Steps to take:
1. Use the SSIDs, MAC filters and 128-bit WEP keys on all devices - preferably with LEAP to rotate keys as often as possible.
2. Create a new, isolated VLAN with a separate IP subnet. All APs will connect to the new VLAN only. Use static addresses for the APs.
3. Connect the isolated VLAN/subnet through a firewall to the rest of the network. This will allow you to set separate policies.
4. Install a network management package, and possible an Intrusion Detection System to monitor traffic on the new VLAN/subnet and the firewall port.
5. If the end-user devices allow it, add a VPN.
Matthew Wheeler
Blue Modal