Wireless (General)

  • 1.  Wired Guest Network

    Posted 07-06-2017 16:53
    How have you implemented guest access on your wired network? I currently have a fully segregated guest network on wireless, but nothing in place on wired. I would like to implement it on wired, but it needs to be able to switch to staff access based on domain credentials (derived from Windows if possible).

    So, ideally:
    • User plugs into network and doesn't have a domain account (or is in a non-staff OU), they get internet only access.
    • User plugs into network and has logged onto their laptop with domain accepted credentials, they get staff access (internet and internal resources).
    It may be better to key on machines that are on the domain first. So, if the user machine is on the domain, they will get staff access. In this case, I would like to keep the wireless authentication as is (since work supplied phones are not on the domain).

  • 2.  RE: Wired Guest Network

    Posted 07-06-2017 19:27
    We do this using Extreme Policy and NAC. If you are an unknown computer, not owned by the school and not in AD, you get redirected to a registration page. You will then get an internet only policy that restricts you to the internet. If you have a campus owned computer, you might be doing .1x or MAC AUTH based on groups, AD groups, end-system groups, location groups etc... The sky is the limit.

  • 3.  RE: Wired Guest Network

    Posted 07-06-2017 19:27
    If possible, could you share your internet only policy? There's one that was pre-built in my Policy but it does not restrict web traffic to internal resources.

  • 4.  RE: Wired Guest Network

    Posted 07-06-2017 19:27
    You can create a network resource that maybe all of your servers are on.

    You can then block all access to that network resource, but use IP socket destination to punch a hole through it, say you have and it's a DNS server. You could create a rule to open up socket 53. Anyway, you will have to make it your own and these things vary greatly!
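
Added example (not posted by anyone in this thread, and not Extreme Policy syntax): a small first-match model of the rule order described in reply 4, allowing DNS to one server, denying the internal ranges, then permitting everything else. The address ranges, the DNS server address and the `LOOSE` comparison policy are constructed assumptions.

```python
import ipaddress

# All addresses below are constructed sample values, not taken from the thread.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_SERVER = "10.10.10.53"
ANY = ipaddress.ip_network("0.0.0.0/0")

def guest_policy(internal, dns_server):
    """Ordered rules (action, dest net, proto, port); None is a wildcard."""
    dns = ipaddress.ip_network(dns_server + "/32")
    rules = [("permit", dns, proto, 53) for proto in ("udp", "tcp")]  # the DNS hole
    rules += [("deny", net, None, None) for net in internal]          # block internal
    rules.append(("permit", ANY, None, None))                         # internet
    return rules

def evaluate(rules, dst, proto, port):
    """First matching rule wins; no match means deny."""
    addr = ipaddress.ip_address(dst)
    for action, net, r_proto, r_port in rules:
        if addr in net and r_proto in (None, proto) and r_port in (None, port):
            return action
    return "deny"

def internal_leaks(rules, internal, probes, allowed):
    """Probes to internal addresses that are permitted but not on the allow-list."""
    return [p for p in probes
            if any(ipaddress.ip_address(p[0]) in net for net in internal)
            and p not in allowed and evaluate(rules, *p) == "permit"]

# Stand-in for a policy that permits web traffic to any destination first.
LOOSE = [("permit", ANY, "tcp", 80), ("permit", ANY, "tcp", 443)] + guest_policy(INTERNAL, DNS_SERVER)
GUEST = guest_policy(INTERNAL, DNS_SERVER)
PROBES = [(DNS_SERVER, "udp", 53), ("10.10.20.5", "tcp", 443),
          ("10.10.20.5", "tcp", 445), ("203.0.113.10", "tcp", 443)]
ALLOWED = [(DNS_SERVER, "udp", 53)]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("guest", GUEST)):
        print(name, "leaks:", internal_leaks(rules, INTERNAL, PROBES, ALLOWED))
```

Rule order is what matters: a web permit placed ahead of the internal deny lets guests reach internal web servers, which is the gap raised in reply 3.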

  • 5.  RE: Wired Guest Network

    Posted 07-06-2017 21:54
    Hello Terren,

    If you are using EXOS, you could try the Netlogin feature.

    • For guest user: you could use Web-based authentication and associate one vlan for guest user only.
    • For staff user: you could use 802.1X authentication.
    Network Login Overview

    Best regards,