9 things to check after installing wireless access points
By Eric Geier (Our Owner & Lead Wi-Fi Consultant)
Originally published on ComputerWorld
After all the work of performing a Wi-Fi site survey, running cable to key locations in the building and hooking up your access points, you might be eager to quickly fill the airwaves. However, there are some things you should check just after powering on those new or upgraded APs and before letting users connect to them.
You can never be too careful when it comes to Wi-Fi security and performance, and you don't want to start off by ignoring them. That said, you can follow these tips at any time.
1. Verify that individual APs are operational
This may seem like a no-brainer, but when installing many APs you can easily overlook issues with individual devices. There is always the possibility of a wiring or configuration mistake that could prevent an AP from working correctly. These single-AP problems may not be so noticeable during general use of the network later on or even during a quick network check after you've installed all the APs, but they might come back to bite you much later, when it will be harder to diagnose the problem.
To avoid this, after plugging in each AP at its mounting location, make sure it powers up, its status lights indicate normal operation, and you get network and Internet connectivity through each individual one you install. Remember to look at the signal level of the AP on the device you're using to test the APs; ensure that you're connected to the correct AP, which should show perfect signal levels.
2. Check the VLANs of each SSID
If a network is configured with multiple virtual LANs and SSIDs, it is possible to misconfigure a setting on the router, switch or AP. For instance, even if you assign each SSID to a single VLAN, the VLAN tagging could be misconfigured, accidentally opening up private VLANs to a guest VLAN. Thus, while you're testing each AP to ensure that it's operational, consider going a step further by verifying that the VLANs are properly configured.
After installing each AP, connect to each SSID and make sure the end-user devices are assigned an IP address of that particular VLAN. To ensure the inter-VLAN routing setting isn't accidentally enabled or the firewall rules misconfigured, either of which could allow users to access other VLANs, do some pinging between end-user devices on one VLAN and end-user devices on another VLAN.
3. Double-check the SSIDs
To enable seamless roaming between APs for connected devices, you've probably set each AP to broadcast the same SSID(s). If you're using a wireless controller to centrally manage all the APs, the SSIDs and other settings are most likely uniform across the APs. However, if you're manually configuring each AP individually, mistakes can easily happen. In this case, I strongly recommend double-checking the SSID(s) being broadcast from each AP after plugging them in. Remember, SSIDs are case sensitive, so make sure they're named exactly the same.
4. Verify wireless coverage
Even though you have—or should have—done a Wi-Fi site survey prior to installing your APs, you should verify that Wi-Fi coverage is available everywhere you need it after the install. This could be as simple as walking around with your phone or laptop and looking at the native wireless signal reading of the device in various locations.
For more accurate readings, you can use a free or inexpensive Wi-Fi analyzer app to see the signal levels in the negative dBm values. Better yet, perform a full post-install site survey using professional map-based surveying tools so you can see a heat map or other visualization of the coverage along with collecting other vital data such as the signal-to-noise-ratio.
5. Double-check channel assignments
Wi-Fi channels are tricky, especially in the crowded 2.4GHz band that has a measly three usable channels. Although it's tempting to keep the auto-channel feature of the APs enabled and forget about it, I recommend double-checking the auto channels. In some instances, such as when you have neighboring homes or offices with Wi-Fi that could interfere with your network, the auto-channel feature might be the way to go. But even then I suggest double-checking the assigned channels; I've seen APs choose some not-so-smart channels.
You can check Wi-Fi channel usage with an Android device or on your laptop with free or inexpensive applications. To learn more about channels, read How to configure Wi-Fi channels for top network performance.
6. Consider the physical security of APs and the network
Security is about more than just passwords. You can have the world's best encryption enabled on your Wi-Fi with the longest, most complex password ever invented, yet someone with physical access to the network could bypass it within seconds. For instance, they could wipe out an AP's security simply by inserting a pen tip into its reset button to restore factory defaults. Alternatively, they could plug in their own AP with another password at an open network wall or switch port.
Make sure the APs, cabling and all other network components are out of reach and ideally out of sight of the public and even employees. If there are false ceiling tiles in your building, consider putting APs above them where no one will be able to see them, instead of mounting the APs below the ceiling or on walls. And make sure the other network components such as routers, switches and wireless controllers are kept in a locked closet or room; you might also consider using a lockable network rack or cabinet.
7. Run speed tests to evaluate performance
It's also a good idea to run some internet speed tests while connected to each AP and each SSID, which would give you the download and upload speeds between the end-user devices and the internet. This can help verify any bandwidth limits you've imposed, such as on the guest SSID, or perhaps find limits that you accidentally imposed on the private network. A web-based test such as Ookla's Speedtest.net is a good option.
You'll also want to run local speed tests to verify the performance of the wireless network. Consider using a tool like Nuts About Nets' NetStress or TotuSoft's LAN Speed Test to evaluate the Wi-Fi performance. Again, I suggest running these local speed tests from each AP and each SSID. If you don't see the wireless speeds you want or need, check out 9 tips for speeding up your business Wi-Fi.
8. Note exact AP locations
After installing multiple APs, be sure to label the APs, write down their locations or mark the spots on a floor plan map, and keep it safely stored away with the other network documentation. For out-of-sight locations, such as above ceiling tiles, perhaps take a photo of the location as well. This can prevent the headache of tracking down the APs after you've forgotten their locations over time, and it's doubly helpful for someone else if you're not around anymore. Also remember to document any changes to the AP locations in the future.
9. Make sure that admin access is secured
Although changing the admin password should be one of the very first things you do when initially configuring any piece of network gear, it can certainly be forgotten or ignored. You don't want a curious or ill-willed user to bring up the web GUI and get admin access to your APs by looking up the default password online.
Just after powering on each AP, double-check that the default password doesn't work and that you have imposed a strong password instead. Visit the web GUI of each AP and log in. Even if you're using a central wireless controller, each AP may have its own web GUI, so even in this case you should double-check every AP individually.
In addition to changing the default password, consider blocking access to the web GUI of the APs (and other network components) from the Wi-Fi after you're all done with the install. I especially recommend doing this on any guest Wi-Fi network, which may be accessible by anyone nearby. Blocking the admin interface from wireless users can help prevent those curious users from even attempting to get into the equipment.
Some APs have a setting specifically for controlling access to the admin interface—for instance, a control that lets you designate the IP addresses of the devices that can access the web GUI. This setting is often found with other admin GUI management settings or in the VLAN settings so you can enable the admin access separately for each VLAN. For APs that don't offer a setting like that, check your router's documentation on how to create a firewall rule to block access to the admin GUI from certain subnets or VLANs.