Configuring WLAN SSID Settings

After successfully creating a Microbranch group and provisioning the APs, the next step is to create an SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. for the Microbranch group and broadcast it in the network.

The following sections describe the procedures for creating a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID in bridge mode or tunnel mode, VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. assignment, security profile, user role, and access policy configuration.

Creating a WLAN Profile

To configure WLAN settings, complete the following steps:

1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
   The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon.
   The tabs to configure APs is displayed.
4. Click Wireless > WLAN.
   The Wireless SSIDs table is displayed listing the existing SSID profiles.

   You can directly edit the SSID name under the Name column of the Wireless SSIDs table. Double-click the relevant SSID that you want to rename, and type the new name. Press Enter to complete the process.

5. To create a new SSID profile, click + Add SSID.
   The Create a New Network page is displayed.
6. Enter an SSID name in the Name (SSID) field.
7. Under Advanced Settings, configure the parameters as mentioned in the following table.

   Table 1: Advanced WLAN Configuration Parameters

   Parameter	Description
   Broadcast/Multicast
   Broadcast Filtering	Select any of the following values: Disabled—The AP forwards all the broadcast and multicast traffic to the wireless interfaces. ARP—The AP drops broadcast and multicast frames except DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. , ARP Address Resolution Protocol. ARP is used for mapping IP network address to the hardware MAC address of a device. , IGMP Internet Group Management Protocol. Communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients. By default, the AP is configured to ARP mode. All—The AP drops all broadcast and multicast frames except DHCP, ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Unicast ARP Only—This options enables the AP to convert ARP requests to unicast frames and thereby sending them to the associated clients. Default value: The default value is ARP.
   DTIM Interval	The DTIM Interval indicates the DTIM Delivery Traffic Indication Message. DTIM is a kind of traffic indication map. A DTIM interval determines when the APs must deliver broadcast and multicast frames to their associated clients in power save mode. period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the AP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode.   Range: Range is 1 to 10 beacons. Default value: The default value is 1, which means the client checks for buffered data on the AP at every beacon. You can also configure a higher DTIM value for power saving.
   Dynamic Multicast Optimization (DMO)	Toggle the switch to enable the AP to convert multicast streams into unicast streams over the wireless link. Enabling DMO Dynamic Multicast Optimization. DMO is a process of converting multicast streams into unicast streams over a wireless link to enhance the quality and reliability of streaming videos, while preserving the bandwidth available to non-video clients. enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients. When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.
   DMO Channel Utilization Threshold	Specify a value to set a threshold for DMO channel utilization. With DMO, the AP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. Default value: The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the AP sends multicast traffic over the wireless link. This option will be enabled only when Dynamic Multicast Optimization is enabled.
   DMO Client Threshold	Specify a value to set a threshold for number of DMO Client. With DMO, the AP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. This option will be enabled only when Dynamic Multicast Optimization is enabled.
   Transmit Rates (Legacy Only)
   2.4 GHz	If the 2.4 GHz Gigahertz. band Band refers to a specified range of frequencies of electromagnetic radiation. is configured on the AP, specify the minimum and maximum transmission rates. Default value: The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.
   5 GHz	If the 5 GHz band is configured on the AP, specify the minimum and maximum transmission rates. Default value: The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.
   Beacon Rate
   2.4 GHz	If the 2.4 GHz band is configured on an AP, specify the transmission rates from the 2.4 GHz drop-down list. By default, the transmission rate is set as 1 Mbps. The minimum transmission rate supported is 1 Mbps and the maximum transmission rate supported is 54 Mbps.
   5 GHz	If the 5 GHz band is configured on an AP, specify the transmission rates from the 5 GHz drop-down list. By default, the transmission rate is set to 6 Mbps. The minimum transmission rate supported is 6 Mbps and the maximum transmission rate supported is 54 Mbps.
   Bandwidth Control
   Airtime	Toggle the switch to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
   Downstream	Enter the downstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check box. The bandwidth limit set in this method is implemented at the device level and not cluster level.
