After all the work of performing a Wi-Fi site survey, running cable to key locations in the building and hooking up your access points (APs), you might be eager to quickly fill the airwaves. However, there are some things you should check just after powering on those new or upgraded APs and before letting users connect to them.
You can never be too careful when it comes to Wi-Fi security and performance, and you don't want to start off by ignoring them. That said, you can follow these tips at any time after you’ve already deployed your Wi-Fi.
1. Secure admin access
Although changing the admin password should be one of the very first things you do when initially configuring any network gear, it can be overlooked. You don't want a curious or ill-willed user to bring up the web GUI and get admin access by looking up the default password online.
After powering on each AP, double-check that the default password doesn't work and that you have replaced it with a strong one. Visit the web GUI of each AP and log in. Even if you're using a central wireless controller, each AP may have its own web GUI, so you should double-check every AP individually.
Consider blocking access to the web GUI of the APs and other network components from the Wi-Fi. I especially recommend doing this on any guest Wi-Fi network, which may be accessible by anyone nearby. Blocking the admin interface from wireless users can prevent curious users from even attempting to get into the equipment.
Some APs have a setting specifically for controlling access to the admin interface, for instance, a control that lets you designate the IP addresses of the devices that can access the web GUI. This setting is often found with other admin GUI management settings or in the VLAN settings so you can enable the admin access separately for each VLAN. For APs that don't offer a setting like that, check your router's documentation on how to create a firewall rule to block access to the admin GUI from certain subnets or VLANs.
2. Evaluate performance with speed tests
It's also a good idea to run internet speed tests from each AP and each SSID to measure download and upload speeds between end-user devices and the internet. This can help verify bandwidth limits you've imposed, such as on the guest SSID, or perhaps find limits that you accidentally imposed on the private network. A web-based test such as Ookla's Speedtest.net is a good option.
You'll also want to run local speed tests to verify performance of the wireless network. Consider using a tool like Nuts About Nets' NetStress or TotuSoft's LAN Speed Test to evaluate the Wi-Fi performance. Again, I suggest running these local speed tests from each AP and each SSID. If you don't achieve the wireless speeds you want, check out 9 tips for speeding up your business Wi-Fi.
3. Double-check SSIDs
To enable seamless roaming between APs for connected devices, you've probably set all the APs to broadcast the same SSID. If you're using a wireless controller to centrally manage all the APs, the SSIDs and other settings are most likely uniform across the APs. However, if you're manually configuring the APs, mistakes can easily happen. In this case, double-check the SSID(s) being broadcast from each AP after plugging them in. Remember, SSIDs are case sensitive, so make sure they're named exactly the same.
4. Check the VLANs of each SSID
If a network is configured with multiple virtual LANs and SSIDs, it is possible to misconfigure a setting on the router, switch, or AP. For instance, even if you assign each SSID to a single VLAN, the VLAN tagging could be misconfigured, accidentally opening up private VLANs to a guest VLAN. Thus, while you're testing each AP to ensure that it's operational, consider going a step further by verifying that the VLANs are properly configured.
After installing each AP, connect to each SSID and make sure the end-user devices are assigned an IP address of that particular VLAN. To ensure the inter-VLAN routing setting isn't accidentally enabled or the firewall rules misconfigured--either of which could allow users to access other VLANs--do some pinging between end-user devices on one VLAN and end-user devices on another.
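One way to script the address and isolation checks in this step, together with the admin-GUI blocking from step 1, as an added example that is not from the original article. The SSID names, subnets, target addresses and function names are constructed placeholders, and the ping flags assume a Linux test laptop.

```python
import ipaddress
import socket
import subprocess

# Constructed plan: SSID names, subnets and targets are placeholders.
# A port of None means "ping this host"; a number means "try a TCP connect".
PLAN = {
    "Corp":  {"subnet": "10.0.20.0/24", "blocked": [("10.0.99.2", 443)]},
    "Guest": {"subnet": "10.0.30.0/24",
              "blocked": [("10.0.20.15", None), ("10.0.99.2", 443)]},
}

def reachable(host, port=None, timeout=2):
    """Live probe: one ICMP echo (Linux ping flags) or one TCP connect."""
    if port is None:
        cmd = ["ping", "-c", "1", "-W", str(timeout), host]
        try:
            return subprocess.run(cmd, capture_output=True, timeout=timeout + 1).returncode == 0
        except (subprocess.TimeoutExpired, OSError):
            return False
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(ssid, leased_ip, plan=PLAN, probe=reachable):
    """Return a list of findings for a client currently joined to `ssid`."""
    entry = plan[ssid]
    findings = []
    if ipaddress.ip_address(leased_ip) not in ipaddress.ip_network(entry["subnet"]):
        findings.append(f"{ssid}: leased {leased_ip} is outside {entry['subnet']}")
    for host, port in entry["blocked"]:
        if probe(host, port):
            what = "answers ping" if port is None else f"accepts TCP/{port}"
            findings.append(f"{ssid}: {host} {what} but should be blocked")
    return findings

if __name__ == "__main__":
    # Run while joined to the Guest SSID; pass the address the device was given.
    for line in audit("Guest", "10.0.30.57") or ["Guest: no findings"]:
        print(line)
```

Repeat the run from every AP and SSID, since a tagging mistake on one switch port only shows up behind that AP.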
5. Verify coverage
Even though you have done or should have done a Wi-Fi site survey prior to installing your APs, you should verify that Wi-Fi coverage is available everywhere you need it after the install. This could be as simple as walking around with your phone or laptop and looking at the native wireless signal reading of the device in various locations.
For more accurate readings, you can use a free or inexpensive Wi-Fi analyzer app to see the signal levels in the negative dBm values. Better yet, perform a full post-install site survey using professional map-based surveying tools so you can see a heat map or other visualization of the coverage along with other vital data such as signal-to-noise ratio.
Remember, you don’t want to just check overall Wi-Fi coverage and signal strength. You also want to look at the coverage cell of each AP. Having too little or even too much overlap of the individual AP coverage areas can cause issues with overall coverage and roaming. Look at both 2.4 and 5GHz signals and ensure each AP has about 15% to 20% overlap in both bands. You can turn the power levels up and down for either band to adjust coverage in addition to making changes to AP locations if required.
6. Verify proper roaming
After checking the whole network and individual AP coverages, you should ensure roaming is working properly for the wireless devices. For example, you don’t want a wireless device to connect to an AP and stay connected to it if it roams closer to an AP with a much better signal. Although a lot of the roaming is up to the wireless clients, you can adjust AP coverages to help, and some APs allow you to adjust some roaming settings.
For a simple roaming check, you can use a free or inexpensive Wi-Fi analyzer app to walk around with a floorplan of AP locations and their MAC addresses. As you walk around, monitor the AP your device is connected to using the MAC addresses. See how the device roams between the APs and investigate areas where you believe there’s an issue.
For larger networks, it’s best to check roaming with the active-surveying mode of professional map-based surveying tools that can create heatmaps of how roaming was experienced during the survey walk. Most tools can do active and passive surveys at the same time to show how roaming was experienced compared to all the AP cell coverages captured in the passive mode.
7. Double-check channel assignments
Wi-Fi channels are tricky, especially in the crowded 2.4GHz band that has just three usable channels. Although it's tempting to keep the auto-channel feature of the APs enabled and forget about it, I recommend double-checking the auto channels. In some instances, such as when you have neighboring homes or offices with Wi-Fi that could interfere with your network, the auto-channel feature might be the way to go. But even then, I suggest double-checking the assigned channels. I've seen APs make some not-so-smart channel choices.
Whether you're using auto channels or not, you should ensure the APs are set to what looks like the best channels. In the 2.4GHz band, you should try to stick with using channels 1, 6, and 11, as they are the only non-overlapping channels. You don't want the signal ranges of APs set to the same or overlapping channel as another AP, regardless of whether it’s one of yours or on a neighboring network. The 5GHz band can also have overlapping channels, but there are more channels available.
8. Check accessibility by wireless devices
We’ve discussed a couple of ways to double-check performance of APs, but don’t forget about the Wi-Fi clients. Depending on the number and type of wireless devices, you might not be able to check connectivity of them all, but do your best to ensure all are operational right after turning up the new APs. Clients with problems might be discovered later when users complain, but checking just after the AP install and making corrections can avoid productivity issues.
Perhaps start with double-checking the connectivity of wireless devices that are mission critical, and any legacy or unusual clients like those connected to old machines. If users bring their own devices, you might not be able to test them all, but test the ones you can.
9. Double-check exact AP locations
After installing the APs, be sure to label them, write down their locations or mark the spots on a floor plan map, and keep it safely stored away with the other network documentation. For out-of-sight locations, such as above ceiling tiles, perhaps take a photo of the location as well and include notes on how to find it later. This can prevent the headache of tracking down the APs after you've forgotten their locations over time, and it's doubly helpful for someone else if you're not around anymore. Also remember to document any changes to the AP locations in the future.
While you have your eyes on each AP, it’s a good time to consider whether they and their antennas are in the best places to minimize interference. Make sure the AP or antennas aren’t mounted very close to an interference source such as a big light fixture or electrical box. Also look at the antenna orientation if the APs have external antennas to ensure they are placed for best performance, and if the antennas are internal, that the APs are aligned for optimum performance.
10. Ensure physical security
Security is about more than just passwords. You can have the world's best encryption enabled on your Wi-Fi with the longest, most complex password ever invented, yet someone with physical access to the network could bypass it within seconds. For instance, they could wipe out an AP's security simply by inserting a pen tip into its reset button to restore factory defaults. Alternatively, they could plug in their own AP with another password at an open network wall or switch port.
Make sure the APs, cabling, and all other network components are out of reach and ideally out of sight. If there are ceiling tiles in your building, consider putting APs above them where no one will be able to see them. And make sure the other network components such as routers, switches, and wireless controllers are kept in a locked closet or room; you might also consider using a lockable network rack or cabinet.
11. Verify that individual APs are operational
This may seem like a no-brainer, but when installing many APs you can easily overlook issues with individual devices. There is always the possibility of a wiring or configuration mistake that could prevent an AP from working correctly. These single-AP problems may not be so noticeable during general use of the network later on or even during a quick network check after you've installed all the APs, but they might come back to bite you much later, when it will be harder to diagnose the problem.
To avoid this, after plugging in each AP at its mounting location, make sure it powers up, its status lights indicate normal operation, and you get network and Internet connectivity through each individual one you install. Remember to look at the signal level of the AP on the device you're using to test the APs; ensure that you're connected to the correct AP, which should show perfect signal levels. This would also be a good time to ensure the AP is broadcasting the correct Wi-Fi standard (for example 802.11ac or 802.11ax) and security (WPA2 or WPA3).
You can check Wi-Fi channel usage with an Android device or on your laptop with free or inexpensive applications. To learn more about channels, read How to configure Wi-Fi channels for top network performance.
Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity providing a cloud-based Wi-Fi security service, Wi-Fi Surveyors providing RF site surveying, and On Spot Techs providing general IT services.