How many SSIDs is too much?

  • Question
  • Updated 10 months ago
I just started a new job and I'm wondering how many SSIDs is considered too much? I'm coming from another Aerohive network; the only difference is that this new place hosts HiveManager in-house. I only have experience with a cloud-hosted HiveManager. At my old place we had 4 SSIDs, and I read that should be the max. This new place seems to have all kinds of wireless issues and I noticed I'm seeing like 10 SSIDs being broadcast at once. This seems excessive and I'm wondering if that could be the cause of clients not being able to connect / dropping connections / not connecting to the closest AP. My old place mainly had 330s and 230s. This place might have AP390s (they have something with antennas). I haven't looked at their Aerohive configuration just yet; I'd like to get some thoughts from the community before I go stepping on any toes my first week here.

zzzP

Posted 2 years ago

Sjoerd de Jong, Employee
I use 3 at max. Most of the time 2 is enough.

Eddie Klaczko
Using 4 SSIDs, but I'm working on going to 3. 

Here's a good read:
http://www.revolutionwifi.net/revolutionwifi/2013/10/ssid-overhead-how-many-wi-fi-ssids-are.html

Dawn Douglass
Andrew's SSID overhead chart is one of my all-time favorite references. Every time that I get asked why we can't add another SSID, I just show them the chart and I tweak our user profile(s) instead.

We are currently moving from two SSIDs to one. We had three SSIDs for a short time for a unique scenario and that worked just fine, but we are not in a HD deployment either. I would say no more than 3 and use user profiles instead of more SSIDs.

And to echo Nick - disable the b rates if possible.

Nick Lowe, Official Rep
Sometimes extra SSIDs are unavoidable where you want to support things like 802.11k/r/v (and perhaps w) but have to cope with intolerant, broken clients. The key concept to keep in mind is to keep them to an absolute minimum. User profiles really help here!

Also, as a starting position, seek to disable all the 802.11b data rates to keep the airtime impact of sending beacons under control. This should really be the default for APs these days. Needing support for 802.11b clients is the exception, not the norm.
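
A rough calculation of the beacon airtime this thread is about, added here as an example and not part of any post: it compares beacons sent at the 802.11b 1 Mbps rate with beacons sent at 6 Mbps OFDM once the b rates are disabled. The 300-byte beacon size and the 3 APs heard on one channel are assumptions, and contention overhead (inter-frame spacing, backoff) is ignored.

```python
import math

BEACON_INTERVAL_US = 100 * 1024   # 100 TU of 1024 us each, the usual default
BEACON_BYTES = 300                # assumed beacon size; real beacons vary
APS_ON_CHANNEL = 3                # assumed number of APs audible on one channel

def dsss_airtime_us(frame_bytes, rate_mbps=1, long_preamble=True):
    """802.11b DSSS/CCK: PLCP preamble + header (192 us long, 96 us short), then payload."""
    plcp = 192 if long_preamble else 96
    return plcp + math.ceil(frame_bytes * 8 / rate_mbps)

def ofdm_airtime_us(frame_bytes, rate_mbps=6, erp_2g4=True):
    """OFDM: 20 us preamble + SIGNAL, then 4 us symbols carrying rate * 4 bits each.
    16 SERVICE bits and 6 tail bits are added to the payload; ERP-OFDM in
    2.4 GHz appends a 6 us signal extension."""
    bits_per_symbol = rate_mbps * 4
    symbols = math.ceil((16 + 8 * frame_bytes + 6) / bits_per_symbol)
    return 20 + 4 * symbols + (6 if erp_2g4 else 0)

def beacon_airtime_pct(ssids, frame_us, aps=APS_ON_CHANNEL):
    """Share of each beacon interval consumed by beacons alone, in percent."""
    return round(100 * ssids * aps * frame_us / BEACON_INTERVAL_US, 1)

def overhead_table(ssid_counts=(1, 2, 3, 4, 10)):
    """Rows of (SSIDs per AP, % airtime at 1 Mbps DSSS, % airtime at 6 Mbps OFDM)."""
    slow = dsss_airtime_us(BEACON_BYTES)
    fast = ofdm_airtime_us(BEACON_BYTES)
    return [(n, beacon_airtime_pct(n, slow), beacon_airtime_pct(n, fast))
            for n in ssid_counts]

if __name__ == "__main__":
    print("SSIDs  1 Mbps %  6 Mbps %")
    for n, slow_pct, fast_pct in overhead_table():
        print(f"{n:5d}  {slow_pct:8.1f}  {fast_pct:8.1f}")
```
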

Eddie Klaczko
Totally agree on disabling b data rates. Especially true if you surveyed and deployed for 5GHz. We had a lot of trouble on multiple vendors' gear when we started video multicasting, this helped a lot. Not sure how newer code would work but no reason to test. :D

Tony Schaps
One thing I do not see addressed here or on that great overhead chart is what effect, if any, a non-broadcasted SSID has on overhead. Anyone know or care to speculate? I used one for special network device items which I need on a certain subnet but which might get relegated to a different subnet with the client classification rules I have in place. 

Tony Schaps
Hidden SSIDs are poor practice anyway from a privacy, security and reliability perspective for general client access. It should be largely moot therefore as nobody should be using them. You would be better using a PPSK or 802.1X, with a unique credential, to decide where to place such clients.
This is not "general client access;" I explained that it is for a special purpose. What you write is true when the hidden SSID is the only SSID on the radio and when used without encryption with the expectation that security is enhanced. However, if used as an additional SSID for a special purpose and encrypted with WPA2-PSK it works fine and is secure. It is hidden mainly to keep my users less confused. I am the only one who uses the SSID and with devices I manage and -- if you don't use any Windows devices, which I don't -- it's completely reliable. Since my other SSIDs are being broadcast from the same radios, there is no problem with nearby APs choosing the same channels. I also have it available to enable me to quickly rule out PPSK and client classification as the cause of quirks which one might see over the course of time managing wireless networks. For this particular use, PPSK has no advantage over WPA2-PSK. I explained more than your answer deserves, because you did not even attempt to answer my legitimate query of whether a hidden SSID adds to the overhead discussed in this thread.

Nick Lowe, Official Rep
I guess I need to clarify...

By general client access, I meant general purpose SSIDs used for all and any client access purposes rather than 'behind the scenes' infrastructure services like a backhall network of some kind.

It is unnecessary because you simply do not have to offer additional SSIDs for these devices; at that point there would be no potential to confuse users.

Using hidden SSIDs is always the wrong thing to do; that's why it is generally a moot concern for Wi-Fi professionals, and you won't find the question you ask discussed or considered therefore; ask around and nearly all simply do not use them unless a client demands it.

The privacy and reliability issues still apply when encryption is being used with both Windows and non-Windows clients. There can be security implications from the privacy leak too.

Regards,

Nick

Tony Schaps
OK, let's say I need a separate SSID for 'behind the scenes' infrastructure services like a backhall network of some kind. If I turn off broadcast of this SSID, will it reduce the network overhead discussed earlier in this thread?

As for Windows, I was speaking only of reliability problems I've encountered with Windows clients and hidden networks in the past. I have seen none of that in the eight or so months using a variety of other wireless clients and my unmentionable hidden SSID. 

What privacy issues apply to hidden vs. non-hidden, all else being equal?

Nick Lowe, Official Rep
*backhaul

Where a beacon is not being sent periodically, yes, it does increase available airtime. But...

With many devices, while unassociated, the continuous probing necessary to be able to connect to hidden SSIDs configured constantly leaks the real MAC address of the client allowing it to be tracked as it moves about. Even when that MAC address is randomised, a recent development, you can sometimes fingerprint the device by the set of hidden SSIDs that are probed for in a particular order while unassociated in conjunction with any disambiguating characteristics of the 802.11 probe request frames sent.

By knowing the name of a hidden SSID that uses a PSK, you can often socially engineer by putting up a fake SSID which you learn from the probes with no encryption - users will in some cases get prompted and elect to connect.

With TLS-based 802.1X/EAP, if the server certificate is not validated correctly (which is very common) you can further often transparently MITM such a client having learned the SSID from the probes.

You can establish a malicious SSID with MS-CHAP-v2 used as the inner that accepts any credentials.

Where that happens, you can easily harvest and subsequently reverse credentials using something like CloudCracker to do the grunt work.

There just is not a legitimate use case for hidden SSIDs for client access, it is always wrong. Some good discussion can be found here:

http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx

https://technet.microsoft.com/library/cc512578.aspx

http://blogs.technet.com/b/networking/archive/2008/02/08/non-broadcast-wireless-ssids-why-hidden-wir...
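
What the probing described in this post looks like on the wire, as an added example that is not part of the original post: a parser that audits captured frames for directed probe requests naming your own hidden SSID and reports whether each sender used a randomized MAC. The SSID name `corp-infra`, the MAC addresses and the frames are constructed, and frames are assumed to start at the 802.11 header with no radiotap prefix.

```python
def parse_probe_request(frame: bytes):
    """Return (source MAC bytes, SSID string) for a probe request, else None."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    # protocol version 0, type 0 (management), subtype 4 (probe request)
    if fc & 0x03 or (fc >> 2) & 0x03 or (fc >> 4) != 4:
        return None
    src, pos = frame[10:16], 24          # Address 2 is the transmitter
    while pos + 2 <= len(frame):         # walk tagged elements: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                  # truncated element
        if tag == 0:                     # element 0 = SSID; empty means wildcard
            return src, value.decode("utf-8", "replace")
        pos += 2 + length
    return None

def audit(frames, hidden_ssids):
    """Return {ssid: {(mac, mac_is_randomized)}} for probes naming our hidden SSIDs."""
    findings = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None or parsed[1] not in hidden_ssids:
            continue                     # wildcard probes carry an empty SSID
        src, ssid = parsed
        mac = ":".join(f"{b:02x}" for b in src)
        randomized = bool(src[0] & 0x02) # locally administered bit set
        findings.setdefault(ssid, set()).add((mac, randomized))
    return findings

def make_frame(fc, src_hex, ssid):
    """Build a constructed management frame with an SSID and a rates element."""
    header = (bytes([fc, 0, 0, 0]) + b"\xff" * 6 + bytes.fromhex(src_hex)
              + b"\xff" * 6 + b"\x00\x00")
    return header + bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 2, 0x0c, 0x18])

SAMPLE = [  # constructed frames, not a real capture
    make_frame(0x40, "00aabbccddee", "corp-infra"),  # directed probe, real MAC
    make_frame(0x40, "02aabbccddee", "corp-infra"),  # directed probe, randomized MAC
    make_frame(0x40, "00aabbccddef", ""),            # wildcard probe: no name leaked
    make_frame(0x80, "00aabbccddf0", "corp-infra"),  # beacon, not a probe request
]

def sample_findings():
    return audit(SAMPLE, {"corp-infra"})
```
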

Gaston Robles
Excellent!

Volkan Bagci
We have 2 with dynamic VLANs, one with WPA/WPA2 802.1X (Enterprise) for "every client", and one with Captive web portal with 802.1X for those clients that are exceptions. That is enough for 3 types of users/VLANs per site.

Joel Rohne
We also utilize 2 SSIDs and also with dynamic VLANs. Gives us plenty of flexibility and is very stable.

Ben Eggenberger
I use 2 but I can see where I will want more some day.

Gary Babin
It seems to me the ideal, with 802.1X, is just two: an internal SSID and a public SSID. Simpler is better.

Rob Pritchard
I had discussed this with my Aerohive engineer when we first started converting to Aerohive this past summer and he told me that you really shouldn't have more than 4 SSIDs.

Eastman Rivai, Official Rep
I would not have more than 3 SSIDs per radio.