Configure AP Profiles

Note
For TQ series APs, LLDP, Ethernet, and HTTP/HTTPS configuration is only possible from the AP's own management web interface. Please follow the steps described in Configure AP through Its Own Web Interface to perform that configuration.
For detailed explanation on configuring TQ series APs, refer to the "TQ series Reference Manual" on our website.

Note
AP Profile and AP-specific configuration created in the AWC Plug-in are not instantly applied to wireless APs. They will be applied to APs when:

an AP is put under the AWC Plug-in's control

a user manually applys configuration

a scheduled task for applying configuration is run.

Create AP Profile

Note
To monitor an AP, you have to assign an AP Profile to the AP which has been added to the AWC Plug-in's database.

Select "Wireless Configuration" > "AP Profile" from the AWC Plug-in menu.
The AP Profile list screen will appear.
Click "Create" at the top right corner.

The "Select Country, AP Series and Profile Type" dialog box will appear.

Table 1: "Select Country Code/AP Series/Settting Type" dialog box
Item Name	Description
Country	Specify a country code for the AWC Plug-in's AP profile. It is used to properly configure APs for radio frequency regulation in the country. When a country code is set in the "User Management" screen of Vista Manager EX, the preferred country code will be selected as the default.
Series	Select an AP series. TQ Series: Select this to create an AP Profile for TQ series. Note The AWC Plug-in no longer supports the management of TQ2450, TQ3200, TQ3400, TQ3600, TQ4400, TQ4400e, and TQ4600 APs. Please note that the setting functions for these models of APs, such as the AP Profile Type, are retained for compatibility with the backup file of the previous version. TQ Series - SDN/OpenFlow Note The AWC Plug-in no longer supports the management of TQ series in SDN/OpenFlow mode or with the firmware that supports SDN/OpenFlow. Please note that the setting functions for these models of APs, such as the AP Profile Type, are retained for compatibility with the backup file of the previous version.
Profile Type	Select a Profile Type to match the model's radio specifications. TQ series Tri[11ax] Select this for TQ7403. Tri[11ax]-R Select this for TQ7403-R. Tri[11ax] GEN2 Select this for TQ6403 GEN2 and TQm6403 GEN2. Dual[11ax] GEN2 Select this for TQ6602 GEN2, TQ6702 GEN2, TQm6602 GEN2 and TQm6702 GEN2. Dual[11ax] GEN2 with External Antenna Select this for TQ6702e (indoor/outdoor). Dual[11ax] GEN2-R Select this for TQ6702 GEN2-R. Dual[11ax] Select this for TQ6602. Tri[11ac Wave2] Select this for TQ5403 and TQm5403. Tri[11ac Wave2] with External Antenna Select this for TQ5403e (indoor/outdoor). Dual[11ac Wave2] Select this for TQ1402 and TQm1402. Note The AWC Plug-in no longer supports the management of TQ4400, TQ4600 and TQ4400e AP. The setting items listed below are retained for compatibility with the backup file of the previous version. Please do not select: Dual[11ac] Dual[11n] 11ac with External Antenna Single TQ series (SDN/OpenFlow-capable firmware) Note The AWC lug-in no longer supports the management of TQ series in SDN/OpenFlow mode.
Location	If the Profile Type is "Dual[11ax] GEN2 with External Antenna" or "Tri[11ac Wave2] with External Antenna", select Location ("Indoor" or "Outdoor") to place the Wireless APs.
"OK" button	Create an AP Profile of the selected Profile Type.
"Cancel" button	Stop adding an AP Profile.

Select a Country.

Note
An AP Profile with a country code other than "JP - Japan" cannot be applied to Japanese models of TQ series.
Select an AP series to configure.
Select a Profile Type that matches the AP model's radio specifications.
If you chose "Dual[11ax] GEN2 with External Antenna" or "Tri[11ac Wave2] with External Antenna" in Step 6, in addition to the settings above, select "Location" from "Indoor" or "Outdoor". This is shown on the left side of the list.
Click "OK".

The AP Profile configuration page will appear.

The configuration items for an AP Profile may vary depending on the "Series" and "Profile Type". The following image shows a sample AP Profile for the "TQ Series" / "Tri[11ac Wave2]".

On the top right of the screen, you can switch the radio band, and save or cancel changes for the AP profile.

Table 2: AP Profile
Item Name	Description
Top right of the screen
"Radio 1" / "Radio 2" / "Radio 3" buttons	Select a radio to configure in the "Radio Configuration" and "VAP (Multiple SSID) Configuration" sections. The following buttons are displayed depending on the Profile Type. Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2 Radio 1: 2.4GHz Radio 2: 5GHz (W52/W53) Radio3: 6GHz (UNII-5) Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna Radio 1: 2.4GHz Radio 2: 5GHz (W52/W53) Radio 3: 5GHz (W56) Dual[11ax] GEN2, Dual[11ax] GEN2-R, Dual[11ax], Dual[11ac Wave2] Radio 1: 2.4GHz Radio 2: 5GHz (W52/W53/W56)

Configure items as required.
Click "Add" at the top right corner.

Profile Configuration

Configure general parameters in the "Profile Configuration" section.

Table 3: AP Profile Configuration
Item Name	Description
AP Profile Name	Enter a name for the AP Profile. Should be 1 to 100 characters in length, with alphabets, numbers and symbols (including spaces). (mandatory) Note In the AT-VST-APL version, non-ASCII characters (full-width alphabets, numbers, kana, kanji, and symbols) cannot be used.
Profile Type	Shows the Profile Type you selected in the earlier step.
Location	Shows the Location (indoor/outdoor) you selected in the earlier step (TQ5403e, and TQ6702e GEN2 only).
Antenna Model	Note This item is not supported.
Country	Shows the Country Code you selected in the earlier step.
Series	Shows the Series you selected in the earlier step.
Management Group	Select Management Groups. You cannot uncheck "Default Wireless Group" (mandatory) Search Wireless Management Group: Groups in the list can be filtered by entering a partial name in the search box. The search field lets you enter a partial string to match. The screen displays entries with that string in their name. To remove the filter, delete the string from the search field and press enter. Note The search is case-sensitive.

Basic Configuration

You can specify the AP's system settings in the "Basic Configuration" section.

Table 4: AP Profile Basic Configuration
Item Name	Description
User Settings or User Information	Configure the user settings used to manage the AP. Depending on the setting type, either "User Settings", which are optional, or "User Settings", which must be set, will be displayed. User Settings If necessary, select whether to set the Username and Password for logging in to the AP's Web GUI all at once. Also, set whether to allow individual user settings to be specified for APs to which this AP Profile is applied. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2]" for the Profile Type. By selecting "Enable", the additional items described below will be displayed. Username Password Password (Confirm) AP's User Settings User Information Set the Username and Password for logging in to the AP's CLI, which is necessary for managing the AP. Also, set whether to allow individual user information to be specified for APs to which this AP Profile is applied. Configure the following items. Username Password APs User Settings Note This setting is displayed when "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as Profile Type. For more details, refer to Additional options for User Information.
Timezone	Describe the timezone as a region name and a city name (e.g. "(UTC+09:00) Asia/Tokyo"). The default is "Not Set". You can also narrow down the options displayed in the drop-down list by entering a part of the timezone character string in the search field above the drop-down list. Note Some timezones (e.g. "(UTC+09:00) Asia/Tokyo") don't support Daylight Saving Time. If you select one of the timezones, additional items described below will appear. Only Tri[11ax] or Tri[11ax] GEN2 Timezone Name In common to all types Daylight Saving Time (When Daylight Saving Time is set to Enable) DST Start (24HR) DST End (24HR) DST Offset For more details, refer to Additional options for Timezone.
NTP Client	Specify whether to use clock synchronization using an NTP (Network Time Protocol) server. When enabled, AP clocks are synchronized to the NTP server. By using NTP, you can keep multiple systems' time as accurate as possible. When disabled, AP clocks are synchronized to the system clock of the PC (server) running Vista Manager EX and the AWC Plug-in. Select "Disable" when NTP servers are not available. Note that without NTP, clocks tend to get faster or slower, and AP clocks will become unsynchronized as time passes. Moreover, because APs do not have real time clocks, AP clocks are reset to the initial value (Wed Jan 01 2014 09:00:00 JST) after system restarts. The default is "Disable". By selecting "Enable", the additional items described below will be displayed. NTP Server IP Address / Hostname NTP Synchronization Interval For more details, refer to Additional options for NTP Client.
Syslog Client	Specify whether to use the Syslog Client function. When enabled, AP log messages can be sent to a Syslog server. By selecting "Enable", the additional items described below will be displayed. Syslog Server IP Address / Hostname Port Number Severity For more details, refer to Additional options for Syslog Client.
SNMP Agent	Specify whether to use the SNMP Agent function. By selecting "Enable", the additional items described below will be displayed. Version Read Only Community Name Port Number Full Name Password Restrict the source of SNMP requests Only allow from the designated hosts or subnets Community name for traps Trap types Trap Host IP Address/Hostname For more details, refer to Additional options for SNMP Agent.
MAC Address List	Select a MAC Address List (a whitelist or a blacklist). When you click the dropdown list, the "Select MAC Address List" dialog box will appear. Refer to Configure MAC Address List for detailed instructions on how to create a MAC Address List.
LED	Specify whether to turn on the LED. Select "Turn On" to turn on the LED. Otherwise select "Turn Off". The default is "Turn On". If you select "TQ Series" for Series and "Dual[11ax] GEN2" or "Dual[11ax]" for Profile Type, setting this item Enable will show an additional setting "PoE LED". For more details, refer to Additional option for LED.
Virtual IP Address for Captive Portal	Specify whether to use the virtual IP address on the captive portal, when Captive Portal is enabled. When enabled, you can specify the IP address to be used to display the captive portal. If disabled, the captive portal will be displayed using the IP address assigned to the wireless AP itself to which this AP profile has been applied. The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported.

Additional options for User Settings

If you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave 2] with External Antenna", and "Dual[11ac Wave2]", you can override the Username and Password to log into the AP's Web GUI.

Table 5: Additional options for User Settings
Item Name	Description
Username	Specify the username used to logon to the AP's management web interface. This setting is mandatory when you change "Password". If both "Username" and "Password" are left blank, they will stay at their previous value or the default value. 1 to 12 characters in length, with letters and digits. Must begin with a letter.
Password	Specify the password used to logon to the AP's management web interface. This setting is mandatory when you change "Username". If both "Username" and "Password" are left blank, they will stay at their previous value or the default value. Once the Password is set in the AP Profile and not being changed from that, the string "Configured" will be shown in this field. Should be 0 to 32 characters in length, with alphabets (case-sensitive), numbers and symbols (! # % ( ) + , - . / ; = ? @ [ \ ] ^ _ ` { \| } ~ may be used). The password is case-sensitive. Each character in the password is represented by a bullet.
Password (Confirm)	Enter the same login password for confirmation. Each character in the password is represented by a bullet.
AP's User Settings	Can prevent changing the user settings per AP by AP-Specific Configuration. When "Disable" is checked, individual settings are disabled and the only user settings specified for the AP Profile are commonly set for all APs to which this AP Profile is applied. Unchecking the checkbox allows you the individual settings. By default, this option is not checked.

Additional options for User Information

If the Profile Type is "Tri[11ax]-R" or "Dual[11ax] GEN2-R", you need to set an existing username and password for the AP to manage and configure from the AWC Plug-in.

Table 6: Additional options for User Information
Item Name	Description
Username	Specify the username used to logon to the AP's management web interface. This setting is mandatory when you change "Password". If both "Username" and "Password" are left blank, they will stay at their previous value or the default value. Should be 1 to 64 characters in length, with alphabets (case-sensitive), numbers and symbols (! " # $ % & ' ( ) * + , - . / : ; < = > @ [ \ ] ^ _ ` { \| } ~ may be used). The password is case-sensitive. Also note that the username must be started with alphabet, or the available symbols listed above, except a plus (+).
Password	Specify the password used to logon to the AP's management web interface. Should be 1 to 32 characters in length, with alphabets (case-sensitive), numbers and symbols (! " # $ % & ' ( ) * + , - . / : ; < = > @ [ \ ] ^ _ ` { \| } ~ may be used). The password is case-sensitive. Each character in the password is represented by a bullet.
APs User Settings	Can prevent changing the user information per AP by AP-Specific Configuration. When "Disable" is checked, individual settings are disabled and the only user information specified for the AP Profile are commonly set for all APs to which this AP Profile is applied. Unchecking the checkbox allows you the individual settings. By default, this option is not checked.

Additional options for Timezone

Table 7: Additional options for Timezone
Item Name	Description
Timezone Name	Specify a time zone name (time zone abbreviation: e.g., "JST" for Japan Standard Time) corresponding to the specified time zone with a string of 3 to 6 characters.
Daylight Saving Time	Enables or disables the daylight saving time settings. If you select "Enable", the following items are also displayed. The default is "Disable".
DST Start (24HR)	The menu pops up and lets you select the starting and ending date/time (week, day of the week, month, hour and minute) of DST. Only displayed when "Daylight Saving Time" is set to "Enable".
DST Start (24HR)
DST Offset	Specify an offset (minutes) for Daylight Saving Time. The method of specifying the setting varies depending on the Profile Type. Tri[11ax], Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 With External Antenna, Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] With External Antenna, Dual[11ac Wave2] From the drop-down menu, select 15, 30, 45, 60, 75, 90, 105, or 120. Only Tri[11ax] or Tri[11ax] GEN2 Enter a value from 1 to 180. The default is 60 (minutes). Only displayed when "Daylight Saving Time" is set to "Enable".

