In the earlier two parts of this series we looked at the broadband, network hardware and cabling parts of the standards, and in this final part we look at the wireless network aspects.

As with the earlier parts of the standard the wireless network element is broken down into four interrelated topics:

  1. Use the latest approved network standards
  2. Have a fully functional signal throughout the school or college buildings
  3. Have a solution that can centrally manage the wireless network
  4. Install security features to stop unauthorised access

Wi-Fi 6

The standard states that new wireless implementations should be at least Wi-Fi 6, the Wi-Fi Alliance marketing name for the IEEE 802.11ax standard. Access points conforming to it use the 2.4GHz and 5GHz bands and can handle substantial numbers of clients at high data rates. The absolute minimum uplink from the AP to the network switch should therefore be 1Gbps, and in practice many APs offer more, either through multiple 1Gb ports or, in more modern units, 2.5Gbps or 5Gbps ports.

When designing a system it is therefore essential that the switch into which the AP is connected supports those speeds to get the best result. The same applies to power: Wi-Fi 6 APs often need 802.3at (PoE+) or 802.3bt ports rather than basic 802.3af power, so the switch's PoE budget needs checking against the number of APs it will feed.

It is worth noting that wireless network standards are constantly evolving and we are already seeing a newer variant, marketed as Wi-Fi 6E, which adds the 6GHz band to the existing two to further increase performance. At the moment these are premium APs, but over time they will become more prevalent and should probably be considered in high-volume spaces where the number of potential client devices is greatest. That said, this is very much future-proofing the design, as there are only a handful of 6E-capable client devices on the market at present, although this will increase over time.

On the subject of devices, it is worth checking your current devices before implementing a project to deliver Wi-Fi 6. APs that meet the standard are backwards compatible with earlier Wi-Fi standards (usually at least to 802.11n and often further back), which should mean older devices work, but I have seen several examples where those devices needed a firmware update to their wireless hardware before they would connect. Obviously, if they can't connect to Wi-Fi they have to be updated over a wired connection, so it is worth checking this beforehand.

Over and above conformance to Wi-Fi 6, the standard's only other requirement here is that network segmentation and QoS are configured. There is of course another part of the standard that deals more specifically with security.

The time to look at this standard is when the current solution isn't providing sufficient capacity, whether in throughput, coverage or the number of concurrent devices supported, or when a new build is being planned.

There are considerations such as whether the wireless network controller will be a device onsite or a cloud-based system. This may affect whether APs are one-off purchases or subject to annual licence fees. We’ve helped a number of schools and colleges through the design, procurement and implementation of their wireless infrastructure; if we can help you, please get in touch.

The wired and wireless networks, while dependent on one another, do not have to be upgraded at the same time or use the same manufacturer in order to get a good outcome. However, when looking at either area it is worth taking a longer-term view of both, to see whether there are benefits to using a single vendor in terms of management simplicity and to ensure that plans for one do not force a compromise when planning the other. We have recently been involved in projects that take both approaches, all in one go and wired separately from wireless, and can help support any future projects to make sure they go well.

Signal Everywhere

This is without a doubt the vaguest of the standards as it simply states that there should be strong coverage in all areas of the school or college where mobile devices are to be used. This doesn’t give, for example, a number of devices that should be supported.

The standard notes that meeting it could require up to an access point per classroom. Designing wireless networks is however much more complex than this, as too many APs can cause problems of their own (co-channel interference between neighbouring APs on the same channel, and clients flapping between APs), especially as devices will roam across multiple APs during the course of the day.

When planning for the number of devices that may be connected to any given AP it is important to remember that both institutional devices and personal devices may be present. In schools there is often a restriction on the use of personal mobile phones, whereas in colleges they may not be accepted in class but elsewhere in the building they are encouraged. This means that even if not in active use, a phone that is turned on may still be connected to the nearest AP. Therefore in a class with, say, 25 laptops in use there could easily be another 25 devices connected.

The numbers are even more important in open-access areas where large numbers of students may congregate such as dining spaces or self-study areas. The design consideration for these areas is usually between more APs or fewer, higher capacity APs.

Most reputable wireless install companies will be able to provide, usually for free, off-plan heat maps which, while not guaranteed to be wholly accurate, will give sufficient information to use in a procurement exercise. Where the wireless is being installed in existing buildings they can also do onsite surveys, which are much more accurate as they discover real-world barriers to wireless signals such as metalwork, pipes and other elements not clearly visible from a plan. This is however usually a chargeable survey due to the time it takes.

Obviously, in new builds there is no building to survey at the point that the design and procurement of the wireless network element needs to be done (or if there is you are probably way behind where you need to be!) so the off-plan heat map will be the way to go.

The more crucial element here is to make sure that there are sufficient Cat 6A outlets installed in the ceiling spaces to give you flexibility at installation time, and that the install contract includes a post-install site survey to confirm coverage meets the brief. In order to sign off the M&E design you will need to confirm the location of the Cat 6A outlets; however, provided no fixed runs approach the 90m permanent-link limit, longer patch leads can be used to give added flexibility in the placement of each AP, just as long as the fixed run plus the patch leads at either end does not exceed the 100m channel maximum.

The other consideration for wireless design is whether you want to provide a signal outside of the building as well as inside. Or to be more accurate, whether you want to deliberately provide a signal as opposed to having a signal via leakage from the internal APs. This could be useful to extend learning beyond the classroom while still allowing the use of digital technologies.

Central Management

This largely mirrors the requirements on the wired network side to have a single view of the entire wireless network that allows for key elements to be easily and readily accessible. As a minimum the system should:

  • provide active signal management and load balancing of user or device connectivity
  • have tools to configure the wireless access points, monitor performance and provide alerts in the event of failure
  • be scalable and accommodate future higher bandwidth requirements
  • maintain a base configuration that allows the system to be reset to the original state should it be needed

In addition, it should include manufacturer warranty information, and support and licensing arrangements that allow software enhancements and firmware updates to be deployed, preferably automatically.

Depending on the nature of the institution the system can be handled either in-house or via a suitable 3rd-party contract arrangement. Where in-house resources are used, including where this is via a managed service, it is imperative that any new system includes system administrator training to ensure that all aspects of AP deployment, management and security can be actively managed.

When choosing a system it is strongly recommended that you pick one capable of delivering push notifications to support teams via email, Teams or another actively monitored channel, as this allows a more rapid response to any issues arising with APs. These notifications can range from actual faults to bandwidth or capacity concerns, and allow trends to be identified that may point to further investigation being needed.

One very useful feature that is available in a number of central monitoring tools is a historic record of the real-time data that can be replayed. This is critical when reports come in of wireless issues after the fact, for example, if an event is held and the following day a report comes in of wireless problems, looking at the current activity in that area may show no issues, however going back in time to the day and time of the event may well show capacity or bandwidth issues or point to another cause of the reported issue.

Ensuring that the management system meets the needs of the individual organisation is key to any procurement exercise and it is one we are well placed to help with. Please get in touch for more information.

Security

The aim of this requirement is to prevent unauthorised users from gaining access to systems or data while providing secure connectivity to institutional and guest users.

Unlike some other areas of these standards, this one doesn’t give a prescriptive list of things that must be done, although it does reference a number of possible technical areas to consider.

The key with security is to ensure that for regular users there is as easy a way as possible to connect to the wireless network with no loss of performance while at the same time protecting the network from external and unauthorised internal interception.

Wireless is a broadcast medium: anyone within radio range can capture the frames an access point and its clients exchange, and on an open network those frames are unencrypted, so the traffic to and from every connected device can be read. The first critical step is therefore to make sure that you do not operate the network in an open state.

Modern wireless systems support a range of protocols that require users to authenticate to the network before gaining access. It is best practice to use the latest standard, as it uses stronger encryption; at the time of writing that means WPA3. Wi-Fi Protected Access (WPA) is the Wi-Fi Alliance's certification for authenticating and encrypting wireless traffic, and it comes in a Personal flavour (a shared passphrase, which in WPA3 uses SAE rather than the pre-shared key exchange of WPA2) and an Enterprise flavour (per-user credentials or certificates via 802.1X). Any device bearing the Wi-Fi Certified logo (which is most devices) certified after July 2020 must support WPA3. The difference matters on a shared-passphrase network: with WPA2-Personal, anyone who knows the passphrase and captures a client's handshake can decrypt that client's traffic, whereas WPA3-Personal derives a fresh session key that cannot be recovered from the passphrase alone.

However, WPA3 was only certified in 2018, so devices from before then may not support it, and laptops or other mobile devices more than about four years old will need checking to confirm they can be updated; otherwise a compromise will be needed to also support WPA2. While technically possible (most controllers offer a WPA3 "transition" mode that accepts both on one SSID), this is not advised: the older protocol has known, exploitable weaknesses such as the 2017 KRACK key-reinstallation attacks, and a mixed-mode SSID lets an attacker with a rogue AP steer a client down to WPA2 and then attack the passphrase offline. If some WPA2-only devices genuinely cannot be retired, put them on their own SSID and VLAN with the minimum access they need rather than weakening the main network.

WPA3 is the starting point and a range of other measures can be layered over to further enhance security. The standard mentions:

  • access control lists (ACLs)
  • certificate-based authentication (WPA3-Enterprise with 802.1X, typically EAP-TLS; particularly helpful on organisationally managed devices, as the certificate can be preloaded so the device authenticates to the network automatically and the user then signs in with their existing credentials, such as their Active Directory password)
  • virtual local area networks (VLANs)

The standard also references wireless intrusion protection (WIP, more often sold as WIPS), which on some vendors' platforms feeds into the central management system, giving insight into devices that are not recognised and the ability to locate and block rogue access points, including "evil twin" APs that broadcast your SSID from hardware you do not own.
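To make the open/WPA2/WPA3 distinctions above and the rogue-AP check concrete, here is an added example of a small audit script. It is not from the original post, the DfE standard or any vendor's WIPS; it assumes the terse output format of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` on a Linux laptop walked around the site (colon-separated fields, literal colons escaped as `\:`, SECURITY printed as space-separated tokens such as `WPA2 WPA3` or `WPA3 802.1X`, empty for an open network). The scan lines, SSID names, BSSIDs and AP inventory are all constructed for illustration.

```python
"""Audit a Wi-Fi scan for weak security settings and rogue access points.

Added example, not part of the original post or the DfE standard.
Input is assumed to be the terse output of
    nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list
The sample scan, SSIDs, BSSIDs and inventory below are constructed.
"""
import re
from dataclasses import dataclass

# nmcli -t separates fields with ':' and escapes literal colons as '\:'
_FIELD_SPLIT = re.compile(r"(?<!\\):")


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    security: str  # raw nmcli SECURITY column
    signal: int    # percentage, as nmcli prints it


@dataclass(frozen=True)
class Finding:
    kind: str            # "rogue" or "weak"
    ssid: str
    bssid: str
    security_class: str


def parse_nmcli_terse(text: str) -> list[ScanEntry]:
    """Parse `nmcli -t` lines into ScanEntry records, unescaping '\\:'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in _FIELD_SPLIT.split(line)]
        if len(fields) != 4:
            raise ValueError(f"unexpected field count: {line!r}")
        ssid, bssid, security, signal = fields
        entries.append(ScanEntry(ssid, bssid.upper(), security.strip(), int(signal)))
    return entries


def classify_security(security: str) -> str:
    """Map the SECURITY tokens onto the categories discussed in the post."""
    tokens = set(security.split())
    if not tokens:
        return "open"             # no authentication; frames readable by anyone in range
    if "WEP" in tokens:
        return "wep"              # broken; treat as open
    if "WPA1" in tokens:
        return "wpa1"
    if {"WPA2", "WPA3"} <= tokens:
        return "wpa3-transition"  # mixed mode: a client can still be steered to WPA2
    if "WPA3" in tokens:
        return "wpa3"
    if "WPA2" in tokens:
        return "wpa2"
    return "unknown"


def audit(entries, institutional_ssids, inventory_bssids, acceptable=("wpa3",)):
    """Flag institutional SSIDs served by APs outside the inventory (rogue or
    evil-twin candidates) and inventory APs running below the security policy.
    Other SSIDs are ignored: a scan alone cannot tell whether a neighbour's AP
    is plugged into your LAN; that is the controller's WIPS job."""
    findings = []
    for e in entries:
        if e.ssid not in institutional_ssids:
            continue
        cls = classify_security(e.security)
        if e.bssid not in inventory_bssids:
            findings.append(Finding("rogue", e.ssid, e.bssid, cls))
        elif cls not in acceptable:
            findings.append(Finding("weak", e.ssid, e.bssid, cls))
    return findings


# Constructed sample: what a scan might look like in one building.
SAMPLE_SCAN = """\
ExampleCollege-Staff:AA\\:BB\\:CC\\:00\\:01\\:10:WPA3 802.1X:82
ExampleCollege-Staff:AA\\:BB\\:CC\\:00\\:01\\:11:WPA3 802.1X:64
ExampleCollege-Guest:AA\\:BB\\:CC\\:00\\:01\\:12:WPA2 WPA3:80
ExampleCollege-Staff:DE\\:AD\\:BE\\:EF\\:00\\:01:WPA2:71
Corner-Cafe:11\\:22\\:33\\:44\\:55\\:66::40
"""
# Constructed inventory, as exported from the wireless controller.
INSTITUTIONAL_SSIDS = {"ExampleCollege-Staff", "ExampleCollege-Guest"}
INVENTORY_BSSIDS = {"AA:BB:CC:00:01:10", "AA:BB:CC:00:01:11", "AA:BB:CC:00:01:12"}

if __name__ == "__main__":
    for f in audit(parse_nmcli_terse(SAMPLE_SCAN), INSTITUTIONAL_SSIDS, INVENTORY_BSSIDS):
        print(f"{f.kind:5} {f.ssid:22} {f.bssid} {f.security_class}")
```

Run against the sample it reports the guest SSID as weak (transition mode on a managed AP) and the fourth line as rogue: the staff SSID is being broadcast, WPA2-only, from a BSSID the controller has never heard of, which is exactly the evil-twin pattern a WIPS is meant to catch. The script can only see what is in the air, so it complements rather than replaces the controller's wired-side correlation of rogue APs.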

The way that the wireless network is secured should be considered as part of a wider view of the overall wired and wireless network security. Most of the techniques, once connected, are common between both, and in terms of giving the users a seamless experience, having a common set of security configurations in place can help.

As noted earlier, while it is by no means necessary to replace wired and wireless together, and neither is it necessary to use the same manufacturer for both, it is worth teasing out what security measures are important and ensuring that there is a consistent and interoperable set of protocols across the wired and wireless network.

One emerging area is in policy-based security. This leverages many of the security features listed earlier but does so by reference to user and device so that the system adapts the security measures based on who is using the system and what device they are using. Although this comes at a cost from most of the major manufacturers, once configured it does simplify the security picture and makes implementing changes somewhat simpler.

A final area for consideration is whether or not a guest wireless network is needed. Or indeed more than one where you may for example want to offer different experiences to those renting a space to do a one-off activity versus a parent or other guest who you may want to provide a connection to while onsite.

As noted earlier, it would be very bad practice to run an open wireless network, so even guest users need an element of authentication and encryption. You do not, however, want guest access to become an administrative burden for your teams, so think carefully about how guests can connect securely but easily. It is also critical that guest services are isolated from your wider network and only get access to the internet: a separate SSID mapped to its own VLAN, firewall rules that drop traffic from that VLAN to your internal address ranges, and client isolation enabled on the guest SSID so that guests cannot reach each other's devices either.

Furthermore, any guest users must be made aware that their use of the network is subject to your acceptable use policy and that their activities will be monitored in the same way that the activities of your other users are.

Having a robust and secure wireless network can be a challenge but with a little thought upfront, delivering a cost-effective and technically sound solution can be pain-free. We have delivered a number of projects across schools and colleges that meet the technical standards outlined here and would be happy to discuss any requirements you may have. Please get in touch via the form on the homepage.


1 Comment

Cyber Security Standards for Schools and Colleges in Detail – Part One – ITspire · 12/10/2022 at 3:52 pm

[…] and technology standards in schools and colleges there are recommendations for both wired and wireless network developments that include security measures. This standard takes that a step further by […]
