Configuring Wireless Network Profiles on IAPs

You can configure up to 14 SSIDs (Service Set Identifiers; an SSID is the name given to a WLAN and is used by clients to access that WLAN). By enabling Extended SSID in the System > General accordion, you can create up to 16 networks.

If more than 16 SSIDs are assigned to a zone and the extended zone option is disabled, an error message is displayed.

This section describes the following topics:

Creating a Wireless Network Profile

To configure WLAN (Wireless Local Area Network, an 802.11 standards-based LAN that users access over a wireless connection) settings, complete the following steps:

  1. In the Aruba Central app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click the WLANs tab.

    The WLANs details page is displayed.

  5. In the WLANs tab, click + Add SSID.

    The Create a New Network pane is displayed.

  6. In the General tab, enter a name that identifies the network in the Name (SSID) text-box.
  7. Under Advanced Settings, configure the following parameters:

Table 1: Advanced Settings Parameters

Parameter

Description

Broadcast/Multicast

Broadcast filtering

Select any of the following values:

DTIM Interval

The DTIM (Delivery Traffic Indication Message) interval, expressed in beacons, can be configured for every WLAN SSID profile. It determines how often the IAP delivers buffered broadcast and multicast frames to associated clients in power save mode. Range is 1 to 10 beacons.

The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast Transmission Optimization

Select the check-box if you want the IAP to select the optimal rate for sending broadcast and multicast frames, based on the lowest unicast rate across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps (Megabits per second).

The default rate for sending frames is 1 Mbps for 2.4 GHz (Gigahertz) and 6 Mbps for 5 GHz. This option is disabled by default.

Dynamic Multicast Optimization (DMO)

Select the check-box to allow the IAP to convert multicast streams into unicast streams over the wireless link. Enabling DMO (Dynamic Multicast Optimization) enhances the quality and reliability of streaming video while preserving the bandwidth available to non-video clients.

NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN (Virtual Local Area Network, a Layer 2 broadcast domain isolated from other VLANs so that packets pass between them only through a router).

DMO channel utilization threshold

Specify a threshold for DMO channel utilization. With DMO, the IAP converts multicast streams into unicast streams as long as channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When channel utilization reaches or exceeds the threshold, the IAP sends the traffic as multicast over the wireless link.

NOTE: This option will be enabled only when Dynamic Multicast Optimization is enabled.

Transmit Rates (Legacy Only)

2.4 GHz

If the 2.4 GHz band (a specified range of radio frequencies) is configured on an AP, specify the minimum and maximum transmission rates.

Default value: The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.

5 GHz

If the 5 GHz band is configured on an AP, specify the minimum and maximum transmission rates.

Default value: The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.

Beacon Rate

2.4 GHz

If the 2.4 GHz band is configured on an AP, specify the transmission rates from the 2.4 GHz drop-down list. By default, the transmission rate is set as 1 Mbps. The minimum transmission rate supported is 1 Mbps and the maximum transmission rate supported is 54 Mbps.

5 GHz

If the 5 GHz band is configured on an AP, specify the transmission rates from the 5 GHz drop-down list. By default, the transmission rate is set to 6 Mbps. The minimum transmission rate supported is 6 Mbps and the maximum transmission rate supported is 54 Mbps.

Zone

Zone

Specify the zone for the SSID. If a zone is configured in the SSID, only the IAPs in that zone broadcast this SSID. If there are no IAPs in the zone, the SSID is broadcast. If the IAP cluster has devices running Aruba Instant firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma-separated values.

NOTE: Aruba recommends that you do not configure zones in both SSID and in the device specific settings of an IAP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

Bandwidth Control

Airtime

Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.

Downstream

Enter the downstream rate within a range of 1 to 65,535 Kbps (Kilobits per second) for the SSID users. If the assignment is specific to each user, select the Per User check-box.

NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Upstream

Enter the upstream rate within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific to each user, select the Per User check-box.

NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Each Radio

Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.

Enable 11n

When this option is selected, High-Throughput (HT) is not disabled on 802.11n devices for the 5 GHz radio band. IEEE 802.11n is an HT WLAN standard that raises the maximum raw data rate from 54 Mbps to close to 600 Mbps by using four spatial streams at a channel width of 40 MHz on the 2.4 GHz and 5 GHz bands. If HT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on that IAP. By default, HT is enabled on all SSIDs.

NOTE: If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check-box to disable VHT (Very High Throughput; IEEE 802.11ac is the VHT WLAN standard for the 5 GHz band, with physical data rates of close to 7 Gbps) on these devices.

Enable 11ac

When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, VHT is enabled on all SSIDs.

NOTE: If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check-box to disable VHT on these devices.

Enable 11ax

When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, VHT is enabled on all SSIDs.

WiFi Multimedia

Background Wifi Multimedia Share

Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP (Differentiated Services Code Point, a 6-bit packet header value used for traffic classification and priority assignment) mapping values within a range of 0–63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate DSCP mapping value.

Best Effort Wifi Multimedia Share

Allocates bandwidth for best effort traffic, such as traffic from legacy devices or from applications or devices that do not support QoS (Quality of Service, the capability of a network to give better service to specific traffic). Specify the appropriate DSCP mapping values within a range of 0–63 for the best effort traffic in the corresponding DSCP mapping text-box.

Video Wifi Multimedia Share

Allocates bandwidth for video traffic generated from video streaming. Specify the appropriate DSCP mapping values within a range of 0–63 for the video traffic in the corresponding DSCP mapping text-box.

Voice Wifi Multimedia Share

Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0–63 for the voice traffic in the corresponding DSCP mapping text-box.

NOTE: WMM (Wi-Fi Multimedia, also known as WME) is a Wi-Fi Alliance certification based on IEEE 802.11e that prioritizes traffic into four access categories: voice (AC_VO), video (AC_VI), best effort (AC_BE), and background (AC_BK). In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia Share and Voice Wifi Multimedia Share to give more bandwidth to clients transmitting best effort and voice traffic.
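The four DSCP mapping text-boxes above share one value format. The following Python is an added example, not Aruba code: it parses and validates a mapping under the rules the table states (0–63, at most 8 values, no white space, no duplicates), assumes the values are comma-separated, and adds a cross-category check that one DSCP value is not claimed by two access categories (this example's own assumption).

```python
"""Validator for the WMM DSCP mapping fields (added example, not Aruba code).

Rules from the table: each value is 0-63, at most 8 values per access
category, no white space, no duplicates. Assumed for this example: values
are comma-separated, and no DSCP value may belong to two categories.
"""

# The four WMM access categories named in the note above
ACCESS_CATEGORIES = ("AC_BK", "AC_BE", "AC_VI", "AC_VO")


def parse_dscp_field(text: str) -> list[int]:
    """Parse one DSCP mapping text-box value, e.g. '8,16' -> [8, 16].

    Raises ValueError naming the violated rule, so a caller can reject the
    profile before it is pushed to the IAPs.
    """
    if text == "":
        return []
    if any(ch.isspace() for ch in text):
        raise ValueError("white space is not allowed in a DSCP mapping")
    values: list[int] = []
    for token in text.split(","):
        if not token.isdigit():
            raise ValueError(f"{token!r} is not a decimal DSCP value")
        value = int(token)
        if not 0 <= value <= 63:
            raise ValueError(f"DSCP {value} is outside the 0-63 range")
        if value in values:
            raise ValueError(f"duplicate DSCP value {value}")
        values.append(value)
    if len(values) > 8:
        raise ValueError("at most 8 DSCP values per access category")
    return values


def build_dscp_to_ac(fields: dict[str, str]) -> dict[int, str]:
    """Combine the four text-box values into one DSCP -> AC lookup table.

    `fields` maps an access category name to its text-box content.
    """
    table: dict[int, str] = {}
    for ac in ACCESS_CATEGORIES:
        for value in parse_dscp_field(fields.get(ac, "")):
            if value in table:  # assumed cross-category rule
                raise ValueError(
                    f"DSCP {value} is mapped to both {table[value]} and {ac}")
            table[value] = ac
    return table


def classify(dscp: int, table: dict[int, str]) -> str:
    """Return the access category for a frame marked with `dscp`.

    Unmapped code points fall back to best effort, the category the table
    describes for traffic without QoS support (assumption of this example).
    """
    return table.get(dscp, "AC_BE")


if __name__ == "__main__":
    # Constructed sample configuration using common DiffServ code points
    sample = {"AC_BK": "8,10", "AC_BE": "0,18", "AC_VI": "32,34", "AC_VO": "46,56"}
    lookup = build_dscp_to_ac(sample)
    print(classify(46, lookup), classify(8, lookup), classify(12, lookup))
```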

Traffic Specification (TSPEC)

Select this check-box to enable TSPEC (Traffic Specification) for the wireless network. TSPEC allows an 802.11e client or a QoS-capable wireless client to signal its traffic requirements to the AP. The term is used in wireless networks supporting the IEEE 802.11e Quality of Service standard, which enhances the 802.11 Media Access Control layer with a coordinated Time Division Multiple Access (TDMA) construct and adds error-correcting mechanisms for delay-sensitive applications such as voice and video. A TSPEC defines a series of parameters, characteristics, and Quality of Service expectations of a traffic flow.

TSPEC Bandwidth

Enter the bandwidth for the TSPEC.

Spectralink Voice Protocol (SVP)

Select this check-box to use the SVP (SpectraLink Voice Priority) protocol. SVP is an open, straightforward QoS approach adopted by most leading vendors of WLAN APs; it favors isochronous voice packets over asynchronous data packets when contending for the wireless medium and when transmitting packets onto the wired LAN.

WiFi Multimedia Power Save (U-APSD)

Select this check-box to enable WiFi Multimedia Power Save (U-APSD, Unscheduled Automatic Power Save Delivery). U-APSD is a power saving mechanism that is an optional part of the IEEE 802.11e QoS amendment and helps considerably in increasing the battery life of VoWLAN terminals.

Miscellaneous

Band

Select a check-box to specify the band on which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or 6 GHz.

6 GHz band is only supported for devices with 6 GHz capability.

6GHz Mesh

Turn on the toggle switch to enable 6 GHz mesh, which allows mesh access points to form a mesh network.

6 GHz Mesh is only supported for devices with 6 GHz capability.

Content Filtering

Select this option to route all DNS (Domain Name System) requests for non-corporate domains on this network to OpenDNS.

Primary Usage

Based on the type of network profile, select one of the following options:

NOTE: When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.

Inactivity timeout

Specify an interval for session timeout in seconds, minutes, or hours. If a client session is inactive for the specified duration, the session expires and the user is required to log in again. You can specify a value within the range of 60–86,400 seconds (24 hours) for a client session. The default value is 1000 seconds.

Hide SSID

Select this option if you do not want the SSID to be visible to users.

Disable Network

Select this option if you want to disable the SSID. When selected, the SSID is disabled, but is not removed from the network. By default, all SSIDs are enabled.

Max clients threshold

Specify the maximum number of clients that can be configured for each BSSID (Basic Service Set Identifier; in infrastructure networks, the BSSID is the MAC address of the AP) on a WLAN. You can specify a value within the range of 0–255. The default value is 64.

ESSID

Specify the identifier that clients use to identify and connect to the wireless network. If the ESSID (Extended Service Set Identifier, the ID used for identifying an extended service set) value defined is not the same as the profile name, the SSID is found by its ESSID value and not by its profile name.

Local Probe Request Threshold

Select either automatic or manual to set the Local Probe Request Threshold.

automatic: The local probe request threshold value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value.

manual: Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests, if required.

Min RSSI for auth request

Select either automatic or manual to set the minimum RSSI (Received Signal Strength Indicator, a measure of the RF energy received by a wireless NIC; the scale is not standard across vendors) for authentication requests.

automatic: The minimum RSSI for authentication request value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value.

manual: Enter the minimum RSSI threshold for authentication requests. You can specify an RSSI value within the range of 0–100 dB.

Deauth inactive clients

Select this option to allow the IAP to send a de-authentication frame to an inactive client and clear the client entry.

Can be used without uplink

Select this option if you do not want the SSID profile to use the uplink.

Deny inter user bridging

Disables bridging traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.

Enable SSID when

Select an option from the drop-down list and specify the time period.

Disable SSID when

Select an option from the drop-down list and specify the time period.

Deny Intra VLAN Traffic

Disables intra VLAN traffic to enable the client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.

Management Frame Protection

Turn on the Management Frames Protection toggle switch to increase network security by maintaining the confidentiality of management frames. Management Frame Protection (MFP) establishes encryption keys between the client and the Instant AP using the 802.11i framework (the standard that introduced the TKIP and AES key protocols for 802.11a/b/g networks). For more information, see Configuring Management Frames Protection.

Fine Timing Measurement (802.11mc) Responder Mode

Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.

Advertise AP Name

Turn on the toggle switch to enable the advertising of AP name.

Time Range Profiles

Time Range Profiles

Ensure that the NTP (Network Time Protocol) server connection is active.

Select a time range profile from the Time Range Profiles list and apply a status from the drop-down list.

Click + New Time Range Profile to create a new time range profile. For more information, see Configuring Time-Based Services for Wireless Network Profiles.

Configuring VLAN Settings for Wireless Network

To configure VLANs settings for an SSID, complete the following steps:

  1. In the VLANs tab, select any of the following options for Client IP Assignment:
    • Instant AP assigned—When selected, the client obtains the IP address from the VC.
    • External DHCP server assigned—When selected, the client obtains the IP address from the network.
  2. Based on the type of client IP assignment mode selected, configure the following parameters:

    Table 2: VLANs Parameters

    Parameter

    Description

    Instant AP assigned

    When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the IAP for the wireless clients. Network address translation for all client traffic that leaves this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs.

    If this option is selected, specify any of the following options in Client VLAN Assignment:

    • Internal VLAN—Assigns IP address to the client in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
    • Custom—Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

    External DHCP server assigned

    When this option is selected, specify any of the following options in Client VLAN Assignment:

    • Static—In VLAN ID, specify one or more VLAN IDs. If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.
      • To show or hide the Named VLAN table, click Show Named VLANs. To add a new Named VLAN, complete the following steps:
        1. Click +Add Named VLAN. The Add Named VLAN window is displayed.
        2. Enter the VLAN Name and VLAN details, and then click OK.
    • Dynamic—Assigns the VLANs dynamically from a DHCP server.
      •  To add a new VLAN assignment rule, complete the following steps:
        1. Click + Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
        2. Enter the Attribute, Operator, String, and VLAN details, and then click OK.
      • To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon.
      • To show or hide the Named VLAN table, click Show Named VLANs. To add a new Named VLAN, complete the following steps:
        1. Click +Add Named VLAN. The Add Named VLAN window is displayed.
        2. Enter the VLAN Name and VLAN details, and then click OK.
      • To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon.
    • Native VLAN—Assigns the client to the native VLAN.

    From Aruba Central 2.5.4, the Add Named VLAN window supports adding multiple VLAN IDs and VLAN range.

  3. Click Next.

Configuring Security Settings for Wireless Network

To configure security settings for mixed traffic or voice network, complete the following steps:

  1. In the Security tab, specify any one of the following options in the Security Level:
    • Enterprise—On selecting Enterprise security level, the authentication options applicable to the network are displayed.
    • Personal—On selecting Personal security level, the authentication options applicable to the personalized network are displayed.
    • Visitors—On selecting Visitors security level, the authentication options applicable to the visitors network are displayed. For more information on visitors security level, see Configuring Wireless Networks for Guest Users on IAPs.
    • Open—On selecting Open security level, the authentication options applicable to the open network are displayed.

      The default security setting for a network profile is Personal.

  2. Based on the security level specified, configure the following basic parameters:

    Table 3: Basic WLAN Security Parameters

    Data Pane Item

    Description

    Key Management

    For Enterprise security level, select an encryption key from Key Management drop-down list:

    NOTE: When either WPA-2 Enterprise or Both (WPA2-WPA) encryption type is selected and the 802.1X authentication method is configured, ensure that you turn on the Opportunistic Key Caching (OKC) toggle switch under Advanced Settings. OKC is a technique for authentication between multiple APs under common administrative control: a station roaming to any AP in the network does not complete a full authentication exchange but only performs the 4-way handshake to establish transient encryption keys. When OKC is enabled, a cached Pairwise Master Key (PMK, the shared secret generated after PSK or 802.1X authentication) is used when the client roams to a new AP. This allows faster roaming of clients without a complete 802.1X authentication. OKC roaming can be configured only for the Enterprise security level.

    For Personal security level, select an encryption key from Key Management drop-down list.

    • For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 Personal keys, specify the following parameters:
      1. Passphrase Format—Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
      2. Passphrase—Enter a passphrase.
      3. Retype—Retype the passphrase to confirm.
    • For Static WEP, specify the following parameters:
      1. WEP Key Size—Select an appropriate value for WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
      2. WEP Key—Enter an appropriate WEP key.
      3. Retype WEP Key—Retype the WEP key to confirm.
    • For MPSK-AES, select a primary server from the drop-down list.
    • For MPSK-LOCAL, select a Mpsk Local server from the drop-down list.

    For Visitors security level, select an encryption key from Key Management.

    • Select Open or Enhanced Open from the drop-down list.

    For information on visitors security level, see Configuring Wireless Networks for Guest Users on IAPs.

    For Open security level, the Key Management includes Open and Enhanced Open options.

    EAP offload

    This option is applicable to the Enterprise security level only. To terminate the EAP (Extensible Authentication Protocol, which supports multiple authentication mechanisms such as token cards, smart cards, certificates, one-time passwords, and public key authentication) portion of 802.1X authentication on the Instant AP instead of on the RADIUS server, turn on the EAP offload toggle switch. Enabling EAP offload can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server and the Instant AP acts as a relay for this exchange. When EAP offload is enabled, the Instant AP itself acts as an authentication server and terminates the outer layers of the EAP protocol, relaying only the innermost layer to the external RADIUS server. This can also reduce the number of packets exchanged between the Instant AP and the authentication server.

    Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID.

    If you are using LDAP (Lightweight Directory Access Protocol) for authentication, ensure that Instant AP termination is configured to support EAP.

    Authentication Server

    Configure the following parameters:

    Users

    Click Users to add the users. Registered users of the Employee type can access the Enterprise network. To add a new user, click + Add User and enter the new user in the Add User pane. The Primary Server option appears only for Enterprise security level, Internal Captive Portal, and External Captive Portal.

  3. Based on the security level specified, specify the following parameters in the Advanced Settings section:

    Table 4: Advanced WLAN Security Parameters

    Data pane item

    Description

    Use Session Key for LEAP

    Turn on the toggle switch to use the session key for Lightweight Extensible Authentication Protocol. This option is available only for Enterprise level.

    Opportunistic Key Caching (OKC)

    Turn on the Opportunistic Key Caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is enabled, multiple APs can share Pairwise Master Keys (PMKs) among themselves, and a station can roam to a new access point that it has not visited before and reuse a PMK that was established with the current AP. OKC allows the station to roam quickly to an access point it has never authenticated to, without having to perform pre-authentication. OKC is available on WPA2 (Wi-Fi Protected Access 2, which supports IEEE 802.1X/EAP authentication or PSK and uses CCMP/AES encryption) SSIDs only.

    MAC Authentication for Enterprise Networks

    To enable MAC address based authentication for Personal and Open security levels, turn on the toggle switch to enable MAC Authentication. For Enterprise security level, the following options are available:

    • Perform MAC authentication before 802.1X—Select this to use 802.1X authentication only when the MAC authentication is successful.
    • MAC Authentication Fail-Through—On selecting this, the 802.1X authentication is attempted when the MAC authentication fails.
    • If MAC Authentication is enabled, configure the following parameters:
    • Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
    • Uppercase Support—Turn on the toggle switch to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

    Reauth Interval

    Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

    If the re-authentication interval is configured:

    • On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.
    • On an SSID performing both L2 and L3 authentication (MAC with visitors security level authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
    • On an SSID performing only L3 authentication (visitors security level authentication): When re-authentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through visitors security level authentication to regain access.

    Denylisting

    By default, this option is disabled. To enable denylisting of clients after a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. Users who fail to authenticate the number of times specified in the Max Authentication Failures field are dynamically denylisted.
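To see how the Max Authentication Failures limit would surface in monitoring, here is an added Python example (not Aruba code) that counts authentication failures per client and SSID over constructed log lines; the line format, the `auth-fail`/`auth-ok` event names and the reset-on-success rule are assumptions of this example.

```python
"""Detect clients that reach Max Authentication Failures (added example,
not Aruba code). The log format is constructed for this example; the
real Instant messages differ."""
import re
from collections import defaultdict

# Constructed sample lines: timestamp, event, client MAC, SSID
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth-fail mac=8c:3b:ad:11:22:33 ssid=corp
2024-05-01T09:00:03 auth-fail mac=8c:3b:ad:11:22:33 ssid=corp
2024-05-01T09:00:04 auth-ok   mac=d4:6e:0e:aa:bb:cc ssid=corp
2024-05-01T09:00:06 auth-fail mac=8c:3b:ad:11:22:33 ssid=corp
2024-05-01T09:00:09 auth-fail mac=d4:6e:0e:aa:bb:cc ssid=corp
2024-05-01T09:00:10 auth-ok   mac=d4:6e:0e:aa:bb:cc ssid=corp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>auth-fail|auth-ok)\s+"
    r"mac=(?P<mac>[0-9a-f:]{17})\s+ssid=(?P<ssid>\S+)$"
)


def denylisted_clients(log: str, max_auth_failures: int) -> dict[str, str]:
    """Return {mac: timestamp} for clients whose consecutive failures on one
    SSID reached max_auth_failures.

    A successful authentication resets the counter; the page does not say
    whether the IAP counts consecutive or total failures, so this is an
    assumption of the example.
    """
    failures: dict[tuple[str, str], int] = defaultdict(int)
    hits: dict[str, str] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        key = (m["mac"], m["ssid"])
        if m["event"] == "auth-ok":
            failures[key] = 0
            continue
        failures[key] += 1
        if failures[key] >= max_auth_failures and m["mac"] not in hits:
            hits[m["mac"]] = m["ts"]  # record when the limit was first hit
    return hits


if __name__ == "__main__":
    for mac, ts in denylisted_clients(SAMPLE_LOG, 3).items():
        print(f"{mac} reached the failure limit at {ts}")
```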

    Enforce DHCP

    Enforces DHCP for clients on this WLAN SSID. When DHCP is enforced:

    • A layer-2 user entry is created when a client associates with an IAP.
    • The client DHCP state and IP address are tracked.
    • When the client obtains an IP address from DHCP, the DHCP state changes to complete.
    • If the DHCP state is complete, a layer-3 user entry is created.
    • When a client roams between IAPs, the DHCP state and the client IP address are synchronized with the new IAP.
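The five bullets above describe a per-client lifecycle. The following Python is an added example that is not Aruba code: it models the lifecycle as a per-IAP user table, and the event names, the `EnforceDhcpTable` class and the rule that IP traffic is forwarded only for a client holding a layer-3 entry and sourcing from its leased address are this example's own interpretation.

```python
"""Model of the Enforce DHCP user-entry lifecycle (added example, not
Aruba code). Event names, the per-IAP table and the forwarding rule are
this example's own interpretation of the five bullets above."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserEntry:
    mac: str
    dhcp_state: str = "pending"   # "complete" once a lease is observed
    ip: Optional[str] = None
    has_l3_entry: bool = False    # created only when dhcp_state is complete


@dataclass
class EnforceDhcpTable:
    # One user table per IAP, keyed by IAP name and then by client MAC
    tables: dict[str, dict[str, UserEntry]] = field(default_factory=dict)

    def lookup(self, iap: str, mac: str) -> Optional[UserEntry]:
        return self.tables.get(iap, {}).get(mac)

    def associate(self, iap: str, mac: str) -> UserEntry:
        # Bullet 1: association creates only a layer-2 entry
        entry = UserEntry(mac=mac)
        self.tables.setdefault(iap, {})[mac] = entry
        return entry

    def dhcp_complete(self, iap: str, mac: str, ip: str) -> UserEntry:
        # Bullets 2-4: the lease is tracked, the state becomes complete,
        # and only then does the client get a layer-3 entry
        entry = self.tables[iap][mac]
        entry.ip = ip
        entry.dhcp_state = "complete"
        entry.has_l3_entry = True
        return entry

    def roam(self, old_iap: str, new_iap: str, mac: str) -> UserEntry:
        # Bullet 5: the new IAP receives the DHCP state and IP address, so
        # the client is not treated as a fresh, lease-less association
        entry = self.tables[old_iap].pop(mac)
        self.tables.setdefault(new_iap, {})[mac] = entry
        return entry

    def ip_forwarding_allowed(self, iap: str, mac: str, src_ip: str) -> bool:
        """Assumed enforcement rule: forward IP traffic only from a client
        that holds a layer-3 entry and sources from its leased address.
        A client that configured a static address never reaches that state."""
        entry = self.lookup(iap, mac)
        if entry is None or not entry.has_l3_entry:
            return False
        return entry.ip == src_ip


if __name__ == "__main__":
    # Constructed walk-through: associate, lease, roam
    table = EnforceDhcpTable()
    client = "8c:3b:ad:11:22:33"
    table.associate("iap-1", client)
    print("before lease:", table.ip_forwarding_allowed("iap-1", client, "10.0.0.5"))
    table.dhcp_complete("iap-1", client, "10.0.0.5")
    table.roam("iap-1", "iap-2", client)
    print("after roam:", table.ip_forwarding_allowed("iap-2", client, "10.0.0.5"))
```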

    WPA3 Transition

    Enable this option to allow transition from WPA3 to WPA2 and vice versa. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Visitors, and Open level.

    Legacy Support

    Enable this option to allow backward compatibility of encryption modes in networks. The Legacy Support appears only when WPA3 is selected in the Key Management for Personal, Visitors, and Open level.

    Use IP for Calling Station ID

    Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:

    • Called Station ID Type—Select any of the following options for configuring called station ID:
      • Access Point Group—Uses the VC ID as the called station ID.
      • Access Point Name—Uses the host name of the IAP as the called station ID.
      • VLAN ID—Uses the VLAN ID as the called station ID.
      • IP Address—Uses the IP address of the IAP as the called station ID.
      • MAC address—Uses the MAC address of the IAP as the called station ID.
    • Called Station ID Include SSID—Appends the SSID name to the called station ID.

    NOTE: The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.

    • Called Station ID Delimiter—Sets delimiter at the end of the called station ID.
    • Max Authentication Failures—Sets a value for the maximum allowed authentication failures.

    Delimiter Character

    Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

    Uppercase Support

    Select this option to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
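The delimiter, uppercase and station-ID options above determine what the RADIUS server sees in a MAC-authentication request, which is what its policy rules match on. The Python below is an added example, not Aruba code: `format_mac`, `Iap` and `access_request_ids` are its own names, and the way the SSID is joined onto Called-Station-Id with the configured delimiter is assumed rather than taken from the page.

```python
"""Render the RADIUS identifiers shaped by the MAC-authentication and
Station-ID settings (added example, not Aruba code). The attribute names
are the standard RADIUS ones; how the SSID is appended to
Called-Station-Id is an assumption of this example."""
import re
from dataclasses import dataclass
from typing import Optional


def format_mac(mac: str, delimiter: Optional[str], uppercase: bool) -> str:
    """Render a MAC as the Delimiter Character and Uppercase Support
    options describe: 12 hex digits, optionally split into pairs."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    if not delimiter:
        return digits  # xxxxxxxxxxxx format when no delimiter is set
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Iap:
    vc_id: str      # "Access Point Group" uses the virtual controller ID
    hostname: str   # "Access Point Name"
    ip: str         # "IP Address"
    mac: str        # "MAC address"
    vlan_id: int    # "VLAN ID"


def called_station_id(iap: Iap, id_type: str, include_ssid: bool, ssid: str,
                      station_delim: str, mac_delim: Optional[str],
                      uppercase: bool) -> str:
    """Build Called-Station-Id from the Called Station ID Type options."""
    base = {
        "group": iap.vc_id,
        "name": iap.hostname,
        "vlan": str(iap.vlan_id),
        "ip": iap.ip,
        "mac": format_mac(iap.mac, mac_delim, uppercase),
    }[id_type]
    # Assumption: the configured delimiter separates the ID from the SSID
    return f"{base}{station_delim}{ssid}" if include_ssid else base


def access_request_ids(client_mac: str, client_ip: str, use_ip_for_calling: bool,
                       iap: Iap, id_type: str, include_ssid: bool, ssid: str,
                       station_delim: str = ":", mac_delim: Optional[str] = None,
                       uppercase: bool = False) -> dict[str, str]:
    """Return the identifying attributes of a MAC-authentication Access-Request."""
    client = format_mac(client_mac, mac_delim, uppercase)
    return {
        # Assumption: the client MAC, rendered per the delimiter/uppercase
        # options, is what the IAP sends as the user identity
        "User-Name": client,
        "Calling-Station-Id": client_ip if use_ip_for_calling else client,
        "Called-Station-Id": called_station_id(iap, id_type, include_ssid, ssid,
                                               station_delim, mac_delim, uppercase),
    }


if __name__ == "__main__":
    # Constructed AP and client values
    ap = Iap(vc_id="vc-01", hostname="ap-lobby", ip="10.1.1.10",
             mac="00:1a:1e:aa:bb:cc", vlan_id=20)
    print(access_request_ids("8C:3B:AD:11:22:33", "10.1.20.5", False, ap,
                             "mac", True, "corp", mac_delim="-", uppercase=True))
```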

    Fast Roaming

    Enable the following fast roaming features as per your requirement:

  4. Click Next.

Configuring ACLs for User Access to a Wireless Network

You can configure up to 64 access rules for a wireless network profile. To configure access rules for a network, complete the following steps:

  1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. For more information, see Configuring Downloadable Roles.
  2. Click the action corresponding to the server. The Edit Server page is displayed.

Viewing Wireless SSID Summary

In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.