Wireless switch suitable for NAP

  • Question

  • We have deployed NAP in production using 802.1X and 3Com switches. The VLAN changes dynamically based on the state of the machine trying to connect. So far so good. The company would like to extend their protection to include wireless switches also. What would be the best solution for that?

    In my exhaustive search I could hardly find a wireless router/AP; those I found support EAP or WPA2 but do not support multiple VLANs, i.e. dynamic VLAN switching.

    Although there is a list in this blog of switches that are tested and work with NAP, what about wireless switches? Kindly guide me to one wireless router/switch/AP which I can buy to accomplish this; I have failed to find a single one as yet.

    Monday, September 27, 2010 9:19 PM

Answers

  • Hi shahid,

    Thanks for the update.

    The only related document regarding your requirement that I found is in the link below:

    “Network access device” in the article “NAP-NAC Design”

    http://technet.microsoft.com/nl-nl/library/dd125393(WS.10).aspx

    Meanwhile, if you want to achieve the goal with the AP devices you have right now, you might like to consider deploying a wireless network controller in your system to implement the dynamic VLAN feature:

    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example

    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

    Another thought: you might like to consider deploying the 802.1x DHCP Enforcement with NPS server to restrict computers that are noncompliant with the policies from accessing the network via wireless.

    DHCP Enforcement Example

    http://technet.microsoft.com/nl-nl/library/dd125379(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Shahid Roofi Sunday, October 3, 2010 8:51 PM
    Wednesday, September 29, 2010 7:08 AM

All replies

  • Hi shahid,

    Thanks for posting here.

    Here is the explanation of “What model of AP will you purchase?”, a part of the article “Planning for Wireless AP Deployment”, which might answer your question:

    http://technet.microsoft.com/en-us/library/dd363547(WS.10).aspx

    In order to configure wireless APs as Remote Authentication Dial-in User Service (RADIUS) clients, all wireless APs must support the IEEE standard for 802.1X authentication. Additionally, for wireless transmission security reasons, all wireless APs must support either Wi-Fi Protected Access 2 (WPA2)-Enterprise, or WPA-Enterprise. WPA2-Enterprise is preferred over WPA-Enterprise.

    You might consult with the hardware vendor to check which AP models support such features.

    For further planning and deployment, I suggest taking a look at the article below; it includes all the necessary information regarding how to implement 802.1X Authenticated Wireless Access in your network:

    802.1X Authenticated Wireless Access

    http://technet.microsoft.com/en-us/library/cc771455(WS.10).aspx

    Hope that’s helpful.

    Tiger Li


    Tuesday, September 28, 2010 3:44 AM
  • Thanks for your efforts, Tiger; however, none of this actually answers my question.

    Let me try to explain to you again.

    All models of wireless access point / router / switch I found in the marketplace at most support RADIUS or WPA or WPA2. However, I found none that is fully 802.1X compliant so as to support 802.1X dynamic VLAN functionality.

    My objective is twofold: to put WLAN guest users in a separate VLAN and put WLAN compliant users in a different VLAN, that's it. I am achieving the same on the physical switch, BUT NO MODEL COULD I FIND WHICH COULD HELP ME DO THE SAME IN WIRELESS!

    Cisco Aironet 1200 is said to be one, but I've checked that it's not a standalone solution like other Linksys APs/routers; you have to buy the complete Cisco solution which works in its background to complete the solution, which becomes very, very costly, and I haven't confirmed either whether that would work.

    Tuesday, September 28, 2010 9:50 AM
  • Hi shahid,

    If there is any update on this issue, please feel free to let us know.

    We are looking forward to your reply.

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com 


    Friday, October 1, 2010 9:44 AM
  • Thanks, Tiger, for the Cisco link for the WLC and LAP setup, which gives a better and clearer road to achieve our goal.

    There remains my wish that we could have a single AP to help us with this. On the contrary, it does make sense for big enterprises to purchase a WLC and LAPs to achieve this.


    Shahid Roofi
    Sunday, October 3, 2010 8:54 PM