
Network Segmentation

Network segmentation isolates different types of traffic on your WiFi network. Use IronWiFi's RADIUS attributes to dynamically assign VLANs, enforce bandwidth limits, and separate guests from employees and IoT devices -- all controlled centrally through the IronWiFi Console.

Why Segment Your Network

Benefit       | Description
Security      | Compromised devices on one segment cannot reach resources on another
Performance   | Guest traffic does not compete with business-critical traffic
Compliance    | PCI DSS, HIPAA, and similar standards require network isolation
Manageability | Apply different policies (bandwidth, access) to different user types

How RADIUS-Based Segmentation Works

IronWiFi dynamically assigns VLANs and applies policies based on who authenticates, not which SSID they connect to.

The access point receives the VLAN assignment in the RADIUS response and places the user on the appropriate VLAN. This happens transparently -- the user connects to a single SSID, and the network automatically segments them based on their identity.

VLAN Assignment

Required RADIUS attributes

To assign a VLAN, add these three reply attributes to a Group:

Attribute               | Value            | Description
Tunnel-Type             | VLAN             | Tells the AP to use VLAN tagging
Tunnel-Medium-Type      | IEEE-802         | Specifies the 802 media type
Tunnel-Private-Group-ID | VLAN ID (number) | The VLAN to assign the user to

All three attributes are required. The access point ignores the VLAN assignment if any of them is missing.

Setting up VLAN assignment in IronWiFi

  1. Navigate to Users > Groups in the IronWiFi Console
  2. Create or edit a Group
  3. Add the three VLAN reply attributes with the desired VLAN ID
  4. Add users to the Group
  5. Users in this Group will be placed on the specified VLAN upon authentication

Prerequisites on your network infrastructure

For VLAN assignment to work, your network must be configured to support it:

  • Access points must support dynamic VLAN assignment (most enterprise APs do)
  • Switches connecting to access points must have the VLANs configured as trunk ports
  • DHCP must be available on each VLAN (either a DHCP server per VLAN or a DHCP relay)
  • Routing between VLANs should be controlled by a firewall or router with appropriate ACLs

Warning: If the VLAN specified in the RADIUS response does not exist on the switch, the user's traffic may be dropped or they may fall back to a default VLAN. Always create the VLAN on your switches before assigning it via RADIUS.

Segmentation Design

Typical segmentation architecture

Segment    | VLAN | Purpose                    | Bandwidth | Access
Corporate  | 100  | Employee workstations      | 100 Mbps  | Full internal + internet
Guest      | 200  | Visitors, contractors      | 10 Mbps   | Internet only
IoT        | 300  | Sensors, cameras, printers | 5 Mbps    | Limited (cloud services only)
Management | 400  | Access points, switches    | N/A       | Network management only
BYOD       | 500  | Personal devices           | 25 Mbps   | Internet + limited internal

IronWiFi Group configuration for each segment

Corporate Employees

Guest Access

IoT Devices

BYOD (Personal Devices)

Guest Isolation

Guest users should be isolated from internal resources. This involves both VLAN assignment and firewall rules.

Step 1: Assign guests to a dedicated VLAN

Create a "Guest" Group in IronWiFi with VLAN 200 (as shown above). Captive portal authentications can be configured to place users in this Group automatically.

Step 2: Configure firewall rules

On your firewall or router, restrict traffic from the guest VLAN:

Step 3: Client isolation on access points

Enable client isolation (also called AP isolation or station isolation) on your access points for the guest SSID. This prevents guests from communicating with each other directly, even on the same VLAN.

Most enterprise access points support this setting:

  • Meraki: Wireless > Access Control > Client isolation
  • UniFi: Settings > WiFi > Guest Policies > Enable client isolation
  • Aruba: SSID Profile > Client isolation
  • MikroTik: Wireless > Default Forward (disable)

IoT Segregation

IoT devices (cameras, sensors, printers, smart displays) often run outdated firmware and present security risks. Segregate them on a dedicated VLAN with restricted access.

MAC-based authentication for IoT

Most IoT devices do not support 802.1X. Use MAC authentication (also called MAC auth or MAB) instead:

  1. In the IronWiFi Console, create users with the device's MAC address as the username
  2. Set the password to match the MAC address (the format depends on your AP vendor; common formats are aabbccddeeff, AA-BB-CC-DD-EE-FF, and AA:BB:CC:DD:EE:FF)
  3. Add these users to the "IoT" Group with VLAN 300

Firewall rules for IoT VLAN

Tip: Keep an inventory of IoT device MAC addresses and their purpose. This makes it easy to track which devices are authorized and to remove old devices from IronWiFi when they are decommissioned.
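The MAC-auth steps and the inventory tip above, worked as an added example (not IronWiFi's own tooling): it normalises a MAC given in any of the three listed formats, produces the username/password pair for the "IoT" Group, and reconciles a device inventory against the usernames present in IronWiFi so decommissioned devices can be removed. The style names `plain`, `dash` and `colon` and the sample inventory are constructed for this example.

```python
import re

# Group the IoT users are added to (step 3 above): name and VLAN from this page.
IOT_GROUP = {"name": "IoT", "vlan": 300}

def canonical_mac(raw):
    """Reduce any of the three listed formats to 12 lowercase hex digits; raise otherwise."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def format_mac(mac, style):
    """Render the MAC the way the AP vendor sends it; the style names are assumed labels."""
    d = canonical_mac(mac)
    if style == "plain":                     # aabbccddeeff
        return d
    pairs = [d[i:i + 2].upper() for i in range(0, 12, 2)]
    if style == "dash":                      # AA-BB-CC-DD-EE-FF
        return "-".join(pairs)
    if style == "colon":                     # AA:BB:CC:DD:EE:FF
        return ":".join(pairs)
    raise ValueError(f"unknown style {style!r}")

def iot_user_entry(mac, purpose, style="plain"):
    """Username and password both equal the MAC (steps 1-2), plus the inventory purpose."""
    ident = format_mac(mac, style)
    return {"username": ident, "password": ident, "group": IOT_GROUP["name"],
            "vlan": IOT_GROUP["vlan"], "purpose": purpose}

def reconcile(inventory, ironwifi_usernames):
    """Compare the inventory with the usernames present in IronWiFi.
    'stale': MAC users with no inventory record (decommission candidates);
    'missing': inventoried devices with no IronWiFi user yet.
    Usernames that are not MAC addresses (ordinary people) are ignored."""
    known = {canonical_mac(d["mac"]) for d in inventory}
    present = set()
    for name in ironwifi_usernames:
        try:
            present.add(canonical_mac(name))
        except ValueError:
            continue
    return {"stale": sorted(present - known), "missing": sorted(known - present)}

# Constructed sample inventory and IronWiFi user list
INVENTORY = [{"mac": "AA:BB:CC:DD:EE:FF", "purpose": "lobby camera"},
             {"mac": "11-22-33-44-55-66", "purpose": "meeting-room display"}]
USERS_IN_IRONWIFI = ["aabbccddeeff", "DE:AD:BE:EF:00:01", "alice"]
```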

Bandwidth Allocation

Control bandwidth per segment using RADIUS attributes on IronWiFi Groups.

Bandwidth attributes

Attribute                | Direction | Unit            | Example
WISPr-Bandwidth-Max-Down | Download  | bits per second | 10000000 = 10 Mbps
WISPr-Bandwidth-Max-Up   | Upload    | bits per second | 5000000 = 5 Mbps
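The Group configuration for each segment and the bandwidth attributes above, as one added example (not IronWiFi's API; the dict layout is ours): it builds the reply attribute set for each segment from the page's tables, converts Mbps limits to the bits-per-second values WISPr expects, and reports why an access point would ignore a VLAN assignment (a missing Tunnel attribute or an out-of-range VLAN ID). Upload limits come from the planning table further down; Management (VLAN 400) is left out because it carries infrastructure, not authenticated users.

```python
# Per-segment plan taken from the segmentation and planning tables on this page.
SEGMENTS = {
    "Corporate": {"vlan": 100, "down_mbps": 100, "up_mbps": 50},
    "Guest":     {"vlan": 200, "down_mbps": 10,  "up_mbps": 5},
    "IoT":       {"vlan": 300, "down_mbps": 5,   "up_mbps": 2},
    "BYOD":      {"vlan": 500, "down_mbps": 25,  "up_mbps": 10},
}

TUNNEL_REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")

def mbps_to_bps(mbps):
    """WISPr attributes are in bits per second: 10 Mbps -> 10000000."""
    return int(mbps * 1_000_000)

def group_reply_attributes(vlan_id, down_mbps=None, up_mbps=None):
    """Return the reply attributes to put on one IronWiFi Group."""
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} is outside the valid range 1-4094")
    attrs = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan_id),   # carried as a string attribute
    }
    if down_mbps is not None:
        attrs["WISPr-Bandwidth-Max-Down"] = mbps_to_bps(down_mbps)
    if up_mbps is not None:
        attrs["WISPr-Bandwidth-Max-Up"] = mbps_to_bps(up_mbps)
    return attrs

def vlan_assignment_problems(attrs):
    """Reasons an AP would ignore the VLAN assignment in this reply (empty list = OK)."""
    problems = [f"missing {name}" for name in TUNNEL_REQUIRED if name not in attrs]
    if not problems:
        gid = str(attrs["Tunnel-Private-Group-ID"])
        if not gid.isdigit() or not 1 <= int(gid) <= 4094:
            problems.append(f"Tunnel-Private-Group-ID {gid!r} is not a VLAN ID")
        if attrs["Tunnel-Type"] != "VLAN" or attrs["Tunnel-Medium-Type"] != "IEEE-802":
            problems.append("Tunnel-Type/Tunnel-Medium-Type must be VLAN/IEEE-802")
    return problems

def build_all_groups(segments=SEGMENTS):
    """Reply attribute set for every segment, keyed by Group name."""
    return {name: group_reply_attributes(s["vlan"], s["down_mbps"], s["up_mbps"])
            for name, s in segments.items()}
```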

Planning bandwidth allocation

When planning bandwidth allocation across segments, consider your total available bandwidth:

Segment              | Users | Per-User Bandwidth         | Peak Aggregate
Corporate (50 users) | 50    | 100 Mbps down / 50 Mbps up | ~500 Mbps
Guest (30 users)     | 30    | 10 Mbps down / 5 Mbps up   | ~100 Mbps
IoT (20 devices)     | 20    | 5 Mbps down / 2 Mbps up    | ~30 Mbps
BYOD (20 devices)    | 20    | 25 Mbps down / 10 Mbps up  | ~150 Mbps

Note: Per-user bandwidth limits are enforced by the access point or controller, not by IronWiFi directly. Most enterprise APs support WISPr bandwidth attributes. Check your AP documentation to confirm support.

Single-SSID vs. Multi-SSID Design

Single SSID with dynamic VLAN assignment

All users connect to one SSID. IronWiFi assigns the appropriate VLAN based on the user's group.

Advantages:

  • Simpler for users (one network name to remember)
  • Reduced RF overhead (each SSID adds management frame overhead)
  • Centralized policy control through IronWiFi Groups

Disadvantages:

  • Requires 802.1X or captive portal for all devices
  • IoT devices may not support 802.1X (use MAC auth fallback)

Multiple SSIDs with different policies

Create separate SSIDs for each user type (e.g., CorpWiFi, GuestWiFi, IoT-Devices).

Advantages:

  • Clear separation visible to users
  • Different security types per SSID (WPA2-Enterprise vs. Open with captive portal)
  • Easier troubleshooting

Disadvantages:

  • More RF overhead
  • More configuration to manage
  • Users may connect to the wrong SSID

Tip: For most deployments, a hybrid approach works best: use a WPA2-Enterprise SSID for corporate users (with dynamic VLAN assignment via IronWiFi) and a separate open SSID with a captive portal for guests. IoT devices connect to the enterprise SSID via MAC authentication and are assigned to the IoT VLAN dynamically.

Testing Segmentation

Verify VLAN assignment

  1. Connect a test user from each Group to the WiFi network
  2. Check the assigned IP address -- it should be in the correct VLAN's subnet
  3. Verify in IronWiFi Reports > Authentication that the Tunnel-Private-Group-ID attribute is present in the reply

Verify isolation

  1. From a guest device, try to ping a corporate device -- should fail
  2. From a guest device, try to access the internet -- should succeed
  3. From an IoT device, try to reach an internal server -- should fail
  4. From a corporate device, try to reach all authorized resources -- should succeed

Verify bandwidth limits

  1. Connect as a guest user
  2. Run a speed test (e.g., speedtest.net)
  3. Verify the download and upload speeds match the configured limits (within ~10% variance)
