Geekzone: technology news, blogs, forums
# 143168 5-Apr-2014 12:41
Hello, in a corporate wireless situation you may have a corporate SSID for all the desktops and laptops in the company, which authorises via Active Directory.
But often I have seen a separate mobile SSID which is for corporate users who want to access the company network using their iPhones, tablets etc.

My question is: why is there a separate SSID for the mobile devices? I.e. why can't they just be part of the main corporate SSID that authorises through Active Directory?

Thanks for any clarification.

  # 1018962 5-Apr-2014 12:51
They could be on the same network.

Maybe in your case the company has one big flat network where there are no levels of trust / IPsec boundaries / VLANs etc., and they don't trust the mobile devices and choose to put them on a separate SSID, maybe even make them appear as if they are external to the LAN and come back into the network through VPN / firewall etc.

Personally I think the IPsec domain isolation approach is a simpler approach.
  # 1019277 6-Apr-2014 00:58
Without knowing the exact setup it's hard to comment, but allowing BYOD devices on a standard corporate network introduces a massive number of security risks, which is why it's basic security 101 not to allow such BYOD usage, but to restrict it to a different SSID and/or VLAN.
  # 1019278 6-Apr-2014 01:07
This is actually quite common when supported by your wireless equipment, and exactly how I would typically configure corporate Wi-Fi.

Single SSID for staff: corporate devices authenticated by certificate and placed into one VLAN, mobile / BYOD devices authenticated by AD username and placed into a second VLAN.

Just be careful with your Microsoft licensing in this scenario. Any user or device using an MS service needs a CAL.

Guests authenticated to a second SSID with a captive portal.
I work for a Hosting Provider - But my opinions are my own.
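An added example, not code from this thread, of what the RADIUS side of that single-SSID design has to do. The authentication server decides the VLAN from how the client proved its identity (a machine certificate from the corporate CA, or an AD username/password from an opted-in group), returns the RFC 2868 tunnel attributes in the Access-Accept, and rejects everything else; the WLAN controller then drops the client into the named VLAN. The VLAN numbers (10/20/30), CA distinguished name, AD group name and SSID names are assumptions for illustration, and the request object stands in for what a real RADIUS server knows after the EAP exchange.

```python
"""
Added example (not from the Geekzone thread): a toy RADIUS authorisation
policy that puts clients on ONE staff SSID into different VLANs depending on
how they authenticated, then encodes the RFC 2868 tunnel attributes a WLAN
controller reads from the Access-Accept for dynamic VLAN assignment.
VLAN numbers, group names, SSID names and the CA name are assumptions.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed VLAN plan and identity sources for the example
VLAN_CORP, VLAN_BYOD, VLAN_GUEST = "10", "20", "30"
CORP_CA = "CN=Example Corp Issuing CA"      # assumed issuer DN of machine certs
BYOD_GROUP = "Wireless-BYOD"                 # assumed AD group that may bring devices
SSID_STAFF, SSID_GUEST = "CorpStaff", "CorpGuest"

# RADIUS attribute numbers (RFC 2868) and the values controllers expect
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


@dataclass
class AuthRequest:
    """What the server knows after EAP finishes (constructed input, not a real packet)."""
    ssid: str
    eap_method: str                        # "EAP-TLS", "PEAP-MSCHAPv2" or "NONE" (open SSID)
    cert_issuer: Optional[str] = None      # issuer DN of the client certificate, if any
    username: Optional[str] = None
    ad_groups: Set[str] = field(default_factory=set)


def _tagged_int(attr: int, value: int, tag: int = 0) -> bytes:
    # Type, Length, Tag, then a 3-byte big-endian integer (RFC 2868 section 3.1).
    # Tag 0 means "untagged"; most controllers accept tag 0 or 1.
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def _tagged_str(attr: int, value: str, tag: int = 0) -> bytes:
    data = value.encode()
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_attributes(vlan: str) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>."""
    return (_tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(ATTR_TUNNEL_MEDIUM, TUNNEL_MEDIUM_IEEE802)
            + _tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan))


def authorise(req: AuthRequest) -> Tuple[str, Optional[str], bytes]:
    """Return (decision, vlan, attribute bytes). Anything not explicitly allowed is rejected."""
    if req.ssid == SSID_GUEST:
        # Open guest SSID: guest VLAN, the captive portal gates it from there
        return "Access-Accept", VLAN_GUEST, vlan_attributes(VLAN_GUEST)
    if req.ssid != SSID_STAFF:
        return "Access-Reject", None, b""
    if req.eap_method == "EAP-TLS":
        # Machine certificate: only our own issuing CA counts as a corporate device
        if req.cert_issuer == CORP_CA:
            return "Access-Accept", VLAN_CORP, vlan_attributes(VLAN_CORP)
        return "Access-Reject", None, b""
    if req.eap_method == "PEAP-MSCHAPv2":
        # AD username/password means a personal device: BYOD VLAN, opted-in group only
        if req.username and BYOD_GROUP in req.ad_groups:
            return "Access-Accept", VLAN_BYOD, vlan_attributes(VLAN_BYOD)
        return "Access-Reject", None, b""
    return "Access-Reject", None, b""


def decode_vlan(attrs: bytes) -> Optional[str]:
    """Parse Access-Accept attribute bytes the way a controller would and return the VLAN."""
    i, vlan, ttype, medium = 0, None, None, None
    while i + 2 <= len(attrs):
        attr, length = attrs[i], attrs[i + 1]
        body = attrs[i + 3:i + length]          # skip the tag byte
        if attr == ATTR_TUNNEL_TYPE:
            ttype = int.from_bytes(body, "big")
        elif attr == ATTR_TUNNEL_MEDIUM:
            medium = int.from_bytes(body, "big")
        elif attr == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            vlan = body.decode()
        i += length
    # The group ID is only honoured when type and medium say "VLAN over 802"
    return vlan if (ttype, medium) == (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802) else None


if __name__ == "__main__":
    laptop = AuthRequest(SSID_STAFF, "EAP-TLS", cert_issuer=CORP_CA)
    phone = AuthRequest(SSID_STAFF, "PEAP-MSCHAPv2", username="jane", ad_groups={BYOD_GROUP})
    rogue = AuthRequest(SSID_STAFF, "EAP-TLS", cert_issuer="CN=Some Other CA")
    for r in (laptop, phone, rogue):
        decision, vlan, attrs = authorise(r)
        print(r.eap_method, decision, vlan, decode_vlan(attrs))
```

The point of the reject paths is that the authentication method alone is not the trust decision: an EAP-TLS client presenting a certificate from any CA other than your own, or a valid AD user who is not in the BYOD group, still gets no VLAN at all. On a real server these three attributes are what you set in the policy's reply (FreeRADIUS post-auth or an NPS network policy's RADIUS attributes), and the controller must have the "dynamic VLAN" / "AAA override" option enabled on the SSID for it to honour them.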
  # 1019425 6-Apr-2014 11:41
Different auth methods, for a start: you can't easily authenticate staff devices via certificate and AD, as the devices will not be stored in AD. I suppose you could do AD user auth, but that is not going to be as seamless as machine object wireless groups, certs and GP to point devices to the correct corporate wireless LAN. This is the method we use for company machines, and then we have a user activation portal for users to authenticate their own devices to our staff network, as well as a guest network for visitors.

Just had the perfect situation to demonstrate why you should separate everything out though.
Had a user bring their home laptop in to get me to set up the RDP gateway (another story about users who cannot follow basic instructions and then blame IT when it does not work), but the machine was the most virus-riddled POS, throwing up McAfee antivirus warnings and filled with apps she had torrented keygen software for. Keep that rubbish off your main network and enable every method of device isolation your wireless controller has. She was asked firmly but politely never to bring it in to work again, never to plug it in to our wired network, and to make sure it was clean if I ever saw it again.

Also we have had issues with staff running torrent software on BYOD devices, not necessarily on purpose, but if it was running at home and they forget to disable it before coming to work, it is still running. You can VLAN that off between the wireless controller and switches, funnel it through the firewall with separate, more restrictive policies, and stop it running so easily.

It is just about different levels of trust and privilege that can and should be set up to protect your network. You also want to make it easy and seamless, and between the Ruckus wireless and WatchGuard firewall I am loving the level of management we can apply with very little effort after initial setup.
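Once the BYOD VLAN is funnelled through its own firewall policy, the torrent-client case above is also easy to see in that firewall's flow logs, because a BitTorrent client fans out to dozens of distinct external peers on unprivileged ports within minutes while a browser or mail client does not. The following is an added example, not anything posted in the thread, of that detection run over constructed flow records; the log line format, VLAN names, the 20-peer threshold and the 5-minute window are assumptions, and "internal" is taken to mean the RFC 1918 ranges.

```python
"""
Added example (not from the Geekzone thread): flag hosts on the BYOD VLAN that
fan out to many distinct external peers on high ports inside a short window,
the traffic shape of a torrent client left running. Log format, VLAN names,
threshold and window are assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed format: "<ISO time> vlan=<name> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vlan=(?P<vlan>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

PEER_THRESHOLD = 20                 # distinct external peers inside one window
WINDOW = timedelta(minutes=5)
LOW_PORT_MAX = 1023                 # well-known ports are services, not peers
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(lines):
    """Yield (time, vlan, src, dst, dport, proto) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["vlan"], m["src"],
                   m["dst"], int(m["dport"]), m["proto"])


def external_peer_fanout(lines, vlan: str = "byod") -> Dict[str, int]:
    """Return {src_ip: peak distinct external peers} for sources on `vlan` that reach
    PEER_THRESHOLD distinct non-RFC1918 peers on ports > 1023 within any WINDOW span."""
    events = defaultdict(list)
    for ts, v, src, dst, dport, _ in parse(lines):
        if v != vlan or dport <= LOW_PORT_MAX or any(ip_address(dst) in n for n in INTERNAL):
            continue
        events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        in_window = defaultdict(int)            # sliding window: peer -> flows still inside it
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > WINDOW:  # expire flows older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= PEER_THRESHOLD:
            flagged[src] = best
    return flagged


def sample_log(spacing_seconds: int = 4) -> List[str]:
    """Constructed flow records, not real logs: one BYOD phone fanning out to 25 peers,
    one BYOD laptop doing ordinary traffic, and a corp-VLAN host fanning out too
    (so the VLAN filter is visible)."""
    base = datetime(2014, 4, 6, 11, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i * spacing_seconds)).isoformat()
        lines.append(f"{ts} vlan=byod src=10.20.0.7 dst=203.0.113.{i + 1} dport={6881 + i} proto=udp")
    for i in range(30):
        ts = (base + timedelta(seconds=i * spacing_seconds)).isoformat()
        lines.append(f"{ts} vlan=corp src=10.10.0.5 dst=198.51.100.{i + 1} dport={50000 + i} proto=tcp")
    lines += [
        f"{base.isoformat()} vlan=byod src=10.20.0.8 dst=198.51.100.200 dport=443 proto=tcp",
        f"{base.isoformat()} vlan=byod src=10.20.0.8 dst=198.51.100.201 dport=8443 proto=tcp",
        f"{base.isoformat()} vlan=byod src=10.20.0.8 dst=10.10.0.50 dport=3389 proto=tcp",  # RDP gateway, internal
    ]
    return lines


if __name__ == "__main__":
    print(external_peer_fanout(sample_log()))            # the phone, 25 peers
    print(external_peer_fanout(sample_log(spacing_seconds=60)))  # same flows spread out: nothing
```

The window matters: the same 25 peers contacted one per minute never exceed six inside five minutes and are not flagged, so the threshold and window should be tuned against a day of the BYOD VLAN's normal flows before the alert feeds anything automatic such as a controller quarantine.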
  # 1019459 6-Apr-2014 13:52
IPsec boundaries and isolation are interesting, since you can easily allow trusted domain-joined machines access to resources. Most companies I've ever seen with multiple SSIDs for different trust levels never do the same for the wired LAN, which is ironic when staff bring home laptops onto the wired LAN, or even bring in their own wireless access points. Interesting challenges.
