Allowing Guest-Client Access to the Internet Over a WLAN

How can I make sure our wireless LAN (WLAN) traffic is encrypted and prevent attackers from trying to break into our server but still give visiting clients and business partners access to the Internet via our WLAN?

The best way is by creating a Virtual LAN (VLAN) for guests between your wireless Access Points (APs) and the switch that connects to the Internet. Then, you can configure remote access policies on your Internet Authentication Service (IAS) server to restrict wireless clients that aren't part of your domain to the guest VLAN, which gives guests Internet-only access. However, this approach requires special APs that support VLANs and a hefty degree of setup between your switch, the IAS server, and your APs.

If you aren't ready to take on all of that, you can use the setup described in Access Denied, "Alternatives for Safeguarding Your WLAN," September 2004, InstantDoc ID 43501. Guest clients will obtain a DHCP address from your wireless client range and won't be able to access your servers because they aren't part of your forest. But because your servers have a valid IP address and are configured with addresses for DNS servers and a default gateway, guests will be able to access the Internet. Of course, with this scenario you must accept the risk that outsiders might also connect to your WLAN to use the Internet.
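For the guest-VLAN approach described first, the RADIUS server tells the AP which VLAN to use by returning the three tunnel attributes defined in RFC 2868 and RFC 3580 in its Access-Accept. The sketch below is an added example, not code from the article or from IAS: the VLAN IDs 10 and 99 and all function names are assumptions, and it shows both the server-side encoding and the fail-closed check an AP-side consumer would apply.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
CORP_VLAN, GUEST_VLAN = 10, 99   # assumed VLAN IDs, not from the article


def select_vlan(is_domain_member):
    """Fail closed: anything other than a confirmed domain member is a guest."""
    return CORP_VLAN if is_domain_member is True else GUEST_VLAN


def _tagged_int(attr_type, value):
    # Type, Length=6, Tag=0x00, then a 3-octet value.
    return struct.pack("!BBB", attr_type, 6, 0) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id):
    """RADIUS server side: encode the VLAN assignment for an Access-Accept."""
    if not 1 <= vlan_id <= 4094:   # 802.1Q reserves 0 and 4095
        raise ValueError("VLAN ID out of range: %r" % vlan_id)
    group = str(vlan_id).encode("ascii")
    # Sent without a tag octet: the first byte is an ASCII digit (> 0x1F),
    # which RFC 2868 says to read as string data rather than a tag.
    group_attr = struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802) + group_attr)


def ap_vlan(blob):
    """AP side: return the assigned VLAN, or None if the set is incomplete."""
    seen, i = {}, 0
    while i + 2 <= len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            return None            # malformed attribute: do not guess
        body = blob[i + 2:i + length]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if body[0] <= 0x1F:    # optional tag octet present
                body = body[1:]
            seen[attr_type] = body.decode("ascii", "replace")
        else:
            seen[attr_type] = int.from_bytes(body[1:], "big")
        i += length
    if i != len(blob) or seen.get(TUNNEL_TYPE) != TYPE_VLAN:
        return None
    if seen.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802:
        return None
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() else None
```

Returning `None` for a truncated or partial attribute set lets the caller refuse the association or fall back to the guest VLAN instead of leaving the client on a default, possibly internal, VLAN.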
