Residential Networking in Assisted Living Complex

Someone more experienced could probably answer, but for that large of a job and that many drops into each of those closets, shielded cable may be the way to go, so that you are not worried about the initial crank-up or weird issues creeping up on you later down the road.

1 Like

Yes.

When you do auth using RADIUS, a RADIUS server (FreeRADIUS, for example) will reply with one of the parameters indicating a VLAN number, and the access point will just stick a VLAN header onto that user's frames. APs are usually configurable in how they end up populating RADIUS requests.

For example, eduroam, the university network, does this, and they authenticate users using 802.1x EAP-PEAP (server-side TLS cert, and username and password on the client side). This is textbook 802.1x.

But you can use RADIUS without 802.1x too. MikroTik can then use a MAC address as a RADIUS username, for example. Ruckus and Aerohive and just plain old hostapd (e.g. OpenWRT) support this with plain WPA2 PSK auth: depending on what password clients use, that information is relayed to RADIUS, the RADIUS server replies with a VLAN number, and they get dropped into a particular VLAN (whatever RADIUS replies with). This makes it easier for the average Joe (WPA2-PSK is easier than WPA2-EAP).

So, yes, as far as Wi-Fi goes, you can have a VLAN for guests and random devices with broadcast disabled except for very selective DHCP, and one VLAN per user at the same time, on the same SSID ESS set of APs with the same crypto… but you need to check which APs support which features. VLANs per MAC address are not exactly the paragon of security, but are widely supported, and they’d help you segment the network while keeping it usable.
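Added example, not part of the posts above: a Python sketch of the access-point side of the RADIUS VLAN reply described in this thread, using the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). It verifies the Response Authenticator before trusting the VLAN and falls back to a guest VLAN on any doubt. The function names, `GUEST_VLAN = 99` and the allowed-VLAN set are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6   # RFC 3580 values for a VLAN assignment
GUEST_VLAN = 99                      # assumed fallback VLAN for this example

def response_auth(head, req_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def build_accept(attrs, req_auth, secret, ident=1):
    """Build a constructed Access-Accept, as a RADIUS server would send it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + response_auth(head, req_auth, body, secret) + body

def parse_accept(pkt, req_auth, secret):
    """Return {attr_type: value} for an authentic, well-formed Access-Accept."""
    length = int.from_bytes(pkt[2:4], "big")
    if len(pkt) < 20 or pkt[0] != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    expected = response_auth(pkt[:4], req_auth, pkt[20:], secret)
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]])
        pos += pkt[pos + 1]
    return attrs

def vlan_for(pkt, req_auth, secret, allowed):
    """VLAN the AP should tag this client with; GUEST_VLAN on any doubt."""
    try:
        a = parse_accept(pkt, req_auth, secret)
        # Tunnel-Type / Tunnel-Medium-Type: 1 tag byte + 3-byte value
        kind = int.from_bytes(a[TUNNEL_TYPE][1:], "big")
        medium = int.from_bytes(a[TUNNEL_MEDIUM_TYPE][1:], "big")
        group = a[TUNNEL_PRIVATE_GROUP_ID]
    except (ValueError, KeyError):
        return GUEST_VLAN
    if group[:1] and group[0] <= 0x1F:   # optional tag byte (RFC 2868)
        group = group[1:]
    ok = kind == TYPE_VLAN and medium == MEDIUM_IEEE_802 and group.isdigit()
    return int(group) if ok and int(group) in allowed else GUEST_VLAN
```

The allow-list is what keeps a misconfigured RADIUS entry from dropping a resident device into a management or other unintended VLAN.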