Configuring WLAN SSID Settings for Microbranch Deployments

After successfully creating a Microbranch group and provisioning the APs, the next step is to create an SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. for the Microbranch group and broadcast it in the network. Note that, all Microbranch related configurations will be made at the group level which is then forwarded on to the individual devices.

The following sections describe the procedures for creating a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID in the Bridge mode or tunnel mode, VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. assignment, security profile, user role, and access policy configuration.

Creating a WLAN Profile

To configure WLAN settings, complete the following steps:

  1. In the Aruba Central app, set the filter to a group that contains at least one AP.
    The dashboard context for the group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The tabs to configure APs is displayed.
  4. Click Wireless > WLAN.
    The Wireless SSIDs table is displayed listing the existing SSID profiles.

    You can directly edit the SSID name under the Name column of the Wireless SSIDs table. Double-click the relevant SSID that you want to rename, and type the new name. Press Enter to complete the process.

  5. To create a new SSID profile, click + Add SSID.
    The Create a New Network page is displayed.
  6. Enter a SSID name in the Name (SSID) field.
  7. Under Advanced Settings, configure the parameters as mentioned in the following table.

    Table 1: Advanced WLAN Configuration Parameters

    Parameter

    Description

    Broadcast/Multicast

    Broadcast Filtering

    Select any of the following values:

    Default value: The default value is ARP.

    DTIM Interval

    The DTIM Interval indicates the DTIM Delivery Traffic Indication Message. DTIM is a kind of traffic indication map. A DTIM interval determines when the APs must deliver broadcast and multicast frames to their associated clients in power save mode. period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the AP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode.

     

    Range: Range is 1 to 10 beacons.

     

    Default value: The default value is 1, which means the client checks for buffered data on the AP at every beacon. You can also configure a higher DTIM value for power saving.

    Dynamic Multicast Optimization (DMO)

    Select the check box to allow the AP to convert multicast streams into unicast streams over the wireless link. Enabling DMO Dynamic Multicast Optimization. DMO is a process of converting multicast streams into unicast streams over a wireless link to enhance the quality and reliability of streaming videos, while preserving the bandwidth available to non-video clients. enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.

    NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

    DMO Channel Utilization Threshold

    Specify a value to set a threshold for DMO channel utilization. With DMO, the AP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold.

    Default value: The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the AP sends multicast traffic over the wireless link.

    NOTE: This option will be enabled only when Dynamic Multicast Optimization is enabled.

    DMO Client Threshold

    Specify a value to set a threshold for number of DMO Client. With DMO, the AP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold.

    NOTE: This option will be enabled only when Dynamic Multicast Optimization is enabled.

    Transmit Rates (Legacy Only)

    2.4 GHz

    If the 2.4 GHz Gigahertz. band Band refers to a specified range of frequencies of electromagnetic radiation. is configured on the AP, specify the minimum and maximum transmission rates.

    Default value: The default value for minimum transmission rate is 1 Mbps Megabits per second and maximum transmission rate is 54 Mbps.

    5 GHz

    If the 5 GHz band is configured on the AP, specify the minimum and maximum transmission rates.

    Default value: The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.

    Bandwidth Control

    Airtime

    Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.

    Downstream

    Enter the downstream rates within a range of 1 to 65,535 Kbps Kilobits per second. for the SSID users. If the assignment is specific for each user, select the Per User check-box.

    NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

    Upstream

    Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check-box.

    NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

    Each Radio

    Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.

    Enable 11n

    When this option is selected, there is no disabling of High-Throughput (HT High Throughput. IEEE 802.11n is an HT WLAN standard that aims to achieve physical data rates of close to 600 Mbps on the 2.4 GHz and 5 GHz bands.) on 802.11n 802.11n is a wireless networking standard to improve network throughput over the two previous standards, 802.11a and 802.11g. With 802.11n, there will be a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an AP, it is automatically enabled for all SSIDs configured on an AP. By default, HT is enabled on all SSIDs.

    NOTE: If you want the 802.11ac 802.11ac is a wireless networking standard in the 802.11 family that provides high-throughput WLANs on the 5 GHz band. APs to function as 802.11n APs, clear this check-box to disable VHT Very High Throughput. IEEE 802.11ac is an emerging VHT WLAN standard that could achieve physical data rates of close to 7 Gbps for the 5 GHz band. on these devices.

    Enable 11ac

    When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an AP, it is automatically enabled for all SSIDs configured on an AP. By default, VHT is enabled on all SSIDs.

