Hospitality guest Wi-Fi network design

It depends on guestroom wall construction and the brand standard. Full-service hotels and luxury resorts with tile bathrooms, steel-stud demising walls, and plumbing walls behind every headboard typically measure 12-18 dB of through-wall attenuation at 5 GHz per guestroom boundary, which drops hallway-AP RSSI to -72 to -78 dBm at the desk in the far corner of the room – below the -65 dBm target. In-room wall-plate placement (Ruckus H350 or H550, Cisco Catalyst 9166H, Aruba 515H) brings the AP into the guestroom itself and removes the per-wall attenuation penalty entirely.

Mid-scale and select-service properties with drywall-on-wood-stud guestroom walls can sometimes hit the -65 dBm target from hallway ceiling placement, but only after an AP-on-a-Stick validation pass confirms the measured attenuation in the real guestroom walls, not the assumed. The survey deliverable specifies in-room wall-plate versus hallway ceiling per-property based on measured walk data, not on a vendor default.

Passpoint on Juniper Mist (and on equivalent Cisco, Aruba, and Ruckus controller platforms) requires three distinct certificate chains: a Mist tenant certificate (or the vendor-tenant equivalent) that identifies the operator’s controller tenancy to the Passpoint federation; a RadSec RADIUS server certificate that authenticates the RADIUS realm to the guest device’s EAP stack under TLS (RFC 6614 / RFC 7360); and a per-AP certificate trust chain that binds each AP in the property to the controller tenancy for the Passpoint association signal.

All three certificates have issuance and renewal timelines that have to be scheduled – missing a RadSec server cert renewal silently breaks Passpoint attach for every guest device at the property until the cert is reissued. The RCOI (Roaming Consortium Organization Identifier) values embedded in the Passpoint advertisement are operator-specific and are not templatizable across properties or across brands. The SOW documents each certificate, its renewal cadence, and the per-property RCOI bundle so the operator’s Day-2 team is not surprised by a cert expiry at 2:00 AM on a Saturday.

Yes. PCI DSS v4.0.1 Requirement 11.2.1 applies to any property that has a cardholder data environment, regardless of whether the CDE is reachable over wireless. The rule is that the operator must detect “authorized and unauthorized wireless access points” and perform the detection at least once every three months – the requirement does not exempt properties that keep the POS on a hardwired VLAN. The audit liability is the same whether wireless is inside or outside the CDE boundary.

The operational answer is a WIPS scan across the full property footprint (guestroom corridors, ballroom, pre-function, F&B, back-of-house, pool deck, porte-cochere) at least once every 90 days, with documented results and audit-package artifacts the QSA can consume. Modern controller platforms (Cisco Catalyst 9800 WIPS, Aruba WIP, Juniper Mist rogue detection, Ruckus SmartZone WIPS) also run continuous rogue detection between the scheduled scans, which materially reduces the chance of a rogue AP appearing and disappearing between two quarterly scans. Both are scoped in the SOW.

Through an mDNS gateway (also known as a Bonjour gateway) on the wireless controller. On a Cisco Catalyst 9800 controller, the Local Area Bonjour Gateway (on current IOS-XE) or the legacy Bonjour Service picks up the service advertisement from the guestroom Apple TV or Chromecast VLAN, applies a per-guest policy sourced from the PMS room-to-guest mapping, and proxies the service record only to the specific guest VLAN associated with that guestroom. The guest’s phone sees exactly one device (the Apple TV or Chromecast in the room the guest was issued) and nothing from the adjacent guestrooms.

Aruba AirGroup on ArubaOS 10 / Central, the Juniper Mist mDNS gateway, and the Ruckus SmartZone mDNS proxy handle the same function on their respective platforms. The integration point that matters is the PMS feed – Oracle OPERA Cloud, Infor HMS, Mews, or Cloudbeds holds the real-time room-to-guest-to-VLAN mapping, and the controller’s mDNS gateway consumes that mapping through the HTNG Express interface or equivalent. Without that integration the mDNS gateway does not know which phone should see which Chromecast when a guest checks into Room 412.

