Best Practices for Setting Up Employee BYOD Wi-Fi with Captive Portal

Asked By CuriousCat98 On

Hey folks! I'm working on setting up Wi-Fi for our employees who'll be using their own devices (BYOD) and I'm looking for some best practice advice. My plan is to create an open SSID (unencrypted) with a captive portal managed through a FortiGate firewall. The portal would connect to our Active Directory via LDAP to allow only selected users to log in using their AD credentials. This network will be isolated on a separate VLAN with very limited internet access and bandwidth controls.

One big concern I have is that since the SSID is open, users will see warnings that the network isn't secure. Given that this setup is akin to a public network for employees (separate from our internal network), is that a significant issue? Would love to hear your thoughts on this!

5 Answers

Answered By TechieTim87 On

You really should reconsider the captive portal altogether. If you're worried about security, just stick with an open network that doesn't require logins. The simplest solution is often the best.

SkepticalSam -

So you're actually saying we should ditch the encryption and just go completely open? Seems risky to me.

TechieTim87 -

Exactly! Just make sure there's no sensitive stuff being accessed. It's about balancing convenience and risks.

Answered By SafetyNetSteve On

From a technical perspective, the open SSID isn’t a major issue if you’re keeping the network isolated. But you might run into trouble with Apple devices due to features like Private Relay, which could block the captive portal from showing up. Just remind users to disable certain privacy settings temporarily for login, or handle those device issues upfront to avoid confusion later.

HelpfulHannah -

Sounds like a smart approach. We've had to explain some of these quirks to users, too. Just give them a heads up!

TechieTim87 -

Right? It can get messy if they don't understand why it won't connect.

Answered By SecurityGuru42 On

If you're only allowing specific employees on this network using AD credentials, consider using 802.1X authentication instead. It can secure the traffic much better than an open network. The captive portal could complicate things unnecessarily.

CuriousCat98 -

I get that, but 802.1X can be confusing, especially for non-tech users on Android. That’s why I thought a captive portal would be easier for initial access.

SafetyNetSteve -

Yeah, educating users is half the battle. Make sure to have clear instructions!

Answered By InformedIsabella On

You should know that FortiGate’s captive portal might not come with SSL out of the box. You’ll need to do some work to enable secure connections, which is essential for user trust.

SafetyNetSteve -

Yep, that might complicate things if you don't address it early on.

CuriousCat98 -

Thanks for the heads up! I’ll definitely check the documentation for that.

Answered By CautiousCathy On

Honestly, just put a PSK on the network. People are used to entering passwords for Wi-Fi these days. Also, enable host isolation to prevent devices from communicating with each other. Plus, consider monitoring this network closely to detect any unusual activity.

OverseerOtto -

A good idea! Keeping track of network behavior could save a lot of headaches later.

CuriousCat98 -

Absolutely, monitoring could help catch any potential issues early on!
