What’s wrong with letting guests and employees share the same wireless?
Partially a security question, partially a CMMC question.
Let’s say you have a WPA3 PSK wireless network that employee CUI laptops, employee personal devices, AND guests are allowed to use. Client isolation is enabled and the wireless is logically segmented from the rest of the office network/resources.
Why isn’t this sufficient? It meets 3.1.16 and 3.1.17 as long your documentation is in place, doesn’t it? Or does this hurt a broader control?
EDIT: CUI laptops generally connect to the wired Ethernet, but no mechanism exists to enforce that. Even if I made a separate WAP for employees or employee personal devices, there’s nothing stopping them from connecting to the guest network anyway.