| Network Name |
Enter a unique, user-friendly value that makes sense
for your business. Example: Staff |
| SSID |
Enter a character string to identify the wireless network. Maximum 32
characters. Upper and lowercase allowed. Example: PermanentStaff |
| Hotspot |
The following values are
valid for hotspot configuration:
- Disabled. Hotspot
functionality is not enabled. Default value.
- Enabled. Hotspots
are enabled for this WLAN.
- Privacy is
set by default to WPA.
- You must
configure Protected Management Frame (PMF).
- The authentication method
is set to AAA with External RADIUS Server. You can configure MBA, if
required.
- Auth Type is
WPA2-Enterprise (802.1x/EAP)
- You must disable the
Advanced network setting Client-Client
Communication.
- WBA
OpenRoaming. This associates the device with the OpenRoaming
profile. For more information, see Configure Hotspot for WBA OpenRoaming.
- OSU. Enables the
definition of Online Sign Up or OSEN WLAN. When configuring Online Signup for
the hotspot, you must configure a separate OSU WLAN. Then, specify that WLAN
on the Online Signup tab. Configure the policy and topology assigned to the
OSU WLAN to allow access only to the OSU server. No access to the internet.
Valid Auth Type values for OSU Hotspot are:
- Open
- WPA2-Enterprise
(802.1x/EAP)
Note: You must
specify a AAA policy when configuring OSU for Hotspot.
Note: After you have defined a WLAN
service with a hotspot, you cannot disable the hotspot. You can only delete the
WLAN service and recreate it.
For more information, see Hotspot.
|
| Status |
Enable or disable the network service. Disabling the network service
shuts off the service but does not delete it. |
| AuthType |
Define the
authorization type. Valid values are:
- Open —Anyone is authorized to use the network. This authorization
type has no encryption. The Default Auth role is the only supported policy
role.
- OWE — Opportunistic Wireless Encryption (OWE) offers security to open
networks, ensuring that traffic between an AP and a client is encrypted. Other clients
can sniff and record traffic, but cannot decrypt it.
- WEP —
Static Wired Equivalent Privacy (WEP) offers keys for a selected network, that match the
WEP mechanism used on the rest of the network. Each AP can participate in up to 50
networks. Specify one WEP key per network. This option is offered to support legacy
APs. See Privacy Settings for WEP.
- WPA2 with PSK —
Network access is allowed to any client that knows the pre-shared key (PSK). All data
between the client and the AP is AES encrypted using the shared secret. Privacy is based
on the IEEE standard, and privacy settings are editable. If MAC-based authentication
(MBA) is enabled, you can assign different roles to different devices with a PSK because
MBA distinguishes between different devices. If MBA is not enabled, then devices with a
PSK use the Default Auth role only. See Privacy Settings for WPA2 with PSK.
- WPA2 Enterprise w/
RADIUS — Supports 802.1X authentication with a RADIUS server, using AES encryption. This
method can be used with client certificate-based authentication (EAP-TLS). All 802.1X
protocols are supported.
Two-stage authentication is supported offering a combination of
MAC-Based (MBA) authentication and WPA2-Enterprise (802.1x/EAP). The wireless client
is first authenticated using MBA and then, in stage 2, the client authenticates with
WPA2-Enterprise (802.1x/EAP).
Note: Captive Portal is not
supported when using WPA2 Enterprise w/ RADIUS. An exception is Centralized Web Authentication
(CWA). CWA captive portal supports WPA2 Enterprise w/ RADIUS.
See Privacy Settings for WPA2 Enterprise with RADIUS.
- WPA3 -
Personal — 128-bit encryption.WPA3 uses a pre-shared key (PSK) and Simultaneous
Authentication of Equals (SAE) or Hash-to-Element (H2E). WPA3 offers an augmented
handshake and protection against future password compromises. See Settings for WPA3 Personal with SAE and H2E.
- WPA3-Compatibility — Option for mixed deployments of 802.11ax
APs and older AP models. For use when WPA2 and WPA3 are configured on the same network.
Clients that support either WPA3 Personal or WPA2 Personal can connect to this network
at the same time and on the same SSID. If you are unsure which method your device
supports, use WPA3-Compatibility. Note: When a device is assigned to 6 GHz radio, only
WPA3 Personal is assigned. See Settings for WPA3 Personal with SAE and H2E.
- WPA3-Enterprise
— WPA2-Enterprise with Protected Management Frames (PMF). This option requires and
enforces PMF enablement. The TKIP-CCMP option is disabled. For more information see,
Settings for WPA3 Enterprise.
- WPA3-Enterprise (192-bits) — WPA3-Enterprise with 192-bit security protocols (at a minimum) and
cryptographic tools to better protect sensitive data. For more information, see WPA3-Enterprise with 192-bit mode.
