The MSG100 is labelled as a “wireless office controller” not because it’s got any radios built in, but because it’s designed to sit between the switches to which your wireless access points are linked and the core of your network, and to control the flow of packets between the two worlds. This said, though, there’s absolutely no reason you couldn’t use it in a wired world too – if, for instance, you wanted to split guests from corporate users – though if you take this approach you’ll obviously have to patch your outlets through the infrastructure appropriately and label the outlets clearly.
The unit is a 1U free-standing box with six ports (two WAN and four LAN) on the back and power, status and Ethernet link lights on the front. Management is via an HTML-based GUI, so to get going you simply point your browser at https://192.168.1.254/ and walk through a simple initial-setup wizard that does all the usual stuff such as selecting a time zone, setting the admin password, etc.
My first impression of the GUI was that it’s designed for dextrously challenged three-year-olds – the buttons are big, idiot-proof and graphical, and whenever you click to go to a new section of the GUI you get a big table containing descriptions of what each icon therein actually does. Actually, though, this makes management an absolute breeze, and it doesn’t really get in the way that much.
Page one in the quick start guide tells you that the first thing to do is change the range of IP addresses from which access to the management GUI is permitted – because the default is to accept connections only from 192.168.1.1-254. So if you change the IP ranges used by the box (which I had to do as they clash with my test LAN) without adjusting the management IP range, you’ll lock yourself out. Suffice it to say that first time out I didn’t read this page, but I now know that the “factory reset” button on the back of the unit functions correctly.
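The lockout described above can be caught before the new addressing is applied. This is an added example, not code from the review or from 4ipnet: only the default range 192.168.1.1-254 comes from the text, while the function names and the workstation addresses are constructed for illustration.

```python
import ipaddress


def parse_range(spec):
    """Parse 'A.B.C.D-E' (last-octet shorthand, as written in the review)
    or 'A.B.C.D-W.X.Y.Z' into a (start, end) pair of IPv4Address objects."""
    start_s, _, end_s = spec.partition("-")
    start = ipaddress.IPv4Address(start_s.strip())
    end_s = end_s.strip() or start_s.strip()  # a single address is a range of one
    if "." not in end_s:
        # Shorthand: reuse the first three octets of the start address.
        end_s = str(start).rsplit(".", 1)[0] + "." + end_s
    end = ipaddress.IPv4Address(end_s)
    if end < start:
        raise ValueError("range end %s is below start %s" % (end, start))
    return start, end


def locked_out(mgmt_range, admin_hosts):
    """Return the admin hosts that fall outside the permitted management range."""
    start, end = parse_range(mgmt_range)
    return [h for h in admin_hosts
            if not start <= ipaddress.IPv4Address(h) <= end]


# The default permitted range quoted in the review.
DEFAULT_MGMT_RANGE = "192.168.1.1-254"

# Constructed sample: one workstation still on the old LAN, one on the
# re-addressed LAN (10.20.0.0/24 is a made-up replacement range).
ADMIN_HOSTS = ["192.168.1.10", "10.20.0.15"]

if __name__ == "__main__":
    stranded = locked_out(DEFAULT_MGMT_RANGE, ADMIN_HOSTS)
    if stranded:
        print("Update the management range first; these hosts lose GUI access:")
        for host in stranded:
            print("  " + host)
    else:
        print("All admin hosts remain inside the management range.")
```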
Once you’ve sorted out your address ranges, you can get on and configure the access control functions. The MSG100 can work on a port-based basis (so you apply a policy to each of the four LAN ports) or a VLAN-based basis (so you do the same thing but base access control on VLAN ID). To set up a policy you first define a “service zone”. This is basically a collector for all the key features of how you want to set up a particular wireless realm. So you define the mode of operation (NAT or plain routing), DHCP range (if required) and authentication options (there’s a good range of support, including a local database, LDAP and RADIUS; an interesting inclusion in this screen is SIP, as it’s not every day we see telephony specifically supported in this type of device). Oh, and you can also tell the unit to accept connections from given IP/MAC addresses without requiring authentication. There’s also a “custom pages” section, for cases where you want to pop up a login box, and a section for defining the access policy (notably the firewall rules you want to apply).
The firewall rules page is a little bit odd, in that you get a bunch of default rules (all of which are “block all”) and you simply modify and enable rules as you need; with other firewalls you start with a blank list (or a single “block all”) and then add/remove as you see fit. It only takes a moment to get used to it, though, and it’s no big deal. Oh, and in addition to permit/deny firewall rules, you also get niceties such as the ability to impose bandwidth control – even to the level of limiting the total bandwidth available for all concurrent users in a particular group.
Once you’ve defined your service zones, you go to the “LAN Port Mapping” section and attach your SZs to ports or VLANs. Once everything’s as it should be, you hit “Restart” and the system reboots with the new configuration; although having to reboot after a config change isn’t particularly desirable, at least it lets you configure everything and then do a single reboot when you’re done.
After a reboot, everything works as you’d expect; zones that require no authentication can see the world unimpeded, while zones that need authentication chuck up a login box and check your credentials accordingly before letting you in (or not, as the case may be). There’s the occasional bit of interesting English (this was the first time, for instance, that I’d ever been informed: “You had already logined”) but hey, who really cares?
The MSG100, then, is a really handy little device for enforcing access control for both wired and wireless users. It has a sensible range of authentication support, it’s straightforward to configure, and it seems to do what it says on the tin – as well as a lot more besides, such as client-server and site-to-site VPN, WAN failover, and authentication via an external POP server (yes, really). So if you want multi-zone security on your network, you could do a lot worse than talk to 4ipnet.
This type of device is most useful where you want to apply different access control policies to different types of wireless user. And at £350, you’d be daft not to buy one.