Were your access points part of your original equipment when the rest of your network was planned and built? Probably not. New installs, or greenfield installations, are networks with an existing physical LAN that an organization wishes to add access points (APs) to. This is done to extend the network to accommodate the growing number of users, devices, and visitors.
In most cases APs are evaluated and installed without considering or leveraging existing security devices. Existing users may be able to roam with their existing LDAP-based credentials via a back-up authentication method. In modern networks that does not cover everybody. Thankfully, modern APs have guest network options which can be set up. Some even have a check box for client isolation. Some administrators check it; others leave it unchecked. Why? Because the guests may need a resource on your network.
In this now merged network we can see employees and visitors/guests with tablets, cell phones, PCs, etc. We need a way to corral, protect, and prevent. The access point may be a gateway in a bad way; it could effectively be a "rogue access point." Organizations need to determine how to allow access to the network for known resources while blocking those the company does not want to have access. The relationship goes both ways, because devices need "protected" status for access both to and from the network.
The APs should be set up so that no malware is sent or received, a strong password is established for guests, and the guest account password is changed regularly while remaining easy to convey. Much has been written about simple passwords for account access. Those simple passwords have found their way to access points as well.
Start with the who, what, where and how list. Ask yourself:
Who needs access? Employees, contractors, guests, those people slowly driving by in their car? The answer: Employees get WPA-*.* tied to their LDAP account, which gives authentication, encryption, and allowed destinations. Contractors may have a temporary account linked to another SSID with a similar setup to employees. Guests and those who are just driving by: What do they get? We know the new 802.11n standard registers some impressive distances.
What needs access?
PCs, tablets, Wi-Fi enabled-phones.
Where do they need to go?
Printers, servers, the Internet (with or without filtering). Those guests might need access back to their corporate network.
How are they going to be allowed?
Through firewall rules, web filters, AV filters, etc.
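One way the who/what/where/how list above turns into enforceable firewall rules, as an added example that is not part of the original post: an nftables ruleset on the gateway between the AP's SSIDs (each mapped to its own VLAN interface) and the wired LAN. Interface names, subnets and server addresses are assumptions for illustration; the drops are logged so the policy can later be proven from the logs.

```nft
# Added example: gateway firewall enforcing the Wi-Fi policy.
# Interfaces, subnets and addresses below are assumed, not from any real deployment.
define LAN_IF        = "eth0"      # wired LAN with servers and printers
define WAN_IF        = "eth1"      # Internet uplink
define EMP_IF        = "vlan10"    # employee SSID (WPA-Enterprise, LDAP-backed)
define CON_IF        = "vlan20"    # temporary contractor SSID
define GUEST_IF      = "vlan30"    # guest SSID with client isolation enabled on the AP
define EMP_NET       = 10.0.10.0/24
define CON_NET       = 10.0.20.0/24
define GUEST_NET     = 10.0.30.0/24
define LAN_RESOURCES = { 10.0.1.10, 10.0.1.11, 10.0.1.20 }   # printers and file server

table inet wifi_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny, answer "how" once

        ct state established,related accept
        ct state invalid drop

        # Who: employees. Where: printers, servers, and the Internet.
        iifname $EMP_IF ip saddr $EMP_NET oifname $LAN_IF ip daddr $LAN_RESOURCES accept
        iifname $EMP_IF ip saddr $EMP_NET oifname $WAN_IF accept

        # Who: contractors. Same shape as employees, but on their own SSID/VLAN so the
        # temporary account can be revoked by removing one network, not by hunting rules.
        iifname $CON_IF ip saddr $CON_NET oifname $LAN_IF ip daddr $LAN_RESOURCES accept
        iifname $CON_IF ip saddr $CON_NET oifname $WAN_IF accept

        # Who: guests. Where: Internet only (a VPN back to their own company rides over this).
        # Client isolation on the AP stops guest-to-guest traffic on the air; this rule makes
        # sure the firewall never forwards guest traffic into the wired LAN either.
        iifname $GUEST_IF ip saddr $GUEST_NET oifname $LAN_IF log prefix "guest-to-lan-denied " drop
        iifname $GUEST_IF ip saddr $GUEST_NET oifname $WAN_IF accept

        # Anything else, including LAN hosts reaching into the guest VLAN, is logged and dropped.
        log prefix "wifi-policy-drop " drop
    }
}
```

Web and AV filtering are not expressed here; in this design they sit on the WAN path (proxy or UTM) that the accept rules hand Internet-bound traffic to.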
So with this short list you can plan, design and execute a Wi-Fi policy that makes sense and is enforceable. In our audit-required world we need to prove the policy through logging and reporting as well. But that is a subject for another post.