Interesting.

I may have to find some outside HP help on this.

Kurt

On Wed, Jun 9, 2010 at 16:50, Charles Regan <charles.re...@gmail.com> wrote:
> We use Cisco APs here. Two SSIDs, one for guests, one for staff.
> SSID Guest is on a VLAN and it's using the integrated Cisco captive
> portal on our WLC controller; users are authenticated by IAS RADIUS
> server using their AD account. Only members of the Guest-Internet group
> have access. That VLAN only has access to printers and internet.
> Users bringing their personal laptop/iPod connect to the Guest SSID.
>
> The other SSID is on our network and we use Computer authentication,
> also done by IAS with PEAP.
> That way only domain-joined machines can have access to our resources.
> Using PEAP we can send GPO to laptops with the correct wireless configuration.
>
> Now I need to do the same thing on the wire side.
>
>
> On Wed, Jun 9, 2010 at 8:30 PM, Jon Harris <jk.har...@gmail.com> wrote:
>> "I don't pretend to have experience with anything in the previous
>> sentence, and the better the physical separation I can achieve, the
>> safer I feel - at least until I get a bunch more education/experience
>> under my belt"
>>
>> If that is the case purchase some cheap home routers and create a separate
>> VLAN on the backbone wired network to get them access to a
>> DSL/FIOS/Broadband connection.  Lock them to only be on for just so many
>> hours per day and work days.  If possible and the wire exists already
>> instead of a separate VLAN put them on a separate wired network.  I was able
>> to do the VLAN method at the last gig I had and all was good.  Our external
>> consultant came in and pen tested the networks to verify no leakage from one
>> to the other prior to going live and was there the day we went live to
>> check everything again.  Separate networks are so much nicer and if the user
>> just had to use the Guest WiFi then they had to use VPN to access internal
>> stuff.  Sometimes it is just better to be the one that says no and keeps it
>> that way.  The powers that were, were not happy paying for the second
>> connection but a couple of months later it became very handy when some
>> "visitors" just had to have access to the Internet and they flooded the
>> Guest network with traffic from an infected machine.  Having a separate
>> Guest network also comes in handy when testing remote access to the network.
>>
>> Jon
>>
>> On Wed, Jun 9, 2010 at 6:12 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>
>>> AFAIK, nmap and wireshark won't tell you as much as you need to know
>>> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
>>> but you'll need to monitor it pretty much continuously, and that's
>>> probably a full time job.
>>>
>>> For assurance, initially you'll need a pen-test and/or a full audit
>>> by someone who knows what they're doing, then put in place good
>>> IDS/IPS systems that are tuned for your environment.
>>>
>>> I don't pretend to have experience with anything in the previous
>>> sentence, and the better the physical separation I can achieve, the
>>> safer I feel - at least until I get a bunch more education/experience
>>> under my belt.
>>>
>>> Kurt
>>>
>>>
>>> On Wed, Jun 9, 2010 at 14:29, Jason Gauthier <jgauth...@lastar.com> wrote:
>>> > You should provide specifics, instead of ambiguity.
>>> > Ambiguity helps no one, last I checked.
>>> >
>>> >
>>> > -----Original Message-----
>>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> > Sent: Wednesday, June 09, 2010 4:50 PM
>>> > To: NT System Admin Issues
>>> > Subject: Re: OTish: Wireless network configuration
>>> >
>>> > And more than that will be needed, as well.
>>> >
>>> > On Wed, Jun 9, 2010 at 13:44, Phil Brutsche <p...@optimumdata.com>
>>> > wrote:
>>> >> Or use Wireshark to make sure you don't see traffic you shouldn't.
>>> >>
>>> >> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
>>> >>> You use NMAP to do network scans to determine what is accessible and
>>> >>> what isn't.
>>> >>
>>> >> --
>>> >>
>>> >> Phil Brutsche
>>> >> p...@optimumdata.com
>>> >>
>>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>>> >> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~