Hey everyone! I'm in the process of configuring Wi-Fi for employees using their personal devices (BYOD) and I'd love your insights on best practices. I'm planning to create an open SSID that employs a captive portal through a Fortigate firewall, connecting it to Active Directory via LDAP so selected users can authenticate using their AD credentials. The idea is to have this network separated into its own VLAN with limited internet access and bandwidth shaping. My main worry is that with the open SSID, users will encounter warnings about the network being insecure. Given that this is essentially a public-like network for employees, is this a concern I should take seriously, or is it alright? Thanks for any tips or experiences you can share!
5 Answers
If you're limiting access to specific users in Active Directory, I'd suggest using WPA2/WPA3 Enterprise with 802.1X instead of a captive portal. It keeps things secure without the hassle of a captive portal, which sometimes complicates things for users.
Yeah, it can be tricky for those not tech-savvy. How do you plan to manage that?
From a technical perspective, the unencrypted SSID isn't a major issue as long as employees aren't doing sensitive work on their devices. It's worth enabling client isolation to keep devices separate. Just be cautious with Apple products and their Private Relay; it can mess with captive portals.
Good point! We actually have the same setup, and it works fine with Private Relay too. Apple has been able to handle captive portals for a long time.
That's reassuring to hear! I'll make sure to test that out.
Just a heads up: the default captive portal on FortiGates isn't SSL secured, and getting that set up right might take a bit of work. Be sure to check that out if you're going this route!
Yeah, it’s definitely worth the extra effort to secure it properly.
Good advice! I’ll prioritize getting that sorted out as well.
A lot of people are used to Wi-Fi passwords these days, so why not consider adding a pre-shared key? Plus, don't forget to monitor the BYOD network for any unusual activity. Better safe than sorry!
Absolutely! Monitoring is key to catch any potential security issues.
Thanks for the reminder! I'll make sure to keep a close eye on that.
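The monitoring advice above is easy to say and harder to make concrete, so here is an added example (not from the thread, and not Fortinet's code) of the kind of check a defender would run over the BYOD VLAN's traffic logs. It assumes a FortiGate-style `key=value` log format, that the BYOD SSID lands on an interface called `byod_vlan`, that the BYOD subnet is `10.50.0.0/16`, and that `10.0.0.0/16` and `192.168.10.0/24` are corporate subnets; the log lines are constructed samples. It flags two things: any BYOD client reaching a corporate subnet (an accepted flow means the VLAN segmentation has a gap; a denied one means someone is probing), and clients racking up repeated policy denies.

```python
"""Flag unusual activity on a BYOD VLAN from FortiGate-style traffic logs.

Assumptions (not from the thread): the BYOD SSID sits on interface
"byod_vlan", the BYOD subnet is 10.50.0.0/16, and corporate subnets are
10.0.0.0/16 and 192.168.10.0/24. SAMPLE_LOGS are constructed for this
example in the key=value style FortiGate uses; they are not real captures.
"""
import ipaddress
import shlex
from collections import Counter

BYOD_IFACE = "byod_vlan"          # assumed interface name for the BYOD VLAN
CORP_NETS = [                     # assumed corporate subnets BYOD must not reach
    ipaddress.ip_network("10.0.0.0/16"),
    ipaddress.ip_network("192.168.10.0/24"),
]
DENY_THRESHOLD = 5                # denied flows per source before we flag it

# Constructed sample lines: one benign flow, one probe of a corporate host
# that the policy blocked, one that the policy let through (segmentation gap),
# five denies from a single client, and one flow from another interface.
SAMPLE_LOGS = [
    'date=2024-01-01 time=09:00:01 devname="fgt-edge" type=traffic subtype=forward srcip=10.50.1.20 srcport=51000 srcintf="byod_vlan" dstip=203.0.113.10 dstport=443 dstintf="wan1" action=accept',
    'date=2024-01-01 time=09:00:02 devname="fgt-edge" type=traffic subtype=forward srcip=10.50.1.20 srcport=51001 srcintf="byod_vlan" dstip=10.0.0.5 dstport=445 dstintf="corp_vlan" action=deny',
    'date=2024-01-01 time=09:00:03 devname="fgt-edge" type=traffic subtype=forward srcip=10.50.1.33 srcport=51002 srcintf="byod_vlan" dstip=192.168.10.8 dstport=3389 dstintf="corp_vlan" action=accept',
    'date=2024-01-01 time=09:00:04 devname="fgt-edge" type=traffic subtype=forward srcip=10.50.1.77 srcport=51003 srcintf="byod_vlan" dstip=203.0.113.9 dstport=22 dstintf="wan1" action=deny',
    'date=2024-01-01 time=09:00:05 devname="fgt-edge" type=traffic subtype=forward srcip=10.50.1.77 srcport=51004 srcintf="byod_vlan" dstip=203.0.113.9 dstport=23 dstintf="wan1" action=deny',
    'date=2024-01-01 time=09:00:06 devname="fgt-edge" type=traffic subtype=forward srcip=10.50.1.77 srcport=51005 srcintf="byod_vlan" dstip=203.0.113.9 dstport=445 dstintf="wan1" action=deny',
    'date=2024-01-01 time=09:00:07 devname="fgt-edge" type=traffic subtype=forward srcip=10.50.1.77 srcport=51006 srcintf="byod_vlan" dstip=203.0.113.9 dstport=3389 dstintf="wan1" action=deny',
    'date=2024-01-01 time=09:00:08 devname="fgt-edge" type=traffic subtype=forward srcip=10.50.1.77 srcport=51007 srcintf="byod_vlan" dstip=203.0.113.9 dstport=5900 dstintf="wan1" action=deny',
    'date=2024-01-01 time=09:00:09 devname="fgt-edge" type=traffic subtype=forward srcip=10.0.0.40 srcport=51008 srcintf="corp_vlan" dstip=10.0.0.5 dstport=445 dstintf="corp_vlan" action=accept',
]


def parse_log_line(line):
    """Turn a key=value line into a dict; shlex strips the double quotes."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_corporate(ip):
    """True if the address falls inside one of the assumed corporate subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def analyze(lines):
    """Return a list of findings for traffic originating on the BYOD VLAN."""
    findings = []
    denies = Counter()
    for line in lines:
        ev = parse_log_line(line)
        # Only forward-traffic events that entered on the BYOD interface matter here.
        if ev.get("type") != "traffic" or ev.get("srcintf") != BYOD_IFACE:
            continue
        src, dst, action = ev.get("srcip"), ev.get("dstip"), ev.get("action")
        if dst and is_corporate(dst):
            # An accepted flow into a corporate subnet is a segmentation gap;
            # a denied one is the policy working, but still worth a look.
            severity = "high" if action == "accept" else "medium"
            findings.append({"kind": "corp_reach", "severity": severity,
                             "src": src, "dst": dst, "port": ev.get("dstport"),
                             "action": action})
        if action == "deny":
            denies[src] += 1
    for src, count in denies.items():
        if count >= DENY_THRESHOLD:
            findings.append({"kind": "repeated_deny", "severity": "medium",
                             "src": src, "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

In practice you would feed this the syslog export from the firewall rather than a list of strings, and tune `DENY_THRESHOLD` to the real deny rate on the VLAN; the point is that "monitoring" means deciding up front which events on a BYOD segment are never expected (any reach into corporate space, bursts of denied flows) and alerting on exactly those.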
Honestly, you might not need the captive portal at all. If the network is just for employees, going completely open could simplify things. Just make sure to isolate clients to prevent them from seeing each other on the network.
But wouldn't that pose a security risk? Without any form of authentication, how do you prevent unauthorized access?
That's an interesting take! I thought captive portals would add a layer of control, but skipping it could make onboarding quicker. I'll consider it!
That's another good idea! I worry that 802.1X can be a bit complicated for some users, though.