Question from City of Cupertino article

  • Updated 2 years ago
In the latest Aerohive press release about Cupertino adopting Aerohive, there's a tidbit that I am curious about. 

It can be found here:
http://www.aerohive.com/customers/City-of-Cupertino.html

But here's the line:

"Cupertino has set up three different SSIDs across its network, including a separate network for employees, guests and Apple TVs."

Does anyone know the reasoning why a separate SSID was dedicated JUST for Apple TVs?

Mark Techa

Posted 2 years ago

Nicolas Maton

The first thing that comes to my mind is mDNS. The Bonjour protocol. So you isolate this traffic on your network on a VLAN.

Nick Lowe, Official Rep

Honestly, probably because things like user profiles, VLANs and the Bonjour Gateway weren't explored fully.

Nick

Mark Techa

The first thing I thought about was Bonjour Gateway too. 

I guess isolating the Apple TV Bonjour broadcasts is a good thing to do, but doesn't that make the end user experience kinda crappy? Whether they are an employee or a guest, they'll have to switch networks just to AirPlay something?

Am I mistaken to think that since Bonjour Gateway makes it so you can talk to Bonjour devices across different networks, it will also send the broadcasts across different networks too?

Bill W.

It's most likely because the authentication method for each group is different, and to separate the traffic. The SSID for employees is probably WPA2-Enterprise (802.1x). The guest SSID is probably open or using PPSK. And the Apple TV SSID is probably WPA2-Personal.

Nick Lowe, Official Rep

Yes, possibly. It is ambiguously worded. The rule of thumb is, of course, to have one SSID per authentication method where possible.

I hear of many places that deploy with role-based SSIDs, however, so I always err towards being suspicious! :-P

Mark, my suggestion is to only use these case studies as food for thought and to whet the appetite, the real technical meat is, intentionally, elsewhere.

Carsten Loemker

In my case I configured a separate SSID for Apple TVs and other devices where 802.1x authentication in fact becomes hard work. While Apple TVs support 802.1x using profiles dished out to them using Apple Configurator, the issue really is that every software update for an Apple TV will break that config and the step has to be repeated. If you have a number of them, that is hard work.
So for Apple TVs WPA2 and PPSK is the way to go. That most likely will be the reason why Cupertino CC has gone that way.
Cheers