Wireless
How the district's wireless fleet is deployed, how SSIDs are architected and authenticated, and how the airspace itself is monitored for rogue devices and kept current.
Maturity preview · Defined

AP fleet & coverage

All wireless access points in production, grouped by vendor and model.

Total: 187 APs

How AP placement was determined and how often coverage is re-evaluated. Heat-map or walking survey on a documented cadence is best practice; ad hoc placement is a hard finding regardless of how recent the “last review” was — there's no methodology to anchor it to.

Long stale · 32 mo ago

SSID architecture & authentication

Active SSIDs broadcast across the district. The list isn't a checklist — IoT / AV and Voice / VoIP are operational, not posture signals — but the absence of a documented SSID architecture is itself the finding. “Not sure” is valid as a partial-knowledge signal; an empty selection is a hard finding.

Practical floor is WPA2-Enterprise + 802.1X. WPA2-PSK or Open + captive on staff/student SSIDs is a hard finding by itself — shared keys and captive portals don't survive contact with student devices, and they treat the SSID as a soft authentication boundary, which it isn't.

Layered isolation (VLAN + firewall + captive + rate-limit) is the target. The guest SSID is the most likely vector for an uncurated client to reach an internal resource — bridging it to the internal network is a hard finding.

Cert-based + MDM-enrolled is the target. PSK-rotated is a documentation gap — it works until a rotation is missed. See EUC for the device-side MDM posture this depends on.

Wireless security & lifecycle

Continuous rogue detection is the modern floor; containment and spectrum analysis are next-tier capabilities. Scheduled or manual scans alone are thin but not absent. Empty selection is a hard finding — no documented controls means the airspace isn't being watched. “Not sure” is valid when the responder lacks visibility into the controller config.

Client isolation prevents lateral movement between devices on the same SSID. Most relevant on guest/BYOD where the client population is uncurated; less material on staff/student SSIDs that are already 802.1X-authenticated to known users.

How often AP firmware is reviewed and applied, and when the last update ran. See ARC F9 for broader firmware posture and SW F3 for switch firmware — wireless firmware is usually managed alongside controller updates rather than per-AP. “Never” is a hard finding.

Current · 4 mo ago

Notes