Before defining a profile's captive portal, DHCP and RADIUS services configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective:
A profile plan should consider the number of wireless clients allowed on the captive portal and the services provided, or if the profile should support captive portal access at all, since captive portals do increase the risk to the wireless network versus more secure access methods.
Profile configurations supporting a captive portal should include firewall policies to ensure logical separation is provided between guest and internal networks so internal networks and hosts are not reachable from captive portals.
DHCP's lack of an authentication mechanism means a DHCP server supported profile cannot check if a client or user is authorized to use a given user class. This introduces a vulnerability when using user class options. Ensure a profile using an internal DHCP resource is also provisioned with a strong user authorization and validation configuration.