Configuring a Guest wireless network with restricted access to Production VLANs
It’s a fairly common requirement – setting up a guest WiFi network that is secure from the rest of your LAN. You need a secure WLAN access for the domain laptops which has full access to the Server and Client VLANs, but you also need a guest WLAN for visitors to the office which only allows internet access. Since the budget is limited, this must all be accomplished via a single Access Point – for this article, the access point is a Cisco WAP4410N.
Existing Network layout and Design
Assuming there is a core network switch and that it is a Layer 3 enabled switch which has inter-VLAN routing configured. By default all the VLANs can talk to each other, routed through the switch. The switch also is configured with a gateway of last resort pointing to the firewall’s internal IP – this allows internet access.
So the headlines are:
- Existing Production VLANs – VLAN10 iSCSI (10.1.10.0/24), 11 Server (10.1.11.0/24) and 12 Client(10.1.12.0/24) – these all route through the core switch and can see each other.
- Create a Guest VLAN – to be created VLAN13 (10.1.13.0/24), which can access the internet, but not the existing VLANs
- Create a Secure Wireless LAN – all traffic assigned to VLAN12. Since it’s a domain environment this will use PEAP authentication, so clients can use their domain password to access the WLAN.
- Create a Guest Wireless LAN – all traffic assigned to VLAN13. This will use a static WPA2 access passphrase which can be changed regularly – since it won’t be used by domain clients or those who will repeatedly access it, it’s not a huge admin overhead.
I’m not going to cover setting up a Domain, Certificate Authority, or Internet Authentication Service. I am assuming you have this already, and have issued a Server certificate to your IAS server, and the CA is trusted throughout your domain clients. My demo lab set up:
- Wireless Access Point (Cisco WAP4410N) – Definit-WAP
- Core Network Switch (Cisco 3750) – Definit-SW
- Active Directory Domain Controller – DefinIT-DC
- Public Key Infrastructure – DefinIT-CA
- Windows Server 2003 IAS – DefinIT-IAS
Preparing the Network Core
All commands are from the Configure prompt (config t)
The first task is to configure the new Guest VLAN13 using the commands below. The IP address assigned to the vlan13 interface acts as the gateway for VLAN13 on the core switch. (VTP will propagate the VLAN settings to the access switches, if configured).
vlan1 name DefinITGuest interface Vlan13 description DefinIT Guest VLAN ip address 10.1.13.1 255.255.255.0
Next configure the interface for the Cisco WAP4410N to plug into on the core switch (in this case G2/0/13) – port needs to be in trunk mode to carry multiple VLANs. I’ve configured the default VLAN to be the Server VLAN11 as this is the one I want the web management interface to be accessible on. Any untagged traffic will be assigned to this by default. Here you could also restrict the allowed VLANs using “switchport trunk allowed 13” but this wouldn’t allow the secure WLAN to access the server/client VLANs.
interface GigabitEthernet2/0/13 description DefinIT-WAP Trunk switchport trunk encapsulation dot1q switchport trunk native vlan 11 switchport mode trunk no shutdown
The Guest WLAN will not be allowed access to the server VLAN in any form, so it can’t use the client DHCP server. Fortunately the switch is more than capable of handling that – we move on to the DHCP pool configuration. Because the DHCP scope is on the same IP network as the VLAN13 interface, only that interface that will respond to DHCP requests (which is good, because I don’t want my network ruined by fighting DHCP servers!)
ip dhcp pool GuestWLAN network 10.1.13.0 255.255.255.0 default-router 10.1.13.1 dns-server 184.108.40.206, 220.127.116.11
Now that the plumbing is set up, we need to control who is allowed to access what. This means creating an Access List to deny the guest VLAN access to the production VLANs. Note that the format for the ACL does not use a subnet mask, but a wildcard mask. You need to subtract each octet of your subnet mask from 255 to get the wildcard mask (e.g 255.255.255.0 becomes 255-255=0, 255-255=0, 255-255=0 and 255-0=255 to get 0.0.0.255).
ip access-list extended DefinIT_GUEST remark Deny Guest VLAN13 access to other VLANs deny ip any 10.1.10.0 0.0.0.255 deny ip any 10.1.11.0 0.0.0.255 deny ip any 10.1.12.0 0.0.0.255 permit ip any any
Finally, apply the Access List to the Guest VLAN13 interface. Note that the direction is “in” which seems counter-intuitive but is correct. The perspective is from the switch, so traffic is coming in from a client on the guest VLAN to the VLAN13 interface on the switch.
interface Vlan13 ip access-group DefinIT_GUEST in
That’s it, core network configured!
Configure IAS to provide RADIUS authentication
Create a new RADIUS client by selecting the RADIUS Clients folder and right-click – new. Configure a friendly name for the Wireless Access Point, and the IP you’re using for the WAP (for me, DefinIT-WAP and 10.1.13.20). Configure the Client-Vendor to Cisco – or the vendor you’re using, and a strong shared secret (random, 13 characters upper/lower/alpha/numeric/special will do nicely).
Create an new Remote Access Policy using the Remote Access Policy wizard (right-click Remote Access Policies and select new…):
Select Wireless as the access method, and select a Windows Security group to allow access:
Select PEAP as the Authentication method, and configure the server certificate for identification, and the EAP type to use MSCHAP-v2. If you have issued client certificates to all users, you can add Smart Card or other Certificate to the EAP authentication methods.
Configuring the Access Point
I’m assuming you can manage to turn the thing on, access it’s web interface and assign the static IP you picked earlier to the AP, now we can configure the authentication and VLANs for the guest and secure WLANs.
Open the Wireless > Basic settings and configure your two SSIDs, save and then open the Security page.
Here you can configure WPA2-Personal for the Guest SSID, and WPA2-Enterprise Mixed for the Secure SSID. Configure the IP address of you RADIUS server and the Share Secret you configured earlier.
Now move onto the VLAN and QoS page – here you need to enable VLAN but leave the defaults otherwise. Under QoS you need to assign the VLAN ID for each network – 13 for Guest and 12 for Secure
That’s more or less it, time to test with a handy wireless client sitting nearby…