    NOTE: If you want the 802.11ac APs to function as 802.11n APs, clear this check-box to disable VHT on these devices.

     

    Enable 11ax

    When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an AP, it is automatically enabled for all SSIDs configured on an AP. By default, VHT is enabled on all SSIDs.

    Wifi Multimedia

     

    Background Wifi Multimedia Share

    Allocate bandwidth for background traffic such as file downloads or print jobs.

    Range: Specify the appropriate DSCP Differentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. mapping values within a range of 0–63 for the background traffic in the corresponding DSCP mapping text box. Enter up to 8 values with no white space and no duplicate single DHCP mapping value.

    Best Effort Wifi Multimedia Share

    Allocate bandwidth or best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS Quality of Service. It refers to the capability of a network to provide better service and performance to a specific network traffic over various technologies.. Specify the appropriate DSCP mapping values within a range of 0–63 for the best effort traffic in the corresponding DSCP mapping text box.

    Video Wifi Multimedia Share

    Allocate bandwidth for video traffic generated from video streaming.

     

    Range: Specify the appropriate DSCP mapping values within a range of 0–63 for the video traffic in the corresponding DSCP mapping text box.

    Voice Wifi Multimedia Share

    Allocate bandwidth for voice traffic generated from the incoming and outgoing voice communication.

    Range: Specify the appropriate DSCP mapping values within a range of 0–63 for the voice traffic in the corresponding DSCP mapping text box.

    NOTE: In a non-WMM Wi-Fi Multimedia. WMM is also known as WME. It refers to a Wi-Fi Alliance interoperability certification, based on the IEEE 802.11e standard. It provides basic QoS features to IEEE 802.11 networks. WMM prioritizes traffic according to four ACs: voice (AC_VO), video (AC_VI), best effort (AC_BE), and background (AC_BK). or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia Share and Voice Wifi Multimedia Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.

    Traffic Specification(TSPEC)

    Select this check box if you want TSPEC Traffic Specification. TSPEC allows an 802.11e client or a QoS-capable wireless client to signal its traffic requirements to the AP. for wireless network. The term TSPEC is used in wireless networks supporting the IEEE Institute of Electrical and Electronics Engineers. 802.11e 802.11e is an enhancement to the 802.11a and 802.11b specifications that enhances the 802.11 Media Access Control layer with a coordinated Time Division Multiple Access (TDMA) construct. It adds error-correcting mechanisms for delay-sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability between business, home, and public environments such as airports and hotels, and offers all subscribers high-speed Internet access with full-motion video, high-fidelity audio, and VoIP. Quality of Service standard. It defines a series of parameters, characteristics, and Quality of Service expectations for a traffic flow.

    TSPEC Bandwidth

    Enter the bandwidth for TSPEC.

    Spectralink Voice Protocol(SVP)

    Select this check box to opt for the SVP SpectraLink Voice Priority. SVP is an open, straightforward QoS approach that has been adopted by most leading vendors of WLAN APs. SVP favors isochronous voice packets over asynchronous data packets when contending for the wireless medium and when transmitting packets onto the wired LAN. protocol.

    WiFi Multimedia Power Save (U-APSD)

    Select this check box to enable WiFi Multimedia Power Save (U-APSD Unscheduled Automatic Power Save Delivery. U-APSD is a part of 802.11e and helps considerably in increasing the battery life of VoWLAN terminals.). The U-APSD is a power-save mechanism that is an optional part of the IEEE amendment 802.11e, QoS.

    Miscellaneous

    Band

    Select the band of radio involved in the wireless network. The options in the drop-down include All, 2.4 GHz , and 5 GHz.

    Default value: Default is All.

    Inactivity Timeout

    Specify an interval for session timeout. If a client session is inactive for the specified duration, the session expires and the users are required to log in again.

    Range: You can specify a value within the range of 60–3600 seconds.

    Default value: The default value is 1000 seconds.

    Hide SSID

    Select this check box if you do not want the SSID to be visible to users.

    Max Clients Threshold

    Specify the maximum number of clients that can be configured for each BSSID Basic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly. on a WLAN. You can specify a value within the range of 0– 255. The default value is 64.

    ESSIDSpecify the identifier that serves as an identification and address for the device to connect to a wireless router which can then access the internet. If the ESSID Extended Service Set Identifier. ESSID refers to the ID used for identifying an extended service set. value defined is not the same as the profile name, the SSID can be searched based on the ESSID value and not by its profile name.

