward the target, reducing unnecessary flooding.

DHCP broadcast suppression toward wireless terminals: DHCP delivery is optimised so that DHCP traffic is not flooded over the air.

Terminal access rate threshold: terminals whose data rate falls below a configured value are refused access, raising the overall rate of the network.

2.6.5 VLAN pool
Assigning client addresses from a pool of VLANs shrinks each broadcast domain, reducing broadcast flooding and improving utilisation of wireless bandwidth.

2.6.6 Smart load balancing and 5G priority for stable, fast access in high density
In high-density areas such as conference rooms and open spaces, several access points usually cover the same area. The solution assigns users automatically according to each AP's load and signal strength, steering a new user to the AP with the fewest users and preferring the less-interfered 5 GHz band, so that every user gets a seamless wireless experience. Besides balancing by user count, load can also be balanced across the 2.4 GHz and 5 GHz bands.

Dual-band smart load balancing: load is balanced between 2.4 GHz and 5 GHz, and a terminal that supports 5 GHz is preferably connected to the less-interfered 5 GHz network, improving wireless access.

2.7 Enterprise wireless fast roaming design
2.7.1 Anti-sticky terminals
Traditional roaming is decided by the terminal and cannot be controlled by the network, so a terminal may stick to a distant AP with a weak signal. The anti-sticky technique compensates for this: the infrastructure steers the terminal to a nearby AP with better service capacity, giving the user a better experience. After roaming, the terminal's VLAN, IP address and role remain unchanged and the user notices nothing.

2.8 Enterprise Wireless Internet Access Management Design

2.8.1 Wired and wireless integration
Enterprise networks usually have wired and wireless users at the same time. Customers want the wired ports of the wireless controller to authenticate wired users as well, so that wired and wireless users are managed centrally with a single point for user authentication, traffic control, traffic management and traffic audit. The solution integrates wired management and authentication and provides access authentication mechanisms such as combined authentication, IP-based authentication and no authentication, truly unifying control of wired and wireless users.

2.8.2 Internet audit
Customers want not only access control and user authentication but also auditing of user behaviour and web content, including outgoing HTTP content, website visits and downloads, e-mail, FTP, TELNET and so on, as well as web applications, web content, ACL denials, flow control and online duration.

An audit policy is applied to a role, and the role is assigned to users; the users holding that role can then be audited.

2.8.3 Flow control and bandwidth guarantee
Customers want to manage network traffic by user and by application, providing both bandwidth guarantees and bandwidth limits. Bandwidth guarantees protect important applications; bandwidth limits cap the total and per-application uplink and downlink bandwidth of a user group. Customers also want flexible configuration: guarantee the bandwidth of critical applications first, then allocate bandwidth among users of the same application according to user priority.

The solution provides application-based traffic control with per-user guaranteed bandwidth, and ensures that the bandwidth of critical applications is protected regardless of what other applications consume.

2.8.4 Richer data-centre reporting with automatic audit notifications to management
Customers need not only user access and authentication but also auditing of network behaviour and content. Audit results are stored in the data centre.

The solution provides an "egress risk report", a "legal risk report" and its own "online behaviour report", helping to control risky behaviour by employees.

2.9 Visitor security management design
2.9.1 Fast Internet access via QR code
Companies receive visitors every day: suppliers, customers, business partners and leaders all need easy wireless access. The solution offers a simple authentication method: the visitor connects to the company's wireless network and opens a browser, which automatically displays a QR code; a member of the reception staff scans it with their own authenticated terminal to approve the visitor.

QR-code authentication has been certified by the Ministry of Public Security, and visitor behaviour can be traced back to the visitor and the approving employee.

2.9.2 Quick access for temporary visitors
For temporary visitors the solution replaces traditional reception procedures: reception staff can create a guest account and password directly. The account can be the visitor's ××× number and the password its last six digits, with a validity period for Internet access. Combined with the QR-code technology, a temporary QR code can be generated for the visitor; reception staff simply hand it over and the visitor scans it to get online.

The online behaviour of temporary visitors can be traced.

2.9.3 SMS authentication
Guest users receive an access code on their phone and use it to join the wireless network. A code can be configured for long-term reuse.

2.9.4 WeChat authentication
With WeChat authentication, a visitor who enters the showroom and connects to the wireless network is redirected to a specified page that asks them to follow the company's WeChat account; once they follow it they can access the Internet. This raises visitors' attention to the company and supports advertising and promotion.

The solution covers the various WeChat authentication methods, in particular one-click authorised follow (OAuth-style authorisation), so that visitors authenticate quickly.

2.9.5 Anti-freeloading
Online-duration and traffic quotas give enterprise customers flexible control over guest usage according to their needs, preventing freeloaders and protecting the company's network resources.

2.9.6 Isolation within the same SSID
Employees and visitors on the same SSID can be isolated from each other, preventing data leakage, file theft and malware spread between terminals, protecting corporate resources and preventing the disclosure of confidential information.

2.10 Centralised management design
2.10.1 Zero-configuration APs
All access points are configured centrally on the wireless controller, making deployment and configuration easy with no learning cost for users.

Configuration backup and restore, automatic or manual, together with dual-running access points keep the network available 24 hours a day.

2.10.2 Cloud upgrade
All access points can be updated automatically from the cloud to the latest version. Different AP hardware models are detected and updated automatically, reducing manual intervention and ongoing maintenance and upgrade costs.

Customers can schedule updates at night to reduce the business disruption that daytime updates would cause.

2.10.3 Visual heat map
As large companies grow quickly, the number of deployed access points and branch controllers increases dramatically, creating complex device management problems.

The solution provides a visual map of access points that helps network administrators analyse operating status in real time and quickly locate faulty devices. Devices are managed hierarchically and their real-time status is shown on the map.

The AP map also supports analysis of people flow and density, and quick lookup of user security events by site, helping network managers run the wireless network better and respond to staff.

2.10.4 Intelligent remote AP connection
Some branch-office access points connect remotely to the headquarters wireless controller and reach headquarters resources through it. Frequent changes of the headquarters' egress IP address are a serious problem for such remote APs.

The solution's intelligent connection technique makes changes of the headquarters IP address transparent to remote APs: the connection recovers quickly without any manual intervention and without service interruption.

2.10.5 Intelligent RF management
Interference is a common problem in wireless networks. Other operators' wireless signals, as well as Bluetooth and wireless security cameras working in the 2.4 GHz band, interfere with the wireless network.

Access points automatically select the channel with the least interference. They can also reduce transmit power to cut overlapping coverage, or raise it to compensate for coverage holes, which reduces interference from surrounding radios and prevents interference before it occurs.

2.11 Enterprise data protection: safe and reliable design
2.11.1 Wireless attack and rogue AP detection and countermeasures
Because the wireless medium is open, rogue access points such as phishing APs and ad-hoc networks can hide inside a wireless network and lure business users to connect, stealing account credentials and confidential company documents or spreading malware.

Employees may also set up unauthorised access points for data transfer, leaking company information.

The solution provides a complete wireless defence system that resists wireless attacks such as phishing APs, ad-hoc networks, spoofing attacks initiated by users and flooding, establishing a more secure wireless access environment.
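The rogue categories above (phishing or evil-twin APs, ad-hoc networks, employees' unauthorised APs on the LAN) can be told apart from ordinary neighbouring networks with a few inputs the controller already has. The following Python is an added example over constructed scan results, not the vendor's detection engine: the authorised BSSID list stands for the controller's AP inventory, the wired MAC table stands for what the access switches have learned, and all SSIDs and addresses are invented.

```python
"""Rogue-AP classification over constructed scan results (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

CORPORATE_SSIDS: Set[str] = {"CorpWiFi", "CorpGuest"}
AUTHORISED_BSSIDS: Set[str] = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}
# MAC addresses learned on wired access ports (constructed). A consumer AP's wired
# MAC usually differs from its BSSID only in the last octet or two.
WIRED_MACS: Set[str] = {"de:ad:be:ef:00:11", "3c:52:82:12:34:56"}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    ibss: bool       # ad-hoc (IBSS) beacon rather than an access point
    privacy: bool    # encryption advertised


def normalise(ssid: str) -> str:
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def looks_like_corporate(ssid: str) -> bool:
    """'Corp-WiFi Free' or 'corpwifi5g' resemble 'CorpWiFi' closely enough to lure users."""
    n = normalise(ssid)
    if not n:
        return False
    return any(normalise(c) in n or n in normalise(c) for c in CORPORATE_SSIDS)


def on_wire(bssid: str) -> bool:
    """Heuristic: a wired MAC shares the first five octets with this BSSID."""
    prefix = bssid.lower()[:14]
    return any(m.lower().startswith(prefix) for m in WIRED_MACS)


def classify(b: Beacon) -> str:
    if b.bssid.lower() in AUTHORISED_BSSIDS:
        return "authorised"
    if b.ibss:
        return "adhoc"                 # peer-to-peer network, typically used to share files
    if b.ssid in CORPORATE_SSIDS:
        return "evil_twin"             # our SSID from a radio we do not own
    if on_wire(b.bssid):
        return "rogue_on_wire"         # unauthorised AP plugged into the LAN
    if looks_like_corporate(b.ssid):
        return "phishing_suspect"
    return "neighbour"


def report(beacons: List[Beacon]) -> Dict[str, List[str]]:
    """Group observed BSSIDs by verdict for the administrator."""
    out: Dict[str, List[str]] = {}
    for b in beacons:
        out.setdefault(classify(b), []).append(b.bssid.lower())
    return {k: sorted(v) for k, v in out.items()}


# Constructed scan, not a real capture.
SCAN = [
    Beacon("00:11:22:AA:00:01", "CorpWiFi", 6, False, True),
    Beacon("02:aa:bb:cc:dd:ee", "CorpWiFi", 1, True, False),
    Beacon("66:77:88:99:aa:01", "CorpGuest", 11, False, False),
    Beacon("66:77:88:99:aa:02", "Corp-WiFi Free", 11, False, False),
    Beacon("de:ad:be:ef:00:10", "Bobs-Hotspot", 3, False, True),
    Beacon("12:34:56:78:9a:bc", "Cafe", 1, False, True),
]

if __name__ == "__main__":
    for verdict, bssids in sorted(report(SCAN).items()):
        print(f"{verdict:17} {', '.join(bssids)}")
```

Two caveats a practitioner should keep in mind: a BSSID whitelist does not defeat an attacker who clones an authorised BSSID, so exact-BSSID evil twins need signal-strength, location or wired-side correlation to detect; and active countermeasures such as deauthenticating clients of a neighbouring network you do not own may be unlawful in many jurisdictions, so the "counter" step should be limited to APs confirmed to be on your own infrastructure.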

2.11.2 Wireless over-the-air encryption
Business data carried over the air needs efficient and reliable encryption so that it cannot be tampered with or recovered by brute force. The solution supports a range of international standard encryption methods to protect business data in transit, mainly in the following three respects:

WPA/WPA2 with AES is used to encrypt data. WPA2 uses 128-bit keys, solving the problem of the short keys of older schemes that third parties could recover easily. WPA2 defines the stronger CCMP encryption standard and pairs it with a complete authentication mechanism: the access point decides whether to admit a client based on the result of authentication, comparing the user's identity against the authentication database before granting access and dynamically assigning the client its rights and privileges. Encryption keys are derived per user and can be changed dynamically, for example after a number of packets has been transmitted. In addition, every user data packet carries a MIC (message integrity code), so that other users cannot alter it.

Packets between the access points and the controller are encrypted with RC4, chosen for its low cost. RC4 is no longer considered a safe cipher (RFC 7465 prohibits its use in TLS), so this tunnel should be treated as obfuscation rather than strong confidentiality, and AP-to-controller traffic should be kept on a separate management VLAN.

The solution is also compatible with the WAPI standard, further ensuring the confidentiality and integrity of data.

2.12 Enterprise wireless stability design
2.12.1 Single integrated multi-function device
The wireless functions, wired management and authentication are all integrated into the wireless controller. The functional modules are independent of one another and run at the application layer above the data forwarding and processing platform, so a failed service module can be restored quickly without affecting the others.

2.12.2 Redundancy to reduce single points of failure
A dual-device hot-standby mechanism reduces service interruptions caused by the failure of a single device, improving service reliability and removing single points of failure.

2.13 Equipment selection
Based on the analysis above of XXX's demand for a fast and secure enterprise WLAN, the XXX wireless system must have the following characteristics:

Wireless network acceleration

Identification of the company's core business traffic and guaranteed bandwidth for it

Identification and control of prohibited web applications and URLs

Guest network authentication via QR code or a separate temporary-guest system

Access points with 2.4 GHz and 5 GHz dual-band access, in sufficient quantity and of sufficient quality to guarantee access

Reproduced from: https://blog.51cto.com/14257353/2405392

Origin: blog.csdn.net/weixin_34080903/article/details/91695524