Introduction
Security has always been one of my top priorities when it comes to deploying and maintaining wireless networks. In fact, security does not stop at the network layer—it involves all participants in the chain, from access point to client, server, and application. When performing a WLAN audit, standardized checklists help ensure thorough coverage of security, design, performance, and monitoring. These domains are cross-functional, meaning that a single security decision can influence design choices and vice versa. This case study outlines how I improved both security and performance for a new healthcare customer by consolidating SSIDs and implementing role-based access control.
Problem
During a WLAN audit for a new customer in the healthcare sector, I identified several areas for improvement. Physical AP placement was generally sound across the campus, which was reassuring. However, upon reviewing the configuration, I discovered that there were eight active SSIDs—and in some locations, even ten. Most of these SSIDs were secured using WPA2-Personal (PSK), and the keys had not been updated in over three years. Each SSID corresponded to a different device classification: one for corporate tablets, one for ECG devices, one for staff BYOD, one for multimedia, and others for various telemetry devices. The absence of a formal security policy, outdated PSKs, and excessive SSID broadcasting indicated a need for significant changes.
Solution
Drawing from my experience and CWSP studies, I considered two primary solutions. The first was to implement a Private Pre-Shared Key (PPSK) SSID, which allows multiple PSKs on a single SSID, each mapped to a specific role. This approach would have enabled easy consolidation of multiple WPA2-Personal SSIDs. Unfortunately, the customer’s WLAN controller did not support PPSK functionality. The second option was to use RADIUS authentication to enable Role-Based Access Control (RBAC) and dynamic VLAN assignments. Fortunately, the customer already had a WPA2-Enterprise SSID configured and linked to a RADIUS server.
I began by creating distinct roles on the WLAN controller, each with specific VLAN, QoS, and ACL settings tailored to the supported device types. Initially, I created one profile per existing SSID, with the flexibility to expand roles for further segmentation and QoS optimization. Next, I configured access rules on the RADIUS server and NAC appliance. These rules matched multiple conditions—such as authentication method (EAP-PEAP, EAP-TLS, MAC), device type, RADIUS attributes like memberOf, operating system, location, and time—to determine the appropriate role and send a RADIUS Access-Accept message with the role attribute to the WLAN controller.
Where possible, I preferred EAP authentication methods like EAP-TLS and EAP-PEAP. I verified whether each client type supported certificates or username/password authentication. For BYOD devices such as doctors’ laptops, which were unmanaged by IT, I provided separate credentials for WLAN access, distinct from those used for medical applications. Multimedia devices, including speakers and TVs, fortunately supported certificate installation, allowing for EAP-TLS deployment. EAP-TLS is ideal because it validates both client and server, and unlike passwords, certificates cannot be easily shared or intercepted.
However, not all devices supported EAP methods, necessitating the use of MAC authentication. While MAC authentication is not inherently secure, it was the only viable alternative to implement RBAC for certain devices. By leveraging NAC capabilities, I added conditions such as device type, location, and time to mitigate the risk of MAC spoofing. Additionally, I configured a strong, complex PSK that was difficult to memorize, further reducing the likelihood of compromise.
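The rule evaluation described in the two paragraphs above (conditions on authentication method, device type, group membership, location and time, resolved to a role that is returned to the controller as RADIUS attributes) can be modelled as a small first-match policy engine. The code below is an added example written for this page, not the customer's RADIUS or NAC configuration; the field names, role names, VLAN numbers, locations and the 06:00 to 22:00 window are constructed, and `Filter-Id` is used as the role attribute where a real controller may expect a vendor-specific attribute instead. It also shows why the extra conditions matter for MAC authentication: a client presenting an ECG monitor's MAC address but profiled as a laptop matches no rule and is rejected.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Constructed model of an access request as the RADIUS/NAC policy engine sees it.
# Field names are this example's own, not a particular vendor's attribute dictionary.
@dataclass(frozen=True)
class AccessRequest:
    auth_method: str                       # "EAP-TLS", "EAP-PEAP" or "MAC"
    device_type: str                       # as profiled by the NAC (OUI, DHCP/HTTP fingerprint)
    member_of: frozenset = frozenset()     # directory groups of the user; empty for MAC auth
    location: str = ""                     # AP group / site the request arrived through
    now: time = time(12, 0)                # local time of day of the request

@dataclass(frozen=True)
class Rule:
    name: str
    role: str
    auth_methods: frozenset
    device_types: frozenset = frozenset()  # empty set means "any"
    groups: frozenset = frozenset()        # membership of any listed group is enough
    locations: frozenset = frozenset()
    window: Optional[Tuple[time, time]] = None  # (start, end) of day, end exclusive

    def in_window(self, now: time) -> bool:
        if self.window is None:
            return True
        start, end = self.window
        if start <= end:
            return start <= now < end
        return now >= start or now < end   # window wraps past midnight

    def matches(self, req: AccessRequest) -> bool:
        return (req.auth_method in self.auth_methods
                and (not self.device_types or req.device_type in self.device_types)
                and (not self.groups or bool(self.groups & req.member_of))
                and (not self.locations or req.location in self.locations)
                and self.in_window(req.now))

def vlan_role(name: str, vlan: int) -> dict:
    """RADIUS attributes for one role: the RFC 3580 dynamic-VLAN triple plus
    Filter-Id carrying the role name. Some controllers expect a vendor-specific
    attribute for the role instead; the VLAN numbers are constructed."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan), "Filter-Id": name}

ROLES = {
    "corp-devices":      vlan_role("corp-devices", 110),
    "staff-byod":        vlan_role("staff-byod", 120),
    "medical-telemetry": vlan_role("medical-telemetry", 130),
    "multimedia":        vlan_role("multimedia", 140),
    "telemetry":         vlan_role("telemetry", 150),
}

# First match wins. MAC authentication is only accepted together with device type,
# location and (for one constructed device class) time-of-day constraints that a
# spoofed MAC address alone does not satisfy.
RULES = [
    Rule("corporate tablets", "corp-devices", frozenset({"EAP-TLS"}), frozenset({"corporate-tablet"})),
    Rule("staff BYOD", "staff-byod", frozenset({"EAP-PEAP"}), groups=frozenset({"WLAN-Staff"})),
    Rule("TVs and speakers", "multimedia", frozenset({"EAP-TLS"}), frozenset({"tv", "speaker"})),
    Rule("ECG monitors", "medical-telemetry", frozenset({"MAC"}), frozenset({"ecg-monitor"}),
         locations=frozenset({"ward-a", "ward-b", "icu"})),
    Rule("telemetry gateways", "telemetry", frozenset({"MAC"}), frozenset({"telemetry-gateway"}),
         locations=frozenset({"ward-a", "ward-b"}), window=(time(6, 0), time(22, 0))),
]

def authorize(req: AccessRequest, rules=RULES):
    """Return (RADIUS response code, role, attributes) for the request."""
    for rule in rules:
        if rule.matches(req):
            return "Access-Accept", rule.role, dict(ROLES[rule.role])
    return "Access-Reject", None, {}

if __name__ == "__main__":
    # A laptop presenting an ECG monitor's MAC address is profiled as a laptop,
    # so it does not match the ECG rule and the spoofed address earns nothing.
    for req in (AccessRequest("MAC", "ecg-monitor", location="icu"),
                AccessRequest("MAC", "linux-laptop", location="icu")):
        print(req.device_type, "->", authorize(req)[:2])
```

Ordering the rules from strongest authentication method to weakest, and giving the MAC-authenticated rules no "any" wildcards, keeps the least trustworthy path the most constrained one.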
Ultimately, I reduced the number of SSIDs from ten to four. My general rule is to use one SSID per authentication type—802.1X, PSK, or open/OWE—with an exception for voice SSIDs, which may require separate QoS and roaming configurations. The final SSID configuration included:
- An 802.1X-enabled SSID for corporate devices and staff BYOD, each assigned distinct roles.
- A WPA2-Personal SSID with MAC authentication for corporate-owned devices lacking EAP support.
- A WPA2-Personal SSID for VoIP devices, which did not support 802.1X.
- An open SSID with captive portal for guest traffic.
Reducing the number of SSIDs improved airtime utilization. Each SSID is its own BSS and transmits a beacon frame every 102.4 ms at the minimum basic rate (MBR), so every SSID costs roughly ten beacons per second per radio (1000 / 102.4 ≈ 9.8). Consolidation removed approximately 60 beacon frames per second at the lowest mandatory data rate. Additionally, raising the MBR from 1 Mbps to 12 Mbps improved airtime efficiency by 10%, while the SSID reduction contributed another 6%. Together these configuration changes yielded a 16% improvement in airtime utilization.
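The beacon arithmetic behind that paragraph can be worked through directly: beacons per second follow from the 102.4 ms interval and the SSID count, and the airtime of each beacon is the PHY preamble plus the frame body at the MBR. The code below is an added example written for this page, not a measurement from the customer's network; the 300-byte beacon length and the preamble overheads (192 µs for the long DSSS preamble at 1 Mbps, 20 µs for OFDM rates) are assumed values, so the resulting percentages illustrate the mechanism rather than reproduce the 10% and 6% figures above.

```python
BEACON_INTERVAL_MS = 102.4   # 100 TU, the default beacon interval
US_PER_S = 1_000_000

# Assumed PHY overhead (preamble + PLCP header) per frame, in microseconds, for
# the PHY that carries the given mandatory rate: long-preamble DSSS for 1 and
# 2 Mbps, short-preamble HR/DSSS for 5.5 and 11 Mbps, OFDM for 6 Mbps and up.
PHY_OVERHEAD_US = {1: 192, 2: 192, 5.5: 96, 11: 96, 6: 20, 12: 20, 24: 20}

def beacons_per_second(num_ssids: int, num_radios: int = 1) -> float:
    """Beacons on the air per second: every SSID is a BSS with its own beacon."""
    return num_ssids * num_radios * 1000 / BEACON_INTERVAL_MS

def beacon_airtime_us(beacon_bytes: int, mbr_mbps: float) -> float:
    """Airtime of one beacon: PHY overhead plus the frame body sent at the MBR."""
    return PHY_OVERHEAD_US[mbr_mbps] + beacon_bytes * 8 / mbr_mbps

def beacon_airtime_fraction(num_ssids: int, mbr_mbps: float, beacon_bytes: int = 300) -> float:
    """Share of one radio's airtime consumed purely by its own beacons (0.0 to 1.0)."""
    per_second_us = beacons_per_second(num_ssids) * beacon_airtime_us(beacon_bytes, mbr_mbps)
    return per_second_us / US_PER_S

def airtime_saved(before_ssids: int, before_mbr: float,
                  after_ssids: int, after_mbr: float, beacon_bytes: int = 300) -> float:
    """Airtime fraction freed by going from one SSID/MBR combination to another."""
    return (beacon_airtime_fraction(before_ssids, before_mbr, beacon_bytes)
            - beacon_airtime_fraction(after_ssids, after_mbr, beacon_bytes))

if __name__ == "__main__":
    # Walk the case study's change: 10 SSIDs at 1 Mbps down to 4 SSIDs at 12 Mbps.
    for ssids, mbr in ((10, 1), (4, 1), (10, 12), (4, 12)):
        print(f"{ssids:2d} SSIDs @ {mbr:>2} Mbps: "
              f"{beacons_per_second(ssids):6.1f} beacons/s, "
              f"{beacon_airtime_fraction(ssids, mbr):6.2%} of airtime")
    print(f"beacons removed per radio: "
          f"{beacons_per_second(10) - beacons_per_second(4):.1f}/s")
```

Two things the numbers make visible: the SSID count and the MBR multiply rather than add, so cutting SSIDs while leaving the MBR at 1 Mbps recovers far less than doing both; and the fraction is per radio, so on a channel shared by several co-channel APs the beacon burden each client hears is correspondingly larger.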
Conclusion
This case demonstrates how consolidating SSIDs and implementing role-based access control can significantly enhance WLAN security and performance. By reducing SSID clutter, updating authentication methods, and leveraging RADIUS and NAC capabilities, I was able to create a more secure and efficient wireless environment tailored to the needs of a healthcare organization. These improvements not only strengthened the network’s security posture but also optimized its operational performance.