Additional options for NTP Client

Table 8: Additional options for NTP Client
Item Name	Description
NTP Server IP Address / Hostname	Enter an IP address or a hostname (FQDN) of the NTP server to synchronize. (Example) ntp.your.domain.com, 12.34.56.78 Note FQDN consists of labels (strings) and periods (.). Alphanumeric characters and hyphens can be used for each label. Labels can begin with a number. Labels cannot begin or end with a hyphen. Each label should be 63 or fewer characters in length. A label only cannot be entered. Use an FQDN which contains at least two labels and a period.
NTP Synchronization Interval	Specify a time between synchronizing the clock to the NTP server. It must be in the range of 1 to 9999 (minutes). The default is 10 minutes. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", or "Dual[11ax]" for the Profile Type. Note When you use the AWC function, do not use an interval larger than the default of 10 minutes.

Additional options for Syslog Client

Table 9: Additional options for Syslog Client
Item Name	Description
Syslog Server IP Address / Hostname	Specify the Syslog server to send log messages to. Tri[11ax], Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 With External Antenna, Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] With External Antenna, Dual[11ac Wave2] Enter the IP address or hostname (FQDN). (Example) syslog.your.domain.com, 12.34.56.78 Note FQDN consists of labels (strings) and periods (.). Alphanumeric characters and hyphens can be used for each label. Labels can begin with a number. Labels cannot begin or end with a hyphen. Each label should be 63 or fewer characters in length. A label only cannot be entered. Use an FQDN which contains at least two labels and a period. Only Tri[11ax] or Tri[11ax] GEN2 Enter the IP address. You cannot specify with the hostname (FQDN).
Port Number	Specify a listening port number on the Syslog Server. The default is 514. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2]" for the Profile Type.
Severity	Select the lowest log severity that will be sent to the Syslog Server. The default is "7: Debug". Severity is a value in the range of 0 to 7; the lower the number, the greater the importance. 0 : Emergency: System is unusable. 1 : Alert: Immediate action is required. 2 : Critical: System is in a critical condition. 3 : Error: An error has occured. 4 : Warning: Something has occurred that requires attention. 5 : Notice: A normal but important message. 6 : Informational: An informational message. 7 : Debug: Detailed information for debugging.

Additional options for SNMP Agent

Table 10: Additional options for SNMP Agent
Item Name	Description
Version	Select the SNMP version to be used from "v1/v2c" or "v3". The default is "v1/v2c". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type.
Read Only Community Name	Enter the read-only SNMP community name. Should be 1 to 256 characters in length, with alphabets, numbers, and symbols (space ! # $ % ( ) * + , - . /) Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type, and specified "v1/v2c" as the SNMP Version; or if you select "Dual[11ac Wave2]" for the Profile Type.
Read Only Community Name / Community name for traps	Specify the trap SNMP community name, which is used for both reading SNMP MIB trees sending SNMP trap messages. Should be 1 to 20 characters in length, with alphabets (case-sensitive), numbers and symbols (! # % & ' ( ) * + , - . / : ; < = > @ [ ] ^ _ ` { \| } ~ may be used). The string is case-sensitive. The default is "public". Note This setting is displayed only when "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as Profile Type, and "v1/v2c" is specified for the SNMP Agent Version.
Port Number	Enter the UDP port that the SNMP agent listens on. The default is 161. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2]" for the Profile Type. Note If the SNMP Plug-in is used for SNMP management of APs, leave it at the default setting.
Full Name	Enter the SNMPv3 username. Tri[11ax], Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 With External Antenna, Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] With External Antenna, Dual[11ac Wave2] Enter a name between 1 to 12 alphanumeric characters. (The string is case-sensitive) Only Tri[11ax] or Tri[11ax] GEN2 Should be 1 to 20 characters in length, with alphabets (case-sensitive), numbers and symbols (! # % & ' ( ) * + , - . / : ; < = > @ [ ] ^ _ ` { \| } ~ may be used). (The string is case-sensitive) Note This is displayed when "v3" is specified for the SNMP Agent Version.
Password	Enter the SNMPv3 authentication password. Tri[11ax], Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 With External Antenna, Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] With External Antenna, Dual[11ac Wave2] Should be 8 to 32 characters in length, with alphabets, numbers, and symbols (space ! # % ( ) + , - . / ; = ? @ [ \ ] ^ _ ` { \| } ~ may be used). Only Tri[11ax] or Tri[11ax] GEN2 Should be 1 to 20 characters in length, with alphabets (case-sensitive), numbers and symbols (! # % & ' ( ) * + , - . / : ; < = > @ [ ] ^ _ ` { \| } ~ may be used). (The string is case-sensitive) Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type, and "v3" is specified for the SNMP Agent Version.
Restrict the source of SNMP requests	Enable this to accept SNMP requests only from specific source addresses. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type, and specified "v1/v2c" as the SNMP Version; or if you select "Dual[11ac Wave2]" for the Profile Type.
Only allow from the designated hosts or subnets	Enter the IP address or hostname (FQDN) of the SNMP manager. (Example) snmpmgr.your.domain.com, 12.34.56.78 This is only displayed when "Restrict the source of SNMP requests" is enabled. Only one host can be set for this field. Note FQDN consists of labels (strings) and periods (.). Alphanumeric characters and hyphens can be used for each label. Labels can begin with a number. Labels cannot begin or end with a hyphen. Each label should be 63 or fewer characters in length. If the Profile Type is "Dual [11ac Wave2]", "Tri [11ac Wave2]", or "Tri [11ac Wave2] with External Antenna", you cannot enter only the label. Use an FQDN which contains at least two labels and a period. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type, and specified "v1/v2c" as the SNMP Version; or if you select "Dual[11ac Wave2]" for the Profile Type.
Community name for traps	Specify the trap SNMP community name. Should be 1 to 256 characters in length, with alphabets, numbers, and symbols (space ! # $ % ( ) * + , - . /) The string is case-sensitive. The default is "public". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type, and specified "v1/v2c" as the SNMP Version; or if you select "Dual[11ac Wave2]" for the Profile Type.
Trap types	Select the SNMP Trap types to generate. You can specify the following SNMP messages: Cold Start: sent when the SNMP Agent starts. Link Up/Down: sent when a wireless interface link up or down. Authentication: sent when an SNMP authentication fails.
Trap Host IP Address/Hostname or Trap Host IP Address	Specify IP addresses to which SNMP traps will be sent. The available format varies depending on the selected Profile Type. Trap Host IP Address/Hostname Specify IP addresses or hostnames (FQDNs). (Example) manager.your.domain.com, 12.34.56.78 Note FQDN consists of labels (strings) and periods (.). Alphanumeric characters and hyphens can be used for each label. Labels can begin with a number. Labels cannot begin or end with a hyphen. Each label should be 63 or fewer characters in length. A label only cannot be entered. Use an FQDN which contains at least two labels and a period. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2]" for the Profile Type. Trap Host IP Address Specify the IP address. (Example) 12.34.56.78 You cannot specify with the hostname (FQDN). Note This setting is displayed when "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as Profile Type. Up to three hosts can be registered, each of which can be enabled or disabled.

LED Configuration

Note
TQ6602 firmware version 7.0.1-3.1 or later; or TQ6602 GEN2, TQ6702 GEN2 firmware version 8.0.2-0.1 or later is required.

Table 11: Additional options for LED
Item Name	Description
PoE LED	Select the color of the PoE LED when receiving PoE power, ether "Amber" or "Green". The default is "Amber".

LAN Configuration

In Port Configuration, you can configure the items relating to the operation of the LAN1 and LAN2 ports.

Note
This item is displayed if you select "Tri[11ax]2, "Tri[11ax] GEN2", "Dual[11ax] GEN2" or "Tri[11ac Wave2]" for Profile Type.

Table 12: AP Profile LAN Configuration
Item Name	Description
LAN 2 Port	Specifies TQ5403/6403 GEN2/6602 GEN2/6702 GEN2/7403 and TQm5403/6403 GEN2/6602 GEN2/6702 GEN2's LAN1 and LAN2 ports behavior, such as link aggregation or cascading. Static LAG: Enables link aggregation. A static LAG should also be configured on the switch ports to which the AP connects. Cascade: Enables cascading function, the LAN2 port will work as a cascade port. LACP: Enables LACP. If LACP is enabled on the switch to which the AP connects, a trunk group will be automatically configured. Note This setting is displayed when "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2" or "Dual[11ax]" is selected as Profile Type. Disable: Neither link aggregation nor cascading function will be enabled. The LAN2 port is also disabled. The AP can only use the LAN1/PoE port.

Wireless Configuration

You can specify configuration parameters for radio waves in the "Radio Configuration" section.
Depending on the selected "Profile Type", you can switch radios by clicking the "Radio 1", "Radio 2" and "Radio 3" buttons at the top right of the screen.

Note
Only the Radio 1/2/3 buttons available on the Profile Type will be displayed at the top of the screen.

