Kurt, Even with the password idea, you would have to rotate it daily if not weekly or someone will just leave it out where others can gain access. Honestly, anyone smart enough with AirCrack could get the password you put on the SSID.
You could limit the DHCP scope to say 64 address and that might help limit the scope or number of people that can get on the Wireless network, or setup MAC filtering ( Again can bypass that with MAC Spoofing) but it would be a bit more manual process. I am thinking your idea about a portal process and authorization is probably the way to go, Z Edward E. Ziots, CISSP, Security +, Network + Security Engineer Lifespan Organization [email protected] This electronic message and any attachments may be privileged and confidential and protected from disclosure. If you are reading this message, but are not the intended recipient, nor an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that you are strictly prohibited from copying, printing, forwarding or otherwise disseminating this communication. If you have received this communication in error, please immediately notify the sender by replying to the message. Then, delete the message from your computer. Thank you. -----Original Message----- From: Kurt Buff [mailto:[email protected]] Sent: Wednesday, February 06, 2013 2:36 PM To: NT System Admin Issues Subject: OT: Guest network security All, Quite some time ago, I set up an unsecured guest VLAN in our network, providing wireless access to all of the sundry devices that staff and visitors carry. I set up a small FreeBSD machine to serve IP addresses via DHCP, and that was dead simple. It is a layer2 VLAN, traversing our backbone, and terminating on our corporate firewall. However, there are now other tenants in our building, and the subnet is getting too much bandwidth and address consumption - the range I set up is completely filled, and the VLAN is consuming about half of our Internet pipe, which is far too much for my comfort. I suspect the other tenants are leeching. What I've read of captive portals seems to indicate that the portal is part of the firewall. I could be wrong about that, though. Regardless, the corporate firewall will not be allowed to be part of this solution. The only other alternative I see right now is to set up a password on the SSID, and have the front desk hand it out to guests, after mailing it to staff, and I'm getting pushback on that from my manager. Does anyone have some ideas I could pursue on this? Thanks, Kurt ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
