Corporate wireless authentication

[dawks]

Hi guys, I run a smaller sized network ~100 PC's. Win XP/Vista/7, with Server 2003/2008, and Active Directory.

We have several wireless routers spread around, mostly standard consumer grade Linksys WRT-54's. Currently we just use WPA keys, which can be tedious.

I'm looking for a better authentication system. Back at my University, they had a Cisco based system where you would be able to connect to their wireless, but the only thing you could do is hit a login page, once logged in, you were on the network. That way I could give someone a guest account, they can use it, then lock it at the end of the day. No worries. Or I might want to give someone access to just the internet and nothing else, keeping them away from our servers and such.

Can I do this with Server 2008 NAP? Can this be done with the wireless routers we have? Would I use RADIUS or can they basically be setup as dummy AP's and let the server do the authentication and encryption?

We are a non-profit so I'd like to make it work with what I have if possible.

Thanks.

 

[spidey07]

You're best bet is to use RADIUS and WPA2-Enterprise with PEAP authentication. You can even tie it in to AD username/password which is normally easiest.

If your routers/APs support WPA Enterprise mode they'll support it. You'll need a radius server and I think MS server can do it, not sure though as I normally use Cisco's radius server.

 

[jlazzaro]

You're best bet is to use RADIUS and WPA2-Enterprise with PEAP authentication. You can even tie it in to AD username/password which is normally easiest.

If your routers/APs support WPA Enterprise mode they'll support it. You'll need a radius server and I think MS server can do it, not sure though as I normally use Cisco's radius server.

seconded...this is basically my default corporate wireless setup. microsoft IAS can handle the RADIUS side just fine. curious, do you have a PKI implemented?

 

[azev]

Search for " Captive Portal " that is what they have in your university.
Cisco wireless controller have this functionality or you can setup a server to be ur captive portal server.

 

[dawks]

Thanks guys,

I have setup certificate services on one of our servers, but havent really utilized it yet. Gotta do some more reading on it.

I just found the 'captive portal' stuff yesterday, and read up on it. This is pretty much what I want to do with our network.

I like to have all of our regular computers fully authorized, but any guest computers should have to go through an auth system.

Could I use something like MSFT NAP or similar to actually keep guest computers on a separate IP network, just to give them access to the internet and avoid our corporate network?

 

[thehstrybean]

Thanks guys,

I have setup certificate services on one of our servers, but havent really utilized it yet. Gotta do some more reading on it.

I just found the 'captive portal' stuff yesterday, and read up on it. This is pretty much what I want to do with our network.

I like to have all of our regular computers fully authorized, but any guest computers should have to go through an auth system.

Could I use something like MSFT NAP or similar to actually keep guest computers on a separate IP network, just to give them access to the internet and avoid our corporate network?

Sorry to jump into this late, but I just read about NAP. We had something like this where I went to college (except it was Bradford networks). Bradford worked OK (sometimes XP and Vista clients had trouble moving from remediation vlans to regular)...Has anyone used NAP on S2008?