Everything here is my opinion. I do not speak for your employer.
Oh good grief. They validate only half of a 7-digit (+checksum digit) number at once, and tell you whether you got the first half right before asking for the second half? I don't know anything about encryption algorithms, and even I know not to do that.
Bonus points for limiting the PIN to a very restricted set of characters (0-9), making it fixed length, and making it immutable for any given AP.
Try Tailscale: mesh networking, centralized administration, WireGuard.
Why would you follow me on twitter? Use RSS.