Enterprise Wireless Network Design Services: Predictive Design, Capacity Modeling, AP-on-a-Stick Validation

Three architectural shifts. First, channel width: Wi-Fi 6E maxes at 160 MHz; Wi-Fi 7 supports 320 MHz, doubling the per-channel capacity but requiring 6 GHz UNII-5/6/7/8 deployment to host it. Second, modulation: Wi-Fi 7 4096-QAM carries 12 bits per symbol versus Wi-Fi 6E’s 1024-QAM (10 bits) — approximately 20% theoretical PHY-rate gain, but only at ~35 dB SNR, achievable only close to the AP. Third, Multi-Link Operation: Wi-Fi 7 lets a single client/AP association use 2.4, 5, and 6 GHz simultaneously per HPE Aruba’s TechDocs Wi-Fi 7 features, with the 5+6 GHz pairing being the most practical real-world combination through 2026. The design phase models all three against the actual client fleet.

AP count is a capacity-and-coverage reconciliation, not a square-footage formula. The capacity input comes from the concurrent-client model at the application bandwidth budget — voice handset count plus laptop count plus IoT device count plus AGV count — multiplied by the realistic MCS distribution from the IEEE 802.11ax / 802.11be tables. The coverage input comes from the design dBm target at the application class — -65 dBm primary for voice or RTLS, -67 to -70 dBm for general data per CWNP CWDP forum guidance. The two inputs reconcile against the controller scale ceiling — Catalyst 9800-CL scales 1,000 to 6,000 APs depending on resource allocation per Cisco’s published 9800 FAQ. The design output is an AP placement schedule with per-AP justification, not a number pulled from a square-footage table.

AFC Standard Power applies only in UNII-5 and UNII-7 of the 6 GHz band and is required for transmit power above the Low-Power Indoor cap (up to 36 dBm EIRP / 4 W for Standard Power). Per FCC OET DA-24-166 (Feb 2024), the initial batch of seven AFC operators included Broadcom, Federated Wireless, Qualcomm, Sony Group, Wireless Broadband Alliance, Wi-Fi Alliance, and CommScope; subsequent OET DAs have expanded the operator list. The coordination workflow runs the AP geolocation against the AFC operator’s database query, returns the channel-and-power table the AP is allowed to use at that location, and refreshes on the cadence the operator publishes. Indoor LPI and Very-Low-Power operate without AFC across the full 1200 MHz band. The design phase confirms which deployment sites need Standard Power and registers them with the chosen AFC operator.

Clinical voice carries the most aggressive roaming target on the floor. The Vocera Infrastructure Planning Guide specifies a -70 dBm minimum RSSI with handsets performing roam scans every 5 seconds when below the configured roam threshold and proactive scans every 10 seconds when above. The Spectralink Versity Best Practice Guide targets -67 dBm primary cell with -72 dBm secondary roaming threshold. The reconciled design anchor is -65 dBm primary, -67 dBm voice, -70 dBm marginal — with 802.11r FT enabled and reassociation under 50 ms per Cisco’s published 802.11r BSS Fast Transition documentation. Cisco’s Spectralink VIEW Certified Configuration Guide for the Catalyst 9800-CL enumerates the WLC settings that meet this profile.

A 1:1 K-12 classroom typically hosts 30 students with 2-3 devices, yielding 60-90 concurrent associations per classroom AP; a lecture hall can require capacity for 600+ clients. The capacity model multiplies the concurrent-device count by the application bandwidth budget — video streaming, instructional apps, testing platforms — and reconciles against the per-AP ceiling at the realistic MCS distribution. CIPA (47 USC § 254) requires E-Rate-funded schools to implement internet content filtering. The USAC E-Rate Eligible Services List defines what equipment a school can fund through the Universal Service Fund — including internal connections under Category Two. The design phase produces the capacity model that justifies the AP count under the funding ceiling.

NIGC Class III Minimum Internal Control Standards were originally promulgated in 1999 and re-issued as non-binding NIGC Bulletin 2018-3 in August 2018; 25 CFR Part 542 codifies MICS in federal regulations. Gaming Laboratories International publishes GLI-13 (wireless LAN systems) and GLI-26 (wireless gaming systems) — GLI certifications are issued per system-vendor-jurisdiction combination, so a vendor’s “GLI-13 certified” claim must be tied to a specific cert number. The design phase isolates the SOGS / EGM control plane from the surveillance network and from the guest / employee wireless via VLAN segmentation and per-SSID role-based access; PCI DSS 4.0 Requirement 11.2 mandates rogue-AP scans at least quarterly per the PCI DSS Wireless Guidelines.

