Chapter 3: Scenarios & Selection
Eight real-world deployment scenarios with technical specifications, key performance indicators, and selection guidance
Wireless security requirements vary significantly across deployment environments. Each scenario presents unique challenges in terms of device diversity, user behavior, regulatory requirements, physical environment, and threat landscape. This chapter presents eight representative deployment scenarios, each with a real-world site photograph, detailed description, and key technical performance indicators to guide system design and product selection decisions.
The corporate headquarters scenario represents the most common and complex enterprise Wi-Fi deployment. It encompasses managed staff devices (laptops, phones), contractor BYOD, meeting room AV systems, building IoT (HVAC, lighting, access control), and occasional guest users. The primary security challenge is enforcing strict role separation while maintaining seamless roaming across floors and meeting rooms. WPA3-Enterprise with EAP-TLS is mandatory for managed endpoints, with EAP-TTLS/PEAP fallback for legacy devices; because those fallback methods carry a password inside the TLS tunnel, their supplicants must be configured to validate the RADIUS server certificate, otherwise an evil twin AP can harvest credentials. Dynamic VLAN assignment, returned by the RADIUS server as tunnel attributes in the Access-Accept, ensures each device class lands in the appropriate network zone, with firewall-enforced east-west isolation between zones.
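The authorization decision behind that dynamic VLAN assignment, as an added example in Python (not code from the original page or from any vendor). The RADIUS server is assumed to call `radius_reply()` after EAP or MAC authentication completes and copy the returned attributes into the Access-Accept; the VLAN IDs, the issuer DN, the directory group name and the IoT MAC allowlist are hypothetical, while the Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID values follow RFC 3580.

```python
"""Dynamic VLAN decision for the corporate HQ WLAN (added example).

Zone names, VLAN IDs, the issuer DN, the directory group and the IoT MAC
list are hypothetical; the Tunnel-* attribute values follow RFC 3580.
"""
from dataclasses import dataclass
from typing import Optional

VLANS = {"corp": 100, "legacy": 110, "byod": 200, "iot": 300, "quarantine": 999}
CORP_CA_DN = "CN=Corp Issuing CA 01,O=Example Corp"   # only this PKI is trusted
LEGACY_GROUPS = {"wifi-legacy-devices"}               # accounts enrolled for PEAP/TTLS
IOT_MAC_ALLOWLIST = {"00:1a:2b:3c:4d:5e"}             # building IoT from the CMDB


@dataclass
class AuthContext:
    """What the RADIUS server knows about a session after authentication."""
    mac: str
    eap_method: Optional[str] = None      # "EAP-TLS", "PEAP", "EAP-TTLS"; None = MAC auth
    cert_issuer: Optional[str] = None     # issuer DN of the client certificate
    cert_ou: Optional[str] = None         # OU from the client certificate subject
    groups: frozenset = frozenset()       # directory groups of the authenticated user


def choose_zone(ctx: AuthContext) -> Optional[str]:
    """Map an authenticated session to a zone; None means Access-Reject."""
    if ctx.eap_method == "EAP-TLS":
        if ctx.cert_issuer != CORP_CA_DN:
            return None                   # certificate not from the corporate PKI
        # OU in the certificate decides between managed staff and contractor BYOD.
        return {"Managed": "corp", "Contractor": "byod"}.get(ctx.cert_ou)
    if ctx.eap_method in ("PEAP", "EAP-TTLS"):
        # Password-based fallback: only explicitly enrolled legacy accounts,
        # and never into the full corporate VLAN.
        return "legacy" if ctx.groups & LEGACY_GROUPS else None
    if ctx.eap_method is None:
        # No supplicant at all: known building IoT only; unknown MACs are
        # parked in a quarantine VLAN for discovery rather than rejected.
        return "iot" if ctx.mac.lower() in IOT_MAC_ALLOWLIST else "quarantine"
    return None


def radius_reply(ctx: AuthContext) -> Optional[dict]:
    """Access-Accept attributes for the session, or None for Access-Reject."""
    zone = choose_zone(ctx)
    if zone is None:
        return None
    reply = {
        "Tunnel-Type": 13,                        # VLAN
        "Tunnel-Medium-Type": 6,                  # IEEE-802
        "Tunnel-Private-Group-ID": str(VLANS[zone]),
    }
    if zone in ("legacy", "quarantine"):
        reply["Session-Timeout"] = 3600           # force hourly re-authentication
    return reply
```

The point of the rule ordering is that the authentication method, not just the user identity, determines the zone: a legacy account that happens to belong to a staff member still lands in the restricted VLAN, and an EAP-TLS certificate from any issuer other than the corporate PKI is rejected even if the supplicant presented a well-formed chain.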
R&D laboratories require the highest level of wireless security due to the presence of sensitive intellectual property, prototype devices, and specialized test equipment. Only managed devices holding a valid certificate from the enterprise PKI are permitted to connect (EAP-TLS only, with no password-based fallback). The lab operates on a dedicated VRF with strict egress filtering: only approved application destinations are reachable. Physical security is integrated with logical security: door access control events are correlated with Wi-Fi authentication events in the SIEM, so that a successful lab SSID authentication by a user who has not badged into the lab raises an alert. Dedicated RF sensors provide continuous WIPS monitoring to detect any unauthorized wireless activity within or near the lab perimeter.
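The badge-to-Wi-Fi correlation rule written out in Python, as an added example that is not part of the original page. The log formats, door names, SSID and user names are constructed for the example; a real SIEM would normalise vendor-specific events into this shape before the rule runs. The rule keeps a set of users currently badged into the lab and flags any lab-SSID Access-Accept for a user who is not in it, which also catches authentication after a badge-out and after a denied badge read.

```python
"""Badge-to-Wi-Fi correlation for the R&D lab (added example).

Log formats, door names, SSID and user names are constructed for the
example; they are not from any real site.
"""
import re
from datetime import datetime

BADGE_RE = re.compile(
    r"^(?P<ts>\S+) BADGE door=(?P<door>\S+) dir=(?P<dir>in|out) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$")
RADIUS_RE = re.compile(
    r"^(?P<ts>\S+) RADIUS ssid=(?P<ssid>\S+) user=(?P<user>\S+) "
    r"ap=(?P<ap>\S+) result=(?P<result>\S+)$")

LAB_DOORS = {"LAB-2-MAIN", "LAB-2-REAR"}   # readers on the lab perimeter
LAB_SSID = "RND-LAB"

# Constructed sample: one morning's badge and RADIUS events, interleaved.
SAMPLE_LOG = """\
2024-05-02T07:58:10Z BADGE door=LAB-2-MAIN dir=in user=asmith result=GRANTED
2024-05-02T08:01:12Z BADGE door=LAB-2-MAIN dir=in user=jdoe result=GRANTED
2024-05-02T08:03:40Z RADIUS ssid=RND-LAB user=jdoe ap=AP-LAB-2-01 result=ACCEPT
2024-05-02T08:05:02Z RADIUS ssid=RND-LAB user=bwong ap=AP-LAB-2-03 result=ACCEPT
2024-05-02T09:30:00Z RADIUS ssid=RND-LAB user=asmith ap=AP-LAB-2-02 result=ACCEPT
2024-05-02T11:45:51Z BADGE door=LAB-2-MAIN dir=out user=jdoe result=GRANTED
2024-05-02T11:47:05Z RADIUS ssid=RND-LAB user=jdoe ap=AP-LAB-2-01 result=ACCEPT
2024-05-02T12:10:00Z BADGE door=LAB-2-REAR dir=in user=cchen result=DENIED
2024-05-02T12:10:30Z RADIUS ssid=RND-LAB user=cchen ap=AP-LAB-2-04 result=ACCEPT
2024-05-02T12:30:00Z RADIUS ssid=CORP user=bwong ap=AP-HQ-3-07 result=ACCEPT
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(lines):
    """Return (timestamp, order, kind, fields) tuples sorted by time.

    Badge events sort ahead of RADIUS events in the same second so that a
    badge-in immediately followed by an authentication is not flagged.
    """
    events = []
    for line in lines:
        line = line.strip()
        m = BADGE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), 0, "badge", m.groupdict()))
            continue
        m = RADIUS_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), 1, "radius", m.groupdict()))
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def correlate(lines):
    """Alert on lab-SSID Access-Accepts for users who are not badged in."""
    inside = set()
    alerts = []
    for ts, _, kind, f in parse_events(lines):
        if kind == "badge":
            # Only successful reads at lab doors change presence state.
            if f["door"] in LAB_DOORS and f["result"] == "GRANTED":
                if f["dir"] == "in":
                    inside.add(f["user"])
                else:
                    inside.discard(f["user"])
        elif f["ssid"] == LAB_SSID and f["result"] == "ACCEPT" and f["user"] not in inside:
            alerts.append({
                "time": ts.isoformat(),
                "user": f["user"],
                "ap": f["ap"],
                "reason": "lab Wi-Fi authentication without a current lab badge-in",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields three alerts: bwong authenticates without any badge record, jdoe re-authenticates after badging out, and cchen authenticates thirty seconds after a denied badge read. A user who tailgates through the door also trips the rule, which is intended: the point is that a valid certificate on its own is not sufficient evidence that the holder is inside the lab.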
Logistics warehouses present unique RF challenges: long narrow aisles with metal shelving create multipath reflections, and the device population is dominated by handheld barcode scanners and IoT inventory sensors that may not support 802.1X. The design uses directional antennas mounted on aisle poles to maximize coverage depth while minimizing inter-aisle interference. Handheld scanners authenticate via PPSK with per-device keys, landing in the Handheld VLAN; a lost or compromised scanner then exposes only its own key, which can be revoked without re-keying the fleet. IoT sensors use DPPSK with ACL-based allowlists restricting communication to the inventory management server only. Forklift-mounted terminals require seamless roaming with 802.11r fast BSS transition to maintain WMS connectivity during movement.
Public lobbies and event spaces require high-density AP deployment to serve hundreds of concurrent guest devices, while maintaining strict isolation from the corporate network. The guest SSID uses a captive portal with sponsor approval or time-limited access codes; because a captive-portal SSID is usually open, Enhanced Open (OWE) should be enabled where client support allows so that guest traffic is at least encrypted over the air. All guest traffic is routed through a dedicated Guest VRF with internet-only access: no RFC 1918, link-local, or infrastructure management addresses are reachable, and guest-to-guest traffic is blocked. DNS filtering blocks malicious domains and inappropriate content. RF spectrum monitoring detects evil twin APs that may attempt to impersonate the official guest SSID. Security signage and user notifications educate visitors about safe Wi-Fi practices.
Healthcare environments combine clinical staff mobility with a large population of medical IoT devices (infusion pumps, patient monitors, portable imaging systems) that require reliable wireless connectivity for patient safety. HIPAA Security Rule requirements drive strict access controls, comprehensive audit logging, and encryption of electronic protected health information in transit. Medical IoT devices are isolated in a dedicated VLAN with strict ACLs permitting only communication with the clinical information system; many of these devices cannot run an 802.1X supplicant, so their isolation must not depend on the authentication method alone. Clinical staff authenticate via EAP-TLS with MDM-managed certificates. Network availability is critical: redundant APs and controllers ensure no single failure disrupts patient care operations.
University campuses present a unique combination of outdoor coverage requirements, high device diversity (student laptops, phones, research IoT), and federated authentication via eduroam. Outdoor APs must be weatherproof (IP67) and mounted on lamp posts or building walls to provide seamless coverage across open areas, pathways, and courtyards. eduroam uses 802.1X with EAP-TTLS/PAP or EAP-TLS, allowing students and staff from partner institutions to authenticate using their home institution credentials; the request is proxied over the RADIUS federation to the user's home institution, so the visited campus never sees the password, and clients must be provisioned (for example with the eduroam CAT installer) to validate the home RADIUS server certificate. Research IoT devices on outdoor testbeds use dedicated SSIDs with strict ACLs. The campus security office monitors the RF spectrum for rogue APs and unauthorized hotspots.
Manufacturing environments require ruggedized wireless infrastructure capable of operating in high-temperature, high-vibration, and electromagnetically noisy environments. The critical security challenge is maintaining strict separation between the OT (Operational Technology) network (PLCs, SCADA systems, robotic controllers) and the IT network. Industrial APs with IP67/NEMA 4X enclosures are mounted on poles and ceiling brackets. OT devices communicate on a dedicated SSID with strict ACLs permitting only SCADA protocol traffic (for example Modbus/TCP, DNP3, EtherNet/IP) between approved endpoints; these protocols generally carry no authentication of their own, so the ACL and the firewall are the only controls on who can issue commands to a controller. An industrial firewall enforces the OT/IT boundary. Any wireless intrusion into the OT zone triggers immediate alerts and automated containment to prevent production disruption or safety incidents.
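The boundary policy for the two restricted zones in this chapter, the Guest VRF of the public lobby scenario and the OT/IT boundary described here, expressed as one Python evaluator. This is an added example, not code from the original page or from any firewall vendor; the zone address ranges, the guest resolver address and the approved HMI/historian hosts are hypothetical, while the port-to-protocol mapping and the non-routable address blocks are standard. The same function can be run over exported flow records to find traffic a misconfigured ACL is letting through.

```python
"""Zone boundary policy for the Guest VRF and the OT/IT boundary (added example).

Zone ranges, the guest resolver and the approved OT master hosts are
hypothetical; the port mapping and non-routable blocks are standard.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Address space that must never be reachable from the Guest VRF: RFC 1918,
# RFC 6598 shared space (CGNAT), link-local and loopback.
NON_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",
)]

# Hypothetical site addressing.
ZONES = {
    "GUEST": ipaddress.ip_network("10.90.0.0/16"),
    "OT":    ipaddress.ip_network("10.50.0.0/16"),
    "IT":    ipaddress.ip_network("10.10.0.0/16"),
}
GUEST_RESOLVER = "10.90.0.53"               # filtering DNS resolver inside the Guest VRF
OT_MASTERS = {"10.10.5.10", "10.10.5.11"}   # HMI and historian on the IT side

# Only these (proto, port) pairs may cross into the OT zone.
SCADA_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 4840): "OPC UA",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in NON_INTERNET):
        return "PRIVATE"      # non-routable space that is not one of our zones
    return "INTERNET"


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (permitted, reason) for a new connection. Default is deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    key = (flow.proto, flow.dport)

    if src_zone == "GUEST":
        if (flow.dst, key) == (GUEST_RESOLVER, ("udp", 53)):
            return True, "guest DNS to the filtering resolver"
        if dst_zone == "INTERNET":
            return True, "guest internet-only egress"
        # Covers RFC 1918, CGNAT, link-local, other guests and every internal zone.
        return False, f"guest to {dst_zone} denied"

    if dst_zone == "OT":
        if key not in SCADA_PORTS:
            return False, f"non-SCADA {flow.proto}/{flow.dport} into OT denied"
        if src_zone == "OT" or (src_zone == "IT" and flow.src in OT_MASTERS):
            return True, f"{SCADA_PORTS[key]} from approved {src_zone} host"
        return False, f"{SCADA_PORTS[key]} from unapproved host {flow.src} denied"

    if src_zone == "OT":
        # PLCs and controllers never initiate connections out of the OT zone.
        return False, "OT-initiated egress denied"

    if src_zone == "IT" and dst_zone in ("IT", "INTERNET"):
        return True, "IT traffic outside the scope of the boundary policy"

    return False, "no matching rule (default deny)"


def denied(flows) -> list:
    """Audit helper: the flows a boundary log should show as dropped."""
    return [f for f in flows if not evaluate(f)[0]]
```

Two properties are worth checking against a real ruleset: the guest branch denies by destination zone rather than by a list of internal prefixes, so a newly added internal range is covered without a rule change, and the OT branch requires both an approved protocol and an approved source, so an IT laptop speaking Modbus to a PLC is dropped even though the port is on the allowlist.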
Hotels must provide high-quality guest Wi-Fi while ensuring complete isolation between guest rooms, preventing one guest from accessing another's devices or traffic. Per-room client isolation is enforced at the AP level using proxy ARP and client-to-client blocking. The guest SSID uses a captive portal with room number and last-name authentication linked to the property management system; this identifies the room for billing rather than proving identity, so it must not be the only control separating guests. Each guest room is mapped to its own VLAN (or a private-VLAN isolated port) so that isolation holds beyond the AP, while the guest network as a whole is placed in a dedicated Guest VRF with no route to hotel back-office systems. Hotel staff use a separate SSID with 802.1X authentication for operational systems. The network management console provides real-time visibility into AP health, client counts, and security events across all floors.
3.1 Scenario Selection Matrix
The following matrix summarizes the key security design choices across all eight scenarios, enabling rapid comparison and selection guidance for new deployments.
| Scenario | Primary Auth | Network Zones | Key Security Feature | Compliance | AP Type |
|---|---|---|---|---|---|
| A. Corporate HQ | EAP-TLS + EAP-TTLS | Corp / BYOD / IoT / Guest | Dynamic VLAN + WIDS | ISO 27001 | Indoor ceiling |
| B. R&D Lab | EAP-TLS only | Lab VRF (strict) | Allowlist egress + WIPS | IP/Trade Secret | Tamper-resistant |
| C. Warehouse | PPSK/DPPSK | IoT + Handheld | Directional AP + ACL | Operational | Directional/IP67 |
| D. Public Lobby | Captive Portal | Guest VRF only | DNS filter + RF monitor | GDPR | High-density |
| E. Healthcare | EAP-TLS + MDM | Clinical / Medical IoT | HIPAA logging + HA | HIPAA | Medical-grade |
| F. University | eduroam 802.1X | Student / Staff / IoT | Federated auth + outdoor | FERPA | Outdoor IP67 |
| G. Manufacturing | PPSK + 802.1X | OT / IT separated | OT/IT firewall + SCADA ACL | IEC 62443 | Industrial NEMA4X |
| H. Hotel | Captive Portal + PMS | Guest VRF per-room | Client isolation + PCI | PCI-DSS | Decorative ceiling |