← Patterns / SP-006

Wireless- Private Network Pattern

The Wireless Private Network pattern addresses the security architecture for deploying managed wireless networks within corporate or organisational premises. Unlike public hotspots where the infrastructure is untrusted, a private wireless network is designed to function as a logical extension of the trusted wired LAN -- with the critical caveat that radio frequency transmission introduces attack surfaces that do not exist on copper or fibre. The core security challenge is that wireless signals do not respect physical boundaries. A well-positioned access point inside a building will radiate signals outside it, creating an attack surface accessible from car parks, adjacent buildings, and public spaces. This makes encryption and authentication the primary security controls rather than physical access restrictions. The pattern mandates enterprise-grade encryption (WPA2-Enterprise minimum, WPA3-Enterprise preferred) combined with 802.1X port-based authentication using RADIUS and EAP-TLS with digital certificates. This eliminates the shared pre-shared key (PSK) vulnerability that plagues consumer and small business deployments. Rogue access point detection is a critical operational requirement. Attackers may deploy unauthorised access points to lure corporate devices into connecting to malicious infrastructure (evil twin attacks), or employees may inadvertently create security gaps by connecting personal hotspots or consumer-grade access points. Continuous wireless spectrum monitoring, combined with network-level detection of unauthorised BSSID addresses, provides defence against these threats. The pattern also addresses the network segmentation implications of wireless access. Even on a trusted private network, wireless segments should be treated with appropriate caution in firewall and VLAN design. Traffic from wireless segments should traverse network intrusion detection and prevention systems before reaching sensitive internal resources. This defence-in-depth approach ensures that a compromise of the wireless layer does not immediately grant unrestricted access to the entire corporate network. Operational security for private wireless includes regular vulnerability assessments of access point firmware and controller software, logging and monitoring of authentication events (successful and failed), physical security of access point hardware to prevent tampering, and incident response procedures specific to wireless security events such as deauthentication attacks, rogue AP detection, and suspected encryption compromise.

Release: 26.02 Authors: Aurelius, Vitruvius Updated: 2026-02-06

Assess

ATT&CK This pattern addresses 348 techniques across 13 tactics View on ATT&CK Matrix →

Click any control badge to view its details. Download SVG

Key Control Areas

Wireless Access and Device Control

AC-18 AC-19

These are the foundational access controls for this pattern. AC-18 governs wireless access restrictions including approved wireless technologies, authentication requirements, encryption standards, and usage constraints. Organisations should define which wireless protocols are permitted (WPA3-Enterprise, WPA2-Enterprise), explicitly prohibit legacy protocols (WEP, WPA-PSK in enterprise deployments), and specify connection requirements for corporate devices. AC-19 extends these controls to portable and mobile devices connecting to the wireless network, addressing device posture checks, MDM enrollment requirements, and restrictions on which device types may connect. Implementation should include 802.1X with EAP-TLS certificate-based authentication, MAC address logging (not filtering, which provides minimal security), and network access control (NAC) integration to verify device compliance before granting full network access.

Authentication and Device Identity

IA-02 IA-03

Strong authentication is the primary security mechanism for private wireless networks. IA-02 requires user identification and authentication via enterprise credentials integrated with 802.1X, ideally using certificate-based authentication where the device presents a machine certificate and the user authenticates via their directory credentials. IA-03 covers device identification and authentication, ensuring that only known, managed devices can connect. This typically involves machine certificates issued by the organisation's PKI, enrolled via MDM or Active Directory auto-enrollment. The combination of user and device authentication provides two-factor assurance that both the person and the endpoint are authorised. RADIUS server infrastructure must be properly secured and redundant, as it becomes a single point of failure for all wireless access.

Cryptographic Protection

SC-08 SC-09 SC-13

Encryption protects the confidentiality and integrity of data in transit over the wireless link. SC-08 (transmission integrity) and SC-09 (transmission confidentiality) are addressed through WPA2-Enterprise (AES-CCMP) or WPA3-Enterprise (AES-GCMP-256). SC-13 governs the overall use of cryptography, requiring FIPS-validated cryptographic modules where applicable and ensuring key management is properly handled. WPA3-Enterprise with 192-bit mode provides CNSA-grade encryption suitable for government and high-security environments. Organisations should ensure that access point firmware supports the required cryptographic standards, that session key rotation occurs at appropriate intervals, and that PMF (Protected Management Frames) is enabled to prevent deauthentication attacks.

