Separated WiFi networks with same SSID different password


So I'd like to have three isolated WiFi networks on my openwrt router: Lan, guest, iot.
Using three different SSID names is going to waste some air time due to many control messages. So I wonder if there's an option to use one SSID with three different passwords one for each network time. I need openwrt to figure out according to the password which network to associate a client to. Some commercial routers support such functionality, is there something similar in openwrt?
The alternative would be to use wpa2 Enterprise but I wonder if any iot client will support it.


You’re correct, Enterprise and a RADIUS server are generally required for by-client auth and VLAN assignment.

Three SSIDs isn’t so bad for beacon pollution, especially if you disable the legacy rates (beacons are sent at slowest, supported rate).


I've also seen that it's possible to use MAC addresses with a RADIUS server to assign different clients to different vlans but that does not seem very secure.

So I understand there is no option in hostapd to define multiple passwords for a single SSID and assign a vlan per password? Could have been useful to avoid the beacon pollution or the requirement to setup an Enterprise configuration.

You can also consider adding IOT devices on the guest Network. That's what I am using for my own network. Client isolation is enabled so clients cannot communicate with each other, and both type of devices are only able to connect to WAN IPs for internet access. That will bring your particular case down to 2 SSIDs per radio. Though honestly as already said before, even 3 SSIDs isn't bad at all in terms of beacon pollution.

In my humble opinion, using RADIUS or any similar solution is an overkill for a problem that could be easily solved using separated SSIDs.


So I guess I'll be using my guest Network, still surprised multiple passwords are not supported.

... are not a feature of the 802.11 specs for "personal" authentication.

Three SSIDs on a radio generally isn't an issue. (I run five or more, separating out the IoT devices into multiple SSIDs/VLANs). For me, as IoT is on 2.4 GHz and my "important" clients connect on 5 GHz, it is even less of an issue.

See, for example

From, set for 802.11g beacons:

1 Like