1

Not so much the technical details, but the policy from more of an HR standpoint.

Example: We have 2 networks. Guest, and domain-connected.

  1. We let anyone who’s an employee connect their phone to the domain wifi.

  2. Guests connect to guest only (posted around the building) and have to login through a portal where they (don’t) read a thing and click OK. 24 hour expiration, or as soon as they disconnect, must re-click OK.

  3. Personal laptops cannot connect to domain wifi, but I know they do it.

Basically, I want to make it easier for guests to get connected and stay that way, and for us to block cell phones and personal laptops since our business doesn’t need anyone to have domain access to either of those ever.

34 Spice ups
2

We have 3 SSIDs on two different networks.

  • Corporate wifi is on the same network as hardwired workstations. It is only available for company-owned devices. Password is only known by IT and is entered when the device is initially set up.
  • Employee wifi is on a separate network and is only broadcasted from the AP in the lunchroom, as per HR. All employees know this password.
  • Guest wifi is on the same network as employee wifi, but is available across the entire plant. Only IT and the receptionist know this password, and it is given to guests when requested.

EDIT: I should clarify that our guest wifi is a regular wifi network, not one of the builtin “guest services” one like Captain Hotsauce talks about below.

8 Spice ups
3

Verify your guest network is on a separate VLAN from your corporate network and ditch the guest services, then your guests just need the SSID and password. For the corporate you could set up MAC filtering and/or change the SSID/password and hide it. Check with HR to verify you don’t need the guest services (portal) for any reason before you turn it off, and MAC filtering/hiding the SSID will be a pain if you have a large user base as IT will need to touch all devices individually, but that will accomplish your stated purpose. Letting personal laptops connect to the corporate domain is wildly irresponsible, if you have any juice with the decision makers I’d start there personally.

8 Spice ups
4

We have 2 SSIDs

  • Corporate with WPA-Enterprise. Only domain joined PCs that are also in a specific security group are able to connect to this. We went with authenticated domain computers instead of users because we didn’t want employees being able to connect a personal device to the corp wifi with their user credentials.

  • Guest network that is open for anyone to connect to, VLAN’d out to a separate Internet connection. Security is also set where devices cannot talk to each other on this network, only the gateway.

Tx power on the APs is set lower to limit the signal to inside buildings. Also, the SSIDs are on a schedule, so it’s not available 24/7, just during business hours.

11 Spice ups
5

We have a small office, 3 SSIDs and 2 networks.

  1. Corporate wi-fi.Same access as hardwired workstations. Employees connect with their AD credentials.

  2. IOT network - separate VLAN from the corporate network. Devices on this network can talk to each other and the public internet. We’re using it for wall mounted TV’s, chromecasting, etc. IT provides this password as needed.

  3. Guest network - same VLAN as IOT. Restricted to public internet access only. Devices on this network can’t see other devices on the network. Password is posted in the office. Most employees connect their personal devices to the guest network.

3 Spice ups
6

Guest only on a separate VLAN, internet only. Mostly used by all of us connecting our phones to it.

3 Spice ups
7

We actually just changed this on Monday. It used to be one corporate wifi and one guest (unsecured, accept policy). Employees were allowed to use corporate wifi for personal devices. Now we changed the password and only set it up on devices with a valid reason to be on our network. Everyone else can use guest

3 Spice ups
8

3 Separate SSIDs

  1. Corporate wifi authorized through AD radius server own unique vlan that has access to normal resources

  2. Guest wifi own Vlan public internet only

  3. IOT same as guest vlan but no splash screen when connecting.

9

At least three SSIDs on three separate VLANS:

  1. Corporate network. Obviously, provides access to resources on the corporate network. If you’re paranoid, you put this on a separate VLAN from your wired network, and control access to the corporate network through a firewall appliance or maybe you use Network Access Control.
  2. Employee network. Employees can connect their personal devices to this SSID; that way they only have to sign in once and don’t have to go through a portal. Otherwise, only allows Internet access and disallows access to other clients on the same network. Only allows access to corporate resources that are otherwise publicly available. Basically, it’s the same as a guest network, except that it’s a bit more convenient for your employees.
  3. Guest network (unsecured). There’s no password associated with the SSID; guests must sign in via a portal. This can be done with time-limited “tokens” if you wish. Or you can require the user punch in the password every-so-often. This helps reduce automatic reconnection. Of course, same access limits apply as on the employee SSID.
  4. Optional VLAN+SSID: IoT network. For those corporate-owned devices that need Internet access but don’t need access to internal resources on the LAN.
  5. Optional VLAN(+SSID): Payment network. Put your payment devices (standalone credit card terminals) into a separate VLAN. This simplifies your “cardholder environment” for PCI compliance. (Maybe. Depends on what you read into the PCI regs. 100% PCI compliance may actually be unachievable.)
  6. Optional VLAN: Management network. All of your infrastructure devices (switches, routers, APs, out-of-band management [IPMI, IDRAC], etc.) are on a management VLAN that is separate from your corporate network VLAN. Firewall rules limit access to specified devices on the corporate network. This reduces exposure to malicious activity on the corporate network. Best not to have an SSID on this VLAN.
3 Spice ups
10

