The debate between fat and thin access points shows no sign of coming to an end (indeed, some argue that cheap access points are the way to go). HP is on the fat side of the debate with its 500wl series enterprise access points that can be used as standalone nodes. However, the company's strategy also includes central intelligence on dedicated hardware to control the access points, in the shape of a wireless gateway, the 700wl series. The APs are semi-intelligent, being fully configurable, and the 700wl switch provides authentication, network access and policy enforcement, traffic differentiation based upon user type, and encryption services. There are three models, the 720wl Access Controller, the 740wl Access Control Server and the 760wl which combines the features of the first two in a single device.

Where does the box come from?
[Editor's remarks: Before we go further we must mention that the HP 700 series bears a more than striking resemblance to Vernier's 6500 series wireless gateways. Obviously, HP is reselling the Vernier boxes. Since the terms of their agreement forbid either party from mentioning this fact, and in case lawyers on either side are listening, we worked it out for ourselves, all right? We mention it here because Vernier's strategy is developing along interesting lines. End of editor's remarks.]

What does it do?
The 720wl sits between the wireless APs and the network, working in conjunction with either the 740wl or the 760wl. It uses IPsec, PPTP, L2TP/IPsec, or SSH tunnels to encrypt wireless traffic with DES, 3DES, Blowfish, CAST, or AES, providing user authentication and appropriate access to network resources. All of this is controlled at the edge of the network, since all secure tunnels terminate within the 720wl or the 760wl.

A number of common features apply to all these products. At the heart of the system is rights-based network access control and management. This lets the network manager block all user traffic until the user is authenticated, then allow only the traffic designated by that user's access privileges, so administrators can configure access rights based on user, group, time, and location. The product includes standards-based authentication support for LDAP, Active Directory, 802.1x, RADIUS, Kerberos, and Windows 2000/NT domains. 802.1q VLAN support is also integrated, providing standards-based tagging by user or point of network access. It allows wireless traffic to be placed on separate VLANs, and filters to be applied based on VLAN ID.

Our test environment consisted of an HP 720wl Access Controller, an HP 760wl Integrated Access Manager, and two HP 520wl Access Points fitted with 802.11a PC cards. An HP 2626 Ethernet switch was also used to interconnect the 720wl and 760wl units, each of which was on a separate subnet, with the 54Mbit/s IEEE 802.11a standard being used for the test.

Non-aggressive security
Much is spoken about the security issues with wireless networks and the possibility of “rogue” users gaining access to the network. While it is possible to block access completely, a more flexible method is to set up a basic “guest” access that gives casual users access to the Internet via the wireless LAN while completely blocking access to the internal network, or intranet. This requires simply a DNS redirection. We set up a test login and logon webpage for guest access. Accessing the wireless network via this login resulted in the Internet being accessible but none of the internal network. As a non-aggressive antidote to potential hackers this is an excellent solution.

With the 700wl series you can create multiple user group types and assign individual users to them as necessary. Take the instance of a contractor who needs temporary access to the WLAN. By default, the policy for a generic user group is “All IP”, meaning a user assigned to this group can send traffic to any address on the network. In this case we wanted to restrict the contractor to just those areas of the network they needed to see, so we effectively had an “internal” and an “external” network. A useful option here is the “members of this group do not get implicit user rights” rule, which immediately restricts access for users of this group. You can then specify new rules to create an access policy specific to this group, or even to an individual within a group. In this particular case we allowed the “contractor” group access to just one of the two subnets we had set up on the test network.

For the VPN testing we configured a Windows XP client using PPTP and L2TP/IPsec to secure a VPN connection between the client and the 700 series. We then verified the VPN connections at both the client and access server ends of the network.
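To make the rights-based model concrete, here is a small Python model of the policy decisions just described: traffic is blocked until logon, a group defaults to “All IP”, a guest group is denied the internal subnets, a contractor group with no implicit rights is allowed one subnet only, and each group carries an 802.1q tag. This is an added example, not HP or Vernier code, and every group name, subnet and rule in it is constructed for illustration rather than taken from the product.

```python
"""Toy model of the 700wl-style rights-based access control described above.

Added example, not HP or Vernier code. It models user groups, the default
"All IP" right, the "members of this group do not get implicit user rights"
option, explicit per-group subnet rules and a per-group VLAN tag, and then
decides whether a client's traffic to a destination address is permitted.
Every name, subnet and rule here is constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing: two internal subnets, like the two-subnet test network.
INTERNAL_NETS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]


@dataclass
class Group:
    name: str
    vlan: int                                        # 802.1q tag for this group's traffic
    implicit_rights: bool = True                     # True = the default "All IP" policy
    allow_nets: list = field(default_factory=list)   # explicit allow rules
    deny_nets: list = field(default_factory=list)    # explicit deny rules, checked first


@dataclass
class Client:
    user: str
    group: Group
    authenticated: bool = False


def permitted(client, dst_ip):
    """Return (allowed, reason) for traffic from client to dst_ip."""
    dst = ip_address(dst_ip)
    if not client.authenticated:
        # Everything is blocked until the user has logged on.
        return False, "unauthenticated: traffic blocked pending logon"
    g = client.group
    if any(dst in n for n in g.deny_nets):
        return False, f"{g.name}: explicit deny"
    if any(dst in n for n in g.allow_nets):
        return True, f"{g.name}: explicit allow"
    if g.implicit_rights:
        return True, f"{g.name}: All IP"
    return False, f"{g.name}: no implicit rights and no matching allow rule"


def egress_vlan(client):
    """VLAN tag applied to the client's traffic (None while unauthenticated)."""
    return client.group.vlan if client.authenticated else None


def demo_clients():
    """Three constructed groups: employees, guests and a restricted contractor."""
    employees = Group("employees", vlan=10)
    guests = Group("guests", vlan=20, deny_nets=list(INTERNAL_NETS))      # Internet only
    contractor = Group("contractor", vlan=30, implicit_rights=False,
                       allow_nets=[ip_network("10.1.0.0/24")])           # one subnet only
    return {
        "alice": Client("alice", employees, authenticated=True),
        "visitor": Client("visitor", guests, authenticated=True),
        "bob": Client("bob", contractor, authenticated=True),
        "unknown": Client("unknown", guests, authenticated=False),
    }


if __name__ == "__main__":
    for name, c in demo_clients().items():
        for dst in ("10.1.0.5", "10.2.0.7", "203.0.113.10"):
            ok, why = permitted(c, dst)
            verdict = "ALLOW" if ok else "DENY"
            print(f"{name:8} -> {dst:13} {verdict:5} ({why}) vlan={egress_vlan(c)}")
```

Deny rules are evaluated before allow rules, and the “All IP” default is consulted only after both, which is what makes the “no implicit rights” option a safe starting point: a group with that flag set reaches nothing until an explicit allow rule is written for it.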
The 700 series includes client tracking screens that show all active clients and active sessions at any time, including the number of active sessions per client and the connection and security/encryption type. These are very useful management features given the critical nature of client/session status within a wireless environment.

Solid connectivity
Of all the aspects of wireless networking, the number one priority is connectivity at all times. That connectivity is really put to the test when roaming across WLAN boundaries, in particular between subnets. To test this we placed a 720 Access Controller on one subnet and the 760 as Control Server on a separate subnet, both managed via the 760. Two APs were configured with the same SSID, one attached to the 760 and one to the 720. We then connected a client via one AP and tracked it as we moved the client across the network between subnets. Using simple ping tests, plus confirmation that the client kept its original designated IP address, we checked for continuous connectivity while the client device switched between the two subnets. We also forced a re-association with the second AP by powering down the first. We also roamed physically outside the test lab and were able to wander around 15 metres from the office, connected via 802.11a, before the 50cm thick stone walls of the office limited our transmission range. Throughout the roaming, at no time in the ping test did we encounter more than three successive timeouts before reconnection. With the exception of live voice over IP, this would not have presented any problem to an application, and we were able to maintain our browser sessions without problems.

Conclusion: builds on what you know
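The roaming check above boils down to one number: the longest run of consecutive ping timeouts while the client moves between APs and subnets. The following added example (not from the review or the product) parses saved Windows-style ping output and reports replies, losses, the worst round-trip time and the longest outage, so the "no more than three successive timeouts" criterion can be applied mechanically. The sample output embedded in it is constructed.

```python
"""Summarise a saved ping log from a roaming test.

Added example, not part of the original review. Reads Windows-style ping
output ("Reply from ..." / "Request timed out.") and computes the longest
run of consecutive losses, which is the figure the roaming test cares about.
"""
import re

# Matches "Reply from 10.1.0.1: bytes=32 time=2ms TTL=64" and "time<1ms" variants.
REPLY_RE = re.compile(r"^Reply from (\S+): .*time[=<](\d+)ms", re.IGNORECASE)
LOSS_MARKERS = ("Request timed out.", "Destination host unreachable.")

# Constructed sample: two short outages, the longer one being three probes.
SAMPLE_PING = """\
Pinging 10.1.0.1 with 32 bytes of data:
Reply from 10.1.0.1: bytes=32 time=2ms TTL=64
Reply from 10.1.0.1: bytes=32 time=3ms TTL=64
Request timed out.
Request timed out.
Reply from 10.1.0.1: bytes=32 time=5ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Reply from 10.1.0.1: bytes=32 time=2ms TTL=64
Reply from 10.1.0.1: bytes=32 time<1ms TTL=64
"""


def analyse_ping(text):
    """Return reply/loss counts, worst RTT and the longest consecutive outage."""
    stats = {"replies": 0, "losses": 0, "max_rtt_ms": 0, "longest_outage": 0}
    run = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            stats["replies"] += 1
            stats["max_rtt_ms"] = max(stats["max_rtt_ms"], int(m.group(2)))
            run = 0                          # a reply ends the current outage
        elif line.startswith(LOSS_MARKERS):
            stats["losses"] += 1
            run += 1
            stats["longest_outage"] = max(stats["longest_outage"], run)
        # Header, blank and summary lines are ignored.
    return stats


def roaming_ok(text, max_consecutive=3):
    """True when no outage exceeded max_consecutive probes, the review's threshold."""
    return analyse_ping(text)["longest_outage"] <= max_consecutive


if __name__ == "__main__":
    s = analyse_ping(SAMPLE_PING)
    print(s, "roaming_ok:", roaming_ok(SAMPLE_PING))
```

For a real test, redirect the client's continuous ping into a file while roaming and pass its contents to `analyse_ping`; the tolerable `max_consecutive` depends on the probe interval and the application, which is why the review singles out live voice over IP as the case that would notice a three-probe gap.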
The combination of a regular AP-based WLAN, front-ended by access control devices, means that anyone already familiar with the “fat” AP-oriented wireless LAN methodology need not relearn what they already know but can simply take the 700 series approach and bolt it on to their knowledge base. Flexibility is good, and the HP solution doesn’t force you down one single path. In all areas of access control – for example, authentication and VPNs – there is plenty of choice as a result of widespread support for different standards and protocols.


If you already have a non-HP WLAN setup and are interested in the 700wl it may be that your existing APs will work with the access controllers. Or compare the whole solution with a fully-switched alternative.