Unifi

Good day all, I would like to set up a wireless environment that will be able to access the data network. The reason for this is an inventory application that I need to access via notebook (wireless) in a warehouse. Along with security, of course.

I have purchased Unifi AP LR and ToughSwitch.

While configuring, I found that the AP doesn't publish leased IPs to clients, so do I acquire an IP from the DATA network server and pass it through to the APs?

Please keep security in mind. Is this the correct method, or do I need to inject a security gateway device?

The ToughSwitch is the only managed device.
IBSIT asked:

nappy_d commented:
I highly recommend you only use 1 DHCP server on your network; using more than one can potentially complicate your life (IMO).

I manage a client's AD and unifi AP network.

I only configured one DHCP Server to manage their Corporate network, Guest Network and a sub company that is on a completely separate vLAN.

DHCP is not the issue with wireless on your network. If you have Windows, use a GPO to configure your wireless settings with 802.1X wireless settings.

At the end of the day, you are going to have to let staff know that their username and password are used for authentication.

The UniFi AP does not publish or store device leases; this is done by the UniFi application. Have you installed this on a server (Linux or Windows Server)? You need this to manage your UniFi AP devices.

screenshot1
0
 
IBSIT (author) commented:
Here is the diagram
Wifi.jpg
0
 
masnrock commented:
What type of environment is it, Active Directory? Will other devices need to access the wireless, but not internal systems?

In an ideal case, you could implement something like 802.1X, a guest wireless network, and multiple VLANs.
0
nappy_d commented:
UniFi APs are nothing more than an access point.

You need to have a server (Windows, Linux or other) or a router/firewall that can provide such leases to your network devices.

Alternatively, you could use your UniFi controller to lease IP addresses to your network.

Do you have a DHCP server?
0
 
IBSIT (author) commented:
The network has a DHCP server, in an Active Directory environment. How I have it right now is the uplink from the data network, retrieving a DHCP lease on the APs, and I am able to connect.
Security is a problem. Once the SSID and authentication have been given out, I am a little worried that compromise of the data network will be a possibility.
0
 
masnrock commented:
"While configuring, I found that the AP doesn't publish leased IPs to clients, so do I acquire an IP from the DATA network server and pass it through to the APs?"

Yes.

For what you seem to want to do, that is a method that could work. However, there are things you can do to make the network even more secure, but more details need to be shared, such as whether or not there is a domain in place. Also, we'd need to know if others might need to access the same application or other network resources wirelessly.
0
 
IBSIT (author) commented:
This is a domain setting, and yes, users need to access an inventory database housed on the network, wirelessly.
0
 
IBSIT (author) commented:
The problem is that the only managed device is the ToughSwitch; everything else is generic. So creating VLANs might be an issue. With regards to the GPO, I am assuming you want to authenticate, but what if the notebooks are using Home Edition, which cannot be joined to the domain?
0
 
masnrock commented:
I lost the post I was going to put up yesterday, which mentioned a lot of things that nappy_d mentioned.

What type of router or firewall are you using? You might be able to implement the VLANs from there, and configure your AP(s) to have multiple wireless networks that are attached to different VLANs.

Is your AD server also the DHCP server, or is your firewall/router serving that role?

You should use 802.1X or RADIUS for authentication. You should be able to accomplish quite a bit through NPS on your server. Good question about how it interacts with Home Edition.
0
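The 802.1X/RADIUS path suggested above makes the AP a RADIUS client (NAS) of the NPS server, and both sides have to hold the same shared secret. The Python below is an added example (not code from this thread, from Ubiquiti or from Microsoft) that models that exchange offline per RFC 2865/2869: the AP builds an Access-Request with a hidden User-Password and an HMAC-MD5 Message-Authenticator, the server verifies the authenticator, reveals the password, and answers with an Access-Accept or Access-Reject whose Response Authenticator the AP checks. A real 802.1X exchange carries EAP-Message attributes instead of User-Password, but the shared-secret checks shown here are the same. The user name, password, addresses and secret are constructed for the demo.

```python
"""RADIUS Access-Request/Access-Accept exchange between a wireless AP (NAS)
and a RADIUS server such as Windows NPS, modelled offline per RFC 2865/2869.
Added example; not code from the thread, Ubiquiti or Microsoft."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 31, 80


def _attr(atype, value):
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: each block is keyed on the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def parse_attrs(pkt):
    """Map attribute type -> (offset in packet, value); offset lets us zero a field in place."""
    attrs, pos = {}, 20
    while pos < len(pkt):
        atype, alen = struct.unpack("!BB", pkt[pos:pos + 2])
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        attrs[atype] = (pos, pkt[pos + 2:pos + alen])
        pos += alen
    return attrs


def build_access_request(secret, ident, username, password, nas_ip, client_mac, authenticator=None):
    """What the AP sends to NPS. A random 16-byte Request Authenticator keys the password hiding."""
    req_auth = authenticator or os.urandom(16)
    attrs = [
        _attr(USER_NAME, username.encode()),
        _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        _attr(CALLING_STATION_ID, client_mac.encode()),
        _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder, filled below
    ]
    body = b"".join(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    # RFC 2869 3.2: HMAC-MD5 over the whole packet with the attribute value zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def radius_server(secret, users, pkt):
    """NPS side: check Message-Authenticator first, then credentials; returns the reply packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth = pkt[4:20]
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("malformed request")
    attrs = parse_attrs(pkt)
    if MESSAGE_AUTHENTICATOR not in attrs:
        raise ValueError("Message-Authenticator required")
    off, mac = attrs[MESSAGE_AUTHENTICATOR]
    zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
    if not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
        raise ValueError("bad Message-Authenticator: wrong shared secret or tampered packet")
    user = attrs[USER_NAME][1].decode()
    password = reveal_password(attrs[USER_PASSWORD][1], secret, req_auth)
    reply = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    hdr = struct.pack("!BBH", reply, ident, 20)  # no reply attributes, so Length is 20
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()


def verify_response(secret, req_auth, resp):
    """AP side: returns the reply code if the Response Authenticator is valid, else None."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[0] if hmac.compare_digest(resp[4:20], expected) else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"           # configured on both the AP and NPS
    users = {"warehouse01": b"Inv3ntory!"}          # constructed account, stands in for AD
    auth = os.urandom(16)
    req = build_access_request(secret, 7, "warehouse01", "Inv3ntory!", "192.0.2.10", "AA-BB-CC-DD-EE-FF", auth)
    print("reply code:", verify_response(secret, auth, radius_server(secret, users, req)))
```

A request built with one secret and checked with another fails at the Message-Authenticator step before any account is looked up, which is why the RADIUS client entry for the AP in NPS and the RADIUS profile in the UniFi controller must carry exactly the same secret.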
 
IBSIT (author) commented:
I may have a simple solution. I created a scope for all wireless users and blocked the internet; for anyone outside of the scope I created reservations so that they can access the internet. I may also use MAC filtering to allow internet. Will this work?
0
 
masnrock commented:
Who falls in the scope, users not needing the application?

MAC filtering may work for your purpose since it seems to be a very small environment. How exactly are you utilizing it?
0
 
IBSIT (author) commented:
In the scope, it has content filtering enabled to deny internet. MAC filtering will be for wireless users that need to have access to both.
0
 
nappy_d commented:
I would rethink Windows 10 Home edition, as it's called that for a reason, and you may not get all of the enterprise-level management you would expect from Windows 10 Pro.

How many network switches do you have?  Can you post a diagram and their connectivity?

DHCP and filtering with MAC/IP addresses is not necessarily the best security for wireless. MAC addresses can be spoofed.

Do you have the UniFi management appliance installed?
0
 
IBSIT (author) commented:
I posted a diagram earlier.
0
 
nappy_d commented:
Missed that :)

Bottom line; you need to replace that unmanaged switch with this or similar: https://www.amazon.com/NETGEAR-ProSAFE-JGS524E-Rackmount-JGS524Ev2/dp/B00GG1AD9A

That is the ONLY way you get to implement proper VLANs. MAC filtering is no security.

You've spent all that money on the UniFi APs and ToughSwitch; this additional switch is not that big of a stretch on the wallet.
0
 
IBSIT (author) commented:
Agreed. I thank you all for your advice; I appreciate it.
0
 
nappy_d commented:
If you need help with the configuration, DM me. I have several clients with this hardware.
1