Best practice for employee BYOD Wi-Fi with captive portal?
Posted by MaaS_10@reddit | sysadmin | 76 comments
Hi everyone,
I'm currently setting up Wi-Fi for employees using their own BYOD devices and wanted to ask what the best practice is in this case.
Here’s what I’m thinking:
The SSID will be open (unencrypted), and I’ll use a captive portal hosted on a Fortigate firewall. We'll connect the portal to Active Directory via LDAP, and allow only selected AD users to authenticate.
So, users will connect to the open Wi-Fi network and then log in using their AD credentials. This Wi-Fi will be on a separate VLAN with very limited internet access and bandwidth shaping in place.
The main concern I have is that since the SSID is open (unencrypted), users will see a warning that the network is not secure. Given that this is essentially a "public-like" network for employees (separate from the internal network), I assume this isn’t a big issue — or is it?
Thanks in advance for any advice or suggestions!
volster@reddit
Personally I'm not a fan of open guest wifi.
Mainly just because it's entirely too easy for people to end up on the wrong one, with resultant tickets about why their printer / file shares etc. suddenly won't work. 🤦♂️
Likewise, captive portals are something that sound like a great idea on paper..... but every time I've tried rolling one out, it's just ended up being more trouble than it was worth in practice.
If it were me, I'd separate staff personal devices and genuine guest wifi into separate SSIDs - mostly just for the sake of neatness / bandwidth allocation & knowing who's on what than anything else (I'd turn on isolation for both).
Print the password & QR code onto some business cards and leave them at reception - if you want to mandate TOS acceptance like you'd be able to on a captive portal, just have people sign a form before handing it over.
Sure it's far less slick, but unless you're some giant enterprise org, in reality it ends up being far less of a PITA for all concerned.
sryan2k1@reddit
We block corporate devices from connecting to our guest networks.
volster@reddit
No matter how locked down or technically impossible it is - I have faith the users will still somehow manage to find a way.... They always do 🙃
DragonspeedTheB@reddit
Anything idiot-proof just hasn’t met the right idiot.
dhardyuk@reddit
Everywhere I work I find they have one or two better idiots than the last place.
But they are the perfect testers.
Roll on the day where UAT is the first stage in the recruitment process and it’s about the user being accepted by the business.
torbar203@reddit
"I can't connect to the guest wifi from my work laptop, so I bought a wifi repeater, connect that to the guest wifi, and connect my laptop to the repeater's wifi network. I can get online now but I can't access my Q: drive"
CobraBubblesJr@reddit
I often set up three SSIDs like Office/Devices/Guest. All encrypted with different subnets. Guest only has Internet access. Office restricted to devices owned by the business and set up accordingly. Devices is for BYOD and loopback routing with pinholes is added for printers, etc.
The only problem I run into is users will invariably try to login to Devices with their business laptops if there's any kind of glitch and then will complain they can't access the server.
OtherwiseEffective@reddit
Seems like a terrible idea to teach employees to connect to an open wifi network and then enter their AD creds to the captive portal that pops up. What stops someone from pulling into your parking lot, setting up a rogue AP with the same network name and capturing user credentials?
a60v@reddit
This. Just use 802.1x authentication, no captive portal, separate VLAN with limited/no access to the corporate networks, and enable client isolation. Done.
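The parking-lot evil twin described above is the kind of thing you can at least watch for from the wired side. As an added example (not from this thread, and not anyone's production tooling), here is a small Python check that compares a Wi-Fi scan inventory against the BSSIDs you actually deploy and flags any beacon carrying your SSID that you did not put up, any of your own APs advertising weaker security than the managed network should have, and lookalike names that differ only in case or punctuation. The SSID, BSSIDs and scan rows are constructed for the example; in practice you would feed it the output of `iw dev ... scan`, an airodump export, or the controller's rogue report.

```python
"""Flag access points impersonating or downgrading a managed SSID.

Added example for this thread, not code from the original post. The scan
inventory, SSID and BSSID allowlist below are constructed; the same row shape
(ssid, bssid, advertised security, channel) can be produced from most scanners.
"""
import re
from dataclasses import dataclass

# Lower rank == weaker. The ordering is a judgment call made for this example.
SECURITY_RANK = {
    "open": 0,
    "owe": 1,
    "wpa2-psk": 2,
    "wpa3-sae": 3,
    "wpa2-enterprise": 4,
    "wpa3-enterprise": 5,
}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str
    channel: int


def normalize_ssid(ssid: str) -> str:
    """Collapse case, whitespace and punctuation so 'Corp-BYOD' and 'corp byod' match."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def find_rogue_aps(scan, managed):
    """managed maps each SSID you operate to its BSSID allowlist and expected security:
        {"Corp-BYOD": {"bssids": {"aa:bb:..."}, "security": "wpa3-enterprise"}}
    Returns a list of (finding_kind, beacon) tuples, in scan order."""
    by_norm = {normalize_ssid(name): name for name in managed}
    findings = []
    for b in scan:
        norm = normalize_ssid(b.ssid)
        if norm not in by_norm:
            continue  # a neighbour's network, not our concern here
        real_name = by_norm[norm]
        real = managed[real_name]
        if b.bssid.lower() not in real["bssids"]:
            findings.append(("rogue_bssid", b))          # our name, not our radio
        elif SECURITY_RANK.get(b.security, 0) < SECURITY_RANK[real["security"]]:
            findings.append(("downgraded_security", b))  # our radio, wrong config
        if b.ssid != real_name:
            findings.append(("lookalike_ssid", b))       # matched only after normalizing
    return findings


# Constructed data: one legitimate BYOD SSID with two known APs.
MANAGED = {
    "Corp-BYOD": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "security": "wpa3-enterprise",
    },
}

SAMPLE_SCAN = [
    Beacon("Corp-BYOD", "aa:bb:cc:00:00:01", "wpa3-enterprise", 36),  # legitimate
    Beacon("Corp-BYOD", "aa:bb:cc:00:00:02", "wpa2-psk", 44),         # ours, misconfigured
    Beacon("Corp-BYOD", "de:ad:be:ef:00:01", "open", 6),              # evil twin
    Beacon("corp byod", "de:ad:be:ef:00:02", "open", 11),             # lookalike twin
    Beacon("Cafe-Guest", "11:22:33:44:55:66", "open", 1),             # unrelated neighbour
]

if __name__ == "__main__":
    for kind, beacon in find_rogue_aps(SAMPLE_SCAN, MANAGED):
        print(f"{kind:20} {beacon.ssid!r:14} {beacon.bssid} ch{beacon.channel} {beacon.security}")
```

The point of the `downgraded_security` branch is that an open captive-portal SSID and an evil twin of it look identical to a client; only when the real network is WPA-Enterprise does the scan give you something to compare against.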
Purple_Woodpecker652@reddit
This is the way. I have a captive portal that is pretty funny. “We all singed the policy and are adults please behave. Yes we will know. See HR for details.”
captainpistoff@reddit
The best part is you make your employees sing the policy. Hopefully you hire a lot less Katy Perrys than I hear on the radio.
Purple_Woodpecker652@reddit
Yes, they singed the policy. It's really juvenile to see one adult: "repeat for me this section before you sign about pornography? You may sing a tune if you like."
dhardyuk@reddit
I read that as burnt the policy …..
Kebabulo@reddit
Use 802.1x with a separate, isolated VLAN that's internet only.
ukAdamR@reddit
If you're only allowing particular people to use this network, who are in Active Directory, why not use 802.1X to authenticate them with PEAP or EAP-TTLS and keep the network traffic secured? (WPA2/WPA3 in enterprise mode.)
MaaS_10@reddit (OP)
I’ve considered that as well, but on Android devices the login process is quite complicated. You have to select the certificate manually, choose the encryption method (like PEAP or TLS), specify the EAP method, sometimes even enter the domain, and it can be very confusing for non-technical users. That’s why I was leaning toward an open network with a captive portal for easier onboarding.
Disturbed_Bard@reddit
That hasn't been a thing since like Android 10....
I've found Apple devices to be way more annoying with certs and lease times, due to their "privacy" MAC address switching.
WasSubZero-NowPlain0@reddit
It's definitely a thing on android 15 when using 802.1x.
On some flavours you can ignore the server cert which makes BYOD easier. However on newer Pixels, you must install a root cert to trust or it won't connect.
Ecrofirt@reddit
I have a Pixel 8 Pro XL and it is exactly as the poster described.
Before I left my last job at a college I was working on a PacketFence deployment. Android sucked with 802.1x, full stop.
I was trying to deploy a simple captive portal that you would use as a student to get a TLS certificate from RCA, which would then connect you to the secure network. A separate captive portal for guests authenticated via vouchers or sponsors with a 24-hour time limit, and then an IoT network where you could register IoT devices for yourself via the captive portal.
I had a hell of a time getting it working and got probably 90% of the way there but I couldn't get it to do what I wanted. Finding good documentation for it online was tough and ChatGPT constantly confidently lied about how to set it up.
But yeah, the Android devices sucked on secure networks.
Sobeman@reddit
Have you actually tested this on a modern Android phone?
sryan2k1@reddit
Why do you need the captive portal at all? Skip it.
ValeoAnt@reddit
Chatgpt told him so
MaaS_10@reddit (OP)
So you're recommending a completely open Wi-Fi network without any encryption at all?
Azuras33@reddit
Use WPA3-Enterprise, allow user to connect to the wifi network with their AD login, don't expose internal network on it, just internet and disable client to client communication.
sryan2k1@reddit
If it's just internet why the need to auth at all?
Azuras33@reddit
Law, if someone download illegal material with your connection, you don't want to be the only one responsible.
Also, to keep outside people out of your network.
And, to get an encrypted connection to the Wi-Fi instead of plain packet that can be easily intercept.
Squossifrage@reddit
Who cares about local interception?
TechDiverRich@reddit
In case the cops show up asking questions about online activity.
kop324324rdsuf9023u@reddit
You can still content filter it.
sryan2k1@reddit
"This is a visitor/byod network with no logging" is an acceptable answer.
SoonerMedic72@reddit
I can confirm that the FBI really does not like this answer and will question your abilities as an admin if that is your answer. No arrests though. In our case our logging had just crashed because our execs refused to buy new equipment for 15+ years. 🤷♂️
AngryBeaverSociety@reddit
Why do you care what the some agent at the FBI thinks?
SoonerMedic72@reddit
I mean I was in the process of leaving that shitshow so I didn't care, but they questioned my boss for like 3 hours insinuating he was in on some criminal plot and hinted to his boss that he was incompetent leading to him getting fired eventually. Maybe that was just because we had logs that were malfunctioning and if we had a written policy of no logs he would have been fine, but it wasn't just caring about his opinion that was concerning.
sryan2k1@reddit
I've run networks for large multinationals with dozens of locations worldwide. In the US there is no requirement to log access and "We don't keep logs" is a complete and acceptable answer.
MaaS_10@reddit (OP)
That's exactly why I plan to NAT this network behind a different public IP address than the one we use for our local LAN internet access. That way, it's completely separated. Also, we'll be able to trace the exact user responsible for any potential damage through the logs. When connecting to this network, users will be shown a disclaimer stating that they bear full responsibility for their actions, and so on.
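"Trace the exact user through the logs" is only true if the portal's auth log and the firewall's NAT translation log can be joined, and the join has to account for DHCP handing the same address to a second person later in the day. As an added example (not the OP's setup or any vendor's log format), here is the correlation in Python: build login/logout windows per client IP, then answer an outside complaint of the form "your public IP 203.0.113.10 port 40002 at 12:01" with the user who owned the internal address at that moment, or with nothing when no authenticated session covers it. The log lines are constructed in a simple key=value shape for the example.

```python
"""Attribute an outbound connection on a NAT'd BYOD VLAN to the user who
authenticated from that client IP at that moment.

Added example for this thread, not the original poster's code. The log lines
below are constructed in a simple key=value shape, not any firewall's real
format; a real deployment feeds the same fields (timestamp, user, client IP,
pre/post-NAT socket) from the device's auth and traffic logs.
"""
from datetime import datetime, timedelta

# Constructed captive-portal auth events. Note alice and carol share 10.40.1.23.
AUTH_LOG = """\
ts=2024-05-06T08:02:11 event=login user=alice ip=10.40.1.23
ts=2024-05-06T08:15:40 event=login user=bob ip=10.40.1.57
ts=2024-05-06T11:30:02 event=logout user=alice ip=10.40.1.23
ts=2024-05-06T11:42:19 event=login user=carol ip=10.40.1.23
"""

# Constructed NAT translation records from the BYOD VLAN's dedicated public IP.
NAT_LOG = """\
ts=2024-05-06T09:10:00 src=10.40.1.23:51512 nat=203.0.113.10:40001 dst=198.51.100.7:443
ts=2024-05-06T12:01:30 src=10.40.1.23:51980 nat=203.0.113.10:40002 dst=198.51.100.9:443
ts=2024-05-06T12:05:00 src=10.40.1.99:50000 nat=203.0.113.10:40003 dst=198.51.100.9:80
"""


def parse_kv(line):
    """'a=1 b=2' -> {'a': '1', 'b': '2'}"""
    return dict(tok.split("=", 1) for tok in line.split())


def parse_ts(text):
    return datetime.fromisoformat(text)


def build_sessions(auth_log, open_until=None):
    """Turn login/logout events into (user, ip, start, end) windows.
    A new login on an IP that still has an open session closes the old one,
    since the portal cannot have two users behind one address at once.
    Sessions with no logout stay open until `open_until` (default: forever)."""
    open_by_ip = {}
    sessions = []
    for line in auth_log.splitlines():
        ev = parse_kv(line)
        ts = parse_ts(ev["ts"])
        prev = open_by_ip.pop(ev["ip"], None)
        if prev:
            sessions.append((*prev, ts))
        if ev["event"] == "login":
            open_by_ip[ev["ip"]] = (ev["user"], ev["ip"], ts)
    end = open_until or datetime.max
    for prev in open_by_ip.values():
        sessions.append((*prev, end))
    return sessions


def attribute(nat_log, sessions, public_ip, public_port, when, slack=timedelta(minutes=5)):
    """Match an external complaint (public socket + time) to a NAT record,
    then to the session that owned the internal address when it was logged.
    Returns the username, or None if nothing authenticated covers it."""
    wanted = f"{public_ip}:{public_port}"
    for line in nat_log.splitlines():
        rec = parse_kv(line)
        if rec["nat"] != wanted:
            continue
        ts = parse_ts(rec["ts"])
        if abs(ts - when) > slack:
            continue  # same port reused at a different time
        src_ip = rec["src"].rsplit(":", 1)[0]
        for user, ip, start, end in sessions:
            if ip == src_ip and start <= ts < end:
                return user
    return None


if __name__ == "__main__":
    sessions = build_sessions(AUTH_LOG)
    for port, t in ((40001, "2024-05-06T09:10:30"), (40002, "2024-05-06T12:01:00"), (40003, "2024-05-06T12:05:00")):
        print(port, t, attribute(NAT_LOG, sessions, "203.0.113.10", port, parse_ts(t)))
```

The third lookup returns nothing on purpose: the address 10.40.1.99 never authenticated, which is exactly the gap a portal leaves if the firewall policy lets unauthenticated clients reach the internet at all, or if the lease outlives the portal session.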
MaaS_10@reddit (OP)
If I were to go the NPS route on a Windows Server, it would be very confusing for employees using Android devices—as I mentioned earlier in the previous comment. The setup on Android often requires selecting certificates, specifying EAP methods, entering domains, and so on, which can be overwhelming for non-technical users.
sryan2k1@reddit
Yes, you should never do 802.1x on BYOD unless you have a MDM installed on them that can push certs and configs.
-Copenhagen@reddit
Use OWE for the clients that support it.
DamDynatac@reddit
WPA3 enterprise will mean you don't need it. They login to WiFi with work credentials
sryan2k1@reddit
Doing 802.1x without MDM to load certs/configs into the device is almost universally a nightmare.
Silence_1999@reddit
One of my first jobs we had a very early implementation of 802. Had to manually load the cert on all laptops. I was just a worker-bee there. So I loaded that damn cert sooooo many times lol.
sryan2k1@reddit
Yes, for what is basically a visitor network. You could also do WPA3 with OWA.
JohnPulse@reddit
Captive portal brings you authentication, not encryption.
YSFKJDGS@reddit
It helps prevent shit like TVs and other garbage you might not want on your network from doing anything. Perfect? No.
slugshead@reddit
Loads of consumer grade stuff like consoles and TVs are incompatible with 802.1x, so another vote for that over captive portal.
YSFKJDGS@reddit
Yeah I mean honestly I assumed captive portal was for guest networks, if it turns out this is corporate side then hell no, .1x (plus more) is the answer.
kop324324rdsuf9023u@reddit
Why care if the whole purpose is a guest wifi? Send it out a dedicated guest WAN IP and call it a day.
YSFKJDGS@reddit
Even a guest network you should care at some rate what is on it. You should have upnp disabled, but you should be concerned about garbage connecting to it that then spams outside services.
I have had instances where our owned ip blocks were hitting the google rate limit anti-spam protections because shit on the guest network was hammering the outside.
Frothyleet@reddit
That's why you route it out a dedicated IP whose reputation you are not relying on. Your basic outbound filtering otherwise keeps sanity.
YSFKJDGS@reddit
When they drop the entire /28 of the site, that is when a problem occurs.
Frothyleet@reddit
I guess, but unless you have an ASN they don't know what subnetting your ISP is assigning you and they'd just be shotgunning in response to a single problematic IP.
That's not really a reasonable response to be planning for.
sryan2k1@reddit
We literally do not care. It is the guest Network
reegz@reddit
We have a captive portal because it makes someone feel warm and fuzzy. What we do is have peer isolation enabled and then dump the traffic into the dmz where it flows out to a public IP we only use for guest traffic.
The traffic is still content filtered (although not as strict and we don’t do TLS inspection for obvious reasons).
adambomb1219@reddit
This is the way
Jeroo_@reddit
For testing purposes I tried a similar thing at my org using Fortigate with open SSID and authenticating users through SAML SSO. For most it was a non issue since we had SSO configured. Also found a way to extend the authentication session to be valid for 30 days so the redirects were not as annoying.
I found it interesting for outside permanent contractors to be still able to use internal resources like printers while not having the overhead of creating local AD users and them having the convenience of authenticating through Entra ID guest users with enforced MFA.
Haven't decided yet if I should rather wait so I find the time to implement radius correctly or if I should just go with it.
Outside-After@reddit
Would not allow access at all for employees. The risk of hogging resources is too great; even if managed, someone will try to bend the rules or have a tantrum.
thegurujim@reddit
Don't use AD auth unless you can prevent the eventually saved password from triggering a lockout when they change their password on their PC.
If you need authentication have them sign up with their personal email in a captive portal. Then expire that weekly/monthly.
Frothyleet@reddit
I'd either accept a totally open guest SSID, or put a PSK on it with something like the company phone number to at least reduce "drive by" users.
Unable-Entrance3110@reddit
Not sure about best practice for BYOD Wi-Fi, but I know that it is definitely not best practice to broadcast unencrypted credentials out into the air where any yahoo can sniff them, especially AD creds at that.
We have a guest portal (UniFi) with an 8 hour window based on one-time codes.
Our BYOD is standard PSK which we rotate periodically but otherwise make well known.
The BYOD and Guest SSIDs are segmented via VLAN and only have ports necessary for web surfing open outbound. These networks are isolated at layer 2 on the upstream switches as well as isolated at the AP level.
There is no routing, whatsoever, from these networks to any other network other than the Internet.
Finally, the BYOD and Guest networks have a dedicated public IP for outbound NAT so that our main IPs are not brought down by any RBLs due to bad user behavior.
ShadowCVL@reddit
Well, it’s not a big issue from a technical standpoint since they won’t be doing any work related things on their devices, turning on client isolation would be best practice.
However, Apple (and a few Androids) are NOT gonna go smoothly. With Apple's Private Relay it'll just not display the captive portal, say relay unavailable and then just not work.
It’s easy enough to fix by turning off private relay until the authentication is done, but try explaining that to those users we all know we have.
wimpwad@reddit
You sure about that? We have that exact setup (open guest network with captive portal) and it works perfectly fine with Private Relay. It waits until after authentication to activate the private relay. Almost like Apple has been able to detect captive portals for a decade+ now...
ShadowCVL@reddit
Yeah, seen it with Extreme and Ubiquiti so far. As recently as last week.
Seems to work fine with Meraki and others.
AtlanticPortal@reddit
Why are you using a captive portal and not WPA-Enterprise?
sembee2@reddit
Is it BYOD to access company resources or just to use the Internet? If the latter, then set up a separate SSID with a PSK. For guests, have the captive portal and no key. You can use the same VLAN. Turn both off when the office is closed.
AngryBeaverSociety@reddit
Great idea! Keep their personal traffic off your network.
Why? Why go through all these extra steps. Do you need attribution? Do you have some kind of regulatory requirement? Who is asking for this? If the employees are doing something they shouldn't be, cover that in your AUP and let HR deal with that crap - policing users isn't your job (unless it is?)
Treat their traffic like any other guest. It's dirty net, short of a few minor controls (no torrents, light URL controls (with HR approval), bandwidth controls). You're over-engineering a solution that will cause you nothing but headaches.
bunnythistle@reddit
Something to be aware of is that the captive portal on FortiGates is not SSL by default, and they don't exactly make it straightforward to enable and force it either with a valid certificate. It can be done, but it'll take reading a lot of docs to get setup correctly
fireandbass@reddit
Your whole plan sucks. Why do you need anybody to sign in to the guest wifi? How are you going to stop Jim from browsing to Suzie's shared photo album on her personal MacBook?
systonia_@reddit
Your main concern, the unencrypted traffic, can be tackled by using OWA as security. This will encrypt traffic even on an open Wi-Fi
Silence_1999@reddit
If you have thousands of non-employees that are going to constantly hammer it that can be a hassle.
WhoTookMyName6@reddit
Depending on the environment. Wouldn't this be a really easy way for bad actors to capture/steal login information?
Cold-Pineapple-8884@reddit
Captive portal can use https
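Whether the portal "can use https" is something to verify rather than assume, given the earlier remark that the FortiGate portal is not SSL by default and the point about AD credentials going over the air in the clear. As an added example (not FortiGate code or documentation, and not from this thread), here is a Python check you can point at a saved copy of the portal page: it finds every form containing a password field, resolves the form action against the URL the page was served from, and reports if the page or the POST is plaintext or if the form would put credentials in a GET query string. The three portal pages below are constructed; `portal.example.com` and `10.40.0.1:1000` are placeholders.

```python
"""Check whether a captive-portal login form would send credentials in the clear.

Added example for this thread, not FortiGate code or documentation. The sample
pages and hostnames are constructed. The check is generic: a relative form
action inherits the scheme of the page it was served on, so the page URL is
required to judge the form.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect each <form> with its action, method and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._cur = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._cur is not None and (a.get("type") or "").lower() == "password":
            self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def credential_exposures(page_url, html):
    """Return a list of human-readable problems; empty means every password form
    is served over https and posts to an https target."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    password_forms = [f for f in scanner.forms if f["has_password"]]
    problems = []
    if password_forms and urlsplit(page_url).scheme != "https":
        problems.append("login page itself is served over plaintext; a rogue AP or on-path host can rewrite the form")
    for f in password_forms:
        target = urljoin(page_url, f["action"])
        scheme = urlsplit(target).scheme
        if scheme != "https":
            problems.append(f"password form posts over {scheme or 'unknown scheme'} to {target}")
        if f["method"] != "post":
            problems.append(f"password form submits via {f['method'].upper()}; credentials end up in the URL and in logs")
    return problems


# Constructed pages: (URL the page was fetched from, HTML body).
HTTP_PORTAL = (
    "http://10.40.0.1:1000/login",
    '<html><body><form method="post" action="/login">'
    '<input name="username"><input type="password" name="password">'
    '<input type="submit" value="Log in"></form></body></html>',
)
HTTPS_PORTAL = (
    "https://portal.example.com/login",
    '<form method="post" action="https://portal.example.com/login">'
    '<input name="username"><input type="password" name="password"></form>',
)
MIXED_PORTAL = (  # https page whose form has been pointed at a plaintext endpoint
    "https://portal.example.com/login",
    '<form method="post" action="http://portal.example.com/login">'
    '<input name="username"><input type="password" name="password"></form>',
)

if __name__ == "__main__":
    for name, page in (("http", HTTP_PORTAL), ("https", HTTPS_PORTAL), ("mixed", MIXED_PORTAL)):
        print(name, credential_exposures(*page) or ["ok"])
```

On an open SSID the first finding is the one that matters: even a portal that posts to an https URL is only as trustworthy as the http page that delivered the form, which is why the thread keeps coming back to WPA-Enterprise instead.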
canadian_sysadmin@reddit
If you're limiting access to employees, you probably don't need a captive portal. The only point of a captive portal is 'agreeing to terms', which employees should already be doing via policy.
Since you're going to use employee credentials, use WPA3-Enterprise. WPA3 should be the de facto standard on all networks now. You can utilize the same infrastructure for SCEP on your main network (also the way to go).
If you're going to make it secure, make it properly secure. Don't half-ass it.
datOEsigmagrindlife@reddit
In the past when I had to put in place a guest WiFi I gave it a physically separated network, including its own internet connection (which was our failover link).
We just blocked a bunch of categories that might cause problems like porn, torrents etc.
And had the WiFi password at reception and a very basic captive portal so there was at least some kind of tracking of activity if needed.
Personally I wouldn't leave any WiFi open, unless you're a McDonalds or something.
accidentalciso@reddit
Everyone is used to using WiFi passwords these days, so I would probably still put a PSK on it.
I would make sure host isolation is enabled.
I would also consider a technical policy to disallow company issued devices from connecting to the BYOD network.
I would also suggest using your network monitoring tools to keep an eye on the BYOD network so you can detect any weird behavior or potentially compromised devices. Even if the company isn’t really responsible for those devices, you want to make sure they aren’t doing bad things from your internet connection. Also, compromised personal devices affect your employees, which also can affect the business.
CeC-P@reddit
Just keep telling yourself, at least you're better than foreign contractors, even at companies worth $50 billion.
haamfish@reddit
Use wpa enterprise and have users log in that way, just have it go out to the internet.
For a guest network sure maybe a captive portal, but you could also just do a PSK and tell the people who need to know. Rotate the PSK if you need to.