Guest WiFi Access Solution?

Our church is looking for an affordable solution (or solutions) to provide guest WiFi access with (1) a policy acknowledgment screen prior to granting access and (2) web content filtering. Any recommendations?

Many Wi-Fi Access points allow multiple SSIDs. Unifi has a guest network and one or more ‘work’ networks you can set up. Similar arrangements work for most small businesses. The Guest network in Unifi allows for an acknowledgement screen. it also allows bandwidth limits. Again, other brands have similar settings.
Unifi is very affordable, at the upper end of pricing for home units, and is very manageable. Aruba has a new line of small business Wi-Fi APs as well.

You should have filtering on a business firewall, and it likely allows multiple networks so you can heavily filter for guests and differently for staff. Both should likely use the same filtering.
To help get a good answer, identify any existing Wi-Fi equipment, your firewall, and the size of your campus to be covered. Those points will help others give useful recommendations.

Any business-grade system will allow you to run multiple SSIDs - create a separate one for guest traffic that’s bridged to an isolated VLAN (with internet-only access, or controlled access to guest resources in the building like AppleTV, printers, and so forth.

A key thing to remember though is that the captive portal (policy acknowledgement screen) is not part of the wi-fi - that all happens at Layer 3, although most wireless systems can present a captive portal. Any passwords required at the captive portal will not encrypt your guest wireless traffic the way a preshared key does (what is typically thought of as the “wifi password”). If you still want to provide secured guest access without a PSK, you’ll want a wifi system that can handle Opportunistic Wireless Encryption (OWE), also called “Enhanced Open”. This is typically found with the enterprise vendors like Cisco/Meraki, Ruckus, and Aruba (I don’t believe the InstantON product does EO, but Instant and Campus do).

Any content filtering is usually done at/by the gateway, although Aruba Instant and Campus do have the ability to do web content classification and policy enforcement at the AP as part of their segmentation framework.

All that said, ask yourself if you really need the acknowledgement screen at all - they don’t typically hold any legal water, despite counsel insisting you need one with a bunch of legalese, as a way of justifying their own existence. And they provide a point of friction for the end user.

If bandwidth is at all scarce in your environment, I recommend getting a separate internet connection for your guest users - this will also isolate it completely from your business traffic. The one thing you don’t want to do is traffic shaping - that usually winds up causing more problems than it solves.

Oh, and throw an iMac or Mac Mini on the network to cache Apple content. your internet connection will thank you.

Additional Reading:

Also be aware that hardware can be a little hard to come by right now.

We have guest WiFi for our church setup through our watchguard m270 firewall although I would assume most firewalls will do the same. Comcast also has an option for a low extra charge that will do something similar including web content filtering. It is called Comcast Business WiFi pro and you search for info on it and even watch YouTube on it. I don’t have personal experience with it but it seems very user friendly and a cheap option if it meets your needs.

1 Like

We’ve played the captive portal game for many years and it’s always been hit & miss on the user experience. We find that CP tends to become broken over time on older platforms and in particular with Apple they sort of abandon updating it once they stop supporting a particular OS but CPs within a wireless platform typically continue to advance. We’re in the process of evaluating something totally different, text based CP. Instead of using a CP page we’re using a PSK network and you can either text a shortcode to receive your key or you can go through a manual process. The advantage to this is you don’t have to do it all over again when you buy a new phone or device, you already have the key and if it’s Apple it will just connect automatically. There are platforms such as Mist that will let you assign a unique key to every single user but we’re really only concerned about having the CP from a legal standpoint so we’re just using a shared key. The nice thing about using this method is that we’ll get a valid phone number and can also send back info on how to download our App, which would then permit us to engage better with the individual. As a backup you can fill out some info on a form at our welcome center and then they will have a barcode to scan that connects you automatically. They will also have the password too in case the individual is trying to connect a laptop.

I don’t recommend mixing your content filtering with your wireless platform. All of them that I have seen are not strong filters and really won’t do much for you in the way of protection. My suggestion would be instead to use an appliance or a firewall solution. Content filtering is a tough one, the options out there aren’t great.

1 Like

For content filtering, I really like OpenDNS Family Safety for this application when an existing solution isn’t in place and you need filtering for liability and basic decency reasons. For policies, keep in mind splash pages ruin everything and only the desperate will put the effort in to get through them but if you absolutely must (you do not), and you don’t mind the liability and support burden they add (which is considerable) then your existing wifi controller typically offers this functionality. If it doesn’t, in 2021, your wifi probably doesn’t reasonably support guest access anyway.

1 Like

If you’re going to just assign a key to every user, you might as well just implement enterprise authentication at that point. MPSK really only exists so that you can get the benefits of enterprise auth (Dynamic VLAN assignment, role derivation, etc) on devices that don’t support it.

Also worth considering that any guest CP that requires social login will still require your guests to manually log into their social platform account within the captive portal browser, which on many devices (including all Apple devices) is sandboxed away from the app ecosystem as well as the system browser. There’s a very good reason you can’t just trigger an app to open from a captive portal.

Yeah; at some point it’s just easier to build a RADIUS frontend for your ChMS and let them log in that way with native controls…

Our use case on individual Keys Ian was the build something through Rock where the key would be created and linked to their account so we could track the user better and without them having to do anything new or different when they get a new device. It also means we’re tracking them and not their hardware so if they sell a device to someone else there is no purge process that has to happen there.

We have a lot of fancy options we could utilize because we deployed Mist but our experience has been that users don’t want to give out valid information about themselves and we didn’t want our solution to become too dependent on the capabilities of a platform. We built a list of functional requirements and then worked through what is the simplest solution that achieves all our critical goals. Text based CP so far has been the best we could come up with.

1 Like

We didn’t go this route because we wanted to make it simple enough it could even be deployed at a temp site with no connectivity into our main campus. RADIUS is not a bad option and we definitely looked that route but we were trying to get away from a CP page due to client compatibility issues and we wanted to try and capture a valid phone number without making people create an account in our database.

1 Like

That’s a great use of PPSK - So you’re leveraging Rock and Mist APIs to provision a unique guest wifi key? love it.