Context:
I have 3 SSIDs
Private - VLAN101 (Can talk to VLAN100)
Guest - VLAN102 (Can’t talk to anything except internet)
IoT - VLAN103 (Can’t talk to anything except internet)
And another VLAN for servers (VL100), not an SSID.
Issue:
So, I’ve noticed that people in my household (and next door) are supplying visitors with our ‘private’ password; however, they don’t know the password. I type it into their devices.
They’re getting the password because now on Android phones you can ‘share’ the SSIDs, which will print the wireless password in plain text.
Question:
How can I keep devices separated into the correct network so people cannot share the password for private SSIDs?
Ideas:
Idea 1: Create a captive portal, one for Guest and one for Private, each with its own login. This way I can make the SSID open, but they won’t be able to share the private password as it’s one-time. The issue with this idea is that UniFi only allows you to create a captive portal with 1 accepted password (named ‘Simple Password’ in Captive Portal). I think this is dumb… but yeah.
Idea 2: I’ve tried to create the captive portals through pfSense; however, I’ve had a huge issue getting the phones to accept the self-signed cert. My Pixel 2 just does not like it and will refuse it.
Idea 3: MAC-bind the ‘allowed’ clients to Private. Sure, but this requires constant upkeep and management, and I’m not exactly sure how to enforce this in UniFi.
Idea 4: Use vouchers with no expiry for private. 2 issues with this: this isn’t very user-friendly for guest access, where I just want a simple password, and isn’t very practical for private since there’s no true-unlimited, just set the expiry to like 999d. I didn’t particularly like this idea.
Closing:
So, does anyone have a better solution than my above attempts because I’m lost for ideas now?
Thanks and I’d appreciate anyone that’s able to help. I can’t be the only one that’s facing this or a similar issue.