Wireless clients, 2 SSID's and SBS - need recommendations

[Also posted on microsoft.public.windows.server.sbs]

Running SBS 2003 Premium SP2, ISA 2004, SQl, Exchange, WSUS, 2 NICs
and a router, managed switch that is 802.11q capable (D-Link
DES-3828),
5 AP's - 802.1q capable (D-Link DWL-2200AP's), Symantec Corp. A/V and
Backup Exec 11d.
============================
I need everyone's help/guidance/comments/recommendations on this
issue. It's one I've been working on for 2 months now. I've had
lot's of pervious help on previous posts, but it got harder than it
had to be (my opinion) and so I decided to start from scratch.

My goal: Wireless LAN (WLAN) with 2 SSID's - one to tie domain users
and computers to the wired LAN, and the other so that visitors and
contractors can access the internet ONLY.


Add'l info: Security is not a huge issue; we are in a rural area 7
miles from the nearest town and 1 mile from the nearest house. We are
so far off the "beaten path" we can't get landline internet - we use
satellite. we are at the end of a road 1.5 miles off the main road.
Lot's of tree's to the north and south. Anyone who comes here is
invited; no tourists or drive-bys. During our busy season (now) we
have 20 people living on-site in our houses and bunk house while they
do research or assist the reasearchers. Most bring their laptops for
off-time use.


I' ve looked hard at the MS white paper on securing wireless in a SBS
environment, and also Owen William's paper on this, too. Spent most
of yesterday implementing his steps, but made a big mistake -- I must
have entered the wrong secret word for RADIUS on the switch and now
can't access it at all. Had to take an old unmanaged switch of my
junk pile and put it into service last night so the wired clients
would have LAN and internet access. After a lot of thought last
night, I'm convinced that I just don't need to implement such a
secure
wireless environment. I just need to keep those off-hour folks out
of
the server.


I'm sure the solution is staring me in the face -- probabaly involves
ISA and a special user group --, but I'd like your thoughts.


Many(!) thanks in advance!


Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501(c)(3) conservation nonprofit organization

On Jul 15, 2:51 am, Mike_in_Nebraska <mike_w...@whoopingcrane.org>
wrote:
> My goal: Wireless LAN (WLAN) with 2 SSID's - one to tie domain users
> and computers to the wired LAN, and the other so that visitors and
> contractors can access the internet ONLY.

Hi,
Not sure why you would need two SSIDs for this setup. The wired LAN is
as the name implies "wired" so what use do the computers on the wired
LAN have for an SSID?
Easiest way to accomplish what you want is to segment the network.
Since you are using a Managed switch, easiest way is to create two
VLANs. Put the wired LAN on one VLAN (including the server) and the
wireless on the other. Create appropriate routes so that users from
both VLANs can reach the internet but not each other (The Dlink manual
will help you do this).
To add more exotic things like user authentication etc, you will need
to use something like Coova (on a WRT54G) or monowall (www.m0no.ch/
wall) on a Soekris board.
Regards,
Shiv

Hi,

Are you sure that you aren't making it all more complicated than need be?

I have a private WLAN, plus an "open internet-only pipe" SSID. (In
addition, have other SSID's that are for other things such as media.)

- Setup your WLAN as you see fit.

- As for the "internet-only" pipe, just put it behind a captive portal.

I'm using ZoneCD (free). Works great.

http://www.publicip.net/zonecd/how.php