I’d love to see a RADIUS setup with WPA2/3 and multiple networks but one SSID using only Unifi equipment
Didn’t realize there was any debate. I used WPA3 Enterprise with a RADIUS server in an LXC container on a Proxmox host. That SSID is for users, and the RADIUS server dynamically assigns them to the appropriate VLAN. IoT gets its own SSID (2.4 GHz only) and MAC filtering to keep the riffraff out.
I run the setup of 1 IOT, 1 Guest (Voucher), 1 802.1X using Unifi's built-in RADIUS. Works a treat. Cuts down on the broadcast beacons and segments traffic which also cuts down on wireless broadcasts due to ARP. Ran a school network the same way with 1800 connected devices across ~170 APs. Makes managing Chromebooks and Windows laptops easy too.
When I had kids at home, they had their own SSID for gaming and school work with their friends. For home network I currently still have 4 SSIDs, IoT, Friends, Mom&Dad, Kids. For work we have 3 SSIDs (Corp, Employees, and Guests)
I have network set up really similar. Wife and I, IoT, Kids, Guest
In an ideal world, the user would listen to the instructions provided to them about not sharing passwords and not allowing unauthorized devices on the network. I'm pretty sure corporates can take care of that, but for a lot of non-profits and volunteer places this is hard to implement. That's why I reached out to you to figure out a way to separate traffic, but still allow specific access to printers only.
Who even needs wifi? Cable gang rise up!
😂
Cat5e FOR THE WIN !!!
Unifi's new PPSK VLAN authentication feature using a single SSID fixed this for me.
At home, I have 4 SSIDs: Main, IoT, Guest, & Media. Over 3 wireless mesh GWN7660s.
I have a GWN7803, and a GWN7813. I'm a little sketchy on how best to configure the L3 switch for inter-VLAN routing. Would love to see a video on that!
As someone who works in a business with more than 1000 people….yes. Hence Aruba IAP
4 SSIDs on my Home Office set up: Staff, IVS (Intelligent Video Surveillance), IoT, and Guest.
WPA2 Ent demo - yes pls
3 SSIDs at the most. 1x WPA(2-3)-Ent for RADIUS/NPS auth, 1x WPA2-PSK for those devices that cannot do the first, and WPA2-open for guests with a guest portal with EULA. It's basically the standard now in manufacturing.
Good stuff W!
Thanks, Tony!
I would love to see GWN full setup too, Thanks in advance
Maybe off topic, but I'd love to see a video about your experiences deploying Grandstream WiFi. Much has been said and discussed regarding tuning UniFi APs, best practices, etc, but there are scant resources regarding Grandstream. Perhaps roaming and general stability are great out of the box? Love to hear your experiences with your deployments, as you've got me super excited about this brand. Not to mention, they just announced a 6E access point is coming this quarter! Thanks Willie!
Another good topic Willie! I recently started using PPKs instead of 4 SSIDs. I love it. Makes dealing with IoT devices easy. As far as security goes I would think it less secure. My firewall is done right. I trust Unifi though. I am using UDM Pro, 3 APs. Over 50 clients. Mostly all on the IoT network. Willie, can I get your email again? I do have a quick question regarding Unifi Talk app. Ty. Love your show BTW. Keep them coming..
I have 5 SSIDs: Main, Guest, IoT, Security and Kids. I would love to learn to group users per VLAN based on credentials (kids vs main) but I think I'll keep the IoT, guest and security separate SSIDs.
I have been using UniFi RADIUS with enterprise at home. I give all guests their own ID/password. Each user is placed on internal or guest network. I have several IoT networks on SSIDs and just learned about preshared keys and will probably switch all IoT networks to one SSID.
I’d love a WPA2 Enterprise video
Hi Willie - I'm having issues setting up a network with Stripe as the payment processor. Any videos that can help with this? Thanks!
I have worked a few places; at one there was a pre-shared key & password, but I migrated them to one SSID using enterprise Active Directory that requires their AD credentials. I currently work at a place where they push profiles and certs to authorized computers that auto-magically connect to the wireless if they don't have a LAN cable plugged in (or if there is something wrong with the LAN connection).
