How to enable wireless guest network in Cisco Wireless AP

Dear experts, I will be placing 2 wireless Cisco 1831 APs in my network. It's a simple network with an ASA and a Cisco 2960 switch. I intend to assign an interface in the ASA for the wireless network. My ASA will be the DHCP server for wireless clients. Is there any way I can create 2 SSIDs? 1 for internal use and 1 for guest? Guest will have direct access to the internet only.
Asked by: totallypatrick
 
Gareth Tomlinson CISSP, Network and Security Manager, commented:
Yes, VLAN 100 can be native.
 
Gareth Tomlinson CISSP, Network and Security Manager, commented:
Yes, it is very simple to set up 2 SSIDs: match the VLAN with the existing network for the internal users, and create a new VLAN for the guest users.
Set your switch ports for the AP as trunk ports for the 2 VLANs and connect the ASA interfaces to the same VLANs.
 
totallypatrick (Author) commented:
Thanks Gareth. How does DHCP work in this case? I do not have any Windows Server in my network. I'm thinking of using the ASA to assign the IP addresses. Say VLAN 1 is 192.168.30.0 for the internal network and VLAN 2 is 192.168.40.0 for the guest network. Can the ASA assign the IP addresses for both VLANs? Do I create sub-interfaces on the ASA to do that?

Can I set up the trunk on my AP using the GUI interface? I am not really familiar with the CLI.
 
Gareth Tomlinson CISSP, Network and Security Manager, commented:
Hi,
DHCP is set up on the SSID setup on the AP; just tell it the IP address of the DHCP server, in this case the ASA.
The ASA can assign DHCP for both networks; just set up 2 scopes in the DHCP server section.
Remember DNS for the internet: use your local ISP DNS or Google 8.8.8.8 and 8.8.4.4.
Don't create subinterfaces if you don't need to; use 2 separate interfaces on the ASA and assign a scope to each, it is simpler. The switch needs a port in each VLAN for the ASA, of course.
The AP will set up a trunk; the GUI will do everything you need. I haven't used a CLI on an AP for years!
 
totallypatrick (Author) commented:
Hi Gareth, to be sure I got you right. Since this is a small office, I only have a 2960-X layer 2 switch. No layer 3 switch.

i) I will assign 2 physical interfaces (internal and guest network) on the ASA to be connected to the switch. No trunking is needed between the ASA and the switch.
ii) Create 2 separate VLANs on the switch: VLAN 100 for the internal network (wired and wireless) and VLAN 200 for the guest network (wireless).
iii) Assign 1 port on the switch to be set up as a trunk to be connected to the AP. The trunk will carry VLAN 100 and VLAN 200.
iv) Create VLAN 100 and VLAN 200 in the AP. Do I create 2 different SSIDs on the AP and map each SSID to the corresponding VLAN?
v) Activate the DHCP server feature on the 2 interfaces.
 
Gareth Tomlinson CISSP, Network and Security Manager, commented:
Exactly right, Patrick. For part iv, yes, you map the VLAN to the SSID.
Layer 3 is not needed on the switch; the ASA will route for both VLANs.
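
An added example, not part of the thread and not either participant's own configuration: the ASA side of the plan confirmed above, with one DHCP scope per physical interface and the guest network held to internet-only access. The subnets are the 192.168.30.0 and 192.168.40.0 examples from the thread; the interface numbers, nameif names, pool ranges, ACL and object names, and an already-configured interface named outside are assumptions.

```cisco
! Constructed example for an ASA with routed physical ports.
! Interface numbers, names and pool ranges are assumptions.
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/3
 nameif guest
 ! Lower level than inside: guest-to-inside is denied by default
 security-level 10
 ip address 192.168.40.1 255.255.255.0
 no shutdown
!
! One DHCP scope per interface (internal VLAN 100, guest VLAN 200)
dhcpd address 192.168.30.50-192.168.30.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
dhcpd address 192.168.40.50-192.168.40.200 guest
dhcpd dns 8.8.8.8 8.8.4.4 interface guest
dhcpd enable guest
!
! Make the guest policy explicit: no internal subnet, everything else allowed
access-list GUEST_IN extended deny ip any 192.168.30.0 255.255.255.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
!
! PAT guest clients out of the assumed existing outside interface
object network GUEST_NET
 subnet 192.168.40.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! Checks after applying:
!   show dhcpd binding
!   packet-tracer input guest tcp 192.168.40.50 12345 192.168.30.10 445
```

Interface ACLs do not govern traffic to the ASA itself, so keep the guest subnet out of the `ssh` and `http` management access lists as well.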
 
totallypatrick (Author) commented:
Thanks Gareth. Do I just configure the VLANs on the switch as follows?

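Switch# configure terminal
Switch(config)# vlan 100
Switch(config-vlan)# name internal
Switch(config-vlan)# exit

Switch(config)# vlan 200
Switch(config-vlan)# name wireless
Switch(config-vlan)# exit

! The 2960 trunks with 802.1Q only, so no encapsulation command is needed;
! the port must be set to trunk mode and limited to the two VLANs.
Switch(config)# int gi0/2
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 100,200
Switch(config-if)# exit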

ip route 0.0.0.0 0.0.0.0 192.168.100.1

In the AP:

I will create VLAN IDs 100 and 200, then under SSID Manager I will create 2 separate SSIDs and map each to the corresponding VLAN. Is this all there is to it for the AP? Is there a place in the AP's GUI that lets us specify that the link is a trunk?
 
Gareth Tomlinson CISSP, Network and Security Manager, commented:
All looks good. When you create the VLANs on the AP, it automatically makes the network link a trunk; don't worry.
 
totallypatrick (Author) commented:
Hi Gareth, 1 last question. Is it necessary to configure a native VLAN on the AP, or can VLAN 100 be the native VLAN for management?
 
totallypatrick (Author) commented:
Many thanks for your help
Question has a verified solution.