Configuring Wireless Network Profiles on IAPs

You can configure up to 14 SSIDs Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network.. By enabling Extended SSID in the System > General accordion, you can create up to 16 networks.

This section describes the following topics:

• Creating a Wireless Network Profile
• Configuring VLAN Settings for Wireless Network
• Configuring Security Settings for Wireless Network
• Configuring ACLs for User Access to a Wireless Network
• Viewing Wireless SSID Summary

Creating a Wireless Network Profile

To configure WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. settings, complete the following steps:

1. In the WebUI, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click the WLANs tab.

   The WLANs details page is displayed. For more information on Wireless Details page, see Viewing the Wireless SSIDs Table.

5. In the WLANs tab, click + Add SSID.

   The Create a New Network pane is displayed.

6. In General tab, configure the following parameters:
   • Enter a name for the WLAN network in the Name (SSID) text-box.
   • Select the band Band refers to a specified range of frequencies of electromagnetic radiation.(s) from the Band check-box.
7. Under Advanced Settings, configure the following parameters:

Table 1: Advanced Settings Parameters

Parameter	Description
Broadcast/Multicast
Broadcast filtering	Select any of the following values: All—The IAP drops all broadcast and multicast frames except DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  and ARP Address Resolution Protocol. ARP is used for mapping IP network address to the hardware MAC address of a device. , IGMP Internet Group Management Protocol. Communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. group queries, and IPv6 neighbor discovery protocols. ARP—The IAP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients. By default, the IAP is configured to ARP mode. Unicast ARP Only—This option enables Instant AP to convert ARP requests to unicast frames thereby sending them to the associated clients. Disabled—The IAP forwards all the broadcast and multicast traffic is forwarded to the wireless interfaces.
DTIM Interval	The DTIM Interval indicates the DTIM Delivery Traffic Indication Message. DTIM is a kind of traffic indication map. A DTIM interval determines when the APs must deliver broadcast and multicast frames to their associated clients in power save mode. period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the IAP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode. Range is 1 to 10 beacons. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You can also configure a higher DTIM value for power saving.
Multicast Transmission Optimization	Select the check box if you want the IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent up to a rate of 24 Mbps. The default rate for sending frames for 2.4 GHz Gigahertz. is 1 Mbps and that for 5 GHz is 6 Mbps. This option is disabled by default.
Dynamic Multicast Optimization (DMO)	Select the check box to allow IAP to convert multicast streams into unicast streams over the wireless link. Enabling DMO Dynamic Multicast Optimization. DMO is a process of converting multicast streams into unicast streams over a wireless link to enhance the quality and reliability of streaming videos, while preserving the bandwidth available to non-video clients. enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients. NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..
DMO channel utilization threshold	Specify a value to set a threshold for DMO channel utilization. With DMO, the IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the IAP sends multicast traffic over the wireless link. NOTE: This option will be enabled only when Dynamic Multicast Optimization is enabled.
DMO client threshold	Specify a value between 2 and 255 to set the DMO client threshold.
IPv6 RA Router Advertisement. The RA messages are sent by the routers in the network when the hosts send multicast router solicitation to the multicast address of all routers. and ND Optimization	IPv6 RA and ND optimization allows local IPv6 hosts to automatically configure their own IP address based on information advertised by switches or routers operating on the network. Select one of the following options: None—Disables the IPv6 RA, NS, or NA packets optimization on the WLAN SSID. Convert to Unicast—Converts multicast IPv6 RA, NS, or NA packets to unicast.
Transmit Rates (Legacy Only)
2.4 GHz	If the 2.4 GHz band is configured on an AP, specify the minimum and maximum transmission rates. Default value: The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.
5 GHz	If the 5 GHz band is configured on an AP, specify the minimum and maximum transmission rates. Default value: The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.
Beacon Rate
2.4 GHz	If the 2.4 GHz band is configured on an AP, specify the transmission rates from the 2.4 GHz drop-down list. By default, the transmission rate is set as 1 Mbps. The minimum transmission rate supported is 1 Mbps and the maximum transmission rate supported is 54 Mbps.
5 GHz	If the 5 GHz band is configured on an AP, specify the transmission rates from the 5 GHz drop-down list. By default, the transmission rate is set to 6 Mbps. The minimum transmission rate supported is 6 Mbps and the maximum transmission rate supported is 54 Mbps.
Zone
