Re: Establishing an enterprise solution for guest and employee access
From: James McIllece [MS] (jamesmci_at_online.microsoft.com)
Date: 03/21/05
- Previous message: Manjunath Bharadwaj [MSFT]: "Re: IAS-proxy and adding attributes part 2"
- In reply to: Peter Ullrich: "Establishing an enterprise solution for guest and employee access"
- Next in thread: Thomas K: "Re: Establishing an enterprise solution for guest and employee access"
- Reply: Thomas K: "Re: Establishing an enterprise solution for guest and employee access"
- Reply: Peter Ullrich: "Re: Establishing an enterprise solution for guest and employee access"
- Reply: Peter Ullrich: "Re: Establishing an enterprise solution for guest and employee access"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 21 Mar 2005 10:58:37 -0800
Peter Ullrich <unendlich@gmx.at> wrote in
news:zYU_d.5301$zY6.5129@news.chello.at:
> Hi!
>
> I have to set up as part of my thesis a WLAN network with the following
> requirements:
>
> .) 802.1x and RADIUS Server authentication for employees to access
> critical data
> .) Simple WEP for guests who want to access just the internet
>
> Because I'm a real newbie in enterprise solutions I would like to ask
> you if this solution concept will work (based on one AP Cisco 1300
> running as 1100, no roaming):
>
> .) I (will) establish 2 different VLANs on the AP. Vlan_1 for the full
> security and Vlan_2 for Guest access. Vlan_1 should therefore have
> access to the intranet and Vlan_2 only to the internet.
>
> .) A trunk connection between the AP and a VLAN enabled Router/switch
>
> .) The router/switch will distinguish both VLANs and redirect Vlan_1 to
> a Win2003 Server for further authentication processes and Vlan_2 is
> redirected directly to the WAN connected to the Router. The DHCP server
> for Vlan_1 is running on the Win2003 Server and the IP addresses for
> Vlan_2 are distributed by a DHCP server in the WAN. Both VLANs will have
> a different subnet.
>
> So in my case, the question which security level is used, is decided by
> choosing the proper SSID.
>
> Will this theoretical schema work? Do I have to consider other stuff?
>
> Thank you in advance!
>
> Peter Ullrich
>
> P.S.: Please tell me, if you know some sites in the internet which could
> be interesting for me!
>
Hi Peter --
I think you should use IAS/RADIUS for both guest access and employees --
you can very simply set up two different remote access policies in IAS, one
to handle guest authentication and one to handle employees. You can also
configure IAS to assign the connection to a VLAN in the remote access
policy.
And it will be a much simpler and easier to manage configuration if you use
the WS03 DHCP server for both VLANs, then you can manage IP addresses in
one place.
For more info on VLANs and IAS, see the VLAN whitepaper at "Internet
Authentication Service"
http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
Also, I read your other post about WPA/WEP and EAP-TLS. WPA and WEP are
used between the AP and the client, while EAP-TLS is a certificate-based
authentication method that is configured at the IAS server. Typically you
are not choosing between WEP/WPA or EAP-TLS -- you would use WEP/WPA *and*
an authentication method such as EAP-TLS or PEAP-MS-CHAP v2.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
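The per-policy VLAN assignment described in the reply above, sketched as an added example that is not part of the original post and is not IAS code: a first-match policy table returns the RADIUS tunnel attributes (RFC 2868, used for 802.1X VLAN assignment per RFC 3580), and a decoder checks which VLAN an attribute block actually assigns. The policy names, group names and VLAN IDs are assumptions made up for illustration.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and values used for VLAN assignment (RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed policy table: first match wins; names and group names are hypothetical.
POLICIES = [
    {"name": "Employees", "group": "WLAN-Employees", "vlan": "1"},
    {"name": "Guests", "group": "WLAN-Guests", "vlan": "2"},
]

def select_policy(user_groups):
    """Return the first policy whose group condition matches, or None (reject)."""
    return next((p for p in POLICIES if p["group"] in user_groups), None)

def vlan_attributes(vlan_id, tag=0):
    """Encode the three tunnel attributes; RFC 3580 recommends tag 0x00."""
    def tagged_int(attr, value):
        # type, length (always 6), tag, 3-octet value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = bytes([tag]) + vlan_id.encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)

def assigned_vlan(attrs):
    """Decode an attribute block; return the VLAN ID only if all three agree."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        attr, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[attr] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet <= 0x1F is a tag, otherwise it is part of the string
            seen[attr] = (value[1:] if value[0] <= 0x1F else value).decode("ascii")
        i += length
    if seen.get(TUNNEL_TYPE) == TYPE_VLAN and seen.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802:
        return seen.get(TUNNEL_PRIVATE_GROUP_ID)
    return None

def vlan_for(user_groups):
    """VLAN a user with these group memberships ends up in, or None if rejected."""
    policy = select_policy(user_groups)
    return assigned_vlan(vlan_attributes(policy["vlan"])) if policy else None
```

Because the table is evaluated first-match, a user who is in both groups lands in the employee VLAN, so the order of the two policies is part of the access decision.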