Three SSIDs to rule them all: guest, staff, and IoT WiFi setup guide

PODCAST SCRIPT: 'Three SSIDs to rule them all: guest, staff, and IoT WiFi setup guide' [INTRO & CONTEXT - 1 min] You are a senior network consultant delivering a confident, authoritative briefing to a client. Speak in British English with a clear, measured, professional tone. Calm authority, not academic. Conversational but precise. Pace is steady and deliberate: Welcome to the Purple WiFi Intelligence technical briefing series. Today we are covering the three-SSID WiFi design - the architecture that separates guest, staff, and IoT traffic onto distinct, isolated networks using a single wireless infrastructure. If you manage WiFi for a hotel, retail estate, conference centre, stadium, or any venue where you run both public-facing and operational networks, this briefing is directly relevant to you. [TECHNICAL DEEP-DIVE - 5 min] Let me set the context first. Most enterprise venues today are running at least five or six SSIDs. There is one for guests, one for staff, one for point-of-sale terminals, one for IoT devices, maybe a hidden one for contractors, and often a legacy one that nobody quite remembers why it exists. Each of those SSIDs broadcasts a beacon frame every 100 milliseconds at the lowest data rate on the radio. In a dense venue with 50 access points on the same channel, that is hundreds of management frames per second consuming airtime before a single byte of user data is transmitted. The industry consensus is clear: broadcast no more than three SSIDs per radio. Three is the number that balances security segmentation against wireless performance. So the three-SSID design is this. SSID one: an open Guest WiFi network with a captive portal for visitor access. SSID two: a WPA2 or WPA3-Enterprise network for staff and secure guests, using 802.1X and RADIUS authentication. SSID three: an xPSK network for IoT devices, card terminals, digital signage, and printers, using per-device pre-shared keys to dynamically assign VLANs by device identity. Three SSIDs. Three completely isolated network segments. One physical wireless infrastructure. Let us go through each one in detail. Let us go through each one in detail. SSID one is your Guest WiFi. You configure this as an open network - no pre-shared key, no WPA2-Personal password. The access point broadcasts the SSID without encryption at the association layer. When a visitor connects, their device gets an IP address from a DHCP server on your guest VLAN - typically VLAN 10. Every DNS query and HTTP request is intercepted by the wireless controller or a dedicated captive portal appliance, which redirects the visitor's browser to your portal page. This is where Purple's platform integrates. The captive portal handles the visitor's authentication - whether that is a social login, email registration, SMS verification, or a voucher code. It captures consent under GDPR, records the visitor's details as first-party data, and then signals the controller to grant internet access. The visitor's session is tagged to VLAN 10, and your firewall enforces a strict policy: internet access only, with an explicit deny-all rule blocking any route to your internal RFC 1918 address space. The walled garden is a critical configuration step here. Before a visitor completes the portal login, their device needs to reach the portal page itself. You configure a walled garden - a whitelist of IP addresses and domains that are accessible without authentication. This must include your captive portal server's IP or hostname, any CDN endpoints it uses, and any social login provider endpoints such as Facebook's OAuth servers or Google's authentication endpoints. SSID two is your Staff WiFi. This uses WPA2-Enterprise or WPA3-Enterprise, which means 802.1X authentication. When a staff member connects, their device initiates an EAP exchange with the access point, which acts as the authenticator and forwards the credentials to your RADIUS server. The RADIUS server validates the identity against your identity provider and returns an Access-Accept message. The key to dynamic VLAN assignment is three specific RADIUS attributes in that Access-Accept message. Attribute 64, Tunnel-Type, must be set to value 13, which means VLAN. Attribute 65, Tunnel-Medium-Type, must be set to value 6, which means IEEE 802. And Attribute 81, Tunnel-Private-Group-ID, contains the actual VLAN ID as a string. When the access point receives these attributes, it dynamically tags that session with the specified VLAN. A staff member in the finance team authenticates and lands on VLAN 20. A contractor authenticates with different credentials and lands on VLAN 30 with more restricted access. Same SSID, same physical network, completely different logical segments. Purple's cloud RADIUS service handles the RADIUS authentication layer for Staff WiFi, integrating with your identity provider and returning the correct dynamic VLAN attributes per user. SSID three is your IoT WiFi. xPSK solves a problem that neither open networks nor 802.1X can address cleanly. IoT devices, card terminals, digital signage players, and printers cannot authenticate with 802.1X. But you cannot put them on a flat WPA2-Personal network with a single shared password, because a compromised device would have access to every other device on that segment. xPSK maintains a database of unique passwords, one per device or device group. The device connects using