We use Cisco APs here. Two SSIDs, one for guests, one for staff.
SSID Guest is on a VLAN and it's using the integrated Cisco captive
portal on our WLC controller; users are authenticated by the IAS RADIUS
server using their AD account. Only members of the Guest-Internet group
have access. That VLAN only has access to printers and the internet.
Users bringing their personal laptop/iPod connect to the Guest SSID.

The other SSID is on our network and we use Computer authentication,
also done by IAS with PEAP.
That way only domain-joined machines can have access to our resources.
Using PEAP we can send a GPO to laptops with the correct wireless configuration.

Now I need to do the same thing on the wire side.


On Wed, Jun 9, 2010 at 8:30 PM, Jon Harris <jk.har...@gmail.com> wrote:
> "I don't pretend to have experience with anything in the previous
> sentence, and the better the physical separation I can achieve, the
> safer I feel - at least until I get a bunch more education/experience
> under my belt"
>
> If that is the case purchase some cheap home routers and create a separate
> VLAN on the backbone wired network to get them access to a
> DSL/FIOS/Broadband connection.  Lock them to only be on for just so many
> hours per day and work days.  If possible and the wire exists already
> instead of a separate VLAN put them on a separate wired network.  I was able
> to do the VLAN method at the last gig I had and all was good.  Our external
> consultant came in and pen tested the networks to verify no leakage from one
> to the other prior to going live and was there the day we went live to
> check everything again.  Separate networks are so much nicer and if the user
> just had to use the Guest WiFi then they had to use VPN to access internal
> stuff.  Sometimes it is just better to be the one that says no and keeps it
> that way.  The powers that were, were not happy paying for the second
> connection but a couple of months later it became very handy when some
> "visitors" just had to have access to the Internet and they flooded the
> Guest network with traffic from an infected machine.  Having a separate
> Guest network also comes in handy when testing remote access to the network.
>
> Jon
>
> On Wed, Jun 9, 2010 at 6:12 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> AFAIK, nmap and wireshark won't tell you as much as you need to know
>> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
>> but you'll need to monitor it pretty much continuously, and that's
>> probably a full time job.
>>
>> For assurance, initially you'll need a pen-test and/or a full audit
>> by someone who knows what they're doing, then put in place good
>> IDS/IPS systems that are tuned for your environment.
>>
>> I don't pretend to have experience with anything in the previous
>> sentence, and the better the physical separation I can achieve, the
>> safer I feel - at least until I get a bunch more education/experience
>> under my belt.
>>
>> Kurt
>>
>>
>> On Wed, Jun 9, 2010 at 14:29, Jason Gauthier <jgauth...@lastar.com> wrote:
>> > You should provide specifics, instead of ambiguity.
>> > Ambiguity helps no one, last I checked.
>> >
>> >
>> > -----Original Message-----
>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> > Sent: Wednesday, June 09, 2010 4:50 PM
>> > To: NT System Admin Issues
>> > Subject: Re: OTish: Wireless network configuration
>> >
>> > And more than that will be needed, as well.
>> >
>> > On Wed, Jun 9, 2010 at 13:44, Phil Brutsche <p...@optimumdata.com>
>> > wrote:
>> >> Or use Wireshark to make sure you don't see traffic you shouldn't.
>> >>
>> >> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>> >>> You use NMAP to do network scans to determine what is accessible and
>> >>> what isn't.
>> >>
>> >> --
>> >>
>> >> Phil Brutsche
>> >> p...@optimumdata.com
>> >>
>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>> >> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>> >>

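An added example, not part of any poster's message: the thread suggests using nmap to determine what is accessible, and the top message says the guest VLAN should reach only printers and the internet. This sketch parses nmap grepable (`-oG`) output captured from a guest-VLAN host and lists every open internal service outside that policy; the subnets, the printer ports and the sample scan are constructed assumptions.

```python
import ipaddress

# Assumed policy: the guest VLAN may reach only the printer subnet, on print ports.
ALLOWED = {ipaddress.ip_network("10.20.0.0/24"): {("tcp", 515), ("tcp", 631), ("tcp", 9100)}}

# Constructed sample of `nmap -oG` output, as if scanned from a guest-VLAN host.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.20.0.15 ()\tStatus: Up\n"
    "Host: 10.20.0.15 ()\tPorts: 9100/open/tcp//jetdirect///, 80/open/tcp//http///, "
    "445/filtered/tcp//microsoft-ds///\n"
    "Host: 10.10.0.5 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\n"
    "Host: 10.10.0.9 ()\tPorts: 53/open/udp//domain///\tIgnored State: closed (99)\n"
)

def open_ports(grepable):
    """Yield (ip, proto, port) for each port nmap reported in state 'open'."""
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blanks
        fields = line.split("\t")
        ip = ipaddress.ip_address(fields[0].split()[1])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # Status: / Ignored State: fields
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")  # port/state/proto/owner/service/...
                # 'filtered' and 'open|filtered' are not confirmed reachable; skipped here.
                if len(parts) >= 3 and parts[1] == "open":
                    yield ip, parts[2], int(parts[0])

def leaks(grepable, allowed=ALLOWED):
    """Return sorted (ip, proto, port) tuples for internal services the policy does not permit."""
    found = []
    for ip, proto, port in open_ports(grepable):
        permitted = any(ip in net and (proto, port) in ports
                        for net, ports in allowed.items())
        if ip.is_private and not permitted:
            found.append((str(ip), proto, port))
    return sorted(found)

if __name__ == "__main__":
    for ip, proto, port in leaks(SAMPLE_SCAN):
        print(f"LEAK: guest VLAN can reach {ip} {proto}/{port}")
```

Running the same check from the staff side toward the guest VLAN, and again after every switch or ACL change, turns the one-time go-live test described in the thread into a repeatable regression check.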