Chapter 5: Selection & Interfaces
Core product introduction, interface logic, wiring specifications, and product feature comparison tables
5.1 Core Product Introduction
The wireless security system is built around six core product categories. Each category addresses a specific functional layer of the security architecture, and products must be selected to meet the performance, security, and environmental requirements of the target deployment. The following product overview presents the key specifications and selection criteria for each category.
| Product | Key Specifications | Security Features | Selection Criteria | Typical Use |
|---|---|---|---|---|
| Wi-Fi 6E Indoor AP | Tri-band 6/5/2.4GHz; 4×4 MU-MIMO; 802.11ax; PoE++ (802.3bt); up to 9.6Gbps aggregate | WPA3-Enterprise; PMF mandatory; OWE; 802.11w; WIPS capable; TLS management | Client density, coverage area, ceiling height, PoE budget, roaming requirements | Office floors, meeting rooms, classrooms, retail |
| Wi-Fi 6E Outdoor AP | IP67; -40°C to 65°C; 802.3bt PoE; directional or omni antenna options; surge protection | WPA3-Enterprise; tamper detection; secure boot; encrypted management | Environmental rating, antenna pattern, mounting options, temperature range | Campus outdoor, parking, stadiums, industrial yards |
| WLAN Controller | Up to 300 APs; Active-Standby HA; CAPWAP over TLS; REST API; multi-site support | RBAC admin; MFA; audit logging; signed firmware; WIPS orchestration | AP count, HA requirement, cloud vs. on-prem, API integration needs | Central management for all AP deployments |
| RADIUS/AAA Server | EAP-TLS/TTLS/PEAP; LDAP/AD integration; CRL/OCSP; accounting; cluster support | Certificate validation; revocation checking; accounting logs; policy engine | Authentication volume, EAP method support, IdP integration, HA model | 802.1X authentication for all wireless and wired access |
| PoE+ Access Switch | 24/48 ports; 802.3at (30W) / 802.3bt (60W) per port; 2×10G SFP+ uplinks; 802.1X | Port security; DHCP snooping; dynamic ARP inspection; 802.1X enforcement | Port count, PoE budget per port, uplink speed, stacking requirement | AP power and uplink at access layer |
| RF Sensor / WIPS Probe | Dedicated monitoring mode; 2.4/5/6GHz scanning; PoE powered; passive/active modes | Rogue AP detection; evil twin identification; deauth flood detection; spectrum analysis | Coverage area per sensor, detection latency requirement, integration with controller | Sensitive areas, perimeter monitoring, high-security zones |
5.2 Interface Logic and Wiring Specifications
Understanding the physical and logical interfaces of each component is essential for correct installation and troubleshooting. The interface logic diagram below shows all physical ports, their logical functions, and the protocols and port numbers used for each connection. This diagram serves as the primary reference for cable labeling, firewall rule creation, and network documentation.
| Connection | Source Port | Destination Port | Protocol / Port | Direction | Notes |
|---|---|---|---|---|---|
| AP → Controller | AP Eth0 | Controller Data Port | CAPWAP UDP 5246/5247 over TLS | AP initiates | Control and data tunnel; encrypted |
| AP → RADIUS | AP (via Controller) | RADIUS UDP 1812 | RADIUS UDP 1812/1813 | Relayed by Controller | EAP relay; accounting on 1813 |
| Controller → SIEM | Controller Mgmt Port | SIEM Collector | Syslog UDP 514 / TCP 6514 | Controller → SIEM | All WLAN events; NTP synchronized |
| Controller → NTP | Controller Mgmt Port | NTP Server | NTP UDP 123 | Controller → NTP | Time sync critical for log correlation |
| RADIUS → LDAP/AD | RADIUS Eth0 | AD Domain Controller | LDAP TCP 389 / LDAPS TCP 636 | RADIUS → AD | User/group lookup for authorization |
| RADIUS → OCSP | RADIUS Eth0 | PKI OCSP Responder | HTTP TCP 80 / HTTPS TCP 443 | RADIUS → PKI | Certificate revocation check |
| NMS → All Devices | NMS Server | All network devices | SNMP UDP 161 / SSH TCP 22 | NMS → Devices | Monitoring and configuration management |
| PoE Switch → AP | Switch RJ45 Port | AP Eth0 | 802.3at/bt PoE + Data | Switch → AP | Cat6A max 100m; label with AP ID |
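
As an added example (not part of the original guide), the Python below turns the Protocol / Port column of the table above into allow-rule bodies for a default-drop nftables chain, and leaves out a plaintext port wherever the same row also lists a TLS-protected one. The addresses are constructed documentation ranges, and the zone names and the `TLS_ALTERNATIVE` map are assumptions of this example.

```python
import re

# Constructed addresses (RFC 5737 documentation ranges); replace with the site's own.
ADDR = {"ap": "198.51.100.0/24", "controller": "192.0.2.10", "radius": "192.0.2.20",
        "siem": "192.0.2.30", "ntp": "192.0.2.40", "ad": "192.0.2.50",
        "ocsp": "192.0.2.60", "nms": "192.0.2.70", "devices": "203.0.113.0/24"}

# (source, destination, "Protocol / Port" cell) taken from the 5.2 table. The
# AP -> RADIUS row is relayed by the controller, so its source is the controller.
FLOWS = [
    ("ap", "controller", "CAPWAP UDP 5246/5247 over TLS"),
    ("controller", "radius", "RADIUS UDP 1812/1813"),
    ("controller", "siem", "Syslog UDP 514 / TCP 6514"),
    ("controller", "ntp", "NTP UDP 123"),
    ("radius", "ad", "LDAP TCP 389 / LDAPS TCP 636"),
    ("radius", "ocsp", "HTTP TCP 80 / HTTPS TCP 443"),
    ("nms", "devices", "SNMP UDP 161 / SSH TCP 22"),
    ("switch", "ap", "802.3at/bt PoE + Data"),  # physical link, yields no rule
]

# Plaintext port -> TLS-protected alternative offered in the same table cell.
TLS_ALTERNATIVE = {("udp", 514): ("tcp", 6514), ("tcp", 389): ("tcp", 636),
                   ("tcp", 80): ("tcp", 443)}

def parse_cell(cell):
    """Return [(proto, port), ...] for every 'UDP n' / 'TCP n/m' group in a cell."""
    out = []
    for proto, ports in re.findall(r"\b(UDP|TCP) (\d+(?:/\d+)*)", cell):
        out += [(proto.lower(), int(p)) for p in ports.split("/")]
    return out

def build_rules(flows, encrypted_only=True):
    """Return (nftables rule bodies, plaintext flows left out for review)."""
    rules, skipped = [], []
    for src, dst, cell in flows:
        pairs = parse_cell(cell)
        for proto, port in pairs:
            # Skip a plaintext port only when its TLS alternative is in the same row.
            if encrypted_only and TLS_ALTERNATIVE.get((proto, port)) in pairs:
                skipped.append((src, dst, proto, port))
                continue
            rules.append(f"ip saddr {ADDR[src]} ip daddr {ADDR[dst]} "
                         f"{proto} dport {port} accept")
    return rules, skipped

if __name__ == "__main__":
    rules, skipped = build_rules(FLOWS)
    print("\n".join(rules))
    print("left out for review:", skipped)
```

Review the skipped list before enforcing: restricting the OCSP row to 443, for instance, only works if the responder actually serves HTTPS.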
5.3 Core Product Feature Comparison
The following feature comparison table provides a structured reference for evaluating products across the six core categories. Features are rated as Mandatory (M), Recommended (R), or Optional (O) based on their importance to the security baseline defined in this guide. Products that do not meet Mandatory requirements should not be deployed in the primary security zones.
| Feature | Indoor AP | Outdoor AP | Controller | RADIUS | PoE Switch | RF Sensor |
|---|---|---|---|---|---|---|
| WPA3-Enterprise | M | M | M | — | — | — |
| 802.11ax (Wi-Fi 6/6E) | M | R | M | — | — | — |
| EAP-TLS Support | M | M | M | M | — | — |
| Dynamic VLAN (RADIUS) | M | M | M | M | M | — |
| WIPS Detection | R | R | M | — | — | M |
| 802.11r Fast Roaming | M | R | M | — | — | — |
| 802.11k/v RRM | M | R | M | — | — | — |
| PMF (802.11w) | M | M | M | — | — | — |
| Secure Boot | M | M | M | M | R | R |
| Signed Firmware | M | M | M | M | M | M |
| MFA Admin Access | — | — | M | M | R | — |
| REST API | R | R | M | R | R | R |
| PoE 802.3bt (60W) | M | M | — | — | M | — |
| IP67 Weatherproof | — | M | — | — | — | O |
| OCSP/CRL Support | — | — | R | M | — | — |