Limiting Guest Access

Status
Not open for further replies.

rlgaooa

IS-IT--Management
Dec 18, 2002
65
US

I have a wireless network using Aironet 1200 access points with PEAP and a Microsoft RADIUS server controlling access to the network. Now I have been asked to provide guest access through the network to the Internet. I have created a guest SSID and placed it on a separate VLAN on the one access point nearest where the guests are likely to be. What I need to do is design a solution that will restrict current employees from using the guest SSID, control the bandwidth being consumed by the guest SSID, and protect the internal LAN. These access points are connected to a Catalyst 3560 switch, which is connected to the gateway router. Are VLANs on the access point the way to go, or should they be on the switch? If on the switch, can the port connected to the gateway router belong to two different VLANs, or will this compromise network security? Any suggestions would be greatly appreciated.
 
Yes, you should have a VLAN on the AP as well as on the switch.
Let's say VLAN 100 with guest SSID 'guest', and route that through your switch (make the switchport a trunk) to the Internet.
I would be more concerned that guests can get to my internal network than employees using the guest network. So make sure there is no routing possible between your guest VLAN and other internal VLANs.


CCNA, CCNP..partly ;)
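
The layout described in the reply above, sketched as an added configuration example that is not part of the original posts. VLAN 100 and the SSID name 'guest' come from the reply; VLAN 10 as the internal/native VLAN, the port numbers, the 10.0.0.0/8 internal range and the 192.168.100.0/24 guest subnet are assumptions, and the access point's existing employee SSID and native-VLAN configuration is assumed to be in place already.

```cisco
! Constructed example. VLAN 10 (internal), port numbers and all subnets are
! assumptions; VLAN 100 and SSID 'guest' come from the reply above.
!
! --- Aironet 1200: bind the guest SSID to VLAN 100 ---
dot11 ssid guest
 vlan 100
 authentication open
!
interface Dot11Radio0
 ssid guest
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 bridge-group 100
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
!
! --- Catalyst 3560: carry VLAN 100 at layer 2 only ---
vlan 100
 name GUEST
!
interface FastEthernet0/1
 description Trunk to Aironet 1200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,100
 switchport mode trunk
!
interface FastEthernet0/24
 description Trunk to gateway router
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,100
 switchport mode trunk
!
! No "interface Vlan100" on the switch, so it cannot route guest traffic.
! --- Gateway router: guest gateway with an inbound filter ---
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip 192.168.100.0 0.0.0.255 any
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 ip access-group GUEST-IN in
```

`show interfaces trunk` on the switch confirms that only the intended VLANs are allowed on each trunk port.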
 
One little wrinkle that I neglected to mention is that this site is at the other end of a VPN cloud. The guest users will need a certain range of IP addresses assigned to them through DHCP in order to pass through the VPN cloud to the proxy server and hit the Internet. I would like to keep this solution as simple as possible while being as secure as possible. Is there a way that the Aironet 1200 can apply IP addresses based on SSIDs?
 