AP Group

The AP Registration AP Group Screen displays information about configured AP Groups. The screen is also used to create, edit, and delete AP Groups. Stellar AP Series Devices are managed by AP Group. OmniVista does not manage individual APs. You must first add APs to AP Groups. The attributes configured for the AP Group (e.g., Management VLAN, RF Profile) are applied to all APs in the group. Note that only "Admin" users can add, edit, delete AP Groups.

Once an AP(s) are assigned to a group, you configure the APs in OmniVista (e.g., Notification traps, Resource Manager backups) by applying the configuration to the AP Group. In OmniVista applications (e.g., Notifications, Resource Manager), rather than presenting the user with individual APs when applying a configuration (as is done with AOS Devices), OmniVista presents the user with the option of applying a configuration to AOS Devices and/or AP Groups. Any configuration applied to an AP Group is applied to all APs in the group.

Important Note: OmniVista Cirrus supports up to 4,000 APs. However, when applying a configuration to a large number of APs, (e.g., performing a backup in the Configuration Manager application, applying Signature Profiles in the Application Visibility application), it is recommended that you apply the configuration to 500 APs at a time, and repeat if necessary.

Creating an AP Group

When an AP initially registers with OmniVista, the AP is placed into a pre-configured Default AP Group ("default group"). You can create new AP Groups containing specific APs. Create the AP Group as described below, then go to the Access Points Screen (Network - AP Registration - Access Points) and edit the Group Name to move the AP(s) into the new AP Group. An AP can belong to only one AP Group at a time. An AP Group can contain up to 512 APs.

Note: When OAW-AP1201BG APs initially register, they are placed into a pre-configured Default Beaconing Group ("default BLEGW group"). Both the "default group" and the "default BLEGW group" can be edited; however, they cannot be deleted.

Note: Do not add APs with different RF parameters to the same AP Group. For example, if some APs support 160 MHz Channel Width and others do not, then create two AP Groups and two RF Profiles. Group APs supporting 160MHz channel width into their own AP group and assign a 160 MHz RF profile to that AP group.

Click on the Add icon and complete the fields as described below to configure an AP Group. When you are finished. click on the Create button.

General

Group Name - Enter a unique name for the group (up to 64 characters).
Group Description - Enter an optional description for the group.
Auto Group VLANs - A list of VLAN IDs to allow auto grouping of APs during initial registration. Based on the management VLAN ID received by LLDP, the AP can automatically be assigned to the corresponding AP Group.
RF Profile - Select an RF Profile for the group. The RF profile contains the wireless attributes that are applied to all APs in the group. The RF Profile is configured using the RF Profile Screen (WLAN - RF - RP Profile).

Extended SSID Scale

Extended SSID Scale - Enables/Disables extending the number of SSIDs that can be assigned to the AP Group to 14. When enabled (On), only AP models that support up to 14 SSIDs can join the AP Group. When disabled (Off), any AP model can join the group, but the limit is 7 SSIDs per AP Group. (Default = Disabled)
- Stellar AP models that support up to 14 SSIDs: AP1201, AP1321, AP 1322, AP1261, AP1361D, AP1362, AP1301H, AP1331, AP1351, AP1451, AP1411, AP1431, AP1201BG.
- Note that the Extended SSID Scale status does not apply to 6GHz networks, which have a limit of 4 SSIDs per AP Group.

802.1X Supplicant on AP Management Port

This option configures APs in the group to operate as 802.1X clients. See AP Device as an 802.1X Client for more information. Note that when an AP is operating as an 802.1X client, the AP does not support untagged WLAN/SSID/client and cannot participate in a Mesh deployment.

