Best way to set up Wireless Network for both employees and guests

We have a client that wants us to install a wireless network for them. They will only need 2 or 3 access points to cover the entire building.

I would like to set them up to have 2 SSIDs, one for guests and one for employees. I would like for the employee one to have access to everything and for the guest one to limit traffic to only the internet.

Question: what is the best way to accomplish this? I am sure that there are many expensive systems out there to handle this sort of thing, but I would like to try to find a cost-effective way to handle this (I would like to not spend more than $1500 if possible).

Also, I would like to do it using Cisco equipment, although I am open to other vendor suggestions.

THANKS!
AutomatedIT Asked:
 
billwharton Commented:
Simply trunk the access point to the switch using a trunk port so that it can pass two different VLANs. SSID translates to VLAN on the switch and the traffic is kept separate. Next, apply ACLs on the guest VLAN to prevent them access to your internal network and only allow traffic to the internet. Most wireless vendors allow this kind of design.
0
 
aboredman Commented:
What services are available on the network?
Does your customer use Active Directory?
0
 
AutomatedIT (Author) Commented:
They have a Microsoft network with Active Directory (Windows Server 2003).

They also have Exchange, network printers, shared files.

0
 
aboredman Commented:
Well, depending on the security level you need, if the guests are not members of the same domain (or of a trusted domain) and your AD security is set right (no permission to EVERYONE), they won't have access to anything.

Exchange, shares, printers and the network should require AD credentials to be accessed.
0
 
Andres Perales Commented:
You are not going to find a managed wireless solution, especially Cisco, for that price. The optimal solution would be a wireless LAN controller 2106, with three LWAPs, fed into your network, at which point you could use IAS from Active Directory to handle your users' authentication. Guest authentication could be open, or WPA2.
The poor man's solution would be to just buy some Linksys wireless APs and put them in your network for your users. The newer ones still support using RADIUS or IAS; stick those on the inside of your network for your authenticated users.
Stick another one in your DMZ switch to provide access to your guests; this limits your guests to a certain area.
0
 
omic_admin Commented:
I agree with peralesa: a DMZ with two sets of networks for the wireless would be the safest bet. I've heard that VLANs can be bypassed if someone knows what they are doing to force the switches to abandon VLANs when there is a heavy load. Having a separate, parallel SSID that sits on the DMZ for guests would be best, as they would be outside the firewall, while the protected SSID would allow regular users. However, this would involve multiple cabling for the APs and double routers for each area you are covering.
0
 
kavlins Commented:
Create 2 VLANs, 1 for guests and another for internal users.

1) Create access lists on the guest VLAN to restrict access to the internal network.

This way you avoid spending money on buying expensive equipment.
0
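
The design described in billwharton's and kavlins' answers (one trunk port per AP, one VLAN per SSID, an ACL on the guest VLAN), sketched as Cisco IOS switch configuration. This is an added example, not configuration posted by anyone in the thread; the VLAN IDs, subnets, interface names and the separate AP management VLAN are assumptions, and it assumes a layer-3 switch routes the guest VLAN.

```cisco
! Added example. All VLAN IDs, subnets and port names are constructed values.
vlan 10
 name EMPLOYEES
vlan 20
 name GUESTS
vlan 99
 name AP-MGMT
!
! Port facing each access point: carry only the VLANs the AP needs.
interface GigabitEthernet0/1
 description Trunk to AP (hypothetical port)
 ! The next line exists only on platforms that also support ISL.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
!
! Guest ACL. First match wins, so narrow permits precede the denies.
ip access-list extended GUEST-IN
 remark Let guest clients obtain a DHCP lease
 permit udp any eq bootpc any eq bootps
 remark If guests must use an internal resolver, permit that one
 remark host on udp/tcp 53 here, before the deny lines
 remark Drop anything addressed to private (internal) space
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Remaining traffic sourced from the guest subnet is Internet-bound
 permit ip 192.168.20.0 0.0.0.255 any
!
! Apply inbound on the guest gateway so filtering happens before routing.
interface Vlan20
 description Guest gateway
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
```

After applying it, `show access-lists GUEST-IN` shows per-line hit counters, which confirms that guest attempts to reach internal addresses are landing on the deny entries.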
 
Pugglewuggle Commented:
I recommend the Cisco Aironet 1130 series. Check out the datasheet section for more info.

http://www.cisco.com/en/US/products/ps6087/index.html

These are enterprise-class APs and support VLANs, wireless VLANs, PoE, multiple SSIDs, and full public/private separation. They even have a feature called AP isolation that prevents computers on the public WVLAN from accessing each other, thus mitigating your legal risk of having attacks occur through your wireless.
You can also authenticate against LDAP (MS AD), RADIUS, or TACACS+.

These devices are very good and generally go for about $500 USD each.
Please let me know if you have any questions!
0
Question has a verified solution.