    Local Probe Request Threshold

    Select either automatic or manual to set the Local Probe Request Threshold.

    automatic: The local probe request threshold value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi Wi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value.

    manual: Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests, if required.

    Min RSSI for auth request

    Select either automatic or manual to set the minimum RSSI Received Signal Strength Indicator. RSSI is a mechanism by which RF energy is measured by the circuitry on a wireless NIC (0-255). The RSSI is not standard across vendors. Each vendor determines its own RSSI scale/values. for authentication request.

    automatic: The minimum RSSI for authentication request value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value.

    manual: Enter the minimum RSSI threshold for authentication requests. You can specify an RSSI value within the range of 0–100 dB Decibel. Unit of measure for sound or noise and is the difference or ratio between two signal levels..

    Deauth Inactive Clients

    Select this option to allow the AP to send a deauthentication frame to the inactive client and the clear client entry.

    Can Be Used Without Uplink

    Select this check box if you do not want the SSID profile to use the uplink.

    Enable SSID When

    Enable the SSID based on the following OOS states of the AP:

    • Uplink down
    • Internet down
    • Primary uplink down

    The network turns out of service when the selected event occurs and the SSID is enabled according to the configuration settings applied. For example, if you select the Uplink down option from the drop-down list , the SSID is enabled when the uplink is down and is disabled when the uplink is restored.

    Configure a hold time interval in seconds.

    Range: Range of 30–300 seconds, after which the out-of-service operation is triggered. For example, if the uplink is down and the configured hold time is 45 seconds, the effect of this out-of-service state impacts the SSID availability after 45 seconds.

    Disable SSID When

    Disable the SSID based on the following OOS states of the AP:

    • Uplink down
    • Internet down
    • Primary uplink down

    The network turns out of service when the selected event occurs and the SSID is disabled according to the configuration settings applied. For example, if you select the Uplink down option from the drop-down list , the SSID is disabled when the uplink is down and is enabled when the uplink is restored.

    Configure a hold time interval in seconds.

    Range: Range of 30–300 seconds, after which the out-of-service operation is triggered. For example, if the uplink is down and the configured hold time is 45 seconds, the effect of this out-of-service state impacts the SSID availability after 45 seconds.

    Deny Intra VLAN Traffice

    Disables intra VLAN traffic to enable the client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.

    Management Frame Protection

    Turn on the Management Frames Protection toggle switch to provide high network security by maintaining data confidentiality of management frames. The Management Frame Protection (MFP) establishes encryption keys between the client and Instant AP using 802.11i 802.11i provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards. It requires new encryption key protocols, known as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). framework. For more information, see Configuring Management Frames Protection.

    Fine Timing Measurement (802.11mc) Responder Mode

    Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.

    Advertise AP Name

    Turn on the toggle switch to enable the advertising of AP name.

    Time Range Profiles

     

    Time Range Profile

    Ensure that the NTP Network Time Protocol. NTP is a protocol for synchronizing the clocks of computers over a network. server connection is active.

    Select a time range profile from the Time Range Profiles list and apply a status form the drop-down list.

    Click + New Time Range Profile to create a new time range profile. For more information, see Configuring Time-based Services for Microbranch.

  8. Click Next to configure VLAN settings.

You can input the fields in Advanced Settings only for network profiles with advanced configuration options.

Configuring VLAN Settings on a WLAN SSID

To configure VLAN settings for an SSID, complete the following steps:

  1. In the VLAN tab, select any of the following options in Traffic Forwarding Mode to create a Microbranch network.
    • L2 Forwarded—To forward client traffic to VPNC cluster, select the L2 Forwarded option.
    • L3 Routed/NATed—To forward client traffic to a VPNC cluster node in the Tunnel mode network, select the L3 Routed/NATed option. The radius proxy in Security tab should point to a VPNC cluster. If VPNC cluster is not selected, the traffic is forwarded as NATed. For more information of Security configuration, refer Configuring a Security Profile on a WLAN SSID.
    • Mixed—To use both L2 Forwarded and L3 Routed/NATed forwarding modes, select the Mixed option. To enable APs to Tunnel client traffic to a VPNC cluster in the Tunnel mode network, select a VPNC cluster from the Primary Gateway Cluster drop-down.
  2. Select a Primary Gateway Cluster through which the traffic from the APs is to be tunneled. This configuration is mandatory.
    • For site specific auto cluster, cluster drop-down list displays <group name:auto site cluster>

    • For manual cluster, cluster drop-down list displays <groupname:manualclusterprofilename>. For example, Group2:TestCluster123.

