White Paper

Troubleshooting wireless LANs to

improve Wi-Fi uptime and security

When wireless users report problems with their WLAN

connection, the help desk is usually the first place they

turn to for troubleshooting expertise. The technician

first needs to determine if the problem is at the client

device, the wireless infrastructure, the wired network,

Table of contents
or if it is an application problem.

Introduction. . . . . . . . . . . . . . . . . . . . . . . . 1

This whitepaper gives you an in-depth look at the Network architectures. . . . . . . . . . . . . . . . 1

wireless troubleshooting process. You’ll learn how to Multimode channel scanning. . . . . . . . . . 1

improve security and performance by identifying rogue

Possible RF problems. . . . . . . . . . . . . . . . . 2
access points and ad-hoc networks and learn how to
Eliminating network . . . . . . . . . . . . . . . . . 3
conduct network audits. You’ll also get a quick view of
Troubleshooting process. . . . . . . . . . . . . . 3
network test tools and their effectiveness at trouble-

shooting wireless LANs. Security and performance. . . . . . . . . . . . . 4

Rogue APs and ad-hoc networks . . . . . . . 4

Conducting network audits . . . . . . . . . . . 4

Portable systems . . . . . . . . . . . . . . . . . . . . 5

Centralized systems. . . . . . . . . . . . . . . . . . 5

Fluke Networks’ portable analyzers. . . . . 6

 White Paper

Troubleshooting wireless LANs to improve

Wi-Fi uptime and security
Introduction
IEEE 802.11-based wireless LANs, also called Wi-Fi networks, are quickly expanding into mainstream areas of busi-
ness from their traditional niche applications in warehouses and on retail floors. As a result, it is becoming equally
important for network engineers and technicians to have the necessary tools to troubleshoot and secure their wire-
less networks, as it is their wired networks.

Especially useful are portable, integrated wireless/wired analyzers. Having a single device for troubleshooting both
network segments allows technicians to quickly determine whether the sources of problems are wireless or wired
issues – or non-network issues altogether – so they can maximize network availability for users, who are growing
increasingly mobile.

The wireless environment

There are several modes of Wi-Fi configurations, and visibility into all devices, RF channels, and protocol types in
the various modes is critical for quick problem resolution. For example, it is important that ad-hoc peer-to-peer
networks, as well as, bridged, switched, and mesh infrastructure networks can all be analyzed by device category,
interface, and switch port using a single device.

Network architectures
Ad-hoc networks consist of client devices communicating directly with one another in a peer-to-peer workgroup
fashion. Ad-hoc networks can pose a threat if an unauthorized client(s) should automatically associate with a legit-
imate client that contains sensitive data or if they piggyback onto that client’s connection to gain access to wired
network resources.

Wireless infrastructures are comprised of access points (APs) which are either connected directly to the wired network,
or to wireless switches. They provide the RF environment for client devices, and can be configured to create point-
to-point networks for bridging networks between buildings, such as across a parking lot.

Yet another infrastructure type is mesh networking. A mesh network consists of APs that communicate with one
another using wireless routing protocols. Mesh networks enable communications with the wired network through a
minimal number of access points that are connected to the wired network. Mesh networks are often considered in
order to provide flexibility in access point placement and to reduce the costs and complexity of running cable from
wiring closets to each AP.

Multimode channel scanning

In the radio access network of wireless clients and APs, it is becoming common that the full suite of 802.11 types
– 802.11b and 802.11g, which operate in the 2.4GHz band, and 802.11a, which operates in the 5GHz band – will
be in use in a given enterprise environment. The reason is businesses desire to take advantage of the maximum
number of non-interfering channels, avoid RF interference, and optimize WLAN capacity.

Fluke Networks  www.flukenetworks.com

 White Paper

Even if an organization is using just one 802.11 mode, having a wireless analyzer that can scan all the channels in
the 802.11b, a, and g bands is recommended as a best practice. Otherwise, your organization risks security threats
from ad-hoc and rogue APs operating in the other bands.

A multimode analyzer scans the 802.11 channels in the 2.4GHz and 5GHz freqencies in a given geography to check
for proper configuration, signal-to-noise ratio (SNR), bandwidth utilization levels, and other issues. If utilization on
an AP is topping out, for example, it could be because there are temporarily too many wireless clients associated
with it. On the other hand, perhaps a particular user or protocol is “hogging” bandwidth. Technicians equipped
with wireless analyzers can discover those “top talkers,” enabling the company to decide whether MP3 downloads or
other greedy traffic should be banned from the wireless environment.

O piV
t w
ie
Inetgartde eN t o
w rk

Figure 1: Troubleshooting and securing a mixed-mode Wi-Fi environment

Possible RF problems
Unlike the wired network, the performance of the wireless LAN and users’ ability to access the network are prone
to change as the environment surrounding APs and clients changes. Because users connecting to wireless APs are
often mobile, it can be challenging to predict how many will be using a given AP at one time. In addition, inter-
mittent coverage holes, or dead zones, may materialize when an AP becomes temporarily overloaded or when clients
roam to areas where the RF signal strength is too weak to maintain association.

