What security risk is a GUEST VLAN?

Discussion in 'Wireless Networking' started by Mike Webb, Jul 3, 2007.

  1. Mike Webb

    Mike Webb Guest

    I have 802.11q appliances (AP's, switch, and internal NIC on server). I
    want to provide Guest access to the internet, and LAN access to staff and
    designated others (to whom I'd give a domain account). I don't have the H/W
    to set up separate WLAN's - one for the LAN on the internal side and a GUEST
    on the external side.

    So ... can I set up the AP's as domain clients, locking them down with WPA
    and RADIUS, but still provide GUEST access via a VLAN and appropriate SSID?

    [The appliances: D-Link products - DWL-2200AP as the access points, and
    DES-3828 as the switch.]

    --
    Mike Webb
    Platte River Whooping Crane Maintenance Trust, Inc.
    a 501 (c)(3) conservation non-profit organization
    Mike Webb, Jul 3, 2007
    #1

  2. Mike Webb

    Gary Harmon Guest

    On Tue, 3 Jul 2007 13:40:48 -0500, "Mike Webb"
    <> wrote:

    >I have 802.11q appliances (AP's, switch, and internal NIC on server). I
    >want to provide Guest access to the internet, and LAN access to staff and
    >designated others (to whom I'd give a domain account). I don't have the H/W
    >to set up separate WLAN's - one for the LAN on the internal side and a GUEST
    >on the external side.
    >
    >So ... can I set up the AP's as domain clients, locking them down with WPA
    >and RADIUS, but still provide GUEST access via a VLAN and appropriate SSID?
    >
    >[The appliances: D-Link products - DWL-2200AP as the access points, and
    >DES-3828 as the switch.]


    Not knowing what brands and models of wireless equipment you have, no.

    You can however put the WLAN on its own VLAN and route it to the
    Internet only. Then on your firewall allow VPN out and back in
    (called looping), then configure the 2003 server for VPN for your
    users.

    The other way is to replace the APs with a wireless router that will
    take the DD-WRT firmware then you can configure two SSIDs on VLANs and
    then set your firewall up for that.

    Give more information and maybe we can come up with a solution.

    I have a wireless mesh network setup running 3 SSIDs and VLANs at my
    work. The equipment is expensive but worth every penny (Strix Systems,
    http://www.strixsystems.com). Total cost $60,000.00 to cover 1 city
    block outside and 600,000 sq ft building w/2 floors.

    At home I use a Linksys WRT54G with DD-WRT set up with 2 SSIDs. 1 SSID
    has access to my 2003 server and the other only Internet access for
    guests. The guest SSID has a login page that comes up when you try to
    access the Internet. Total cost $50.00 about.

    Things that we need to know are:

    Brand and model of your APs D-Link DWL-2200AP
    DD-WRT only seems to support routers but I've heard of it working
    on some APs. You can check the web site for routers that have been
    tested. http://www.dd-wrt.com. Routers can be had for around $50.00

    Firewall make and model

    The 2003 will have to be set up with ISA to get RADIUS. The APs or routers
    will have to support RADIUS also (WPA-Enterprise).

    Hope this helps some

    Gary Harmon
    Gary Harmon, Jul 4, 2007
    #2

  3. Mike Webb

    Mike Webb Guest

    Thanks. The router is a "no-name" brand from Amer.com, model BR4. Haven't
    run across the term/acronym DD-WRT so I'll look it up to see what you are
    referring to. As for the firewall, it's Microsoft's ISA 2004, fully patched.
    The AP's are D-Link DWL-2200AP's, the switch is D-Link DES-3828, wireless
    mode supported - 802.11b and 802.11g. AP's, switch and internal NIC are
    compliant with 802.11q.

    Mike
    Mike Webb, Jul 5, 2007
    #3
  4. Mike Webb

    Gary Harmon Guest

    I had to get on the web and do some research on the D-Link stuff, I
    have not used D-Link for a few years. I couldn't find out how to
    configure the VLANs in the APs but D-Link's web site led me to
    believe that you can do VLANs on the DWL-2200AP's but did not say
    anything about being capable of 2 or more SSIDs. Worst case is use a
    dedicated AP for the guest SSID and configure a VLAN for it and route
    it to the internet only.

    Maybe someone else has seen the DWL2200AP that can shed some light.



    Gary Harmon, Jul 7, 2007
    #4
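
    Added example, not written by anyone in this thread: both of Gary Harmon's replies come down to putting guests on their own VLAN and routing it "to the Internet only", and this sketch checks a first-match firewall rule list for allow rules that still let the guest subnet reach the staff LAN. The addressing, the `Rule` model and the function names are assumptions made for illustration; they are not ISA 2004, D-Link or DD-WRT syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network

@dataclass(frozen=True)
class Rule:              # one first-match forwarding rule (simplified model)
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int] = None   # None means any port

def _meet(a, b):
    """Intersection of two CIDR blocks: the narrower one, or None if disjoint."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b

def guest_leaks(rules, guest, internal):
    """Return allow rules that let the guest VLAN reach an internal network.

    A rule is cleared only if ONE earlier deny covers the whole overlap, so
    the check errs on the side of reporting.
    """
    leaks = []
    for i, r in enumerate(rules):
        src = _meet(net(r.src), guest) if r.action == "allow" else None
        if src is None:
            continue
        for lan in internal:
            dst = _meet(net(r.dst), lan)
            if dst is None:
                continue
            shadowed = any(
                d.action == "deny" and d.port in (None, r.port)
                and src.subnet_of(net(d.src)) and dst.subnet_of(net(d.dst))
                for d in rules[:i])
            if not shadowed:
                leaks.append((i, str(src), str(dst), r.port))
    return leaks

# Constructed addressing: staff LAN 192.168.1.0/24, guest VLAN 192.168.50.0/24.
GUEST, STAFF = net("192.168.50.0/24"), [net("192.168.1.0/24")]
WEAK = [Rule("allow", "192.168.50.0/24", "0.0.0.0/0")]  # "Internet" also matches the LAN
FIXED = [
    Rule("allow", "192.168.50.0/24", "192.168.50.1/32", 53),  # DNS on the guest gateway
    Rule("deny", "192.168.50.0/24", "10.0.0.0/8"),
    Rule("deny", "192.168.50.0/24", "172.16.0.0/12"),
    Rule("deny", "192.168.50.0/24", "192.168.0.0/16"),
    Rule("allow", "192.168.50.0/24", "0.0.0.0/0"),
]
```

    `guest_leaks(WEAK, GUEST, STAFF)` reports the single allow-all rule, while the `FIXED` ordering returns an empty list because the private-range denies sit ahead of the Internet allow.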
  5. Mike Webb

    Mike Webb Guest

    Thanks.

    Mike Webb, Jul 9, 2007
    #5