A “Virtual Access Point” is a logical entity that exists within a physical Access Point (AP). When a single physical AP supports multiple “Virtual APs”, each Virtual AP appears to stations (STAs) to be an independent physical AP, even though only a single physical AP is present. For example, multiple Virtual APs might exist within a single physical AP, each advertising a distinct SSID and capability set. Alternatively, multiple Virtual APs might advertise the same SSID but a different capability set – allowing access to be provided via Web Portal, WEP, and WPA simultaneously. Where APs are shared by multiple providers, Virtual APs provide each provider with separate authentication and accounting data for their users, as well as diagnostic information, without sharing sensitive management traffic or data between providers.
Virtual APs allow a single provider to offer multiple services, as well as enabling multiple providers to share the same physical infrastructure. Advantages include:
Channel conservation. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs (WISPs). However, in the US and Europe, 802.11b networks can only support three usable channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.
Capital expenditure reduction. Wireless LAN deployment is expensive, and in the current economic environment, raising capital is difficult. In order to provide a better return on the installation and maintenance costs of wireless infrastructure deployment, it is less expensive to build infrastructure and share it among multiple providers, than to build overlapping infrastructure.
Since each Virtual AP is a logically separate entity, providers may use Virtual APs to offer multiple services on the same physical infrastructure.
Example 1: Guest networks. An enterprise customer could use Virtual AP capabilities in order to offer access to guests as well as employees without having to deploy multiple AP networks. One Virtual AP can advertise the “GUEST” SSID, offering access to an Internet VLAN, while another Virtual AP can advertise the “CORPNET” SSID, offering access to the corporate network VLAN.
Virtual APs also allow providers to share the same physical infrastructure, while offering access to distinct networks.
Example 2: Web Portal/WPA transition. A Wireless ISP (WISP) formerly offering Web Portal access might want to add support for WPA. In order to allow both WISP access and WPA to coexist simultaneously, one Virtual AP can advertise the “EXAMPLE” SSID with Open Authentication, while another Virtual AP can advertise the “EXAMPLE” SSID, but with WPA support.
Example 3: WLAN resale. An infrastructure provider can resell access to the WLAN network, allowing each reseller to advertise their own unique set of services. Access could thus be offered via Web Portal, WPA or RSN simultaneously without having to deploy separate networks. For example, one Virtual AP could advertise the “SLOWNET” SSID, offering rates of 1 and 2 Mbps, along with support for a Web portal with open authentication (no WEP). Another Virtual AP could advertise the “FASTWPA” SSID, offering rates of 1, 2, 5.5 and 11 Mbps and support for WPA, while yet another Virtual AP could advertise the “FASTRSN” SSID, offering rates of 1, 2, 5.5 and 11 Mbps and support for RSN. STAs signed up with the SLOWNET service can then associate with that network via the Web Portal, while STAs signed up with the FASTRSN service and supporting RSN can associate with that network. Since the “SLOWNET”, “FASTWPA” and “FASTRSN” Virtual APs coexist within the same physical AP, no additional equipment is needed to enable this.
A Virtual AP is a logical entity that to a STA is indistinguishable from a physical AP residing within the same enclosure. As with all idealizations, a Virtual AP implementation may approximate the ideal behavior to a greater or lesser degree. Virtual and physical AP implementations are compared in Figure 1.
Figure 1. The Virtual AP Concept
In order to provide STAs with the illusion of multiple physical APs within the same enclosure, it is necessary for Virtual APs to emulate the operation of physical APs at the MAC layer. Emulating the operation of a physical AP at the radio frequency layer is typically not possible within a Virtual AP, unless multiple radios are available.
As noted in Figure 1, Virtual APs emulate the MAC layer behavior of physical APs by operating with distinct BSSIDs, SSIDs, capability advertisements and default key sets.
In order to give providers sharing an AP their own distinct authentication and accounting data, as well as diagnostics, it is desirable to provide partial emulation of the IP and Application Layer behavior of physical APs.
At the IP layer, the behavior of distinct physical APs is emulated by allocating a distinct IP address, and potentially a Fully Qualified Domain Name (FQDN) to each Virtual AP.
At the Application Layer, the behavior of distinct physical APs may be emulated by providing each Virtual AP with its own set of SNMPv3 secrets and SNMPv2 communities, RADIUS shared secrets, and Web and telnet login identities.
To provide the desired emulation at the MAC, IP and Application Layers, it is necessary to solve several technical problems:
Multiple SSIDs. In order to support multiple Virtual APs within a single physical AP, it is necessary to define how APs can support multiple SSIDs, and how STAs can discover those SSIDs. This allows each Virtual AP to advertise its own SSID.
Multiple capability advertisements. Since each Virtual AP may wish to offer a different set of services, it is necessary for each Virtual AP to advertise its own set of capabilities. In some cases, this may require the same SSID to be advertised with multiple capability sets.
Multiple VLANs. It is typically desirable to avoid intermixing of traffic from distinct Virtual APs. For example, on an AP shared by the FAA, an airline and a Wireless ISP (WISP), it would be undesirable for a WISP user to be able to snoop on or inject traffic into the FAA network. This can be achieved by allocating a unique VLAN to each Virtual AP. Since each VLAN represents a unique broadcast domain, in order to provide separation, each VLAN requires a unique default key.
Multiple RADIUS configurations. To allow each Virtual AP to be separately configured without affecting other Virtual APs, it is desirable to allow multiple RADIUS configurations, one for each Virtual AP. For example, each Virtual AP might be configured to use a different RADIUS proxy.
Multiple virtual SNMP MIBs. To enable each Virtual AP to be separately managed, it is desirable to provide a unique virtual MIB per Virtual AP. This can be accomplished by allocating each Virtual AP its own IP address, or by use of SNMPv3 context [RFC2975].
Pre-authentication routing. In the Association/Reassociation Request, the STA indicates the SSID it is associating with. Since 802.11 supports authentication prior to association, it is possible for an AP to receive an authentication request prior to association. Since Virtual APs may support multiple authentication models, before responding to a pre-authentication request, it is necessary to determine the SSID (and Virtual AP) to which it is targeted.
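The following Python model is an added illustration, not part of the original document, of the behavior described in Examples 2 and 3 above and of the technical problems just listed. It hosts three Virtual APs in one physical AP (the “EXAMPLE” SSID advertised once with Open Authentication and once with WPA, plus “FASTRSN” with RSN), generates one beacon per Virtual AP, lets a STA choose among beacons by SSID and supported security, and routes received frames to a Virtual AP. The pre-authentication routing problem is resolved here by the destination BSSID, relying on the distinct per-Virtual-AP BSSIDs described with Figure 1; that choice, the invariant that one SSID is never advertised twice with the same capability set, and all BSSIDs, VLAN numbers, keys and RADIUS addresses are constructed for the example.

```python
"""Model of one physical AP hosting several Virtual APs (constructed example).

Not an implementation from the document; BSSIDs, VLANs, keys and RADIUS
addresses below are made up for illustration.
"""
from dataclasses import dataclass

# Security options named in the text, ordered weakest to strongest so a STA can
# prefer the strongest one it supports when one SSID is advertised twice.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "rsn": 3}


@dataclass(frozen=True)
class VirtualAP:
    bssid: str            # distinct per Virtual AP: its MAC-layer identity
    ssid: str             # may be shared with another Virtual AP
    security: str         # "open", "wep", "wpa" or "rsn"
    rates_mbps: tuple     # advertised rate set
    vlan: int             # one VLAN (broadcast domain) per Virtual AP
    default_key: bytes    # per-VLAN default (broadcast) key
    radius_server: str    # per-Virtual-AP RADIUS proxy
    radius_secret: bytes  # per-Virtual-AP RADIUS shared secret


class PhysicalAP:
    def __init__(self, vaps):
        self.by_bssid = {v.bssid: v for v in vaps}
        if len(self.by_bssid) != len(vaps):
            raise ValueError("each Virtual AP needs its own BSSID")
        if len({v.vlan for v in vaps}) != len(vaps):
            raise ValueError("each Virtual AP needs its own VLAN")
        # Model invariant (assumption): the same SSID may be advertised twice,
        # but not with the same capability set, or STAs could not tell the
        # two Virtual APs apart.
        if len({(v.ssid, v.security) for v in vaps}) != len(vaps):
            raise ValueError("same SSID and capability set advertised twice")

    def beacons(self):
        """One beacon per Virtual AP, as a scanning STA would see them."""
        return [{"bssid": v.bssid, "ssid": v.ssid, "security": v.security,
                 "rates": v.rates_mbps} for v in self.by_bssid.values()]

    def route(self, frame):
        """Map a received frame to the Virtual AP it addresses, or None.

        Authentication frames may arrive before association, when no SSID has
        been presented yet.  Because each Virtual AP owns a distinct BSSID, the
        destination BSSID identifies the target without the SSID.  An
        Association Request also carries an SSID, which must agree with the
        one the addressed Virtual AP advertises.
        """
        vap = self.by_bssid.get(frame["bssid"])
        if vap is None:
            return None
        if frame["type"] == "assoc_req" and frame.get("ssid") != vap.ssid:
            return None
        return vap

    def tag_data(self, frame):
        """Return (vlan, payload) for an inbound data frame, or None.

        A frame is only ever placed on the VLAN of the Virtual AP it was
        addressed to, so traffic from one provider's users never enters
        another provider's broadcast domain.
        """
        vap = self.route(frame)
        if vap is None:
            return None
        return (vap.vlan, frame["payload"])

    def radius_for(self, bssid):
        """RADIUS proxy and shared secret for the Virtual AP with this BSSID."""
        vap = self.by_bssid[bssid]
        return (vap.radius_server, vap.radius_secret)


def choose_vap(beacons, subscribed_ssid, supported):
    """STA side: among beacons for the subscribed SSID, pick the one with the
    strongest security the STA supports.  Returns the beacon dict or None."""
    candidates = [b for b in beacons
                  if b["ssid"] == subscribed_ssid and b["security"] in supported]
    if not candidates:
        return None
    return max(candidates, key=lambda b: SECURITY_RANK[b["security"]])


# Constructed deployment: Example 2 (EXAMPLE open + EXAMPLE WPA) alongside the
# FASTRSN Virtual AP of Example 3, all within one physical AP.
AIRPORT_AP = PhysicalAP([
    VirtualAP("02:00:00:00:00:01", "EXAMPLE", "open", (1, 2), 10,
              b"\x00" * 5, "10.0.0.1", b"secret-open"),
    VirtualAP("02:00:00:00:00:02", "EXAMPLE", "wpa", (1, 2, 5.5, 11), 20,
              b"\x11" * 16, "10.0.0.2", b"secret-wpa"),
    VirtualAP("02:00:00:00:00:03", "FASTRSN", "rsn", (1, 2, 5.5, 11), 30,
              b"\x22" * 16, "10.0.0.3", b"secret-rsn"),
])

if __name__ == "__main__":
    for b in AIRPORT_AP.beacons():
        print(b)
    # An Authentication frame that precedes association is routed by BSSID.
    print(AIRPORT_AP.route({"bssid": "02:00:00:00:00:02", "type": "auth"}))
```

A STA that only supports Open Authentication and is subscribed to “EXAMPLE” selects the first Virtual AP; a WPA-capable STA selects the second, even though both beacons carry the same SSID. The `route` method shows why distinct BSSIDs matter for pre-authentication: the AP can pick the right Virtual AP for an Authentication frame before any SSID has been seen, and later rejects an Association Request whose SSID does not match the BSSID it was sent to.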