Mearki WAP - number of SSID limitations and Key management for large deployments

Solved
BS
Getting noticed

Mearki WAP - number of SSID limitations and Key management for large deployments

Hello All,

 

Im working on a deployment design where I'm expecting long term users.

 

It will be like a Hotel environment where each room needs SSID ( considering security I feel it will be good provide separate SSID's) Im expecting around 60 rooms all of them with multiple devices.

 

May be 1 AP' for 4 rooms ( 15 AP's 60 rooms) for and apply some bandwidth restriction on these SSID's to make sure everyone gets fair bandwidth

 

My questions are

 

1. is it good to have many SSID's , does it impact AP performance?

2. How do I manage the keys - ( example on boarding a new person's devices, how to change the keys etc..) is there a separate solution for that?

 

Thanks

1 Accepted Solution
GuilhermeMacedo
Getting noticed

Theres no much more than @kYutobi said, but you can follow this KB Managing User Accounts using Meraki Authentication.

 

hope was help!

View solution in original post

17 Replies 17
kYutobi
Kind of a big deal

1. Too many SSID's causes overhead.

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Multi-SSID_Deployment_Considerati...

 

2. If you go to Wireless - Access Control you can see all the options there. From what you're telling me I think setting up a "Splash Page" with Meraki authentication would be a good option for you. You can use 1 SSID and control users by either having them sign up or making an email you can assign them. 

 

Capture.PNG

Enthusiast
BrechtSchamp
Kind of a big deal

I think it's a bad idea to setup an SSID per room. Each SSID that is on a channel increases the amount of overhead. So the recommendation is to keep the number of SSIDs per AP to 3 or 4 maximum.

 

You could create either a NAT-mode SSID, or a bridge mode SSID with LAN 2 isolation activated? That way they can't reach each other. You can still assign per-client bandwidth limits for the users.

NolanHerring
Kind of a big deal


@BrechtSchamp wrote:

I think it's a bad idea to setup an SSID per room. Each SSID that is on a channel increases the amount of overhead. So the recommendation is to keep the number of SSIDs per AP to 3 or 4 maximum.

 

You could create either a NAT-mode SSID, or a bridge mode SSID with LAN 2 isolation activated? That way they can't reach each other. You can still assign per-client bandwidth limits for the users.


Technically its the same amount of overhead if each AP is broadcasting only its unique SSID.

 

1 SSID on 10 access points, vs 10 SSID's, but each one only broadcasting on each individual AP, is the same overhead. Still just a single SSID from each AP at the end of the day. It's a terrible idea of course, and roaming won't work, but that is another issue all together 😃

Nolan Herring | nolanwifi.com
TwitterLinkedIn
BS
Getting noticed

If I have to go with multiple SSID's like Tentats, Management and support on different channels do you see a challenge in roaming?

BrechtSchamp
Kind of a big deal

@NolanHerring agreed, but I was talking about having more than 3-4 SSIDs per AP. Having a single AP per room might also be challenging with regards to co-channel contention...

 

@BS you can't configure more than 15 SSIDs in a single network. So you would have to split up into different networks. But anyway, it's a bad idea :P.

Dylan_YYC
Getting noticed

I wouldn't recommend doing so many SSID's. Anything more then 4 SSID per AP and you're going to start seeing significant speed impacts, it also does nothing for security. TBH i would run 1 or 2 SSID's with the AP's set to L2 LAN isolation. That way devices cant talk to each other even if they are connected to the same SSID. 

As for key management, that can be a fun one. Depending on how your environment is setup, and who owns the devices you may want to consider a captive portal with 802.1X authentication or just use a PSK. 

BS
Getting noticed

Thanks Dylan.

If I have to go with 2 or 3 SSID's , can I still have separate Keys for each room?
GuilhermeMacedo
Getting noticed

Hi @BS glade to answer you question.

 

I sow your scenary more like a single SSID for all your rooms and to all your guests use a per room authentication. (and more one SSID if you need a corporate SSID for your team, as you need.) 

 

Then you are able to use Meraki Autentication method for free and this will give you a chance to create many users/room. So every room has a user and a password that can be setup at right moment that your guest are in your lobby doing the checking. How this sounds to you?

 

So answering more especifically your question:

1 - Use more than 3 SSIDs at the same time in your deployments can cause some decrease performance of your Wlan see more at: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Multi-SSID_Deployment_Considerati...

2 - Using a Meraki Authentication, you'll easily create and reset a user/room in real time. See more at: https://documentation.meraki.com/MR/Encryption_and_Authentication/Managing_User_Accounts_using_Merak...

 

BS
Getting noticed

@GuilhermeMacedo

Thanks for your guidance.

Could you please give me some inputs links to how to configure the authentication for user/room
GuilhermeMacedo
Getting noticed

Theres no much more than @kYutobi said, but you can follow this KB Managing User Accounts using Meraki Authentication.

 

hope was help!

BrandonS
Kind of a big deal

@BS Had you seen this in the Meraki Marketplace? https://apps.meraki.io/details/aerwave/

- Ex community all-star (⌐⊙_⊙)
PhilipDAth
Kind of a big deal
Kind of a big deal

I would use a single SSID.

 

Have you considered using any of the billing options?

https://documentation.meraki.com/MR/Splash_Page/Billing_for_Wireless_Access

BS
Getting noticed

Hey Philip

 

I dont need to bill the users, my concern is on the key management. How do I on/off board them , the users might remain in this location/room for a few months

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

You don't need to actually charge/bill the customer.  You would use the "Use fast prepaid login page" option.  Check out thsi documentation:

https://documentation.meraki.com/MR/Splash_Page/Customizing_Splash_Pages_for_Fast_Prepaid_Card_Billi...

 

 

BS
Getting noticed

Hello all,

First of all thanks to everyone for providing your inputs.

Im approaching this solution with some changes.

I'm planning to install MR30H in each apartment , Can I create a single SSID for all apartments for example "Tenants"
and create separate VLAN for each apartments?

as it is a single SSID can I contain Broadcast and multicast in this ?

There are common areas like pool and Gym, as the Tenants move with their devices Do you recommend to create a separate SSID for roaming? Could you please provide some best practices?

Thanks
PhilipDAth
Kind of a big deal
Kind of a big deal

I would be tempted to look at the Splash Access "Business Co-working" solution.

https://www.splashaccess.com/splashaccess-co-working-office/

This allows you to have one SSID but put each group of users into their own seperate VLANs.  It allows them to roam all over the complex as a result.

 

You can achieve the same thing using group policy - but you'll need to assign the group policy to each client device before they can use it.

BS
Getting noticed

Thanks Philip.

 

That's a great suggestion. I will go through that link.

Get notified when there are additional replies to this discussion.