Hospitality guest Wi-Fi network design

It depends on guestroom wall construction and the brand standard. Full-service hotels and luxury resorts with tile bathrooms, steel-stud demising walls, and plumbing walls behind every headboard typically measure 12-18 dB of through-wall attenuation at 5 GHz per guestroom boundary, which drops hallway-AP RSSI to -72 to -78 dBm at the desk in the far corner of the room – below the -65 dBm target.

In-room wall-plate placement (Ruckus H350 or H550, Cisco Catalyst 9166H, Aruba 515H) brings the AP into the guestroom itself and removes the per-wall attenuation penalty entirely.

Mid-scale and select-service properties with drywall-on-wood-stud guestroom walls can sometimes hit the -65 dBm target from hallway ceiling placement, but only after an AP-on-a-Stick validation pass confirms the measured attenuation in the real guestroom walls, not the assumed.

The survey deliverable specifies in-room wall-plate versus hallway ceiling per-property based on measured walk data, not on a vendor default.

Passpoint on Juniper Mist (and on equivalent Cisco, Aruba, and Ruckus controller platforms) requires three distinct certificate chains: a Mist tenant certificate (or the vendor-tenant equivalent) that identifies the operator’s controller tenancy to the Passpoint federation;

a RadSec RADIUS server certificate that authenticates the RADIUS realm to the guest device’s EAP stack under TLS (RFC 6614 / RFC 7360); and a per-AP certificate trust chain that binds each AP in the property to the controller tenancy for the Passpoint association signal.

All three certificates have issuance and renewal timelines that have to be scheduled – missing a RadSec server cert renewal silently breaks Passpoint attach for every guest device at the property until the cert is reissued.

The RCOI (Roaming Consortium Organization Identifier) values embedded in the Passpoint advertisement are operator-specific and are not templatizable across properties or across brands.

The SOW documents each certificate, its renewal cadence, and the per-property RCOI bundle so the operator’s Day-2 team is not surprised by a cert expiry at 2:00 AM on a Saturday.

Yes. PCI DSS v4.0.1 Requirement 11.2.1 applies to any property that has a cardholder data environment, regardless of whether the CDE is reachable over wireless. The rule is that the operator must detect “authorized and unauthorized wireless access points” and perform the detection at least once every three months – the requirement does not exempt properties that keep the POS on a hardwired VLAN.

The audit liability is the same whether wireless is inside or outside the CDE boundary.

The operational answer is a WIPS scan across the full property footprint (guestroom corridors, ballroom, pre-function, F&B, back-of-house, pool deck, porte-cochere) at least once every 90 days, with documented results and audit-package artifacts the QSA can consume.

Modern controller platforms (Cisco Catalyst 9800 WIPS, Aruba WIP, Juniper Mist rogue detection, Ruckus SmartZone WIPS) also run continuous rogue detection between the scheduled scans, which materially reduces the chance of a rogue AP appearing and disappearing between two quarterly scans.

Both are scoped in the SOW.

Through an mDNS gateway (also known as a Bonjour gateway) on the wireless controller. On a Cisco Catalyst 9800 controller, the Local Area Bonjour Gateway (on current IOS-XE) or the legacy Bonjour Service picks up the service advertisement from the guestroom Apple TV or Chromecast VLAN, applies a per-guest policy sourced from the PMS room-to-guest mapping, and proxies the service record only to the specific guest VLAN associated with that guestroom.

The guest’s phone sees exactly one device (the Apple TV or Chromecast in the room the guest was issued) and nothing from the adjacent guestrooms.

Aruba AirGroup on ArubaOS 10 / Central, the Juniper Mist mDNS gateway, and the Ruckus SmartZone mDNS proxy handle the same function on their respective platforms.

The integration point that matters is the PMS feed – Oracle OPERA Cloud, Infor HMS, Mews, or Cloudbeds holds the real-time room-to-guest-to-VLAN mapping, and the controller’s mDNS gateway consumes that mapping through the HTNG Express interface or equivalent.

