Cozy Bean Café
Wireless network blueprint · Assignment 5 — Securing a Small Wi-Fi Deployment
26 April 2026
Card A
Hardware
- 2×Ubiquiti U6-Lite (Wi-Fi 6, 2×2 MU-MIMO) or equivalent
- 1×UniFi Dream Router or Mikrotik hAP ax² (gateway + controller)
- PoE switch with 4× PoE+ ports
Card B
Security
- WPA3-Personal (SAE) primary
- WPA3 Transition Mode for legacy devices
- PMF (Protected Management Frames) required
- WPS, UPnP, remote admin all disabled
- 2.4 GHz channel plan: 1/6/11 spacing (we use 6 + 11)
Card C
Networks
| SSID | Band | VLAN | Auth | Isolation |
|---|---|---|---|---|
| CozyBean-Guest | 2.4 + 5 | 20 | WPA3-SAE + captive portal | Client + AP |
| CozyBean-Ops (hidden) | 5 only | 10 | WPA3-SAE, MAC allowlist | None (intra-VLAN OK) |
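Worked example (added here; not UniFi or Mikrotik configuration and not part of the blueprint): the Card B and Card C settings written as hostapd-style key=value lines and checked by a small policy lint. The key names (wpa, wpa_key_mgmt, ieee80211w, sae_require_mfp, wps_state, rsn_pairwise, ignore_broadcast_ssid) are real hostapd.conf keys, used only as a vendor-neutral way to write down what the controller UI sets; the three sample configs are constructed for this example. One caveat the lint encodes: in WPA3 Transition Mode the PSK side can only be PMF-capable, so the SAE side is pinned to PMF with sae_require_mfp=1, while the pure-SAE Ops SSID gets PMF required outright.

```python
"""Policy lint for WPA3 access-point settings (added example, not vendor code)."""

# Constructed sample: a WPA2-era config of the kind the blueprint rejects.
WEAK_CONF = """\
ssid=CozyBean-Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
ieee80211w=0
wps_state=2
"""

# Constructed sample: guest SSID per Card B/C (WPA3 transition mode, PMF).
GUEST_CONF = """\
ssid=CozyBean-Guest
wpa=2
wpa_key_mgmt=SAE WPA-PSK
rsn_pairwise=CCMP
ieee80211w=1
sae_require_mfp=1
wps_state=0
"""

# Constructed sample: hidden staff SSID, SAE only, PMF required.
OPS_CONF = """\
ssid=CozyBean-Ops
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def lint(text):
    """Return a list of policy findings; an empty list means compliant."""
    c = parse_conf(text)
    findings = []
    akm = set(c.get("wpa_key_mgmt", "").split())
    transition = "SAE" in akm and "WPA-PSK" in akm

    if c.get("wpa") != "2":
        findings.append("wpa must be 2 (RSN); WPA1/TKIP-era modes are not allowed")
    if "SAE" not in akm:
        findings.append("wpa_key_mgmt must include SAE (WPA3-Personal)")
    if "TKIP" in c.get("rsn_pairwise", "CCMP").split():
        findings.append("rsn_pairwise must be CCMP only; TKIP is deprecated")
    pmf = c.get("ieee80211w", "0")          # hostapd default is 0 (PMF off)
    if transition:
        # PSK clients in transition mode can only be offered PMF (1), so the
        # SAE side must be pinned to PMF separately with sae_require_mfp=1.
        if pmf == "0":
            findings.append("transition mode needs ieee80211w>=1 (PMF capable)")
        if c.get("sae_require_mfp") != "1":
            findings.append("transition mode needs sae_require_mfp=1 so SAE clients always use PMF")
    elif pmf != "2":
        findings.append("ieee80211w must be 2 (PMF required) on a pure-SAE SSID")
    if c.get("wps_state", "0") != "0":      # hostapd default is 0 (WPS off)
        findings.append("wps_state must be 0 (WPS disabled)")
    return findings


if __name__ == "__main__":
    for name, conf in ("weak", WEAK_CONF), ("guest", GUEST_CONF), ("ops", OPS_CONF):
        print(name, lint(conf) or "OK")
```

Run it against a config export before each quarterly audit (Card D) and the lint doubles as the firmware-drift check: any finding on a config that was clean last quarter is drift.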
Card D
Operational policies
- Guest client isolation (no peer-to-peer discovery)
- VLAN 10 ↔ VLAN 20 firewall: deny all
- Per-client cap: 5 Mbps down / 2 Mbps up on guest
- Session timeout: 120 min, then re-auth via captive portal
- Captive portal: ToS + optional email opt-in (GDPR-compliant)
- Auto firmware updates: weekly check, security patches auto-applied
- Admin: 16+ char passphrase, TOTP 2FA, no default creds
- Quarterly staff PSK rotation; immediate on offboarding
- Connection logs retained 30 days (incident response only)
- Monthly RF scan for rogue APs / evil twins
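Worked example for the monthly RF scan (added here; not part of the blueprint and not controller code): triage of a site-survey export for evil twins and configuration drift. The CSV layout, the two "known" U6-Lite BSSIDs and every scan row are constructed for this example; a real run would take the controller's or survey tool's export. The hidden Ops SSID shows up with an empty name and is ignored by design, and the detector reports two kinds of finding: an unknown radio advertising one of our SSIDs (evil twin), and one of our own radios no longer advertising WPA3-SAE (drift).

```python
"""Evil-twin / rogue-AP triage over a Wi-Fi scan (added example, not vendor code)."""
import csv
import io

OUR_SSIDS = {"CozyBean-Guest", "CozyBean-Ops"}
# Constructed: the BSSIDs the two U6-Lite radios are known to use.
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed survey export. Row 3 is the hidden Ops SSID (empty name),
# row 4 is our own AP showing WPA2 on 5 GHz (drift), row 5 is an unknown
# radio broadcasting our guest SSID as an open network (evil twin).
SCAN_CSV = """\
bssid,ssid,channel,rssi,security
aa:bb:cc:00:00:01,CozyBean-Guest,6,-42,WPA3-SAE
aa:bb:cc:00:00:02,CozyBean-Guest,11,-48,WPA3-SAE
aa:bb:cc:00:00:02,,36,-50,WPA3-SAE
aa:bb:cc:00:00:01,CozyBean-Guest,36,-44,WPA2-PSK
6e:12:34:56:78:9a,CozyBean-Guest,1,-60,OPEN
11:22:33:44:55:66,NeighborNet,1,-70,WPA2-PSK
"""


def triage_scan(scan_csv, known_bssids=KNOWN_BSSIDS, our_ssids=OUR_SSIDS):
    """Return findings for radios that impersonate or weaken our SSIDs."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].lower()
        ssid = row["ssid"]
        known = bssid in known_bssids
        record = {"bssid": bssid, "ssid": ssid,
                  "channel": int(row["channel"]), "security": row["security"]}
        if ssid in our_ssids and not known:
            # Unknown hardware advertising one of our network names.
            findings.append({"kind": "evil_twin", **record})
        elif known and row["security"] != "WPA3-SAE":
            # Our own AP no longer advertising WPA3: config or firmware drift.
            findings.append({"kind": "config_drift", **record})
    return findings


if __name__ == "__main__":
    for f in triage_scan(SCAN_CSV):
        print(f"{f['kind']:13s} {f['bssid']} ch{f['channel']:<3d} {f['security']}")
```

Keep the known-BSSID set in the same place as the VLAN and SSID inventory; an AP swap that is not reflected there will show up as an evil twin on the next scan, which is the safer failure.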
Pitfalls to watch
| Pitfall | Notes / mitigation |
|---|---|
| 2.4 GHz interference | Microwaves, Bluetooth speakers, neighbor APs all share the band. |
| Pre-2019 devices without WPA3 | Handled by WPA3 Transition Mode — no SAE downgrade attack surface. |
| Outdoor seating gap | Optional 3rd AP in window, or accept as out-of-scope. |
| Firmware drift | Auto-update mitigates; quarterly audit confirms. |
| Staff sharing guest password | Separate SSID + onboarding training; rotate quarterly. |
| Captive portal fatigue | "Remember device for 7 days" cookie keeps regulars happy. |
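Worked example for the Card B channel plan and the 2.4 GHz interference pitfall (added here; not part of the blueprint): why 1/6/11 are the non-overlapping channels, and how to rank them against the neighbor APs a survey sees. Channel n sits at 2407 + 5n MHz for n = 1..13 (channel 14 at 2484 MHz); two channels overlap when their centers are closer than the channel width, and the 22 MHz DSSS mask is used by default as the conservative figure behind the classic plan. The neighbour list is constructed for this example, and the ranking rule (received power weighted by spectral overlap) is this example's own choice, not a vendor algorithm.

```python
"""2.4 GHz channel-plan check and neighbour ranking (added example)."""


def center_mhz(channel):
    """Center frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlapping_pairs(plan, width_mhz=22):
    """Return (a, b) pairs from `plan` whose channels overlap."""
    plan = sorted(set(plan))
    return [(a, b) for i, a in enumerate(plan) for b in plan[i + 1:]
            if abs(center_mhz(a) - center_mhz(b)) < width_mhz]


# Constructed neighbour survey: (channel, rssi_dbm) per foreign AP seen in the café.
NEIGHBOURS = [(1, -55), (1, -70), (3, -62), (6, -80), (9, -58)]


def interference_score(channel, neighbours, width_mhz=22):
    """Overlap-weighted sum of neighbour received power (mW) on `channel`.

    Each neighbour contributes its received power scaled by how much of its
    channel overlaps ours, so one strong co-channel AP outweighs several weak
    ones and a fully separated channel (25 MHz away) contributes nothing.
    """
    score = 0.0
    for n_ch, rssi in neighbours:
        sep = abs(center_mhz(channel) - center_mhz(n_ch))
        overlap = max(0.0, 1 - sep / width_mhz)
        score += overlap * 10 ** (rssi / 10)   # dBm -> mW
    return score


def best_channels(candidates, neighbours, k=2):
    """Pick the k least-interfered, mutually non-overlapping channels."""
    ranked = sorted(candidates, key=lambda c: interference_score(c, neighbours))
    chosen = []
    for c in ranked:
        if not overlapping_pairs(chosen + [c]):
            chosen.append(c)
        if len(chosen) == k:
            break
    return sorted(chosen)


if __name__ == "__main__":
    print("overlaps in 1/6/11:", overlapping_pairs([1, 6, 11]))
    print("overlaps in 1/4/8: ", overlapping_pairs([1, 4, 8]))
    for ch in (1, 6, 11):
        print(f"ch{ch:<3d} score {interference_score(ch, NEIGHBOURS):.2e} mW")
    print("pick for two APs:", best_channels([1, 6, 11], NEIGHBOURS, k=2))
```

With the constructed survey the two strongest neighbours sit on channel 1 and 9, so the ranking lands on 6 and 11; rerun it after the monthly RF scan, since the neighbour set is what changes, not the formula.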