We had 3 networks: one for company phones and laptops, one for production equipment and also a guest network. We used a central controller for all our sites. We installed certificates on company laptops and phones that would allow the device to automatically connect no matter what site you at. The production network was strictly for vehicle mounted devices and was hidden. We added a guest network that went to the Internet. To access it I or the service desk had to create a temporary account on the central controller. We would collect name, business name, email and reason for access. They would also have to go through the portal and accept terms and conditions. We could set the account to expire anywhere from 1 hour to 30 days. Using this method guests, usually vendors or contractors, can bypass our filters that blocked some of their sites. Employees were not allowed to connect any personal device to any network, period. Only corporate equipment could get on to access any corporate resource. I liked the way it worked, I could let vendors or contractors have their Internet for a limited time and didn’t have to worry about any rogue devices connecting.

2 Spice ups
11

Guest wifi sits on a separate VLAN and connects to it’s own Edge Router that connects to a cable modem. No password needed. Connections bandwidth limited to 1Mbps. Edge hands out DHCP and translates all DNS queries to OpenDNS. Porn is blocked. All non-company devices connect to this.

The secure wifi bridges to the LAN. Password known only to IT; never given out. Period. Our servers provide DHCP and DNS. No employee personal devices on this network. Period.

4 Spice ups
12

I guess my question would be, why have an ‘open’ SSID that directly connects into your internal network? And when I say ‘open’ I mean that because if staff knows the password, they are using it for personal devices or giving it away to others to use.

Most organizations I work with have a few SSIDs within their environments, and this is backed up by the replies in this thread as well.

  1. One SSID for Guest access, this should be straight internet and could be gated with a T&C language or just open, depending on the organization. This is usually on a separate VLAN or even a separate connection itself, depending on the environment that doesn’t even touch or connect to at all any internal resources. Usually this SSID is pretty locked down regarding adult content, P2P or other various suspicious activities. It is also usually throttled pretty heavily to let guests check email and social media but not stream 4K HD videos or the like.

  2. Staff SSID: This usually is throttled as well, but not nearly as much as the guest network. It usually is on a separate VLAN that has a few routes to internal resources like email or an internal website. Depending on the organization, there could be access to file servers and such, but usually there isn’t.

  3. Domain SSID: This is a very much locked down and (usually) hidden SSID where IT is the only one that knows the password and logs in directly to any organizational devices that need domain access.

Those are the main 3 that I always see…there are a few others depending on the organization and policies within it.

Regarding the first question, I don’t recommend completely removing the T&C from guest SSID, it is a CYA measure that you can use if you find anyone using wifi for malicious purposes. Regarding the guest connection challenges, there should be some settings on your WAP controllers that allow you to adjust the timeout for a session. 24 hours is a good number.

About the second question, set up a Staff SSID where you have a route to email but nothing else internal and give folks that password. There is no reason that you have an ‘open’ SSID straight into your domain that folks outside IT knows…

Hope this helps!

2 Spice ups
13

Just for the record, a saved WiFi password can be looked at by someone with local admin credentials. (Right-click Start > Network Connections > Change adapter options > double-click WiFi > Wireless Properties > Security > Show characters) Presumably not an issue since users should not be local admins, but sometimes it happens in our environment due to legacy applications or other reasons.

@rhummel @big-green-man

4 Spice ups
14

No end users have local admin rights on any company-owned device, so we’re good.

3 Spice ups
15

We have 2 WiFi Access Points

  • Company wifi is on the same network as hardwired workstations. It is only available for company’s laptops. Password is only known by IT

  • Separate WiFi which is on a DMZ and is only broadcasted from the AP

This Separte WiFI AP is split into 4 wirless networks

  • Guest WiFi
  • Staff
  • Training
  • IT

Each of the WiFI networks also has restriction of Download and Upload speeds

16

Absolutely. No local admins here. LOL.

17

Hidden wifi on separate fiber connection, only IT has password. Used for approved guests and some personal devices (some users allowed iPads). Wifi is completely unfiltered, wired network heavily restricted. Employee owned devices are NEVER allowed on the wired network.

18

Guest WIFI, WPA2, with corporate phone number as password. Guests and employee personal devices, and corporate cell phones go here. Splash page displayed every 60 days. Bandwidth limited depending on location.

Internal WIFI. For computers only/devices that need to access company internal resources.

MDM SSID For company managed IOS devices through MDM.

All SSID’s same at all company locations.

19

We have domain wifi, bridged for company laptops. We have guest wireless for everyone else that also goes out a separate firewall/ISP connection and is on it’s own vlan. They get what they get and I don’t care. We also have a contractor wifi which strictly allows them access to a couple printers but otherwise it’s out the guest ISP connection as well.

20

Only company owned laptops are allowed to use the domain wi-fi. All others may use the seperate segregated guest wi-fi. Company owned phones also use the guest wi-fi because they have no need to use the domain network. If it does not require access to our corporate LAN, it doesn’t connect to the domain wi-fi.

Fortinet gear makes managing this access fairly easy.