Note:
The World-Wide Universal Access Points 6 GHz radios support only the following Wi-Fi
Alliance (WFA) 6E Compliant network authentication methods:
- OWE (Opportunistic Wireless Encryption)
for Open Networks
- WPA3-Personal
- WPA3-Enterprise
- WPA3-Enterprise 192-bit
mode
- WPA3-Compatibility
Note: WPA3-Compatibility is
not WFA compliant.
WPA3-Compatibility supports both WPA2 Personal and WPA3 Personal on the same network.
If a WPA3-Compatibility network is assigned to 6 GHz radio, only WPA3 Personal is
assigned, thus making the network compliant.
ExtremeCloud IQ
Controller
requires that your 6 GHz radio network assignment be WFA 6E compliant. It rejects network
configuration changes that result in 6 GHz radio network assignments that are not compliant.
It might be necessary to redefine your networks when configuring the 6 GHz radio on the Universal Access
Points.
A green icon displays on the user interface when the Auth
Type is 6E WFA Compliant.
|
| Enable Captive Portal |
Check this option to enable captive portal support
on the network service. |
| Captive Portal Type |
See Captive Portal Settings. |
| MAC-based Authentication |
The following
parameter displays when MAC-based Authentication is enabled:
- MBA Timeout Role.
Select the role that will be assigned to a wireless client during MAC-based
authentication (MBA) if the RADIUS server access request times out. If no MBA
Timeout Role is selected, then a RADIUS server timeout is treated like an
Access-Reject, which prevents the client from accessing the network. Other
options:
 — create a new role — edit role — delete role
- Two-stage authentication is supported offering a combination of
MAC-Based (MBA) authentication and WPA2-Enterprise (802.1x/EAP). The wireless client
is first authenticated using MBA and then, in stage 2, the client authenticates with
WPA2-Enterprise (802.1x/EAP).
|
| Authentication Method |
Displayed after Captive
Portal or MBA is selected.Select from the
following authentication values:
- Default. Select Configure Default
AAA.
- Proxy RADIUS (Failover).
Configure up to 4 RADIUS servers for redundancy.
- Proxy RADIUS (Load
Balance). Configure up to 4 RADIUS servers for load balancing.
- Local. Look up in the local
password repository.
- LDAP. Look up on a remote
LDAP server. This option enables LDAP Configuration.
|
| AAA Policy |
Select a AAA policy or select to add
a new policy. Alternatively, you can select to
edit an existing policy. To see the list of configured AAA policies, go to
. This option is not displayed for WLAN Networks that do not
require authentication or authorization. The value Local Onboarding refers to RADIUS
requests that are directed through the ExtremeCloud IQ
Controller. Local Onboarding is the default value for WLAN Networks configured
for Internal Captive Portal. AAA Policy can only be configured for WLAN Networks requiring
MACAUTH, External Captive Portal, or EAP.
Note: Specify a AAA policy when configuring OSU for
Hotspot.
|
| Default AAA
Authentication Method |
Indicates the
default authentication method that is configured when you select
Configure Default AAA. |
| Primary RADIUS |
IP address of primary RADIUS server. |
| Backup RADIUS |
IP address of backup RADIUS server. |
| LDAP
Configuration |
Lightweight
Directory Access Protocol. Select a configuration or select the plus sign to add a
new configuration. |
| Authenticate
Locally for MAC |
Authenticate the MAC address on ExtremeCloud IQ
Controller. Do not authenticate MAC address on the RADIUS server.
This setting is not available when you have selected Default as the
Authentication Method. |
| Default UnAuth
Role |
The default network policy roles for
an unauthenticated client. Select a role from the list. Other options:
- — create a new role
- — edit selected role
- — delete selected role
|
| Default Auth
Role |
The default
network policy roles for an authenticated client. Select a role from the list.
Other options:
- — create a new role
- — edit selected role
- — delete selected role
Select the policy role as the default authentication policy role.
Typically, Enterprise
User is the Default Auth Role. You can select any of the configured roles.
To configure a new role:
- Go to .
- Go to and edit a policy rule, specifying Default Auth Role in the
Accept Policy field.
|
| Default
VLAN |
The default network topology. A topology can be thought of as a VLAN
(Virtual LAN) with at least one egress port, and optionally include: sets of services,
exception filters, and multicast filters. Examples of supported topology modes are Bridged
at AP and Bridged at AC. Select a VLAN from the list. Other options:
- — create a new VLAN
- — edit selected VLAN
- — delete selected VLAN
|
| Scheduling |
Note: Scheduling is unavailable until you install and run Scheduler for ExtremeCloud IQ Controller.
Select Scheduling to open the Scheduler application. This is a Docker application that resides on ExtremeCloud IQ
Controller. Download Scheduler for ExtremeCloud IQ Controller from the
Extreme Networks support portal, and install the application.
|
