Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Hotel Scenario - Merging 2 SSIDs

  • 1.  Hotel Scenario - Merging 2 SSIDs

    Posted Mar 20, 2019 08:54 AM

    Dear Experts, I am faced with a hotel scenario; please help to advise.

     

    Current scenario

    1) Hotel using 2 SSIDs

    • First SSID (call it Public_SSID) for public places such as lobbies etc.
      • After connecting to this SSID, it redirects to ClearPass CP and asks for an access code
    • Second SSID (Room_SSID) is for rooms (for guests). When a guest in a room connects to this SSID, he just has to provide his last name and room number and he/she gets instant access (no access code here)
    • Since Room_SSID is currently not being advertised in public places, guests are having roaming issues. They have to connect to a separate SSID, but since they don't have an access code, they are not able to use the internet

     

    My question is, how is it done normally? What is the best way to achieve roaming for guests in this case? One solution could be as per below:

     

    1) Create 1 single SSID to be broadcast everywhere (rooms and public). Call it Hotel_SSID.

    2) When a guest connects from a room, he will be presented with CP_1, which asks for last name and room number.

    3) When someone connects from a public place, he will be presented with CP_2, which asks for an access code.

    4) This will be done by assigning and matching different AP groups.

    5) Guests will be able to roam since their MAC will be cached in ClearPass.

     

    Is the above workflow correct? Also, is there any better way to do it?



  • 2.  RE: Hotel Scenario - Merging 2 SSIDs

    EMPLOYEE
    Posted Mar 21, 2019 06:05 AM

    I would go for a single SSID, for the reasons that you mention. Then what I see most times is that on the same captive portal, there is an option to log in as a guest or with an access code. Such a page, with multiple login options, is trivial to create with ClearPass.

     

    What you could do is for the access points that are out of reach of your public area, use a different AP group, with a different captive portal that just allows registered guest login, not the access code. Be careful that sometimes users connect to an AP on another floor, so to make it simple have the same page with guest or access code login everywhere if possible.



  • 3.  RE: Hotel Scenario - Merging 2 SSIDs

    Posted Mar 27, 2019 03:28 AM

    Dear Herman, 

     

    I got this working, but now there is one issue. When the guest user connects in the public area (initially, for the first time), they are cached in the controller's user table and assigned the public area role. Now when they move to their rooms they would actually roam and, as we have just experienced, they are still getting the same public area login page. This is because of the controller's user table cached role. Is there any way to clear the user table entry for any MAC address that roams between 2 AP groups? Or any other way of doing it?



  • 4.  RE: Hotel Scenario - Merging 2 SSIDs

    EMPLOYEE
    Posted Mar 27, 2019 05:16 AM

    Have you tried setting the reauthentication timer low for the captive portal role? Like in 1 or 2 minutes?

     



  • 5.  RE: Hotel Scenario - Merging 2 SSIDs

    Posted Mar 27, 2019 05:49 AM

    I have MAC caching in place. What will be the implication of setting this timer? Will the user be forcefully asked to reauthenticate, and if MAC caching is enabled, will the user get reauthenticated automatically?



  • 6.  RE: Hotel Scenario - Merging 2 SSIDs

    EMPLOYEE
    Posted Mar 27, 2019 09:12 AM

    Yes, that is the concept of MAC caching. As you mention, the captive portal role is 'stuck' for a user. If the user is MAC-cached, return the normal access role with a longer timeout. Only apply the short timeout on the captive portal.