  3. Optionally, you can choose to configure a Secondary Gateway Cluster as a failover, in case the primary cluster is unavailable. Enable the Cluster Preemption check-box to allow the AP to switch back to the SSID of the primary gateway cluster, when it becomes available. Skip this step, if you do not wish to configure a secondary gateway cluster.
  4. Select the Client VLAN Assignment mode for WLAN clients and configure the following parameters:
    • Static —Allows you to specify a VLAN id of single VLAN, or a comma separated list of VLANS, or a range of VLANs for all clients on this network, in the VLAN ID text box. You can also select the VLAN name that is mapped to the VLAN id from the scroll-down list provided next to the VLAN ID text box. If a large number of clients need to be in the same subnet Subnet is the logical division of an IP network., you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.

    From Aruba Central 2.5.4, the Add Named VLAN window supports adding multiple VLAN IDs and VLAN range.

    Ensure the branch VLAN ids of L3 Routed/NATed VLANs defined in the Microbranch groups are different than the VLAN ids specified in VPNC clusters. When a VLAN ID defined in VPNC clusters is assigned to the branch L3 Routed/NATed VLAN, clients on VLAN experience unexpected traffic behavior.

    • Dynamic—Assigns the VLANs dynamically from a DHCP server. You can also create a new VLAN assignment rules by clicking the + sign. The New VLAN Assignment Rule page is displayed to enter details such as attribute, operator, string and VLAN ID.
    • Native Vlan—Assigns the client VLAN to the native VLAN.
  5. Under VLAN Assignment Rules, click + Add Rule.

    The New VLAN Assignment Rule is displayed.

  6. Select the attribute from the Attribute list that the rule it matches against. The list of supported attributes includes RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options.
  7. Select the operator from the Operator list. The following types of operators are supported:
    • contains—The rule is applied only if the attribute value contains the string specified in Operand.
    • Is the role—The rule is applied if the attribute value is the role.
    • equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
    • not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
    • starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
    • ends-with—The rule is applied only if the attribute value ends with string specified in Operand.
    • matches-regular-expression—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for WLAN clients.
  8. Enter the string to match in the Stringor Integer box.
  9. Select the appropriate VLAN from the VLAN list.
  10. Click OK.
  11. In the Show Named VLANS settings, you can map the VLAN ID to a VLAN Name by clicking the Add Named VLAN option.
  12. Click Next to configure security settings.

Configuring a Security Profile on a WLAN SSID

You can configure the following types security profiles on a WLAN SSID:

Configuring an Enterprise Security Profile on a WLAN SSID

To configure an enterprise security profile, complete the following procedure:

  1. In the WLAN SSID configuration wizard, click the Security tab.
  2. In the Security tab, select the Enterprise security level, and configure the following parameters:

    Table 2: Enterprise Security Profile Configuration Parameters

    Data Pane Item

    Description

    Radius Proxy

    • Primary Server—To use an VPNC Cluster, select VPNC cluster to authenticate with the RADIUS proxy server.
    • Secondary Server—To add another server for authentication, configure another authentication server. Skip this step, if you do not wish to configure a secondary VPNC cluster.
    Key Management

    For Enterprise security level, select any of the following options from Key Management

    NOTE: When WPA-2 Enterprise and Both (WPA2-WPA) encryption types are selected and if 802.1x authentication method is configured, OKC Opportunistic Key Caching. OKC is a technique available for authentication between multiple APs in a network where those APs are under common administrative control. Using OKC, a station roaming to any AP in the network will not have to complete a full authentication exchange, but will instead just perform the 4-way handshake to establish transient encryption keys. is enabled by default. If OKC is enabled, a cached PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1x authentication. OKC roaming can be configured only for the Enterprise security level.

    Primary Server

    Allows you to configure a primary authentication server. Select one of the following options from the drop-down list:

    To add a new server, click +.

    Enable Load Balancing toggle switch to balance the traffic between primary and secondary servers. Load Balancing appears when secondary server is selected.

  3. Click Advanced Settings and configure the following parameters:

    Table 3: Advanced WLAN security Settings—Enterprise Security Profile

    Data pane item

    Description

    Use Session Key for LEAP

    Select this option to use the session key for Lightweight Extensible Authentication Protocol (LEAP)

    MAC Authentication

    To enable MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address based authentication of clients, configure the following parameters:

    Reauth Interval

    Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

    The following events occur when the re-authentication interval is configured on WLAS SSIDs:

    Denylisting

    To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

    Enforce DHCP

    To enforce DHCP and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP. When DHCP is enforced:

    A layer-2 user entry is created when a client associates with an AP.