802.1x Supplicant - Enable/Disable 802.1x for APs in the group. If enabled:
- Certificate for 802.1x - Select the the "Built-in Certificate" or a custom 802.1x client certificate used for secure communication between the AP and an OmniSwitch.Note that out-of-the-box APs have a "Built-in Certificate" that is common to all APs. It is recommended that you use a custom 802.1x client certificate to improve network security. See AP Security Recommendations for more information.
Note: OAW-AP1101 does not support the AP 802.1X client feature due to low flash size. All other APs, including other low-end APs (OAW-AP1201H, OAW-AP1201L, OAW-AP1201HL), support this feature.

Time

Timezone - The timezone in which the APs are located.
Daylight Saving Time - Enable if Daylight Saving Time is in effect in the timezone.
NTP Server List - Enter the NTP Server List for this AP Group. This sets the server list or all APs in the group
NTP Server - The NTP Server configured for the network to which the APs are connected.

Syslog

Log Remote - Enable/Disable remote logging AP events.
Syslog Server
- IP - The IP address of the remote Syslog Server.
- Port - The port used to connect to the remote Syslog Server.
- TLS - Enable/Disable the use of the Transport Layer Security encryption method for remote logging of AP events.
  - Certificate - If TLS is enabled (On), select a Syslog Over TLS Certificate.
Log Level - Select a log level (e.g., Error, Warning, Notice) for each area. This sets the log levels for all APs in the group. Note that the System, Security, Wireless, Network, and User log levels must be equal to or higher than the AP Debug log level.

Post Mortem Dump

PMD - Enables/Disables Post Mortem Dump (PMD) of information for APs in the group.
TFTP Server - The IP address of the TFTP Server used for PMD.

SSH

SSH Login - Enables/Disables SSH login for APs in the group. If enabled:
- For Support Account - The SSH password used for an SSH connection to the AP.
  - Password - Enter a password that will be required to access an AP through SSH.
  - Confirm - Confirm the password.
- For Root Account - Configuring a Root Account Password Seed adds a second layer of security for AP access. When you configure a Password Seed, the Root Password is derived from a character string composed of two parts: the Password Seed and the Fixed Root Password. The Password Seed can be changed on demand. This feature is only supported on APs running AWOS 4.0.0 and higher. A Root Account Password Seed will not be configured for any APs in the group running a lower AWOS.
  - Password Seed - Enter a Root Account Password Seed for the APs in the group.
  - Confirm - Confirm the Password Seed.

AP Web

AP Web - Enables/Disables web management of APs in the group. If enabled, enter the following login information for the Administrator account:
- Password - Enter a password that will be required to access an AP through the Web Management UI.
- Confirm - Confirm the password.

Client-Context

Roaming Domain - Enter a password to use for the roaming domain. By default, the Roaming Domain is set to "automatic" (password is empty). Configuring a password for the roaming domain is particularly useful to secure roaming between APs across multiple Clusters or across multiple OmniVista managed APs.

Client Behavior Tracking

Upload To SFTP/TFTP Server - Enables/Disables uploading of a Client Behavior Log File to an FTP Server. If enabled, enter:
- Server Type - FTP Server type (SFTP/TFTP).
- Sever IP/Host Name - IP address or Host name of the FTP Server.
- Port - FTP port number.
- Remote Path - File path on the FTP Server storing the Client Behavior Log.
- User Name (SFTP Server only) - User name used to access the SFTP Server.
- Password (SFTP Server only) - Password used to access the SFTP Server.
- Confirm (SFTP Server only) - Re-enter the password used to access the SFTP Server.
- Log Upload Period - Frequency for uploading the Client Behavior Log to the FTP Server, in hours (Range = 1 - 24, Default = 1).
Upload to Syslog Server - Enables/Disables uploading of Client Behavior Syslog messages to a remote Syslog Server. If enabled, enter:
- Syslog Server IP - IP address of the Syslog Server.
- Syslog Port - Syslog Port number.

Certificate

Web Server - The Certificate used for communication between the AP Web Server and browser.
Third Party External Portal Server - The Certificate used to communicate with the third-party portal server.
Local LDAP - The Certificate used for secure communication between the AP and an LDAP Server if the user authentication source is the local LDAP Server.
Local RadSec - The Certificate used for secure communication between the AP and a local, third-party RADIUS Server that uses RadSec (RADIUS-over-TLS).

