WLAN Service (Expert)
The Unified Profile WLAN Service (Expert) Screen displays all configured WLAN Service Profiles and is used to create, clone, edit, and delete WLAN Services and assign the service to devices on the network.
Creating a WLAN Service Profile
Click on the Add icon. Enter a Service Name and configure the profile as described below, then click on the Create button. When you are finished, select the checkbox next to the profile and click on the Apply to Devices button to assign the profile to wireless devices on the network.
SSID Settings
Basic
- SSID - User configured name that uniquely identifies a wireless network (up to 32 characters).
- Hide SSID - Enables/Disables SSID in beacon frames. Note that hiding the SSID does very little to increase security. (Default = Disabled)
- UAPSD - Enables/Disables Unscheduled Automatic Power Save Delivery (UAPSD) on the SSID. UAPSD is a QoS facility defined in IEEE 802.11e that extends the battery life of mobile clients. In addition to extending battery life, this feature reduces the latency of traffic flow that is delivered over the wireless media. Because UAPSD does not require the client to poll each individual packet that is buffered at the access point, it allows delivery of multiple downlink packets by sending a single uplink trigger packet. (Default = Enabled)
- Enable SSID - Enables/Disables the SSID.
- Allowed Band - The band(s) available on the service:
- 2.4 GHz
- 5.0 GHz
- 6.0 GHz
- All - 6.0 GHz, 5.0 GHz and 2.4 GHz
Security
- Security Level - Select the security level for the WLAN Service:
- Open - The Wi-Fi will be unsecured. However, you can configure a default role or enable MAC Authentication to assign a role for clients (Default).
- Enhanced Open - Enables/Disables the use of Wi-Fi Enhanced Open™ to secure an open SSID. Wi-Fi Enhanced Open™ is a security standard that is based on Opportunistic Wireless Encryption (OWE). When enabled, OWE is used to ensure that communication between each pair of endpoints is protected from other endpoints. Data sent between a client and an AP is provided individualized data protection. Wi-Fi Enhanced Open™ offers improved data privacy, while maintaining convenience and ease-of-use. This functionality is particularly useful for provisioning a secure open SSID in public spaces. Configuring the enabled/disabled status of this attribute is based on the following:
- If 2.4 GHz and/or 5.0 GHz is the allowed band (not 6.0 GHz), you can enable or disable Enhanced Open status.
- If 6.0 GHz is the allowed band, then Enhanced Open is automatically enabled, whether or not 2.4 GHz or 5.0 GHz is selected. You cannot disable the Enhanced Open status.
- Enterprise - An authentication server will be used to authenticate the connecting client via 802.1x Authentication. Select an Encryption Type from the drop-down menu:
- DYNAMIC_WEP - WEP with dynamic keys.
- WPA_TKIP - WPA with TKIP encryption and dynamic keys using 802.1X.
- WPA_AES - WPA with AES encryption and dynamic keys using 802.1X.
- WPA2_TKIP - WPA2 with TKIP encryption and dynamic keys using 802.1X.
- WPA2_AES - WPA2 with AES encryption and dynamic keys using 802.1X.
- WPA3_AES256 - WPA3 with CNSA (Suite B) using 802.1X. Note that when WPA3_AES256 encryption is applied to an AP that does not support it, the encryption will automatically fall back to WPA2_AES. OAW-AP1101 full band, OAW-AP1201H 2.4G band, and OAW-AP1201L 2.4G band do not support WPA3_AES256 authentication.
- WPA3_AES - WPA3 with AES encryption and dynamic keys using 802.1X. Note that Stellar AP Models AP1101, AP1201H, and AP1201L do not support WPA3 authentication.
- Personal - The Wi-Fi will be protected by a key. Select an Encryption Type from the drop-down menu, then enter a Passphrase.
- STATIC_WEP - Authentication with Static Wired Equivalent Privacy security algorithm.
- WPA_PSK_TKIP - WPA with TKIP encryption using a preshared key.
- WPA_PSK_AES - WPA with AES encryption using a preshared key.
- WPA_PSK_AES_TKIP - WPA with TKIP and AES mixed encryption using a preshared key.
- WPA2_PSK_TKIP - WPA2 with TKIP encryption using a preshared key.
- WPA2_PSK_AES - WPA2 with AES encryption using a preshared key.
- AUTO_WPA_WPA2 - WPA or WPA2 mixed mode, which allows access by both WPA-capable and WPA2-capable clients.
- WPA3_SAE_AES - WPA3 with AES encryption using a preshared key, which allows access ONLY by WPA3-capable clients.
- WPA3_PSK_SAE_AES - WPA3 and WPA2 mixed mode, which allows access by WPA3-capable clients as well as clients that are ONLY WPA2-capable.
- MAC Auth - Enables/Disables MAC Authentication.
- Device Specific PSK - Enables/Disables Device Specific PSK. Device Specific PSK provides more security than traditional PSK. If Device Specific PSK is enabled and a device is configured for Device Specific PSK, when the AAA Server sends the Radius Access Accept for MAC Authentication for the device, it will also send the specific pre-shared key for that device, differentiated by the device's MAC Address. This means that each device will have a different key. This option is available when the Security Level is set to "Personal" with a "PSK" Encryption Type. If enabled:
- Prefer Device Specific PSK - If the AAA Server sends the "AES-CBC-128" attribute along with the Radius Access Accept response, this value will be used. If the AAA server does NOT send the "AES-CBC-128" attribute, the key configured in the SSID will be used.
- Force Device Specific PSK - The value of the "AES-CBC-128" attribute returned by the AAA Server will always be used, whether it exists or not.
Note: Device Specific PSK will only work with a UPAM RADIUS Server and does not support AUTO_WPA_WPA2 encryption. Devices are configured for Device Specific PSK on the Company Property Screen (UPAM - Authentication - Company Property). See the Company Property online help for more information. You can also configure a device for Device Specific PSK from the Authentication Record List (UPAM - Authentication - Authentication Record). See the Authentication Record online help for more information.
- Private Group PSK - Enables/Disables the grouping of Device Specific PSKs. When a PSK-enabled SSID is created, you can either create a static PSK or enforce Device Specific PSK. This provides a common Passphrase key, which is suitable for networks requiring a network-wide common PSK. Enabling Private Group PSK (PPSK) allows you to create private groups of client devices based on a PPSK Entry. Each client device specifies a Passphrase when connecting to an SSID. If the passphrase matches any PPSK Entry, the client is placed in the specified Access Role Profile. Configuring the Private Group PSK attribute is offered only when Device Specific PSK is Disabled or set to "Prefer Device Specific PSK". When the Device Specific PSK is set to "Force Device Specific PSK", OmniVista will not display the Private Group PSK attribute because the Passphrase specified in Company Property is used instead. If Private Group PSK is enabled, complete the following fields to configure a PPSK Entry:
- PPSK Entries - At least one PPSK Entry is required with the following parameters defined. Note that each SSID can have up to 16 PPSK Entries. The total number of entries across all SSIDs that exist on an AP cannot exceed 64 on any AP.
- Name - Enter a unique name to identify the PPSK Entry. No two Entries can have the same Name.
- Passphrase - Enter a unique PSK Passphrase for authentication. No two Entries can have the same Passphrase.
- Access Role Profile - Select the name of an Access Role Profile.
- AAA Profile - Select an AAA Profile to use for authentication. An AAA profile is required if the Security Level is set to "Enterprise" (to perform 802.1x authentication) or if MAC Authentication is enabled. This AAA Profile will also be used for Accounting purposes.
- Classification Status - Enables/Disables classification. If classification is enabled, traffic will be classified to a role based on the configured classification rules. Note that the precedence of role assignment methods is important. Classification Rules are only used if 802.1x/MAC authentication does not return a role, or the returned role is not matched with any configured roles in the device.
- MAC Pass Auth - If MAC Authentication is enabled, select an Access Role Profile to assign to clients that pass MAC Authentication.
- Default Access Role Profile - Select the default Access Role Profile that will be applied to clients if a role cannot be assigned by other role assignment methods.
- Client Isolation - Enables/Disables Client Isolation. If enabled, traffic between clients on the same AP in the SSID is blocked; client traffic can only go toward the router. (Default = Disabled)
- Protected Management Frame - Configures whether connections are accepted from clients supporting Protected Management Frame for certain Security Levels/Encryption Types (Enterprise - WPA2_AES/WPA3_AES256/WPA3_AES, Personal - WPA2_PSK_AES/WPA3_SAE_AES/WPA3_PSK_SAE_AES).
- Disabled - Disables Protected Management Frame requirements.
- Optional - Allows connections from clients supporting Protected Management Frame and clients that do not.
- Required - Only allows connections from clients supporting Protected Management Frame.
MultiLink Operation (MLO)
- MLO - Enables/Disables MultiLink Operation (MLO). MLO allows for the simultaneous sending and receiving of data between different frequency bands and channels.
- MLO Band - When MLO is enabled, the bands selected are taken from the Allowed Band setting. For example, if Allowed Band is set to 2.4GHz and 5GHz, then the MLO band is set to 2.4GHz and 5GHz by default when MLO is enabled. When the Allowed Band is set to 2.4GHz, 5GHz, and 6GHz, you can change the MLO bands as needed. Note that when you change the MLO bands, it does not change the Allowed Bands.
Note: The MLO function also relies on the radio status and the radio Extremely High Throughput (EHT) setting. Make sure the corresponding radio and the radio EHT are enabled to activate MLO.
Hotspot 2.0
- Hotspot 2.0 - Enables/Disables Hotspot 2.0. Hotspot 2.0 is a new standard for public-access Wi-Fi that enables seamless roaming among Wi-Fi networks and between Wi-Fi and cellular networks. Hotspot 2.0 was developed by the Wi-Fi Alliance and the Wireless Broadband Association to enable seamless hand-off of traffic without requiring additional user sign-on and authentication. Note that Hotspot 2.0 is only supported with Enterprise WPA2_AES or Enterprise WPA3_AES256 Encryption. You must first select one of these Encryption types before you can enable Hotspot 2.0.
- Operator Name - The operator providing the Hotspot service (0 - 252 characters).
- Venue Name - The venue where the Hotspot is hosted (0 - 252 characters).
- Venue Type - The type of venue hosting the Hotspot.
- Network Detail - The type of Hotspot network.
- Domain List - The list of Hotspot Domains. You can have up to 16 Domain Names (1 - 255 characters each).
- Roaming OIs - The Roaming Organization Identifier. You can have up to 16 OIs. Each OI field is 3 octets in length if the organizationally unique identifier is an OUI, or 5 octets in length if the organizationally unique identifier is an OUI-36.
- NAI Realms - The Network Access Identifier (NAI) realm that provides client access through the AP to the operator providing the Hotspot service. Creating an NAI Realm profile is required to use the Ameriband (American Bandwidth) Hotspot service provider. You can select a profile from the drop-down list or click on the Add icon to create a new profile by completing the fields below. You can create up to eight NAI Realm hotspot profiles per SSID.
- Name - Enter the Name to identify the NAI Realm profile. The domain name of the service provider is often used for this field value.
- Encoding - Select "utf8" or "rfc4282" to specify the encoding of the NAI Realm name.
- Method Group - Configure the EAP authentication method for the NAI Realm. You can create up to four Method Groups per NAI Realm profile.
- EAP Methods - Select one of the following options to identify the EAP method supported by the Hotspot realm:
- IDENTITY-1: Use EAP Identity type.
- NOTIFICATION-2: Allow the hotspot realm to use EAP Notification messages for authentication.
- ONE-TIME-PASSWORD-5: Use Authentication with a single-use password.
- GENERIC-TOKEN-CARD-6: Use EAP-GTC.
- EAP-TLS-13: Use EAP-TLS.
- EAP-SIM-18: Use EAP for GSM SIM.
- EAP-TTLS-21: Use EAP-TTLS.
- EAP-AKA-23: Use EAP for UMTS Authentication and Key Agreement.
- PEAP-25: Use PEAP.
- CRYPTO-CARD-28: Use crypto card authentication.
- PEAPMSCHAPV2-29: Use PEAP with MSCHAPv2.
- EAP-AKA-50: Use "EAP-AKA" (EAP for UMTS Authentication and Key Agreement).
- Auth Param ID/Auth Value - Select one of the following authentication methods and the corresponding authentication value to send to the NAI Realm:
| Auth Param ID | Auth Value |
| --- | --- |
| Reserved-0 | -- |
| Non-EAP-Inner-Auth-2 | Reserved-0, PAP-1, CHAP-2, MSCHAP-3, MSCHAPv2-4 |
| EAP-Inner-Auth-3 | Reserved-0, PAP-1, CHAP-2, MSCHAP-3, MSCHAPv2-4 |
| Credential-5 | SIM-1, USIM-2, NFC-Secure-3, HW-Token-4, Softoken-5, Certificate-6, Username-Passward-7, None-8, Reserved-9 |
- MCC/MNCs - The 3GPP Mobile Country Codes/Mobile Network Codes combination to assist with selecting an AP to access 3GPP cellular networks. Click here to locate the MCC/MNC values for a specific Hotspot service provider. You can add up to 16 MCC/MNC values. Click on the Add icon to enter the MCC/MNC values with a comma separating each code. For example, if MCC = 310 and MNC = 260, you would enter "310,260".
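The constraints stated in the Security and Hotspot 2.0 sections above can be checked mechanically before a profile is applied. The following Python code is an added example, not OmniVista code: the profile dictionary layout, its key names and the EXAMPLE-AP model name are assumptions made for illustration, and the WEP/TKIP warning reflects their deprecated status rather than a rule from this page.

```python
# Added example: lint a WLAN Service profile against rules stated on this page.
# The dict layout and key names are hypothetical, not OmniVista's API or export.

PMF_TYPES = {
    "Enterprise": {"WPA2_AES", "WPA3_AES256", "WPA3_AES"},
    "Personal": {"WPA2_PSK_AES", "WPA3_SAE_AES", "WPA3_PSK_SAE_AES"},
}
HOTSPOT_TYPES = {"WPA2_AES", "WPA3_AES256"}
# (model, band) pairs the page lists as lacking WPA3_AES256; None = every band.
NO_AES256 = {("OAW-AP1101", None), ("OAW-AP1201H", "2.4 GHz"), ("OAW-AP1201L", "2.4 GHz")}
ALL_BANDS = {"2.4 GHz", "5.0 GHz", "6.0 GHz"}


def lint(profile, ap_models=()):
    """Return sorted (severity, message) findings for one profile dict."""
    out = set()
    level = profile.get("security_level", "Open")
    enc = profile.get("encryption", "")
    band = profile.get("allowed_band", "All")  # "All" or a list of band names
    bands = ALL_BANDS if band == "All" else set(band)
    dspsk = profile.get("device_specific_psk", "disabled")  # disabled|prefer|force

    if "WEP" in enc or "TKIP" in enc:
        out.add(("WARN", f"{enc} uses deprecated WEP/TKIP"))
    if level == "Open":
        out.add(("WARN", "Open SSID is unsecured"))
    if level == "Enhanced Open" and "6.0 GHz" in bands and not profile.get("enhanced_open", True):
        out.add(("ERROR", "Enhanced Open cannot be disabled when 6.0 GHz is allowed"))
    if (level == "Enterprise" or profile.get("mac_auth")) and not profile.get("aaa_profile"):
        out.add(("ERROR", "AAA Profile is required for Enterprise or MAC Auth"))
    if profile.get("pmf", "Disabled") != "Disabled" and enc not in PMF_TYPES.get(level, set()):
        out.add(("ERROR", f"PMF is not offered for {level}/{enc}"))
    if profile.get("hotspot2") and not (level == "Enterprise" and enc in HOTSPOT_TYPES):
        out.add(("ERROR", "Hotspot 2.0 needs Enterprise WPA2_AES or WPA3_AES256"))
    if dspsk != "disabled" and (level != "Personal" or enc == "AUTO_WPA_WPA2"):
        out.add(("ERROR", "Device Specific PSK needs Personal PSK, not AUTO_WPA_WPA2"))
    if profile.get("private_group_psk"):
        entries = profile.get("ppsk_entries", [])
        if dspsk == "force":
            out.add(("ERROR", "Private Group PSK is not offered with Force Device Specific PSK"))
        if not 1 <= len(entries) <= 16:
            out.add(("ERROR", f"{len(entries)} PPSK Entries; 1 to 16 allowed per SSID"))
        for field in ("name", "passphrase"):
            values = [e[field] for e in entries]
            if len(values) != len(set(values)):  # report the field, never the secret
                out.add(("ERROR", f"duplicate PPSK {field}"))
    if enc == "WPA3_AES256":
        for model in ap_models:
            if any(m == model and (b is None or b in bands) for m, b in NO_AES256):
                out.add(("WARN", f"{model} falls back to WPA2_AES"))
    return sorted(out)


# Constructed sample profiles (not taken from a real deployment).
GUEST = {"ssid": "guest", "security_level": "Personal", "encryption": "WPA2_PSK_TKIP",
         "allowed_band": ["2.4 GHz", "5.0 GHz"], "pmf": "Required",
         "device_specific_psk": "force", "private_group_psk": True,
         "ppsk_entries": [{"name": "iot", "passphrase": "example-pass-1"},
                          {"name": "lab", "passphrase": "example-pass-1"}]}
CORP = {"ssid": "corp", "security_level": "Enterprise", "encryption": "WPA3_AES256",
        "allowed_band": "All", "aaa_profile": "aaa-1", "pmf": "Required", "hotspot2": True}

if __name__ == "__main__":
    # EXAMPLE-AP is a placeholder model name, not a real product.
    for p, aps in ((GUEST, []), (CORP, ["OAW-AP1201H", "EXAMPLE-AP"])):
        for sev, msg in lint(p, aps):
            print(f"{p['ssid']}: {sev}: {msg}")
```
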
Advanced
Roaming Controls
- L3 Roaming - Enables/Disables Layer 3 roaming. Layer 3 roaming allows a client to move between Access Points and connect to a new IP subnet and VLAN.
- FDB Update on Association - Enables/Disables FDB update on Association. If enabled, when a client roams to a new AP, the AP will send ARP packets to the uplink switch to notify the switch to change the downstream forwarding port for the wireless client's traffic.
- 802.11r - Enables/Disables IEEE 802.11r (Fast BSS Transition). The Fast BSS Transition mechanism minimizes the delay when a client transitions from one BSS to another within the same group.
- OKC - Enables/Disables OKC Roaming. If OKC Roaming is enabled, a cached Pairwise Primary Key is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1x authentication.
- 802.11k Status - Enables/Disables 802.11k. The 802.11k protocol enables APs and clients to dynamically measure the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
- 802.11v Status - Enables/Disables 802.11v. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an Instant AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a client due to network load balancing or BSS termination. It also helps clients identify the best AP to transition to as they roam.
Client Controls
- Max Number of Clients Per Band - The maximum number of clients allowed in each band. (Range = 1 - 256, Default = 64)
- 802.11b Support - Enables/Disables allowing 11b legacy clients to connect to Stellar APs.
- 802.11a/g Support - Enables/Disables allowing 11a/g legacy clients to connect to Stellar APs.
Minimum Client Data Rate Controls
- 2.4GHz Minimum Client Data Rate Controller - Enables/Disables 2.4G band access control based on client data rate.
- 2.4GHz Minimum Client Data Rate - 2.4G band client with lower data speed will not be given access.
- 5GHz Minimum Client Data Rate Controller - Enables/Disables 5G band access control based on client data rate.
- 5GHz Minimum Client Data Rate - 5G band client with lower data speed will not be given access.
- 6GHz Minimum Client Data Rate Controller - Enables/Disables 6G band access control based on client data rate.
- 6GHz Minimum Client Data Rate - 6G band client with lower data speed will not be given access.
- Notes:
- Disabling lower bands has an impact on the coverage area.
- Depending on the environment, we recommend 12 Mbps or 24 Mbps setting for minimum client data rates.
- Higher Mbps value means less coverage; lower value means larger coverage.
Minimum MGMT Rate Controls
- 2.4GHz Minimum MGMT Rate Controller - Enables/Disables 2.4G band wireless management frame rate control.
- 2.4GHz Minimum MGMT Rate - 2.4G band wireless management frame transmit rate.
- 5GHz Minimum MGMT Rate Controller - Enables/Disables 5G band wireless management frame rate control.
- 5GHz Minimum MGMT Rate - 5G band wireless management frame transmit rate.
- 6GHz Minimum MGMT Rate Controller - Enables/Disables 6G band wireless management frame rate control.
- 6GHz Minimum MGMT Rate - 6G band wireless management frame transmit rate.
- Notes:
- Disabling lower bands has an impact on the coverage area.
- Depending on the environment, we recommend 12 Mbps or 24 Mbps setting for minimum management rates.
- Higher Mbps value means less coverage; lower value means larger coverage.
High-Throughput Control
- A-MSDU - Enables/Disables Aggregate MAC Service Data Unit. A-MSDU is a structure containing multiple MSDUs, transported within a single (unfragmented) data MAC MPDU.
- A-MPDU - Enables/Disables Aggregate MAC Protocol Data Unit. A-MPDU is a method of frame aggregation, where several MPDUs are combined into a single frame for transmission.
Power Save Controls
- DTIM Interval - The Delivery Traffic Indication Message (DTIM) period in beacons. The DTIM interval determines how often the AP should deliver the buffered broadcast and multicast frames to associated clients in the "power save" mode. The default value is 1, which means the client checks for buffered data on the OAW-IAP at every beacon. You can configure a higher DTIM value for power saving (Range = 1 - 255).
802.11 Frame Controls
- Advertise AP Name - Enables/Disables the advertising of the AP name in the standard 802.11 beacon frame with a vendor-specific tag. When enabled, the AP name is displayed instead of the AP MAC address.
QoS Settings
Configure the wireless QoS Settings for the profile as detailed below.
Bandwidth Contract
- Upstream Bandwidth - The maximum bandwidth for traffic from the switch to the client.
- Downstream Bandwidth - The maximum bandwidth for traffic from the client to the switch.
- Upstream Burst - The maximum bucket size used for traffic from the switch to the client. The bucket size determines how much the traffic can burst over the maximum bandwidth rate.
- Downstream Burst - The maximum bucket size used for traffic from the client to the switch. The bucket size determines how much the traffic can burst over the maximum bandwidth rate.
Broadcast/Multicast Optimization
- Broadcast Key Rotation - Enables/Disables the broadcast key rotation function. If enabled, the broadcast key will be rotated after every interval time.
- Broadcast Key Rotation Time Interval - The interval, in minutes, to rotate the broadcast key (Range = 1 - 1440, Default = 15).
- Broadcast Filter All - This attribute is applicable to Stellar APs only. If enabled, all broadcast frames are dropped, except DHCP and Address Resolution Protocol (ARP) frames.
- Broadcast Filter ARP - This attribute is applicable to Stellar APs only. If enabled, the AP will act as an "ARP Proxy". If the ARP-request packet requests a client's MAC address and the AP knows the client's MAC and IP address, the AP will respond to the ARP-request but not forward the ARP-request (broadcast) to all broadcast domains. This reduces ARP broadcast packet forwarding and significantly improves network performance. Note that Stellar APs do not act as ARP proxy for Gratuitous ARP packets. When the station gets an IP from DHCP or IP release/ renew, the station will send Gratuitous ARP packets. AP will not respond to such special ARP packets and broadcast them normally.
- Multicast Optimization - Enables/Disables multicast traffic rate optimization.
- Multicast Based Channel Utilization - Configures the channel utilization percentage used for multicast optimization. (Range = 0 - 100, Default = 90)
- Number Of Clients - Configure the threshold for multicast optimization. This is the maximum number of high-throughput stations.
802.1p Mapping
Used to configure the uplink and downlink mapping mechanism between Wi-Fi Multimedia (WMM) Access Categories and 802.1p priority. Uplink traffic can only be mapped to a single value. Downlink traffic can be mapped to multiple values. Fields are populated with the default values. To modify a default uplink value, enter a new value in the field. To modify a default downlink value, enter a new value and click on the Add icon. To remove a value, click on the "x" next to the value.
- Background - WMM Background will be mapped to the 802.1p value.
- Uplink - Maps uplink traffic (from AP to network). (Range = 0 - 7, Default = 1)
- Downlink - Maps downlink traffic (from network to AP). (Range = 0 - 7, Default = 1, 2)
- Best Effort - WMM Best Effort will be mapped to the 802.1p value.
- Uplink - Maps uplink traffic (from AP to network). (Range = 0 - 7, Default = 0)
- Downlink - Maps downlink traffic (from network to AP). (Range = 0 - 7, Default = 0, 3)
- Video - WMM Video will be mapped to the 802.1p value.
- Uplink - Maps uplink traffic (from AP to network). (Range = 0 - 7, Default = 4)
- Downlink - Maps downlink traffic (from network to AP). (Range = 0 - 7, Default = 4, 5)
- Voice - WMM Voice will be mapped to the 802.1p value.
- Uplink - Maps uplink traffic (from AP to network). (Range = 0 - 7, Default = 6)
- Downlink - Maps downlink traffic (from network to AP). (Range = 0 - 7, Default = 6, 7)
DSCP Mapping
Used to configure the uplink and downlink mapping mechanism between Wi-Fi Multimedia (WMM) Access Categories and DSCP priority. Uplink traffic can only be mapped to a single value. Downlink traffic can be mapped to multiple values. Fields are populated with the default values. To modify a default uplink value, enter a new value in the field. To modify a default downlink value, enter a new value and click on the Add icon. To remove a value, click on the "x" next to the value.
- Background - WMM Background will be mapped to the 802.1p value.
- Uplink - Maps uplink traffic (from AP to network). (Range = 0 - 7, Default = 10)
- Downlink - Maps downlink traffic (from network to AP). (Range = 0 - 7, Default = 2, 10)
- Best Effort - WMM Best Effort will be mapped to the 802.1p value.
- Uplink - Maps uplink traffic (from AP to network). (Range = 0 - 7, Default = 0)
- Downlink - Maps downlink traffic (from network to AP). (Range = 0 - 7, Default = 0, 18)
- Video - WMM Video will be mapped to the 802.1p value.
- Uplink - Maps uplink traffic (from AP to network). (Range = 0 - 7, Default = 40)
- Downlink - Maps downlink traffic (from network to AP). (Range = 0 - 7, Default = 24, 36, 40)
- Voice - WMM Voice will be mapped to the 802.1p value.
- Uplink - Maps uplink traffic (from AP to network). (Range = 0 - 7, Default = 46)
- Downlink - Maps downlink traffic (from network to AP). (Range = 0 - 7, Default = 46, 48, 56)
Cloning a WLAN Service Profile
You can quickly create a WLAN Service Profile by selecting a profile in the WLAN Service Profile List, clicking on the Clone button and modifying the profile to create a new one. Click on the Copy button to create the new profile.
Assigning a WLAN Service Profile
When you click the Apply to Devices button, the WLAN Service Assignments Screen appears. Click on the Devices ADD button and/or the AP Group ADD button to select devices. The device(s) will appear in the List of Selected Devices. If necessary, click on the Devices EDIT button and/or the AP Group EDIT button to add/remove devices from the list. When you are finished, click on the Apply button.
Note: Each AP allows a maximum of 7 SSIDs per band. This means up to 7 SSIDs with Allowed Band = 2.4GHz, up to 7 SSIDs with Allowed Band = 5GHz, and up to 7 SSIDs with Allowed Band = 6GHz. Alternatively, you can have up to 7 SSIDs with Allowed Band = All. If you apply an SSID to an AP Group and it causes a breach of this maximum limit, the "Apply" operation will fail on that AP Group.
Editing a WLAN Service Profile
Select the profile in the WLAN Service Profile Screen and click on the Edit icon to bring up the Edit WLAN Service Profile Screen. Edit the fields as described above then click on the Apply button to save the changes to the server.
Deleting a WLAN Service Profile
Select the profile in the WLAN Service Profile Screen, click on the Delete icon, then click OK at the confirmation prompt. This removes the profile from the server.