Wireless networking (meetinghouse)
All content on this page is moving to clerksupport.lds.org under the Meetinghouse Technology topic. This page will be deleted at the end of October.
802.11 wireless (Wi-Fi) may be set up in meetinghouses so users can connect to the Internet without having to physically plug in to the network. Wireless is a convenient way for people to connect to a meetinghouse network and offers most of the same benefits of a wired connection. There are two situations where wired connections typically work better and wireless is not recommended: (1) for network devices permanently set up in a fixed location, and (2) for any sort of multimedia, such as webcasting.
Integrated wireless in the new meetinghouse firewall
The new Cisco 881W meetinghouse firewall comes with integrated Wi-Fi which is automatically configured upon installation and activation of the firewall. The SSID will be LDSAccess. The passphrase is mentioned upon successful activation of an 881W firewall or may be obtained by authorized individuals through the GSC. Wireless coverage from the 881W and the 1041N access points mentioned below is often much better than that of typical consumer wireless devices. They are enterprise quality, centrally managed, and they adjust the frequency they use automatically based on their surroundings.
Note: There is not currently a way to disable the 881W wireless temporarily (like for a Webcast). You can contact the GSC to have it disabled long-term, but this should not be used for temporary purposes. This is something that is being worked on, but it is not currently available. Removing the 881W antennas reduces coverage a little, but not as much as you might think.
Extending wireless coverage with the 1041N
available at the same location. Use this picture and instructions for help installing the 1041N. Once everything is plugged in correctly, the 1041 will automatically receive software updates and configuration. It may take up to two hours for this process to complete; however, some international locations have taken as long as 24 hours. The SSID will still be LDSAccess. The passphrase is the same as the one mentioned upon successful activation of an 881W firewall. It may also be obtained by authorized individuals at the GSC. Instructions on how to mount this type of access point and the meaning of the LED status indicators are available from Cisco.
The future of wireless access control in meetinghouses
Though currently wireless access in meetinghouses is controlled by a pre-shared key, we are working towards controlling it by individual LDS account authentication in the future.
Older 802.11 solutions
In buildings where other types of wireless access points have already been set up and are working well, you do not have to rip it all out and replace it with the 1041N's. However, if you do not have any wireless set up and you want it or if you are having unsolvable problems with another wireless solution, we recommend using 1041N's. It is recommended to not mix new wireless (881W and 1041N) with other wireless solutions.
1041N's with older meetinghouse firewalls
1041N's will work with older meetinghouse firewalls, including the ASA or PIX. If connecting a 1041N to an ASA or PIX for the first time, you will have to contact the GSC to do a one-time configuration change to the meetinghouse firewall.
Connecting back to the firewall
You will need to run an Ethernet cable from the firewall to each wireless access point. Before you run cable behind walls or through difficult ceiling spaces, try placing the access points in the selected areas without hiding the cables, and see if the locations yield the signal strength you need.
After you finalize the locations, you can then go to the trouble of running the cable inconspicuously behind walls, through crawl spaces, in attics, and so on. See the section on Wired networking for information on running cables through your meetinghouse.
Note: Newer buildings may already have network cables in appropriate places.
Keep in mind that you always connect the wireless access points through the firewall. If you bypass the firewall, you're operating against the Church's Internet policy.
The 1041N supports 802.11b, 802.11g, and 802.11n. These provide maximum theoretical speeds of 11mbps, 54mbps, and 300mbps, respectively (mbps = megabits per second). Actual throughput (speed) is less than this due to protocol overhead, the number of users sharing the wireless network, and the signal strength (see section Maximizing signal strength).
The 1041N has an antenna configuration of 2x2:2 and operates in single band mode on the 2.4GHz spectrum. The access point has a Power over Ethernet (PoE) enabled gigabit Ethernet RJ-45 port. Because the meetinghouse firewall only has 10/100mbps ports, the bandwidth between wired and wireless devices will be limited to 100mbps. Typical speed for 802.11n devices with two spatial streams is 72-105mbps. Most locations do not have Internet connections that exceed 100mbps, so this limitation will not be noticed.
Adding more ports
The firewall only has a specific number of local area network (LAN) ports available. If you need more ports, you can add a switch to the firewall. A network switch is a device that provides more ports for you to connect network cables to. The switch sits between the wireless access points and the firewall. A 16 port unmanaged switch may be purchased by facilities management groups via LDS eMarket.
Who sets up a wireless meetinghouse network?
Installation is typically a coordinated effort between the facilities management group and the stake technology specialist. Especially when undertaking building modifications (for example, drilling holes through walls), the stake technology specialist must always coordinate with the facility manager to ensure the modifications are appropriate. The stake technology specialist is responsible for ensuring the proper security and management of the wireless network in meetinghouses.
Note: The focus on meetinghouse Internet this year is to get Internet into as many meetinghouses as possible. There is currently no mandate to provide wireless coverage to specific portions of a building. Work with your facilities manager to identify wireless needs; based on their budget and resources, they will determine what can be done and when.
Positioning wireless access points
Before you can position the wireless access points strategically in your meetinghouse, you need to decide where you need wireless Internet access. If you only need wireless access in the clerk and bishop's offices, this poses significantly less work than providing Internet access throughout the entire meetinghouse.
To provide Internet access throughout your meetinghouse, you may need multiple wireless access points. You will need to run network cables from the firewall to each of these wireless access points. Additionally, the wireless access points will need to be plugged into power outlets.
Note: Before you undertake major installation efforts (such as cutting holes in the ceiling or attaching conduits on walls), contact your facility manager to coordinate this effort.
Maximizing signal strength
In positioning the wireless access points, signal strength is a key consideration. The signal strength you obtain from each wireless access point determines the number of wireless access points you need. Greater signal strength means you'll need fewer access points, and poor signal strength means you'll need more access points.
Signal strength is affected by several factors: the strength of the wireless signal generated by the wireless access point, the type and placement of the antenna, the construction materials of your building, and any electrical interference that may be generated by microwave ovens, cordless (but not cellular) phones, electric wiring, other nearby wireless networks, and other interfering devices.
Wireless signals have a harder time traveling through cinderblock, cement, and metal (such as ductwork) than through drywall. For a modern meetinghouse with drywall construction, you'll typically need fewer wireless access points to cover the entire building. Older buildings with plaster walls and ceilings, on the other hand, may have poor wireless coverage because plaster is often installed over wire mesh, which can block signals. In that case, you'll need more wireless access points to cover the building. Additionally, if your meetinghouse is all brick, you may need more access points, better access points, or different antennas (or some combination of the three). If your meetinghouse is smaller than normal in size, you may need fewer access points. But if you have attached buildings that also require Internet access, you may need more. In short, the number of wireless access points you need depends on your building.
Finding the best places for each wireless access point is a matter of trial and error. Some locations will provide more signal strength than others. Experiment by placing the access points in different locations to see what works best for your meetinghouse. In general, if your building has an attic area, try to place your wireless access points there. If there is no attic, look for ledges on the ceiling. This allows the signals to more easily travel over walls and cover more area. You may also be able to "gain" signal strength by replacing the antennas that came with your access point or by buying or making antenna boosters.
While the signal strength indicator (usually in the form of 0-5 "bars") on your computer will give a general idea of signal strength at any given location, there are some free tools available that will give you a much better idea of the wireless signal conditions at your specific location. Metageek provides one such tool, inSSIDer, which is freely distributed as an open source project. This tool (and others like it) not only provides a graphical representation of signal strength in real time (the indicators will fluctuate as you move about the area) but also clearly shows which channels are currently in use by other wireless users in the area (nearby homes or businesses). If you are having poor network communications, a tool such as this may indicate that several wireless networks are competing on the same channel, which should prompt you to change to a new frequency (channel) to avoid interference. This is less of a problem when using the wireless on the 881W and the 1041Ns, as they are "frequency aware" and automatically adjust themselves when needed.
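The channel comparison described above can be done on the rows a survey tool reports. The following is an added example, not part of the original page or of any tool it names: the survey rows are constructed sample data, and the linear overlap weighting is a simplifying assumption. It applies mainly to access points that do not pick their own channel.

```python
# Added example: rank 2.4 GHz channels by interference from neighbouring
# networks. The survey rows are constructed sample data, not a real scan.

CONSTRUCTED_SURVEY = [
    # (ssid, channel, rssi_dbm)
    ("LDSAccess", 6, -48),
    ("NeighborHome", 6, -62),
    ("CoffeeShop", 7, -70),
    ("Office-Guest", 1, -80),
    ("Printer-Setup", 11, -85),
    ("Apartment4B", 4, -67),
]

NON_OVERLAPPING = (1, 6, 11)  # usual non-overlapping 20 MHz channel plan
OVERLAP_SPAN = 4              # 2.4 GHz channels fewer than 5 apart overlap


def dbm_to_mw(rssi_dbm):
    """Convert received signal strength from dBm to milliwatts."""
    return 10 ** (rssi_dbm / 10.0)


def interference(channel, survey, own_ssid):
    """Sum the received power (mW) of foreign networks overlapping `channel`."""
    total = 0.0
    for ssid, ch, rssi in survey:
        if ssid == own_ssid:
            continue  # our own access points are not interference
        distance = abs(ch - channel)
        if distance <= OVERLAP_SPAN:
            # Assumption: full weight on the same channel, linearly less
            # as the channels move apart (a simplification of real overlap).
            weight = 1.0 - distance / (OVERLAP_SPAN + 1)
            total += weight * dbm_to_mw(rssi)
    return total


def rank_channels(survey, own_ssid="LDSAccess", candidates=NON_OVERLAPPING):
    """Return (channel, interference_mw) pairs, quietest channel first."""
    scores = {ch: interference(ch, survey, own_ssid) for ch in candidates}
    return sorted(scores.items(), key=lambda kv: kv[1])


def co_channel_networks(survey, own_ssid="LDSAccess"):
    """List foreign networks sharing a channel with our own access points."""
    own = {ch for ssid, ch, _ in survey if ssid == own_ssid}
    return sorted(s for s, ch, _ in survey if s != own_ssid and ch in own)


if __name__ == "__main__":
    print("competing on our channel:", co_channel_networks(CONSTRUCTED_SURVEY))
    for ch, mw in rank_channels(CONSTRUCTED_SURVEY):
        print("channel %2d  interference %.2e mW" % (ch, mw))
```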
Finding strategic locations
There are several strategic locations for wireless access points:
- Attic Areas
- Side foyers. Placing wireless access points in each side foyer is a good idea because the areas are open and have low impedance to the wireless signal. You can often place the wireless access points on ledges near recessed lighting. This positions the access point away from member visibility and possible harm, but getting power to these ledge places may be problematic. If you can access the foyers through an attic or crawl space, place the wireless access points there.
- Ends of the building. Look for a location to place the access points at the front and back of the meetinghouse. However, avoid placing the wireless access points at the edges of the building, because you'll end up sending signal strength into the parking lot rather than into other areas of the building. Keep the wireless access points about 20 to 30 feet from the back and front of the meetinghouse.
- Clerks offices. You can also place the wireless access point in a clerks office, since clerks may be heavy users of the Internet. Installing an access point near the clerks offices may be an easy win for getting wireless access to clerks, but the signal's reach may be disappointing.
Note: Although you can place wireless access points in clerk's offices, try to place them in a more secure, less-trafficked, locked area.
Wireless network security
Wireless networks pose more security vulnerabilities than wired networks. Since the Church can be a target of attack, make sure you take measures to secure your network.
When your Internet connection is installed, your ISP may provide you with a modem that includes Wi-Fi capability. This wireless access must be disabled, since any wireless connection made directly to the modem would not go through the firewall and would therefore violate the Church Internet connectivity policy.
Commodity wireless access points
If you're using commodity wireless access points, first ensure that the encryption type on your access points is set to WPA or, preferably, WPA2. Second, make sure the network is protected with a strong password. Share this password with those who are authorized to have Internet access. Passwords should be at least 8 characters long and include both numbers and letters. You can check the strength of your password at passwordmeter.com.
While security is important, don't create such an arduous password that no one can remember it. Also keep in mind that you should periodically change the password, such as every several months. A good reminder would be to change your password each time you submit your quarterly report.
In addition to a strong password, turn off the setting in your wireless access point that allows remote management of the device.
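The settings named in this section can be checked together. The following is an added example, not part of the original page: the setting names, both sample configurations and the 92-day rotation window (one quarter) are assumptions, and the entropy figure is only an upper bound that treats every character as randomly chosen.

```python
# Added example: audit a commodity access point's settings against the
# guidance above. Field names and sample configurations are constructed.
import math
import string
from datetime import date

MIN_LEN, WPA_MAX_LEN = 8, 63  # page minimum; WPA/WPA2 passphrase upper limit
ROTATE_DAYS = 92              # assumption: one quarter between changes


def entropy_upper_bound_bits(passphrase):
    """Upper bound in bits, as if every character were chosen at random."""
    pool = 0
    for chars, size in ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                        (string.digits, 10), (string.punctuation, 32)):
        if any(c in chars for c in passphrase):
            pool += size
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_access_point(cfg, today):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    enc = cfg.get("encryption", "").upper()
    if enc not in ("WPA", "WPA2"):
        findings.append("encryption: use WPA or, preferably, WPA2")
    elif enc == "WPA":
        findings.append("encryption: WPA works, WPA2 is preferred")
    pw = cfg.get("passphrase", "")
    if not MIN_LEN <= len(pw) <= WPA_MAX_LEN:
        findings.append("passphrase: length must be 8 to 63 characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        findings.append("passphrase: include both letters and numbers")
    if (today - cfg["passphrase_set"]).days > ROTATE_DAYS:
        findings.append("passphrase: due for its periodic change")
    if cfg.get("remote_management", True):  # a missing setting counts as on
        findings.append("remote management: turn it off")
    return findings


# Constructed sample settings: a weak configuration beside a corrected one.
WEAK = {"encryption": "WEP", "passphrase": "chapel",
        "passphrase_set": date(2023, 1, 10), "remote_management": True}
FIXED = {"encryption": "WPA2", "passphrase": "maple7river42stone",
         "passphrase_set": date(2024, 1, 5), "remote_management": False}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_access_point(cfg, date(2024, 2, 1)),
              "%.0f bits max" % entropy_upper_bound_bits(cfg["passphrase"]))
```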
Meetinghouses with Family History Centers
In many buildings with Family History Centers, the Church has installed wireless networks that typically use Cisco Aironet 1200 Series wireless access points. The installation of these wireless networks was paid for by the Church and generally installed by a contractor hired through the local Facilities Management group. If your meetinghouse already has a Family History Center with a wireless network installed, as most do, you can connect to its network to access the Internet (see 11 Feb 2008 letter for a reference to the authorization). If you have an official Family History Center at your site, you do not currently have wireless set up, and would like to order the Church's wireless access point for your site, please contact the Global Service Center.
Network profiles in Family History Centers
To connect to a Family History Center network, you need to understand a bit about the profiles configured on the wireless access points. The Aironet wireless access points have three possible configuration profiles: moroni, inorom, and LDSAccess. The first two are older profiles that require you to use a Church-issued computer with the Odyssey Client to connect to the Internet. The moroni profile requires that users authenticate with a password that the GSC generates for the specific building; the inorom profile allows users to authenticate with LDS Account (but again requires a Church-issued computer to connect).
Beginning in 2008, the GSC started providing an additional option for connecting to the wireless network: LDSAccess. Upon request, the GSC will download and configure the LDSAccess profile to the wireless access points in Family History Centers. The LDSAccess profile uses WPA security and a passphrase provided to the stake technology specialist. With LDSAccess, members can use their own laptops rather than relying on Church-issued computers or the Odyssey client. The stake technology specialist provides the password to any member who needs Internet access.
LDSAccess is the recommended configuration for the Aironet access points because it allows for more flexible access among a wider range of users. This access may be particularly necessary when conducting training (such as with family history or employment training) that covers techniques about online searching or site navigation. To configure the Aironet wireless access points with the LDSAccess profile, contact the Global Service Center.
Note: Do not confuse LDSAccess with LDS Restricted Access or LDS Extended Access. LDSAccess is a wireless WPA security profile that can be configured on Cisco wireless access points by the GSC to provide wireless connectivity. LDS Restricted Access and LDS Extended Access are filtering profiles that the GSC configures on an ASA firewall to limit the websites users can visit.
Troubleshooting Family History Center networks
The IT Support portion of the Global Service Center can troubleshoot or resolve issues with the Aironet wireless devices or Odyssey Clients (which were installed by Facility Management). A variety of problems have been reported in connecting with the Odyssey Client:
- Not all wireless network adapters work. The Church has supplied Linksys WUSB54G USB network adapters, which generally seem to work.
- When both the moroni profile and LDSAccess profile coexist on the Cisco wireless access point, administrative desktop computers using LANDesk seem to have trouble connecting. To correct the problem, try removing both the moroni profile and the LDSAccess profile, and then add the LDSAccess profile back to the wireless access point.
Wireless networks in field offices
Field offices refer to non-meetinghouse locations where Church employees work, such as Facility Management offices, Employment Centers, Distribution Centers, Deseret Industries, LDS Family Services, Mission Offices, Institutes, Seminaries, Temple Patron housing, Welfare Service Centers, Visitors Centers, and Temple President Housing.
In many of these locations, wireless networks have already been set up. These wireless networks often consist of the Cisco Aironet wireless access points. If a wireless access point in a Type 3 location fails, contact the Global Service Center. You may need to verify whether the failure stems from the wireless access point or the firewall. To determine the failure point, connect a laptop directly to the firewall. If the laptop has network access, the issue is with the wireless access point, not the firewall. You can also have the GSC troubleshoot the problem by requesting that they ping the firewall to determine its status.