Solved

Best way to setup Wireless Network for both employees and guests

Posted on 2008-10-01
Last Modified: 2013-11-12
We have a client that wants us to install a wireless network for them. They will only need 2 or 3 access points to cover the entire building.

I would like to set them up to have 2 SSIDs, one for guests and one for employees.  I would like for the employee one to have access to everything and for the guest one to limit traffic to only the internet.

Question, what is the best way to accomplish this?  I am sure that there are many expensive systems out there to handle this sort of thing, but I would like to try to find a cost effective way to handle this (I would like to not spend more than $1500 if possible).

Also, I would like to do it using Cisco equipment although I am open to other vendor suggestions.

THANKS!
Question by:AutomatedIT
8 Comments
 
LVL 7

Expert Comment

by:aboredman
ID: 22618717
What services are available on the network?
Does your customer use Active Directory?
0
 
LVL 1

Author Comment

by:AutomatedIT
ID: 22618738
They have a Microsoft network with Active Directory (Windows Server 2003).

They also have Exchange, network printers, shared files.

0
 
LVL 11

Accepted Solution

by:
billwharton earned 500 total points
ID: 22618760
Simply trunk the access point to the switch using a trunk port so that it can pass two different VLANs. Each SSID translates to a VLAN on the switch and the traffic is kept separate. Next, apply ACLs on the guest VLAN to prevent them access to your internal network and only allow traffic to the internet. Most wireless vendors allow this kind of design.
0
 
LVL 7

Expert Comment

by:aboredman
ID: 22618795
Well, depending on the security level you need, if the guests are not members of the same domain (or of a trusted domain) and your AD security is set right (no permission to EVERYONE), they won't have access to anything.

Exchange, shares, printers and the network should require AD credentials to be accessed.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22618820
You are not going to find a managed wireless solution, especially Cisco, for that price. The optimal solution would be a wireless LAN controller 2106, with three LWAPs, fed into your network, at which point you could use IAS from Active Directory to handle your users' authentication. Guest authentication could be open, or WPA2.
The poor man's solution would be to just buy some Linksys wireless APs and put them in your network for your users; the newer ones still support using RADIUS or IAS. Stick those on the inside of your network for your authenticated users.
Stick another one in your DMZ switch to provide access to your guests; this limits your guests to a certain area.
0
 
LVL 3

Expert Comment

by:omic_admin
ID: 22619220
I agree with peralesa: a DMZ with two sets of networks for the wireless would be the safest bet. I've heard that VLANs can be bypassed if someone knows what they are doing to force the switches to abandon VLANs when there is a heavy load. Having a separate, parallel SSID that sits on the DMZ for guests would be best, as they would be outside the firewall, while the protected SSID would allow regular users. However, this would involve multiple cabling for the APs and double routers for each area you are covering.
0
 
LVL 6

Expert Comment

by:kavlins
ID: 22619406
Create 2 VLANs, 1 for guests and another for internal users....

1) Create access-lists on the guest VLAN to restrict access to the internal network.

This way you avoid spending money on buying expensive equipment.....
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22619740
I recommend the Cisco Aironet 1130 series. Check out the datasheet section for more info.

http://www.cisco.com/en/US/products/ps6087/index.html

These are enterprise-class APs and support VLANs, wireless VLANs, PoE, multiple SSIDs, and full public/private separation. They even have a feature called AP isolation that prevents computers on the public WVLAN from accessing each other, thus mitigating your legal risk of having attacks occur through your wireless.
You can also authenticate against LDAP (MS AD), RADIUS, or TACACS+.

These devices are very good. And generally go for about $500 USD each.
Please let me know if you have any questions!
0
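
The guest-VLAN ACL design from the accepted solution and kavlins's comment, as an added example that is not part of any post in this thread: a small first-match evaluator for a Cisco-style ACL, used to confirm that guests reach DHCP, DNS and the internet but nothing on internal address space, and to show how rule order breaks that. The ACL text, the 192.168.20.0/24 guest subnet, the DNS address and all function names are assumptions made for illustration; the syntax handled is a simplified subset (destination `eq` port only).

```python
import ipaddress

# Constructed guest-VLAN ACL (inbound on the guest VLAN interface).
# Subnets and the 192.168.20.1 gateway/DNS address are assumed values.
GUEST_ACL = """
permit udp any any eq 67
permit udp any host 192.168.20.1 eq 53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

def take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A Cisco wildcard mask is a host mask, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(text):
    """Turn ACL lines into (action, proto, src_net, dst_net, dst_port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = take_addr(tokens), take_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if s in r_src and d in r_dst and r_port in (None, dport):
            return action
    return "deny"

def leaks(rules, guest="192.168.20.50"):
    """Internal probe targets a guest can reach; should be empty."""
    probes = [("tcp", "10.0.0.5", 445), ("tcp", "172.16.1.10", 3389),
              ("tcp", "192.168.1.20", 80)]
    return [p for p in probes if evaluate(rules, p[0], guest, p[1], p[2]) == "permit"]
```

Note that the DHCP and DNS permits must come before the private-range denies, and `permit ip any any` must come last; the same lines in reverse order leak every internal probe.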
