Geekzone: technology news, blogs, forums

fran1942 (82 posts, Master Geek, Trusted)
#143168 5-Apr-2014 12:41

Hello, in a corporate wireless situation you may have a corporate SSID for all the desktops and laptops in the company which authorises via Active Directory.
But often I have seen a separate mobile SSID which is for corporate users who want to access the company network using their iPhones, tablets etc.

My question is: why is there a separate SSID for the mobile devices? i.e. why can't they just be part of the main corporate SSID that authorises through Active Directory?

Thanks for any clarification.

nathan (5695 posts, Uber Geek, Inactive user)
#1018962 5-Apr-2014 12:51

They could be on the same network.

Maybe in your case the company has one big flat network where there are no levels of trust / IPSec boundaries / VLANs etc. and they don't trust the mobile devices and choose to put them on a separate SSID, maybe even make them appear like they are external to the LAN and come back into the network through VPN / firewall etc.

Personally I think the IPSec domain isolation approach is a simpler approach.

sbiddle (30853 posts, Uber Geek, Retired Mod, Trusted, Biddle Corp, Lifetime subscriber)
#1019277 6-Apr-2014 00:58

Without knowing the exact setup it's hard to comment, but allowing BYOD devices on a standard corporate network introduces a massive number of security risks, which is why it's basic security 101 to not allow such BYOD usage, but restrict this to a different SSID and/or VLAN.




Chippo (129 posts, Master Geek, Trusted)
#1019278 6-Apr-2014 01:07

This is actually quite common when supported by your wireless equipment, and exactly how I would typically configure corporate Wi-Fi.

Single SSID for Staff, Corporate devices authenticated by certificate and placed into one VLAN, Mobile / BYOD devices authenticated by AD Username and placed into a second VLAN.

Just be careful with your Microsoft licensing in this scenario. Any user or device using a MS service needs a CAL.

Guests authenticated to second SSID with captive portal.






I work for a global Data Protection Software company - But my opinions are my own.
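The single-SSID design in the post above works by having the RADIUS server decide the VLAN from how the client authenticated, and returning it to the controller in the standard RFC 3580 tunnel attributes. The following is an added illustration of that decision logic, not code from the original thread or any vendor; the VLAN numbers, the internal CA name and the `AuthResult` record are assumptions.

```python
"""Dynamic VLAN assignment for one staff SSID (constructed example).

The EAP method that authenticated the client decides the VLAN the
controller puts it in: a device certificate from the internal CA lands in
the corporate VLAN, an AD username/password from a personal device lands in
the BYOD VLAN. Attribute numbers are the RFC 2868 / RFC 3580 values used
for 802.1X VLAN assignment; everything else here is an assumed example.
"""
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type = IEEE-802

VLAN_CORPORATE = 10            # assumed: certificate-authenticated devices
VLAN_BYOD = 20                 # assumed: AD user/password from personal devices
CORP_CA = "CN=Example Corp Issuing CA"   # assumed internal issuing CA


@dataclass(frozen=True)
class AuthResult:
    """What the EAP exchange established about the client (assumed shape)."""
    identity: str
    eap_method: str                 # "EAP-TLS" or "PEAP-MSCHAPv2"
    cert_issuer: Optional[str]      # issuer DN when EAP-TLS was used
    ad_group_ok: bool               # identity is in the wireless access group


def authorize(auth: AuthResult) -> dict:
    """Return the RADIUS reply attributes for this client, or a reject."""
    if not auth.ad_group_ok:
        return {"code": "Access-Reject"}
    if auth.eap_method == "EAP-TLS" and auth.cert_issuer == CORP_CA:
        vlan = VLAN_CORPORATE       # domain-joined, corporate-issued cert
    elif auth.eap_method == "PEAP-MSCHAPv2":
        vlan = VLAN_BYOD            # valid AD user, but an untrusted device
    else:
        # Certificate from any other CA, or an unexpected method: no VLAN
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    print(authorize(AuthResult("host/LAPTOP01", "EAP-TLS", CORP_CA, True)))
    print(authorize(AuthResult("jane", "PEAP-MSCHAPv2", None, True)))
```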




toyonut (1508 posts, Uber Geek)
#1019425 6-Apr-2014 11:41

Different auth methods, for a start: you can't authenticate staff devices via certificate and AD easily, as the devices will not be stored in AD. I suppose you could do AD user auth, but that is not going to be as seamless as machine object wireless groups, certs and GP to point devices to the correct corporate wireless LAN. This is the method we use for company machines, and then we have a user activation portal for users to authenticate their own devices to our staff network, as well as a guest network for visitors.

Just had the perfect situation to demonstrate why you should separate everything out, though.
Had a user bring their home laptop in to get me to set up the RDP gateway (another story about users who cannot follow basic instructions and then blame IT when it does not work), but the machine was the most virus-riddled POS, throwing up McAfee antivirus warnings and filled with apps she had torrented keygen software for. Keep that rubbish off your main network and enable every method of device isolation your wireless controller has. She was asked firmly but politely to never bring it in to work again, to never plug it in to our wired network, and to make sure it was clean if I ever saw it again.

Also, we have had issues with staff running torrent software on BYOD devices, not necessarily on purpose, but if it was running at home and they forget to disable it before coming to work, it is still running. You can VLAN that off between the wireless controller and switches, funnel it through the firewall with separate, more restrictive policies, and stop it running so easily.

It is just about different levels of trust and privilege that can and should be set up to protect your network. You also want to make it easy and seamless, and between the Ruckus wireless and WatchGuard firewall, I am loving the level of management we can apply with very little effort after initial setup.






nathan (5695 posts, Uber Geek, Inactive user)
#1019459 6-Apr-2014 13:52

IPsec boundaries and isolation are interesting, since you can easily allow trusted domain-joined machines access to resources. Most companies I've ever seen with multiple SSIDs for different trust levels never do the same for the wired LAN, which is ironic when staff bring home laptops onto the wired LAN, or even bring in their own wireless access points. Interesting challenges.
