Securing Guest Wireless Networks?

By Arunkumar posted Jun 27, 2014 06:35 PM


Environment : This article applies to all controller models and AOS versions 5.0 and higher.



  • Guest Wireless networks should be assigned a separate untrusted VLAN with any incoming and outgoing traffic must pass through a predefined ACL and should be authenticated with captive portal before network access is granted.

  • On the login page a legal banner should be presented as the part of captive portal authentication and should be reviewed periodically to ensure that it is appropriate with the company’s security policy in place and for the type of potential monitoring that’s done.

  • The pre-authentication policy should be configured to allow only basic services like DHCP, DNS, and ICMP, with ACLs to redirect all HTTP and HTTPS traffic to the Captive Portal and ACL to blocks a guest user from being a DHCP server and should drop and log anything else. 

  • Common guest credentials is good option for a low-maintenance guest system, but it does not provide any individual accountability for activities on the network. Organizations willing to accept this trade-off in exchange for simplicity should change the common guest password atleast every 60 Days.

  • By default HTTPS is used for captive portal authentication, this prevents outsiders, such as “wardrivers”, from using the organization’s Internet access as a free connection. This shouldn’t be changed to HTTP on Captive Portal Authentication Profile unless needed.

  • As a part of Secure Guest Access Design redirect all guest traffic into a GRE tunnel to a DMZ router/switch, so that guest users’ frames (or packets) are never exposed to the internal network this will help to prevent any malicious software that found its way onto guest devices from spreading to other unprotected devices in the network.

  • If Secure Guest Access Design doesn’t fit your network then have a guest policies in place to deny access to internal network addresses and logs the attempted network access.

  • Guest access should be restricted to the certain network protocols like HTTP for web browsing, POP3 for email, and IPSEC/PPTP for VPN access. Outgoing email using SMTP should be blocked to prevent the network from becoming a spam relay, and peer-to-peer file sharing should also be blocked to limit legal liability. 

  • Restrict wireless guest access to working hours and weekdays so that it is not available outside of normal working hours, Guest traffic may also be bandwidth limited so that guest users cannot consume excess amounts of network capacity.

  • If needed guest users with captive portal can be restricted to certain domain names by defining the whitelist and blacklist.

  • Client Blacklisting by Authentication Failure should be enabled for captive portal in order to prevent any Brute-Force attacks carried out to find the Guest Wireless networks password.

  • Have a guest provisioning account configured for the front desk persons to create guest accounts as needed.


1 view