"All the mathematical sciences are founded on relations between physical laws and laws of numbers, so that the aim of exact science is to reduce the problems of nature to the determination of quantities by operations with numbers."
James C. Maxwell
Given the above guidance from our great wireless pioneer, James C. Maxwell , this app is created to help you to determine as best possible the " numbers" that could help describe the different facets of your network. It is with the hope that with enough of these numbers being obtained, WifiOptimizer can help you to have a better picture of your wireless network and how to optimize it for the best possible performance.
This help page is also aimed at arming you with a minimal understanding of the wireless network technology so that you can make a well guided network design choice whenever needed. A little bit of knowledge could go a long way so please come back to this help page often. That would help you to get familiar with the topics that effect your network.
Comment and Suggestion
Here are the main functions of WifiOptimizer.
You can access to each of the functions provided by WifiOptimizer through touching on the tab having the same name.
RSSI tab : this tab displays the RSSI chart. It shows the signal strength of each of the wireless router. Within the RSSI tab you can select to display either 2.4GHz channels (802.11b/g/n) or 5GHz channels (802.11a/n). If you enable GPS then you can select to display chart according to a location of interest from the location spinner. Figure 1 shows the RSSI chart. The strongest wireless router signals are arranged at the bottom of the chart from left to right.
|Figure 1: RSSI Chart|
SCAN tab: this tab displays the network scan result. Its text display give you much more detailed information of the wireless routers in your neighborhood. You can choose the display to be "Brief" or "Verbo ". There is also an email button provided so that you can share this information with your colleagues.
|Figure 2: Network Scan Result|
RF tab : this tab displays the RF interference chart. It shows the amount of RF interference for each of the channels in your network. It also let you know which is the best channel for you to configure your wireless router to.
|Figure 3: RF Channel Interference|
TRAFFIC tab : this tab displays the chart of WIFI traffic generated by your phone. It shows the amount of data sent and received by your phone. Using this feature you can see what is your network capable of sending and receiving in terms of instantaneous and average throughput.
|Figure 4: Transmit and Receive Throughput|
The WIFI standard is also known as the IEEE 802.11 standard. It encompassed a large number of standards that govern enterprise and home wireless networking. Each different standard is assigned different letter suffix that cover everything from the transmission media and protocol, to standards for security aspects, quality of service and the like. They are listed here for reference and only the most popular ones will be worth of our discussion.
Of these the standards that are most widely known are the network bearer standards, 802.11a, 802.11b, 802.11g and now 802.11n , which are the only ones that we needed to concern ourselves with.
All the 802.11 Wi-Fi standards operate within the ISM (Industrial, Scientific and Medical) frequency bands. These are shared by a variety of other users, but no license is required for operation within these frequencies. This makes them ideal for a general system for widespread use.The first accepted 802.11 WLAN standard was 802.11b and 802.11a, then came 802.11g and finally 802.11n. Table 1 shows the different WIFI standards and their operating characteristics.
|Date of standard approval||July 1999||July 1999||June 2003||Oct 2009|
|Maximum data rate (Mbps)||54||11||54||~600|
|Modulation||OFDM||CCK or DSSS||CCK, DSSS, or OFDM||CCK, DSSS, or OFDM|
|RF Band (GHz)||5||2.4||2.4||2.4 or 5|
|Number of spatial streams||1||1||1||1, 2, 3, or 4|
|Channel width (MHz)
||20||20||20||20, or 40|
Like 802.11b, its predecessor, 802.11g operates in the 2.4 GHz ISM band. It provides a maximum raw data throughput of 54 Mbps, although this translates to a real maximum throughput of just over 24 Mbps.
Although the system is compatible with 802.11b, the presence of an 802.11b participant in a network significantly reduces the speed of a net. In fact it was compatibility issues that took up much of the working time of the IEEE 802.11g committee.
A variety of modulation schemes can be sued by 802.11g. For speeds of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps Orthogonal frequency Division Multiplexing (OFDM) is used, but for 5.5 and 11 Mbps it uses Complementary Code Keying (CCK), and then for 1 and 2 Mbps it uses DBPSK/DQPSK+DSSS.
