Network Name |
Enter a unique, user-friendly value that makes sense
for your business. Example: Staff |
SSID |
Enter a character string to identify the wireless network. Maximum 32
characters. Upper and lowercase allowed. Example: PermanentStaff |
Hotspot |
The following values are valid for hotspot configuration:
- Disabled. Hotspot functionality is not enabled. Default value.
- Enabled. Hotspots are enabled for this WLAN.
  - Privacy is set by default to WPA.
  - You must configure Protected Management Frame (PMF).
  - The authentication method is set to AAA with External RADIUS Server. You can configure MBA, if required.
  - Auth Type is WPA2-Enterprise (802.1x/EAP).
  - You must disable the Advanced network setting Client-Client Communication.
- WBA OpenRoaming. This associates the device with the OpenRoaming profile. For more information, see Configure Hotspot for WBA OpenRoaming.
- OSU. Enables the definition of Online Sign Up or OSEN WLAN. When configuring Online Signup for the hotspot, you must configure a separate OSU WLAN. Then, specify that WLAN on the Online Signup tab. Configure the policy and topology assigned to the OSU WLAN to allow access only to the OSU server, with no access to the internet. Valid Auth Type values for OSU Hotspot are:
  - Open
  - WPA2-Enterprise (802.1x/EAP)
Note: You must specify a AAA policy when configuring OSU for Hotspot.
Note: After you have defined a WLAN
service with a hotspot, you cannot disable the hotspot. You can only delete the
WLAN service and recreate it.
For more information, see Hotspot.
|
Status |
Enable or disable the network service. Disabling the network service
shuts off the service but does not delete it. |
AuthType |
Define the
authorization type. Valid values are:
- Open — Anyone is authorized to use the network. This authorization
type has no encryption. The Default Auth role is the only supported policy
role.
- OWE — Opportunistic Wireless Encryption (OWE) offers security to open
networks, ensuring that traffic between an AP and a client is encrypted. Other clients
can sniff and record traffic, but cannot decrypt it.
- WEP —
Static Wired Equivalent Privacy (WEP) offers keys for a selected network, that match the
WEP mechanism used on the rest of the network. Each AP can participate in up to 50
networks. Specify one WEP key per network. This option is offered to support legacy
APs. See Privacy Settings for WEP.
- WPA2 with PSK —
Network access is allowed to any client that knows the pre-shared key (PSK). All data
between the client and the AP is AES encrypted using the shared secret. Privacy is based
on the IEEE standard, and privacy settings are editable. If MAC-based authentication
(MBA) is enabled, you can assign different roles to different devices with a PSK because
MBA distinguishes between different devices. If MBA is not enabled, then devices with a
PSK use the Default Auth role only. See Privacy Settings for WPA2 with PSK.
- WPA2 Enterprise w/
RADIUS — Supports 802.1X authentication with a RADIUS server, using AES encryption. This
method can be used with client certificate-based authentication (EAP-TLS). All 802.1X
protocols are supported.
Two-stage authentication is supported offering a combination of
MAC-Based (MBA) authentication and WPA2-Enterprise (802.1x/EAP). The wireless client
is first authenticated using MBA and then, in stage 2, the client authenticates with
WPA2-Enterprise (802.1x/EAP).
Note: Captive Portal is not
supported when using WPA2 Enterprise w/ RADIUS. An exception is Centralized Web Authentication
(CWA). CWA captive portal supports WPA2 Enterprise w/ RADIUS.
See Privacy Settings for WPA2 Enterprise with RADIUS.
- WPA3-Enterprise Transition — WPA3-Enterprise Transition is a mixed mode similar to
current WPA3-Enterprise. Protected Management Frames (PMF) is enabled, but
optional for 2.4 GHz and 5 GHz, and mandatory for 6 GHz. WPA3-Enterprise
Transition allows clients and APs to negotiate whether PMF is enforced on
the client connection or not. This means devices can connect to a network even
when some of the APs in that network do not support the strongest security
mode.
For 6 GHz-capable devices, WPA3-Enterprise Transition UI uses the
following:
- 2.4 GHz Radio - WPA3-Enterprise Transition: WPA2-Enterprise with PMF = Enabled
- 5.0 GHz Radio - WPA3-Enterprise Transition: WPA2-Enterprise with PMF = Enabled
- 6.0 GHz Radio - WPA3-Enterprise Transition: WPA2-Enterprise with PMF = Mandatory
- WPA3-Personal — 128-bit encryption. WPA3 uses a pre-shared key (PSK) and Simultaneous
Authentication of Equals (SAE) or Hash-to-Element (H2E). WPA3 offers an augmented
handshake and protection against future password compromises. See Settings for WPA3 Personal with SAE and H2E.
- WPA3-Compatibility — Option for mixed deployments of 802.11ax
APs and older AP models. For use when WPA2 and WPA3 are configured on the same network.
Clients that support either WPA3 Personal or WPA2 Personal can connect to this network
at the same time and on the same SSID. If you are unsure which method your device
supports, use WPA3-Compatibility. Note: When a device is assigned to 6 GHz radio, only
WPA3 Personal is assigned. See Settings for WPA3 Personal with SAE and H2E.
- WPA3-Enterprise — WPA2-Enterprise with Protected Management Frames (PMF). This option requires and
enforces PMF enablement. The TKIP-CCMP option is disabled. For more information, see
Settings for WPA3 Enterprise.
- WPA3-Enterprise (192-bits) — WPA3-Enterprise with 192-bit security protocols (at a minimum) and
cryptographic tools to better protect sensitive data. For more information, see WPA3-Enterprise with 192-bit mode.
Note:
The World-Wide Universal Access Points 6 GHz radios support only the following Wi-Fi
Alliance (WFA) 6E Compliant network authentication methods:
- OWE (Opportunistic Wireless Encryption)
for Open Networks
- WPA3-Personal
- WPA3-Enterprise
- WPA3-Enterprise 192-bit
mode
- WPA3-Compatibility
Note: WPA3-Compatibility is
not WFA compliant.
WPA3-Compatibility supports both WPA2 Personal and WPA3 Personal on the same network.
If a WPA3-Compatibility network is assigned to 6 GHz radio, only WPA3 Personal is
assigned, thus making the network compliant.
ExtremeCloud IQ
Controller
requires that your 6 GHz radio network assignment be WFA 6E compliant. It rejects network
configuration changes that result in 6 GHz radio network assignments that are not compliant.
It might be necessary to redefine your networks when configuring the 6 GHz radio on the Universal Access
Points.
A green icon displays on the user interface when the Auth
Type is 6E WFA Compliant.
|
Enable Captive Portal |
Check this option to enable captive portal support
on the network service. |
Captive Portal Type |
See Captive Portal Settings. |
MAC-based Authentication |
The following
parameter displays when MAC-based Authentication is enabled:
- MBA Timeout Role.
Select the role that will be assigned to a wireless client during MAC-based
authentication (MBA) if the RADIUS server access request times out. If no MBA
Timeout Role is selected, then a RADIUS server timeout is treated like an
Access-Reject, which prevents the client from accessing the network. Other
options:
- — create a new role
- — edit role
- — delete role
- Two-stage authentication is supported offering a combination of
MAC-Based (MBA) authentication and WPA2-Enterprise (802.1x/EAP). The wireless client
is first authenticated using MBA and then, in stage 2, the client authenticates with
WPA2-Enterprise (802.1x/EAP).
|
Authentication Method |
Displayed after Captive Portal or MBA is selected. Select from the
following authentication values:
- Default. Select Configure Default
AAA.
- Proxy RADIUS (Failover).
Configure up to 4 RADIUS servers for redundancy.
- Proxy RADIUS (Load
Balance). Configure up to 4 RADIUS servers for load balancing.
- Local. Look up in the local
password repository.
- LDAP. Look up on a remote
LDAP server. This option enables LDAP Configuration.
|
AAA Policy |
Select a AAA policy or select to add
a new policy. Alternatively, you can select to
edit an existing policy. To see the list of configured AAA policies, go to
. This option is not displayed for WLAN Networks that do not
require authentication or authorization. The value Local Onboarding refers to RADIUS
requests that are directed through the ExtremeCloud IQ
Controller. Local Onboarding is the default value for WLAN Networks configured
for Internal Captive Portal. AAA Policy can only be configured for WLAN Networks requiring
MACAUTH, External Captive Portal, or EAP.
Note: Specify a AAA policy when configuring OSU for
Hotspot.
|
Default AAA
Authentication Method |
Indicates the
default authentication method that is configured when you select
Configure Default AAA. |
Primary RADIUS |
IP address of primary RADIUS server. |
Backup RADIUS |
IP address of backup RADIUS server. |
LDAP
Configuration |
Lightweight
Directory Access Protocol. Select a configuration or select the plus sign to add a
new configuration. |
Authenticate
Locally for MAC |
Authenticate the MAC address on ExtremeCloud IQ
Controller. Do not authenticate MAC address on the RADIUS server.
This setting is not available when you have selected Default as the
Authentication Method. |
Default UnAuth
Role |
The default network policy roles for
an unauthenticated client. Select a role from the list. Other options:
- — create a new role
- — edit selected role
- — delete selected role
|
Default Auth
Role |
The default
network policy roles for an authenticated client. Select a role from the list.
Other options:
- — create a new role
- — edit selected role
- — delete selected role
Select the policy role as the default authentication policy role.
Typically, Enterprise
User is the Default Auth Role. You can select any of the configured roles.
To configure a new role:
- Go to .
- Go to and edit a policy rule, specifying Default Auth Role in the
Accept Policy field.
|
Default
VLAN |
The default network topology. A topology can be thought of as a VLAN
(Virtual LAN) with at least one egress port, and it can optionally include sets of services,
exception filters, and multicast filters. Examples of supported topology modes are Bridged
at AP and Bridged at AC. Select a VLAN from the list. Other options:
- — create a new VLAN
- — edit selected VLAN
- — delete selected VLAN
|
Scheduling |
Note: Scheduling is unavailable until you install and run Scheduler for ExtremeCloud IQ Controller.
Select Scheduling to open the Scheduler application. This is a Docker application that resides on ExtremeCloud IQ
Controller. Download Scheduler for ExtremeCloud IQ Controller from the
Extreme Networks support portal, and install the application.
|
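
The 6 GHz assignment rule in the AuthType row and the hotspot prerequisites in the Hotspot row can be checked against planned WLAN definitions before a change is submitted. The following is an added example, not Extreme Networks code or a controller API; the dictionary layout, field names and sample WLANs are constructed for illustration.

```python
# Added example: audits WLAN definitions against rules stated in the table above.
# The dict layout is constructed for illustration; it is not a controller format.

SIX_GHZ_LISTED = {"OWE", "WPA3-Personal", "WPA3-Enterprise",
                  "WPA3-Enterprise (192-bits)", "WPA3-Compatibility"}
HOTSPOT_AUTH = "WPA2-Enterprise (802.1x/EAP)"

def on_6ghz(auth_type):
    """Auth type in effect on a 6 GHz radio, or None if the page does not list it."""
    if auth_type == "WPA3-Compatibility":
        return "WPA3-Personal"      # only WPA3 Personal is assigned on 6 GHz
    if auth_type == "WPA3-Enterprise Transition":
        return "WPA2-Enterprise with PMF = Mandatory"   # the page's 6 GHz row
    return auth_type if auth_type in SIX_GHZ_LISTED else None

def audit(wlan):
    """Return a list of findings for one WLAN definition (empty list = clean)."""
    findings = []
    if len(wlan["ssid"]) > 32:
        findings.append("SSID longer than 32 characters")
    if "6" in wlan["radios"] and on_6ghz(wlan["auth_type"]) is None:
        findings.append(f"{wlan['auth_type']} cannot be assigned to a 6 GHz radio")
    if wlan.get("hotspot"):
        if wlan["auth_type"] != HOTSPOT_AUTH:
            findings.append("hotspot requires " + HOTSPOT_AUTH)
        if not wlan.get("pmf"):
            findings.append("hotspot requires PMF to be configured")
        # Assumption: a missing key is treated as Client-Client Communication enabled.
        if wlan.get("client_to_client", True):
            findings.append("hotspot requires Client-Client Communication disabled")
    return findings

SAMPLE_WLANS = [  # constructed sample input
    {"name": "Staff", "ssid": "PermanentStaff", "auth_type": "WPA3-Compatibility",
     "radios": ["2.4", "5", "6"], "hotspot": False},
    {"name": "Guest", "ssid": "Guest", "auth_type": "WPA2 with PSK",
     "radios": ["5", "6"], "hotspot": False},
    {"name": "Roam", "ssid": "Roam", "auth_type": HOTSPOT_AUTH,
     "radios": ["5"], "hotspot": True, "pmf": False, "client_to_client": True},
]

if __name__ == "__main__":
    for w in SAMPLE_WLANS:
        print(w["name"], audit(w) or "ok")
```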