The
Tue Oct 09 17:46:25 PDT 2007
For security sake the best option would be to set the Student network as a
perimeter network between the internet facing firewall and the internal
facing staff network firewall and using Radius or not implement a VPN
solution back to the Staff network for trusted connection. This is of course
assuming you have only one internet facing publicly addressable IP address
and that is the original reason your public and private networks were even
that close to each other.
If you have a router with two IP addresses facing the internet than leaving
the two networks completely separate would be best. As for wireless I would
recommend access points that do not in any way talk to both networks if you
can help it. Money shouldn't be a consideration when you consider a WAP can
be purchased for around $35USD with support with WPA/WPA2 (802.1x)
Good luck with this. I've actually implemented both of these solutions at
home and at work. At the office the public network and private network leave
separate internet feeds, not just separate IP's. We use two different
vendors for internet access so these two networks have no way to communicate
with one another. And at home I implemented a 3 layer network with 2 with
wireless and one without wireless, but all of which use the same internet
feed through a single public facing IP address.
If however you still decided you want to go with a Radius solution for
authentication you would need to use 2 Radius Servers, one for each domain,
and install a Radius Proxy and IAS can do this for you. I will not go into
it, but its not entirely complicated. A decent TechNet article can be found
here:
http://tinyurl.com/2s4x7o
OR:
http://technet2.microsoft.com/windowsserver/en/library/277906c5-1eff-4ba4-8cc8-264f26fe0a8f1033.mspx?mfr=true
--
.rev
"It is the mark of an educated man to be able to entertain a thought without
accepting it"
~Aristotle
.
"Steve Ray" <nochance@all.com> wrote in message
news:LEQOi.4326$WX3.3224@newsfe5-win.ntli.net...
> Hi
>
> No I'm not looking to do this. I have 2 VLANS on site, each has its own
> Windows 2003 domain (VLAN1 - Staff / VLAN2 - Students.
>
> I am deploying wireless within the network and do no want to deploy
> wireless access points per vlan. I'm interested in deploying a wireless
> VLAN (say VLAN 3) and then authenticating the users into their relevant
> VLAN via (possibly) RADIUS.
>
> This means that users that are authenticated get their relevant AD
> settings and users that do not / cannot authenticate only get a non
> routable IP range
>
> Or maybe IAS can do this ? Would I need 1 IAS server per domain presumably
>
> Hope this makes sense
>
> Steve
>
> "Red Swingline Stapler" <kill@yourself.com> wrote in message
> news:Xns99C4559DC95A0nowaycom@207.46.248.16...
>> "Steve Ray" <nochance@all.com> wrote in
>> news:fefm9s$sql$1@north.jnrs.ja.net:
>>
>>> Guys
>>>
>>> I'm looking for a "free to use" RADIUS server I can use within my
>>> domain. Does anyone have any recommendations
>>>
>>> Thanks
>>>
>>> Steve
>>>
>>>
>>
>> Are you looking to enable the "Internet Authentication Service" in
>> Windows
>> Server 2003, or am I oversimplifying your need?
>
>