Currently we have 3 SSIDs on campus: students, faculty, guest (captive portal). Students/Faculty are RADIUS. I know I can set up user/group-based roles that have specific ACLs in place, as we are doing this currently.
Currently our Student SSID is set up for Deny inter user traffic, and this works great. Easy configuration, low confusion because there are no long ACL block chains in place, etc. BUT we have talked about moving to a single SSID and using RADIUS groups to handle access control levels.
We have no need for any device on the student SSID to ever talk to each other, but this is not the case on the faculty side of things. So we would have to set up more ACL chains in order to achieve the same controls.
What are the best practices here? What are other sites doing? Am I simply looking at this wrong? ;)
Thanks,
Dan