
cisco wireless access point security question 4


JacobTechy (Programmer), Apr 14, 2005
I have a Cisco Wireless Access Point which I would like to configure for both employee and guest access, to avoid the guest accessing our network files. I was told by Cisco that I would need to create VLANs, which means I have to configure the HP switch port for this also. However, I have tested the wireless AP with a guest laptop using just one secret key, and when the guest tries to access our network they get prompted for a username and password. Therefore, since the guest is actually being blocked, would it be OK to have just one secret key and avoid the hassle of configuring VLANs?
 
The presumption is you will have an easy-to-access guest wifi with no encryption. Additionally, one normally does not want to allow someone else's computers on the company's network.
 
I know with the 1200 series you can create a guest SSID which points to a VLAN with no security, and then create a corp SSID with encryption which points to the intranet.
I'm not up on HP switches, but you should have the guest out in the DMZ, or at least configure an access list to filter it out to the net. You can run it through a RADIUS server with reject pointed out only.
 
Like the others said, I would make sure the guest VLAN is a layer 2 VLAN only and drop it off in the DMZ or outside to the Internet. You do not want the guests to even have a prompt for a username and password for your corporate network, because then they are essentially routed on your network and just don't have access to certain things....yet...
 
What I would like is for the user to get a sign-on screen in the web browser with the option guest or employee; then they are directed to enter their passkey and routed accordingly. With Cisco routers I have to set up a VLAN, which means I have to configure the HP switch port for the same VLAN. Does anyone know a good tutorial on how to do this?

Also, for other WAPs such as Linksys, would it require VLAN setup, or does Linksys have some kind of built-in setting where you don't have to mess with the HP switch port?
 
Having a login screen is not a good idea, since a trusted user could log on from an untrusted workstation, or someone could 'guess' a user's password and then have unrestricted access to your corporate network.
Physical separation is the best way to go; if this is not possible, then using SSIDs mapped to VLANs works well. A corporate SSID using strong authentication & encryption mapped to a 'trusted' VLAN, plus a second 'guest' SSID mapped to an 'untrusted' or restricted VLAN, is pretty easy to deploy.

Andy
 
Thanks

I will try to research a tutorial on how to deploy that type of configuration.
 
Here is how I see it.
You need to have a different network for your guest wireless no matter what.
Can your Cisco access point support two VLANs?
Does your HP switch support VLANs? You can go to the HP web site and find the documentation for your specific switch.

Once you define the VLANs on the AP and switch, you need a gateway/firewall to the Internet.

Do you have an available router port or firewall port and one public IP address?

If you don't want to mess with the two networks on the same access point, you could use a separate Linksys all-in-one wireless/router/firewall. Make it your guest access point and plug it directly in to your outside network. Run a cable to the location you want the access point. Configure it for a different channel than your Cisco access point.
 
The VLAN approach is the best. I used three VLANs: corporate data, VoIP, and guests. Make sure you set the switchport to trunk mode.

I use an ACL on the GUEST SSID/VLAN to limit traffic to only the DNS server, our Websense filter, and then typical Internet protocols. We cannot dump our VLAN outside the firewall, since we have 30 remote sites that share our Internet T3.

ip access-list extended GUEST-SSID-ACL
permit tcp any any established
remark allow DHCP server connection
permit udp any any eq bootps
remark allow DNS lookups
permit udp 10.150.37.0 0.0.0.255 host 10.150.36.10 eq domain
permit udp 10.150.37.0 0.0.0.255 host 10.150.0.150 eq domain
remark Websense filtering port
permit tcp 10.150.37.0 0.0.0.255 host 10.150.0.141 eq 15871
remark deny access to corporate subnets
deny ip any 10.150.0.0 0.0.255.255
deny ip any 209.44.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq pop3
permit tcp any any eq ftp
permit tcp any any eq ftp-data
deny ip any any log
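As an added illustration of how this first-match ACL behaves (example code written for this thread, not from the post above or from Cisco), here is a small Python evaluator that parses the ACEs listed above and answers which action a given guest packet hits. It assumes the list is applied inbound on the guest VLAN (sources in 10.150.37.0/24) and models only the ACE features this list uses: protocol, any/host/wildcard addresses, `eq <port>` and `established`.

```python
import ipaddress
# Constructed copy of the ACL from the post above (remark lines dropped, they carry no logic).
GUEST_SSID_ACL = """
permit tcp any any established
permit udp any any eq bootps
permit udp 10.150.37.0 0.0.0.255 host 10.150.36.10 eq domain
permit udp 10.150.37.0 0.0.0.255 host 10.150.0.150 eq domain
permit tcp 10.150.37.0 0.0.0.255 host 10.150.0.141 eq 15871
deny ip any 10.150.0.0 0.0.255.255
deny ip any 209.44.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq pop3
permit tcp any any eq ftp
permit tcp any any eq ftp-data
deny ip any any log
"""
PORTS = {"bootps": 67, "domain": 53, "www": 80, "pop3": 110, "ftp": 21, "ftp-data": 20}

def parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild = int(ipaddress.IPv4Address(tokens[1]))  # contiguous wildcard, e.g. 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{tokens[0]}/{32 - wild.bit_length()}", strict=False), tokens[2:]

def parse_acl(text):
    """Turn ACE lines into (action, proto, src_net, dst_net, dst_port, established) tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        port = None if rest[:1] != ["eq"] else PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port, rest[:1] == ["established"]))
    return rules

def evaluate(rules, proto, src, dst, dport, ack=False):
    """First-match lookup; a packet matching no ACE hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port, established in rules:
        if p not in ("ip", proto) or s not in src_net or d not in dst_net:
            continue
        if (port is not None and port != dport) or (established and not ack):
            continue  # 'established' only matches TCP segments with ACK or RST set
        return action
    return "deny"
```

Because `permit tcp any any established` sits above the two corporate deny lines, any TCP segment with ACK or RST set (ack=True in the model) is permitted to 10.150.0.0/16 before those denies are consulted; placing the corporate denies first, or using a stateful inspection feature instead of `established`, closes that ordering gap.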
 