According to a June 2007 Kubernan Guiding Innovation 2007 Wireless LAN State of the Market report, 64% of enterprises are deploying guest access, placing it as the third most important application for wireless networks, behind only e-mail and internet/intranet access. Ironically, guest access has been one of the more clumsily deployed services, torn between security concerns; being a good host for clients, suppliers, and contractors; and technical limitations in network infrastructure and design.
There have been several approaches to guest access for wireless LANs, with or without wireless encryption, and with or without restricted access via access control lists. One approach has been to deploy a public-access network with a separate SSID that terminates all traffic outside the enterprise firewall. Most of these don't use any wireless security such as WPA-Personal or WPA-Enterprise, as the goal has been to make access as barrier-free as possible.
Another technique forces users to go through a gateway or portal (e.g. Bluesocket controller, Cisco BBSM, etc.) and register themselves. Sometimes this method facilitates access to an SSL VPN, or offers instructions or a tool to configure the end user's wireless supplicant. If no wireless security is offered, the user also has the option to use their corporate VPN client, unless they're a student or employee without access to such services. One limitation of self-registration is that there is no external validation, unless the portal requires some kind of credit card payment or hooks into an external authentication system such as Shibboleth or OpenID.
Other institutions have tried the "sponsored guest" approach, where an authorized employee uses a web-based portal to generate temporary credentials for their guest. These credentials could be inserted into the organization's AAA infrastructure so that the guest can use secure access via WPA-Enterprise, or they could give the guest access to a web portal. And for each of these approaches there are a dozen variations which reflect the organization's unique business requirements and capabilities.
One of the additional challenges of guest access is the growing number of ASDs (application-specific devices) such as Wi-Fi enabled smartphones (e.g. Apple iPhone) and MP3 players (e.g. Microsoft Zune) that don't easily facilitate web-portal authentication. While MAC-based authentication appears to be an easy solution, unless there is some additional device profiling and monitoring it's too weak from a security perspective. What that means is that these devices are either considered completely untrusted and placed outside the firewall, or lowest-common-denominator security such as WPA-Personal with unique pre-shared keys is provisioned.
Trapeze Networks' original guest access solution, called "GuestPass", depended on a Java-based application innovatively called "Guest Provisioning Application" to allow people such as receptionists and security guards to create non-AAA accounts with the necessary restrictions via IT-supplied templates. While Aruba and Cisco have their own guest-access solutions, Trapeze Networks' original offering led as one of the most polished.
Trapeze is attempting to keep a leg up with the introduction of "SmartPass", adding a significant stream of features. A few more new knobs have been added to access control. Rather than allowing access for so many consecutive hours or days, it's now possible to limit access to time of day (e.g. only 8 am to 5 pm), day of week (e.g. only Monday through Friday), and date range (e.g. only September 10-12). Pre-defined templates have been added to address the most common scenarios, building on the pre-existing capability to create custom ones. There is now an ability to create guest accounts in bulk for situations such as annual customer events or conferences. For those who want to tie guest access provisioning into an existing system, Trapeze has also introduced a web API, already put into use by the Bank of Montreal. SmartPass also automatically purges expired guest accounts.
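To make the sponsored-guest model and the access-control knobs described above concrete, here is an added example (written for this page, not Trapeze's code and not its web API) of a minimal guest-provisioning policy: a sponsor issues a time-limited account, the network's authentication step evaluates it against date range, day of week and time of day, and a scheduled job purges expired accounts. All names, the account structure and the sample dates are assumptions constructed for the example; the only real dependency is the Python standard library.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
import secrets

# Weekday numbers follow datetime.weekday(): 0 = Monday ... 6 = Sunday.
WEEKDAYS = frozenset(range(5))  # Monday through Friday


@dataclass(frozen=True)
class GuestAccount:
    """A sponsored guest credential with its access window (hypothetical structure)."""
    username: str
    password: str
    sponsor: str            # employee who vouches for the guest (audit trail)
    valid_from: date        # first day access is allowed (inclusive)
    valid_until: date       # last day access is allowed (inclusive)
    allowed_days: frozenset # set of permitted weekday numbers
    start_time: time        # earliest time of day (inclusive)
    end_time: time          # latest time of day (exclusive)


def issue_guest_account(sponsor, guest_name, valid_from, valid_until,
                        allowed_days=WEEKDAYS,
                        start_time=time(8, 0), end_time=time(17, 0)):
    """Create one guest account with a random password and the given window.

    The sponsor is recorded so every account traces back to an employee;
    the password is generated, never chosen by the guest.
    """
    if valid_until < valid_from:
        raise ValueError("valid_until must not precede valid_from")
    username = "guest-%s-%s" % (guest_name.lower(), secrets.token_hex(2))
    password = secrets.token_urlsafe(12)
    return GuestAccount(username, password, sponsor, valid_from, valid_until,
                        frozenset(allowed_days), start_time, end_time)


def issue_bulk(sponsor, guest_names, valid_from, valid_until, **window):
    """Bulk creation for an event: one account per attendee, same window."""
    return [issue_guest_account(sponsor, name, valid_from, valid_until, **window)
            for name in guest_names]


def is_access_allowed(account, when):
    """Policy check the AAA/portal step would run at authentication time.

    All three restrictions must hold: date range, day of week, time of day.
    """
    if not (account.valid_from <= when.date() <= account.valid_until):
        return False
    if when.weekday() not in account.allowed_days:
        return False
    if not (account.start_time <= when.time() < account.end_time):
        return False
    return True


def purge_expired(accounts, today):
    """Drop accounts whose last valid day is already past (the nightly cleanup)."""
    return [a for a in accounts if a.valid_until >= today]


if __name__ == "__main__":
    # Constructed sample: a three-day visit, September 10-12, weekdays 8-5.
    acct = issue_guest_account("alice", "bob", date(2007, 9, 10), date(2007, 9, 12))
    print(acct.username, is_access_allowed(acct, datetime(2007, 9, 11, 10, 0)))
```

The check runs every time a guest authenticates, not only when the account is created, which is what lets an account that is still within its date range be refused outside working hours. Purging removes the credential itself rather than relying on the policy check alone, so a leaked expired password cannot be reused once the cleanup has run.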
Unlike some products that require configuration on a per-controller basis, Trapeze has developed the GuestPass solution as a piece of software separate from their management component, RingMaster. It communicates with all the controllers, and even in an N+1 configuration with failover, guest access continues seamlessly.
One aspect where SmartPass falls short is out-of-the-box support for location-based restrictions. While that's possible with the additional purchase of Trapeze's location application, the LA 200, some kind of coarse location-based restriction should have been included. There are times when an organization may want to restrict guest access to just the lobby and conference rooms in the main building, with no access in other buildings around campus.
Trapeze will charge just under $2,000 for an enterprise license that supports 10,000 guest accounts.