I am pretty much a newbie when it comes to wireless. I am a voice person but have responsibility for the mobiles in our company. We have moved away from the standalone Cisco IOS APs to a WLC with Airwave managing it. At present all laptops on our network are installed with an MS certificate which is used to authenticate with the AP. The SSID etc. are all pushed by default.
Now that we have moved over to the WLC, we have the possibility to have the guest network with direct access to the internet. Authentication is done via a web page and a temporary userid and password.
We would like to have another SSID that only mobile phones/smart phones connect to. The key to this is that the user must have no intervention apart from switching on WiFi. Maybe we need to look into another certificate based solution?
I'm afraid that this won't be possible in a nice way.
Where the client is connecting to is a client decision. So if you have a WPA corporate SSID and another SSID that is fully open, then by default, any device you turn on will try to connect to the open SSID.
But you already have the guest SSID for this. So how are the phones supposed to connect to the phone SSID and not the guest SSID?
I'm afraid you can't steer them; the users will anyway have to select "phone ssid" on their phone.
For the "no intervention" part, I'm afraid certificates would require an admin to install the certificates on the phones (that's a burden with all those different models of phones). Either you go for an open SSID or you have a pre-shared key that the users can cache on their phone so that it doesn't beg them anymore.
Thanks for your reply. At present the mobile devices have no connectivity to the guest network. The guest network is used for laptops and guests only as the longest userid you can have is 1 month before expiry.
One idea I was thinking of is to have a certificate on a web server that someone from IT can browse to and install on the device whilst they are configuring mail etc. Do you think that is possible? I don't think we can go for a PSK as any users who are able to extract it would have unmonitored access to the internet.
Your idea sounds like everyone using the same certificate? That's not what I call security.
How about password authentication then, if you don't trust PSK?
But in any case, the problem is the same: you need to configure a wifi profile on the phones.
If this is a task you accept, then any security is fine (cached password or certificate, whatever), but you won't have the phone connecting without user intervention and still keep security; those two just contradict each other.