Zone	Specify the zone for the SSID. If a zone is configured in the SSID, only the IAP in that zone broadcasts this SSID. If there are no IAPs in the zone, SSID is broadcast. If the IAP cluster has devices running Aruba Instant firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma separated values. NOTE: HPE Aruba Networking recommends that you do not configure zones in both SSID and in the device specific settings of an IAP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.
Bandwidth Control
Airtime	Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.
Downstream	Enter the downstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check box. NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.
Upstream	Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check box. NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.
Each Radio	Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.
Enable 11n	When this option is selected, there is no disabling of High-Throughput (HT High Throughput. IEEE 802.11n is an HT WLAN standard that aims to achieve physical data rates of close to 600 Mbps on the 2.4 GHz and 5 GHz bands.) on 802.11n 802.11n is a wireless networking standard to improve network throughput over the two previous standards, 802.11a and 802.11g. With 802.11n, there will be a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, HT is enabled on all SSIDs. NOTE: If you want the 802.11ac 802.11ac is a wireless networking standard in the 802.11 family that provides high-throughput WLANs on the 5 GHz band. IAPs to function as 802.11n IAPs, clear this check box to disable VHT Very High Throughput. IEEE 802.11ac is an emerging VHT WLAN standard that could achieve physical data rates of close to 7 Gbps for the 5 GHz band. on these devices.
Enable 11ac	When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, VHT is enabled on all SSIDs. NOTE: If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check box to disable VHT on these devices.
Enable 11ax	When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, VHT is enabled on all SSIDs.
WiFi Multimedia
Background Wifi Multimedia Share	Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP Differentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. mapping values within a range of 0–63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate single DHCP mapping value.
Best Effort Wifi Multimedia Share	Allocates bandwidth or best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS Quality of Service. It refers to the capability of a network to provide better service and performance to a specific network traffic over various technologies.. Specify the appropriate DSCP mapping values within a range of 0–63 for the best effort traffic in the corresponding DSCP mapping text-box.
Video Wifi Multimedia Share	Allocates bandwidth for video traffic generated from video streaming. Specify the appropriate DSCP mapping values within a range of 0–63 for the video traffic in the corresponding DSCP mapping text-box.
Voice Wifi Multimedia Share	Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0–63 for the voice traffic in the corresponding DSCP mapping text-box. NOTE: In a non-WMM Wi-Fi Multimedia. WMM is also known as WME. It refers to a Wi-Fi Alliance interoperability certification, based on the IEEE 802.11e standard. It provides basic QoS features to IEEE 802.11 networks. WMM prioritizes traffic according to four ACs: voice (AC_VO), video (AC_VI), best effort (AC_BE), and background (AC_BK). or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia share and Voice Wifi Multimedia Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
Traffic Specification(TSPEC)	Select this check box to set if you want the TSPEC Traffic Specification. TSPEC allows an 802.11e client or a QoS-capable wireless client to signal its traffic requirements to the AP. for the wireless network. The term TSPEC is used in wireless networks supporting the IEEE Institute of Electrical and Electronics Engineers. 802.11e 802.11e is an enhancement to the 802.11a and 802.11b specifications that enhances the 802.11 Media Access Control layer with a coordinated Time Division Multiple Access (TDMA) construct. It adds error-correcting mechanisms for delay-sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability between business, home, and public environments such as airports and hotels, and offers all subscribers high-speed Internet access with full-motion video, high-fidelity audio, and VoIP. Quality of Service standard. It defines a series of parameters, characteristics and Quality of Service expectations of a traffic flow.
TSPEC Bandwidth	Enter the bandwidth for the TSPEC.
Spectralink Voice Protocol(SVP)	Select this check box to opt for SVP SpectraLink Voice Priority. SVP is an open, straightforward QoS approach that has been adopted by most leading vendors of WLAN APs. SVP favors isochronous voice packets over asynchronous data packets when contending for the wireless medium and when transmitting packets onto the wired LAN. protocol.
WiFi Multimedia Power Save (U-APSD)	Select this check box to enable WiFi Multimedia Power Save (U-APSD Unscheduled Automatic Power Save Delivery. U-APSD is a part of 802.11e and helps considerably in increasing the battery life of VoWLAN terminals.). The U-APSD is a power saving mechanism that is an optional part of the IEEE amendment 802.11e, QoS.
Miscellaneous
Disable on 6GHz Mesh	Turn on the toggle switch to stop the SSID from broadcasting on 6 GHz radio when mesh is enabled on the 6 GHz radio.
Content Filtering	Select this option to route all DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. requests for the non-corporate domains to OpenDNS on this network.