SNMP Setting

This option allows third-party SNMP-based platforms to monitor APs in a group using SNMP. OmniVista Cirrus does not use SNMP to manage Stellar APs. With defined SNMP MIBs, an Administrator can monitor APs, configured services, and wireless clients and their traffic utilization.

SNMP Agent
- SNMP Service - Enables/Disables (On/Off) the SNMP Service on APs in the AP Group.
- Version - The SNMP version. Select v3 or v2c. (Default = v3)
  - v3 - When SNMP v3 is selected, complete the following:
    - User Name - The user account name.
    - Password - The password for the user account.
    - Confirm - Confirm the specified password.
  - v2c - When SNMP v2c is selected, complete the following field:
    - Read Community - The credential used for communication between the network management system and APs.
Trap
- Trap Service - Enables/Disables (On/Off) SNMP Trap Service on APs in the AP Group.
- Version - The SNMP version. Select v3 or v2c. (Default = v3)
  - v3 - When SNMP v3 is selected, complete the following fields:
    - User Name - The user account name.
    - Password - The password for the user account.
    - Confirm - Confirm the specified password.
    - Server IP - The server to which AP trap messages are sent. This is the IP address of the network management server you are using. It is not recommended that you use the OmniVista Cirrus Server IP address to avoid the posting of duplicate traps in OmniVista
  - v2c - When SNMP v2c is selected, complete the following fields:
    - Community - The credential used for communication between the network management system and APs.
    - Server IP - The server to which AP trap messages are sent. This is the IP address of the network management server you are using. It is not recommended that you use the OmniVista Cirrus Server IP address to avoid the posting of duplicate traps in OmniVista.

Note: The Privacy and Authentication Protocol used by APs is SHA+AES, and the APs use the same Auth and Priv passwords.

IoT Radio Configuration

IoT Radio Mode - Select BLE to configure the IoT Radio Mode. If an AP in the group supports BLE Beaconing the BLE configurations (below) will be applied to the AP(s).

BLE Configuration

This option is used to enable/disable BLE Beaconing for APs in the group. BLE Beaconing is used by the Location Service to deliver location services like way-finding, geo-location, geo-notification, and geo-fencing.

Advertising
- Advertising - Enables/Disables the BLE advertising function for the AP. If Advertising is enabled, the AP will broadcast BLE packets. If disabled, the AP will detect surrounding BLE Tags/Beacons and will report information to the server for analysis. Note that BLE Advertising must be enabled for Stellar Asset Tracking.
- Emission Frequency - The time circle during which the BLE packets will be broadcast, in milliseconds. (Range = 20 - 9,000,000, Default = 200)
- Tx Power - The transmit power used to broadcast BLE packets, in dBm. (Range = -20 - 10, Default = 4)
- Tx Channel - The transmit channel used to broadcast BLE packets. It is recommended that you use a different channel than the channel used for the WLAN.
- Advertising Protocol - Specify the BLE protocol used to define the broadcasting BLE beacon format.
  - iBeacon - Apple iBeacon format. Note that you must select iBeacon for Stellar Asset Tracking.
  - Eddystone-URL - Google Eddystone format. A compressed URL that, once parsed and decompressed, is directly usable by the client.
  - Eddystone-UID - Google Eddystone format. A unique static ID with a 10-byte Namespace component and a 6-byte Instance component.
    - Namespace - 20 characters containing 0-9a-f.
Scanning
- Scanning - Enables/Disables the Bluetooth beacon scanning function for the AP. Note that BLE Scanning must be enabled for Stellar Asset Tracking.
- Discover All Devices - Enables/Disables the discovery of all devices. Enable this option to discover custom iBeacon BLE Tags/Beacons.
- Scanning Interval - The Bluetooth scanning interval for the AP, in milliseconds. (Range = 4 -10240, Default = 100)
- OUI Allowlist - Specify the MAC OUI Allowlist to filter devices for BLE beacon broadcasting. Only those beacons broadcasting from the devices within the OUI Allowlist are valid and will be reported.

