Seeking advice on Aironet 1232 config for visitor and staff access

Discussion in 'Cisco' started by Ned, Sep 23, 2005.

  1. Ned

    Ned Guest

    Hello everyone

    I have an Aironet 1232AG (AIR-AP1232AG-A-K9) and I have to configure it
    for use by visitors using laptops for "Internet Only" access, meaning
    no access to anything on our LAN, and for staff to access Internet +
    have access to servers on our LAN. The staff and visitors will be using
    different machines. I was thinking of using a separate SSID requiring
    MAC address security and WEP for visitors, and another SSID using
    RADIUS via MS IAS (PEAP) which would require membership of workstation
    and user account in a special group in order to have wireless access.
    I'm just not sure if MAC and WEP for visitors is the best/most flexible
    way, and I'm not sure how to isolate visitors from our LAN while giving
    employees access to LAN & Internet. Would I use a VLAN? Help!
    Ned, Sep 23, 2005

  2. Ned

    Uli Link Guest

    VLAN if possible.
    Else you can attach an ACL to block access to anything but DHCP, DNS and
    the router for the guest SSID. Weird...only if VLAN isn't an option
    Uli Link, Sep 23, 2005

  3. Ned

    Nick Guest

    I would recommend using a WLSM and putting together a mobility group.
    This mobility group can be dumped onto the external network while the
    employees can be dumped onto the local LAN. All this without "vlans"
    Nick, Sep 25, 2005
  4. Ned

    Ned Guest

    Thanks for your advice. I worked on this yesterday and used IAS to
    authenticate visitors based on their MAC address. Switches were not
    configured for VLANs and there wasn't enough time to configure them, so
    I used the filters you mentioned and they worked. When a visitor comes
    in, the admin writes down the mac address of the device and creates an
    account named after the mac address in AD and adds the account to a
    group called Wireless guest whose members IAS will allow to
    authenticate. The IAS logs say the authentication type is PAP which
    isn't secure but I need something that will work with almost any
    device that a visitor might want to connect to our AP so I will use PAP
    until I figure out what to replace it with. The device (laptop) is
    configured for WEP with open auth, and pointed to the correct SSID.
    I'm sure there are better ways to do this, but this is a start. I will
    continue to work on making it better. As for the WLSM mentioned by
    Nick, I never knew they even existed. I googled "WLSM" and found
    something for the Cisco 6500. We only have a couple of Dell switches
    and 40 users.
    Thanks for your replies!!
    Ned, Sep 25, 2005
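
The guest filter discussed in this thread (allow DHCP, DNS and the router, keep guests off the LAN) depends on rule order, because an ACL stops at the first match. The sketch below is an added example, not configuration posted by anyone in the thread; it models first-match evaluation in Python, and the subnet, gateway, resolver and flow addresses are constructed assumptions.

```python
import ipaddress

# Constructed addressing for illustration; none of these values are from the thread.
LAN = ipaddress.ip_network("192.168.10.0/24")
GATEWAY = ipaddress.ip_network("192.168.10.1/32")
DNS = ipaddress.ip_network("192.168.10.5/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, protocol, destination network, destination port or None for any port)
GUEST_ACL = [
    ("permit", "udp", ANY, 67),       # DHCP requests, including broadcast discovery
    ("permit", "udp", DNS, 53),       # DNS to the one resolver guests may use
    ("permit", "tcp", DNS, 53),
    ("permit", "ip", GATEWAY, None),  # the router, as suggested in the thread
    ("deny", "ip", LAN, None),        # everything else on the internal subnet
    ("permit", "ip", ANY, None),      # remaining destinations, i.e. the Internet
]

# Same rules with the LAN deny moved to the top: a common ordering mistake.
MISORDERED = [GUEST_ACL[4]] + GUEST_ACL[:4] + GUEST_ACL[5:]


def evaluate(acl, proto, dst, dport=None):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    dst = ipaddress.ip_address(dst)
    for action, rule_proto, net, rule_port in acl:
        if rule_proto not in ("ip", proto):
            continue
        if dst not in net:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "deny"


# Constructed guest flows: (description, protocol, destination, port)
FLOWS = [
    ("DHCP discover", "udp", "255.255.255.255", 67),
    ("DNS query", "udp", "192.168.10.5", 53),
    ("file server SMB", "tcp", "192.168.10.20", 445),
    ("external HTTPS", "tcp", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for name, proto, dst, port in FLOWS:
        print(f"{name:16} ordered={evaluate(GUEST_ACL, proto, dst, port):6} "
              f"misordered={evaluate(MISORDERED, proto, dst, port)}")
```

With the deny placed first, guests still get a DHCP lease but lose name resolution, which tends to be reported as "the Internet is down" rather than as a filter problem.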