   Upstream	Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check box. The bandwidth limit set in this method is implemented at the device level and not cluster level.
   Each Radio	Toggle the switch to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.
   Enable 11n	When this option is enabled, there is no disabling of High-Throughput (HT High Throughput. IEEE 802.11n is an HT WLAN standard that aims to achieve physical data rates of close to 600 Mbps on the 2.4 GHz and 5 GHz bands.) on 802.11n 802.11n is a wireless networking standard to improve network throughput over the two previous standards, 802.11a and 802.11g. With 802.11n, there will be a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an AP, it is automatically enabled for all SSIDs configured on an AP. By default, HT is enabled on all SSIDs. If you want the 802.11ac 802.11ac is a wireless networking standard in the 802.11 family that provides high-throughput WLANs on the 5 GHz band. APs to function as 802.11n APs, clear this check box to disable VHT Very High Throughput. IEEE 802.11ac is an emerging VHT WLAN standard that could achieve physical data rates of close to 7 Gbps for the 5 GHz band. on these devices.
   Enable 11ac	When this option is enabled, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an AP, it is automatically enabled for all SSIDs configured on an AP. By default, VHT is enabled on all SSIDs. If you want the 802.11ac APs to function as 802.11n APs, clear this check box to disable VHT on these devices.
   Enable 11ax	When this option is enabled, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an AP, it is automatically enabled for all SSIDs configured on an AP. By default, VHT is enabled on all SSIDs.
   Wifi Multimedia
   Background Wifi Multimedia Share	Allocate bandwidth for background traffic such as file downloads or print jobs. Range: Specify the appropriate DSCP Differentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. mapping values within a range of 0–63 for the background traffic in the corresponding DSCP mapping text box. Enter up to 8 values with no white space and no duplicate single DHCP mapping value.
   Best Effort Wifi Multimedia Share	Allocate bandwidth or best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS Quality of Service. It refers to the capability of a network to provide better service and performance to a specific network traffic over various technologies.. Specify the appropriate DSCP mapping values within a range of 0–63 for the best effort traffic in the corresponding DSCP mapping text box.
   Video Wifi Multimedia Share	Allocate bandwidth for video traffic generated from video streaming. Range: Specify the appropriate DSCP mapping values within a range of 0–63 for the video traffic in the corresponding DSCP mapping text box.
   Voice Wifi Multimedia Share	Allocate bandwidth for voice traffic generated from the incoming and outgoing voice communication. Range: Specify the appropriate DSCP mapping values within a range of 0–63 for the voice traffic in the corresponding DSCP mapping text box. In a non-WMM Wi-Fi Multimedia. WMM is also known as WME. It refers to a Wi-Fi Alliance interoperability certification, based on the IEEE 802.11e standard. It provides basic QoS features to IEEE 802.11 networks. WMM prioritizes traffic according to four ACs: voice (AC_VO), video (AC_VI), best effort (AC_BE), and background (AC_BK). or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia Share and Voice Wifi Multimedia Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
   Traffic Specification(TSPEC)	Select this check box if you want TSPEC Traffic Specification. TSPEC allows an 802.11e client or a QoS-capable wireless client to signal its traffic requirements to the AP. for wireless network. The term TSPEC is used in wireless networks supporting the IEEE Institute of Electrical and Electronics Engineers. 802.11e 802.11e is an enhancement to the 802.11a and 802.11b specifications that enhances the 802.11 Media Access Control layer with a coordinated Time Division Multiple Access (TDMA) construct. It adds error-correcting mechanisms for delay-sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability between business, home, and public environments such as airports and hotels, and offers all subscribers high-speed Internet access with full-motion video, high-fidelity audio, and VoIP. Quality of Service standard. It defines a series of parameters, characteristics, and Quality of Service expectations for a traffic flow.
   TSPEC Bandwidth	Enter the bandwidth for TSPEC.
   Spectralink Voice Protocol(SVP)	Toggle this switch to opt for the SVP SpectraLink Voice Priority. SVP is an open, straightforward QoS approach that has been adopted by most leading vendors of WLAN APs. SVP favors isochronous voice packets over asynchronous data packets when contending for the wireless medium and when transmitting packets onto the wired LAN. protocol.
   WiFi Multimedia Power Save (U-APSD)	Toggle this switch to enable WiFi Multimedia Power Save (U-APSD Unscheduled Automatic Power Save Delivery. U-APSD is a part of 802.11e and helps considerably in increasing the battery life of VoWLAN terminals.). The U-APSD is a power-save mechanism that is an optional part of the IEEE amendment 802.11e, QoS.
   Miscellaneous
