Semi-Public Wi-Fi Network


Hi all,

I am looking for advice on the best way to set up a Wi-Fi network that can be used by clients and staff members in an office scenario. It needs to be secure, so only people coming into the building should know the WPA2 key, and it will need some form of segregation from the main corporate network.

We use Active Directory, and all users go through a proxy to filter out sites we don't want staff to get to. How would I be able to ensure that anyone connecting to the wireless network automatically goes through the proxy? At the moment we set the proxy address for IE through Group Policy. This is not an option for mobile devices not connected to the domain, so are there any routers which allow all traffic to be sent through a proxy address first?

This will be a new wireless network added onto the existing wired network, which covers two buildings, 4 floors high, linked by fiber cable. What type of router / access points / hardware would you suggest for this scenario?

Many thanks,

Stuart.


If staff and people are gonna be using it and it's separate, then you can just ignore the whole proxy thing and set it on a different subnet and DHCP range so people can connect easily. It should be easy to set up the switch in the main network to be on a different VLAN, then set that VLAN to a different subnet and all that, and route it straight to the internet with no cross-talk. Proxying would just make it too complicated for normal folks :D


If staff and people are gonna be using it and it's separate, then you can just ignore the whole proxy thing and set it on a different subnet and DHCP range so people can connect easily. It should be easy to set up the switch in the main network to be on a different VLAN, then set that VLAN to a different subnet and all that, and route it straight to the internet with no cross-talk. Proxying would just make it too complicated for normal folks :D

We want to proxy it, though, so we can keep track of what connected users can access. What I would like is for them to connect as usual and not know they are going through a proxy until it needs to block something.


Well, if it's public and WPA-secured, then people will need to get that info from you somehow. You can throw up a splash page with a code of conduct they have to agree to, but you shouldn't need to block anything on a semi-public network, I guess. For all you know your client one day could be admin@youporn.com, but access to his email server would be blocked because of its porn nature :D

It's your network, of course, so you decide.

As for your original post, though, I am sure you are probably using managed switches, so you can just connect those APs to certain ports on the managed switch, which then routes all traffic to the proxy server.


What you want is a transparent proxy, or, as already mentioned, a splash page of sorts if you want one, even if you don't have them agree to any terms. Saying "hey, this is our network you're using, we reserve the right to block sites we deem inappropriate" is something you could do with a captive portal.

Normally with a transparent proxy there is no splash page or notification, except maybe when something is blocked. All web traffic (80, 443) from the specific network or IPs is just routed through the proxy.

With a transparent proxy, clearly you would have a proxy somewhere. With a captive portal that's not really a requirement; sure, the captive portal feature could hand the traffic off to a proxy, or it may just be used as a way to auth users, notify users, etc. It all depends on how you want to set it up.

As to what hardware: it comes down to budget, to be honest. I would go Cisco, and since it seems you're going to have a decent-sized area to cover you might want to go with a WLAN controller; the number of access points would depend on the number of users and the area to be covered. Mind you, Cisco is not cheap. Depending on your budget, what you want can be done on a shoestring as well; it comes down to the stability/features/reliability you're wanting to pay for.

What kind of existing wired hardware do you have? Do you have the ability to VLAN/segment traffic currently? If not, wanting to isolate wireless traffic may require an upgrade to your existing infrastructure, or running new wires to connect your APs, etc.

I would have to guess that with two 4-floor buildings, depending on their layout, you are probably going to need at the very minimum 2 APs for each building; it could go as high as 100s, to be honest. Without knowing the size of the buildings, the material of the walls, the type of equipment that might be used in the buildings, the number of users, etc., it's really impossible to say.

If you're wanting to do this the correct way, I would either buy the tools needed or contract with a company to do a wireless survey to best figure out the appropriate number and types of APs and equipment you will need to provide wireless. In some locations omnidirectional antennas might be best on your AP, in others directional, for say outside walls, etc. They would also be best suited to knowing what other hardware would fit your needs.

Like I mentioned, your existing wired network may need upgrades to allow for wireless traffic, be it isolated or not. Now maybe I am overthinking this, but with the mention of 2 buildings and a fiber connection, etc., it does not seem like throwing a few APs on the network is going to be the best idea ;) If you currently do not have the expertise in your org for the design and deployment of a wireless infrastructure, I would really suggest you contract the project out.

Or get someone in your org the appropriate training to be able to handle such a project.

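The post above says a transparent proxy just has ports 80 and 443 routed to it. The following is an added example (not from this thread or any poster) in Python showing what such a proxy actually has to work with once iptables has redirected a guest VLAN's web traffic to it: on port 80 the destination hostname comes from the HTTP Host header, on port 443 only from the TLS ClientHello's SNI extension (unless the proxy also terminates TLS), and a flow with no visible hostname is blocked rather than passed. The blocked zones, the 192.168.20.x guest client and all traffic bytes are constructed samples; recovering the original destination address from the redirected socket is not shown.

```python
# Added example, not from the thread: hostname extraction and allow/block
# decision for flows that iptables has REDIRECTed from a guest VLAN to a proxy.
import struct

# Hypothetical guest policy: block these zones and all of their subdomains.
BLOCKED_ZONES = ("blocked.example", "ads.example")


def http_host(first_bytes: bytes):
    """Return the lower-cased Host header of a plaintext HTTP request, or None."""
    head, sep, _ = first_bytes.partition(b"\r\n\r\n")
    if not sep:
        return None                                  # headers not complete yet
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:               # "METHOD SP target SP HTTP/x.y"
        return None
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            name, colon, port = host.rpartition(":")
            return name if colon and port.isdigit() else host   # drop ":8080"
    return None


def tls_sni(first_bytes: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent/truncated."""
    d = first_bytes
    if len(d) < 9 or d[0] != 0x16 or d[5] != 0x01:   # handshake record holding a ClientHello
        return None
    rec_len = struct.unpack(">H", d[3:5])[0]
    hs_len = int.from_bytes(d[6:9], "big")
    body = d[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(body) < hs_len:
        return None                                  # truncated capture
    try:
        pos = 2 + 32                                 # skip version + random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            return None
        while pos + 4 <= end:                        # walk the extensions
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata, pos = body[pos:pos + elen], pos + elen
            if etype != 0x0000:                      # 0 = server_name
                continue
            q = 2                                    # skip server_name_list length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack(">H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0 and q + nlen <= len(edata):   # host_name entry
                    return edata[q:q + nlen].decode("ascii", "replace").lower()
                q += nlen
    except (IndexError, struct.error):
        return None                                  # lengths point outside the data
    return None


def classify_flow(client_ip: str, dport: int, first_bytes: bytes) -> dict:
    """Decide allow/block for one redirected flow and record what the proxy saw."""
    if dport == 80:
        host, seen_via = http_host(first_bytes), "http-host"
    elif dport == 443:
        host, seen_via = tls_sni(first_bytes), "tls-sni"
    else:
        return {"client": client_ip, "host": None, "verdict": "pass",
                "reason": "port %d is not redirected to the proxy" % dport}
    if host is None:
        # No Host header / no SNI: the proxy cannot name the destination, so a
        # guest network fails closed here instead of letting the flow through.
        return {"client": client_ip, "host": None, "verdict": "block",
                "reason": "no hostname visible via %s" % seen_via}
    blocked = any(host == z or host.endswith("." + z) for z in BLOCKED_ZONES)
    return {"client": client_ip, "host": host,
            "verdict": "block" if blocked else "allow", "reason": seen_via}


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 framing) carrying one SNI entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni = struct.pack(">H", len(entry)) + entry
    exts = (struct.pack(">HH", 0x0010, 2) + b"\x00\x00"     # an unrelated extension first
            + struct.pack(">HH", 0x0000, len(sni)) + sni)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, random, no session id
            + struct.pack(">H", 2) + b"\x13\x01"            # one cipher suite
            + b"\x01\x00"                                   # null compression only
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    guest = "192.168.20.10"                                  # constructed guest client
    for port, data in [
        (80, b"GET / HTTP/1.1\r\nHost: www.example.org:8080\r\n\r\n"),
        (443, build_client_hello("www.blocked.example")),
        (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),   # truncated ClientHello
        (22, b"SSH-2.0-OpenSSH\r\n"),
    ]:
        print(classify_flow(guest, port, data))
```

Only port 80 gives the proxy the full URL; on 443 it sees the hostname in the clear and nothing else, so category filtering of HTTPS without TLS interception is hostname-granular at best, and a client that omits SNI is indistinguishable from one hiding its destination.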

Thanks for that, BudMan. We have an HP ProCurve J4900B Switch 2626 and an HP J4819A ProCurve Switch 5308xl.

We don't expect to have a lot of concurrent users, and they will really only be using the connection for web browsing and email, probably from smartphones / tablets.

Would the easiest way be to add a route to the iptables of the ProCurve and get it to send all traffic coming from an access point to the internal proxy server first, and connect the APs to the current wired network?


Many wireless routers have two different wireless SSIDs these days, on either of which you can turn on wireless isolation, which prevents it from communicating with anything wired on the same subnet. On many you can even use different DHCP tables and gateways per SSID, allowing you to specify one gateway for your corporate network and a different gateway for your public network, both with different SSIDs and passwords, giving you full security. Just remember to disable WPS on whatever wireless you get; none of the companies that produce wireless routers have fixed that attack loophole yet.


If we were to purchase this bundle and have one WNDAP350 in each building, with the WMS5316 managing them, would there be a way of sending all that traffic through the internal proxy server before it goes out onto the internet?
