Building a new network for a K–12 school shares a lot of similarities with building one for enterprise, but when it comes to Wi-Fi, there are likely going to be some differences to consider. K–12 schools have different security needs, content filtering needs per SSID and capacity needs thanks to 1:1 iPad deployments. This week, as we continue our K–12 network overhaul series, I am going to look at Wi-Fi. For K–12 schools, the vast majority of users on the network will be Wi-Fi only. Regardless of whether a school uses iPad, Chromebooks, or Microsoft Surface, classrooms are rarely going to have more than one or two Ethernet jacks. How do you build reliable school Wi-Fi?
About Making The Grade: Every other Saturday, Bradley Chambers publishes a new article about Apple in education. He has been managing Apple devices in an education environment since 2009. Through his experience deploying and managing 100s of Macs and 100s of iPads, Bradley will highlight ways in which Apple’s products work at scale, stories from the trenches of IT management, and ways Apple could improve its products for students.
Building reliable school Wi-Fi: build for capacity
One of the differences between building Wi-Fi for a school vs. a shopping mall, for example, is that capacity is the critical aspect. In a shopping center, one might need to make sure an entire complex is blanketed with Wi-Fi, but each AP might only see a handful of clients due to how the facility is laid out.
In K–12, a single classroom might have 20–30 clients. You might need to design for an AP per classroom, or you might get away with an AP per two classrooms. It’ll just depend on what’s in your walls, how close together your classrooms are, etc. One thing to consider is that 2.4 GHz only has three non-overlapping channels (1, 6, 11), so if you have APs blasting their signal at full strength, you might see co-channel interference.
In my experience, if you have high capacity needs, looking at dual 5 GHz access points makes a lot of financial sense if your devices support 5 GHz. All iPads do, but you’ll have to investigate your device lineup to make sure. While Wi-Fi 5 (802.11ac) was 5 GHz only, Wi-Fi 6 (802.11ax) brings back support to 2.4 GHz. In dense environments, it’s going to be difficult to build around the 2.4 band, though.
One thing to keep in mind is that it’s not just about clients supported per AP, but also the expected throughput of the device. If the content you’re accessing is streaming (vs. downloaded to the device), you’ll need to consider that.
You don’t need ten SSIDs
One of my pet peeves is going into a school and seeing a long list of SSIDs. In my opinion, anything past three is going to cause a slight network impact. This article from 2013 on the Revolution Wi-Fi blog helps explain why:
One of the most commonly cited best practices among Wi-Fi professionals is to limit the number of SSIDs you have configured on your WLAN in order to reduce the amount of overhead on the network and to maintain high performance. But there is not a lot of public data out there to really drive home this point when explaining it to another engineer, management, or a customer. Simply telling someone that they shouldn’t create more than ‘X’ number of SSIDs isn’t very convincing.
If you download the Excel spreadsheet, you’ll be able to run your own numbers. Instead of creating an SSID for student, staff, guest, voice, etc., try to limit it to no more than three, but use your authentication method to assign user profiles to help with the quality of service, access permissions, etc.
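To put rough numbers on the SSID overhead argument, the following is an added example (not from this article or the Revolution Wi-Fi spreadsheet) that estimates how much airtime beacons alone consume. The 300-byte beacon size, the 100 TU beacon interval and the rates shown are assumptions, and contention time (DIFS/backoff) is ignored, so real overhead is somewhat higher.

```python
import math

BEACON_INTERVAL_US = 100 * 1024  # assumed default: 100 TU, 1 TU = 1024 microseconds
BEACON_BYTES = 300               # assumed size; real beacons vary with enabled features


def beacon_airtime_us(rate_mbps, frame_bytes=BEACON_BYTES):
    """Airtime of one beacon in microseconds, excluding contention."""
    if rate_mbps in (1, 2, 5.5, 11):
        # DSSS/CCK (2.4 GHz legacy rates): 192 us long preamble + PLCP header
        return 192 + frame_bytes * 8 / rate_mbps
    # OFDM as used on 5 GHz: 20 us preamble + SIGNAL, then 4 us symbols,
    # each carrying rate_mbps * 4 data bits (6 Mbps -> 24 bits per symbol)
    bits = 16 + frame_bytes * 8 + 6  # SERVICE field + frame + tail bits
    return 20 + 4 * math.ceil(bits / (rate_mbps * 4))


def beacon_overhead(ssids, aps_on_channel, rate_mbps):
    """Fraction of one channel's airtime used by beacons.

    Every SSID on every AP that can be heard on the same channel sends
    its own beacon each interval, so the cost scales with ssids * APs.
    """
    beacons = ssids * aps_on_channel
    used = beacons * beacon_airtime_us(rate_mbps)
    return min(1.0, used / BEACON_INTERVAL_US)


def max_ssids(budget, aps_on_channel, rate_mbps):
    """Largest SSID count that keeps beacon overhead within `budget`."""
    per_ssid = beacon_overhead(1, aps_on_channel, rate_mbps)
    return int(budget / per_ssid)


if __name__ == "__main__":
    # Constructed scenario: three APs audible on the same channel.
    for label, rate in (("2.4 GHz @ 1 Mbps", 1), ("5 GHz @ 6 Mbps", 6)):
        for ssids in (1, 3, 6, 10):
            pct = 100 * beacon_overhead(ssids, 3, rate)
            print(f"{label}: {ssids:2d} SSIDs -> {pct:5.1f}% airtime")
        print(f"{label}: max SSIDs under 10% = {max_ssids(0.10, 3, rate)}")
```

The 2.4 GHz figures are the worst case with the lowest basic rate enabled; raising the minimum basic rate shortens each beacon, but the cost still grows with every extra SSID and every co-channel AP.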
What are your expansion options?
One thing I encourage folks to think through is how their network scales if they need to double the access point count. What happens as your school adds buildings? Does your controller have a maximum it supports? Are you able to manage multiple locations in a single interface? I am not covering specific vendors in this article, but it’s something I stress when giving folks advice on how to build reliable school Wi-Fi.
Another thing to consider is whether you can add new technology right alongside the old. For example, if you have a well-designed and well-performing Wi-Fi 5 network, but you want to add Wi-Fi 6 in your dense areas to ease capacity concerns, are you able to do that with just the cost of the new access points?
Think through user authentication
For home environments, a pre-shared key (PSK) is the standard authentication method. If you want to build reliable school Wi-Fi, you’ll need to look at a better system, though. The only time I’d sign off on using PSK in K–12 is if you are installing a mobile configuration profile using your MDM so no student or staff members need to know the key. While there are still ways to discover it, it’ll be better than giving the key to everyone. One option would be a solution like a unique/private pre-shared key, where each person gets assigned a unique PSK. Another would be to use something like JumpCloud to allow G Suite to act as a RADIUS login.
“One of the most basic needs of IT in K-12, and really all education sectors, is the ability to tightly control access to the WiFi network and internet at large. For security reasons, networks in K-12 need to be distinctly defined: faculty and student, while ensuring that deep content controls are in place. Although it’s easier to gain access to the student wifi, it is important to control what students can access. The faculty network needs to be more secure, to make sure that students and others cannot access sensitive information.” – Greg Keller, Chief Strategy Officer at JumpCloud.
Wrap-up on building reliable school Wi-Fi
These tips are just a few of the things I’ve found helpful over the years. No advice can overcome a bad design, though. If you are building a mission-critical network, you might be well served to bring in a local expert who can do a site survey and help design a network that you know will work in your environment.
Do you have any tips for building reliable school Wi-Fi? Please leave them in the comments so we can all grow together.