Vendor Neutral WLAN Management: Do Your Research (Updated)
Picking a "vendor neutral" WLAN management system will require careful research and awareness of some tradeoffs.
Editor's Note: This article has been corrected since first running.
Last week, we explained your options for managing wireless networks. One category of wireless management products we identified was "vendor neutral," meaning products that claim to work across a variety of devices. This week, we'll cover two popular and feature-rich products: AirWave from Aruba Networks and WiFi Manager from ManageEngine.
To be clear, these are applications that can manage access points from various vendors; we are not talking about access point controllers. An access point controller, at least as it's commonly understood, refers to a "master" device that controls all other access points on the network. With controllers, you often don't run a full access point firmware on each device; instead, each has enough smarts to boot and get its configuration from the master controller. Next week we will cover a few Cisco products that operate this way.
Vendor neutral management implies that you must be careful to ensure that your access points are supported. For the products we're talking about today, the respective companies list access point compatibility on their product Web pages. With the exception of AirWave, which can manage controllers too, this type of software is often managing full access points, be they Cisco, Proxim, Avaya, or other devices. Each runs its own firmware and traditionally requires an administrator to log in to each unit for configuration. Unified management software essentially logs in automatically (or uses SNMP) to configure the devices.
Centralizing configurations for wireless access points allows administrators to be certain each access point is configured correctly. It is configuration management, for those familiar with the Unix/Linux server world. Wireless management goes much further though, allowing the automation of firmware updates, security monitoring, and even threat elimination.
For any of this to work, the management software must know how each access point works, and it must be programmed specifically for each model of access point. The good news is that both products we're talking about today support a wide array of devices.
In March 2008, Aruba Networks acquired Airwave Wireless to take ownership of the AirWave Wireless Management Suite. The suite includes four main components:
- AirWave Management Platform
- VisualRF Location and Mapping Module
- RAPIDS Rogue Detection Module
- AirWave Master Console & Failover Servers
Together, the components of AirWave compose a full feature set for managing your wireless infrastructure. The Management Platform provides provisioning and configuration automation; the VisualRF module provides monitoring, reporting, and visualization of the WLAN; RAPIDS enables device discovery and policy enforcement; and finally the Master Console provides an interface to it all.
Much of WLAN management centers around security. The potential for abuse is great, and administrators spend most of their time dealing with security problems. Take, for example, a user found to be stealing MAC addresses to hop on the network and execute man-in-the-middle attacks. While AirWave provides many tools for dealing with rogue (unauthorized) access points, it doesn't actively monitor for man-in-the-middle attacks. If, however, you discovered this happening via other mechanisms, the VisualRF module could easily find the physical location of the offending user. Map overlays using Google Maps, combined with device triangulation between all access points that can see the user, mean that a user's physical location can be pinpointed with surprising accuracy.
While AirWave does not publish a list of compatible devices, the company does provide a compatibility matrix to prospective customers on request. We would urge anyone looking at Aruba AirWave to take a careful look, as AirWave Suite's support for certain features will vary from device to device.
Our next vendor makes it a little easier to do your research by publicly publishing a compatibility matrix that illustrates which features work with which devices.
WiFi Manager from ManageEngine takes things one step further in the security department. It can not only detect rogue access points but also knock them offline automatically, either by DDoS or by disabling the switch port they are connected to. WiFi Manager discovers more than just access points: it needs to be given access to all switches and routers as well, so it can trace the physical port location of every MAC address on the network.
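To make the port-tracing idea concrete, here is a short sketch added for this article; it is not WiFi Manager's code or any vendor's. It correlates BSSIDs heard over the air with switch forwarding tables to find the edge port a rogue access point is wired to. The sample data, the function names, and the assumption that an access point's wired MAC sits within a couple of addresses of its BSSID are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: forwarding-table rows (switch, port, learned MAC),
# as a management system might collect them from every switch over SNMP.
FDB = [
    ("sw-core", "Te1/1", "00:11:22:aa:bb:01"),
    ("sw-core", "Te1/1", "00:11:22:aa:bb:02"),
    ("sw-core", "Te1/1", "de:ad:be:ef:00:10"),
    ("sw-core", "Te1/2", "00:11:22:aa:bb:03"),
    ("sw-edge1", "Gi0/1", "00:11:22:aa:bb:01"),
    ("sw-edge1", "Gi0/2", "00:11:22:aa:bb:02"),
    ("sw-edge1", "Gi0/7", "de:ad:be:ef:00:10"),
    ("sw-edge1", "Gi0/24", "00:11:22:aa:bb:03"),  # uplink towards the core
]
AUTHORIZED_APS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"}
OBSERVED_BSSIDS = ["00:11:22:aa:bb:01", "de:ad:be:ef:00:11"]  # heard over the air

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def edge_port(fdb, mac):
    """Pick the port that learned `mac` alongside the fewest other MACs.
    Uplinks and trunks learn many addresses; the access port learns few."""
    per_port = defaultdict(set)
    for switch, port, learned in fdb:
        per_port[(switch, port)].add(learned.lower())
    hits = [(len(macs), key) for key, macs in per_port.items() if mac in macs]
    return min(hits)[1] if hits else None

def locate_rogues(fdb, authorized, observed_bssids, window=2):
    """Map each unauthorized BSSID to (switch, port), or None if not wired in.
    `window` is the assumed maximum gap between a BSSID and its wired MAC."""
    wired = sorted({learned.lower() for _, _, learned in fdb})
    known = [mac_to_int(a) for a in authorized]
    findings = {}
    for bssid in observed_bssids:
        b = mac_to_int(bssid)
        if any(abs(b - k) <= window for k in known):
            continue  # radio belongs to an authorized access point
        match = next((m for m in wired if abs(mac_to_int(m) - b) <= window), None)
        findings[bssid] = edge_port(fdb, match) if match else None
    return findings

if __name__ == "__main__":
    print(locate_rogues(FDB, AUTHORIZED_APS, OBSERVED_BSSIDS))
```

A result of None means the BSSID was heard but has no wired counterpart in the tables, which is typical of a neighbouring network rather than a device plugged into yours.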
Cool features aside, WiFi Manager also does the basics you would expect. It centralizes configurations, allows configuration changes to be pushed out to every device, and can centrally dispatch firmware updates, assuming your access points are fully supported.
The WiFi Manager Web site is up front and honest about which features work with which device. The list is not overly large, but WiFi Manager certainly covers the popular access points used in enterprise deployments.
There are a few features lacking in this product, however, including: user location, mapping integration, and NMS integration. Compliance auditing and similar functions are not advertised, but often companies that advertise these types of features are just providing a simple dump of random data anyway. WiFi Manager seems to focus more on security, and provides all of the expected functions to make centralized access point management a reality.
If our skepticism was not readily apparent, let's spell it out:
These types of solutions rarely work flawlessly. Anyone who has run an NMS with multiple vendors' gear already knows this, and in larger organizations that is likely that person's only job function. It's that bad. If you're yearning for 100 percent compatibility and no surprises, the easy option is to go with central wireless controllers and access points from a single vendor. If you're already looking to replace your entire network, it makes sense to standardize. In this case, vendor lock-in can be a good thing. There is no need to purchase a separate management suite on top of your hardware investment, even if it is the exception (like AirWave) and will likely support all your devices. If you're in a more common budget situation and must support a variety of existing access points, be sure to get the real scoop (and even a trial) from your wireless management vendor.
Next week, we explain how to navigate the huge maze of Cisco access point and wireless controller options.
Since first running, the following corrections have been made:
- Unlike a number of other products in the field, Aruba provides the ability to manage wireless controllers.
- Contrary to our initial report, Aruba AirWave does provide a compatibility matrix to prospective customers on request.