I have a security policy question:
I want to know how other admins handle the WIFI password in the office.
- Does everyone know it?
- Do you enter it in for the user or guest every time and keep it a secret?
I am in camp 2.
Just want to know what others do and their reasoning behind it.
I recommend you use two-factor authentication for this. So there is the shared key (the WIFI password as you called it), but then they also have to authenticate with something like Active Directory for the second password via RADIUS. The Active Directory would be a per-user login that would be the same as their Windows login.
So in this case, I think you would be talking about the shared key. I just post it on our intranet page. My wireless doesn't have access to our network and is only Internet. People have to VPN in if they want access, just like they would from home. So in a way this is two-factor: shared key, and then VPN access (maybe I am using the term a little bit loosely, not sure).
I recommend you do something like this; having your company's network protected by only a single key on wireless is pretty scary to me.
It depends on the security requirements. At a previous job, every user had a unique username/password to access the privileged wireless network. Guests were allowed into a highly restricted network by clicking through a "You're using our network, be good!" warning.
At my current job, we were careful to design our network so that being on the office wireless granted no privileges higher than would be granted to someone out on the internet. So there we use a single shared WPA2-PSK password that everyone knows.
I would find it hard to justify trying to keep a shared password secret. If network access needs to be protected (due to privileged server access, for example) then the only auditable and manageable system is unique credentials for each user, with good logging. If network access does not require that degree of protection, then trying to keep a shared password secret is just an annoying exercise in futility...
If you have a server that can do RADIUS and an AP that supports it, you can use that to authenticate regular users. See this question: Wireless. This means if you are not an authenticated user, no access. That also means staff can't use wireless after they leave the company. AD manages it all.
Some APs will allow several SSIDs, and authentication to each can be different, like the WAP200 mentioned.
This allows one SSID and authentication for staff and one or more for guests. Depending on the number of users, you may be able to manage with just multiple SSIDs and authentication.
If you want the guests only to have Internet, it is a bit more complex.
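The two ideas raised in this thread, per-user authentication against a directory via RADIUS (the "two-factor" answer above) and separate SSIDs with different authentication for staff and guests, can be expressed in a single access-point configuration. The hostapd fragment below is an added example and is not from any poster; the interface names, bridge names, RADIUS address, NAS identifier and secrets are assumed placeholders, and the RADIUS server's own binding to Active Directory is not shown.

```ini
# hostapd.conf (example, not from the thread): one radio, two BSSes.
# hostapd treats a whole line as a value, so comments sit on their own lines.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# --- BSS 1: staff SSID, WPA2-Enterprise (802.1X/EAP) ---
# Each employee authenticates with an individual credential; the RADIUS
# server decides, so a disabled directory account also loses wireless.
# Accounting gives the per-user log that makes the access auditable.
ssid=Corp-Staff
bridge=br-staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eapol_version=2
# assumed RADIUS server address; replace the secrets before use
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
acct_server_addr=10.0.0.5
acct_server_port=1813
acct_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
nas_identifier=ap1.example.internal

# --- BSS 2: guest SSID, shared WPA2-PSK on a separate bridge ---
# The guest bridge is routed only to the Internet by the firewall, so
# knowing this passphrase grants nothing on the wired network.
# ap_isolate keeps guest clients from talking to each other.
bss=wlan0_1
ssid=Corp-Guest
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_GUEST_PASSPHRASE
ap_isolate=1
```

With this layout the guest passphrase can be published freely, as several posters do, because the guest bridge carries the same privilege as the public Internet, while staff access is tied to individual directory accounts and shows up per user in the RADIUS accounting log. Restricting br-guest to Internet-only is a firewall rule on the router, not something hostapd enforces.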
At my old job we had 2-factor. Everyone knew the wireless password; it was even posted on the main Wiki page and saved as an email message in Outlook shared folders, so everyone had access to it, but getting on the wireless network alone did not get you anywhere. The only thing you were able to reach was our VPN server, so you had to VPN in to get anywhere.
But at the job before that, help desk had to register each MAC address and we still had to use SecurID (2-factor auth) to log in.
What I am trying to say is that 2-factor is the best, but I can totally see the situation where it's a small company and management would start crying foul because they have to type in one extra password.
On our network we allow guest access since we host many conferences and meetings. We have open wifi with a captive portal on a network separate from the wired network. When staff need to access a protected resource, they establish a VPN the same way they would access resources from any other open wireless network.
Thanks for everyone's input! Been a great looking glass into your configurations at your companies and your thoughts about wifi and its security.
Ended up just leaving it.
We just don't have enough visitors to justify publishing the password.
Additionally some users bring in laptops and I would like them to be able to access the domain without a VPN.
If this becomes an issue I will buy another wireless router and set it up on its own network and publish the connection information.