DefinIT Because if IT were easy, everyone would do it…

29 Jun 2011

Configuring a Guest wireless network with restricted access to Production VLANs

It’s a fairly common requirement – setting up a guest WiFi network that is secure from the rest of your LAN. You need a secure WLAN access for the domain laptops which has full access to the Server and Client VLANs, but you also need a guest WLAN for visitors to the office which only allows internet access. Since the budget is limited, this must all be accomplished via a single Access Point – for this article, the access point is a Cisco WAP4410N.

Existing Network layout and Design

This assumes there is a core network switch that is Layer 3 enabled and has inter-VLAN routing configured. By default all the VLANs can talk to each other, routed through the switch. The switch is also configured with a gateway of last resort pointing to the firewall’s internal IP, which is what provides internet access.


So the headlines are:

  • Existing Production VLANs – VLAN10 iSCSI (10.1.10.0/24), VLAN11 Server (10.1.11.0/24) and VLAN12 Client (10.1.12.0/24) – these all route through the core switch and can see each other.
  • Create a Guest VLAN – VLAN13 (10.1.13.0/24), which can access the internet but not the existing VLANs.
  • Create a Secure Wireless LAN – all traffic assigned to VLAN12. Since it’s a domain environment this will use PEAP authentication, so clients can use their domain password to access the WLAN.
  • Create a Guest Wireless LAN – all traffic assigned to VLAN13. This will use a static WPA2 passphrase which can be changed regularly; since it is only handed to visitors rather than to domain clients, that isn’t a huge admin overhead. Bear in mind that a shared passphrase gives no per-user accountability, so treat everything on the guest VLAN as untrusted.

I’m not going to cover setting up a Domain, Certificate Authority, or Internet Authentication Service. I am assuming you have these already, have issued a server certificate to your IAS server, and that the issuing CA is trusted by all of your domain clients (the clients need that trust to validate the IAS server during PEAP). My demo lab setup:

  • Wireless Access Point (Cisco WAP4410N) – Definit-WAP
  • Core Network Switch (Cisco 3750) – Definit-SW
  • Active Directory Domain Controller – DefinIT-DC
  • Public Key Infrastructure – DefinIT-CA
  • Windows Server 2003 IAS – DefinIT-IAS

Preparing the Network Core

All commands are from the Configure prompt (config t)

The first task is to create the new Guest VLAN13 and its routed interface (SVI) using the commands below. The IP address assigned to the Vlan13 interface acts as the gateway for VLAN13 on the core switch. (VTP will propagate the VLAN definition to the access switches, if configured; the SVI only exists on the core.)

vlan 13
name DefinITGuest
exit
interface Vlan13
description DefinIT Guest VLAN
ip address 10.1.13.1 255.255.255.0
no shutdown

Next configure the interface the Cisco WAP4410N plugs into on the core switch (in this case G2/0/13). The port needs to be in trunk mode to carry multiple VLANs. I’ve configured the native VLAN to be the Server VLAN11, as this is the one I want the web management interface to be accessible on; any untagged traffic from the AP will be placed in it. You could also restrict which VLANs the trunk carries with “switchport trunk allowed vlan …”. Limiting it to VLAN13 alone would stop the secure WLAN reaching the server and client VLANs, but “switchport trunk allowed vlan 11,12,13” keeps the iSCSI VLAN10 off the AP’s uplink without breaking anything and is worth doing. Remember that whatever is plugged into this port untagged lands in VLAN11, so the port and the AP should be physically secure.


interface GigabitEthernet2/0/13
description DefinIT-WAP Trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 11
switchport mode trunk
no shutdown

The Guest WLAN will not be allowed access to the server VLAN in any form, so it can’t use the production DHCP server. Fortunately the switch is more than capable of handling that, so we move on to the DHCP pool configuration. Because the DHCP scope is on the same IP network as the Vlan13 interface, only that interface will answer DHCP requests from guests (which is good, because I don’t want my network ruined by fighting DHCP servers!). If you assign any static addresses in the guest range, keep them out of the pool with “ip dhcp excluded-address”.


ip dhcp pool GuestWLAN
network 10.1.13.0 255.255.255.0
default-router 10.1.13.1
dns-server 8.8.8.8 8.8.4.4

Now that the plumbing is set up, we need to control who is allowed to access what. This means creating an access list to deny the guest VLAN access to the production VLANs. Note that an IOS ACL uses a wildcard mask rather than a subnet mask: subtract each octet of the subnet mask from 255 (e.g. 255.255.255.0 becomes 0.0.0.255, since 255-255=0 for the first three octets and 255-0=255 for the last). A 0 bit in the wildcard must match exactly; a 1 bit is ignored.


ip access-list extended DefinIT_GUEST
remark Deny Guest VLAN13 access to other VLANs
deny ip any 10.1.10.0 0.0.0.255
deny ip any 10.1.11.0 0.0.0.255
deny ip any 10.1.12.0 0.0.0.255
permit ip any any

Finally, apply the access list to the guest Vlan13 interface. Note that the direction is “in”, which seems counter-intuitive but is correct: the perspective is the switch’s, so traffic from a client on the guest VLAN arrives inbound on the Vlan13 interface. Two things to keep in mind: the list is evaluated top-down with the first match winning and an implicit deny at the end, so the “permit ip any any” only covers destinations that did not match a deny above it; and it only enumerates the three existing VLANs, so any production VLAN added later must be added to the ACL as well (or deny the whole 10.0.0.0/8 range instead). Guests can still reach the switch’s own 10.1.13.1 address, so make sure management access to the switch (SSH, HTTP) is restricted with an access-class and not left open to the guest VLAN.


interface Vlan13
ip access-group DefinIT_GUEST in
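Since the whole isolation policy lives in that one ACL, it is worth being able to check it without a guest laptop to hand. The Python script below is an added example (not code from the article and not Cisco tooling): it converts subnet masks to IOS wildcard masks as described above, parses the DefinIT_GUEST list exactly as written, and evaluates sample guest-to-destination flows the way IOS does (first match wins, implicit deny at the end). The guest client address, the destination hosts and the tighter DefinIT_GUEST_V2 list are my own constructions; the V2 list shows the default-deny alternative, where a VLAN added later (a hypothetical 10.1.14.0/24) is blocked without anyone having to remember to edit the ACL.

```python
"""Offline check of the guest-VLAN ACL: IOS wildcard-mask conversion plus a
first-match evaluator that mimics how IOS walks an extended ACL.
Added example for this article, not Cisco code; the hosts below are constructed."""
import ipaddress

# Port names IOS accepts in 'eq' clauses (small subset, enough for this page).
NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def wildcard_mask(subnet_mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: each wildcard octet is 255 minus the mask octet."""
    return ".".join(str(255 - int(o)) for o in subnet_mask.split("."))


def _matches(addr: str, spec: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wildcard))
    return (a | w) == (s | w)


def _parse_spec(t, i):
    """Consume 'any', 'host A' or 'A W' at t[i]; return ((addr, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_acl(text: str):
    """Turn an 'ip access-list extended' block into (action, proto, src, dst, dport) rules."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("ip", "remark"):
            continue  # the header line and remarks carry no matching logic
        action, proto = t[0], t[1]
        src, i = _parse_spec(t, 2)
        dst, i = _parse_spec(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
        rules.append((action, proto, src, dst, dport))
    return rules


def evaluate(rules, src, dst, proto="ip", dport=None):
    """First matching rule wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for action, rproto, (sa, sw), (da, dw), rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if _matches(src, sa, sw) and _matches(dst, da, dw):
            return action
    return "deny"


# The ACL from the article, as written.
GUEST_ACL = """\
ip access-list extended DefinIT_GUEST
remark Deny Guest VLAN13 access to other VLANs
deny ip any 10.1.10.0 0.0.0.255
deny ip any 10.1.11.0 0.0.0.255
deny ip any 10.1.12.0 0.0.0.255
permit ip any any
"""

# Tighter variant (my assumption, not from the article): deny all RFC1918 space so a
# VLAN added later is blocked by default; unicast DHCP renewals to the SVI stay allowed.
GUEST_ACL_DEFAULT_DENY = """\
ip access-list extended DefinIT_GUEST_V2
permit udp any host 10.1.13.1 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

# Constructed destinations a guest client might try to reach.
TARGETS = {
    "iscsi_host": "10.1.10.5",
    "ias_server": "10.1.11.10",
    "client_pc": "10.1.12.20",
    "guest_gateway": "10.1.13.1",
    "future_vlan14": "10.1.14.1",  # hypothetical VLAN not listed in the article's ACL
    "public_dns": "8.8.8.8",
}


def guest_policy_report(acl_text=GUEST_ACL, guest_client="10.1.13.50"):
    """Map each target name to 'permit'/'deny' for traffic from one guest client."""
    rules = parse_acl(acl_text)
    report = {name: evaluate(rules, guest_client, ip) for name, ip in TARGETS.items()}
    report["dhcp_renew"] = evaluate(rules, guest_client, "10.1.13.1", proto="udp", dport=67)
    return report


if __name__ == "__main__":
    for name, acl in (("article ACL", GUEST_ACL), ("default-deny ACL", GUEST_ACL_DEFAULT_DENY)):
        print(name, guest_policy_report(acl))
```

Running it shows the gap in the article’s list: traffic to the hypothetical 10.1.14.1 is permitted because only three subnets are enumerated. The V2 variant closes it by denying all private address space, with one permit ahead of the denies so that unicast DHCP renewals to the switch’s 10.1.13.1 still work (the initial discover is a broadcast and is unaffected). Ping to the guest gateway is then blocked as well, which is usually acceptable on a guest network.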

That’s it, core network configured!

Configure IAS to provide RADIUS authentication

Create a new RADIUS client by selecting the RADIUS Clients folder, right-click and choose New. Give the wireless access point a friendly name and enter its management IP (for me DefinIT-WAP; the original gives 10.1.13.20, but since the AP’s untagged management traffic lands in native VLAN11 on the trunk above, its static address actually needs to come from 10.1.11.0/24, otherwise IAS’s replies would be routed onto VLAN13 and never reach the AP). Set the Client-Vendor to Cisco, or whichever vendor you’re using, and a strong shared secret (random, at least 13 characters mixing upper/lower case, digits and symbols; it is only ever typed twice, so longer costs nothing).


Create a new Remote Access Policy using the Remote Access Policy wizard (right-click Remote Access Policies and select New…):


Select Wireless as the access method, and select a Windows Security group to allow access:


Select PEAP as the authentication method, pick the server certificate issued to the IAS server for identification, and set the EAP type to MS-CHAP v2. If you have issued client certificates to all users, you can add Smart Card or other Certificate to the EAP authentication methods. On the client side, make sure the wireless profile validates the server certificate and is pinned to your CA (and ideally to the IAS server name); without that check a rogue AP broadcasting the same SSID can terminate the PEAP tunnel itself and capture the MS-CHAPv2 exchange, which can be cracked offline.


Configuring the Access Point

I’m assuming you can manage to turn the thing on, access its web interface and assign the static IP you picked earlier to the AP. Now we can configure the authentication and VLANs for the guest and secure WLANs.

Open the Wireless > Basic settings and configure your two SSIDs, save and then open the Security page.


Here you can configure WPA2-Personal for the Guest SSID, and WPA2-Enterprise Mixed for the Secure SSID (Mixed mode also admits WPA/TKIP clients; if all your domain laptops support it, plain WPA2-Enterprise with AES is the better choice). Configure the IP address of your RADIUS server and the Shared Secret you configured earlier.


Now move on to the VLAN and QoS page. Here you need to enable VLANs but leave the other settings at their defaults, so the AP’s own management traffic leaves untagged and lands in native VLAN11 on the switch. Under QoS assign the VLAN ID for each network: 13 for Guest and 12 for Secure.


That’s more or less it; time to test with a handy wireless client sitting nearby. From the guest SSID you should receive an address in 10.1.13.0/24 from the switch, be able to browse the internet, and fail to reach anything in the iSCSI, Server or Client VLANs; from the secure SSID, after the PEAP logon, you should land in 10.1.12.0/24 with full access. On the switch, the hit counters on the deny lines (“show access-lists DefinIT_GUEST”) confirm the ACL is doing the work.

Creative Commons License
Configuring a Guest wireless network with restricted access to Production VLANs by DefinIT, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Posted by Sam McGeown

Comments (4) Trackbacks (0)
  1. Excellent document with required information

  2. So I was wondering in this situation if I could setup the ip-helper address for an internal DHCP/DNS server for all the vlans except for the guest vlan, and then have your guest wireless use the DHCP from the router? (in my case the 3550)

    • You should be able to configure the ip helper-address x.x.x.x under the logical VLAN interface. In this example, it would look something like the below (w/ 10.1.1.1 as the DHCP server). You would then simply leave off that command for the VLANs that you don’t want 10.1.1.1 to hand out an address to. For these, the switch would respond to the DHCP broadcasts and if it has a DHCP scope in range, will offer an address to those clients.

      I’m pretty sure that the switch will have to have an IP address in any VLANs where the helper address command is used since it will be turning broadcast packets into unicast packets and return traffic will need to be routed to that address. I use a similar setup in my home network using a CentOS box as the DHCP(ISC) / DNS(BIND) server w/ a 3550 at the core.

      ! Secure wireless LAN
      interface vlan 12
      ip address 10.12.1.1 255.255.255.0
      ip helper-address 10.1.1.1

      Gary

  3. Chris, I have the same question!