   ESSID	Specify the identifier that serves as an identification and address for the device to connect to a wireless router which can then access the internet. If the ESSID Extended Service Set Identifier. ESSID refers to the ID used for identifying an extended service set. value defined is not the same as the profile name, the SSID can be searched based on the ESSID value and not by its profile name.
   Disable on 6GHz Mesh	Enable the toggle switch to stop the SSID from broadcasting on 6 GHz radio when mesh is enabled on the 6 GHz radio. The 6 GHz Mesh is only supported for devices with 6 GHz capability.
   Inactivity Timeout	Specify an interval for session timeout. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. Range: You can specify a value within the range of 60–3600 seconds. Default value: The default value is 1000 seconds.
   Hide SSID	Enable the toggle switch if you do not want the SSID to be visible to users.
   Max Clients Threshold	Specify the maximum number of clients that can be configured for each BSSID Basic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly. on a WLAN. You can specify a value within the range of 0–1024. The default value is max. Specify max, MAX, or 1024 in the Max clients threshold text-box to set the threshold to maximum number of clients.
   Local Probe Request Threshold	Select either automatic or manual to set the Local Probe Request Threshold. automatic—The local probe-request threshold value changes to the recommended value provided by the AI Artificial intelligence (AI) is the simulation of human intelligence processes by machines, especially computer systems. AI reduces trouble tickets by identifying the network entity that is facing problems through event correlation and root cause analysis. insights to improve the performance for the indoor Wi-Fi Wi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value. manual—Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests, if required.
   Min RSSI for auth request	Select either automatic or manual to set the minimum RSSI Received Signal Strength Indicator. RSSI is a mechanism by which RF energy is measured by the circuitry on a wireless NIC (0-255). The RSSI is not standard across vendors. Each vendor determines its own RSSI scale/values. for authentication request. automatic: The minimum RSSI for authentication request value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value. manual: Enter the minimum RSSI threshold for authentication requests. You can specify an RSSI value within the range of 0–100 dB Decibel. Unit of measure for sound or noise and is the difference or ratio between two signal levels..
   Deauth Inactive Clients	Enable the toggle switch to allow the AP to send a deauthentication frame to the inactive client and the clear client entry.
   Can Be Used Without Uplink	Enable the toggle switch if you do not want the SSID profile to use the uplink.
   Disable SSID When	Disable the SSID based on the following Out of Service (OOS) states of the AP: Tunnel down Uplink down Internet down None The network turns out of service when the selected event occurs and the SSID is disabled according to the configuration settings applied. For example, if you select the Uplink down option from the drop-down list , the SSID is disabled when the uplink is down and is enabled when the uplink is restored. Configure a hold time interval in seconds. Range: Range of 30–300 seconds, after which the out-of-service operation is triggered. For example, if the uplink is down and the configured hold time is 45 seconds, the effect of this out-of-service state impacts the SSID availability after 45 seconds.
   Deny Intra VLAN Traffice	Enable the toggle switch to disable intra-VLAN traffic. This enables client isolation and disables all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.
   Management Frame Protection	Enable the toggle switch to provide high network security by maintaining data confidentiality of management frames. The Management Frame Protection (MFP) establishes encryption keys between the client and Instant AP using 802.11i 802.11i provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards. It requires new encryption key protocols, known as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). framework. For more information, see Configuring Management Frames Protection.
   Fine Timing Measurement (802.11mc) Responder Mode	Enable the toggle switch to enable the fine timing measurement (802.11mc) responder mode.
   Advertise AP Name	Enable the toggle switch to enable the advertising of AP name.
   PMK Cache	Enable the toggle switch to enable the PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. cache that deletes the PMK cache entries. The users will not get different IP addresses as the authentication is skipped. The PMK cache stores the details of the connected clients to authenticate clients that are roaming between different APs. By default, the client details is stored for 8 hours after the client disconnects or gets timed out from the network. However, client details in the PMK cache can be deleted immediately after a client disconnects or gets timed out from the network.
   Time Range Profiles
   Time Range Profile	Ensure that the NTP Network Time Protocol. NTP is a protocol for synchronizing the clocks of computers over a network. server connection is active. Select a time range profile from the Time Range Profiles list and apply a status form the drop-down list. Click + New Time Range Profile to create a new time range profile. For more information, see Configure Time-based Services.

