Note: The target audience of this article is other computer networking professionals. If there are terms and concepts you don’t understand either Google them or press the “I believe” button and move on. 🙂
One of the first projects I had when I was hired at San Joaquin General Hospital was to implement a wireless network for hospital visitors and patients. There was an existing guest wireless network on the old wireless controller but since we were installing a new wireless controller it was the perfect opportunity to come up with a new solution. The main objectives of the new installation were:
- Allow guests to access the Internet
- Prevent guests from accessing internal networks and resources
- Easy to manage
The existing guest wireless used a VLAN and IP subnet that were part of our internal address space. To keep guest users away from internal resources there was a combination of Access Control Lists on our internal routing infrastructure and on the wireless controllers. The average person wouldn't be able to cause any harm with this configuration, but a good hacker could probably hop to a different VLAN and begin wreaking havoc on our internal resources. That made the existing configuration both difficult to manage (multiple ACLs on multiple devices) and insecure.
I elected to leverage our new Palo Alto Networks firewall to replace the multiple ACLs on the different devices. I removed the Layer 3 interface for the guest VLAN from the core router and moved that address to the PAN firewall. At that point there were no Layer 3 addresses on the VLAN anywhere in our switching infrastructure; the only gateway for the VLAN was the PAN firewall. I then set up a DHCP server on the firewall and used an RFC 1918 address range (192.168.x.x) that is not routed anywhere on our internal networks, so nothing internal knows how to reach guest clients and guest clients have no route to anything internal except through the firewall. I also configured the DHCP scope to hand out Google's public DNS servers, so guest clients never touch our internal DNS.
Next was setting up the security policy on the firewall: allow DHCP between the firewall and the wireless clients, allow the guest zone out to the Internet, and deny everything else. Because the guest subnet is not routed on the internal network and the firewall denies traffic between zones by default, there was no need to set up ACLs on the switches or routers. (The guest VLAN still rides the same switches as everything else, so the usual switch-side hygiene, such as no trunk negotiation on access ports and not using the guest VLAN as a native VLAN, is what stops VLAN hopping; the firewall only sees what arrives on its guest interface.) Once the security policies were in place I tested DHCP and the security rules by plugging my laptop into a network port that was on the Guest Wireless VLAN. My laptop received a 192.168.x.x IP address from the firewall and I was able to get to Google and Yahoo. I checked a few other websites to make sure Internet access was working as expected, and confirmed that internal addresses were unreachable.
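The policy described above boils down to three decisions: DHCP to the firewall, guest to Internet, and nothing else. The following is an added example, not the hospital's actual firewall configuration, that models that zone-based rulebase so you can check the flows you intend to test before touching the firewall. The address plan (10.0.0.0/8 and 172.16.0.0/12 as internal, 192.168.50.0/24 as the guest pool, 192.168.50.1 as the firewall's guest interface) is a constructed assumption. One deliberate difference from a stock PAN-OS rulebase: this model denies unmatched traffic inside the guest zone too, whereas PAN-OS ships with an intrazone-default rule that allows it, so on the real box you would override that default (or rely on client isolation on the wireless side) if you want guest-to-guest blocked.

```python
"""Zone-based guest policy model (constructed example, not real firewall config)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed address plan; substitute your own.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]
GUEST_POOL = ipaddress.ip_network("192.168.50.0/24")      # DHCP scope on the firewall
GUEST_GATEWAY = ipaddress.ip_address("192.168.50.1")     # firewall's guest-VLAN interface
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Flow:
    in_zone: str   # zone of the ingress interface (what the firewall actually keys on)
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    proto: Optional[str]   # None means any protocol
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"


def zone_of(addr: str, in_zone: str) -> str:
    """Map a destination address to a zone the way routing on the firewall would."""
    ip = ipaddress.ip_address(addr)
    if ip == LIMITED_BROADCAST:
        return in_zone        # a DHCP discover never leaves the ingress L2 segment
    if any(ip in p for p in INTERNAL_PREFIXES):
        return "Internal"
    if ip in GUEST_POOL:
        return "Guest"        # includes the firewall's own guest interface
    return "Internet"


# Ordered rulebase: first match wins, anything unmatched is denied.
GUEST_RULEBASE = [
    Rule("guest-dhcp", "Guest", "Guest", "udp", 67, "allow"),
    Rule("guest-to-internet", "Guest", "Internet", None, None, "allow"),
    # Explicit deny so the hits show up in the traffic log (a silent default deny would not).
    Rule("guest-to-internal-deny", "Guest", "Internal", None, None, "deny"),
]


def evaluate(flow: Flow, rulebase=GUEST_RULEBASE) -> Tuple[str, str]:
    """Return (action, matching rule name) for a flow, defaulting to deny."""
    dst_zone = zone_of(flow.dst, flow.in_zone)
    for r in rulebase:
        if r.from_zone != flow.in_zone or r.to_zone != dst_zone:
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action, r.name
    return "deny", "default-deny"


def pool_is_isolated(pool_cidr: str = "192.168.50.0/24") -> bool:
    """True if the guest DHCP pool does not overlap any internal prefix."""
    pool = ipaddress.ip_network(pool_cidr)
    return not any(pool.overlaps(p) for p in INTERNAL_PREFIXES)


if __name__ == "__main__":
    # The flows from the laptop test in the article, plus two that must fail.
    tests = [
        Flow("Guest", "0.0.0.0", "255.255.255.255", "udp", 67),   # DHCP discover
        Flow("Guest", "192.168.50.23", "8.8.8.8", "udp", 53),       # Google DNS
        Flow("Guest", "192.168.50.23", "203.0.113.10", "tcp", 443), # a public web server
        Flow("Guest", "192.168.50.23", "10.20.30.40", "tcp", 445),  # internal file server
        Flow("Guest", "192.168.50.23", "192.168.50.1", "tcp", 22),  # SSH to the firewall
    ]
    for f in tests:
        action, rule = evaluate(f)
        print(f"{f.src:>15} -> {f.dst:<15} {f.proto}/{f.dport:<5} {action:<5} ({rule})")
    print("guest pool isolated from internal prefixes:", pool_is_isolated())
```

The `guest-to-internal-deny` rule is redundant with the default deny but worth having: an explicit deny with logging is how you later spot a guest device probing internal space, which a default deny that does not log will hide.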
The last step was setting up Guest Wireless on our wireless controller. We set it up so that when guests join the Guest Wireless network, they are redirected to a web portal page that displays legal disclaimers and terms of service, which the guest has to accept by clicking an OK button. This is available out of the box with our Extreme Networks wireless controller. I did change the header image and web page colors to match our hospital branding; there are controls for this on the web portal's configuration pages. Once everything looked the way I wanted it I saved the Guest portal page configuration. A nice feature of the Extreme Networks wireless controller is that while clients are sitting on the portal page they are tunneled directly to the wireless controller and don't even have an IP address yet. Until they click "I accept" on the terms and conditions they are going nowhere.
After enabling Guest Wireless on my local access point I tested it. I connected to Guest Wireless and was redirected to the portal page. I clicked "I Accept" on the terms and conditions and was then redirected to the Internet. I then tried to access internal resources but was not able to get to anything but the Internet. Success. I then enabled the Guest Wireless network on all the other APs at the hospital and watched to see if guests started connecting. It was almost immediate. I checked the firewall logs and could see them accessing the Internet with no problems.
An added bonus of putting a non-routed Layer 3 address on an internal VLAN is that you can connect wired machines to it just as easily. If vendors show up and need wired access to the Internet I put whatever network port they are on into the Guest Wireless VLAN. This gives them Internet access and they can connect to whatever they need (their workplace VPN, email, etc.) from there. They do not get the Guest Portal page, since they are not connecting through the wireless controller at all, so the same firewall policy is the only thing standing between them and the internal network; remember to move the port back to its original VLAN when they leave.
So that's how I set up Guest Wireless at my workplace. Granted, it's not a step-by-step how-to on guest wireless services, but it can serve as a framework on which to base your own implementation. Relatively easy, simple, and pretty secure.