Wifi on the domain network

If we add wifi to the domain network what would be the recommended configuration? The reason for adding it to the domain network is so that we can use training laptops and work laptops in the meeting rooms without cables. So they will need full access to the internal servers from the wifi network otherwise there is no point.
 
It's a little hard to suggest something without knowing a bit more information about the environment.

e.g. security requirements (are there PCIDSS implications?), size of the area to cover etc...

It could be as simple as buying a decent wireless access point or you could need a WLAN controller, separate VLAN etc.
 
It is a law firm with 100 users. There are no payment systems on site, but the accounts department and systems do sit within that domain.

Traditionally I am against adding wifi to the domain network because I know how insecure wifi can be and see it as hanging a network cable out the window. But it would make life a lot easier for training and meeting rooms.

If I wanted to put the wifi on to a VLAN but still allow it to access the servers, how would that be any more useful than putting it on the main VLAN?
 
Using its own VLAN means you can set access control lists and restrict access to all but the servers the wifi vlan needs access to.

There are many methods for making wifi secure, so just make sure you follow the basic guidelines for that. Creating its own VLAN is another aspect to improve security.
 
RADIUS server and use AD to authenticate?

This is what we use at work. It's a Dell branded Aruba Networks solution. One controller and I think there are six access points around the building.
Roaming between points works very well too.
 
Just pointing it at AD means you are putting the security of your network in the hands of your users. How many of them do you think have crap passwords? I exploit this setup fairly regularly (I'm a pen tester, all legal).
Wireless + AD auth + specific group for wireless users + certificates is probably the best all round solution. Short of not using it at all ;)

CESG standards dictate access via a vpn gateway such as Citrix once connected to wireless. This could be combined with two factor authentication too. That's the route I would take.
 
If I wanted to put the wifi on to a VLAN but still allow it to access the servers, how would that be any more useful than putting it on the main VLAN?

A different IP pool and the option to use a shorter lease time. Also the option to use firewalls to enforce the requirement for wireless clients to only get corporate data over VDI for example.

RADIUS is the way to go with this, authenticating against AD. Either use people's credentials or use certificates, or both. Depends how you want to deal with the tradeoff between convenience and security.

Aerohive for the APs would be my choice over Meraki. It's a better product and doesn't depend on the cloud controller being accessible to work.
 
If you have wifi with RADIUS and AD auth, how would a user log in to a laptop if they have not authenticated on to the wireless yet, since they cannot log in as they don't have domain access? If we take the laptops off the domain then that defeats the point of connecting them to the domain network.

How do you get around this problem? I know in GPO you can set an option that allows cached creds to work if the AD connection is down, but it seems a bad idea to rely on that, as new users may want to log in to a shared laptop with their roaming profile.

I should add we already have a wifi network but that is on its own isolated network.
 
I am not with you. If we have a laptop that is on the domain and working OK, then say we shut it down and start it up again and want to connect it to the wifi, but we can't log in to the laptop/domain because it's not on the network until we can connect to the wifi, which we can't do because the laptop can't log in to the domain without it being on the domain network.
 
How so? It will have to authenticate the user details to the domain, which it can't reach because it's not on the wifi yet as we haven't logged in. Unless you are saying use a local user account to connect to the laptop, then what's the point of it being on the domain network?
 
Each AD computer object is an account with a corresponding password, but the passwords are managed by AD for you, and rotated automatically. You can use these accounts on a WPA2 Enterprise network for pre-logon connectivity. When the user logs in then you can bring the network back up with their credentials if you want to.

Just add the computer group as well as the user group in your RADIUS server and push the settings out over GPO.
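To make the pre-logon answer above and the earlier VLAN/ACL point concrete, here is an added example (not from any poster, not a real NPS policy) modelling an 802.1X authorisation decision: computer accounts get a restricted pre-logon VLAN, users need both the wireless group and a certificate, password-only requests are refused, and a per-VLAN allow-list stands in for the switch ACL. Group names, VLAN ids and server addresses are all assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the group names, VLAN ids and server addresses are assumptions.
WIRELESS_USERS = "Wireless Users"
WIRELESS_COMPUTERS = "Wireless Computers"
PRELOGON_VLAN = 30   # machine-authenticated session: only what logon and GPO need
STAFF_VLAN = 20      # user + certificate session: the servers staff actually use

# Per-VLAN allow-list standing in for the ACL on the wifi VLAN: (destination, port).
WIFI_ACL = {
    PRELOGON_VLAN: [("10.0.1.0/24", 88), ("10.0.1.0/24", 389), ("10.0.1.0/24", 445)],
    STAFF_VLAN: [("10.0.1.0/24", 88), ("10.0.1.0/24", 389), ("10.0.1.0/24", 445),
                 ("10.0.2.10/32", 445), ("10.0.2.20/32", 443)],
}


@dataclass
class AccessRequest:
    identity: str        # "host/laptop01.corp.local" for machine auth, "alice@corp.local" for a user
    groups: frozenset    # AD group memberships the RADIUS server resolved for the identity
    eap_method: str      # "EAP-TLS" (certificate) or "PEAP-MSCHAPv2" (password)
    cert_valid: bool = False


def authorize(req):
    """Return (result, RADIUS attributes) for one 802.1X access request."""
    cert_auth = req.eap_method == "EAP-TLS" and req.cert_valid
    if req.identity.startswith("host/"):
        # Computer account: pre-logon connectivity, but only into the restricted VLAN.
        ok, vlan = WIRELESS_COMPUTERS in req.groups and cert_auth, PRELOGON_VLAN
    else:
        # User: must be in the wireless group AND present a certificate; passwords alone fail.
        ok, vlan = WIRELESS_USERS in req.groups and cert_auth, STAFF_VLAN
    if not ok:
        return "Access-Reject", {}
    # RFC 3580 tunnel attributes tell the controller which VLAN to place the client in.
    return "Access-Accept", {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                             "Tunnel-Private-Group-ID": str(vlan)}


def acl_permits(vlan, dst_ip, dst_port):
    """True if the wifi VLAN's allow-list lets traffic reach dst_ip:dst_port."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(net) and port == dst_port
               for net, port in WIFI_ACL.get(vlan, []))


if __name__ == "__main__":
    laptop = AccessRequest("host/laptop01.corp.local", frozenset({WIRELESS_COMPUTERS}), "EAP-TLS", True)
    print(authorize(laptop), acl_permits(PRELOGON_VLAN, "10.0.2.10", 445))
```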
 
We have a Cisco WLC and have three different SSIDs. One private, whereby it authenticates using a certificate and RADIUS user authentication which is applied by group policy. The other two are staff mobile devices with MAC and a 32 character WPA2 key, and a public one where our reception staff create the public users.
 
Cisco WLCs with your SSID running WPA2 AES and either RADIUS for 802.1x or ISE. Buy Prime and MSE and stick some WIPS MM APs out there (location defined by your site survey) for threat detection and neutralisation. Set the WLAN up via GPO on the client machines and you'll never get a call about getting on the network again.

The user who doesn't like your policies and plugs a home-grade wireless router into your LAN is a bigger threat than someone breaking WPA2. That's taken care of by the above with rogue detection and containment.

Good design around the RF parameters and getting a usable network is way more important than hyper paranoia about your security because the expectations for a wireless network are now at the point where it needs to work as well as a network cable everywhere, all of the time. If you fall short of that you're just giving yourself pain for no good reason.
 