isolate wireless for corp environment

skisteven1

I'm looking to set up a wireless network for my company with some very specific requirements, and I'm not sure how to go about doing it. I have 1 Windows and 1 blank (Linux, FreeBSD, whatever) computer to work with. Please advise.

requirements:
*Seamless (or at least painless) transition between APs
*Splash screen (captive portal) that asks for an email address before providing internet
*complete isolation from local network for anonymous users
*some sort of P2P restriction on anon users (bandwidth cap or blocking things like BT/emule/etc)
*a login system that will allow employees to gain access to local network resources (shares, printers, etc)

I have ports in every room that come back to a central punchboard, so I can control exactly what goes to which port. Right now we have 1 Linksys 54G access point, but have budget for more APs if necessary.

Right now I am thinking to use the Linux box as a firewall between the network and the wireless, and plug only the APs behind the Linux box. I'm looking at the software NoCatAuth for authentication and capture/release. Can anyone recommend a better solution? I've looked briefly at VPN, but I think it would be overkill for what I'm trying to do.

Suggestions? Ideas? Other things I've run across: m0n0wall, chillispot, wifidog
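
The layout described in this post (Linux box between the APs and the office LAN, captive portal with capture/release, employee login) can be sanity-checked as an ordered rule table before it is turned into firewall rules. The following is an added example, not part of the original post and not NoCatAuth's own logic; the subnets, ports, state names and the `decide`/`leaks` helpers are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing; none of these values come from the thread.
CORP_LAN = ipaddress.ip_network("192.168.1.0/24")   # wired office LAN
WLAN_NET = ipaddress.ip_network("10.10.0.0/24")     # APs behind the Linux box
PORTAL = ipaddress.ip_network("10.10.0.1/32")       # portal + DNS on the box
ANY = ipaddress.ip_network("0.0.0.0/0")

# Per-client states a capture/release portal keeps.
CAPTURED, GUEST, EMPLOYEE = "captured", "guest", "employee"
ALL = {CAPTURED, GUEST, EMPLOYEE}

# Ordered forward policy, first match wins: (states, dst net, ports, verdict).
# ports=None means any port; TCP/UDP are not distinguished in this model.
POLICY = [
    (ALL,               PORTAL,   {53, 80, 443}, "ACCEPT"),
    ({CAPTURED},        ANY,      {80},          "REDIRECT"),  # splash screen
    ({CAPTURED},        ANY,      None,          "DROP"),
    ({EMPLOYEE},        CORP_LAN, None,          "ACCEPT"),    # shares, printers
    ({GUEST},           CORP_LAN, None,          "DROP"),      # isolation
    ({GUEST, EMPLOYEE}, WLAN_NET, None,          "DROP"),      # client to client
    ({GUEST},           ANY,      {80, 443},     "ACCEPT"),    # web only, no P2P ports
    ({EMPLOYEE},        ANY,      None,          "ACCEPT"),
]

def decide(state, dst, port, policy=POLICY):
    """Verdict for one new connection from a wireless client in `state`."""
    addr = ipaddress.ip_address(dst)
    for states, net, ports, verdict in policy:
        if state in states and addr in net and (ports is None or port in ports):
            return verdict
    return "DROP"  # default deny

# Constructed probes: file share, network printer, web admin page on the LAN.
LAN_PROBES = [("192.168.1.10", 445), ("192.168.1.20", 9100), ("192.168.1.1", 80)]

def leaks(policy=POLICY):
    """LAN flows a client without an employee login could open."""
    return [(s, d, p) for s in (CAPTURED, GUEST) for d, p in LAN_PROBES
            if decide(s, d, p, policy) == "ACCEPT"]

if __name__ == "__main__":
    print("leaks with correct ordering:", leaks())
    # Same rules with the guest web allow moved above the isolation rule.
    misordered = POLICY[:4] + [POLICY[6]] + POLICY[4:6] + POLICY[7:]
    print("leaks when misordered:", leaks(misordered))
```

The misordered variant shows why the LAN drop for guests has to sit above the general web allow: with the order swapped, a guest can reach a web interface on the office LAN.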
 

nweaver

I'll qualify this... I am a Cisco wireless bigot, especially for business, when it matters. I would do the following:

Set up APs and ACS for AD authentication right onto the corp network, WPA2, EAP-FAST with TLS inner method authentication (requires a valid AD-issued cert to join the wireless network), and then run a second VLAN on those (1200 series support VLANs) and put that behind the Linux box, with whatever s/w is required for anon authentication, and set up b/w limiting on a per-IP basis.

Based on what you currently have/know, this may be too expensive/beyond your current knowledge. A Linksys has no place in a corp environment.
 

RebateMonger

One "easy configuration" software solution is with Microsoft's ISA 2004 Server. If you have less than 75 PCs, you can get Windows Small Business Server, Premium Edition, for about $800 (with 5 CALs). That would allow you to isolate your wireless network, would allow you to do high-end authentication as nweaver suggests, would only allow authorized employees access to the main network, and could block undesirable applications from accessing the Internet, as well as giving you the built-in Exchange mail server, SharePoint Server, and other useful business tools.
 

skisteven1

That's a little bit over my head, and about $15K over my budget. This is a small business with about 8 employees. We do not have any managed switches, nor an AD server.

Thanks for the response though
 

spidey07

Originally posted by: nweaver
I'll qualify this... I am a Cisco wireless bigot, especially for business, when it matters. I would do the following:

Set up APs and ACS for AD authentication right onto the corp network, WPA2, EAP-FAST with TLS inner method authentication (requires a valid AD-issued cert to join the wireless network), and then run a second VLAN on those (1200 series support VLANs) and put that behind the Linux box, with whatever s/w is required for anon authentication, and set up b/w limiting on a per-IP basis.

Based on what you currently have/know, this may be too expensive/beyond your current knowledge. A Linksys has no place in a corp environment.

Yep, this is how you do it.

You'll run two separate SSIDs and authentication mechanisms. What you are asking for requires a "real" wireless solution.
 

InlineFive

I have a small business with two laptops, and although we will probably go with the more expensive (albeit secure) route when we expand, right now we are simply using WPA2-Personal with a 63-character key. So far (to my knowledge) no one has managed to break it and it suits our purposes.

As far as WDS I'm sure some of the Cisco WAPs can handle that with relative ease.
 

Brazen

Well, for what you want, you'll have to have EAP, which means you will need a RADIUS server and a directory server (right?). You could use FreeRADIUS for your RADIUS server and OpenLDAP for the directory server. Then flash your Linksys with the DD-WRT firmware to get the VLAN and EAP capabilities on your AP.
 

nweaver

Originally posted by: InlineFive
I have a small business with two laptops, and although we will probably go with the more expensive (albeit secure) route when we expand, right now we are simply using WPA2-Personal with a 63-character key. So far (to my knowledge) no one has managed to break it and it suits our purposes.

As far as WDS I'm sure some of the Cisco WAPs can handle that with relative ease.

Yes, Cisco supports WDS well...

WPA2 is (currently) not brute-forceable, so a strong key is good encryption. For a small business without a lot of capital that may be a good way to go. I wouldn't get over 20-30 employees before going with a serious AP, like a 1231. Those will do EAP with onboard RADIUS servers (so no need for a RADIUS server or directory server).
 

kevnich2

For a small business like you have, I don't see any reason to simply use WPA for your wireless. Your business probably isn't SO important someone will want to try breaking in a wireless environment like that. I've had WPA on my work network for a while and have been monitoring the connections throughout this time and nobody's gotten in. It's secure enough for my liking.
 