Primary Usage	Based on the type of network profile, select one of the following options: Mixed Traffic—Select this option to create an employee or guest network profile. The employee network is used by the employees in an organization and it supports passphrase-based or 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority.-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The guest network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi Wi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. network. The VC assigns the IP address for the guest clients. Captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network. Voice Only—Select this option to configure a network profile for devices that provide only voice services such as handsets or applications that require voice traffic prioritization. NOTE: When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.
Inactivity timeout	Specify an interval for session timeout in seconds, minutes, or hours. If a client session is inactive for the specified duration, the session expires and the user is required to log in again. You can specify a value within the range of 60–86,400 seconds (24 hours) for a client session. The default value is 1000 seconds.
Hide SSID	Select this option if you do not want the SSID to be visible to users.
Disable Network	Select this option if you want to disable the SSID. When selected, the SSID is disabled, but is not removed from the network. By default, all SSIDs are enabled.
Max clients threshold	Specify the maximum number of clients that can be configured for each BSSID Basic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly. on a WLAN. You can specify a value within the range of 0–1024. The default value is max. NOTE: Specify max, MAX, or 1024 in the Max clients threshold text-box to set the threshold to maximum number of clients.
Local Probe Request Threshold	Select either automatic or manual to set the Local Probe Request Threshold. automatic: The local probe request threshold value changes to the recommended value provided by the AI Artificial intelligence (AI) is the simulation of human intelligence processes by machines, especially computer systems. AI reduces trouble tickets by identifying the network entity that is facing problems through event correlation and root cause analysis. insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value. manual: Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests, if required.
Min SNR for auth request	Select either automatic or manual to set the minimum SNR Signal-to-Noise Ratio. SNR is used for comparing the level of a desired signal with the level of background noise. for authentication request. automatic: The minimum SNR for authentication request value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value. manual: Enter the minimum SNR threshold for authentication requests. You can specify an SNR value within the range of 0–100 dB Decibel. Unit of measure for sound or noise and is the difference or ratio between two signal levels..
Deauth inactive clients	Select this option to allow the IAP to send a de-authentication frame to the inactive client and the clear client entry.
Can be used without uplink	Select this option if you do not want the SSID profile to use the uplink.
Deny inter user bridging	Disables bridging traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.
Enable SSID when	Select an option from the drop-down list and specify the time period.
Disable SSID when	Select an option from the drop-down list and specify the time period.
Deny Intra VLAN Traffic	Disables intra VLAN traffic to enable the client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.
Management Frame Protection	Turn on the Management Frames Protection toggle switch to provide high network security by maintaining data confidentiality of management frames. The Management Frame Protection (MFP) establishes encryption keys between the client and Instant AP using 802.11i 802.11i provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards. It requires new encryption key protocols, known as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). framework. For more information, see Configuring Management Frames Protection.
Fine Timing Measurement (802.11mc) Responder Mode	Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.
Advertise AP Name	Turn on the toggle switch to enable the advertising of AP name.
Advertise AP Name for 6G	Turn on the toggle switch to enable the advertising of AP name for 6 GHz radio.
MBO	Turn on the toggle switch to enable multi-band operation on the SSID profile.
MBO for 6G	Turn on the toggle switch to enable multi-band operation on the SSID profile for 6 GHz radio.
PMK Cache	Turn on the toggle switch to enable the PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. cache that deletes the PMK cache entries, thereby the users will not get different IP addresses as the authentication is skipped. The PMK cache stores the details of the connected clients for authenticating clients roaming between different APs. By default, the client details is stored for 8 hours after the client disconnects or gets timed out from the network. However, client details in the PMK cache can be deleted immediately after a client disconnects or gets timed out from the network.
Time Range Profiles
Time Range Profiles	Ensure that the NTP Network Time Protocol. NTP is a protocol for synchronizing the clocks of computers over a network. server connection is active. Select a time range profile from the Time Range Profiles list and apply a status form the drop-down list. Click + New Time Range Profile to create a new time range profile. For more information, see Configuring Time-Based Services for Wireless Network Profiles.

