Re: Guest Access using IAS/AD/ISA/WPA
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 24 Jan 2007 10:52:41 -0800
"eugenevr" <evrng@xxxxxxxxx> wrote in
news:1169550215.929433.126630@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:
> We have set up secure wireless access using IAS, with WPA/TKIP and
> auto-enrollment for domain computers. (On SBS2003SP1 with ISA 2004.) All
> works fine. Next requirement:
> Guest/contractor access using the same infrastructure (WAP etc.). Note
> that we are using a private CA (no Verisign etc.). This access should be
> to access the Internet only.
> Can anyone assist in testing my logic?
> 1) We could use WPS, but it seems like a lot of work for the odd guest
> connection?
> 2) We cannot autoenroll certs, as the units will not be joined to the
> domain. Even if we do use certs, that means the user would need to add
> the certificate to the local store manually. Not something we would
> like to see.
> 3) We could use the guest account, but then I have two q's:
> a. Am I right in assuming there will be no certificate issues?
> b. I suppose I would need to set up specific rules in ISA to ensure this
> user gp has correct outbound access.
> 4) I could use VLANs, but for a small network once again this seems
> like overkill?
> Any suggestions appreciated.
> Eugene
Hi Eugene --
The other person who responded had a good idea for you.
Another approach is to allow the guests to connect to the same SSID and use
IAS remote access policy to assign the guests to an Internet-only VLAN. In
that case you would configure a Guest remote access policy to allow
unauthenticated access (you can configure each remote access policy with
its own authentication requirements).
If you wanted more security than unauthenticated access, it would take a
small amount of administrative work -- just create a group in AD called
'Visitors' (or whatever), and when a new visitor arrives, create a user
account for them and add them to the group.
Then the remote access policy applies only to members of that group. When a
group member attempts a connection, IAS sends the VLAN attributes
configured in the remote access policy to the AP and the AP assigns the
connection to the VLAN dictated by IAS.
You would need VLAN-aware hardware to do this though.
Details on how to configure this with IAS can be found in this whitepaper:
"Deploying Windows Server 2003 Internet Authentication Service (IAS) with
Virtual Local Area Networks (VLANs)" at
http://www.microsoft.com/downloads/details.aspx?FamilyId=C9ED3609-49FC-439B-92F4-266B187CAE5A&displaylang=en
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
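
Added example, not part of the original post or of Microsoft's whitepaper: a check that a captured RADIUS Access-Accept really carries the VLAN assignment described in the reply above, since a reply that omits the attributes does not move the guest to the Internet-only VLAN. The attribute numbers are the standard ones from RFC 2868 and RFC 3580; the VLAN ID "20", the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580 (not named in the post).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802, ACCESS_ACCEPT = 13, 6, 2

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def make_accept(attrs):
    """Build a constructed Access-Accept (zeroed authenticator) for checking."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def assigned_vlan(packet):
    """Return the VLAN ID an Access-Accept assigns, or None if it assigns none."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20  # attributes start after the 20-byte header
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        found[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    ttype, medium = found.get(TUNNEL_TYPE), found.get(TUNNEL_MEDIUM_TYPE)
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (ttype and medium and group) or len(ttype) != 4 or len(medium) != 4:
        return None
    # Tunnel-Type and Tunnel-Medium-Type carry a tag byte, then a 3-byte value.
    values = (int.from_bytes(ttype[1:], "big"), int.from_bytes(medium[1:], "big"))
    if values != (TYPE_VLAN, MEDIUM_802):
        return None
    # A leading byte of 0x1F or less is a tag, not part of the VLAN ID string.
    if group[0] <= 0x1F:
        group = group[1:]
    return group.decode("ascii")

# Constructed samples: a reply carrying the VLAN attributes, and one without.
WITH_VLAN = make_accept([attr(TUNNEL_TYPE, bytes([0, 0, 0, 13])),
                         attr(TUNNEL_MEDIUM_TYPE, bytes([0, 0, 0, 6])),
                         attr(TUNNEL_PRIVATE_GROUP_ID, b"20")])
WITHOUT_VLAN = make_accept([])
```

Compare the value `assigned_vlan` returns for a Visitors logon against the ID of the Internet-only VLAN, and treat `None` as a failed check.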