IoT/Location/Advanced Analytics Server

This option is used to set an IoT/Location/Advanced Analytics Server Profile for APs in the group. If the location service is enabled, APs in the group will report IoT/wireless scanning data/advanced analytics data to the selected server(s). IoT/Location/Advanced Analytics Servers are configured on the AP Registration IoT/Location/Advanced Analytics Server Screen. Select a server from the drop-down list.

WiFi RTLS Server Profile - Select a Wi-Fi RTLS Server Profile for APs. You can select a sub profile based on the engine type (Aeroscout or OmniVista Cirrus WiFi RTLS) and configure the necessary server parameters.
Advanced Analytics Server Profile - Select a Wi-Fi Analytics Server profile for APs. The system default profile (Simple-Event-Collection) is only for AP event collection for the purpose of troubleshooting, For advanced analytics, must create and select an OmniVista Cirrus Advanced Analytics Profile for APs to send advanced analytics data to OmniVista Cirrus 10.1 and above.
OmniVista Cirrus Advanced Analytics - If you select an OmniVista Cirrus Advanced Analytics Profile, select On to enable advanced analytics collection for OmniVista Cirrus 10.
BLE LBS Profile - BLE Location. Stellar Location Engine (OmniAccess Stellar Asset Tracking)

Data VPN Setting

Data VPN Server(s) -Select the VPN Server used for the Data VPN Tunnel. The user traffic will be carried in the data VPN tunnel between the APs and selected VPN Server.

Web Content Filtering

Web Content Filtering (WCF) enables you to allow/deny Stellar AP access to web sites based on specific security or content filters (e.g., Malware Sites, Gambling). WCF Profiles, configured on the WCF Profile Screen (UPAM - Web Content Filtering - WCF Profile), contain the condition(s) and actions to allow/deny access to these sites. A WCF Profile is included as part of an Access Role Profile or SSID and pushed to an AP Group(s). However, Web Content Filtering must first be enabled on an AP(s).

Web Content Filtering - Enables/Disables Web Content Filtering for all APs in the AP Group.

Web Content Filtering can be enabled at the AP Group Level or individual AP level. If enabled at the AP Group level, all APs in the group that support Web Content Filtering are enabled. However, you can override that configuration on an individual AP(s) in a group by editing the Web Content Filtering configuration for the AP(s) on the Access Points Screen.

Miscellaneous

Virtual IP Address - The virtual IP address used for Captive Portal redirection in the AP. You can customize the Virtual IP address according to your network deployment to avoid exposing the AP management interface.
Called Station ID - RADIUS attribute. You can define a message in the Called-Station-Id attribute and utilize it for communication between a NAS client and RADIUS Server. For example, in a multiple-branch scenario, you can define the AP location in the Called-Station-Id sent to RADIUS server, so when a client sends an authentication request to the RADIUS Sever, the server will the AP forwarding the client traffic.
IPv6 Service - Enables/Disables the IPv6 service on APs. Once enabled, IPv6 packets received by APs will be handled at the application level and forwarded on Layer 3. By default, the IPv6 service is disabled.

Editing an AP Group

Select an AP Group in the AP Group List and click on the Edit icon to bring up the Edit Group Wizard. On the Edit Group screen, edit the fields as described above, then click on the Next button. The Review screen will appear. Review any changes, then click the Commit button. If necessary, click the Back button to make any additional changes before clicking on the Commit button. You cannot edit the Group Name field. Also note that the RF Profile must be from the same country. You cannot edit an AP Group with an RF Profile from a different country.

