I've been having some in-depth conversations with my colleagues at work and would like to peer into this forum for advice.
Here is the setup/scenario: An AP with open auth. The AP is bridged to a layer 2 VLAN on our core production switches. In this VLAN, we have a dedicated DSL router. No firewall involved, possibly FW feature set on router enabled.... This is simply for hot spot access for guest users. Non-company asset machines only.
The point of concern is the fact that these unsecure devices utilize a VLAN on our internal production switches. Being that this is a layer2 vlan with no switch interfaces, does this pose a risk?
Is there any way it can be compromised or can it be "hacked" to gain access to the production network? Can someone wirelessly spoof Ethernet tags?
What if the AP was an LWAPP AP? The controller will have an interface in that layer 2 VLAN but the option to administer the controller via wireless will be disabled. Any security concerns here as well?
You can always set up the layer 2 as a private VLAN. There was a thing called VLAN hopping in which a hacker would double tag a frame, but that is all I know about that. If you have a WLC, it would be the same, the traffic would have to come out one of the ports to your core to the DSL. It's like if you have a guest user that plugs into your LAN, is it a guest LAN or your corporate LAN. Look at your security policies for your organization. I do have many clients that do what you are trying to do.
What some are doing is if you have a FW with a DMZ, you can put a WLC 4402-12 in the DMZ and create a tunnel back to your foreign (inside) WLC. This way guests will associate to an AP and get tunneled all the way to the DMZ.
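The double tagging mentioned in the reply above appears on the wire as two stacked 802.1Q headers, which a frame from a guest client should never carry. As an added example (not part of the original thread), this Python code flags such frames in captured Ethernet bytes; the sample frames, port names and VLAN IDs are constructed for illustration.

```python
import struct

# Tag protocol identifiers: 802.1Q (0x8100) and 802.1ad (0x88A8)
TPIDS = {0x8100, 0x88A8}

def vlan_stack(frame: bytes) -> list[int]:
    """Return the VLAN IDs of every tag stacked after the MAC addresses."""
    vids = []
    offset = 12  # skip destination and source MAC (6 bytes each)
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in TPIDS:
            break  # reached the real EtherType
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vids

def audit(captures, guest_ports):
    """Flag frames seen on guest-facing ports that carry two or more tags.

    captures: iterable of (port_name, raw_frame_bytes)
    Returns a list of (port_name, outer_vid, inner_vid).
    """
    alerts = []
    for port, frame in captures:
        vids = vlan_stack(frame)
        if port in guest_ports and len(vids) >= 2:
            alerts.append((port, vids[0], vids[1]))
    return alerts

# Constructed sample frames (hex): broadcast dst, locally administered src.
MACS = "ffffffffffff" "020000000001"
UNTAGGED = bytes.fromhex(MACS + "0800" + "45000000")
SINGLE = bytes.fromhex(MACS + "81000032" + "0800" + "45000000")  # VLAN 50
DOUBLE = bytes.fromhex(MACS + "81000001" + "8100000a" + "0800" + "45000000")

# Hypothetical port names for a guest AP uplink and a production uplink.
SAMPLE = [("guest-ap-1", UNTAGGED), ("guest-ap-1", SINGLE),
          ("guest-ap-1", DOUBLE), ("core-uplink", DOUBLE)]

if __name__ == "__main__":
    for port, outer, inner in audit(SAMPLE, {"guest-ap-1"}):
        print(f"{port}: double-tagged frame, outer VLAN {outer}, inner VLAN {inner}")
```
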