This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Wired Guest Network

Wired Guest Network

Terren_Crider
Contributor

‎07-06-2017 04:53 PM

How have you implemented guest access on your wired network? I currently have a fully segregated guest network on wireless, but nothing in place on wired. I would like to implement it on wired, but it needs to be able to switch to staff access based on domain credentials (derived from Windows if possible).

So, ideally:
  • User plugs into network and doesn't have a domain account (or is in a non-staff OU) they get internet only access.
  • User plugs into network and has logged onto their laptop with domain accepted credentials they get staff access (internet and internal resources).
It may be better to key on machines that are on the domain first. So, if the user machine is on the domain, they will get staff access. In this case, I would like to keep the wireless authentication as is (since work supplied phones are not on the domain).
0 Kudos
4 REPLIES 4

Bin
Extreme Employee

‎07-06-2017 09:54 PM

Hello Terren,

If you are using EXOS, you could try Netlogin feature.

  • For guest user: you could use Web-based authentication and associate one vlan for guest user only.
  • For staff user: you could use 802.1X authentication.
Network Login Overview
http://documentation.extremenetworks.com/exos/EXOS_21_1/Netlogin/c_overview.shtml

Best regards,
0 Kudos

Jeremy_Gibbs
Contributor

‎07-06-2017 07:27 PM

We do this using Extreme Policy and NAC. If you are an unknown computer, not owned by the school and not in AD, you get redirected to a registration page. You will then get an internet only policy that restricts you to the internet. If you have a campus owned computer, you might be doing .1x or MAC AUTH based on groups, AD groups, end-system groups, location groups etc... The sky is the limit.
0 Kudos

Jeremy_Gibbs
Contributor
In response to Jeremy_Gibbs

‎07-06-2017 07:27 PM

You can create a network resource that maybe all of your servers are on. 10.0.1.0/24

You can then block all access to that network resource, but use IP socket destination to punch a hole through it, say you have 10.0.1.4 and it's a DNS server. You could create a rule to open up socket 53. Anyway, you will have to make it your own and these things very greatly!
0 Kudos

Terren_Crider
Contributor
In response to Jeremy_Gibbs

‎07-06-2017 07:27 PM

If possible, could you share your internet only policy? There's one that was pre-built in my Policy but it does not restrict web traffic to internal resources.
0 Kudos
GTM-P2G8KFN