create a separate wireless network for guests

  • Question
  • Updated 4 years ago
  • Answered
I want to create a separate wireless network for guests or so that employees may access the Internet with their personal devices. Devices on this separate network should only be able to access the Internet and not be able to access any internal resources.

Mike Perva


Posted 4 years ago


Laura


We have created a guest SSID on its own VLAN for this purpose.




J. Goodnough, Champ

Yes, and use the firewall capability of the Aerohive system to enforce the access restrictions you're looking for.

Terence Fleming ThinkWireless, Champ

The key components of the above two responses are the traffic separation you get from putting the Guest traffic on its own VLAN, and the security benefits from using the firewall within the AP to further restrict network services and applications.

Other features that you might like to consider in a Guest/BYOD network are:
  1. Time restrictions on the SSID or User Profile
  2. Restrict the Guest SSID to the 2.4 GHz spectrum only
  3. Rate limit Visitor / BYOD access
  4. A really simple PSK for authentication that only lasts a few hours (or the rest of the day)
If you are sure that Guest/BYOD access will be restricted to Internet only, one further thing that you might consider is tunnelling Guest/BYOD traffic to the DMZ of the firewall, where you place another Aerohive device that acts as the tunnel termination point and DHCP server for the Guest/BYOD network. In this way you keep the non-Corporate traffic totally separate from the corporate network.
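The Internet-only restriction discussed in the replies above can be checked offline before a guest policy is pushed to the access points. The following is an added example, not part of the original thread and not Aerohive configuration syntax: it assumes a generic first-match rule list, treats the RFC 1918 ranges as "internal resources", and uses constructed addresses and hypothetical rule tuples throughout.

```python
import ipaddress

# Assumption: RFC 1918 ranges stand in for "internal resources".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET_HOST = "203.0.113.10"            # constructed (TEST-NET-3) address
PROBES = [("udp", 53), ("tcp", 445), ("tcp", 3389), ("tcp", 443)]
# Constructed exception: guest DNS served by a device in the DMZ.
EXCEPTIONS = {("10.99.0.1", "udp", 53)}

def evaluate(rules, dst, proto, port):
    """First matching rule wins; anything unmatched is denied."""
    ip = ipaddress.ip_address(dst)
    for action, net, r_proto, r_port in rules:
        if (ip in ipaddress.ip_network(net)
                and r_proto in ("any", proto) and r_port in (None, port)):
            return action
    return "deny"

def audit_guest_policy(rules, exceptions=EXCEPTIONS):
    """List every probe that breaks Internet-only isolation for guests."""
    findings = []
    targets = {str(net[1]) for net in INTERNAL} | {e[0] for e in exceptions}
    for dst in sorted(targets):
        for proto, port in PROBES:
            if (dst, proto, port) in exceptions:
                continue
            if evaluate(rules, dst, proto, port) == "permit":
                findings.append(f"guest can reach internal {dst} {proto}/{port}")
    if evaluate(rules, INTERNET_HOST, "tcp", 443) != "permit":
        findings.append("guest cannot reach the Internet over tcp/443")
    return findings

# Hypothetical rule tuples: (action, destination, protocol, port or None).
WEAK = [("permit", "0.0.0.0/0", "any", None)]
HARDENED = [
    ("permit", "10.99.0.1/32", "udp", 53),
    ("deny", "10.0.0.0/8", "any", None),
    ("deny", "172.16.0.0/12", "any", None),
    ("deny", "192.168.0.0/16", "any", None),
    ("permit", "0.0.0.0/0", "any", None),
]
MISORDERED = [HARDENED[-1]] + HARDENED[:-1]   # permit-any placed first

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED),
                         ("misordered", MISORDERED)):
        print(name, audit_guest_policy(policy) or "OK")
```

The misordered policy contains the same rules as the hardened one and still fails, which is why rule order needs checking as well as rule content.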

Mike Perva

Terence,
I like this idea. Do you have any docs on how to set this up? I would need the entire layout from user profile to DHCP setup to Tunnel setup.
Mike

Terence Fleming ThinkWireless, Champ

Hi Mike

The Aerohive Help contains this helpful little diagram, and quite a lot on how to set up the user profiles:


http://www.aerohive.com/330000/docs/help/english/6.1r5/hm/full/help.htm#config/com/tunPol.htm

BJ, Champ

Here's a nice blog entry on this topic and, as with any questions you may have, the HM help is typically a great resource. As others mentioned, VLANs, captive web portal, and firewalling are key.

http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/how-to-set-up-guest-wlans-101