Wifi Concern at Hospital

Yea, that's why I keep using the ASA/AnyConnect. AC is one of the best enterprise clients, and it's also allowed on my locked down work laptop, so I can connect from that device too.

I had a Meraki at one time but I'm not paying their annual fees. I can get free Cisco ASA licenses.
 
Yeah, that's been my experience with several guest WiFi services (healthcare included, I also work in Health Care, though on the services side of things), they tend to block L2TP and IPsec. More recently, rules have been incorporated to allow broad blocking of consumer VPNs (even over SSL, since it's the target addresses that are blocked) and DoH.

This is why having a home or work SSL VPN is useful, because it won't get blocked, since something like AnyConnect is indistinguishable from other HTTPS traffic. So unless you are using permit-only rules, which would be a disaster to maintain when compared to dynamic block lists, this is pretty much guaranteed to work.
Yep, we use AnyConnect for our VPN needs as well. But as most people don't have something like that set up for use outside of IT and just use the standard VPN setups, it makes it more difficult for your average user to protect themselves. I know our guest wifi blocks all the consumer VPNs, even those that use OpenVPN or WireGuard. We get numerous complaints from both employees and non-employees and we just tell them the same thing every time. VPNs are blocked on guest wifi, you can't use them.
 
What's the argument for blocking VPNs on a guest wifi? What's the risk, assuming you're using wifi client isolation?

That is sort of the purpose, right? Non-employees, like contractors/consultants/etc, can all connect back to their work resources, since they should be blocked on the enterprise network.

If you block it, they just wifi tether to a phone and now you have channel interference on your APs.
 
What's the argument for blocking VPNs on a guest wifi? What's the risk, assuming you're using wifi client isolation?

That is sort of the purpose, right? Non-employees, like contractors/consultants/etc, can all connect back to their work resources, since they should be blocked on the enterprise network.

If you block it, they just wifi tether to a phone and now you have channel interference on your APs.
You generally block consumer VPNs and DoH to force traffic to be compliant with "acceptable use" (filtering) policies (porn, malware, botnets...etc.).

If your org uses an SSL VPN like AnyConnect, it will work fine.
 
I had a family member that was in the hospital 38 days.......

I took my work laptop and have a built in VPN/Zero Trust Network Access (Zscaler), so wasn't an issue for me. If you're worried, get a VPN.
 
You generally block consumer VPNs and DoH to force traffic to be compliant with "acceptable use" (filtering) policies (porn, malware, botnets...etc.).

They're going to have an issue when ESNI becomes more common. At that point, it'll be DNS inspection only.
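The point in the last two posts (filters classify HTTPS by the server name in the TLS ClientHello, and ESNI/ECH takes that away) can be shown with a small parser. This is an added example, not code from anyone in the thread: it builds constructed ClientHello records, extracts the plaintext SNI the way a guest-wifi filter would, matches it against a constructed block list of placeholder hostnames, and reports "unknown" when no usable SNI is present or when the ECH extension is there (the code point 0xfe0d is the one from the TLS ECH draft; the block-list names are invented for the example).

```python
import struct

# Constructed block list of placeholder hostnames (not real services).
BLOCKED_SNI_SUFFIXES = ("example-vpn.test", "doh.example.test")
# encrypted_client_hello extension code point from the TLS ECH draft (assumption noted).
ECH_EXTENSION_TYPE = 0xFE0D


def build_client_hello(server_name=None, extra_extensions=()):
    """Build a minimal TLS ClientHello record as constructed test input."""
    exts = b""
    if server_name is not None:
        name = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name (0)
        sni_body = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # server_name ext
    for ext_type, ext_data in extra_extensions:
        exts += struct.pack("!HH", ext_type, len(ext_data)) + ext_data
    body = (
        b"\x03\x03" + bytes(32)            # client_version, random
        + b"\x00"                          # session_id length 0
        + b"\x00\x02\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                      # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def parse_client_hello(record):
    """Return (sni_hostname_or_None, set_of_extension_types) from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                       # skip handshake header, version, random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    cm_len = hs[p]; p += 1 + cm_len
    if p >= len(hs):
        return None, set()               # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    sni, types = None, set()
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        edata = hs[p:p + elen]; p += elen
        types.add(etype)
        if etype == 0x0000 and len(edata) >= 5:
            name_len = struct.unpack("!H", edata[3:5])[0]
            sni = edata[5:5 + name_len].decode("ascii", "replace")
    return sni, types


def classify(record):
    """Filter decision a guest-wifi policy can make from the ClientHello alone."""
    sni, types = parse_client_hello(record)
    if ECH_EXTENSION_TYPE in types or sni is None:
        # Outer SNI is only the public name (or absent): nothing usable,
        # which leaves DNS or destination-IP reputation as the only signal.
        return "unknown"
    if sni.endswith(BLOCKED_SNI_SUFFIXES):
        return "block"
    return "allow"


if __name__ == "__main__":
    for name, extra in [("vpn.example-vpn.test", ()), ("news.example.test", ()),
                        (None, ()), ("public.cdn.test", [(ECH_EXTENSION_TYPE, b"\x00")])]:
        print(name, "->", classify(build_client_hello(name, extra)))
```

The last case is the one the post is about: an ECH-capable client sends a ClientHello whose visible SNI is a generic public name, so a suffix match on a VPN or DoH hostname no longer fires and the filter falls back to DNS inspection.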
 
"Teleport" built into the WiFiman app for UniFi products is decent.
One click works.
With my Pixel 9 it will flake out after a few hours, but so does the Google Fi VPN.
Have to turn it off and on... and everything is good again.
 
What's the argument for blocking VPNs on a guest wifi? What's the risk, assuming you're using wifi client isolation?

That is sort of the purpose, right? Non-employees, like contractors/consultants/etc, can all connect back to their work resources, since they should be blocked on the enterprise network.

If you block it, they just wifi tether to a phone and now you have channel interference on your APs.
I'm not sure in the end, especially since the guest wifi is totally open with no password or anything on it, just a redirect to a page before you can use it after connecting to say you agree with the terms and policies and click the button to let you start using the wifi. Acceptable use policy and all that is already part of the page you click on to use the wifi. Funny thing is the old group that ran this area didn't block VPNs on the guest wifi while the new one that took over a couple of years ago does. They also force everyone, employees and non-employees, to use the guest wifi for personal devices and only registered corp devices are allowed on the main corporate wifi. They have no other wifi options available, which leads to some other issues that I won't go into here.

Others and I have brought this up with management, but since the new group doesn't care what anyone has to say other than management types, we don't matter. I gave up a while ago trying to get anything changed for the better.
 
Good to ask.

My wife has worked at a hospital for 25 years and has used their public WiFi since 2007 on her iPhones and done banking and other financial transactions without issue.
 