Seeking advice on Aironet 1232 config for visitor and staff access

Hello everyone

I have an Aironet 1232AG (AIR-AP1232AG-A-K9) and I have to configure it for use by visitors using laptops for "Internet Only" access, meaning no access to anything on our LAN, and for staff to access Internet + have access to servers on our LAN. The staff and visitors will be using different machines. I was thinking of using a separate SSID requiring MAC address security and WEP for visitors, and another SSID using RADIUS via MS IAS (PEAP) which would require membership of workstation and user account in a special group in order to have wireless access. I'm just not sure if MAC and WEP for visitors is the best/most flexible way, and I'm not sure how to isolate visitors from our LAN while giving employees access to LAN & Internet. Would I use a VLAN? Help!

Ned

VLAN if possible. Else you can attach an ACL to block access to anything but DHCP, DNS and router for the guest SSID. Weird...only if VLAN isn't an option

Uli Link
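
The guest filter described in the reply above (permit DHCP, DNS and the router, block the rest of the LAN), modelled as a first-match rule list so the rule order can be checked offline. This is an added example, not part of the original thread; the addresses, the rule set and the probe list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumptions, not from the thread).
LAN = ipaddress.ip_network("192.168.10.0/24")   # staff and server LAN
ROUTER = "192.168.10.1"                         # default gateway, assumed DHCP server
DNS = "192.168.10.5"                            # internal DNS server

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", "icmp", or "ip" for any protocol
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # None matches any port

GUEST_ACL = [
    Rule("permit", "udp", "255.255.255.255/32", 67),  # DHCP broadcast
    Rule("permit", "udp", f"{ROUTER}/32", 67),        # DHCP renewal (unicast)
    Rule("permit", "udp", f"{DNS}/32", 53),
    Rule("permit", "tcp", f"{DNS}/32", 53),
    Rule("permit", "icmp", f"{ROUTER}/32"),           # ping the gateway only
    Rule("deny", "ip", str(LAN)),                     # everything else on the LAN
    Rule("permit", "ip", "0.0.0.0/0"),                # Internet
]

def evaluate(acl, proto, dst, dport=None):
    """Return the action of the first matching rule; no match is an implicit deny."""
    addr = ipaddress.ip_address(dst)
    for r in acl:
        if (r.proto in ("ip", proto)
                and addr in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action
    return "deny"

# Probes a guest policy must satisfy: (proto, dst, dport, expected action).
PROBES = [
    ("udp", "255.255.255.255", 67, "permit"),
    ("udp", DNS, 53, "permit"),
    ("tcp", "192.168.10.20", 445, "deny"),    # constructed file server
    ("tcp", DNS, 3389, "deny"),               # DNS host reachable on port 53 only
    ("tcp", ROUTER, 23, "deny"),              # router management stays closed
    ("tcp", "203.0.113.10", 443, "permit"),   # constructed Internet host
]

def failures(acl):
    """Return the probes whose outcome differs from the expected action."""
    return [p for p in PROBES if evaluate(acl, p[0], p[1], p[2]) != p[3]]
```

Moving the LAN deny above the DNS permits makes `failures()` report the DNS probe, which is the ordering mistake this kind of filter most often hides.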

I would recommend using a WLSM and putting together a mobility group. This mobility group can be dumped onto the external network while the employees can be dumped onto the local LAN. All this without "vlans"

Nick

Thanks for your advice. I worked on this yesterday and used IAS to authenticate visitors based on their MAC address. Switches were not configured for VLANs and there wasn't enough time to configure them, so I used the filters you mentioned and they worked. When a visitor comes in, the admin writes down the MAC address of the device and creates an account named after the MAC address in AD and adds the account to a group called Wireless guest whose members IAS will allow to authenticate. The IAS logs say the authentication type is PAP, which isn't secure, but I need something that will work with almost any device that a visitor might want to connect to our AP, so I will use PAP until I figure out what to replace it with. The device (laptop) is configured for WEP with open auth, and pointed to the correct SSID. I'm sure there are better ways to do this, but this is a start. I will continue to work on making it better. As for the WLSM mentioned by Nick, I never knew they even existed. I googled "WLSM" and found something for the Cisco 6500. We only have a couple of Dell switches and 40 users. Thanks for your replies!!

Ned
