Hi all. I’m running an ac3 with the widely used guest Wi-Fi setup: 2 bridges, 2 SSIDs. Is it possible to have only one SSID for all bridges (LANs) and separate users based on the password entered when connecting? It looks like a charm: only one SSID, and no one knows whether he is currently using the main or the guest local network.
I tried to set the same SSID for the main and guest access points (total: 4 interfaces with the same name). An Android phone with the password of the main network tried for a long time to connect to each of the access points in turn (starting with the guest ones) until it finally connected to the main one.
The Windows PC displayed a password error after a while - apparently Windows did not have the patience to go through all the access points.
Are there better solutions to reduce the timeout, or otherwise get clients to connect directly to the correct network (for example, so that users of the main network are immediately directed to the correct access point)?
Why do you want to use the same SSID with different passwords?
What is the underlying requirement for this?
If users are not supposed to know what network they are connecting to, what’s the point of separating them?
Put everyone on guest then.
It may look like it, but it doesn’t work without some heavy-iron features (some might call them enterprise features): RADIUS for customizable passwords and VLANs (so that RADIUS can request that different stations be put into different VLANs, which translate into different networks).
Or, if you are willing to share the same security credentials with everybody, you can go with the poor man’s solution: MAC-based ACLs with VLAN IDs. This way some “well-known” clients will be placed into the “main” network and the rest will use the guest network. This doesn’t work with the MAC address anonymizing BS, because every time a client connects to your network it’ll have a different MAC address.
The way you did it is against the standards: when a device sees multiple BSSIDs (wireless interface MAC addresses) serving the same SSID, it rightfully assumes it sees an ESSID and that it can freely roam between the constituting BSSIDs (it will be able to use the same PSK; it doesn’t have to perform any L2/L3 handshake because it’ll still be in the same L3 subnet, which means the same IP setup including its own IP address, gateway IP address, DNS server addresses, etc.).
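To make the "RADIUS plus VLANs" option concrete, here is an added FreeRADIUS `users` file fragment (not posted by anyone in this thread and not vendor documentation) showing how one SSID can put different credentials into different VLANs using the standard RFC 3580 tunnel attributes. It assumes the SSID runs WPA2/WPA3-Enterprise (802.1X) against FreeRADIUS, that VLAN 10 is the main LAN and VLAN 20 the guest LAN, and that the user names, passwords and VLAN IDs are placeholders; the access point must be configured to honour RADIUS-assigned VLANs and must have both VLANs trunked to it.

```text
# Added example: FreeRADIUS "users" entries for per-credential VLAN assignment.
# Assumptions (not from the thread): 802.1X SSID, VLAN 10 = main, VLAN 20 = guest.
# Passwords here are placeholders; for real deployments keep credentials in a
# proper backend (e.g. sql or ldap modules) rather than this flat file.

# Household member -> main network (VLAN 10)
alice   Cleartext-Password := "REPLACE-ME-main-passphrase"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Shared visitor account -> guest network (VLAN 20)
guest   Cleartext-Password := "REPLACE-ME-guest-passphrase"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Anything else is rejected: no valid credential, no network at all.
DEFAULT Auth-Type := Reject
```

Because the decision is made per credential rather than per MAC address, randomized client MAC addresses no longer matter, and every user sees the same single SSID while landing on a different VLAN.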
The main idea: do not let users ask questions like “What is this second network? Is there something more important in it than in the guest network?” A little trick from mom’s hackers, if you will.
Maybe you have a not very complicated guide on how to set up RADIUS for my case?
Yes, I could just create a few rules for known MAC addresses (disable MAC randomization for authorized devices) and route the rest (including random MACs) to the guest network. But I don’t really trust random MAC addresses - what if one of them one day matches an “authorized” one and enters the main network? And I will have to provide a common password for all devices, including unauthorized ones.