Configuring VLAN Settings for Wireless Network

To configure VLANs settings for an SSID, complete the following steps:

1. In the VLANs tab, select any of the following options for Client IP Assignment:
   • Instant AP assigned—When selected, the client obtains the IP address from the VC.
   • External DHCP server assigned—When selected, the client obtains the IP address from the network.
2. Based on the type of client IP assignment mode selected, configure the following parameters:

   Table 2: VLANs Parameters

   Parameter	Description
   Instant AP assigned	When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet Subnet is the logical division of an IP network. and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs. If this option is selected, specify any of the following options in Client VLAN Assignment: Internal VLAN—Assigns IP address to the client in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network. Custom—Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.
   External DHCP server assigned	When this option is selected, specify any of the following options in Client VLAN Assignment: Static—In VLAN ID, specify a VLAN ID for a single VLAN(s). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.  To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps: Click +Add Named VLAN. The Add Named VLAN window is displayed. Enter the VLAN Name and VLAN details, and then click OK. Dynamic—Assigns the VLANs dynamically from a DHCP server.  To add a new VLAN assignment rule, complete the following steps: Click + Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed. Enter the Attribute, Operator, String, and VLAN details, and then click OK. To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon. To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps: Click +Add Named VLAN. The Add Named VLAN window is displayed. Enter the VLAN Name and VLAN details, and then click OK. To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon. Native VLAN—Assigns the client VLAN is assigned to the native VLAN. From HPE Aruba Networking Central 2.5.4, the Add Named VLAN window supports adding multiple VLAN IDs and VLAN range.

3. Click Next.

Configuring Security Settings for Wireless Network

To configure security settings for mixed traffic or voice network, complete the following steps:

1. In the Security tab, specify any one of the following options in the Security Level:
   • Enterprise—On selecting Enterprise security level, the authentication options applicable to the network are displayed.
   • Personal—On selecting Personal security level, the authentication options applicable to the personalized network are displayed.
   • Visitors—On selecting Visitors security level, the authentication options applicable to the visitors network are displayed. For more information on visitors security level, see Configuring Wireless Networks for Guest Users on IAPs.
   • Open—On selecting Open security level, the authentication options applicable to the open network is displayed.

     The default security setting for a network profile is Personal.

