What is the best way to authenticate only certain computers/devices on a network for a web server?

Question

Currently I'm trying to use Windows Firewall service and select 'only these accounts'...but that isn't working. Normal access to file shares works by selecting said accounts but not to the web server for some reason.

Basically I have a POS app on the network and sometimes people come in and want to use our wireless. That exposes the POS app to them and I don't want that. At first I thought I'd just set DHCP to use addresses 100 and above and only allow IP's from below that, but that isn't very robust and dependable. If I go the 'user accounts' route I can't use mobile devices which is something I'd like to be able to use (just not devices from strangers). What are my options?

Windows Server 2008 is the OS.

I guess another question would be "how can I set up my network so that any wireless user won't be able to access the same subnet my hard-wired computers are on? i.e., some computers are on 192.168.0.x whereas DHCP gives 192.168.1.x. I'd also need all computers to be able to use the internet (internet hub connected as 192.168.0.254 to main router which has DHCP at 192.168.0.1).

Answer 1

It seems to me that the thing to focus on here is not in security or user accounts (or even on the Windows 2008 server), but in how you architect the network (i.e. placing your routers and configuring them appropriately). Companies do this all the time, and with the right equipment, its not that difficult to accomplish.

I would recommend setting up a separate subnet for your wireless devices. You've got the right idea: Use 192.168.1.x for your wired subnet, and then use a separate subnet for your wireless (192.168.2.x, for example).

Don't place your wireless router(s) onto the same subnet as your wired devices. What do I mean?

Let's say you have 20 RJ 45 ports scattered throughout the building. All of them are connected to a switch which is then connected to whatever is providing DHCP to these wired devices.

Don't simply plug in a wireless router into one of these wall ports. If you do want to put a wireless hub into a port off a wall in your office, then take that port out of the switch and move it over to a separate switch which is JUST providing internet to your wireless devices.

This is how I'd do it, anyway... If you've got good networking equipment like Cisco (and the know-how), then this precaution wouldn't be absolutely necessary, as you could then just set up separate vlans.