
OpenDNS family shield


tigersaw
04-01-13, 07:19 PM
I'm under pressure to provide wireless access for the staff at work (for use of their personal phones, laptops etc during rest breaks), but I want to try and avoid any abuse of the facility and keep it legal.
Everyone has access to corporate machines, but they are soooo slow and the log-on takes minutes at a time, what with the whole building linked to corporate servers through vpn and a 2mb link. (It was originally only intended to run SAP and company web pages).

A simple wireless router would cover the areas required, but most likely leak beyond too.

Since we are close to a public area, I thought that I could use MAC filtering along with a password to prevent staff giving access to other users in adjacent buildings (there is a fire station, police, terminal building, public areas etc all hungry for internet access), so long as typing all the numbers into the router does not get too tedious - I don't want to put much time into this as it's really outside my remit.

The other thing I've stumbled across is OpenDNS family shield - it looks like all I have to do is change the primary and secondary DNS addresses in the router to 208.67.222.123 and it will no longer resolve dodgy sites. Sounds a wonderful free service that would prevent the majority of the tech non-savvy from causing embarrassment, anyone heard of it?

Davadvice
04-01-13, 07:36 PM
Hi,

Would the MAC filter not be an admin nightmare? How many staff do you have, and remember that they may also have more than one device.

Can you not set up the router to go through a proxy and give each individual a username and password, and also remember to update the electronic comms policy to include the wifi access?

Personally, unless you have major issues with 3/4G reception I would push back on granting access, as it will open up a whole pile of poop as some smart a$$ will find a way around what you put in place and then it's porn all the way for them if you're lucky.

tigersaw
04-01-13, 07:42 PM
> Hi,
>
> Would the MAC filter not be an admin nightmare? How many staff do you have, and remember that they may also have more than one device.
>
> Can you not set up the router to go through a proxy and give each individual a username and password, and also remember to update the electronic comms policy to include the wifi access?
>
> Personally, unless you have major issues with 3/4G reception I would push back on granting access, as it will open up a whole pile of poop as some smart a$$ will find a way around what you put in place and then it's porn all the way for them if you're lucky.

I agree. There would be about 30 staff with, say, 2 devices each, and then I can imagine management wanting to give guests occasional access too.
I don't want to get involved with buying extra hardware and administering it either, I've better things to do. However, if I can find a fit-and-forget solution that will only cost a few man hours and minimal upkeep I'd offer it.

Spank86
04-01-13, 07:44 PM
Can't you override the router's DNS settings on your device?

Then again you could also use a proxy, so I guess nothing's completely safe.

tigersaw
04-01-13, 08:00 PM
> Can't you override the router's DNS settings on your device?
>
> Then again you could also use a proxy, so I guess nothing's completely safe.

I've no idea - no-one would have access to the wireless router and it would be password protected, but if someone were to type the actual IP address of a site rather than its name then that would bypass it, but we are talking about a largely trustworthy and IT non-savvy workforce.
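The two gaps raised above (a device pointed at a resolver other than the FamilyShield one, and a device whose MAC is not on the router's list) are both visible in an ordinary router/firewall connection log. The following is an added example, not code from the thread or from OpenDNS: it audits a constructed sample of log lines against a hypothetical MAC allow-list and the FamilyShield resolver addresses (208.67.222.123 from the post; 208.67.220.123 is OpenDNS's published secondary for FamilyShield) and lists the clients worth a second look.

```python
"""Flag wireless clients that sidestep the DNS filter or the MAC allow-list."""
import re
from collections import defaultdict

# OpenDNS FamilyShield resolvers: the address named in the thread and its
# published secondary. Any port-53 traffic elsewhere bypasses the filter.
FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}

# Hypothetical allow-list as the router would hold it (constructed values).
ALLOWED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed log format: timestamp, client MAC, client IP, proto, dst IP, dst port.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) mac=(?P<mac>[0-9a-f:]{17}) src=(?P<src>[\d.]+) "
    r"proto=(?P<proto>udp|tcp) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample lines (not real traffic). Line 2 uses a third-party
# resolver; line 4 comes from a MAC that was never added to the router.
SAMPLE_LOG = """\
2013-01-09 08:01:02 mac=aa:bb:cc:00:00:01 src=192.168.50.10 proto=udp dst=208.67.222.123 dport=53
2013-01-09 08:01:05 mac=aa:bb:cc:00:00:02 src=192.168.50.11 proto=udp dst=8.8.8.8 dport=53
2013-01-09 08:01:09 mac=aa:bb:cc:00:00:02 src=192.168.50.11 proto=tcp dst=93.184.216.34 dport=80
2013-01-09 08:02:13 mac=de:ad:be:ef:00:99 src=192.168.50.12 proto=udp dst=208.67.220.123 dport=53
this line is malformed and is skipped
"""


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def audit(log_text):
    """Return {mac: sorted findings} for every client that needs attention."""
    findings = defaultdict(set)
    for rec in parse(log_text):
        if rec["mac"] not in ALLOWED_MACS:
            findings[rec["mac"]].add("unknown MAC on the wireless segment")
        if rec["dport"] == "53" and rec["dst"] not in FAMILYSHIELD:
            findings[rec["mac"]].add(f"DNS to non-FamilyShield resolver {rec['dst']}")
    return {mac: sorted(notes) for mac, notes in findings.items()}


if __name__ == "__main__":
    for mac, notes in audit(SAMPLE_LOG).items():
        print(mac, "->", "; ".join(notes))
```

A client that types a site's IP address directly never appears on port 53 at all, which is why the log check complements, rather than replaces, a firewall rule that only permits outbound DNS to the FamilyShield addresses.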

a_monkey_hint
04-01-13, 08:02 PM
Separate the wireless so it's on a different VLAN. Use a captive portal server to manage authentication (similar to what you use in pubs nowadays - with the login webpage).
The captive portal forwards any authentication requests to your Active Directory (or other authentication method).

You need to remember security is key, so spend the additional time on setting up a proper system. It's your head that will roll if security is breached.

tigersaw
04-01-13, 08:10 PM
> Separate the wireless so it's on a different VLAN. Use a captive portal server to manage authentication (similar to what you use in pubs nowadays - with the login webpage).
> The captive portal forwards any authentication requests to your Active Directory (or other authentication method).
>
> You need to remember security is key, so spend the additional time on setting up a proper system. It's your head that will roll if security is breached.

Umm, that's not in my language, sorry.
I'll distance myself from any liability - I'll just set something up and hand responsibility over.
The only reason it's been dumped on my door is I run the engineering department and management think we do everything from fixing flat tyres to providing 4G consultation to the government.

a_monkey_hint
04-01-13, 08:23 PM
> Umm, that's not in my language, sorry.
> I'll distance myself from any liability - I'll just set something up and hand responsibility over.
> The only reason it's been dumped on my door is I run the engineering department and management think we do everything from fixing flat tyres to providing 4G consultation to the government.

I'll try and explain best I can (in non-IT speak!).

VLAN = Virtual LAN (Local Area Network). This effectively gives you two separate networks using the same infrastructure (network equipment). Exactly what you want - your wired traffic and your wireless traffic using the same equipment. This basically stops wireless traffic from accessing areas of your network you don't want them to (storage servers, workstations etc for example).

Once you've separated your wireless network from your main wired traffic, you need a captive portal. A captive portal effectively tells any wireless traffic "you must come here before you can do anything else". This is a webpage. This web page will ask for some form of authentication (username and password, for example). If you supply correct credentials, it will then allow you to go about your business. If you fail authentication, it will not allow you further. You will need a separate PC to do this (with two network cards).

Have a look at the following captive portal https://www.untangle.com/

It's free, I've never used it (as we paid for our captive portal at work), but I've heard it is very very good and very easy to set up.

Untangle also has a proxy (a means of restricting web content) built in, which could be useful in your situation.

Hope this helps.

tigersaw
04-01-13, 08:29 PM
Thanks, I understood that better :)
Thing is, I'll just get BT to put in a new circuit (or have internet added to one of the spares I have) so it will be fully isolated from anything that already exists in the building.

DJ123
04-01-13, 09:17 PM
Get a decent router that has block filters on it; Draytek do these. Great bits of kit that are used commercially and in academic environments.
Something like this http://www.draytek.co.uk/products/vigor2830.html

Sir Trev
05-01-13, 05:22 PM
I cannot believe you are being asked to provide wireless access for non-work use. If people want to check their personal e-mail (or post to the Org) let them use their data allowance or find their own hotspot.

tigersaw
05-01-13, 05:37 PM
So no-one has internet access from work, do you all use your own phones or 3g dongles?

Pete7
09-01-13, 01:56 PM
Whilst you're building it, don't forget to limit the time peeps can access it to your working hours and not Sat or Sun etc.

Pete

Sudoxe
09-01-13, 02:02 PM
> So no-one has internet access from work, do you all use your own phones or 3g dongles?

We have a separate wifi network for private devices which requires a login and is internet access only.

You have to agree to the AUP before signing in, and if you do anything dodgy then it's the same as doing it on the corporate network and you are shown the door.

Slightly different to normal companies though since I work for an ISP.

hindle8907
09-01-13, 02:47 PM
B.y.o.d

timwilky
09-01-13, 03:03 PM
> B.y.o.d

And corporate data ends up on private devices, with no control as to how it is used or where. Users then expect support as their device is being used for business purposes. 50,000 users are then expected to be able to read a document in an unsupported proprietary format because somebody has forgotten just why we have bought 50,000 licences for MS Office.

BYOD sounds great until the practicalities kick in.

tigersaw
09-01-13, 03:25 PM
> Whilst you're building it, don't forget to limit the time peeps can access it to your working hours and not Sat or Sun etc.
>
> Pete

It's 24 hours here.

However, since I've asked for an AUP for users to sign, corporate have got involved and want to quote for a 'proper' system.
Prolly better off with 3G at this rate.
Or 4G as we get round here.

hindle8907
09-01-13, 04:28 PM
> And corporate data ends up on private devices, with no control as to how it is used or where. Users then expect support as their device is being used for business purposes. 50,000 users are then expected to be able to read a document in an unsupported proprietary format because somebody has forgotten just why we have bought 50,000 licences for MS Office.
>
> BYOD sounds great until the practicalities kick in.

We don't use it, had a web meeting with a tech from Cisco, some good ideas but what we were looking for, I can see it working in some places though.

I just have a Cisco wireless controller with a few access points VLAN'ed off and push it through our proxy server, create individual accounts that expire every Friday and the users have to set a new password.