by amluto 937 days ago
I think it’s useful for headless devices — signing up, say, a thermostat using a guest portal is ridiculous.

WPS sort of tried to cover this use case, but WPS is a disaster.


I agree WPS is a disaster.

My approach is just setting proper firewall rules on a dedicated ESSID with a dedicated VLAN. A device on a restricted VLAN shouldn't be able to talk to anything. The downside is it's more work, but the plus side is it can be done on trusted firmware (OpenWRT) and not something that would require an entire code audit to determine if there are any logic flaws.

This doesn’t isolate the devices from each other, though. (Well, maybe if you have isolation set up on the AP and the devices are all connected to the same radio or isolation happens to work across radios and no one exploits any of the myriad ways in which Ethernet, on the same broadcast domain, is not a secure protocol.)

How is WPS a disaster?

Lack of usable support from a lot of access points and management systems. Do any of the major multi-AP systems support it? UniFi has no support. I don’t think any of the Ruckus products support it.

(Also, “push the button” is a bit of an awkward concept with multiple APs.)

edit: it’s also a disaster due to a proliferation of crappy client devices that more or less require it.

I see. I'm using a normal router in bridge mode as an extender, and that's been working well enough and comes with WPS built in, so, for instance, I can turn it on there if the printer is closer, but of course it would be nice to turn it on in one place and have all the extenders have it on as well.