# WiFi Configuration (UniFi)

## SSIDs (3)

| SSID | Network Assignment | AP Group | Bands | Security | Purpose |
|------|-------------------|----------|-------|----------|---------|
| **CSCNet** | 238 Networks (per-room VLANs) | All APs | 2.4 + 5 GHz | WPA2 | Primary SSID — residents + staff. VLAN assignment handled at UniFi controller level (per-AP network mapping), NOT via RADIUS/NPS. NPS on CS-SERVER has only default deny policies, no RADIUS clients, and no VLAN attributes configured. |
| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi — many machines still on this SSID. Must keep functional (LAN access to servers/printers) until all devices migrate to CSCNet (INTERNAL VLAN). Remove after migration complete. |
| **Guest** | Guest (VLAN 50, 10.0.50.0/24) | All APs | 2.4 + 5 GHz | WPA2 | Guest WiFi — isolated from all internal networks (moved from Default LAN 2026-03-06) |

## UniFi Network Definitions

### Infrastructure Networks

| Network Name | VLAN ID | Gateway | Subnet | Notes |
|-------------|---------|---------|--------|-------|
| Default | 1 (native) | Third-party (pfSense) | 192.168.0.0/22 | Main LAN — servers, infra, APs |
| Guest | **50** | Third-party (pfSense) | 10.0.50.0/24 | Guest WiFi isolation (added 2026-03-06) |
| CSC Internal Network | **10** | Third-party (pfSense) | - | **Mismatch: pfSense has INTERNAL on VLAN 20, not 10** |
| Internal | **20** | Third-party (pfSense) | - | Staff VLAN (10.0.20.0/24) — matches pfSense |
| 999 - Test | 999 | Third-party (pfSense) | - | GuruTestNet |

### Room VLANs (238 total)

All room VLANs are defined in UniFi as "Third-party Gateway" networks. VLAN IDs match room numbers.

- **Floor 1 (44):** 101-149 (missing: 113, 114, 139, 141)
- **Floor 2 (46):** 201-249 (missing: 213, 214, 239)
- **Floor 3 (48):** 301-350 (missing: 313, 314)
- **Floor 4 (47):** 401-449 (missing: 413, 414)
- **Floor 5 — MemCare (21):** 501-522 (missing: 513)
- **Floor 6 — MemCare (29):** 603-631

## Issues

### ~~1. Guest WiFi on Native LAN — NO ISOLATION (High)~~ FIXED 2026-03-06

Guest SSID moved to VLAN 50 (10.0.50.0/24) with internet-only firewall rules. All RFC1918 ranges blocked. DHCP scope: 10.0.50.50–10.0.50.239 (190 addresses).

**Needs onsite testing to verify isolation.**

### 2. CSC Internal Network VLAN Mismatch (Medium)

UniFi defines "CSC Internal Network" as VLAN 10, but pfSense has the INTERNAL interface on VLAN 20 (igc1.20, 10.0.20.0/24). UniFi also has "Internal" on VLAN 20 (correct). The VLAN 10 network may be unused/orphaned, or it could cause tagging issues if any port or SSID references it.

**Fix:** Verify if VLAN 10 is used anywhere. If not, delete "CSC Internal Network" from UniFi to avoid confusion.

### 3. All SSIDs Use WPA2 Only (Low)

WPA3 is not enabled on any SSID. WPA2 is acceptable, but WPA3-transitional mode would improve security for newer devices while maintaining compatibility.

### 4. Kitchen iPads Not Restricted (Medium — Security)

9 kitchen iPads are on the INTERNAL VLAN (10.0.20.x) with full access to staff resources. They are food-service only (NOT medical) — used for taking orders and printing to kitchen thermal receipt printers. They should be restricted to kitchen printer access only, to prevent lateral movement into PHI networks if a device is compromised.

**Fix:** Create firewall rules restricting kitchen iPad MACs to kitchen thermal printer IPs only. Block access to staff VLAN, servers, and Synology. Allow internet for app updates. See `security/hipaa.md`.

### 5. No Band Steering or Separate SSIDs (Low)

All SSIDs broadcast on both 2.4 and 5 GHz. Band steering should be enabled (if not already) to push capable devices to 5 GHz for better performance, especially in high-density areas like the Dining Room.

## Migration Plan — WiFi Changes (Phase 1.1)

### Guest SSID → VLAN 50

The Guest SSID will be reassigned from the Default (native LAN) network to a new Guest network on VLAN 50 (10.0.50.0/24). This isolates guest traffic from all internal resources.

**UniFi changes:**

1. Create "Guest" network: VLAN 50, third-party gateway
2. Change Guest SSID network assignment: Default → Guest (VLAN 50)

**Note:** Guest WiFi will briefly disconnect during SSID reassignment.

### Delete CSC Internal Network (VLAN 10)

After verifying VLAN 10 is not referenced by any port profile or SSID, delete "CSC Internal Network" from UniFi to avoid confusion with the correct "Internal" network on VLAN 20.

See `migration/phase1-network.md` for full steps.
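An added offline check for the Guest VLAN 50 policy described under Issue 1 and in the migration plan above; it is not part of this document or the site's tooling. It models the GUEST-interface rules as a pfSense-style first-match list and confirms that 10.0.50.0/24 reaches only non-RFC1918 destinations; the rule order, the source address and the probe destinations are constructed assumptions, since the real pfSense rule export is not on this page.

```python
"""Offline sanity check for the Guest VLAN 50 isolation policy.

Models the GUEST-interface rules as an ordered first-match list (pfSense
semantics) and probes representative destinations from this document.
Rule contents and probe addresses are constructed from the text above,
not exported from the real firewall.
"""
from ipaddress import ip_address, ip_network

GUEST = ip_network("10.0.50.0/24")
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (action, source, destinations, description) -- first match wins.
GUEST_RULES = [
    ("block", GUEST, RFC1918, "Guest -> any RFC1918 (LAN, INTERNAL, room VLANs)"),
    ("pass", GUEST, [ANY], "Guest -> internet"),
]

def verdict(rules, src, dst):
    """Action of the first matching rule; implicit default deny otherwise."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_nets, _desc in rules:
        if src in s_net and any(dst in d for d in d_nets):
            return action
    return "block"

# Destinations named in this document plus one public address, paired with
# the verdict the isolation policy is supposed to produce.
PROBES = {
    "192.168.0.1": "block",  # Default LAN (servers, infra, APs, pfSense)
    "10.0.20.10": "block",   # INTERNAL staff VLAN
    "172.16.5.5": "block",   # remaining RFC1918 range
    "8.8.8.8": "pass",       # internet
}

def isolation_violations(rules, src="10.0.50.100", probes=PROBES):
    """Return {destination: actual verdict} for every probe whose verdict
    differs from the intended one; an empty dict means the policy holds."""
    return {dst: verdict(rules, src, dst)
            for dst, want in probes.items()
            if verdict(rules, src, dst) != want}

def dhcp_scope_size(first, last):
    """Number of addresses in an inclusive DHCP range."""
    return int(ip_address(last)) - int(ip_address(first)) + 1

if __name__ == "__main__":
    print("policy holds:", isolation_violations(GUEST_RULES) == {})
    # Same rules with the pass-any rule first: the block rule never matches.
    print("reversed order:", isolation_violations(GUEST_RULES[::-1]))
    print("DHCP scope:", dhcp_scope_size("10.0.50.50", "10.0.50.239"))
```

Guest-to-guest traffic inside VLAN 50 never reaches pfSense, so it is governed by the SSID's client isolation setting on the APs rather than by these rules.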