Table 13: AP Profile Radio Configuration
Item Name	Description
Radio Transmission	Specify whether to transmit/receive in the selected frequency band. Select "Enable" to use the radio. Otherwise select "Disable" (mandatory). The default is "Enable" for all radio frequencies. However, depending on the Country and Profile Type selected, there may be cases where "Enable" cannot be selected due to legal restrictions. (For example: "JP-Japan" as Country, "Tri [11ac Wave2] with External Antenna" as Profile Type, and "Outdoor" as Location, Radio 2 (W52 / W53) only has the option "Disable"). Note If you disable all radios on an AP Profile, it is possible to apply the profile to APs of other Profile Types, this profile will not be valid. Make sure you apply an appropriate AP Profile to APs.
Band	Note This item is not supported.
Mode	Select a mode (protocol) to use on the Radio band. Available modes vary depending on the selected Profile Type. Tri[11ax], Tri[11ax]-R Radio 1: b/g, b/g/n, b/g/n/ax (default) Radio 2: a, a/n, a/n/ac, a/n/ac/ax (default) Radio 3: ax (default) Note To use IEEE 802.11n, IEEE 802.11ac or IEEE 802.11ax in the Profile Mode "Tri[11ax]", "Wi-Fi Multimedia (WMM)" must be enabled. Tri[11ax] GEN2 Radio 1: b/g, b/g/n, b/g/n/ax (default) Radio 2: a, a/n, a/n/ac, a/n/ac/ax (default) Radio 3: a, a/n, a/n/ac, a/n/ac/ax (default) Note To use IEEE 802.11n IEEE 802.11ac or IEEE 802.11ax, "Wi-Fi Multimedia (WMM)" must be enabled. Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R Radio 1: b/g, b/g/n, b/g/n/ax (default) Radio 2: a, a/n, a/n/ac, a/n/ac/ax (default) Note To use IEEE 802.11n, IEEE 802.11ac or IEEE 802.11ax in the Profile Mode "Dual[11ax] GEN2" or "Dual[11ax] with External Antenna, "Wi-Fi Multimedia (WMM)" must be enabled. Dual[11ax] Radio 1: b/g, b/g/n/ax (default) Radio 2: a, a/n/ac/ax (default) Note To use IEEE 802.11n IEEE 802.11ac or IEEE 802.11ax, "Wi-Fi Multimedia (WMM)" must be enabled. Tri[11ac Wave2] Radio 1: b/g, b/g/n (default) Radio 2: a, a/n/ac (default) Radio 3: a, a/n/ac (default) Note To use IEEE 802.11n or IEEE 802.11ac, "Wi-Fi Multimedia (WMM)" must be enabled. Tri[11ac Wave2] with External Antenna Radio 1: b/g, b/g/n (default) Radio 2: none Radio 3: a, a/n/ac (default) Note To use IEEE 802.11n or IEEE 802.11ac, "Wi-Fi Multimedia (WMM)" must be enabled. Dual[11ac Wave2] Radio 1: b/g, b/g/n (default) Radio 2: a, a/n/ac (default) Note To use IEEE 802.11n or IEEE 802.11ac, "Wi-Fi Multimedia (WMM)" must be enabled.
Bandwidth	Specify the bandwidth to use. IEEE 802.11n, IEEE 802.11ac, and IEEE 802.11ax allow two or four adjacent channels to be combined and used as a 40MHz or 80MHz bandwidth channel. In addition, 6 GHz radio 3 capable models can be used as 160 MHz bandwidth channels when a mode including IEEE 802.11ax support is selected. Select either "20MHz" or "40MHz" for IEEE 802.11n. Select either "20MHz", "40MHz", or "80MHz" for IEEE 802.11ac. In IEEE 802.11ax, the available bandwidth varies depending on the wireless band. Radio 1: "20MHz" and "40MHz" Radio 2: "20MHz", "40MHz", "80MHz", and "80+80MHz" (TQ6602 only) Radio 3 Tri[11ax], Tri[11ax] GEN2: "20MHz", "40MHz", "80MHz", and "160MHz" (TQ7403 and TQ7403-R only) The default is "20MHz". "40MHz", "80MHz", "80+80MHz", and "160MHz" give you higher traffic rates, but exhaust the number of available channels because they use two, four, or eight channels.
Use Conditions	Specify when to use the wireless feature. Select "Always" to always use the wireless feature. Select "Only Emergency Mode" to use the radio band only in emergency mode. The default is "Always". Refer to Enable Emergency Mode for more details. Note Emergency Mode cannot be used with channel blanket. You cannot use a channel blanket as an emergency Wi-Fi network. Do not set this item to "Emergency mode only" for the radio used for channel blanket.
Wireless Client Isolation	Specifies whether all VAPs in the relevant radio band are allowed to communicate with other connected wireless clients. The operation of this function depends on the profile type. Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R: Specify "Within AP" to block communication between wireless clients connected to all VAPs in the AP, "Within VAP" to block communication between wireless clients connected to the same VAP, or "Disabled" to not block communication. The default is "Disable". When this product is set to "Disabled", you can select "Within AP", "Within VAP", or "Disabled" for each VAP in "Wireless Client Isolation" in the VAP (Multi-SSID) settings. When this item is set to "Within AP" or "Within VAP", only "Within AP" or "Within VAP" will be displayed in "Wireless Client Isolation" in the VAP (Multi-SSID) settings, respectively. Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna, Dual[11ac Wave2]: Select "Disable" to allow communications between wireless clients. Otherwise select "Enable". The default is "Disable". When this product is set to "Disable", you can select "Enable" or "Disable" for each VAP in "Wireless Client Isolation" in the VAP (Multi-SSID) settings. Setting this item "Enable" will activate Wireless Client Isolation for all VAPs, which blocks the communications between the clients connecting to the same VAP. Others: Select "Disable" to allow communications between wireless clients. Otherwise select "Enable". The default is "Disable". Setting this item "Enable" will activate Wireless Client Isolation for all VAPs, which blocks the communications between the clients connecting to the same VAP. Per-VAP setting can not performed.
Airtime Fairness	Specify whether to give each client an equal amount of airtime regardless of its speed. Available options vary depending on the selected Profile Type. Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R Choose from the following three options. When "Manual" is selected, you can set the priority airtime to be allocated to each VAP in the VAP (Multiple SSID) configuration. All associated clients of a VAP are provided with airtime, divided "Pre-allocated Airtime Percentage" equally with the clients. The airtime of each VAP in the same radio band must be set so that the total airtime does not exceed 100%. The remaining bandwidth, that is the whole bandwidth minus the airtime allocated in priority to each VAP in the same radio band, is divided according to the ratio of airtime allocated. This means that a VAP with an airtime allocation rate of 0% will not be able to communicate when the total airtime consumed by other VAPs reaches 100%. Selecting "Evenly" provides equal airtime to all connected clients in the radio band. If "Disable" is selected, no airtime adjustment is provided to connected clients. If a slow wireless client and a fast wireless client try to receive large amounts of data at the same time, more time may be allocated to the slow wireless client, depriving the fast wireless client of communication opportunities and slowing down the entire network. Note To use the manual setting of airtime fairness, the AP must have the following firmware applied: TQ6403 GEN2 and TQm6403 GEN2 Firmware Version 9.0.4-0.1 or later TQ6602 GEN2, TQ6702 GEN2, TQm6602 GEN2, and TQm6702 GEN2 Firmware Version 8.0.4-1.1 or later TQ6702e GEN2 Firmware Version 9.0.4-3.1 or later TQ7403 Firmware Version 10.0.4-0.1 or later TQ6702 GEN2-R AlliedWare Plus Firmware Version 5.5.4-2.1 or later TQ7403-R AlliedWare Plus Firmware Version 5.5.4-2.1 or later Dual[[11ax], Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna, Dual[11ac Wave2] Selecting "Enable" provides equal airtime to all connected clients in the radio band. If "Disable" is selected, no airtime adjustment is provided to connected clients. If a slow wireless client and a fast wireless client try to receive large amounts of data at the same time, more time may be allocated to the slow wireless client, depriving the fast wireless client of communication opportunities and slowing down the entire network.
Auto Channel Selection	Specify the channels to use. All channels are selected by default. When the Channel Bandwidth "80MHz" or "160MHz" is selected on the 5GHz/6GHz radio band (Radio 2 or 3), you can enable or disable the four or eight adjacent channels as a group, for example "36ch/40ch/44ch/48ch". At least one group must be enabled for Auto Channel Selection when "80MHz" or "160MHz" is selected for Channel Bandwidth. If Tri[11ax] is selected as the setting type, the "Preferred Scanning Channel" button is also displayed for Radio 3. Clicking on the "Preferred Scanning Channel" button causes only the preferred scanning channels to be selected according to the selected bandwidth in use.
Maximum Wireless Clients	Specify the maximum number of clients that can connect to the APs. The number of wireless clients that can connect to the AP counts for each wireless band (Wireless 1 to Wireless 3). When 0 is specified for a radio, no wireless client can connect to APs on the radio. Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2 Radio 1/2: Specify a number between 0 to 500. The default is 500. Radio 3: Specify a number between 0 to 256. The default is 256. Dual[11ax] GEN2, Dual[11ax] GEN2-R Specify a number between 0 to 500. The default is 500. Dual[11ax] Specify a number between 0 to 320. The default is 200. Dual[11ac Wave2] Radio 1: Specify a number between 0 to 120. The default is 120. Radio 2: Specify a number between 0 to 200. The default is 200. Other than above Specify a number between 0 to 200. The default is 200.
Legacy Rate Sets	Specify valid rates to use when IEEE 802.11b/g or IEEE 802.11a is being used. Select required rates that must be supported on wireless stations (client or other APs) to be allowed to connect to the APs. When a station does not support one or more rates in this list, the station is not allowed to connect. Check the rates to select. All supported rates are selected by default. 2.4GHz: 54 48 36 24 18 12 11 9 6 5.5 2 1 (Mbps) Note If the Profile Type is set to Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna, or Dual[11ac Wave2], for IEEE 802.11b wireless client communication, one or more out of 11, 5.5 , 2, or 1 (Mbps), from the above must be enabled to save the Profile. The profile types Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, and Dual[11ax] GEN2-R do not have the limitation that requires one or more of the following speeds to be enabled: 11, 5.5, 2, or 1(Mbps), to saving the Profile. However, if all of these are set to disabled, IEEE 802.11b clients cannot connect. 5GHz: 54 48 36 24 18 12 9 6 (Mbps)
Multicast Tx Rate	Specify a selection method for IEEE 802.3 multicast/broadcast rate. Available options vary depending on the selected Profile Type. Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R Radio 1: 54 48 36 24 18 12 11 9 6 5.5 2 1 (Mbps) Radio 2 and Radio 3: 24 12 6 (Mbps) Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna, Dual[11ac Wave2] Radio 1: 54 48 36 24 18 12 11 9 6 5.5 2 1 (Mbps) Radio 2 and Radio 3: 54 48 36 24 18 12 9 6 (Mbps)
RTS Threshold	Specify the threshold for sending RTS (Request to Send) packets for IEEE 802.11b/g/a as a value from 0 to 2347. When a packet to send is larger than the specifed size, RTS is transmitted before the packet is sent. Specifying "2347" disables RTS transmission. The default is 2347 (do not transmit RTS). If you set the RTS threshold to a lower value, RTS packets are transmitted more frequently. It consumes more bandwidth and reduces throughput, but may alleviate collision and interference in a crowded network. Therefore we do not recommend changing the RTS threshold under normal circumstances. When using IEEE 802.11n or 802.11ac, RTS packets are transmitted regardless of the RTS Threshold setting. Note If you select "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna" or "Dual[11ac Wave2]" for Profile Type, and "IEEE 802.11a/n/ac" for Mode, RTS packets are not sent to wireless clients connected by IEEE 802.11a. This setting is ignored.
Band Steering	Specify whether to use Band Steering. When enabled, the AP encourages clients supporting both 2.4GHz and 5GHz to prefer a less congested frequency in order to reduce overall congestion. When disabled, the AP doesn't encourage clients to use other frequencies. In that case, a client keeps using the same band with which they connect, even if the client supports both 2.4GHz and 5GHz and the other band is less crowded. The default is "Disable". This item is displayed only for "Radio 1" (2.4GHz). To use this feature, make sure you enable two or more bands (Radio 1, 2 and 3) and configure a VAP with the same SSID and security for each radio. Note Band Steering cannot be used with channel blanket. Disable Band Steering on the AP Profile for APs using channel blanket.
Wi-Fi Multimedia (WMM)	Specify whether to use Wi-Fi Multimedia (WMM). When enabled, WMM information is included in the AP beacon. This shortens the frame transmission interval for video/audio streaming and VoIP traffic and therefore keeps communication quality high. The default is "Enable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2]" for the Profile Type. Note To use IEEE 802.11n IEEE 802.11ac or IEEE 802.11ax, this must be enabled.
APSD	Specify whether to use APSD (Automatic Power Save Delivery). Enabling APSD can lower power consumption of mobile devices (VoIP) and therefore increase the battery life. The mobile device should also support APSD (U-APSD). The default setting varies depending on the selected Profile Type. Dual[11ax]: Enable Tri[11ax], Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna, Dual[11ac Wave2]: Disable Note This item is displayed if you select "Dual[11ax] GEN2", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna" or "Dual[11ac Wave2]" for Profile Type.
Neighbor AP Detection	Specify whether to detect Neighbor APs. When enabled, it scans in-use and other channels of the radio band for AWC Calculation. In this case, the channel currently being used is periodically stopped, so the performance of the wireless network service slightly decreases. When disabled, detection does not work. In this case, the effect of surrounding unmanaged APs may not be correctly reflected in the AWC Calculation. The default is "Enable". Also, if the Profile Type is "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna", a Scan Method can be specified when Neighbor AP Detection is enabled. For more details, refer to Additional options for Neighbor AP Detection. Scan Method Scan Interval Scan Duration Scan Data Keep Time Note If Neighbor AP Detection is supported on the management web interface of the AP system and set to "Enable" in the AWC Plug-in management, the Neighbor AP Detection setting will remain as "Enable". This is supported on TQ5403, TQ5403e and TQm5403 with firmware version 5.3.1 or later, TQ1402 and TQm1402 with firmware version 6.0.0-0.2 or later, and TQ6602 with firmware version 7.0.0 or later. If Neighbor AP Detection is not supported on the management web interface of the AP system, this feature is disabled in the AWC Plug-in management. Note For TQ6602 GEN2/6702 GEN2 and TQm6602 GEN2/6702 GEN2, when neighbor APs are detected, packet loss or communication delay shorter than 3 seconds (firmware version 8.0.3-0.1 or later) or 10 seconds (firmware version 8.0.2-x.x or earlier) may occur repeatedly up to 4 times, for approximately 20 seconds total. In environments where temporary performance degradation is unacceptable, disable neighbor AP detection in the AP profile for profile type "Dual [11ax] GEN2". If the Neighborhood AP Detection feature is disabled, the following features of the AWC plug-in are affected: The AWC calculation cannot select channels that take into account the signal conditions of unmanaged APs.
MU-MIMO	Select whether to enable or disable MU-MIMO (Multi-user MIMO). MU-MIMO allows multiple wireless clients to communicate simultaneously (upwards and downwards), thus increasing the communication speed. The default is "Disable". Note This item is displayed when "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", or "Dual[11ax]" is selected as the Profile Type, and a mode "ac" or "ax" is selected for the Radio Configuration.
OFDMA	Select whether to Enable or Disable OFDMA (Orthogonal Frequency Division Multiple Access). OFDMA allows multiple wireless clients to communicate simultaneously by dividing the channel into multiple RUs (resource units). The default is "Disable". Note This item is displayed when "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", or "Dual[11ax]" is selected as the Profile Type, and a mode "ax" is selected for the Radio Configuration.
Zero wait DFS	Specify whether to use Zero wait DFS. When the Zero Wait DFS function is set "Enable", the system constantly monitors for the best candidate channel to change to when a waveform that is considered as from a weather radar is detected, and immediately switches to that candidate channel once a radar is detected. The default is "Disable". Note This setting is displayed on "Radio 2" when "Dual[11ax] GEN2" or "Dual[11ax] GEN2 with External Antenna" is selected as Profile Type. Other Profile Types will not show this setting.
Spatial Streams	Select the number of spatial streams to use, either 4 or 8. The default is "8 Streams". Note This setting is displayed on "Radio 2" when "Dual[11ax] GEN2" is selected as Profile Type. Other Profile Types will not show this setting.

