Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Best way to setup Wireless Network for both employees and guests

Posted on 2008-10-01
8
Medium Priority
?
676 Views
Last Modified: 2013-11-12
We have a client that wants us to install a wireless network for them.  they will only need 2 or 3 access points to cover the entire building.

I would like to set them up to have 2 SSIDs, one for guests and one for employees.  I would like for the employee one to have access to everything and for the guest one to limit traffic to only the internet.

Question, what is the best way to accomplish this?  I am sure that there are many expensive systems out there to handle this sort of thing, but I would like to try to find a cost effective way to handle this (I would like to not spend more than $1500 if possible).

Also, I would like to do it using Cisco equipment although I am open to other vendor suggestions.

THANKS!
0
Comment
Question by:AutomatedIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 7

Expert Comment

by:aboredman
ID: 22618717
What services are available on the network?
Does you customer use active directory?
0
 
LVL 1

Author Comment

by:AutomatedIT
ID: 22618738
They have a Microsoft network with Active Directory (Windows Server 2003).

They also have exchange, network printers, shared files.

0
 
LVL 11

Accepted Solution

by:
billwharton earned 1500 total points
ID: 22618760
simply trunk the access point to the switch using a trunk port so that it can pass two different vlan's. SSID translates to vlan on the switch and the traffic is kept separate. Next, apply acl's on the guest vlan to prevent them access to your internal network and only allow traffic to the internet. Most wireless vendors allow this kind of design
0
Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

 
LVL 7

Expert Comment

by:aboredman
ID: 22618795
Well depending on the security level you need if the guests are not member of the same domain (or of a trusted domain) and your AD security is set right (no permission to EVERYONE) they won't have access to anything.

Exchange, shares, printers and the network should require AD credentials to be accessed.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22618820
You are not going to find a managed wireless solution, especially Cisco for that price.  The optimal solution would be a wireless lan controller 2106, with three LWAPs, fed into your network at which point you could use IAS from Active Directory to handle you user's authentication.  Guest Authentication could be open, or WPA2
The poor man solution would be to just buy some linksys wireless AP's and put them in your network for your users, the newer ones still support using Radius or IAS, stick those on the inside of your network for you authenticated users.
Stick another one in your DMZ switch to provide access to your guest, limits your guest to a certain area
0
 
LVL 3

Expert Comment

by:omic_admin
ID: 22619220
I agree with peralesa-a DMZ with two sets of networks for the wireless would be the safest bet. I've heard that VLANs can be bypassed if someone knows what they are doing to force the switches to abandon VLANs when there is a heavy load. Having a separate, parallel SSID that sits on the DMZ for guests would be best, as they would be outside he firewall, while the protected SSID would allow regular users. However, this would involve multiple cabling for the APs and double routers for each area you are covering.
0
 
LVL 6

Expert Comment

by:kavlins
ID: 22619406
Create 2 VLANS, 1  for guests and another for Internal users....

1) create access-lists on Guest VLAN to restrict access to Internal network.

This way you avoid spending money on buying expensive equipments.....
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22619740
I recommend the Cisco Aironet 1130 series. Check out the datasheet section for more info.

http://www.cisco.com/en/US/products/ps6087/index.html

These are enterprise class APs and support VLANs, wireless VLANs, POE, Muliple SSIDs, and full public/private separation. They even have a feature called AP isolation that prevents computers on the public WVLAN from accessing each other, thus mitigating your legal risk of having attacks occur through your wireless.
You can also authenticate against LDAP (MS AD), RADIUS, or TACACS+.

These devices are very good. And generally go for about $500 USD each.
Please let me know if you have any questions!
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question