
Security Options for Guest Access

We are getting 3500 series access points and a 5508 controller with the plan of having 2 wireless networks, one for employees and one for guests.
Other than just setting a static WPA key, what are other options for securing that network? Ideally I would like to let the receptionist handle this. So a static WPA key would be fine if she could change it on a regular basis without our help.
Please include any additional hardware/software requirements we would need. Thanks.

Anyone needing access to the network would have to check in with the receptionist anyway.
1 Solution
John Meggers, Network Architect, commented:
My $0.02, the full monty would be to use a NAC solution in conjunction with a guest access server. I'm most familiar with Cisco's offering in this area but I'm certain there are other similar offerings. The receptionist could still issue credentials to guests (or employees can, it's flexible), but each guest would have their own individual authentication rather than just handing out a key that possibly may not change very frequently. NAC would allow you to control many aspects of the connection including what operating systems are allowed, but I would only seriously suggest that approach if you were already using (or deploying) a NAC solution for employees.

If you're not going in the direction of a full NAC solution for employees, you can still use Cisco's guest server integrated with Cisco's WLC (using RADIUS) to issue time-limited guest credentials, track usage, etc. Full NAC is not a requirement.  See http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html.

However you decide to handle authentication, you want the VLAN associated with your guests to terminate in such a way that guests are not on the internal employee network. Whether that's into a firewall DMZ, or with a separate Internet connection, etc. is up to you. If you do rely simply on a WPA key to authenticate guests, develop a rotating scheme to change the key periodically. Daily is probably too frequent to be manageable, but weekly seems reasonable to me.
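
One way to implement the weekly rotation suggested in the answer above, as an added example (not code from the thread or from Cisco): each week's passphrase is derived from a secret with HMAC-SHA256, so a sheet of upcoming keys can be printed for the front desk. The secret value, the function names and the grouped base32 format are assumptions made for illustration; the passphrase still has to be set on the guest WLAN each week.

```python
import base64
import datetime
import hashlib
import hmac

# Constructed demo value (assumption). Generate a real one once with
# secrets.token_bytes(32) and store it away from the guest network.
MASTER_SECRET = b"constructed-demo-secret-do-not-reuse"


def week_label(day: datetime.date) -> str:
    """ISO year and week such as '2024-W03'; the label changes every Monday."""
    iso = day.isocalendar()
    return f"{iso[0]}-W{iso[1]:02d}"


def guest_psk(secret: bytes, day: datetime.date, groups: int = 4) -> str:
    """Derive the guest passphrase for the week containing `day`."""
    if not 2 <= groups <= 10:
        # 2..10 groups give 11..59 characters, inside the 8..63 character
        # range allowed for a WPA/WPA2 passphrase.
        raise ValueError("groups must be between 2 and 10")
    digest = hmac.new(secret, week_label(day).encode(), hashlib.sha256).digest()
    # Base32 uses only letters and the digits 2-7, so the key is easy to
    # read out and type on a phone; each 5-character group carries 25 bits.
    text = base64.b32encode(digest).decode().rstrip("=").lower()
    return "-".join(text[i * 5:(i + 1) * 5] for i in range(groups))


def rotation_sheet(secret: bytes, start: datetime.date, weeks: int):
    """Return (week label, passphrase) pairs for `weeks` weeks from `start`."""
    monday = start - datetime.timedelta(days=start.weekday())
    days = [monday + datetime.timedelta(weeks=n) for n in range(weeks)]
    return [(week_label(d), guest_psk(secret, d)) for d in days]


if __name__ == "__main__":
    for label, psk in rotation_sheet(MASTER_SECRET, datetime.date.today(), 4):
        print(label, psk)
```

Anyone holding the secret can compute every future key, so only the printed sheet, not the secret, belongs at the front desk.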
akalbfell (Author) commented:
Thanks for the very detailed response.
Question has a verified solution.
