What to look for when your Corporate Wi-Fi is underperforming

When you hear your office workers complaining that their Wi-Fi is better at home, you know you have a problem. And if they’re using it as an excuse to stay at home when the CEO is trying to get people back to the office, it can become a real hot potato.

So what are the biggest issues that IT people face with Corporate Wi-Fi? And what could be the underlying causes?

We polled Corporate IT people to ask what their biggest concern is. And we put the findings to one of our leading technical experts, Chris Dlugokecki. These are his insights into what the causes might be, based on his vast experience across numerous office, retail, higher education, manufacturing and distribution sites.

What are the biggest Wi-Fi issues?

Our poll on LinkedIn, July 2024, identified your key concerns:

So what’s going on here? And what can you do to fix it? Over to Chris.

Speeds, dropouts and blackouts

“These are probably the biggest challenge because A) they are immediately obvious to users, but B) they can be hard for IT managers to monitor, quantify, isolate and fix.

Let’s take them one by one.

Speed

When people say the Wi-Fi is slow, what they actually mean is that their experience on a specific device is slow. And that may have nothing to do with the Wi-Fi itself.

What you need to understand is how Wi-Fi works.

Wi-Fi is like a walkie-talkie – in the majority of cases, it only handles one conversation at a time. So if the person next to you is using a slow device or there are sub-standard devices on the network, it’s like being stuck behind an old banger on a country road. You might be in a Ferrari, but you can’t use your speed until the Morris Minor in front has pulled off.

Wi-Fi is also inherently resilient. Each device will try to connect at the highest speed first. If that doesn’t work it will try again at a slower speed. So depending on the environment, a user may end up with a slow speed connection, even if the Wi-Fi itself is “capable” of delivering ten times more. Retries like this cause delays, and can be noticeable to users.

Basic speed tests can be misleading

What doesn’t help is that a typical IT web-based speed test measures wireless speed and internet speed together. When Wi-Fi is really slow, there’s a strong probability the wired infrastructure and internet line may be to blame.

There are commands on laptops you can run to see what MCS index a device is broadcasting at, i.e. the speed you are getting to and from a specific Access Point (AP). Beware, these can be misleading. To increase accuracy we can carry out iPerf testing, using a specialist tool to provide active measurements of the maximum achievable bandwidth on any IP network. What we find is that 90% of the time, the client is not capable of the top speeds possible of the AP, the wired network is the bottleneck or congestion on the RF is to blame.

Configuration is key

Whether you have a single office, multiple floors or numerous sites, the key to great Wi-Fi is configuration. And that is highly complicated.

When configuring a controller, the possibilities are endless; but just because there is the option to do something, doesn’t mean that it will help you. When looking at SSIDs some people treat it like a game show: “You get an SSID! You get an SSID! You all get an SSID!!!”

The industry recommends a maximum of 3 SSIDs broadcast in any location, so fine tuning of Wireless LAN configuration is needed to ensure you get what you need, where you need it.

On the RF side, one massive problem is the default ‘Best’ option you’ll find in some RF configuration settings. Many IT people may leave this expecting the AP to take care of settings itself. Although it will use algorithms to calculate the ‘best’ setting, it isn’t perfect – normally far from it. This actually results in uneven wireless networks that may hinder rather than help create a smooth network. Wireless networks that are left to the default settings tend to be those with the most issues.

My advice? Never use the Best button. Get an expert in who understands how to tune for the space, loads and specific usage that is important to you.

Dropouts

Delays in roaming or reauthentication

Dropouts are typically a result of wireless interference, poor signal / configuration or over utilisation of the airwaves, where there is simply too much demand.

What’s going on? Every time you want to respond, even if you’re already on a video or voice call, you effectively join the Wi-Fi queue. We’re back to that road scenario. Imagine you are trying to pull out on a busy road. You might get lucky as you approach the junction and be able to pull out or “talk” straight away. But you might get to that junction and there be a car in your way. You have to wait, hoping that a gap will appear. Here the car is actually another user communicating on the network.

It is possible to prioritise video and voice in settings, but once again there’s always an element of being limited by others already talking, regardless of if they’re your clients or not.

What’s the solution? Typically, we need to look at the RF network and physical environment first and understand what’s causing the problem before we try to solve it. Solutions may be just configuration tweaks; on the rare occasion, it might be that adding another AP will split the load, but this should not be the go-to solution for these kinds of challenges.

Load balancing and hard-roam issues

Another common problem in Corporate Wi-Fi networks is ‘aggressive roaming.’

Your Wi-Fi network may respond to high loads by trying to push users to a less congested AP. Some clients (i.e. devices) don’t like this behaviour from the infrastructure, and it can end with the client being disconnected without a new candidate AP in place, leading to what we call a ‘hard-roam’, where a device is caught unaware between two APs and therefore drops out.

And it doesn’t have to just be in high-density usage. I was once asked to look at a media compound before a major event, where just a few users were having Teams calls dropping out. The reason was that the AP was set-up for automatic client balancing and with just a few devices it was constantly throwing them from one AP to another. The solution there was to turn off automatic client balancing in network settings and allow each device to decide itself. It is important to note that the client (or device) is always the one making the decision about what AP to join.

In another example, we had two related organisations broadcasting the same SSID from two sides of a road, causing a kind of ping pong effect and eventual drop out for people caught in between. The solution? Rename the networks or preferably combine them into one super-network with technologies such as VXLAN.


Blackouts and blackspots

A blackout describes loss of connection. A blackspot describes poor coverage in a specific physical area. Both can be down to poor network design, compromised connectivity, interference or changes in the physical space.

There are generally four things on my mind when investigating blackouts and blackspots:

1. The APs, their positioning and configuration

Firstly, we’ll check the positioning of your Access Points and that they are installed as per the manufacturer guidelines. Think of a Wi-Fi AP like a light bulb. If there’s an obstruction, you won’t get a “light” or signal behind it.

Architects love to hide relatively ugly APs out of sight, behind ceiling panels or in unobtrusive corners, which affects performance. They may have been positioned perfectly to begin with and then obscured by a retrofit A/C unit.

I’ve seen APs hung vertically on a wall like a clock, which is great for the people on the floors above and below or in a staircase but not good for the workers in your office. I’ve even met contractors who have installed APs without realising they need to be connected to an antenna.

Depending on the issue, we may also investigate the hardware/software itself, ensuring it is not being affected by a bug; it may turn out that poor configuration is causing the issue you are experiencing.

2. Changes to the physical space

If you are suffering with temporary dropouts, it might be due to changes in the space, day-by-day.

For example, an AP near a rack in a warehouse will work perfectly until the rack space is filled up with stock. We had a problem in a loading bay that was affecting vital real-time stock systems; that was caused by lorries temporarily blocking sight lines while they were waiting to unload in illegal parking spots.

3. Interference

Some wireless network designers think that the more APs you install the better the Wi-Fi, but this won’t necessarily be the case. If the overlap is too great you can end up with a greater ‘traffic jam’ and the load bearing issues described above.

And outside interference can also play a part. I worked with a customer 10 miles from a busy private airport and they were constantly battling dropouts. I discovered that on certain days, their Wi-Fi was overlapping with the airport radar; protocol demands that Wi-Fi has to immediately change channels when this happens. Why only on certain days? Because there was a lake nearby and it only bounced the airport radar signal off the surface on low cloud days.

4. The wired connection

Unlikely though it may be, physical connections do sometimes get damaged or compromised. For example, the twisted pair in a network cable may have been chewed by rodents, leaving power unaffected but damaging data. Building works, weather ingress, seemingly unrelated maintenance in places like lift shafts can all affect network integrity.

Onboarding guests

Guests are always a fun one. And there are many conflicting arguments over the best way to onboard them.

The balance is always between a nice smooth experience for your guests versus the need for the highest possible security, the need to hold data about who is on your network and to secure written compliance with lawful usage and company policies.

The strategic thinking is that you want to know who owned the device that compromised your network. The counter-argument is that if someone wants to compromise your network, they won’t sign in with bona fide credentials.

To manage this, some corporates and public services use ‘splash portals’, collecting information about each user and requiring them to accept terms and conditions before access is granted. This may meet Infosec demands to meet your Acceptable User Policy (AUP), removing liability for your organisation – but there are downsides. As many of you will know, these pages can be slow, cumbersome and poorly designed, creating a pretty unwelcoming welcome experience.

To get round this, some organisations use a pre-shared key (PSK) across the guest network, so users just get a password and away they go. That can be a much better immediate experience for the user, but it can be hard to tell who is connected to your network.

What’s the solution?

One solution is to work on the user-experience of the splash page. We’re currently working with one of the UK’s biggest landlords to redesign their splash pages to collect the data and permissions they need in a much better visual environment with a much smoother journey.

Another solution, coming to a network near you very soon, will be Open Roaming authentication.

With Open Roaming, anyone joining your guest network is federated by other credential authorities. If someone is logged into Samsung or Apple for example, you can decide to trust that authentication and let them straight in.

But (there’s always a but isn’t there?) this solution hasn’t been publicised to the general public, so people aren’t aware of it. It also needs support, as well as third party integrations, and it comes with a small cost to be part of the eco-system.

A note about iOS 18 devices – coming soon

The latest Mac operating system, iOS 18, currently in Beta, is reportedly going to use revolving MAC addresses. Every couple of hours it changes the device’s MAC address to keep the user identity more secure. Open Roaming will be able to handle this. Other authentication systems are going to need a rethink!

Onboarding devices

As offices and buildings get smarter, more and more devices, like aircon, CCTV, displays, lifts and access sensors are being connected to the network.

It’s amazing how many people connect permanent devices to Wi-Fi when they could be hard-wired and off the Wi-Fi network. The basic principle we adhere to in Smart Building converged network systems (CNS) is: if it doesn’t move, use a wired network.

In the corporate setting, some administrators want to implement pre-shared key networks (like the ones you see at home). Whilst these allow quick access to the network, the key is very easy to share and harder to contain, control or change.

Unfortunately, what makes it worse is that the rotation of passwords just doesn’t happen. To reform a well-known phrase… “A preshared key ends up being for life, not just for Christmas”.

Here at Ideal, we will always recommend a Network Access Control (NAC) based solution for corporate access. Here each user/device will have their own credentials, meaning that the leaking of credentials can be more easily identified and stopped without compromising everyone else’s access.

Generally, Internet of Things (IoT) devices don’t support complex authentication so networks still need to use MAC Authentication Bypass (MAB) to onboard them. Even worse is that they sometimes go ‘silent’, only talking when spoken to. We don’t recommend ever using MAB over wireless; it’s not secure and will create a vulnerability in your network.
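The note on revolving MAC addresses and the NAC recommendation above can be checked against your own records. The following is an added example, not code from the article or from Ideal: it flags MAC allowlist entries that are locally administered (the bit that randomised addresses set) and shows how a session log keyed by MAC splits one device into several, while a log keyed by per-device credential does not. The allowlist, log format and identity names are constructed assumptions.

```python
"""Added example: audit MAC-keyed records for rotating (randomised) addresses."""
from collections import OrderedDict

HEX = "0123456789abcdef"


def normalise(mac: str) -> str:
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in HEX)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomised/private Wi-Fi addresses set this bit; burned-in vendor
    addresses do not.
    """
    first_octet = int(normalise(mac)[:2], 16)
    return bool(first_octet & 0x02)


def audit_allowlist(entries):
    """Return allowlist entries that were enrolled with a randomised MAC.

    These entries stop matching as soon as the device rotates its address.
    """
    return [normalise(m) for m in entries if is_locally_administered(m)]


def macs_per_identity(sessions):
    """Group the MACs seen for each authenticated identity, in order seen."""
    seen = OrderedDict()
    for _timestamp, mac, identity in sessions:
        macs = seen.setdefault(identity, [])
        mac = normalise(mac)
        if mac not in macs:
            macs.append(mac)
    return seen


def rotating_identities(sessions):
    """Identities that appeared under more than one randomised MAC."""
    return {
        identity: macs
        for identity, macs in macs_per_identity(sessions).items()
        if len(macs) > 1 and all(is_locally_administered(m) for m in macs)
    }


# Constructed sample data. 00:00:5e:00:53:xx is the documentation range.
ALLOWLIST = ["00-00-5E-00-53-10", "A6:3C:91:10:22:01", "0000.5e00.5320"]

# (timestamp, client MAC, identity from a per-device credential) - constructed.
SESSIONS = [
    ("2024-07-01T09:00", "00:00:5e:00:53:10", "cctv-lobby"),
    ("2024-07-01T09:05", "a6:3c:91:10:22:01", "alice-phone"),
    ("2024-07-01T11:10", "7e:15:0c:44:9a:02", "alice-phone"),
    ("2024-07-01T13:20", "da:81:f3:07:5b:03", "alice-phone"),
    ("2024-07-01T13:25", "00:00:5e:00:53:11", "bob-laptop"),
]


def summary(sessions):
    """Device count as a MAC-keyed system sees it vs an identity-keyed one."""
    by_mac = len({normalise(mac) for _t, mac, _i in sessions})
    by_identity = len(macs_per_identity(sessions))
    return by_mac, by_identity


if __name__ == "__main__":
    print("allowlist entries that will break on rotation:", audit_allowlist(ALLOWLIST))
    print("devices by MAC vs by identity:", summary(SESSIONS))
    for identity, macs in rotating_identities(SESSIONS).items():
        print(f"{identity} rotated through {len(macs)} addresses: {macs}")
```

A MAC-keyed view counts five devices in the sample log where there are three, which is the gap a per-user or per-device credential closes.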

Capacity to diagnose and fix

If you are having problems with diagnosing and fixing problems on your Corporate Wi-Fi network, please be assured, you are not alone.

Most IT departments are juggling a wide range of responsibilities and Wi-Fi networks are hugely complex to configure, diagnose and fix. So, when your Finance Director tells you poor Wi-Fi signal affected a vital video call with America at 5.30pm last Tuesday, it can be really difficult to isolate data and understand what exactly was going on at that point in time.

Some people deliberately choose network providers that have a simpler front end; others are bolting on AI tools that translate data into more human real text. Even then, interpreting results and understanding what needs to change is a bit of a black art. A great tool we’ve seen in action are wireless sensors, able to probe and connect to the wireless and wired network to give you the ability to analyse how users see the wireless network on the ground, therefore being proactive rather than reactive to challenges.

Taking a holistic approach

When we are invited in to troubleshoot Wi-Fi issues, I would say the rough split is 30% configuration, 30% RF network, 30% user devices and 10% unique to the physicality of the building or the business demands of the organisation.

Of course, we have the best diagnostic tools combined with years of experience across all kinds of customers and devices that enables us to shortcut a lot of these deliberations and get straight to the pain point – so you could call Ideal…

Do you need support with a Wi-Fi issue?

Whether it’s speed issues, dropouts, blackspots or challenges onboarding new users and devices – sometimes all you need is a fresh pair of eyes.

Get a free Q&A session with an Ideal Wi-Fi Specialist.


 