8. Click Next to configure VLAN settings.

Configuring VLAN Settings on a WLAN SSID

To configure VLAN settings for an SSID, complete the following steps:

1. In the VLAN tab, select any of the following options in Traffic Forwarding Mode to create a Microbranch network.
   • L2 Forwarded—To forward client traffic to VPNC cluster, select the L2 Forwarded option.
   • L3 Routed/NATed—To forward client traffic to a VPNC cluster node in the Tunnel mode network, select the L3 Routed/NATed option. The radius proxy in Security tab should point to a VPNC cluster. If VPNC cluster is not selected, the traffic is forwarded as NATed. For more information of Security configuration, refer Configuring a Security Profile on a WLAN SSID.
   • Mixed—To use both L2 Forwarded and L3 Routed/NATed forwarding modes, select the Mixed option. To enable APs to Tunnel client traffic to a VPNC cluster in the Tunnel mode network, select a VPNC cluster from the Primary Gateway Cluster drop-down.
2. Select a Primary Gateway Cluster through which the traffic from the APs is to be tunneled. This configuration is mandatory.

• For site specific auto cluster, cluster drop-down list displays <group name:auto site cluster>

• For manual cluster, cluster drop-down list displays <groupname:manualclusterprofilename>. For example, Group2:TestCluster123.​

3. Optionally, you can choose to configure a Secondary Gateway Cluster as a failover, in case the primary cluster is unavailable.
   1. Enable the Cluster Preemption check box to allow the AP to switch back to the SSID of the primary gateway cluster, when it becomes available. Skip this step, if you do not wish to configure a secondary gateway cluster.
4. Select the Client VLAN Assignment mode for WLAN clients and configure the following parameters:
   • Static —Allows you to specify a VLAN id of single VLAN, or a comma separated list of VLANS, or a range of VLANs for all clients on this network, in the VLAN ID text box. You can also select the VLAN name that is mapped to the VLAN id from the scroll-down list provided next to the VLAN ID text box. If a large number of clients need to be in the same subnet Subnet is the logical division of an IP network., you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.

   • The Add Named VLAN window supports adding multiple VLAN IDs and VLAN range.

   • Ensure the branch VLAN ids of L3 Routed/NATed VLANs defined in the Microbranch groups are different than the VLAN ids specified in VPNC clusters. When a VLAN ID defined in VPNC clusters is assigned to the branch L3 Routed/NATed VLAN, clients on VLAN experience unexpected traffic behavior.

   • Dynamic—Assigns the VLANs dynamically from a DHCP server. You can also create a new VLAN assignment rules by clicking the + sign. The New VLAN Assignment Rule page is displayed to enter details such as attribute, operator, string and VLAN ID.
5. If Dynamic Client VLAN Assignment is selected, under VLAN Assignment Rules, click + Add Rule.

   The New VLAN Assignment Rule is displayed.

   1. Select the attribute from the Attribute list that the rule it matches against. The list of supported attributes includes RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options.
   2. Select the operator from the Operator list. The following types of operators are supported:
      • contains—The rule is applied only if the attribute value contains the string specified in Operand.
      • Is the role—The rule is applied if the attribute value is the role.
      • equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
      • not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
      • starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
      • ends-with—The rule is applied only if the attribute value ends with string specified in Operand.
      • matches-regular-expression—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for WLAN clients.
   3. Enter the string to match in the Stringor Integer box.
   4. Select the appropriate VLAN from the VLAN list.
   5. Click OK.
6. In the Show Named VLANS settings, you can map the VLAN ID to a VLAN Name by clicking the Add Named VLAN option.
7. Click Next to configure security settings.

Configuring a Security Profile on a WLAN SSID

You can configure the following types security profiles on a WLAN SSID:

Configuring an Enterprise Security Profile on a WLAN SSID

To configure an enterprise security profile, complete the following procedure:

1. In the WLAN SSID configuration wizard, click the Security tab.
2. In the Security tab, select the Enterprise security level, and configure the following parameters:

   Table 2: Enterprise Security Profile Configuration Parameters

   Data Pane Item	Description
   Key Management	For Enterprise security level, select any of the following options from Key Management WPA-2 Enterprise—Select this option to use WPA Wi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption.-2 security. The WPA-2 Enterprise requires user authentication and requires the use of a RADIUS server for authentication. WPA Enterprise—Select this option to use both WPA Enterprise. Both (WPA-2 & WPA)—Select this option to use both WPA-2 and WPA security. Dynamic WEP with 802.1X—If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, set Session Key for LEAP to Enabled. This is required for old printers that use dynamic WEP Wired Equivalent Privacy. WEP is a security protocol that is specified in 802.11b and is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. through LEAP Lightweight Extensible Authentication Protocol. LEAP is a Cisco proprietary version of EAP used in wireless networks and Point-to-Point connections. authentication. The Session Key for LEAP feature is Disabled by default. WPA-3 Enterprise(CCM 128)—Select this option to use WPA-3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text. WPA-3 Enterprise(GCM 256)—Select this option to use WPA-3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text. When WPA-2 Enterprise and Both (WPA2-WPA) encryption types are selected and if 802.1x authentication method is configured, OKC Opportunistic Key Caching. OKC is a technique available for authentication between multiple APs in a network where those APs are under common administrative control. Using OKC, a station roaming to any AP in the network will not have to complete a full authentication exchange, but will instead just perform the 4-way handshake to establish transient encryption keys. is enabled by default. If OKC is enabled, a cached PMK is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1x authentication. OKC roaming can be configured only for the Enterprise security level.
   Primary Server	Allows you to configure a primary authentication server. Select one of the following options from the drop-down list: Cloud Auth Cloud Authentication and Policy allows you to configure user and client access policies that provide a secured, cloud-based network access control (NAC).—Authentication through Cloud Identity provider. CPPM—Authentication through CPPM as an SAML Security Assertion Markup Language. SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. SAML enables single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication. service provider. To add a new server, click +. Enable Load Balancing toggle switch to balance the traffic between primary and secondary servers. Load Balancing appears when secondary server is selected.

