Hotel/Conference Center SSID Design/Strategy
Posted by hobbyfarmfl@reddit | sysadmin | 16 comments
I'm rethinking the SSID strategy for our retreat/conference center facility and seeking advice/recommendations. For the point of this conversation, I'm talking about guest wifi only. And yes, it is all on its own vlan in a separate subnet from our employee/business stuff.
We have multiple accommodation/hotel areas with guest wifi and several meeting areas. Currently, each hotel location has its own SSID, i.e.: Hotel1, Hotel2, Hotel3, etc., and all the meeting space shares a common SSID, i.e.: MeetingGuest.
For a guest that is staying on-site, this means they have to connect to at least 2 SSIDs if they want internet in the room they are sleeping in and where they are having their meetings.
Spaces are far enough away that maintaining an active connection between hotel space and meeting space is not a consideration; they will drop the wifi connection.
For guest convenience's sake, it seems a single SSID is easiest. But, if a guest doesn't need internet in a meeting space, having their phone or device pinging for new email or other type of push notifications and traffic just adds unnecessary AP overhead. By keeping the SSID on the hotel side separate, it helps to limit these extra connections.
So, what would/have you done, and why?
- Separate SSIDs like we have now for all our hotel spaces plus one for meeting space
- 2 guest SSIDs, one for hotel spaces and one for meeting spaces
- 1 guest SSID across the entire facility
- Something else I'm missing?
Thanks for your thoughts and insight.
sryan2k1@reddit
One massive SSID, guest isolation enabled, multicast mitigations enabled, no password or splash page if legal will allow it, and some sane per client rate limiting.
KillingTime1212@reddit
This. Avoid splash pages. Just make it easy. Make sure nothing is being blocked. Wide open.
hobbyfarmfl@reddit (OP)
Thank you. Same ISP across the campus.
You're saying you'd make subnets different between buildings? Can you explain how this would make management/troubleshooting easier?
KillingTime1212@reddit
If you have a single gateway that’s large enough to handle the load, make it one big subnet.
We have our main open SSID with client isolation enabled. We have a second SSID that has a password changed once a month that has isolation disabled. This is for people that need to talk to a printer or another device, like screencast.
We keep it simple.
hobbyfarmfl@reddit (OP)
Thanks.
hobbyfarmfl@reddit (OP)
Thank you. I don't know all the reasons, I inherited about a year ago. I'm at the point of evaluating if this is how I want to manage it.
One reason I can think of is different groups may have different needs, i.e., wanting to restrict access so only those with the password can access it (think youth groups). In practicality, this is not requested very often and I'm thinking it will be easier to manage in the long run using one-off SSIDs when necessary and making this an up-charge. I.e.: all campus locked down, all meeting facilities locked down, everything locked down except one meeting facility or one hotel unit, etc.
SevaraB@reddit
Bingo. Monitor by BSSID, not by SSID. OP mentioned there’s enough distance between the meeting APs and hotel guest APs that there shouldn’t be mixed usage on any single BSSID. Right with you on client isolation and multicast trimming; any east-west needs like AirTame should be carved off and handled separately and not using a “general” SSID (don’t monitor Internet activity, but do monitor east/west traffic).
DrDuckling951@reddit
One reason I can think of is the conference setting where the presenter may want to share the screen of their mobile to the screen. I have seen some hotels have a dedicated AP that we have to pay extra to use for such a use case. The AP SSID is hidden and we have to connect manually. The AP is then turned off after the scheduled event. The phone reconnects back to the hotel SSID afterward. IIRC we paid like $300 for the 2-hour session. Pricey... but it's the company's money...
pdp10@reddit
Assuming that the authentication domain is intended to be the same, then one SSID.
hobbyfarmfl@reddit (OP)
Thank you
origindigitalsignage@reddit
A single SSID for the entire facility seems like the most user-friendly approach, especially for guests juggling multiple locations. You could potentially mitigate some of the overhead concerns with clever AP placement and configuration to manage roaming effectively.
MyPlaceHQ@reddit
Option 2. Collapse Hotel1/2/3 into a single "HotelGuest" SSID - guests shouldn't have to think about which one to connect to. Keep MeetingGuest separate.
Your overhead concern is valid. During a session, you don't want 40 phones sitting on the same network as the presentation room constantly pinging for notifications. Different SSIDs also make it easy to set different bandwidth rules for each without them stepping on each other.
hobbyfarmfl@reddit (OP)
Thank you.
Adept_Strategy_9545@reddit
One for the whole facility. The complexity isn’t worth trying to nickel and dime meeting attendees.