Q about VLAN's and IAS

 
 
Mike Webb
      04-21-2008, 12:48 AM
Current platform: SBS 2003 Premium, 2-NIC configuration, SOHO router, L2/L3
switch (a D-Link DES-3828). Software firewall: ISA 2004 SP2.
==============
Desired end-state;
(1) Secure wired LAN that prevents unauthorized devices from obtaining an IP
address.
(2) Access for staff via wireless that prevents unauthorized devices from
obtaining an IP address.
(3) Internet only access for guest/visitor wireless devices.

Available wireless devices:
(1) a mix of D-Link AP's (DWL-2200AP's and DWL-2100AP's) - all VLAN-capable
(2) wireless router (D-Link DIR-524)
(3) Unmanaged switch (D-Link DES-1024D)

References I've read:
(1) MS paper: "Deploying Windows Server 2003 Internet Authentication Service
(IAS) with Virtual Local Area Networks (VLANs)"
(2) MS Press book: "Deploying Secure 802.11 Wireless Networks with Microsoft
Windows" I also have the 2008 update to it.

Question: Can I implement VLAN's and IAS if only the wireless devices are
VLAN-capable?

My wired devices do not have 802.11q NIC's in them. Only the switch and the
AP's do. I work for a small non-profit in a very rural area of Nebraska, so
the security may be overkill. However, we have a fair amount of visitors
and guests that need internet access. My goal is to provide it with the
least hazard to our LAN.

I've prowled the internet for quite a while and not been able to get the
specific answer on the above. Unfortunately, the admin guide for the switch
does not provide enough information, and I can't get their tech support to
really help either.
I think I know how to set this up, in general, but not the specifics on how
to tie it together and make it work. My thinking is to create 3 VLAN's -
one for the wired, one for the staff via wireless and the last for
guests/visitors. I could then use the references above to create the
policies needed and set up IAS, but I don't know how to isolate them in DHCP,
nor do I know whether a rule/policy (or two) is needed in ISA Server to
complement IAS.

I can provide more info if you have questions.
I would very much appreciate any and all advice/comments on this subject; it may
help solve the problem, and I'll certainly learn from it.

Mike


 
Robert L. (MS-MVP)
      04-21-2008, 04:20 PM
I haven't got a chance to work on D-Link wireless and VLAN. This is what we do.

1. All equipment is Cisco: AP, switch.
2. Set up Windows IAS.
3. We have 3 levels of wireless: wireless LAN for the employees using VLAN 100,
wireless for students on VLAN 200 and wireless for the public on VLAN 300.
4. The wireless LAN integrates with IAS so that we can use WPA Enterprise, and
it manages the wireless connections based on the users' domain IDs.
5. The student wireless uses WPA2 to manage the security.
6. The public wireless has no security set up.
7. Forgot to mention, you need to configure the port connecting to the AP as
a VLAN trunk.


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
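
As an added illustration (not part of the thread and not either poster's configuration), the Python sketch below models what the trunk port in item 7 does: frames from the AP carry an 802.1Q tag naming VLAN 100, 200 or 300, while an ordinary wired PC sends untagged frames and the switch assigns the VLAN at its access port. The port names, MAC addresses, wired VLAN 10 and the drop policy are assumptions made for the example.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vid(frame):
    """Return the VLAN ID carried in the frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF

def classify(port, frame):
    """Return the VLAN a frame joins on ingress, or None if it is dropped."""
    vid = parse_vid(frame)
    if port["mode"] == "access":
        # Hosts send untagged frames; a tagged frame from a host port is dropped.
        return port["vlan"] if vid is None else None
    # Trunk: the tag must name an allowed VLAN; untagged goes to native, if any.
    if vid is None:
        return port.get("native")
    return vid if vid in port["allowed"] else None

# Constructed sample ports and frames (hypothetical names, MACs and wired VLAN).
PORTS = {
    "ap-uplink": {"mode": "trunk", "allowed": {100, 200, 300}, "native": None},
    "wired-pc": {"mode": "access", "vlan": 10},
}
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLES = [
    ("ap-uplink", build_frame(MAC_B, MAC_A, 0x0800, b"x" * 46, vid=300)),
    ("ap-uplink", build_frame(MAC_B, MAC_A, 0x0800, b"x" * 46, vid=999)),
    ("ap-uplink", build_frame(MAC_B, MAC_A, 0x0800, b"x" * 46)),
    ("wired-pc", build_frame(MAC_B, MAC_A, 0x0800, b"x" * 46)),
    ("wired-pc", build_frame(MAC_B, MAC_A, 0x0800, b"x" * 46, vid=100)),
]

def run_samples():
    return [classify(PORTS[name], frame) for name, frame in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```

A `None` result means the modelled port drops the frame; only the guest-tagged frame on the AP uplink and the untagged frame on the wired port are admitted.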
Mike in Nebraska
      04-21-2008, 05:23 PM
That doesn't sound too difficult. One question about #7 .... did you have
to create DHCP scopes for each VLAN?

Mike

Robert L. (MS-MVP)
      04-21-2008, 05:47 PM
In our case, yes, we do set up a DHCP server for each VLAN.

Mike in Nebraska
      04-21-2008, 06:14 PM
Good to know, thanks!