3. Click Advanced Settings and configure the following parameters:

   Table 3: Advanced WLAN security Settings—Enterprise Security Profile

   Data pane item	Description
   Use Session Key for LEAP	Select this option to use the session key for Lightweight Extensible Authentication Protocol (LEAP)
   MAC Authentication	To enable MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address based authentication of clients, configure the following parameters: Perform MAC Authentication Before 802.1X — Allows you to use 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication after the client completes the MAC authentication successfully. MAC Authentication Fail-Through — On selecting this, the 802.1X authentication is attempted when the MAC authentication of an AP client fails.
   Reauth Interval	Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. The following events occur when the re-authentication interval is configured on WLAS SSIDs: On an SSID performing L2 authentication (MAC or 802.1X authentication)— When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role. On an SSID performing both L2 authentication (MAC with captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
   Denylisting	To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.
   Max Authentication Failures	Enter a value for the maximum allowed authentication failures.
   Enforce DHCP	To enforce DHCP and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP. When DHCP is enforced: A layer-2 user entry is created when a client associates with an AP. The client DHCP state and IP address are tracked. When the client obtains an IP address from DHCP, the DHCP state changes to complete. If the DHCP state is complete, a layer-3 user entry is created. When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.
   Use IP for Calling Station ID	Enable this option to configure client IP address as calling station ID.
   Called Station ID Type	Select any of the following options for configuring called station ID: Access Point Group—Uses the APs IP address as the called station ID. Access Point Name—Uses the host name of the AP as the called station ID. IP Address—Uses the IP address of the AP as the called station ID. MAC address—Uses the MAC address of the AP as the called station ID. VLAN ID—Uses the VLAN ID of the AP as the called station ID.
   Called Station ID Include SSID	Enable the toggle switch to append the SSID name to the called station ID.
   Called Station ID Delimiter	Enter the delimiter at the end of the called station ID. This field is available only if Called Station ID Include SSID is enabled.
   Uppercase Support	Enable the toggle switch to allow the AP to use uppercase letters in MAC address string for MAC authentication.
   WPA3 Transition	Enable this option to allow WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES. and WPA3 clients to be on the same SSID. NOTE: The WPA3 Transition is available only when WPA-3 Enterprise(CCM 128) option is selected from the Key Management drop-down list for Enterprise security level.
   Passpoint Service Profile	Select a Passpoint Passpoint is a Wi-Fi certified solution that enables the mobile devices to automatically authenticate on enterprise Wi-Fi networks using their cellular credentials. profile from the drop-down list. To add a new Passpoint profile, click Manage Passpoint Services.
   Fast Roaming	Enable the following fast roaming features as per your requirement: Opportunistic Key Caching (OKC)——Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is enabled, multiple APs can share Pairwise Master Keys (PMKs) and use these keys when clients roam to a neighbouring AP. The Opportunistic key caching (OKC) toggle switch is disabled by default when you select any of the encryption types from the Key Management drop-down list. 802.11r—Select 802.11r option to enable 802.11r 802.11r is an IEEE standard for enabling seamless BSS transitions in a WLAN. 802.11r standard is also referred to as Fast BSS transition. roaming. Selecting this enables fast BSS Basic Service Set. A BSS is a set of interconnected stations that can communicate with each other. BSS can be an independent BSS or infrastructure BSS. An independent BSS is an ad hoc network that does not include APs, whereas the infrastructure BSS consists of an AP and all its associated clients. transition. The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS (AP) to another within the same cluster. When 802.11r is enabled, you can configure MDID(Mobility Domain Identifier). In a network of standalone APs with the same management VLAN, 802.11r roaming is not supported as MDIDs do not match across APs. They are auto-generated based on a AP key. To enable 802.11r, you can configure an MDID with the same value. 802.11k—Select 802.11k to enable 802.11k 802.11k is an IEEE standard that enables APs and client devices to discover the best available radio resources for seamless BSS transition in a WLAN. roaming. The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other. RRM Quiet IE—Turn off the toggle switch to disable Quiet IE and disable transmission of the 802.11k Quiet IE information elements. When you enable RRM Quiet IE, the AP will advertise in beacon and probe responses the Quiet IE, that is used to silence the channel for measurement purposes. When an AP uses Quiet IE to schedule a quiet interval, stations will not transmit on that channel during the quiet interval.

