# SSID Security, Guest Networks, and Authentication
## Key Takeaways
- An SSID identifies a wireless network, but SSID hiding is not a meaningful security control.
- Guest networks should be isolated from internal systems and usually allow only internet access.
- Captive portals help with guest acknowledgement or onboarding but do not replace encryption or segmentation.
- WPA2 and WPA3 protect Wi-Fi traffic; WPA3 improves personal-mode authentication with SAE.
- Enterprise wireless commonly uses 802.1X with a RADIUS server for per-user or per-device authentication.
Wireless security questions usually hinge on two facts: who is connecting and what that client should be allowed to reach. A sound design treats employee access, guest access, device identity, encryption, and network policy as separate decisions.
## SSID Design
An SSID is the network name that clients select. Organizations may broadcast multiple SSIDs from the same access points, but each additional SSID adds management overhead and consumes airtime with its own beacon and management frames.

| SSID | Users | Typical access |
|---|---|---|
| Corp | Managed employee devices | Internal applications based on user or device policy |
| Guest | Visitors and personal devices | Internet only, blocked from internal RFC1918 ranges |
| IoT | Printers, cameras, sensors, facilities devices | Limited device-specific access |
| Voice | Wireless phones or voice devices | Voice VLAN, QoS, limited call services |
SSID hiding does not provide strong security: the name is only omitted from beacons, and it still appears in probe requests, probe responses, and association frames that any receiver within range can see. Use modern encryption, authentication, and segmentation instead.
## Personal and Enterprise Security

| Mode | Authentication model | Best fit | Notes |
|---|---|---|---|
| WPA2-Personal | Shared passphrase | Small office or home | Everyone uses the same secret |
| WPA3-Personal | Shared passphrase with SAE | Small deployments with modern clients | Better protection against offline guessing than WPA2-Personal |
| WPA2-Enterprise | 802.1X with RADIUS | Business WLAN | Per-user or per-device authentication |
| WPA3-Enterprise | 802.1X with stronger options | Higher-security business WLAN | Requires compatible infrastructure and clients |
Enterprise mode matters because the organization can revoke a single user or device at the RADIUS server without rotating a passphrase that everyone shares.
## 802.1X and RADIUS Flow
In enterprise wireless, the client is the supplicant, the access point or controller is the authenticator, and the RADIUS server is the authentication server.
Typical flow:
- Client associates to the SSID.
- AP blocks normal data traffic until authentication succeeds.
- Client and RADIUS server run an EAP method through the AP, such as EAP-TLS with client certificates or PEAP with a username and password; the AP only relays the EAP frames.
- RADIUS returns Access-Accept or Access-Reject; an Access-Accept may carry policy attributes such as a VLAN assignment.
- AP places the client into the correct VLAN or applies the correct access policy.
Common exam clue: if a company needs unique user accountability and centralized wireless authentication, choose WPA2-Enterprise or WPA3-Enterprise with RADIUS, not a shared passphrase.
## Guest Networks and Captive Portals
Guest WLANs should be designed as untrusted networks.

| Requirement | Implementation |
|---|---|
| Visitors need internet | Allow DNS, HTTP, and HTTPS outbound |
| Visitors must not reach internal servers | Deny guest VLAN to internal subnets |
| Visitors must accept terms | Use a captive portal |
| Guest traffic must not affect business apps | Apply bandwidth limits or QoS controls |
| Temporary access is required | Use expiring vouchers or time-limited accounts |
A captive portal is often used for acknowledgement, registration, or payment. It is not a substitute for WPA2 or WPA3 encryption. If the WLAN is open and relies only on a portal, frames travel over the air unencrypted, so only traffic protected by the application itself (for example HTTPS) is shielded from eavesdropping, whereas an encrypted WLAN protects every frame. WPA3's Enhanced Open (OWE) closes this gap for passphrase-less guest networks by encrypting traffic without requiring a shared secret.
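The guest requirements in the table above reduce to an ordered policy: deny anything bound for internal address space, then permit only the services visitors need, then drop everything else. The Python below is an added example, not code from the original page or from any firewall vendor; it models that policy as a first-match rule list, evaluates it against constructed sample flows, and contrasts it with the same two rules in the wrong order, which lets a guest reach an internal HTTPS server. The guest subnet, the internal host addresses, and the flows are made up for the illustration (public destinations use the RFC 5737 documentation ranges).

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 space the guest VLAN must never reach (matches the "internal subnets" row).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services the guest table permits outbound: DNS, HTTP, HTTPS.
GUEST_SERVICES = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    src: str      # guest client address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def evaluate(flow, rules):
    """First-match evaluation of (action, dst_networks, services) rules.

    None for dst_networks or services means "any". A flow matching no rule
    falls through to the implicit deny at the end of the list.
    """
    dst = ipaddress.ip_address(flow.dst)
    for action, networks, services in rules:
        net_match = networks is None or any(dst in net for net in networks)
        svc_match = services is None or (flow.proto, flow.dport) in services
        if net_match and svc_match:
            return action
    return "deny"


# Correct order: the internal-range deny is evaluated before the service allow.
GUEST_RULES = [
    ("deny", INTERNAL_RANGES, None),
    ("allow", None, GUEST_SERVICES),
]

# Weak order: the broad service allow comes first and shadows the deny, so a
# guest can reach an internal web server on 443 even though the deny rule exists.
MISORDERED_RULES = [
    ("allow", None, GUEST_SERVICES),
    ("deny", INTERNAL_RANGES, None),
]

# Constructed sample flows from a guest client at 10.250.3.7 (assumed guest VLAN).
SAMPLE_FLOWS = {
    "web_to_internet": Flow("10.250.3.7", "203.0.113.10", "tcp", 443),
    "dns_to_internet": Flow("10.250.3.7", "198.51.100.53", "udp", 53),
    "ssh_to_internet": Flow("10.250.3.7", "203.0.113.10", "tcp", 22),
    "web_to_internal": Flow("10.250.3.7", "10.1.5.20", "tcp", 443),
    "smb_to_internal": Flow("10.250.3.7", "192.168.10.4", "tcp", 445),
}


def audit(rules):
    """Return the verdict for every sample flow under the given rule list."""
    return {name: evaluate(flow, rules) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("correct order", GUEST_RULES), ("misordered", MISORDERED_RULES)):
        print(label)
        for name, verdict in audit(rules).items():
            print(f"  {name:16} {verdict}")
```

Because the guest subnet is itself RFC 1918, the deny rule also blocks guest-to-guest unicast, which is the client-isolation behaviour most guest WLANs want anyway. A production ruleset would additionally need stateful return-traffic handling, which this model leaves out.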
## PBQ-Style Wireless Security Scenario
Facts:
- Employees need internal application access.
- Contractors need internet and one project portal.
- Visitors need internet only.
- The help desk is overwhelmed when a shared Wi-Fi password changes.
Better design:
- Use an enterprise SSID with 802.1X and RADIUS for employees.
- Use group or role attributes to place users into the right VLAN.
- Put contractors on a restricted VLAN that can reach only the project portal and internet services.
- Put visitors on a guest VLAN with a captive portal and no internal access.
- Avoid using one shared passphrase for all business access.
The key is separating authentication from authorization. RADIUS proves who the user or device is, and VLAN or firewall policy decides what that identity can reach.
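The last two steps of the 802.1X flow above, and the role-to-VLAN placement in this scenario, come down to what the authenticator does with the RADIUS response: read the code (Access-Accept or Access-Reject) and, on an accept, the RFC 2868 tunnel attributes that name a VLAN (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number). The Python below is an added example, not code from the original page or from any RADIUS server or controller; it parses constructed Access-Accept and Access-Reject packets, whose authenticator field is a zeroed placeholder rather than a real MD5 response authenticator, and returns the VLAN the client should land in. The user names, VLAN numbers, tag values and the `default_vlan` parameter are assumptions for the illustration.

```python
import struct

# RFC 2865 codes and attribute types used here.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_USER_NAME, ATTR_TUNNEL_TYPE = 1, 64
ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 65, 81
# RFC 2868 values that together mean "put this session in a VLAN".
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def parse_attributes(payload):
    """Walk RFC 2865 attribute TLVs: one octet type, one octet total length, value."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("attribute length out of range")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, attributes), checking the header."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    # packet[4:20] is the Response Authenticator; a real authenticator must verify
    # it with the shared secret before trusting any attribute in the response.
    return code, ident, parse_attributes(packet[20:])


def is_well_formed(packet):
    """True when the header and attribute lengths are internally consistent."""
    try:
        parse_packet(packet)
        return True
    except ValueError:
        return False


def split_tag(value):
    """RFC 2868 tunnel attributes may begin with a tag octet in 0x00..0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_response(packet, default_vlan=None):
    """Return the VLAN an authenticator should apply, or None to keep the client blocked.

    An Access-Reject, or anything that is not an Access-Accept, yields None.
    An Access-Accept without a complete VLAN attribute set yields default_vlan,
    i.e. the SSID's statically configured VLAN (None if there is none).
    """
    code, _ident, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attribute type: decoded value}
    for atype, value in attrs:
        if atype not in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, body = split_tag(value)
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            decoded = body.decode("ascii", errors="replace")
        else:
            decoded = int.from_bytes(body, "big")   # three octets after the tag
        groups.setdefault(tag, {})[atype] = decoded
    for g in groups.values():
        if (g.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and g.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            return int(g[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    return default_vlan


def build_packet(code, attrs, ident=1):
    """Construct a RADIUS packet for testing; the authenticator is a zero placeholder."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed sample responses (not captured from a real server).
EMPLOYEE_ACCEPT = build_packet(ACCESS_ACCEPT, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_TUNNEL_TYPE, b"\x00\x00\x00\x0d"),          # tag 0, VLAN (13)
    (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),   # tag 0, IEEE-802 (6)
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20"),  # tag 0, employee VLAN 20
])
CONTRACTOR_ACCEPT = build_packet(ACCESS_ACCEPT, [
    (ATTR_USER_NAME, b"bob"),
    (ATTR_TUNNEL_TYPE, b"\x01\x00\x00\x0d"),          # tag 1 on all three attributes
    (ATTR_TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"30"),  # contractor VLAN 30
])
ACCEPT_NO_VLAN = build_packet(ACCESS_ACCEPT, [(ATTR_USER_NAME, b"carol")])
REJECT = build_packet(ACCESS_REJECT, [])

if __name__ == "__main__":
    for name, pkt in (("alice", EMPLOYEE_ACCEPT), ("bob", CONTRACTOR_ACCEPT),
                      ("carol", ACCEPT_NO_VLAN), ("reject", REJECT)):
        print(name, "->", vlan_from_response(pkt, default_vlan=10))
```

The separation the scenario describes is visible in the code: the RADIUS server decides accept versus reject and names a role through the tunnel attributes, while the authenticator only maps that answer onto a VLAN; the firewall policy attached to that VLAN then decides what the identity can reach.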
A company wants each employee to use individual credentials for Wi-Fi and wants to disable one user without changing a shared password. Which option best fits?
Which controls are appropriate for a guest wireless network? Choose two.
What does a captive portal primarily provide in a guest WLAN design?