02-Oct-25

Wireless Access Configuration

The primary function of the wireless access layer is to provide network connectivity anywhere on the campus for wireless devices. Wireless access must be secure, available, fault tolerant, and reliable to meet the demands of today’s users.

To satisfy the requirements for wireless access in a variety of network designs, the campus solution supports two modes of switching traffic between wireless and wired networks.

  • In bridged mode, the AP converts the 802.11 frame to an 802.3 Ethernet frame.
  • In tunneled mode, the AP encapsulates the 802.11 frame in a GRE packet and tunnels the traffic to a gateway device for decapsulation, additional inspection, and, if permitted, switching onto the correct VLAN.

An SSID is used to segment traffic between WLANs. A typical reason for using multiple SSIDs is to separate employee traffic from visitor traffic. Another reason is to separate IoT devices from other types of endpoints.

The large campus topology uses bridged mode for a Visitor SSID and for an SSID that uses pre-shared key authentication, as might be required for devices in a warehouse or healthcare setting. The same topology implements tunneled mode for an 802.1X-authenticated SSID.

The figure below shows the wireless APs in a campus topology.

The following table shows the access VLANs for bridge-mode SSIDs.

Example: AP Access VLANs

VLAN Name       VLAN ID
EMPLOYEE        3
BLDG_MGMT       4
CAMERA          5
PRINTER         6
VISITOR         12
REJECT_AUTH     13
CRITICAL_AUTH   14
MGMT            15

The following table shows the ClearPass Policy Managers for the RADIUS server configuration.

Example: RADIUS Servers

Hostname                IP Address     Role
CPPM-1.EXAMPLE.LOCAL    10.2.120.94    Publisher
CPPM-2.EXAMPLE.LOCAL    10.2.120.95    Subscriber

Configure the WPA3-Enterprise Wireless LAN

Use this procedure to configure a WPA3-Enterprise SSID.

WPA3-Enterprise authenticates users and devices with passwords or certificates before they are granted access to the network. The wireless client authenticates against a RADIUS server, with the AP acting as a relay; in the EAP-TLS exchange used here, both the client and the RADIUS server present certificates to verify their identities.

Step 1 Navigate to Central and log in using administrator credentials.

Step 2 On the Central Account Home page, launch the Network Operations app.

Step 3 In the dropdown, select an AOS10 Group name. On the left menu, select Devices.

Step 4 In the upper right of the Access Points page, select Config.

Step 5 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 6 In the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.

Step 7 Click the + (plus sign) to expand Transmit Rates (Legacy Only), assign the following settings, then click Next.

  • Name (SSID): EXAMPLE-8021X
  • Band: Check boxes for the desired bands
  • Broadcast filtering: ARP
  • 2.4 GHz: Min: 12
  • 5 GHz: Min: 12

    The rest should be default unless deemed required after design discussion.

Create New Network - General

Note: For greatest compatibility with all client devices, do not use spaces or special characters in the SSID name.

Note: Keep DMO disabled unless your deployment explicitly requires multicast group replication over WLAN. DMO should only be enabled after a design review confirms its benefit for the use case. If multicast traffic is necessary, consider involving your solutions architect to review design requirements and validate wireless readiness.

Note: Transmit rates should be selected based on the specific deployment environment. A starting recommendation for a balanced environment is a minimum transmit rate of 12 Mbps. For more guidance, refer to the Transmit and Basic Data Rates section.

Step 8 On the VLANs tab, assign the following settings, then click Next.

  • Traffic Forwarding Mode: Tunnel
  • Primary Gateway Cluster: UI-WIRELESS:SERVICES-7210
  • Secondary Gateway Cluster: None (default)
  • Client VLAN Assignment: Static (default)
  • VLAN ID: EMPLOYEE (103)

Note: The Primary Gateway Cluster and VLAN ID were created in the Configuring Gateway Devices section. If they have not been configured, create the named VLANs for the SSID in this section.

Step 9 On the Security tab, assign the following settings.

  • Security Level: Slide to Enterprise
  • Key Management: WPA3 Enterprise (CCM 128)

Note: WPA3 provides significant security improvements over WPA2 and should be used when possible. Consult endpoint documentation to confirm support.

Step 10 Click the + (plus sign) next to Primary Server.

Step 11 In the NEW SERVER window, assign the following settings, then click OK.

  • Server Type: RADIUS
  • Name: CPPM-1
  • IP Address: 10.2.120.94
  • Shared Key: shared key
  • Retype Key: shared key

Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.

Step 12 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 13 On the Security tab, assign the following setting.

  • Load Balancing: Slide to the right

Note: Best practice is to deploy two RADIUS servers and enable load balancing.

Step 14 Expand Advanced Settings, then click the + next to Fast Roaming and configure settings based on mobility needs. This example illustrates a balanced starting point: OKC and 802.11k enabled, 802.11r disabled. For more guidance, see the Roaming Best Practice section. Then click Next.

Step 15 On the Access tab, assign the following setting, then click Next.

  • Access Rules: Slide to Unrestricted

Note: The restrictions for this type of SSID are assigned in the gateway.

Step 16 On the Summary tab, review the settings and click Finish.

Configure ClearPass for the WPA3-Enterprise Wireless LAN

To support the WPA3-Enterprise WLAN created in the previous steps, ClearPass Policy Manager must be configured to receive, process, and respond to RADIUS authentication requests from this solution. For detailed guidance on configuring a ClearPass service to support WPA3-Enterprise authentication, refer to the Wireless 802.1X Authentication section of the Policy Deploy chapter in the VSG.

Configure the Pre-Shared Key Wireless LAN

Use this procedure to configure a WPA3-Personal SSID with a pre-shared key.

WPA3-Personal allows authentication with a pre-shared key on devices that do not support 802.1X authentication.

Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 2 In the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.

Step 3 Click the + (plus sign) to expand Transmit Rates (Legacy Only), assign the following settings, then click Next.

  • Name (SSID): EXAMPLE-PSK
  • Band: Check boxes for the desired bands
  • Broadcast filtering: ARP
  • 2.4 GHz: Min: 12
  • 5 GHz: Min: 12

    The rest should be default unless deemed required after design discussion.

Note: For greatest compatibility with all client devices, do not use spaces or special characters in the SSID name.

Note: Keep DMO disabled unless your deployment explicitly requires multicast group replication over WLAN. DMO should only be enabled after a design review confirms its benefit for the use case. If multicast traffic is necessary, consider involving your solutions architect to review design requirements and validate wireless readiness.

Note: Transmit rates should be selected based on the specific deployment environment. A starting recommendation for a balanced environment is a minimum transmit rate of 12 Mbps. For more guidance, refer to the Transmit and Basic Data Rates section.

Step 4 On the VLANs tab, assign the following settings, then click Next:

  • Traffic Forwarding Mode: Bridge
  • Client VLAN Assignment: Static
  • VLAN ID: PRINTER (6)

Step 5 On the Security tab, assign the following settings.

  • Security Level: Slide to Personal
  • Key Management: WPA3 Personal
  • Passphrase: passphrase
  • Retype: passphrase

Step 6 Expand Advanced Settings, then click the + next to Fast Roaming and configure settings based on mobility needs. This example illustrates a balanced starting point with 802.11k enabled, 802.11r disabled. For more guidance, see the Roaming Best Practice section. Then click Next.

Step 7 On the Access tab, assign the following setting, then click Next.

  • Access Rules: Slide to Unrestricted

Note: The restrictions for this type of SSID are applied in the switch network.

Step 8 On the Summary tab, review the settings and click Finish.

Configure the Visitor Wireless LAN

Use this procedure to configure a visitor SSID.

Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 2 On the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.

Step 3 Click the + (plus sign) to expand Transmit Rates (Legacy Only), then assign the following settings.

  • Name (SSID): EXAMPLE-VISITOR
  • Band: Check boxes for the desired bands
  • Broadcast filtering: ARP
  • 2.4 GHz: Min: 12
  • 5 GHz: Min: 12

    The rest should be default unless deemed required after design discussion.

Note: For greatest compatibility with all client devices, do not use spaces or special characters in the SSID name.

Note: Keep DMO disabled unless your deployment explicitly requires multicast group replication over WLAN. DMO should only be enabled after a design review confirms its benefit for the use case. If multicast traffic is necessary, consider involving your solutions architect to review design requirements and validate wireless readiness.

Note: Transmit rates should be selected based on the specific deployment environment. A starting recommendation for a balanced environment is a minimum transmit rate of 12 Mbps. For more guidance, refer to the Transmit and Basic Data Rates section.

Step 4 On the General tab, scroll down and click the + (plus sign) to expand Time Range Profiles. In the middle of the section, click + New Time Range Profile.

Step 5 In the New Profile window, assign the following settings, then click Save.

  • Name: Visitor Weekdays
  • Type: Periodic
  • Repeat: Daily
  • Day Range: Monday - Friday (Weekdays)
  • Start Time Hours: 7 Minutes: 0
  • End Time Hours: 18 Minutes: 0

Step 6 In the Time Range Profiles section, in the Status dropdown, find the newly created profile and select Enabled.

Step 7 At the bottom of the page, click Next.

Step 8 On the VLANs tab, assign the following settings, then click Next.

  • Traffic Forwarding Mode: Bridge
  • Client VLAN Assignment: Static
  • VLAN ID: VISITOR (12)

Step 9 On the Security tab, assign the following settings.

  • Security Level: Slide to Captive Portal
  • Captive Portal Type: External

Step 10 In the Splash Page section, click the + (plus sign) next to Captive Portal Profile.

Step 11 In the External Captive Portal-New window, assign the following settings, then click OK.

  • Name: CPPM-Portal
  • Authentication Type: RADIUS Authentication
  • IP or Hostname: cppm.example.local
  • URL: /guest/example_guest.php
  • Port: 443
  • Redirect URL: http://arubanetworking.hpe.com

Step 12 On the Security tab in the Splash Page section, click the + (plus sign) next to Primary Server.

Step 13 In the New Server window, assign the following settings, then click OK.

  • Server Type: RADIUS
  • Name: CPPM-1
  • IP Address: 10.2.120.94
  • Shared Key: shared key
  • Retype Key: shared key

Step 14 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 15 On the Security tab in the Splash Page section, assign the following settings, then click Next.

  • Load Balancing: Slide to the right
  • Encryption: Slide to the left
  • Key Management: Enhanced Open

Note: The Captive Portal Profile requires information from the CPPM server on the network. For detailed steps, see Appendix 1: How to Find ClearPass Details for the Visitor WLAN.

Step 16 Expand Advanced Settings, then click the + next to Fast Roaming and configure settings based on mobility needs. This example illustrates a balanced starting point with 802.11k enabled. For more guidance, see the Roaming Best Practice section. Then click Next.

Visitor Fast Roaming

Step 17 On the Access tab, move the slider to Network Based, select the Allow any to all destinations rule, then click the edit (pencil) icon.

Step 18 In the Access Rules window, assign the following settings, then click OK.

  • Action: Deny

Caution: This step changes the default allow any to all destinations rule to a deny any to all destinations rule for visitor traffic. This rule must always be the last entry in the Access Rules to prevent unauthorized access to internal network resources.

Step 19 On the Access tab, select + Add Rule.

In most cases, the visitor needs access only to DHCP and DNS services, and HTTP/HTTPS access to all destinations on the Internet. Allow access to DHCP servers on the internal network and allow DNS to two well-known DNS servers. To prevent access to internal resources, add an exception network and mask covering the internal IP addresses to the HTTP and HTTPS allow rules.

Example: Access Rules for Visitors

Rule Type        Service Type   Service Name   Action   Destination
Access control   Network        DHCP           Allow    10.2.120.98 (internal DHCP server)
Access control   Network        DHCP           Allow    10.2.120.99 (internal DHCP server)
Access control   Network        DNS            Allow    8.8.4.4 (well-known DNS server)
Access control   Network        DNS            Allow    8.8.8.8 (well-known DNS server)
Access control   Network        HTTP           Allow    To all destinations, except internal
Access control   Network        HTTPS          Allow    To all destinations, except internal
Access control   Network        Any            Deny     To all destinations

Step 20 In the Access Rules window, assign the following settings, then click OK.

  • Rule Type: Access Control
  • Service: Network
  • Service name (dropdown): dhcp
  • Action: Allow
  • Destination: To a particular server
  • IP: 10.2.120.98
  • Options: none selected

Note: When using the provided table, the easiest way to add the rules is from the bottom up to ensure they are in the correct order when finished.

Step 21 Repeat the previous two steps to add all the rules in the table.

Step 22 On the Access tab, click Next.

Step 23 On the Summary tab, review the settings, and select Finish.
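The visitor rule set from the table above, modelled as a first-match evaluator so the effect of rule order can be checked before it is applied. This is an added example, not code from the guide or from Aruba Central; the internal range 10.0.0.0/8 is an assumption standing in for the "exception network and mask" the text refers to. It also reports rules shadowed by a deny-any placed too early, which is the ordering mistake the Caution and the bottom-up note guard against.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption (not from the guide): the internal range behind "except internal".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Rule:
    service: str                   # dhcp, dns, http, https or any
    action: str                    # allow or deny
    dest: str                      # "any" or one server address
    except_internal: bool = False  # "to all destinations, except internal"

# The visitor rule set from the table, in the order it is evaluated.
VISITOR_RULES = [
    Rule("dhcp", "allow", "10.2.120.98"),
    Rule("dhcp", "allow", "10.2.120.99"),
    Rule("dns", "allow", "8.8.4.4"),
    Rule("dns", "allow", "8.8.8.8"),
    Rule("http", "allow", "any", except_internal=True),
    Rule("https", "allow", "any", except_internal=True),
    Rule("any", "deny", "any"),
]

def matches(rule, service, dst):
    """True if a flow (service, destination address) hits this rule."""
    addr = ipaddress.ip_address(dst)
    if rule.service not in ("any", service):
        return False
    if rule.dest != "any":
        return addr == ipaddress.ip_address(rule.dest)
    if rule.except_internal and addr in INTERNAL:
        return False
    return True

def evaluate(rules, service, dst):
    """First match wins; returns (action, index of the matching rule)."""
    for i, rule in enumerate(rules):
        if matches(rule, service, dst):
            return rule.action, i
    return "no-match", -1

def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier catch-all
    (any service, any destination, no exception) already takes every flow."""
    for i, rule in enumerate(rules):
        if rule.service == "any" and rule.dest == "any" and not rule.except_internal:
            return list(range(i + 1, len(rules)))
    return []
```

Note that DNS to an internal server falls through to the final deny, because the DNS rules only allow the two named public resolvers; without the final deny the rule set simply has no match.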