Best method for access control within WLAN?

Router: GL.iNET MT-6000 (Flint 2) running OpenWrt 25.12.2

Hi, I recently had a thought related to the efficiency of my current OpenWrt setup. I have 5 SSIDs/Interfaces/Firewall Zones. One is an “admin” SSID I use for access to the router itself and a wireguard peer, one is the main SSID for resident use, one is for guests, one is for IoT, and one is for Smart TVs. The reason Smart TVs have their own network is because I want to use client/bridge isolation, which I do not want for my residents network. If I put the TVs on the guest network Chromecast/AirPlay will not work for guests as the guest network has client/bridge isolation turned on. I’m also able to use WPA3 on the TVs, where most IoT devices are still stuck on WPA2.

So a brief idea of this setup without giving my entire config (As I’m more looking for ideas rather than troubleshooting):
Admin → Can access anything/everything. Is routed through wireguard (WPA3)

Residents → Devices in this zone can talk between each other, but not to other zones except Smart TVs, routed through wan (WPA3)

Guests → Devices can not talk to each other nor any zone except Smart TVs, routed through wan (WPA3)

IoT → Devices can not talk to each other, nor any other zone, most devices blocked from wan (WPA2)

Smart TVs → Devices can not talk to each other, nor any other zone, routed through wan (WPA3)

Is there a better solution for access control than what I am currently doing? I am aware there is a method to use multiple VLANs assigned to different passkeys in a single SSID, but from what I could research, that only applies to WPA2, and not WPA3-SAE. I looked into FreeRADIUS for a little bit but it seemed somewhat confusing for someone who’s never used RADIUS, and I wasn’t sure I could get what I wanted out of it (Less SSIDs being broadcast while maintaining isolation of clients and WPA3).

If I could simplify my SSIDs down to one broadcast that is WPA3, and one that is WPA2 that would be nice. Ideally I just want to prevent specific clients from seeing other clients (So, I wouldn’t want my guests iPhone to see my Pixel, however I’d want both the iPhone and Pixel to see the Android TV, without the Android TV ever being able to figure out the iPhone nor Pixel were there without one of the two phones connecting to the TV first)

Any feedback/ideas are appreciated, have a nice day!

Given your requirements (TV isolation, guest isolation, everyone reaches TVs), you've got two paths:

Without RADIUS: Keep your 4-5 SSIDs, each maps to a fixed VLAN. You'll need an mDNS reflector and firewall rules to let Chromecast/AirPlay work across VLANs.

With RADIUS: Drop down to 2-3 SSIDs. RADIUS sorts users into VLANs based on login. Still need the mDNS reflector and firewall rules.

Either way, the reflector isn't optional. Chromecast/AirPlay rely on mDNS broadcasts that don't cross VLAN boundaries. ebtables isolation in a single VLAN won't cut it—devices can still hit each other directly by IP if they know the address.
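The "without RADIUS" path above, written out as OpenWrt UCI fragments (an added example, not the poster's config). It assumes interfaces named `guest` and `tv` already exist in `/etc/config/network`; the residents zone and the TV AP are configured the same way and are omitted.

```uci
# /etc/config/wireless (fragment): per-client isolation on the guest AP.
# 'isolate' drops guest<->guest frames at the AP only; a guest who already
# knows another client's IP is stopped only by the zone split below.
config wifi-iface 'wifinet_guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'Guest'
	option encryption 'sae'
	option key 'CHANGE-ME-guest-passphrase'
	option isolate '1'

# /etc/config/firewall (fragment): both zones default to REJECT, so only the
# forwardings listed below are open. Guests may open connections to TVs;
# conntrack lets the replies back, but a TV cannot initiate towards guests.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'tv'
	list network 'tv'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'tv'

config forwarding
	option src 'tv'
	option dest 'wan'

# With input REJECT, guests still need DHCP and DNS from the router itself.
config rule
	option name 'guest-dhcp-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

The mDNS reflector (avahi with `enable-reflector=yes` listening on both bridges) is still required on top of this, since these rules only carry the unicast Chromecast/AirPlay session, not the discovery broadcasts.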

I think that the "admin" could be unnecessary. Did you need full network access to all other devices? If not, you could allow the "residents" to access the router LuCI/ssh, and from that you could proxy to your IoT devices (ssh -D 1080 openwrt).

The admin interface, in addition to being for luci&ssh access, is also for connecting to a VPN provider, and would be somewhat inconvenient for most of the other people the router is shared with. I’m confused about what you’re saying by proxying the IoT devices and then providing an ssh command. What do you mean by that?

I do currently have avahi mDNS up and working so that is not a problem. Would you say that RADIUS adds any extra headache for end users, or opens any security holes? I would be willing to figure out how to use it as long as the people connecting to the network don’t feel encumbered by it, and I’m not creating a larger security headache by using it.

For example, if the only thing you need to access on your IoT devices is the web interface, instead of connecting to the IoT network (or the admin network on your current setup), you can create a temporary SOCKS5 proxy through your router using an SSH connection (ssh -D 1080 router_ip) and configure the proxy in your browser (socks5://127.0.0.1:1080).

But yep, if other people also need to use the admin network recurrently, my suggestion probably is more headache :'D

RADIUS for end users: not really an issue. Once they enter username + password the first time, device remembers it and reconnects automatically. Only difference is two fields instead of one during initial setup.

Security: FreeRADIUS is solid. There was a critical vuln (CVE-2024-3596) back in mid-2024, patched in 3.2.5+. Like with any software, keeping it updated is on you.

For your setup: RADIUS would get you down from 5 SSIDs to maybe 2-3, but IoT still needs its own WPA2-PSK SSID anyway since most IoT devices don't do Enterprise auth. Whether that's worth the setup effort is your call—what you've got now works fine too.
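The "with RADIUS" path from the replies above, as an added example (not the poster's config): one WPA3-Enterprise SSID whose clients are placed into VLANs by FreeRADIUS. It assumes a `br-vlan<id>` bridge per VLAN already defined in `/etc/config/network` with its own DHCP range and firewall zone, and the option names are those of OpenWrt's hostapd integration; per-client isolation inside each dynamic VLAN is not covered here.

```uci
# /etc/config/wireless (fragment): a single WPA3-Enterprise SSID. hostapd
# authenticates each client against FreeRADIUS and, if the Access-Accept
# carries VLAN attributes, moves that client onto bridge br-vlan<id>.
config wifi-iface 'wifinet_ent'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Home'
	# 'wpa3' = WPA3-Enterprise (802.1X, PMF required); a separate WPA2-PSK
	# SSID is still needed for IoT devices that cannot do 802.1X
	option encryption 'wpa3'
	# RADIUS server address is a placeholder (RFC 5737 documentation range)
	option auth_server '192.0.2.10'
	option auth_port '1812'
	option auth_secret 'CHANGE-ME-long-random-shared-secret'
	# 1 = use the VLAN from RADIUS when present, else fall back to 'network';
	# 2 would refuse any client for which RADIUS sends no VLAN
	option dynamic_vlan '1'
	option vlan_naming '0'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option network 'residents'

# FreeRADIUS users file (mods-config/files/authorize in FreeRADIUS 3; this
# part is FreeRADIUS syntax, not UCI). The reply items are the RFC 3580
# tunnel attributes hostapd reads. VLAN ids assumed: 20 residents, 30 guests.
alice   Cleartext-Password := "CHANGE-ME"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20

visitor Cleartext-Password := "CHANGE-ME"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 30
```

Each dynamic VLAN still needs the same zone-to-zone forwarding rules and mDNS reflection as the static setup; RADIUS only changes how a client lands in a VLAN, not what that VLAN may reach.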