Best enterprise office solution?

Noobie in a bit of hot spot right now and seeking help:
Moved to a new big office building and the Ubiquiti gear we had before is really sucking hard. The office has decided to change the whole on-premises AC+AP solution and is looking for a better alternative very very soon so we can have a whole meeting without somebody dropping off all the time.
Our new building is around 9000sqt, with a lot of creative workers that use Mac computers inside. Right now it is about 100 ppl but eventually it should support around 300ppl. Which enterprise solution would be the best in consideration of mesh wifi and secure AC with auto blacklist function that is not Cisco?

1 Like

Ensure all desks have wired access, buy USB NICs / docks for employees who dock laptops - do wired 802.1x. So that they’re not on wifi when at their desks.

For laptops, only when they’re on the go, have separate corp 5GHz only 40MHz wide networks - so that you can have a ton of independent access - protect with 802.1x.

For your employee phones, steer them towards a guest network that doesn’t overlap channels with your laptop wifi.


If you don’t have staff to dedicate to maintaining wifi for 300 people (estimating at least 2 people half-time dedicated to wifi only, not wired network, not network accounts, not anything else); if you don’t have that staff you’ll probably want to outsource to an MSP. If I had to guess the MSP will most likely pick either Ubiquiti, or Ruckus or Aruba. Since for 300 people you’ll probably have 50-100 APs.

8 Likes

Cisco ISE or Aruba something something. Can not remember.
Those two neatly integrate into other systems, and are the only two I am aware of that I would call “enterprise grade”. The rest is a lot of sticking things together-work.

Edit: Searching about, this came up: https://www.packetfence.org, may be interesting.

I think LANCOM also offers RADIUS functionality, you are paying for that “Made in Germany” though!
Then again, running an entire network on LANCOM and R&S gear should be pretty neat. :thinking:


MAC based network authentication is not something you want to rely on. Certificate based authentication is the ONLY acceptable way to go (as is WPA2-Enterprise, you are not a lemonade stand!)

This! Nothing more reliable than wired.
Having an Edge-Switch sitting on a shelf as cold spare in case one dies and core/distro switches should be redundant anyway.

Read as: What @risk said!


I briefly dabbled with MikroTik and FreeRADIUS, was complete overkill for use at home though. Setup went fairly smoothly (given the users were Me, Myself and I)…


Do not even attempt Mesh in a setting of a hundred clients (or more likely, 3 per employee = 300) hitting a mesh.
Slap access points on the ceilings/pillars/etc. and run them to a switch via cable. Maximum with really good (= pricey) APs is 60-ish clients (depending on workload).

Edit: A setup like that is easier to manage and troubleshoot. Most known networking gear manufacturers have this figured out, so pick what works/worked for you.

5 Likes

I’m going to go against @MazeFrame and @risk on this point. I think you are generally right, but with USB-C laptops that are not Macs, I’ve had TERRIBLE luck with Ethernet via docks and USB-C adapters.

At home I’ve got a very recent XPS-13 and it’s 50/50 if it will actually connect and work via a USB-C to Ethernet adapter. But my Ruckus WAPs work 100% of the time.

For the 3 times I’ve ever gone into the office to work, the first 45 minutes is me screwing around with the ethernet adapter to get it to work. Worse, it sometimes “Connects” but doesn’t pass traffic, so it doesn’t fall back to wireless, and you just have no network. Or, an hour into working it just drops all traffic

I’ve tried maybe 5 different adapters on around 10 different laptops since USB-C started becoming popular, and I’ve never had a good experience apart from on my Macbook which just works 100% of the time with no issues

At home, my work laptop sits with an unplugged USB-C to Ethernet adapter next to it, because I’ve given up.

If I were going to be the one supporting the users, I’d highly consider a really nice enterprise wireless setup and call it a day

You mentioned mesh wifi in the post, don’t do it. Every AP should have a drop to it. Of course some will fall back onto mesh, which is nice

2 Likes

Have had zero issues with ethernet via docks, displays sure but not eth. Maybe your stuff is cursed?

If this company is 300 ppl they probably all use similar gear and could just get an adapter that is known good if there really are that many usb → eth adapter issues.

