wireless access point -- business

Currently the business I work for is all WIRED, but I want to plug some wireless access points into each building since some buildings are 2,000+ feet away from each other.

Possible Requirements
   1. set up GUEST network with individual user/pass for each GUEST
   2. set up WORKER network with individual user/pass for each WORKER
   3. possible RIGHTS to LIMIT each wireless user so they don't take up ALL my bandwidth
   4. ONE "website management" interface for the 10+ access points across buildings

What "access points" do you recommend?

pergr Commented:
Since you do not want to manually configure each AP for each guest, you should consider a system with a central controller.

Also, if you use a central controller, then you can "tunnel" all the guest connections to the controller, and give them internet from there, so that you do not need to create a guest VLAN across the campus.

One option is to get a FortiGate firewall, since these can also function as controllers for FortiAP access points. Then you get to configure both firewall and APs in one place.

Since it is a small deployment, any other controller based system should probably have the controller running as a VM on VMWare, in order to keep the costs down. I know Juniper does this - perhaps others too.

Other options are "cloud based" controllers, like the service from ADTRAN.
btan (Exec Consultant) Commented:
You are likely segmenting out the various segments within the wireless for different purposes, and I suppose you have some sort of different SSID associated with those segments - I don't think it is optimal for each segment n/w to have one user, or one guest or one worker/vendor; tough to scale up. Also needed is one WLAN controller to aggregate and manage all the APs, which minimally has PEAP/CHAPv2 for user/password; it is more secure for EAP/TLS1.2...

A wireless controller can have its internal user database to check identity, but likely you are looking at an external identity user db. So RADIUS will come in minimally (or something like Microsoft NPS) and is needed for the authentication part, which then helps to assign the necessary segment n/w LAN. Most of the time it is a web portal to key in credentials and from there spawn off to various segments.

Some candidates for quick deployment include
 - Cisco Unified Wireless Guest Access Services that is self-contained and does not require any external platforms to perform access control, web portal, or AAA services. Also, an external RADIUS server can be used to authenticate guest users in place of creating and storing guest credentials locally. The Cisco wireless FAQ helps to list the various components necessary, including making the router wireless etc., and also other controllers that can be used to support guest access in the unsecured network area

Other WLC features are available here

Q. What are the various options available to access the WLC?
    A. This is the list of options available to access the WLC:
        GUI access with HTTP or HTTPS
        CLI access with Telnet, SSH, or console access
        Access through service port

Q. How are guest users handled by WLC?
    A. Guest users are third-party network users, who need limited access to the network resources and internet connectivity. WLC provides wireless and wired guest access using the existing wireless network infrastructure. Usually a separate SSID is provided for wireless guest users. Guest users on both the wired and wireless networks are assigned separate VLANs, which provides isolation of guest traffic from the rest of the data traffic. This provides better control over the guest traffic and greater network security. Guest users are usually authenticated through Web authentication.

Q. Does the wireless LAN controller (WLC) locally support EAP-PEAP authentication?
    A. Through version 4.1, PEAP is not supported locally on the WLC. You need an external RADIUS server. With WLC version 4.2 and later versions, local EAP now supports PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication.

In terms of rate limiting, there is the basic QoS role to limit the bandwidth of guest clients. There are certain Cisco IOS versions that support micro policing that allows for granular rate limiting in both the upstream and downstream directions.

lherrou Commented:
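
The RADIUS-driven segment assignment described in the post above, sketched as a FreeRADIUS `users` file. This is an added example, not part of the original post or any vendor's documentation; FreeRADIUS as the server, the usernames, the passwords and VLAN IDs 20 and 30 are assumptions, and the controller or AP must honor the RFC 3580 tunnel attributes for dynamic VLAN assignment.

```conf
# FreeRADIUS "users" file fragment (constructed sample data throughout).
# Each person has an individual credential; the Access-Accept reply
# carries the RFC 3580 tunnel attributes that tell the controller/AP
# which VLAN to place the session in.

# --- WORKER accounts: placed on the internal wireless VLAN (assumed ID 20)
alice   Cleartext-Password := "constructed-worker-secret-1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

bob     Cleartext-Password := "constructed-worker-secret-2"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# --- GUEST accounts: isolated guest VLAN (assumed ID 30) with a bounded
# session, so a guest credential stops working after 8 hours
# (28800 seconds) unless the guest re-authenticates.
guest-0412  Cleartext-Password := "constructed-guest-secret-1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30",
        Session-Timeout = 28800

# --- Fail closed: any identity not listed above is rejected instead of
# landing on a default VLAN.
DEFAULT Auth-Type := Reject
        Reply-Message = "Unknown wireless account"
```

In a real deployment the accounts would normally come from an external directory rather than this flat file, with the same reply attributes attached per group.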

I'd take a look at the products offered by Open-Mesh (http://www.open-mesh.com/) in combination with the free Cloudtrax (https://www.cloudtrax.com) to manage your wireless net.

The Open-Mesh access points are inexpensive, and can be powered locally at each access point or by passive PoE (if you are already using PoE, make sure your injector is compatible with the Open-Mesh products).

Cloudtrax allows you to set up both a public and a private wireless net, both running through the same access points. The private net will be configured with a standard single password for any user; the public one can be configured to require accepting "terms and conditions", or force users to obtain unique tokens (by purchase or provided by you) to access the network. You can set the total up/down bandwidth for each public user, the duration they may use the net without reaccepting terms and conditions / providing a new token, etc.

btan (Exec Consultant) Commented:
Something I missed out is the use of a Wireless Bridge or Outdoor Access Point/Bridge (some examples), and also the meshed AP network, which consists mainly of Root access points (RAP) and Mesh access points (MAP). Normally all access points are configured and shipped as mesh access points. To use an access point as a root access point, you must reconfigure the mesh access point to a root access point. In all mesh networks, ensure that there is at least one root access point.

The RAPs have wired connections to their controller, and the MAPs have wireless connections to their controller. MAPs communicate among themselves and back to the RAP using wireless connections over the 802.11a radio backhaul. MAPs will have to determine the best path through the other mesh access points to the controller to avoid loops and latency esp critical for long range n/w.
Aaron Tomosky (SD-WAN Simplified) Commented:
For hardware I prefer software based controllers like unifi http://www.ubnt.com/unifi
Or meraki
Question has a verified solution.
