Solved

Unifi

Posted on 2016-08-23
Last Modified: 2016-09-09
Good day all, I would like to set up a wireless environment that will be able to access the Data network. The reason for this is an inventory application that I need to access via notebook (wireless) in a warehouse. Along with security of course.

I have purchased Unifi AP LR and ToughSwitch.

While configuring, I found that the AP doesn't publish leased IPs to clients, so I acquire an IP from the DATA network Server and pass it through to the APs?

Please keep security in mind. Is this the correct method or do I need to inject a Security Gateway Device?

The ToughSwitch is the only managed device.
0
Question by:IBSIT
17 Comments
 

Author Comment

by:IBSIT
ID: 41767826
Here is the diagram
Wifi.jpg
0
 
LVL 29

Expert Comment

by:masnrock
ID: 41768680
What type of environment is it, Active Directory? Will other devices need to access the wireless, but not internal systems?

In an ideal case, you could implement something like 802.1x, a guest wireless network, and multiple VLANs.
0
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 250 total points
ID: 41769684
UniFi APs are nothing more than an access point.

You need to have a server (Windows, Linux or other) or a router/firewall that can provide such leases to your network devices.

Alternatively, you could use your UniFi controller to lease IP Addresses to your network.

Do you have a DHCP server?
0

 

Author Comment

by:IBSIT
ID: 41788308
The network has a DHCP Server. In an Active Directory Environment. How I have it right now is the uplink from the data network, retrieving a DHCP lease on the APs, and I am able to connect.
Security is a problem. Once the SSID and Authentication have been given out, I am a little worried that compromise of the data network will be a possibility.
0
 
LVL 29

Assisted Solution

by:masnrock
masnrock earned 250 total points
ID: 41788319
While configuring, I found that the AP doesn't publish leased IPs to clients, so I acquire an IP from the DATA network Server and pass it through to the APs?

Yes.

For what you seem to want to do, that is a method that could work. However, there are things you can do to make the network even more secure. However, more details need to be shared, such as whether or not there is a domain in place. Also, we'd need to know if others might need to access the same application or other network resources wirelessly.
0
 

Author Comment

by:IBSIT
ID: 41788331
This is a Domain setting and yes, users need to access an inventory database housed on the network, wirelessly.
0
 
LVL 32

Accepted Solution

by:nappy_d
nappy_d earned 250 total points
ID: 41788884
I highly recommend you only use 1 DHCP server on your network but using more than one can potentially complicate your life (IMO).

I manage a client's AD and unifi AP network.

I only configured one DHCP Server to manage their Corporate network, Guest Network and a sub company that is on a completely separate vLAN.

DHCP is not the issue with wireless on your network.  If you have Windows, use a GPO to configure your wireless setting with 802.1x wireless settings.

At the end of the day, you are going to have to let staff know that their username and password are used for authentication.

The UniFi AP does not publish or store device leases; this is done by the UniFi application. Have you installed this on a server (Linux or Windows server)? You need this to manage your UniFi AP devices.

screenshot1
0
 

Author Comment

by:IBSIT
ID: 41789778
The problem is that the only managed device is the ToughSwitch, everything else is generic. So creating vLANs might be an issue. With regards to the GPO, I am assuming you want to authenticate, but what if the notebooks are using Home Edition that cannot be attached to the domain?
0
 
LVL 29

Expert Comment

by:masnrock
ID: 41789885
I lost the post I was going to put up yesterday, which mentioned a lot of things that nappy_d mentioned.

What type of router or firewall are you using? You might be able to implement the VLANs from there, and configure your AP(s) to have multiple wireless networks that are attached to different VLANs.

Is your AD server also the DHCP server, or is your firewall/router serving that role?

You should use 802.1X or RADIUS for authentication. You should be able to accomplish quite a bit through NPS on your server. Good question about how it interacts with Home Edition.
0
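One way to start the NPS side of the 802.1X/RADIUS setup suggested above, as an added example that is not part of the original thread: it installs the NPS role, registers it in the domain and adds each access point as a RADIUS client. The AP names and addresses are constructed placeholders, and a single shared secret is used on the assumption that the controller pushes one RADIUS secret per wireless network to all APs; the network policy (PEAP, allowed AD group) still has to be created in the NPS console.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on the Windows Server that will host NPS.
# AP names and addresses are constructed placeholders, not values from the thread.
$accessPoints = @(
    @{ Name = 'UAP-LR-Warehouse-1'; Address = '192.0.2.11' },
    @{ Name = 'UAP-LR-Warehouse-2'; Address = '192.0.2.12' }
)

# 1. Install the Network Policy Server role if it is not present yet.
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}
Import-Module NPS

# 2. Register NPS in its default domain so it can read users' dial-in
#    properties (requires domain admin rights).
netsh nps add registeredserver | Out-Null

# 3. Generate a long random shared secret from the OS CSPRNG.
function New-SharedSecret {
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    # Hex output avoids characters that some RADIUS client UIs reject.
    return -join ($buf | ForEach-Object { $_.ToString('x2') })
}
$secret = New-SharedSecret

# 4. Register each AP by its own address rather than a whole subnet, so a
#    device elsewhere on the LAN cannot act as a RADIUS client.
$existing = @(Get-NpsRadiusClient | ForEach-Object { $_.Name })
foreach ($ap in $accessPoints) {
    if ($existing -contains $ap.Name) {
        Write-Warning "$($ap.Name) is already registered; skipping."
        continue
    }
    New-NpsRadiusClient -Name $ap.Name -Address $ap.Address `
        -SharedSecret $secret | Out-Null
}

# 5. Show the result and print the secret once, for entry in the controller's
#    WPA-Enterprise (RADIUS) settings of the SSID. Store it in a password vault.
Get-NpsRadiusClient | Format-Table Name, Address -AutoSize
Write-Host "RADIUS shared secret: $secret"
```

With this in place, access to the wireless network depends on each user's domain credentials rather than on a passphrase or MAC list that can be handed around.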
 

Author Comment

by:IBSIT
ID: 41789894
I may have a simple solution. I created a scope for all wireless users and blocked the internet; for anyone outside of the scope I created reservations so that they can access the internet. I may also use MAC filtering to allow internet. Will this work?
0
 
LVL 29

Expert Comment

by:masnrock
ID: 41789941
Who falls in the scope, users not needing the application?

MAC filtering may work for your purpose since it seems to be a very small environment. How exactly are you utilizing it?
0
 

Author Comment

by:IBSIT
ID: 41789961
In the scope it has content filtering enabled to deny internet. MAC filtering will be for Wireless users that need to have access to both.
0
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 250 total points
ID: 41790460
I would rethink Windows 10 Home edition as it's called that for a reason and you may not get all of the Enterprise level management as you would expect from Windows 10 Pro.

How many network switches do you have?  Can you post a diagram and their connectivity?

DHCP and filtering with MAC/IP address is not necessarily the best security for wireless.  MAC addresses can be spoofed.

Do you have the UniFi management appliance installed?
0
 

Author Comment

by:IBSIT
ID: 41790475
I posted a diagram earlier.
0
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 250 total points
ID: 41790566
Missed that :)

Bottom line; you need to replace that unmanaged switch with this or similar: https://www.amazon.com/NETGEAR-ProSAFE-JGS524E-Rackmount-JGS524Ev2/dp/B00GG1AD9A

That is the ONLY way you get to implement proper vLANs.  MAC filtering is no security.

You've spent all that money on the UniFi APs and ToughSwitch; this additional switch is not that big of a stretch on the wallet.
0
 

Author Comment

by:IBSIT
ID: 41791288
Agreed. I thank you all for your advice. Appreciate it.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 41791478
If you need help with the configuration, DM me. I have several clients with this hardware.
1

Question has a verified solution.