Five tips for managing guest wireless network access

With the proliferation of mobile devices, guest access to enterprise networks is more common. IT can maintain security with tools such as identity management and per-session security keys.

One of the first major extensions to enterprise wireless LAN systems was guest access, enabling nearly anyone to connect to an organizational WLAN for Internet access. Just as IT does with the organization's employees, it should set a policy for guest wireless network access.

More people are bringing smart devices into enterprise settings than ever before, and they aren't always employees. Nowadays, it's safe to assume that visitors come into organizations accompanied by a Wi-Fi-enabled phone. IT can set them up with Internet access, but even for organizations without major security concerns, it makes sense to put some restrictions on outsiders accessing the enterprise wireless network.

IT can provide visitors with access to an enterprise network by setting up a separate service set identifier (SSID) whose traffic is routed to the wide area network (WAN) only; all other elements and services on the LAN remain invisible to guests. Need to provide access for contractors on a corporate network? Would no-cost Internet service help attract and retain customers? Provisioning guest wireless access, then, looks like a no-brainer.

It's not quite so simple. The definition of guest access keeps broadening, and IT departments need to put in place a few safeguards that most organizations overlook. Consumer-grade devices will soon account for the majority of traffic on enterprise networks, so IT should carefully think through a network access policy for guests rather than just providing a click-here-to-activate default for organizational outsiders.

Taking guest access precautions

Providing guest access isn't just about limiting Internet routing. In fact, most organizations should think of guest access as another class of service (CoS) enabled on the network. Also, guest access doesn't have to boil down to a single set of IT-approved capabilities. Instead, organizations can customize services for different types of guest users.

Here are five things to consider when setting up a network access policy for guests:

Operational specifications. Focus on the client base, and determine what services IT should enable accordingly. Internet access is usually a given, but IT may want to restrict access to some sites. IT can also enable printing or limited access to a public file directory for some outsiders, such as collaborative, long-term or even high-priority guests. Quality of service (QoS) is also a consideration; many enterprises prioritize guest services lower than most, if not all, other traffic. Some organizations may also prefer to limit access to a defined set of allowed devices and operating systems to minimize opportunities for mischief.

Per-session WPA2 keys. Look for third-party services that automatically assign security keys on a per-user basis. Don't just give out a single password to everyone; per-user, per-session keys make it easier to block a specific troublesome guest user with no interruption to everyone else. Enterprise-grade guest wireless network access should require security at the WPA2 level or greater -- 802.1X, IPsec, SSL, or a similar level of security. No company should ever leave its wireless network open.

Splash-page agreement. Organizations should list their local network access policies on a splash page that any connecting guest must pass through before connecting to the network. That page should include a "click here to agree" button. This provides a degree of protection if a guest violates IT's policies or even local laws.

Credentials expiration. Login credentials for guests should expire after a pre-defined period, such as the end of the work day, 24 hours or a multi-day (but preferably brief) engagement. Credentials that do not expire often become a security hole, allowing unauthorized reentry onto the network down the road.

Identity management. Many WLAN system vendors offer identity management (IDM) capabilities that enable IT to collect guest credentials information. Companies can capture and maintain this data for their own analysis of guest network usage. IDM services also make it easy to create multiple classes of guests and apply different permissions to different groups. After all, enterprises often have several types of visitors -- some who require different levels of network access than others.

Although consumer-grade WLANs increasingly offer a guest-access function, smaller organizations shouldn't trick themselves into thinking they can skip out on an enterprise-class WLAN system, which is designed for use in large, diverse environments. Only enterprise-grade systems can address the requirements noted above.

Guest access is really just another CoS with an associated QoS, and security and routing policies applied in parallel with other traffic. It boils down to a set of policies for a particular class of users, often with multiple classes of "guest" defined, with routing and permissions carefully customized to individual local needs. Identity management allows IT to easily change these policies to meet the inevitable evolution of provisioned network access. Allow guest wireless access, but don't forget IT's priority is still to manage and secure the network.

How does your organization manage guest access to its network?
These are some very useful tips. The technology has come a long way to making this a lot easier to deploy and manage. We use Aerohive Networks at my school, and it's point and click for secure guest Wi-Fi. We really try to go above and beyond to give our guests a good experience. Nothing is more frustrating than slow guest Wi-Fi. Guests get fast and free access to the internet, but nothing else. I can also rate limit and block a lot of application types (BitTorrent protocol, etc.). They also have a nice ID Manager solution for more advanced needs.

Good set of basics in the article, but I believe overall that the "best" way to deliver enterprise-grade WLAN services is going to be by way of a service provided by a carrier (call it WLANaaS). Providing and managing Enterprise WLAN connectivity requires a skillset, particularly on the RF end, that is not always found in the enterprise IT skillset.

Just a quick question/concern: How are you blocking BitTorrent? Have you verified this is working by actually attempting to use a BitTorrent client?

The problem here is that BitTorrent does not use a specific set of ports, is often encrypted, and cannot be denied by port or destination address. BitTorrent is designed to be elusive.

Mitigating it requires a deep-packet inspection product (like Sandvine for instance) to even correctly interpret traffic as "behaving" like BitTorrent.

Jeremy D. Ward, CWNE
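The point raised in the comment above, as an added illustration (not the commenter's code, nor a feature of Sandvine or Aerohive): a port-based rule misses a plaintext BitTorrent handshake sent over port 443, a payload signature catches it on any port, and an obfuscated peer connection defeats both, which is why behavioural deep-packet inspection is needed. All sample flows are constructed; only the handshake prefix is the real protocol string.

```python
"""Added illustration (not the commenter's code, nor a Sandvine or Aerohive
feature): why a port-based BitTorrent block is unreliable, and what a payload
signature can and cannot see. All sample flows below are constructed."""
from dataclasses import dataclass

# A plaintext peer-wire handshake begins with pstrlen=19 followed by the protocol string.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
# Ports a naive rule might block; BitTorrent clients are not required to use them.
LEGACY_BT_PORTS = range(6881, 6890)


@dataclass(frozen=True)
class Flow:
    name: str
    dst_port: int
    payload: bytes   # first client-to-server bytes of the TCP stream


def port_verdict(flow: Flow) -> str:
    """What a port-only firewall rule would decide."""
    return "block" if flow.dst_port in LEGACY_BT_PORTS else "allow"


def payload_verdict(flow: Flow) -> str:
    """Signature check on the first bytes, independent of port."""
    if flow.payload.startswith(BT_HANDSHAKE_PREFIX):
        return "block"          # plaintext BitTorrent handshake on any port
    if flow.payload.startswith(b"GET ") or flow.payload.startswith(b"\x16\x03"):
        return "allow"          # looks like HTTP or a TLS record
    return "unknown"            # obfuscated/encrypted peer traffic needs behavioural DPI


def classify(flows):
    """Return {flow name: (port verdict, payload verdict)}."""
    return {f.name: (port_verdict(f), payload_verdict(f)) for f in flows}


# Constructed handshake: prefix + 8 reserved bytes + 20-byte info_hash + 20-byte peer_id.
_FAKE_HANDSHAKE = BT_HANDSHAKE_PREFIX + bytes(8) + b"\x11" * 20 + b"-XX0000-000000000000"

SAMPLE_FLOWS = [
    Flow("bt_default_port", 6881, _FAKE_HANDSHAKE),
    Flow("bt_on_443", 443, _FAKE_HANDSHAKE),                          # port rule misses this
    Flow("https", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00"),           # start of a TLS ClientHello
    Flow("bt_obfuscated", 51413, bytes.fromhex("9a3f0c77e1b2d4a5")),  # opaque bytes, MSE-style
]
```

Running classify(SAMPLE_FLOWS) shows the gap the comment describes: the flow on port 6881 is caught by both checks, the same handshake on port 443 slips past the port rule, and the obfuscated flow is "allow" by port and "unknown" by signature, so a verdict for it can only come from traffic behaviour, not from a fixed header.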

I'm the IT Mgr for a school; we have 9 APs and the former Sys Admin left them with the same SSID and a generic password. I was asked to reconfigure it so guests will have per-user, per-session keys assigned to them. Is it doable on Cisco Aironet 1131AG?

We manage guest access by using a segregated WLAN that guests must log into. If the guest requires a longer term solution, such as for extended onsite work, then we create an AD account for their use, which is subject to the same monitoring and filtering as the rest of the machines on the network.

I guess it's not only guest access that's an issue, but even the multiple devices that employees bring onto the network. For instance, I carry my company-issued laptop, my personal laptop, mobile phone, and tablet every day, and often use each of them at some point in the day. The company has accounted for this in some respects by having segregated wireless networks for computers, mobile devices, and guests.