Prevent SSID/network trespassing

In many large Wi-Fi deployments, we often need to broadcast different SSID for different purposes, eg. one SSID for internal staff or premium guests, one SSID for public user, while sharing the same hotspot infrastructure:

  • same APs (each AP broadcasts multiple SSID)
  • same switches (each SSID is mapped to its respective VLAN)
  • same HotSpot gateway (each VLAN is running its own hotspot instance, with it's own customized landing page and access control)
  • same AAA/RADIUS (while residing in the same RADIUS user database, each user must be restricted to permit login from its own SSID/VLAN only)

Preventing SSID trespassing is to make sure that, while sharing the same hotspot infrastructure, users who are restricted to access its own SSID/network and can not trespass to other SSID/network which gives different privileges and security control etc.

Generally, there're two approaches to prevent SSID trespassing:

  1. under the HSG hotspot instance, configure hotspot controller to point to different external RADIUS servers for different instances, so that each instance authenticates with its own set of user database. eg. configure "radius-server <server1> <radiuskey> <server2>" under hotspot instance config. See details.
  2. if all instances share the same RADIUS (eg. HSG built-in RADIUS server), under the RADIUS user access setting, tag each user (or user profile) to their respective VLAN/network only.

This document focuses on scenario #2 above, using below network setup

  1. SSID VLAN10 is a public user Wi-Fi access, using email self-registration or social sign-in.
  2. SSID VLAN20 is for premium user Wi-Fi access, using pre-generated voucher from GMC (see GMC).

The objective here is to make sure public user can't login to VLAN20 which is dedicated for premium access with much higher speed.

You can refer to earlier labs for setting up HSG, MAP and Captive Portal for each vlan.

Once VLAN10 is up and running, each self-registered public user is auto tagged to a profile, either called <hostname>-<vlanid>-byemail or <hostname>-<vlanid>-byfacebook, then we create a RADIUS profile to restrict all users tagged to this profile to login from VLAN10 only, by adding VLAN10 hotspot IP.

Where in above screenshot, "" is the hotspot IP of VLAN10 (user's default gateway). It's the IP of hotspot LAN Interface, or you can get it from HSG CLI from below:

mbox# show security hotspot

Authentication service: running


HotSpot service: running


LAN TUN Server IP Client-Net Client-DHCP DHCP Issued Clients


vlan10 tun0 / 2 2

vlan20 tun1 / 1 0

If you want to restrict more (or allow more vlan access for users with this profile), you can add multiple LAN interface IP in above RADIUS profile setting.

Watch live demo on youtube