The maximum range that can be achieved by 802.11g devices is slightly greater than that of those using 802.11b, but the range at which the full 54 Mbps can be achieved is much shorter than the maximum range of an 802.11 device. Only when signal levels and interference levels are low can the maximum specified performance be achieved.
The idea behind the IEEE 802.11n standard was that it would be able to provide much better performance and be able to keep pace with the rapidly growing speeds provided by technologies such as Ethernet. The new 802.11n standard boasts an impressive performance of 248Mbps. The major innovations are summarized below:
Use of MIMO in IEEE 802.11n: MIMO or Multiple Input Multiple Output is a technique that exploits multipath propagation. Normally when a signal is transmitted from A to B the signal will reach the receiving antenna via multiple paths, causing interference. MIMO uses this multipath propagation to increase the data rate by using a technique known as spatial division multiplexing. The data is split into a number of what are termed spatial streams and these are transmitted through separate antennas to corresponding antennas at the receiver. Doubling the number of spatial streams doubles the raw data rate, enabling a far greater utilization of the available bandwidth. The current 802.11n standard allows for up to four spatial streams.
Antenna technology for 802.11n: For 802.11n, the antenna associated technologies have been significantly improved by the introduction of beam forming and diversity.
Beam forming focuses the radio signals directly along the path for the receiving antenna to improve the range and overall performance. A higher signal level and better signal to noise ratio will mean that the full use can be made of the channel.
Diversity uses the multiple antennas available and combines or selects the best subset from a larger number of antennas to obtain the optimum signal conditions. This can be achieved because there are often surplus antennas in a MIMO system. As 802.11n supports any number of antennas between one and four, it is possible that one device may have three antennas while another with which it is communicating will only have two. The supposedly surplus antenna can be used to provide diversity reception or transmission as appropriate.
While 802.11n provides backward compatibility for devices in a net using
earlier versions of 802.11, this adds a significant overhead to any exchanges,
thereby reducing the data transfer capacity. To provide the maximum data
transfer speeds when all devices in the net at to the 802.11n standard, the
backwards compatibility feature can be removed. When earlier devices enter the
net, the backward compatibility overhead and features are re-introduced. As with
802.11g, when earlier devices enter a net, the operation of the whole net is
considerably slowed. Therefore operating a net in 802.11n only mode offers
In view of the features associated with backward compatibility, there are three modes in which an 802.11n wireless router can operate:
There is a total of fourteen channels defined for use by Wi-Fi 802.11 for the 2.4 GHz ISM band. Not all of the channels are allowed in all countries: 11 are allowed by the FCC and used in what is often termed the North American domain, and 13 are allowed in Europe where channels have been defined by ETSI. The WLAN / Wi-Fi channels are spaced 5 MHz apart (with the exception of a 12 MHz spacing between the last two channels).
The 802.11 WLAN standards specify a bandwidth of 22 MHz and a 25 MHz channel separation, although nominal figures for the bandwidth of 20 MHz are often given. The 20 / 22 MHz bandwidth and channel separation of 5 MHz means that adjacent channels overlap and signals on adjacent channels will interfere with each other.
The table given below provides the frequencies for the total of fourteen WLAN / Wi-Fi channels that are available around the globe. Not all of these WLAN / Wi-Fi channels are available for use in all countries.
|CHANNEL NUMBER||LOWER FREQUENCY
The channels used for WiFI are separated by 5 MHz in most cases but have a bandwidth of 22 MHz. As a result channels overlap and it can be seen that it is possible to find a maximum of three non-overlapping channels. Therefore if there are adjacent pieces of WLAN equipment that need to work on non-interfering channels, there is only a possibility of three. There are five combinations of available non overlapping channels are given below:
As some energy spreads out further outside the nominal bandwidth, if only two channels are used, then the further away from each other the better the performance.
is found that when interference exists, the throughput of the system is reduced.
