Deployment of guests auth.

johnleeee · ‎11-24-2006

Hi all,

Im beginner in configuring APs and every help will be welcome.

First Id like to ask someone of us how does

association of client work? We have clients associated through Radius but on our AP is not configured any DHCP server but clients obtain IP address from pool in which is BVI interface.

Second ...could someone help me with possibilities of configuration guests when we need to associate them but on another IP pool in other VLAN and allow them only communication to Internet not to our resources.

Thanks a lot for advice.

BR

jl

frankzehrer · ‎11-24-2006

Hi John,

Have a look here to better understand the associations and authentication processes.

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

Here is a document about VLANs on Wireless APs:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml

Since i have no clue about your AP setup, authentication scheme and your infrastructure i can assume some things here:

You have actual one VLAN on the AP configured. Lets say VLAN1 (or maybe no VLAN is configured).

All AP Interfaces are connected to this VLAN.

(If you have no VLAN configured all traffic out of the BVI interface is untagged and then gets the native VLAN from the switchport where the AP is connected to).

Now you connect the AP with a Radius Server, and the wireless clients authenticate with the radius server. Is it possible that this Radius Server has a DHPC service running?

Then it might be that the autheticated client gets an IP address.

Remebmer: All AP traffic from the radio interface will pass the BVI and this will forward it to the ethernet port. If you have no VLANs on the APs configured, all traffic into the switch will be mapped to the native VLAN.

Have a look into the link above for this!

Second question: Have a look into the link above It describes the setup of VLANs on an AP the mapping to a SSIDs and for short the setup of the connected swtitchports.

Good Luck

Frank

johnleeee · ‎11-27-2006

Hi Frank,

you are right. We have no VLAN configured

on our APs. So data are tagged with native VLAN.

But on our L3 interface for the same VLAN we have ip helper configured for DHCP server. But IP address is other than that for Radius,but on the same IP pool.

For example:

AP is in 10.10.10.0/24 and has 10.10.10.253

Radius is in 10.10.1.0/24 and has 10.10.1.2

DHCP has 10.10.1.3

L3 interface on L3 switch has 10.10.10.1 and ip helper has 10.10.1.3

DHCP server assign IP addresses from pool 10.10.10.0/24

Do you have any experience with what is best to deploy AP solution with access to clients from your company and guests?

Thanks a lot for info and advice.

BR

jl

frankzehrer · ‎11-27-2006

Hi John,

the best way to configure the guest and employee WLAN access is the deployment with VLANs and different SSIDs!

From the security point of view: If you try a setup with one VLAN and one SSID your infrastructure is open for skilled users.

The setup with a ip helper is suiteable for DHCP, TFTP, DNS and some other UDP protocols but not for TCP connections like Radius.

The router forwards the UDP packet as an IP unicast to the IP helper address. (You can utilize this behaviour with the useage of the command "ip forward-protocol").

For the good to best securtiy of your internal network have setup with PEAP or EAP-TLS or EAP-TTLS. The used VLAN should be mapped to a single SSID.

The guest users may use another ssid with an VLAN leading only to the internet proxy. For this SSID you may configure open authentication.

What kind of infrastructure are you using?

Autonomous APs with WLSE?

Lighweight APs with WCS / WDS usage?

Best regards,

Frank