A sticky problem – Wi-Fi clients that won’t roam

I work in a very interesting industry. It seems like in no time, WLANs have gone from being a nice-to-have but definitely optional thing to something that everyone must have in order to operate their businesses. Part of the issue with this rapid change is that we are left with some decisions made in the past that have turned out not so great in the present day. One of those issues is caused by the decision to leave roaming decisions (when a WLAN client moves to a new AP and BSSID) up to the client. At the time I'm sure this seemed like a good solution. Craig Mathias over at NetworkWorld gave a bit of history around this decision that I wasn't aware of before. Apparently it was felt that 'few sites would be purchasing access points, so it was assumed that most networks would be peer-based'.

We who deploy WLANs professionally know well the pain caused by buggy client drivers and the wide variance between vendors in how they decide to do something as simple as roaming to a new AP. In comparison, cellular networks largely leave the roaming decision in the hands of the network, which for the most part results in much smoother handovers (such as not dropping your calls) as clients move about. Two factors are converging to make this issue into a bigger problem for Wi-Fi networks. The first is that wireless speeds are increasing (with 802.11ac they will go much higher), and because of this people are using the WLAN for more and more critical applications such as voice and video. The second is that the sheer number of devices using Wi-Fi as their only means of accessing the network has exploded since the introduction of the iPad in 2010. As Wi-Fi access becomes something that is relied on to run businesses, people naturally expect to be able to access it from wherever they need to work without a lot of hassle. They are not aware of such issues as limited bandwidth and the contention caused by the increase in clients. They only want to know why their video doesn't run smoothly or their voice call was dropped.

Yesterday I attended Aruba Networks' 802.11ac day (as part of Tech Field Day), where they announced their newest AP, the AP-220, and had several other things to talk about. Foremost amongst those was the announcement of their new ClientMatch technology to help with the roaming issues caused by sticky clients. What is happening here is that clients are not making a decision to roam when a much better connection is available to them, or when an AP is overloaded with other clients and a much more lightly loaded AP is nearby. We have, in fact, a standardized way of dealing with this issue in the 802.11k and 802.11v standards, but not all clients support them. Aruba's solution is to build intelligence into the access point and controller to help 'match' the client with the best AP from the client's point of view. This intelligence is happening on several levels. At layer 1, the link is optimized by moving the client, either using 802.11k/v or by disassociating the client and only offering association on the 'better' AP. At layers 2-3 the load on the APs is taken into account, and at layers 4-7 what the application is doing is taken into account.

Interestingly enough, Aruba believes that what they are doing is unique and therefore patentable. They have submitted the patent application US20130036188, which describes what they are doing for clients that do not support 802.11k. Essentially they are synthesizing the beacon reports used in the standard by collecting information from the APs when the client sends probe requests, authenticates or associates with an AP. The AP takes the SNR information, applies an adjustment, and then sends the information upstream to a controller, IAP or Airwave, where it is used to figure out which AP is best for the client. This is a quite clever, indirect way of figuring out how the client sees the network. The information that can be gathered includes SNR, MAC address (as the key), channel, band, timestamp, noise floor, channel loading, AP capabilities and more. Combined with the data the controller already has about applications, this means a decision can be made to whitelist or blacklist a given STA on a group of APs. I've been told that in testing they discovered the actual SNR seen by the client was off from the readings produced by their algorithm by a constant amount, so they were able to simply adjust to account for that.

Once you have built up this database of information, the next decision is how to use it. Aruba told me that they decided to push this back down to the APs in a distributed way, so that the decision to associate a client wouldn't suffer from having to look back to a controller or other device. As was pointed out on Twitter, moving active voice or video streams off a poorly performing AP is not a decision to take lightly. Voice call quality is usually expressed as a MOS (mean opinion score). Aruba is using, as much as they can, information from the call itself to compute the MOS score in real time and then move other, non-voice clients off the AP if they would interfere with the call quality. This was particularly highlighted by the Microsoft presenter, who spoke about how they had opened up an API so that Aruba could gather this type of information about a Lync call. It wasn't discussed, but I think that the basic client roaming algorithm would move a voice client if it got too far away from an AP for its built-in MOS score to stay sufficiently high. In that case, the Aruba ClientMatch system would encourage it to pick a much better AP by only offering those that would be good for the client. One final point to make: Aruba was very careful to point out that they took a cautious approach with ClientMatch, so they are not moving clients with an 80% score just to get a 90% score. They wanted to make sure they concentrated on the bottom percentage of clients, so that the improvement would be much larger and the stability of the WLAN in general would increase.
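To make the steering logic described in the two paragraphs above concrete, here is an added example (my own illustration, not Aruba's ClientMatch code or anything from the patent application) of how per-AP observations of a client's probe requests can be turned into a synthetic per-client view and then into a whitelist/blacklist decision. The constant SNR offset, the thresholds, the MOS floor, the AP names and all observation data are constructed assumptions chosen to show the behaviour; the hysteresis rules implement the "don't move an 80% client to get 90%" caution and the "don't add clients to an AP carrying a struggling voice call" rule.

```python
"""Sticky-client steering from AP-side observations (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed calibration constant: AP-measured SNR minus what the client actually sees.
# The page only says the difference was constant; 3 dB is an invented value.
CLIENT_SNR_OFFSET_DB = 3

# Hysteresis so only genuinely poor links are touched (assumed thresholds).
POOR_SNR_DB = 20      # below this (client-side estimate) the link counts as poor
MIN_GAIN_DB = 10      # candidate must beat the current AP by at least this much
MAX_LOAD = 0.8        # never steer onto an AP already this loaded
MOS_FLOOR = 3.6       # don't add clients to an AP whose active call is below this MOS


@dataclass
class Observation:
    ap: str
    client: str      # client MAC address, used as the key
    snr_db: int      # SNR the AP measured on the probe request / auth / assoc frame
    channel: int
    band: str
    load: float      # 0.0-1.0 fraction of the AP's capacity in use
    ts: float        # when the AP heard the frame


def build_view(observations):
    """Collapse observations into {client: {ap: newest Observation}}.

    This is the stand-in for an 802.11k beacon report: the network's
    best guess of how each client sees each AP."""
    view = defaultdict(dict)
    for o in observations:
        cur = view[o.client].get(o.ap)
        if cur is None or o.ts > cur.ts:
            view[o.client][o.ap] = o
    return view


def estimated_client_snr(obs):
    """Adjust the AP-side reading by the constant offset found in testing."""
    return obs.snr_db - CLIENT_SNR_OFFSET_DB


def steering_decision(client_view, current_ap, voice_mos=None):
    """Return (target_ap, allow_list) or None to leave the client alone.

    allow_list is the set of APs that may answer this STA; every other AP
    in the group is expected to blacklist it until it has moved."""
    voice_mos = voice_mos or {}
    cur = client_view.get(current_ap)
    if cur is None:
        return None
    cur_snr = estimated_client_snr(cur)
    if cur_snr >= POOR_SNR_DB:
        return None  # link is acceptable; churning it would only add instability
    candidates = [
        o for ap, o in client_view.items()
        if ap != current_ap
        and o.load < MAX_LOAD
        and voice_mos.get(ap, 5.0) >= MOS_FLOOR
    ]
    if not candidates:
        return None
    best = max(candidates, key=lambda o: (estimated_client_snr(o), -o.load))
    if estimated_client_snr(best) - cur_snr < MIN_GAIN_DB:
        return None
    return best.ap, {best.ap}


def decide_all(observations, current_ap_by_client, voice_mos=None):
    """Run the decision for every associated client; {client: decision}."""
    view = build_view(observations)
    return {c: steering_decision(view[c], ap, voice_mos)
            for c, ap in current_ap_by_client.items()}


# Constructed sample: three clients all associated to ap1, heard by ap1..ap3.
C1, C2, C3 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"
SAMPLE_OBSERVATIONS = [
    Observation("ap1", C1, 18, 36, "5GHz", 0.5, 10.0),   # C1's current link is poor
    Observation("ap2", C1, 10, 44, "5GHz", 0.3, 1.0),    # stale reading, superseded below
    Observation("ap2", C1, 35, 44, "5GHz", 0.3, 9.0),
    Observation("ap3", C1, 45, 6, "2.4GHz", 0.9, 9.5),   # strong but overloaded
    Observation("ap1", C2, 40, 36, "5GHz", 0.5, 10.0),   # C2 is fine where it is
    Observation("ap2", C2, 44, 44, "5GHz", 0.3, 10.0),
    Observation("ap1", C3, 15, 36, "5GHz", 0.5, 10.0),   # C3 is poor, but the gain is small
    Observation("ap2", C3, 22, 44, "5GHz", 0.3, 10.0),
]
SAMPLE_ASSOC = {C1: "ap1", C2: "ap1", C3: "ap1"}

if __name__ == "__main__":
    for client, decision in decide_all(SAMPLE_OBSERVATIONS, SAMPLE_ASSOC).items():
        print(client, "->", decision)
```

Only C1 gets steered (to ap2): C2's link is good, C3's best alternative is not enough of an improvement to justify a disassociation, and ap3 is excluded for load despite the strongest signal. Passing `voice_mos={"ap2": 3.0}` protects a struggling call on ap2 and leaves C1 alone too.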

There are some additional uses that come from being able to track what is happening from the client's point of view. These appear in Aruba's Airwave product, where the information is used to extend Airwave's ability to troubleshoot users' connectivity. Aruba has created additional reports to give more visibility into client behavior, one of which is called the steering report. This report tells you which clients are being steered by ClientMatch and how often they have been steered. That gives you some clues as to which clients might have firmware or driver issues that should be looked at, because they are constantly sticking to poor AP connections. VisualRF additionally shows the status of client connections, indicating in a nice red color when a client has a poor connection. All of this builds your control over what is happening on your Wi-Fi network, and especially control over client behavior that you haven't had before.

Whew, this has definitely been one of my longer blogs. There was quite a lot of information to get through and I wanted to make sure, as much as I was able, to have it correct. If anyone from Aruba reads this and sees I got something very wrong in my explanations of what's going on, I'd love to hear from you so I can correct this. Indeed I would also love to hear from anyone else with an opinion on this technology. I think this could be the start of fixing something that has been very annoying for some time, the 'client' problem. I know I'm looking forward to doing some testing of my own of ClientMatch once it's released.

Aruba is now a Mobility company not just a WLAN company

I've watched with interest over several years how Aruba Networks seems to have an uncanny ability to bring to market, or acquire, the technologies needed to stay at the forefront of the WLAN market. They seem to keep a close eye on competitors and shift the focus of the company when needed with as much agility as a small startup. Wireless is evolving at a very fast pace, and this sort of focus is, I believe, the difference between has-been companies and companies that really get what their customers and market space are about.

In addition to this observation, I think there is a more fundamental shift going on in wireless right now. I would call it the shift from the story being about how to build wireless networks to how to enable users and businesses to work/live/play while mobile. The following is a dictionary definition of mobility:

Mobility

  1. The ability to move or be moved freely and easily.
  2. The ability to move between different levels in society or employment.

In the enterprise we tend to focus on the first meaning, and I would argue that Aruba is now well on its way to redefining itself as a Mobility company and not just a WLAN company. This is indeed where the heat and customer angst is with mobile devices in the enterprise, and it focuses squarely on a problem that is in need of multi-faceted solutions. In my own workplace this is widely recognized by both the technical and non-technical folks as being a top concern for our customers. They are really looking for help with enabling their employees to use mobile devices. As an amusing (to me) aside, this is partially being driven by executives looking to be able to do their jobs while out of the office.

A few months ago I attended the Aruba Airheads conference in Las Vegas. One of the keynote speakers there was Paul DeBeasi from Gartner, who talked about the above shifts and Gartner's research on them. It was very interesting to me to hear Paul speak and to find that he was confirming many of the conclusions I had come to myself. The following diagram from Gartner illustrates how a mobile architecture looks and which pieces need to be considered:

Mobile Architecture Requirements

If you consider Aruba to just be a wireless infrastructure company, then only one of the above circles applies. I would argue, however, that Aruba is steadily developing a portfolio of solutions to mobility needs in the enterprise. An example would be ClearPass Policy Manager. This fits clearly into the identity and security circle. The recently announced acquisition of Meridian Apps also fits clearly into the application architecture circle.

The WLAN market is clearly changing. This is a good thing, as we are moving beyond simply how to get things to work (which is of course still important) to enabling people to be more flexible and satisfied at work. This survey on BYOD and Mobile Security (slide 2) puts the number one benefit of BYOD as greater employee satisfaction and productivity. I would encourage others to shift their focus as well to the bigger picture of what we are doing in this business. We are transforming the way people work, live and play by giving them the tools to be mobile and always connected.

Finding the lazy bees – Aerohive's application visibility and control

This week Aerohive announced their new switch line along with an upgrade of HiveManager and HiveOS to version 6.0. There are other reviews that covered this announcement quite well, including Lee H. Badman over at Network Computing and fellow blogger Tom Hollingsworth. What I would like to comment on in this blog is why I believe the addition of application visibility and control is actually a bigger deal than the announcement of new hardware, important though that is for the mobile enterprise.

As more and more businesses discover that their employees are bringing shiny new mobile devices to work (often it happens to be executives who are the primary people doing this), the IT department discovers it has a problem: it can't easily tell which devices are connected to the WLAN and, more importantly, what those devices are doing. Many enterprises are set up to monitor and filter wired traffic from workstations with web filters, IDS, IPS and the like, but it is common for guest WLANs not to have such strict monitoring. Top of the questions I get asked when talking about the issues around BYOD and mobile devices is what can be done to gain more insight into what mobile devices are doing on the network. Add in that the apps on mobile devices very often just use standard HTTP/HTTPS, and the simple approach of filtering only on ports, protocols and IP addresses becomes very difficult to apply: the traffic that matters and the traffic that doesn't arrive on the same TCP ports 80 and 443.

Deep packet inspection

In order to help their customers solve this issue, Aerohive has added to their OS the ability to inspect packets to discover where a packet is destined and what type of data is flowing across a connection. This type of functionality is commonly referred to as deep packet inspection, but Aerohive, in keeping with their company mantra to Simpli-fi the WLAN, calls it Application Visibility and Control. This perhaps more accurately describes what their customers gain by having this feature added to their Aerohive devices. As I covered in a previous post, I believe that this functionality will eventually make WIPS irrelevant, so I am glad to see more WLAN vendors adding it.
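To show why port-based filtering fails for mobile apps (the point of the paragraph before the heading) and what an application-level classifier looks at instead, here is an added example of my own; it is not Aerohive's implementation or signature database. It extracts the destination hostname from the cleartext metadata that an edge device can actually see without decrypting anything: the `Host` header of an HTTP request and the server_name (SNI) extension of a TLS ClientHello. The flow records, the `Flow` class, the hostname-to-category map and the per-role policy are all constructed for illustration, and the ClientHello builder exists only to produce a well-formed sample packet offline. The practical caveat the example makes visible is that an encrypted flow is classified from where it is going, not from its payload, so a policy only controls what the classifier can name.

```python
"""Application classification of port-80/443 flows from Host / SNI (added example)."""
from dataclasses import dataclass


@dataclass
class Flow:
    client_mac: str
    role: str        # result of authentication, e.g. "guest" or "employee"
    dst_port: int
    payload: bytes   # first client-to-server segment of the TCP stream


def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None


def tls_sni(payload: bytes):
    """Walk a TLS record -> ClientHello -> extensions and return the SNI, or None.

    Every length field is bounds-checked so a truncated or malformed record
    returns None instead of raising (the classifier runs on hostile input)."""
    if len(payload) < 5 or payload[0] != 0x16:          # not a handshake record
        return None
    rec_len = int.from_bytes(payload[3:5], "big")
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                          # client_version + random
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                    # session_id
    if len(body) < p + 2:
        return None
    p += 2 + int.from_bytes(body[p:p + 2], "big")       # cipher_suites
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                    # compression_methods
    if len(body) < p + 2:
        return None
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")  # extensions block
    p += 2
    while p + 4 <= min(end, len(body)):
        etype = int.from_bytes(body[p:p + 2], "big")
        elen = int.from_bytes(body[p + 2:p + 4], "big")
        edata = body[p + 4:p + 4 + elen]
        if etype == 0:                                  # server_name extension
            q = 2                                       # skip server_name_list length
            while q + 3 <= len(edata):
                ntype, nlen = edata[q], int.from_bytes(edata[q + 1:q + 3], "big")
                if ntype == 0:                          # host_name
                    return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        p += 4 + elen
    return None


# Constructed category map standing in for a vendor signature database.
APP_SIGNATURES = {
    "dropbox.com": "file-sharing",
    "facebook.com": "social",
    "lync.example.com": "voice-video",
}
# Constructed per-role policy; anything not listed is allowed.
POLICY = {"guest": {"file-sharing": "deny"}, "employee": {}}


def classify(flow: Flow):
    """Return (hostname, application category) for a flow."""
    host = tls_sni(flow.payload) if flow.payload[:1] == b"\x16" else http_host(flow.payload)
    if host:
        for suffix, category in APP_SIGNATURES.items():
            if host == suffix or host.endswith("." + suffix):
                return host, category
    return host, "unknown"


def enforce(flow: Flow):
    """Application-aware verdict: (verdict, hostname, category)."""
    host, category = classify(flow)
    return POLICY.get(flow.role, {}).get(category, "allow"), host, category


def port_only_verdict(flow: Flow):
    """What a port/protocol ACL sees: web is web, regardless of application."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def build_client_hello(host: str) -> bytes:
    """Build a minimal, well-formed TLS 1.2-style ClientHello carrying an SNI (sample data)."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    ext = b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big") + len(entry).to_bytes(2, "big") + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, zero random, empty session id
            + b"\x00\x02\x13\x01"                      # one cipher suite
            + b"\x01\x00"                              # null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nUser-Agent: x\r\n\r\n"
SAMPLE_TLS = build_client_hello("www.dropbox.com")

if __name__ == "__main__":
    for f in (Flow("aa:bb:cc:00:00:01", "guest", 443, SAMPLE_TLS),
              Flow("aa:bb:cc:00:00:02", "employee", 443, SAMPLE_TLS),
              Flow("aa:bb:cc:00:00:01", "guest", 80, SAMPLE_HTTP)):
        print(f.role, port_only_verdict(f), enforce(f))
```

A port ACL allows all three sample flows; the application-aware path denies the guest's Dropbox upload on 443 while letting the employee's through, and names the Facebook flow on port 80 as "social" so it can be reported or rate-limited later.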

If you look from a much higher level at how much mobile devices and cloud connectivity are changing enterprise IT security, this is really a first major step beyond simply authenticating users, towards control at the individual device level of the data being accessed by users. Many a CIO or CSO is concerned by the collapse of their controlled perimeter, and they know that the only way they can begin to understand what is happening to the different types of data inside their network is to have visibility at the application level of how mobile devices access that data. If you consider that today many employees access that data via the WLAN, Aerohive is providing them with the tools they need to see what is being accessed, by whom and with what types of devices. The next step, being able to control what happens to their data, is built into this release and pushes the control to the edge, exactly where it's needed.

Application Visibility and Control

Managing mobile security

I call this new functionality that is migrating into the WLAN the next generation of WLAN security, as it pushes functionality that has been centralized on IT perimeter firewalls out to the edge of the network, to where devices are accessing it. I recognize, however, that more needs to happen than simply adding this in. Security is a many-layered thing and starts with a thorough mobile device access policy that gives employees clear lines of responsibility for what they do with their devices when they access the WLAN. There also needs to be a solid authentication architecture, which can differentiate authorization of what can be accessed based on user, device and location. Aerohive's Application Visibility and Control gives you the ability to enforce those policies and gain a much greater insight into what is happening on your WLAN than previously. I'm sure that many IT departments will thank Aerohive for giving them better tools to address management concerns about mobile devices.

My take on wireless has always been from a security point of view, and I for one am glad that Aerohive is implementing functionality in their platform to help solve the security problems brought on by the explosion of mobile devices. Aerohive is quite rightly recognized as a lead innovator in the WLAN market, and they are taking steps to maintain that lead and solve their customers' problems in an innovative way. I look forward to seeing what else they have up their sleeves. It's a great time to be in wireless.