    The client DHCP state and IP address are tracked.

    When the client obtains an IP address from DHCP, the DHCP state changes to complete.

    If the DHCP state is complete, a layer-3 user entry is created.

    When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.

    Use IP for Calling Station ID

    Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:

    • Called Station ID Type—Select any of the following options for configuring called station ID:
      • Access Point Group—Uses the APs IP address as the called station ID.
      • Access Point Name—Uses the host name of the AP as the called station ID.
      • VLAN ID—Uses the VLAN ID of as the called station ID.
      • IP Address—Uses the IP address of the AP as the called station ID.
      • MAC address—Uses the MAC address of the AP as the called station ID.
    • Called Station Include SSID—Appends the SSID name to the called station ID.
    • Called Station ID Delimiter—Sets delimiter at the end of the called station ID.
    • Max Authentication Failures—Sets a value for the maximum allowed authentication failures.

    Authentication Survivability

    This option appears only when WPA2-Enterprise is selected in Key Management. Slide the toggle switch to the right to enable authentication survivability. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache expires. When the cache expires, the clients are required to authenticate again. You can specify a value within range of 1 to 99 hours.

    Passpoint Service Profile

    Select a Passpoint profile from the drop-down list. To add a new Passpoint profile, click Manage Passpoint Services.

    Accounting

    To enable accounting, select the Accounting option. On enabling this option, the APs post accounting information to the RADIUS server at the specified Accounting Interval. Select one of the following options from the drop-down list:

    Disabled-To disable the accounting option.

    Use authentication server—To select authentication servers and the accounting time interval in minutes.

    Use separate servers— To select specific accounting and mention the accounting interval time in minutes.

    Fast Roaming

    Enable the following fast roaming features as per your requirement:

  4. Click Next.

Configuring Personal Security Settings for a WLAN SSID

To configure a personal security profile, complete the following procedure:

  1. In the WLAN SSID configuration wizard, click the Security tab.
  2. In the Security tab, select the Personal security level.
  3. Select a cluster from Primary Server drop-down list.
  4. From the Key Management drop-down, select one of the following encryption settings on the SSID:
    • For WPA2-Personal, WPA Personal, Both (WPA2 & WPA), and WPA3-Personal keys, specify the following parameters:
      • Passphrase Format: Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
      • Enter a passphrase in Passphrase and reconfirm.
    • For Static WEP, specify the following parameters:
      • Select an appropriate value for WEP key size from the WEP Key Size. You can specify 64-bit or 128-bit.
      • Select an appropriate value for Tx key from Tx Key.
      • Enter an appropriate WEP Key and reconfirm.
    • For MPSK AES, configure authentication server.
      • Primary Server—Sets a primary authentication server. The Primary Server option appears only for Enterprise security level and external captive portal types. Select one of the following options from the drop-down list:
      • To add a new server, click +.
        • Secondary Server—To add another server for authentication, configure another authentication server.
    • For MPSK Local, select a MPSK-Local server from the drop-down list.
      • To add/edit MPSK local profile—Click to add a new server, For information on configuring MPSK-Local profile, see Configuring MPSK Local .
  5. Click Advanced Settings and configure the following parameters:

    Table 4: Advanced WLAN Security Settings—Personal Security Profile

    Data pane item

    Description

    MAC Authentication

    To enable MAC address based authentication of clients, turn on the MAC Authentication toggle switch. When MAC authentication is enabled, you can configure the following parameters:

    Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

    Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

     

    If MAC authentication is enabled, you can configure the following parameters:

    • Primary Server—To use an VPNC Cluster, select VPNC cluster to authenticate with the RADIUS proxy server.
    • Secondary Server—To add another server for authentication, configure another authentication server. Skip this step, if you do not wish to configure a secondary VPNC cluster.

    Authentication Survivability

    This option appears only when MPSK-AES is selected in Key Management. Slide the toggle switch to the right to enable authentication survivability. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache expires. When the cache expires, the clients are required to authenticate again. You can specify a value within range of 1 to 99 hours.

    Reauth Interval

    Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

    The following events occur when the re-authentication interval is configured on WLAS SSIDs:

    • On an SSID performing L2 authentication (MAC or 802.1X authentication)—When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.
    • On an SSID performing both L2 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.

