Guest wireless network
TesseracT
Member Posts: 167
Hey guys hopefully one of you can help me here...
I have multiple access points working fine with two SSIDs, corporate LAN on one and a guest wireless LAN on the other.
What I want to do is centrally manage the account on the guest wireless LAN without buying a costly WLC. I've tried using multiple RADIUS clients but they all want to use certificates with EAP. This is a guest WLAN so we don't want certificates. Something like a centrally managed WPA key would work fine but I've no idea how that can be done using stand-alone APs?
Comments
SteveO86
Member Posts: 1,423
Without a WLC/LWAP combo, I think the closest thing to "centrally" managed you are going to get is individually configuring each AP. LWAP, WLC, WCS is just part of Cisco's UWN (Unified Wireless Network) model.
What Model AP and software version are you running? (Configuring a common WPA2 passphrase on each AP with the common guest SSID should do the trick for you.)
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
TesseracT
Member Posts: 167
Thanks for your quick reply Steve, just left the office and I can't remember the models off the top of my head but they are all pretty new.
Because it's the guest network we don't want to have to deal with any sort of EAP as it should be a matter of the guests entering a key and off they go. I've got it working fine now with a static WPA key but as the number of APs grows it gets to be a bit of an administrative nightmare going around and changing the key on each AP every week (as that's the current policy). No other workarounds you know of? It seems pretty strange that there's no way to send the WPA request from the AP to a centrally managed RADIUS server or something so you just have to change it in the one spot?
SteveO86
Member Posts: 1,423
How many APs do you have? I would try and plead your case with management and budget for a WLC (or two for redundancy), especially if policy is to change the key every week.... At some point the cost of the WLC has to justify itself with the time spent on individual AP management.
Cisco has WLCs to manage everything from a dozen APs to 1000s.
(My opinion is very biased toward Cisco, so it is possible someone else may chime in with a solution. It might be possible to implement something like FreeRADIUS and rely on user-based authentication instead of an SSID passphrase, but I can't vouch for that, just throwing out ideas.)
Forsaken_GA
Member Posts: 4,024
You'd probably be better off just opening up the authentication as far as a key goes, and creating a captive portal instead. Then you could just tie the captive portal auth back into whatever you're using for centralized auth and change the password for the guest account in one location instead of having to change static keys on a number of APs.
I do this with pfSense on my home network. I just drop the AP in one VLAN, and that VLAN's gateway is the pfSense box. Captive Portal is enabled for that interface. So folks can associate to the AP, but can't get anywhere outside of the subnet until they open the web browser and pass the captive portal page. pfSense can either maintain a local auth database, or tie back into a RADIUS server.
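The single-place password change described in the post above, sketched as an added example that is not from the thread. It assumes the captive portal authenticates against a FreeRADIUS-style `users` file holding one shared account named `guest`; the sample file contents and the function names are constructed for illustration.

```python
import re
import secrets

# Letters and digits minus look-alikes (0/O, 1/l/I), easy to read out at reception.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed sample of a FreeRADIUS-style users file (assumed layout).
SAMPLE_USERS = (
    '# accounts checked by the captive portal\n'
    'guest\tCleartext-Password := "old-weekly-key"\n'
    '\tReply-Message := "Guest WLAN"\n'
    '\n'
    'contractor\tCleartext-Password := "unchanged"\n'
)


def new_passphrase(groups=4, size=4):
    """Random passphrase from the OS CSPRNG, in hyphen-separated groups."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(size))
        for _ in range(groups)
    )


def rotate_guest(users_text, account="guest", new_secret=None):
    """Return (updated_text, secret) with only `account`'s password replaced."""
    secret = new_secret if new_secret is not None else new_passphrase()
    if not secret or re.search(r'["\\\r\n]', secret):
        raise ValueError("secret is empty or would break the users-file quoting")
    entry = re.compile(
        rf'^({re.escape(account)}[ \t]+Cleartext-Password[ \t]*:=[ \t]*)"[^"\n]*"',
        re.MULTILINE,
    )
    if len(entry.findall(users_text)) != 1:
        # Fail closed: a missing or duplicated entry would leave an old key live.
        raise ValueError(f"expected exactly one entry for {account!r}")
    updated = entry.sub(lambda m: f'{m.group(1)}"{secret}"', users_text)
    return updated, secret


if __name__ == "__main__":
    text, secret = rotate_guest(SAMPLE_USERS)
    print(text)
    print("This week's guest password:", secret)
```

Run weekly from a scheduler against the real file, the access points themselves never need touching: only the RADIUS entry changes, and the server has to re-read the file afterwards.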
TesseracT
Member Posts: 167
Thanks Forsaken, that's a really good alternative. I'll have to read up on it a bit and see if we can whack in a VM of pfSense somewhere.