Additional options for Neighbor AP Detection

Table 14: Additional options for Neighbor AP Detection
Item Name	Description
Scan Method	Specify the target(s) to be scanned when Neighbor AP Detection is enabled. All Channels Runs all channels in the selected Radio for Neighbor AP Detection. This is the same method as the conventional Neighbor AP Detection. Neighbor AP detection stops its own radio output and detects the presence of surrounding radio output. While it can detect the presence of Neighbor APs even if they are using different channels, it requires longer outage time than when detecting Neighbor APs on only one channel, resulting in packet loss and communication delays. In environments where transient performance degradation is not tolerable, specify scanning of only one channel or set the neighbor AP detection function itself to disabled. Note that if the Neighbor AP Detection function is disabled, the following functions of the AWC Plug-in will be affected: The AWC calculation cannot select channels that take into account the signal conditions of unmanaged APs. One Channel Neighbor AP Detection is performed for only the channel currently in use. Although it takes less time than targeting all channels, it cannot detect the influence of adjacent channels with overlapping radio bands, such as channels 5 and 6, for example. For this reason, the AWC calculation cannot select channels that take into account the signal conditions of unmanaged APs. Note To use this setting, the AP must have one of the following firmware applied: TQ7403 Firmware Version 10.0.4-3.1 or later TQ6403 GEN2 and TQm6403 GEN2 Firmware Version 9.0.4-3.1 or later TQ6602 GEN2, TQ6702 GEN2, TQm6602 GEN2, and TQm6702 GEN2 Firmware Version 8.0.4-1.1 or later TQ6702e GEN2 Firmware Version 9.0.4-3.1 or later The default is "All Channels". If "One Channel" is selected, set additional options; Scan Interval, Scan Duration, and Scan Data Keep Time.
Scan Interval	Specify the scan interval with a value from 30 to 120 (unit: seconds). The default is 60 (seconds). This is displayed when "One Channel" is specified for Scan Method of the Neighbor AP Detection.
Scan Duration	Specify the scan duration with a value from 10 to 2000 (unit: milliseconds). The default is 50 (milliseconds). This is displayed when "One Channel" is specified for Scan Method of the Neighbor AP Detection.
Scan Data Keep Time	Specify the retention time of the scan data with a value from 1000 to 7200 (unit: seconds). The default is 3600 (seconds). This is displayed when "One Channel" is specified for Scan Method of the Neighbor AP Detection.

VAP (Multiple SSID) Configuration

Configure VAPs in the "VAP (Multiple SSID) Configuration" section.
Depending on the selected "Profile Type", you can switch radios to create VAPs by clicking the "Radio 1", "Radio 2" and "Radio 3" buttons at the top right of the screen.

Note
Only the Radio 1/2/3 buttons available on the Profile Type will be displayed at the top of the screen.

Table 13: AP Profile VAP (Multiple SSID) Configuration
Item Name	Description
VAP List	Shows a list of configured VAPs (Virtual Access Points). Here you can view the status, VLAN ID, SSID, and security settings for each VAP.
+ Add VAP	Creates a new VAP. The VAPs will be automatically numbered, starting from 1. The number of VAPs that can be created varies depending on the selected Profile Type. Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2 16 VAPs per band (Radio 1, Radio 2, Radio 3) Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R, Dual[11ax] 16 VAPs per band (Radio 1, Radio 2) Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna, Dual[11ac Wave2] 8 VAPs per band (Radio 1, Radio 2, Radio 3) Note It is recommended to use 5 or less VAPs per radio band in total, including both multi-channel and blanket VAPs.
VAP Status	Enables or disables the VAP. When set to Enabled, the VAP is always used on the APs to which this AP Profile is applied. When set to Disabled, the VAP is not used. When set to Emergency, the VAP becomes active only when the Emergency Mode is enabled in the Management Group. For VAP 1, "Enable" and "Disable" are displayed when "Use Conditions" is set to "Always", and "Disable" and "Emergency" are displayed when "Use Conditions" is set to "Only Emergency Mode". For other VAPs, all three options, "Enable", "Disable", and "Emergency" are displayed. The default is "Enable". Note Emergency Mode cannot be used with channel blanket. You cannot use a channel blanket as an emergency Wi-Fi network. Do not set this item to "Emergency" for the VAP whose number is the same as the CB VAP (VAP for channel blanket).
VLAN ID	Specify a VLAN ID (between 1 and 4094) to use on the VAP (mandatory) Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2]" for the Profile Type. Note Specify a VLAN ID that is different from the AP's management VLAN. When the AP is detected as a guest device, a parent AMF device is configured to collect the guest device information automatically ("dynamic discovery"), and wireless clients get their IP addresses via DHCP.
SSID	Specify an SSID (network name) to use on the VAP. The SSID is mapped to the VLAN ID. Enter a name between 1 to 32 alphanumeric characters. The default is "Default-X" (where X is a VAP number) (mandatory)
Broadcast SSID	Specify whether to broadcast the SSID on the VAP. When enabled, the SSID is included in beacons. When you configure a wireless client, you may be able to see the SSID in a list of wireless networks to connect. This setting also allows wireless clients to connect using an "ANY" connection. When disabled, the SSID is not included in beacons. You may not be able to see the SSID in a wireless network list on a wireless client. In this case, you have to enter the same SSID as the AP on a wireless client. This setting also denies wireless clients from connecting using an "ANY" connection. The default is "Enable". Note An "ANY" connection is a connection where a wireless client tries to connect to an AP by specifying a wildcard or null as the SSID. Even when an "ANY" connection is allowed, clients cannot connect to APs without knowing the correct security key.
Security	Select a security mechanism to use. The available options are "None", "Static WEP", "Enhanced Open", "Enhanced Open Transition Mode", "WPA Personal", "WPA Enterprise", and "OSEN". The default is "None". None: No authentication or encryption is performed. Everyone can connect to the VAP. Note If you use "None" to build a network such as a guest hotspot, you should consider the consequences for the overall security of your entire network. Static WEP: Uses RC4 encryption with fixed keys. Per-client authentication is not performed. We recommend using "WPA Personal" for fixed key security because WEP is vulnerable. Note "Static WEP" is not displayed when the selected Mode contains "IEEE 802.11n". This can be configured only on VAP 1 of each radio. Note "Static WEP" can be configured on VAP1 of each radio, only when "b/g" or "a" is specified as Mode. Enhanced Open: Open authentication enables connection to the network without entering a user ID or password, but after open authentication, data between the AP and client is encrypted using the Opportunistic Wireless Encryption (OWE) protocol (128-bit CCMP/AES). Note The "Enhanced Open" is only displayed when "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as Profile Type. Enhanced Open Transition Mode: Uses VAP1 and VAP2 in a mode that can be configured without concern for whether the wireless client supports Enhanced Open or not. Enhanced Open-enabled clients communicate with the product using VAP2 encrypted with the OWE protocol after open authentication, while Enhanced Open-unenabled clients communicate with the product using VAP1 without OWE encryption after open authentication. Note When VAP1 security is set to "Enhanced Open Transition Mode", VAP2 security will be also set to "Enhanced Open Transition Mode" and the VAP status will be "Enabled". In this case, the VAP2 broadcast is also set to "Disable". Note The "Enhanced Open Transition Mode" is only displayed in Radio 1 and Radio 2 when "TQ Series" is selected for the Series and "Tri[11ax]" or "Tri[11ax]-R" for the Profile Type. WPA Personal: Performs authentication and encryption between an AP and a wireless client. It uses per-client keys which are generated from a pre-shared key (PSK). It uses CCMP (AES) or TKIP for the encryption algorithm. WPA Enterprise: Performs authentication and encryption between an AP and a wireless client. It uses per-client keys which are generated on a RADIUS server. It uses CCMP (AES) or TKIP for the encryption algorithm. OSEN: Used by the VAP for online sign-up and to configure security settings when communicating with the OSU server. Note "OSEN" is displayed if you select "Tri[11ac]" or "Tri[11ac] with External Antenna" for Profile Type. If you select one of the options other than "None", additional setting items will be displayed according to the respective security method. For more details, refer to Additional options for Security.
Captive Portal	Specify whether to use Captive Portal on the VAP. Captive Portal displays an authentication page before granting web access. When either option is selected, wireless clients connected to the corresponding VAP will be directed to a page (Captive Portal) that contains text such as licensing and authentication dialogs when they attempt to access any web page with a Web browser. Wireless APs that have applied the AP profile will allow or deny wireless clients according to the options specified in this item. Once successfully authenticated, wireless clients can continue to communicate through the VAP until a certain amount of time has elapsed. External RADIUS: The APs will query the RADIUS server. Click-through: The APs will display a Click-through page instead of performing RADIUS authentication. The Click-through page does not require authentication with a username/password pair, but can be configured to show an arbitrary "Terms of Use" that users have to accept before use, or to redirect to an external page. External Page Redirect: The clients will be able to connect using third-party web credentials such as social networking sites. Disable: Select to not use Captive Portal. The default is "Disable". If you select "External RADIUS", "Click-through", or "External Page Redirect", the following additional items are displayed: For more details, refer to Additional options for Captive Portal. Note "External Page Redirect" will appear when you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]" or "Tri[11ac Wave2] with External Antenna" for Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported. Note Do not enable Captive Portal on the radio used for the WDS connection.
MAC Access Control	Select the MAC Access Control method to apply to the relevant VAPs. MAC Address List: Selecting this option will allow or deny connections only to the MAC addresses recorded in the list, according to the MAC address list selected in the MAC Address List field at the top of the screen. External RADIUS: The APs will query the RADIUS server. MAC Address List + External RADIUS: Selecting this option allows or denies connections only to the MAC addresses recorded in the list. This list refers to both the MAC address list selected in the MAC address list field at the top of the screen and the external RADIUS server. Firstly, it will try to authenticate using the MAC Address List. If a connection cannot be established, it will try to authenticate the connection using an External RADIUS server. If the preceding MAC address list allows a user to connect, the user can still connect even if the external RADIUS server does not grant the access. AMF Application Proxy: Selecting "AMF Application Proxy" allows you to query the whitelist and blacklist of our AMF-SECurity Controller AT-SecureEnterpriseSDN Controller (AT-SESC) or AMF Security mini. You can then take actions such as allowing, denying or quarantining client devices that attempt to connect to the wireless AP, disconnecting connected devices or changing VLANs. Disable: No MAC access control is performed. The default is "Disable". When you select either "External RADIUS", "MAC Address List", or "MAC Address List + External RADIUS", additional items are also displayed. For more details, refer to Additional options for MAC Access Control. Note "MAC Address List" and "MAC Address List + External RADIUS" are only available when any of MAC Address List is selected in the "Basic Configuration" section. Note "MAC Address List + External RADIUS" is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported. Note "AMF Application Proxy" is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type.
Fast Roaming	Specify whether to use Fast Roaming of wireless clients. The default is "Disable". By selecting "Enable", the additional items described below will be displayed. 802.11r FT FT over DS Mobility Domain R0 key Lifetime AES Key IEEE 802.11k RRM IEEE 802.11v WNM For more details, refer to Additional options for Fast Roaming. Note This item is displayed if you select "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna" or "Dual[11ac Wave2]" for Profile Type, and "WPA Personal", "WPA Enterprise" or "OSEN" for Security of VAP. Only "Disable" is available when you select "Dual[11ax]" for Profile Type, and "WPA2/WPA3" or "WPA3" for WPA versions.
Wireless Client Isolation	Specify whether to block communication between wireless clients connected to the same VAP. The choices for this item vary depending on the Profile Type and "Radio Configuration" settings. Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R: If "Wireless Client Isolation" for the entire radio is set to "Within AP" or "Within VAP", only the same option as selected will be displayed in this field. If Wireless Client Isolation for the entire radio is set to "Disable", you can specify whether or not to allow communication between wireless clients in individual VAPs in this field. Specify "Within AP" to block communication between wireless clients connected to all VAPs in the AP, "Within VAP" to block communication between wireless clients connected to the same VAP, or "Disabled" to not block communication. The default is "Disable". Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna: If "Wireless Client Isolation" for the entire radio is set to " Enable", only "Enable" will be displayed in this field. If Wireless Client Isolation for the entire radio is set to "Disable", you can specify whether or not to allow communication between wireless clients in individual VAPs in this field. Select "Disable" to allow communications between wireless clients connected to the same VAP. Otherwise select "Enable". The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type.
Inactivity Timer	Specify the time, between 5 and 65535 seconds, after which a client will be disconnected if it disappears without disassociating from an AP. It should also be specified in multiples of 15. If you specify a value that is not a multiple of 15, it will be converted to the nearest multiple greater than the specified value. The default is 300 (seconds). Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2] for the Profile Type. Note This feature cannot be used with the OpenFlow feature. Use the default setting. Note If you select "Dual[11ax]" for the Profile Type, the setting of this item in any VAP will take effect on the VAPs in the same radio band. Note If you select "Dual[11ac]" for the Profile Type, this setting is not supported for Radio 1. Use the default setting.
Duplicate AUTH received	Select how to process connection requests from clients that have maintained a connection. If you select "Disconnect", it disconnects the previous connection and then accepts the new connection. If you select "Ignore", it connects as normal, without disconnecting. The default is "Disconnect". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2] for the Profile Type. Note This feature cannot be used with the OpenFlow feature. Use the default setting. Note When "Management Frame Protection" is set to "Enable", "Disconnect" is used regardless of this item's setting.
Association Advertisement	Specify whether to use Association Advertisement. When enabled, a notification broadcast frame is sent to the network configured in Control VLAN when a Wireless Client connects to the AP. The AP that receives this frame updates its wireless client connection information. The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2] for the Profile Type. Note To make this function take effect, APs on the same subnet must have "Roaming Notification" set to "Enable" for each other.
DTIM Period	Specify how frequently to insert a DTIM (Delivery Traffic Indication Map) in the AP's beacons (every 1 to 5 beacons). This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. The default is 1. The value of 1 means that a DTIM is inserted in every beacon. For example, if you set the DTIM interval to 2, one in two beacons has a DTIM inserted (i.e. a beacon with a DTIM and one without a DTIM are transmitted in turn). When a wireless client operates in power-saving mode, DTIM notifies the client that there is a packet to send to the client. The AP will send the packet to the client once the client is ready to communicate. Increasing the DTIM Interval reduces power consumption but also makes communication less responsive.
Proxy ARP	Specify whether to use Proxy ARP. If enabled, when a managed wireless AP receives an ARP request for a connected client, the wireless AP that has a connection to the client will send an ARP response on behalf of the client. The wireless AP that does not have a connection to the client will discard the ARP request, thereby reducing unnecessary traffic. If you select "Disable", Proxy ARP will not be activated. That means ARP requests are broadcasted from all wireless APs to their subordinate clients. The corresponding clients send ARP responses themselves. The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type.
Multicast to Unicast Conversion	Specify whether to convert multicast packets to unicast packets. The default is "Disable". When "Enabled" is selected, broadcast/multicast packets sent to associated wireless clients are converted to the unicast address of each client and sent, preventing packets from being sent to non-target clients. Note Enabling this function may result in reduced throughput. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", or "Dual[11ax] GEN2-R" for the Profile Type.
Pre-allocated Airtime Percentage	When the Airtime Fairness in the Radio Configuration is set to "Manual", you can set the communication time (airtime) to be assigned in priority to this VAP. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", or "Dual[11ax] GEN2-R" for the Profile Type, and "Manual" for "Airtime Fairness".
Passpoint	Specify whether to use Passpoint (Hotspot 2.0). Passpoint is a feature developed by the Wi-Fi Alliance to create a seamless network. By using a wireless client that implements Passpoint, users can automatically sign up and roam within Passpoint-enabled networks without the hassle of having to sign up for each network. Users can also automatically connect to the network when they enter a Passpoint-enabled area. By selecting "Enable", the additional items for Passpoint described below will be displayed. For more details, refer to Additional options for Passpoint. Note To enable Passpoint, WPA Enterprise must be used as security mode. When enabling this item, a confirmation dialog will appear asking if you allow to change the security mode to WPA Enterprise to continue Passpoint setting. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type.