Without that integration the mDNS gateway does not know which phone should see which Chromecast when a guest checks into Room 412.

Primary coverage at -65 dBm RSSI at every seat in every guestroom, ballroom, pre-function, and outdoor guest-facing zone; minimum 25 dB SNR; secondary-AP coverage at -75 dBm for 802.11k/v/r roaming handoffs; channel utilization held below 30% under concurrent peak-conference load; and 802.11r fast BSS transition under 50 ms with the FT cache pre-populated across the AP set for voice-grade Wi-Fi calling continuity across the property footprint.

Density assumptions: 1 AP per guestroom for in-room wall-plate deployments at premium properties, or 1 AP per 2-4 guestrooms for hallway-only deployments at mid-scale properties where guestroom walls support it.

Ballroom capacity targets 40-50 concurrent client associations per AP radio under 20 MHz channel width in 5 GHz – which drives 1 AP per 800-1,200 square feet in a densely-seated ballroom with 1.8-2.5 devices per attendee.

The deliverable documents measured RSSI per guestroom and ballroom zone and flags any area that does not meet the target for remediation.

Most full-service hospitality properties in 2026 are better served by standing up Passpoint first and layering OpenRoaming on later as the identity-provider federation footprint matures. Passpoint gives the property zero-touch onboarding against operator-specific RCOIs and credentials (loyalty program, partner-carrier SIM, corporate SSO).

OpenRoaming (Wireless Broadband Alliance) extends that into a federation that accepts Apple ID, Samsung Account, Google Account, and federated enterprise SSO as the guest credential – which removes the operator-specific onboarding friction entirely for devices that are federated in.

The answer depends on what fraction of the property’s guest fleet is plausibly federated through OpenRoaming at the time of the engagement, and on the operator’s appetite for adding an identity-provider dependency that is not under the operator’s direct control.

The SOW scopes Passpoint for the near-term attach path and specifies the OpenRoaming federation layer as an additive workstream that lands once the federation coverage matches the property’s guest demographics.

Hospitality survey work is almost always scheduled around the property’s revenue schedule, not against it. The Ekahau Sidekick 2 listens passively and does not disrupt the guest Wi-Fi, the in-room IPTV, the door-lock radio network, or the POS – the surveyor walks with a survey laptop and a telescopic pole and captures measurements without associating to any production SSID.

That makes guestroom-corridor and back-of-house walks workable during operating hours.

Ballroom and pre-function walks are typically scheduled during an off-peak window (late morning, early afternoon, or overnight) to avoid an active event.

Occupied-guestroom interior walks require per-guest coordination with the front desk or are deferred to a checkout-to-check-in turnaround window. The pre-survey coordination document identifies which phases require which access windows and specifies the event-calendar embargoes (wedding blocks, peak-season arrivals, sold-out convention weeks) that are out of scope for any on-property walking.

Post-install active validation is scheduled during the same off-peak windows and is sequenced to avoid the quarterly rogue-AP scan and any PCI compensating-control testing.

The fixed-fee SOW covers the defined scope. If the survey uncovers something outside that scope – an Emergency Responder Radio Coverage System (ERRCS) gap at a high-rise hotel tower requiring a licensed BDA integrator, a structured cabling deficiency that has to be remediated before wall-plate APs can be installed, a PoE budget constraint at the IDF switch that cannot support the new 802.3bt PoE++ load, a dormakaba or ASSA ABLOY door-lock radio network using a channel band that conflicts with the proposed Wi-Fi channel plan, or an HVAC-zone control network (BACnet / KNX) bleeding into the 2.4 GHz space – we document the finding in the validation report with a clear description of the issue, its location, and the appropriate specialist.