Standard 802.11r FT typically completes reassociation under 50 ms per Cisco’s published 802.11r BSS Fast Transition documentation — fast enough for a human walking down a corridor, but not for an AGV crossing AP cells at 1 Hz with a safety-PLC watchdog timer measured in tens of milliseconds. At sustained 1 Hz roam, the cumulative offline window during reassociation exceeds the safety-PLC tolerance, and the AGV either fails-safe to a stop or loses control-plane visibility. Cisco’s Ultra-Reliable Wireless Backhaul on the IW9165 / IW9167E in URWB mode runs the Fluidity protocol — a make-before-break handoff with millisecond-range packet-lossless transition — designed for high-mobility AGV / AMR / vehicle backhaul. ANSI/RIA R15.08-1-2020 governs the IMR safety risk-assessment framework that includes wireless control reliability.

All three contribute. Cisco’s published 802.11r BSS Fast Transition documentation describes 802.11r-2008 as reducing reassociation time by piggybacking PTK and QoS admission control on Authentication and Reassociation messages — typically under 50 ms reassociation gap. 802.11k provides Neighbor Reports, a candidate-AP list the client can pre-evaluate before deciding to roam — client-driven hint, not AP-enforced. 802.11v BSS Transition Management lets the AP request that the client roam (BTM Request). Best results require all three enabled on the infrastructure AND supported by the client; modern Apple iOS, Android, and Windows 10/11 all support v. The three protocols complement each other: k informs the decision, v requests it, r accelerates the execution.

802.11r FT is standards-based; cross-vendor FT works in principle. In practice, mixed-vendor airspace is rarely configured for FT because the controllers do not share the FT-key cache. Per Cisco’s Catalyst 9800 Best Practices Guide, FT-Adaptive mode publishes the FT BSSID only to clients that advertise FT support — important for legacy-client interop. HPE Aruba supports 802.11r FT, OKC (Opportunistic Key Caching, Aruba-proprietary, predates 802.11r), and PMK caching as roaming-acceleration mechanisms in ArubaOS 8.x and ArubaOS 10. The pragmatic design decision in mixed-vendor airspace is to run separate SSIDs with separate FT domains, accepting slower roams across the boundary; or standardize the airspace on one controller stack to keep FT-key cache coherent.

Coastal salt-fog environments require NEMA 4X (or equivalent IP66 / IP67) enclosures and corrosion-resistant mounting hardware per NEMA Standard 250 (Enclosures for Electrical Equipment). NEMA 4X specifies enclosures intended for indoor or outdoor use that provide a degree of protection against corrosion, falling dirt, and rain — and is the published anchor for harbor, coastal, and salt-fog deployments. Cisco’s Catalyst CW9163E outdoor AP carries IP67 rating per the CW9163E datasheet and operates from -40°C to +65°C with 100 mph sustained wind rating. Mounting hardware — brackets, lag bolts, conduit — must match the AP corrosion rating, otherwise the mounting layer fails before the AP does.

Desert ambient peaks above 45°C in summer at Palm Springs, Indio, Mojave, Victorville, and the Imperial Valley; outdoor AP selection has to handle the thermal envelope. Cisco’s Catalyst CW9163E data sheet confirms an operating range of -40°C to +65°C — sufficient headroom for desert peaks across the Palm Desert survey Coachella Valley footprint. Mounting hardware must account for solar loading, which can drive enclosure surface temperature 15-20°C above ambient. UV degradation on cable jacketing requires UV-resistant outdoor cable rated for direct sunlight. Lightning protection per NFPA 780 applies in monsoon-prone desert zones; surge containment on the PoE+ uplink protects the switch port behind the AP.

Per the FCC FACT SHEET — Unlicensed Use of the 6 GHz Band (2020), the 6 GHz band spans 5.925-7.125 GHz (1200 MHz total) divided into UNII-5, UNII-6, UNII-7, UNII-8. Low-Power Indoor (LPI) operates across the full 1200 MHz at lower transmit power without AFC; Very-Low-Power operates similarly across the full band. Standard Power (up to 36 dBm EIRP / 4 W) operates only in UNII-5 and UNII-7 and requires AFC registration per FCC OET DA-24-166. The operational boundary: indoor deployments generally use LPI on the full UNII-5/6/7/8 channel set; outdoor deployments require SP on UNII-5 / UNII-7 only with AFC, or LPI / VLP equivalents where the lower-power profile is sufficient.

