Multiple VLANs - Multiple SSIDs or Single SSID and Multiple VLANs (RADIUS)

I have a question regarding best practice. I have a case where I need multiple VLANs in wireless networks. What is more performant?

Having multiple SSIDs, each with its own VLAN (this also means that they will be on the same channel on that AP), or having one SSID for all and assigning VLANs based on RADIUS MAC auth rules?

I'm also wondering whether there is a way to encrypt open communication...

Thank you


Solution 1:

Ideally you want only one SSID for each 802.11 security method you wish to employ (802.1X, PSK, and/or Open). To accommodate multiple VLANs, you would typically return a VLAN assignment from a RADIUS server or utilize a vendor's proprietary solution. The absolute maximum number of SSIDs you want to consider having should be no more than 4-6, but it is better if you use a maximum of 2-3.

Cisco's best practices document recommends 1-3 SSIDs:

It is recommended to have one to three SSIDs for an enterprise, and one SSID for high-density designs.

Aruba's best practices give an even lower target of 2:

Use as few SSIDs as possible. Generally, one WPA2 Enterprise SSID and one Open SSID are more than enough.

Why these numbers? There are two primary reasons. First, most wireless industry experts/vendors would agree that using separate SSIDs (with the same 802.11 security) simply to provide differing levels of access/privilege is poor design and security.

Ideally you would want to enforce any sort of access restriction or security policy based on the role of the user and/or device in the organization. Aruba probably gives one of the best official statements to this effect in this document:

[...] SSIDs are used for user classification and access rights policing. Thus users are assigned access rights not by their identities but by their SSID association which could give a malicious spoofer privileged access into the network. The solution requires Employee A in the sales department to associate with the “Sales” SSID for the right network access privileges. Associating with the “Employee” SSID could result in Employee A gaining access to a privileged set of servers not accessible to the Sales user group. This is because the rights are assigned by the SSID and not Employee A’s identity or authentication profile.

It is also easier to implement, support, manage and enforce when all employees connect securely to one 802.1X SSID that assigns access/privileges based on their role. No time is wasted in figuring out which network they should connect to (or even which one to connect to for different functions). There is less confusion for end users as well, since they all connect to the same SSID.

The second reason for lowering the number of SSIDs is spectral efficiency; in other words, since 802.11 is a shared medium, you want to increase the amount of "airtime" available to actual data and reduce the amount of non-data traffic such as management frames.

The general rule of thumb is the more SSIDs your wireless network is broadcasting, the less efficient it will be (i.e. less capacity for actual data traffic). Each SSID requires that the AP generate and send a beacon every "period of time" (usually about every 100 milliseconds). These beacons (and other management frames such as probe requests and responses) will typically use a much lower data rate than would normally be used for data traffic and as such take up a disproportionate amount of airtime.

Most of the references citing statistics for multiple SSIDs that I am aware of are older documentation. The numbers may not be as exact due to changes in 802.11, but the principles still apply. Data rates have increased, but so has the size of the typical beacon frame. Anyhow, here are references from Aruba's Airheads Community and Revolution Wi-Fi that provide statistics showing the impact of multiple SSIDs.
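The answer above says the usual way to put one 802.1X SSID onto several VLANs is to "return a VLAN assignment from a RADIUS server". The following is an added example, not code from the answerer or from any vendor: it encodes the standard RFC 3580 / RFC 2868 reply attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number) for a role looked up in a constructed role-to-VLAN table, and then parses them back the way an AP or controller would, honoring the group ID only when a matching Tunnel-Type and Tunnel-Medium-Type are present. The attribute numbers are the real ones from those RFCs; the role table and the tag conventions (tag 1, with an untagged string accepted) are assumptions for the example.

```python
# Added example: RFC 3580 dynamic VLAN assignment attributes, encode and decode.
# Attribute type numbers and enum values are from RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64                 # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65          # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81     # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value "IEEE-802"

# Hypothetical role -> VLAN policy (constructed for this example, not a real site).
ROLE_VLANS = {"employee": 10, "sales": 20, "guest": 90}


def _attr(attr_type, payload):
    """RADIUS attribute TLV: type (1 octet), length (1 octet, includes header), value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def _tagged_int(attr_type, value, tag=1):
    """Tagged integer (RFC 2868 section 3.1): 1-octet tag + 3-octet big-endian value."""
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def _tagged_str(attr_type, value, tag=1):
    """Tagged string (RFC 2868 section 3.6): 1-octet tag + string."""
    return _attr(attr_type, bytes([tag]) + value.encode("ascii"))


def vlan_reply_attributes(role):
    """RADIUS server side: build the Access-Accept attributes that place `role` on its VLAN."""
    vlan = ROLE_VLANS[role]
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def parse_attributes(blob):
    """Split a run of RADIUS attribute TLVs into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_reply(blob):
    """AP/controller side: return the VLAN ID to apply, or None if the reply does not carry
    a consistent VLAN assignment (no tunnel type/medium, non-numeric or out-of-range ID)."""
    types, media, groups = {}, {}, {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            tag, number = value[0], int.from_bytes(value[1:], "big")
            (types if attr_type == TUNNEL_TYPE else media)[tag] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups[tag] = text.decode("ascii", "replace")

    for tag, group_id in groups.items():
        # An untagged group ID (tag 0) pairs with whatever single type/medium was sent.
        tunnel_type = types.get(tag) if tag else next(iter(types.values()), None)
        medium = media.get(tag) if tag else next(iter(media.values()), None)
        if (tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802
                and group_id.isdigit() and 1 <= int(group_id) <= 4094):
            return int(group_id)
    return None


if __name__ == "__main__":
    for role in ROLE_VLANS:
        reply = vlan_reply_attributes(role)
        print(f"{role:9s} -> {reply.hex()} -> VLAN {vlan_from_reply(reply)}")
```

The decode side is where the security value sits: the client never chooses the VLAN, the AP applies whatever the authenticated identity's RADIUS reply says, and a reply that lacks a matching Tunnel-Type/Tunnel-Medium-Type pair yields `None` so the AP can fall back to its configured default VLAN rather than trusting a stray string.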
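The answer's second point, that every extra SSID costs a beacon roughly every 100 ms sent at a low data rate, can be put into numbers. This is an added example, not part of the answer or of the vendor documents it cites: a simplified airtime model that takes the beacon interval as 100 TU (1 TU = 1024 µs, the 802.11 default), a constructed beacon size of 250 bytes, and per-band assumptions of 1 Mbps with a 192 µs long preamble for 2.4 GHz and 6 Mbps with a 20 µs OFDM preamble for 5 GHz. It ignores OFDM symbol padding, inter-frame spacing and probe traffic, so real overhead is somewhat higher than what it prints.

```python
# Added example: estimate beacon airtime overhead as a function of SSID count.
# All sizes, rates and preamble durations below are assumptions for the model.
BEACON_INTERVAL_US = 100 * 1024          # 100 TU, the usual default beacon interval

# (rate in Mbps, preamble+PLCP header in microseconds) for the lowest basic rate
# each band typically beacons at; constructed assumptions, not measured values.
BANDS = {
    "2.4 GHz (1 Mbps, long preamble)": (1.0, 192.0),
    "5 GHz (6 Mbps, OFDM)": (6.0, 20.0),
}


def beacon_airtime_us(beacon_bytes, rate_mbps, preamble_us):
    """Microseconds one beacon occupies the channel: preamble plus payload at the beacon rate."""
    if beacon_bytes <= 0 or rate_mbps <= 0:
        raise ValueError("beacon size and rate must be positive")
    return preamble_us + beacon_bytes * 8 / rate_mbps


def beacon_overhead(ssid_count, beacon_bytes=250, rate_mbps=1.0, preamble_us=192.0):
    """Fraction of each beacon interval consumed by beacons when `ssid_count` SSIDs
    share one radio; each SSID needs its own beacon per interval."""
    if ssid_count < 0:
        raise ValueError("ssid_count must be non-negative")
    per_beacon = beacon_airtime_us(beacon_bytes, rate_mbps, preamble_us)
    return ssid_count * per_beacon / BEACON_INTERVAL_US


def overhead_table(max_ssids=8, beacon_bytes=250):
    """Overhead fraction for 1..max_ssids SSIDs on every band in BANDS."""
    return {
        band: [beacon_overhead(n, beacon_bytes, rate, pre) for n in range(1, max_ssids + 1)]
        for band, (rate, pre) in BANDS.items()
    }


if __name__ == "__main__":
    for band, fractions in overhead_table().items():
        print(band)
        for n, frac in enumerate(fractions, start=1):
            print(f"  {n} SSID(s): {frac * 100:5.2f}% of airtime spent on beacons")
```

Under these assumptions a 2.4 GHz radio loses about 2.1% of its airtime per SSID before any client associates, so the 4-6 SSID ceiling the answer mentions already costs around a tenth of the channel; raising the minimum basic rate (so beacons go out faster) is the usual lever besides cutting SSIDs.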