Note: You cannot edit the Group Name, Group Description, or Auto Group VLANs fields on the Default AP Group or Default BLEGW Group.

Deleting an AP Group

Select an AP Group(s) in the AP Group List and click on the Delete icon. Click OK at the Confirmation Prompt. APs in the deleted group(s) will be moved to the Default AP Group. You cannot delete the Default AP Group or Default BLEGW Group.

AP Group List

The AP Group List displays basic information about AP Groups. Click on a group in the list to display detailed information broken down by category.

Basic Information

Group Name - User-configured name for the AP Group.
Auto Group VLANs - A list of VLAN IDs used to allow auto grouping of APs during initial registration.
Group Description - User-configured description for the group.
Managed AP Count - The number of Managed APs in the group.
Unmanaged AP Count - The number of Unmanaged APs in the group.
Client Count - The number of clients connected to the AP.
RF Profile - The RF Profile associated with the group. The RF profile contains the wireless attributes that are applied to all APs in the group.
Extendid SSID Scale - Whether the number of SSIDs that can be assigned to the AP Group is extended (On/Off)..
Timezone - The timezone in which the APs are located.
NTP Server List - The NTP Server List for this AP Group.
Log Level - The log level for configured for AP events for APs in the group, if applicable.
Log Remote - The IP address of the remote Syslog Server, if applicable.
Syslog Server IP - The port used to connect to the remote Syslog Server, if applicable.
PMD - Post-Morten Dump status (On/Off).
TFTP Server - The IP address of the TFTP Server used for PMD, if applicable.
SSH Login - SSH Login status (On/Off).
AP Web - AP web management status (On/Off).
Upload to SFTP/TFTP Server - Client Behavior Tracking File Upload to FTP Server administrative status (On/Off).
Server Type - The FTP Server type used for client behavior tracking (SFTP/TFTP).
Server IP/Host Name - The IP address or Host name of the FTP Server used for client behavior tracking.
Port - The FTP port used for client behavior tracking.
Remote Path - File path on the FTP Server storing the client behavior log.
User Name - User name used to access the FTP Server for client behavior tracking.
Log Upload Period - Frequency for uploading the Client Behavior Log to the FTP Server, in hours (Range = 1 - 24, Default = 1).
SNMP Service - Administrative status of the SNMP Service on APs in the group (On/Off).
SNMP Version - The SNMP service version (v3 or v2c).
Trap Service - Administrative status of the Trap Service on APs in the group (On/Off).
Trap Community - The credential used for communication between the network management system and APs.
Trap Server IP - The server to which AP trap messages are sent. This is the IP address of the network management server being used.
IoT Location Server - The LBS Profile configured for the AP Group.
Virtual IP Address -The virtual IP address used for Captive Portal redirection in the AP.
Upload to Syslog Server - Client Behavior Tracking File Upload to Syslog Server administrative status (On/Off).
Syslog Server IP - The remote Syslog Server IP address, if applicable.
Syslog Port - The Syslog Server Port.
Called Station ID - A message in the Called-Station-Id attribute used for communication between a NAS client and RADIUS Server.
Data VPN Server(s) - The data VPN server(s) configured for Remote APs.
IPv6 L3 Forwarding - The administrative status of the IPv6 service for APs in the group (On/Off).
IoT Radio Mode - The IoT Radio Mode (BLE, Disabled).
Web Content Filtering - The administrative status of Web Content Filtering on the AP.
802.1X Supplicant - The status of 802.1x for APs in the group (On/Off).
Certificate for 802.1X - The 802.1x certificate used to secure communication between the AP and an OmniSwitch (Built-in Certificate or the name of a custom certificate). if 802.1x is disabled (Off) for the AP), this field is blank.
Local RadSec - The Certificate used for secure communication between the AP and a local, third-party RADIUS Server that uses RadSec (RADIUS-over-TLS).
IGMP Snooping - The administrative status of the IGMP Snooping function on the AP.

Detailed Information