How to Provision Guest Wi-Fi
Guest Wi-Fi has become a vital amenity for hotel chains, doctor's offices and many large enterprises. These organizations are in part addressing the growing expectation among end users that connectivity will always be available to them, whether through Wi-Fi, cellular or some other means.
The stakes are weirdly high for ensuring this Internet access: According to a survey conducted by Purple WiFi, approximately 75 percent of respondents stated that they would be grumpier after a week without Wi-Fi than they would after one without coffee.
In this context, it is important to know how to provision a guest network via a solution such as Cisco Meraki. Network admins have to pay attention to security, traffic/bandwidth shaping and limits on what resources guests can access. Let's look at a few tips for conceptualizing and then setting up safe yet user-friendly guest Wi-Fi access.
What Should a Guest Wi-Fi Network Do?
A guest Wi-Fi network should be segmented from the company's internal network. It should provide Internet access only, in a secure, cost-effective and intuitive way that doesn't require any advanced configuration by end users.
Guest Wi-Fi access should be secure and segmented from the LAN
How Can we Ensure That it Does That?
Meraki provides a good blueprint for guest Wi-Fi setup, since it is a relatively simple yet powerful wireless platform:
- Start by creating an SSID for the network. Adding "guest" somewhere in the name is helpful in setting expectations. You will probably want to leave the network open, without any required password, since guests will likely be connecting without any enterprise credentials. A pre-shared key with WPA2, such as a provided phrase that must be entered upon login, is also an option.
- Next up is the splash page. You can either decline to set one up, create a click-through page or explore other possibilities such as SMS or Facebook authentication.
- For assigning your IP addresses, Network Address Translation is usually a good idea. Your access point behaves like a DHCP server here, handing out addresses in the 10.0.0.0/8 range and preventing guests from seeing or communicating with each other.
- For security purposes, you will want to completely wall off guest traffic from the wired LAN. Layer 3 firewall rules can be set to deny (i.e., drop at the access point) any traffic destined for this LAN.
- Depending on your situation, you may need to go even further and set Layer 7 rules that block certain types of applications. Video streaming services and BitTorrent clients are common candidates for such restrictions.
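The Layer 3 step only walls off the LAN if no earlier rule or gap lets guest traffic through first. The following audit is an added example, not code from Meraki or from this article. It assumes first-match rule evaluation and an implicit final allow, and the rule format, field names and sample subnets are all constructed for illustration.

```python
import ipaddress

# Constructed sample data; the rule format is hypothetical, not a vendor schema.
LAN = ["192.168.10.0/24", "172.16.0.0/12"]
RULES_BAD = [
    {"policy": "allow", "proto": "udp", "port": "53", "dest": "192.168.10.5/32"},
    {"policy": "deny", "proto": "any", "port": "any", "dest": "192.168.0.0/16"},
]
RULES_GOOD = [
    {"policy": "deny", "proto": "any", "port": "any", "dest": "192.168.0.0/16"},
    {"policy": "deny", "proto": "any", "port": "any", "dest": "172.16.0.0/12"},
]

def _overlap(a, b):
    """CIDR blocks either nest or are disjoint; return the shared block or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def audit(rules, lan_cidrs, default_policy="allow"):
    """Walk rules in first-match order; return LAN ranges guests can still reach."""
    remaining = [ipaddress.ip_network(c) for c in lan_cidrs]
    findings = []
    for idx, rule in enumerate(rules, start=1):
        dest = ipaddress.ip_network(rule["dest"])
        blanket = rule["proto"] == "any" and rule["port"] == "any"
        undecided = []
        for net in remaining:
            hit = _overlap(net, dest)
            if hit is None:
                undecided.append(net)
            elif rule["policy"] == "allow":
                findings.append((str(hit), f"rule {idx}"))
                undecided.append(net)  # other protocols are still undecided
            elif blanket:
                # A blanket deny settles this block; keep what lies outside it.
                if hit != net:
                    undecided.extend(net.address_exclude(hit))
            else:
                undecided.append(net)  # a partial deny leaves other traffic open
        remaining = undecided
    if default_policy == "allow":  # assumption: traffic matching no rule is allowed
        findings += [(str(n), "default") for n in remaining]
    return findings
```

The check is conservative: an allow rule that overlaps the LAN is reported even when an earlier protocol-specific deny already covers the same traffic.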
What Else Should we Keep in Mind?
This setup is just one possible example. You could alternatively use Ethernet over IP tunneling, or wireless VLANs, as outlined by Cisco in this deep dive guide to guest network provisioning.
When setting up your guest network policy, you may also want to weave in specific features such as allowing access based on time of day, technology type or role. These implementations can give you fine-grained control over when and how your network is accessed. Network admission control appliances are another possibility for ensuring secure guest access even with many different types of devices in play.