Configuring Wireless Network Profiles on Instant APs
You can configure up to 14 SSIDs (Service Set Identifier: the name given to a WLAN, which clients use to access it). By enabling in the > accordion, you can create up to 16 networks.
If more than 16 SSIDs are assigned to a zone and the extended zone option is disabled, an error message is displayed.
This section describes the following topics:
Creating a Wireless Network Profile
Configuring VLAN Settings for Wireless Network
Configuring Security Settings for Wireless Network
Configuring ACLs for User Access to a Wireless Network
Creating a Wireless Network Profile
To configure WLAN (Wireless Local Area Network: an 802.11 standards-based LAN that users access through a wireless connection) settings, complete the following steps:
1. In the app, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed.
2. Under , click > .
A list of access points is displayed in the view.
3. Click the icon.
The tabs to configure the access points are displayed.
4. Click the tab.
The WLANs details page is displayed.
5. In the tab, click .
The pane is displayed.
6. In the tab, enter a name that identifies the network in the Name (SSID) text-box.
7. Under , configure the following parameters:
Parameter | Description
---|---
 | Select any of the following values: —The Instant AP drops all broadcast and multicast frames except DHCP (Dynamic Host Configuration Protocol) and ARP (Address Resolution Protocol), IGMP (Internet Group Management Protocol) group queries, and IPv6 neighbor discovery protocols. —The Instant AP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols; additionally, it converts ARP requests to unicast and sends the frames directly to the associated clients. By default, the Instant AP is configured to ARP mode. —This option enables the Instant AP to convert ARP requests to unicast frames, thereby sending them to the associated clients. —The Instant AP forwards all broadcast and multicast traffic to the wireless interfaces.
 | The DTIM (Delivery Traffic Indication Message) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the Instant AP delivers the buffered broadcast and multicast frames to the associated clients in power save mode. The range is 1 to 10 beacons. The default value is 1, which means the client checks for buffered data on the Instant AP at every beacon. You can also configure a higher DTIM value for power saving.
 | Select the check-box if you want the Instant AP to select the optimal rate for sending broadcast and multicast frames, based on the lowest of the unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps (megabits per second). The default rate for sending frames on 2.4 GHz (gigahertz) is 1 Mbps and on 5 GHz it is 6 Mbps. This option is disabled by default.
 | Select the check-box to allow the Instant AP to convert multicast streams into unicast streams over the wireless link. Enabling DMO (Dynamic Multicast Optimization) enhances the quality and reliability of streaming video while preserving the bandwidth available to non-video clients. When you enable DMO on multicast SSID profiles, ensure that DMO is enabled on all SSIDs configured in the same VLAN (Virtual Local Area Network).
 | Specify a value to set a threshold for DMO channel utilization. With DMO, the Instant AP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeded, the Instant AP sends multicast traffic over the wireless link. This option is enabled only when is enabled.
 | If the 2.4 GHz band is configured on the Instant AP, specify the minimum and maximum transmission rates. The default minimum transmission rate is 1 Mbps and the default maximum transmission rate is 54 Mbps.
 | If the 5 GHz band is configured on the Instant AP, specify the minimum and maximum transmission rates. The default minimum transmission rate is 6 Mbps and the default maximum transmission rate is 54 Mbps.
 | Specify the zone for the SSID. If a zone is configured in the SSID, only the Instant APs in that zone broadcast this SSID. If there are no Instant APs in the zone, the SSID is broadcast. If the Instant AP cluster has devices running Aruba Instant firmware versions 6.5.4.7 or later and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma-separated values. Aruba recommends that you do not configure zones both in the SSID and in the device-specific settings of an Instant AP. If the same zones are configured in the SSID and in the Per AP settings, APs may broadcast the SSIDs, but if the SSID and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see the Aruba Instant User Guide.
 | Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
 | Enter the downstream rates within a range of 1 to 65,535 Kbps (kilobits per second) for the SSID users. If the assignment is specific to each user, select the check-box. The bandwidth limit set in this way is implemented at the device level, not at the cluster level.
 | Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific to each user, select the Per user check-box. The bandwidth limit set in this way is implemented at the device level, not at the cluster level.
 | Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.
 | When this option is selected, High-Throughput (HT, the 802.11n rate set) is not disabled on 802.11n devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on the Instant AP. By default, HT is enabled on all SSIDs. If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check-box to disable VHT (Very High Throughput, the 802.11ac rate set) on these devices.
 | When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on the Instant AP. By default, VHT is enabled on all SSIDs. If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check-box to disable VHT on these devices.
 | When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on the Instant AP. By default, VHT is enabled on all SSIDs.
 | Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP (Differentiated Services Code Point, a 6-bit packet header value used for traffic classification and priority assignment) mapping values within a range of 0–63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate DSCP mapping values.
 | Allocates bandwidth for best effort traffic, such as traffic from legacy devices or from applications or devices that do not support QoS (Quality of Service). Specify the appropriate DSCP mapping values within a range of 0–63 for the best effort traffic in the corresponding DSCP mapping text-box.
 | Allocates bandwidth for video traffic generated by video streaming. Specify the appropriate DSCP mapping values within a range of 0–63 for the video traffic in the corresponding DSCP mapping text-box.
 | Allocates bandwidth for voice traffic generated by incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0–63 for the voice traffic in the corresponding DSCP mapping text-box. In a non-WMM (Wi-Fi Multimedia) or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for share and to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
 | Select this check-box if you want to set the TSPEC (Traffic Specification) for the wireless network. TSPEC allows an 802.11e client or a QoS-capable wireless client to signal its traffic requirements to the AP. The term TSPEC is used in wireless networks supporting the IEEE 802.11e Quality of Service standard. It defines a series of parameters, characteristics, and Quality of Service expectations of a traffic flow.
 | Enter the bandwidth for the TSPEC.
 | Select this check-box to opt for the SVP (SpectraLink Voice Priority) protocol. SVP favors isochronous voice packets over asynchronous data packets when contending for the wireless medium and when transmitting packets onto the wired LAN.
 | Select this check-box to enable Wi-Fi Multimedia Power Save (U-APSD, Unscheduled Automatic Power Save Delivery). U-APSD is a power saving mechanism that is an optional part of the IEEE 802.11e QoS amendment.
 | Select a value from the drop-down list to specify the band at which the network transmits radio signals. You can set the band to , , or . The option is selected by default.
 | Select this check-box to route all DNS (Domain Name System) requests for non-corporate domains to OpenDNS on this network.
 | Based on the type of network profile, select one of the following options: —Select this option to create an employee or guest network profile. The employee network is used by the employees in an organization and supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The guest network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The VC assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network; however, you can specify the encryption settings when configuring a guest network. —Select this option to configure a network profile for devices that provide only voice services, such as handsets or applications that require voice traffic prioritization. When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.
 | Specify an interval for session timeout. If a client session is inactive for the specified duration, the session expires and the user is required to log in again. You can specify a value within the range of 60–3600 seconds. The default value is 1000 seconds.
 | Select this check-box if you do not want the SSID to be visible to users.
 | Select this check-box if you want to disable the SSID. When selected, the SSID is disabled but is not removed from the network. By default, all SSIDs are enabled.
 | Specify the maximum number of clients that can be configured for each BSSID (Basic Service Set Identifier; in infrastructure networks, the MAC address of the AP) on a WLAN. You can specify a value within the range of 0–255. The default value is 64.
 | Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls the system response for this network profile and ignores probe requests if required. You can specify an RSSI (Received Signal Strength Indicator) value within the range of 0–100 dB.
 | Enter the minimum RSSI threshold for authentication requests.
 | Select this option to allow the Instant AP to send a de-authentication frame to the inactive client and clear the client entry.
 | Select this check-box if you do not want the SSID profile to use the uplink.
 | Disables bridging of traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet but cannot communicate with each other; the bridging traffic between the clients is sent to the upstream device, which makes the forwarding decision.
 | Select an option from the drop-down list and specify the time period.
 | Select an option from the drop-down list and specify the time period.
 | Disables intra-VLAN traffic to enable client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client-to-controller traffic to flow in the network. All other traffic from the client that is not destined to the controller or to configured servers is not forwarded by the Instant AP. This feature enhances the security of the network by denying clients direct access to one another. For more information, see Enabling Client Isolation Feature for Wireless Networks in Aruba Central.
 | Turn on the toggle switch to provide high network security by maintaining data confidentiality of management frames. Management Frame Protection (MFP) establishes encryption keys between the client and the Instant AP using the 802.11i framework. For more information, see Enabling Management Frames Protection Feature for Wireless Networks in Aruba Central.
 | Turn on the toggle switch to enable Fine Timing Measurement (802.11mc) responder mode.
 | Ensure that the NTP (Network Time Protocol) server connection is active. Select a time range profile from the list and apply a status from the drop-down list. Click to create a new time range profile. For more information, see Configuring Time-Based Services for Wireless Network Profiles.
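The limits in the table above are easy to mistype, and the UI reports them one field at a time. As an added example (not Aruba's code and not part of this page), the following Python script checks a profile against the page's stated limits before it is pushed: the DTIM period, the Kbps bandwidth limits, the session timeout, clients per BSSID, the probe-request RSSI threshold, the DSCP mapping text boxes (up to 8 values in 0–63, no white space, no duplicates) and the per-band minimum and maximum transmission rates. The field names, the dict layout, the sample profiles and the lower bound of 1 for the DMO threshold are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Closed integer ranges stated in the parameter table above. The dict keys are
# field names chosen for this example (assumed, not Aruba's); the bounds and
# the defaults in the comments are the page's.
RANGE_LIMITS: Dict[str, Tuple[int, int]] = {
    "dtim_period": (1, 10),                         # beacons; default 1
    "dmo_channel_utilization_threshold": (1, 100),  # percent; default 90, max 100
                                                    # (lower bound of 1 is assumed)
    "downstream_rate_kbps": (1, 65535),
    "upstream_rate_kbps": (1, 65535),
    "per_radio_bandwidth": (1, 65535),
    "session_timeout_seconds": (60, 3600),          # default 1000
    "max_clients_per_bssid": (0, 255),              # default 64
    "probe_request_rssi_threshold_db": (0, 100),
}

# DSCP mapping text boxes: up to 8 values in 0-63, comma separated, no white
# space, no duplicates.
DSCP_FIELDS = ("dscp_background", "dscp_best_effort", "dscp_video", "dscp_voice")
_DSCP_RE = re.compile(r"^\d{1,2}(,\d{1,2})*$")

# (minimum, maximum) transmission rate in Mbps per band; defaults from the page.
RATE_DEFAULTS: Dict[str, Tuple[int, int]] = {
    "rates_2_4ghz": (1, 54),
    "rates_5ghz": (6, 54),
}


def check_range(name: str, value) -> List[str]:
    """Check one integer field against RANGE_LIMITS; return a list of errors."""
    lo, hi = RANGE_LIMITS[name]
    if not isinstance(value, int) or isinstance(value, bool):
        return [f"{name}: expected an integer, got {value!r}"]
    if not lo <= value <= hi:
        return [f"{name}: {value} is outside {lo}-{hi}"]
    return []


def parse_dscp_mapping(name: str, text: str) -> Tuple[List[int], List[str]]:
    """Parse one DSCP mapping text box; return (values, errors)."""
    if not _DSCP_RE.match(text):
        return [], [f"{name}: expected comma-separated integers with no white space, got {text!r}"]
    values = [int(v) for v in text.split(",")]
    errors: List[str] = []
    if len(values) > 8:
        errors.append(f"{name}: at most 8 values are allowed, got {len(values)}")
    out_of_range = [v for v in values if not 0 <= v <= 63]
    if out_of_range:
        errors.append(f"{name}: values outside 0-63: {out_of_range}")
    if len(set(values)) != len(values):
        errors.append(f"{name}: duplicate values are not allowed")
    return values, errors


def validate_profile(profile: dict) -> List[str]:
    """Validate a profile dict; an empty list means every checked field is in range."""
    errors: List[str] = []
    for name in RANGE_LIMITS:
        if name in profile:
            errors += check_range(name, profile[name])
    for name in DSCP_FIELDS:
        if name in profile:
            errors += parse_dscp_mapping(name, profile[name])[1]
    for name, defaults in RATE_DEFAULTS.items():
        lo, hi = profile.get(name, defaults)
        if lo > hi:
            errors.append(f"{name}: minimum rate {lo} Mbps exceeds maximum rate {hi} Mbps")
    return errors


# Constructed sample profiles (not taken from the page).
GOOD_PROFILE = {
    "dtim_period": 2,
    "dmo_channel_utilization_threshold": 90,
    "downstream_rate_kbps": 20000,
    "session_timeout_seconds": 1000,
    "max_clients_per_bssid": 64,
    "probe_request_rssi_threshold_db": 25,
    "dscp_voice": "46,44",
    "rates_5ghz": (6, 54),
}

BAD_PROFILE = {
    "dtim_period": 12,              # above the 10-beacon maximum
    "session_timeout_seconds": 30,  # below the 60-second minimum
    "dscp_background": "8, 10",     # white space is not allowed
    "dscp_video": "34,36,34",       # duplicate value
    "rates_2_4ghz": (54, 1),        # minimum above maximum
}

if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, validate_profile(prof) or "OK")
```

Fields that are absent from the dict are skipped rather than defaulted, except the transmission rates, which fall back to the page's per-band defaults so that a half-filled profile is still checked for a minimum above the maximum.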
Configuring VLAN Settings for Wireless Network
To configure VLAN settings for an SSID, complete the following steps:
1. In the VLANs tab, select any of the following options for :
—When selected, the client obtains the IP address from the VC.
—When selected, the client obtains the IP address from the network.
2. Based on the type of client IP assignment mode selected, configure the following parameters:
Parameter | Description
---|---
 | When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet (a logical division of an IP network) and VLAN on the Instant AP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on Instant APs. If this option is selected, specify any of the following options in : —Assigns an IP address to the client in the same subnet as the Instant APs. By default, the client VLAN is assigned to the native VLAN on the wired network. —Allows you to customize the client VLAN assignment to a specific VLAN or a range of VLANs. When this option is selected, select the scope from the drop-down list.
 | When this option is selected, specify any of the following options in : —In , specify a VLAN ID for a single VLAN or for several VLANs. If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID. To show or hide the Named VLANs, click . Click the to view the Named VLAN table. To add a new Named VLAN, complete the following steps: Click . The window is displayed. Enter the and details, and then click . —Assigns the VLANs dynamically from a DHCP server. To add a new VLAN assignment rule, complete the following steps: Click in the window. The page is displayed. Enter the , , , and details, and then click . To delete a VLAN assignment rule, select a rule in the window, and then click the delete icon. To show or hide the Named VLANs, click . Click the to view the Named VLAN table. To add a new Named VLAN, complete the following steps: Click . The window is displayed. Enter the and details, and then click . To delete a Named VLAN, select it in the Named VLAN table, and then click the delete icon. —Assigns the client VLAN to the native VLAN.
3. Click .
Configuring Security Settings for Wireless Network
To configure security settings for a mixed-traffic or voice network, complete the following steps:
1. In the tab, specify any one of the following options in the :
Enterprise—On selecting this security level, the authentication options applicable to the enterprise network are displayed.
Personal—On selecting this security level, the authentication options applicable to the personalized network are displayed.
Captive Portal—On selecting this security level, the authentication options applicable to the captive portal are displayed. For more information on captive portal, see .
Open—On selecting this security level, the authentication options applicable to an open network are displayed.
The default security setting for a network profile is Personal.
2. Based on the security level specified, configure the following basic parameters:
Data Pane Item | Description
---|---
 | For the security level, select an encryption key from the Key Management drop-down list: —Select this option to use WPA (Wi-Fi Protected Access)-2 security. WPA-2 Enterprise requires user authentication and requires the use of a RADIUS (Remote Authentication Dial-In User Service) server for authentication. —Select this option to use both WPA-2 and WPA security. —Select this option to use WPA Enterprise. —If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, turn on the Use Session Key for LEAP toggle switch. This is required for old printers that use dynamic WEP (Wired Equivalent Privacy) through LEAP (Lightweight Extensible Authentication Protocol, a Cisco proprietary version of EAP) authentication. The Use Session Key for LEAP feature is disabled by default. —Select this option to use WPA-3 security employing CNSA encryption. —Select this option to use WPA-3 security employing the CCM encryption operation mode limited to encrypting 128 bits of plain text. —Select this option to use WPA-3 security employing the GCM encryption operation mode limited to encrypting 256 bits of plain text. When the and encryption types are selected and the 802.1x authentication method is configured, OKC (Opportunistic Key Caching) is enabled by default. Using OKC, a station roaming to any AP in the network does not have to complete a full authentication exchange, but instead performs only the 4-way handshake to establish transient encryption keys. If OKC is enabled, a cached PMK (Pairwise Master Key, the shared secret key generated after PSK or 802.1X authentication) is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1x authentication. OKC roaming can be configured only for the security level. For the security level, select an encryption key from the Key Management drop-down list. For the , , , and keys, specify the following parameters: —Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters. —Enter a passphrase in . —Retype the passphrase to confirm. For Static WEP, specify the following parameters: —Select an appropriate value for the WEP key size from the drop-down list. —Select an appropriate value from the Tx Key drop-down list. —Enter an appropriate WEP key. —Retype the WEP key to confirm. For , select a primary server from the drop-down list. For , select an MPSK Local server from the drop-down list.
 | For the security level, select an encryption key from Key Management. For the , , , and keys, specify the following parameters: —Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters. —Enter a passphrase in . —Retype the passphrase to confirm. For Static WEP, specify the following parameters: —Select an appropriate value for the WEP key size from the drop-down list. —Select an appropriate value from the Tx Key drop-down list. —Enter an appropriate WEP key. —Retype the WEP key to confirm. For information on configuring captive portal, see Configuring Wireless Networks for Guest Users on Instant APs.
 | For the security level, the includes the and options.
 | This option is applicable to the and security levels only. To terminate the EAP (Extensible Authentication Protocol) portion of 802.1X authentication on the Instant AP instead of on the RADIUS server, turn on the toggle switch. Enabling it can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange. When EAP Offload is enabled, the Instant AP itself acts as an authentication server and terminates the outer layers of the EAP protocol, relaying only the innermost layer to the external RADIUS server. It can also reduce the number of packets exchanged between the Instant AP and the authentication server. Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID. If you are using LDAP (Lightweight Directory Access Protocol) for authentication, ensure that Instant AP termination is configured to support EAP.
 | Configure the following parameters: —Turn on the toggle switch to allow MAC (Media Access Control) address based authentication for the , , and security levels. —Set a primary authentication server. This option appears only for the Enterprise security level and the internal and external captive portal types. Select one of the following options from the drop-down list: —To use an internal server, select and add the clients that are required to authenticate with the internal RADIUS server. Click Users to add the users. To add a new server, click . Aruba Central allows you to configure an external RADIUS server, a TACACS (Terminal Access Controller Access Control System) or LDAP server, and an External Captive Portal for user authentication. For information on configuring external servers, see Configuring Authentication and Security Profiles on Instant APs. —To add another server for authentication, configure another authentication server. —If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours. By default, authentication survivability is disabled. —Turn on the toggle switch to enable , if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring Authentication and Security Profiles on Instant APs.
 | Click to add the users. The registered users of type will be able to access the network. To add a new user, click and enter the new user in the pane. This option appears only for the security level, , and .
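The Key Management rows above distinguish an 8-63 character passphrase from a 64-hexadecimal-digit key, and describe OKC reusing a cached PMK when a client roams. The following Python example, added here and not Aruba code, shows what those two forms are: the 64-hex form is the Pairwise Master Key itself, while the shorter form is stretched into a PMK with PBKDF2-HMAC-SHA1 over the SSID, as 802.11 defines for WPA/WPA2-Personal (WPA3-Personal uses SAE instead, which is not shown), and pmkid() shows the identifier a station derives for a new AP from a cached PMK. It accepts the full printable-ASCII set rather than only alphanumerics, which is wider than the UI text; the station and AP MAC addresses are constructed values, and the passphrase/SSID pair is the IEEE 802.11 test vector.

```python
import hashlib
import hmac
import re

# Passphrase formats named in the table above: 8-63 characters, or exactly
# 64 hexadecimal digits (the key material entered directly).
_HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")


def classify_passphrase(passphrase: str) -> str:
    """Return "hex" for a 64-hex-digit key or "ascii" for an 8-63 character
    passphrase; raise ValueError otherwise. Printable ASCII (0x20-0x7E) is
    accepted in the ascii form, which is wider than the UI text's
    "alphanumeric" (an assumption made in this example)."""
    if _HEX64.match(passphrase):
        return "hex"
    if 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        return "ascii"
    raise ValueError("passphrase must be 8-63 printable ASCII characters or 64 hex digits")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal. A 64-hex-digit passphrase is
    the PMK itself; an ASCII passphrase is stretched with PBKDF2-HMAC-SHA1
    (4096 iterations, 32-byte output, SSID as salt) as 802.11 specifies, so
    renaming the SSID changes the PMK even if the passphrase stays the same."""
    if classify_passphrase(passphrase) == "hex":
        return bytes.fromhex(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC). With OKC
    the station computes this for the new AP's MAC against the cached PMK and
    offers it in its (re)association request, skipping the full 802.1X exchange."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


# Constructed sample values: the passphrase/SSID pair is the IEEE 802.11 test
# vector; the MAC addresses are invented locally administered addresses.
SSID = "IEEE"
PASSPHRASE = "password"
STA = bytes.fromhex("020000000001")
AP_A = bytes.fromhex("020000000101")
AP_B = bytes.fromhex("020000000102")

if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    print("PMK:", pmk.hex())
    print("PMKID at AP_A:", pmkid(pmk, AP_A, STA).hex())
    print("PMKID on roam to AP_B:", pmkid(pmk, AP_B, STA).hex())
```

The PMKID differs per AP because the AP's MAC is part of the input, which is why a cached PMK can be reused across APs while each AP still receives a distinct identifier to look it up by.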
3. Based on the security level specified, specify the following parameters in the section:
Data pane item |
Description |
|
Turn on the toggle switch to use the session key for Lightweight Extensible Authentication Protocol. This option is available only for level. |
|
toggle switch to reduce the time needed for authentication. When OKC is used, multiple APs can share Pairwise Master Keys (PMKs) among themselves, and the station can roam to a new access points that has not visited before and reuse a PMK that was established with the current AP. OKC allows the station to roam quickly to an access point it has never authenticated to, without having to perform pre-authentication. OKC is available specifically on |
|
To enable MAC address based authentication for and security levels, turn on the toggle switch to enable . For security level, the following options are available:—Select this to use 802.1X authentication only when the MAC authentication is successful. —On selecting this, the 802.1X authentication is attempted when the MAC authentication fails. If is enabled, configure the following parameters:Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled. —Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, theInstant AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled. —Turn on the toggle switch to allow the |
|
Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. If the re-authentication interval is configured: On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role. On an SSID performing both L2 and L3 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client. On an SSID performing only L3 authentication (captive portal authentication): When re-authentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through captive portal to regain access. |
By default, this option is disabled. To enable blacklisting of clients after a specific number of authentication failures, select and specify a value for . Users who fail to authenticate the number of times specified in the field are dynamically blacklisted.
Enforces DHCP on the WLAN SSID for Instant AP clients. When DHCP is enforced:
A layer-2 user entry is created when a client associates with an Instant AP.
The client DHCP state and IP address are tracked. When the client obtains an IP address from DHCP, the DHCP state changes to complete.
If the DHCP state is complete, a layer-3 user entry is created.
When a client roams between Instant APs, the DHCP state and the client IP address are synchronized with the new Instant AP.
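The following model walks through the sequence just described: a layer-2 entry at association, per-client DHCP state, a layer-3 entry only once DHCP completes, and state carried over on roaming. It is an added example written for this page, not Aruba code; the AP names, MAC addresses and IP addresses are constructed, and the `ip_is_trusted` check is this example's own reading of what the layer-3 entry is for. One consequence the model makes visible: a client that configures a static address never reaches the complete state, so it never gets a layer-3 entry.

```python
"""
Client-entry tracking under DHCP enforcement (added example, not Aruba code).
Every name and sample value here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserEntry:
    mac: str
    ap: str
    dhcp_state: str = "pending"    # becomes "complete" when a lease is seen
    ip: Optional[str] = None

    @property
    def l3_entry(self) -> bool:
        """A layer-3 entry exists only after DHCP has completed."""
        return self.dhcp_state == "complete" and self.ip is not None


class DhcpEnforcedUserTable:
    """User table shared across the Instant APs of one cluster."""

    def __init__(self) -> None:
        self.entries: Dict[str, UserEntry] = {}

    def associate(self, mac: str, ap: str) -> UserEntry:
        """Layer-2 entry is created at association; no IP is known yet."""
        entry = UserEntry(mac=mac, ap=ap)
        self.entries[mac] = entry
        return entry

    def dhcp_complete(self, mac: str, ip: str) -> UserEntry:
        """A DHCP lease moves the client to complete, creating layer-3 state."""
        entry = self.entries[mac]
        entry.dhcp_state = "complete"
        entry.ip = ip
        return entry

    def roam(self, mac: str, new_ap: str) -> UserEntry:
        """On roaming, DHCP state and IP are synchronized to the new AP, so a
        client that already completed DHCP keeps its layer-3 entry."""
        entry = self.entries.get(mac)
        if entry is None:              # unknown client: treat as a fresh association
            return self.associate(mac, new_ap)
        entry.ap = new_ap
        return entry

    def ip_is_trusted(self, mac: str, src_ip: str) -> bool:
        """Assumption: the layer-3 entry is what ties a MAC to its DHCP-assigned
        address, so only that MAC/IP pairing counts as known."""
        entry = self.entries.get(mac)
        return bool(entry and entry.l3_entry and entry.ip == src_ip)


if __name__ == "__main__":
    table = DhcpEnforcedUserTable()
    table.associate("aa:bb:cc:00:00:01", "ap-1")
    table.dhcp_complete("aa:bb:cc:00:00:01", "10.1.1.50")
    print(table.roam("aa:bb:cc:00:00:01", "ap-2"))
    table.associate("aa:bb:cc:00:00:02", "ap-1")   # static-IP client, never DHCPs
    print(table.ip_is_trusted("aa:bb:cc:00:00:02", "10.1.1.77"))
```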
Enable this option to allow transition from WPA3 to WPA2 and vice versa. The WPA3 Transition option appears only when WPA3 is selected in the for , , and level.
Enable this option to allow backward compatibility of encryption modes in networks. The appears only when WPA3 is selected in the for , , and level.
Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:
—Select any of the following options for configuring called station ID:
—Uses the VC ID as the called station ID.
—Uses the host name of the Instant AP as the called station ID.
—Uses the VLAN ID of as the called station ID.
—Uses the IP address of the Instant AP as the called station ID.
—Uses the MAC address of the Instant AP as the called station ID.
—Appends the SSID name to the called station ID. The detail can be configured even if the is set to disabled.
—Sets delimiter at the end of the called station ID.
—Sets a value for the maximum allowed authentication failures.
Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
Select this option to allow the Instant AP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
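The delimiter and uppercase settings above, together with the called station ID options, decide the exact strings a MAC authentication request carries, and a mismatch with what the RADIUS server's MAC list expects makes every lookup miss. The following is an added example written for this page, not Aruba code: it renders a MAC address under each delimiter/uppercase combination and builds Called-Station-Id from the selectable sources with the optional appended SSID and delimiter. Attribute names follow RFC 2865 and RFC 3580; the function names, the `ApIdentity` fields, the RFC 3580 `AA-BB-CC-DD-EE-FF` rendering of the AP MAC and all sample values are this example's own assumptions.

```python
"""
MAC-authentication request formatting (added example, not Aruba code).
Models the MAC delimiter/uppercase options and the Called-Station-Id sources
described on this page; every name and sample value is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept common MAC spellings (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff, aabbccddeeff) and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def format_mac(raw: str, delimiter: Optional[str] = None, uppercase: bool = False) -> str:
    """Render a MAC as the delimiter/uppercase options describe:
    no delimiter -> xxxxxxxxxxxx, ':' -> xx:xx:xx:xx:xx:xx, case optional."""
    digits = normalize_mac(raw)
    if uppercase:
        digits = digits.upper()
    if not delimiter:
        return digits
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class ApIdentity:
    """Constructed AP attributes; one of them becomes Called-Station-Id."""
    mac: str
    hostname: str
    ip: str
    vc_id: str
    vlan_id: int


def called_station_id(ap: ApIdentity, source: str, ssid: Optional[str] = None,
                      delimiter: str = ":") -> str:
    """Build Called-Station-Id from the selected source and append the SSID
    after the delimiter when requested (RFC 3580 shows the AP-MAC:SSID form).
    Assumption: the AP MAC is rendered RFC 3580 style, AA-BB-CC-DD-EE-FF."""
    sources = {
        "vc-id": ap.vc_id,
        "ap-hostname": ap.hostname,
        "vlan-id": str(ap.vlan_id),
        "ap-ip": ap.ip,
        "ap-mac": format_mac(ap.mac, "-", uppercase=True),
    }
    if source not in sources:
        raise ValueError(f"unknown Called-Station-Id source {source!r}")
    value = sources[source]
    return f"{value}{delimiter}{ssid}" if ssid else value


def mac_auth_request(client_mac: str, ap: ApIdentity, *,
                     mac_delimiter: Optional[str] = None, uppercase: bool = False,
                     cs_source: str = "ap-mac", ssid: Optional[str] = None,
                     cs_delimiter: str = ":",
                     client_ip: Optional[str] = None) -> Dict[str, str]:
    """Attributes of the Access-Request this model sends for MAC authentication.
    In MAC auth the client MAC is both User-Name and User-Password, so the
    delimiter/uppercase settings must match the server's MAC list exactly.
    Calling-Station-Id carries the client MAC unless the client-IP option
    described above is in effect (pass client_ip to model it)."""
    username = format_mac(client_mac, mac_delimiter, uppercase)
    return {
        "User-Name": username,
        "User-Password": username,
        "Calling-Station-Id": client_ip or format_mac(client_mac, "-", uppercase=True),
        "Called-Station-Id": called_station_id(ap, cs_source, ssid, cs_delimiter),
    }


if __name__ == "__main__":
    ap = ApIdentity(mac="00:1a:1e:00:11:22", hostname="ap-lobby-1",
                    ip="10.0.0.5", vc_id="vc-main", vlan_id=20)
    for delim, upper in ((None, False), (":", True), ("-", False)):
        print(mac_auth_request("aa:bb:cc:dd:ee:ff", ap, mac_delimiter=delim,
                               uppercase=upper, ssid="Corp"))
```

Running it with the three delimiter/uppercase combinations shows the three different User-Name strings the same client produces; whichever form the RADIUS server stores its MAC entries in is the form the profile must be set to send.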
Enable the following fast roaming features as per your requirement:
—Turn on the toggle switch to enable 802.11k roaming. 802.11k is an IEEE standard that enables APs and client devices to discover the best available radio resources for seamless BSS transition in a WLAN. The 802.11k protocol enables Instant APs and clients to dynamically measure the available radio resources. When 802.11k is enabled, Instant APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
4. Click .
Configuring ACLs for User Access to a Wireless Network
You can configure up to 64 access rules for a wireless network profile. To configure access rules for a network, complete the following steps:
1. In the tab, turn on the toggle switch to allow downloading of pre-existing user roles. For more information, see ClearPass Policy Manager Certificate Validation for Downloadable Role.
The feature is optional. The feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8. ClearPass is an access management system for creating and enforcing policies across a network to all devices and applications. The ClearPass integrated platform includes applications such as Policy Manager, Guest, Onboard, OnGuard, Insight, Profile, QuickConnect, and so on. At least one RADIUS server must be configured to apply the External RADIUS Server feature. For more information on configuring a RADIUS server, see
2. Click the action corresponding to the server. The page is displayed.
Viewing Wireless SSID Summary
In the tab, the page displays all the settings configured in the , , , and tabs. Click Save Settings to complete the network profile creation and save the settings.