Wireless Networking Question Pertaining to School District.


I work with a school district using an old NT Server 4.0 box for handing out IP Addresses.  These are 10.1.2.x numbers.

We are going to purchase some laptops shortly and the administration wants to set up a few computer labs with wireless access points.  We planned to use WAP and MAC address filtering for security.  However I was thinking it might be good to set up a network with IP Addresses set to 198.168.1.x so they would be separate from the 10.x network.  This may or may not be possible as the students may need access to servers on the other side.

Should we set up the 192.168. scheme on the wireless and have a gateway to the other 10.1 side of things?

Has anyone done anything similar to this, and what type of implementation did you use?

I've set up a lot of networks and I've done VPN before, but I'm just trying to think about what the best way to do this might be, given that kids will be kids and we have to take security in the school into consideration.

Thanks for any help...


First - You should NEVER rely on MAC addresses for security. Though the MAC address is part of the network card's firmware it can be fairly easily changed with a single shell command.
For wireless LAN networks you have two solutions:
The first - Use WPA (or WPA-PSK if you're low on resources) to secure access to the network. Basically it means that a password will be needed to connect to your network. Do not use WEP since it uses extremely weak encryption.
The second - Separate the wireless LAN network from the "normal" network and use a PPTP VPN over the wifi network to access the normal network. Any Windows computer can act as a VPN server (just create a new connection and specify "Accept Incoming Connections" or configure the Routing and Remote Access service on Windows Server for more advanced configuration).
Separating the networks into two subnets will not do anything since normal gateways will pass all traffic between the networks. The only reasons you will want to do this is if either the gateway is a firewall so you can control where people can connect from the wifi access (but you still won't be able to determine WHICH users) or if you want to use my second solution, in which there won't be a "regular" gateway at all but a remote access server.
"This may or may not be possible as they students may need access to servers on the other side." Such as?

If it's printing then you should just set up a printer in the lab... I think that wireless access on the same network could be risky. It might be a better idea to isolate the network for right now... If after a couple of weeks of testing you feel the need that your wireless network needs to be on the same range then you should set it up as part of your current range of IPs..

The benefit of isolating the network is that you could better track traffic... because the traffic is coming from different IP ranges...

Just my 50 cents

Hello Matt,
         Using a separate IP range on the access points will work fine, it's more a matter of preference. I personally would use a 192 range just to keep confusion down.
As far as security: you can do fairly well with a laptop configured for good security policies. The way you worded it "we are going to purchase some laptops" sounds like your school will own and control them. Before issuing, make sure that proper policies are in place to prevent access to system utilities; this will stop all but the extremely savvy users from being able to tamper. MAC filtering and WPA will be sufficient to secure the network for all but a very very select few individuals.

For more robust security, you might want to consider using a RADIUS server.
Hope this helps,


diablo-26 (Author) commented:
Thanks guys for all your input...

Vroy, what exactly does a RADIUS server do?  Operating system?  We have some old NT 4.0 Servers here, 4 brand new 2003 Servers, and 2 Novell Servers.  The network is comprised of some really old computers, clones...  Pentium III and Pentium 4 Dell Optiplexes and maybe some Pentium II Dells out there as well.   Some of the older machines are still on 98, but everything within the last few years is all XP.


diablo-26 (Author) commented:
One more question as well... If I plug in a wireless router to run a couple of classrooms... maybe a couple of extra antennas or repeaters as well.

How do I prevent the machines on the 10.1.x.x side from trying to grab an IP from the 192.168.x.x side?  I've set up a bunch of Cable/DSL routers before, but I guess I'm not sure if I can isolate the DHCP pool to only the wireless side of things...

I don't want the normal classroom computers grabbing a 192.168 address... because they won't be able to connect to anything.

Would it work and function correctly to go from the wall jack to the WAN port on the router?  Then the WAN port would grab the 10.1.x.x side and gateway and DNS... and translate to the 192.168.x.x side of things?

A RADIUS server is basically a 3rd-party authentication server to prevent MITM (man in the middle) attacks and sniffing of passwords.
It will authenticate a user then submit authorization to your server that the person has successfully logged in.

There are multiple ways of segregating the 2 wireless networks.
What I would recommend is to set up the access points' SSIDs first; for this example we will call the SSIDs "WLS1" and "WLS2".
Now when you are configuring the laptops, you will need to install the software for the wireless cards. That software will allow you to define a specific SSID to connect to. You should assign them to the appropriate SSID here and make sure that policies exist to prevent the user from modifying the wireless control software.
This way they will be "hard-coded" so to speak, and will only connect to the access point that they were set up for.
Also, since we are manually configuring the laptops with the SSID that they should connect to, we do not need the access points to broadcast their SSID... this is called 'beaconing'. If you log in to the wireless router administration page, there should be an option to disable beaconing or SSID broadcasting.

When physically connecting the routers, the WAN port will be going to your wall jack. The router will grab a DHCP address from the 10.1.x.x network for itself, then the router will distribute 192.x.x.x addresses to wireless clients.

Oh, I misread your 2nd question.... thought you were asking about 2 wireless access points.
*How do I prevent the machines on the 10.1.x.x side from trying to grab an IP from the 192.168.x.x side?

The router will only give its own clients DHCP addresses, the router will not issue DHCP addresses through the WAN port.
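A small audit script, added here as an example and not part of any answer above, that checks the two concerns raised in this thread: a wired (10.1.2.x) host that somehow obtained a 192.168.1.x lease (the DHCP-pool worry), and a MAC address that shows up on both segments (a reason MAC filtering alone is weak). The lease-line format and the addresses are constructed assumptions; real DHCP exports will need their own parser.

```python
import ipaddress
from collections import defaultdict

# Subnets from the thread: the NT 4.0 DHCP scope and the proposed wireless-router scope.
WIRED_NET = ipaddress.ip_network("10.1.2.0/24")
WIRELESS_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample leases: "<segment> <mac> <ip>" per line, as an admin might export them.
SAMPLE_LEASES = """\
wired    00:11:22:33:44:01 10.1.2.15
wired    00:11:22:33:44:02 10.1.2.16
wireless 00:11:22:33:44:10 192.168.1.50
wireless 00:11:22:33:44:11 192.168.1.51
wired    00:11:22:33:44:03 192.168.1.52
wireless 00:11:22:33:44:01 192.168.1.53
"""


def scopes_overlap():
    """True if the two DHCP scopes overlap (they must not, or routing breaks)."""
    return WIRED_NET.overlaps(WIRELESS_NET)


def parse_leases(text):
    """Parse the constructed lease format into (segment, mac, ip) tuples."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        segment, mac, ip = parts
        leases.append((segment, mac.lower(), ipaddress.ip_address(ip)))
    return leases


def audit(leases):
    """Return (wrong_scope, shared_macs).

    wrong_scope: leases whose IP is outside the scope expected for its segment.
    shared_macs: MACs seen on both the wired and wireless segments.
    """
    wrong_scope = []
    segments_by_mac = defaultdict(set)
    for segment, mac, ip in leases:
        expected = WIRED_NET if segment == "wired" else WIRELESS_NET
        if ip not in expected:
            wrong_scope.append((segment, mac, str(ip)))
        segments_by_mac[mac].add(segment)
    shared_macs = sorted(m for m, segs in segments_by_mac.items() if len(segs) > 1)
    return wrong_scope, shared_macs


if __name__ == "__main__":
    print("scopes overlap:", scopes_overlap())
    print(audit(parse_leases(SAMPLE_LEASES)))
```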