Whats the best way to implement secure internal wireless?

CodeBlox

I have been tasked with implementing secure internal wireless at our shop. I have a few ideas but am curious as to what you folks recommend. We currently have wireless that does not have access to our internal network but we have a need for devices such as iPads to have access to our internal network. We are a Cisco shop. So what do you guys recommend?

Iristheangel

Hmm... A couple ideas I have would be something like an AD login page or ISE + MDM integration.

SteveO86

Depending on what you have already, I'd start with a separate WLAN with Dot1X authentication for internal access. There are quite a few EAP to choose so you will want to pick your poison. Certificate or user based usually. Don't forget to ensure availability of your authentication, if you forward Dot1X authentication to an ACS server, have a second one in the event of a failure.

In my experience a guest WLAN usually gets tacked onto the WLAN after some amount of time (and it's usually easily to plan for it out of the gate), for guest access. I'd recommend a second WLC as a mobility anchor behind a firewall with internet access. Perhaps even off it's own internet connection so guest traffic does not affect enterprise traffic from the internet edge perspective. Captive portal of guest users can be used secure guest access but guest users requires a bit of overhead (which can usually be delegated)

I haven't had the chance to mess with ISE (yet) or many MDM applications so I can't speak for those. So my recommendations might be becoming outdated as I understand ISE introduces a whole new level of control.

Polynomial

Complex passwords: https://www.youtube.com/watch?v=oNrWgjh9tnU