Wireless Access

Hello, I have a question about simplifying our network.

At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;

1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.
2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.

Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?

Kind regards,
Jer

Make your employees connect to the guest network that only allows internet.  Put a PSK on the guest network and have a captive portal for them to accept the T&C.  Give the users on that network access so employees can connect like if they are home.  Done.

Hello, I have a question about simplifying our network.

At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;

1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.
2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.

Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?

Kind regards,
Jer

Thanks for your reply cjoseph,

With the option you gave, there is no difference between guests and employees. I forgot to state this requirement, but what we want is a different re-auth time and bandwidth for guests and employees. That is the reason why I thought about letting employees login with their AD credentials ( To distinguish between guests and employees ) on the guest network. But I think this is very insecure...

what are your thoughts on this?

Make your employees connect to the guest network that only allows internet.  Put a PSK on the guest network and have a captive portal for them to accept the T&C.  Give the users on that network access so employees can connect like if they are home.  Done.

Hello, I have a question about simplifying our network.

At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;

1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.
2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.

Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?

Kind regards,
Jer

How often would you want each group to reauthenticate?
Do you have limited bandwidth?

Thanks for your reply cjoseph,

With the option you gave, there is no difference between guests and employees. I forgot to state this requirement, but what we want is a different re-auth time and bandwidth for guests and employees. That is the reason why I thought about letting employees login with their AD credentials ( To distinguish between guests and employees ) on the guest network. But I think this is very insecure...

what are your thoughts on this?

Make your employees connect to the guest network that only allows internet.  Put a PSK on the guest network and have a captive portal for them to accept the T&C.  Give the users on that network access so employees can connect like if they are home.  Done.

Hello, I have a question about simplifying our network.

At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;

1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.
2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.

Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?

Kind regards,
Jer

For guests it would be 4 hours and for employees it would be around 8 to 10 (The time that they are in the building for work) <- reauth
The bandwidth for guests would be also less then the bandwidth for employees.

But still, I don't think its a option to let employees send their AD credentials over the public network and we don't want a PSK on our guest SSID either.
We want the guests to connect to the SSID by accepting the 'T&C' and the employees... Euhm, I can't think of a other way then letting them login with their credentials...

How often would you want each group to reauthenticate?
Do you have limited bandwidth?

Thanks for your reply cjoseph,

With the option you gave, there is no difference between guests and employees. I forgot to state this requirement, but what we want is a different re-auth time and bandwidth for guests and employees. That is the reason why I thought about letting employees login with their AD credentials ( To distinguish between guests and employees ) on the guest network. But I think this is very insecure...

what are your thoughts on this?

Make your employees connect to the guest network that only allows internet.  Put a PSK on the guest network and have a captive portal for them to accept the T&C.  Give the users on that network access so employees can connect like if they are home.  Done.

Hello, I have a question about simplifying our network.

At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;

1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.
2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.

Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?

Kind regards,
Jer

When you say "reauth" do you  mean accept the terms and conditions after 4 hours?  That might frustrate some people who suddenly cannot pass traffic and they don't know why.

What would be the correct bandwidth for employees vs. guests?

Honestly, anything that transmits a username and password on a webpage over the network is vulnerable in some way.  If you give your employees their own PSK-based network, you can set the bandwidth on that SSID and treat the guests differently on their own SSID.

For guests it would be 4 hours and for employees it would be around 8 to 10 (The time that they are in the building for work) <- reauth
The bandwidth for guests would be also less then the bandwidth for employees.

But still, I don't think its a option to let employees send their AD credentials over the public network and we don't want a PSK on our guest SSID either.
We want the guests to connect to the SSID by accepting the 'T&C' and the employees... Euhm, I can't think of a other way then letting them login with their credentials...

How often would you want each group to reauthenticate?
Do you have limited bandwidth?

Thanks for your reply cjoseph,

With the option you gave, there is no difference between guests and employees. I forgot to state this requirement, but what we want is a different re-auth time and bandwidth for guests and employees. That is the reason why I thought about letting employees login with their AD credentials ( To distinguish between guests and employees ) on the guest network. But I think this is very insecure...

what are your thoughts on this?

Make your employees connect to the guest network that only allows internet.  Put a PSK on the guest network and have a captive portal for them to accept the T&C.  Give the users on that network access so employees can connect like if they are home.  Done.

Hello, I have a question about simplifying our network.

At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;

1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.
2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.

Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?

Kind regards,
Jer

"When you say "reauth" do you  mean accept the terms and conditions after 4 hours?  That might frustrate some people who suddenly cannot pass traffic and they don't know why."

Yes, that is right. And I think that is not an issue because guests won't be in the building for 4 hours.

"What would be the correct bandwidth for employees vs. guests?"
I can't give the answer to this question, I have to discuss this with my internship supervisor (I am a student)

But one thing is sure, and that is that we want different bandwidth for the two user groups.

"Honestly, anything that transmits a username and password on a webpage over the network is vulnerable in some way.  If you give your employees their own PSK-based network, you can set the bandwidth on that SSID and treat the guests differently on their own SSID."

Right, we currently have this right now. One SSID for guests, one for employees (byod) and one for corporate devices.

With the corporate SSID, the internal network can be accessed. The other two can't. But one of the requirement is to simplify the network by reducing the SSID's back to two instead of three. So that is the reason why I am looking for options to reduce the SSID's. But then I think letting the byod's connect to the corp network with OnBoarding is a better solution. But maybe anyone knows another option?

When you say "reauth" do you  mean accept the terms and conditions after 4 hours?  That might frustrate some people who suddenly cannot pass traffic and they don't know why.

What would be the correct bandwidth for employees vs. guests?

Honestly, anything that transmits a username and password on a webpage over the network is vulnerable in some way.  If you give your employees their own PSK-based network, you can set the bandwidth on that SSID and treat the guests differently on their own SSID.

For guests it would be 4 hours and for employees it would be around 8 to 10 (The time that they are in the building for work) <- reauth
The bandwidth for guests would be also less then the bandwidth for employees.

But still, I don't think its a option to let employees send their AD credentials over the public network and we don't want a PSK on our guest SSID either.
We want the guests to connect to the SSID by accepting the 'T&C' and the employees... Euhm, I can't think of a other way then letting them login with their credentials...

How often would you want each group to reauthenticate?
Do you have limited bandwidth?

Thanks for your reply cjoseph,

With the option you gave, there is no difference between guests and employees. I forgot to state this requirement, but what we want is a different re-auth time and bandwidth for guests and employees. That is the reason why I thought about letting employees login with their AD credentials ( To distinguish between guests and employees ) on the guest network. But I think this is very insecure...

what are your thoughts on this?

Make your employees connect to the guest network that only allows internet.  Put a PSK on the guest network and have a captive portal for them to accept the T&C.  Give the users on that network access so employees can connect like if they are home.  Done.

Hello, I have a question about simplifying our network.

At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;

1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.
2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.

Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?

Kind regards,
Jer

Hello, I have a question about simplifying our network.

At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;

1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.
2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.

Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?

Kind regards,
Jer