Guest high-speed Internet access (HSIA) is a required amenity for all hospitality properties today. Implementing a guest HSIA network requires considering numerous special circumstances that are unique to the hospitality industry.
Hospitality guest HSIA networks are built around the need to let end-users “bring your own device” (BYOD). The network infrastructure required to support BYOD is radically different from that of a typical corporate network, where each and every device permitted onto the network is owned by the company and supported by enterprise IT. BYOD networks face complex challenges that are absent from corporate networks, which are purposefully restricted to serving a homogeneous set of devices policed by a central authority.
Authentication and authorization of devices on a typical corporate network is largely a matter of maintaining a database of all known devices together with a mapping from those devices to network privileges and to the logical organization/data-link topology. For example, a laptop connected to a corporate IT network is known to be used by a regional sales manager because the end-user entered valid credentials at the operating system login prompt. The network AAA system can then authorize the authenticated device for specific network privileges such as membership in the VLAN for sales managers.
Most hotels want to restrict access to the guest HSIA network to guests who are checked into rooms. However, in a guest HSIA network there is no a priori knowledge of the set of permissible devices, nor a mapping between devices and privileges. Thus most guest HSIA networks operate with bare-minimum authentication policies.
Properties deploy hospitality-industry-specific customer relationship management (CRM) systems called property management systems (PMS). The most common bare-minimum authentication policy for guest HSIA networks is an Internet gateway that authenticates PMS credentials. Credentials usually take the form of a last name and room number tuple and are usually gathered via a forced web browser redirect to a captive portal. Such mechanisms allow all devices, valid or otherwise, to connect to the local area network, which is almost universally deployed as a single large broadcast domain. The gateway then selectively enables those devices that have provided valid credentials to pass traffic to and from the Internet uplink.
Hospitality guest HSIA network requirements have evolved over time with the proliferation of Internet-connected devices. Guest HSIA networks were originally designed to support each guest bringing a single laptop computer, with particular emphasis on the business traveler use case. The single-device use case is well addressed by the bare-minimum on/off authentication policy implemented in a classic guest HSIA network composed of a single large broadcast domain. However, the bare-minimum approach fails to address contemporary guest HSIA needs.
Contemporary hotel guest HSIA requirements emphasize the deployment of personal area networks (PANs) to deliver a “home-like” network experience to guests. The goal is to allow a guest's devices to interact with each other as if they were connected to the guest's home network. The “home-like” interaction requirement is in addition to the basic BYOD requirement that existed previously. Furthermore, the contemporary hotel guest room is equipped with numerous network-connected devices including but not limited to smart TVs, thermostats, and light and window blind controllers.
The desire for personal area networks drives hotel guest HSIA architectures towards congruence with corporate network architectures. From an L2 networking perspective it is possible to treat rooms in a hotel in a manner similar to departments in a company. IEEE 802.1q VLANs are used to provide L2 segmentation at the departmental level in a typical corporate network. Similarly, VLANs may be used in a guest HSIA network architecture to implement guest room PANs. Assigning each guest room a unique VLAN and placing guest devices into the room VLAN provides an environment in which the guest devices communicate in the same manner they would at the guest's home. However, the admission control and device-to-VLAN mapping of a hospitality guest HSIA network is an extremely complex problem.
Admission of wireless devices onto a corporate network is typically achieved through WPA2 Enterprise with 802.1X. Similarly, admission of wireline devices is achieved through switch port 802.1X. Most 802.1X clients, including but not limited to those built into Microsoft Windows, Apple MacOS X, Google Android and Apple iOS, present a credential challenge that asks for a username and password. Thus most IEEE 802.1q enabled networks use AAA servers to store mappings from username/password tuples to VLANs. Distribution equipment that utilizes 802.1X for admission is almost always capable of assigning an 802.1q VLAN during the admission process. The use of 802.1X is unlike the forced browser redirect to a captive portal approach in that the device need not be connected to the LAN in order to provide credentials.
Both authentication and authorization of VLAN assignment are usually accomplished through RADIUS communication with a AAA server. The IT administrator typically maintains credentials and VLAN mappings through a manual process. Corporate IT has a complete understanding of every device that will be admitted to the network, as these devices are owned by the corporation. Device turnover is typically budgeted and staged, making manual management reasonable.
The use of 802.1q VLANs to deploy PANs drives hospitality guest HSIA AAA requirements towards a superset of those typically found in a corporate network. The classic hotel guest HSIA network authentication approach, a forced browser redirect to a captive portal that collects credentials for a binary authentication decision, is completely incompatible with a network architecture that incorporates a separate broadcast domain for each room. The foremost problem is that a forced browser redirect to a captive portal requires that the guest device already be connected to the local area network. This is a reasonable assumption in the classic guest HSIA network architecture, where there is only a single broadcast domain. However, in a guest HSIA network architecture where 802.1q VLANs are used to enable per-room PANs, the VLAN should be known before the device is admitted to the local area network. Thus a paradox exists that prevents the typical forced-browser-redirect-to-captive-portal approach from functioning in a guest HSIA network with PANs implemented through 802.1q VLANs.
Admission to a PAN network architecture where one VLAN is created per room should involve a AAA process similar to binding a corporate device to a departmental L2 domain where there is one VLAN per department. Thus a hospitality guest HSIA network that implements PANs via 802.1q VLANs will typically have a AAA server present that stores credentials and the device-to-VLAN mapping, similar to an 802.1q enabled corporate LAN. However, the guest HSIA network authentication and authorization paradigm is more complex in that the hotel guest HSIA network involves broad-spectrum BYOD, whereas the corporate network is composed entirely of devices that are authorized by corporate IT.
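The RADIUS side of the 802.1X admission described above (the AAA server that stores a credential-to-VLAN mapping and returns the VLAN during admission), as an added example that is not part of this document: a lookup that maps PMS-style credentials (room number and last name, a constructed table here) to a room VLAN and encodes the RFC 3580 tunnel attributes an 802.1X-capable switch or controller reads from an Access-Accept. The attribute numbers and values are the standard ones from RFC 2868/3580; the tag value, the guest table and the function names are assumptions.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and the tunnel values RFC 3580
# uses to carry an IEEE 802.1q VLAN assignment back to the switch/controller.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TAG = 1  # assumed tag byte grouping the three attributes (RFC 2868 section 3.1)

# Constructed stand-in for the PMS guest table: (room, last name) -> room VLAN.
PMS_GUESTS = {
    ("1412", "sanchez"): 1412,
    ("0307", "ng"): 307,
}

def tagged_int(attr_type, value):
    # Type, Length, then Tag byte followed by the value in the low three bytes.
    body = bytes([TAG]) + struct.pack("!I", value)[1:]
    return bytes([attr_type, 2 + len(body)]) + body

def tagged_string(attr_type, text):
    body = bytes([TAG]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body

def vlan_attributes(vlan_id):
    # The three attributes a NAS expects in an Access-Accept to place the
    # port or wireless station into a specific 802.1q VLAN.
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))

def authorize(username, password):
    """Room number as 802.1X username, last name as password.
    Returns (accept, attribute_bytes); a miss yields a reject with no attributes."""
    vlan = PMS_GUESTS.get((username.strip(), password.strip().lower()))
    if vlan is None:
        return False, b""
    return True, vlan_attributes(vlan)

def parse_attributes(raw):
    """Decode the TLV list back into {type: (tag, value)}, as a NAS would."""
    out, i = {}, 0
    while i < len(raw):
        t, ln = raw[i], raw[i + 1]
        if ln < 3 or i + ln > len(raw):
            raise ValueError("malformed attribute")
        body = raw[i + 2:i + ln]
        tag, val = body[0], body[1:]
        out[t] = (tag, val.decode() if t == TUNNEL_PRIVATE_GROUP_ID
                  else int.from_bytes(val, "big"))
        i += ln
    return out
```

Calling `authorize("1412", "Sanchez")` yields an accept whose attributes decode to Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802 and Tunnel-Private-Group-ID "1412", which is what lets the VLAN be bound before the device is admitted rather than after a captive-portal login.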
For the foregoing reasons, there is a need for a system that enables a hospitality property to deploy a guest HSIA network with PANs using the per-room VLAN approach that interoperates with 802.1X enabled wireless and wireline network distribution equipment.