Can we turn off Guest SSID from "Configure SSIDs and User Access" page?

  • 1
  • Question
  • Updated 4 years ago
  • Answered
Dumb question:
How can we turn off our Guest SSID without having to go into each AP's Configuration Page and turning it off for each device?
(We are still in Express Mode) TIA
Photo of John W

John W

  • 7 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
When you say "turn off" do you mean permanently disable or are you looking to only have the Guest SSID available on certain days/times?
Photo of John W

John W

  • 7 Posts
  • 0 Reply Likes
Thanks for the response!

The latter - 
we want to be able to only turn on Guest access when we have a known visitor, and off all other times.
From my reading, we could do it by going to the GuestSSID configuration and Selecting a schedule of, say, April 1st, 2000 - Apr 2, 2000 to effectively turn it off.
Is there any other better way to turn off the GuestSSID (in Express Mode) without having to go to each of our 74 AP's Configuration pages and turning it off there?
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Hmm, reading this comment makes me realize your needs are different than what I expected given your initial query.  I had assumed you did not want your guest network on some of your APs, while available on others.

The other posters are correct, that a secured Guest network (using PPSK or captive web portal authentication, or even an IDM subscription) is the best alternative to your issue.  Otherwise, you would have to push a job to all your APs to make the SSID available when you need it.

The three workarounds I can think in Express mode are :
1) SSID availability schedule, as you talk about.
2) a User profile availability schedule that bans the user when they try to connect.
3) deleting the SSID altogether, and recreating when you need it.

All three of these suggestions require a configuration change to make the network available when you need it.  Unfortunately, Enterprise mode would have the same requirements, with the one exception that for option 3 you could retain the SSID just unbind it from the network policy.  





Photo of John W

John W

  • 7 Posts
  • 0 Reply Likes
Thank you for the reply!
Actually, you are probably right in the long run about what are needs/desires are - the initial idea was to turn on and off the Guest SSID for certain campuses as needed.

Problems:
1) We have up to 26 AP's on one campus, so turning the GuestSSID on/off individually would become tiresome, but would probably be doable.
2) Initially, all AP's had the GuestSSID turned off.
A Selected Schedule was already used to turn on the GuestSSID. If all the AP's were then updated, I believe this was what caused the GuestSSID to be Enabled on all AP's - 
Do you think that is accurate, or a good guess?
3) You are right - it would be nice to be able to turn on GuestSSID on a group of AP's one one campus in the future. 
Is there any way to apply Policy changes to a subset of AP's, perhaps using a custom attribute (for each Campus) or the first 2 letters of each AP's name (probably requiring Enterprise Mode)?

I'm guessing at that point, the easier solution would be to go Enterprise, and then just bind the GuestSSID to the policy, push it out to the campus we want it on, then unbind the SSID and re-update that campus's AP's when we're done.
Photo of John W

John W

  • 7 Posts
  • 0 Reply Likes
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
One of my first questions is why do you want to turn the Guest SSID off?  Is it insecure?
Photo of John W

John W

  • 7 Posts
  • 0 Reply Likes
Because the manager wants it off unless being used by a known guest.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
It is far better to just control who can connect using PPSKs that you enable and disable as appropriate.

Disabling the SSID completely just serves no purpose unless that SSID is insecure and open to all when it is enabled.

What is stopping you going down the PPSK route?
(Edited)
Photo of John W

John W

  • 7 Posts
  • 0 Reply Likes
Good question  -
The administrative overhead compared to a simple generic password the administrative assistants can distribute is what keeps us from going the PPSK route.
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Express mode is one size fits all, with a single network policy that is deployed to all your APs.  As you point out, you can do individual per-AP overrides.  

If you switch to Enterprise mode, you can have a second network policy that does not include the guest SSID, and deploy that new network policy only to the APs that you wish to remove the guest network.


Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I should probably take this opportunity to admit that I have never once used Express mode as the concept of it is anathema to me personally.

I must make an effort to explore it so that I get a feel for it better...
(Edited)
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
There is no going back once you upgrade from Express to Enterprise unless you wipe the database and start over (or load a backup), so a test HiveManager would be a better option to explore that particular interface.


Photo of John W

John W

  • 7 Posts
  • 0 Reply Likes
A test HiveManager?
That sounds intriguing - what's involved in that?
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
You can run a HiveManager VM for 30 days without a license, if you need to try something out.  On-premise HM users could also spin up a new VHM to test with.