We then issue a separate change-order estimate for any additional WFHS scope, and where the finding is outside wireless engineering (ERRCS installation, asbestos abatement, HVAC networking, door-lock vendor coordination) we refer to the appropriate licensed contractor or to the operator’s approved vendor-of-record.

The property is never billed above the SOW total without a signed change order first.

That is the operational definition of a fixed-fee engagement and is the reason multi-property hospitality operators on a firm capex budget work with us instead of time-and-materials integrators.

Passpoint Release 3 supports three credential types: username/password using EAP-TTLS (EAP type 21), digital certificates using EAP-TLS (EAP type 13), and SIM-based credentials using EAP-SIM/AKA/AKA’ (EAP types 18/23/50). Hotels can issue any of the three to transient guests, loyalty members, or carrier-roaming partners depending on the provisioning method.

Our default hospitality wireless design uses EAP-TLS for brand-issued credentials (loyalty membership number plus a signed device cert pushed through the brand mobile app). EAP-TTLS/MSCHAPv2 is the fallback when the legacy RADIUS stores plaintext-equivalent passwords. SIM-based paths only matter when carrier-Wi-Fi offload or OpenRoaming federation is layered on top of the brand SSID.

Passpoint R3 added Operator Icon Metadata, Venue URL, and Advice of Charge, along with Terms-and-Conditions acceptance and the Roaming Consortium Selection element. These ride on IEEE 802.11u ANQP frames and deliver venue-specific information (maps, directories, amenity guides) through the native Wi-Fi picker before the device associates.

The T&C URL must use HTTPS per the R3 spec. For hotel deployments subject to EU or state-AG guest Wi-Fi acceptance laws, the T&C element lets you satisfy acceptance requirements without a captive-portal click-through — the prompt renders inside iOS and Android Settings before the 4-way handshake. Misconfigured ANQP is the top silent-failure mode we see when auditing brand Passpoint rollouts.

The Nomadix AG 5900 supports 500 to 8,000 simultaneous devices on a single appliance and tens of thousands when clustered, with a 3.5 Gbps throughput ceiling. We size the AG 5900 for 800-plus room properties and convention centers; the AG 5800 fits mid-scale 200 to 500 room deployments.

For 2,000-room resorts with ballroom volume, we either cluster two AG 5900s or step up to the Nomadix Cloud gateway tier. The 3.5 Gbps ceiling drives the design — a 10 Gb symmetrical circuit needs gateway pairing or it becomes the bottleneck before the WAN does. Authentication support covers Passpoint, PMS bind, MAC auth, SMS, vouchers, loyalty codes, and social logins on one box.

PCI DSS v4.0.1 Requirement 11.2.1 mandates rogue-wireless-access-point detection at least once every three months, even when wireless is prohibited in the cardholder data environment. Hotels must scan the full property — guest rooms, back-of-house, POS floors, loading docks — and maintain an authorized-AP inventory with documented business justification.

Our PCI hospitality deliverable includes quarterly WIPS scan reports on a 90-day calendar and continuous rogue-AP detection between scans using the platform-native WIPS — Meraki Air Marshal, Aruba WIP, Juniper Mist rogue detection, or Ruckus SmartZone rogue AP. The authorized-AP inventory is delivered as a CSV in the runbook with MAC, location, SSID list, and business justification.

PCI DSS v4.0.1 Requirements 1.2.1, 1.3.1, and 1.4.2 require Network Security Controls (formerly firewalls) between all wireless networks and the CDE, with all wireless traffic into the CDE denied by default. VLANs alone are explicitly insufficient — stateful inspection must separate wireless from the CDE regardless of whether the wireless network is itself in scope.

We deliver a stateful firewall (Meraki MX, Palo Alto, or Fortinet) between the wireless VLANs and the POS VLAN, with an explicit allow-list from POS terminals to the payment-processor IP only.

The firewall ruleset and data-flow diagram are part of the Requirement 1.2.4 compliance deliverable — both artifacts live in the runbook we hand to the property’s QSA at audit time.

