Guest wireless network

TesseracT Member Posts: 167
Hey guys hopefully one of you can help me here...

I have multiple access points working fine with two SSIDs, corporate LAN on one and a guest wireless LAN on the other.

What I want to do is centrally manage the account on the guest wireless LAN without buying a costly WLC. I've tried using multiple RADIUS clients but they all want to use certificates with EAP. This is a guest WLAN so we don't want certificates. Something like a centrally managed WPA key would work fine but I've no idea how that can be done using stand-alone APs?

Comments

  • SteveO86 Member Posts: 1,423
    Without a WLC/LWAP combo, I think the closest thing to "centrally" managed you are going to get is individually configuring each AP. LWAP, WLC, WCS is just part of Cisco's UWN (Unified Wireless Network) model.

    What model AP and software version are you running? (Configuring a common WPA2 passphrase on each AP with the common guest SSID should do the trick for you.)
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • TesseracT Member Posts: 167
    Thanks for your quick reply Steve, just left the office and I can't remember the models off the top of my head but they are all pretty new.

    Because it's the guest network we don't want to have to deal with any sort of EAP, as it should be a matter of the guests entering a key and off they go. I've got it working fine now with a static WPA key, but as the number of APs grows it gets to be a bit of an administrative nightmare going around and changing the key on each AP every week (as that's the current policy). No other workarounds you know of? It seems pretty strange that there's no way to send the WPA request from the AP to a centrally managed RADIUS server or something so you just have to change it in the one spot?
  • SteveO86 Member Posts: 1,423
    How many APs do you have? I would try and plead your case with management and budget for a WLC (or two for redundancy), especially if policy is to change the key every week... At some point the cost of the WLC has to justify itself with the time spent on individual AP management.

    Cisco has WLCs to manage everything from a dozen APs to thousands.

    (My opinion is very biased toward Cisco, so it is possible someone else may chime in with a solution. It might be possible to implement something like FreeRADIUS and rely on user-based authentication instead of an SSID passphrase, but I can't vouch for that, just throwing out ideas.)
  • Forsaken_GA Member Posts: 4,024
    You'd probably be better off just opening up the authentication as far as a key goes, and creating a captive portal instead. Then you could just tie the captive portal auth back into whatever you're using for centralized auth and change the password for the guest account in one location instead of having to change static keys on a number of APs.

    I do this with pfSense on my home network. I just drop the AP in one VLAN, and that VLAN's gateway is the pfSense box. Captive Portal is enabled for that interface. So folks can associate to the AP, but can't get anywhere outside of the subnet until they open the web browser and pass the captive portal page. pfSense can either maintain a local auth database, or tie back into a RADIUS server.
  • TesseracT Member Posts: 167
    Thanks Forsaken, that's a really good alternative. I'll have to read up on it a bit and see if we can whack in a VM of pfSense somewhere.