its unique key. The controller validates the key and returns the dynamic VLAN attributes. A card terminal connects and lands on VLAN 50, your PCI DSS-isolated payment network. A smart thermostat connects and lands on VLAN 40, your IoT network with restricted routing. The vendor terminology varies. Cisco Meraki calls it iPSK. HPE Aruba calls it MPSK. Ruckus calls it DPSK. Juniper Mist and Ubiquiti UniFi both call it PPSK. The underlying architecture is identical across all five vendors. [IMPLEMENTATION RECOMMENDATIONS & PITFALLS - 2 min] You are a senior network consultant delivering a confident, authoritative briefing to a client. Speak in British English with a clear, measured, professional tone. Calm authority, not academic. Conversational but precise. Pace is steady and deliberate: Now let us talk about implementation pitfalls and real-world scenarios. The first pitfall is misconfigured trunk ports. Your switch ports carrying multiple VLANs must be configured as 802.1Q trunk ports, not access ports. If a trunk port is accidentally set as an access port, all traffic collapses onto a single VLAN and your segmentation disappears silently. Always audit your switch configuration after any change. The second pitfall is an incomplete walled garden. If your captive portal page fails to load because you have not whitelisted the correct endpoints, visitors will see a blank screen and assume the WiFi is broken. Test your walled garden from a fresh device with no cached DNS before going live. The third pitfall is MAC address randomisation. Modern iOS and Android devices use a randomised MAC address for every network they join. If your xPSK system relies on MAC address binding to associate a device with its unique key, you will have authentication failures when a device rotates its address. Use vendor implementations that bind the session to the key itself rather than the MAC. Let me give you two real-world scenarios. Scenario one: a 200-room hotel. The hotel needs to provide guest WiFi across all rooms and public areas, staff WiFi for front desk, housekeeping, and management, and IoT connectivity for smart thermostats, IPTV systems, and door lock controllers. They deploy three SSIDs across their Cisco Meraki access points. SSID one, the guest network, uses Purple's captive portal with email registration and GDPR-compliant consent capture. Guests authenticate, land on VLAN 10, and get internet-only access with a 20 megabit per second per-client rate limit. SSID two, the staff network, uses WPA3-Enterprise with RADIUS authentication against Microsoft Entra ID. Front desk staff land on VLAN 20 with access to the property management system. Housekeeping staff land on VLAN 21 with access to the housekeeping application only. SSID three, the IoT network, uses Meraki iPSK. Each smart thermostat has a unique key mapped to VLAN 40. Each door lock controller has a unique key mapped to VLAN 41. IPTV systems have keys mapped to VLAN 42. All IoT VLANs have no internet access and strict firewall rules limiting communication to their specific management servers. [RAPID-FIRE Q&A - 1 min] Now for some rapid-fire questions. Do I need a separate RADIUS server for xPSK? It depends on the vendor and scale. For small deployments, Cisco Meraki iPSK and HPE Aruba MPSK-Local can store keys directly on the controller without a RADIUS server. For enterprise scale, you need a central RADIUS server - either your own FreeRADIUS or NPS instance, or a cloud RADIUS service like Purple's. Is WPA3-Enterprise mandatory? Not yet, but deploy it where your client devices support it. WPA3's 192-bit security mode and Protected Management Frames eliminate several attack vectors present in WPA2. Run WPA3 in transition mode to maintain backwards compatibility. How do I handle BYOD on the staff SSID? Use PEAP-MSCHAPv2 for credential-based authentication, which works with personal devices without requiring certificate deployment. If you need stronger security, deploy EAP-TLS with certificates pushed via your MDM. What is the minimum viable setup for a small venue? Three SSIDs, three VLANs, a firewall with inter-VLAN rules, and a captive portal for guests. That is your baseline. You can add RADIUS and xPSK as your device estate grows. [SUMMARY & NEXT STEPS - 1 min] To summarise: the three-SSID design gives you the segmentation you need without the airtime overhead of running five or six separate networks. Guest WiFi with a captive portal handles visitor access and GDPR compliance. Staff WiFi with 802.1X and dynamic VLAN assignment handles identity-based access control. IoT WiFi with xPSK handles headless devices with per-device isolation. Your next steps: audit your current SSID count. If you are broadcasting more than three, plan a consolidation. Review your VLAN design and firewall inter-VLAN rules. And if you are not already using a managed captive portal with GDPR-compliant data capture, that is the highest-value change you can make to your guest network today. Purple's platform supports this three-SSID architecture across more than 80,000 live venues worldwide. We provide the Guest WiFi captive portal, the cloud RADIUS for Staff WiFi, and the integrations with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, and Ubiquiti UniFi to make the whole design work as a single managed system. Thanks for listening to this technical briefing from Purple. Links to the full written guide and architecture diagrams are in the show notes.