The Cisco Meraki MR36H is the Meraki-standard wall-plate hospitality AP — a dual-band 802.11ax 2×2:2 Wi-Fi 6 access point with four 10/100/1000 BASE-T Ethernet ports (one with 802.3af PoE-out), a dedicated WIDS/WIPS radio, and an integrated BLE beacon and scanning radio. One Cat6A run per room replaces a standard wall jack.

For Ruckus-standard properties we substitute the H350 entry model or H550 premium with quad-concurrent IoT. For Wi-Fi 7 new-builds we specify the Ruckus H670 (tri-band MLO, 9.34 Gbps aggregate).

We always pull Cat6A to the desk location rather than the hallway — an in-room AP beats hallway penetration through tile, concrete, and steel-stud construction every time.

Juniper Mist’s hospitality design framework specifies a minimum primary signal of -65 dBm with a 25 dB signal-to-noise ratio on both 2.4 GHz and 5 GHz, with access points placed inside the guest room rather than the hallway.

Our Ekahau site surveys for hotels set heatmap thresholds at -65 dBm primary and -75 dBm secondary for roaming, with the 25 dB SNR floor held across both bands.

In-room AP count is driven by wall construction: one AP per room for tile or steel-stud, one per two rooms for heavy drywall, one per three rooms for modern light drywall — always validated with an AP-on-a-Stick survey before BOM lock so the count matches the actual envelope, not a generic template.

The Ruckus H670 is a tri-radio Wi-Fi 7 wall-mount AP with dual-concurrent IoT radios (Zigbee plus BLE running simultaneously), a 5 Gbps Ethernet uplink, and four 2.5 Gbps downlink ports — two with PoE-out for in-room IP phones, cameras, and sensors.

Aggregate Wi-Fi data rate reaches 9.34 Gbps with Multi-Link Operation, 4K QAM, preamble puncturing, and 320 MHz channels. We specify the H670 for new-build luxury and resort deployments where Zigbee locks (VingCard, Assa Abloy) and BLE beacons must run alongside Wi-Fi on the same wall plate.

It eliminates the need for a separate IoT gateway per room. The 6 GHz radio runs LPI mode indoors, which is the standard mode for guest rooms and needs no AFC.

WPA3-Enterprise 192-bit mode requires EAP-TLS with client certificates on every supplicant and on the RADIUS server, which is not practical for transient guests who cannot pre-enroll certificates. Our default guest-SSID design is WPA3-Personal/SAE transition mode with a rotating daily PSK posted in the room, or Wi-Fi Enhanced Open (OWE) for zero-friction UX.

Staff SSIDs run WPA3-Enterprise with EAP-TLS and certs issued through Intune or Jamf. The brand Passpoint SSID runs WPA3-Enterprise with the brand’s EAP-TLS CA and roaming consortium OI. 192-bit mode aligns to the CNSA/NSA Suite B baseline and belongs on staff or administrative SSIDs, not on anything a front-desk agent hands out at check-in.

6 GHz outdoor operation requires standard-power access points operating under Automated Frequency Coordination, limited to U-NII-5 (5.925-6.425 GHz) and U-NII-7 (6.525-6.875 GHz) — roughly 800 MHz of spectrum — at a maximum 36 dBm EIRP or 23 dBm/MHz PSD. Low-power indoor devices cannot operate outdoors.

Our outdoor resort deployments specify FCC-certified AFC-client access points: Cisco Catalyst 9130AXE standard-power variants, Aruba AP-685/AP-687 (outdoor Wi-Fi 6E), Ruckus T770 (outdoor Wi-Fi 7 variant) with standard-power firmware, or Juniper Mist AP47 standard-power.

Each AP performs a daily AFC check-in, supplies GPS coordinates and antenna height, and accepts the channel-and-power set returned by the AFC system. U-NII-6 and U-NII-8 remain indoor/LPI-only and cannot be used for outdoor coverage.