    Denylisting

    To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

    NOTE: Max Authentication Failures field is not applicable for WPA2-Personal key management.

    Enforce DHCP

    To enforce DHCP and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP. When DHCP is enforced:

    A layer-2 user entry is created when a client associates with an AP.

    The client DHCP state and IP address are tracked.

    When the client obtains an IP address from DHCP, the DHCP state changes to complete.

    If the DHCP state is complete, a layer-3 user entry is created.

    When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.

    WPA3 Transition

    This option appears when you select WPA3-Personal option in the Key Management drop-down list. This option allows the encryption format from WPA3 to WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES..

    Use IP for Calling Station

    Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:

    • Called Station ID Type—Select any of the following options for configuring called station ID:
      • Access Point Group—Uses the AP's IP address as the called station ID.
      • Access Point Name—Uses the host name of the AP as the called station ID.
      • VLAN ID—Uses the VLAN ID of as the called station ID.
      • IP Address—Uses the IP address of the AP as the called station ID.
      • MAC address—Uses the MAC address of the AP as the called station ID.
    • Called Station Include SSID—Appends the SSID name to the called station ID.
    • Called Station ID Delimiter—Sets delimiter at the end of the called station ID.
    • Max Authentication Failures—Sets a value for the maximum allowed authentication failures.
    Primary Server

    In the Primary Server field, select one of the following option:

    • Cloud Auth—Authentication through Cloud Identity provider. To add a new server, click +.
    • CPPM—Authentication through CPPM as an SAML service provider.

    Secondary ServerIn the Secondary Server field, select a server. Enable Load Balancing toggle switch to balance the traffic between primary and secondary servers. Load Balancing appears when secondary server is selected.

    Accounting

    To enable accounting, select the Accounting option. On enabling this option, the APs post accounting information to the RADIUS server at the specified Accounting Interval. Select one of the following options from the drop-down list:

    Disabled-To disable the accounting option.

    Use authentication server—To select authentication servers and the accounting time interval in minutes.

    Use separate servers— To select specific accounting and mention the accounting interval time in minutes.

    Fast Roaming

    Enable the following fast roaming features as per your requirement:

    • 802.11k—Select 802.11k to enable 802.11k roaming. The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
    • RRM Quiet IE—Configures a radio resource management IE profile elements advertised by an AP.
  6. Click Next.

Configuring Visitors Security Profile for Guest User Access

To configure captive portal security profile for guest user access:

  1. In the WLAN SSID configuration wizard, click the Security tab.
  2. In the Security tab, select the Visitorsl security level.
  3. Select a cluster from Primary Proxy Server drop-down list.
  4. Configure the following parameters:

    Table 5: Captive Portal Security Profile

    Parameter

    Description

    Radius Proxy

    • Primary Proxy Server—To use an VPNC Cluster, select VPNC cluster to authenticate with the RADIUS proxy server.
    • Secondary Server—To add another server for authentication, configure another authentication server. Skip this step, if you do not wish to configure a secondary VPNC cluster.

    Type > Cloud Guest

    To configure a captive portal security profile with Cloud Guest, select the Cloud Guest for Type. Select a profile from the Guest Captive Portal drop-down list.

    To add a new guest profile name, enter a name in Name field.

    NOTE: The newly added guest profile has default settings.

    Type > External Captive Portal

    To configure captive portal authentication with a Splash Page using an external captive portal authentication profile, select External from the Captive Portal Type drop-down. The external captive portal serves are used for authenticating guest users in a WLAN.

    When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID, the users connecting to the SSID are assigned a role with the captive portal rule. The guest user role allows only DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. and DHCP traffic between the client and network, and directs all HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. or HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. requests to the captive portal unless explicitly permitted.

    Captive Portal Profile

    To use the default captive portal profile, select Default.

    To use a custom Splash Page profile, click + and configure the following parameters:

    Name—Enter a name for the profile.

    Type— Select any one of the following types of authentication:

    • Radius Authentication—Select this option to enable user authentication against a RADIUS server.
    • Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

    IP or Hostname—Enter the IP address or the host name of the external splash page server.

    URL—Enter the URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. of the external captive portal server.

    Port—Enter the port number that is used for communicating with the external captive portal server.

    Use HTTPS—Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

    Captive Portal Failure—This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.

    Automatic URL Allowlisting—On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically allowlisted.

    Server Offload—Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.

    Prevent Frame Overlay—Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.

    Redirect URL—Specify a redirect URL if you want to redirect the users to another URL.