It therefore pays to reduce the levels of interference to improve the overall
performance of the WLAN equipment.
|5.15GHz to 5.35GHz||8 channels (36, 40, 44, 48, 52, 56, 60, 64)||Band is common between US and Europe|
|5.47GHz to 5.725GHz||11 channels (100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140)||Band is common between US and Europe|
|5.725GHz to 5.85GHz||5 channels (149, 153, 157, 161, 165)||Band available in US, Canada, China but not Europe|
In any radio frequency system it is not possible to confine all the energy to a specific bandwidth. Some energy will always be present beyond the bandwidth provided. Instead bandwidths are defined in terms of a spectral mask and the output from any transmitters must fall within the levels defined by the mask.
The 802.11 transmissions have a spectral mask defined as the energy from the transmitter will extend beyond the 22 MHz Wi-Fi channels allocated (i.e. +/- 11 MHz from fc the centre frequency). The spectral mask defines the maximum levels that may emanate from the transmitter over a given spectrum.
At 11 MHz from the centre of the channel, the energy must be 30 dB lower than the maximum signal level, and at 22 MHz away, the energy must be 50 dB below the maximum level. Further away from the centre frequency, the energy levels fall further but some energy is still present and could result in interference on some channels.
Spectral Mask for 2.4GHz and 5.0GHz channels
If you have worked with data security before, may be you would agree that this is the most complex and confusing field that mankind had created. Although the underlying mechanism is mathematically elegant, engineers have came up with too many algorithms, too many procedures and obscure jargons that obfuscate even the most beautiful things in the world. So please take it slowly and have plenty of drinks as you try to go through this section.
Wi-Fi security is defined under IEEE802.11i and popular systems such as WEP, WPA and WPA2 are widely used at home and at work.
Wi-Fi routers advertise their presence by periodically sending out a beacon signal that contains the SSID. This allows prospective users to identify the wireless router and to try to connect to it.
Once detected, it is possible to try to connect to the wireless router, and the Wi-Fi authentication procedure starts. To achieve access, a secret key is generally required.
Since the introduction of Wi-Fi a variety of keys have been used:
The aim for this key was to make wireless networks such as Wi-Fi as safe as wired communications. Unfortunately this form of security did not live up to its name because it was soon hacked, and now there are many open source applications that can easily break into it in a matter of seconds.
In terms of its operation, the Wi-Fi WEP key uses a clear text message sent from the client. This is then encrypted and returned using a pre-shared key.
A WEP comes in different key sizes. The common key lengths are normally 40 or 128 bits.
The security of the WEP system is seriously flawed. Primarily it does not address the issue of key management and this is a primary consideration to any security system. Normally keys are distributed manually or via another secure route. The Wi-Fi WEP system uses shared keys - i.e. the wireless router uses the same key for all clients, and therefore this means that if the key is accessed then all users are compromised. It only takes listening to the returned authentication frames to be able to determine the key.
Still Wi-Fi WEP is better than nothing because not all people listening to a Wi-Fi wireless router will be hackers. It is still widely used and provides some level of security.
In order to provide a workable improvement to the flawed WEP system, the WPA access methodology was created to replace the WEP protocol.
One of the key elements of the WPA scheme is the use of the TKIP - Temporal Key Integrity Protocol. TKIP is part of the IEEE802.11i standard and operates by performing per-packet key mixing with re-keying.
In addition to this the WPA, Wi-Fi Protected Access scheme also provides optional support for AES-CCMP algorithm. This provides a significantly improved level of security.
The WPA2 scheme has now superseded WPA. It implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security.
Certification for WPA2 began in September, 2004 and now it is mandatory for all new devices that bear the Wi-Fi trademark.
The keys for the authentication algorithms (WEP,WPA, or WPA2) that run between the wireless client and the wireless router can be obtained in one of two ways:
1. it is manually entered into the client and the wireless router by the user. This method is also known as pre-shared key (PSK).
2. it is distributed to the wireless client and the wireless router dynamically from an authentication server using the 802.1x protocol.
For home and many small offices, a pre-shared key (PSK) may be used as it is fairly fast and simple to configure. When using PSK, the whole 802.1X authentication process is eliminated. If you configure a PSK for WPA then it is often called "WPA Personal" (WPA-PSK).
