Separate Device SSID question

  • 1
  • Question
  • Updated 3 years ago
  • Answered
Okay, here's the situation: We deployed a large 1:1 for student devices this year (Chromebooks) and we have our normal Staff Secure SSID (and a guest SSID) that we have always had. Due to the larger number of devices and not wanted to simply expand my DHCP secure scope, I created a hidden SSID, and new VLAN, called Chromebooks and pushed the SSID and key down to the devices via the Google Apps management console, pretty slick.

However, next year I want to simply go back to two SSIDS (Staff Secure and Guest), but is there anyway to keep the student devices and staff devices on separate VLANs (and therefore subnets) on the SAME SSID?

I'm just worried about having another SSID because I once read (I believe on this forum) that one should have no more than two SSIDs if possible. But is that rule for "broadcast SSIDs" or TOTAL SSIDs?

Photo of Larry


  • 55 Posts
  • 1 Reply Like

Posted 4 years ago

  • 1
Photo of Brian Powers

Brian Powers, Champ

  • 396 Posts
  • 92 Reply Likes
So I do this with PPSK groups.  Create one PPSK group for students, one for teachers.  Assign proper VLAN to each.  Then create a single PPSK within each group.  Tie both PPSK groups to the same SSID. 

This should give you the simplicity of a single PSK for each group (staff/student), but allow each group to be on their own VLAN while being on the same SSID. 

I normally try to keep the SSID to < 4.  Less management frames being spewed out means more time spent serving clients.  Disabling lower data rates and/or using a radio profile and the High-density settings to control at what data rates mgmt frames come out of the AP can do the same thing.
Photo of Larry


  • 55 Posts
  • 1 Reply Like
Thanks Brian, is there any documentation I missed for that (PPSK groups)?

Thanks again!  That seems to be EXACTLY what I'm looking for.
Photo of Michael Maness

Michael Maness

  • 1 Post
  • 0 Reply Likes
I created a hidden SSID, and new VLAN, called Chromebooks and pushed the SSID and key down to the devices via the Google Apps management console, pretty slick. 
Can you give me a rundown of how you set that up? Right now our Chromebooks use our open guest SSID and I want to put them on their own SSID so I can begin limiting the bandwidth on our guest SSID.
Photo of Arison Mercado

Arison Mercado

  • 113 Posts
  • 8 Reply Likes
3 SSID's should be the most in my opinion.

1. Guest
2. Staff/students
3. Devices that don't support 802.11x or that are non mobile.
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
You did not mention what authentication methodology you are using for the Staff and Chromebook SSIDs. 

If using PPSK, then yes you can use PPSK groups to assign different user profiles to Staff vs Students on the same SSID.

If using 802.1X, you can use RADIUS attributes to assign different user profiles.  Your RADIUS server would deliver a different value for Staff vs Students, and APs would assign to a different user profile accordingly.

Another option is to do client classification by OS.  Set a rule in your default user profile to redirect ChromeOS based devices to a different user profile based on the detected OS.  Make sure you are using DHCP based OS detection (or both DHCP and HTTP together). Of course, if staff used a Chromebook in this case, they would wind up the ChromeOS user profile, not the Staff/default.

By the way, all of these methods require you use the Enterprise version of HiveManager 6 (not Express). If you are using HiveManager NG, the same different methods of classification are available, but the way to accomplish client classification in step 3 is a little different.
Photo of Dawn Douglass

Dawn Douglass

  • 67 Posts
  • 3 Reply Likes
I assign user profiles to staff and students based upon Radius attributes.  I have assigned the appropriate VLAN within the Aerohive user profile.