    Primary Server

    In the Primary Server field, select one of the following option:

    • Cloud Auth—Authentication through Cloud Identity provider. To add a new server, click +. .
    • CPPM—Authentication through CPPM as an SAML service provider.

    Secondary ServerIn the Secondary Server field, select a server. Enable Load Balancing toggle switch to balance the traffic between primary and secondary servers. Load Balancing appears when secondary server is selected.

    Encryption

    To enable encryption settings, turn on the Encryption toggle switch and select an encryption key from Key Management:

    For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 keys, configure the following parameters:

    Passphrase Format: Select a passphrase format. The options are available are 8-63 alphanumeric characters and 64 hexadecimal characters.

    Enter a passphrase in Passphrase and reconfirm.

    For Static WEP, specify the following parameters:

    Select an appropriate value for WEP key size from the WEP Key Size. You can define 64-bit or 128-bit.

    Select an appropriate value for Tx key from Tx Key.

    Enter an appropriate WEP Key and reconfirm.

    If encryption settings are not enabled, select Open or Enhanced Open from the Key Management drop-down list.

  5. Click Advanced Settings and configure the following parameters:

    Table 6: Advanced WLAN Security Settings—Captive Portal Security Profile

    Data pane item

    Description

    Captive Portal Proxy Server IP

    To configure a captive portal proxy server or a global proxy server to match your browser configuration, enter the proxy server IP address.

    Captive Portal Proxy Server Port

    If the captive portal proxy server IP address is configured, enter the captive portal proxy server port.

    MAC Authentication

    To enable MAC address based authentication of clients, turn on the MAC Authentication toggle switch. When MAC authentication is enabled, you can configure the following parameters:

    Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

    Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

    Use IP for Calling Station

    Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:

    • Called Station ID Type—Select any of the following options for configuring called station ID:
      • Access Point Group—Uses the AP's IP address as the called station ID.
      • Access Point Name—Uses the host name of the AP as the called station ID.
      • VLAN ID—Uses the VLAN ID of as the called station ID.
      • IP Address—Uses the IP address of the AP as the called station ID.
      • MAC address—Uses the MAC address of the AP as the called station ID.
    • Called Station Include SSID—Appends the SSID name to the called station ID.
    • Called Station ID Delimiter—Sets delimiter at the end of the called station ID.
    • Max Authentication Failures—Sets a value for the maximum allowed authentication failures.

    Authentication Survivability

    Slide the toggle switch to the right to enable authentication survivability. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache expires. When the cache expires, the clients are required to authenticate again. You can specify a value within range of 1 to 99 hours.

    Reauth Interval

    Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

    The following events occur when the re-authentication interval is configured on WLAS SSIDs:

    On an SSID performing L2 authentication (MAC or 802.1X authentication)—When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.

    On an SSID performing both L2 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.

    Denylisting

    To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

    Enforce DHCP

    To enforce DHCP and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP. When DHCP is enforced:

    A layer-2 user entry is created when a client associates with an AP.

    The client DHCP state and IP address are tracked.

    When the client obtains an IP address from DHCP, the DHCP state changes to complete.

    If the DHCP state is complete, a layer-3 user entry is created.

    When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.

    WPA3 Transition

    Enable this option to allow transition from WPA3 to WPA2 and vice versa. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.

    Accounting

    To enable accounting, select the Accounting option. On enabling this option, the APs post accounting information to the RADIUS server at the specified Accounting Interval. Select one of the following options from the drop-down list:

    Disabled-To disable the accounting option.

    Use authentication server—To select authentication servers and the accounting time interval in minutes.

    Use separate servers— To select specific accounting and mention the accounting interval time in minutes.

    Disable If Uplink Type Is

    To exclude Ethernet Ethernet is a network protocol for data transmission over LAN., or 3G Third Generation of Wireless Mobile Telecommunications Technology. See W-CDMA./4G Fourth Generation of Wireless Mobile Telecommunications Technology. See LTE. uplinks from authentication, select the uplink type.

  6. Click Next.

Configuring an Open Network

  1. In the WLAN SSID configuration wizard, click the Security tab.
  2. In the Security tab, select the Open security level.
  3. Select a cluster from Primary Proxy Server drop-down list.
  4. For Open security level, the Key Management includes Open, and Enhanced Open options. No encryption policy is required for both Open and Enhanced Open options.
  5. Click Advanced Settings and configure the following parameters:

    Table 7: Advanced WLAN Security Settings—Open Network Profile

    Data pane item

    Description

    MAC Authentication

    To enable MAC address based authentication of clients, turn on the MAC Authentication toggle switch. When MAC authentication is enabled, you can configure the following parameters:

    Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

    Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

     

    If MAC authentication is enabled, you can configure the following parameters:

    • Primary Server—To use an VPNC Cluster, select VPNC cluster to authenticate with the RADIUS proxy server.
    • Secondary Server—To add another server for authentication, configure another authentication server. Skip this step, if you do not wish to configure a secondary VPNC cluster.