For a larger office, especially in the enterprise, it is preferable to use server based authentication method. 802.1x is the security protocol that enable remote authentication. A WPA configuration using server based key management is often called "WPA Enterprise".
The main parts of 802.1x Authentication are:
In a wireless network, 802.1x is used by an wireless router to implement WPA. In order to connect to the wireless router, a wireless client must first be authenticated using WPA. Being a door man, all that the wireless router does is to pass the authentication information between the client and the authentication server - the boss. The authentication server handles the actual verification of the client's credentials. This lets 802.1x support many authentication methods, from simple user name and password, to hardware token, challenge and response, and digital certificates.
802.1x uses EAP (Extensible Authentication Protocol) to facilitate communication from the supplicant to the authenticator and from the authenticator to the authentication server.
This diagram shows the steps of 802.1x and EAP used in authenticating a supplicant:
EAP supports various authentication methods. As a user seeking authentication, you just need to use a method supported by the authentication server. As an administrator, you need to select which methods your server will use.
Key management describes the handshake for generating and exchanging data encryption keys between the authentication server (i.e., the boss) and the client. See Figure 5.
Figure 5: Key management and distribution in 802.11i.
When the client and Authentication Server (AS) authenticate, one of the last messages sent from AS, given that authentication was successful, is a Master Key(MK). After it has been sent, the MK is known only to the client and the AS. The MK is bound to this session between the Client and the AS.
Both the Client and the AS derive a new key, called the Pairwise Master Key (PMK), from the Master Key.
The PMK is then moved from the AS to the wireless router. Only the client and the AS can derive the PMK, else the wireless router could make access-control decisions instead of the AS. The PMK is a fresh symmetric key bound to this session between the client and the wireless router.
PMK and a 4-way handshake are used between the client and the wireless router to derive, bind, and verify a Pairwise Transient Key (PTK). The PTK is a collection of operational keys:
Key Confirmation Key (KCK), as the name implies, is used to prove the posession of the PMK and to bind the PMK to the wireless router.
Key Encryption Key (KEK) is used to distributed the Group Transient Key (GTK). Described below.
Temporal Key 1 & 2 (TK1/TK2) are used for encryption. Usage of TK1 and TK2 is ciphersuite-specific.
See figure for a overview of the Pairwise Key Hierarchy.
The KEK and a 4-way group handshake are then used to send the Group Transient Key (GTK) from the wireless router to the client. The GTK is a shared key among all clients connected to the same wireless router, and is used to secure multicast/broadcast traffic.
Figure PKH: Pairwise Key Hierarchy
The EAP-TLS authentication method and the TLS protected EAP methods based on it - EAP-TTLS and EAP-PEAP - all make use of the Transport Layer Security (TLS) protocol to provide integrity and confidentiality protection.
The underlying TLS protocol is based on the Secure Sockets Layer (SSL) protocol commonly used by web browsers to secure web transactions. Using public key cryptography, communicating parties may authenticate themselves to each other using public key certificates. In web applications, only the server typically has a certificate and authenticates itself to the client so that the user can have confidence that his communication has not been redirected or intercepted by an imposter. In this case, TLS provides unidirectional authentication. But if both parties have certificates, TLS can provide mutual authentication. Following the authentication phase, the two parties use a key agreement protocol such as Diffie-Hellman to derive a session key which is used to authenticate and encrypt messages exchanged during the TLS session.
EAP-TLS uses the TLS public key
certificate authentication mechanism within EAP to provide mutual authentication
of client to server and server to client. With EAP-TLS, both the client
and the server must be assigned a digital certificate signed by a Certificate
Authority (CA) that they both trust.
Features of EAP-TLS include:
The Tunneled TLS EAP method (EAP-TTLS) is very similar to EAP-PEAP in the way that it works and the features that it provides. The difference is that instead of encapsulating EAP messages within TLS, the TLS payload of EAP-TTLS messages consists of a sequence of attributes. By including a RADIUS EAP-Message attribute in the payload, EAP-TTLS can be made to provide the same functionality as EAP-PEAP. If, however, a RADIUS Password or CHAP-Password attribute is encapsulated, EAP-TTLS can protect the legacy authentication mechanisms of RADIUS.
