Guest Account for Wireless in a Business

jerb

I've recently hit a snag in our deployment of a campus wide wireless network.

Our network is laid out such that our proxy servers hand out 172.16.xx.xx numbers to everyone. So anyone who plugs in to an outlet can put in their user name and password to access the internet (if they have group permissions). I've also set aside a small bank of eight 192.168.xx.xx numbers which we use for some of the accountants who come in annually; I just hardkey in the specific IP and bypass our proxy servers so that they don't need credentials on our network for internet access (and couldn't access network resources if they tried).

For our wireless network we're using Cisco 1130 access points, which support multiple SSIDs, VLANs, and IP forwarding. They're great (albeit expensive) pieces of hardware capable of much more than we use them for.

I'm looking for a way to allow guests to come in, connect to a "visitors" SSID, and get internet without letting them access our network resources or leaving it open so that our employees can use the guest account to bypass our security software.

In my opinion, the only way to accomplish this would be through a "portal": set up a server and, when a visitor is coming, make an account like (login=companyname password=month), then have the server dole out the 192.168.xx.xx numbers via DHCP.

Does this make sense? Does anyone have any good software recommendations? Is there another way to do this without the portal hassle?
 
Skip the portal stuff and just create a separate VLAN, only allow said VLAN access to the internet. On the 1200 APs you can map SSIDs to VLAN, I think. If so, map the guest SSID to the VLAN and you're done. If you want to encrypt it just use a WPA2 with a PSK and change it monthly or something.
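
An added example, not part of the thread and not anyone's production config: a first-match evaluator for checking the "only allow said VLAN access to the internet" rule before it goes on a router, reporting any part of the internal 172.16.xx.xx range a guest ACL would still permit. The rule lists are constructed, and 172.16.0.0/12 is an assumption for the internal range.

```python
import ipaddress

INTERNAL = "172.16.0.0/12"  # assumed to cover the thread's 172.16.xx.xx range

# Constructed guest-VLAN rule lists: (action, destination network), first match wins.
GOOD = [("deny", "172.16.0.0/12"), ("permit", "0.0.0.0/0")]
MISORDERED = [("permit", "0.0.0.0/0"), ("deny", "172.16.0.0/12")]
EXCEPTION = [("permit", "172.16.5.0/24"), ("deny", "172.16.0.0/12"),
             ("permit", "0.0.0.0/0")]


def parse(acl):
    return [(action, ipaddress.ip_network(net)) for action, net in acl]


def evaluate(acl, dst):
    """Action of the first rule matching dst; implicit deny if none match."""
    addr = ipaddress.ip_address(dst)
    for action, net in parse(acl):
        if addr in net:
            return action
    return "deny"


def exposed(acl, internal=INTERNAL):
    """Blocks of the internal network that the guest ACL permits."""
    remaining = [ipaddress.ip_network(internal)]  # not yet matched by any rule
    leaks = []
    for action, net in parse(acl):
        unmatched = []
        for block in remaining:
            if block.subnet_of(net):        # rule covers the whole block
                if action == "permit":
                    leaks.append(block)
            elif net.subnet_of(block):      # rule carves a piece out of it
                if action == "permit":
                    leaks.append(net)
                unmatched.extend(block.address_exclude(net))
            else:                           # CIDR blocks never partly overlap
                unmatched.append(block)
        remaining = unmatched
    return [str(n) for n in leaks]


if __name__ == "__main__":
    for name, acl in (("GOOD", GOOD), ("MISORDERED", MISORDERED),
                      ("EXCEPTION", EXCEPTION)):
        print(name, "permits internal blocks:", exposed(acl) or "none")
```
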
 
Thank you both very much for the speedy replies.

From the looks of it, the 1130AGs we already have deployed (roughly 25 of them) support SSID-to-VLAN mapping.

This would be an ideal solution, utilizing hardware for this distinction, but I am a Cisco noob and thus have no idea how to implement VLANs. I did a couple of Google searches and found Wikipedia to be a little over my head.

Does anyone have a good link describing how to use VLANs?
 
We are currently using Cisco 2900XL series switches within our network.
 
I think the syntax is different on those, but on the newer switches it would be something like:
Code:
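enable
conf t
! create the VLAN and give it a name
vlan 200
 name wireless
!
! put an access port into the VLAN (the port number is only an example)
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 200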

You may need to use the VLAN Database on the older stuff, which would be something like:
Code:
enable
vlan database
 vlan 200
 name (might be 'description', I don't remember) wireless
 end

Then the rest should be similar, adding the port to the VLAN and all that.

The best thing to do is go on Cisco's site and look for some config stuff or Google. You should be able to find examples for the WAP too. "Using VLANs" is hard for me to put into words, you're using them to segment your network and, in your case, apply Access Control. You should be able to set the VLAN up on the switch and then (hopefully) trunk the switch to the WAP, then make a new SSID for the guest wireless and make sure the WAP is tagging accordingly.
 
Thanks for all the help so far. I've spent the last week reading the Cisco CCNA study guide, reading up on my VLANs, and I have another question.

Alright, here's what I understand so far. My AP has two SSIDs, employees and guests. Currently my network has 1 VLAN, the default vlan1. So I will set my SSID to use vlan1 to make life easy; anyone who connects with that SSID will be a part of my network and utilize all the network resources.

I will assign my guest SSID to be vlan20, which I will enable on my switch. I can then put a DHCP server attached to one of my switches and set that port to be vlan20 as well, such that my new DHCP will hand out IPs to anyone on the guest SSID... is this correct?

This is the part I don't understand (despite how many times I read it in the book): do I set the port which connects to the AP to trunk?

I hope this made sense. If you PM me your PayPal ID I'll buy you a beer for your help so far ;)
 