Additional options for Security

◼ Static WEP Configuration
Selecting "Static WEP" for Security will show you the following additional items:

Table 16: Additional options for Static WEP
Item Name	Description
Key Length	Select the WEP key length. The default is 128bit. 64bit: You can directly enter a WEP key with 10 hex digits. Or you can enter 5 ASCII characters to automatically generate a WEP key. 128bit: You can directly enter a WEP key with 26 hex digits. Or you can enter 13 ASCII characters to automatically generate a WEP key.
Key Type	Select a generation method for the WEP key. The default is "Hex". ASCII: Lets you enter an arbitrary string to automatically generate a WEP key. The string is case-sensitive. Hex: Lets you directly enter a WEP key with hexadecimal characters (0 to 9, A to F, a to f). Hex characters are not case-sensitive.
Key Index	Specify a key to use. The default is 1.
Security Key (WEP Key)	Enter a WEP key (in hex) or a seed of a key (in ASCII) according to the selected "Key Length" and "Key Type". You have to enter the same WEP key as the one specified by "Key Index" on the wireless client.
WEP Authentication Method	"Open System" is the recommended option here. The default is "Open System". It is recommended to use the default "Open System" for security. Open System: All wireless clients are allowed to connect regardless of whether they have the correct WEP key. But as wireless clients are only allowed to connect, they cannot communicate without a valid WEP key. This option is not only for "WEP" but is also used for "None", "WPA Personal" and "WPA Enterprise". Shared Key: Only wireless clients with the correct WEP key can connect. Wireless clients cannot connect without a valid key.

◼ Enhanced Open Configuration
Selecting "Enhanced Open" for Security will show you the following additional items:

Table 17: Additional options for Enhanced Open
Item Name	Description
OWE	Uses Opportunistic Wireless Encryption (OWE) protocol for encryption. After open authentication, data between the wireless client and the AP is encrypted with 128-bit CCMP/AES encryption. Only "Enable" can be selected.
Management Frame Protection (MFP)	Protects IEEE 802.11 management frames. Only "Required" can be selected.

◼ Enhanced Open Transition Mode Configuration
Selecting "Enhanced Open Transition Mode" for Security will show you the following additional items:

Table 17: Additional options for Enhanced Open Transition Mode
Item Name	Description
OWE	Uses Opportunistic Wireless Encryption (OWE) protocol for encryption. After open authentication, data between the wireless client and the AP is encrypted with 128-bit CCMP/AES encryption. Only "Disable" is set for VAP1 and "Enable" is set for VAP2.
Management Frame Protection (MFP)	Protects IEEE 802.11 management frames. It appears only in VAP2 and cannot be selected other than "Required".

◼ WPA Personal Configuration
Selecting "WPA Personal" for Security will show you the following additional items:

Table 19: Additional options for WPA Personal

Item Name

Description

Security Key (WPA-PSK)

Specify an encryption key for the VAP. The key should contain 8 to 63 alphanumeric and symbol characters. The key is case-sensitive.

WPA Versions

Select the WPA version(s) to use.
Select both for a mixed environment. In that case, the security level of the wireless network is the same as the older version.
Available options vary depending on the selected Profile Type.

Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R:
- WPA3
- WPA3 / WPA2
- WPA2
- WPA2 / WPA
Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna:
- WPA3
- WPA2
- WPA2 / WPA
Dual[11ac Wave2]:
- WPA2
- WPA2 / WPA

The default is "WPA2".

Encryption Protocol

Select the encryption protocol to use.
Available options vary depending on the selected Profile Type and WPA Version(s).

Profile Type	WPA Versions	Available options
Tri[11ax] Tri[11ax]-R Tri[11ax] GEN2 Dual[11ax] GEN2 Dual[11ax] GEN2 with External Antenna Dual[11ax] GEN2-R	WPA3 WPA3 / WPA2 WPA2	CCMP
	WPA2 / WPA	CCMP / TKIP
Dual[11ax] Tri[11ac Wave2] Tri[11ac Wave2] with External Antenna	WPA3 WPA2 WPA2 / WPA	CCMP (default) or CCMP / TKIP
Dual[11ac Wave2]	WPA2 WPA2 / WPA	CCMP (default) or CCMP / TKIP

Management Frame Protection (MFP)

Specify whether to protect Management Frames.
Available options vary depending on the selected Profile Type.

Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R, Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna
The following configuration can be set depending on the choice of WPA version.
- WPA3: Fixed to "Required".
- Both WPA3 and WPA2: Fixed to "Capable".
- WPA2: Select from "Capable" or "Disable". The default is "Capable".
- Both WPA2 and WPA: Fixed to "Disable".
Dual[11ax], Dual[11ac Wave2]
Select "Enable" to use MFP. Otherwise select "Disable". The default is "Enable".

Broadcast Key Refresh Rate

Specify an interval at which to refresh the broadcast key that is sent to clients on the VAP. Specify an interval between 0 and 86400 (seconds). A value of 0 means that the key is never refreshed. The default is 0.

◼ WPA Enterprise Configuration
Selecting "WPA Enterprise" for Security will show you the following additional items:

Table 20: Additional options for WPA Enterprise

Item Name

Description

RADIUS Server Primary IP Address

Enter the IP address of the primary RADIUS server. (mandatory)
If "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as the Profile Type, the loopback address (127.0.0.1) can be specified by checking the "Use Local RADIUS Server" checkbox.

RADIUS Server Primary Secret

Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). (mandatory)

RADIUS Server Secondary IP Address

Enter the IP address of the secondary RADIUS server. Leave blank if you are not using a secondary RADIUS server.
If "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as the Profile Type, the loopback address (127.0.0.1) can be specified by checking the "Use Local RADIUS Server" checkbox.

RADIUS Server Secondary Secret

Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). Leave blank if you are not using a secondary RADIUS server.

Port Number

Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.

Pre-authentication

When enabled and a client is about to roam, the source (current) AP forwards the client's pre-authentication information to the destination AP. The default is "Enable". This reduces the time required for authentication of roaming clients.

Note
This setting is displayed when Profile Types other than "Dual[11ax]" is selected.

Note
If Profile Type is "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Tri[11ac Wave2]" or "Dual [11ac Wave2]", this item can be configured only on VAP1 of each radio. When you select "Enable", this function is valid for all VAP.

WPA Versions

Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R:
- WPA3
- WPA3 / WPA2
- WPA2
- WPA2 / WPA
Dual[11ax], Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna:
- WPA3
- WPA2
- WPA2 / WPA
Dual[11ac Wave2]:
- WPA2
- WPA2 / WPA

The default is "WPA2".

Encryption Protocol

Select the encryption protocol to use.
Available options vary depending on the selected Profile Type and WPA Version(s).

Profile Type	WPA Versions	Available options
Tri[11ax] Tri[11ax]-R Tri[11ax] GEN2 Dual[11ax] GEN2 Dual[11ax] GEN2 with External Antenna Dual[11ax] GEN2-R	WPA3	CCMP or GCMP (default)
	WPA3 / WPA2 WPA2	CCMP
	WPA2 / WPA	CCMP / TKIP
Dual[11ax] Tri[11ac Wave2] Tri[11ac Wave2] with External Antenna	WPA3	GCMP
	WPA2 WPA2 / WPA	CCMP (default) or CCMP / TKIP
Dual[11ac Wave2]	WPA2 WPA2 / WPA	CCMP (default) or CCMP / TKIP

Management Frame Protection (MFP)

Specify whether to protect Management Frames.
Available options vary depending on the selected Profile Type.

Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R, Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna
The following configuration can be set depending on the choice of WPA version.
- WPA3: Fixed to "Required".
- Both WPA3 and WPA2: Fixed to "Capable".
- WPA2: Select from "Capable" or "Disable". The default is "Capable".
- Both WPA2 and WPA: Fixed to "Disable".
Dual[11ax], Dual[11ac Wave2]
Select "Enable" to use MFP. Otherwise select "Disable". The default is "Enable".

Broadcast Key Refresh Rate

Session Key Refresh Interval

Specify an interval at which to refresh the unicast session key that is sent to clients on the VAP. Specify an interval between 0 and 86400 (seconds). A value of 0 means that the key is never refreshed. The default is 0.
Because keys are generated for every session, there is little need to refresh the key, given that a strong encryption algorithm such as CCMP is used in "WPA Enterprise". A shorter interval may decrease the AP's performance.

Note
This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2] for the Profile Type.

Session Key Refresh Action

Select the action to be taken when the session key is updated, from "Reauthentication" or "Disconnection".
The default is "Reauthentication".

Note
This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2] for the Profile Type.

Verify RADIUS packets

Specify whether RADIUS packet verification is performed.

Setting it to "Required" always mandates the use of the RADIUS Message-Authenticator attribute to the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute.
When set to "Disable", use of the RADIUS Message-Authenticator attribute is not mandatory. If a malicious user forges a RADIUS packet, a unauthorized client could be allowed to connect.

The default is "Capable".

Note
This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.

RADIUS Accounting

Specify whether to use RADIUS accounting server to record the resources (such as connection time) used by each user. Select "Enable" to perform accounting. Otherwise select "Disable". The default is "Disable".

RADIUS Accounting Port Number

Specify a port number on which the RADIUS accounting server is listening. This is valid only when RADIUS Accounting is enabled. The default is 1813.

RADIUS Timeout

Specify the timeout period for a RADIUS Access-Request message with a value from 1 to 29 (unit: second).
If no response is received after the packet is sent to the RADIUS server beyond the value of this setting, the access request is retransmitted or treated as an authentication failure.
In this case, the total time for the transmission sequence of the specified number of times (first time + retransmission count) to the primary RADIUS server and secondary RADIUS server is set to 29 seconds or less. For example, the calculation is as follows:

When the secondary RADIUS server is not used and the number of RADIUS Retransmit is set to "4":
The primary RADIUS server is attempted a maximum of 5 authentication requests (first time and 4 retransmissions). Therefore, to keep the entire authentication session within 29 seconds, the RADIUS Timeout must be set to "5" or less.
When using the both primary/secondary RADIUS servers and setting the number of RADIUS Retransmit to "2":
Three authentication requests (the first attempt and two retries) are attempted for each RADIUS server, for a total of up to 6 authentication requests. Therefore, to keep the entire authentication session within 29 seconds, the RADIUS Timeout should be set to "4" or less.

The default is 3 (seconds).

Note
This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.

RADIUS Retransmit

Specify the number of retransmissions of Access-Request messages to the RADIUS server with a value from 0 to 8 (unit: times).
Together with the first transmission, a maximum of this setting plus one authentication request will be made to the RADIUS server.
If primary and secondary RADIUS servers are configured, the primary RADIUS server will be sent this configuration plus one authentication request, and then the secondary RADIUS server will be sent this configuration plus one authentication request in the same manner.
If there is no response to any of these authentication requests, it is treated as an authentication failure.
The default is 1 (time). This means that up to two authentication requests will be made to the primary/secondary RADIUS servers, respectively.

Note
This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.

Retry Interval for Primary

Specify the time from 0 to 600 (in seconds) to return to the primary RADIUS server again after communication to the primary RADIUS server fails and the authentication destination falls back to the secondary RADIUS server.

Note
This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.

Dynamic VLAN

When enabled, the VLAN included in a RADIUS response is assigned to the user.
When disabled, the VLAN configured for the VAP is always applied to the user regardless of the VLAN information in a RADIUS response.
The default setting varies depending on the selected Profile Type.

Tri[11ax], Tri[11ax]-R, Tri[11ax] GEN2, Dual[11ax] GEN2, Dual[11ax] GEN2 with External Antenna, Dual[11ax] GEN2-R, Dual[11ax]
The default is "Disable".
Tri[11ac Wave2], Tri[11ac Wave2] with External Antenna, Dual[11ac Wave2]
The default is "Enable".

