Five tips for managing guest wireless network access

With the proliferation of mobile devices, guest access to enterprise networks is more common. IT can maintain security with tools such as identity management and per-session security keys.

One of the first major extensions to enterprise wireless LAN systems was guest access, enabling nearly anyone to connect to an organizational WLAN for Internet access. Just as IT does with the organization's employees, it should set a policy for guest wireless network access.

More people are bringing smart devices into enterprise settings than ever before, and they aren't always employees. Nowadays, it's safe to assume that visitors come into organizations accompanied by a Wi-Fi-enabled phone. IT can set them up with Internet access, but even for organizations without major security concerns, it makes sense to put some restrictions on outsiders accessing the enterprise wireless network.

IT can provide visitors with access to an enterprise network by setting up a service set identifier that limits routing to wide area network traffic only; all other elements and services on the LAN remain invisible to guests. Need to provide access for contractors on a corporate network? Would no-cost Internet service help attract and retain customers? Provisioning guest wireless access, then, looks like a no-brainer.

It's not quite so simple. The definition of guest access keeps broadening, and IT departments need to put in place a few safeguards that most organizations overlook. Consumer-grade devices will soon account for the majority of traffic on enterprise networks, so IT should carefully think through a network access policy for guests rather than just providing a click-here-to-activate default for organizational outsiders.

Taking guest access precautions

Allow guest wireless access, but don't forget IT's priority is still to manage and secure the network.

Providing guest access isn't just about limiting Internet routing. In fact, most organizations should think of guest access as another class of service (CoS) enabled on the network. Also, guest access doesn't have to boil down to a single set of IT-approved capabilities. Instead, organizations can customize services for different types of guest users.

Here are five things to consider when setting up a network access policy for guests:

Operational specifications. Focus on the client base, and determine what services IT should enable accordingly. Internet access is usually a given, but IT may want to restrict access to some sites. IT can also enable printing or limited access to a public file directory for some outsiders, such as collaborative, long-term or even high-priority guests. Quality of service (QoS) is also a consideration; many enterprises prioritize guest services lower than most, if not all, other traffic. Some organizations may also prefer to limit access to a defined set of allowed devices and operating systems to minimize opportunities for mischief.

Per-session WPA2 keys. Look for third-party services that automatically assign security keys on a per-user basis. Don't just give out a single password to everyone; per-user, per-session keys make it easier to block a specific troublesome guest user with no interruption to everyone else. Enterprise-grade guest wireless network access should require security at the WPA2 level or greater -- 802.1X, IPsec, SSL, or a similar level of security. No company should ever leave its wireless network open.

Splash-page agreement. Organizations should list their local network access policies on a splash page that any connecting guest must pass through before connecting to the network. That page should include a "click here to agree" button. This provides a degree of protection if a guest violates IT's policies or even local laws.

Credentials expiration. Login credentials for guests should expire after a pre-defined period, such as the end of the work day, 24 hours or a multi-day (but preferably brief) engagement. Credentials that do not expire often become a security hole, allowing unauthorized reentry onto the network down the road.

Identity management. Many WLAN system vendors offer identity management (IDM) capabilities that enable IT to collect guest credential information. Companies can capture and maintain this data for their own analysis of guest network usage. IDM services also make it easy to create multiple classes of guests and apply different permissions to different groups. After all, enterprises often have several types of visitors -- some who require different levels of network access than others.
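The per-user keys, credential expiration and guest classes described in the tips above, combined in one added illustration (this is example code written for this article, not a vendor's product or any WLAN system's API); the class names, permission sets and validity periods are assumptions chosen for the example:

```python
"""Added example: a minimal guest-credential registry showing per-user keys,
expiring credentials and class-based permissions. Class names, permission
sets and durations below are assumptions for illustration only."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Guest classes map to permission sets (assumed values; tailor to local policy).
GUEST_CLASSES = {
    "visitor":    {"internet"},
    "contractor": {"internet", "print", "public_share"},
}


@dataclass
class GuestCredential:
    username: str
    key: str            # unique per guest, so one guest can be cut off alone
    guest_class: str
    expires_at: datetime
    revoked: bool = False


class GuestRegistry:
    def __init__(self):
        self._creds = {}

    def issue(self, username, guest_class, valid_for, now=None):
        """Create a per-user key that expires after `valid_for` (a timedelta)."""
        if guest_class not in GUEST_CLASSES:
            raise ValueError(f"unknown guest class {guest_class!r}")
        now = now or datetime.now(timezone.utc)
        cred = GuestCredential(username, secrets.token_urlsafe(16),
                               guest_class, now + valid_for)
        self._creds[username] = cred
        return cred

    def revoke(self, username):
        """Block one troublesome guest without touching anyone else's key."""
        self._creds[username].revoked = True

    def authorize(self, username, key, now=None):
        """Return the permission set for a valid login, or None if denied."""
        now = now or datetime.now(timezone.utc)
        cred = self._creds.get(username)
        if cred is None or cred.revoked or now >= cred.expires_at:
            return None
        if not secrets.compare_digest(cred.key, key):
            return None
        return set(GUEST_CLASSES[cred.guest_class])
```

Expired or revoked credentials fail closed in `authorize`, which is the behaviour the "credentials expiration" tip calls for.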

Although consumer-grade WLANs increasingly offer a guest-access function, smaller organizations shouldn't trick themselves into thinking they can skip out on an enterprise-class WLAN system, which is designed for use in large, diverse environments. Only enterprise-grade systems can address the requirements noted above.

Guest access is really just another CoS with an associated QoS, and security and routing policies applied in parallel with other traffic. It boils down to a set of policies for a particular class of users, often with multiple classes of "guest" defined, with routing and permissions carefully customized to individual local needs. Identity management allows IT to easily change these policies to meet the inevitable evolution of provisioned network access. Allow guest wireless access, but don't forget IT's priority is still to manage and secure the network.
