Solved

Unifi

Posted on 2016-08-23
17
42 Views
Last Modified: 2016-09-09
Good day all, I would like to set up a wireless environment that will be able to access the Data network. The reason for this is an inventory application that I need to access via notebook (wireless) in a warehouse. Along with security of course.

I have purchased Unifi AP LR and ToughSwitch.

While configuring, I found that the AP doesn't publish leased IPs to clients, so do I acquire an IP from the DATA network server and pass it through to the APs?

Please keep security in mind. Is this the correct method, or do I need to inject a Security Gateway device?

The ToughSwitch is the only managed device.
0
Question by:IBSIT
17 Comments
 

Author Comment

by:IBSIT
ID: 41767826
Here is the diagram
Wifi.jpg
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41768680
What type of environment is it, Active Directory? Will other devices need to access the wireless, but not internal systems?

In an ideal case, you could implement something like 802.1x, a guest wireless network, and multiple VLANs.
0
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 250 total points
ID: 41769684
UniFi APs are nothing more than an access point.

You need to have a server (Windows, Linux or other) or a router/firewall that can provide such leases to your network devices.

Alternatively, you could use your UniFi controller to lease IP Addresses to your network.

Do you have a DHCP server?
0
 

Author Comment

by:IBSIT
ID: 41788308
The network has a DHCP server, in an Active Directory environment. How I have it right now is the uplink from the data network, retrieving a DHCP lease on the APs, and I am able to connect.
Security is a problem. Once the SSID and authentication have been given out, I am a little worried that compromise of the data network will be a possibility.
0
 
LVL 20

Assisted Solution

by:masnrock
masnrock earned 250 total points
ID: 41788319
While configuring, I found that the AP doesn't publish leased IPs to clients, so do I acquire an IP from the DATA network server and pass it through to the APs?

Yes.

For what you seem to want to do, that is a method that could work. However, there are things you can do to make the network even more secure. More details need to be shared, such as whether or not there is a domain in place. Also, we'd need to know if others might need to access the same application or other network resources wirelessly.
0
 

Author Comment

by:IBSIT
ID: 41788331
This is a domain setting, and yes, users need to access an inventory database housed on the network, wirelessly.
0
 
LVL 32

Accepted Solution

by:nappy_d
nappy_d earned 250 total points
ID: 41788884
I highly recommend you only use 1 DHCP server on your network; using more than one can potentially complicate your life (IMO).

I manage a client's AD and unifi AP network.

I only configured one DHCP Server to manage their Corporate network, Guest Network and a sub company that is on a completely separate vLAN.

DHCP is not the issue with wireless on your network.  If you have Windows, use a GPO to configure your wireless setting with 802.1x wireless settings.

At the end of the day, you are going to have to let staff know that their username and password are used for authentication.

The UniFi AP does not publish or store device leases; this is done by the UniFi application. Have you installed this on a server (Linux or Windows server)? You need this to manage your UniFi AP devices.

screenshot1
0
 

Author Comment

by:IBSIT
ID: 41789778
The problem is that the only managed device is the ToughSwitch; everything else is generic. So creating VLANs might be an issue. With regards to the GPO, I am assuming you want to authenticate, but what if the notebooks are using Home Edition, which cannot be attached to the domain?
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41789885
I lost the post I was going to put up yesterday, which mentioned a lot of things that nappy_d mentioned.

What type of router or firewall are you using? You might be able to implement the VLANs from there, and configure your AP(s) to have multiple wireless networks that are attached to different VLANs.

Is your AD server also the DHCP server, or is your firewall/router serving that role?

You should use 802.1X or RADIUS for authentication. You should be able to accomplish quite a bit through NPS on your server. Good question about how it interacts with Home Edition.
0
 

Author Comment

by:IBSIT
ID: 41789894
I may have a simple solution. I created a scope for all wireless users and blocked the internet. For anyone outside of the scope I created reservations so that they can access the internet. I may also use MAC filtering to allow internet. Will this work?
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41789941
Who falls in the scope, users not needing the application?

MAC filtering may work for your purpose since it seems to be a very small environment. How exactly are you utilizing it?
0
 

Author Comment

by:IBSIT
ID: 41789961
In the scope it has content filtering enabled to deny internet. MAC filtering will be for wireless users that need to have access to both.
0
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 250 total points
ID: 41790460
I would rethink Windows 10 Home Edition, as it's called that for a reason, and you may not get all of the enterprise-level management you would expect from Windows 10 Pro.

How many network switches do you have?  Can you post a diagram and their connectivity?

DHCP and filtering with MAC/IP address is not necessarily the best security for wireless.  MAC addresses can be spoofed.

Do you have the UniFi management appliance installed?
0
 

Author Comment

by:IBSIT
ID: 41790475
I posted a diagram earlier.
0
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 250 total points
ID: 41790566
Missed that :)

Bottom line; you need to replace that unmanaged switch with this or similar: https://www.amazon.com/NETGEAR-ProSAFE-JGS524E-Rackmount-JGS524Ev2/dp/B00GG1AD9A

That is the ONLY way you get to implement proper VLANs. MAC filtering is no security.

You've spent all that money on the UniFi APs and ToughSwitch; this additional switch is not that big of a stretch on the wallet.
0
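nappy_d's point that MAC filtering is no security (a MAC address can be spoofed, as the earlier post says) does not make the DHCP server's records useless: they are a cheap place to notice when an allowed MAC starts behaving like a different device, which is the one signal MAC/IP filtering can still give a defender. The script below is an added example, not from the thread; its log lines are constructed in the layout of the leading columns of a Windows DHCP server audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address), and the reservation table is likewise made up. It flags a reserved MAC that shows up with a hostname other than the one it was reserved for, any MAC seen under more than one hostname, and leases granted to MACs that have no reservation at all.

```powershell
# Added example (not from the thread). Cross-checks DHCP lease records against the
# reservation list so that an allowed MAC appearing as a different device is noticed.
# The log text and reservations below are constructed sample data, not real leases.

$SampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,09/01/16,08:02:11,Assign,192.168.50.21,WH-NB01.corp.example,00AABBCC0101
11,09/01/16,12:30:40,Renew,192.168.50.21,WH-NB01.corp.example,00AABBCC0101
10,09/01/16,13:05:02,Assign,192.168.50.22,WH-NB02.corp.example,00AABBCC0102
10,09/01/16,18:47:19,Assign,192.168.50.21,android-7f3e2c,00AABBCC0101
10,09/01/16,19:10:33,Assign,192.168.50.40,WH-SCANNER1,00AABBCC0909
'@

# MAC -> hostname as reserved on the DHCP server (constructed)
$Reservations = @{
    '00AABBCC0101' = 'WH-NB01.corp.example'
    '00AABBCC0102' = 'WH-NB02.corp.example'
}

function Find-LeaseAnomaly {
    param(
        [Parameter(Mandatory)] [string]$LogText,
        [Parameter(Mandatory)] [hashtable]$Reserved
    )
    $rows     = $LogText | ConvertFrom-Csv
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($group in ($rows | Group-Object -Property 'MAC Address')) {
        $mac   = $group.Name.ToUpper()
        $hosts = @($group.Group | Select-Object -ExpandProperty 'Host Name' -Unique)

        # One MAC, several hostnames: the "allowed" address is being used by more than one device
        if ($hosts.Count -gt 1) {
            $findings.Add([pscustomobject]@{
                Mac = $mac; Issue = 'MAC seen with multiple hostnames'; Detail = ($hosts -join ', ')
            })
        }

        if ($Reserved.ContainsKey($mac)) {
            # Reserved MAC presenting a hostname other than the one it was reserved for
            foreach ($h in $hosts) {
                if ($h -ne $Reserved[$mac]) {
                    $findings.Add([pscustomobject]@{
                        Mac = $mac; Issue = 'Reserved MAC used by unexpected host'
                        Detail = "$h (expected $($Reserved[$mac]))"
                    })
                }
            }
        } elseif ($group.Group | Where-Object { $_.ID -eq '10' }) {
            # ID 10 is a new lease: a MAC with no reservation got an address, so the allow-list is not enforced
            $findings.Add([pscustomobject]@{
                Mac = $mac; Issue = 'Lease granted to MAC without reservation'; Detail = ($hosts -join ', ')
            })
        }
    }
    return $findings
}

Find-LeaseAnomaly -LogText $SampleLog -Reserved $Reservations | Format-Table -AutoSize
```

On the sample data this reports 00AABBCC0101 twice (seen as both WH-NB01.corp.example and android-7f3e2c, and the second hostname is not the reserved one) and 00AABBCC0909 once (lease without a reservation). Point it at Get-Content of the real DhcpSrvLog-*.log files on the DHCP server and at the output of Get-DhcpServerv4Reservation to run it against live data; it is a detection aid for a small environment, not a substitute for the VLANs and 802.1X recommended above.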
 

Author Comment

by:IBSIT
ID: 41791288
Agreed. I thank you all for your advice. appreciate it.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 41791478
If you need help with the configuration, DM me. I have several clients with this hardware.
1
