Corporate WiFi (hotspot), unified passwords (across Google Apps/WiFi/Etc)

Happy Friday all,

The primary reason for this EE Q is to address our challenge with WiFi security. We are a small start-up with a mix of Linux, Mac, and Windows 7 workstations, as well as a handheld BYOD policy (iPhones and Android). We rely on a wired network as well; about 40% of our devices are connected to 2 WiFi routers.

The primary problem to solve is that we all share a single WiFi password... this is not good for security... and because we often have guests, we need to change this password on a regular basis (which makes this problem worse).

Ideally, we would like to have a unified password system (overall goal) - accessible from a central console. But at the moment (if it makes sense), we need to link our Google Apps passwords to our WiFi for authentication. This first priority would allow regular users to authenticate themselves using their current Google Apps password AND allow us to give limited-time passwords to guests that require access to the WiFi network.

Because we are a Microsoft Partner, we have access to the entire Microsoft suite so, if necessary, we can build a Microsoft server with Active Directory or whatever is required. I mention this because sometimes the Linux solutions are not cross-platform compatible and whatever solution we use must not be limited to certain equipment.

We are willing to consider commercial solutions, as long as the solution involves only a one-time fee. Ideally though, we would like to accomplish this with the software and hardware we already have.

Hopefully, I have given enough information to properly illustrate our WiFi challenge.

Thank you so much for your tips, step-by-step solutions, or any wisdom you can offer.
S Connelly, Technical Writer, asked:

What type of WiFi APs do you have?

If they support VLANs and multiple SSIDs then you should not have a problem.

You can set up a "Guest" SSID and have a single "password" and then set up an "employee" SSID for which you should be able to use Windows AD for authentication. However, this does all depend on what WiFi APs you have.
S Connelly, Technical Writer (Author), commented:
Hello, thank you for your response.
We are using an ASUS RT-N66U Dark Knight. Yes, I believe it does support more than one SSID and VLANs.

But what about unifying passwords across Google Apps and using the same authentication on the WiFi?

If you know of any instructions or can provide tips on how to get there... what I need to know, etc., much appreciated.

S Connelly, Technical Writer (Author), commented:
I suppose the other term I should use is single sign-on. But again, the solution must be either free or a one-time cost product.

I took a quick look at the ASUS RT-N66U and it does not seem to be a "corporate" level AP, meaning it is really for home or small office use.

It does not seem to support any type of external security, only pass phrase keys.

As for multiple SSIDs, it looks like it can support a unique SSID for 2.4 GHz and a unique SSID for 5 GHz, or you can have the same SSID for both. But it really does not support multiple SSIDs to different VLANs/IP subnets.

You can set up a Guest LAN also, which restricts guests to being able to access the Internet only; they can't access your internal network at all.

If you want external security you will need to get a different AP that supports external security using LDAP, RADIUS, LEAP or something else. These APs will be quite expensive, USD $1,000 and up, and some require an external Wireless Controller.
S Connelly, Technical Writer (Author), commented:
Hello thank you.
I'm looking into whether or not re-flashing the AP with one of the available open source mods will give us what we require.
you can use a low wifi security and authenticate each client using an http redirect. many firewalls can do this.

if you need integration with wifi security, a tool such as chillispot should be able to help because it can forward the passwords given through WPA to a radius server. either have the radius server use google SSO as a backend, or create an authentication plugin for chillispot that will do the same (should only be a few lines)
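
The guest half of the HTTP-redirect approach suggested above, shown as an added example that is not part of the original thread or of any product named in it: a portal backend can hand guests a signed, time-limited voucher instead of the shared WiFi password. The function names, the `guest.expiry.tag` format and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample key (assumption). In practice generate it with
# secrets.token_bytes(32) and keep it only on the portal host.
PORTAL_KEY = b"constructed-sample-key-not-for-production"


def _sign(key: bytes, payload: str) -> str:
    """Return a 16-character base32 tag (80 bits of HMAC-SHA256)."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode()


def issue_voucher(key: bytes, guest: str, ttl_seconds: int, now=None) -> str:
    """Build 'guest.expiry.tag', where expiry is a Unix timestamp."""
    if "." in guest:
        raise ValueError("guest name must not contain '.'")
    now = int(time.time()) if now is None else int(now)
    payload = f"{guest}.{now + ttl_seconds}"
    return f"{payload}.{_sign(key, payload)}"


def verify_voucher(key: bytes, voucher: str, now=None):
    """Return the guest name if the voucher is authentic and unexpired."""
    now = int(time.time()) if now is None else int(now)
    parts = voucher.split(".")
    if len(parts) != 3:
        return None
    guest, expiry_text, tag = parts
    if not (expiry_text.isascii() and expiry_text.isdigit()):
        return None
    expected = _sign(key, f"{guest}.{expiry_text}")
    # Constant-time comparison; check the tag before trusting the expiry.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    if now >= int(expiry_text):
        return None
    return guest
```

Because the expiry is covered by the tag, a guest cannot extend a voucher by editing the timestamp, and rotating the portal key invalidates every outstanding voucher at once.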

S Connelly, Technical Writer (Author), commented:
Sorry all, I've been so busy with other projects. I'd like to tackle this a bit later. I'll revisit this EE Q over this weekend.

Thanks for your patience.
S Connelly, Technical Writer (Author), commented:
I [sort of] found the problem and everything works now.

What I did was simply turn off all unnecessary network protocols and features. After unchecking a bunch of items, I was left with:
Client for Microsoft Networks
File and Printer sharing...
Internet Protocol Version 4 (TCP/IPv4)

I don't know which specific item or items caused my troubles but all the troubles are gone now. I'll revisit this later to determine the cause.

how is that related to your original question ?
did you post in the wrong thread ?
S Connelly, Technical Writer (Author), commented:
skullnobrains: You are correct. I have two EE Qs open and well...

I wish EE allowed us to delete our own posts.
S Connelly, Technical Writer (Author), commented:
I solved this Q using a different method so thank you to all that helped!

But what I did was very similar to skullnobrains' suggestion.

Thank you all.
<off topic>
you cannot delete questions yourself, but
- you can ask for the question to be deleted with point refund in which case an automated process will delete the question after a few days if nobody objects, or the question will be moderated if someone does
- you can describe your own answer and accept it which does not cost points either but keeps the question in the database

feel free to post your answer anyway. if you found something that authenticates with WPA or whatever wifi authentication you use other than chillispot, i'm interested

best regards