5 Key points to unlock Guest WiFi
You have deployed your Wireless infrastructure for your employees and your are considering enabling a guest SSID for people visiting your premises. Here are a few tricks to make it easy!
Preamble: Don't mistakenly consider guest WiFi as a non critical service, indeed this may cause poor productivity and user insatisfaction. On the one hand your company host numerous visitors and most of them (IT consultant, financial auditors…) require performant Internet connectivity to achieve their goals. On the other hand, company's employees should not use guest WiFi bypassing corporate security.
Note: this article talk about the visitors entering your corporate facility, if you are considering deploying public hotspot, you can refer to this article (link to article #1)
1) Legal consideration
You should go to your legal council to be aware of the legal requirements applicable in each of your country of operations. Most of the time companies offering entreprise guest WiFi are subject to the same regulations than Internet providers. This usually leads the company to identify the users and records their activity logs in case the police department ask for it. In various countries, local laws may imply more constraints (phone numbers collection for example). In the meantime the collection of private data for non corporate employees is regulated. For example, the EU GDPR (link to GDPR blog article) is enforcing how the private data should be collected and stored.
2) Registration process
Your enterprise legal department will ask you to collect users identities. This can be achieved in various ways with various end-users convenience levels:
#1 Lobby pass: The receptionist checks the ID, create an account for the visitor with a lobby portal and give the guest a login and password. This requires some extra time from the receptionist and the guest. As an option the credentials generation can be automated with the lobby software together with the badge creation however as any manual process this is not mistake-proofing.
#2 Employee pass: There is also a trend to have the guest account created directly by employees. The employee is sponsoring his guest and is responsible for checking guest identity and creating the credentials on a dedicated interface. An alternative to using a dedicated interface is to have the guest request the access from the guest WiFi (email being sent to the employee) and the employee to accept the request with a link to click.
#3 Self service: The visitor uses self service registration and creates the account with an email address or phone number directly on the guest portal. If you need the information to be accurate, just send the password by email or SMS. The guest SSID being an open network, the signal has to be restricted to corporate use.
I do think that you should implement both solutions. By default, the visitor creates his account however the solution should still allow the receptionist or IT support to do maintenance tasks: bulk account creation or removal, password reset, credentials renewal...
You may think there is no need to filter the access to Internet for the guest WiFi but let me argue the opposite :
- If you have Web filtering enabled for your employees but not on the guest WiFi, internal users will use guest WiFi to bypass security. My advice is to apply at least the exact same security rules.
- You certainly don't want to bump into someone watching porn in your premises.
Also please remember that most people connecting on your guest WiFi still need to work. You should consider to allow some protocols which may be forbidden on the corporate network such as email protocols and IPSEC to Internet. This is also why it is important to keep track of who is using your guest network.
When implementing web filtering, you MUST also filter HTTPS. This may not be trivial because only few solutions are able to filter HTTPS without explicit proxy (which by nature cannot be used with unmanaged devices).
4) Bandwidth use
Regardless of how you choose to deploy (link to article #3) your guest SSID, you will share network resources. Being able to restrict the overall guest consumption can be critical. Therefore, implementing per user bandwidth limitation is a good way to prevent visitors from using your limited network ressources (radio bandwidth, WAN bandwidth, internet links…). The limitation can be achieved by any device on the path between the visitor and Internet, some examples:
- Access Point - At least Cisco WLC and Meraki can implement per-user bandwith limit directly on the access point.
- First router on the path - Usually, the router acting as the guest user's default gateway can implement per-user shaping.
- Security solution - Most of the web security solution can also implement bandwidth quota.
5) BYOD mindset
Companies should accept that employees can use the guest service with their own device. Ignore BYOD use is an Ostrich-like attitude leading to multiple user issues, support tickets and abuses. Accepting this use and controlling it with the creation of a framework seems to be a far more modern approach to me.
Here are a few thoughts to keep users on the right path.