

Security Options for Guest Access

Posted on 2011-10-27
Medium Priority
Last Modified: 2013-11-09
We are getting 3500 series access points and a 5508 controller with the plan of having 2 wireless networks, one for employees and one for guests.
Other than just setting a static WPA key, what are other options for securing that network? Ideally I would like to let the receptionist handle this. So a static WPA key would be fine if she could change it on a regular basis without our help.
Please include any additional hardware/software requirements we would need. Thanks.

Anyone needing access to the network would have to check in with the receptionist anyway.
Question by: akalbfell
LVL 18

Accepted Solution

jmeggers earned 2000 total points
ID: 37042647
My $0.02, the full monty would be to use a NAC solution in conjunction with a guest access server.  I'm most familiar with Cisco's offering in this area but I'm certain there are other similar offerings.  The receptionist could still issue credentials to guests (or employees can, it's flexible), but each guest would have their own individual authentication rather than just handing out a key that it's possible may not change very frequently.  NAC would allow you to control many aspects of the connection including what operating systems are allowed, but I would only seriously suggest that approach if you were already using (or deploying) a NAC solution for employees.  

If you're not going in the direction of a full NAC solution for employees, you can still use Cisco's guest server integrated with Cisco's WLC (using RADIUS) to issue time-limited guest credentials, track usage, etc. Full NAC is not a requirement.  See http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html.

However you decide to handle authentication, you want the VLAN associated with your guests to terminate in such a way that guests are not on the internal employee network. Whether that's into a firewall DMZ, or with a separate Internet connection, etc. is up to you.  If you do rely simply on a WAP key to authenticate guests, develop a rotating scheme to change the key periodically.  Daily is probably too frequent to be manageable, but weekly seems reasonable to me.  
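The weekly key rotation suggested in the answer above, sketched as an added example that is not part of the original post or any Cisco tooling. The function names, the 16-character default and the Monday-to-Sunday window are assumptions; setting the new key on the controller is not shown.

```python
import math
import secrets
from datetime import date, timedelta

# Assumed alphabet: look-alike characters (0/O, 1/l/I) are left out so the
# receptionist can read the key off a card without transcription errors.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
WPA_MIN, WPA_MAX = 8, 63  # WPA/WPA2-PSK passphrase length limits


def new_guest_psk(length=16):
    """Return a random passphrase drawn from the OS CSPRNG."""
    if not WPA_MIN <= length <= WPA_MAX:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length):
    """Entropy of a uniformly random passphrase of this length."""
    return length * math.log2(len(ALPHABET))


def rotation_window(day):
    """Monday and Sunday of the week containing `day`."""
    start = day - timedelta(days=day.weekday())
    return start, start + timedelta(days=6)


def rotation_due(last_rotated, today):
    """True once `today` falls in a later week than the last rotation."""
    return rotation_window(today)[0] > rotation_window(last_rotated)[0]


def weekly_card(today, length=16):
    """Build the record the front desk hands out for the current week."""
    start, end = rotation_window(today)
    psk = new_guest_psk(length)
    # Groups of four are easier to read aloud; the spaces are not part of the key.
    display = " ".join(psk[i:i + 4] for i in range(0, len(psk), 4))
    return {"psk": psk, "display": display,
            "valid_from": start, "valid_until": end}


if __name__ == "__main__":
    card = weekly_card(date.today())
    print(f"Guest key {card['display']} valid "
          f"{card['valid_from']} to {card['valid_until']} "
          f"(~{entropy_bits(len(card['psk'])):.0f} bits)")
```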

Author Closing Comment

ID: 37044814
Thanks for the very detailed response.