Nice quick discussion, looking forward to some RADIUS authentication and VLAN assignment.
I run a few SSIDs on my Unifi APs at home, one for Private stuff with VLAN assigned by RADIUS, one for Guest with a capture portal, and a few "Test" SSIDs for when I am messing around with stuff I want to keep separate from the home network, or restrict from getting "out".
By capture do you mean packet sniffing or what?
Great video, would really like WPA 2 Enterprise video, which uses Azure AD, authentication/authentication when connecting to a PSK SSID. Currently using Entra ID to push a WPA 2 password to SSID, which is OK for corporate devices, but for BYOD devices have to manually add password for SSID. Made big mistake in giving password to a couple of people. You guessed it, one man and his dog is now loading in their BYOD devices onto the corporate network.
I've been trying to avoid more than 3 SSIDs at home - private, guest and IoT. All my Unifi cameras are on their own VLAN, and all are hardwired except for one in the shed. I tried to use the Virtual Network Override feature to let it connect to my private SSID and then shift to my camera VLAN, but it seriously wrecked my Protect camera connectivity - even the hardwired ones. I need to revisit since firmware and OS have been updated since my last attempt. Staying with 3 SSIDs in the meantime.
Want to see you deploy this
Please create a video on WPA Enterprise and preshared keys on both Grandstream and Unifi. I am trying to decide between the 2. In my case I have no RADIUS servers or Active Directory but am willing to spin one up in my pfSense or Unraid server. But not a Windows AD server!
With preshared keys, why do you need more than one for a residential application?
I went from 4 to 2 at home by doing that
Probably not, good observation
Two SSIDs: private and guest. I don't find an IoT SSID useful since I only use Zigbee, Zwave or Thread devices and self-host all IoT services with Home Assistant. No cloud dependent IoT devices allowed!
Been looking for an NPS for dynamic vlan assignment video. Thumbs up from me if you do one
I always figured there'd be a higher resource overhead with multiple SSIDs (and VLANs of course), and luckily I am at four now due to trying to keep separation between my networks. One for IoT (home assistants - both Google and Alexa, and ESP based), one for Hikvision network (cameras), one for private for trusted PCs, tablets, phones, and one I just added for the Home Assistant network. So bottom line I don't trust anything on my IoT network, the Hikvision camera network I don't trust, and if anything in either network was compromised, I don't want anything from either network being able to access the other network (especially cameras).
Most of my sites run at min 4. Office, sec cameras with multicast, guest, iot
Security cameras on wireless seem like a bad idea. A somewhat intelligent person could flood the wireless channel just to break down its comms, rendering them useless.
@JWarrenPhilly A few of the cameras are where I can't run a wire, or it's used to monitor things because it's hard to get to to read a meter. The buildings I install them at, you can't get in to flood the WiFi; they are designed to block all external signals.
I have the default, guest, IoT, business1 and business2 SSIDs - business 1 and 2 are routed through a VPN. Business 2 is not so important and runs on UDM base (WiFi 5 only, after I found out about the 4 SSID limit), the other 4 are broadcast on my 2 U6 Pros. One U6 Pro is wireless meshed so it's not an option to turn it off to get 8 SSIDs.
What difference have you seen between the Grandstream APs and the Unifi APs with regard to VOIP?
Grandstream is great for latency sensitive apps (VoIP, video, etc).
When you start talking about Radius, LDAP, certificates, active directory credentials, pre-shared keys, etc.. you lose a lot of regular people. For people that don't know anything about IT, having separate SSIDs is really easy. People just want to get online. They don't want to bother about whether they are using more or less than 640KB of RAM. You also start about "training your users". It seems to me you have limited experience with human beings. 🙂 For our family holiday house, I have no goal to train my old mother's friends about Radius or LDAP when they come to stay there for a weekend (and I am not there when that happens).
Just remember, those are the ones that are targets for the bad guys. Someone has to be the gatekeepers.
@RonnieRedd Your reply makes no sense.
@SeanChYT which part? Their CC number is a target and if their account can be escalated to a domain administrator then...
@RonnieRedd Still makes 0 sense.
@SeanChYT What security do you use?