WiFi for Small Business

Small business WiFi is a higher bar than home WiFi. You have employees expecting consistent coverage across all rooms; visitors expecting guest WiFi without compromising your security; payment terminals that must be isolated for PCI; VoIP phones needing reliable connectivity; security cameras and printers that should not be on the same broadcast domain as anything sensitive. The kit and the concepts to do this well are not exotic — they just require more thought than the consumer "set up the SSID and call it done" pattern. This guide walks through SSID strategy, VLAN mapping, segmentation, captive portals, and the practical details that make office WiFi actually work.

The SSID strategy for typical SMBs

Most offices benefit from 3-5 SSIDs, each mapped to a specific VLAN:

SSID: YourCompany-Employee
  Security: WPA3-Enterprise (or WPA3-Personal)
  VLAN access: Internal VLAN with full internal access
  Purpose: Day-to-day employee devices

SSID: YourCompany-Guest
  Security: Open with captive portal, or WPA3-Personal with rotating PSK
  VLAN access: Guest VLAN, internet-only, client isolation enabled
  Purpose: Visitors, contractors

SSID: YourCompany-IoT
  Security: WPA3-Personal (separate PSK)
  VLAN access: IoT VLAN, limited access
  Purpose: Cameras, printers, smart devices

SSID: YourCompany-POS (if applicable)
  Security: WPA3-Personal (separate PSK)
  VLAN access: POS VLAN, only to payment processor
  Purpose: Point-of-sale terminals

SSID: YourCompany-Voice (if applicable)
  Security: WPA3-Personal (separate PSK)
  VLAN access: Voice VLAN, only to SIP provider
  Purpose: WiFi-connected VoIP phones

Three core principles:

  1. One SSID per security boundary. Guest traffic is fundamentally different from employee traffic; they need different SSIDs and different VLANs.
  2. Separate PSKs per SSID. Never share keys across security boundaries. A leaked guest password should not give access to IoT or employee networks.
  3. Fewer SSIDs are better. Each SSID consumes airtime via beacon frames; more than 5-6 measurably degrades performance.

WPA3-Personal vs WPA3-Enterprise

The two flavors of WPA3:

WPA3-Personal (PSK)

Shared password across all clients. Simple to set up. Anyone with the password connects. Revoking individual access requires changing the password for everyone — operationally painful for offices with employee turnover.

Best for: offices under ~20 users, guest networks, IoT networks, POS networks where each network has a small known set of devices.

WPA3-Enterprise (802.1X / RADIUS)

Per-user authentication via the 802.1X protocol against a RADIUS server. Each user logs in with their own credentials (typically tied to corporate identity — AD, Azure AD, Google Workspace, Okta). Revoking individual access is trivial — disable the user in the identity system.

Implementation options:

  • Cloud RADIUS: Cloud-managed WiFi often includes integrated RADIUS (Meraki, Aruba Central, UniFi Identity). Subscription-based; easiest setup.
  • Self-hosted RADIUS: FreeRADIUS on a Linux box, or Windows Network Policy Server. More control, more setup.
  • Identity provider integration: JumpCloud RADIUS, Auth0, Foxpass, Cloud RADIUS — services that bridge cloud identity (Google Workspace, Microsoft 365) to RADIUS.

Best for: offices over ~20 users, regulated industries, anywhere employees come and go regularly.

Guest WiFi: the right way

Guest WiFi has specific requirements beyond just "open network":

  • Captive portal for legal protection. Acceptable use policy acknowledgment shifts liability to the user.
  • Client isolation enabled. Guest devices cannot see each other on the wireless network.
  • Internet-only VLAN. No access to internal resources whatsoever.
  • Bandwidth limits. Cap guest bandwidth (10-20 Mbps per client typical) so guest traffic cannot saturate your link.
  • Session timeout. Guests get 4-8 hours then must reauthenticate. Discourages drive-by usage.
  • Different DNS. Use a privacy/security-focused resolver (Cloudflare 1.1.1.1, OpenDNS Family) on the guest VLAN.

Captive portal options for SMBs:

  • Cloud-managed WiFi vendor portal (Meraki, Aruba Central, UniFi).
  • Third-party guest WiFi platforms (Beambox, Eva.ai, Wifi-Soft) — feature-rich with marketing integration.
  • Self-hosted captive portal (CoovaChilli, pfSense built-in) — more control.

IoT WiFi: the often-skipped network

Cameras, printers, smart sensors, thermostats, conference room hardware — all of these go on the IoT VLAN, separated from employee devices. Reasons:

  • Most IoT devices have weak security and infrequent firmware updates.
  • An IoT device compromise should not yield access to your employee network.
  • Many IoT devices only support WPA2 (or worse); separating them lets the main employee SSID stay on WPA3.
  • IoT traffic patterns (constant outbound to vendor cloud) can be monitored and rate-limited without affecting employees.

Common IoT firewall rules:

  • Allow outbound to specific vendor cloud endpoints (Ring, Nest, Hue, printer vendor).
  • Allow outbound DNS to internal resolver or 1.1.1.1.
  • Block all other outbound.
  • Block all initiating connections from IoT to Employee or Server VLANs.
  • Allow inbound from Employee VLAN to IoT (so employees can use their printer or cast to a TV).
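An inter-VLAN firewall ruleset implementing the guest rules and the IoT rules above (internet-only guest, IoT limited to DNS and vendor cloud endpoints, no IoT-initiated connections toward employee or server VLANs, employee-to-IoT allowed, POS only to its payment processor). This is an added example in nftables syntax, not configuration from the original guide; it assumes a Linux router with VLAN subinterfaces vlan10 (employee), vlan20 (guest), vlan30 (IoT), vlan40 (servers), vlan50 (POS) and uplink wan0, and the vendor and processor addresses are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: inter-VLAN policy for the SSID/VLAN layout above.
# Assumed interfaces: vlan10 employee, vlan20 guest, vlan30 IoT,
# vlan40 servers, vlan50 POS, wan0 internet uplink. IPv4 rules only.
flush ruleset

table inet office {
    # Constructed placeholder addresses (TEST-NET ranges); replace with
    # the vendor cloud and payment processor endpoints you actually use.
    set iot_vendor_cloud {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.0/24 }
    }
    set payment_processor {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-permitted flows; every rule below decides
        # which VLAN may *initiate* a connection. vlan40 has no rule,
        # so servers cannot initiate anything through this router.
        ct state established,related accept
        ct state invalid drop

        # Employee VLAN: internet, plus may initiate toward IoT
        # (printers, casting) and servers. Never toward POS.
        iifname "vlan10" oifname { "wan0", "vlan30", "vlan40" } accept

        # Guest VLAN: internet only. Guest-to-guest isolation is
        # enforced on the AP (client isolation), not here.
        iifname "vlan20" oifname "wan0" accept
        iifname "vlan20" log prefix "guest-denied: " counter drop

        # IoT VLAN: DNS to 1.1.1.1, HTTPS to known vendor endpoints,
        # and nothing else. No connections into employee/server VLANs.
        iifname "vlan30" oifname "wan0" ip daddr 1.1.1.1 udp dport 53 accept
        iifname "vlan30" oifname "wan0" ip daddr @iot_vendor_cloud tcp dport 443 accept
        iifname "vlan30" log prefix "iot-denied: " counter drop

        # POS VLAN: only the payment processor (keeps PCI scope small).
        iifname "vlan50" oifname "wan0" ip daddr @payment_processor tcp dport 443 accept
        iifname "vlan50" log prefix "pos-denied: " counter drop
    }
}
```

Load it with nft -f; the counters and log prefixes on the deny rules show at a glance what each VLAN is trying to reach, which is usually the first sign of a misbehaving or compromised IoT device.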

VLAN-to-SSID mapping in practice

On business-grade APs, each SSID can be tagged with a specific VLAN. Setup example for Ubiquiti UniFi:

SSID: YourCompany-Employee
  Security: WPA3-Personal
  VLAN: 10 (employee VLAN)

SSID: YourCompany-Guest
  Security: Open with portal
  VLAN: 20 (guest VLAN)

SSID: YourCompany-IoT
  Security: WPA3-Personal (different PSK)
  VLAN: 30 (IoT VLAN)

The switch and firewall must be configured to:

  • Carry the VLAN tags on the trunk port to each AP.
  • Route traffic between VLANs at the firewall with appropriate ACLs.
  • Provide DHCP for each VLAN (different IP ranges).

The mapping is set once during deployment; clients connecting to each SSID automatically land on the right VLAN.

Roaming: making WiFi work as users walk around

Single-AP offices don't need roaming. Multi-AP offices do. Three IEEE standards make roaming work:

  • 802.11k (Neighbor Reports): APs share information about their neighbors with clients, so clients know which AP to consider next.
  • 802.11v (BSS Transition Management): APs can suggest to clients "you'd be better off on AP-2".
  • 802.11r (Fast BSS Transition): Clients can reauthenticate to a new AP without redoing the full WPA3 handshake — typically 50 ms transition vs 500+ ms otherwise. Critical for voice calls.

For 802.11r to work, all APs must be from the same vendor and configured identically. Mixed-vendor deployments can still roam, but not seamlessly.

Tuning tips:

  • Lower the minimum signal threshold. APs disconnect weak clients earlier, forcing them to find better APs.
  • Disable lower data rates. 1, 2, 5.5 Mbps rates extend range but slow the air. Most enterprise deployments disable rates below 12 Mbps.
  • Adjust transmit power. Lower power means clients leave the current AP sooner; helps roaming if neighbors are well-placed.

Channel planning

WiFi runs on shared frequency bands. Channel selection matters in dense environments:

2.4 GHz (b/g/n)

Only 3 non-overlapping channels in most regions: 1, 6, 11. With many APs, channels must be reused — adjacent APs should be on different channels. Modern APs auto-tune but you can override.

2.4 GHz also shares spectrum with Zigbee, Bluetooth, microwave ovens. Interference is a chronic problem in dense urban environments.

5 GHz (ac, ax)

25+ non-overlapping channels (depending on country and DFS rules). Much less crowded than 2.4 GHz; preferred for high-throughput devices.

DFS channels (the 5 GHz channels that detect and yield to radar) provide more options but APs must occasionally interrupt service to scan for radar. Disable DFS channels if the AP location occasionally detects radar — e.g., near airports.

6 GHz (WiFi 6E)

Newer band with much more spectrum. Only supported on WiFi 6E and WiFi 7 devices. Use it for the employee SSID where you have modern devices; leave guest/IoT on 2.4/5.

Coverage and capacity

Two different problems often conflated:

Coverage

Are there places where clients can't see a usable signal? Solution: more APs, better placement, or higher transmit power.

Survey tools — Hamina (free for SMBs), Ubiquiti Design Center, NetSpot, Ekahau — let you sketch the floor plan and predict signal levels. Always survey before final AP placement, especially in buildings with concrete walls or unusual geometry.

Capacity

Are there places where coverage is fine but performance is bad because too many devices share one AP? Solution: more APs (each handles fewer clients), or higher capacity APs (WiFi 6E with more streams).

Typical per-AP client capacity:

  • Light use (web browsing, occasional video): 50-100 clients per AP.
  • Office use (video calls, file transfers): 25-50 clients per AP.
  • High density (conference rooms, classrooms): 15-30 clients per AP.
  • Auditorium / stadium: 10-15 clients per AP with high-density mode tuning.

Common SMB WiFi mistakes

  • One SSID for everyone. Guest devices on the employee network; cameras on the same network as laptops. Security and PCI failures waiting to happen.
  • Sharing the guest password with employees. Defeats the entire purpose; employees end up on the slower / less-private guest VLAN unnecessarily.
  • Hiding the SSID for "security". Hidden SSIDs are not actually hidden (any client probing reveals them). They just inconvenience legitimate users and provide zero real security.
  • MAC address filtering as "security". MAC addresses are trivial to spoof. Adds operational burden, provides nothing meaningful.
  • Same WiFi password for years. The longer it stays the same, the more likely it has leaked. Rotate annually at minimum.
  • Wall-mounted APs. Designed for ceiling mounting; wall mounts create asymmetric coverage. Mount on ceilings.
  • Single AP for a large office. One AP cannot cover a 4000 sqft office reliably regardless of marketing claims. Multiple APs in a coordinated deployment are the right answer.

Frequently Asked Questions

How many SSIDs should a small business have?

Three to five typically. Standard set: Employee (WPA3-Enterprise, mapped to internal VLAN), Guest (open or PSK, mapped to isolated guest VLAN with internet-only access), and IoT (separate PSK for cameras/printers/sensors on a restricted VLAN). Add POS if you take card payments (separate PSK and VLAN for PCI compliance) and Voice if VoIP phones use WiFi rather than wired. More than 5 SSIDs degrades performance because each one adds beacon overhead to the air.

Should the guest WiFi use a captive portal?

For most SMBs, yes. A captive portal serves three purposes: (1) acceptable use policy acknowledgment for legal liability protection, (2) optional data capture (email collection for marketing), (3) optional time-limited access (visitors get 4 hours then must reauthenticate). Cloud-managed WiFi (Meraki, Aruba Instant On, UniFi) provides captive portals as a standard feature. Open networks without portals are higher legal risk; PSK-based guest networks are simpler but rotate the key regularly.

Is WPA3 ready for production business use?

Yes — WPA3 has been broadly supported since 2020 and all modern devices implement it. The main risk is older devices (pre-2020 phones, embedded IoT devices) that only support WPA2. Run your employee SSID in "WPA3-Personal Transition Mode" or "WPA2/WPA3 Mixed" to accept both. For enterprise environments, use WPA3-Enterprise (with RADIUS auth) which provides better cryptographic protection than WPA2-Enterprise.

Why does my office WiFi drop when I walk between rooms?

This is roaming behavior. WiFi clients don't switch APs until the current signal degrades severely; the new AP only becomes "better" once the current one is barely usable. Three fixes: enable 802.11k/v/r (fast roaming standards) on all APs, lower the minimum signal threshold so APs disconnect weak clients earlier (forcing them to find a better AP), and ensure overlapping AP coverage at typical client speeds (mobile speeds need denser coverage than desktop). Same vendor across all APs is necessary for seamless 802.11r.

What is the difference between WPA3-Personal and WPA3-Enterprise?

WPA3-Personal uses a shared password (PSK) for all clients — easier to set up but everyone with the password can connect. WPA3-Enterprise uses 802.1X authentication via RADIUS, with per-user credentials tied to your identity system (Active Directory, Azure AD, Google Workspace). Each user authenticates with their own credentials; you can revoke individual access without changing the network for everyone. WPA3-Enterprise is the standard for offices with more than ~20 users; smaller offices often stay on WPA3-Personal for simplicity.