◼ OSEN Configuration
Selecting "OSEN" for Security will show you the following additional items:

Table 21: Additional options for OSEN
Item Name	Description
RADIUS Server Primary IP Address	Enter the IP address of the primary RADIUS server. (mandatory)
RADIUS Server Primary Secret	Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). (mandatory)
RADIUS Server Secondary IP Address	Enter the IP address of the secondary RADIUS server. Leave blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret	Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). Leave blank if you are not using a secondary RADIUS server.
Port Number	Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.
Pre-authentication	When enabled and a client is about to roam, the source (current) AP forwards the client's pre-authentication information to the destination AP. The default is "Enable". This reduces the time required for authentication of roaming clients. Note This can be configured only on VAP1 of each radio. When you select "Enable", this function is valid for all VAP.
WPA Versions	Select the WPA version(s) to use. Radio 2: You can select "WPA3" only, "WPA2" only, or both "WPA" and "WPA2". You cannot select both "WPA3" and "WPA2", or both "WPA3" and "WPA". "WPA" can be selected only together with "WPA2". The default is "WPA2". Select both for a mixed environment. In that case, the security level of the wireless network is the same as WPA. Note WPA is based on a draft of IEEE 802.11i while WPA2 is based on the final version of IEEE 802.11i and therefore meets all mandatory items required by the standard.
Encryption Protocol	You can select "CCMP" only, or both "TKIP" and "CCMP". The default is "CCMP". Although "TKIP" uses RC4 as WEP does, TKIP uses a separate encryption key for each client and changes the key after using it for some time. "CCMP" uses the standard encryption algorithm approved by the US Secretary of Commerce. This standard has a strong algorithm. Note According to the WPA standard, TKIP is mandatory while CCMP is optional. Our products implement both algorithms. Note If the WPA version includes "WPA3", only "CCMP" can be selected. "TKIP" is not displayed. Note If the WPA version is set to "WPA2", or both "WPA2" and "WPA", "TKIP" can be selected as necessary.
Management Frame Protection (MFP)	Specify whether to protect Management Frames. The following configuration can be set depending on the choice of WPA version. WPA3: Fixed to "Required". Both WPA3 and WPA2: Fixed to "Capable". WPA2: Select from "Capable" or "Disable". The default is "Capable". Both WPA2 and WPA: Fixed to "Disable". Note If the Profile Type is set to "Dual[11ax] GEN2", and the WPA version is set to "WPA2" solely, please do not set to "Required".
Broadcast Key Refresh Rate	Specify an interval at which to refresh the broadcast key that is sent to clients on the VAP. Specify an interval between 0 and 86400 (seconds). A value of 0 means that the key is never refreshed. The default is 0.
Dynamic VLAN	When enabled, the VLAN included in a RADIUS response is assigned to the user. When disabled, the VLAN configured for the VAP is always applied to the user regardless of the VLAN information in a RADIUS response. The default is "Enable".

Additional options for Captive Portal

◼ External RADIUS Configuration
If you select "External RADIUS" for Captive Portal, configure the following items:

Table 22: Additional options for External RADIUS in Captive Portal
Item Name	Description
Authentication Page Proxy	Specify whether to use an external authentication page or not. Enable: shows an external authentication page. Specify the page URL in "Base URL". Base URL: Specify the base URL of the external web authentication page. Clients will access the page through the AP's proxy feature instead of direct connection. The HTML filename of the external authentication page must be "radius_login.html". The AP's proxy will get the page from "Base URL/radius_login.html" and send it back to clients. For example, when you specify "http://www.example.com/captive_portal" in "Base URL", the APs will present the content of the page at "http://www.example.com/captive_portal/radius_login.html" to connecting clients. For details of the format of radius_login.html, refer to Operation Reference > Authentication > Web Authentication with Captive Portal. Disable: Shows an authentication page embedded in the APs. When "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" is selected for Profile Type, set the display language of the authentication page in addition. Authentication Page Language: Select the display language of the authentication page from "Japanese" or "English". The default is "English". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2] for the Profile Type.
RADIUS Server Primary IP Address	Enter the IP address of the primary RADIUS server. (mandatory) If "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as the Profile Type, the loopback address (127.0.0.1) can be specified by checking the "Use Local RADIUS Server" checkbox.
RADIUS Server Primary Secret	Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). (mandatory)
RADIUS Server Secondary IP Address	Enter the IP address of the secondary RADIUS server. Leave blank if you are not using a secondary RADIUS server. If "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as the Profile Type, the loopback address (127.0.0.1) can be specified by checking the "Use Local RADIUS Server" checkbox.
RADIUS Server Secondary Secret	Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). Leave blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number	Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.
Verify RADIUS packets	Specify whether RADIUS packet verification is performed. Setting it to "Required" always mandates the use of the RADIUS Message-Authenticator attribute to the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute. When set to "Disable", use of the RADIUS Message-Authenticator attribute is not treated as mandatory. If a malicious user forges a RADIUS packet, a unauthorized client could be allowed to connect. The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.
RADIUS Accounting	Specify whether to use the RADIUS Accounting. Enable: Uses RADIUS Accounting. With an external RADIUS server that has authenticated the user, it is possible to record the resources (such as connection time) used by each user during the session. You can also use features such as those provided by external RADIUS. Specify the "RADIUS accounting port" in addition. RADIUS Accounting Port Number: Enter the port number of the accounting port of the external RADIUS server in the range 0-65535. The default is 1813. Disable: Does not use RADIUS Accounting. The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2] for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported.
Redirect type (after user is authenticated)	Specify a page to be shown after the user passes web authentication. Keep Session: Show the original URL that was entered in the client's browser before web authentication. Fixed URL: Always show a fixed URL that you specify. Should be 1 to 128 characters in length, with alphabets, numbers and symbols (including spaces). Disable: Do not redirect the browser after successful web authentication.
Walled Garden	Shows the number of entries on the page that uses the Walled Garden feature. The Walled Garden feature allows you to specify which pages can be viewed by users who have not yet completed the authentication or who have not yet been authenticated. If they try to view a page other than specified, the Captive Portal page will appear again. Clicking on this will bring up the "Walled Garden List" dialog box. Walled Garden List You can register addresses to use the Walled Garden feature. Address: The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered. When "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", or "Dual[11ax] GEN2-R" is selected as the Profile Type, one asterisk () can be used as a wildcard when specifying the FQDN in the walled garden entry. For example, ".example.jp" will get hits for "www.example.jp", "ftp.example.jp", etc. Similarly, "example." will get hits for "example.com", "example.jp", etc. Up to one wildcard may be used per entry. Multiple wildcards (e.g., ".example.*") are not allowed. "Add" button: Registers the address entered in the Address field to the list. "Clear" button: Deletes the entry of the Address field. "Import from CSV file" button: Imports the addresses from a CSV file. The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask. X Address: Shows the number of address entries registered to the list. Search Walled Garden Address: Shows a list of registered addresses that contain the input string. Address: Shows an address entry. Delete: Deletes the selected entry. "Save" button: Saves changes to the Walled Garden List. "Close" button: Discard the changes to the Walled Garden List and close the Walled Garden List dialog box. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported.
DNS Proxy for Walled Garden	Specifies whether DNS proxying is performed in the walled garden. Only if none of the walled garden entries have been registered using wildcards can "Enable" or "Disable" be selected under this item. The default is "Disable". If at least one wildcard is used in a walled garden entry, it is fixed as "Enable". Note This setting is displayed when "Dual[11ax] GEN2" or "Dual[11ax] GEN2-R" is selected as Profile Type.
Virtual IP Address for Captive Portal	Shows the setting you made on the "Virtual IP Address for Captive Portal" in "Basic Configuration" section. By clicking on the link icon, you can jump to the section. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported.
Session Timeout	Specify the client's authentication session timeout; between 0 and 86400 (seconds). After the client is successfully authenticated, the session will be automatically terminated when the time set for timeout elapses. The default is 3600.
Session Timeout Action	Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection". The default is "Reauthentication".

◼ Click-through Configuration
If you select "Click-through" for Captive Portal, configure the following items:

Table 23: Additional options for Click-through in Captive Portal
Item Name	Description
Authentication Page Proxy	Specify whether to use an external authentication page or not. Enable: shows an external authentication page. Specify the page URL in "Base URL". Base URL: Specify the base URL of the external web authentication page. Clients will access the page through the AP's proxy feature instead of direct connection. The HTML filename of the external authentication page must be "radius_login.html". The AP's proxy will get the page from "Base URL/radius_login.html" and send it back to clients. For example, when you specify "http://www.example.com/captive_portal" in "Base URL", the APs will present the content of the page at "http://www.example.com/captive_portal/radius_login.html" to connecting clients. For details of the format of radius_login.html, refer to Operation Reference > Authentication > Web Authentication with Captive Portal. Disable: Shows an authentication page embedded in the APs. When "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" is selected for Profile Type, set the display language of the authentication page, and the text to show as the Terms of Use in addition. Authentication Page Language: Select the display language of the authentication page from "Japanese" or "English". The default is "English". Agreement Message: Create the text of the Terms of Use to be displayed on the AP's authentication page with a maximum length of 1,024 characters. Each line break counts as four characters. Formatting (font size, color, etc.) is not available. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", "Tri[11ac Wave2] with External Antenna", or "Dual[11ac Wave2] for the Profile Type.
Redirect type (after user is authenticated)	Specify a page to be shown after the user passes web authentication. Keep Session: Show the original URL that was entered in the client's browser before web authentication. Fixed URL: Always show a fixed URL that you specify. Should be 1 to 128 characters in length, with alphabets, numbers and symbols (including spaces). Disable: Do not redirect the browser after successful web authentication.
Walled Garden	Shows the number of entries on the page that uses the Walled Garden feature. The Walled Garden feature allows you to specify which pages can be viewed by users who have not yet completed the authentication or who have not yet been authenticated. If they try to view a page other than specified, the Captive Portal page will appear again. Clicking on this will bring up the "Walled Garden List" dialog box. Walled Garden List You can register addresses to use the Walled Garden feature. Address: The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered. When "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", or "Dual[11ax] GEN2-R" is selected as the Profile Type, one asterisk () can be used as a wildcard when specifying the FQDN in the walled garden entry. For example, ".example.jp" will get hits for "www.example.jp", "ftp.example.jp", etc. Similarly, "example." will get hits for "example.com", "example.jp", etc. Up to one wildcard may be used per entry. Multiple wildcards (e.g., ".example.*") are not allowed. "Add" button: Registers the address entered in the Address field to the list. "Clear" button: Deletes the entry of the Address field. "Import from CSV file" button: Imports the addresses from a CSV file. The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask. X Address: Shows the number of address entries registered to the list. Search Walled Garden Address: Shows a list of registered addresses that contain the input string. Address: Shows an address entry. Delete: Deletes the selected entry. "Save" button: Saves changes to the Walled Garden List. "Close" button: Discard the changes to the Walled Garden List and close the Walled Garden List dialog box. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported.
DNS Proxy for Walled Garden	Specifies whether DNS proxying is performed in the walled garden. Only if none of the walled garden entries have been registered using wildcards can "Enable" or "Disable" be selected under this item. The default is "Disable". If at least one wildcard is used in a walled garden entry, it is fixed as "Enable". Note This setting is displayed when "Dual[11ax] GEN2" or "Dual[11ax] GEN2-R" is selected as Profile Type.
Virtual IP Address for Captive Portal	Shows the setting you made on the "Virtual IP Address for Captive Portal" in "Basic Configuration" section. By clicking on the link icon, you can jump to the section. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported.
Session Timeout	Specify the client's authentication session timeout; between 0 and 86400 (seconds). After the client is successfully authenticated, the session will be automatically terminated when the time set for timeout elapses. The default is 3600.
Session Timeout Action	Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection". The default is "Reauthentication".

◼ External Page Redirect Configuration
If you have selected "External Page Redirect" on the Captive Portal, you will need to configure the following items.

