We haven't quite rolled the entire change into production, but we are moving from:
brandeis_secure, brandeis_guest, brandeis_open, brandeis_voice, and eduroam
to: eduroam and openwifi-brandeis (it sounds ridiculous but it's to keep the Apple devices from connecting alphabetically :) )
The eduroam network is for anyone with @brandeis.edu credentials or visitors from other eduroam institutions that have a WPA2-Enterprise capable device.
openwifi-brandeis is for devices that do not support WPA2-Enterprise and guest access.
When a user connects to openwifi-brandeis for the first time, they are redirected to a page asking if they are a Brandeis user or a guest of the University. Guests proceed to the normal CP Guest registration process. Brandeis users are sent to QuickConnect.
The QuickConnect page guides users to download the quick setup utility or proceed to our Netreg to register game systems and other media devices. (We are currently working on moving this registration process to ClearPass using the MACTrack functionality and AirGroup.)
Once a media-type device is registered, the captive portal is bypassed the next time they connect and they go into the appropriate role. Once a user successfully connects to eduroam, they are then effectively blocked from using open and receive a redirect loop if they try to connect.
There's really no need to have more than 2 SSIDs these days. You should design them based on encryption capabilities and not so much roles. A lot of magic can be done on the back end to take care of roles.