
Wireless Strategy / Best Practices

Dear Sophos Community,

We recently switched from an older UTM220 to an SG135w. Regarding Wireless, I would like to redo our current setup and cannot find much information on strategies in the Knowledge Base. Basically, we have the SGw internal Wifi and an older AP10 that we would like to use as a range extender.


Currently, my desired scenario would be like:

- Guest network, isolated from internal. May be ticket based (Hotspot).

- Internal WiFi, bridged to LAN. This would be for mobile workstations etc. that need to access the LAN like any cable-connected device. Authentication against Active Directory preferred.

- Internal WiFi, BYOD. Isolated from internal, but preferred with authentication against AD. So only current Employees would be able to use it.


Is that a valid design? Are there any documents/whitepapers that cover something like this? I actually don't really know where to start. As we are no longer utilizing our previous Sophos Partner, I'd prefer to work through this myself. I am experienced with the Sophos UI and would like to learn about Wireless.

  • Guest network can easily be separated from the rest by creating it as a "Separate zone". Then you can add this network to a hotspot and you have accomplished that task.

    For Internal WiFi and BYOD to authenticate to AD you will need to set up RADIUS in your Windows AD environment, so you're basically creating 802.1X (WPA2-Enterprise). We have it running here, but I remember setting it up was quite a challenge.

    However, the second problem you'll have is that your BYOD devices can just as easily connect to the "internal" WiFi network using the same credentials, unless you're going to keep a list of MAC addresses that can connect to it (and then it's still not failsafe once people know how to spoof their MAC addresses and feel the need to do so). Keeping the list of MAC addresses up to date may be challenging. Maybe you can add a policy that forbids connecting to the internal WiFi using a BYOD device, but you're still likely to see BYOD devices connect to the internal network.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
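The "same credentials work on both SSIDs" problem raised in the reply above is usually solved on the RADIUS server rather than with a MAC list: the server sees which SSID the client is joining (the AP appends it to the RADIUS Called-Station-Id attribute, RFC 3580 section 3.20) and can require a different AD group and a different EAP method per SSID. The following is an added example, not code from this thread, from Sophos or from Windows NPS: a small Python model of such a policy, run against constructed requests. The SSID names, group names, AP BSSID and user identities are assumptions. It shows a weak policy (group membership only) admitting a personal phone to "Internal" with the user's password, and a strict policy that admits only computer accounts presenting a machine certificate (EAP-TLS) on that SSID, which a personal device does not have. The client MAC (Calling-Station-Id) is carried but deliberately never consulted.

```python
"""Added example (not Sophos/NPS code): RADIUS-side 802.1X policy model.
Attribute layout follows RFC 3580 section 3.20; all names are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    """What the policy sees per Access-Request (constructed sample data)."""
    user_name: str           # "alice@corp.example" or "host/laptop01.corp.example"
    called_station_id: str   # "<AP-BSSID>:<SSID>" for 802.11 (RFC 3580 s3.20)
    calling_station_id: str  # client MAC; deliberately unused, it is trivially spoofed
    eap_method: str          # "EAP-TLS" (certificate) or "PEAP-MSCHAPv2" (password)
    account_enabled: bool    # AD account state of user_name
    groups: frozenset        # AD group membership of user_name


@dataclass(frozen=True)
class Rule:
    ssid: str        # SSID the rule covers (exact match)
    group: str       # AD group required on that SSID
    eap_method: str  # EAP method required on that SSID


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def ssid_from_called_station_id(value: str) -> Optional[str]:
    """RFC 3580: AP MAC as 'AA-BB-CC-DD-EE-FF' (upper case), then ':' and the SSID."""
    m = re.fullmatch(r"(?:[0-9A-F]{2}-){5}[0-9A-F]{2}:(?P<ssid>.+)", value)
    return m.group("ssid") if m else None


def evaluate(req: AccessRequest, rules) -> Decision:
    """First rule matching the SSID decides; anything unmatched is rejected."""
    if not req.account_enabled:
        return Decision(False, "account disabled")  # ex-employees are out on every SSID
    ssid = ssid_from_called_station_id(req.called_station_id)
    if ssid is None:
        return Decision(False, "no SSID in Called-Station-Id")
    for rule in rules:
        if rule.ssid != ssid:
            continue
        if rule.group not in req.groups:
            return Decision(False, f"{req.user_name} is not in {rule.group}")
        if req.eap_method != rule.eap_method:
            return Decision(False, f"{ssid} requires {rule.eap_method}, got {req.eap_method}")
        return Decision(True, f"{req.user_name} admitted to {ssid}")
    # Default deny: the guest SSID is a hotspot, not 802.1X, so it has no rule here.
    return Decision(False, f"no 802.1X policy for SSID {ssid}")


# Weak policy: user group only. Alice is in both groups, so her phone joins
# "Internal" with nothing more than her AD password.
WEAK_RULES = (
    Rule("Internal", "WiFi-Internal", "PEAP-MSCHAPv2"),
    Rule("BYOD", "WiFi-BYOD", "PEAP-MSCHAPv2"),
)
# Strict policy: "Internal" admits only domain computer accounts presenting a
# domain-issued machine certificate; a personal device has neither.
STRICT_RULES = (
    Rule("Internal", "Domain Computers", "EAP-TLS"),
    Rule("BYOD", "WiFi-BYOD", "PEAP-MSCHAPv2"),
)

AP = "00-1A-2B-3C-4D-5E"  # constructed AP BSSID
ALICE = frozenset({"Domain Users", "WiFi-Internal", "WiFi-BYOD"})
SAMPLES = {
    "laptop_internal": AccessRequest("host/laptop01.corp.example", f"{AP}:Internal",
                                     "AA-AA-AA-00-00-01", "EAP-TLS", True,
                                     frozenset({"Domain Computers"})),
    "alice_byod": AccessRequest("alice@corp.example", f"{AP}:BYOD",
                                "BB-BB-BB-00-00-02", "PEAP-MSCHAPv2", True, ALICE),
    # Same user and password on the Internal SSID, MAC spoofed to the laptop's.
    "alice_internal_password": AccessRequest("alice@corp.example", f"{AP}:Internal",
                                             "AA-AA-AA-00-00-01", "PEAP-MSCHAPv2", True, ALICE),
    "bob_disabled_byod": AccessRequest("bob@corp.example", f"{AP}:BYOD",
                                       "CC-CC-CC-00-00-03", "PEAP-MSCHAPv2", False,
                                       frozenset({"Domain Users", "WiFi-BYOD"})),
    "alice_guest": AccessRequest("alice@corp.example", f"{AP}:Guest",
                                 "BB-BB-BB-00-00-02", "PEAP-MSCHAPv2", True, ALICE),
}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        for label, rules in (("weak", WEAK_RULES), ("strict", STRICT_RULES)):
            d = evaluate(req, rules)
            print(f"{name:26} {label:6} {'ACCEPT' if d.accept else 'REJECT'}  {d.reason}")
```

The strict variant assumes a domain PKI (for example AD CS) that auto-enrolls machine certificates to managed workstations; on Windows NPS the equivalent is a network policy whose conditions are the Called Station ID pattern for the SSID, the Windows group, and the EAP type. Whether a given AP/firewall forwards the SSID in Called-Station-Id should be confirmed in its RADIUS requests before relying on it.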

  • Thank you for the answer. We are a small business with 20 users, so having a policy for BYOD should not be an issue. Additionally, with the small number of devices expected, I should be able to tell from the client list which one may be using the wrong network.

    I will look into the RADIUS thing. Basically, we have the AD server already in Sophos, as it pulls the user list for VPN users from there. I guess I can use that as a scheme to set something up for internal WiFi.

    However, I am still looking for the basics of setting up a working, secure WiFi on Sophos. I wonder why the knowledge base comes up with very little information on that.