Table 24: Additional options for External Page Redirect in Captive Portal
Item Name	Description
External Page URL	Enter the URL of which the APs redirect the users with 1 to 128 alphanumeric characters. The default is empty.
RADIUS Server Primary IP Address	Enter the IP address of the primary RADIUS server. (mandatory) If "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as the Profile Type, the loopback address (127.0.0.1) can be specified by checking the "Use Local RADIUS Server" checkbox.
RADIUS Server Primary Secret	Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters. (mandatory) If "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as the Profile Type, the loopback address (127.0.0.1) can be specified by checking the "Use Local RADIUS Server" checkbox.
RADIUS Server Secondary IP Address	Enter the IP address of the secondary RADIUS server. Leave blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret	Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters. Leave blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number	Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.
Verify RADIUS packets	Specify whether RADIUS packet verification is performed. Setting it to "Required" always mandates the use of the RADIUS Message-Authenticator attribute to the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute. When set to "Disable", use of the RADIUS Message-Authenticator attribute is not treated as mandatory. If a malicious user forges a RADIUS packet, a unauthorized client could be allowed to connect. The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.
RADIUS Accounting	Specify whether to use the RADIUS Accounting. Enable: Uses RADIUS Accounting. With an external RADIUS server that has authenticated the user, it is possible to record the resources (such as connection time) used by each user during the session. You can also use features such as those provided by external RADIUS. Specify the "RADIUS accounting port" in addition. RADIUS Accounting Port Number: Enter the port number of the accounting port of the external RADIUS server in the range 0-65535. The default is 1813. Disable: Does not use RADIUS Accounting. The default is "Disable".
Redirect type (after user is authenticated)	Specify a page to be shown after the user passes web authentication. Keep Session: Show the original URL that was entered in the client's browser before web authentication. Fixed URL: Always show a fixed URL that you specify. Should be 1 to 128 characters in length, with alphabets, numbers and symbols (including spaces). Disable: Do not redirect the browser after successful web authentication.
Walled Garden	Shows the number of entries on the page that uses the Walled Garden feature. The Walled Garden feature allows you to specify which pages can be viewed by users who have not yet completed the authentication or who have not yet been authenticated. If they try to view a page other than specified, the Captive Portal page will appear again. Clicking on this will bring up the "Walled Garden List" dialog box. Walled Garden List You can register addresses to use the Walled Garden feature. Address: The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered. When "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", or "Dual[11ax] GEN2-R" is selected as the Profile Type, one asterisk () can be used as a wildcard when specifying the FQDN in the walled garden entry. For example, ".example.jp" will get hits for "www.example.jp", "ftp.example.jp", etc. Similarly, "example." will get hits for "example.com", "example.jp", etc. Up to one wildcard may be used per entry. Multiple wildcards (e.g., ".example.*") are not allowed. "Add" button: Registers the address entered in the Address field to the list. "Clear" button: Deletes the entry of the Address field. "Import from CSV file" button: Imports the addresses from a CSV file. The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask. X Address: Shows the number of address entries registered to the list. Search Walled Garden Address: Shows a list of registered addresses that contain the input string. Address: Shows an address entry. Delete: Deletes the selected entry. "Save" button: Saves changes to the Walled Garden List. "Close" button: Discard the changes to the Walled Garden List and close the Walled Garden List dialog box. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax] GEN2-R", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported.
DNS Proxy for Walled Garden	Specifies whether DNS proxying is performed in the walled garden. Only if none of the walled garden entries have been registered using wildcards can "Enable" or "Disable" be selected under this item. The default is "Disable". If at least one wildcard is used in a walled garden entry, it is fixed as "Enable". Note This setting is displayed when "Dual[11ax] GEN2" or "Dual[11ax] GEN2-R" is selected as Profile Type.
Virtual IP Address for Captive Portal	Shows the setting you made on the "Virtual IP Address for Captive Portal" in "Basic Configuration" section. By clicking on the link icon, you can jump to the section. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Dual[11ax]", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. This item is displayed if you select "Dual[11ac Wave2]" for Profile Type, however, it is not supported.
Session Timeout	Specify the client's authentication session timeout; between 0 and 86400 (seconds). After the client is successfully authenticated, the session will be automatically terminated when the time set for timeout elapses. The default is 3600.
Session Timeout Action	Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection". The default is "Reauthentication".

Additional options for MAC Access Control

◼ When "MAC Address List" or "MAC Address List + External RADIUS" is selected

Table 25: Additional options for MAC Address List in MAC Access Control
Item Name	Description
Selected List	Shows the name of the "MAC Address List" selected in the AP Profile's "System" section. Note You cannot use a different MAC Address List for each radio or VAP. A single list is used for all radios (Radio 1/Radio 2/Radio 3) and VAPs in an AP Profile.
Two-step auth with Captive Portal	When any authentication method except "None" is selected for Captive Portal, the authentication will be performed in two steps: Captive Portal and MAC Access Control. When you select "Enable", only the wireless clients which succeeded authenticating with MAC Access Control and Captive Portal, will be able to communicate via the relevant VAP. When you select "Disable", the wireless clients which have succeeded authenticating with either MAC Access Control, or Captive Portal separately will be able to communicate via the relevant VAP. Note This item is displayed if you select "Dual[11ax] GEN2", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type.

◼ When "External RADIUS" or "MAC Address List + External RADIUS" is selected

Table 26: Additional options for External RADIUS in MAC Accessc Control
Item Name	Description
RADIUS Server Primary IP Address	Enter the IP address of the primary RADIUS server. (mandatory) If "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as the Profile Type, the loopback address (127.0.0.1) can be specified by checking the "Use Local RADIUS Server" checkbox.
RADIUS Server Primary Secret	Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters.
RADIUS Server Secondary IP Address	Enter the IP address of the secondary RADIUS server. Leave blank if you are not using a secondary RADIUS server. If "Tri[11ax]-R" or "Dual[11ax] GEN2-R" is selected as the Profile Type, the loopback address (127.0.0.1) can be specified by checking the "Use Local RADIUS Server" checkbox.
RADIUS Server Secondary Secret	Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters. Leave blank if you are not using a secondary RADIUS server.
Port Number	Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.
Verify RADIUS packets	Specify whether RADIUS packet verification is performed. Setting it to "Required" always mandates the use of the RADIUS Message-Authenticator attribute to the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute. When set to "Disable", use of the RADIUS Message-Authenticator attribute is not treated as mandatory. If a malicious user forges a RADIUS packet, a unauthorized client could be allowed to connect. The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.
RADIUS Timeout	Specify the timeout period for a RADIUS Access-Request message with a value from 1 to 29 (unit: second). If no response is received after the packet is sent to the RADIUS server beyond the value of this setting, the access request is retransmitted or treated as an authentication failure. In this case, the total time for the transmission sequence of the specified number of times (first time + retransmission count) to the primary RADIUS server and secondary RADIUS server is set to 29 seconds or less. For example, the calculation is as follows: When the secondary RADIUS server is not used and the number of RADIUS Retransmit is set to "4": The primary RADIUS server is attempted a maximum of 5 authentication requests (first time and 4 retransmissions). Therefore, to keep the entire authentication session within 29 seconds, the RADIUS Timeout must be set to "5" or less. When using the both primary/secondary RADIUS servers and setting the number of RADIUS Retransmit to "2": Three authentication requests (the first attempt and two retries) are attempted for each RADIUS server, for a total of up to 6 authentication requests. Therefore, to keep the entire authentication session within 29 seconds, the RADIUS Timeout should be set to "4" or less. The default is 3 (seconds). Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.
RADIUS Retransmit	Specify the number of retransmissions of Access-Request messages to the RADIUS server with a value from 0 to 8 (unit: times). Together with the first transmission, a maximum of this setting plus one authentication request will be made to the RADIUS server. If primary and secondary RADIUS servers are configured, the primary RADIUS server will be sent this configuration plus one authentication request, and then the secondary RADIUS server will be sent this configuration plus one authentication request in the same manner. If there is no response to any of these authentication requests, it is treated as an authentication failure. The default is 1 (time). This means that up to two authentication requests will be made to the primary/secondary RADIUS servers, respectively. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.
Retry Interval for Primary	Specify the time from 0 to 600 (in seconds) to return to the primary RADIUS server again after communication to the primary RADIUS server fails and the authentication destination falls back to the secondary RADIUS server. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.
User-Name Format Separator	A client's MAC address is sent to the RADIUS server as a User-Name attribute. Specify an octet delimiter to use in a User-Name attribute from "Hyphen", "Colon" and "None". The default is "Hyphen".
User-Name Format Letter Case	Specify which case to use in a User-Name attribute from "Upper" and "Lower". The default is "Lower".
User-Password Format	Specify what is used for a User-Password attribute when a client MAC address is sent to the RADIUS server for authentication. The default is "User Name". If you select "Fixed Password", a string specified in "User-Password Format Password" is always used as the value of the User-Password attribute. If you select "User Name", the same string as the User-Name attribute (MAC Address) is sent to the RADIUS server as the value of the User-Password attribute.
User-Password Format Password	Specify a fixed password string which is used when "User-Password Format Type" is set to "Fixed Password".
Dynamic VLAN	When enabled, the VLAN included in a RADIUS response is assigned to the user. When disabled, the VLAN configured for the VAP is always applied to the user regardless of the VLAN information in a RADIUS response. The default is "Enable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax]-R", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", or "Dual[11ax] GEN2-R" for the Profile Type.
Two-step auth with Captive Portal	When any authentication method except "None" is selected for Captive Portal, the authentication will be performed in two steps: Captive Portal and MAC Access Control. When you select "Enable", only the wireless clients which succeeded authenticating with MAC Access Control and Captive Portal, will be able to communicate via the relevant VAP. When you select "Disable", the wireless clients which have succeeded authenticating with either MAC Access Control, or Captive Portal separately will be able to communicate via the relevant VAP. Note This item is displayed if you select "Dual[11ax] GEN2", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type.

By default (where "User-Name Format Delimiter" is "Hyphen", "User-Name Format Case" is "Lower" and "User-Password Format Type" is "User Name"), authentication credentials (User-Name and User-Password attributes) of a client will be sent to the RADIUS server as follows:

User-Name ab-cd-ef-12-34-56
User-Password ab-cd-ef-12-34-56

◼ When "AMF Application Proxy" is selected:
Specify the information of AMF Application Proxy server which contains the device list to allow, deny, or quarantine.

Table 27: Additional options for AMF Application Proxy in MAC Access Control
Item Name	Description
Redirect-URL	Specifies whether the wireless client detected as a "suspected node" by the AMF Application Proxy server is forwarded to the external page URL. When set to "Enable", you can specify the URL to which the wireless client detected as a suspected node by the IP Filter action is forwarded in the External page URL field that is displayed additionally. When set to "Disable", the Redirect-URL function is not used. The suspected node will not be allowed to connect to any page. The default is "Disable". Normally, when a user of a suspected node tries to access a website, the loading session of the web page times out and the user cannot know the reason for the denial of access. By using Redirect-URL function, Web access from the user in question can be redirected to a pre-designated URL, and by preparing a page explaining the situation at the same URL, the reason for the block and contact information can be provided to the user. Note Web page used in Redirect-URL should not be placed on a server that handles sensitive information. When a Redirect-URL is used, the host (IP address or domain) specified in the "External Page URL" will be registered in the walled garden information inside the wireless AP. Thus, even a suspected node that has not been authenticated can browse to any page on the server to which it has been redirected by entering the path in the address field of its Web browser. Note This item is displayed if you select "Dual[11ax] GEN2", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type. Note Redirect-URL cannot be used in conjunction with Captive Portal. Note If the suspected node uses HTTPS instead of HTTP for access, the user of the node may see screens such as "Your connection is not private", "Your connection is not secure", "Connect to Wi-Fi hotspot", "Connect to Wi-Fi", or "Log in to network". In that case, the user will be redirected to the Redirect-URL page by selecting Refresh, Reload or Connect button on her/his Web browser. However, due to Web browser specifications, s/he may not be redirected to the Redirect-URL page even if s/he select Refresh or Connect button. In this case, the user will be redirected to the Redirect-URL page by accessing the site via HTTP.
External Page URL	Enter the URL to be redirected to using 1 to 128 alphanumeric characters (including spaces). The default is empty.
AMF Application Proxy Server Primary IP Address	Enter the IP address of the primary AMF Application Proxy server (mandatory)
AMF Application Proxy Server Primary Secret	Enter the pre-shared key to connect to the primary AMF Application Proxy server using up to 128 alphanumeric characters (including spaces).
AMF Application Proxy Server Secondary IP Address	Enter the IP address of the secondary AMF Application Proxy server. Leave blank if you are not using a secondary AMF Application Proxy server. Note In this version, the secondary AMF Application Server is not available.
AMF Application Proxy Server Secondary Secret	Enter the pre-shared key to connect to the secondary AMF Application Proxy server using up to 128 alphanumeric characters (including spaces). Leave blank if you are not using a secondary AMF Application Proxy server. Note In this version, the secondary AMF Application Server is not available.
AMF Application Proxy Server Port Number	Enter a port number between 1 and 65535 on which the primary and secondary AMF Application Proxy server is listening. The default is 1812.
Verify RADIUS packets	Specify whether RADIUS packet verification is performed. Setting it to "Required" always mandates the use of the RADIUS Message-Authenticator attribute to the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute. When set to "Disable", use of the RADIUS Message-Authenticator attribute is not treated as mandatory. If a malicious user forges a RADIUS packet, a unauthorized client could be allowed to connect. The default is "Disable". Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", or "Dual[11ax] GEN2 with External Antenna" for the Profile Type.
Critical Mode	Specify whether to enable or disable Critical Mode. The default is "Disable". With "Enable" selected, in the event the connection between the AWC Plug-in and AMF Application Proxy server is lost, all new client connection requests will be allowed. Note When using the VAP security method together with AMF Application Proxy, only wireless clients that have successfully authenticated using the security method can communicate. When you select "Disable", all new client connection requests will be rejected. The clients that are already connected before the connection between the AWC Plug-in and AMF Application Proxy server got lost, can now continue the communication.
Two-step auth with Captive Portal	When any authentication method except "None" is selected for Captive Portal, the authentication will be performed in two steps: Captive Portal and MAC Access Control. Only the supplicants (wireless clients) which have been granted by both MAC Access Control, then Captive Portal, will be able to communicate via the relevant VAP. When AMF Application Proxy is selected, only "Enable" is displayed for the option of Two-step auth with Captive Portal. Note This item is displayed if you select "Tri[11ax]", "Tri[11ax] GEN2", "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", "Tri[11ac Wave2]", or "Tri[11ac Wave2] with External Antenna" for the Profile Type.

