Geekzone: technology news, blogs, forums
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

82 posts

Master Geek


# 143168 5-Apr-2014 12:41
Send private message

Hello, in a corporate wireless situation you may have a corporate SSID for all the desktops and laptops in the company which authorises via Active Directory.
But often I have seen a separate mobile SSID which is for corporate users who want to access the company network using their iphones, tablets etc.

My question is why is there a separate SSID for the mobile devices ? i.e. why can't they just be part of the main corporate SSID that authorises through Active Directory ?

Thanks for any clarification.

Create new topic
5166 posts

Uber Geek


  # 1018962 5-Apr-2014 12:51
Send private message

they could be on the same network

maybe in your case the company has one big flat network where there are no levels of trust / IPSec boundaries / VLANs etc and they don't trust the mobile devices and choose to put them on a separate SSID, maybe even make them appear like they are external to the LAN and come back into the network thru VPN / Firewall etc

Personally I think the IPSec domain isolation approach is simpler approach 

28260 posts

Uber Geek

Biddle Corp
Lifetime subscriber

  # 1019277 6-Apr-2014 00:58
Send private message

Without knowing the exact setup it's hard to comment but allowing BYOD devices on a standard corporate network introduces a massive number of security risks which is why it's basic security 101 to now allow such BYOD usage, but restrict this to a different SSID and/or VLAN.


65 posts

Master Geek


  # 1019278 6-Apr-2014 01:07
Send private message

This is actually quite common when supported by your wireless equipment, and exactly how I would typically configure corporate WIFI.

Single SSID for Staff, Corporate devices authenticated by certificate and placed into one VLAN, Mobile / BYOD devices authenticated by AD Username and placed into a second VLAN.

Just be careful with your Microsoft licensing in this scenario. Any user or device using a MS service needs a CAL.

Guests authenticated to second SSID with captive portal.

I work for a Hosting Provider - But my opinions are my own.

1508 posts

Uber Geek

  # 1019425 6-Apr-2014 11:41
Send private message

Different Auth methods for a start, you can't authenticate staff devices via certificate and AD easily as the devices will not be stored in AD. I suppose you could do AD user auth, but that is not going to be as seamless as machine object wireless groups, certs and GP to point devices to the correct corporate wireless lan. This is the method we use for company machines and then have a user activation portal for users to authenticate their own devices to our staff network as well as a guest network for visitors.

Just had the perfect situation to demonstrate why you should separate everything out though.
Had a user bring their home laptop in to get me to set up the RDP gateway (another story about users who cannot follow basic instructions and then blame IT when it does not work), but the machine was the most virus riddled POS throwing up McAfee antivirus warnings and filled with apps she had torrented keygen software for. Keep that rubbish off your main network and enable every method of device isolation your wireless controller has. She was asked firmly but politely to never bring it in to work again, to never plug it in to our wired network and to make sure it was clean if I ever saw it again.

Also we have had issues with staff running torrent software on BYOD devices, not necessarily on purpose, but if it was running at home and they forget to disable it before coming to work, it is still running. You can vlan that off between the wireless controller and switches, funnel it through the firewall with separate more restrictive policies and stop it running so easily.


It is just about different levels of trust and privilege that can and should be set up to protect your network. You also want to make it easy and seamless too and between the Ruckus wireless and Watchguard firewall, I am loving the level of management we can apply with very little effort after initial setup.

Try Vultr using this link and get us both some credit:

5166 posts

Uber Geek


  # 1019459 6-Apr-2014 13:52
Send private message

IPsec boundaries & isolation is interesting since you can easily allow trusted domain joined machines access to resources. Most companies I've ever seen with multiple SSIDs for different trust levels, never do the same for wired LAN, which is ironic when staff bring in home laptops onto the wired lan, or even being in their own wireless access points. Interesting challenges

Create new topic

Twitter and LinkedIn »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

News »

D Link ANZ launches EXO Smart Mesh Wi Fi Routers with McAfee protection
Posted 15-Oct-2019 11:31

Major Japanese retailer partners with smart New Zealand technology IMAGR
Posted 14-Oct-2019 10:29

Ola pioneers one-time passcode feature to fight rideshare fraud
Posted 14-Oct-2019 10:24

Spark Sport new home of NZC matches from 2020
Posted 10-Oct-2019 09:59

Meet Nola, Noel Leeming's new digital employee
Posted 4-Oct-2019 08:07

Registrations for Sprout Accelerator open for 2020 season
Posted 4-Oct-2019 08:02

Teletrac Navman welcomes AI tech leader Jens Meggers as new President
Posted 4-Oct-2019 07:41

Vodafone makes voice of 4G (VoLTE) official
Posted 4-Oct-2019 07:36

2degrees Reaches Milestone of 100,000 Broadband Customers
Posted 1-Oct-2019 09:17

Nokia 1 Plus available in New Zealand from 2nd October
Posted 30-Sep-2019 17:46

Ola integrates Apple Pay as payment method in New Zealand
Posted 25-Sep-2019 09:51

Facebook Portal to land in New Zealand
Posted 19-Sep-2019 18:35

Amazon Studios announces New Zealand as location for its upcoming series based on The Lord of the Rings
Posted 18-Sep-2019 17:24

The Warehouse chooses Elasticsearch service
Posted 18-Sep-2019 13:55

Voyager upgrades core network to 100Gbit
Posted 18-Sep-2019 13:52

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.