2. Based on the security level specified, configure the following basic parameters:

   Table 3: Basic WLAN Security Parameters

   Data Pane Item	Description
   Key Management	For Enterprise security level, select an encryption key from Key Management drop-down list: WPA2-Enterprise—Select this option to use WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES. security. The WPA2 Enterprise requires user authentication and requires the use of a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server for authentication. WPA-Enterprise—Select this option to use both WPA Wi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption. Enterprise. Both (WPA2 & WPA)—Select this option to use both WPA2 and WPA security. Dynamic- WEP with 802.1X—If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, turn on the Use Session Key for LEAP toggle switch. This is required for old printers that use dynamic WEP Wired Equivalent Privacy. WEP is a security protocol that is specified in 802.11b and is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. through LEAP Lightweight Extensible Authentication Protocol. LEAP is a Cisco proprietary version of EAP used in wireless networks and Point-to-Point connections. authentication. The Use Session Key for LEAP feature is Disabled by default. WPA3-Enterprise(CNSA)—Select this option to use WPA3 security employing CNSA encryption. WPA3-Enterprise(CCM 128)—Select this option to use WPA3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text. WPA3-Enterprise(GCM 256)—Select this option to use WPA3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text. NOTE: When either WPA2-Enterprise or Both (WPA2 & WPA) encryption type is selected and if 802.1x authentication method is configured, ensure that you turn on the Opportunistic key caching (OKC) toggle switch under Advanced Settings to enable OKC Opportunistic Key Caching. OKC is a technique available for authentication between multiple APs in a network where those APs are under common administrative control. Using OKC, a station roaming to any AP in the network will not have to complete a full authentication exchange, but will instead just perform the 4-way handshake to establish transient encryption keys. . When OKC is enabled, a cached Pairwise Master Key (PMK) is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1x authentication. OKC roaming can be configured only for the Enterprise security level.
   	For Personal security level, select an encryption key from Key Management drop-down list. For WPA2-Personal, WPA-Personal, Both (WPA2 & WPA), and WPA3-Personal keys, specify the following parameters: Passphrase Format—Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters. Passphrase—Enter a passphrase. Retype—Retype the passphrase to confirm. For Static WEP, specify the following parameters: WEP Key Size—Select an appropriate value for WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list. WEP Key—Enter an appropriate WEP key. Retype WEP Key—Retype the WEP key to confirm. For MPSK AES, select a primary server from the drop-down list. For MPSK LOCAL, select a MPSK Multi Pre-Shared Key. The Cloud Authentication and Policy server enables MPSK in a WLAN network in Aruba Central, to provide seamless wireless network connection to the end-users and client devices. Local server from the drop-down list.
   	For Visitors security level, select an encryption key from Key Management. Select Open or Enhanced Open from the drop-down list. For information on visitors security level, see Configuring Wireless Networks for Guest Users on IAPs.
   	For Open security level, the Key Management includes Open and Enhanced Open options.
   EAP offload	This option is applicable to Enterprise security levels only. To terminate the EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  portion of 802.1X authentication on the Instant AP instead of the RADIUS server, turn on the EAP offload toggle switch. Enabling EAP offload can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange. When EAP Offload is enabled, the Instant AP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. It can also reduce the number of exchange packets between the Instant AP and the authentication server. Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID. If you are using LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. for authentication, ensure that Instant AP termination is configured to support EAP.
   Authentication Server	Configure the following parameters: MAC Authentication—Turn on the MAC Authentication toggle switch to allow MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address based authentication for Personal, Visitors, and Open security levels. Primary Server—Set a primary authentication server. The Primary Server option appears only for Enterprise security level, internal and external captive portal types. Select one of the following options from the drop-down list: Internal Server—To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs. HPE Aruba Networking Central allows you to configure an external RADIUS server, TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. or LDAP server, and External Captive Portal for user authentication. Secondary Server—To add another server for authentication, configure another authentication server. Authentication Survivability—If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expires. When the cache expires, the clients are required to authenticate again. You can specify a value within range of 1 to 99 hours. By default, authentication survivability is disabled. Load Balancing—Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers.
   Users	Click Users to add the users. The registered users of Employee type will be able to access the users of Enterprise network. To add a new user, click + Add User and enter the new user in the Add Userpane. The Primary Server option appears only for Enterprise security level, Internal Captive Portal, and External Captive Portal.

