LAN / WiFi Network Segmentation - Introduction

Network Segmentation

This guide covers LAN and WiFi segmentation.


You need to proceed in this order.



Windows Server 2016

Certificate Authority


How To Install Certificate Services and Deploy

Installing the standalone offline root CA:

To install the standalone Root CA Role:

Configuring a Webserver for CRL and CPS

Installing the Enterprise Subordinate CA:



NPS Role

Cisco Catalyst Switches

VTP Setup

VLAN Configuration

PoE Zyxel Switch for Aruba Access Points Power Feeds.

Aruba Access Points / WPA2 Enterprise


Windows Clients and Group Policy

Mac OS X Clients

Linux Clients – Not Covered – Reference link

Default Guest VLAN (Last Thing to do)


  1. First, you need a working environment already in place to fall back on if your changes do not succeed.
    1. All that requires is basic access to the network and the internet.
  2. In case of misconfiguration, or a client not being able to retrieve a certificate, you need a VLAN where remediation can take place. In the current setup, that is your default VLAN1.
  3. Have a preconfigured command on standby to execute on the client's switchport, so that the client is not left in the limited guest VLAN with no access to the servers.


Windows Server 2016

This is the environment this guide is intended for. I see no reason why other Windows Server OSes would deviate from this process.