I was thinking about jobs I hadn't done and remembered I have a new wireless AP (Netgear, I assume) and it was supposed to be installed in the conference room. It never was, so I'm going to look at doing it tomorrow. My question is: I'd like to be able to use it so guests with wireless devices can use our internet. Is there a way to auto-configure the browsers and authenticate them so they can access the internet without having to come down and put in one of our passwords? Much like the systems you get in hotels, just without the extra layer of security.
I recently figured out how to allow anonymous authentication through our firewall from certain IPs; maybe this could be linked in somehow?
Making this work will depend on your infrastructure. If your network is already segmented into subnets, you should be able to simply make a new segment that the new AP is plugged into. You would need to set up the new routing information and DHCP for it too. This way any clients connected to the AP will get an IP from your new subnet.
You can then set this subnet up to not require authentication by your firewall, and assuming the routing is set up correctly it should all work. As the visitors would be in a separate subnet, you could also implement security rules in your core router to prevent anything but web traffic from flowing in and out of it, effectively blocking it off from the rest of the network.
You could set the same kind of thing up if you do not already have a subnetted network by adding a new network card to a server and using that as a router for subnetting. The other way would be using a wireless router instead of an AP to create the separate subnet for your visitors and include static routes in the firewall that point back to it.
OK, well, we have an IP range of 192.168.16-19.
The DHCP scope is the 17-19 range.
I think I need to think about this more logically. I can set a range of IP addresses to be allowed through the firewall, but I'm not quite sure how to just give out these IPs through the AP only, if I'm understanding you correctly?
Sorry, it's been a long day already.
I think that it would probably be easier for you to use a wireless router. That way you could set the router up to use NAT, then the wireless clients would all use the one IP address on your main network that is assigned to the wireless router's WAN port. Then you could just allow that IP through your firewall.
Unless you have experience with subnetting and routing, the other method that I described will be rather complicated. With that method you would need to subnet off a group of addresses to be used for your visitor PCs, set up routing for this subnet and add a DHCP scope just for that subnet. It would be even more complicated if you are only given a certain range of IP addresses from a larger LEA network that you can use, as you will need to reconfigure your existing subnets to make room for a new one. You may not even be able to do this if the school's core routing is managed by the LEA providers.
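
An added example, not part of any post in this thread: a small first-match rule model for the "web traffic only" visitor subnet discussed above. It shows why the deny towards the internal range has to come before the web allow. It assumes 192.168.16-19 means the single block 192.168.16.0/22 and uses a hypothetical guest subnet 192.168.20.0/24 with DNS served from outside the internal range.

```python
import ipaddress

# Assumptions (not from the thread): the 192.168.16-19 range is read as
# 192.168.16.0/22, and 192.168.20.0/24 is a hypothetical guest subnet.
INTERNAL = ipaddress.ip_network("192.168.16.0/22")
GUEST = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

WEB = {("tcp", 80), ("tcp", 443)}
DNS = {("udp", 53), ("tcp", 53)}  # assumes guests use a resolver outside INTERNAL

# First match wins: (action, source net, destination net, ports or None for any).
RULES = [
    ("deny", GUEST, INTERNAL, None),   # guests never reach the internal LAN
    ("allow", GUEST, ANY, WEB | DNS),  # web and DNS out to the internet
    ("deny", GUEST, ANY, None),        # everything else from guests
]

def decide(src, dst, proto, port, rules=RULES):
    """Return the action of the first rule matching the flow, or 'no-match'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if s in src_net and d in dst_net and (ports is None or (proto, port) in ports):
            return action
    return "no-match"

def guest_subnet_is_separate():
    """The guest scope must not overlap the existing internal range."""
    return not GUEST.overlaps(INTERNAL)

if __name__ == "__main__":
    # Constructed sample flows: (source, destination, protocol, port).
    flows = [
        ("192.168.20.15", "93.184.216.34", "tcp", 443),  # guest to internet HTTPS
        ("192.168.20.15", "192.168.17.10", "tcp", 80),   # guest to internal web server
        ("192.168.20.15", "93.184.216.34", "tcp", 25),   # guest to internet SMTP
    ]
    wrong_order = [RULES[1], RULES[0], RULES[2]]  # web allow placed first
    print("guest subnet separate:", guest_subnet_is_separate())
    for f in flows:
        print(f, "correct order:", decide(*f), "| allow-first order:", decide(*f, rules=wrong_order))
```

With the web allow placed first, the guest flow to the internal web server on port 80 is permitted, so a "web only" rule on its own does not isolate visitors from internal web services.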