Here is a new Tech Brief from our Engineering team on…

With the advent and popularity of laptops and mobile devices, available Wi-Fi Internet service is something people are coming to expect. This service would be essential for coffee shops, restaurants, retailers, hotels, convention halls, and any other small and medium business in which people may wish to surf the Internet during their visits. To react to this demand in the market, D-Link unified wireless solution is designed. With this solution, a unified wireless controller centralizes the configuration and management of multiple unified wireless access points. For IT managers and administrators, it is essential to bind the wireless controllers and the wireless access points into a cluster during network deployment in the network architecture. The D-Link’s feature of AP provisioning provides a convenient and robust way to configure the relationship between the wireless access points and wireless controllers.

Overview

Wireless connectivity is becoming a necessity and an integral part of every network. Wi-Fi networks are now the preferred choice for people to stay connected as it provides ease-of-use, mobility, and flexibility. The D-Link unified wireless solution is designed for either a small scale like a cafe or a large scale like a campus or hotel, where Unified Access Points (UAP) and unified controllers are included. It reduces overall operational expenses by simplifying network deployment, operations, and management. In this architecture, one of the essential procedures for network administrators is to bind a wireless controller and the UAPs into a cluster during network deployment. With the AP provisioning feature network administrators can configure the relationship between the controller and UAPs easily.

AP Provisioning

Figure 1 shows an example of a network topology in which D-Link unified wireless solution is used. Two controllers (Controller A to Controller B) and 6 UAPs (UAP 1 to UAP 6) are in this topology. In most cases, while making a controller manage the UAPs in the field, a network administrator enters the MAC addresses of the UAPs into “valid AP database” in the controller through the controller’s management web UI. The controller then sends discovery messages periodically and waits for discovery-responses from the UAPs. Once the controller gets a discovery-response, it looks up the MAC address in the “valid AP database”. If the MAC address exists in the database, then the controller will try to manage the UAP. This scenario is easy to understand, but the relationship between the controller(s) and UAPs could be uncertain. For instance, in Figure 1, to manage all UAPs and setup a redundant controller, we add all MAC addresses of UAPs into both databases of controller A and of controller B. That is to say, both controllers send discovery messages periodically and a UAP would send back a discovery-response immediately if it is unmanaged, no matter which controller the discover message was from. As a result, the UAP could be managed by either controller A or controller B at any time.

ap-2
Figure 1. Unified Wireless Solution

 

D-Link’s AP provisioning, which includes the following configuration, would be helpful to resolve this ambiguity for a network administrator.

1. Primary Controller and Backup Controller

A UAP with provisioning information will try to set up a connection to the primary controller and ignores all discovery messages; hence the network administrator can ensure that the UAP is managed by the desired controller. If a UAP fails three consecutive attempts of connecting to the primary controller, it will then attempt to connect to the backup controller instead. By designating a backup controller, the network administrator builds a failover/redundant controller.

2. Mutual Authentication

With mutual authentication, the controllers and the UAPs authenticate each other. When mutual authentication is enabled, all the unified wireless devices perform X.509 certificate exchange as illustrated in Figure 2. Each controller holds copies of X.509 certificates for all other controllers in the same cluster, and of the UAPs it manages as well. Similarly, each AP holds a copy of the X.509 certificate of the controller to which the AP may establish a connection. During the process of building a management connection, each party (controller or UAP) compares the certificate received from the other with the local copy. If they do not match, then the connection will drop. In addition, the X.509 certificates are auto-generated by the controllers and the UAPs, thus they do not need to communicate with any trusted certificate authority and the IT manager is not required to pay certificate maintenance fees.

Figure 2. Certificate Exchange in Mutual Authentication
Figure 2. Certificate Exchange in Mutual Authentication

 

Conclusion

D-Link AP Provisioning is a convenient and robust solution for IT staff and network administrators during network deployment. By designating primary and backup controllers, we can make network deploying easy and construct an environment with a redundant controller. With the mutual authentication feature, we can ensure that all devices in the unified wireless system are authenticated without certificate maintenance fees.