Security

I am trying to come up with the pro/cons of using a single SSID for provisioning/provisioned devices vs using two SSIDs (open network for provisioning and 802.1X network for provisioned devices).  

 

As I see it, with the single SSID, you have the issue of manually configuring non-domain Windows laptops for 802.1X prior to OnBoarding.  Other devices (Macs, iOS, Android) are easier to handle.  

 

Using two SSIDs solves that problem but I am wondering if it will introduce any others?  Will OnBoarded devices automatically switch over to the provisioned network after OnBoarding?   Is there anything else I need to take into account?

 

Xdrewpjx,

On boarding from a second SSID like from a link on a guest network makes things much easier for your users that do not know how to connect to a 802.1x in the first place. That is an excellent strategy.

And yes - the onboarding process adds the second ssid to the device and switches them over as the last stage.

Thanks!  I figured as much.  I just wanted to make sure there were no other caveats associated with this design.  

We did the two SSID method.

 

We built a Captive Portal that has a bunch of menu options for our users to select.

Connect to the SSID and what not.

 

You can also provide them with an XML file and a small batch script that will automatically configure their Windows laptops for 802.1x authentication.

 

Wrap it all in an SFX archive and have the archive ask for admin priv. and you are all set!

 

Two SSID method seems to work well though in our limited experience