Wireless Network Additional Settings

Select, modify, and enable and disable wireless network (SSID) availability schedules, advanced access security controls, optional settings, and client monitoring objects.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Network Policies > policy_name > Wireless Networks > SSID_name > Additional Settings

About Wireless Network Additional Settings

When you configure your SSID, you can also configure and apply radio rates, DoS prevention settings, and traffic filters for your Extreme Networks devices. See Standard Wireless Network Settings.

To configure the SSID optional settings, select Customize in the Radios and Rates, DOS Prevention, MAC, filters section to display the Optional Settings dialog box. Continue with the following sections:

Radio and Rates

You can set the basic (mandatory) and optional data rates per SSID. Extreme Networks devices advertise their support of these rates in their beacons and probe responses. Clients must be able to support all the basic rates (Mbps rates for 802.11a/b/g clients, and MCS rates for 802.11n/ac clients) that an Extreme Networks device lists to be able to associate with that device.

The options in the drop-down list for each radio rate are Basic, which is a rate that the SSID announces it supports and that clients must also support to form an association and communicate with each other; Optional, which is a rate that the SSID announces it supports and that clients can use if possible; and N/A (not applicable), which is a rate that the SSID does not support.

Note

You can use these controls to prevent clients from connecting at low data rates on your SSID, which is one way to increase average data transfer rates.

The maximum possible data rates supported by the IEEE 802.11 amendment in use are:

You can set 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54 Mbps for 802.11a/b/g and MCS (modulation and coding scheme) 0-15 or 0-23 for 802.11n. Because several factors determine the maximum data rate for 802.11n, refer to the tables below for a guideline of what to set based on the way you configure the radio. The tables list the data rates for one, two, and three spatial streams.

By default, Extreme Networks devices advertise support for all rates on their SSIDs. By setting specific rates, you can restrict access to just those clients that can support them.

Note

Because the 802.11n MCS indexing scheme uses a unique MCS index for each modulation, coding, and spatial stream combination, be mindful that the MCS indexes change when you change the number of spatial streams.

One Spatial Stream (HT, 802.11n); data rates in Mbps

HT MCS Index | Modulation Type and Coding Rate | 20 MHz, No SGI | 20 MHz, SGI | 40 MHz (channel bonding), No SGI | 40 MHz (channel bonding), SGI
0 | BPSK (1/2) | 6.5 | 7.2 | 13.5 | 15
1 | QPSK (1/2) | 13 | 14.4 | 27 | 30
2 | QPSK (3/4) | 19.5 | 21.7 | 40.5 | 45
3 | 16-QAM (1/2) | 26 | 28.9 | 54 | 60
4 | 16-QAM (3/4) | 39 | 43.3 | 81 | 90
5 | 64-QAM (2/3) | 52 | 57.8 | 108 | 120
6 | 64-QAM (3/4) | 58.5 | 65 | 121.5 | 135
7 | 64-QAM (5/6) | 65 | 72.2 | 135 | 150

Two Spatial Streams (HT, 802.11n); data rates in Mbps

HT MCS Index | Modulation Type and Coding Rate | 20 MHz, No SGI | 20 MHz, SGI | 40 MHz (channel bonding), No SGI | 40 MHz (channel bonding), SGI
8 | BPSK (1/2) | 13 | 14.4 | 27 | 30
9 | QPSK (1/2) | 26 | 28.9 | 54 | 60
10 | QPSK (3/4) | 39 | 43.3 | 81 | 90
11 | 16-QAM (1/2) | 52 | 57.8 | 108 | 120
12 | 16-QAM (3/4) | 78 | 86.7 | 162 | 180
13 | 64-QAM (2/3) | 104 | 115.6 | 216 | 240
14 | 64-QAM (3/4) | 117 | 130 | 243 | 270
15 | 64-QAM (5/6) | 130 | 144.4 | 270 | 300

Three Spatial Streams (HT, 802.11n); data rates in Mbps

HT MCS Index | Modulation Type and Coding Rate | 20 MHz, No SGI | 20 MHz, SGI | 40 MHz (channel bonding), No SGI | 40 MHz (channel bonding), SGI
16 | BPSK (1/2) | 19.5 | 21.7 | 40.5 | 45
17 | QPSK (1/2) | 39 | 43.3 | 81 | 90
18 | QPSK (3/4) | 58.5 | 65 | 121.5 | 135
19 | 16-QAM (1/2) | 78 | 86.7 | 162 | 180
20 | 16-QAM (3/4) | 117 | 130 | 243 | 270
21 | 64-QAM (2/3) | 156 | 173.3 | 324 | 360
22 | 64-QAM (3/4) | 175.5 | 195 | 364 | 405
23 | 64-QAM (5/6) | 195 | 216.7 | 405 | 450

With the ratification of the 802.11ac amendment, higher data rates are possible and the MCS indexing scheme is simplified. Likewise, the way that you choose your settings in ExtremeCloud IQ is simplified. Because support for MCS indexes 0 through 7 is mandatory, ExtremeCloud IQ lets you choose the MCS index with a slider control with a range of 7 to 9. When you choose a specific MCS index here, you are choosing whether to allow 256-QAM (MCS 8 and 9) and which coding rate (3/4 or 5/6) to use with it.

Note

Choosing to allow 256-QAM means that capable devices that are near the AP can achieve the extended data rate associated with MCS 8 and 9 if the RF environmental conditions allow for it. Likewise, whether to use a coding rate of 3/4 or 5/6 also depends on the RF environment. A coding rate of 3/4 means that 3 out of every 4 bits transmitted are user data bits, with the one remaining bit used for forward error correction; a coding rate of 5/6 means that 5 out of every 6 bits are user data bits. You might choose MCS 8 (coding rate 3/4) in a noisier RF environment, where the extra forward error correction is the most helpful.

Refer to the tables below for the available data rates when considering 802.11ac devices. The tables list the data rates for one, two, and three spatial streams.

One Spatial Stream (VHT, 802.11ac); data rates in Mbps

VHT MCS Index | Modulation Type and Coding Rate | 20 MHz, No SGI | 20 MHz, SGI | 40 MHz, No SGI | 40 MHz, SGI | 80 MHz, No SGI | 80 MHz, SGI
0 | BPSK (1/2) | 6.5 | 7.2 | 13.5 | 15 | 29.3 | 32.5
1 | QPSK (1/2) | 13 | 14.4 | 27 | 30 | 58.5 | 65
2 | QPSK (3/4) | 19.5 | 21.7 | 40.5 | 4 | 87.8 | 97.5
3 | 16-QAM (1/2) | 26 | 28.9 | 54 | 60 | 117 | 130
4 | 16-QAM (3/4) | 39 | 43.3 | 81 | 90 | 175.5 | 195
5 | 64-QAM (2/3) | 52 | 57.8 | 108 | 120 | 234 | 260
6 | 64-QAM (3/4) | 58.5 | 65 | 121.5 | 135 | 263.3 | 292.5
7 | 64-QAM (5/6) | 65 | 72.2 | 135 | 150 | 292.5 | 325
8 | 256-QAM (3/4) | 78 | 86.7 | 162 | 180 | 351 | 390
9 | 256-QAM (5/6) | N/A | N/A | 180 | 200 | 390 | 433.3

Note

MCS 9 requires at least three spatial streams on a 20-MHz channel. MCS 6 data rate value is not valid for three spatial streams on an 80-MHz channel.

Two Spatial Streams (VHT, 802.11ac); data rates in Mbps

VHT MCS Index | Modulation Type and Coding Rate | 20 MHz, No SGI | 20 MHz, SGI | 40 MHz, No SGI | 40 MHz, SGI | 80 MHz, No SGI | 80 MHz, SGI
0 | BPSK (1/2) | 13 | 14.4 | 27 | 30 | 58.5 | 65
1 | QPSK (1/2) | 26 | 28.9 | 54 | 60 | 117 | 130
2 | QPSK (3/4) | 39 | 43.3 | 81 | 90 | 175.5 | 195
3 | 16-QAM (1/2) | 52 | 57.8 | 108 | 120 | 234 | 260
4 | 16-QAM (3/4) | 78 | 86.7 | 162 | 180 | 351 | 390
5 | 64-QAM (2/3) | 104 | 115.6 | 216 | 240 | 468 | 520
6 | 64-QAM (3/4) | 117 | 130 | 243 | 270 | 526.5 | 585
7 | 64-QAM (5/6) | 130 | 144.4 | 270 | 300 | 585 | 650
8 | 256-QAM (3/4) | 156 | 173.3 | 324 | 360 | 702 | 780
9 | 256-QAM (5/6) | N/A | N/A | 360 | 400 | 780 | 866.7

Three Spatial Streams (VHT, 802.11ac); data rates in Mbps

VHT MCS Index | Modulation Type and Coding Rate | 20 MHz, No SGI | 20 MHz, SGI | 40 MHz, No SGI | 40 MHz, SGI | 80 MHz, No SGI | 80 MHz, SGI
0 | BPSK (1/2) | 19.5 | 21.5 | 40.5 | 45 | 87.8 | 97.5
1 | QPSK (1/2) | 39 | 43.3 | 81 | 90 | 175.5 | 195
2 | QPSK (3/4) | 58.5 | 65 | 121.5 | 135 | 263.3 | 292.5
3 | 16-QAM (1/2) | 78 | 86.7 | 162 | 180 | 351 | 390
4 | 16-QAM (3/4) | 117 | 130 | 243 | 270 | 526.5 | 585
5 | 64-QAM (2/3) | 156 | 173.3 | 324 | 360 | 702 | 780
6 | 64-QAM (3/4) | 175 | 195 | 364.5 | 405 | N/A | N/A
7 | 64-QAM (5/6) | 195 | 216.7 | 405 | 450 | 877.5 | 975
8 | 256-QAM (3/4) | 234 | 260 | 486 | 540 | 1053 | 1170
9 | 256-QAM (5/6) | 360 | 288.9 | 540 | 600 | 1170 | 1300

Under normal circumstances, you probably want the SSID to support the maximum possible data rate. However, setting a slower transmission rate might be useful in specific cases. For example, if a number of devices connect to a switch that has a slow upstream link, you can avoid a bottleneck upstream by slowing down the wireless traffic before it reaches the switch.
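The tables above can be derived rather than memorised, and doing so makes the two points in the notes concrete: why an HT MCS index carries the stream count inside it, and why some VHT cells are N/A. The following is an added example, not ExtremeCloud IQ code or anything from this page: it computes each cell from the 802.11 PHY relation rate = N_ss * N_sd * N_bpscs * R / T_sym (52, 108 and 234 data subcarriers at 20, 40 and 80 MHz; 4.0 us symbols, or 3.6 us with the short guard interval). The rule it uses to mark invalid combinations (one BCC encoder per 2400 data bits per symbol, each encoder's coded bits splitting into whole puncturing groups) is a simplification of the standard's encoder rule and is an assumption that holds for the 1-3 stream, 20/40/80 MHz combinations shown here, not a general statement of the standard.

```python
"""Derives the HT (802.11n) and VHT (802.11ac) data-rate tables from PHY parameters.
Added example, not ExtremeCloud IQ code. rate = N_ss * N_sd * N_bpscs * R / T_sym."""
from fractions import Fraction
from math import ceil, floor

# Modulation, coded bits per subcarrier (N_bpscs) and coding rate R for each base MCS.
MCS_BASE = [
    ("BPSK", 1, Fraction(1, 2)), ("QPSK", 2, Fraction(1, 2)),
    ("QPSK", 2, Fraction(3, 4)), ("16-QAM", 4, Fraction(1, 2)),
    ("16-QAM", 4, Fraction(3, 4)), ("64-QAM", 6, Fraction(2, 3)),
    ("64-QAM", 6, Fraction(3, 4)), ("64-QAM", 6, Fraction(5, 6)),
    ("256-QAM", 8, Fraction(3, 4)), ("256-QAM", 8, Fraction(5, 6)),   # VHT only
]
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234}              # N_sd per channel width (MHz)
SYMBOL_US = {False: Fraction(4), True: Fraction(18, 5)}    # T_sym: 4.0 us, 3.6 us with SGI


def ht_index_to_streams(index):
    """HT indexes 0-23 fold the stream count into the index: 8-15 are two streams, 16-23 three."""
    if not 0 <= index <= 23:
        raise ValueError("HT MCS index must be 0-23")
    return index // 8 + 1, index % 8


def data_rate_mbps(base, streams, width_mhz, sgi):
    """Rate rounded half-up to 0.1 Mbps, or None where the MCS/stream/width combination is invalid."""
    _, bpscs, r = MCS_BASE[base]
    n_cbps = streams * DATA_SUBCARRIERS[width_mhz] * bpscs   # coded bits per OFDM symbol
    n_dbps = n_cbps * r                                       # data bits per OFDM symbol
    if n_dbps.denominator != 1:
        return None                      # e.g. VHT MCS 9 at 20 MHz with 1 or 2 streams
    # Assumption (simplified encoder rule, valid for the combinations tabulated on the
    # page): one BCC encoder per 2400 data bits per symbol, and each encoder's coded
    # bits must divide into whole puncturing groups of R's denominator.
    n_es = ceil(n_dbps / 2400)
    if n_cbps % n_es or (n_cbps // n_es) % r.denominator:
        return None                      # e.g. VHT MCS 6 at 80 MHz with 3 streams
    rate = n_dbps / SYMBOL_US[sgi]       # bits per microsecond == Mbit/s
    return floor(rate * 10 + Fraction(1, 2)) / 10


def ht_rate(index, width_mhz, sgi=False):
    """802.11n data rate for an HT MCS index (0-23) at 20 or 40 MHz."""
    if width_mhz not in (20, 40):
        raise ValueError("HT supports 20 or 40 MHz channels")
    streams, base = ht_index_to_streams(index)
    return data_rate_mbps(base, streams, width_mhz, sgi)


def vht_rate(mcs, streams, width_mhz, sgi=False):
    """802.11ac data rate for VHT MCS 0-9 with an explicit stream count."""
    if not 0 <= mcs <= 9:
        raise ValueError("VHT MCS index must be 0-9")
    return data_rate_mbps(mcs, streams, width_mhz, sgi)


if __name__ == "__main__":
    for streams in (1, 2, 3):
        print(f"VHT, {streams} spatial stream(s): MCS, modulation, 20/40/80 MHz x No SGI/SGI")
        for mcs in range(10):
            cells = [vht_rate(mcs, streams, w, sgi) for w in (20, 40, 80) for sgi in (False, True)]
            print(mcs, MCS_BASE[mcs][0], *("N/A" if c is None else c for c in cells))
```

Running the script prints the three VHT tables; `ht_index_to_streams(10)` returning `(2, 2)` shows why the note above warns that HT indexes move when the stream count changes (index 10 is QPSK 3/4 on two streams, the same modulation as index 2 on one stream).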

DoS Prevention

You can configure defensive settings to protect against DoS (Denial of Service) attacks, and configure SSID access filters based on MAC addresses.

MAC-based DoS Prevention Rules For:

SSID: To protect against DoS attacks at the MAC layer (Layer 2) on the radio channel that an AP uses for SSID access traffic, select SSID. By default, all DoS detection types are enabled. The settings for SSID apply cumulatively to the total amount of Layer 2 traffic that an AP receives on the access channel for the SSID.

DoS Prevention Types for SSID

Probe Request: Set DoS detection and alarm parameters for the number of probe requests that a device receives during a 60-second interval on either the backhaul radio channel used for hive communications or the access radio channel for the selected SSID. The threshold determines the number of requests per minute required to trigger an alarm that a possible DoS attack might be occurring. You can set the interval (in seconds) between repeated alarms when the number of probe requests continues to exceed the threshold.

By default, the SSID-level DoS threshold for probe requests is 12,000 ppm (packets per minute), and a new alarm occurs every 60 seconds if the number of probe requests remains above the threshold.

Probe Response: Set DoS detection and alarm parameters for the number of probe responses that a device receives during a 60-second interval on either the backhaul radio channel or the access radio channel for the selected SSID. The threshold determines the number of responses per minute required to trigger an alarm that a possible DoS attack might be occurring. You can set the interval (in seconds) between repeated alarms when the number of probe responses continues to exceed the threshold.

By default, the SSID-level DoS threshold for probe responses is 24,000 ppm, and a new alarm occurs every 60 seconds if the number of probe responses remains above the threshold.

(Re)Association Request: Set DoS detection and alarm parameters for the number of association requests that a device receives during a 60-second interval on either the backhaul radio channel or the access radio channel for the selected SSID. The threshold determines the number of association requests per minute required to trigger an alarm that a possible DoS attack might be occurring. You can set the interval (in seconds) between repeated alarms when the number of association requests continues to exceed the threshold.

By default, the SSID-level DoS detection threshold for association requests is 6000 ppm, and a new alarm occurs every 60 seconds if the number of association requests remains above the threshold.

Note

When using WPA or WPA2 key management and encryption with PSK or 802.1X authentication, a client sends an association request to the access point before authenticating itself. With 802.11 authentication (WEP key management and encryption with open or PSK authentication), the client authenticates itself before associating.

Association Response: Set DoS detection and alarm parameters for the number of association responses that a device receives during a 60-second interval on either the backhaul radio channel or the access radio channel for the selected SSID. The threshold determines the number of association responses per minute required to trigger an alarm that a possible DoS attack might be occurring. You can set the interval (in seconds) between repeated alarms when the number of association responses continues to exceed the threshold.

By default, the SSID-level DoS detection threshold for association response messages is 2400 ppm, and a new alarm occurs every 60 seconds if the number of association responses remains above the threshold.

Disassociation: Set DoS detection and alarm parameters for the number of disassociation messages that a device receives during a 60-second interval on either the backhaul radio channel or the access radio channel for the selected SSID. The threshold determines the number of disassociation messages per minute required to trigger an alarm that a possible DoS attack might be occurring. You can set the interval (in seconds) between repeated alarms when the number of disassociation messages continues to exceed the threshold.

By default, the SSID-level DoS threshold for disassociation messages is 1200 ppm, and a new alarm occurs every 60 seconds if the number of disassociation messages remains above the threshold.

Authentication: Set DoS detection, response, and alarm parameters for the number of authentication messages that a device receives during a 60-second interval on either the backhaul radio channel or the access radio channel for the selected SSID. The threshold determines the number of authentication messages per minute required to trigger an alarm that a possible DoS attack might be occurring. You can set the interval (in seconds) between repeated alarms when the number of authentication messages continues to exceed the threshold.

By default, the SSID-level DoS threshold is 6000 ppm, and a new alarm occurs every 60 seconds if the number of authentication messages remains above the threshold.

Deauthentication: Set DoS detection and alarm parameters for the number of deauthentication messages that a device receives during a 60-second interval on either the backhaul radio channel or the access radio channel for the selected SSID. The threshold determines the number of deauthentication messages per minute required to trigger an alarm that a possible DoS attack might be occurring. You can set the interval (in seconds) between repeated alarms when the number of deauthentication messages continues to exceed the threshold.

By default, the SSID-level DoS threshold for deauthentication messages is 1200 ppm, and a new alarm occurs every 60 seconds if the number of deauthentication messages remains above the threshold.

EAP over LAN (EAPOL): Set DoS detection, response, and alarm parameters for the number of EAPOL messages that a device receives during a 60-second interval on either the backhaul radio channel or the access radio channel for the selected SSID. The threshold determines the number of EAPOL messages per minute required to trigger an alarm that a possible DoS attack might be occurring. You can also set the interval (in seconds) between repeated alarms when the number of EAPOL messages continues to exceed the threshold.

By default, the SSID-level DoS threshold for EAPOL messages is 6000 ppm, and a new alarm occurs every 60 seconds if the number of EAPOL messages remains above the threshold.

Client: To protect against DoS (Denial of Service) attacks at the MAC layer (Layer 2) on the radio channel that an AP uses for SSID access traffic, select Client. By default, all DoS detection types are enabled, and the association request, authentication, and EAP over LAN detection types are set at a 60 second ban. The settings in the MAC DoS configuration object apply to the total amount of Layer 2 traffic that an AP receives on the access channel for the SSID from a single source; that is, from a single MAC address.

DoS Prevention Types for Client

Probe Request: Set DoS detection and alarm parameters for the number of probe requests that the device receives from a single source during a 60-second interval on either its wireless backhaul channel or the access channel for the selected SSID.

The threshold determines the number of requests per minute required to trigger an alarm. You can set the interval (in seconds) between repeated alarms when the number of probe requests continues to exceed the threshold.

By default, the threshold for probe requests from a single source is 1200 ppm (packets per minute), and a new alarm occurs every 60 seconds if the number of probe requests remains above the threshold.

Probe Response: Set DoS detection and alarm parameters for the number of probe responses that the device receives on its wireless backhaul channel or the access channel for the selected SSID from a single source during a 60-second interval.

The threshold determines the number of responses per minute required to trigger an alarm. You can set the interval (in seconds) between repeated alarms when the number of probe responses continues to exceed the threshold.

By default, the threshold for probe responses from a single source is 2400 ppm, and a new alarm occurs every 60 seconds if the number of probe responses remains above the threshold.

(Re)Association Request: Set DoS detection and alarm parameters for the number of association requests that the device receives on its wireless backhaul channel or the access channel for the selected SSID from a single source during a 60-second interval.

The threshold determines the number of association requests per minute required to trigger an alarm and a response. The response can be a ban of all future connection attempts from that source for a specified length of time (in seconds) or permanently. You can also set the interval (in seconds) between repeated alarms when the number of association requests continues to exceed the threshold.

By default, the DoS threshold for association messages from a single source is 600 ppm, and a new alarm occurs every 60 seconds if the number of association requests remains above the threshold. A 60-second ban of new association requests is the default action.

Note

When using WPA or WPA2 key management and encryption with PSK or 802.1X authentication, a client sends an association request to the access point before authenticating itself. With 802.11 authentication (WEP key management and encryption with open or PSK authentication), the client authenticates itself before associating.

Association Response: Set DoS detection and alarm parameters for the number of association responses that the device receives on its wireless backhaul channel or the access channel for the selected SSID from a single source during a 60-second interval.

The threshold determines the number of association responses per minute required to trigger an alarm. You can set the interval (in seconds) between repeated alarms when the number of association responses continues to exceed the threshold.

By default, the DoS threshold for association responses from a single source is 240 ppm, and a new alarm occurs every 60 seconds if the number of association responses remains above the threshold.

Disassociation: Set DoS detection and alarm parameters for the number of disassociation messages that the device receives on its wireless backhaul channel or the access channel for the selected SSID from a single source during a 60-second interval.

The threshold determines the number of disassociation messages per minute required to trigger an alarm. You can set the interval (in seconds) between repeated alarms when the number of disassociation messages continues to exceed the threshold.

By default, the DoS threshold for disassociation messages from a single source is 120 ppm, and a new alarm occurs every 60 seconds if the number of disassociation messages remains above the threshold.

Authentication: Set DoS detection, response, and alarm parameters for the number of authentication messages that the device receives on its wireless backhaul channel or the access channel for the selected SSID from a single source during a 60-second interval.

The threshold determines the number of authentication messages per minute required to trigger an alarm and a response. The response can be a ban of all future connection attempts from that client for a specified length of time (in seconds) or permanently. You can also set the interval (in seconds) between repeated alarms when the number of authentication messages continues to exceed the threshold.

By default, the threshold for authentication messages from a single source is 600 ppm, and a new alarm occurs every 60 seconds if the number of authentication messages remains above the threshold. A 60-second ban is the default action.

Deauthentication: Set DoS detection and alarm parameters for the number of deauthentication messages that the device receives on its wireless backhaul channel or the access channel for the selected SSID from a single source during a 60-second interval.

The threshold determines the number of deauthentication messages per minute required to trigger an alarm. You can set the interval (in seconds) between repeated alarms when the number of deauthentication messages continues to exceed the threshold.

By default, the threshold for deauthentication messages from a single source is 120 ppm, and a new alarm occurs every 60 seconds if the number of deauthentication messages remains above the threshold.

EAP over LAN (EAPOL): Set DoS detection, response, and alarm parameters for the number of EAPOL messages that the device receives on its wireless backhaul channel or the access channel for the selected SSID from a single source during a 60-second interval.

The threshold determines the number of EAPOL messages per minute required to trigger an alarm and a response. The response can be a ban of all future connection attempts from that device (client) for a specified length of time (in seconds) or permanently. You can also set the interval (in seconds) between repeated alarms when the number of EAPOL messages continues to exceed the threshold.

By default, the threshold for EAPOL messages from a single source is 600 ppm, and a new alarm occurs every 60 seconds if the number of EAPOL messages remains above the threshold. A 60-second ban is the default action.
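The SSID-level and client-level rules above differ only in what they count over the 60-second window (every source combined versus one source MAC) and in whether the response can include a ban. The following added example, which is not ExtremeCloud IQ code or anything from this page, models both scopes with the default thresholds listed above over a constructed frame log: an authentication flood from one MAC trips the 600 ppm client rule and earns the default 60-second ban, while a probe-request flood spread across 100 MACs stays under every client threshold and is caught only by the 12,000 ppm SSID rule. Frame type names, the event format and the repeat-alarm logic are this example's own assumptions.

```python
"""Sliding-window detector for the Layer 2 DoS thresholds described above, at SSID
scope (all sources) and client scope (one source MAC). Added example, not ExtremeCloud
IQ code; thresholds are the page defaults, the frame log is constructed."""
from collections import defaultdict, deque

WINDOW_S = 60.0          # thresholds are counts per 60-second interval (ppm)
ALARM_REPEAT_S = 60.0    # default: a new alarm every 60 s while still over threshold
BAN_S = 60.0             # default client-scope ban for association, auth and EAPOL floods

SSID_THRESHOLD = {"probe_req": 12000, "probe_resp": 24000, "assoc_req": 6000,
                  "assoc_resp": 2400, "disassoc": 1200, "auth": 6000,
                  "deauth": 1200, "eapol": 6000}
CLIENT_THRESHOLD = {"probe_req": 1200, "probe_resp": 2400, "assoc_req": 600,
                    "assoc_resp": 240, "disassoc": 120, "auth": 600,
                    "deauth": 120, "eapol": 600}
BANNABLE = {"assoc_req", "auth", "eapol"}   # client-scope types whose default response is a ban


class RateWindow:
    """Count of events in the trailing WINDOW_S seconds (timestamps fed in order)."""
    def __init__(self):
        self.times = deque()

    def add(self, ts):
        self.times.append(ts)
        while ts - self.times[0] >= WINDOW_S:
            self.times.popleft()
        return len(self.times)


class MacDosMonitor:
    def __init__(self):
        self.ssid_win = defaultdict(RateWindow)     # frame type -> window
        self.client_win = defaultdict(RateWindow)   # (mac, frame type) -> window
        self.last_alarm = {}                        # (scope, type, mac) -> ts of last alarm
        self.banned_until = {}                      # mac -> ts
        self.events = []

    def _alarm(self, ts, scope, ftype, mac, count):
        key = (scope, ftype, mac)
        if key not in self.last_alarm or ts - self.last_alarm[key] >= ALARM_REPEAT_S:
            self.last_alarm[key] = ts
            self.events.append({"t": ts, "kind": "alarm", "scope": scope,
                                "type": ftype, "mac": mac, "count": count})

    def observe(self, ts, ftype, mac):
        """Feed one received management frame; returns 'ok', 'banned' or 'dropped'."""
        if self.banned_until.get(mac, 0.0) > ts:
            return "dropped"                        # banned source: not counted further
        # SSID scope: cumulative over every source on the access channel.
        n = self.ssid_win[ftype].add(ts)
        if n > SSID_THRESHOLD[ftype]:
            self._alarm(ts, "ssid", ftype, None, n)
        # Client scope: this source MAC only.
        n = self.client_win[(mac, ftype)].add(ts)
        if n > CLIENT_THRESHOLD[ftype]:
            self._alarm(ts, "client", ftype, mac, n)
            if ftype in BANNABLE:
                self.banned_until[mac] = ts + BAN_S
                self.events.append({"t": ts, "kind": "ban", "mac": mac, "until": ts + BAN_S})
                return "banned"
        return "ok"


def simulate():
    """Constructed frame log: normal clients, one auth flood, one distributed probe flood."""
    frames = []
    # 20 well-behaved clients, one authentication frame every 5 s for two minutes.
    for tick in range(24):
        for c in range(20):
            frames.append((tick * 5.0 + c * 0.01, "auth", f"02:00:00:00:00:{c:02x}"))
    # One source sends 650 authentication frames in 13 s (over the 600 ppm client rule).
    frames += [(30.0 + k * 0.02, "auth", "02:aa:bb:cc:dd:01") for k in range(650)]
    # 100 sources send 13,000 probe requests in 30 s: 130 each (under 1200 per client),
    # but the SSID total crosses 12,000.
    frames += [(200.0 + k * (30.0 / 13000), "probe_req", f"02:00:00:00:01:{k % 100:02x}")
               for k in range(13000)]
    frames.sort(key=lambda f: f[0])
    mon = MacDosMonitor()
    outcomes = [mon.observe(*f) for f in frames]
    return {
        "ssid_alarms": sum(e["kind"] == "alarm" and e["scope"] == "ssid" for e in mon.events),
        "client_alarms": sum(e["kind"] == "alarm" and e["scope"] == "client" for e in mon.events),
        "bans": sum(e["kind"] == "ban" for e in mon.events),
        "dropped": outcomes.count("dropped"),
        "events": mon.events,
    }


if __name__ == "__main__":
    for event in simulate()["events"]:
        print(event)
```

The design point worth noticing is the order of checks in `observe`: a banned source is rejected before it is counted, so a client that keeps flooding through its ban does not inflate the SSID-level counters, and the per-client window has emptied by the time the ban expires, so a continuing flood is detected and banned again.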

IP Based DoS Prevention Rules For:

SSID: To protect against DoS (Denial of Service) attacks at the IP layer (Layer 3) on the radio channel that an AP uses for SSID access traffic, select SSID. By default, all DoS screening options are disabled. The settings in the IP DoS configuration object apply cumulatively to the total amount of Layer 3 traffic that an AP receives on the access channel for the SSID.

IP DoS Screening Options and Thresholds

The type of screening options and their respective thresholds are described below:

ICMP Flood

When you enable ICMP flood screening, you set a threshold that—when reached or exceeded—causes the AP to perform one of several actions for a specified duration. The threshold is based on the percent of air time that ICMP echo requests (pings) from a single IP address consume per second. The default ICMP flood threshold is reached when 20% of all air time from a single IP address consists of pings. You can change the threshold to any percent from 1 to 100. If you are getting a large number of false alarms, you might want to raise the threshold by increasing the percent. If you suspect that anomalous activity is occurring just below the threshold, you might want to lower the threshold by decreasing the percent.

Note

The threshold is not based on the total number of pings per second from a single IP address but on the total percent of air time that the pings from that IP address consume.

If the percent of pings reaches or exceeds the threshold, the device can take one of several actions.

ICMPv6 Flood

The default value is 20% of Airtime and the range is 1-100% of Airtime.

UDP Flood

When you enable UDP flood screening, you set a threshold that—when reached or exceeded—causes the device to perform one of several actions for a specified duration. The threshold is based on the percent of airtime that UDP datagrams from a single IP address consume per second. The default UDP flood threshold is reached when 50% of all airtime from a single IP address consists of UDP datagrams. You can change the threshold to any percent from 1 to 100. If you are getting a large number of false alarms, you might want to raise the threshold by increasing the percent. If you suspect that anomalous activity is occurring just below the threshold, you might want to lower the threshold by decreasing the percent.

Note

The threshold is not based on the total number of UDP datagrams per second from a single IP address but on the total percent of airtime that the UDP datagrams from that IP address consume.

SYN Flood

When you enable SYN flood screening, you set a threshold that—when reached or exceeded—causes the device to perform one of several actions for a specified duration. The threshold is based on the number of IP packets containing SYN segments (that is, TCP segments in which the SYN flag is set) from a single IP address per second. The default SYN flood threshold is reached when the device detects 1000 IP packets containing SYN segments from a single IP address in one second. You can change the threshold to any number from 1 to 1000000. If you are getting a large number of false alarms, you might want to raise the threshold by increasing the number of packets per second. If you suspect that anomalous activity is occurring just below the threshold, you might want to lower the threshold by decreasing the number of packets per second.

If the number of IP packets containing SYN segments per second reaches or exceeds the threshold, the AP can take one of several actions.

ARP Flood

When you enable ARP flood screening, you set a threshold that—when reached or exceeded—causes the device to perform one of several actions for a specified duration. The threshold is based on the number of ARP requests from a single IP address per second. The default ARP flood threshold is reached when the device detects 100 ARP requests from a single MAC address in one second. You can change the threshold to any number from 1 to 1000000. If you are getting a large number of false alarms, you might want to raise the threshold by increasing the number of ARP requests per second. If you suspect that anomalous activity is occurring just below the threshold, you might want to lower the threshold by decreasing the number of requests per second.

If the number of ARP requests per second reaches or exceeds the threshold, the device can take one of several actions.

Address Sweep

When you enable address sweep screening, you set a threshold that—when reached—causes the device to perform one of several actions for a specified duration. The threshold is reached when the device detects a single IP address sending ICMP echo requests (pings) to 10 different IP addresses in a defined interval. The default interval for an address sweep is 100 milliseconds (0.1 second). You can change the interval to any number from 1 to 10,000 milliseconds (10 seconds). If you are getting a large number of false alarms, you might want to raise the threshold by increasing the interval. If you suspect that anomalous activity is occurring just below the threshold, you might want to lower the threshold by decreasing the interval.

If a single IP address pings at least 10 different IP addresses within x milliseconds, the device can take one of several actions.

IPv6 Address Sweep

The default is 100 ms per 10 packets, and the range is 1-10,000 ms per 10 packets.

Port Scan

When you enable port scan screening, you set a threshold that—when reached—causes the device to perform one of several actions for a specified duration. The threshold is reached when the device detects a single IP address sending IP packets containing SYN segments (that is, TCP segments with the SYN flag set) to 10 different port numbers at the same destination IP address in a defined interval. The default interval for a port scan is 100 milliseconds (0.1 second). You can change the interval to any number from 1 to 10,000 milliseconds (10 seconds). If you are getting a large number of false alarms, you might want to raise the threshold by increasing the interval. If you suspect that anomalous activity is occurring just below the threshold, you might want to lower the threshold by decreasing the interval.

If a single IP address sends SYN segments to at least 10 different port numbers at the same destination IP address within x milliseconds, the device can take one of several actions.

IP Spoof

When you enable IP spoof screening, you set a threshold that—when reached or exceeded—causes the device to perform one of several actions for a specified duration. The threshold is reached when the device detects traffic coming from a defined number of different IP addresses sharing the same MAC address. The default number of different IP addresses per MAC address is 3. You can change the number of different IP addresses from 2 to 10. If you are getting a large number of false alarms, you might want to raise the threshold by increasing the number of different IP addresses per MAC address. If you suspect that anomalous activity is occurring just below the threshold, you might want to lower the threshold by decreasing the number of IP addresses per MAC address.

If the number of IP addresses per MAC address reaches or exceeds the threshold, the device can take one of several actions.

IPv6 Spoof

The default is 6 source IPs per source MAC, and the range is 2 - 10 IPs per source MAC.

RADIUS Attack

When you enable RADIUS attack screening, you set a threshold for an unacceptable number of Access-Reject messages from a RADIUS authentication server in response to requests from a single MAC address within a specified interval. When using IEEE 802.1X authentication, the RADIUS server can receive several Access-Request messages (sometimes more than ten) before it responds with an Access-Accept or Access-Reject message. A bombardment of bogus Access-Request messages can exhaust the resources of a RADIUS server. Even though the server ultimately rejects these requests, processing a large number of them can still affect its performance and ability to respond to valid authentication requests.

The RADIUS attack threshold is reached when the RADIUS server sends 10 Access-Reject messages in response to requests from a single MAC address within a specified interval (the default interval is 5 seconds). You can change the number of seconds for the RADIUS attack threshold interval to any number from 1 to 3600. If you are seeing a large number of false alarms, you might want to raise the threshold by increasing the number of Access-Reject messages per MAC address. If you suspect that anomalous activity is occurring below the threshold, you might want to lower the threshold by decreasing the number of Access-Reject messages per MAC address.

If the number of RADIUS Access-Reject messages per MAC address reaches or exceeds the threshold, the device can take one of several actions.

Enable TCP SYN Check

When enabled, the IP session idle timeout is 10 seconds until the TCP three-way handshake is complete.

IP DoS Response Actions and Durations

Actions and Durations

For each type of screening, you can select one of the following response actions and set the duration for enforcing that response. (For the actions "Disconnect" and "Ban Forever", there is no duration to specify.) You can set the duration to any number from 1 to 1000000 seconds.

Alarm: The device generates an alarm for a specified period of time but continues passing traffic from the source of the suspicious activity. If the condition continues beyond the specified time, the device generates another alarm when the current alarm period ends. The default alarm period lasts 10 seconds.

Drop: When a threshold is reached, the device continues to maintain a connection with the source of the anomalous traffic but drops further packets from the source for a specified period of time. The default length of time for dropping traffic is 1 second.

Disconnect: When a threshold is reached, the device disconnects the wireless link to the source of the suspicious traffic.

Ban: When a threshold is reached, the device disconnects the wireless link to the source of the suspicious traffic and bans further traffic from that source for a specified period of time. The default length of time for banning traffic from a specific source is 3600 seconds (1 hour).

Ban Forever: When a threshold is reached, the device disconnects the wireless link to the source of the suspicious traffic and bans further traffic from that source indefinitely.
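The address sweep, port scan and IP spoof screens differ from the flood screens in that they count distinct things (destination hosts, destination ports, source IPs behind one MAC) inside an interval rather than raw packet volume. The following added example, which is not ExtremeCloud IQ code or anything from this page, implements those three screens with the default thresholds (10 hosts or 10 ports within 100 ms, 3 IPs per MAC) and the response actions and default durations listed above (Alarm 10 s, Drop 1 s, Ban 3600 s, Disconnect and Ban Forever with no duration), then runs them over a constructed packet stream. The packet record layout, the screen names and keying the enforcement on the source MAC are this example's own assumptions.

```python
"""Address sweep, port scan and IP spoof screens with the response actions and
default durations listed above. Added example, not ExtremeCloud IQ code; thresholds
and durations are the page defaults, the packet records are constructed."""
from collections import defaultdict, deque

SWEEP_TARGETS, SWEEP_INTERVAL_S = 10, 0.100   # 10 pinged destinations within 100 ms
SCAN_PORTS, SCAN_INTERVAL_S = 10, 0.100       # 10 SYN'd ports on one host within 100 ms
SPOOF_IPS_PER_MAC = 3                         # distinct source IPs behind one MAC
DURATION_S = {"alarm": 10.0, "drop": 1.0, "ban": 3600.0}   # disconnect / ban_forever: none


def distinct_within(dq, t, interval, item):
    """Append (t, item) and return how many distinct items fall in the trailing interval."""
    dq.append((t, item))
    while t - dq[0][0] > interval:
        dq.popleft()
    return len({x for _, x in dq})


class IpScreen:
    def __init__(self, actions):
        self.actions = actions                 # screen -> alarm | drop | disconnect | ban | ban_forever
        self.pings = defaultdict(deque)        # src_ip -> (t, dst_ip)
        self.syns = defaultdict(deque)         # (src_ip, dst_ip) -> (t, dst_port)
        self.ips_per_mac = defaultdict(set)    # src_mac -> source IPs seen
        self.enforced = {}                     # src_mac -> (action, expiry or None)
        self.alarm_until = {}                  # (screen, src_mac) -> end of current alarm period
        self.events = []

    def _respond(self, t, screen, mac, detail):
        action = self.actions[screen]
        if action == "alarm":
            # Traffic keeps flowing; one alarm per period, re-raised if the condition persists.
            if self.alarm_until.get((screen, mac), 0.0) <= t:
                self.alarm_until[(screen, mac)] = t + DURATION_S["alarm"]
                self.events.append({"t": t, "screen": screen, "mac": mac, "detail": detail})
            return "forward"
        expiry = None if action in ("disconnect", "ban_forever") else t + DURATION_S[action]
        self.enforced[mac] = (action, expiry)
        self.events.append({"t": t, "screen": screen, "mac": mac, "detail": detail, "action": action})
        return action

    def inspect(self, t, src_mac, src_ip, dst_ip, proto, dst_port=None):
        """Verdict for one packet: 'forward', or the response action currently applied."""
        if src_mac in self.enforced:
            action, expiry = self.enforced[src_mac]
            if expiry is None or t < expiry:
                return action
            del self.enforced[src_mac]              # duration elapsed
        self.ips_per_mac[src_mac].add(src_ip)
        if len(self.ips_per_mac[src_mac]) >= SPOOF_IPS_PER_MAC:
            verdict = self._respond(t, "ip_spoof", src_mac, f"{len(self.ips_per_mac[src_mac])} IPs")
            if verdict != "forward":
                return verdict
        if proto == "icmp_echo":
            n = distinct_within(self.pings[src_ip], t, SWEEP_INTERVAL_S, dst_ip)
            if n >= SWEEP_TARGETS:
                return self._respond(t, "address_sweep", src_mac, f"{n} hosts pinged")
        elif proto == "tcp_syn":
            n = distinct_within(self.syns[(src_ip, dst_ip)], t, SCAN_INTERVAL_S, dst_port)
            if n >= SCAN_PORTS:
                return self._respond(t, "port_scan", src_mac, f"{n} ports on {dst_ip}")
        return "forward"


def simulate():
    """Constructed traffic: a ping sweep (Drop), a port scan (Ban) and a spoofing MAC (Alarm)."""
    screen = IpScreen({"address_sweep": "drop", "port_scan": "ban", "ip_spoof": "alarm"})
    verdicts = defaultdict(list)
    # 12 destinations pinged in 55 ms, then one more ping after the 1-second drop period.
    for i in range(12):
        verdicts["sweep"].append(screen.inspect(0.005 * i, "02:00:00:00:00:0a", "10.0.0.5",
                                                f"10.0.0.{100 + i}", "icmp_echo"))
    verdicts["sweep"].append(screen.inspect(2.0, "02:00:00:00:00:0a", "10.0.0.5", "10.0.0.100", "icmp_echo"))
    # 15 SYNs to one host in 56 ms, then a retry 100 s later (still inside the 3600-second ban).
    for p in range(15):
        verdicts["scan"].append(screen.inspect(0.004 * p, "02:00:00:00:00:0b", "10.0.0.6",
                                               "10.0.0.50", "tcp_syn", 20 + p))
    verdicts["scan"].append(screen.inspect(100.0, "02:00:00:00:00:0b", "10.0.0.6", "10.0.0.50", "tcp_syn", 80))
    # One MAC using five source IPs; the condition persists past the 10-second alarm period.
    for k, t in enumerate([1.0, 1.5, 2.0, 3.0, 20.0]):
        verdicts["spoof"].append(screen.inspect(t, "02:00:00:00:00:0c", f"10.0.0.{7 + k}",
                                                "10.0.0.1", "udp", 53))
    return dict(verdicts), screen.events


if __name__ == "__main__":
    for name, v in simulate()[0].items():
        print(name, v)
```

Because the windows are keyed per source and enforcement per MAC, the three scenarios can be fed in any order; in a real capture the timestamps would be monotonic anyway.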

Enable MAC Based Filters: Use one or more previously defined MAC filters to filter the traffic arriving on the access radio channel for this SSID—by source MAC address or OUI (organizationally unique identifier, described in MAC Objects and MAC OUIs). For example, you might set MAC filters to permit wireless traffic coming only from the MAC addresses of a certain group of laptops or from the MAC OUI of a certain type of VoIP phone.

To apply a MAC filter to the SSID, select , and select an existing MAC OUI, and then select Add to permit or deny traffic. If you do not see a MAC filter that you want to use, select and define a new one.

Default Action: Define the default action to apply to clients whose MAC address or MAC OUI does not match one of the selected filters. Choose Permit to allow traffic from clients that do not match one of the selected filters, or choose Deny to block traffic from clients that do not match any of the selected MAC filters.

Note that each MAC filter either permits or denies traffic from the specified MAC address or OUI. You can use the action specified in the first filter that you add to determine the default filtering action and which other MAC filters you add. For example, if the action in the first filter you add is "Permit", then make the default filtering action for traffic arriving on the access radio channel "Deny"; that is, an AP only permits traffic originating from the MAC address or MAC OUI specified in the MAC filter, and it denies traffic from all other sources. Because the default action is to deny traffic, you might want to add only other MAC filters that permit traffic to the list of MAC filters for the SSID. Similarly, if the action in the first filter is "Deny", then make the default filtering action "Permit" and only add additional MAC filters that also deny traffic from specific MAC addresses or OUIs.
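The following Python is an added example of the MAC-filter evaluation just described (permit or deny by full MAC address or by OUI, with a default action for everything unmatched); it is not ExtremeCloud IQ code and the device's own matching order is not documented on this page, so first-match-wins is an assumption. It also flags filters whose action merely repeats the default, which the guidance above says to avoid. The OUI, addresses and names used are constructed and do not refer to a real vendor assignment.

```python
from dataclasses import dataclass
from typing import List, Sequence

HEX = set("0123456789abcdef")


def _hex_digits(value: str) -> str:
    """Keep only hex digits, lower-cased, so 02-AA-BB, 02aabb and 02:aa:bb compare equal."""
    return "".join(ch for ch in value.lower() if ch in HEX)


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form; rejects anything that is not 12 hex digits."""
    digits = _hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class MacFilter:
    pattern: str   # a full MAC address (12 hex digits) or an OUI (the first 6 hex digits)
    action: str    # "permit" or "deny"

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {self.action!r}")
        if len(_hex_digits(self.pattern)) not in (6, 12):
            raise ValueError(f"pattern must be an OUI or a full MAC: {self.pattern!r}")

    def matches(self, mac: str) -> bool:
        """An OUI pattern matches on the first three octets, a full pattern on all six."""
        digits = _hex_digits(normalize_mac(mac))
        pattern = _hex_digits(self.pattern)
        return digits[:len(pattern)] == pattern


def evaluate(mac: str, filters: Sequence[MacFilter], default_action: str) -> str:
    """Return 'permit' or 'deny' for a frame's source MAC. Assumption: the first
    matching filter decides; otherwise the SSID's default action applies."""
    if default_action not in ("permit", "deny"):
        raise ValueError("default action must be permit or deny")
    for f in filters:
        if f.matches(mac):
            return f.action
    return default_action


def redundant_filters(filters: Sequence[MacFilter], default_action: str) -> List[MacFilter]:
    """Filters whose action equals the default change nothing unless they shadow a
    later, broader filter; list them so the policy stays as simple as the guidance above."""
    return [f for f in filters if f.action == default_action]


# Constructed allowlist: one phone OUI and one specific laptop are permitted, all else denied.
VOIP_PHONE_OUI = "02:aa:bb"            # constructed OUI, not a real vendor assignment
ALLOWED_LAPTOP = "02:cc:dd:ee:ff:01"   # constructed address
SAMPLE_FILTERS = [MacFilter(VOIP_PHONE_OUI, "permit"), MacFilter(ALLOWED_LAPTOP, "permit")]
DEFAULT_ACTION = "deny"

if __name__ == "__main__":
    for probe in ("02:AA:BB:12:34:56", "02-cc-dd-ee-ff-01", "02:cc:dd:ee:ff:02"):
        print(probe, "->", evaluate(probe, SAMPLE_FILTERS, DEFAULT_ACTION))
```

Because the default is "deny", every filter in the list permits; a "deny" filter for a single laptop added to this list is reported as redundant, matching the advice above to add only permit filters when the default is deny.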

Traffic Filters

In this section, you can control which management and diagnostic services an AP is permitted to receive and whether it allows traffic between clients connected to the AP by selecting traffic filters. By default, APs allow SSH (Secure Shell), pings to access the mgt0 interface, and inter-station traffic.

To permit specific types of management and diagnostic access to the Mgt0 interface and allow traffic between clients connected to the AP, select the appropriate check boxes. Clear the check boxes to deny access.

Enable SSH: Permits an SSH connection to the mgt0 interface. By default, access to mgt0 for SSH traffic is enabled.

Enable Telnet: Permits a Telnet connection to the mgt0 interface. By default, access to mgt0 for Telnet traffic is disabled.

Enable Ping: Permits ICMP echo requests (pings) to reach the mgt0 interface. By default, access to mgt0 for ping traffic is enabled.

Enable SNMP: Permits an SNMP (Simple Network Management Protocol) connection to the mgt0 interface. By default, access to mgt0 for SNMP traffic is disabled.

Enable Inter-station Traffic: Permits traffic between stations connected to one or more access interfaces on the AP. Clear the check box to disable it. If inter-station traffic is disabled on an interface, stations connected to the AP through that interface cannot send traffic to or receive traffic from other stations connected to the AP, whether through the same interface or a different one. By default, traffic between stations is enabled.

Note

When an Ethernet interface is in access mode, stations can communicate directly with each other without sending traffic through the AP. In this case, the AP cannot control their traffic; however, the AP can block traffic between stations connected to an Ethernet interface and stations connected to a wireless interface through an SSID.

Apply User Profile As Specified By

In cases where different components in the SSID reference different user profiles, you can specify which one you want to apply to user traffic. For example, in addition to the user profile that you specify in an SSID profile for traffic management, the SSID might also include MAC authentication and a captive web portal with user authentication—and each of the latter two authentication mechanisms can also invoke user profiles from returned RADIUS server attributes or the default user profile set for the SSID. By default, an AP applies user profiles in the following order (the last one is what the AP ultimately applies to user traffic):

First, the AP applies the user profile indicated by attributes returned by a RADIUS server performing MAC authentication.

Second, the AP applies the user profile specified in an SSID for traffic management. This overrides the first user profile.

Third, the AP applies the user profile indicated by attributes returned from a RADIUS server when a captive web portal requires user authentication. This user profile overrides both the first and second profiles.

However, if you want to give priority to a user profile by applying it later in the sequence, you can do so by reordering them.

Voice Enterprise

The Extreme Networks Voice Enterprise feature offers several controls to fine-tune the ability of the network to handle voice traffic, allowing you to combine radio resource measurement (802.11k), WMM-AC (Wireless Multimedia-Admission Control), wireless network management (802.11v), and fast BSS transition (802.11r) into a customizable, comprehensive, and responsive network well suited to voice traffic.

Extreme Networks uses radio resource management (802.11k) to monitor the performance of the network with respect to the RF environment, such as noise, channel load, and station statistics. Using 802.11k, Extreme Networks devices can collect information and make intelligent decisions about client roaming and channel usage.

Extreme Networks uses a similar technology, wireless network management (802.11v), to allow clients to share information regarding the WLAN environment, including maintaining a list of neighbors. Sharing information in this way allows wireless devices to make real-time adjustments to the WLAN to optimize network performance. Location services are more accurate under 802.11v because stations can use the frame TOA (time of arrival) to determine relative positions of one another.

Fast BSS transition (802.11r) is also part of the Extreme Networks implementation of Voice Enterprise. Fast BSS transition introduces streamlined hand-off protocols by requiring stations to establish the QoS state and to negotiate encryption keys before the transition occurs. This way, when the transition occurs, there are no delays due to renegotiation of the keys and QoS assignment.

Enable Voice Enterprise: Select to enable all options that are required for full Voice Enterprise support. However, this feature is not supported on AP110, AP120, AP170, AP1130, AP320, AP340, AP370 and AP390.

Custom: Select one or all of the following:

Enable 802.11k (Radio Resource Measurement of Wireless LANs): Select to enable the Extreme Networks devices to monitor the RF environment and network performance to help manage network usage and client roaming.

Enable 802.11v (IEEE 802.11 Wireless Network Management): Select to enable network devices and clients to share information such as location and neighbor information.

Enable 802.11r (Fast BSS Transition): Select to optimize roaming by forcing stations to forward QoS state and encryption keys preemptively.

Because ExtremeCloud IQ selects the 802.11k/r/v options when you enable Voice Enterprise, the 802.11k/r/v option disappears from the GUI interface. Despite being invisible, the 802.11k/r/v options are enabled. If you do not enable Voice Enterprise explicitly, you can still select 802.11k, 802.11v, and 802.11r separately when you select Custom. This approach has the same effects as selecting Voice Enterprise.

To enable Voice Enterprise or 802.11r, the SSID must be configured to use WPA2 key management.

WMM

By default, Extreme Networks devices support WMM® (Wi-Fi Multimedia™) traffic prioritization and advertise such support in the beacons they transmit. Leave the check box selected to enable support of WMM-marked frames for traffic categorization and QoS (Quality of Service) purposes.

In addition to using WMM for QoS, 802.11n HT (High Throughput) aggregation mechanisms such as block acknowledgments (block ACKs) rely on the WMM Traffic Identifier (TID) subfield in frame headers to function. To provide HT for 802.11n wireless clients, keep the check box selected. Otherwise, the maximum link rate for all clients, including those that support 802.11n, will be 54 Mbps.

You can disable WMM functionality if the SSID needs to support wireless devices, such as some older VoIP phone models, that are incompatible with the Extreme Networks WMM implementation. To disable WMM, clear the check box.

Note

Disabling WMM affects both 802.11n and 802.11ac clients by preventing connections operating at data rates higher than 54 Mbps. For most implementations, including those with 802.11n and 802.11ac clients, make sure to enable WMM.

On the AP121, AP141, AP330, and AP350, WMM-AC uses QoS controls and bandwidth management techniques to augment existing WMM capabilities. It does this by monitoring the channel conditions and load to determine whether a device can support the traffic requested to be transmitted. If the device determines that the current channel conditions cannot support the extra traffic, then it will deny the traffic, causing the transmitting station to seek another path. If the channel conditions are determined to be healthy enough to support the extra traffic, then the device allows the traffic. In this way, WMM-AC prevents voice degradation due to channel conditions and management.

Enable WMM: Select to enable Wi-Fi Multimedia™ to prioritize network traffic.

Voice: Select to enable admission control algorithms for voice traffic.

Video: Select to enable admission control algorithms for video traffic.

Enable Unscheduled Automatic Power Save Delivery: Select to allow stations to request queued traffic at any time, rather than receiving queued traffic scheduled with the beacon.

Convert IP Multicast to Unicast

Video streaming typically makes use of multicasting as its transport. With multicasting, a data stream from a single source reaches multiple subscribers identified by their multicast group IP address. These subscribers notify their network routers and switches when they belong to a particular group and are interested in receiving data. When a router or switch receives such a notification, it then forwards any multicast stream for that group onto the network segment from which it received the notification. If there are no subscribers on a particular segment, the forwarding device stops transmitting the stream to conserve bandwidth.

On a wireless network, data transmitted by multiple stations on the same RF channel in an overlapping area must share the same physical transportation resource: the available airtime. When an access point transmits unicast traffic, it uses a rate-adaptation algorithm to determine the fastest data rate at which it can communicate with each station. When transmitting multicast traffic, the access point must choose the best data rate all the group members can support. If one group member has a slow connection, the access point must transmit at that speed to all group members. This not only slows down data transmissions to other members with stronger connections, it also uses up more airtime that otherwise would be available for use by other wireless stations in the area.

To reduce unnecessary airtime usage for multicast transmissions, an Extreme Networks device can convert multicast frames to unicast frames under certain conditions or at all times, and it can also drop multicast frames when there are no group members present to receive them. In addition to reducing airtime usage, another benefit of using unicast traffic is the increased reliability of video delivery. If a wireless client does not receive a unicast frame and does not reply with an ACK, the access point will retransmit it. However, multicast traffic does not support wireless frame delivery confirmation as unicast traffic does.

When an Extreme Networks device is enabled to convert multicast frames to unicast, it performs the conversion when the percent of channel usage exceeds a specified threshold or when the number of multicast group members drops below a specified threshold.

Auto: The Extreme Networks device converts multicast frames to unicast when either the channel utilization condition or the membership count condition is met.

Always: The Extreme Networks device makes the conversion unconditionally.

Disable: The Extreme Networks device does not use the multicast-to-unicast conversion feature, but instead follows the standard 802.11 behavior for sending multicast frames.

Channel utilization threshold: By default, the channel utilization threshold is 60%. You can change the channel utilization threshold from 1 to 100% for the SSID.

Membership count threshold: By default, the membership count threshold is 10. You can change the membership count threshold from 1 to 30 for the SSID.
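To make the airtime argument above concrete, the following Python is an added example (not Extreme Networks code) that compares the airtime of one multicast frame with that of the per-member unicast frames it would be converted into, and applies the Auto/Always/Disable modes with the channel utilization and membership count thresholds. Two assumptions are labelled in the code: multicast goes out at the SSID's lowest basic rate (the rate every client must support, per the Radio and Rates section), and preamble and MAC overhead are ignored so only the rate difference is shown; the frame size and member rates are constructed.

```python
from typing import Sequence

FRAME_BYTES = 1500   # constructed: an MTU-sized video frame payload


def airtime_us(frame_bytes: int, rate_mbps: float) -> float:
    """Payload airtime in microseconds at a PHY rate. Assumption: preamble and
    MAC/PHY overhead are ignored, so only the rate difference is compared."""
    return frame_bytes * 8 / rate_mbps


def multicast_airtime_us(frame_bytes: int, basic_rate_mbps: float) -> float:
    """Multicast is sent once, at the lowest basic rate of the SSID (assumption:
    that is the rate every associated client is required to support)."""
    return airtime_us(frame_bytes, basic_rate_mbps)


def unicast_airtime_us(frame_bytes: int, member_rates_mbps: Sequence[float]) -> float:
    """After conversion the frame goes once to each member at that member's own rate."""
    return sum(airtime_us(frame_bytes, rate) for rate in member_rates_mbps)


def break_even_members(member_rate_mbps: float, basic_rate_mbps: float) -> float:
    """Group size at which n unicasts at member_rate cost the same airtime as one
    multicast at basic_rate: n / r = 1 / b  ->  n = r / b. Below it, unicast is cheaper."""
    return member_rate_mbps / basic_rate_mbps


def decide(mode: str, channel_util_pct: float, member_count: int,
           util_threshold: int = 60, member_threshold: int = 10) -> str:
    """What happens to one multicast frame: 'unicast', 'multicast' or 'drop'.
    Defaults and ranges follow the settings above; the drop of frames with no
    group members is applied in Auto and Always mode (an interpretation)."""
    if mode not in ("auto", "always", "disable"):
        raise ValueError(f"unknown mode {mode!r}")
    if not 1 <= util_threshold <= 100:
        raise ValueError("channel utilization threshold must be 1..100 percent")
    if not 1 <= member_threshold <= 30:
        raise ValueError("membership count threshold must be 1..30")
    if mode == "disable":
        return "multicast"            # standard 802.11 behaviour, always sent
    if member_count == 0:
        return "drop"                 # nobody subscribed on this radio
    if mode == "always":
        return "unicast"
    if channel_util_pct > util_threshold or member_count < member_threshold:
        return "unicast"
    return "multicast"


if __name__ == "__main__":
    rates = [54.0, 54.0, 24.0]        # constructed: three members, one on a weaker link
    print("multicast at 6 Mbps:", multicast_airtime_us(FRAME_BYTES, 6.0), "us")
    print("unicast to members: ", round(unicast_airtime_us(FRAME_BYTES, rates), 1), "us")
    print("break-even group size at 54 vs 6 Mbps:", break_even_members(54.0, 6.0))
    print("auto, 70% busy, 3 members:", decide("auto", 70, 3))
```

With three members the unicast copies together take about half the airtime of one multicast at 6 Mbps, and the break-even calculation shows the group size (nine members at 54 Mbps versus a 6 Mbps basic rate) beyond which multicast becomes the cheaper choice, which is the reason the Auto mode keys on a membership count threshold.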

Client Related Network Settings

In this section, you define client usage parameters controlling how devices in the SSID transmit data, parameters determining how neighboring Extreme Networks devices exchange information with each other, and the maximum number of clients that the SSID supports.

Maximum client limit: Set the maximum number of clients that can associate with an SSID on an Extreme Networks device. The default is 100 clients, which is the maximum number of clients that a single radio supports. You can change this to another maximum between 1 and 255. For example, if you want one SSID to be able to serve a certain number of clients—say 40—you can limit all the other SSIDs on that radio so that the sum of their maximum client settings does not exceed 60. Doing so thus ensures that the first SSID is able to serve 40 clients before the 100-client per radio maximum is reached.

After the maximum number of clients for an SSID is reached, the Extreme Networks device rejects new association requests on the SSID. The rejected clients then scan for another access point with which they can associate.

Inactive client ageout: Set the length of time to age out inactive clients and automatically disassociate them. By default, Extreme Networks devices age out a client after five minutes of inactivity. You can change the period of inactivity required to trigger an AP to age out a client from 1 to 30 minutes.

RTS threshold: The RTS (request-to-send) threshold indicates the minimum packet size to trigger an RTS/CTS (request-to-send/clear-to-send) exchange. Before any device in the SSID sends a packet larger than the RTS threshold, it must first send an RTS frame and receive a CTS frame from the intended recipient of the packet in response. All other stations within range of the RTS and CTS frames refrain from transmitting data for the duration specified in the control frames. (If the stations detect an RTS frame but not a CTS frame, they need not restrain their activities.) The purpose of this exchange is to reserve the medium and thereby reduce collision interference.

The default RTS threshold is 2346 bytes. You can change the threshold from 1 to 2346 bytes.

Fragment threshold: The fragment threshold indicates the minimum packet size to begin fragmenting packets before transmitting them. If there is a high level of interference, smaller packet sizes can reduce the need to retransmit packets and improve performance.

The default fragment threshold is 2346 bytes. You can change the threshold from 256 to 2346 bytes.

Note

Setting the fragment and RTS thresholds to the same size is commonly done.

DTIM settings: Extreme Networks devices include DTIM (delivery traffic indication messages) in beacons at scheduled intervals. DTIMs indicate if there is buffered broadcast and multicast traffic awaiting delivery to associated stations in power-save mode. TIMs—traffic indication messages—are also in beacons and indicate if there is buffered unicast traffic awaiting delivery to stations in power-save mode. TIMs are included in every beacon. DTIMs are included in beacons according to the DTIM period that you set.

A common DTIM setting to support devices in power-save mode is to send DTIMs in every beacon or in every second or third beacon. For example, setting the DTIM to be in every third beacon would create a pattern like this: beacon(DTIM)—beacon—beacon—beacon(DTIM)—beacon—beacon—beacon (DTIM) and so on. This allows idle stations in power-save mode to doze longer and conserve more battery life.

However, setting a shorter interval for DTIMs, such as in every beacon or in every second beacon, helps increase the time a client is available to receive broadcast and multicast traffic and thereby improves performance. By default, an Extreme Networks device sends DTIMs every beacon. If you want to increase the DTIM setting to improve battery life of these devices or shorten it to deliver buffered broadcast and multicast traffic more frequently, you can change the DTIM interval from 1 to 255.

Note

Any station in power-save mode that associates with the AP adopts the interval that the AP announces in its beacons. Idle stations "doze" to conserve energy and "wake" periodically to check if there is any new traffic. A station can lightly doze, waking up to check every TIM, or it can deeply doze, waking up to check each DTIM. When the station learns of buffered traffic awaiting transmission, it sends the AP a ps-poll frame to elicit it.

Roaming Cache Settings

When using 802.1X authentication, the RADIUS authentication server sends the wireless client (or supplicant) a master key from which the client derives a PMK (pairwise master key). Using the same computations as the client, the RADIUS server derives an identical PMK and sends that to the access point (authenticator). When using WPA/WPA2 PSK (Personal) for access security, the preshared key acts as the PMK.

The client and access point then perform a four-way handshake, using the PMK to establish a PTK (pairwise transient key). Next, they use that PTK to encrypt unicast traffic between themselves. The access point also makes a GMK (group master key) from which it derives a GTK (group temporal key) for encrypting and decrypting broadcast and multicast traffic. Using the secure connection established for unicast traffic, the access point sends the GTK to the client.

Every time a wireless client using 802.1X authentication sends an association request to an access point, it includes a PMK (pairwise master key) ID list. When a client initially associates with an access point, the list is empty. When the client roams and sends a reassociation request to a new access point, the PMK ID list can contain the PMK ID from the first association, a new PMK ID based in part on the MAC address of the new access point (which the client learned from its beacon), or another empty list. The new access point then searches its PMK ID list for a match with the PMK ID that the client sends. If it finds a match, it uses that PMK when performing another four-way handshake to establish a new PTK. If it does not find a match, then the client, access point, and authentication server must go through the entire 802.1X authentication sequence again.

APs keep PMKs that their neighbors send them in their roaming cache. The following settings control how often Extreme Networks devices send roaming cache updates to their neighbors and when to age out and remove old entries from the roaming cache.

Roaming cache update interval: By default, an Extreme Networks AP sends updates to its neighbors about the clients currently associated with it every 60 seconds. The neighboring APs use this information to update their roaming caches—if necessary—with the most up-to-date client information from their neighboring APs. You can change the frequency for sending roaming cache updates to neighbors from 10 to 36,000 seconds (10 hours).

Roaming cache ageout: By default, an Extreme Networks device removes an entry from its roaming cache if it is absent from 60 consecutive updates from a neighbor. You can change how many times an entry must be absent from a neighbor's updates before removing it from the roaming cache from just once to 1000 consecutive times.

Note

To calculate the length of time required for a PMK to age out, multiply the update interval by the ageout value. Using the default settings 60 seconds (interval) x 60 (absences), a PMK ages out after 60 minutes.
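The following Python is an added example, not Extreme Networks code, that ties together the PMK ID matching described under Roaming Cache Settings and the update-interval and ageout arithmetic in the note above. The PMKID derivation it uses is the one defined by IEEE 802.11 (HMAC-SHA1-128 over the string "PMK Name", the AP address and the client address), which is why only a PMKID computed for the new AP's own MAC can match; the roaming-cache class, the neighbour-update handling, the addresses and the PMK bytes are constructed for the example, and whether the device tracks absences per neighbour exactly this way is not documented here.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) per IEEE 802.11,
    where AA is the authenticator (AP) address and SPA the supplicant (client) address."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


@dataclass
class CacheEntry:
    pmk: bytes
    learned_from: str    # neighbour AP whose update delivered the PMK
    absences: int = 0    # consecutive updates from that neighbour not listing the client


@dataclass
class RoamingCache:
    """Constructed model of one AP's roaming cache, keyed by client MAC."""
    own_mac: str
    update_interval: int = 60    # seconds between neighbour updates (10..36000)
    ageout: int = 60             # consecutive absences before removal (1..1000)
    entries: Dict[str, CacheEntry] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 10 <= self.update_interval <= 36000:
            raise ValueError("update interval must be 10..36000 seconds")
        if not 1 <= self.ageout <= 1000:
            raise ValueError("ageout must be 1..1000 absences")

    def ageout_seconds(self) -> int:
        """Lifetime of a PMK once a neighbour stops reporting it: interval x absences."""
        return self.update_interval * self.ageout

    def learn(self, neighbor_mac: str, client_mac: str, pmk: bytes) -> None:
        self.entries[client_mac.lower()] = CacheEntry(pmk, neighbor_mac.lower())

    def neighbor_update(self, neighbor_mac: str, clients_present: Iterable[str]) -> None:
        """Apply one periodic update from a neighbour: entries it still lists are
        refreshed, the others count an absence and are removed at the ageout limit."""
        neighbor_mac = neighbor_mac.lower()
        present = {c.lower() for c in clients_present}
        for client, entry in list(self.entries.items()):
            if entry.learned_from != neighbor_mac:
                continue
            if client in present:
                entry.absences = 0
            else:
                entry.absences += 1
                if entry.absences >= self.ageout:
                    del self.entries[client]

    def reassociate(self, client_mac: str, pmkid_list: List[bytes]) -> str:
        """'fast' if a cached PMK matches a PMKID the client sent (only the 4-way
        handshake follows), otherwise 'full' (complete 802.1X authentication)."""
        entry = self.entries.get(client_mac.lower())
        if entry is not None:
            expected = pmkid(entry.pmk, self.own_mac, client_mac)
            if any(hmac.compare_digest(expected, c) for c in pmkid_list):
                return "fast"
        return "full"


# Constructed addresses and key material; not real devices or a real PMK.
AP1, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
CLIENT = "02:11:22:33:44:55"
PMK = hashlib.sha256(b"constructed demo PMK").digest()   # 32 bytes, the size of a real PMK


def roam_scenario() -> Dict[str, object]:
    """Client authenticated at AP1 roams to AP2 under the default cache settings."""
    cache = RoamingCache(own_mac=AP2)
    cache.learn(AP1, CLIENT, PMK)                  # AP1's update carried the client's PMK
    result: Dict[str, object] = {
        "with_new_pmkid": cache.reassociate(CLIENT, [pmkid(PMK, AP2, CLIENT)]),
        "empty_list": cache.reassociate(CLIENT, []),
        "old_ap_pmkid_only": cache.reassociate(CLIENT, [pmkid(PMK, AP1, CLIENT)]),
        "ageout_seconds": cache.ageout_seconds(),
    }
    for _ in range(cache.ageout - 1):              # client drops out of AP1's updates
        cache.neighbor_update(AP1, [])
    cache.neighbor_update(AP1, [CLIENT])           # one update listing it resets the count
    for _ in range(cache.ageout - 1):
        cache.neighbor_update(AP1, [])
    result["after_refresh"] = cache.reassociate(CLIENT, [pmkid(PMK, AP2, CLIENT)])
    cache.neighbor_update(AP1, [])                 # the 60th consecutive absence
    result["after_ageout"] = cache.reassociate(CLIENT, [pmkid(PMK, AP2, CLIENT)])
    return result


if __name__ == "__main__":
    for name, value in roam_scenario().items():
        print(f"{name}: {value}")
```

The scenario shows the three outcomes the text lists: a PMKID computed for the new AP gives a fast reassociation, an empty list or a PMKID that belongs to the old AP forces full 802.1X, and an entry absent from 60 consecutive neighbour updates (60 minutes at the default interval) is gone, while a single update that still lists the client resets the count.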

You can modify the roaming cache settings here for an SSID, where they apply to clients that use this SSID, or at the hive level, where they apply to all clients. The following rules govern when one setting overrides the other:

If you leave the SSID-level roaming cache settings at their default values but change them for the hive, then the AP applies the hive-level settings.

If you change the roaming cache settings for an SSID, then the AP applies those settings to clients using that SSID whether or not you change the hive-level settings.

Ignore broadcast probe requests: Select the check box to enable Extreme Networks devices hosting this SSID to ignore probe requests that wireless clients broadcast. A client broadcasts probe requests to discover available SSIDs within range. If the SSID is already configured on a client, it does not need to broadcast probe requests to learn it. Clear the check box to enable APs hosting this SSID to respond to broadcast probe requests with information about the SSID. By default, this check box is cleared.

Select Save and then Next to apply your network policy to selected Extreme Networks devices. To deploy your network policy, select Upload.

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.