# Wireless Devices and Active Directory.



## Ken76 (Mar 2, 2015)

I have two wifi networks (production and guest). The guest wifi is meant to give every (non-domain-member) wireless device access, but the production wifi is intended for domain members only. With the guest wifi you can only use the Internet, nothing more. How do I get these things done? Can someone give suggestions on where on the Internet I can find manuals and such regarding this issue?


----------



## Triple6 (Dec 26, 2002)

So do you have these networks running already, or do you want to implement this?

What router/firewall or wireless access points do you currently have? How big of an area do you need to cover?

This can easily be done by using a wireless system that supports guest access or VLANs.


----------



## Ken76 (Mar 2, 2015)

I have these wifi networks running and I want to implement them (production wifi) with Active Directory.
My wireless device is an Asus DSL-N55U. Is it possible with this device? I don't need to cover a big area.


----------



## Triple6 (Dec 26, 2002)

Computers that connect to the one main production wireless network can have full access just as if they were wired in. Then you create a guest wireless network for the Internet-only computers. Your router is a home-based unit, but the upside is that it supports a guest network. Log into the router and enable the Guest network feature.


----------



## Ken76 (Mar 2, 2015)

What I want to do, or try to do, is that when I join a wireless computer (at the time wired) to Active Directory it would automatically connect to the wireless network without typing any password key. Is it possible?


----------



## Triple6 (Dec 26, 2002)

Is this what you are referring to: http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Wireless/wireless-ADauth.html


----------



## zx10guy (Mar 30, 2008)

Yes. What you're asking is possible and done all the time in enterprise wireless deployments. What you need to do is set up 802.1x authentication on the wireless network for full internal access. There are a few parts you need to get this working. You have the first one, which is AD. The other parts you'll need are a RADIUS server and, for best management, a certificate authority. The RADIUS server is a feature of Windows Server installed as NPS, or Network Policy Server. The certificate authority is used to generate certificates that authenticate the wireless client as being trusted to even talk on the network. NPS is configured to use this cert to validate the wireless client. If for whatever reason you need to revoke access for that particular wireless client (i.e. the device was stolen), you would just revoke the certificate associated with that wireless client, and this will prevent this wireless client from being able to talk on the network. The other method is to use IP addresses manually entered into NPS. But the management overhead is too high and you'll have to use static IPs, which is not ideal.

Once you have all the above components set up, you then configure the wireless network to use WPA2 Enterprise. You point the wireless network to your AD and NPS/RADIUS server. When a wireless client looks to connect to the SSID you're using for internal access, the wireless network will first validate whether the client can even talk on the network via a RADIUS check. Once that is verified, the next step is to challenge the user on that wireless client for a username and password. This will then be checked against AD. If that comes back clean, then the wireless network generates an encryption key based on the certificate and the user's login credentials. This encryption key is used for the wireless encryption.

You can see why, in an enterprise environment, this 802.1x method is so desirable. It eliminates the clunkiness and issues around using a single preshared key for all of a business's users. And it's much more secure than using a single preshared key. Some businesses take this concept one step further by implementing a NAC (network access control) solution. What a NAC provides a business is greater granularity in controlling what a particular user and wireless client can access on a given network. Take for example: I want to connect to my business's internal wireless network, but I want to use my Android phone. Due to the security policy of my company, it restricts access to only connecting to the internal company personnel web portal, and only at a given company location, say Dallas. But if I use my company-hardened laptop, I get full access to everything on the company network no matter which branch office I'm in. All of this can be done using a NAC solution.

With regards to a guest wireless network, this can also be implemented alongside the above setup. Many business-class wireless devices will support multiple SSIDs or VAPs (virtual APs). As mentioned by Triple6, each individual SSID can be assigned its own VLAN to access the network. So the guest SSID would get one VLAN ID and the internal SSID would get another VLAN ID. The problem becomes if the company has a bunch of different SSIDs it's using to segregate zones of access; for example, users accessing one SSID may be from accounting, and the payroll system is only able to be accessed on this SSID. A business can easily have what's called SSID/VLAN sprawl, which can create a management headache. This again is where a NAC solution can cut down on using VLANs, which were never really designed as a full-up security feature, to get the granular access control. Some wireless systems have guest access controls built in, in the form of a captive portal. A captive portal is a feature which intercepts the guest client/user's network traffic when first connecting to the guest SSID. The wireless network will then push a web page down to the guest wireless client which has some information you would generate. The displayed web page can be the company's logo with wording stating, "Welcome to Acme Company. Please enjoy our courtesy guest wireless for Internet access. By clicking accept, you agree to be bound by our terms of service." When you layer a NAC solution on top of guest wireless access, again you get a lot of additional security features. One such feature is the ability to authorize guest access without having network administrator intervention. Again the captive portal page is displayed when a guest accesses the guest wireless network. The guest is asked for identifying information such as full name, email address, company being represented, and point of contact at Acme Company. Once this information is entered, the NAC server will then email the point of contact at Acme Company with the guest's entered information. Through the email, the employee has two buttons: one to authorize guest access and the other to deny the request. Doing this allows the network admins to not be tied up managing guest access daily, and it allows the guest SSID to be left unencrypted, i.e. no need for a preshared key, while still having control over who can access the guest network. You see some of this type of guest access setup in hotels with courtesy wireless where you would enter your last name and room number for access.


----------
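The client side of the setup zx10guy describes (WPA2 Enterprise with 802.1x, the wireless client authenticating with a certificate from the enterprise CA, and the key derived per session rather than typed in) can be shown as a Windows wireless profile. The script below is an added example written for this thread; it is not from any poster, not from Microsoft, and not tied to the Asus router mentioned above, which does not support 802.1x. It assumes a domain-joined Windows client that has already autoenrolled a machine certificate, and it uses placeholder values for the SSID (`CorpWifi`), the NPS server name (`nps01.corp.example`) and the root CA thumbprint. It first checks that the machine actually holds a usable certificate, then installs an EAP-TLS profile with `netsh wlan add profile` so the machine connects with no key prompt.

```powershell
# Added example, not from the thread. Installs a WPA2-Enterprise / EAP-TLS wireless
# profile on a domain-joined Windows client. Run from an elevated PowerShell prompt.
# The SSID, NPS server name and root CA thumbprint below are assumptions/placeholders.
param(
    [string]$Ssid          = 'CorpWifi',                                   # assumed SSID
    [string]$NpsServerName = 'nps01.corp.example',                         # assumed NPS certificate subject/SAN
    [string]$RootCaThumb   = '0123456789ABCDEF0123456789ABCDEF01234567'    # placeholder: SHA-1 thumbprint of your enterprise root CA
)

# 1. Verify the machine has a certificate it can present for EAP-TLS:
#    private key present, not expired, Client Authentication EKU (1.3.6.1.5.5.7.3.2).
#    Without this the client cannot pass the RADIUS/NPS check and the profile is useless.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    } | Select-Object -First 1
if (-not $machineCert) {
    throw "No machine certificate with the Client Authentication EKU found; autoenroll from the CA first."
}
Write-Host "Using machine certificate $($machineCert.Subject) (expires $($machineCert.NotAfter))"

# 2. The profile pins the root CA the NPS server certificate must chain to.
#    The WLAN profile schema expects the thumbprint as space-separated lowercase hex bytes.
$rootCaHex = ($RootCaThumb -replace '(..)', '$1 ').Trim().ToLower()

# 3. WLAN profile: WPA2/AES with 802.1x (useOneX), EAP type 13 = EAP-TLS, machine-or-user
#    authentication so the box is on the network before anyone logs on. Server validation is
#    mandatory and the "trust this server?" prompt is disabled, which is what makes the
#    connection silent and also stops a rogue RADIUS server from being accepted by a click.
$xml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$Ssid</name>
  <SSIDConfig><SSID><name>$Ssid</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore>
                  </CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                    <ServerNames>$NpsServerName</ServerNames>
                    <TrustedRootCA>$rootCaHex</TrustedRootCA>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"@

# 4. Install the profile for all users on the machine, then confirm it is present.
$profilePath = Join-Path $env:TEMP "$Ssid-eaptls.xml"
$xml | Set-Content -Path $profilePath -Encoding UTF8
netsh wlan add profile filename="$profilePath" user=all
Remove-Item $profilePath
netsh wlan show profiles name="$Ssid"
```

For more than a handful of machines the same profile is pushed by Group Policy (Computer Configuration, Policies, Windows Settings, Security Settings, Wireless Network (IEEE 802.11) Policies) rather than by script; the XML is the same either way. On the NPS side the matching network policy allows only EAP-TLS (Microsoft: Smart Card or other certificate) and constrains the request to the Domain Computers group, and because NPS checks the CA's revocation list when it validates the client certificate, revoking a stolen device's certificate cuts it off exactly as zx10guy describes.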

