So there are several employee smart phones on the guest wireless. Apparently they have the password and have passed it around. While not specifically unauthorized, we want to make a decision on it. Now, this is an isolated network not on the LAN, so from a security standpoint it’s not bothering me too much. But it is annoying me and I would be concerned in an internet failover situation where we get billed by the GB of traffic.
The boss doesn’t want to encourage employee use of their phones. However, anyone with a smartphone should already have a data plan, so I don’t think it would make a huge difference. We can create a hotspot with terms of service, etc. which is probably the direction I would want to go.
I’d like to hear other opinions on the topic. Do you have anything to contribute?
61 Spice ups
cpunty
(Chris19delta)
2
Personally I’d start changing the guest password monthly, and let them use their data plans if they want to use their phones.
39 Spice ups
csmith
(01smicha)
3
Although I agree with you on this, I think that it is definitely the lesser of two evils when comparing them to having access to the main wifi…
5 Spice ups
If you would still like to provide your employees with a secure wireless network, you could either push out specific policies and restrictions on the guest network, or create one specifically for your internal employees’ mobile devices. However, I would recommend limiting the access they have. I’m not sure of the control you have over your network, but I would assume you have the capability to limit bandwidth and data usage in the event you mentioned, as well as block explicit sites or other non-work-appropriate sites such as social media or streaming sites. If limited and well controlled and monitored, you don’t have to worry much about what traffic flows through their mobile devices, or about whether or not they are staying productive.
7 Spice ups
cd87
(CD87)
5
Do you have enough bandwidth to support multiple wireless users on your internet? Sure, everyone has data plans but when someone can use the company wireless to avoid data usage on their plan then they’re going to do it. I would look into setting up a captive portal like you’re talking about.
8 Spice ups
chrisisit
(ChrisIsIT)
6
I don’t see the harm in it. It is going to happen anyway through their own data plan, but this way you can get a picture of what they are using it for. If they use their data plan, it’s a bit easier to get away with playing Netflix (or other more nefarious things) since, unless they are showing it to everyone, there is no way of knowing.
Would be more ideal to set up their own hotspot, like you said, then you will KNOW what your employees are doing and can put a stop to their watching repeated cat videos. Once that’s established, like Chris19delta said, rotate the password monthly on the guest access.
4 Spice ups
Set up an SSID for mobile phones, VLAN it out, and throttle the users to painfully slow internet on their phones. I would enforce content filtering and make sure they have to authenticate and agree with an AUP in the captive portal. This allows you to continue to monitor their traffic and make sure they aren’t violating company policies. In my case, my personal phone has company email tied to it for the time being, so me being on our wireless for tablets & phones reduces my data usage.
18 Spice ups
Better than having their stuff on the corp network.
5 Spice ups
sgriggs
(Sgriggs)
9
We cap it low enough that 4G is faster heehee
Another idea we’ve considered is making the connection MAC ID specific, to prevent people from getting on the wireless without our knowledge.
11 Spice ups
As long as the work gets done I guess…
16 Spice ups
Personally I don’t care and I don’t think you should either.
Make it a management issue if you really think there is an issue.
29 Spice ups
We allow any of our employees to connect to our guest network. The speed is throttled quite significantly, and they are isolated from anything else, but our opinion is they will do what they will anyway and it keeps them off our corporate wireless. We have several policies around the use and access, and we are confident the users are doing what they should be for the most part.
That said, any company issued phone can access our corporate network anyway, so there’s that…
10 Spice ups
stevecpa
(SteveCPA)
13
We came across an issue with a client gaining access to our unprotected mobile network and have since implemented a password on it. It is also monitored to make sure employees aren’t playing games or watching videos for their entire shift when they should be working. Other than that, my boss doesn’t have any problems with it, especially since he uses his tablet for radio streaming and it’s ideal for him to connect it to the mobile network rather than the main network.
1 Spice up
If you’re looking to write a policy then I would suggest getting other parties involved, including HR to make sure that the verbiage in the Employee Handbook is clear and concise. While all the ideas previously mentioned are great, you still need a solid policy in the off chance that you do find an employee using the guest wireless in an inappropriate manner.
5 Spice ups
joekreydt
(joekreydt)
15
I would keep allowing it, and possibly set some “parental” controls like blocking video websites. I am of the belief that if you give employees some liberties, most of them won’t abuse them. Further, it is shown that a little down time can make one more productive in the long run.
7 Spice ups
Could you have the guest network disable itself if you failover to the backup ISP that charges you based on consumption?
6 Spice ups
chris0984
(Space Force)
17
I let our guest network be used by employees; it’s the only password I give out. The traffic is throttled anyways, so stream away.
It’s a good way to provide users access and keep them happy in my opinion. Not everyone has unlimited data, and it helps them out and it helps me out by keeping them off my network.
5 Spice ups
There are many things that can be done depending on your concerns and the impact of those concerns.
- What is the cost of allowing access to employees to the guest network? Bandwidth, productivity, employee happiness are three scales that I can quickly think are relevant.
- What is the impact of changing access? Lower cost? Employee dissatisfaction?
- If you acknowledge the access and softly request / enforce limitations, would that be enough to make everyone happy?
- Lastly, is anyone abusing this network with higher bandwidth, dangerous site access, posting to Facebook all day?
Having more information should never be a bad thing.
3 Spice ups
adamlegere
(Frayed Ends)
19
We allow basically anybody and everybody on our guest wifi. My company has multiple locations that would have customers waiting around for hours (sometimes). We provide WIFI, coffee and the constant drone of the 24hr news cycle. All our VLANs and APs pass through a Barracuda that is set to block streaming media, so illicit content and bandwidth are not great concerns. With all networks similarly restricted there is no incentive to use internet on their phones rather than their workstations.
I don’t like having our guest networks wide open and am looking into locking it down with passwords available from the service counter upon request. ChrisIsIT and Gearhead89 have given me some great ideas, thank you.
2 Spice ups
I say open the door. It’s work, not jail; let them use their phones on your wifi occasionally. I came from K-12 and ran a wide open wifi network for all students and staff. We had monitoring of that traffic through the wifi console, and our web filter settings would put non-AD devices into the ‘visitor’ web filter which blocked access. Since we were K-12 that access was pretty limiting on social media and such.
Now, I work in the private sector with adults and we have mobile network and guest network. We can monitor and throttle traffic through the console. By choice there is no filtering in place. Mobile is WPA-2 with a password (shared via the helpdesk when requested, probably known by many) and Guest is open with a splash page and a little slower bandwidth. We VLAN the traffic and send it through a separate pipe from our ‘business’ traffic.
Personally, I want to reduce the redundant SSIDs and put every mobile device on the guest wifi (no more mobile). Give it a once-a-month splash page with the legal jargon and move on. It’s the internet and your users will figure out how to get there. Being secure is important, but hoarding access is not.
8 Spice ups