Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Difference between "Deny inter user traffic" and using ACLs

  • 1.  Difference between "Deny inter user traffic" and using ACLs

    Posted Sep 22, 2016 11:18 AM

    Currently we have 3 SSIDs on campus: students, faculty, guest (captive portal). Students/Faculty are RADIUS. I know I can set up user/group-based roles that have specific ACLs in place, as we are doing this currently.


    Currently our Student SSID is set up for Deny inter user traffic, and this works great. Easy configuration, low confusion because there are no long ACL block chains in place, etc. BUT we have talked about moving to a single SSID and using RADIUS groups to handle access control levels.


    We have no need for any device on the student SSID to ever talk to another, but this is not the case on the faculty side of things. So we would have to set up more ACL chains in order to achieve the same controls.


    What are the best practices here? What are other sites doing? Am I simply looking at this wrong ;)


    Thanks,

    Dan




  • 2.  RE: Difference between "Deny inter user traffic" and using ACLs

    EMPLOYEE
    Posted Sep 22, 2016 11:26 AM
    What's the goal with blocking devices from talking to each other? Is it a network policy? I only usually see this feature used on guest networks, not secure networks.


  • 3.  RE: Difference between "Deny inter user traffic" and using ACLs

    Posted Sep 22, 2016 11:31 AM

    From a security standpoint we have no need for any user on our student network to see anything else on the student network. So we found it easy to simply turn it off :)


    We are a high school, and have a hybrid 1:1: students can get a Chromebook from us or bring their own device. Because we have less control over personal devices, we thought it would simply be the best route (and have had this setup for 6 years...) to simply deny all inter-VAP communications. We basically treat our student network similar to that of a guest network. Everything we do is cloud based, including printing...


    Thoughts? <<I did do some searches here, but did not really find anything concrete on this question>>
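
The two mechanisms the original poster is comparing, side by side in ArubaOS controller CLI syntax, as an added editorial example rather than configuration posted by anyone in this thread. The virtual AP flag is a per-SSID switch: it blocks client-to-client traffic for every client on that VAP, whatever role they land in, which is exactly why it stops working once students and faculty share one SSID. A session ACL attached to the RADIUS-derived user role expresses the same "no user-to-user" policy per group, so the student role can keep it while the faculty role does not. The profile, ACL, role and server-group names, and the RADIUS attribute used for role mapping, are assumptions chosen for illustration; the command forms are written from memory of the ArubaOS reference and should be checked against the guide for the controller version in use before being applied.

```text
! --- Approach 1: per-VAP switch (what the student SSID uses today) ---
! Assumed profile name "student-vap". The flag applies to every client on
! this virtual AP regardless of user role, so it cannot distinguish
! students from faculty once both groups share one SSID.
wlan virtual-ap "student-vap"
   deny-inter-user-traffic

! --- Approach 2: role-based session ACL (single SSID, roles from RADIUS) ---
! Assumed ACL name. "user" as source and as destination matches traffic from
! any authenticated client to any other authenticated client's address.
! Rules are evaluated top-down, first match wins, so the deny must come
! before the permit that lets internet and cloud services through.
ip access-list session deny-user-to-user
   user user any deny
   user any any permit

! Student role: same effect as the VAP flag, but only for this role.
user-role student
   access-list session deny-user-to-user

! Faculty role: no user-to-user deny, so peers can still reach each other.
! "allowall" is a predefined ArubaOS session ACL.
user-role faculty
   access-list session allowall

! Role derivation from the RADIUS reply (assumed server-group name and
! assumed Class attribute values returned by the RADIUS server).
aaa server-group "campus-radius"
   set role condition Class equals "students" set-value student
   set role condition Class equals "faculty" set-value faculty
```

The practical difference for the poster's case: with the VAP flag there is one setting and nothing to read, but it is all-or-nothing per SSID; with the role ACL there are a few more lines, but the "deny" lives next to the group it applies to, and a later rule for faculty (for example permitting only a print or screen-sharing service between peers) can be added to that role alone without touching the student policy. A quick check after either change is to associate two test clients in the same role and confirm a ping between them fails while a ping to an external address succeeds.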