RE: guest + private wlan



Here is what I do:

- Cisco LAN controller (device that manages lightweight Cisco AP's)
- Cisco Aironets
- TACACS

Configure your employee WLAN (SSID) using WPA2 on the LAN Controller with authentication using TACACS (or any supported authentication protocol: AD, LDAP, etc.). We use TACACS for many networking things and have it using AD for pass-through authentication. When an employee wants to use wireless, they connect to the employee WLAN using NT credentials over WPA2. Configure another WLAN for guests and direct it to a separate VLAN/subnet with just a DSL/Cable modem hanging off of it, no WEP. The Cisco LAN Controller allows an ambassador role to create accounts.

When a guest visits us, the receptionist asks "Will you be requiring Internet access with your laptop while you are here?". If yes, the receptionist logs on to the Cisco LAN Controller with a certain login that only shows her one section to create wifi accounts. She adds a new account with username, password and duration. We have business cards printed for guest access that she fills out and gives to the guest; the card has the username/password and the duration the account is good for. When the guest connects to the guest SSID and browses the web they are presented with a login page, just like you get at a hotel. They enter username and password and then get a popup that gives them some info, like who they are, duration left, etc. They can close it or keep it open, it doesn't matter. They are now on the separate WLAN with only access out the dedicated DSL/Cable internet. It doesn't touch the corporate network. When the duration specified by the receptionist expires, they are booted from the WLAN and need a new password, etc.

This setup works very well. It also allows us to put inline proxies and content filtering on the guest side, and also IDS. It also allows us to use products like Cisco Clean Access (CAS/CAM) for the employee side, and IDS. In order to connect to the employee WLAN, CAS/CAM performs checks on the laptop/computer (AV installed? AV DAT up-to-date? MS patches installed? etc.)

If you want more info about how this was done, email me.

- Nick
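As an added illustration of the guest-side mechanism Nick describes (receptionist-created account with a duration, captive-portal login, session dropped on expiry, guest VLAN reaching only the dedicated uplink), here is a small vendor-neutral model in Python. It is example code written for this thread, not Cisco WLAN Controller code or anything from the poster; the class and function names, the SSID/VLAN policy table, and the sample account are all constructed assumptions.

```python
"""Model of a time-limited guest WLAN account lifecycle.

Added example, not Cisco WLC code.  Everything here (GuestPortal,
SSID_POLICY, the sample account) is a hypothetical construction
that mirrors the receptionist-created-account design from the post.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed SSID -> VLAN policy modelled on the two-WLAN design:
# the guest VLAN only has the dedicated DSL/cable uplink behind it.
SSID_POLICY = {
    "corp-employee": {"vlan": 10, "auth": "wpa2-enterprise",
                      "reach": {"corporate", "internet"}},
    "guest":         {"vlan": 99, "auth": "captive-portal",
                      "reach": {"internet"}},
}

# Constructed reference time for the worked run below.
START = datetime(2008, 1, 14, 9, 0)


def hours(n):
    """Convenience: a timedelta of n hours."""
    return timedelta(hours=n)


@dataclass
class GuestAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    expires_at: datetime


@dataclass
class GuestSession:
    username: str
    client_mac: str
    expires_at: datetime


class GuestPortal:
    """Captive-portal account store: create, log in, expire."""

    def __init__(self):
        self.accounts = {}   # username -> GuestAccount
        self.sessions = {}   # client MAC -> GuestSession

    @staticmethod
    def _hash(salt, password):
        # Store only a salted PBKDF2 hash, never the card's plaintext password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, username, duration_hours, now):
        """Receptionist step: returns the generated password for the card."""
        password = secrets.token_urlsafe(9)
        salt = secrets.token_bytes(16)
        self.accounts[username] = GuestAccount(
            username, salt, self._hash(salt, password), now + hours(duration_hours))
        return password

    def login(self, username, password, client_mac, now):
        """Portal step: returns remaining time on success, None on failure."""
        acct = self.accounts.get(username)
        if acct is None or now >= acct.expires_at:
            return None
        if not hmac.compare_digest(self._hash(acct.salt, password), acct.pw_hash):
            return None
        self.sessions[client_mac] = GuestSession(username, client_mac, acct.expires_at)
        return acct.expires_at - now

    def is_authorised(self, client_mac, now):
        """Whether this client may currently pass the portal."""
        s = self.sessions.get(client_mac)
        return s is not None and now < s.expires_at

    def sweep(self, now):
        """Boot every session whose duration has run out; returns booted MACs."""
        booted = sorted(mac for mac, s in self.sessions.items() if now >= s.expires_at)
        for mac in booted:
            del self.sessions[mac]
        return booted


def can_reach(ssid, destination):
    """Policy check: may a client on this SSID reach the named network?"""
    return destination in SSID_POLICY[ssid]["reach"]


if __name__ == "__main__":
    portal = GuestPortal()
    pw = portal.create_account("visitor01", 4, START)      # 4-hour card
    print("login:", portal.login("visitor01", pw, "00:11:22:33:44:55", START + hours(1)))
    print("booted at +4h:", portal.sweep(START + hours(4)))
    print("guest -> corporate:", can_reach("guest", "corporate"))
```

The session sweep is the piece that turns "duration" into enforcement; a real controller does the same thing by tearing down the client's association, and the VLAN policy table is what keeps an authenticated guest from ever seeing the corporate subnet regardless of portal state.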


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx on behalf of razigarbie@xxxxxxxxx
Sent: Mon 1/14/2008 7:52 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: guest + private wlan

Hi everyone,

I'm in a position where I need to set up a guest WLAN (open for public use) and an employee WLAN that will handle "business data".

Does anyone have any suggestions on what this setup would look like from a secure perspective?

I thought of creating 2 VLANs, one that uses WPA2 encryption while the other one is open (both within the DMZ). Is this good/bad?

// Thanks in advance, boney


