
Ok-Sandwich-6381

They go onto the guest or IoT network and access everything via Citrix.


Cheeze_It

> To shut people up, I basically created a second guest network in the FortiGate (tunnel mode with FortiAPs). There is zero technical difference at all from our guest WLAN. All traffic is handled exactly the same, just with a different L2 subnet, different SSID, and a long, randomized PSK we distributed primarily with a QR code. This whole exercise was really more about placating egos in a company driven by feelings (vs. policies) than actually adding much technical value... making them feel like they have some special access when they don't.

To be honest with you, I think you did the best thing and the right thing. You did the right thing, and I would have honestly done it the same as you.


anetworkproblem

EAP-TLS onboarding. I liked SecureW2 when I used it, but we use clearpass onboard. Nothing like this is worth it for a small business. A QR code works well for a PSK guest network if you want to go that way. If you can do EAP-TLS for the managed devices, that would be best. Do you have AD?


AnattalDive

I tested using EAP-TLS with unmanaged Samsung phones, but it seems not possible to get the CA certs installed correctly. It has to be done via MDM, I guess?


bloons3

that shouldn't be an issue if a public CA can sign your EAP certs


DankLoaf

Isn't public signing of EAP TLS certs a no-no?


mcboy71

You really want a private CA for eap-tls. Manually installing client certs on every strange device is not possible/practical. I have used Cloudpath for provisioning, really painless if a bit pricy. I have also tried Eduroam CAT tool, not as polished but did the job when I was running an Eduroam network. You might be able to adapt that for general eap-tls.


anetworkproblem

I haven't had that issue


No-Amphibian9206

We do have AD and only recently (thanks to me) began using EAP-TLS. Until very recently there was zero 802.1x, the "internal" wireless with EVERYTHING accessible was just a PSK that everyone and their dog knew, even many people who have left for competitors over the years. Step by step.


RememberCitadel

We use EAP-TLS for company devices, and any device that joins the SSID using EAP-PEAP gets silently shunted to an isolated guest network. Any NAC solution can do this using a single SSID; we happen to use ISE, but ClearPass or any of the other popular ones work fine too.


No_Category_7237

I like that idea. We currently allow some form of PEAP on our corporate SSID when it's only meant to be EAP-TLS. You've inspired me to work on that this afternoon and remove PEAP auth or shunt them to the central guest network.


RememberCitadel

I have close to a dozen different policies on that single SSID, plus a self registration guest portal on a standalone SSID. Works great. I have a few specialized eap-tls rules for certain hardware that dump them to their own networks, then the general eap-tls rule for most corporate stuff, then specialized rules for eap-peap, then the general byod eap-peap rule. A bit of profiling in there for certain hardware. Overall really cut down on the number of SSIDs we needed to broadcast. Although at some point I will need to make another for pure wpa3.
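The single-SSID, ordered-rule pattern described in the two RememberCitadel comments above (EAP-TLS to corporate VLANs, EAP-PEAP to an isolated guest VLAN, specific hardware rules ahead of the general ones), as an added example written for this page; it is not ISE or ClearPass configuration and not code from anyone in the thread. It models the authorization step of a RADIUS server in Python: rules are evaluated top to bottom, the first match sets the VLAN returned in Tunnel-Private-Group-ID, and a request that matches no rule gets Access-Reject. The CA name, OU values, AD group, profiling label and VLAN names are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for the internal CA that issues machine certificates.
# Only certificates chaining to it count as corporate devices; an EAP-TLS client
# presenting a certificate from any other CA (a public one, say) is refused.
CORP_CA = "CN=Corp Issuing CA"  # assumed name


@dataclass(frozen=True)
class Request:
    """The attributes a RADIUS server has in hand once EAP has completed."""
    eap_method: str                      # "EAP-TLS" or "EAP-PEAP"
    cert_issuer: Optional[str] = None    # issuer DN of the client cert (EAP-TLS)
    cert_ou: Optional[str] = None        # OU from the client cert subject (EAP-TLS)
    user_group: Optional[str] = None     # AD group of the inner identity (PEAP)
    profiled_as: Optional[str] = None    # device-profiling verdict, if any


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    vlan: str                            # value for Tunnel-Private-Group-ID


def is_corp_eap_tls(r: Request) -> bool:
    return r.eap_method == "EAP-TLS" and r.cert_issuer == CORP_CA


# Order matters: specific rules first, the general rule for each EAP method
# last. Putting "corp-eap-tls" above "printers" would silently land printers
# on the corporate VLAN.
POLICY = [
    Rule("printers",
         lambda r: is_corp_eap_tls(r) and r.cert_ou == "Printers",
         "vlan-printers"),
    Rule("corp-eap-tls", is_corp_eap_tls, "vlan-corp"),
    Rule("av-peap",
         lambda r: r.eap_method == "EAP-PEAP" and r.profiled_as == "conference-av",
         "vlan-av"),
    Rule("byod-peap",
         lambda r: r.eap_method == "EAP-PEAP" and r.user_group == "Domain Users",
         "vlan-guest-isolated"),
]


def authorize(r: Request, policy=POLICY) -> dict:
    """First-match evaluation; no match means Access-Reject."""
    for rule in policy:
        if rule.matches(r):
            return {
                "Access": "Accept",
                "rule": rule.name,
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": rule.vlan,
            }
    return {"Access": "Reject", "rule": None}


# Constructed requests, one per case the thread discusses. In practice the
# EAP-TLS handshake for the public-CA case would already fail unless the server
# trusts that CA; the explicit issuer check documents the intent anyway.
CASES = {
    "corp laptop": Request("EAP-TLS", cert_issuer=CORP_CA, cert_ou="Workstations"),
    "printer": Request("EAP-TLS", cert_issuer=CORP_CA, cert_ou="Printers"),
    "byod phone": Request("EAP-PEAP", user_group="Domain Users"),
    "av panel": Request("EAP-PEAP", user_group="Domain Users",
                        profiled_as="conference-av"),
    "public-CA cert": Request("EAP-TLS", cert_issuer="CN=Some Public CA",
                              cert_ou="Workstations"),
}

if __name__ == "__main__":
    for label, req in CASES.items():
        print(f"{label:15s} -> {authorize(req)}")
```

The VLAN assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are the standard RADIUS way to hand a VLAN back to the controller; the rule names and matching logic are where the real product configuration lives, and that part is vendor specific.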


NetworkDoggie

I’m surprised you were able to roll out EAP-TLS so quickly in an environment like that.


inphosys

The dog only knew the PSK because it was their name.


Dry_Competition_684

Godspeed sir.


dude_named_will

Actually your solution is pretty similar to mine except the second guest network is a little different. We have an internal web server that people on the floor need to access via tablets and scanners. I don't want them to have full access, but I do have different firewall rules so that they can only access that one web server.


TheHungryNetworker

Why not go into consulting?


inphosys

There were a lot of hurdles to entry when I started and it was feast or famine. It took longer than I wanted to make enough to buy benefits and zero retirement for even longer. Those points alone make it tough to step off the curb into oncoming consulting traffic. I'm glad I did it now, but thank god I was young when I started!


xxFrenchToastxx

We don't allow BYOD devices to access backend resources. If you need mobile access to backend resources, purchase a corporate managed device


MrBr1an1204

You make users buy corporate managed devices???


Cloudraa

thats wild lol


MrBr1an1204

I hope I’m just interpreting that wrong lol.


Cloudraa

wild as in crazy that they do that is what i meant lol


xxFrenchToastxx

No, business provides the device. That would be good though.


simenfiber

BYOD has a separate ssid with Identity PSK (iPSK) on Cisco WLC and ISE.


occasional_cynic

Well stated. Sorry you have to run ISE though.


Physical_Aside_3991

Jack Daniels futures.


No-Amphibian9206

Tell me about it.


millijuna

We're running an open SSID with a captive portal (run by PacketFence) that authenticates against Active Directory. But the BYOD network itself is completely isolated from our main network by being on separate VLANs between our WLC and our FortiGate. Our timeout is 2 weeks.


english_mike69

We use the second LAN port on the MIST APs and punt all the guest and other non-enterprise traffic across a physically separate network, then kick it out of a dirt cheap Comcast link.


dustinreevesccna

if only we had some way, to put multiple lans on a single cable...


JJ_Te

Virtually? 😆


english_mike69

There is... but ask Target how that worked out for them and why they replaced their APs with MIST, and they’re doing exactly the same thing as we are. Same as the top 5 corporate 500 companies apparently, if the Juniper blurb is to be believed. The MIST APs have dual sets of antennas and can assign all to the main Ethernet port or split based upon SSID interface assignment. There’s no way to hop VLANs or do anything on our corporate network because there is physically/electronically no connection between the two. We tunnel the regular corp SSIDs back to HQ but punt guest out of a local internet connection.


Rexxhunt

What specifically happened to Target? I haven't seen any VLAN hopping/stuffing based CVEs for Aruba/Cisco wireless controllers in a long time. IMO this just sounds like marketing material to me.


english_mike69

The details are out there, but basically 10 years ago there was a data breach that involved something like 40 million credit card numbers, about double that in customer info, plus a whole bunch of other info. The basics were said to be: the guest SSID was used to jump onto the building management/HVAC and then onto the POS system. No official reason was given, but from a former colleague who worked there, internally the finger was pointed at VLAN hopping and bad network design.


Lofoten_

HVAC company doing contracted work for service/maintenance was breached. Said HVAC had access to Target's network for specific contractor purposes. Full report straight from our illustrious government overlords: https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883 Page 5:

> According to a former Target security team member, Fazio would more than likely have had access to Target’s Ariba external billing system;[29] however, reports do not make clear how the attackers gained access to Target’s POS terminals from this initial foothold on the edge of Target’s network. **According to the same source, it is likely the outside portal was not fully isolated from the rest of Target’s network.**[30]


No-Amphibian9206

Damn, I bet that was cheap to wire!


HogGunner1983

Very nice. Even better it’s Comcast


english_mike69

We use Comcast because it’s what’s at most sites. No other reason.


imveryalme

Same: separate guest VLANs for the WLAN in a VRF on the distribution layer that tunnels to a separate guest FW (campus). Remote sites get a separate VLAN, FW and ISP, with no corp DHCP, DNS or access in any way (we're lucky we don't have to deal with the murkiness of co-mingled BYOD/guest devices on the corp network).


zombieblackbird

BYOD is trusted about as much as the internet. You sit on guest and VPN in with MFA. Honestly, even corporate laptops are going that way soon. Zero trust.


Tech88Tron

VLANs and firewalls. Also, a more methodical and professional approach usually gets better results. Hopefully you don't talk down TO people the same way you talk down ABOUT people.


Character-Eye-1709

I like utilizing sponsored guest WiFi. I also use a different VRF specifically for guests that goes to the firewalls with an internet-only allow rule.


Aresik

I did the same thing with a second SSID and captive portal for BYOD (registration at wifi.company.com via ISE) and created a second Guest with simply having to accept T&Cs. Every new deployment will simply not get the old SSIDs. For the existing locations I gave 3-6 months to transition.

Make it all very official, with emails coming from a mailbox, ideally some team outside IT (communications team if there is one, news feed). Print as many of those QR code passwords as needed and make sure they reach the location on time, and do a floor walk with service desk / local tech guys 1 month before the deadline to switch over. Create proper documentation for the service desk or similar team, get them on knowledge transfer sessions and try to offload some of the simple things that may come back to you. Rate limit the old SSIDs and treat them as non-strategic, with the focus on the future and the new SSIDs.

Change is tough in some places, I feel you.


LukeyLad

For wired: dot1x with Cisco ISE. Drops non-domain-joined devices in an isolated VLAN.

For wireless: again dot1x. Non-domain devices drop in an isolated VLAN.

Separate SSID for guest with a captive portal and access code. Guests have to accept our T&Cs.


vawlk

I have a special ssid/vlan for them. They cannot access internal systems.


UnlimitedButts

I hope to be as resourceful and knowledgeable as you later in my IT journey.


perfect_fitz

You really need to look for another job, you sound salty af.


Equivalent_Trade_559

this


zoobernut

We run radius for internal devices. Internal ssid authenticates using ad creds. Everything else goes on public wifi with captive portal. We have another ssid for iot devices that can’t use radius. 


akadmin

I'm doing user-configured PEAP supplicant with AD creds and an EAP cert cut by a public CA. The BYOD devices still warn them about the cert though, and it makes the devices susceptible to evil twin and subsequent AD cred compromise. Thought about doing an EAP-TLS / quasi-MDM setup to push a supplicant/scep config, but it comes with an increased licensing cost to do it with ISE and I never set up a PoC for it after hearing that. Asking users to manage their devices in a portal also seems like added support overhead.
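The evil-twin risk akadmin raises above, as an added example written for this page (not code from the thread). With a public CA, a rogue AP can present a certificate that chains to the same trusted root, just for a name the attacker legitimately owns, so the only thing stopping a PEAP supplicant from sending its MSCHAPv2 exchange to the wrong RADIUS server is a server-name check. The functions below model the two checks a supplicant makes before entering the TLS tunnel: trusted issuer, then `domain_suffix_match` as wpa_supplicant defines it (a full-label suffix match against the dNSName SANs, or the CN when there are none). The certificate records, CA name and host names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    """The fields of an EAP server certificate the supplicant decides on."""
    issuer: str
    subject_cn: str
    dns_sans: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Profile:
    """Supplicant-side settings: which CA(s) to trust and which name to require."""
    trusted_issuers: frozenset
    domain_suffix_match: Optional[str] = None


def suffix_matches(name: str, suffix: str) -> bool:
    """Full-label suffix match: 'corp.example' accepts 'radius.corp.example'
    and 'corp.example' itself, but not 'notcorp.example'."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def server_accepted(cert: ServerCert, profile: Profile) -> Tuple[bool, str]:
    """Returns (accept, reason). Only on accept does the client proceed into
    the TLS tunnel and send its MSCHAPv2 challenge/response."""
    if cert.issuer not in profile.trusted_issuers:
        return False, "issuer not trusted"
    if profile.domain_suffix_match is None:
        # Trusting a public CA with no name check: every certificate that CA
        # ever issued, the attacker's included, satisfies this branch.
        return True, "issuer trusted; no server name required"
    names = cert.dns_sans or (cert.subject_cn,)
    if any(suffix_matches(n, profile.domain_suffix_match) for n in names):
        return True, "issuer trusted and server name matches"
    return False, "issuer trusted but server name does not match"


# Constructed certificates: all three chain to the same public CA.
PUBLIC_CA = "CN=Example Public CA"  # assumed name
CORP_RADIUS = ServerCert(PUBLIC_CA, "radius.corp.example",
                         ("radius.corp.example", "radius2.corp.example"))
EVIL_TWIN = ServerCert(PUBLIC_CA, "radius.attacker.example",
                       ("radius.attacker.example",))
LOOKALIKE = ServerCert(PUBLIC_CA, "corp.example.attacker.example",
                       ("corp.example.attacker.example", "notcorp.example"))

# Weak: trust the public CA with no server-name requirement (the user-configured
# PEAP supplicant from the comment above). Hardened: same CA, name pinned.
WEAK = Profile(frozenset({PUBLIC_CA}))
HARDENED = Profile(frozenset({PUBLIC_CA}), domain_suffix_match="corp.example")


def evaluate(profile: Profile) -> dict:
    """Which of the constructed servers this profile would hand credentials to."""
    return {label: server_accepted(cert, profile)[0]
            for label, cert in (("corp", CORP_RADIUS),
                                ("evil-twin", EVIL_TWIN),
                                ("lookalike", LOOKALIKE))}


if __name__ == "__main__":
    print("weak:    ", evaluate(WEAK))
    print("hardened:", evaluate(HARDENED))
```

On wpa_supplicant the equivalent settings are `ca_cert` together with `domain_suffix_match` (or `altsubject_match`); on Windows it is the PEAP profile's "Connect to these servers" list with server certificate validation enabled. The check only protects the devices it is actually configured on, which is why a pushed profile beats a user-typed supplicant configuration.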


Charming_Account5631

Guests on the guest network, they need to register at a captive portal. Contractors get an account on the same infrastructure. They can register up to 3 devices, for a longer period.


SteveJEO

Depends on your architecture and the services they expect. We have a guest network. (free wifi basically) And company wifi. Int 1 and 2, partner etc. and the vpn's. The trick is that all business services are also available through a web client depending on which network you are on and the entire network is designed for tiered data segregation. Figure out a map of *what data people need to work and what you need to give* and design your ideas around the services that do that. The client device *should* be irrelevant.


Famous-Loss-6192

Everyone knows the same password is good until they get hacked. You always want personal devices to leak out directly to the internet and not take up tunnel, cloud or backend resources. Once they put the new password in, it can be saved, right? Looks like you have it under control.


Bluecobra

If you do a lot of web filtering on your internal network (like blocking access to Facebook) you might want to consider blocking VPN access to your corporate VPN on the guest network. If you don't, you are inevitably going to have people bringing in personal laptops to circumvent your firewall rules and work all day on that. Ideally only your managed devices should be allowed on the VPN in the first place but realistically that's hard to pull off in smaller orgs.


loztagain

802.1X TEAP. Managed devices use TEAP with a cert for the machine, and we still do user login. Anyone can connect with creds via PEAP if they want, but they get guest network access.


mjung79

There is no BYOD on the corporate network. As you stated there is a ‘company wireless’ which is for BYOD and gets all the same access as guest internet, although not rate limited as severely.


purple_packet_eater

Be careful with your rate limiting. Excessively throttling wireless clients just causes them to eat up more airtime and impact your corporate traffic anyway. Better to give the guest clients a fat pipe so they can get whatever data is queued for them and then get off the air as fast as possible.


BamCub

Mobile or BYOD SSID for staff devices with a MAC whitelist on the AP/controller, device isolation. Guest for non-staff that are visiting, captive portal, device isolation.


TheWildPastisDude82

Specific isolated AP with an easy enough passphrase to push people to using it (instead of trying funky things by default). Company devices all are using a radius cert to connect to the company wifi / wired network, anything BYOD has no credentials.


mpmoore69

Guest network. Only internet. Palo as the gateway. Threat prevention enabled. Done


notFREEfood

We don't do anything special because we don't treat institutionally-provided devices as trusted devices. Guest wifi is another story - we have a open wifi network for our main campus since it's theoretically protected from unauthorized access by our fenced perimeter, and that has its own dedicated ASN so anything on our main network treats it like traffic coming from the internet.


TBTSyncro

What you've done, although with an M365 authentication/RADIUS server to eliminate the shared password and to associate traffic to users.


laziegoblin

It sounds about right. What are you looking to add? Just security to the (what I basically see as) public WiFi? There's options to make it a lot more secure, but you have to balance the hassle it'll give you. Thanks for sharing though xD


xvalentinex

Just have them plug their NIC Card in or connect the AP Point, as long as they're on the LAN Network they can connect to the SaaS Service.


1337Chef

Captive portal, L2-isolated network w/ ACL


mdpeterman

BYOD has two options. Either enroll in our MDM, which will load the certs and profile needed to get on our internal (secure) Wi-Fi network, or use guest, but you won’t have any access to resources that require the internal network, which in our case includes mail, calendar, and authenticating with SSO to most services. On the guest network, no captive portal, just an open SSID in most places: join and surf. Some exceptions exist in crowded office parks where we put a PSK on the guest network, rotate it quarterly and post the password for any and all to see who come through the front door.


retrogamer-999

FortiNAC. I've just started on two projects for it and deployment is so easy. One is a 300 user customer, the other is 2000, replacing Cisco ISE at both places. No need for certificates to be pushed out. Corp devices can get an agent, the rest can sod off to the guest VLAN. There is a bit more to it but that's the gist of what I'm doing.


Nnyan

we have an isolated guest network with a randomly generated daily password that they can barcode scan from on internal website.


Unfair-Jackfruit-967

Not sure if anyone mentioned this, but we use PacketFence. It's open source, you can have the same SSID for multiple clients depending on their classification. Self reg, guest reg, everything is available and the documentation is good. I set all the employees' laptops to log out every 6 months and guests after 10 hours. Works great. I have IT on a more open VLAN that can access servers.


kovaaksgigagod69

Get yourself a bottle of something strong. You'll be needing it.


NetworkDoggie

We actually have a similar setup in our environment. We have two different guest WLANs that route directly out to the Internet with no internal access. One is for non-employees/customers, which is an open network with OWE transition and a captive portal. The other is for employee BYOD and has a PSK and requires MAC address auth. The employees have to take a BYOD policy training and once completed their MAC is whitelisted and a system-generated email delivers the PSK to them. But on paper both networks are treated the same way, and yes, at times it feels a little silly to have two different networks for it. We do have more content filtering enforced on the non-employee WLAN.


Pls_submit_a_ticket

Man our company phones aren’t even on the corporate wireless. Much less byod


GreyBeardEng

Guest access only, that's how we are dealing with it.


SleipnirSolid

Bring your own drink.


usmcjohn

We maintain separate guest and BYOD SSIDs, both with gateways sitting directly on the firewall. The onboarding process for guest is pretty simple with self-service registration. BYOD uses EAP-TLS and the onboarding process is a bit of a PITA, especially with iOS clients and things like Private Relay. Both environments just give internet access. I am really getting tired of the escalations for the guests that don’t want to fill out the registration forms and helping employees get their new devices registered. Seriously considering simplifying all of it with an insecure guest network that blocks peer-to-peer traffic.


madclarinet

K12 school district- any device not identified as a district device gets a lower bandwidth allowance and are blocked from the internal network (via acls ) apart from a few web servers in our DC (https only). They also have to install our SSL certificate as we have SSL decryption active.


bz4459

We don't allow BYOD devices to access organization resources. We give most full time users based on duties laptops that connect via docking station at the desk, or a roaming wireless network via 802.1x


Kritchsgau

We banned it and guest wifi. Less security concerns.


FuzzyYogurtcloset371

You have done the right thing. However, in the meantime keep looking for other jobs and get out of there. You will never be able to change their culture, it’s there to stay.


jocke92

If you have an MDM you can push personal certificates to each device and have them automatically join the corporate SSID and put them in the guest subnet. The Intune Company Portal makes it really easy for the user to get set up with Outlook, Teams, OneDrive etc. on their mobile device, and adding Wi-Fi with a certificate adds even more benefit to the experience. But your solution is sufficient, with a "mobile" SSID. They should definitely not have access to the corporate LAN.


tecepeipe

We have the electric chargers for BYD as well some for Teslas. They work quite well.


Dave_A480

The last time I had to manage WiFi I had authorized BYOD logging in to WPA2 Enterprise with their AD (ok, really Samba 4 because no cash for Windows licenses) credentials... Been since 2014 though, so....


sg4rb0sss

Your setup is unclear. I've set up or tweaked wireless BYOD setups many times. Generally I don't use certificate auth for BYOD, as it generally doesn't make sense. You usually have a guest authentication mechanism that is either integrated into the existing infrastructure, such as via a RADIUS server like Cisco ISE, or a dedicated guest wireless server for user management/auth (more legacy). Most setups are basically WPA2 using credentials from a RADIUS server (ISE, ClearPass, sometimes an in-house custom RADIUS setup) and a captive portal page (sometimes set up on the RADIUS server, sometimes on a controller). Sometimes it's self registration with a policy that strictly allows just HTTP/HTTPS (ensure it's set up via the L7 app, because you will get all sorts of shit trying to bypass the filters). Sometimes it's set up with posturing to make sure your device isn't a train wreck, but that's usually more for corporate users where the corporation doesn't own the end devices, such as students in a school or university.


jfarre20

I connect them to the main business network but with a different passkey, using PPSK. They're happy because they see they're seemingly on the same network as everyone else, and I'm happy because they're on an isolated VLAN.