[SOLVED] Creating access point in shop that doesn't allow access to local network?

robhellfire

Jul 27, 2020
Good morning,

I've been asked to investigate adding a better access point to our work wifi but I'm not familiar with the security allowances in doing so.

The current setup includes multiple old modems set as access points, primarily for staff, which are password protected; however, once this is accessed our desktop machines are entirely visible and security on these is lax.

If it weren't for the POS system, CAD design software and some others using networked drives, other connections / data shares that I'm unaware of, and my own limited knowledge of these settings and their quirks over different operating systems, I'd overhaul the password/security on each PC.

What I'm trying to ask, badly, is: can an access point be added straight to the existing network, either to one of the Ethernet switches or to the (crap) modem provided by our ISP (a Technicolor TG589), that wouldn't allow access to the rest of the network?

I've tried googling and searching on the forum but I'm mostly coming across problems in trying to connect to wifi due to the terms I'm entering.

Any assistance appreciated.


Rob
 
Solution
The solution described by faalin is pretty typical.

If the AP doesn't support multiple SSIDs on different VLANs, just carve out a separate VLAN that only goes to the internet and put it on a port on that VLAN.

Lutfij

So long as the AP (access point) does not broadcast the password and username for the SSID you're good to go. You could also introduce a strong password for said AP after it's hooked up from the source (ISP's modem), provided it has more than one physical RJ45 port open for plugging in.

Essentially I know the AP will broadcast an SSID but the access to it will be protected (with a password only your staff knows). Perhaps even set the AP to shut down once office hours are closed.
 

robhellfire

Jul 27, 2020
Oh heck, thanks for your reply, but apologies, I only wrote part of the question with all my waffle >.<

The reason they're looking at adding an AP is to allow customers wifi while in the showroom, meaning at least that wifi SSID will have a password posted inside the shop, so 'public'.
 
For our shop we run a Cisco Meraki setup, slowly converting over to Ubiquiti... anyway.

We run 3 SSIDs on our APs:
An internal signal, for all the managers, that has full internet access and server/mapped drives.
A floor signal. This is mostly used for streaming music, but has full access to servers/mapped drives and has a limited up/download speed.
A guest signal. Must agree to a splash page, limited up/down speeds, can only see the internet, nothing on the internal network.

All 3 SSIDs use their own password, and any device connecting to WiFi has to be brought to IT and they type in the password.
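
An added example, not part of any post in this thread: a small audit of the "guest VLAN that only goes to the internet" idea, showing how rule order decides whether guests can still see the staff LAN. The subnets, the rule format (first match wins) and all names are assumptions made for illustration, not any vendor's syntax.

```python
import ipaddress

# Constructed addressing for illustration; the thread gives no subnets.
STAFF_LAN = ipaddress.ip_network("192.168.1.0/24")    # POS, CAD, network drives
GUEST_VLAN = ipaddress.ip_network("192.168.50.0/24")  # customer wifi VLAN
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST = str(GUEST_VLAN)

# Hypothetical rule model: (action, source net, destination net), first match wins.
# Broad allow listed first shadows the deny below it, so guests still see the LAN.
BAD_RULES = [("allow", GUEST, "0.0.0.0/0"),
             ("deny", GUEST, "192.168.0.0/16")]
# Deny every private range first, then allow the rest (the internet).
GOOD_RULES = [("deny", GUEST, "10.0.0.0/8"),
              ("deny", GUEST, "172.16.0.0/12"),
              ("deny", GUEST, "192.168.0.0/16"),
              ("allow", GUEST, "0.0.0.0/0")]

def first_match(rules, src, dst):
    """Action of the first rule matching src -> dst; default deny if none match."""
    for action, rule_src, rule_dst in rules:
        if src in ipaddress.ip_network(rule_src) and dst in ipaddress.ip_network(rule_dst):
            return action
    return "deny"

def audit_guest_isolation(rules):
    """Return findings for a guest client; an empty list means internet-only."""
    findings = []
    client = GUEST_VLAN[100]  # 192.168.50.100
    # Probe one host in each private range plus one on the staff LAN.
    for dst in [net[10] for net in PRIVATE] + [STAFF_LAN[10]]:
        if first_match(rules, client, dst) == "allow":
            findings.append(f"guest can reach private address {dst}")
    if first_match(rules, client, ipaddress.ip_address("1.1.1.1")) != "allow":
        findings.append("guest has no internet access")
    return findings

if __name__ == "__main__":
    for name, rules in (("BAD_RULES", BAD_RULES), ("GOOD_RULES", GOOD_RULES)):
        print(name, audit_guest_isolation(rules) or "isolated, internet-only")
```

The model leaves out the guest VLAN's own gateway, which a real deployment usually still has to reach for DHCP and DNS.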