Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

guest wireless and corporate wireless

Hello,

 

What would be the securest (and cheapest), way to setup a "Guest" WLAN simultaneously with the "Corporate" WLAN?

 

In my own opinion, the securest way isn't the cheapest by far.  Because, in my own opinion, it would be best to segregate the WLAN's physically.  Meaning having the WLAN's on different WLAN Controllers as well as physically different WAP's.

 

Any and all advice will be greatly appreciated.

 

Thank you in Advance.

 

Jay

4 REPLIES
Cisco Employee

Hi, Physically setting up two

Hi,

 

Physically setting up two wireless networks would be very costly if you need both Corporate and Guest coverage everywhere and might also cause interference as you are increasing number of doubling the number of APs for covering the same area which otherwise could be covered by single AP. You can also use one controller and APs for both and use ACLs on WLC and switched to block Guest access to corporate subnets.

Guest-Anchor set up is perfectly secure. So one controller for corporate and the Guest traffic would redirect to the other controller may be sitting in the DMZ Zone.Aps would be common.

 

Regards

Dhiresh

Bronze

Hello, rjayswan5. Doubling

Hello, rjayswan5. 

Doubling the number of your AP and controller for getting a secured guest access it not cost effective. As Dhiresh mentioned, guest access on a single controller would already be secure. Any existing Cisco Controllers or Aironet that you are already using?

Let me know if you need more support or e-mail (adawa@cisco.com) me directly. Kind regards. 

New Member

Thank you all for your input

Thank you all for your input.

I inherited this network, and there are a total of 6 WLAN's on our 5508 WLC.  5 of the WLAN's are WEP.  As I said, I have no idea why.  My supervisor seems to think we need to setup the 5 Guest  (yes I said 5 Guest), WLAN's as WEP.  All of the Guest WLAN's can only access the internet and none of our network resources.  The only WPA2 WLAN is integrated with our AD so those users can access the network resources.  I want to change them all to WPA2, but my supervisor seems to be not waning that done.  I explained to him and our manager how the network can be compromised by that kind of setup, but the only one that agrees with me is my manager.

 

What I am concerned about is, even if I set them all to WPA2, can a vendor who has much Trojans and or other tools covertly installed on their device, would they be able to compromise the 5508?

Hall of Fame Super Gold

In my own opinion, the

In my own opinion, the securest way isn't the cheapest by far.  Because, in my own opinion, it would be best to segregate the WLAN's physically.  Meaning having the WLAN's on different WLAN Controllers as well as physically different WAP's.

This is the dumbest thing I've ever heard.  The "safest" is the most inefficient and financially stupid way of doing.  So what you are saying you've got TWO wireless AP (and two WLC) in the same vicinity of each other.  One AP broadcasts Guest and the other is Corp.  

 

The safest method is 802.1X.   Clients connect to the Guest SSID and their traffic gets plumbed to the proxy server, firewall and out the internet gateway.  Corporate traffic gets authenticated using the AD credentials and you can send Corp traffic whichever way you want.

84
Views
10
Helpful
4
Replies
CreatePlease login to create content