What security risk is a GUEST VLAN?

    I have 802.11q appliances (APs, switch, and internal NIC on server). I
    want to provide Guest access to the internet, and LAN access to staff and
    designated others (to whom I'd give a domain account). I don't have the H/W
    to set up separate WLANs - one for the LAN on the internal side and a GUEST
    on the external side.

    So ... can I set up the APs as domain clients, locking them down with WPA
    and RADIUS, but still provide GUEST access via a VLAN and appropriate SSID?

    [The appliances: D-Link products - DWL-2200AP as the access points, and
    DES-3828 as the switch.]
    Mike Webb, Jul 3, 2007
    Not knowing what brands and models of wireless equipment you have, no.

    You can however put the WLAN on its own VLAN and route it to the
    Internet only. Then on your firewall allow VPN out and back in (
    called looping ) then configure the 2003 server for VPN for your

    The other way is to replace the APs with a wireless router that will
    take the DD-WRT firmware then you can configure two SSIDs on VLANs and
    then set your firewall up for that.

    Give more information and maybe we can come up with a solution.

    I have a wireless mesh network setup running 3 SSIDs and VLANs at my
    work. The equipment is expensive but worth every penny ( Strix Systems
    http://www.strixsystems.com ). Total cost $60,000.00 to cover 1 city
    block outside and 600,000 sq ft building w/2 floors.

    At home I use a Linksys WRT54G with DD-WRT set up with 2 SSIDs. 1 SSID
    has access to my 2003 server and the other only Internet access for
    guests. The guest SSID has a login page that comes up when you try to
    access the Internet. Total cost $50.00 about.

    Things that we need to know are:

    Brand and model of your APs D-Link DWL-2200AP
    DD-WRT only seems to support routers but I've heard of it working
    on some APs. You can check the web site for routers that have been
    tested. http://www.dd-wrt.com. Routers can be had for around $50.00

    Firewall make and model

    The 2003 will have to be set up with ISA to get RADIUS. The APs or routers
    will have to support RADIUS also (WPA-Enterprise).

    Hope this helps some

    Gary Harmon
    Gary Harmon, Jul 4, 2007
    Thanks. The router is a "no-name" brand from Amer.com, model BR4. Haven't
    run across the term/acronym DD-WRT so I'll look it up to see what you are
    referring to. As for the firewall, it's Microsoft's ISA 2004, fully patched.
    The APs are D-Link DWL-2200APs, the switch is D-Link DES-3828, wireless
    mode supported - 802.11b and 802.11g. APs, switch and internal NIC are
    compliant with 802.11q.

    Mike Webb, Jul 5, 2007
    I had to get on the web and do some research on the D-Link stuff; I
    have not used D-Link for a few years. I couldn't find out how to
    configure the VLANs in the APs, but D-Link's web site led me to
    believe that you can do VLANs on the DWL-2200APs but did not say
    anything about being capable of 2 or more SSIDs. Worst case is use a
    dedicated AP for the guest SSID and configure a VLAN for it and route
    it to the internet only.

    Maybe someone else has seen the DWL2200AP that can shed some light.

    Gary Harmon, Jul 7, 2007
    Mike Webb, Jul 9, 2007
