Bring It Back
As you distribute APs around the building, you need to consider another detail: How do you connect all of the APs to the network backbone? If you plan to place APs in offices or locations that have existing network jacks, you're in good shape. But if the chosen locations are remote from any existing cable run (say, in a drop ceiling), you'll have to make some choices. By far, the most preferable method is to use a physical network connection to tie the APs to the network backbone. But if you want to park the APs in exotic spots, there is another way.
Some higher-end APs are dual-band-capable; that is, they have a 5GHz 802.11a radio signal as well as a 2.4GHz 802.11b/g/n radio signal. You can use a technique called WDS (for "wireless distribution system") over the 5GHz signal as a way to connect to the LAN, while using the 2.4GHz signal for client access. Theoretically, you can do both on a single band; but if you do, overall performance will suffer greatly.
Power to the People
Remember to plan how to get power to the access points. If there's an electrical outlet nearby, no problem. For relatively remote locations, such as in drop ceilings or where a network jack is available but an electrical outlet isn't, you have another option. Power over Ethernet (PoE) provides 48 VDC to the AP over standard copper network cabling. The DC voltage travels over an unused pair in the Ethernet cable, supplied either by a stand-alone PoE injector or by a PoE-enabled Ethernet switch. Either way, PoE makes deploying an AP possible in the absence of a readily available AC outlet.
Once all of your APs are in place, you (or your IT staff) need some way to manage them effectively. If you have a small coverage area and just a handful of APs, managing each access point individually is easy and cost-effective. For deployments that cover multiple floors or whole buildings, a centralized management platform such as a Wireless LAN controller is the way to go.
Wireless LAN controllers are appliances (sometimes built into firewalls or other security devices) that allow you to configure and manage an entire wireless network from a single Web-based user interface. Their job is to push out a common configuration to each AP, thereby eliminating the need to set up each one manually. Some controllers can also automatically change Wi-Fi channels to avoid radio congestion. The primary benefits of using a wireless LAN controller are quick deployment and automatic optimization, without requiring network staff to monitor APs constantly. And when you have dozens or even hundreds of APs to keep track of, you need all the automation you can get.
Another management feature to consider is an AP's ability to classify traffic based on VLAN (virtual LAN) or QoS (quality of service) tagging. Not all APs have these features, which is another reason to stay away from non-business-grade access points. IT can apply a VLAN tag to a specific group of users and segregate the wireless traffic for that group, providing better control over which resources they can access and which are off-limits. For example, VLANs can force all Wi-Fi traffic out to the Internet only or to the corporate Web portal, preventing it from accessing internal file servers. Similarly, a QoS tag can ensure that business-critical traffic such as voice over IP gets the bandwidth it needs, while noncritical traffic such as Internet radio doesn't hog the bandwidth. This approach lets admins classify wireless traffic at the access point, so that they can apply bandwidth management at the source. Managing VLAN assignments and QoS tagging from a wireless LAN controller makes overall administration easier and helps eliminate human error during configuration.
In any wireless network, security should be paramount. Permitting unsecured APs on the enterprise network can give casual users access inside the network. Even for controlled guest access, such as a walled garden, it's still a good idea to require all users to secure their connections by using a passphrase at the encryption level, or at least a username and password at the Web portal. Access points support various encryption algorithms, including WEP, WPA, and WPA2-Enterprise. All are better than no encryption. But unless you have a specific reason for using it, avoid WEP, which is relatively easy to break and is no longer viewed as a secure encryption method.
High-end access points can support more than one SSID (the name of the wireless network), allowing admins to match an SSID to a VLAN. This simplifies the task of placing users in a security profile or even in a specific network. Being able to define multiple SSIDs on an access point allows your IT staff to control how your Wi-Fi network is displayed to the public. For example, one AP can handle secure corporate traffic, while at the same time presenting a public-access SSID that allows only Internet access. By matching SSIDs to VLANs and network access, admins can maintain control over Wi-Fi traffic and users.
That kind of control is the key to a successful Wi-Fi deployment: a secure, high-performing environment, where you can regulate access and usage, while keeping users productive and happy.
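The encryption and SSID-to-VLAN guidance above can be checked mechanically once the AP or controller configuration is exported. The following is an added example, not code from the article or from any vendor: the inventory format, AP names, VLAN numbers and the policy table are all constructed assumptions.

```python
# Added example: audit an SSID inventory against the article's guidance.
# The inventory format and all names below are constructed for illustration;
# they are not any vendor's or controller's export schema.
SSIDS = [
    {"ap": "ap-lobby", "ssid": "Corp", "security": "WPA2-Enterprise", "vlan": 10},
    {"ap": "ap-lobby", "ssid": "Guest", "security": "open", "vlan": 99,
     "portal_login": True},
    {"ap": "ap-floor2", "ssid": "Scanners", "security": "WEP", "vlan": 10},
    {"ap": "ap-floor2", "ssid": "Guest", "security": "WPA", "vlan": None},
    {"ap": "ap-dock", "ssid": "Guest", "security": "open", "vlan": 10},
]
# What each VLAN is allowed to reach (constructed policy).
VLAN_POLICY = {10: {"internal", "internet"}, 99: {"internet"}}
GUEST_SSIDS = {"Guest"}


def audit(ssids, vlan_policy, guest_ssids):
    """Return (location, problem) pairs for every rule an SSID entry breaks."""
    findings = []
    for entry in ssids:
        where = f'{entry["ap"]}/{entry["ssid"]}'
        security = entry["security"].upper()
        # Link security: WEP is flagged outright; an open SSID is accepted
        # only when a Web-portal login stands in for the passphrase.
        if security == "WEP":
            findings.append((where, "WEP in use"))
        elif security == "OPEN" and not entry.get("portal_login"):
            findings.append((where, "open SSID with no portal login"))
        # Segmentation: every SSID must map to a VLAN that has a policy, and
        # guest SSIDs must land on an Internet-only VLAN.
        vlan = entry.get("vlan")
        if vlan is None:
            findings.append((where, "SSID not mapped to a VLAN"))
        elif vlan not in vlan_policy:
            findings.append((where, f"VLAN {vlan} has no access policy"))
        elif entry["ssid"] in guest_ssids and vlan_policy[vlan] != {"internet"}:
            findings.append((where, f"guest SSID on VLAN {vlan} reaches internal hosts"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(SSIDS, VLAN_POLICY, GUEST_SSIDS):
        print(f"{where}: {problem}")
```

Run against a real export on a schedule, a check like this catches the AP that was configured by hand and drifted from the controller's common configuration.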