    Reauth Interval

    Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

    The following events occur when the re-authentication interval is configured on WLAS SSIDs:

    On an SSID performing L2 authentication (MAC or 802.1X authentication)— When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.

    On an SSID performing L2 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.

    Denylisting

    To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

    Enforce DHCP

    To enforce DHCP and to block traffic for AP clients that do not obtain IP address from DHCP, enable Enforce DHCP.When DHCP is enforced:

    A layer-2 user entry is created when a client associates with an AP.

    The client DHCP state and IP address are tracked.

    When the client obtains an IP address from DHCP, the DHCP state changes to complete.

    If the DHCP state is complete, a layer-3 user entry is created.

    When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.

    WPA3 Transition

    Enable this option to allow transition from WPA3 to WPA2 and vice versa. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.

    Use IP for Calling Station

    Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:

    • Called Station ID Type—Select any of the following options for configuring called station ID:
      • Access Point Group—Uses the APs IP address as the called station ID.
      • Access Point Name—Uses the host name of the AP as the called station ID.
      • VLAN ID—Uses the VLAN ID of as the called station ID.
      • IP Address—Uses the IP address of the AP as the called station ID.
      • MAC address—Uses the MAC address of the AP as the called station ID.
    • Called Station Include SSID—Appends the SSID name to the called station ID.
    • Called Station ID Delimiter—Sets delimiter at the end of the called station ID.
    • Max Authentication Failures—Sets a value for the maximum allowed authentication failures.

    Fast Roaming

    Enable the following fast roaming features as per your requirement:

    • 802.11k—Select 802.11k to enable 802.11k roaming. The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
    • RRM Quiet IE—Configures a radio resource management IE profile elements advertised by an AP.
  6. Click Next.

Configuring ACLs for User Access to a WLAN

You can configure up to 64 access rules for a wireless network profile.

Configuration of ACLs Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. for User Access is not applicable for Open network.

To configure access rules for a network, complete the following steps:

  1. In the WLAN SSID configuration wizard, click the Access tab.
  2. In Access Rules, select any of the following types of access control:
    • Role Based-based—Allows the users to obtain access based on the roles assigned to them.
    • Network-Based—Allows the users to be authenticated based on access rules specified for a network.
    • Unrestricted—Allows the users to obtain unrestricted access on the port.
  3. If the Role Based access control is selected:
    1. Under Role, select an existing role for which you want to apply the access rules, or click + Add Role and add the required role. To add a new access rule, click + Add Rule under Access Rules For Selected Roles.

      If a policy is created with rule type as Policy-based Routing, only a default rule is assigned. To add more Policy-based Routing rules, refer Configuring Policy-based Routing.

    2. Configure role assignment rules. To add a new role assignment rule, click New under Role Assignment Rules.
    3. Under New Role Assignment Rule:
      1. Select an attribute.
      2. Specify an operator condition.
      3. Enter a String.
      4. Select a role.
      5. Click Save.
  4. (Optional) Select the Enforce Machine Authentication check box, and select a role for the following drop-down list.
    • Machine Auth Only
    • UserAuth Only
  5. Click Next.

Viewing Network Summary

The Network Summary page now displays all the settings configured in the General, Security, VLANs, and Access tabs.

Click Finish to create a WLAN successfully

Viewing WLAN SSIDs Summary Table

You can view the list of wireless SSIDs that have been configured in the Wireless Management > Wireless SSIDs page. The table includes the list of wireless SSIDs with the following details:

  • Name—This column displays the name provided to the SSID profile.
  • Security—This column displays the encryption mode configured for wireless SSIDs such as WPA2-AES, WPA-3, MPSK-AES, and so on.
  • Access Type—This column displays scope of access to the SSID profile, for example, Unrestricted, or Restricted.
  • Traffic Forwarding Mode—This column displays the type of traffic forwarding mode, for example L3 Routed/NATed.
  • Network Enabled—This column displays the status of the network configured in the General > Advanced Settings > Miscellaneous > Disable Network option.