Thursday, December 10, 2009

Meraki and Aerohive - Meraki bad whitepaper

I had an assignment to design a wireless network for a mid-sized hotel.
The specification was for Cisco, but IMHO Cisco controllers are bloatware for this kind of situation:
  • Small amount of in-house IT at client site +
  • Big cost of Cisco controllers (+ possible ongoing configuration and maintenance needs)
  • = bad choice
I have been out of the 802.11 game for a year or two doing other things, so thought I'd read up. Hotels are an interesting application - especially a business hotel - because you have a potential for very high, spiky usage at conferences. Security might be deemed unimportant; however, to conserve precious bandwidth you need to restrict access. Plus there are the interesting questions of what is the easiest way to distribute and manage logins, and if you can protect guests from each other that might not be a bad idea. So some kind of built-in, easy RADIUS server would be good.

I looked into Meraki and Aerohive.
The "fat AP" is out, right? Thin is in... Oops - not anymore. These APs look like they do a fair amount of processing, but are in some way "collaborative" and "self-managing" (WRT sharing the airspace and routing traffic at least). So I would call them "fat and sassy" APs - but the preferred term by vendors seems to be "Smart".

I am still reading up and playing with Aerohive's nice online demo tool. Meraki looks like they have really geared their product to exploit Cisco's pricing in this area - in terms of ease of manageability and price - they even have a Meraki vs Cisco calculator, which admittedly has list prices for Cisco stuff that you will never pay.

Even so, their "cloud controller" option makes sense for hotels and other public access networks.

HOWEVER. Reading Meraki's product literature (a network security whitepaper), I was bothered by evil half-factoids, which made me wonder if they are sloppy or sleazy in other ways.

Quoth Meraki:

"WPA2-Enterprise, also known as 802.1x,"

WPA2-Enterprise is not known as 802.1x - maybe you mean 802.11i?

"is considered by many to be the “gold standard” of wireless security. In this architecture, each client (known as a supplicant) uses a unique username and password to authenticate on the wireless network."

Um, WPA2-Enterprise - using 802.1x/EAP - can do a number of different types of authentication, including certificates.

"The client’s username and password are checked against any Active Directory or LDAP server that supports the RADIUS protocol (and most do)."

You really don't need to mention Active Directory here, because that has nothing to do with it.
Also RADIUS is not really necessary, though almost always used. I would reword this as:
"The most common form of WPA2-Enterprise uses 802.1x authentication to allow the access point to check user and password information for each client against an authentication server. This authentication server is almost always a RADIUS server."

"Meraki supplies an integrated RADIUS server that companies can use instead of a stand-alone server if they wish. The primary advantages of WPA2-Enterprise are that it is highly secure and scales well. IT administrators can re-use their existing authentication infrastructure, so as employees come and go they are automatically added and removed from the wireless network. There is also no need to VPN. Since 802.1x is a relatively new standard,"

Whoa! 802.1x has been around before wireless LANs. It is not so new.

"client support is still evolving. As of 2009, support is common on most laptop and PC operating systems. However, support for PDAs, scanners, and other devices still varies. In addition, client configuration can sometimes be complex. While implementation of 802.1x has often been highly complex, Meraki has simplified the process significantly. 802.1x takes just a few clicks to deploy, and is no more difficult than implementing WPA2-PSK."

I am not sure on the preceding because there is some legitimacy to what they are saying here.
But I think it should be worded "implementation of 802.1x authentication in WPA2" to clarify.
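
The difference between WPA2-PSK and the several 802.1x/EAP authentication types discussed above, shown from the client (supplicant) side as an added example that is not part of the original post or of Meraki's whitepaper. It is a wpa_supplicant.conf fragment; the SSIDs, identities, file paths and secrets are constructed placeholders.

```conf
# Constructed wpa_supplicant.conf fragment; every SSID, identity, path and
# secret below is a placeholder.

# WPA2-PSK: one shared passphrase for every client, no 802.1x exchange.
network={
    ssid="example-psk"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    psk="constructed-shared-passphrase"
}

# WPA2-Enterprise, EAP type PEAP/MSCHAPv2: a unique username and password
# per client, which is the only case the whitepaper describes.
network={
    ssid="example-enterprise"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="constructed-user-password"
    # Validate the authentication server's certificate chain and name, so
    # the password is only offered to the intended server.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

# WPA2-Enterprise, EAP type TLS: same key_mgmt=WPA-EAP, but the client
# proves its identity with a certificate and private key, not a password.
network={
    ssid="example-enterprise"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="constructed-key-passphrase"
}
```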


Am I just being picky? Or maybe my understanding of the issues is rusty?

4 comments:

  1. I found that interesting. Picky? No. That is probably the Meraki marketing writing the product specs. End users need to be aware.

    So I am interested: what did you choose for the hotel WiFi network?

    Ron
    SF WiFi

  2. Wow! A comment. And I thought I was just writing for my own amusement!
    This was a whitepaper, and IMHO, thou shalt judge a company by the whitepapers they write. One expects general product literature to be full of meaningless drivel and half-truths, but whitepapers should show that the company has some brains. I later read that Google funded Meraki. Their site is pretty slick.

    No selection as of yet. Made a case for both Aerohive and Cisco separately. We'll see.

  3. Your post was a long time ago, I realize. Have you learned more over the past 2+ years? I am in the process of comparing Meraki to Aerohive. They propose a very similar cloud solution. I'm trying to determine how they are different. Any thoughts on that? I'd appreciate whatever you can offer.

    Replies
    1. Hi-
      To my memory, (note I have not evaluated recently) - Meraki was quite inexpensive, but Aerohive seemed to have better features/ cloud tools.

      Ruckus seems pretty cool too. I would look at it for high-density. But not a cloud-controller solution?