The advantage of this becomes apparent if the EAP-TTLS server is used as a proxy to mediate between an access point and a legacy home RADIUS server. When the EAP-TTLS server forwards RADIUS messages to the home RADIUS server, it encapsulates the attributes protected by EAP-TTLS and inserts them directly into the forwarded message. The EAP-TTLS messages are not forwarded to the home RADIUS server. Thus the legacy authentication mechanisms supported by existing RADIUS severs in the infrastructure can be protected for transmission over wireless LANs.
We shall devote a bit of time describing the EAP-PEAP in a little more details because as we have mentioned before, it offers the best compromise for security and cost of implementation.
Protected EAP (PEAP) adds a TLS layer on top of EAP in the same way as EAP-TLS, but it then uses the resulting TLS session as a carrier to protect other, legacy EAP methods.
The PEAP protocol has two phases. The first phase is to establish a secure tunnel using the EAP-TLS with server authentication. The second phase implements the client authentication based on EAP methods.PEAP Phase 1
Like in regular EAP negotiation, the phase 1 starts when the wireless router sends an EAP-Request/Identity message. Unlike regular EAP where the Client replies with an EAP-Response/Identity message, in PEAP, the client can reply with an anonyous identity, for example email@example.com. The client's real identity is sent in phase 2. It is likely that the client can send its identity partly like user@company_name.com, so that the wireless router can choose a proper authentication server based on company name.
After the client EAP-Response/Identity is forwarded to the Authentication Server using RADIUS by the wireless router, the EAP-TLS starts. The process is same as SSL Connection Setup.
The EAP server becomes aware of the client when it receives RADIUS Access Request message forwarded by the wireless router. The server sends an empty EAP-TLS request with the Start flag set and Type field set to 25 (PEAP); EAP-TLS uses Type=13. Only this message has the Start flag set. The client sends a Client-Hello message containing all the ciphersuites it supports including a Client-Random ID with Session ID set to 0.
The server replies with a Server-Hello message containing a Server-Random ID, a Session ID and the agreed ciphersuite. The server also sends a Certificate including its public key in a Server Certificate message. It can request a client Certificate from the Client. This is followed by a Server Hello Done message and waits for the client to take the next step.
The client in response sends a Client Key Exchange message after computing the pre_master secret. The client generates a random number (48 bytes) which is called the pre-master secret, encrypts it using server's public key and sends to the server. Only the server can decrypt this message as it holds the Private key. Both, client and server, now have the pre-master secret.
The client and the server now generate the Master Session Key (MSK) from the Client-Random ID, Server-RAndom ID and the pre_master secret.
Finally, the server sends an EAP-Success message to complete the EAP Handshake.PEAP Phase 2
Phase 2 begins with an EAP server sending an (optional) EAP-Request/Identity message to the client, protected by the TLS ciphersuite negotiated in phase 1. The client responds with an EAP-Response/Identity message containing its user-id.
The server will then select an authentication method (aka EAP Type like EAP-MD5, EAP-TLS or EAP-MSCHAPv2, etc) for the client, and will send an EAP-Request message with the proposed authentication method. The client can reply with a NAK or accept the authentication method. EAP methods are always encapsulated within EAP Payload TLV.
Before completing negotiation of EAP method, the client and the server must use Crypto Binding TLV. The success or failure of EAP method negotiation is done using EAP Result TLV.
The client and the server now derive the Extended Master Session Key (EMSK) and subsequently the Compound Session Key (CSK). The CSK is 128 bytes which is concatenation of MSK and EMSK. Then the server sends its CSK and the EAP Success message to the wireless router.
The client can then send data to the wireless router using the derived CSK.
Figure 1 - EAP-PEAP Authentication
Please report any problems by mail to firstname.lastname@example.org . Emailing is more helpful for me than reporting them on the market. I am always looking for ways to improve the application so I will study all of your comments and I'll try to work them into the application in the later releases. My aim is to make WifiOptimizer a helpful trouble shooting tool, easy to use so I would appreciate all your suggestions.
Thank you for using Wifi Optimizer.
I appreciate any donation to help fund this work. Thank you.