Design question re: SOHO wireless and WPA2-Enterprise
Question:
My company’s remote users have been connecting from home via a Juniper NS 5GT and a VPN tunnel back to our corporate office. We never included the wireless version of the 5GT because it was too expensive but have recently changed our mind. I’m in the process of rolling out our first couple of 5GT-wireless boxes and am looking for a best practice answer to the following question. Assuming the user is primarily a wireless user, should I be using WPA2-PSK or Enterprise for the wireless security settings? We have the infrastructure to support 802.1x auth but I’m concerned that if the VPN tunnel dies (some of my users are on some dodgy DSL connections) for some reason then the user isn’t going to be able to log into the network. I’m thinking I should just hardcode some static passwords via WPA2-PSK and be done with it but I don’t want the password management hassle.
Solution:
I’m not too familiar with the WiFi part of NS5GTs, but what I would do is this:
* 1 x SSID called CorpWiFi (or similar), with 802.1x authentication and a connection to the Corp Office
* 1 x SSID called HomeWiFi (or similar), with WPS-PSK and only a connection to the internet.
If your boxes have IOS 5.4, you have the possibility to use VLAN tagging for the networks: VLAN 30 gives you only internet and no Corp access, and VLAN 20 for Corp also gives you access to the internet. That way other people in the house could use WiFi without gaining access to Corp, AND if the T1 link at the Main Office goes down, they can access the internet through the WPA-PSK SSID.
A bit of work, but probably the safest way to do it.












