How secure is Ruckus Guest Access with the AP's on our normal IP scope?

Hi,

We're pretty new to a managed wireless solution but are moving forward nicely.

We use Ruckus for managed wireless and Smoothwall for proxy/web filtering. Smoothwall is also the default Gateway.

We have 10 Ruckus points, all with fixed IP addresses from our usual scope. We have created a Guest WLAN which uses full isolation so clients are unable to communicate with each other or access any of the restricted subnets. We have set a restricted subnet so that they can only talk to the proxy.

We use transparent proxy on port 80 with SSL login. If a guest brings a device in, they can connect to the Guest WLAN and providing they have no browser settings defined, it will automatically take them to the Ruckus AUP page. They agree and are then challenged for a Smoothwall SSL login. We have locked down some AD accounts and issued these to regular guests, such as Adult Education, Connections, etc. It all works great.

If students brought in their own devices, they are able to connect and use the Internet which is fine but without having some type of VLAN or having the Ruckus on a different scope, how secure is it?

If someone was a hacker, could they potential reach areas of the network we wouldn't them to as these AP's are on our normal scope range?

The reason we have it all on our normal IP scope is because we also have a corporate WLAN for staff to use. If we made the Ruckus AP's on a different range, i.e. 192.168.1.1, etc...how would the staff be able to access their Resources, etc?

Would we better of setting up the Guest WLAN on a VLAN and the corporate WLAN on another VLAN? If so, what is the process involved here?

Any help would be much appreciated.

Gary

Sorry to HiJack the thread, but I'm going to be getting Ruckus in our new school, and was wondering similar things re the Guest WLAN.

As far as my limited understanding of the situation as far as the VLANing goes. Would it be as simple as putting the port the Smoothwall(or ANother default gateway) on both the default VLAN and a second VLAN and then add the Wireless Controller to both and set the Guest WLAN to use VLAN2. Possibley requiring a DHCP service etc running somewhere on the second VLAN to keep everything nice and seperate. Could use the same scope on both DHCPs but limiting the range so as not to confuse the Gateway eg 192.168.1.1-10 for GuestDHCP and 192.168.1.11-254 for Corporate Network.

Gary, I'd stick the Ruckus kit in a VLAN used for server/management then throw each WLAN into its own VLAN, relevant to network access.

The security is tight with VLANs, the only risk being any known issues with your switches, rare. And your configuration.

You can disable the spare ports on the back of the APs or make them access ports to particular VLANs to stop unwanted access.