Vendor selection follows the workload, the existing operations stack, and the compliance posture. Cisco wins when the customer runs a Cisco-heavy DC and campus stack with DNAC / Catalyst Center observability already in production, or when FedRAMP Moderate via Meraki for Government applies. HPE Aruba wins on FIPS 140-3 Level 2 validation across the AP-7xx fleet, on AOS 10 cloud-managed deployments where Aruba Central is the operations console, and on customers running ClearPass for NAC. Juniper Mist wins on AI-Ops via Marvis where SLE-driven assurance is the operations model. Ruckus wins in high-density venue deployments with SmartZone scaling to 6,000 APs per cluster and the SZ-144 Federal variant for FIPS markets. Extreme wins on ExtremeCloud IQ shops with AP5xx Wi-Fi 7 already standardized. The decision matrix weighs license-cost trajectory, AI-Ops surface, and AFC SP support cadence against the workload.

FBI CJIS Security Policy v6.0 (released 2024-12-27) governs handling of Criminal Justice Information; Section 5.20.1.1 covers 802.11 Wireless Protocols. CJIS v6 retains AES-256 at rest. The design phase satisfies CJIS by enforcing WPA3-Enterprise (or equivalent EAP-TLS) on the wireless access layer, by requiring FIPS 140-3 cryptographic modules on the infrastructure (NIST CMVP-validated AP and controller firmware), by maintaining audit trails and access controls aligned to the policy’s identification and authentication requirements, and by isolating CJIS-scoped traffic from general-enterprise traffic via VLAN segmentation and per-SSID role-based access. Cisco Catalyst 9800 / IOS-XE supports FIPS 140 validation per the NIST CMVP; Aruba AP-514 / 515 / 534 / 535 / 584 / 585 / 587 / 635 / 655 are FIPS 140-3 Level 2 validated.

eduroam is operated in the United States by Internet2. Per the GÉANT eduroam advanced deployment documentation, the federation uses IEEE 802.1X with EAP framework over a hierarchical RADIUS proxy mesh that routes authentication to the user’s home Identity Provider via realm forwarding. The design phase confirms that the campus RADIUS infrastructure proxies cleanly to the Federation Level RADIUS Server (FLRS), that the realm forwarding rules are configured correctly, that the attribute filters strip non-routable attributes per the Internet2 attribute guide, and that the per-SSID dynamic VLAN assignment lands the federated user on the appropriate campus network segment. The design output includes the RADIUS topology diagram, the realm-forwarding rule set, and the per-SSID landing-network table.

Design and survey run as one continuous engineering scope, not as sequential gates. The CWNP CWDP-304 exam objectives describe predictive surveys as software-modeled coverage informed by floor plans, AP placements, and wall material attenuation — the predictive design pass produces the AP count and channel plan inputs that the on-site validation tests against. Where the predictive model survives validation unchanged, the AP placement schedule ships as-is; where validation diverges materially (different wall attenuation, different AP visibility, different DFS channel availability per FCC 47 CFR § 15.407), the design adjusts before installation. Wi-Fi 7’s 320 MHz channels and 4K-QAM thresholds make on-site validation mandatory because the SNR margin needed to hold 4K-QAM is unforgiving in mixed-construction environments. Source: CWNP CWDP-304 objectives.

The predictive model is an engineering hypothesis, not a finished design. Per the CWNP CWDP-304 exam objectives, predictive surveys model RF coverage from floor plans, AP placements, and wall material attenuation in software (Ekahau Pro / AI Pro). The model is only as good as the wall calibration, the AP attenuation profiles, and the assumed client fleet. In greenfield builds with well-documented construction, the predictive model often survives validation with minor channel-plan adjustments. In brownfield environments — adaptive reuse, mixed-construction tilt-up, multi-tenant office buildings such as those covered in the Los Angeles survey and San Fernando Valley survey flows — discrepancies between predictive and measured drive AP placement adjustments before installation. The discipline is to validate every predictive design with a Sidekick walk; the discipline is not to ship the predictive model as final.

Per the CWNP CWAP curriculum, passive surveys collect actual RF measurements (RSSI, SNR, AP visibility) from the live environment without associating to any SSID — the survey radio listens to beacons and channel activity, capturing what the client would see at that location. Passive surveys validate coverage and identify co-channel and adjacent-channel interference. Active surveys associate to the target SSID and measure throughput, packet loss, retry rate, and roaming behavior — the survey client behaves like a production endpoint and captures what the user actually experiences. Active surveys are required for voice and RTLS validation. The WFHS deliverable runs both: passive for coverage and SNR, active for throughput and roam behavior, with iPerf3 to AP for the actual capacity number.

