
1/1/13

Configuring a Guest wireless network with restricted access to Production VLANs DefinIT


JUN/11

Configuring a Guest wireless network with restricted access to Production VLANs



It's a fairly common requirement: set up a guest WiFi network that is isolated from the rest of your LAN. You need secure WLAN access for the domain laptops, which has full access to the Server and Client VLANs, but you also need a guest WLAN for visitors to the office which only allows internet access. Since the budget is limited, this must all be accomplished with a single Access Point; for this article, the access point is a Cisco WAP4410N.

Existing Network layout and Design


Assume there is a core network switch, and that it is a Layer 3 enabled switch with inter-VLAN routing configured. By default all the VLANs can talk to each other, routed through the switch. The switch is also configured with a gateway of last resort pointing to the firewall's internal IP, which provides internet access.

So the headlines are:


- Existing Production VLANs: VLAN10 iSCSI (10.1.10.0/24), VLAN11 Server (10.1.11.0/24) and VLAN12 Client (10.1.12.0/24). These all route through the core switch and can see each other.
- Create a Guest VLAN: VLAN13 (10.1.13.0/24), which can access the internet but not the existing VLANs.
- Create a Secure Wireless LAN: all traffic assigned to VLAN12. Since it's a domain environment this will use PEAP authentication, so clients can use their domain password to access the WLAN.
- Create a Guest Wireless LAN: all traffic assigned to VLAN13. This will use a static WPA2 access passphrase, which can be changed regularly; since it won't be used by domain clients or by anyone who accesses it repeatedly, that is not a huge admin overhead.

I'm not going to cover setting up a Domain, Certificate Authority or Internet Authentication Service. I am assuming you have these already, have issued a Server certificate to your IAS server, and that the CA is trusted by all your domain clients. My demo lab set up:

- Wireless Access Point (Cisco WAP4410N): Definit-WAP
- Core Network Switch (Cisco 3750): Definit-SW
- Active Directory Domain Controller: DefinIT-DC
- Public Key Infrastructure: DefinIT-CA
- Windows Server 2003 IAS: DefinIT-IAS

Preparing the Network Core


All commands are entered from the Configure prompt (config t). The first task is to configure the new Guest VLAN13 using the commands below. The IP address assigned to the Vlan13 interface acts as the gateway for VLAN13 on the core switch. (VTP will propagate the VLAN settings to the access switches, if configured.)

    vlan 13
     name DefinITGuest
    interface Vlan13
     description DefinIT Guest VLAN
     ip address 10.1.13.1 255.255.255.0

Next, configure the interface on the core switch that the Cisco WAP4410N plugs into (in this case G2/0/13). The port needs to be in trunk mode to carry multiple VLANs. I've configured the native (default) VLAN to be the Server VLAN11, as this is the one I want the web management interface to be accessible on; any untagged traffic will be assigned to this VLAN by default. Here you could also restrict the allowed VLANs using switchport trunk allowed vlan 13, but this wouldn't allow the secure WLAN to access the server/client VLANs.


    interface GigabitEthernet2/0/13
     description DefinIT WAP Trunk
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 11
     switchport mode trunk
     no shutdown

The Guest WLAN will not be allowed any access to the server VLAN, so it can't use the client DHCP server there. Fortunately the switch is more than capable of handling that, so we move on to the DHCP pool configuration. Because the DHCP scope is on the same IP network as the Vlan13 interface, only that interface will respond to DHCP requests from it (which is good, because I don't want my network ruined by fighting DHCP servers!)

    ip dhcp pool GuestWLAN
     network 10.1.13.0 255.255.255.0
     default-router 10.1.13.1
     dns-server 8.8.8.8 8.8.4.4

Now that the plumbing is set up, we need to control who is allowed to access what. This means creating an Access List that denies the guest VLAN access to the production VLANs. Note that the ACL format does not use a subnet mask but a wildcard mask. You subtract each octet of your subnet mask from 255 to get the wildcard mask (e.g. 255.255.255.0 becomes 255-255=0, 255-255=0, 255-255=0 and 255-0=255, giving 0.0.0.255).

    ip access-list extended DefinIT_GUEST
     remark Deny Guest VLAN13 access to other VLANs
     deny ip any 10.1.10.0 0.0.0.255
     deny ip any 10.1.11.0 0.0.0.255
     deny ip any 10.1.12.0 0.0.0.255
     permit ip any any

Finally, apply the Access List to the Guest Vlan13 interface. Note that the direction is "in", which seems counter-intuitive but is correct: the perspective is the switch's, so traffic from a client on the guest VLAN is coming in to the Vlan13 interface on the switch.

    interface Vlan13
     ip access-group DefinIT_GUEST in
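To see how the wildcard masks and first-match ordering above actually decide a packet's fate, here is an added Python example (my own code, not from the article) that parses a constructed copy of the DefinIT_GUEST access list and evaluates sample guest-VLAN flows against it, including the implicit deny that IOS appends to every ACL.

```python
import ipaddress

# Constructed copy of the article's ACL text; the header and remark lines are skipped.
ACL_TEXT = """\
ip access-list extended DefinIT_GUEST
 remark Deny Guest VLAN13 access to other VLANs
 deny ip any 10.1.10.0 0.0.0.255
 deny ip any 10.1.11.0 0.0.0.255
 deny ip any 10.1.12.0 0.0.0.255
 permit ip any any
"""

def wildcard_from_mask(mask):
    """255.255.255.0 -> 0.0.0.255: subtract each octet from 255, as the article describes."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def _parse_addr(tokens):
    """Consume 'any' or '<base> <wildcard>' from the token list; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src, dst) entries, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # header, remark, or a form this toy parser does not model
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append((tokens[0], src, dst))
    return entries

def matches(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(entries, src, dst):
    """First matching entry wins; if nothing matches, IOS applies its implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if matches(src, sb, sw) and matches(dst, db, dw):
            return action
    return "deny"

GUEST_ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for dst in ("10.1.11.5", "10.1.12.7", "8.8.8.8", "10.1.13.1"):
        print(f"guest 10.1.13.50 -> {dst}: {evaluate(GUEST_ACL, '10.1.13.50', dst)}")
```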

That's it, core network configured!

Configure IAS to provide RADIUS authentication


Create a new RADIUS client by selecting the RADIUS Clients folder and choosing New from the right-click menu. Configure a friendly name for the Wireless Access Point and the IP you're using for the WAP (for me, DefinIT-WAP and 10.1.13.20). Set the Client-Vendor to Cisco (or the vendor you're using) and a strong shared secret (a random 13-character mix of upper/lower case letters, numbers and special characters will do nicely).

Create a new Remote Access Policy using the Remote Access Policy wizard (right-click Remote Access Policies and select New):

Select Wireless as the access method, and select a Windows Security group to allow access:


Select PEAP as the Authentication method, configure the server certificate used for identification, and set the EAP type to MSCHAP-v2. If you have issued client certificates to all users, you can add Smart Card or other Certificate to the EAP authentication methods.

Configuring the Access Point


I'm assuming you can manage to turn the thing on, access its web interface and assign the static IP you picked earlier to the AP. Now we can configure the authentication and VLANs for the guest and secure WLANs. Open Wireless > Basic Settings and configure your two SSIDs, save, and then open the Security page.

Here you can configure WPA2-Personal for the Guest SSID, and WPA2-Enterprise Mixed for the Secure SSID. Configure the IP address of your RADIUS server and the Shared Secret you configured earlier.

Now move on to the VLAN and QoS page. Here you need to enable VLAN but otherwise leave the defaults. Under QoS you need to assign the VLAN ID for each network: 13 for Guest and 12 for Secure.

That's more or less it; time to test with a handy wireless client sitting nearby.


Posted by Sam McGeown

Tagged as: access control lists, acl, guest, peap, secure, vlan, wireless


Comments (1)

Mohammad
March 24th, 2012 - 17:34

Excellent document with required information