CommScope RUCKUS Community Forums

When it comes to securing guests network, it's really about balancing convenience with security. If you make guest security too cumbersome, you'll end up with guests that are dissatisfied with or bring their own portable hotspots, which then in turn degrades everyone's wifi experience.

Bottom line is, yeah, it is theoretically possible for guests to sniff and disrupt network traffic for others. I wrote a script to do so when I was 16. It would simply promiscuously look for another user on the network that appears to be having internet access, and then copy their MAC and IP address and attempt to associate. WIPS systems at the time were not advanced enough to detect this simple spoofing attack.

Modern WIPS systems are smarter and it will likely result in both users getting blocked, which means guests can still harass other guests.


WPA2-PSK will help a little with guests that don't know the key. But once a guest knows the key, they will still have the ability to eavesdrop on other guests (and if you need both a PSK and a guest pass, eavesdrop and intercept guest passes).


If you want to harden guest security, you'll want to use WPA2-enterprise with credentials you generate for the guest. Or possibly a DPSK based approach, and both need an onboarding portal with valid SSL certificates so that guests don't get duped by a bogus captive portal.


Overall, though, this seems like a lot of unnecessary work in my opinion. The majority of your guests will want to abide by the rules you set. Attempting to nab the 1% of abusers will end up harming the convenience of the rest of your users, which will ultimately lead to a worse guest network experience. I would strongly recommend instead working on a good network isolation, content filtering, and throttling strategy such that a handful of freeloading guests cannot degrade your experience.

Thanks to you all and thanks John for your great post!
I decided not to use WPA2 PSK. A basic Guest Network with Tickets valid for some hours.
Thanks!

Completely agree with John D. - for guest network WPA-PSK doesn't make sense, especially as now client OS shares with unknown number of "friends" access credentials. So it doesn't make sense to have any static reusable credentials, which will become shared very soon. I see it everyday in some companies, which don't want to use any other solutions, and are located in business centers with a lot of neighbors. They Guest network user number grows steady in time until password is changed, and than start to grow again.
Also you can't provide security to users, which are not interested in security, but want only convenience. You can't force them -- they will do as they want anyway, moving to the own mobile hotspot, and degrading environment for everybody.
So use full client isolation, and filter Internet traffic using UTM device. Clients must use only SSL and/or VPN for any type of sensitive traffic, but it have to be done by user...
It makes not much sense to make too secure Wi-Fi network, when  traffic goes through all Internet without any security...
Probably, when HotSpot 2.0 will be widely used, it will solve part of problems, but still security will mostly depend on users.
Unfortunately, most users doesn't care about privacy and / or security, convenience is the king. It is not a technical issue, it's a human nature - so no much chance to change it. 
May be this will change a bit when more an more payments will be done by mobile phones -- after user wallet will be emptied  couple of times as a result of bad security habits,  than there will be a slight chance that habits will change...

Wouldn't the wireless client isolation in the WLAN settings prevent computers from talking to each other? Aside from spoofing macs and getting somebody kicked off the network for a bit