Planning Your Deployment

Before configuring access points and creating captive portals, take a few minutes to plan your IronWifi deployment. Good planning upfront prevents rework later — especially in multi-site or high-availability environments.

Choose Your Region

When you create a Network in IronWifi, you select a region for your RADIUS servers. Choose the region closest to your access points to minimize authentication latency.

IronWifi operates RADIUS servers in multiple regions, including North America, Europe, and Asia-Pacific. Authentication requests travel from your access point to IronWifi's RADIUS servers and back, so geographic proximity directly affects response time.

After creating a Network, the console displays the specific RADIUS server IP addresses, ports, and shared secret for your deployment. You will need these details when configuring your access points.

tip

If your access points are distributed across multiple regions, create a separate Network for each region. This ensures each site authenticates against the nearest RADIUS servers.

Redundancy and Failover

Always configure both primary and backup RADIUS servers on every access point. IronWifi provides two server IP addresses per Network specifically for this purpose.

How RADIUS failover works

Your access point sends an authentication request to the primary RADIUS server
If the primary server does not respond within the configured timeout, the access point retries
After a defined number of failed attempts, the access point switches to the backup RADIUS server
Once the primary server recovers, the access point returns to using it (behavior varies by vendor)

Best practices for redundancy

Configure both servers on every AP — Never rely on a single RADIUS server in production
Set appropriate timeouts — Most vendors default to 3-5 seconds; adjust based on your network latency
Test failover — Temporarily block the primary server IP in your firewall and verify that authentication still works via the backup
Enable RADIUS caching — If your access points support it, enable local credential caching so previously authenticated users can reconnect even during a complete RADIUS outage

For advanced failover strategies, see RADIUS Caching & Failover.

Network Architecture

IronWifi's flexible architecture supports deployments from a single office to global multi-tenant managed services.

Single site

The simplest deployment: one physical location with one Network in IronWifi.

┌──────────────┐      ┌─────────────────┐
│  Access Points│ ───▶ │  IronWifi Cloud  │
│  (1 location) │      │  (1 Network)     │
└──────────────┘      └─────────────────┘

Create one Network
Configure all access points at the site with the same RADIUS server details
Use one or more SSIDs (e.g., corporate + guest) pointing to the same Network

Multi-site

Multiple physical locations, each potentially in a different region.

┌─ Site A ─────┐      ┌─────────────────┐
│  Access Points│ ───▶ │  Network A (EU)  │
└──────────────┘      └─────────────────┘

┌─ Site B ─────┐      ┌─────────────────┐
│  Access Points│ ───▶ │  Network B (US)  │
└──────────────┘      └─────────────────┘

Create one Network per site (or per region)
Use Venues to organize locations and track access points per site
Users and groups are shared across Networks, so an employee can roam between sites with the same credentials

Multi-tenant (Managed Service Providers)

If you manage WiFi for multiple clients, use Venues and organizational features to separate tenants.

Create separate Networks or use shared Networks with Venues to isolate client data
Assign Team Members with scoped permissions per client
Use Fleet Management for mobile or vehicle-based deployments
Apply different policies per tenant using Groups

Capacity Planning

IronWifi's cloud infrastructure scales automatically, but planning your user capacity helps you configure the right policies and group settings.

Key considerations

Factor	What to plan
Concurrent users	Estimate peak simultaneous connections per site
Authentication rate	High-density venues (stadiums, conferences) may see bursts of hundreds of auth requests per minute
Session duration	Configure session timeouts in Groups to reclaim resources from idle users
Bandwidth allocation	Use Group attributes to set per-user or per-group bandwidth limits
User sources	Decide whether users are local, synced from an IdP (SCIM, connectors), or self-registered

Bandwidth policies

Use Groups to enforce bandwidth limits by user type:

Group	Download	Upload	Session Timeout
Employees	50 Mbps	20 Mbps	12 hours
Guests	5 Mbps	2 Mbps	1 hour
IoT Devices	1 Mbps	512 Kbps	Unlimited

These are example values. Adjust based on your available bandwidth and user expectations.

Security Considerations

RADIUS shared secrets

Use a strong, unique shared secret for each Network (minimum 16 characters, mix of letters, numbers, and symbols)
The shared secret is used to encrypt RADIUS communication between your access points and IronWifi
Never reuse RADIUS shared secrets across different Networks or vendors
Rotate secrets periodically and update all access points when you do

Certificate-based authentication

For the highest security, deploy EAP-TLS with client certificates instead of username/password authentication:

Eliminates credential theft risk (no passwords transmitted)
Requires an MDM solution (Intune, Jamf, Google Admin, Workspace ONE) for certificate distribution
See Client Configuration for platform-specific setup

VLAN segmentation

Use RADIUS-assigned VLANs to isolate different user populations at the network level:

Assign employees to a trusted VLAN with full network access
Place guests on an isolated VLAN with internet-only access
Put IoT devices on a restricted VLAN with no access to corporate resources
Configure VLAN assignments through RADIUS Attributes on user or group settings

Pre-Configuration Checklist

Before you begin configuring IronWifi, verify that you have the following:

Administrative access to your access points or wireless controller
Access point vendor identified — Check our supported devices list
Internet connectivity confirmed for access points to reach IronWifi servers
Authentication method chosen — See Choosing Your Authentication Method
User source decided — Local accounts, identity provider sync (SCIM, connectors), or self-registration
Groups and policies planned — Bandwidth limits, session timeouts, VLAN assignments
Network regions selected — One Network per site or region
Redundancy plan — Both primary and backup RADIUS servers will be configured on all APs
SSID names decided — Separate SSIDs for different authentication methods (e.g., corporate vs. guest)

Next Steps

Quick Start Guide — Set up your first network in 15 minutes
Configuration Guides — Vendor-specific access point setup instructions
Networks — Create your first Network and get RADIUS server details

Choosing Your Authentication Method — Compare captive portal, WPA2-Enterprise, Passpoint, and MAC authentication
RADIUS Caching & Failover — Advanced failover and caching strategies
Venues — Organize multi-location deployments
Groups & Policies — Configure bandwidth, session, and VLAN policies
RADIUS Attributes — Fine-tune per-user and per-group access settings

Choose Your Region​

Redundancy and Failover​

How RADIUS failover works​

Best practices for redundancy​

Network Architecture​

Single site​

Multi-site​

Multi-tenant (Managed Service Providers)​

Capacity Planning​

Key considerations​

Bandwidth policies​

Security Considerations​

RADIUS shared secrets​

Certificate-based authentication​

VLAN segmentation​

Pre-Configuration Checklist​

Next Steps​

Related Topics​