Security Basics mailing list archives

RE: guest + private wlan


From: "Nick Duda" <nduda () VistaPrint com>
Date: Mon, 14 Jan 2008 13:26:07 -0500

Here is what I do:

- Cisco LAN controller (device that manages lightweight Cisco APs)
- Cisco Aironets
- TACACS

Configure your employee WLAN (SSID) using WPA2 on the LAN Controller with authentication using TACACS (or any supported 
authentication protocol, AD, LDAP, etc.). We use TACACS for many networking things and have it using AD for pass-through 
authentication. When an employee wants to use wireless, they connect to the employee WLAN using NT credentials over 
WPA2. Configure another WLAN for guests and direct it to a separate VLAN/subnet with just a DSL/Cable modem hanging off 
of it, no WEP. The Cisco LAN Controller allows an ambassador role to create accounts.

When a guest visits us, the receptionist asks "Will you be requiring Internet access with your laptop while you are 
here?". If yes, the receptionist logs on to the Cisco LAN Controller with a certain login that only shows her one 
section to create wifi accounts. She adds a new account with username, password and duration. We have business cards 
printed for guest access that she fills out and gives to the guest, with the username/password and the duration the account 
is good for. When the guest connects to the guest SSID and browses the web they are presented with a login page, just 
like you get at a hotel. They enter username and password and then get a popup that gives them some info, like who they 
are, duration left, etc. They can close it or keep it open, it doesn't matter. They are now on the separate WLAN with 
only access out the dedicated DSL/Cable internet. It doesn't touch the corporate network. When the duration specified by 
the receptionist expires, they are booted from the WLAN and need a new password, etc.

This setup works very well. It also allows us to put in-line proxies and content filtering on the guest side, and also IDS. 
It also allows us to use products like Cisco Clean Access (CAS/CAM) for the employee side, and IDS. In order to connect 
to the employee WLAN, CAS/CAM performs checks on the laptop/computer (AV installed? AV DAT up-to-date? MS patches 
installed? etc.)

If you want more info about how this was done, email me.

- Nick
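The guest-account lifecycle Nick describes (receptionist creates a username, password and duration; the captive portal checks the credentials; the controller drops the client once the duration runs out) can be modelled in a few dozen lines. The following is an added example, not code from the thread and not a Cisco controller API: an in-memory stand-in for the controller's guest-user database, with passwords hashed at rest, a constant-time check that gives the same answer for unknown users and wrong passwords, and a sweep that names the associated clients whose accounts have expired. The timestamps and usernames are constructed, and the PBKDF2 round count is an assumed cost parameter.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed cost parameter; tune to the portal host


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the account store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class GuestAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    expires_at: int  # Unix time (seconds) after which the portal refuses the login


class GuestAccountStore:
    """In-memory stand-in for the controller's guest-user database.
    Assumption: this models the behaviour described in the thread, not a Cisco API."""

    def __init__(self) -> None:
        self._accounts: Dict[str, GuestAccount] = {}
        self._dummy_salt = os.urandom(16)  # so an unknown username costs one hash too

    def create(self, username: str, duration_hours: float, now: Optional[int] = None) -> str:
        """Receptionist step: register a time-boxed account and return the plaintext
        password once, for the guest card. Re-creating a username replaces it."""
        now = int(time.time()) if now is None else now
        password = secrets.token_urlsafe(9)  # 12 URL-safe chars, short enough to hand-write
        salt = os.urandom(16)
        self._accounts[username] = GuestAccount(
            username, salt, _derive(password, salt), now + int(duration_hours * 3600)
        )
        return password

    def authenticate(self, username: str, password: str,
                     now: Optional[int] = None) -> Tuple[bool, str, int]:
        """Captive-portal step. Returns (allowed, reason, seconds_left). The reason is the
        same for a wrong password and an unknown user so the portal does not leak usernames."""
        now = int(time.time()) if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            _derive(password, self._dummy_salt)  # equalise response time
            return False, "invalid credentials", 0
        if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            return False, "invalid credentials", 0
        left = acct.expires_at - now
        if left <= 0:
            return False, "account expired", 0
        return True, "ok", left

    def sessions_to_drop(self, associated: List[str], now: Optional[int] = None) -> List[str]:
        """Controller sweep: usernames currently on the guest SSID whose account has
        expired or been deleted, i.e. the clients to deauthenticate."""
        now = int(time.time()) if now is None else now
        return [u for u in associated
                if u not in self._accounts or self._accounts[u].expires_at <= now]


if __name__ == "__main__":
    store = GuestAccountStore()
    t0 = 1_200_300_000  # constructed timestamp
    card_password = store.create("visitor-0114", duration_hours=4, now=t0)
    print("card: visitor-0114 /", card_password, "/ valid 4h")
    print(store.authenticate("visitor-0114", card_password, now=t0 + 3600))
    print(store.authenticate("visitor-0114", card_password, now=t0 + 5 * 3600))
    print(store.sessions_to_drop(["visitor-0114"], now=t0 + 5 * 3600))
```

The expiry is enforced in two places on purpose: the portal refuses a login after the deadline, and the sweep catches clients who logged in before it and are still associated, which is the "booted from the WLAN" step. The `now` parameters exist so the behaviour can be checked at fixed instants rather than against the wall clock.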


-----Original Message-----
From: listbounce () securityfocus com on behalf of razigarbie () gmail com
Sent: Mon 1/14/2008 7:52 AM
To: security-basics () securityfocus com
Subject: guest + private wlan
 
Hi everyone,

I'm in a position where I need to set up a guest WLAN (open for public use) and an employee WLAN that will handle 
"business data".

Does anyone have any suggestions on what this setup would look like from a security perspective?

I thought of creating 2 VLANs, one that uses WPA2 encryption while the other one is open (both within the DMZ). Is this 
good/bad?

// Thanks in advance, boney

