Netgate Discussion Forum

    How do hotels isolate wifi clients? - want to create "rooms" in a hospital

    General pfSense Questions
    • NogBadTheBad

      IMO you're overthinking this, re all the subnets.

      No need for subnets per room, especially when you're dealing with Wi-Fi, as it will bleed from one room to another.

      802.1x for any type of medical device if required.

      Guest Internet access for any patient. If they BYOD, and I'm sure they will, they'll need to go on the same subnet as the Sonos / Chromecast, which will need internet access.

      I'm not sure how the Sonos / Chromecast devices work, but Apple TVs have a thing called "Conference Room Display" that pops up a 4-digit code that has to match on the user's device and the Apple TV; this stops person A displaying output in person B's room.

      Ubiquiti do an in-wall AP that may suit:

      https://inwall.ubnt.com

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • johnpoz LAYER 8 Global Moderator

        "802.1x for Sonos or Chromecast … unless anyone knows something I dont know, I dont think that's an option for either device/platform"

        You do not need this for mac based assigned vlans..

        The proper solution here is dynamically assigned vlans for isolation at layer 2.  Setting the IP on the device so you try and isolate at L3 but letting everything run on the same L2 is not the correct solution.. I do not help with borked configs - sorry..

        "we don't care if traffic from a tablet can get to another"

        If you're not worried that a device in room A can talk to B, then just put them all on the same network and pair the devices to what they should talk to.  Sonos is a bit excessive, why not just get a simple bluetooth speaker for the tablet?  Now you're just pairing bluetooth to the speaker, and your chromecast will be paired to the tablet in the room.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • SpaceBass

          Thanks friends!
          Sounds like, for our pilot, MAC-assigned VLANs are the way to go.
          I'll investigate that route.

          I appreciate the other suggestions as well. For now we're committed to Android, Sonos and Chromecast - the latter two not supporting 802.1x. So it seems MAC-based assignment is the way to go.

          Thanks!

            • johnpoz LAYER 8 Global Moderator

            Here is a dead simple solution.

            What AP are you going to use? The UniFi stuff, very reasonably priced, has recently gone from 4 SSIDs to 8 SSIDs if you do not use wireless uplinks.

            So you could have 8 different rooms on each AP.  Just create the SSIDs for these 8 rooms, 4 if your APs have that limit - more if they can do more, etc.

            So you have say ssid room101, room102, room103, etc..

            Put each of those ssid on their own vlan.. Done!  Simple straight forward easy to setup.. And you don't even need fancy or expensive AP or switches to do such a setup.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • NogBadTheBad

              @johnpoz:

              What AP are you going to use? The UniFi stuff, very reasonably priced, has recently gone from 4 SSIDs to 8 SSIDs if you do not use wireless uplinks.

              Is that 5.5.x, John? I'm on 5.4.19 and it's still showing 4 max.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • johnpoz LAYER 8 Global Moderator

                You need to make sure you're not running link monitor, it seems - I might have misspoken on the wireless uplink, but that is also an issue with it I think.  I am running 5.6.10; without the link monitor you can not switch over to wireless uplink, etc.  But you don't really need the link monitor if you're wired and don't want them to go to wireless uplink on wire fail, etc.  That is my take on it - have not tested all the scenarios, etc.

                But depending on his layout and where they plan on placing the AP, 4 rooms per AP wouldn't be all that bad either?  So even with a 4-SSID limit such a setup would work.  So this would work with any AP and switch that supports vlans.  The more SSIDs your AP supports would just give you more clients you could have connected to each AP via ssid vlans.  This doesn't require any sort of other eap support either, works with just your typical psk auth.  You could come up with some formula for the psk you use, so if you know the formula you would know what the psk is per room, etc.  But it would still be hard to guess for random people (unless they figure out the formula).  You could also just use a random psk for each ssid.  You could give this to the people in the room if they wanted to connect their own devices, etc.

                While dynamic vlans would be a more elegant solution and allow you to use a common ssid, it does require hardware that supports mac based auth and is able to do that with non-802.1x clients, etc.  The UniFi switches can do it that way I do believe… I recall someone doing it on the forums.

                See attached screenshot

                unifi_ssid_limit.png

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11
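The two approaches in this post, one SSID and VLAN per room with a random PSK and, for the fixed devices, a RADIUS lookup that assigns a VLAN by MAC address, as an added Python example that is not from the thread or from UniFi. It assumes the room number doubles as the VLAN ID, that the AP/switch does MAC auth bypass against FreeRADIUS (the `users` file format and RFC 3580 tunnel attributes are standard FreeRADIUS), and the room numbers, MACs and AP names are constructed sample data.

```python
import re
import secrets

MAX_SSIDS_PER_GROUP = 8   # per-WLAN-group SSID limit quoted in the thread (assumed to apply)
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$")


def room_vlan(room: int) -> int:
    """Assumption: VLAN ID equals the room number (room 101 -> VLAN 101)."""
    if not 1 <= room <= 4094:
        raise ValueError(f"room {room} cannot map to a valid VLAN id")
    return room


def random_psk(nbytes: int = 24) -> str:
    """Per-room PSK from the OS CSPRNG (32 url-safe chars), not a guessable formula."""
    return secrets.token_urlsafe(nbytes)   # within the 8..63 chars WPA2 requires


def ssid_plan(rooms, aps):
    """One SSID + VLAN + PSK per room, filling each AP up to MAX_SSIDS_PER_GROUP."""
    if len(rooms) > len(aps) * MAX_SSIDS_PER_GROUP:
        raise ValueError("not enough APs for this many rooms")
    return [{"room": r, "ssid": f"room{r}", "vlan": room_vlan(r),
             "ap": aps[i // MAX_SSIDS_PER_GROUP], "psk": random_psk()}
            for i, r in enumerate(rooms)]


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff / aa-bb-... / aabbcc...; return bare lowercase hex."""
    m = mac.strip().lower()
    if not MAC_RE.match(m):
        raise ValueError(f"bad MAC address {mac!r}")
    return re.sub(r"[:-]", "", m)


def radius_mab_entries(device_rooms):
    """FreeRADIUS 'users' entries for MAC auth bypass: the switch/AP sends the MAC as
    username and password, and RADIUS replies with the RFC 3580 VLAN attributes."""
    entries = []
    for mac, room in device_rooms.items():
        m = normalize_mac(mac)
        entries.append(f'{m} Cleartext-Password := "{m}"\n'
                       f'\tTunnel-Type = VLAN,\n'
                       f'\tTunnel-Medium-Type = IEEE-802,\n'
                       f'\tTunnel-Private-Group-Id = "{room_vlan(room)}"')
    return "\n".join(entries)


if __name__ == "__main__":   # constructed sample data
    for p in ssid_plan([101, 102, 103], ["ap-wing-a"]):
        print(p["ap"], p["ssid"], "VLAN", p["vlan"], "PSK", p["psk"])
    print(radius_mab_entries({"AA:BB:CC:DD:EE:01": 101, "aa-bb-cc-dd-ee-02": 102}))
```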

                  • NogBadTheBad

                  Ah thanks, that's why I'm not seeing it then.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    • johnpoz LAYER 8 Global Moderator

                    I have not tried it out as of yet.  I do want to create a few more ssids though to further isolate different types of iot devices which I currently have lumped into the psk ssid (vlan 200).. I thought I had read that they were going to add a built-in radius server to the controller, which would then allow for mac based auth for clients that don't support enterprise mode of wpa, etc.

                    What I would love to do is the mac based vlans so I could just run 1 vlan for all my different iot devices and put them in their own vlans based upon mac.  But as mentioned this can be difficult based upon your hardware and the clients' wifi eap support.  Most of these shitty consumer devices do not support any sort of enterprise auth.  So you're stuck with psk..

                    To the number of rooms, you could prob even get 16 rooms this way - since the 8 is limited to wifi group.  So you assign group 1 to your 2.4 band, for the rooms farther away from the AP and then another to your 5ghz band for the closer rooms..  So 16 rooms per AP would be quite a bit - but also depends on actual layout, etc.

                    What would be sweet is if these devices would just support wpa-enterprise.. You would think as more and more iot devices come on the market and more and more people want/should be isolating them to their own networks that they would allow for enterprise level auth so you could use dynamic vlans..  But then you see these major players coming out with mesh networks (about time) for home users like Google Wifi and Netgear's Orbi, without even vlan support - wtf? ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      • SpaceBass

                      @johnpoz:

                      Here is a dead simple solution.

                      The UniFi stuff, very reasonably priced, has recently gone from 4 SSIDs to 8 SSIDs if you do not use wireless uplinks.

                      So you could have 8 different rooms on each AP.  Just create the SSIDs for these 8 rooms, 4 if your APs have that limit - more if they can do more, etc.

                      Done! That's a great fix! We are in fact using the UniFi stuff and I was thinking about the 4 SSID limitation. This is great news! Will try it out today.

                      Thanks everyone! Much appreciated!

                        • johnpoz LAYER 8 Global Moderator

                        even with the 4 ssid limit, you could prob still get 8 rooms on 1 AP via using different ssid per band - putting the farther rooms on 2.4 and closer rooms to the AP on the 5ghz band and use different ssid/vlans.. The only drawback to this would be your actual layout of rooms and types of walls, etc.

                        Let us know how it turns out!

                        If you end up doing this and it works out well, it'd be a perfect thing to post on UniFi as a case study ;)

                        Keep in mind I do not believe they have back-ported the 8-SSID thing to the older, pre-5.6.x line yet.. And there might be restrictions on which APs support it as well.

                        Do you have a drawing, or could you sketch up real quick a basic layout to look at to see placement of the APs?  Worst case is you need to use more APs and have fewer rooms per AP.  But with the ability to create different wifi groups and different ssids and vlans you should be able to do it all under 1 site on the controller.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11