Dead zones in out-of-the-way areas where APs have not been installed can become a problem when new wireless
applications, such as wireless voice over IP, are deployed. Also, changes to the physical environment made after
the initial wireless site survey can impede the ability of clients and APs to communicate. Such changes might
include the addition or movement of furniture, particularly metal file cabinets, and the installation of microwave
ovens and other wireless consumer-grade devices.

Fluke Networks  www.flukenetworks.com

 White Paper

Eliminating the network as a suspect

Often, of course, difficulties that wireless users experience have nothing to do with the wireless network or even
the wired network. Infonetics Research reported last year that just 22% of network downtime in North America
was actually due to network products, cables, and connectors. Rather, the firm estimated that 69% of downtime
was attributable to service providers, servers, and applications.

Nonetheless, it is still the network technician’s job to identify whatever is causing perceived network problems.
In many organizations, application support teams require that network issues be eliminated as possible culprits
before they will troubleshoot their applications.

The troubleshooting process

When users encounter problems with their Wi-Fi connections, they typically call an internal help desk. When simple
troubleshooting over the phone is not sufficient, the help desk dispatches a technician to the client’s location.

If a wireless user is having trouble logging in, the first thing the technician will want to determine is exactly
where the problem is occurring. Using a portable test and measurement device that tests both the wireless and
wired network is generally the quickest means to this end.

If the technician can use the wireless analyzer in client mode to successfully authenticate and associate from the
problem location, then the problem may lie in the user’s client device configuration or in that client’s access rights.
If the analyzer cannot reach the authentication server, the problem could lie in either wireless or wired physical
layer. Not enough bandwidth, falling out of range, or interference, for example, could be at the root of the
problem.

The technician can use a wireless analyzer to scan the wireless environment to measure signal strength and AP
capacity from the problem location. Scanning in this manner is often referred to as passive mode, as the analyzer is
not actually associated with an access point while performing these tests. In passive mode, the analyzer’s wireless
NIC is only receiving wireless data and is not transmitting. If RF quality is satisfactory, then the technician will use
the analyzer to link to the wireless network, in client mode, to conduct other tests such as authentication tests,
ping, and throughput tests.

Often, technicians must verify that the client configuration conforms to the business’s security policies for packet
encryption and authentication method (such as Extensible Authentication Protocol, or EAP, type). A mismatched
security parameter would prevent successful authentication and authorization.

A well-designed portable wireless/wired analyzer should be able to monitor and troubleshoot every step of the authen-
tication process to see if and where it breaks down. If the authentication server is denying the user access, for exam-
ple, the issue might lie in the authentication server itself, the user’s security configuration, or the user’s access rights.
Supervising the EAP authentication process from a wireless analyzer will eliminate a number of possibilities.

Fluke Networks  www.flukenetworks.com

 White Paper

Bolstering security and performance

As mentioned earlier, wireless networks are dynamic. Once deployed, the wireless network environment continues to
change. This happens in part through human error and sometimes through the addition of unauthorized devices to
the network by employees seeking to improve their wireless access. In some cases, because wireless connectivity is
three-dimensional in nature, outsiders beyond the physical walls of an organization can also use unauthorized APs
to gain access, either by happenstance or by design.

Finding rogue APs and ad-hoc networks

Not all companies can justify the expense of deploying an overlay sensor network, such as an intrusion detection
system (IDS), to seek out unauthorized, or rogue APs. In most cases, the process of locating unauthorized rogue
APs and ad-hoc networks can be managed effectively by performing walk-around network audits that test for vulner-
abilities. This involves configuring a portable test device so that production APs are designated as “authorized” in
the test system software. The test device will then be able to quickly and clearly identify unauthorized APs and ad-
hoc networks in real-time during periodic audits.

Conducting network audits

From a security standpoint, Gartner Inc. predicts*
that through 2010, 90% of WLAN security incidents
will be the result of misconfigured systems (0.8
probability). Wireless analysis tools can help prevent
this by contributing to the best practice of conduct-
ing regular wireless audits to make sure APs and
clients are configured in accordance with corporate
policy, as recommended by the Bethesda, Maryland-
based SANS Institute, which offers information,
security training and certification.
Figure 2: Scanning the wireless network
The institute recommends enterprises regularly
check each AP’s configuration and make sure it accurately reflects the organization’s internal security policies. For
example, if an enterprise has adopted WPA and has selected, say, Protected Extensible Authentication Protocol
(PEAP), one of several available authentication methods, network administrators should regularly check that all APs
are indeed configured for PEAP.

