
Wired Guest Network

Terren_Crider
Contributor
How have you implemented guest access on your wired network? I currently have a fully segregated guest network on wireless, but nothing in place on wired. I would like to implement it on wired, but it needs to be able to switch to staff access based on domain credentials (derived from Windows if possible).

So, ideally:
  • If a user plugs into the network and doesn't have a domain account (or is in a non-staff OU), they get internet-only access.
  • If a user plugs into the network and has logged onto their laptop with domain-accepted credentials, they get staff access (internet and internal resources).
It may be better to key on machines that are on the domain first. So, if the user machine is on the domain, they will get staff access. In this case, I would like to keep the wireless authentication as is (since work supplied phones are not on the domain).
4 REPLIES

Bin
Extreme Employee
Hello Terren,

If you are using EXOS, you could try the Netlogin feature.

  • For guest users: you could use web-based authentication and associate one VLAN for guest users only.
  • For staff users: you could use 802.1X authentication.
Network Login Overview
http://documentation.extremenetworks.com/exos/EXOS_21_1/Netlogin/c_overview.shtml

Best regards,

Jeremy_Gibbs
Contributor
We do this using Extreme Policy and NAC. If you are an unknown computer, not owned by the school and not in AD, you get redirected to a registration page. You will then get an internet only policy that restricts you to the internet. If you have a campus owned computer, you might be doing .1x or MAC AUTH based on groups, AD groups, end-system groups, location groups etc... The sky is the limit.

You can create a network resource that maybe all of your servers are on. 10.0.1.0/24

You can then block all access to that network resource, but use IP socket destination to punch a hole through it. Say you have 10.0.1.4 and it's a DNS server. You could create a rule to open up socket 53. Anyway, you will have to make it your own and these things vary greatly!

If possible, could you share your internet only policy? There's one that was pre-built in my Policy but it does not restrict web traffic to internal resources.
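
The rule layout described in this thread (block the 10.0.1.0/24 server network, open port 53 to the DNS server at 10.0.1.4, allow everything else) can be checked offline before it goes onto a switch. The following is an added example, not part of any post and not Extreme Policy syntax: it assumes a generic ordered first-match model, DNS on both UDP and TCP, and constructed host addresses, and it reports any internal host a guest role would still let web traffic reach.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    dst: str                      # destination network in CIDR form
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # None matches any destination port

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        return in_net and self.proto in (None, proto) and self.port in (None, port)

def evaluate(policy, dst_ip, proto, port):
    """Return the action of the first matching rule; default deny."""
    for rule in policy:
        if rule.matches(dst_ip, proto, port):
            return rule.action
    return "deny"

# Constructed guest role (hypothetical model, first match wins):
# the DNS hole must come before the subnet block, or it never matches.
GUEST_POLICY = [
    Rule("permit", "10.0.1.4/32", "udp", 53),
    Rule("permit", "10.0.1.4/32", "tcp", 53),
    Rule("deny", "10.0.1.0/24"),
    Rule("permit", "0.0.0.0/0"),   # everything else, i.e. the internet
]

# Constructed stand-in for a role that never blocks internal destinations.
PERMISSIVE_POLICY = [Rule("permit", "0.0.0.0/0")]

def internal_web_leaks(policy, internal_hosts):
    """List (host, port) pairs where guest HTTP/HTTPS to an internal host is permitted."""
    return [(h, p) for h in internal_hosts for p in (80, 443)
            if evaluate(policy, h, "tcp", p) == "permit"]

if __name__ == "__main__":
    hosts = ["10.0.1.4", "10.0.1.20"]   # constructed internal servers
    print("guest role leaks:     ", internal_web_leaks(GUEST_POLICY, hosts))
    print("permissive role leaks:", internal_web_leaks(PERMISSIVE_POLICY, hosts))
```

An empty list for a role means none of the probed internal hosts is reachable on ports 80 or 443; it is a spot check of the listed hosts, not proof for every address in the subnet.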