Hello, I have a question about simplifying our network.At the moment, we have three SSIDs. One for guest access, one for employee (BYOD) access and one for corporate devices. We want to shrink these three SSID's back to two. We thought about these two options;1. The guest and BYOD SSID's together, where the guests need to connect by accepting the terms & conditions on a captive portal, and the employee's need to log in with their AD credentials on a captive portal as well in order to gain access to the network.2. The BYOD and corp SSID's together, using OnBoarding for the BYOD devices in order to gain access to the network.Can someone tell me if there are more options than the two that I stated above? If so, please inform me about it. If not, what of the two options above would be the 'best', because I don't think the first option is insecure, because employees need to send their credentials over an open/public network. Or is there an solution to let employees send their credentials savely on this SSID?Kind regards,Jer
Make your employees connect to the guest network that only allows internet. Put a PSK on the guest network and have a captive portal for them to accept the T&C. Give the users on that network access so employees can connect like if they are home. Done.
Thanks for your reply cjoseph,With the option you gave, there is no difference between guests and employees. I forgot to state this requirement, but what we want is a different re-auth time and bandwidth for guests and employees. That is the reason why I thought about letting employees login with their AD credentials ( To distinguish between guests and employees ) on the guest network. But I think this is very insecure...
what are your thoughts on this?
How often would you want each group to reauthenticate?Do you have limited bandwidth?
For guests it would be 4 hours and for employees it would be around 8 to 10 (The time that they are in the building for work) <- reauthThe bandwidth for guests would be also less then the bandwidth for employees.But still, I don't think its a option to let employees send their AD credentials over the public network and we don't want a PSK on our guest SSID either.We want the guests to connect to the SSID by accepting the 'T&C' and the employees... Euhm, I can't think of a other way then letting them login with their credentials...
When you say "reauth" do you mean accept the terms and conditions after 4 hours? That might frustrate some people who suddenly cannot pass traffic and they don't know why.What would be the correct bandwidth for employees vs. guests?Honestly, anything that transmits a username and password on a webpage over the network is vulnerable in some way. If you give your employees their own PSK-based network, you can set the bandwidth on that SSID and treat the guests differently on their own SSID.
"When you say "reauth" do you mean accept the terms and conditions after 4 hours? That might frustrate some people who suddenly cannot pass traffic and they don't know why."
Yes, that is right. And I think that is not an issue because guests won't be in the building for 4 hours.
"What would be the correct bandwidth for employees vs. guests?"I can't give the answer to this question, I have to discuss this with my internship supervisor (I am a student)
But one thing is sure, and that is that we want different bandwidth for the two user groups.
"Honestly, anything that transmits a username and password on a webpage over the network is vulnerable in some way. If you give your employees their own PSK-based network, you can set the bandwidth on that SSID and treat the guests differently on their own SSID."
Right, we currently have this right now. One SSID for guests, one for employees (byod) and one for corporate devices.
With the corporate SSID, the internal network can be accessed. The other two can't. But one of the requirement is to simplify the network by reducing the SSID's back to two instead of three. So that is the reason why I am looking for options to reduce the SSID's. But then I think letting the byod's connect to the corp network with OnBoarding is a better solution. But maybe anyone knows another option?
I have plenty opinions about this, but I would like to give the community an opportunity to weigh in with their perspective.
I think that you can use the captive portal to authenticate guests or redirect to onboard the BYOD (using a link as you can see in this video: https://www.youtube.com/watch?v=ClEWaEsCjFw&ab_channel=AirheadsBroadcasting). After the process of onboarding redirect the BYOD to to corporate SSID.In my opinion, I think that using Captive Portal as internet only access or onbording process.
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.