Note
When using the dynamic VLAN feature of WPA Enterprise together, if a VLAN is assigned by the RADIUS server, the wireless device will be assigned to the VLAN ID of the dynamic VLAN.
If a VLAN is not assigned by the RADIUS server, the wireless device will be assigned to the VLAN ID specified by the AMF Application Server. If a VLAN is neither assigned by the RADIUS server nor assigned by the security policy on the AMF Application Proxy server, the wireless device will be assigned to the VLAN ID of VAP.
If the action on the AMF application proxy server side is quarantine, the VLAN ID of quarantine network will be applied regardless whether the dynamic VLAN has a VLAN ID or not.

Note
When using the Dynamic VLAN feature of WPA Enterprise together, the VLAN IDs of wireless clients already connected to the network will not be changed even if the VLAN ID of the network specified in the security policy of the AMF application proxy server is changed.

Note
If a wireless client already connected to a Quarantine VLAN is allowed by the AMF application proxy server to connect to the VLAN ID of the network specified in the security policy, the VLAN ID of the wireless client will be changed to the VLAN ID of the network specified in the security policy.
However, if a high-priority action results in an assignment from one quarantine VLAN to another quarantine VLAN, the VLAN ID to which the wireless client belongs will not change.

Note
MAC Access Control with AMF Application Proxy cannot be used with Channel Blanket. If you want to use the AP as part of a Channel Blanket, do not assign the AP profile which the MAC Access Control with AMF Application Proxy is enabled.

Additional options for Fast Roaming

Table 28: Additional options for Fast Roaming
Item Name	Description
802.11r FT	Specify whether to use IEEE 802.11r (Fast Basic Service Set Transition). When enabled, wireless clients can do IEEE 802.11r fast transition when roaming from one AP to another. The default is "Disable". An AP profile that contains VAPs using both WPA Enterprise and Fast Transition behaves as follows: When the number of APs using this AP profile changes, the configuration status of the APs that use this AP profile becomes "Modified". If you make a change that affects the number of APs that use this AP Profile on the Wireless Configuration > AP Settings page, a dialog box will ask you whether to apply the configuration to all APs that use this AP Profile. If you click "OK", the configuration will be applied to all APs that use this AP profile.
FT over DS	Specify whether to request authentication via distributed system (DS). When enabled, wireless clients send an authentication request to the destination AP via the current (source) AP. (Over The DS.) When disabled, wireless clients send an authentication request to the destination AP directly over the radio. (Over The Air) The default is "Disable". Note Fast roaming with FT over DS enabled is not supported on TQ7403 Radio 3. When "Tri[11ax]" is selected for Profile Type, set this item to "Disable" when using the Fast Roaming function on Radio 3.
Mobility Domain	Specify a mobility domain with 4 hexadecimal digits (0 to 9, A to F, a to f). This is not case-sensitive. A wireless client can perform IEEE 802.11r fast transition between the APs in the same mobility domain. The default is "a1b2".
R0 key Lifetime	Specify a PMK-R0 lifetime, between 1 and 65535 minutes. Once the lifetime expires, IEEE 802.11r fast transition is not performed. The default is 10000.
AES Key	Specify an AES key that is used to exchange PMK-R1 between APs with 32 hexadecimal digits (0 to 9, A to F, a to f). This is not case-sensitive. The default is empty. Note This is mandatory for every function in the "Fast Roaming" section. Configure this item even if you only use IEEE 802.11k or IEEE 802.11v and you are not going to use IEEE 802.11r fast transition.
802.11k RRM	Specify whether to use IEEE 802.11k RRM (Radio Resource Management). The default is "Disable". When "Dual[11ax] GEN2", "Dual[11ax] GEN2 with External Antenna", or "Dual[11ax]" is selected for Profile Type, the 802.11k RRM setting for VAP 1 is also applied to VAP 2 through VAP 16. When you want to use "IEEE 802.11k RRM" enabled on any of VAP 2 to 16, enable it on VAP 1.
802.11v WNM	Specify whether to use IEEE 802.11v WNM (Wireless Network Management). The default is "Disable".

Additional options for Passpoint

Table 29: Additional options for Passpoint
Item Name	Description
Access Network Type	Specify a network type. Private network: A network which unauthorized users cannot access. Private network with guest access: A private network that offers guest access to unauthorized users. Chargeable public network: A network that can be accessed by anyone at anytime for a charge. The billing system and other information can be obtained in other ways (IEEE 802.21, http/https redirect or DNS redirection) Free public network: A network that can be accessed by anyone at anytime for free. Personal device network: A network for personal devices such as a camera and printer. Emergency service-only network: A network for limited use for the emergency services (police or fire/disaster management). Test or experimental: A network for testing or experiments. Wildcard: A wildcard access network.
Internet Access	Specify whether the access to the Internet is enabled or disabled. The default is "Enable".
Homogeneous ESS Identifier(HESSID)	Specify the same ESSID as the other APs in the Passpoint network. MAC address is in the format xx:xx:xx:xx:xx:xx (where x is a hexadecimal number). The default is "00:00:00:00:00:00", which is regarded as "value omitted" by the wireless AP.
Roaming Consortium List	Specify a list of Organization Indicators (OIs). A single OI can be specified in hexadecimal numbers from 3 to 15 octets, and not more than 100 octets in a whole list. The number of OIs that can be registered is limited to 15, separated by commas (,) (e.g. 021122,2233445566). Please specify the OI as an even number of digits. When specifying an odd-numbered OI, enter it as an even-numbered digit by adding a leading "0(zero)". For example, "1234567" becomes "01234567". When specifying a value of less than 3 octets, pad leading zeros so that the value is at least 6 digits long. For example, "123" becomes "000123". The default is empty. This setting is optional when "Dual[11ax] GEN2" is selected as Profile Type.
Domain Name	Specify the domain name(s) used for the certificate with up to 100 characters in length. To specify more than one domain, separate them with a comma (,). The default is empty.
3GPP Cellular Network Information	Specify the 3GPP Cellular Network Information. The default is empty.
NAI Realm Information 1 - 5 NAI Realm	Specify the NAI Realm in FQDN format. To specify more than one, separate them with a semicolon (;).
NAI Realm Information 1 - 5 EAP Method	Select the EAP Method to use for the NAI Realm with the same number from following list (multiple choices area allowed). EAP-TLS EAP-TTLS/MSCHAPv2 EAP-SIM EAP-AKA
Operator Friendly Name	The name of the operator providing the service, as a display language/string pair. You can register pairs in several languages.
Disable Downstream Group-Addressed Forwarding(DGAF)	Specify whether to disable sending multicast and broadcast frames. By selecting "Enable", these frames will not be sent. The default is "Disable".
L2 Traffic Inspection and Filtering	Specifies whether to discard L2 traffic (ARP, ICMP, TDKS) between VAPs. By selecting "Enable", these traffic will be discarded. The default is "Disable".

Network Configuration

When the Profile Type is "Tri[11ax]-R" or "Dual[11ax] GEN2-R", configure the 802.1Q subinterfaces and bridge groups on the bridge interface in "Network Configuration".
Here you can make settings across all radio bands, regardless of whether you choose the "Radio 1", "Radio 2", or "Radio 3" at the top of the screen.

Overview

When communicating from a VAP to other VAPs or other wired-connected devices, the following two major methods are used to separate communications for each VAP.

Separate communication for each VAP by VLAN
Attach each VAP's communication to separate bridge

◼ Separate communications for each VAP by VLAN
The network design will be the same as the existing TQ series APs.
To achieve this, the following configuration is required.

In "Bridge Configuration, assign the VAP interface to the VLAN-enabled bridge br0.
At this time, specify the native VLAN ID for each VAP, so that untagged packets in the relevant VAP are treated as belonging to the specified VLAN.
In "Interface Configuration", create an 802.1Q sub-interface in the VLAN-enabled bridge br0 that bridges the communication for each VLAN specified above.

You can assign IP addresses to the 802.1Q sub-interfaces on the VLAN-enabled bridge separately in "Wireless AP Individual Configuration".
If the communication from the VAP needs to be forwarded to the Ethernet interface, the Ethernet interface must be assigned to the VLAN-enabled bridge br0 separately.

◼ Attach each VAP's communication to separate bridge
This one is designed to communicate as all untagged packets without using VLANs.

In "Bridge Configuration", assign a VAP interface to a bridge with any bridge ID.
"Interface Settings" is not used in this case.

You can assign IP addresses to bridges separately in "Wireless AP Individual Configuration".
If communication from the VAP needs to be forwarded to the Ethernet interface, an 802.1Q sub-interface must be separately created on the Ethernet interface and assigned to each bridge group.

Interface Configuration

On VLAN-enabled bridge br0, create an 802.1Q sub-interface for bridging per-VLAN communication.

Table 30: AP Profile Interface Configuration
Item Name	Description
X Interfaces	Displays the number of registered VLAN-enabled bridge interface and 802.1Q sub-interfaces.
Add Interface	Displays "Add 802.1Q Sub-interface" dialog box. Up to 10 additional 802.1Q sub-interfaces can be added.
Interface Name	Lists the VLAN-enabled bridge and registered 802.1Q sub-interfaces. By default, only "br0", the VLAN-enabled bridge, is displayed.
VLAN ID	Displays the VLAN ID corresponding to the 802.1Q sub-interface.
Edit	Change VLAN ID of the relevant 802.1Q sub-interface.
Delete	Delete the 802.1Q sub-interface.

Add 802.1Q Sub-interface

Table 31: AP Profile Add 802.1Q Sub-interface
Item Name	Description
VLAN ID	Enter the VLAN ID of the 802.1Q sub-interface to be added to br0 with a value from 1 to 4094. The 802.1Q sub-interface to be created will be assigned the interface name "br0.X" (X: the VLAN ID specified in this dialog).
Add	Create an 802.1Q sub-interface with the entered VLAN ID and add it to the list.
Delete	Discard your edits and close the dialog box.

Edit 802.1Q Sub-interface

Table 32: AP Profile Edit 802.1Q Sub-interface
Item Name	Description
VLAN ID	Enter the VLAN ID of the 802.1Q sub-interface to be added to br0 with a value from 1 to 4094. The 802.1Q sub-interface to be edited will be renamed to the interface name "br0.X" (X: the VLAN ID specified in this dialog).
Save	Change VLAN ID of the relevant 802.1Q sub-interface.
Cancel	Discard your edits and close the dialog box.

Bridge Configuration

Assign a VAP interface for each radio band to the bridge group.
On the AP's configuration, VAP interfaces are distinguished by a combination of radio band and VAP number. In this case, the VAP number on the configuration is "VAP number on AWC Plug-in - 1". For example, "VAP 1" in the radio band "Radio 1" will be assigned the interface name "vap1.0".
Assigning this VAP interface to the bridge allows L2 communication with other VAPs and Ethernet interface.

Table 33: AP Profile Bridge Configuration
Item Name	Description
Bridge List	The VLAN-enabled bridge and software bridges that have been created are listed. To assign a VAP interface, click on the bridge name from the list.
Add Bridge	Create the software bridge.
Delete	Deletes the selected bridge.
Bridge ID	Specify the ID of the bridge with a value from 1 to 255.
Bridge Name	The interface name based on the bridge ID, "brX" (X: the bridge ID) is displayed.
VAP Interface
Add VAP INterface	Add the VAP interface to be assigned to the bridge. Up to 10 VAP interfaces can be added per bridge.
Delete	Delete the VAP interface.
Radio	Select the VAP radio band to assign as the VAP interface to the bridge.
VAP	Specify the number of the VAP to be assigned as the VAP interface. VAP interfaces with the same radio band and VAP number cannot be assigned to more than one bridge.
VLAN ID	Only for VAP interfaces assigned to VLAN-enabled bridge br0, specify the native VLAN with a value from 1 to 4094.
Port-protected	Select whether to protect L2 communication on the VAP interface from Enable or Disable. The default is "Disable". When the protected port function of the VAP interface is enabled, L2 communication (bridging) is not performed with other protected ports belonging to the same bridge. L2 communication between protected ports and normal ports (interfaces that do not have Port-protected enabled) and between two normal ports interfaces will take place. Note Only L2 communication is covered by the protected port. L3 communication through the bridge interface must be controlled by a separate firewall or other means.

Edit AP Profile

Select "Wireless Configuration" > "AP Profile" from the AWC Plug-in menu.
Click "Detail" (magnifying glass icon) of the AP Profile to edit from the List of AP Profiles.
The selected AP Profile will be displayed. Click "Edit" at the top right of the Content section.
Change the information as needed.
Click "Save" at the top right of the Content section.

Copy AP Profile

Select "Wireless Configuration" > "AP Profile" from the AWC Plug-in menu.
Select (Check) the AP Profile to be copied from the list of AP Profiles.
Click "Copy" at the top right of the Content section.
The selected AP Profile is duplicated.
The duplicated AP Profile gets a temporary name, which is made by appending "_copy" to the original AP Profile name. Rename it on the Edit page as required.

Note
An AP profile cannot be copied if its name plus a string "_copy" exceeds 101 characters in length.
In that case, a dialog box will appear and tell you that the profile was not copied.

Delete AP Profile

Select "Wireless Configuration" > "AP Profile" from the AWC Plug-in menu.
Click "Detail" (magnifying glass icon) of the AP Profile to delete from the List of AP Profiles.
The selected AP Profile will be displayed. Click "Delete" at the top right of the Content section.
The "Confirm" dialog box will appear.
Click "Delete".

C613-04185-00 Rev A

29 Apr 2025 14:51