Continuous Monitoring and Vulnerability Management

CA-07 RA-05 AU-02

Wireless networks require continuous monitoring beyond standard network monitoring. CA-07 encompasses continuous monitoring including wireless intrusion detection systems (WIDS) that scan for rogue access points, evil twin attacks, deauthentication floods, and other wireless-specific threats. RA-05 covers vulnerability scanning of access point firmware, wireless controller software, and RADIUS infrastructure. AU-02 defines auditable events for wireless: authentication successes and failures, rogue AP detections, RADIUS server events, channel utilisation anomalies, and client roaming events. Log data should feed into the organisation's SIEM for correlation with other security events.

Security Assessment and Compliance

CA-02

Regular security assessments (CA-02) of the wireless infrastructure should include penetration testing of wireless authentication, verification that encryption standards are enforced (not just configured), physical surveys to validate signal coverage and identify leakage beyond intended boundaries, and review of access point configurations for compliance with organisational policy. Assessments should verify that legacy protocols are actually disabled (not just deprioritised), that certificate revocation is functioning, and that the WIDS is detecting test rogue access points.

Incident Response for Wireless Events

IR-02 IR-04 IR-05 IR-06 IR-07

Wireless networks generate specific incident types that require dedicated response procedures. IR-04 (incident handling) should include playbooks for rogue access point detection and neutralisation, suspected encryption compromise, deauthentication attacks, unauthorised device connections, and wireless-based man-in-the-middle attempts. IR-05 (incident monitoring) covers the continuous tracking of wireless security events. IR-06 and IR-07 address the reporting chain and response assistance for wireless incidents, which may require specialist skills including RF analysis. IR-02 ensures that IT staff and security teams receive training specific to wireless threats and response techniques.

Awareness and Training for Wireless Security

AT-01 AT-03 AT-04

Users and IT staff require specific training on wireless security risks and organisational policy. AT-03 should include role-based training: end users need to understand the risks of connecting to unknown wireless networks (particularly when travelling), the importance of not sharing wireless credentials, and how to identify suspicious wireless behaviour. IT administrators need training on wireless security configuration, monitoring tools, and incident response for wireless events. AT-04 ensures training records demonstrate compliance with these requirements. AT-01 provides the policy foundation for the training program.

When to Use

Apply this pattern when providing wireless network access to corporate or organisational network resources from managed locations such as offices, campuses, and facilities where the organisation controls the wireless infrastructure. This is appropriate when the organisation manages the endpoint devices connecting to the network and can enforce configuration requirements including certificate enrollment and 802.1X supplicant configuration. This pattern does not cover Bluetooth, Infrared, or cellular connectivity.

When NOT to Use

This pattern is not appropriate for environments where guest or unmanaged device access is the primary use case -- use a separate guest network or the Wireless Public Hotspot pattern instead. In environments with extreme security requirements where the risk of wireless eavesdropping or signal interception cannot be tolerated, wired-only access should be mandated. The pattern also does not apply where the organisation does not control the wireless infrastructure (airports, hotels, co-working spaces) -- the Public Hotspot pattern applies in those scenarios. Environments with significant RF interference or contested spectrum may find wireless unreliable for business-critical connectivity.

Typical Challenges

Certificate lifecycle management is the most common operational challenge: certificate enrolment, renewal, and revocation must be automated as far as possible, since manual processes break down at scale and expired certificates cause service disruption. Most modern operating systems support 802.1X supplicants and can integrate with enterprise PKI for automatic certificate enrolment and renewal, but heterogeneous device environments (Windows, macOS, Linux, IoT) require careful per-platform configuration and testing. WPA3-Enterprise adoption may be constrained by legacy access points or client devices that do not support it, requiring a transitional period where WPA2-Enterprise remains available. WEP must never be used, as it is trivially broken with publicly available tools, and any environment still relying on WEP should treat the wireless segment as completely untrusted and require VPN overlay -- effectively degrading to the Public Hotspot pattern. Physical placement of access points requires balancing coverage requirements against signal leakage beyond the building perimeter. Guest wireless access should be provided on a separate SSID and VLAN with internet-only access, completely isolated from the corporate network.

