• Status: Solved
  • Priority: Medium
  • Security: Public

Public Wireless Access - Disallow Internal Clients

Hello EE,

I have an interesting question. After much headache we finally got our wireless infrastructure up and going with 802.1x authentication. City-owned laptops get their preferred network settings through GPO. We also have a public wireless access point in the same vicinity as the internal network. The public wireless is wide open and we want to keep it that way. How can we keep our internal wireless devices from connecting to the public WAP? The public WAP is a Cisco AIR-AP1242AG set up in the DMZ of our firewall, completely segregated from the internal network. The internal wireless infrastructure consists of several of the same Cisco WAPs converted to LWAPP, attached to a wireless LAN controller. Any ideas or thoughts? Please see my attached diagram.

Thanks,

COK
 
rettif9 Manager Commented:
Can you set the two WAPs to run on different channels, and then configure your network devices to use the correct channel?
 
CityofKerrville Author Commented:
Can the channel be set in GPO? Don't recall seeing that option.
 
rettif9 Manager Commented:
After reviewing the user manual for the WAP here http://www.cisco.com/en/US/docs/wireless/access_point/1240/quick/guide/ap1240qs.html#wp37913
I realize that there doesn't seem to be a setting for channel. However, an equal solution is to configure your WAP and wireless devices to use a different SSID than the public WAP and enable security. You should be able to configure your wireless devices to connect to the correct SSID. Most wireless devices will operate on channels 6-11. I may have overlooked the setting in the setup guide.
 
CityofKerrville Author Commented:
Ok,
The two networks are already on different SSIDs. For simplicity's sake here I will call them PUB and WLAN. WLAN is secured through 802.1x authentication and PUB is wide open to the public. Adding security to the PUB network is not desirable as we do not want to have to manage keys or pass-phrases. We want anyone who is in City Hall for a meeting or something to be able to connect with ease and with ZERO interaction from our IT staff. WLAN devices have the network settings configured through GPO, but that will not stop a computer savvy person from trying to find another WAP. WLAN is on the City Employee network and is monitored, thus the reason we don't want our WLAN devices connecting to the PUB and circumventing our network security. Make sense?
 
rettif9 Manager Commented:
Ahhh. That's a different problem. I thought you wanted to control the device, not the employee. Very difficult to keep a 'computer savvy' employee out of an unsecured network. Let me get back into the user manual. The best solution would be incompatible equipment like g versus n or something of that nature. What about using IP address to block activity and block access to TCP/IP config with permissions?
 
CityofKerrville Author Commented:
Yeah, I thought about blocking access to TCP/IP properties, but then remembered that would hinder some of our employees who are authorized to take their laptops home from connecting to their home networks. The solution I am looking for would only keep them on our internal network when at work. Maybe I would define the PUB network in GPO with some bogus properties and keep it from connecting?
 
CityofKerrville Author Commented:
The more I think about it, the more I think the solution will be group policy related.
 
CityofKerrville Author Commented:
I ended up just pushing some bogus settings for the PUB to the client through GPO and it seems to be doing the trick. Thanks for the help.
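
A different way to reach the goal discussed in this thread, shown as an added example that is not from any of the posters: Windows can deny a wireless network by SSID with a block filter, which leaves home networks usable on laptops that travel. `PUB` is the thread's placeholder SSID, and running the script elevated (for instance as a computer startup script) is an assumption.

```powershell
# Added example, not from the thread. "PUB" is the thread's placeholder name;
# substitute the real guest SSID. Must run elevated.
$BlockedSsid = 'PUB'

function Test-SsidBlocked {
    param([Parameter(Mandatory)][string]$Ssid)
    # List only the block filters and look for the quoted SSID in the output.
    $filters = (netsh wlan show filters permission=block) -join "`n"
    return $filters -match ('"' + [regex]::Escape($Ssid) + '"')
}

# 1. Add a deny filter so the client neither lists nor joins the SSID.
#    The filter matches on SSID only, so other open networks are unaffected.
if (-not (Test-SsidBlocked -Ssid $BlockedSsid)) {
    netsh wlan add filter permission=block ssid="$BlockedSsid" networktype=infrastructure | Out-Null
}

# 2. Remove a profile a user may already have saved for it. Assumes the
#    profile name equals the SSID (the Windows default); netsh only reports
#    "not found" when no such profile exists, which is harmless here.
netsh wlan delete profile name="$BlockedSsid" | Out-Null

# 3. Verify, and fail loudly so the result shows up in script logging.
if (Test-SsidBlocked -Ssid $BlockedSsid) {
    Write-Output "Block filter for '$BlockedSsid' is in place."
} else {
    Write-Error "Block filter for '$BlockedSsid' is missing."
    exit 1
}
```

The same deny entry can be managed centrally on the Network Permissions tab of the GPO wireless network (IEEE 802.11) policy, which keeps non-administrators from removing it.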