We have some "public" wireless VLAN segments. These segments are provided purely as a courtesy to visitors walking into our building. ACLs block this public VLAN from seeing any internal server or device. The VLAN gets its DNS from an external DNS site which cannot resolve internal AD resources. However, this VLAN does get its IP address from a Windows server running DHCP server inside the private network. The wireless laptops do not directly authenticate to AD in any way. Occasionally someone on these laptops accesses the public-facing Outlook Web Access using the externally published addresses. None of the public wireless VLANs are defined in Sites and Services since there is no need for a DC to authenticate against. We have proven that no one on those public VLANs can access internal resources. However, occasionally we see a Sites and Services unauthorized VLAN error being generated from the public VLAN.
Since we know the ACLs block any use of the internal resources, are these messages being generated solely by the DHCP request that is allowed to go from the outside to the inside network? Could it be generated by the external call to OWA that originates from the public segment? We see no such messages when people are outside our network on the internet.
Should those non-AD-authenticating VLAN segments actually be defined in Sites and Services anyway? We have been thinking of bringing up Cisco's DHCP server to simply hand out some IP addresses on these public networks if the act of using DHCP is causing the Sites and Services unauthorized VLAN alerts.
I'd appreciate your thoughts on how best to handle this.
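Added example (editor's note, not part of the original post). The "no site" warning that Sites and Services produces is Netlogon event 5807, and its text points to netlogon.log on the DC, where each offending connection is recorded as a `NO_CLIENT_SITE: <client> <ip>` line. The script below parses those lines and maps every client IP to a subnet, so you can see whether the hits really come from the guest ranges and from which hosts. The log lines, the subnet list, and the `Note` labels are constructed for illustration; the real input is `$env:SystemRoot\debug\netlogon.log` on each DC and the subnet definitions from `Get-ADReplicationSubnet`.

```powershell
# Added example, not from the original post. Maps Netlogon NO_CLIENT_SITE
# entries to subnets so the source VLAN of each "no site" client is visible.

# --- constructed sample lines in the netlogon.log format (not a real capture) ---
$sampleLog = @'
09/14 08:12:03 [MISC] CONTOSO: NO_CLIENT_SITE: LAPTOP-7F3 192.0.2.45
09/14 08:12:09 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-0421 10.10.5.23
09/14 08:15:41 [MISC] CONTOSO: NO_CLIENT_SITE: LAPTOP-7F3 192.0.2.45
09/14 08:20:17 [MISC] CONTOSO: NO_CLIENT_SITE: PHONE-AB12 198.51.100.77
'@ -split "`r?`n"

# --- subnet table: ASSUMED values. In production build it from Sites and Services:
#   $subnets = Get-ADReplicationSubnet -Filter * |
#       ForEach-Object { @{ Cidr = $_.Name; Site = $_.Site; Note = 'defined in AD' } }
# The guest ranges are listed here only so the report can name them; they are
# deliberately not defined in Sites and Services, hence Site = '(none)'.
$subnets = @(
    @{ Cidr = '10.10.0.0/16';    Site = 'HQ';     Note = 'internal (defined in AD)' }
    @{ Cidr = '192.0.2.0/24';    Site = '(none)'; Note = 'guest wireless VLAN A' }
    @{ Cidr = '198.51.100.0/24'; Site = '(none)'; Note = 'guest wireless VLAN B' }
)

function ConvertTo-IPv4Int {
    # Dotted-quad string -> unsigned integer, so prefix masks can be applied.
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3]
}

function Test-IPv4InCidr {
    # True when $Address falls inside $Cidr (e.g. 192.0.2.45 in 192.0.2.0/24).
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    $mask = if ($prefix -eq 0) { [uint64]0 }
            else { ([uint64]0xFFFFFFFF -shl (32 - $prefix)) -band [uint64]0xFFFFFFFF }
    return ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
}

# --- extract client name and IP from every NO_CLIENT_SITE line ---
$entries = foreach ($line in $sampleLog) {
    if ($line -match 'NO_CLIENT_SITE:\s+(?<Client>\S+)\s+(?<IP>\d{1,3}(?:\.\d{1,3}){3})') {
        [pscustomobject]@{ Client = $Matches.Client; IP = $Matches.IP }
    }
}

# --- one row per source IP: how often it hit the DC, which hosts, which subnet/VLAN ---
$report = $entries | Group-Object IP | ForEach-Object {
    $ip    = $_.Name
    $match = $subnets | Where-Object { Test-IPv4InCidr -Address $ip -Cidr $_.Cidr } | Select-Object -First 1
    [pscustomobject]@{
        IP      = $ip
        Hits    = $_.Count
        Clients = ($_.Group.Client | Sort-Object -Unique) -join ','
        Subnet  = if ($match) { $match.Cidr } else { 'unknown' }
        Site    = if ($match) { $match.Site } else { 'unknown' }
        Note    = if ($match) { $match.Note } else { 'not in any listed range' }
    }
}

$report | Sort-Object Hits -Descending | Format-Table -AutoSize
```

To run it against a real DC, replace `$sampleLog` with `Get-Content "$env:SystemRoot\debug\netlogon.log"` and build `$subnets` from `Get-ADReplicationSubnet` as shown in the comment; the `Site` value returned there is the site's distinguished name, so trim it if you want the short name. The `Clients` column is the useful part: a NO_CLIENT_SITE entry is logged by Netlogon for a client that contacted the DC and was not covered by any defined subnet, and the hostnames tell you which machines on the guest VLAN are doing that.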