Cisco Support Community
New Member

Multiple SSID with security

Hello

I have an office setup whereby I have a wireless router connected to my ADSL. I also have my LAN switches connected to the ADSL router. Recently a wireless range extender was installed (TP-LINK 300Mbps wireless N range extender). This is used by all office staff whereby the Desktop Computers use Ethernet to the switch to get internet and their smart devices to connect wirelessly to the internet.

Recently guests have started using the wireless to get internet when they have to attend meetings at the office. I do not want them to have wireless to the internet on my current wireless setup as this gives them full access to my network.

What I am thinking is to put a WLC 5508 with an Aironet 3600 AP broadcasting multiple SSID's. Guest SSID needs to be in vlan going straight to internet. The second SSID needs to be in a separate VLAN with wireless internet access as well as LAN access to the switches.

My first question is can the mentioned devices do this or should I be looking at a different set of wireless gear? If I should be looking at a different set of wireless gear what is recommended?

My next question is if the above gear can handle the separate SSID's with the range extender, is there some sort of AV security built in? Say a guest has a smart device connected to the guest SSID what protection (other than the VLAN) will the WLC provide to alert me that this device is infected with some malware? Or is this something I have to look at separately? If I have to look at a separate form of protection what is suggested that will work well with the WLC & AP mentioned above? (In other words if I decide to install ESET NOD on my server to protect it against attacks, can I extend this to the WLC & AP or is there some built-in security in the WLC & AP which protects the devices against security threats, while blending in with existing AV software?)

Thanks in advance

w

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Multiple SSID with security

You can also take a look at Meraki for this. It will solve most of your issues, just not the AV side of it. You can go down the road of ISE; however, the cost of implementation is pretty big. I know that you can also go to a webinar from Meraki and they will send you a free MR12. Might be worth playing with to see if it will work for you.

6 REPLIES
VIP Purple

Multiple SSID with security

I cannot provide you the exact answer to all the questions, but I can still give you an idea which can resolve most of the concerns.

1. Yes, the WLC 5508 and AP 3600 will resolve your problem.

You can create 2 separate SSIDs, one for guests and the other for employees.

You must have an ISE server:

Cisco Identity Services Engine (ISE) is a security policy management and control platform. It automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. Cisco ISE is primarily used to provide secure access and guest access, support BYOD initiatives.

The ISE server can assign a VLAN according to the policy defined for the users.

The WLC provides enough security for wireless clients.

http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_AdvancedGuestWirelessAccessDeploymentGuide-Feb2013.pdf

Hope it helps.

Regards

Don't forget to rate helpful posts

Silver

Re: Multiple SSID with security

WLC/AP in combination with ISE (Advanced Licensing) can do this with features like profiling and posturing. The guest services are also a very good solution which ISE provides.

New Member

Multiple SSID with security

Hi David

Goodness do I feel like a real idiot! I know about Meraki and early last year went to some half day intro course of the product. Unfortunately with all the projects and work and being on the go this completely slipped my mind! .....until you mentioned it.

I had a look at the MR12 & MR24 and they look ideal for what I want to do.

Thanks again for your suggestion!

Wil

New Member

Re: Multiple SSID with security

It sounds to me like you have a small network, where the 5508 may be too costly and overkill. How many AP's do you currently have?

Based on your current network description, it sounds to me like you have some security concerns as well. If guests are using your wireless network, so are hackers most likely.

I like the Meraki suggestion if you have a small network. You may want to set up autonomous AP's with multiple SSID's and security for all SSID's, including your guests.

A true guest network uses a DMZ with firewalls and even a second anchor controller.  ISE and NAC solutions will scan and clean the hosts before granting them access, but again you are getting into a more expensive and complex design.

Meraki AP's have a dedicated security antenna and the management tools are very nice.

https://meraki.cisco.com/

Good luck,
Bob

Hall of Fame Super Silver

Multiple SSID with security

Here is my 2¢

Cisco, Meraki, Aruba, etc... can all do this in various ways...

My first question is can the mentioned devices do this or should I be looking at a different set of wireless gear? If I should be looking at a different set of wireless gear what is recommended?

>Yes, you can have separate internal and guest, segmented

My next question is if the above gear can handle the separate SSID's with the range extender, is there some sort of AV security built in? Say a guest has a smart device connected to the guest SSID what protection (other than the VLAN) will the WLC provide to alert me that this device is infected with some malware? Or is this something I have to look at separately? If I have to look at a separate form of protection what is suggested that will work well with the WLC & AP mentioned above? (In other words if I decide to install ESET NOD on my server to protect it against attacks, can I extend this to the WLC & AP or is there some built-in security in the WLC & AP which protects the devices against security threats, while blending in with existing AV software?)

> This is your guest network... you should care more for your internal... you will have separation between the two so an infected device on your guest network will not affect your internal network. How do you protect from this today?

Thanks,

Scott

*****Help out others by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***