Yes. The Oracle Hospitality Integration Platform exposes OPERA Cloud functionality through REST APIs with OAuth 2.0 authentication, with specifications and Postman collections published to the oracle/hospitality-api-docs GitHub repository. OPERA Cloud Property 25.4 is the current API release. Legacy OXI (OPERA Exchange Interface) and OWS (OPERA Web Services) remain supported for hosted and on-premises deployments.

For captive-portal guest lookup, our integration pattern is OHIP REST plus OAuth 2.0 — on guest login, the portal sends the room number and last name to the OHIP gateway, validates against the reservation record, and returns the folio ID for session binding. Legacy OPERA on-premises that has not migrated to OHIP uses OXI with a partner-certified adapter (Nomadix, Blueprint RF, Elcom).

WBA OpenRoaming is a global federation built on top of Wi-Fi CERTIFIED Passpoint: properties deploy Passpoint-enabled Wi-Fi and join the federation so users authenticated by partner identity providers (Apple ID, Google Account, Samsung, carrier SIMs, enterprise IdPs) auto-connect without creating new credentials.

The framework uses WBA WRIX standards and an automated Roaming Consortium OI codes system. We advise hotel chains to deploy brand Passpoint first with the brand RCOI (internal loyalty federation), then layer OpenRoaming RCOI once identity-provider federation matures — Apple ID and Google Account federation is the highest-value add.

Certificate work covers one RadSec cert from the broker (Cisco OpenRoaming, GlobalReach, Single Digits), a separate RADIUS cert for AAA, and a per-AP cert chain for SSID trust.

Aruba’s Very-High-Density VRD specifies an average of one user per 1-2 m² (11-22 ft²) in auditoriums and ballrooms, with as many as 24 access points deployed in a single auditorium depending on the associated-device-capacity target and available channels.

APs are typically placed along the room perimeter on speaker stands or temporary tables — not ceiling-mounted — when ceilings are high. Our ballroom design for a 1,000-attendee corporate event targets 40-50 clients per radio at 20 MHz 5 GHz (narrow channels preserve reuse across the room), producing 20-25 APs at 8-10 ft stand height.

For weddings and galas with lower device counts, we drop to 12-15 APs. Every VHD design goes through Ekahau predictive and on-site validation — generic “1 AP per 800 sqft” templates do not hold at this density.

EAP-TLS is certificate-based mutual authentication — both client and RADIUS server must present certificates, and it is the only EAP method that meets WPA3-Enterprise 192-bit security. EAP-TTLS wraps a password exchange (typically MSCHAPv2) inside a TLS tunnel authenticated by a server certificate only, with no client cert required.

Our brand-Passpoint default is EAP-TLS with brand-issued client certs provisioned through the brand mobile app’s OSU flow. When a chain cannot enroll certs on every device — international or transient guests especially — we fall back to EAP-TTLS/MSCHAPv2 with the loyalty number as username and a rotating server-side password hash. PAP is never used as the inner method; it transmits the password in clear text through the tunnel.

IEEE 802.11r-2008 Fast BSS Transition pre-computes roaming keys through a three-level hierarchy — PMK-R0, PMK-R1, PTK — at the R0 Key Holder, which derives PMK-R1s and distributes them to each AP’s R1 Key Holder.

This eliminates the full 802.1X re-authentication on every roam, producing sub-50 ms handoffs suitable for voice, video, and guest roaming between corridors, rooms, and meeting space without session drops.

Our hospitality design enables 802.11r over-the-DS (through the controller or cloud) rather than over-the-air for multi-AP roaming without voice drops. 802.11k neighbor reports and 802.11v BSS transition management are enabled alongside r so iOS and Android clients receive candidate-AP lists ahead of the roam decision.

We validate the 50 ms handoff budget in Ekahau post-install verification before project closeout — if it misses, the design goes back on the table.