doc title Help Center
You are here: Home > Bridge Mode Deployment > Configuring Security for a WLAN SSID Profile in Bridge Mode > Configuring Enterprise Security for a WLAN SSID Profile

Configuring Enterprise Security for a WLAN SSID Profile

To configure an enterprise security profile, complete the following procedure:

  1. To access the WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. configuration wizard for a new SSID profile or an existing SSID profile, see Configuring a WLAN SSID Profile in Bridge Mode or Creating a WLAN Profile in Tunnel and Mixed Mode.
  2. In the WLAN SSID configuration wizard, go to the Security tab.
  3. In Security Level, select Enterprise.
  4. Configure the following parameters:


    Table 1: Enterprise Security Profile Configuration Parameters

    Data pane item


    Key Management

    Select any of the following options from the Key Management drop-down list:

    Primary Server

    Specify a primary authentication server for client authentication.

    To create a new server, see Configuring External Authentication Servers for a WLAN SSID Profile.

    Secondary Server

    Specify a secondary authentication server for client authentication.

    To create a new server, see Configuring External Authentication Servers for a WLAN SSID Profile.

    Load Balancing

    Enable this option to load balance between the two authentication servers.

  5. Click Advanced Settings and configure the following parameters:

    Table 2: Advanced WLAN security Settings—Enterprise Security Profile

    Data pane item


    Use Session Key for LEAP

    Select this option to use the session key for Lightweight Extensible Authentication Protocol (LEAP)

    Perform MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. Authentication Before 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority.

    Allows you to use 802.1X authentication after the client completes the MAC authentication successfully. You can configure the following parameters:

    • Delimiter Character—Specify a character as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. The supported characters are : (colon), / (slash), , (comma), - (dash), and % (percent).
    • Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

    MAC Authentication Fail-Through

    On selecting this, the 802.1X authentication is attempted when the MAC authentication of an AP client fails.

    Reauth Interval

    Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. The following events occur when the re-authentication interval is configured on WLAS SSIDs:

    On an SSID performing L2 authentication (MAC or 802.1X authentication)— When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.

    On an SSID performing L2 authentication (MAC with captive portalA captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication)— When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.


    To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

    Max Authentication Failures

    Sets a value for the maximum allowed authentication failures. Enter a number between 1 and 10.

    Enforce DHCP

    To enforce DHCPDynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP. When DHCP is enforced:

    • A layer-2 user entry is created when a client associates with an AP.
    • The client DHCP state and IP address are tracked.
    • When the client obtains an IP address from DHCP, the DHCP state changes to complete.
    • If the DHCP state is complete, a layer-3 user entry is created.
    • When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.

    Use IP for Calling Station ID

    Enable this option to configure client IP address as calling station ID.

    Called Station ID Type

    The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled. Select any of the following options for configuring a called station ID:

    Called Station ID Include SSID

    Appends the SSID name to the called station ID.

    Called Station ID Delimiter

    Sets delimiter at the end of the called station ID.




    On enabling this option, the APs post accounting information to the RADIUS server at the specified Accounting Interval. Select one of the following options from the drop-down list:

    Disabled—To disable the accounting option.

    Use authentication server—To select authentication servers and the accounting time interval in minutes.

    Use separate servers— To select specific accounting and mention the accounting interval time in minutes.

    Accounting Interval

    Specify a number between 0 and 60 minutes.

    Fast Roaming


    Opportunistic Key Caching (OKC)

    Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is enabled, multiple APs can share Pairwise Master Keys (PMKs) and use these keys when clients roam to a neighboring AP.

    NOTE: The Opportunistic Key Caching (OKC) toggle switch is disabled by default when you select any of the encryption types from the Key Management drop-down list.


    A mobility domain identifier (MDID). Enter a value between 1 and 65535.

    This option is available only when either Opportunistic Key Caching (OKC) or 802.11r toggle switch is turned on.


    Turn on the 802.11r toggle switch to enable 802.11r roaming. The 802.11r protocol enables fast BSSBasic Service Set. A BSS is a set of interconnected stations that can communicate with each other. BSS can be an independent BSS or infrastructure BSS. An independent BSS is an ad hoc network that does not include APs, whereas the infrastructure BSS consists of an AP and all its associated clients. transition. The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS (AP) to another within the same cluster.

    NOTE: The 802.11r toggle switch is disabled by default when you select any of the encryption types from the Key Management drop-down list. However, the 802.11r toggle switch is not available when you select the WPA Enterprise encryption type from the Key Management drop-down list.

    802.11k802.11k is an IEEE standard that enables APs and client devices to discover the best available radio resources for seamless BSS transition in a WLAN.

    Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.


    Turn on the 802.11v toggle switch to enable 802.11v802.11v is an IEEE standard that allows client devices to exchange information about the network topology and RF environment. This information is used for assigning best available radio resources for the client devices to provide seamless connectivity. based BSS transition. The 802.11v standard defines mechanisms for wireless network and BSS transition management. It allows the client devices to exchange information about the network topology and RFRadio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam.

  6. Click Next.