Guest Wireless Security Rant

Started by deanwebb, April 13, 2015, 12:51:53 PM


deanwebb

We don't want our guest network to be totally wide open, so we will implement some security. Guests will have to authenticate to get on.

So, I get to find the solution...

Having the authenticator on the internal network created a problem because we can't use our internal DNS domain on the Internet.

So, I build an authenticating box in the DMZ and set it to be managed by an internal system... which proceeds to place it automatically into the internal DNS domain.

I could make it a standalone box, which solves that problem... but the IP address that I was told to put on it by one group is unacceptable to the group in charge of the external DNS. I need to change that IP. Which is fine, except for the fact that the license I just put on it IS BOUND TO THE IP ADDRESS.

:wall:

This won't just be starting over. This will be starting over in deep and profound ways.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

Doesn't your solution do DNS intercept? That way you could hand out public DNS servers but still redirect the first requests to your auth page


deanwebb

It does do a DNS intercept, the trick is getting it to *be* in the right place for our network.

For security, we don't allow external DNS to resolve internal hosts and vice-versa. That makes this solution a non-slam-dunk.

deanwebb

Troubleshooting procedure:

1. Google
2. Click all over the GUI
3. Type in a lot of ? in the CLI
4. Have my manager yell at the vendor
:developers:
5. Vendor uses Google
6. Vendor shows me the goofy spot in the GUI where DNS and domain settings are managed... Under "Mail"...  :angry:


Now it works like a top.

Nerm


deanwebb


dlots

Can you make it a standalone box, NAT it to the IP address they want it to use, and use the IP address it has for the actual IP address?

deanwebb

How's this... it was an interim situation, anyway, and the hardware that's SUPPOSED to go into the DMZ just arrived. Thankfully, I know who to ask about getting the right IP address...

wintermute000

(puts on router guy hat)

run a separate DNS in your external zone - possibly even from a humble router as a dns forward proxy, then create host entries for your internal / RFC1918 destinations

e.g. use 1.1.1.1 for your authenticator, and have a router in your external zone do DNS for guest, this router has a static entry for 'authenticator.deanwebbs.com' = 1.1.1.1, WLC dishes out authenticator.deanwebb.com as the landing page


bonus points, use the same R&S infrastructure except with guest VRF


my VAR deploys this design quite often
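The design wintermute000 describes, written out as an added example that is not from the original thread or any of its posters: a Cisco IOS router in the guest/external zone acts as the guest DNS forwarder, holds a static host entry for the captive-portal landing page, and carries guest traffic in its own VRF on the shared routing and switching gear. The VRF name, hostname and addresses (RFC 5737 documentation ranges) are constructed placeholders; the WLC is assumed to redirect unauthenticated guests to authenticator.example.com, and the authenticator is assumed to sit in the DMZ at 203.0.113.10.

```cisco
! Guest VRF: guests share the same routers and switches as the rest of the
! network but never see the internal routing table (constructed names)
vrf definition GUEST
 address-family ipv4
 exit-address-family
!
! Guest resolution goes only to public resolvers; the internal DNS domain is
! never referenced here, so internal hosts stay unresolvable from the guest
! zone, which is the policy constraint raised earlier in the thread
ip domain lookup vrf GUEST
ip name-server vrf GUEST 198.51.100.53 198.51.100.54
!
! Static answer for the landing page the WLC redirects guests to; this is
! served from the router's own host table, so the name never has to exist
! in either the internal or the public zone
ip host vrf GUEST authenticator.example.com 203.0.113.10
!
! Make the router a caching DNS forwarder for the guest network
ip dns server
!
! Guest-facing interface: guests point their resolver at 192.0.2.1, and the
! inbound ACL keeps them off RFC1918 space while still allowing DNS to the
! router, traffic to the authenticator and everything else out to the Internet
ip access-list extended GUEST-IN
 permit udp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq domain
 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq domain
 permit ip  192.0.2.0 0.0.0.255 host 203.0.113.10
 deny   ip  any 10.0.0.0 0.255.255.255
 deny   ip  any 172.16.0.0 0.15.255.255
 deny   ip  any 192.168.0.0 0.0.255.255
 permit ip  any any
!
interface GigabitEthernet0/1
 description Guest SSID uplink from WLC (constructed)
 vrf forwarding GUEST
 ip address 192.0.2.1 255.255.255.0
 ip access-group GUEST-IN in
```

With this in place a guest client that asks 192.0.2.1 for authenticator.example.com gets 203.0.113.10 straight from the host table, while any other name is forwarded to the public resolvers listed for the GUEST VRF; a query for an internal hostname simply fails, because nothing in the guest zone knows the internal domain. The ACL is where the "vice-versa" half of the internal/external split is enforced at layer 3 rather than only at the DNS layer.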

deanwebb

To save time and $$$, we're going to re-do policy to permit this one feature. Nothing like having accounting be the ultimate network architect team.

icecream-guy

Quote from: deanwebb on April 28, 2015, 10:50:44 AM
To save time and $$$, we're going to re-do policy to permit this one feature. Nothing like having accounting be the ultimate network architect team.


...and here I thought it was the lawyers that yielded the ultimate network architecture powers...
:professorcat:

My Moral Fibers have been cut.

deanwebb

Them too. But respect the power of accounting! They took a hardware-only solution and turned it into a nearly VM-only solution, among other things.

icecream-guy

Quote from: deanwebb on April 28, 2015, 01:30:11 PM
Them too. But respect the power of accounting! They took a hardware-only solution and turned it into a nearly VM-only solution, among other things.

so they didn't have to buy hardware???  LOL.  virtualized it all.... what a cost savings...
:professorcat:


deanwebb

HUGE cost savings. Time savings, too, since software has an expedited approval process relative to hardware.

wintermute000

Just make sure your VM guys spec their environment appropriately including storage performance/redundancy.