Imagine 1,000 Wi-Fi users in a conference room or airport connected to a single device and not hearing complaints about their connection speed. That's the heart of the Xirrus XS-3900, a wireless switch with 16 discrete access points encased in a ceiling-mounted housing. The set of integrated access points connected via internal switching aims to give a 2 Gbit/s (full-duplex Gigabit Ethernet ) transmission vehicle for dense Wi-Fi needs.

We tested the XS-3900 and found that it will support more than 1,000 concurrent users, but only if you can spread a majority of 802.11a-capable clients/users with them. We found some very good features, yet some downsides (including one security hole) that concern us.

Giant smoke alarm or UFO?
The XS-3900 is an appliance that looks like an overgrown smoke alarm (even Xirrus uses this analogy) with LEDs that give it an extraterrestrial feel. The unit we tested supports 802.11a/b/g, and needs the 802.11a component because of overlapping channels in 802.11b/g . Four simultaneous 802.11a/b/g access points with dedicated channels are supported, joined to 12 802.11a access points with dedicated channels. The 802.11a access points have antennas with 60-degree dispersion and two layers offset for six channels on each layer. In our tests this gave very good 802.11a coverage. External 802.11a/b/g Wi-Fi antennas can add to the unit's range and coverage, but this wasn't tested.

The four 802.11a/b/g antennas, which have 180-degree dispersion, are overlapped by 90 degrees for additional coverage, and can all share the same Service Set Identifier (SSID) or have independent ones for each band (two total SSIDs). The 16 antennas, when used together, provide a large radial/axial coverage area, with focused high-gain antennas that also push dispersion (the signal) farther than regular access points. The XS-3900 is designed to handle 1,024 users, or 64 users per IAP. In theory, the bandwidth afforded to each user within this context at Gigabit Ethernet rates should yield 128 Mbit/s.

We tested the XS-3900 in a lab and free-air environment, a parking lot. We used a patched version of AirJack on three clients (a Compaq Presario 700US, Toshiba Satellite Portable and IBM ThinkPad 600e), all running a heavily patched version of AirJack under SuSE Linux 9.3 or RH4, to pound user-association spoofs (in a non-testing scenario this would be used as a distributed denial-of-service attack) to test the maximum number of associations.

We used Linksys and Proxim 802.11a/b/g cards (the ThinkPad used 802.11g, while the other two used 802.11a only). We used a Fluke OptiView II portable Windows XP-based unit and AirMagnet software installed on a separate ThinkPad to monitor the associations. We also used the OptiView II to track signal strength and dispersion characteristics in our testing.

Dispersion was tested indoors and in the parking lot, where the XS-3900 was suspended 3 meters in the air. Because the OptiView isn't a calibrated device, our measurements were approximate but consistent.

In the lab, we also used FreeRADIUS and OpenSSL running on a NetFrame 1600 (two Xeon 3.06GHz processors) to test 802.1x and RADIUS proxy authentication. All were configured according to their RFCs.

The lightweight unit (less than10 pounds) is designed for ceilings, but because of its power drain cannot use Power Over Ethernet and needs an AC or DC (different units sold separately) power connection. The LEDs, easily understood by their position, give a visual indication of what's going on, including power status, traffic activity and errors. The unit's power switch, hidden for security reasons, becomes inaccessible when the unit is installed.

The device has two Gigabit Ethernet ports, which can be configured for failover, and a 10/100 Ethernet interface for management. The XS-3900 is designed to connect to a switch port rather than an Ethernet hub, and we found this design helps availability, and to a smaller extent, load-balancing user streams.

We installed the XS-3900 on a switched Gigabit Ethernet network rather quickly. Like most access points, the management Web pages let us assign channels, and give Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) or 802.1X/RADIUS authentication choices.

These choices affect all the channels - you don't get a mix of some channels with one type of authentication and others without. Guest accounts can be created, but are done under the aegis of whatever security method is employed.

