Friction Free Wireless Network Best Practices for the CloudFirst Office

Recently we published some tips for a ‘strong’ Cloud First network in your office. In that post, I discussed the importance of remembering that all the awesomeness of a modern, CloudFirst existence in an office also brings the necessity for a solid gateway (firewall) that can handle the capacity, and for good range/coverage of Wi-Fi in all the nooks and crannies of the office.

Expanding on that, I’m going to talk about our approach at Regroove to ensuring offices can have ‘friction-free’ Wireless that supports people coming and going, while maintaining solid network security.

A modern, CloudFirst office should have 3 Wireless Networks

Here’s the short version, then I’ll dig in to explain each a little:

· A wireless network for guests, with a captive portal

· A wireless network for staff

· A hidden, perimeter network for security devices and peripherals

A wireless network for guests, with a captive portal

If you plan on providing a Wi-Fi network for guests, be sure to be a good host by providing a reliable and simple to join network. In our office, we ensure our guest network includes:

· An easy to find network name so guests know exactly what network is there for their purpose

· A captive portal — this means providing a web page (also a branding opportunity) that appears as soon as the guest joins, where you can put a friendly welcome message, your logo and explain the terms of your wireless network

· A limited timeframe before having to rejoin. We set ours to 4 hours so that we can comfortably provide a simple to remember (and say) password so that guests can type it in quickly and easily and join our meeting or gathering without fuss. By having a 4 hour join window, we can prevent nearby squatters from using our network permanently as they would have to rejoin every 4 hours

In our office, we named our guest Wi-Fi network “Regroove Guests”.

A wireless network for staff

For staff, you want a network that is easy to join with their devices, but with a much more robust password. Ideally, if you can facilitate it (there is more complexity to this), better still than a password supplied by the device is actually authenticating/identifying who the person is using LDAP, RADIUS or other methods (in other words, they have to type in their email address and company password to join). When staff leave the company, you then either change this password and communicate the new one to everyone, or, if you were authenticating users by their account, you simply disable their account and life carries on.

In our office, we named our staff Wi-Fi network “Regroove Staff”.

A hidden, perimeter network for security devices and peripherals

Finally, this last one is a bit of a ‘pro tip’. We always create a third, hidden network for devices that are going to stick around for the long term.

Why? Because if all devices (staff included) end up joining the main Wi-Fi network, then your peripherals (printers, scanners, wireless access points), IoT devices (smart plugs, lighting systems and other modern gadgets) and security devices (cameras, door locks, sensors) would all have to be updated/changed if you had to change the password for security reasons (such as when a staff member departs, if you follow good security practices).

So, our perimeter network is:

· A hidden wireless network for security devices (cameras, door locks, sensors), network equipment (routers, etc.), peripherals (printers, scanners) and IoT devices (smart plugs, TVs and all the other modern goodies constantly being introduced)

· Enforces a very strong password with limited sharing/knowledge of that password

· Rarely, if ever, changed (it is a big job to go to every device on our network to change the password — upwards of 40 devices sometimes, in a small office that uses lots of energy saving and security technologies)

These devices (printers, security cameras, Wi-Fi access points, IoT devices) are ideally ‘set and forget’ for a long time.

For this network, we recommend not even broadcasting that it exists — it is for internal eyes only and joining it should be a managed/governed process.

In our office, we named our perimeter Wi-Fi network “Regroove Perimeter”.
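
The three networks described above, sketched as one hostapd configuration serving three SSIDs from a single radio. This is an added example, not Regroove's own configuration. The use of hostapd, the interface and bridge names, the RADIUS address and every passphrase are assumptions or placeholders, and the captive portal and 4 hour rejoin window are left to the gateway.

```conf
# Constructed example: one radio, three SSIDs (hostapd multi-BSS).
# Interface, bridge names, addresses and secrets are placeholders.
# hostapd does not allow trailing comments, so each comment has its own line.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# 1) Guests: easy-to-find name, simple shared password.
# The captive portal and the 4 hour rejoin are enforced by the
# gateway behind br-guest, not by hostapd.
ssid=Regroove Guests
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_GUEST_PASSWORD
# Assumption (not from the article): stop guest devices talking to each other.
ap_isolate=1

# 2) Staff: per-user login checked against RADIUS instead of a shared
# password, so a departure is handled by disabling that one account.
bss=wlan0_1
ssid=Regroove Staff
bridge=br-staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
own_ip_addr=192.0.2.2
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_RADIUS_SECRET

# 3) Perimeter: not broadcast, long passphrase known to few people.
bss=wlan0_2
ssid=Regroove Perimeter
bridge=br-perimeter
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_LONG_RANDOM_PASSPHRASE
```

`ignore_broadcast_ssid=1` only keeps the name out of network lists; the passphrase and the separate bridge are what restrict access to the perimeter devices.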

--


Sean Wallbridge - The Chief Troublemaker

Dad. Husband. Drummer. Citizen Scientist. Hypnotist. Renaissance Man.