AP-on-a-stick is a mobile-AP validation technique: a single AP is mounted on a survey stand at the predicted placement location, powered, and configured to broadcast a test SSID. The Sidekick 2 walks the floor and captures actual RF coverage from that single AP, validating the wall calibration and AP attenuation profile in the predictive model before the full installation commits to the placement schedule. AP-on-a-stick is required when the predictive model has high uncertainty — adaptive reuse construction, mixed-material walls, brownfield environments where the existing building has not been instrumented before, including the warehouse-corridor builds covered in the Inland Empire survey flow. Greenfield builds with well-documented construction can ship from predictive alone, with post-install validation as the acceptance gate. The CWNP CWDP curriculum anchors both methodologies.

Spectrum analysis is required when the predictive model assumes a clean RF environment that the real site does not provide. Brownfield buildings with pre-existing wireless infrastructure, multi-tenant offices with adjacent-floor RF leakage, industrial sites with non-Wi-Fi RF emitters (microwave ovens, video bridges, two-way radio), and DFS-channel deployments adjacent to military or FAA radar all demand spectrum analysis to characterize the real channel environment before the channel plan locks. The Sidekick 2 includes an integrated spectrum analyzer covering 2.4, 5, and 6 GHz. Per the CWNP CWAP curriculum, spectrum analysis identifies non-802.11 interferers that no Wi-Fi-only survey will detect. Greenfield builds may skip spectrum analysis if the post-install walk confirms a clean environment, but the discipline is to capture spectrum where uncertainty exists.

San Diego sits adjacent to MCAS Miramar, NAS North Island, and several FAA / Coast Guard radar installations; DFS-required channels on UNII-2A and UNII-2C see frequent radar detection events, which trigger the FCC-mandated 10-second cease-transmission window per eCFR 47 CFR § 15.407. DFS-capable devices must perform a 60-second Channel Availability Check before transmitting on a DFS channel, must monitor for radar continuously, and cannot have DFS disabled by the operator. The practical design implication: in San Diego, the channel plan favors UNII-1, UNII-3, and 6 GHz LPI / Standard Power channels over UNII-2A / 2C, accepting the lower channel count to avoid the constant DFS hits. The San Diego survey flow runs the on-site spectrum capture that confirms which DFS channels are actually viable site-by-site.

Greater Los Angeles hosts LAX terminal radar, NOAA NEXRAD weather radar (KSOX, KVTX coverage), and dense FAA approach-control radar across the basin. UNII-2A and UNII-2C DFS channels see frequent radar detection events that force the 10-second cease-transmission window per eCFR 47 CFR § 15.407(h). DFS cannot be operator-disabled. The 60-second Channel Availability Check applies before any DFS-channel transmission begins. Urban DFS density typically pushes the channel plan toward UNII-1, UNII-3, and 6 GHz where AFC permits Standard Power — accepting the spectrum compression as the cost of avoiding constant DFS interruption. The Los Angeles survey flow captures the on-site spectrum reading that identifies which DFS channels survive at the specific deployment address.

The Antelope Valley survey flow handles Edwards AFB / Palmdale Plant 42 / Mojave Air & Space Port aerospace sites where NEC NFPA 70 Article 500 hazardous-location classification applies. Class I Div 2 zones require AP equipment compliant with ANSI/UL 121201 (Nonincendive Electrical Equipment); Cisco’s IW6300 and IW9167E include Class I Div 2 / ATEX / IECEx variants for hazardous-location deployments. The survey confirms the Cl I Div 2 SKU table at design time because Cisco’s hazardous-location catalog evolves, validates the predictive AP placement against the actual Class I boundary as drawn on the facility’s electrical plans, and confirms the explosion-proof junction-box mounting and intrinsically-safe cable-routing per NFPA 70 Article 501 wiring methods. The design output includes the Cl I Div 2 BOM, the boundary diagram, and the wiring-method confirmation.

The Bakersfield survey flow handles Kern County agricultural-processing, food-and-beverage cold storage, and oil-and-gas industrial deployments where Class I Div 1 or Div 2 hazardous classification applies on wellhead pads, refinery zones, and cold-storage washdown environments. The AP environmental rating envelope spans cold-storage sub-zero ambient (Cisco’s IW9167EH operating range -40°C to +70°C per the data sheet) to outdoor summer thermal extremes near 45°C. Corrosion-resistant mounting hardware is mandatory in food-processing wash-down zones; outdoor APs on the Highway 99 corridor must account for sustained-wind loading from the Tehachapi Pass venturi effect per NOAA NCEI Storm Events climatology. The design output includes the AP-by-AP environmental-rating table, the hazardous-location SKU confirmation, and the wind-load-rated mounting-hardware spec.