Threat Resistance

This pattern provides resistance against wireless eavesdropping through WPA2/WPA3 enterprise encryption, preventing passive interception of corporate traffic over the air interface. Strong 802.1X authentication resists impersonation and unauthorised network access by requiring valid certificates and credentials. Rogue access point detection and wireless intrusion detection address evil twin attacks where adversaries set up fraudulent access points to intercept traffic. Device authentication prevents unauthorised or compromised devices from gaining network access. Network segmentation of wireless traffic limits lateral movement if a wireless client is compromised. The pattern does not fully mitigate denial-of-service attacks against the wireless medium (RF jamming, deauthentication floods with legacy protocols), though WPA3 Protected Management Frames significantly reduce deauthentication attack effectiveness.

Assumptions

The organisation manages its own wireless infrastructure with enterprise-grade access points and controllers. A RADIUS server and PKI infrastructure are available for 802.1X EAP-TLS authentication, or the organisation has the capability to deploy them. Managed endpoint devices support 802.1X supplicants and can be enrolled with machine certificates. Network segmentation exists or can be implemented to isolate wireless traffic from sensitive internal segments until it has been inspected.

Developing Areas

WPA3 Enterprise adoption remains stubbornly low despite being ratified in 2018. Industry surveys consistently show that fewer than 20% of enterprise wireless deployments have migrated to WPA3, primarily because mixed-mode environments (WPA2/WPA3 transition) introduce compatibility issues with older client devices and because the security benefits over WPA2-Enterprise with 802.1X are incremental rather than transformational. The result is that most enterprise wireless networks remain on WPA2-Enterprise, which is adequate but lacks the improved key exchange and Protected Management Frames that WPA3 mandates.
IoT device proliferation is overwhelming traditional wireless security models. Enterprise networks now carry traffic from building automation sensors, smart displays, IP cameras, medical devices, and industrial controllers -- devices that often lack 802.1X supplicants, cannot support certificate-based authentication, and run firmware with known vulnerabilities. Dedicated IoT VLANs with MAC-based authentication provide basic segmentation, but the sheer diversity of IoT protocols and the difficulty of maintaining firmware across thousands of devices make this a rapidly growing attack surface with no mature solution.
Rogue access point detection at enterprise scale faces new challenges as organisations adopt Wi-Fi 6E (6 GHz band) and anticipate Wi-Fi 7. The 6 GHz spectrum doubles the available channel space, meaning existing wireless intrusion detection systems (WIDS) need hardware upgrades to monitor the new band. Additionally, the proliferation of personal hotspots, USB tethering, and cellular failover on employee devices creates a constant stream of rogue AP false positives that erode confidence in detection systems.
Private 5G networks are emerging as an alternative to enterprise Wi-Fi for campus and industrial environments, offering dedicated spectrum, deterministic latency, and SIM-based device authentication. However, private 5G introduces an entirely new security stack (3GPP security architecture) that enterprise network teams have no experience managing. The intersection of IT wireless security and telecoms security is an unsettled discipline, and the tools for monitoring, threat detection, and incident response on private 5G networks are still being developed by a small number of specialist vendors.

Related Patterns

Patterns that operate within or alongside this one. Click any to view.

SP-001 Client Module SP-007 Wireless Public Hotspot SP-015 Consumer Devices for Enterprise SP-016 DMZ Module SP-024 iPhone Pattern SP-025 Advanced Monitoring and Detection

AC: 2AT: 3AU: 1CA: 2IA: 2IR: 5RA: 1SC: 3

AC-18 Wireless Access Restrictions

AC-19 Access Control For Portable And Mobile Devices

AT-01 Security Awareness And Training Policy And Procedures

AT-03 Security Training

AT-04 Security Training Records

AU-02 Auditable Events

CA-02 Security Assessments

CA-07 Continuous Monitoring

IA-02 User Identification And Authentication

IA-03 Device Identification And Authentication

IR-02 Incident Response Training

IR-04 Incident Handling

IR-05 Incident Monitoring

IR-06 Incident Reporting

IR-07 Incident Response Assistance

RA-05 Vulnerability Scanning

SC-08 Transmission Integrity

SC-09 Transmission Confidentiality

SC-13 Use Of Cryptography