3. Based on the security level specified, specify the following parameters in the Advanced Settings section:

   Table 4: Advanced WLAN Security Parameters

   Data pane item	Description
   Use Session Key for LEAP	Turn on the toggle switch to use the session key for Lightweight Extensible Authentication Protocol. This option is available only for Enterprise level.
   Opportunistic Key Caching (OKC)	Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is enabled, multiple APs can share Pairwise Master Keys (PMKs) among themselves, and the station can roam to a new access points that has not visited before and reuse a PMK that was established with the current AP. OKC allows the station to roam quickly to an access point it has never authenticated to, without having to perform pre-authentication. OKC is available specifically on WPA2 SSIDs only.
   MAC Authentication for Enterprise Networks	To enable MAC address based authentication for Personal and Open security levels, turn on the toggle switch to enable MAC Authentication. For Enterprise security level, the following options are available: Perform MAC authentication before 802.1X—Select this to use 802.1X authentication only when the MAC authentication is successful. MAC Authentication Fail-Through—On selecting this, the 802.1X authentication is attempted when the MAC authentication fails. If MAC Authentication is enabled, configure the following parameters: Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled. Uppercase Support—Turn on the toggle switch to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
   Reauth Interval	Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. If the re-authentication interval is configured: On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role. On an SSID performing both L2 and L3 authentication (MAC with visitors security level authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client. On an SSID performing only L3 authentication (visitors security level authentication): When re-authentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through visitors security level authentication to regain access.
   Denylisting	By default, this option is disabled. To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.
   Enforce DHCP	Enforces WLAN SSID on IAP clients. When DHCP is enforced: A layer-2 user entry is created when a client associates with an IAP. The client DHCP state and IP address are tracked. When the client obtains an IP address from DHCP, the DHCP state changes to complete. If the DHCP state is complete, a layer-3 user entry is created. When a client roams between the IAPs, the DHCP state and the client IP address is synchronized with the new IAP.
   WPA3 Transition	Enable this option to allow WPA2 and WPA3 clients to be on the same SSID. The WPA3 Transition is available only when WPA3-Enterprise(CCM 128) option is selected from the Key Management drop-down list for Enterprise security level.
   Legacy Support	Enable this option to allow backward compatibility of encryption modes in networks. The Legacy Support appears only when WPA3 is selected in the Key Management for Personal, Visitors, and Open level.
   Use IP for Calling Station ID	Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed: Called Station ID Type—Select any of the following options for configuring called station ID: Access Point Group—Uses the VC ID as the called station ID. Access Point Name—Uses the host name of the IAP as the called station ID. VLAN ID—Uses the VLAN ID of as the called station ID. IP Address—Uses the IP address of the IAP as the called station ID. MAC address—Uses the MAC address of the IAP as the called station ID. Called Station ID Include SSID—Appends the SSID name to the called station ID. NOTE: The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled. Called Station ID Delimiter—Sets delimiter at the end of the called station ID. Max Authentication Failures—Sets a value for the maximum allowed authentication failures.
   Delimiter Character	Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
   Uppercase Support	Select this option to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
   Passpoint Service Profile	Select the passpoint service profile from the drop-down. For more information, see Configuring a Passpoint Service Profile in a WLAN Network.
   Fast Roaming	Enable the following fast roaming features as per your requirement: 802.11k—Turn on the 802.11k toggle switch to enable 802.11k 802.11k is an IEEE standard that enables APs and client devices to discover the best available radio resources for seamless BSS transition in a WLAN. roaming. The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other. 802.11v—Turn on the 802.11v toggle switch to enable 802.11v 802.11v is an IEEE standard that allows client devices to exchange information about the network topology and RF environment. This information is used for assigning best available radio resources for the client devices to provide seamless connectivity. based BSS Basic Service Set. A BSS is a set of interconnected stations that can communicate with each other. BSS can be an independent BSS or infrastructure BSS. An independent BSS is an ad hoc network that does not include APs, whereas the infrastructure BSS consists of an AP and all its associated clients. transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF Radio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam. RRM Quiet IE—Configures a radio resource management IE profile elements advertised by an AP. 802.11r—Turn on the 802.11r toggle switch to enable 802.11r 802.11r is an IEEE standard for enabling seamless BSS transitions in a WLAN. 802.11r standard is also referred to as Fast BSS transition. roaming. Selecting this enables fast BSS transition. The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster. The 802.11r option is not available for Enterprise level. Once you enable the 802.11r, the following text-box is displayed: MDID—In the MDID text-box, enter the mobility domain identifier to configure a mobility domain identifier. In a network of standalone Instant APs within the same management VLAN, 802.11r roaming does not work. This is because the mobility domain identifiers do not match across Instant APs. They are auto-generated based on a virtual controller key. You can set a mobility domain identifier for 802.11r SSIDs. For standalone Instant APs in the same management VLAN, 802.11r roaming works only when the mobility domain identifier is configured with the same value.

4. Click Next.

Configuring ACLs for User Access to a Wireless Network

You can configure up to 64 access rules for a wireless network profile. To configure access rules for a network, complete the following steps:

1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. For more information, see Configuring Downloadable Roles.
   • The Downloadable Role feature is optional. The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass ClearPass is an access management system for creating and enforcing policies across a network to all devices and applications. The ClearPass integrated platform includes applications such as Policy Manager, Guest, Onboard, OnGuard, Insight, Profile, QuickConnect, and so on. server version 6.7.8.
   • At least one radius server must be configured to apply the Downloadable Role feature. For more information on configuring radius server, see Authentication Servers for IAPs
2. Click the action corresponding to the server. The Edit Server page is displayed.

Viewing Wireless SSID Summary

In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.