
Author Topic: ws5100 with ap5131 hotspot guest security help  (Read 4340 times)


Offline mdl

ws5100 with ap5131 hotspot guest security help
« on: May 26, 2013, 02:34:15 PM »
Firstly Hello to everyone and thanks in advance for any help.

I have been having a look through all the posts to try and find my answers but after 3 solid days I think I have to admit I need some direction.

I have had 2 5131s in place for some time just providing our wireless but I now want to go the next step and provide a hotspot portal to our customers. This will eventually be a scoring site hosted locally so customers can see their scores on my web server and also log in for web access.

I set up a 5131 for hotspot no problems but after some lengthy reading to do what I wanted I would need a switch so that I could link the 5131's and get a better result for the captive portal so I got a ws5100

I setup the adaptive ap no problem and the switch ws5100 picks up fine. I ran a few firstly open tests and then used the onboard radius and hotspot pages to perform authentication tests again no problems.

I then started to think about security and then the nightmares started.

There have been a few posts on here with similar questions but they were more advanced in the issues.

The 5131 was initially set up for DHCP for the clients so it separated the scopes, preventing an idiot's view of the local networked machines, so I have tried to set up the DHCP on the switch to do the same. Not much luck there I'm afraid lol, I have had the DHCP working and it assigns the different scope of address that I set up in the DHCP settings but no internet access was granted.

I started looking at how to tunnel the vlan but there seems to be differing opinions on which way to do it.

When looking through all the Motorola manuals and web pages there seems to be an option of GRE tunneling but this is not on my version of the GUI, version 3.3.5.0-002r. Could it be on the CLI?

I scrapped that idea for a day and looked at setting up some ACLs to prevent local access and just open for web but everything I have tried so far just refuses to give web access. I have tried opening all the extended ACLs for a test but as soon as I apply them to a vlan or eth1 or 2, depending on the astounding amounts of setups I have tried, I get the same results: no internet or local access.

Some of you may have picked up by now that I am not a professional tech but I know my way around networks to a degree. I am hoping that the elite don't just turn their noses up and think what's he doing here lol, I am learning with each read of a post.

So I suppose my question (after all that lol) is what is the best way to secure my guest network. After all this messing around time, and when I say three days I don't mean 10 hours a day for the last 3 days. I would love to get the DHCP server working properly just so it had not beat me but that may not turn out to be the best way.

Some bits of info.

WS5100 version 3.3.5.0-002r
AP5131 just 2 of for now version 2.2.00-023r

I have tried loads of different configurations on both eth 1 and 2, access and trunk modes.
I have reset the switch to make sure there are no conflicting settings and started from new.
Current network DHCP is supplied from good old BT router and switch is dynamic 192.168.0.69. I have tried static as well, same IP. I was going to use a win2008 server but don't think it will help any.
Tried new vlans set on both eth ports and assigned different wlans to most of them, open encryption as the radius will sort out the login security.
If I set up vlan1 on eth 2 and leave it as DHCP then I get an IP from the router pool and everything is fine but very open. (so the switch does work)

I really need a bit of guidance as to which way I should do this. I have tried a lot myself before I cried for help lol. I have been through all the manuals and release notes for the firmware updates and still can't sort myself out.

Hopefully if you have taken the time to read all this then you might just be inclined to help out.

Thanks again for taking the time to read.

Matt



Offline MWG

Re: ws5100 with ap5131 hotspot guest security help
« Reply #1 on: May 28, 2013, 04:37:33 PM »
Hi,

Please find attached a presentation guiding you step by step through the hotspot and ACL setup in WiNG 3 / WiNG 4.
The example will show you how to permit ARP and DHCP/DNS/HTTP in an ACL.
If you need some more protocols you have to add them into the IP ACL yourself.
But the example should be good enough to start ...

Offline mdl

Re: ws5100 with ap5131 hotspot guest security help
« Reply #2 on: May 28, 2013, 08:05:56 PM »
Hi,

I have been through a lot of pages similar to your attachment but none as good so I will try from scratch tomorrow.

Many thanks for this, I will let you know how I get on.

Cheers

Matt

Offline mdl

Re: ws5100 with ap5131 hotspot guest security help
« Reply #3 on: May 29, 2013, 04:09:42 PM »
Ok mmmmm some very strange results. I had no joy until I attached the rules to the layer2/3 instead of the wan. I got internet access on windows but no www access.

So I have decided to try and start from scratch so please bear with me and see if what I have done is correct so far.

My BT router is providing internet access and also is the dns and dhcp server located at 192.168.0.1
My 5100 is up on eth2 and has an address of 192.168.0.69

I am going to setup and use vlan2 so I have trunked eth2 to accept both vlan 1 and 2. (1 being management)

I am going to try and set up a different DHCP range so it's separate from my local LAN. I will leave it open for now for the purpose of testing.

SVI setup

Added Vlan ID 2
Static address 192.169.0.1 sub 255.255.255.0
Description Wireless (for now)

Wireless lan setup
essid 101 and description wlan2 (not important for now)
VlanID is set at 2, not dynamic ticked
No Authentication (for now)

Services DHCP
Ticked for enable and ticked to ignore boot
Pool name and domain name set to wireless (not important for now)
Netbios mode Undefined
Network Associated interface set as Vlan2-Primary which gives me a 192.169.0.0/24
Added range of ip 192.169.0.10 - 192.169.0.40 (just for testing)


When I connect to this wlan I get an ip assigned of 192.169.0.40 - 255.255.255.0
ipv4 DNS server 192.168.0.1.
No IPV4 Default gateway.

I assumed that this would have given me open access and then used firewall to restrict access.
My Vlan1 seems to work in this way.

Would somebody be so kind as to tell me if I have done right so far, albeit not the results I am after yet. If this is correct then I will proceed with the ACL rules until I get them right but I would be fighting a losing battle if I am not correct so far.

Thanks

Matt
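
A sanity check run over the lease values reported in the post above, as an added example that is not part of the original thread. The function name, the finding texts and the second (constructed) lease are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges; anything else is publicly routable address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_guest_lease(ip, netmask, gateway, dns_servers):
    """Return a list of findings for a DHCP lease handed to a guest client."""
    net = ipaddress.ip_interface(f"{ip}/{netmask}").network
    findings = []

    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(f"{net} is not RFC 1918 private space")

    gw = ipaddress.ip_address(gateway) if gateway else None
    if gw is None:
        findings.append("no default gateway: only on-link hosts are reachable")
    elif gw not in net:
        findings.append(f"gateway {gw} is outside {net}")
    usable_gw = gw is not None and gw in net

    for dns in map(ipaddress.ip_address, dns_servers):
        if dns not in net and not usable_gw:
            findings.append(f"DNS {dns} is off-subnet and needs a usable gateway")
    return findings


# Lease values exactly as reported in the post.
REPORTED = dict(ip="192.169.0.40", netmask="255.255.255.0",
                gateway=None, dns_servers=["192.168.0.1"])

# Constructed comparison lease (assumption): a private guest subnet whose
# gateway is the VLAN 2 interface address on the switch.
CONSTRUCTED = dict(ip="192.168.2.40", netmask="255.255.255.0",
                   gateway="192.168.2.1", dns_servers=["192.168.0.1"])

if __name__ == "__main__":
    for name, lease in (("reported", REPORTED), ("constructed", CONSTRUCTED)):
        print(name, check_guest_lease(**lease) or "no findings")
```

The check covers only the lease itself; routing or NAT between the guest subnet and the upstream router is outside what it tests.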








Offline mdl

Re: ws5100 with ap5131 hotspot guest security help
« Reply #4 on: June 13, 2013, 10:50:45 AM »
Hi Guys,

Sorry but can anyone confirm my setup so far?

Thanks

Matt