Eight artifacts. Ekahau .esx project file containing floor plans, survey data, AP placements, walls, channel and power plans, and heatmaps — the buyer owns this file and can revise it during a future expansion. Predictive heatmap PDF at design dBm tiers (-67 / -70 / -75 typical per CWNP CWDP planning bands). Passive validation heatmap (post-install Sidekick walk capturing actual RSSI, SNR, AP visibility). Active validation report (Sidekick plus iPerf3 — throughput, retry rate, roam-time per zone). Channel and AP power table (per-AP channel, transmit power, antenna pattern). Bill of Materials with vendor SKUs (AP, mount, cable, PoE injector, antenna). Escalation runbook (roaming-issue triage, RF-anomaly check, controller-failover procedure). CWNE-signed letter where the engagement complexity warrants it, anchored to the CWNP CWNE certification.

Because the buyer paid for it. The .esx file is the canonical Ekahau format containing every floor plan, AP placement, wall calibration, channel plan, and heatmap captured during the engagement. Withholding the file locks the buyer out of revisions during a future expansion, locks them into the original engineering firm for any re-walk, and leaves them with a heatmap PDF that they cannot edit, audit, or extend. Per the published Ekahau Pro and Ekahau AI Pro file format documentation, the .esx is the complete project artifact. WFHS treats the .esx as part of the buyer’s engineering inventory — they own it, they keep it, and they can hand it to a different firm next year or open it themselves to validate an expansion. The fixed-fee SOW pays for the engineering, not for hostage-keeping.

The 802.11r FT roaming decision log is captured during the active validation walk. The Sidekick 2 plus the active-test client traverses the floor at the application’s normal walking speed, associating to the wireless and triggering reassociation events as the client crosses AP cells. Each reassociation captures the source AP, the target AP, the timing, and the gap in milliseconds — typically under 50 ms with FT enabled per Cisco’s published 802.11r BSS Fast Transition documentation. For voice, MOS-to-AP per ITU-T G.107 E-model quantifies the call quality during roam events. For AGV / AMR, the same capture confirms whether standard FT meets the roam timing or whether the workload needs Cisco URWB Fluidity for make-before-break handoff. The deliverable is the roaming decision matrix, not a controller telemetry screenshot.

Backhaul. Rural CA — Eureka, Redding, Crescent City, Bishop, Ridgecrest — has limited fiber availability, and Critical Access Hospital sites often depend on PtP / PtMP wireless backhaul to reach the regional carrier hand-off. The design phase plans the backhaul layer alongside the AP layer because the two are inseparable. FCC USF Rural Health Care Program funding supports eligible health-care providers in rural areas; the design has to align to the eligible-services structure to qualify. AP density is generally lower than urban deployments, but backhaul resilience matters more — link-aggregation, secondary radio paths, and lightning protection per NFPA 780 all enter the design. Outdoor APs require NEMA 4X / IP67 enclosures per NEMA Standard 250 where coastal corrosion or weather exposure applies.

Tribal-sovereign reservations operate under sovereign-nation IT standards that may differ from California state regulatory frameworks; gaming-floor wireless on tribal casinos falls under NIGC Class III MICS per NIGC Bulletin 2018-3 and 25 CFR Part 542. GLI-13 and GLI-26 wireless gaming standards apply to the gaming-system platforms; certifications are issued per system-vendor-jurisdiction combination. The design phase isolates the SOGS / EGM control plane from the surveillance network and from guest / employee wireless via VLAN segmentation, satisfies PCI DSS 4.0 Requirement 11.2 rogue-AP scan cadence (at least every three months), and aligns to the tribe’s IT governance for change-control and incident-response procedures. Tribal IT leadership is the design authority on the reservation; the engineering scope respects that authority.

WFHS prices fixed-fee, not hourly. The fixed-fee SOW scopes the site list, the AP count target, the validation methodology (predictive only, predictive plus passive validation, predictive plus passive plus active validation), the closeout deliverables, and the timeline. A single-site predictive design with on-site validation runs 2-4 weeks from kickoff to closeout package; a multi-site CA enterprise of 10-20 sites across LA basin, Bay Area, and Inland Empire typically runs 8-16 weeks with parallel survey teams, including the Orange County survey flow where multi-vertical mix drives parallel scoping. State-wide CA programs (50+ sites across all eight regions) run on a 3-6 month cadence with phased deliveries by region. Change orders apply only if the site list expands or the validation scope deepens after the SOW signs. The CWNP CWDP curriculum anchors the predictive-validation-acceptance discipline.