Periodically, after the initial wireless site survey, network technicians can use their portable analyzers to analyze
the RF environment and look for changes that might cause performance degradation. They can also watch for user
trends – such as finding where wireless users congregate – which may indicate areas where additional APs should
be installed.

* Gartner Inc. Research Note, November 21, 2006, Introduction to Wi-Fi Security Best Practices, John Girard, John Pescatore

Fluke Networks  www.flukenetworks.com

 White Paper

Form factor considerations

There are several types of analyzers available for troubleshooting and securing your wireless network. At this junc-
ture, the most useful type will likely be a portable device designed to troubleshoot both the wireless and wired
enterprise network segments.

Portable systems
Ruggedized, integrated network analyzers have several
advantages over laptop computers and handheld, per-
sonal digital assistant (PDA)-style devices, as well as
centralized systems (see subsection below). Laptops,
for example, are limited in performance by the Windows
Network Driver Interface Specification (NDIS) drivers,
which specify how communications protocols, such as
TCP/IP, communicate with the laptop NIC. NDIS limita-
tions often cut performance in half. From a usability
perspective, laptops are also less desirable as technicians
hesitate to loan their laptops to others to conduct tests,
and they may not want to leave their laptop somewhere Figure 3: Portable wired and wireless analyzer
to conduct long-term test and analysis.

For their part, PDAs lack onboard cardbus support, which is necessary in order to enable (802.11a/b/g) Wi-Fi
channel scanning. As noted earlier, this is a critical capability required for doing a thorough job of troubleshooting
the wireless enviornement.

Centralized systems
Systems that support some RF management capabilities in a wiring closet or data center switch or controller are
useful; however, they have visibility only into what the distributed infrastructure APs can “see” and are able to
report back to the centralized system. If there is a dead zone, for example, due to a change in the physical environ-
ment, a centralized RF management system may not be able to discover it.

Similarly, a centralized system may be able to indicate the general location of a rogue AP, but to the technician
dispatched to disable it, nearby APs visually look the same. Portable analyzers, on the other hand, serve as a com-
plement to the centralized systems by providing audible and visual signal strength indicators that lead technicians
directly to the rogue AP.

Finally, many enterprises today support legacy Wi-Fi infrastructures with traditional APs. They simply have not
had the budget or justification to upgrade to centralized infrastructures or install proprietary Intrusion Detection
Systems (IDS). In these environments, frequent audits with a portable wireless network analyzer offers an efficient
management and maintainance solution.

Fluke Networks  www.flukenetworks.com

 White Paper

Summary
As wireless LAN technology continues to proliferate, wireless LAN users will increasingly call upon help desk
resources to report wireless network issues. Fortunately, technicians no longer need to carry several tools in order
to test and troubleshoot their networks. Integrated wireless/wired portable analyzers can quickly isolate problems
to the wireless or wired network, client device, or application, enabling technicians to accelerate problem resolution.

Wireless analyzers discover network-connected devices and provide information regarding their associated health,
signal strength, and security configurations. They also have the ability to operate as a wireless client which helps
technicians to immediately determine whether the issue is specific to the given user’s device. Portable, integrated
network analyzers have performance advantages over laptops, multimode scanning advantages over handhelds, and
cost and granularity advantages over centralized systems.

About Fluke Networks’ portable

wireless network analyzers
The EtherScope™ Network Assistant and
OptiView™ Series III Integrated Network Analyzer
are portable tools for fast analysis and troubleshooting
of 802.11a/b/g wireless LANs and 10/100/gigabit
wired networks. They provide the depth of view into
your network necessary to resolve problems on both
Figure 4: OptiView portable analyzer (L) and EtherScope Pro (R).
sides of the access point.

The EtherScope and OptiView portable analyzers automatically scan all a/b/g channels to gather and report statis-
tics on the health of the RF network and to discover the active networks, mobile clients and access points. You can
drill down into any device to view its wireless configuration. Use the built-in maintenance utilities to edit the con-
figuration if necessary.

When testing wireless security, these analyzers will identify and flag security vulnerabilities including unauthorized
(rogue) devices and unprotected access points. Use the locate feature to track down the offending device.

You can use these portable analyzers to troubleshoot connectivity and login issues by monitoring the connection
and authentication processes. In addition, both tools feature extensive reporting capabilities for documenting
your WLAN.

Learn more about Fluke Networks portable network analyzers by visiting www.flukenetworks.com/wireless.

N E T W O R K S U P E R V I S I O N

Fluke Networks
P.O. Box 777, Everett, WA USA 98206-0777

Fluke Networks operates in more than 50 countries

worldwide. To find your local office contact details,
go to www.flukenetworks.com/contact.

©2007 Fluke Corporation. All rights reserved.

Printed in U.S.A. 1/2007 2407211 A-ENG-N Rev C

Fluke Networks  www.flukenetworks.com