Associating clients to the device was speedy. We used 802.1X authentication to emulate a conference room environment, one with 1,024 notebooks logging on at the rate of about 125 per minute. The XS-3900 can take it - the full 1,024 associations with 802.1X. We also clocked a maximum of 1,100 associations, but did not track the impact of all 16 channels loaded with traffic. But we believe the unit can handle its rated user base maximum, since client duty cycles are typically irregular.

However, when we used its integrated RADIUS server, it couldn't take on more than 200 clients in our tests. The unit's RADIUS server is designed for smaller implementations - companies needing a higher user count will likely have RADIUS employed already.

Using 802.11g FTP uploads and downloads on single channels, we were able to max the XS-3900 at 2.35 Mbytes. on the 802.11g channels, and 2.66 Mbyte on the 802.11a channels, which puts the XS-3900 at the top of the speed categories for access points we've tested. We could log on more than the recommended 64 users per channel, but we found that sessions degraded quickly when we did this. The XS-3900 did well in balancing connections across available channels, even through most client/user drivers try to seek the lowest channel number, which fill quickly.

Radio sensitivity is strong in the XS-3900. At distances where data rates normally have fallen back to slower speeds, the XS-3900 had consistently higher transmission rates when we tested the unit in our parking lot (free-air) tests. When all 16 channels are considered, or when 802.11b/g or 802.11a are seen independently, the unit has a very good 360-degree dispersion. This means that if all channels/radios are used, the dispersion characteristics of the XS-3900 are highly desirable and predictable. Channels can be turned on and off (and/or have the power manually adjusted) to correct power reduction or airspace co-channel interference.
Managing the unit

All management and control is done through a Web page or a terminal SSH (or telnet, see below) logon to the unit. The Web page is well organised, though the help screens weren't yet working on the unit we tested (Version 1.1.3). The 16 individual access points can have highly articulate control placed on them.

We liked the Express Setup selection, which lets the unit listen and choose its own channels and power settings relative to its environment. This feature worked around fixed access-point channels very well (for situations where you have a wireless environment and don't want to adjust those channels). The system also used an unusual technique to find the address of our upstream DNS server, rather than the local DNS forwarding device we used. These comparatively sophisticated environmental searches will be a huge aid to DS-3900 installers.

The integrated RADIUS server isn't recommended for large environments, though we could proxy connections easily to an external RADIUS server (FreeRADIUS by OpenSSL). Security support includes WEP (not recommended for security), WPA (with 802.11i-style proxy authentication, TKIP or Pre-Shared Key), and AES. It is possible to use an external linking access control list to permit access by MAC address, though these are easily spoofed and just a basic sort of admittance control.

Our concerns
Incredibly, telnet can be used to manage the unit, and the unit has an easy-to-guess initial password (which can be changed, fortunately). SSH can also be used, but we found no way to turn off telnet access, though each Ethernet connection can have management on its interface disabled entirely, leaving a serial port connection as the only way to manage the device. We'd rather see telnet disabled entirely, because it is so easily cracked.

Second, there are so few 802.11a-capable devices in many environments. Of the four 802.11a/b/g interfaces, only 256 (we estimate a maximum of 300) users can log on without highly degraded experiences. Companies that invest in 802.11a technology will be highly rewarded just by the additional available access provided in the XS-3900.

While the documentation that comes with the XS-3900 was easy to understand, the help screens in the HTML user interface were missing. In addition, owners don't have ready access to the Xirrus Web site support section (at the moment, it's for resellers only), which leaves organisations purchasing the product to rely on the resources of their reseller/service organisation, which might or might not be acceptable.

Henderson is principal researcher for ExtremeLabs in Indianapolis. Laszlo Szenes of ExtremeLabs contributed to this story.


The increase in capacity and its high-density design make the XS-3900 worth its price. With enough 802.11a clients in an environment, we believe companies will benefit from this high-density access-point system, once the security and other concerns are addressed