Primary coverage at -65 dBm RSSI at every seat in every guestroom, ballroom, pre-function, and outdoor guest-facing zone; minimum 25 dB SNR; secondary-AP coverage at -75 dBm for 802.11k/v/r roaming handoffs; channel utilization held below 30% under concurrent peak-conference load; and 802.11r fast BSS transition under 50 ms with the FT cache pre-populated across the AP set for voice-grade Wi-Fi calling continuity across the property footprint.

Density assumptions: 1 AP per guestroom for in-room wall-plate deployments at premium properties, or 1 AP per 2-4 guestrooms for hallway-only deployments at mid-scale properties where guestroom walls support it. Ballroom capacity targets 40-50 concurrent client associations per AP radio under 20 MHz channel width in 5 GHz – which drives 1 AP per 800-1,200 square feet in a densely-seated ballroom with 1.8-2.5 devices per attendee. The deliverable documents measured RSSI per guestroom and ballroom zone and flags any area that does not meet the target for remediation.

Most full-service hospitality properties in 2026 are better served by standing up Passpoint first and layering OpenRoaming on later as the identity-provider federation footprint matures. Passpoint gives the property zero-touch onboarding against operator-specific RCOIs and credentials (loyalty program, partner-carrier SIM, corporate SSO). OpenRoaming (Wireless Broadband Alliance) extends that into a federation that accepts Apple ID, Samsung Account, Google Account, and federated enterprise SSO as the guest credential – which removes the operator-specific onboarding friction entirely for devices that are federated in.

The answer depends on what fraction of the property’s guest fleet is plausibly federated through OpenRoaming at the time of the engagement, and on the operator’s appetite for adding an identity-provider dependency that is not under the operator’s direct control. The SOW scopes Passpoint for the near-term attach path and specifies the OpenRoaming federation layer as an additive workstream that lands once the federation coverage matches the property’s guest demographics.

Hospitality survey work is almost always scheduled around the property’s revenue schedule, not against it. The Ekahau Sidekick 2 listens passively and does not disrupt the guest Wi-Fi, the in-room IPTV, the door-lock radio network, or the POS – the surveyor walks with a survey laptop and a telescopic pole and captures measurements without associating to any production SSID. That makes guestroom-corridor and back-of-house walks workable during operating hours. Ballroom and pre-function walks are typically scheduled during an off-peak window (late morning, early afternoon, or overnight) to avoid an active event.

Occupied-guestroom interior walks require per-guest coordination with the front desk or are deferred to a checkout-to-check-in turnaround window. The pre-survey coordination document identifies which phases require which access windows and specifies the event-calendar embargoes (wedding blocks, peak-season arrivals, sold-out convention weeks) that are out of scope for any on-property walking. Post-install active validation is scheduled during the same off-peak windows and is sequenced to avoid the quarterly rogue-AP scan and any PCI compensating-control testing.

The fixed-fee SOW covers the defined scope. If the survey uncovers something outside that scope – an Emergency Responder Radio Coverage System (ERRCS) gap at a high-rise hotel tower requiring a licensed BDA integrator, a structured cabling deficiency that has to be remediated before wall-plate APs can be installed, a PoE budget constraint at the IDF switch that cannot support the new 802.3bt PoE++ load, a dormakaba or ASSA ABLOY door-lock radio network using a channel band that conflicts with the proposed Wi-Fi channel plan, or an HVAC-zone control network (BACnet / KNX) bleeding into the 2.4 GHz space – we document the finding in the validation report with a clear description of the issue, its location, and the appropriate specialist.

We then issue a separate change-order estimate for any additional WFHS scope, and where the finding is outside wireless engineering (ERRCS installation, asbestos abatement, HVAC networking, door-lock vendor coordination) we refer to the appropriate licensed contractor or to the operator’s approved vendor-of-record. The property is never billed above the SOW total without a signed change order first. That is the operational definition of a fixed-fee engagement and is the reason multi-property hospitality operators on a firm capex budget work with us instead of time-and-materials integrators.