Skarp

Chapter 10 of 27

Wireless LAN Principles and Secure Access

Cut the cord and see how 802.11 wireless networks integrate with your wired campus, including SSIDs, basic RF concepts, and secure client access.

27 min read

Wireless LAN Building Blocks: APs, Controllers, and SSIDs

The WLAN Big Picture

In a campus, Wi‑Fi is just another access technology. The key components are Access Points (APs), Wireless LAN Controllers (WLCs), and SSIDs that users see as network names.

Access Points (APs)

APs speak 802.11 over the air and Ethernet on the wire. They are usually PoE‑powered, and in campus designs they are lightweight APs managed by a central controller.

Wireless LAN Controllers (WLCs)

A WLC centrally manages many APs. It pushes SSID, security, and RF configuration to them and typically handles client authentication (for example, acting as the RADIUS client for 802.1X). Each lightweight AP keeps a CAPWAP control tunnel to the WLC; in centrally switched designs client data is tunneled to the WLC as well, and the WLC places it into the correct VLAN.

SSIDs as Logical WLANs

An SSID is the network name like `Campus-Secure`. Each SSID carries its own security, VLAN, and policy set. One AP can broadcast multiple SSIDs at the same time.

Putting It Together

You configure SSIDs and policies on the WLC. APs broadcast them to clients. Switches just see AP uplinks; wireless users appear as hosts in VLANs on the wired network.

Basic RF Concepts: Frequencies, Channels, and Coverage

Why RF Matters

Wi‑Fi uses RF signals instead of cables. To design or troubleshoot WLANs, you must understand bands, channels, and how coverage cells overlap across a building.

2.4 GHz Band

2.4 GHz has few non‑overlapping channels (1, 6, 11 in North America). It reaches farther and penetrates walls better, but it is crowded and prone to interference.

5 GHz and 6 GHz Bands

5 GHz offers many more channels and usually less interference, ideal for dense deployments. 6 GHz (Wi‑Fi 6E) adds even more clean spectrum but needs newer APs and clients.

Channels and Width

A channel is a slice of spectrum. An AP radio and every client associated to it operate on that radio's channel, so they all compete for the same airtime. Wider channels (40 or 80 MHz instead of 20 MHz) raise per-client throughput but consume more spectrum, leaving fewer non‑overlapping channels to reuse and raising the risk of interference.

Coverage Cells

Each AP radio creates a coverage cell. Cells should slightly overlap for roaming, but neighboring cells should use different non‑overlapping channels to limit interference.

Interference, Co-channel Contention, and Roaming

RF Is Shared

On Wi‑Fi, many devices share one channel and must take turns. Unlike full‑duplex Ethernet, RF is a shared medium, so interference and contention strongly affect throughput.

Co-channel Contention

When APs in overlapping cells use the same channel, they and their clients can hear each other and politely take turns under CSMA/CA. Frames are not usually corrupted, but throughput drops because every station on that channel shares the same airtime.

Adjacent-channel Interference

Using partially overlapping channels, like 1 and 2 in 2.4 GHz, is worse than sharing one channel: stations on channel 2 cannot decode channel‑1 preambles, so CSMA/CA cannot defer to them, while the overlapping energy still corrupts frames. The result is real collisions, retransmissions, and degraded performance in both cells.
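The three ideas above (the 1/6/11 plan, channel width, co‑channel contention versus adjacent‑channel interference) can be checked numerically. The following is an added example, not code from this chapter or from any vendor tool; AP names, channels, and the neighbor pairs are constructed for illustration. It models each channel as a flat block of spectrum, derives a non‑overlapping plan for a given channel width, and classifies every pair of APs whose cells overlap.

```python
def center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel: 2407 + 5*n MHz for channels 1-13; channel 14 sits at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlap_mhz(ch_a: int, ch_b: int, width: int = 20) -> int:
    """Spectrum two channels share, in MHz, modelling each as a flat block of `width` MHz.
    20 MHz is the OFDM (802.11g/n/ax) channel; legacy 802.11b DSSS occupies 22 MHz."""
    return max(0, width - abs(center_mhz(ch_a) - center_mhz(ch_b)))


def non_overlapping_plan(channels=range(1, 14), width: int = 20) -> list:
    """Greedy lowest-first selection of channels that share no spectrum with one another."""
    plan = []
    for ch in channels:
        if all(overlap_mhz(ch, used, width) == 0 for used in plan):
            plan.append(ch)
    return plan


def classify_neighbors(ap_channels: dict, neighbor_pairs: list, width: int = 20) -> list:
    """For every pair of APs whose coverage cells overlap, name the RF relationship between them."""
    report = []
    for a, b in neighbor_pairs:
        ch_a, ch_b = ap_channels[a], ap_channels[b]
        shared = overlap_mhz(ch_a, ch_b, width)
        if ch_a == ch_b:
            kind = "co-channel contention: same channel, airtime shared via CSMA/CA"
        elif shared > 0:
            kind = f"adjacent-channel interference: {shared} MHz shared, expect collisions and retries"
        else:
            kind = "clean: non-overlapping channels"
        report.append((a, b, kind))
    return report


# Constructed floor plan (hypothetical AP names and channels); pairs list which cells overlap.
AP_CHANNELS = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 1, "AP5": 3}
NEIGHBOR_PAIRS = [("AP1", "AP2"), ("AP2", "AP3"), ("AP1", "AP4"), ("AP2", "AP5")]

if __name__ == "__main__":
    print("DSSS 22 MHz plan:", non_overlapping_plan(width=22))   # [1, 6, 11]
    print("OFDM 20 MHz plan:", non_overlapping_plan(width=20))   # [1, 5, 9, 13]
    for a, b, kind in classify_neighbors(AP_CHANNELS, NEIGHBOR_PAIRS):
        print(f"{a} <-> {b}: {kind}")
```

The flat‑block model is deliberately simple: real spectral masks leak beyond ±10 MHz, which is why 1/6/11 remains the conservative plan even for OFDM in regulatory domains with 11 channels, while 1/5/9/13 is only usable where 13 channels are allowed. AP4 on the same channel as its neighbor AP1 shows contention; AP5 on channel 3 next to AP2 on channel 6 shows the worse case, true interference.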

Non-Wi‑Fi Interference

Microwaves, Bluetooth, and other devices add RF noise, lowering SNR. This leads to lower data rates and more retries, especially in the 2.4 GHz band.

Roaming Basics

Clients decide when to roam, usually when signal strength drops below a threshold and a neighbor AP looks better. Neighbor APs must offer the same SSID with the same security settings, and ideally place the client in the same VLAN and subnet, so the client keeps its IP address and sessions survive the move across the campus.

Wireless Security Standards: WPA2-PSK, WPA2-Enterprise, WPA3

The Key Security Standards

You must know this exact list: WPA2-PSK, WPA2-Enterprise, WPA3. Older WEP and WPA/TKIP are insecure and largely deprecated in modern WLANs.

WPA2-PSK

WPA2‑PSK (Personal) uses a single shared passphrase for all users. It is simple to deploy but hard to manage securely: the passphrase and SSID determine the same pairwise master key for every device, so one leaked key compromises the whole WLAN, and rotating it means touching every client. An attacker who captures any client's 4‑way handshake can guess the passphrase offline at leisure, and anyone who already holds the passphrase and captures a handshake can derive that client's session key and decrypt its traffic.
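To make the "one shared key" weakness concrete, here is an added example (not code from this chapter or any vendor) that walks the real WPA2‑PSK key schedule: PBKDF2 turns passphrase and SSID into the PMK, the 802.11 PRF expands it into the PTK, and the first 16 bytes (the KCK) authenticate the handshake. The SSID `Campus-Guest`, the passphrase, the MAC addresses, nonces, and the EAPOL message body are all constructed stand‑ins; the only real‑world value is the IEEE test vector used to check the PMK derivation.

```python
import hashlib
import hmac
from typing import Optional


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA2-Personal: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every station on the SSID derives this same key from the same passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated then truncated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    Its first 16 bytes are the KCK that authenticates the 4-way handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """EAPOL-Key MIC for AKM 00-0F-AC:2 (WPA2-PSK): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def guess_passphrase(capture: dict, wordlist) -> Optional[str]:
    """The offline attack: re-derive PMK -> PTK -> MIC per candidate and compare with the captured MIC.
    Nothing is sent to the AP, so nothing rate-limits the attacker."""
    for candidate in wordlist:
        pmk = wpa2_psk_pmk(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


# IEEE 802.11i-2004 Annex H.4 test vector for the passphrase-to-PSK mapping.
IEEE_VECTOR = ("password", "IEEE", "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Constructed sample handshake: hypothetical SSID, passphrase, MACs, nonces and EAPOL body (not real capture data).
_REAL_PASSPHRASE = "Guest2024!"
_AA = bytes.fromhex("001122aabbcc")            # AP BSSID
_SPA = bytes.fromhex("66778899ccdd")           # client MAC
_ANONCE, _SNONCE = bytes(range(32)), bytes(range(32, 64))
_EAPOL_M2 = bytes.fromhex("0103005f02010a00") + bytes(88)   # stand-in for message 2 with its MIC field zeroed
_KCK = derive_ptk(wpa2_psk_pmk(_REAL_PASSPHRASE, "Campus-Guest"), _AA, _SPA, _ANONCE, _SNONCE)[:16]
SAMPLE_CAPTURE = {"ssid": "Campus-Guest", "aa": _AA, "spa": _SPA, "anonce": _ANONCE,
                  "snonce": _SNONCE, "eapol": _EAPOL_M2, "mic": eapol_mic(_KCK, _EAPOL_M2)}
SAMPLE_WORDLIST = ["password", "campus123", "Guest2024!", "letmein"]

if __name__ == "__main__":
    assert wpa2_psk_pmk(IEEE_VECTOR[0], IEEE_VECTOR[1]).hex() == IEEE_VECTOR[2]
    print("recovered passphrase:", guess_passphrase(SAMPLE_CAPTURE, SAMPLE_WORDLIST))
```

Two things follow from the code. The 4096 PBKDF2 iterations are the only brake on guessing, so a guest passphrase drawn from a small dictionary falls quickly. And because `derive_ptk` needs only the PMK plus values sent in clear in the handshake, anyone holding the passphrase can compute any other client's PTK from a captured handshake. WPA2‑Enterprise avoids both by giving each session its own PMK from EAP; WPA3‑Personal's SAE derives the PMK from a password‑authenticated key exchange, so a captured exchange gives no offline oracle.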

WPA2-Enterprise

WPA2‑Enterprise uses 802.1X with a RADIUS server. Each user has individual credentials (a password via PEAP/MSCHAPv2, or a certificate via EAP‑TLS), enabling per‑user logging, revocation, and dynamic policies like VLAN assignment carried in the RADIUS Access‑Accept. One practical caveat: clients must be configured to validate the RADIUS server's certificate, or a rogue AP fronting its own RADIUS server can harvest their credentials.
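Dynamic VLAN assignment is carried by three RFC 2868 attributes in the Access‑Accept, which the WLC must verify against the shared secret before acting on. The block below is an added example, not this chapter's or any vendor's code, and the shared secret, Request Authenticator, identifier, and VLAN number are constructed values. It builds the Access‑Accept as a RADIUS server would, then parses it as a WLC would, rejecting a packet whose VLAN was altered in flight.

```python
import hashlib
import hmac
import struct
from typing import Optional

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868 attributes
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE 802"
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _tagged_int(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: a 1-byte tag followed by a 3-byte big-endian value."""
    return _attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, vlan_id: int, tag: int = 1) -> bytes:
    """Server side: the VLAN tunnel triple, authenticated with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) from RFC 2865 section 3."""
    attrs = (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def _parse_attrs(raw: bytes) -> list:
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return attrs


def vlan_from_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """WLC side: accept a VLAN only from an authentic Access-Accept whose Tunnel-Type is VLAN,
    Tunnel-Medium-Type is IEEE 802, and Tunnel-Private-Group-ID (same tag) is a valid VLAN number."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None   # forged, tampered, or wrong shared secret: must be dropped
    by_tag: dict = {}
    for atype, value in _parse_attrs(attrs_raw):
        if atype in TUNNEL_ATTRS and value:
            tagged = value[0] <= 0x1F          # RFC 2868: a leading byte <= 0x1F is a tag
            tag, body = (value[0], value[1:]) if tagged else (0, value)
            by_tag.setdefault(tag, {})[atype] = body
    for fields in by_tag.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in fields):
            group = fields[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


# Constructed example values: hypothetical shared secret and Request Authenticator.
SHARED_SECRET = b"example-radius-secret"
REQUEST_AUTH = bytes(range(16))
ACCEPT_VLAN20 = build_access_accept(0x2A, REQUEST_AUTH, SHARED_SECRET, 20)
TAMPERED = ACCEPT_VLAN20[:-2] + b"30"   # in-flight edit of the Group-ID "20" -> "30"

if __name__ == "__main__":
    print("assigned VLAN:", vlan_from_access_accept(ACCEPT_VLAN20, REQUEST_AUTH, SHARED_SECRET))   # 20
    print("tampered packet:", vlan_from_access_accept(TAMPERED, REQUEST_AUTH, SHARED_SECRET))      # None
```

The Response Authenticator is the only thing standing between an on‑path attacker and a VLAN of their choosing, and it is an MD5 keyed by the shared secret. That is why the WLC‑to‑RADIUS secret must be long and random, and why RADIUS traffic should stay on a management VLAN or run over TLS (RadSec) rather than cross user‑reachable segments.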

WPA3 Overview

WPA3 is the latest standard. WPA3‑Personal replaces the PSK handshake with SAE (Simultaneous Authentication of Equals), a password‑authenticated key exchange that resists offline dictionary attacks and provides forward secrecy; WPA3‑Enterprise keeps 802.1X and adds an optional 192‑bit mode for high‑security environments. All WPA3 modes require Protected Management Frames (PMF), which blocks spoofed deauthentication attacks.

Exam Comparison

On exams, match scenarios: home or guest = WPA2‑PSK; campus secure user access = WPA2‑Enterprise; modern high‑security or new deployments increasingly favor WPA3.

From SSID to VLAN: How WLANs Integrate with the Wired Network

VLANs Meet Wi‑Fi

Wireless clients must join existing VLANs so they can use the same subnets and policies as wired hosts. Each SSID typically maps to a single VLAN on the wired network.

SSID-to-VLAN Mapping

Example: `Campus-Secure` → VLAN 10, `Faculty-Secure` → VLAN 20, `Guest-WiFi` → VLAN 30. The WLC holds this mapping and tells APs how to treat each SSID.

Why Mapping Matters

The VLAN determines the client’s IP subnet, DHCP scope, ACLs, and reachable resources. SSIDs are just entry points into wired broadcast domains and their policies.

Central vs Local Switching

In centralized designs, client traffic is tunneled inside CAPWAP to the WLC, which then places it into the VLAN. In local switching (for example, FlexConnect), the AP tags traffic into VLANs directly on its own switch port. The CCNA exam focuses on the concept rather than the configuration.

Mental Picture

Think: SSID → VLAN → subnet → routing and ACLs. When a user joins `Guest-WiFi`, the network treats them as any other host in the Guest VLAN.

802.1Q Tagging and Trunks for Wireless Traffic

802.1Q Refresher

An 802.1Q trunk carries multiple VLANs by tagging frames with VLAN IDs. Trunks connect switches and also connect switches to APs or WLCs in WLAN designs.

AP Uplinks

Whether the AP's switch port is a trunk depends on where client traffic enters the wired network. If the AP switches locally (an autonomous AP, or a lightweight AP in FlexConnect local switching) and serves SSIDs mapped to VLANs 10, 20, and 30, its port is a trunk allowing those VLANs and the AP itself applies the 802.1Q tag. A centrally switched lightweight AP instead sits on an access port in the AP management VLAN: all client traffic travels inside the CAPWAP tunnel, and the WLC applies the VLAN tag when it hands the traffic to its own trunk.

WLC Connections

The WLC connects via a trunk too. Each WLC interface maps to a VLAN, and the trunk carries all these VLANs back into the campus core or distribution switches.

Troubleshooting Angle

If clients on an SSID cannot reach the network, verify that the VLAN exists, is allowed on trunks to the AP and WLC, and that the correct default gateway is reachable.

Key Takeaway

Once traffic reaches the wired side, at the AP for local switching or at the WLC for central switching, Wi‑Fi is just Ethernet plus 802.1Q tags. Your trunking and VLAN knowledge directly applies to wireless integration.

Worked Example: Designing a Simple Campus WLAN

Scenario Overview

A university building needs Wi‑Fi for students, faculty, and guests. Each group maps to an existing VLAN and must get different security and access policies.

SSIDs and Security Choices

`Campus-Student` and `Campus-Faculty` use WPA2-Enterprise with 802.1X. `Campus-Guest` uses WPA2-PSK with a shared passphrase for simple guest access.

SSID-to-VLAN Mapping

`Campus-Student` → VLAN 10, `Campus-Faculty` → VLAN 20, `Campus-Guest` → VLAN 30. These mappings are configured on the WLC using separate interfaces.

Trunking the Traffic

The WLC uplink is an 802.1Q trunk allowing VLANs 10, 20, and 30 (plus the WLC's management VLAN) so all WLAN traffic can traverse the wired campus. Because the SSIDs are mapped to WLC interfaces, client traffic is centrally switched: the AP ports are access ports in the AP management VLAN and carry only CAPWAP, so they do not need VLANs 10, 20, and 30 allowed. Only if the APs switched traffic locally would their uplinks need to be trunks for those VLANs.

Routing and Policies

SVIs on a Layer 3 switch provide default gateways per VLAN. ACLs on these SVIs or a firewall enforce that guests reach only the internet, while others reach internal services.

Thought Exercise: Diagnose a Broken SSID

Use this scenario to practice troubleshooting WLAN–VLAN integration using the concepts you have learned.

Scenario

You are called to troubleshoot the `Guest-WiFi` SSID in a campus building. Symptoms:

  • Clients can see and connect to `Guest-WiFi` using WPA2-PSK.
  • They receive IP addresses in the 10.30.30.0/24 range from DHCP.
  • They cannot reach the internet, but `Campus-Secure` users on VLAN 10 can.

Network facts:

  • `Guest-WiFi` SSID is mapped to VLAN 30 on the WLC.
  • The WLC uplink to the distribution switch is an 802.1Q trunk.
  • The firewall provides internet access and has rules allowing VLAN 30 to the internet.

Your task

Mentally walk through these questions and answer them for yourself before checking the explanation:

  1. On the access switch ports to the APs, what mode and VLAN settings should you verify?
  2. On the distribution switch, what should you check about VLAN 30 and the trunk toward the WLC?
  3. On the Layer 3 device or firewall, what default gateway and routing aspects matter for VLAN 30?
  4. Based on the symptoms (DHCP works, but internet does not), which layer of the path is most likely misconfigured: RF, VLAN/trunking, or routing/firewall?

Suggested reasoning path

Think step by step:

  • RF is probably fine because clients see and join the SSID.
  • DHCP works, so VLAN 30 exists and is carried at least as far as wherever the DHCP server or relay sits; the clients have a working Layer 2 path that far.
  • The remaining common issues are:
      • VLAN 30 not allowed on a trunk further along the path, for example toward the core or the firewall.
      • Missing or wrong default gateway for VLAN 30 (no SVI, or DHCP handing out the wrong router address).
      • Missing route back to 10.30.30.0/24, or a missing NAT rule for it, on the firewall.

Pause and decide which is most consistent with the information given. Then, compare with the model solution in your notes or discuss with a peer.
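The checks in the Troubleshooting Angle section and in this exercise (VLAN defined, allowed on every trunk in the path, SVI present) are mechanical enough to script against a saved running‑config. The block below is an added example, not code from this chapter or from Cisco; the IOS‑style configuration text, the SSID‑to‑VLAN map, and the interface names are constructed to contain two deliberate faults. It parses the VLAN database, trunk allowed lists (including `add`/`remove`), and SVIs, then audits each SSID's VLAN along a stated trunk path.

```python
import re

ALL_VLANS = set(range(1, 4095))


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '1-5,10,30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_switch_config(text: str) -> dict:
    """Pull the VLAN database, trunk allowed lists and SVI addresses out of an IOS-style config."""
    vlans, trunks, svis = set(), {}, {}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            iface = None                       # end of the current interface block
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            iface = m.group(1)
            continue
        if iface is None:                      # global config: only the VLAN database matters here
            m = re.match(r"^vlan ([\d,\-]+)$", line)
            if m:
                vlans |= expand_vlan_list(m.group(1))
            continue
        if line == "switchport mode trunk":
            trunks.setdefault(iface, set(ALL_VLANS))   # IOS default: all VLANs allowed
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):].split()
            allowed = trunks.setdefault(iface, set(ALL_VLANS))
            if spec[0] == "add":
                allowed |= expand_vlan_list(spec[1])
            elif spec[0] == "remove":
                allowed -= expand_vlan_list(spec[1])
            elif spec[0] == "none":
                allowed.clear()
            elif spec[0] != "all":
                trunks[iface] = expand_vlan_list(spec[0])
        elif line.startswith("ip address ") and iface.lower().startswith("vlan"):
            svis[int(iface[4:])] = line.split()[2]
    return {"vlans": vlans, "trunks": trunks, "svis": svis}


def audit_ssid_paths(ssid_to_vlan: dict, config: dict, trunk_path: list) -> list:
    """One finding per broken link in SSID -> VLAN -> trunk(s) -> SVI; an empty list means the path looks sound."""
    findings = []
    for ssid, vlan in ssid_to_vlan.items():
        if vlan not in config["vlans"]:
            findings.append(f"{ssid}: VLAN {vlan} is not defined")
        for iface in trunk_path:
            allowed = config["trunks"].get(iface)
            if allowed is None:
                findings.append(f"{ssid}: {iface} is not a trunk")
            elif vlan not in allowed:
                findings.append(f"{ssid}: VLAN {vlan} is not allowed on trunk {iface}")
        if vlan not in config["svis"]:
            findings.append(f"{ssid}: no SVI (default gateway) for VLAN {vlan}")
    return findings


# Constructed distribution-switch config (hypothetical; VLAN 20 is undefined and VLAN 30 is pruned from the WLC trunk).
DIST_SWITCH_CONFIG = """\
vlan 10
 name Campus-Secure
vlan 30
 name Guest-WiFi
!
interface GigabitEthernet1/0/1
 description Trunk to WLC
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 1-99
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan30
 ip address 10.30.30.1 255.255.255.0
 ip helper-address 10.1.1.5
"""
SSID_TO_VLAN = {"Campus-Secure": 10, "Faculty-Secure": 20, "Guest-WiFi": 30}
TRUNK_PATH = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/24"]

if __name__ == "__main__":
    for finding in audit_ssid_paths(SSID_TO_VLAN, parse_switch_config(DIST_SWITCH_CONFIG), TRUNK_PATH):
        print(finding)
```

Feed it `show running-config` output from each switch along the path and the WLC's SSID‑to‑interface mapping. Note what it cannot see: a missing route or NAT rule on the firewall (the last bullet of the reasoning path) needs the firewall's own configuration, which is why the exercise's symptoms, DHCP working but no internet, still leave that possibility open after the switch audit passes.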

Quiz 1: WLAN Components and RF Basics

Answer this question to check your understanding of WLAN components and RF.

In a controller-based campus WLAN, which statement best describes the role of the Wireless LAN Controller (WLC)?

  A. It directly connects wireless clients to the internet using built-in NAT, while APs just provide power.
  B. It centrally manages AP configuration, SSIDs, and security policies, and often terminates CAPWAP tunnels carrying client traffic.
  C. It replaces all access switches by providing both Ethernet switch ports and wireless radios in one device.
  D. It operates only at Layer 1, adjusting RF power and channels, while APs handle all higher-layer functions.

Answer: B) It centrally manages AP configuration, SSIDs, and security policies, and often terminates CAPWAP tunnels carrying client traffic.

In a controller-based WLAN, the WLC centrally manages lightweight APs: it pushes SSID, security, and RF configs, and typically terminates CAPWAP tunnels that carry client control (and often data) traffic. It does not replace all switches, and it certainly operates at multiple layers, not just Layer 1.

Quiz 2: Security and VLAN Integration

Check your understanding of wireless security standards and VLAN mapping.

A campus wants per-user authentication for employees, the ability to revoke individual access easily, and to place different users into different VLANs dynamically over Wi‑Fi. Which combination is most appropriate?

  A. Single SSID using WPA2-PSK, with static VLAN assignment on AP switch ports.
  B. Multiple SSIDs using WPA3, but all mapped to the same VLAN to simplify routing.
  C. Single SSID using WPA2-Enterprise with 802.1X and RADIUS, using dynamic VLAN assignment.
  D. Separate SSIDs per user, each using WEP with a unique key, mapped to separate VLANs.

Answer: C) Single SSID using WPA2-Enterprise with 802.1X and RADIUS, using dynamic VLAN assignment.

WPA2-Enterprise with 802.1X and RADIUS provides per-user authentication and supports dynamic VLAN assignment based on user or group. WPA2-PSK uses a shared key, WPA3 alone does not imply per-user VLANs, and WEP is insecure and deprecated.

Key Term Review: WLAN and Security

Review these core WLAN and security terms you need for CCNA.

Access Point (AP)
A device that provides 802.11 wireless connectivity to clients and bridges their traffic to the wired Ethernet network, often managed by a Wireless LAN Controller in campus designs.
Wireless LAN Controller (WLC)
A centralized device that manages multiple lightweight APs, pushing SSID, security, and RF configurations and often terminating CAPWAP tunnels that carry client traffic.
SSID (Service Set Identifier)
The network name that identifies a WLAN to users; each SSID is associated with specific security settings and is typically mapped to a single VLAN on the wired network.
VLAN (definition)
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Common wireless security standards (full list)
The three common wireless security standards you must know, in order, are: WPA2-PSK, WPA2-Enterprise, WPA3.
WPA2-PSK
A Wi‑Fi security mode (WPA2-Personal) where all clients share a single pre-shared passphrase; simple to deploy but harder to manage securely and not tied to individual identities.
WPA2-Enterprise
A Wi‑Fi security mode that uses 802.1X and a RADIUS server to authenticate users individually, enabling per-user credentials, logging, and features like dynamic VLAN assignment.
WPA3
The latest generation Wi‑Fi security standard, improving resistance to password guessing (via SAE in WPA3-Personal) and offering stronger encryption options in WPA3-Enterprise.
802.1Q trunk
An Ethernet link that carries multiple VLANs simultaneously by tagging frames with VLAN IDs, used between switches and also between switches, APs, and WLCs in WLAN designs.
default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.

Key Terms

SSID
The Service Set Identifier; the Wi‑Fi network name that identifies a WLAN to users and is associated with particular security settings and a VLAN.
WPA3
The latest Wi‑Fi security standard that strengthens protection against password attacks and offers enhanced encryption options for personal and enterprise networks.
WPA2-PSK
A Wi‑Fi security mode using a shared pre-shared key (passphrase) for all clients; simple but less manageable and less secure than per-user authentication.
802.1Q trunk
An Ethernet link that can carry multiple VLANs by tagging frames with VLAN IDs, used to connect switches and to carry WLAN traffic between APs/WLCs and the wired network.
Coverage cell
The area in which a particular AP radio can reliably communicate with clients; WLAN design involves planning overlapping cells on non-overlapping channels.
WPA2-Enterprise
A Wi‑Fi security mode using 802.1X and a RADIUS server to authenticate users individually and optionally assign dynamic policies such as VLANs.
Co-channel interference
Contention that occurs when multiple APs and clients use the same channel in overlapping coverage areas, forcing them to share airtime and reducing throughput.
Adjacent-channel interference
RF interference caused by APs using overlapping channels (such as channels 1 and 2 in 2.4 GHz), leading to collisions and retransmissions.