4. Click Next.

Configuring Personal Security Settings for a WLAN SSID

To configure a personal security profile, complete the following procedure:

1. In the WLAN SSID configuration wizard, click the Security tab.
2. In the Security tab, select the Personal security level.
3. Select a cluster from Primary Server drop-down list.
4. From the Key Management drop-down, select one of the following encryption settings on the SSID:
   • For WPA2-Personal, WPA Personal, Both (WPA2 & WPA), and WPA3-Personal keys, specify the following parameters:
     • Passphrase Format: Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
     • Enter a passphrase in Passphrase and reconfirm.
   • For Static WEP, specify the following parameters:
     • Select an appropriate value for WEP key size from the WEP Key Size. You can specify 64-bit or 128-bit.
     • Select an appropriate value for Tx key from Tx Key.
     • Enter an appropriate WEP Key and reconfirm.
   • For MPSK AES, configure authentication server.
     • Primary Server—Sets a primary authentication server. The Primary Server option appears only for Enterprise security level and external captive portal types. Select one of the following options from the drop-down list:
     • To add a new server, click +.
       • Secondary Server—To add another server for authentication, configure another authentication server.
   • For MPSK Local, select a MPSK Multi Pre-Shared Key. The Cloud Authentication and Policy server enables MPSK in a WLAN network in Aruba Central, to provide seamless wireless network connection to the end-users and client devices.-Local server from the drop-down list.
     • To add/edit MPSK local profile—Click to add a new server. For information on configuring MPSK-Local profile, see Configuring Client Authentication.
5. Click Advanced Settings and configure the following parameters:

   Table 4: Advanced WLAN Security Settings—Personal Security Profile

   Data pane item	Description
   MAC Authentication	Toggle the switch to enable MAC address based authentication of clients. When MAC authentication is enabled, you can configure the following parameters: Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled. Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.   If MAC authentication is enabled, you can configure the following parameters: Primary Server—To use an VPNC Cluster, select VPNC cluster to authenticate with the RADIUS proxy server. Secondary Server—To add another server for authentication, configure another authentication server. Skip this step, if you do not wish to configure a secondary VPNC cluster.
   Authentication Survivability	This option appears only when MPSK-AES is selected in Key Management. To enable authentication survivability: Slide the toggle switch to the right. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache expires. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours.
   Reauth Interval	Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. The following events occur when the re-authentication interval is configured on WLAS SSIDs: On an SSID performing L2 authentication (MAC or 802.1X authentication)—When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role. On an SSID performing both L2 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
   Denylisting	To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled. Max Authentication Failures field is not applicable for WPA2-Personal key management.
   Enforce DHCP	To enforce DHCP and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP. When DHCP is enforced: A layer-2 user entry is created when a client associates with an AP. The client DHCP state and IP address are tracked. When the client obtains an IP address from DHCP, the DHCP state changes to complete. If the DHCP state is complete, a layer-3 user entry is created. When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.
   WPA3 Transition	This option appears when you select WPA3-Personal option in the Key Management drop-down list. This option allows the encryption format from WPA3 to WPA2.
   Use IP for Calling Station	Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed: Called Station ID Type—Select any of the following options for configuring called station ID: Access Point Group—Uses the AP's IP address as the called station ID. Access Point Name—Uses the host name of the AP as the called station ID. VLAN ID—Uses the VLAN ID of the AP as the called station ID. IP Address—Uses the IP address of the AP as the called station ID. MAC address—Uses the MAC address of the AP as the called station ID. Called Station Include SSID—Appends the SSID name to the called station ID. Called Station ID Delimiter—Sets delimiter at the end of the called station ID. Max Authentication Failures—Sets a value for the maximum allowed authentication failures.
   Primary Server	In the Primary Server field, select one of the following options: Cloud Auth—Authentication through Cloud Identity provider. To add a new server, click +. CPPM—Authentication through CPPM as an SAML service provider.
   Secondary Server	To select a server: In the Secondary Server field, select a server. Enable Load Balancing toggle switch to balance the traffic between primary and secondary servers. Load Balancing appears when secondary server is selected.
   Accounting	To enable accounting, select the Accounting option. On enabling this option, the APs post accounting information to the RADIUS server at the specified Accounting Interval. Select one of the following options from the drop-down list: Disabled-To disable the accounting option. Use authentication server—To select authentication servers and the accounting time interval in minutes. Use separate servers— To select specific accounting and mention the accounting interval time in minutes.
   Fast Roaming	Enable the following fast roaming features as per your requirement: 802.11k—Select 802.11k to enable 802.11k roaming. The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other. RRM Quiet IE—Configures a radio resource management IE profile elements advertised by an AP.

6. Click Next.

Configuring Visitors Security Profile for Guest User Access

To configure captive portal security profile for guest user access:

1. In the WLAN SSID configuration wizard, click the Security tab.
2. In the Security tab, select the Visitorsl security level.
3. Select a cluster from Primary Proxy Server drop-down list.
4. Configure the following parameters:

   Table 5: Captive Portal Security Profile

   Parameter	Description
   Radius Proxy	Select any one of the following options: Primary Proxy Server—To use a VPNC Cluster, select VPNC cluster to authenticate with the RADIUS proxy server. Secondary Server—To add another server for authentication, configure another authentication server. Skip this step, if you do not wish to configure a secondary VPNC cluster.
   Type > Cloud Guest	To configure a captive portal security profile with Cloud Guest: Select the Cloud Guest for Type. Select a profile from the Guest Captive Portal drop-down list. To add a new guest profile name, enter a name in Name field. The newly added guest profile has default settings.
   Type > External Captive Portal	To configure captive portal authentication with a Splash Page using an external captive portal authentication profile, select External from the Captive Portal Type drop-down. The external captive portal servers are used for authenticating guest users in a WLAN. When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID, the users connecting to the SSID are assigned a role with the captive portal rule. The guest user role allows only DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. and DHCP traffic between the client and network, and directs all HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. or HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. requests to the captive portal unless explicitly permitted.
   Captive Portal Profile	To use the default captive portal profile, select Default. To use a custom Splash Page profile, click + and configure the following parameters: Name—Enter a name for the profile. Type— Select any one of the following types of authentication: Radius Authentication—Select this option to enable user authentication against a RADIUS server. Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication. IP or Hostname—Enter the IP address or the host name of the external splash page server. URL—Enter the URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. of the external captive portal server. Port—Enter the port number that is used for communicating with the external captive portal server. Use HTTPS—Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected. Captive Portal Failure—This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network. Automatic URL Allowlisting—On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically allowlisted. Server Offload—Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server. Prevent Frame Overlay—Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page. Redirect URL—Specify a redirect URL if you want to redirect the users to another URL.
   Primary Server	In the Primary Server field, select one of the following option: Cloud Auth—Authentication through Cloud Identity provider. To add a new server, click +. CPPM—Authentication through CPPM as an SAML service provider.
   Secondary Server	In the Secondary Server field, select a server. Enable Load Balancing toggle switch to balance the traffic between primary and secondary servers. Load Balancing appears when secondary server is selected.
   Encryption	To enable encryption settings, turn on the Encryption toggle switch and select an encryption key from Key Management: For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 keys, configure the following parameters: Passphrase Format: Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters. Enter a passphrase in Passphrase and reconfirm. For Static WEP, specify the following parameters: Select an appropriate value for WEP key size from the WEP Key Size. You can define 64-bit or 128-bit. Select an appropriate value for Tx key from Tx Key. Enter an appropriate WEP Key and reconfirm. If encryption settings are not enabled, select Open or Enhanced Open from the Key Management drop-down list.

5. Click Advanced Settings and configure the following parameters:

   Table 6: Advanced WLAN Security Settings—Captive Portal Security Profile

   Data pane item	Description
   Captive Portal Proxy Server IP	To configure a captive portal proxy server or a global proxy server to match your browser configuration, enter the proxy server IP address.
   Captive Portal Proxy Server Port	If the captive portal proxy server IP address is configured, enter the captive portal proxy server port.
   MAC Authentication	To enable MAC address based authentication of clients, turn on the MAC Authentication toggle switch. When MAC authentication is enabled, you can configure the following parameters: Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled. Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
   Use IP for Calling Station	Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed: Called Station ID Type—Select any of the following options for configuring called station ID: Access Point Group—Uses the AP's IP address as the called station ID. Access Point Name—Uses the host name of the AP as the called station ID. VLAN ID—Uses the VLAN ID of the AP as the called station ID. IP Address—Uses the IP address of the AP as the called station ID. MAC address—Uses the MAC address of the AP as the called station ID. Called Station Include SSID—Appends the SSID name to the called station ID. Called Station ID Delimiter—Sets delimiter at the end of the called station ID. Max Authentication Failures—Sets a value for the maximum allowed authentication failures.
   Authentication Survivability	To enable authentication survivability: Slide the toggle switch to the right. Specify a value in hours for Cache timeout (global), to set the duration after which the authenticated credentials in the cache expires. When the cache expires, the clients are required to authenticate again. You can specify a value within a range of 1 to 99 hours.
   Reauth Interval	Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. The following events occur when the re-authentication interval is configured on WLAS SSIDs: On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role. On an SSID performing both L2 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
   Denylisting	To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.
   Enforce DHCP	To enforce DHCP and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP. When DHCP is enforced: A layer-2 user entry is created when a client associates with an AP. The client DHCP state and IP address are tracked. When the client obtains an IP address from DHCP, the DHCP state changes to complete. If the DHCP state is complete, a layer-3 user entry is created. When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.
   WPA3 Transition	Enable this option to allow WPA2 and WPA3 clients to be on the same SSID. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.
   Accounting	To enable accounting, select the Accounting option. On enabling this option, the APs post accounting information to the RADIUS server at the specified Accounting Interval. Select one of the following options from the drop-down list: Disabled—To disable the accounting option. Use authentication server—To select authentication servers and the accounting time interval in minutes. Use separate servers— To select specific accounting and mention the accounting interval time in minutes.
   Disable If Uplink Type Is	To exclude Ethernet Ethernet is a network protocol for data transmission over LAN., or 3G Third Generation of Wireless Mobile Telecommunications Technology. See W-CDMA./4G Fourth Generation of Wireless Mobile Telecommunications Technology. See LTE. uplinks from authentication, select the uplink type.

