I've inherited our current WLAN that consists of two identically configured 1121 APs in separate buildings. Authentication is WPA-TKIP PSK that requires manual configuration of all devices. Guest access is handled through a separate VLAN that has ACLs that restrict traffic from the rest of the network, authentication is WPA-TKIP PSK. The SSID determines what VLAN they connect to.
We also have a point-to-point connection using two 1310 bridges that is secured by WPA-AES CCM+TKIP and MAC authentication.
We recently purchased a Secure ACS Express 5.0 and will be purchasing 3 additional APs.
My question is, what is the best way to clean up our WLAN, increase security and manageability, and preferably provide 0-configuration wireless access to guests and employees? I'm guessing a WLC is going to be required, but since I have very little wireless design experience I want to have this done right.
The vast majority of our wireless clients are laptops using Window's wireless configuration, but we also have several smart-phones, several iPhones, a few MacBooks, and no Blackberries.
Network users should authenticate with their domain credentials, and guests should not have to authenticate (or cancel out of a prompt).
Thanks for any assistance you can provide.
The bridges are great. Using WPA with AES encryption is rock-solid. I would consider disabling the TKIP though, no real need to have it when both sides support AES. The two bridges are likely defaulting to AES anyway, so it might not make a difference.
Just so you know, bridges aren't supported in a lightweight solution, which just means that they'll remain autonomous. No need to plan on upgrading them if you decide to go that route.
Upgrading to lightweight controllers is a great way to improve scalability of your network. They provide a single point of configuration for your APs and allow for Radio Resource Management, which dynamically adjusts your radios for optimum performance.
WLCs also allow for web authentication to the network, allowing them to simply agree to a disclosure or requiring that they submit a key provided for access. Normally, one doesn't worry about encrypting guest traffic, and keys (WPA or otherwise) are simply meant to restrict who can join. If you just want people to be able to join without a key for ease of management, then you'll be allowing anyone to connect who can receive a signal. Some people don't care about that, others do, it's a business decision to make.
As for security, consider upgrading to PEAP for ease of management. You do need to deploy a certificate to the machine, but that beats out having to update every single client if the WPA-PSK password needs to be changed for security purposes.
I hope that helps!