What's the best way to implement secure internal wireless?

CodeBlox Member Posts: 1,363
I have been tasked with implementing secure internal wireless at our shop. I have a few ideas but am curious as to what you folks recommend. We currently have wireless that does not have access to our internal network but we have a need for devices such as iPads to have access to our internal network. We are a Cisco shop. So what do you guys recommend?
Currently reading: Network Warrior, Unix Network Programming by Richard Stevens


  • Iristheangel CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more from m Pasadena, CA Mod Posts: 4,133
    Hmm... A couple ideas I have would be something like an AD login page or ISE + MDM integration.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • SteveO86 Member Posts: 1,423
    Depending on what you have already, I'd start with a separate WLAN with Dot1X authentication for internal access. There are quite a few EAP types to choose from, so you will want to pick your poison. Certificate- or user-based, usually. Don't forget to ensure availability of your authentication: if you forward Dot1X authentication to an ACS server, have a second one in the event of a failure.

    In my experience a guest WLAN usually gets tacked onto the WLAN after some amount of time (and it's usually easy to plan for it out of the gate), for guest access. I'd recommend a second WLC as a mobility anchor behind a firewall with internet access. Perhaps even off its own internet connection so guest traffic does not affect enterprise traffic from the internet edge perspective. A captive portal for guest users can be used to secure guest access, but guest users require a bit of overhead (which can usually be delegated).

    I haven't had the chance to mess with ISE (yet) or many MDM applications so I can't speak for those. So my recommendations might be becoming outdated as I understand ISE introduces a whole new level of control.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS