Technology question - wifi


Kurt Buff

Nov 18, 2025, 3:46:24 PM
to ntsys...@googlegroups.com
I don't think I've asked this before, but remind me if I have....

We're switching away from Meraki wireless infra, going to Cambium.

Cambium have got a cool feature they call ePSK.

When implemented, the VLAN your machine lands on depends on the password you use to connect to the SSID. Cuts way, way down on beaconing, allows better network segmentation, etc.

However...

I've got a GPO in place that prohibits machines from connecting to our guest and IoT SSIDs, because the VLANs they use don't have access to our production environment - all they get is Internet access, so any domain-joined machines become unmanageable - All of our management tools are on-prem-oriented (WSUS, Bomgar, Kace).

If we switch to ePSK, that GPO becomes useless.

I haven't found anything on how to prevent the users from putting their machines on a guest network (the password for which will be posted in conference rooms, etc.)

The only thing I can think of is to move to WPA Enterprise with machine and user certificates, but our CIO has nixed that (doesn't like RADIUS, for some inexplicable reason - and believe me, I've asked) - and even then, I don't know how I can prevent users from putting in a guest password and connecting.

Does anyone have ideas on how to handle this?


Kurt

(given my recent announcement, you can imagine that I don't have a lot at stake here, but I am still trying to help out.)

Wright, John M

Nov 18, 2025, 3:59:22 PM
to ntsys...@googlegroups.com

In all seriousness, you might consider setting the guest password to something inconvenient like #@Jfsdf2dA%.

Even if the users accidentally or perversely connect to the Guest network, they’ll almost certainly muff the password as they not infrequently can’t enter their own.


--

John Wright

IT Support Specialist


Erik Goldoff

Nov 18, 2025, 4:02:19 PM
to ntsys...@googlegroups.com
Does the guest SSID work with a captive portal, as in the user has to click to acknowledge terms of (guest) service before passing through to the internet?

Erik


Kurt Buff

Nov 18, 2025, 4:43:55 PM
to ntsys...@googlegroups.com
No, it does not. It was decided long ago not to do that.

Kurt

Kurt Buff

Nov 18, 2025, 4:44:58 PM
to ntsys...@googlegroups.com
Oh, man, that would be nice, but it's very simple now - just two lower case words concatenated.

Kurt

George Cole

Nov 18, 2025, 8:29:57 PM
to ntsys...@googlegroups.com
Lurker here, I do this with a GPO that hides the SSIDs of the guest network for domain-joined devices. Can't see it, can't access it.

George 

