Wireless Strategy / Best Practices

Question

Dear Sophos Com, 
 
 We recently switched from an older UTM220 to an SG135w. Regarding Wireless, I would like to redo our current setup and cannot find much information on strategies in the Knowledge Base. Basically, we have the SGw internal Wifi and an older AP10 that we would like to use as a range extender. 
 
 Currently, my desired scenario would be like: 
 - Guest network, isolated from internal. May be ticket based (Hotspot). 
 - Internal WiFi, bridged to LAN. This would be for mobile workstations etc. that need to access the LAN like any cable-connected device. Authentication against Active Directory preferred. 
 - Internal WiFi, BYOD. Isolated from internal, but preferred with authentication against AD. So only current Employees would be able to use it. 
 
 Is that a valid design? Are there any documenst/whitepapers that cover something like this? I actually don't really know where to start. As we are no longer utilizing our previous Sophos Partner, I'd prefer to work thru this myself. I am experienced with the Sophos UI and would like to learn about Wireless.

apijnappels · Answer

Guest network can easily be separated from the rest by creating it as a "Separate zone". Then you can add this network to a hotspot and you have accomplished that task. 
 For Internal WiFi and BYOD to authenticate to AD you will need to setup Radius on your Windows AD environment, so you're basically creating 802.1x (WPA2-enterprise). We have it running here but I remember setting it up was quite a challenge. 
 However the second problem you'll have is that your BYOD devices can just as easily also connect to the "internal" wifi network using the same credentials unless you're going to keep a list of MAC-addresses than can connect to is (and then it's still not a failsafe once people know how to spoof their MAC-addresses and feel the need to do so). Keeping the list of MAC-addresses up-to-date may be challenging. Maybe you can add in some policy that forbids connecting to Internal wifi using a BYOD device, but still you're likely to see BYOD devices connect to the internal network.