When designing wireless services, IT departments usually create one service/SSID for employees and one for visitors (check my tips to deploy this). The wireless service for visitors usually relies on self-service (the user creates an account directly on the portal) or sponsorship (either the employee or the receptionist creates the account for the visitor).
In any case, your employees can very easily connect their professional devices to the guest service (and be sure they will!). This brings some confusion, some issues (devices may switch between SSIDs) and security concerns (if the policies are not aligned).
Here are a few tips to force your employees not to use the guest SSID.
1) Provide a service aligned with needs
Okay, this may seem obvious, but if you provide good connectivity to users and they have access to whatever they need, they will certainly not try to find something better.
I have seen companies providing a good smartphone with WiFi access to the Internet and they never tried to connect to another SSID.
The same goes for laptops: if you provide seamless (but secure) access to the Internet, whatever browser or application the user runs, users will not need to try another solution.
2) Degrade user experience for employees on guest SSID
Don’t worry, I’m not talking about mediocre Internet access. I’m talking about implementing limitations that match exactly the visitors’ needs (in terms of bandwidth quota, time quota, filtering or opening hours, for example) but not your employees’ needs. Employees may switch to the guest SSID but will quickly go back to the official one!
3) Block the SSID on professional devices
For some operating systems, it is possible to block some WiFi SSIDs via a policy pushed to the device (MDM, GPO or anything similar).
Here are a few links to implement this restriction:
If you are not able to block an SSID, you can push a configuration for that SSID with deliberately wrong security settings.
Example: Consider a visitor SSID named “MyCompany visitors” that is configured as an open SSID (which is usually the case for guest access). Just push a profile for “MyCompany visitors” configured with a WEP key and the device will never be able to connect, because the saved profile’s security settings do not match the open network.
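On Windows clients, the block described in this tip can be applied with the built-in `netsh wlan` filters. The script below is an added example, not part of the original post; it reuses the example SSID name from above and assumes it runs elevated, for instance as a GPO startup script or an MDM-deployed script.

```powershell
# Added example: block the guest SSID on a corporate Windows device.
# Assumptions: elevated session; SSID name is the example used in this post.
$GuestSsids = @('MyCompany visitors')
$failed = $false

foreach ($ssid in $GuestSsids) {
    # Remove any saved profile for the guest SSID so the device stops
    # auto-connecting to it. netsh only reports "not found" if there is none.
    netsh wlan delete profile name="$ssid" | Out-Null

    # Add a block filter for this SSID. Re-running the script is harmless:
    # netsh reports an error for a duplicate filter and changes nothing.
    netsh wlan add filter permission=block ssid="$ssid" networktype=infrastructure | Out-Null

    # Confirm the SSID now shows up in the filter listing. The match is on
    # the quoted SSID name only, so it does not depend on the display language.
    $listed = netsh wlan show filters | Select-String -SimpleMatch "`"$ssid`""
    if ($listed) {
        Write-Output "Filter present for SSID: $ssid"
    } else {
        Write-Warning "No filter found for SSID: $ssid (is the session elevated?)"
        $failed = $true
    }
}

# A non-zero exit code lets the deployment tool flag devices where the
# filter could not be applied.
if ($failed) { exit 1 }
```

To undo the block on a device, run `netsh wlan delete filter permission=block ssid="MyCompany visitors" networktype=infrastructure`.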
4) Converge both SSIDs
This is the ultimate way! Have one SSID providing both services. This can be achieved, for example, with 802.1X authentication. A corporate laptop will authenticate automatically via login/password or certificate, and anyone else will be redirected to a web portal. The web portal will allow visitors to authenticate themselves.
The main prerequisite is that the WiFi profile is pushed automatically and systematically on all corporate devices. Then, the employee can’t bypass the authentication mechanism that will redirect him to the internal network.