
Wireless Corporate Guest Access

I need to set up a Wireless Guest Access Network in my company. I have very little experience with this.
We are using Cisco Aironet APs.
Questions I have:
What do I use to protect the data from being snooped while in transit? I know WEP is bad; other suggestions? Is there a wireless encryption that's preferred?
Do I broadcast a Guest SSID or create a new one?
Do I run any proxies on it?
Any ideas for Best Practices?
Thanks for the help
3 Solutions
Stephen Manderson Commented:
You would want to be using WPA Enterprise Encryption in a business environment with a phrase of about 30 characters, not letters, so be sure to include $p3(1AL characters as it makes it much more secure.

As far as broadcasting your SSID, it's easy to detect anyway with programs such as network stumbler. As long as you have a long WPA pass phrase, it shouldn't be an issue to broadcast your SSID, as even to try and brute force the key would theoretically take years if it's long enough.

You could run it via a proxy in order to limit access to particular pages etc. What would the guest be getting access to on the WLAN? Would it be purely for net access?

If your Access Points are connected to a VLAN capable switch and your Access Points are running IOS, then you can assign your public users to a totally different VLAN.


For encryption on the secure wireless VLAN, I'd go with WPA2 + certificates.  If you're running a Windows 2003 Enterprise Server anywhere in your network, you can do this all for free.  Let me know if you need further assistance.
What I'd do is buy a separate connection for the wireless, and then have users connect to the main network over the internet using a secure VPN connection.
That way, even if someone does get on your wireless (likely), they will still have to VPN into your corporate network to access any real information (much less likely).
Dave Howe Commented:
WEP is probably good enough for guest access; just change the key regularly and use the ability of the Aironets to support VLANning to place the guest network into a VLAN "jail".

If you really care about security, it's probably easier to give the guests access to web based resources themselves secured via https than to try and lock down on a guest web. It is a fair guess that guest users could be compromised, so they shouldn't be trusted, by yourself or each other.

Typically in a Cisco-specific WLAN environment, you would be using a static key only for the guest SSN; you can tunnel or VLAN the guest traffic, even while roaming, and for the real WLAN you can use RADIUS authentication with FAST EAP or PEAP.
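
Two points raised in the answers above (guests on their own VLAN, and whether WEP is in use) can be checked mechanically. The following is an added example, not part of the thread: a small Python audit of an autonomous Aironet IOS configuration. The configuration excerpt, the SSID names and the `trusted` parameter are constructed assumptions.

```python
import re
# Constructed excerpt of an autonomous Aironet IOS config (not taken from the thread).
SAMPLE_CONFIG = """\
dot11 ssid CORP
   vlan 10
   authentication key-management wpa version 2
!
dot11 ssid GUEST
   vlan 20
   authentication open
!
dot11 ssid LOBBY
   authentication open
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode wep mandatory
!
"""

def parse_ssid_vlans(config):
    """Map each 'dot11 ssid' block to its VLAN id (None if it has no vlan line)."""
    vlans, current = {}, None
    for line in config.splitlines():
        head = re.match(r"dot11 ssid (\S+)", line)
        if head:
            current = head.group(1)
            vlans[current] = None
        elif not line.startswith(" "):
            current = None  # '!' or a new top-level command ends the block
        elif current and (m := re.match(r"\s+vlan (\d+)$", line)):
            vlans[current] = int(m.group(1))
    return vlans

def audit(config, trusted=("CORP",)):
    """Return (ssid, finding) pairs for guest-isolation and cipher problems."""
    vlans = parse_ssid_vlans(config)
    modes = {int(v): m for v, m in re.findall(
        r"^ *encryption vlan (\d+) mode (wep|ciphers \S+)", config, re.M)}
    trusted_vlans = {vlans[s] for s in trusted if s in vlans}
    findings = []
    for ssid, vlan in vlans.items():
        if vlan is None:
            findings.append((ssid, "no VLAN assigned"))
        elif ssid not in trusted and vlan in trusted_vlans:
            findings.append((ssid, "shares VLAN with a trusted SSID"))
        if modes.get(vlan) == "wep":
            findings.append((ssid, "WEP encryption"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags GUEST for WEP and LOBBY for having no VLAN; moving GUEST onto VLAN 10 instead produces the shared-VLAN finding.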
