Solved

Running a private and public wireless network off the same WAP?

Posted on 2010-04-08
Last Modified: 2013-12-21
I was curious if it was possible to run both a private and a public wireless network off of the same wireless access point without using VLANs? I know it may be considered bad form to not separate the two networks across two WAPs but a client is specifically asking if this is a possible setup and other than security I can't see any reason why it wouldn't be. Any ideas?
Question by:Totec
8 Comments
 

Expert Comment

by:mmartinez74
ID: 30146241
Yes!   Take a look at http://store.apple.com/us/product/MC340LL/A/AirPort-Extreme?mco=MTY3ODQ5OTY

Apple's Airport Extreme base station will do exactly what you want.
0
 
LVL 1

Author Comment

by:Totec
ID: 30146437
Sorry, didn't clarify...but we are a Cisco shop and running two Aironet 1140's to cover the building. The less elegant solution would be to just split the public and private across their respective WAPs but the client is very specific about wanting to share the WAPs between a public and private setup if possible.

Thanks.
0
 

Expert Comment

by:sjimenez_73
ID: 30149230
Cisco 1100 Series access points can set up multiple SSIDs with different security without having to set up a VLAN.
0

Expert Comment

by:mmartinez74
ID: 30149836
You are going to need something like this:  http://www.ict-partner.net/en/US/prod/collateral/wireless/ps5678/ps6973/ps8382/prod_brochure0900aecd806b8a72.html   to work with your existing infrastructure.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 30165690
Yes it is very possible to do. I will post a config for you.

You need to have vlans or it's a waste of time because your traffic will all be on the same network. Now if you have a spare interface on your firewall, you could use that to separate the guest internet traffic from your private corp traffic.

Do you have RADIUS auth available in your environment or do you want straight WPA-PSK?
0
 
LVL 1

Author Comment

by:Totec
ID: 30169667
Yeah, I'd love to see a config. Right now I'm splitting the public and private SSIDs between the two internal antennae in the 1140 and hitting a wall with trying to separate the private and public traffic.

If it's just a limitation and VLANs need to be used I'm sure I can chill the client down on them, for some reason they are skeeved out by them.

Using straight WPA-PSK.

Thanks!
0
 
LVL 32

Accepted Solution

by:
nappy_d earned 1000 total points
ID: 30193424
You NEED a way to separate the traffic.

I would recommend that RADIUS be used for the Private wireless' authentication. If you don't want to use it, rip out the sections of this config that have RADIUS and just use the wpa-psk config from the public SSID.

After you have done testing, make sure to do

! Wired port: no IP on the physical interface; VLAN 1 is native (untagged)
interface gig0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
interface gig0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled

! Management address sits on BVI1 (bridge-group 1, the private side)
hostname EnterHostName
interface BVI1
 ip address x.x.x.x x.x.x.x
ip default-gateway x.x.x.x

! Wired port: VLAN 300 tagged, bridged separately in bridge-group 10
interface gig 0.300
 encapsulation dot1Q 300
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled

! RADIUS / AAA for the private SSID (remove if using WPA-PSK on both)
aaa new-model
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key EnterPasswordHere
aaa group server radius rad_eap
 server x.x.x.x auth-port 1812 acct-port 1813

aaa cache profile admin_cache
 all
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication enable default group tacacs+ enable
aaa accounting network acct_methods start-stop group rad_acct

! Private SSID -> VLAN 1, WPA with EAP against RADIUS
dot11 ssid PrivateSSID
 vlan 1
 authentication open eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
 infrastructure-ssid optional

! Public SSID -> VLAN 300, WPA with a pre-shared key (key not given in the post)
dot11 ssid PublicSSID
 vlan 300
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii

! Radio: one cipher statement per VLAN
interface Dot11Radio0
 no ip address
 encryption vlan 1 mode ciphers tkip
 encryption vlan 300 mode ciphers tkip
 station-role root
! Radio subinterface for VLAN 1 (native), joined to bridge-group 1
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
! Radio subinterface for VLAN 300, joined to bridge-group 10
interface Dot11Radio0.300
 encapsulation dot1Q 300
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
! Attach both SSIDs to the radio; names must match the dot11 ssid stanzas
interface Dot11Radio0
 mbssid
 ssid PrivateSSID
 ssid PublicSSID

no shut
copy run testConfig
0
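An added example, not part of the original thread or nappy_d's config: a small Python check for the property the accepted answer depends on, namely that each SSID has its own VLAN, that the VLAN is tagged on both a radio and a wired subinterface, and that every SSID attached to the radio is actually defined. The sample config is constructed, and the parser assumes the `dot11 ssid` / `interface` stanza layout used in the config above.

```python
import re
from collections import defaultdict
# Constructed sample, not the thread's config: VLAN 1 has no radio
# subinterface and the radio attaches a misspelled SSID name.
SAMPLE = """\
dot11 ssid PrivateSSID
vlan 1
dot11 ssid PublicSSID
vlan 300
interface gig0.1
encapsulation dot1Q 1 native
interface gig0.300
encapsulation dot1Q 300
interface Dot11Radio0.300
encapsulation dot1Q 300
interface Dot11Radio0
ssid PrivatSSID
ssid PublicSSID
"""

def audit(text):
    """Return findings that break SSID-to-VLAN separation; [] means consistent."""
    ssid_vlan, tagged, attached, cur = {}, defaultdict(set), [], ""
    for line in (re.sub(r"\s+", " ", l.strip()) for l in text.splitlines()):
        if re.match(r"(dot11 ssid|interface) ", line):
            cur = line  # new stanza header
            if cur.startswith("dot11 ssid "):
                ssid_vlan.setdefault(cur.split()[2], None)
        elif cur.startswith("dot11 ssid ") and line.startswith("vlan "):
            ssid_vlan[cur.split()[2]] = line.split()[1]
        elif cur.startswith("interface") and (m := re.match(r"encapsulation dot1Q (\d+)", line)):
            side = "radio" if "dot11radio" in cur.lower() else "wired"
            tagged[m.group(1)].add(side)  # which sides carry this VLAN tag
        elif "dot11radio" in cur.lower() and line.startswith("ssid "):
            attached.append(line.split()[1])
    out = [f"radio attaches undefined SSID {s}" for s in attached if s not in ssid_vlan]
    by_vlan = defaultdict(list)
    for ssid, vlan in ssid_vlan.items():
        by_vlan[vlan].append(ssid)
    for vlan, names in by_vlan.items():
        if vlan is None or len(names) > 1:
            out.append(f"{'/'.join(names)}: no dedicated VLAN")
        else:
            out += [f"VLAN {vlan} ({names[0]}): no {side} subinterface"
                    for side in ("wired", "radio") if side not in tagged[vlan]]
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a saved copy of the access point's running config before putting guests on the public SSID; an empty result only covers the AP side, so the switch trunk and firewall rules for the guest VLAN still need their own review.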
 
LVL 1

Author Closing Comment

by:Totec
ID: 31712550
You sir, are a gentleman and a scholar. Thank you!
0