4 Likes

Supporting a fleet roughly the initial size OP mentioned, I can say there is one in ten USB-adapter related hiccups.
And of those troublemakers, the majority is due to MAC-randomization (fuck that! Seriously! The bastard at [brand] thinking: “Let’s just roll out this update with this enabled” needs to be trialed at Den Haag!) :rage:

However, the docking stations, there is one that causes grief. Still troubleshooting that one, no clue what makes it different from all the others in daily use. :angry:

You need both anyway. For the volume of traffic moving towards one central point (either SAN/NAS or internet), mesh is a PITA with a “traditional” WAP&wired backbone being less pain. And it still will be pain since your wireless controller has to handle everyone showing up within half an hour and then proceed to read news online.

The advantage of having most traffic on wired is that your management and meeting rooms can hog bandwidth from wireless without affecting productivity or vice versa.
I don’t think it would be acceptable to have a switch sitting in the open on the conference table :upside_down_face:

2 Likes

They make conference tables with flip up keystone + power connectors in it :slight_smile:

3 Likes

May not be a bad idea then. Provide Wireless and Wired in the conference rooms in case a video conference with a customer can not go wrong.

4 Likes

Yeah it’s nice to put an HDMI in those to the projector / tv etc. less wireless shit to deal with

3 Likes

Used to have 70 employees in a big open space and had 4x Ubiquiti AC Pro 5 APs for the laptops, 2x AC Pro 5s for the guest network and in the separate half of the building with 4 small meeting rooms and the kitchen, another AC Pro for laptop network and another one for guest network. Yes, for 70 people, we had 5x APs for work and 3 for guest / phone network.

Nobody ever complained about dropped connections. The controller for the laptop network was a VM with 4 GB of RAM and 2 cores, while the guest one was a RPi 4 2GB version. Both were using the same 1Gbps dual WAN (BGP) connection, but the guest network was a guest VLAN (duh!). And all APs were wired through the ceiling with cat6.

While this is nice in theory, nobody used the wired connection in our office, because it was an annoyance to plug both power, HDMI and Ethernet. And we had about 15 USB to Ethernet adapters for very few laptops that did not have Ethernet. They worked fine, but people didn’t use them, because wifi was good enough.

I would say that if we invested (way more money) into monitors with docks that had everything built-in and gave everyone new laptops with only USB-C, it would have made a big difference in using the damn wired connection! Just connect the type-c which has power, display and network and you’re gold.


Bonus points for my old network. We were mostly using 5GHz, but everyone also had 2.4GHz wireless USB mice, yet the 2.4GHz band was still very usable for the people with slightly older laptops. And that was besides all the other 2.4GHz networks all around us (it was an area with lots of office spaces and last I remember, there were at least 20 other wifis around when I did a wifi analysis on my phone).

Kinda sad we downsized the office after covid, we moved to the city downtown, had a 20 people max office, just 1 AP with the same VM on an intel i5 haswell NUC running proxmox. But the company saved a boatload of money on rent and finally we colocated our servers in a proper data center (although the basement data room had 5 racks, of which only about 4 were filled up, with 3 AC units and a generator - too bad we had to give up on our proliant micro-servers, although good riddance!).

4 Likes

I’d like to thank you for all the advice you guys have given me, I feel this community is very welcoming and helpful.
I originally had and presented the identical idea as @risk replied to our CTO, he wasn’t gonna go for it, probably too used to using wifi. But now he is finally loosening up a little and going to implement wired connections as a backup to all the office rooms.
As for wifi, I’m still contacting a few of the third party enterprise solutions, I think if he knows how much it’s gonna cost for assessment, mapping, APs… He’ll probably compromise to not wifi our whole building with it.

2 Likes

I like TP-Link as a mid enterprise solution over UniFi. Mesh is not going to work given the space and number of clients.

I will agree that you need a standard dock that is already plugged into power, network and monitor to train people to use wired.

I would go out and buy a bunch of different solutions and pick the most reliable.

https://www.amazon.com/Dell-Thunderbolt-Docking-Station-Delivery/dp/B07V867LW4/ref=asc_df_B07V867LW4?

I have a dock like this, I leave network, KVM, audio, and power in it at all times and then just plug my laptop into it via thunderbolt which powers and charges.

It means I have 1 cable and I’m done.

3 Likes

Right now for enterprise wifi the best solution is “what can I get inside of 12 months”.

I’ve had lead times quoted ranging from 90 to 550 days for procurement in recent months.

Be sure to get lead time estimates before you buy, and it may be worth getting a wifi expert to help see if there are any fixable issues with what you have. Because new enterprise wifi gear is hard to get right now. 3-12 months depending on vendor.

1 Like