
  • Hi all,

    Currently we are designing a guest network for our enterprise. The SSID will provide access to a VLAN, implemented as a VRF across our premises.
    Users will have access only to the internet.

    However, I need some help deciding how to implement access to this network:

    - The SSID will be broadcast (for easier access).
    - I would like to provide them access during work hours; I don't want anyone to come by one day and connect to our network, even if they have only internet access!
    - I prefer the minimum interaction between the guest user and IT.

    What security measures are usually implemented on such a guest SSID?


    Is WPA2 + EAP a possible solution? Is there any way the WPA2 encryption key can be provided automatically after EAP authentication?

    The authentication can be done on a Cisco ACS.
    All the equipment is Cisco.

    Thanks

  • Any ideas?

  • amprantino wrote:

    Hi all,

    Currently we are designing a guest network for our enterprise. The SSID will provide access to a VLAN, implemented as a VRF across our premises.
    Users will have access only to the internet.

    However, I need some help deciding how to implement access to this network:

    - The SSID will be broadcast (for easier access).
    - I would like to provide them access during work hours; I don't want anyone to come by one day and connect to our network, even if they have only internet access!
    - I prefer the minimum interaction between the guest user and IT.

    What security measures are usually implemented on such a guest SSID?


    Is WPA2 + EAP a possible solution? Is there any way the WPA2 encryption key can be provided automatically after EAP authentication?

    The authentication can be done on a Cisco ACS.
    All the equipment is Cisco.

    Thanks


    Hi Amp,

    A few questions -- are you deploying thin or fat APs?

    Is this an open guest network for the public, or is this an SSID for your employees?

    A guest network, by today's definition, is an open network whereby the public can gain access to the internet. From your description it sounds more like an internal SSID used by employees.

  • I can tell you, we use simple encryption, like WPA with a code, then complete it, because if you use something too complicated, people would find it difficult to use.
    Or you can hide the SSID, then just give it to guests.

  • The guest SSID is for our guests. For employees we have a different VLAN/SSID.

    The SSID is implemented on Cisco autonomous APs (is this what you mean by thin or fat?). Across the whole building it is on a VRF, totally separated from our network.

  • Have you thought about a captive portal (on a WLC)? This could capture guest users into a web-based authentication portal in which you could set up temporary accounts (time limits available). This can be done in RADIUS (IAS if not others) if you want to go that route so that support center techs can create temporary accounts. If you go that route, it will scale much better. Just my two cents.

    Charlie

  • escuec wrote:

    Have you thought about a captive portal (on a WLC)? This could capture guest users into a web-based authentication portal in which you could set up temporary accounts (time limits available). This can be done in RADIUS (IAS if not others) if you want to go that route so that support center techs can create temporary accounts. If you go that route, it will scale much better. Just my two cents.

    Charlie


    What application or appliance can do that?

    Thanks

  • In Charlie's post, he mentions using a Wireless LAN Controller (WLC) for the captive portal (like an Aironet WLC2006).

    I use chillispot at home with my dd-wrt loaded router. You can read more about it here - www.chillispot.info.

    Vivek

  • The most common solution is to have a wide-open Wi-Fi network (no L2 encryption or authentication) for guest access. You don't want guests to have to configure ANYTHING.

    A captive portal will redirect them (through the browser) to a simple log in screen.

    If you are looking for an enterprise captive portal solution, you can use a controller if you have one. If not, Nomadix makes a nice one, although it is a bit of a pain to configure. Once up and running, it is pretty solid.

    If you want a cheap solution let me know, but if you have a lot of clients to support, don't go cheap.

    GT

  • GTHill wrote:

    The most common solution is to have a wide-open Wi-Fi network (no L2 encryption or authentication) for guest access. You don't want guests to have to configure ANYTHING.

    A captive portal will redirect them (through the browser) to a simple log in screen.

    If you are looking for an enterprise captive portal solution, you can use a controller if you have one. If not, Nomadix makes a nice one, although it is a bit of a pain to configure. Once up and running, it is pretty solid.

    If you want a cheap solution let me know, but if you have a lot of clients to support, don't go cheap.

    GT

    Yes, I was searching for an access gateway, Cisco BBSM is EOL so...

    Nomadix looks OK, but I have to find a demo first.
    If anyone can help by providing a demo or online presentation, it is welcome :)

    I have found cheaper solutions, but I think I prefer an appliance...
