Been there, done that :-). It's FUN in the beginning.
Follow my story, if you have time for this.
Similar situation: holiday resort with tenants who pay for the expensive internet connection. (Quota metered by ISP because it is based on regular 4G subscriptions used in shared SXT LTE devices, with global wifi distribution in- and outdoor.)
Surrounded by more tenants from the neighboring resorts, that have no decent distributed internet. Open 52 weeks a year, typical stay 1 or 2 weeks.
Those persons around are sometimes tenants in a house with internet subscription.
The procedure and password for wifi is in the Vacation Rental Welcome book.
How to separate rightful use from abuse? Avoiding false positive and false negative detection of rogue users? Without changing the passwords for owners and regular tenants?
So information is not usable as separation/authorization. Everyone has the needed information, that is valid for the vacation season.
The wifi coverage is a square km, neighbors are only 10 meters away, and sometimes just walk by.
Wifi RF signal and wifi operation principles are not helping. Interface rate will drop, as range extends. Far away clients get much MORE air-time than intended nearby client devices.
Sector limited antenna could indeed do something to limit the coverage.
TX power manipulation is not very effective (incrementing the "antenna gain" parameter in ROS, which is indeed not about the antenna gain itself, but the compensation in the TX power for that antenna gain, and must be equal to or greater than that physical characteristic). At least this power reduction does not require math.
Setting TX power with "all rates fixed", TX power must be calculated. The 'status' of the interface gives the current max value. In my case, for my latest acquired "SXTsq 5 HP" the max TX power in region ETSI is 8 dBm, for the channel with the highest EIRP in ETSI region, which is 27 dBm.
And again the access will not drop the way we like, there is no sharp range limit, instead there is an ever-declining service speed, that extends very very far.
Lower TX power will reduce the MCS rate used, also for the local devices.
Disabling lower supported interface rates (6-54Mbps and MCS0-MCS7, is NOT possible with VHT MCS (802.11ac))
It will also make local client devices disconnect faster.
Increasing the "basic rate" to enforce a minimum good working MCS never gave a satisfactory distinction.
Access list minimum receive signal, needs a lot of tuning. And many neighbor client devices have a stronger signal than some intended local ones.
How to spot the abusing client devices? By the timing and selection of AP where they connect.
Once identified they can be denied use of the internet. (e.g. MAC based)
Denying or rejecting is the wrong action here. They will just look and test further until they regain access. Remember they have time, and are desperately seeking for internet.
Reducing their services until ISP costs are acceptable, will not inform them when they have full access or not, they have no clue. They eventually stop, because of the poor service.
In the beginning this is doable as manual filtering. But 52 weeks, many tenants. Some automation is needed.
Low power connection, outdoor AP only, wrong user for that AP (this network is on RADIUS EAP authentication, not device MAC), wrong time ... are all indications for putting that device in a list or VLAN, where they have minimal service. But it's like fighting SPAM, you are either too strict, or too loose. Intention is to just get the obvious ones. The reduced service can be gradual, based on the number of indications.
In a public city network we managed, we had to turn off some APs at night. Indeed large groups congregating outside the city library. We had to send a clear message there, that there was no service outside the library open hours.
Putting in porn filters helped a lot also. (Resident abusers.)
Rogue AP, honeypot AP outdoor etc are just next possibilities, to identify abusers.
Identifying client devices that get a DHCP address (also) outside the business hours, is an identifier.
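
The indication counting described in the post above (low signal, outdoor AP only, wrong user for that AP, wrong time), as an added example that is not part of the original post. The AP names, RADIUS identities, signal threshold, quiet hours and tier names are all assumptions, and the session records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

# All values below are assumptions for illustration, not from the post.
OUTDOOR_APS = {"ap-pool", "ap-gate"}
USER_APS = {"house12": {"ap-house12", "ap-pool"}, "house07": {"ap-house07"}}
WEAK_SIGNAL_DBM = -78
QUIET_HOURS = (time(1, 0), time(6, 0))
TIERS = ["full", "full", "limited", "minimal", "minimal"]  # index = indications

@dataclass
class Session:
    mac: str
    user: str        # RADIUS EAP identity
    ap: str
    signal_dbm: int
    start: datetime

# Constructed sample sessions (e.g. parsed from RADIUS accounting records).
SESSIONS = [
    Session("02:00:00:00:00:01", "house12", "ap-house12", -55, datetime(2024, 7, 3, 20, 15)),
    Session("02:00:00:00:00:01", "house12", "ap-pool", -70, datetime(2024, 7, 4, 15, 0)),
    Session("02:00:00:00:00:02", "house07", "ap-gate", -84, datetime(2024, 7, 4, 2, 30)),
    Session("02:00:00:00:00:02", "house07", "ap-gate", -81, datetime(2024, 7, 5, 3, 10)),
    Session("02:00:00:00:00:03", "house07", "ap-house07", -80, datetime(2024, 7, 4, 21, 0)),
]

def indications(mac, sessions):
    """Return the set of abuse indications seen for one client device."""
    mine = [s for s in sessions if s.mac == mac]
    found = set()
    if not mine:
        return found
    if all(s.signal_dbm < WEAK_SIGNAL_DBM for s in mine):
        found.add("low-signal")          # never seen with a good signal
    if all(s.ap in OUTDOOR_APS for s in mine):
        found.add("outdoor-only")        # never associates to an indoor AP
    if any(s.ap not in USER_APS.get(s.user, set()) for s in mine):
        found.add("wrong-user-for-ap")   # identity used away from its house
    if any(QUIET_HOURS[0] <= s.start.time() < QUIET_HOURS[1] for s in mine):
        found.add("wrong-time")
    return found

def service_tier(mac, sessions):
    """Gradual reduction: one indication alone never costs a device service."""
    return TIERS[len(indications(mac, sessions))]
```

The third device has a weak signal but is on its own house AP, so it keeps full service; only the device that stacks several indications drops to the minimal tier.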