On the basis of the diagram above, this post explains the network structure of our WLAN project. As briefly described in the last post, it involves setting up three SSIDs.
Each SSID is permanently assigned to a VLAN and routed accordingly. It is important for us that the company network cannot be reached directly from the WLAN; a strict separation must be enforced here to guarantee security. The networks for mobile phones, tablets, PCs and guests are routed directly to the Internet, while the hand-held scanners from production are routed to an SSL VPN gateway.
Guests must of course authenticate at the captive portal before they get Internet access – in our case the portal is provided by the Unifi controller software, but a portal of the firewall (e.g. Sophos XG) could be used as well. There are many ways to give guests regulated Internet access.
Notebooks are authenticated against Active Directory via RADIUS; the Microsoft Network Policy Server (NPS) serves as the RADIUS server. This server could also be used for dynamic VLAN assignment.
In the firewall (in our case a Sophos XG 320), the notebooks are treated like ordinary PCs and routed through the proxy, including the full ruleset. Guests are routed to the Internet through a proxy but without filtering – this is only for logging.
The scanners connect automatically to the WLAN "productionaccess" and then have access only to the VPN gateway and the MDM server. When the corresponding app is started, a so-called "Per App VPN" is established automatically. The advantage of this VPN is that only apps distributed via the Mobile Device Management (MDM) system may use the tunnel, not the whole device or other apps. In addition, it is set up automatically and, because it is certificate-based, requires no user names or passwords.
Thus, with a simple setup, we can guarantee both flexible functionality and high security.
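As an added illustration (not from the post), the segmentation described above modelled as a first-match ruleset with an implicit default deny, together with a check of the invariants the post requires. The subnets, zone names and the gateway/MDM addresses are assumed, since the post names none.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumed, not from the post); gateway/MDM use TEST-NET-3 addresses.
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/16"),               # company network
    "wlan_devices": ipaddress.ip_network("10.10.0.0/24"),     # notebooks / phones / tablets
    "wlan_guest": ipaddress.ip_network("10.20.0.0/24"),       # guests (after captive portal)
    "wlan_production": ipaddress.ip_network("10.30.0.0/24"),  # SSID "productionaccess"
    "vpn_gateway": ipaddress.ip_network("203.0.113.10/32"),   # SSL VPN gateway
    "mdm": ipaddress.ip_network("203.0.113.20/32"),           # MDM server
}

@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone, or "internet" for anything outside ZONES
    action: str   # "allow" or "deny"

# First-match ruleset for the post's design; everything unmatched hits the default deny.
RULES = [
    Rule("wlan_production", "vpn_gateway", "allow"),
    Rule("wlan_production", "mdm", "allow"),
    Rule("wlan_production", "internet", "deny"),   # explicit, so the intent is visible in the ruleset
    Rule("wlan_devices", "internet", "allow"),     # goes through the proxy and full ruleset
    Rule("wlan_guest", "internet", "allow"),       # proxy, logging only
]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def decide(src_ip: str, dst_ip: str) -> str:
    """First-match evaluation with an implicit deny, as the firewall does it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if r.src == src and r.dst == dst:
            return r.action
    return "deny"

def check_segmentation() -> list[str]:
    """Names of the post's invariants that the ruleset violates (empty list = design holds)."""
    probes = {  # (source, destination, expected decision); 198.51.100.1 stands in for the Internet
        "no WLAN may reach the company network": [
            ("10.10.0.5", "10.0.1.1", "deny"), ("10.20.0.5", "10.0.1.1", "deny"), ("10.30.0.5", "10.0.1.1", "deny")],
        "scanners reach only VPN gateway and MDM": [
            ("10.30.0.5", "203.0.113.10", "allow"), ("10.30.0.5", "203.0.113.20", "allow"),
            ("10.30.0.5", "198.51.100.1", "deny")],
        "devices and guests reach the Internet": [
            ("10.10.0.5", "198.51.100.1", "allow"), ("10.20.0.5", "198.51.100.1", "allow")],
    }
    return [name for name, cases in probes.items()
            if any(decide(s, d) != expected for s, d, expected in cases)]
```

Adding a rule such as `Rule("wlan_guest", "lan", "allow")` above the default deny makes `check_segmentation()` report the first invariant, which is the kind of regression check worth running whenever the firewall ruleset changes.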
In the next part, the technical implementation follows, using the Unifi software and Ubiquiti access points.
Enterprise WLAN Part 1 – The Introduction
Enterprise WLAN Part 2 – The network structure
Enterprise WLAN Part 3 – The Setup of Unifi Software