Wired Guest Network

  • Question
  • Updated 11 months ago
  • Answered
How have you implemented guest access on your wired network? I currently have a fully segregated guest network on wireless, but nothing in place on wired. I would like to implement it on wired, but it needs to be able to switch to staff access based on domain credentials (derived from Windows if possible).

So, ideally:
  • User plugs into network and doesn't have a domain account (or is in a non-staff OU) they get internet only access.
  • User plugs into network and has logged onto their laptop with domain-accepted credentials they get staff access (internet and internal resources).

It may be better to key on machines that are on the domain first. So, if the user machine is on the domain, they will get staff access. In this case, I would like to keep the wireless authentication as is (since work supplied phones are not on the domain).
Terren Crider

Posted 11 months ago


Jeremy, Embassador

We do this using Extreme Policy and NAC. If you are an unknown computer, not owned by the school and not in AD, you get redirected to a registration page. You will then get an internet only policy that restricts you to the internet. If you have a campus owned computer, you might be doing .1x or MAC AUTH based on groups, AD groups, end-system groups, location groups etc... The sky is the limit.
Terren Crider
If possible, could you share your internet only policy? There's one that was pre-built in my Policy but it does not restrict web traffic to internal resources.

Jeremy, Embassador

You can create a network resource that maybe all of your servers are on, e.g. 10.0.1.0/24.

You can then block all access to that network resource, but use IP socket destination to punch a hole through it. Say you have 10.0.1.4 and it's a DNS server: you could create a rule to open up socket 53. Anyway, you will have to make it your own and these things vary greatly!

Bin, Employee

Hello Terren,

If you are using EXOS, you could try the Netlogin feature.

  • For guest users: you could use web-based authentication and associate one VLAN for guest users only.
  • For staff users: you could use 802.1X authentication.

Network Login Overview
http://documentation.extremenetworks.com/exos/EXOS_21_1/Netlogin/c_overview.shtml

Best regards,
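As an added illustration of the two-method Netlogin setup Bin describes (this is a constructed EXOS configuration, not Bin's or Extreme's own), the fragment below puts every edge port in a holding VLAN, lets domain-joined machines authenticate with 802.1X against the domain RADIUS/NPS server and land in the staff VLAN it returns, and sends everyone else to the web-based portal, where a local guest account lands them in the guest VLAN. VLAN names and tags, the RADIUS server 10.0.1.5, the switch IP 10.0.1.254, the port range 1:1-1:48 and the portal hostname are all assumed, and the Netlogin authentication database order is assumed to already allow the local account to be tried after RADIUS.

```text
# Constructed EXOS example; all names, tags, addresses and ports are assumptions.

# Production VLANs. The RADIUS/NPS policy for domain-joined machines (for example
# a policy matching the Domain Computers group) must return the staff VLAN via
# Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID=staff.
create vlan staff tag 10
create vlan guest tag 20

# Holding VLAN for unauthenticated ports: it carries nothing but DHCP for the
# captive portal, so an unauthenticated device reaches no internal resource.
create vlan nlvlan tag 999
configure netlogin vlan nlvlan
configure vlan nlvlan ipaddress 192.168.99.1/24
configure vlan nlvlan dhcp-address-range 192.168.99.2 - 192.168.99.254
configure vlan nlvlan dhcp-options default-gateway 192.168.99.1
enable dhcp ports 1:1-1:48 vlan nlvlan

# RADIUS for Netlogin: 802.1X requests are forwarded to the domain RADIUS server.
configure radius netlogin primary server 10.0.1.5 1812 client-ip 10.0.1.254 vr VR-Default
configure radius netlogin primary shared-secret RADIUS-SECRET-PLACEHOLDER
enable radius netlogin

# Enable both methods on the edge ports. A supplicant that completes 802.1X is
# moved to the VLAN RADIUS returns; a device with no supplicant or no domain
# account stays in nlvlan until it authenticates through the web portal.
enable netlogin dot1x web-based
configure netlogin dynamic-vlan enable
enable netlogin ports 1:1-1:48 dot1x web-based

# Web-based portal for guests. The local guest account's VLAN VSA places the
# port in the guest VLAN, which the upstream firewall should limit to internet only
# (the internal-server block and DNS hole Jeremy describes are applied there).
enable web http
configure netlogin base-url "guest.example.internal"
create netlogin local-user guest vlan-vsa untagged guest
```

Verify the result with `show netlogin` and `show netlogin session` on a test port: a domain laptop should show dot1x authenticated in staff, and a non-domain device should remain in nlvlan until it completes the portal login and then show web-based authenticated in guest.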