6. Click Next.

Configuring an Open Network

1. In the WLAN SSID configuration wizard, click the Security tab.
2. In the Security tab, select the Open security level.
3. Select a cluster from Primary Proxy Server drop-down list.
4. For Open security level, the Key Management includes Open, and Enhanced Open options. No encryption policy is required for both Open and Enhanced Open options.
5. Click Advanced Settings and configure the following parameters:

   Table 7: Advanced WLAN Security Settings—Open Network Profile

   Data pane item	Description
   MAC Authentication	To enable MAC address based authentication of clients, turn on the MAC Authentication toggle switch. When MAC authentication is enabled, you can configure the following parameters: Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled. Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled. If MAC authentication is enabled, you can configure the following parameters: Primary Server—To use a VPNC Cluster, select VPNC cluster to authenticate with the RADIUS proxy server. Secondary Server—To add another server for authentication, configure another authentication server. Skip this step, if you do not want to configure a secondary VPNC cluster.
   Reauth Interval	Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. The following events occur when the re-authentication interval is configured on WLAS SSIDs: On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role. On an SSID performing L2 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
   Denylisting	To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.
   Enforce DHCP	To enforce DHCP and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP. When DHCP is enforced: A layer-2 user entry is created when a client associates with an AP. The client DHCP state and IP address are tracked. When the client obtains an IP address from DHCP, the DHCP state changes to complete. If the DHCP state is complete, a layer-3 user entry is created. When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.
   WPA3 Transition	Enable this option to allow WPA2 and WPA3 clients to be on the same SSID. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.
   Use IP for Calling Station	Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed: Called Station ID Type—Select any of the following options for configuring called station ID: Access Point Group—Uses the APs IP address as the called station ID. Access Point Name—Uses the host name of the AP as the called station ID. VLAN ID—Uses the VLAN ID of the AP as the called station ID. IP Address—Uses the IP address of the AP as the called station ID. MAC address—Uses the MAC address of the AP as the called station ID. Called Station Include SSID—Appends the SSID name to the called station ID. Called Station ID Delimiter—Sets delimiter at the end of the called station ID. Max Authentication Failures—Sets a value for the maximum allowed authentication failures.
   Fast Roaming	Enable the following fast roaming features as per your requirement: 802.11k—Select 802.11k to enable 802.11k roaming. The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other. RRM Quiet IE—Configures a radio resource management IE profile elements advertised by an AP.

6. Click Next.

Configuring ACLs for User Access to a WLAN

You can configure up to 64 access rules for a wireless network profile.

To configure access rules for a network, complete the following steps:

1. In the WLAN SSID configuration wizard, click the Access tab.
2. In Access Rules, select any of the following types of access control:
   • Role-Based—Allows the users to obtain access based on the roles assigned to them.
   • Network-Based—Allows the users to be authenticated based on access rules specified for a network.
   • Unrestricted—Allows the users to obtain unrestricted access on the port.
3. If the Role-Based access control is selected:
   1. Under Role, select an existing role for which you want to apply the access rules, or click + Add Role and add the required role. To add a new access rule, click + Add Rule under Access Rules For Selected Roles.

      If a policy is created with rule type as Policy-based Routing, only a default rule is assigned. To add more Policy-based Routing rules, refer Configuring Policy-based Routing.

   2. Configure role assignment rules. To add a new role assignment rule, click New under Role Assignment Rules.
   3. Under New Role Assignment Rule:
      1. Select an attribute.
      2. Specify an operator condition.
      3. Enter a String.
      4. Select a role.
      5. Click Save.
4. (Optional) Select the Enforce Machine Authentication check box, and select a role for the following drop-down list.
   • Machine Auth Only
   • UserAuth Only
5. Click Next.

Viewing Network Summary

The Network Summary page now displays all the settings configured in the General, Security, VLANs, and Access tabs.

Click Finish to create a WLAN successfully.

Viewing WLAN SSIDs Summary Table

You can view the list of wireless SSIDs that have been configured in the Wireless Management > Wireless SSIDs page. The table includes the list of wireless SSIDs with the following details:

• Name—This column displays the name provided to the SSID profile.
• Security—This column displays the encryption mode configured for wireless SSIDs such as WPA2-AES, WPA-3, MPSK-AES, and so on.
• Access Type—This column displays scope of access to the SSID profile, for example, Unrestricted, or Restricted.
• Traffic Forwarding Mode—This column displays the type of traffic forwarding mode, for example L3 Routed/NATed.
• Network Enabled—This column displays the status of the network configured in the General > Advanced Settings > Miscellaneous > Disable Network option.