Unless the wireless LAN is self-contained, a small network in a meeting room without Internet connections, for example the access point is connected to the corporate network. It serves as a bridge for wireless clients to enable their connections to your local wired network. So think of it as just that, a bridge from untrusted to trusted. It’s not that you should immediately consider all wireless users in your organization untrustworthy; it’s the unwanted connections you want to avoid.

To do so, use 802.1x where you can, and set up a VPN where you can’t. That way, an intruder may be able to make a connection to the access point but will not be able to access your network. The only way the intruder could access the corporate network would be to supply appropriate credentials to either the Virtual Private Network (VPN) or the RADIUS server.

You may also consider setting up a firewall. Just remember that placement is important here. If a single firewall is available, you don’t want to put the firewall between the access point and users attempting to connect to it. Instead, you want the firewall between the access point and your internal network.