Configuring Personal Security for a WLAN SSID Profile

To configure a personal security profile, complete the following steps:

  1. To access the WLAN SSID configuration wizard for a new SSID profile or an existing SSID profile, see Configuring a WLAN SSID Profile in Bridge Mode or Configuring a WLAN SSID Profile in Tunnel and Mixed Mode.
  2. In the WLAN SSID configuration wizard, click the Security tab.
  3. In Security Level, select Personal.
  4. Configure the parameters described in Table 1.
  5. Click Advanced Settings and configure the parameters described in Table 2.
  6. Click Next.

    The following table describes the configuration parameters for the Personal security profile.

    Table 1: Personal Security Profile Configuration Parameters

    Parameter

    Description

    Key Management

    Select one of the following options from the drop-down list:

    Passphrase Format

    Select a passphrase format.

    The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.

    NOTE: The Passphrase Format parameter is available only when you select WPA2-Personal, WPA Personal, Both (WPA2 and WPA), or WPA3 Personal option from the Key Management drop-down list.

    Passphrase

    Enter the passphrase of length between 8 and 63 characters.

    NOTE: The Passphrase parameter is available only when you select WPA2-Personal, WPA Personal, Both (WPA2 and WPA), or WPA3 Personal option from the Key Management drop-down list.

    Retype

    Retype the password.

    NOTE: The Retype parameter is available only when you select WPA2-Personal, WPA Personal, Both (WPA2 and WPA), or WPA3 Personal option from the Key Management drop-down list.

    WEP Key Size

    Specify a value from the WEP Key Size and TX Key drop-down lists.

    NOTE: The WEP Key Size parameter is available only when you select Static WEP option from the Key Management drop-down list.

    WEP Key

    Enter a WEP key of 26 hexadecimal characters.

    NOTE: The WEP Key parameter is available only when you select Static WEP option from the Key Management drop-down list.

    Retype WEP Key

    Retype the WEP key.

    NOTE: The Retype WEP Key parameter is available only when you select Static WEP option from the Key Management drop-down list.

    Primary Server

     

    Specify a primary authentication server for client authentication.

    To create a new server, see Configuring External Authentication Servers for a WLAN SSID Profile.

    NOTE: The Primary Server parameter is available only when you select MPSK-AES option from the Key Management drop-down list.

    Secondary Server

    Specify a secondary authentication server for client authentication.

    To create a new server, see Configuring External Authentication Servers for a WLAN SSID Profile.

    NOTE: The Secondary Server parameter is available only when you select MPSK-AES option from the Key Management drop-down list.

    Load Balancing

    Enable this option to load balance between the two authentication servers.

    NOTE: The Load Balancing parameter is available only when you select MPSK-AES option from the Key Management drop-down list.

    Personal Wireless Network

    This option is available only when MPSK AES and Cloud Auth are selected.

    Enable this option to establish Personal Area Network (PAN) among a set of selected wireless devices in order to exchange information isolated from others on the same network.

    NOTE: The AP-3xx access points do not support the PAN feature. When the PAN feature is enabled for APs in a group, do not include AP-3xx access points in the same group or as a neighbor AP. This is because the neighbor AP will get the other AP's mpskcache/pmkcache that has a PAN ID. So if AP-3xx access points have a client online, other APs that support PAN will get the wireless client PAN ID as 0. Then, when the client roams to an AP that supports PAN, its PAN ID will still be 0, causing a mismatch.

    MPSK Local

    Specify an MPSK Local profile for client authentication.

    To create a new MPSK Local profile, see Creating an MPSK Local Profile.

    NOTE: The MPSK Local parameter is available only when you select MPSK Local option from the Key Management drop-down list.
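The two Passphrase Format options in Table 1 map to different key handling in WPA/WPA2-Personal. The sketch below is an added example, not code from the product: it validates an entry against either format and derives the 256-bit pairwise master key using the standard 802.11 passphrase mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). Function names are hypothetical; the printable-ASCII check is the 802.11 rule and is an assumption about what the UI accepts; WPA3-Personal (SAE) derives keys differently and is not covered.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def classify_passphrase(value: str) -> str:
    """Return 'hex' or 'ascii' for a valid entry; raise ValueError otherwise."""
    if len(value) == 64:
        if set(value) <= HEX_DIGITS:
            return "hex"
        raise ValueError("a 64-character entry must contain only hexadecimal digits")
    if 8 <= len(value) <= 63:
        # Assumption: printable ASCII (codes 32-126), as 802.11 allows.
        if all(32 <= ord(c) <= 126 for c in value):
            return "ascii"
        raise ValueError("passphrase must be printable ASCII")
    raise ValueError("enter 8-63 characters, or exactly 64 hexadecimal digits")


def derive_pmk(value: str, ssid: str) -> bytes:
    """Derive the 32-byte PMK for WPA/WPA2-Personal from a validated entry."""
    if classify_passphrase(value) == "hex":
        # 64 hex digits are used directly as the 256-bit key; no stretching.
        return bytes.fromhex(value)
    # The SSID is the salt, so the same passphrase on a differently named
    # SSID yields a different key.
    return hashlib.pbkdf2_hmac(
        "sha1", value.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    for ssid in ("IEEE", "IEEE-guest"):
        print(ssid, derive_pmk("password", ssid).hex())
```

Because the 64-hexadecimal format is used as the key itself, it should come from a random generator rather than being typed by hand.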

    The following table describes the advanced WLAN security settings for the Personal security profile.

    Table 2: Advanced WLAN Security Settings—Personal Security Profile

    Parameter

    Description

    MAC Authentication

    Turn on the toggle switch to enable MAC (Media Access Control) address based authentication of clients.

    When MAC authentication is enabled, you can configure Reauth Interval.

    NOTE: This parameter is not available when you select MPSK AES option from the Key Management drop-down list.

    Reauth Interval

    Enter a value in the text box.

    When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. On an SSID performing L2 authentication (MAC or 802.1X authentication), if re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.

    Denylisting

    Turn on the toggle switch to enable denylisting of the clients with a specific number of authentication failures.

    By default, the Denylisting parameter is disabled.

    Max Authentication Failures

    Specify a value between 1 and 10.

    Users who fail to authenticate the number of times specified in the Max Authentication Failures parameter are dynamically denylisted.

    NOTE: The Max Authentication Failures parameter is not available when you select WPA2-Personal option from the Key Management drop-down list.

    Enforce DHCP

    Turn on the toggle switch to enforce DHCP (Dynamic Host Configuration Protocol) and to block traffic for AP clients that do not obtain an IP address from DHCP.

    When DHCP is enforced:

    • A layer-2 user entry is created when a client associates with an AP.
    • The client DHCP state and IP address are tracked.
    • When the client obtains an IP address from DHCP, the DHCP state changes to complete.
    • If the DHCP state is complete, a layer-3 user entry is created.
    • When a client roams between the APs, the DHCP state and the client IP address are synchronized with the new AP.

    Use IP for Calling Station ID

    Turn on the toggle switch to configure the client IP address as the calling station ID.

    Called Station ID Type

    For configuring a called station ID, select one of the following options from the drop-down list:

    Called Station ID Include SSID

    Turn on the toggle switch to append the SSID name to the called station ID.

    Called Station ID Delimiter

    Enter a delimiter at the end of the called station ID.

    NOTE: This parameter is available only when you enable the Called Station ID Include SSID parameter.

    Primary Server

    Add a primary server.

    To create a new server, see Configuring External Authentication Servers for a WLAN SSID Profile.

    Secondary Server

    Add a secondary server.

    To create a new server, see Configuring External Authentication Servers for a WLAN SSID Profile.

    Delimiter Character

    Specify a character (for example, colon or dash) as a delimiter for the MAC address string.

    When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.

    Uppercase Support

    Turn on the toggle switch to allow the AP to use uppercase letters in MAC address string for MAC authentication.

    Fast Roaming

    802.11r

    Turn on the toggle switch to enable 802.11r roaming.

    Selecting this option enables fast BSS (Basic Service Set) transition. The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster.

    MDID

    Specify a mobility domain identifier (MDID). Enter a value between 1 and 65535.

    NOTE: This option is available only when you enable the 802.11r parameter.

    802.11k

    Turn on the toggle switch to enable 802.11k roaming.

    The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.

    802.11v

    Turn on the toggle switch to enable 802.11v based BSS transition.

    The 802.11v standard defines mechanisms for wireless network and BSS transition management. It allows the client devices to exchange information about the network topology and RF (Radio Frequency) environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as it roams.

    RRM Quiet IE

    Turn on the toggle switch to configure radio resource management IE profile elements advertised by an AP. Turn off the toggle switch to disable Quiet IE and disable transmission of the 802.11k Quiet IE information elements.

    When you enable RRM Quiet IE, the AP advertises the Quiet IE in beacon and probe responses. The Quiet IE is used to silence the channel for measurement purposes. When an AP uses Quiet IE to schedule a quiet interval, stations do not transmit on that channel during the quiet interval.
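The Delimiter Character and Uppercase Support settings in Table 2 decide the exact MAC address string the AP places in a MAC authentication request, so the entries on the authentication server must use the same form. The following added example (not product code) builds that string for a given setting and audits a list of server-side entries against it. Function names and the sample entries are constructed; it assumes lowercase is the default, as the page's xx:xx:xx:xx:xx:xx notation suggests, and that the server compares strings exactly.

```python
import re


def mac_auth_string(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Format a MAC address the way the chosen AP settings would send it."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    if not delimiter:
        return digits  # xxxxxxxxxxxx form when no delimiter is configured
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_entries(entries, delimiter: str = "", uppercase: bool = False):
    """Return (entry, expected) pairs for entries that would not match.

    expected is None when the entry is not a MAC address at all.
    """
    mismatches = []
    for entry in entries:
        try:
            expected = mac_auth_string(entry, delimiter, uppercase)
        except ValueError:
            mismatches.append((entry, None))
            continue
        if entry != expected:
            mismatches.append((entry, expected))
    return mismatches


# Constructed server-side entries, for illustration only.
SAMPLE_ENTRIES = [
    "00:1a:2b:3c:4d:5e",   # matches colon delimiter, lowercase
    "00-1A-2B-3C-4D-5F",   # wrong delimiter and case
    "001a2b3c4d60",        # no delimiter
    "not-a-mac",           # malformed
]

if __name__ == "__main__":
    for entry, expected in audit_entries(SAMPLE_ENTRIES, delimiter=":"):
        print(f"{entry!r} should be {expected!r}")
```

With Denylisting enabled, a format mismatch of this kind shows up as repeated authentication failures for otherwise legitimate clients, so running the audit before changing either setting avoids locking them out.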