Gotchas to watch out for....AP installation

[System Error Message]

What to watch out for is not to use amplifiers on the APs as you can spoil the radio and not to use microsoft for networking. Using windows or even windows server for networking is one of the most horrible things you can do.

 

[komatsu]

Ok so what solution do ye guys recommend for authentication?

 

[sfx2000]

Does the AAA server have to be Microsoft?

No, it can be any RADIUS server - AD makes it handy as it does profiles/ldap/exchange/radius/etc...

FreeRadius is another solution - and there was an article on the main site for integration of RADIUS into a LAN/WLAN - do a local search there...

 

[stevech]

No, there are many.

 

[stevech]

How is company proprietary and customer NDA data, or legal/contracts, health information, human resources private info, etc., when digital, protected?
email server?

Maybe you could use Google's business services. Low cost, easier than Microsoft's on-line Exchange servers "365".

WiFi itself is down in the noise here, in proper IT systems in corporation or LLC. Gotta get all the important ducks in a row before WiFi. In fact, WiFi should be avoided if at all possible, except for a guest SSID routing only to the Internet.

 

[komatsu]

How is company proprietary and customer NDA data, or legal/contracts, health information, human resources private info, etc., when digital, protected?
email server?

Most of their business is done on-line. They are a highly-profitable business operating in internet gaming company area.

In their city, they are quite well known esp. among gamers - this might make them more of a target for aspiring hackers.

They do not seem interested in an old-school setup of MS servers. But security here is important so apart from FreeRadius any
other suggestions would be much appreciated.

 

[stevech]

Most of their business is done on-line. They are a highly-profitable business operating in internet gaming company area.

In their city, they are quite well known esp. among gamers - this might make them more of a target for aspiring hackers.

They do not seem interested in an old-school setup of MS servers. But security here is important so apart from FreeRadius any
other suggestions would be much appreciated.

Suggest you pay an expert for a solution then you implement. The expert will interview to get policy defined then translate into a specific solution.

 

[komatsu]

The expert will interview to get policy defined then translate into a specific solution.

lol @stevech

How do you define an "expert"?

Remember when loads of "experts" said the banking systems of the USA and Europe were sound. They even wrote some
really impressive sounding reports to back up their claims. Remember when medical "experts" testified in the 1950's that cigarettes were
a "safe" product?.

Everyday I come across people who claim to be "experts". Then a couple of years later you find out that the "expert" advice
they were dishing out was deeply flawed. So I am very wary of "experts".

The great thing about the internet is that on most forums - knowledge can be shared and even "expert" advice can be torn asunder by people who don't claim to be "experts" but who have successfully applied robust and secure solutions that worked in their own home or workplace. No fuss. No fanfare. Just plain simple good advice.

I was hoping for that kind of advice here but maybe I've just come to the wrong forum...

 

[stevech]

lol @stevech


I was hoping for that kind of advice here but maybe I've just come to the wrong forum...

You did get advice on RADIUS and 802.1X.
But it appears that this didn't register since it's not in your realm of familiarity.

Security in IT systems begins with company policy. Absent that, you're getting generalized responses.
So you'll have to seek assistance and pay for it so you have recourse.
As you'd pick a house painter, word of mouth or other methods can get you what help you need. The subject matter expert (SME). Not the geek down the street.

First, create a strawman policy - say, 6 points. Becomes input to the SME. Whomever helps, needs this as a starting point.
such as

1. Network access requires IEEE 802.1X, RADIUS or equivalent AAA. All WiFi equipment shall support the chosen solution.
2. Employees' passwords for the AAA are issued by, controlled by, a designated employee (+ alternate). Passwords are changed every xxx
3. Visitors/contractors access with a password that changes daily (or ?) and provides network access only to the Internet and their employers' VPN.

and so on.

LoL back atcha... you're the CIO to be, like it or not.

CULnot

 

[komatsu]

Thanks Steve for you input.

The main contractor of this job who originally got us to quote thinks our price is a little high. The whole issue of security
does not seem to concern him in the least!

I think he now going to hire "a geek down the street" who will probably set them up on a nice little network secured by WEP

As a matter of interest what do you make of this cloud-based radius server?

https://www.ironwifi.com/