Planning the WLAN the Right Way
Look, if you want a secure Wi-Fi setup, you gotta start with proper planning. That means doing a full risk check. Figure out what matters—usually sensitive stuff like internal data—and make sure that stuff stays locked down. Remember, wireless doesn’t care about walls. RF goes wherever it wants. That makes it easier for outsiders to sniff around. So your plan better cover that reality.
Threats change all the time, so you can’t just write a policy once and forget it. You need a system that keeps checking for exposure and updates itself when new stuff shows up.
At the same time, get a real wireless security policy in place. Not some generic document nobody reads. It needs sign-off from the top. Spell out how access works, how certs get handed out and pulled, how devices join through MDM, and that 802.1X with EAP-TLS is the standard—period. No half-baked passwords or weak crypto. Use proper stuff only. And don’t forget to deal with compliance headaches like FIPS, HIPAA, PCI-DSS.
Also make sure you cover the small print: OCSP checks, how long passwords last (if you use them), what MFA looks like, how you deal with rogue APs, and what physical security controls are in place. Yes, that stuff matters too.
Now for the gear. You need a real PKI with a proper CA to issue and kill certs. None of that self-signed junk. A central RADIUS box should hook into LDAP or Active Directory and handle all the 802.1X backend stuff. MDM takes care of onboarding, pushing profiles, and managing certs automatically. And yeah, a WIPS needs to be running 24/7 to watch the airwaves and flag anything that doesn’t belong.
Users and devices should land in the right VLAN based on who they are and what cert they’ve got. Keep it lean—just one SSID to avoid clutter and airtime waste. Guest network? Not in this plan. Not needed. Not happening.
Designing the WLAN for Real Security
When you’re designing the wireless setup, don’t build on old junk. WEP, WPA, even WPA2—they’re done. They don’t hold up anymore. You build it as a proper RSN. That means WPA3-Enterprise from the ground up. It’s got real crypto, not just legacy patchwork. Cert-based auth only, using proper elliptic curve stuff like ECDH and ECDSA. No shortcuts.
Make the 802.1X EAP-TLS flow clear. It starts with both sides—client and network—checking each other’s certs. Then they derive the PMK. That’s followed by the four-way handshake. After that, if you're doing MFA (and you should), that happens inside the TLS tunnel. Clean, locked down, no leaks.
Every device gets dropped into the right VLAN, and that VLAN comes from RADIUS. So if the cert says “teacher,” the switch says “VLAN 20” or whatever. That way, groups and devices stay isolated. Each VLAN hits a firewall, and from there, more segmentation kicks in using VRFs or separate VLANs. Nobody talks to anyone else unless the firewall says it’s OK. No shortcuts, no flat networks.
The PKI system running all this better be solid. Full lifecycle or bust—issuing, renewing, revoking certs. You need OCSP up and running so you can check certs in real time. Certs get handed out through MDM. Devices show up already loaded with the root CA and their client cert. And yeah, OCSP must be enforced. If a cert is expired or revoked, the system needs to bounce that device instantly.
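To make the RADIUS-side decision concrete, here is an added Python example (not code from the article or from any RADIUS product) of what happens after EAP-TLS has verified a client certificate: issuer check, validity window, enforced OCSP status, and the three RFC 3580 tunnel attributes that tell the switch or controller which VLAN the client lands in. The certificate record, the trusted issuer name, the role-to-VLAN table (roles read from the certificate's OU field is an assumption about the issuing template) and the OCSP answers are all constructed so the script runs offline; a real deployment takes them from the presented certificate and the CA's OCSP responder.

```python
"""Added example, not the article's or any vendor's code: the authorization
decision a RADIUS server makes once EAP-TLS has verified the client certificate.
Certificate fields, the trusted issuer and the OCSP answers are constructed so it
runs offline; a real deployment takes them from the presented certificate and
the CA's OCSP responder."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RFC 3580 / RFC 2868 attribute values used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type (attribute 64): VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type (attribute 65): IEEE-802

# Assumed role -> VLAN policy; the role is read from the certificate's OU field
# (an assumption about the issuing template, not a standard).
ROLE_VLAN = {"teacher": 20, "student": 30, "staff-device": 40}

TRUSTED_ISSUER = "CN=Example School Issuing CA"          # constructed
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed OCSP answers keyed by serial: "good", "revoked" or absent (unknown).
OCSP_ANSWERS = {"1001": "good", "1002": "revoked", "1003": "good"}


@dataclass(frozen=True)
class ClientCert:
    serial: str
    common_name: str
    role: str
    issuer: str
    not_before: datetime
    not_after: datetime


def make_cert(serial, common_name, role, days_valid=365, issued_days_ago=30,
              issuer=TRUSTED_ISSUER) -> ClientCert:
    """Build a constructed certificate record relative to NOW."""
    start = NOW - timedelta(days=issued_days_ago)
    return ClientCert(serial, common_name, role, issuer, start,
                      start + timedelta(days=days_valid))


def ocsp_status(serial: str) -> str:
    # Anything the responder cannot vouch for is "unknown" and treated as bad.
    return OCSP_ANSWERS.get(serial, "unknown")


def authorize(cert: ClientCert, now: datetime = NOW) -> dict:
    """Return Access-Reject with a reason, or Access-Accept carrying the three
    tunnel attributes the switch/controller uses to place the client in a VLAN."""
    if cert.issuer != TRUSTED_ISSUER:
        return {"code": "Access-Reject", "reason": "untrusted issuer"}
    if not cert.not_before <= now <= cert.not_after:
        return {"code": "Access-Reject", "reason": "certificate outside validity period"}
    status = ocsp_status(cert.serial)
    if status != "good":
        # "revoked" and "unknown" are both rejected: OCSP is enforced, not advisory.
        return {"code": "Access-Reject", "reason": f"ocsp status {status}"}
    vlan = ROLE_VLAN.get(cert.role)
    if vlan is None:
        return {"code": "Access-Reject", "reason": f"no VLAN policy for role {cert.role!r}"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    for cert in (make_cert("1001", "t.smith", "teacher"),
                 make_cert("1002", "j.doe", "student"),                          # revoked
                 make_cert("1003", "lab-pc-07", "staff-device", days_valid=10),  # expired
                 make_cert("9999", "unknown-laptop", "teacher")):                # not in OCSP db
        print(cert.common_name, "->", authorize(cert))
```

The point of the `status != "good"` branch is the fail-closed behaviour the article asks for: an OCSP responder that is down, or a serial it has never heard of, bounces the device the same way a revocation does. The same four constructed certificates double as the validation-phase test later in the article (revoke some, expire some, see whether the system reacts).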
Rolling It Out: Implementation Phase
Now it’s time to put the thing on the ground, and you better stick to the plan. First, get your CA and OCSP responders up and running. Then set up the RADIUS server with the right AAA settings and plug it into Active Directory. Your WLAN profiles need to be ready too—EAP-TLS only, PMF switched on, and maybe 802.11r if your gear and clients support roaming that doesn’t suck.
Anything admin-related—like web UIs or command-line access—has to be locked to HTTPS, SSHv2, or SNMPv3. Nothing plain-text, nothing exposed.
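As an added example (not the article's code and not tied to any controller's export format), here is a small compliance check for the WLAN profile and management-plane settings just described: WPA3-Enterprise only, EAP-TLS as the sole EAP method, PMF required, and nothing but HTTPS, SSHv2 and SNMPv3 on the management side. The dictionary keys (`akm`, `eap_methods`, `pmf`, and the service-name flags) are constructed for this example; a weak profile and its hardened counterpart are included so the difference is visible.

```python
"""Added example, not the article's code: a policy check run against a WLAN
profile and the management-plane services of a controller or AP.  The key
names are constructed for this example; map your controller's export to them."""

ACCEPTED_AKM = {"WPA3-Enterprise", "WPA3-Enterprise-192"}
REQUIRED_EAP = {"EAP-TLS"}                   # EAP-TLS only, nothing else offered
ALLOWED_MGMT = {"https", "ssh2", "snmpv3"}   # every other management service stays off


def audit_wlan_profile(profile: dict) -> list:
    """Return a list of findings; an empty list means the profile meets policy."""
    findings = []
    akm = profile.get("akm")
    if akm not in ACCEPTED_AKM:
        findings.append(f"akm {akm!r} not allowed; use one of {sorted(ACCEPTED_AKM)}")
    eap = set(profile.get("eap_methods", []))
    if eap != REQUIRED_EAP:
        # Offering a weaker method beside EAP-TLS invites a downgrade on the client side.
        findings.append(f"eap_methods {sorted(eap)} must be exactly {sorted(REQUIRED_EAP)}")
    if profile.get("pmf") != "required":
        findings.append("pmf must be 'required'; optional/disabled leaves management frames unprotected")
    return findings


def audit_management(services: dict) -> list:
    """services maps service name -> enabled flag.  Any enabled service outside
    the allow-list (plain-text or legacy protocols) is a finding."""
    return [f"management service {name!r} is enabled; permitted: {sorted(ALLOWED_MGMT)}"
            for name, enabled in sorted(services.items())
            if enabled and name not in ALLOWED_MGMT]


# Constructed before/after settings.
WEAK_PROFILE = {"ssid": "School-Secure", "akm": "WPA2-Enterprise",
                "eap_methods": ["EAP-TLS", "PEAP-MSCHAPv2"], "pmf": "optional"}
HARDENED_PROFILE = {"ssid": "School-Secure", "akm": "WPA3-Enterprise",
                    "eap_methods": ["EAP-TLS"], "pmf": "required", "ft_11r": True}
WEAK_MGMT = {"http": True, "https": True, "telnet": True, "ssh2": True, "snmpv2c": True}
HARDENED_MGMT = {"http": False, "https": True, "telnet": False, "ssh2": True, "snmpv3": True}

if __name__ == "__main__":
    for label, profile, mgmt in (("weak", WEAK_PROFILE, WEAK_MGMT),
                                 ("hardened", HARDENED_PROFILE, HARDENED_MGMT)):
        print(label, audit_wlan_profile(profile) + audit_management(mgmt))
```

802.11r (`ft_11r`) is deliberately not a finding either way: the article treats it as optional, depending on what your gear and clients support.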
Client-side, devices get pushed through the MDM system. They get their profiles and certs that way. OCSP has to be enforced—if a cert’s bad, the device is out. Devices also need to be locked down using MDM rules. Certs should renew automatically, or get revoked if they’re compromised. MDM also sets up what network rules apply, uses container tech to separate stuff on the device, and logs everything that matters.
After the core is in place, drop in the WIPS sensors. Calibrate them so they know what’s real and what’s not. Mark your own APs and devices as trusted, and build up behavioral baselines. That way, if anything shady pops up, the system knows and flags it fast.
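To show what "mark your own APs as trusted and flag anything shady" looks like in logic, here is an added Python example (not the article's code and not any WIPS vendor's implementation) that classifies sensor observations against a baseline of authorized BSSIDs: an unknown radio advertising the corporate SSID is raised as high severity, an authorized BSSID seen with the wrong SSID or security is raised as high (misconfiguration or spoofing), and a neighbour on a foreign SSID is logged as informational so it does not page anyone. The baseline, the sensor names and the scan records are all constructed.

```python
"""Added example, not the article's or any WIPS vendor's code: rule-based
classification of access points reported by WIPS sensors against a baseline of
authorized BSSIDs.  Baseline and observations are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed baseline: BSSID -> (SSID it must advertise, security it must use).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("School-Secure", "WPA3-Enterprise"),
    "aa:bb:cc:00:00:02": ("School-Secure", "WPA3-Enterprise"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}


@dataclass(frozen=True)
class Observation:
    sensor: str
    bssid: str
    ssid: str
    channel: int
    security: str


def classify(obs: Observation) -> Optional[Tuple[str, str]]:
    """Return (severity, message), or None when the observation matches baseline."""
    baseline = AUTHORIZED.get(obs.bssid)
    if baseline is None:
        if obs.ssid in CORPORATE_SSIDS:
            # A radio we do not own is advertising our SSID: evil-twin pattern.
            return ("high", f"unknown BSSID {obs.bssid} advertising {obs.ssid!r} "
                            f"({obs.security}) on channel {obs.channel}")
        # Unknown AP on a foreign SSID: a neighbour, logged but not paged.
        return ("info", f"neighbour AP {obs.bssid} ssid {obs.ssid!r} on channel {obs.channel}")
    ssid, security = baseline
    if obs.ssid != ssid or obs.security != security:
        # Our BSSID with the wrong SSID or security: misconfiguration or BSSID spoofing.
        return ("high", f"authorized BSSID {obs.bssid} deviates from baseline: "
                        f"seen {obs.ssid!r}/{obs.security}, expected {ssid!r}/{security}")
    return None


def run_wips(observations) -> dict:
    """Aggregate per-sensor observations into de-duplicated alerts by severity."""
    alerts = {"high": [], "info": []}
    seen = set()
    for obs in observations:
        result = classify(obs)
        if result is None:
            continue
        severity, message = result
        # The same finding reported by several sensors becomes one alert.
        key = (severity, obs.bssid, obs.ssid, obs.security)
        if key in seen:
            continue
        seen.add(key)
        alerts[severity].append(message)
    return alerts


SCAN = [  # constructed sensor reports
    Observation("sensor-1", "aa:bb:cc:00:00:01", "School-Secure", 36, "WPA3-Enterprise"),
    Observation("sensor-2", "aa:bb:cc:00:00:02", "School-Secure", 44, "WPA3-Enterprise"),
    Observation("sensor-1", "de:ad:be:ef:00:01", "School-Secure", 6, "WPA2-PSK"),   # evil twin
    Observation("sensor-2", "de:ad:be:ef:00:01", "School-Secure", 6, "WPA2-PSK"),   # same twin, other sensor
    Observation("sensor-1", "11:22:33:44:55:66", "CoffeeShop", 1, "OPEN"),          # neighbour
    Observation("sensor-2", "aa:bb:cc:00:00:02", "School-Secure", 44, "WPA2-Enterprise"),  # downgraded config
]

if __name__ == "__main__":
    for severity, messages in run_wips(SCAN).items():
        for message in messages:
            print(severity.upper(), message)
```

Feeding the constructed `SCAN` through `run_wips` is the same exercise the validation phase later asks for: put a fake rogue AP in the mix and check that exactly one high-severity alert fires for it, not one per sensor, and that the neighbour does not.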
Validation Phase: Prove It Works
You don’t just build it and walk away. You test it—hard. Start with pen tests. Use something like Wireshark to dig into the EAP-TLS flow and make sure key handling is solid. Try breaking the PMK or PTK. If WPA3-Enterprise is set up right, it should hold up without flinching.
Next, hit the OCSP system. Revoke some certs, expire a few, and see if the system actually reacts. If devices with bad certs still connect, you’ve got a problem.
Run threat simulations through the WIPS. Toss some fake rogue APs or strange clients in the mix. Watch how the system responds. Review alerts, make sure they’re firing where they should and that the workflow makes sense.
Don’t forget roaming and VLANs. Walk around with a test device and check that roaming works smoothly and VLAN assignment still follows policy. This is where sloppy setups fail. Yours shouldn’t.
Documentation Phase: Write It Down or Regret It
If you don’t document it, it didn’t happen. You need clear, detailed docs for everything. Start with your security policies—real ones, not boilerplate. Then write config guides, WLAN access steps, MFA setup, cert handling, MDM rules, and how to deal with rogue devices when they show up.
Your network diagrams should actually show what’s deployed. VLAN layout, IP ranges, where the APs and WIPS sensors live, how certs move through the PKI—put it all in. Don’t leave gaps.
You also need incident response plans. When stuff goes sideways (and it will), everyone should know what to do. Change control logs? Mandatory. If you can’t track who touched what and when, you’re blind. Keep audit logs and threat reports on file to cover compliance. And don’t skip training—admins and users both need to know the basics so they don’t accidentally blow holes in the whole setup.
Wrapping It Up
If you follow this method step by step, you’ll end up with a wireless setup that’s tight on security, plays nice with compliance, and holds up under pressure. You’re not just winging it—you’re building with structure. When you combine PKI, MDM, 802.1X with EAP-TLS, and WIPS, you’ve got a full system that covers both the airspace and the gear talking in it.
Bonus? This whole playbook works on wired networks too. Same ideas: 802.1X, cert-based auth, NAC, central policy control. One strategy to lock down the whole shop, front to back.
If you’ve got the feeling now, like “Yeah, I totally get Wi-Fi!”, then uh... nope. That was just a bit of 802.1X, my friend. There’s a whole bookshelf waitin’ for you if you wanna be a real Wi-Fi geek. CWNA, CWDP, CWSP, CWAP, Wireless Security Architecture... yeah, it’s a ride. Buckle up.
Just a quick FYI:
This article’s got no tables or fancy graphics – on purpose. It’s built that way so screen readers and text-to-speech tools don’t freak out. Keepin’ it clean for the accessibility crew.
Heads up, Wi-Fi nerds:
This whole guide was put together using the CWNP books CWAP, CWAP and CWSP, and Jennifer Minella’s Wireless Security Architecture book. All the dive-in stuff about 802.1X, 802.11 weirdness, and packet wrangling comes straight outta those.