
Wireless Strategy / Best Practices

Dear Sophos Com,


We recently switched from an older UTM220 to an SG135w. Regarding Wireless, I would like to redo our current setup and cannot find much information on strategies in the Knowledge Base. Basically, we have the SGw internal Wifi and an older AP10 that we would like to use as a range extender.


Currently, my desired scenario would be like:

- Guest network, isolated from internal. May be ticket based (Hotspot).

- Internal WiFi, bridged to LAN. This would be for mobile workstations etc. that need to access the LAN like any cable-connected device. Authentication against Active Directory preferred.

- Internal WiFi, BYOD. Isolated from internal, but preferred with authentication against AD. So only current Employees would be able to use it.


Is that a valid design? Are there any documents/whitepapers that cover something like this? I actually don't really know where to start. As we are no longer utilizing our previous Sophos Partner, I'd prefer to work through this myself. I am experienced with the Sophos UI and would like to learn about Wireless.



  • Guest network can easily be separated from the rest by creating it as a "Separate zone". Then you can add this network to a hotspot and you have accomplished that task.

    For Internal WiFi and BYOD to authenticate to AD you will need to set up RADIUS on your Windows AD environment, so you're basically creating 802.1X (WPA2-Enterprise). We have it running here, but I remember setting it up was quite a challenge.

    However, the second problem you'll have is that your BYOD devices can just as easily also connect to the "internal" WiFi network using the same credentials, unless you're going to keep a list of MAC addresses that can connect to it (and then it's still not failsafe once people know how to spoof their MAC addresses and feel the need to do so). Keeping the list of MAC addresses up to date may be challenging. Maybe you can add in some policy that forbids connecting to Internal WiFi using a BYOD device, but you're still likely to see BYOD devices connect to the internal network.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • Thank you for the answer. We are a small business with 20 users, so having a policy for BYOD should not be an issue. Additionally, with the small number of devices expected, I should be able to tell from the client list which one may be using the wrong net.

    I will look into the RADIUS thing. Basically, we have the AD server already in Sophos, as it pulls the user list for VPN users from there. I guess I can use that as a scheme to set something up for internal WiFi.

    However, I am still looking for the basics of setting up a working, secure WiFi on Sophos. I wonder why the knowledge base comes up with very little information on that.
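The point raised in the first reply (BYOD devices can join the internal SSID with the same AD credentials, and a MAC list is only a weak, spoofable control) and the poster's plan to spot such devices from the client list can be turned into a small audit. The following is an added example, not Sophos UTM code or anything from this thread: it parses a constructed wireless client export (one client per line: SSID, MAC, username; the format and SSID names are assumptions), compares it against a constructed inventory of company-owned adapters, and reports devices on the internal SSID that are not company-owned, plus which accounts show up on more than one SSID. Because MAC addresses can be spoofed, this is a detective check to run against the client list, not an enforcement mechanism.

```python
"""Audit a wireless client list for BYOD devices on the internal SSID.

Added example (not Sophos UTM code). The client export format, the SSID
names and all MAC addresses below are constructed for illustration.
"""
from collections import defaultdict, namedtuple

Client = namedtuple("Client", "ssid mac user")

INTERNAL_SSID = "Corp-Internal"   # assumed name of the LAN-bridged SSID
BYOD_SSID = "Corp-BYOD"           # assumed name of the isolated BYOD SSID

# Constructed inventory of company-owned wireless adapters (not real data)
COMPANY_MACS = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
}

# Constructed client list export (not real data): "<ssid> <mac> <username>"
CLIENT_LIST = """\
Corp-Internal 00:11:22:33:44:01 jsmith
Corp-Internal 00:11:22:33:44:02 mjones
Corp-Internal AA-BB-CC-DD-EE-01 jsmith
Corp-BYOD     aa:bb:cc:dd:ee:02 mjones
Corp-Guest    aa:bb:cc:dd:ee:03 -
"""


def normalize_mac(mac):
    """Canonical form: lower-case, colon-separated, so 'AA-BB-..' == 'aa:bb:..'."""
    return mac.strip().lower().replace("-", ":")


def parse_clients(text):
    """Parse the export into Client tuples, skipping blank or malformed lines."""
    clients = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ssid, mac, user = parts
        clients.append(Client(ssid, normalize_mac(mac), user))
    return clients


def find_misplaced_byod(clients, company_macs, internal_ssid=INTERNAL_SSID):
    """Clients on the internal SSID whose MAC is not a company-owned adapter."""
    company = {normalize_mac(m) for m in company_macs}
    return [c for c in clients if c.ssid == internal_ssid and c.mac not in company]


def ssids_per_user(clients):
    """Map each username to the set of SSIDs its credentials were used on."""
    seen = defaultdict(set)
    for c in clients:
        if c.user != "-":          # guest/hotspot clients carry no AD user
            seen[c.user].add(c.ssid)
    return dict(seen)


def users_on_multiple_ssids(clients):
    """Accounts appearing on more than one SSID: worth a look under a BYOD policy."""
    return sorted(u for u, ssids in ssids_per_user(clients).items() if len(ssids) > 1)


if __name__ == "__main__":
    clients = parse_clients(CLIENT_LIST)
    for c in find_misplaced_byod(clients, COMPANY_MACS):
        print(f"non-company device on {c.ssid}: {c.mac} (user {c.user})")
    for u in users_on_multiple_ssids(clients):
        print(f"account {u} seen on: {', '.join(sorted(ssids_per_user(clients)[u]))}")
```

Run it against a real client export by replacing `CLIENT_LIST` with the exported text and `COMPANY_MACS` with the adapter inventory; the `normalize_mac` step matters because exports and inventories often disagree on case and separator.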

  • You can authenticate WPA2 against a RADIUS server, and the Windows RADIUS service does use AD.  Start with a Google on:

    site:community.sophos.com/kb utm wireless

    You might find Configuring HTTP/S proxy access with AD SSO helpful.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.  Finally, you might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA