User Guide: AWC plug-in version 3.10.0 for VST-VRT

Configure CB Profile

Operation Reference > Channel Blanket > Configure CB Profile

Create CB Profile
Profile Configuration
VAP (Multiple SSID) Configuration
Additional options for Security
Additional options for Captive Portal
Additional options for MAC Access Control
Additional options for Fast Roaming
Edit CB Profile
Delete CB Profile
This section describes how to create, edit and delete a CB Profile.

Create CB Profile

  1. Select "Wireless Configuration" > "CB Profile" from the AWC Plug-in menu.
    The CB Profile list will appear.

  2. Click "Create" at the top right corner.
  3. The "Select an AP model that uses AWC-CB" dialog box will appear.

    Table 1: "Select an AP model that users AWC-CB" dialog box
    Item Name Description
    AP Model Select an AP model.

    • TQ6702 GEN2 / TQ6602 GEN2:
      Select this for TQ6602 GEN2 and TQ6702 GEN2.

    • TQ6602:
      Select this for TQ6602.

    • TQ5403 / TQ5403e:
      Select this for TQ5403 and TQ5403e.
  4. Select an AP model.
  5. Click "OK".
  6. The "Create CB Profile" screen will appear.

  7. Configure items in the Profile Configuration and VAP (Multiple SSID) Configuration sections as required.
  8. Click "Save" at the top right of the Content section to save the configuration.
    After saving the CB Profile, create a channel blanket, starting from step 4 of Operation Reference > Channel Blanket > Create Channel Blanket.

Profile Configuration

Table 2: Profile Configuration
Item Name Description
CB Profile Name Enter a name for the CB Profile. Should be 1 to 100 characters in length, with alphabets, numbers and symbols (including spaces). (mandatory)
Models Displays the AP model selected in the "Select an AP model that uses AWC-CB" dialog box.
Management Group Select a Management Group that you want to apply this CB Profile to. You cannot uncheck "Default Wireless Group" (mandatory)
  • Search Wireless Management Group: Groups in the list can be filtered by entering a partial name in the search box.
    The Search field lets you enter a partial string to match. The screen displays entries with that string in their name.
    To remove the filter, delete the string from the search field and press enter.
    Note
    The search is case-sensitive.

VAP (Multiple SSID) Configuration


Table 3: VAP (Multiple SSID) Configuration
Item Name Description
CB VAP List Shows a list of configured CB VAPs.
This includes the status, radio band, VAP number, SSID and security setting of the CB VAP.
+ Add VAP Creates a new CB VAP.

A CB VAP name is assigned a number sequentially from 1. Note that the number in the CB VAP Name has nothing to do with the "VAP Number" (described later) for the CB VAP. The number of VAPs that can be created depends on the AP model you select.
  • TQ6702 GEN2 / TQ6602 GEN2:
    7 CB VAPs for each radio band (Radio 1 - 2.4GHz and Radio 2 - 5GHz W52), i.e. 14 CB VAPs in total
  • TQ6602:
    10 CB VAPs for each radio band (Radio 1 - 2.4GHz and Radio 2 - 5GHz W52), i.e. 20 CB VAPs in total
  • TQ5403 / TQ5403e:
    3 CB VAPs for each radio band (Radio 1 - 2.4GHz and Radio 2 - 5GHz W52), i.e. 6 CB VAPs in total
Note
It is recommended to use 5 or less VAPs per radio band in total, including both multi-channel and blanket VAPs.
Radio Select a radio band to use for this CB VAP, from Radio 1 (2.4GHz) and Radio 2 (5GHz W52) (mandatory)
Note
"Radio 2 - 5GHz W53" and "Radio 3 - W56" cannot be used for CB VAPs.
Note
When applying a CB profile to TQ6602, TQ6602 GEN2, and TQ6702 GEN2, if the bandwidth is set to 80+80MHz in Radio 2 of the AP profile, only W52 is used, because W53 cannot be used for CB VAP. The APs will operate with the 80 MHz bandwidth in that radio band.
VAP Specify a CB VAP Number (mandatory).
This can be specified as a number between 1 to 8 for TQ5403 and TQ5403e, and 1 to 16 for TQ6602, TQ6602 GEN2, and TQ6702 GEN2.
If you specify the same number for a CB Profile as an existing AP Profile, the CB VAP is used for the number (the AP Profile's VAP with the number is not used because it is overriden by the CB VAP with the same number).
Note
If you do not use multi-channel networks, create a dummy multi-channel VAP 1 in an AP Profile, then create a CB VAP with the "VAP number" of 1 to override the dummy multi-channel VAP. We recommend you configure security on the dummy VAP too.
Channel Select a channel to use for this CB VAP (mandatory)

  • Radio 1: 1ch to 13ch
  • Radio 2 (W52) : 36ch, 40ch, 44ch, 48ch
Note
Select a channel according to the bandwidth used for the corresponding band set in the AP Profile.
For example, if the bandwidth used for Radio 2 is 40MHz, when creating CB VAP for Radio 2, select the channel from either 36ch or 44ch. 40ch and 48ch are not supported.
Channels that can be selected can be confirmed by "Auto Channel Selection" in the AP Profile.
Note
Selecting a channel that is disabled in "Auto Channel Selection" in the AP Profile is not supported.
VAP Status Enable or disable the CB VAP.

  • If you select "Enable", the CB VAP is enabled on the APs that are applied to the CB Profile.
  • If you select "Disable", the CB VAP is not used. The VAP that is properly configured and enabled in the AP Profile will also be disabled.

The default is "Enable".
VLAN ID Specify a VLAN ID used for communication between the CB VAP and associated clients (mandatory)
Note
Specify a VLAN ID that is different from the AP's management VLAN. When the AP is detected as a guest device, a parent AMF device is configured to collect the guest device information automatically ("dynamic discovery"), and wireless clients get their IP addresses via DHCP.
SSID Specify an SSID (network name) to use on the CB VAP.

The SSID is mapped to the VLAN ID. Enter a name between 1 to 32 alphanumeric characters.
The default is "Default-X" (where X is an automatically assigned CB VAP number) (mandatory)
Broadcast SSID Specify whether to broadcast the SSID on the CB VAP.

  • When enabled, the SSID is included in beacons. When you configure a wireless client, you may be able to see the SSID in a list of wireless networks to connect. This setting also allows wireless clients to connect using an "ANY" connection.

  • When disabled, the SSID is not included in beacons. You may not be able to see the SSID in a wireless network list on a wireless client. In this case, you have to enter the same SSID as the AP on a wireless client. This setting also denies wireless clients from connecting using an "ANY" connection.

The default is "Enable".
Note
An "ANY" connection is a connection where a wireless client tries to connect to an AP by specifying a wildcard or null as the SSID. Even when an "ANY" connection is allowed, clients cannot connect to APs without knowing the correct security key.
Security Select a security mechanism to use.
The available options are "None", "Static WEP", "WPA Personal", and "WPA Enterprise".
The default is "None".
Note
"Static WEP" can be configured only on VAP1 of each radio. In addition, if the Security is set to Static WEP in the VAP Settings of CB Profile, do not use a "Mode" that contains IEEE 802.11n in the Radio Configuration of the AP Profile. Select IEEE 802.11b/g on Radio 1 or IEEE 802.11a on Radio 2 instead.

  • None:
    No authentication or encryption is performed. Everyone can connect to the CB VAP.
    Note
    If you use "None" to build a network such as a guest hotspot, you should consider the consequences for the overall security of your entire network.

  • Static WEP:
    Uses RC4 encryption with fixed keys. Per-client authentication is not performed. We recommend using "WPA Personal" for fixed key security because WEP is vulnerable.

  • WPA Personal:
    Performs authentication and encryption between an AP and a wireless client. It uses per-client keys which are generated from a pre-shared key (PSK). It uses CCMP (AES) as the encryption algorithm.

  • WPA Enterprise:
    Performs authentication and encryption between an AP and a wireless client. It uses per-client keys which are generated on a RADIUS server. It uses CCMP (AES) as the encryption algorithm.

When "Static WEP", "WPA Personal", or "WPA Enterprise" is selected, additional options will be displayed for each security method.
For more details, refer to Additional options for Security.
Captive Portal Specify whether to use Captive Portal on the VAP. Captive Portal displays an authentication page before granting web access.

When either option is selected, wireless clients connected to the corresponding CB VAP will be directed to a page (Captive Portal) that contains text such as licensing and authentication dialogs when they attempt to access any web page with a Web browser. Wireless APs that have applied the CB profile will allow or deny wireless clients according to the options specified in this item. Once successfully authenticated, wireless clients can continue to communicate through the VAP until a certain amount of time has elapsed.

  • External RADIUS:
    The APs will query the RADIUS server.
  • Click-through:
    The APs will display a Click-through page instead of performing RADIUS authentication. The Click-through page does not require authentication with a username/password pair, but can be configured to show an arbitrary "Terms of Use" that users have to accept before use, or to redirect to an external page.
  • External Page Redirect:
    The clients will be able to connect using third-party web credentials such as social networking sites.
  • Disable:
    Select to not use Captive Portal.
The default is "Disable".
If you select "External RADIUS", "Click-through", or "External Page Redirect", the following additional items are displayed:
For more details, refer to Additional options for Captive Portal.
Note
This setting is displayed when "TQ6702 GEN2 / TQ6602 GEN2" or "TQ6602" is selected as AP Model.
Note
Do not enable Captive Portal on the radio used for the WDS connection.
MAC Access Control Select the MAC Access Control method to apply to the relevant VAPs.

  • External RADIUS:
    The APs will query the RADIUS server.
  • MAC Address List:
    Selecting this option will allow or deny connections only to the MAC addresses recorded in the list, according to the MAC address list selected in the MAC Address List field.
  • MAC Address List + External RADIUS:
    Selecting this option allows or denies connections only to the MAC addresses recorded in the list. This list refers to both the MAC address list selected in the MAC address list field at the top of the screen and the external RADIUS server.
    Firstly, it will try to authenticate using the MAC Address List. If a connection cannot be established, it will try to authenticate the connection using an External RADIUS server. If the preceding MAC address list allows a user to connect, the user can still connect even if the external RADIUS server does not grant the access.
  • Disable:
    No MAC access control is performed.

The default is "Disable".

When you select either "External RADIUS" or "MAC Address List + External RADIUS", additional items are also displayed.
For more details, refer to Additional options for MAC Access Control.
Note
When using MAC Access Control with "External RADIUS" on CB VAP, one of the following firmware is required depending on your model.
  • TQ5403 and TQ5403e firmware version 6.0.1-2.x or later
  • TQ6602 firmware version 7.0.1-0.1 or later
  • TQ6602 GEN2 and TQ6702 GEN2 firmware version 8.0.2-1.1 or later
Note
"MAC Address List" is only available if you have selected "TQ Series" for Series and selected a "MAC Address List" in the "Basic Configuration" section in the AP profile.
Note
The option "MAC Address List + External RADIUS" is displayed with selecting "TQ5403 / TQ5403e" or "TQ6702 GEN2 / TQ6602 GEN2" for AP model in "Select an AP model that uses AWC-CB" dialog box.
Fast Roaming Specify whether to use Fast Roaming of wireless clients.
The default is "Disable".
When you select "Enable", you can configure various fast roaming functions.
  • 802.11r FT
  • FT over DS
  • Mobility Domain
  • R0 key Lifetime
  • AES Key
  • IEEE 802.11k RRM
  • IEEE 802.11v WNM
For more details, refer to Additional options for Fast Roaming.
Note
This setting is displayed when "TQ5403 / TQ5403e" or "TQ6602" is selected as AP Model.
Wireless Client Isolation Specify whether to block communications between wireless clients connected to the same CB VAP. Select "Disable" to allow communications between wireless clients. Otherwise select "Enable". The default is "Disable".
Inactivity Timer
Note
With this version, combining usage with Inactivity Timer is not supported on CB VAPs. Use the default setting.
Specify the time, between 5 and 65535 seconds, after which a client will be disconnected if it disappears without disassociating from an AP.
It should also be specified in multiples of 15. If you specify a value that is not a multiple of 15, it will be converted to the nearest multiple greater than the specified value.
The default is 300 (seconds).
Duplicate AUTH received Select how to process connection requests from clients that have maintained a connection.
If you select "Disconnect", it disconnects the previous connection and then accepts the new connection.
If you select "Ignore", it connects as normal, without disconnecting.
The default is "Disconnect".
Note
When "Management Frame Protection" is set to "Capable", "Disconnect" is used regardless of this item's setting.
Association Advertisement Specify whether to use Association Advertisement.
When enabled, a notification broadcast frame is sent to the network configured in Control VLAN when a Wireless Client connects to the AP. The AP that receives this frame updates its wireless client connection information.
The default is "Disable".
Note
To make this function take effect, APs on the same subnet must have "Roaming Notification" set to "Enable" for each other.
DTIM Period Specify how frequently to insert a DTIM (Delivery Traffic Indication Map) in the AP's beacons (every 1 to 5 beacons).
The default is 1. The value of 1 means that a DTIM is inserted in every beacon.

For example, if you set the DTIM interval to 2, one in two beacons has a DTIM inserted (i.e. a beacon with a DTIM and one without a DTIM are transmitted in turn).

When a wireless client operates in power-saving mode, DTIM notifies the client that there is a packet to send to the client. The AP will send the packet to the client once the client is ready to communicate.
Increasing the DTIM interval reduces power consumption but also makes communication less responsive.
Note
This setting is used for support purposes. We do not recommend changing the value.
RSSI Threshold Specify the numerical value of the parameter related to beacon control of CB VAP, in the range of 0 to 91.
Adjusting this parameter may improve the connection / communication status in a Channel Blanket environment.
The default is 30.
Note
This setting is used for support purposes. We do not recommend changing the value.
Tx Power The AP's transmission power can be selected from five levels: "Min", "Low", "Middle", "High" and "Max".
The default is "Max".
Note
This setting is used for support purposes. We do not recommend changing the value.
Note
If you change the Tx Power in the AP-specific configuration settings, the AP-specific setting has priority.
Proxy ARP Specify whether to use Proxy ARP.
  • If enabled, when a managed wireless AP receives an ARP request for a connected client, the wireless AP that has a connection to the client will send an ARP response on behalf of the client. The wireless AP that does not have a connection to this client will discard the ARP request, thereby reducing unnecessary traffic.
    If enabled, when a managed wireless AP receives an ARP request for a connected client, the wireless AP that has a connection to the client will send an ARP response on behalf of the client. The wireless AP that does not have a connection to this client will discard the ARP request, thereby reducing unnecessary traffic. In this case, since multiple wireless APs have connections to the client in a channel blanket, the wireless AP with the strongest connection will send the ARP response representing all the connected APs.
  • If you select "Disable", Proxy ARP will not be activated. That means ARP requests are broadcasted from all wireless APs to their subordinate clients. The corresponding clients send ARP responses themselves.
The default is "Disable".
Force Power Save Disabled Specify whether to force the wireless client to disable the wireless power saving setting.
  • Selecting "Enable" will force the wireless power saving setting to be deactivated for the associating clients of the APs under management.
    Although it may eliminate the unstable connectivity caused by the wireless power saving setting, wireless clients such as laptops, smart phones, and tablets may experience shorter battery life than when this setting is disabled.
  • When "Disable" is selected, the wireless power saving setting will not be removed for the associating clients of the APs under management. Wireless clients such as laptops, smartphones, and tablets may experience longer battery life than when this setting is enabled, but at the same time, their wireless associations may become unstable.
The default is "Disable".
Note
TQ6602 does not support this feature.

Additional options for Security

◼ Static WEP Configuration
Selecting "Static WEP" for Security will show you the following additional items:
Table 4: Additional options for WPA Personal
Item Name Description
Key Length Select the WEP key length. The default is 128bit.
  • 64bit:
    You can directly enter a WEP key with 10 hex digits. Or you can enter 5 ASCII characters to automatically generate a WEP key.
  • 128bit:
    You can directly enter a WEP key with 26 hex digits. Or you can enter 13 ASCII characters to automatically generate a WEP key.
Key Type Select a generation method for the WEP key. The default is "Hex".
  • ASCII:
    Lets you enter an arbitrary string to automatically generate a WEP key. The string is case-sensitive.
  • Hex:
    Lets you directly enter a WEP key with hexadecimal characters (0 to 9, A to F, a to f). Hex characters are not case-sensitive.
Key Index Specify a key to use. The default is 1.
Security Key (WEP Key) Enter a WEP key (in hex) or a seed of a key (in ASCII) according to the selected "Key Length" and "Key Type".
You have to enter the same WEP key as the one specified by "Key Index" on the wireless client.
WEP Authentication Method "Open System" is the recommended option here. The default is "Open System".
It is recommended to use the default "Open System" for security.
  • Open System:
    All wireless clients are allowed to connect regardless of whether they have the correct WEP key. But as wireless clients are only allowed to connect, they cannot communicate without a valid WEP key.
    This option is not only for "WEP" but is also used for "None", "WPA Personal" and "WPA Enterprise".
  • Shared Key:
    Only wireless clients with the correct WEP key can connect. Wireless clients cannot connect without a valid key.
  • Open System and Shared Key:
    A client configured to use Shared Key can connect if it has a valid WEP key.
    A client configured to use Open System can connect regardless of whether it has a correct key.

◼ WPA Personal Configuration
Selecting "WPA Personal" for Security will show you the following additional items:
Table 5: Additional options for WPA Personal
Item Name Description
Security Key (WPA-PSK) Specify an encryption key for the VAP. The key should contain 8 to 63 alphanumeric and symbol characters. The key is case-sensitive.
WPA Versions Select the WPA version(s) to use.
You can select "WPA2" only, or both "WPA2" and "WPA".
The default is "WPA2". Select both for a mixed environment. In that case, the security level of the wireless network is the same as WPA.
Note
WPA is based on a draft of IEEE 802.11i while WPA2 is based on the final version of IEEE 802.11i and therefore meets all mandatory items required by the standard.
Encryption Protocol You can select "CCMP" only or both "CCMP" and "TKIP".
"CCMP" uses the standard encryption algorithm approved by the US Secretary of Commerce. This standard has a strong algorithm.
Note
According to the WPA standard, TKIP is mandatory while CCMP is optional. Our products implement both algorithms.
Management Frame Protection Specify whether to protect management frames. Select "Capable" to use MFP. Otherwise select "Disable". The default is "Disable".
Note
The option "Capable" is displayed only with "WPA2" for the WPA version.
Note
This setting is displayed when "TQ5403 / TQ5403e" or "TQ6602" is selected as AP Model.
Broadcast Key Refresh Rate Specify an interval, between 0 and 86400 seconds, at which to refresh the broadcast key that is sent to clients on the VAP. A value of 0 means that the key is never refreshed. The default is 0.
Note
When you create multiple CB VAPs, the Broadcast Key Refresh Rate will be set to a single value common to all VAPs.
Note
This setting is displayed when "TQ5403 / TQ5403e" or "TQ6602" is selected as AP Model.

◼ WPA Enterprise Configuration
Selecting "WPA Enterprise" for Security will show you the following additional items:
Table 6: Additional options for WPA Enterprise
Item Name Description
RADIUS Server Primary IP Address Enter the IP address of the primary RADIUS server. (mandatory)
RADIUS Server Primary Secret Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). (mandatory)
RADIUS Server Secondary IP Address Enter the IP address of the secondary RADIUS server. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.
WPA Versions Select the WPA version(s) to use.
You can select "WPA2" only, or both "WPA2" and "WPA".
The default is "WPA2". Select both for a mixed environment. In that case, the security level of the wireless network is the same as WPA.
Note
WPA is based on a draft of IEEE 802.11i while WPA2 is based on the final version of IEEE 802.11i and therefore meets all mandatory items required by the standard.
Encryption Protocol You can select "CCMP" only or both "CCMP" and "TKIP".
"CCMP" uses the standard encryption algorithm approved by the US Secretary of Commerce. This standard has a strong algorithm.
Note
According to the WPA standard, TKIP is mandatory while CCMP is optional. Our products implement both algorithms.
Management Frame Protection Specify whether to protect management frames. Select "Capable" to use MFP. Otherwise select "Disable". The default is "Disable".
Note
The option "Capable" is displayed only with "WPA2" for the WPA version.
Note
This setting is displayed when "TQ5403 / TQ5403e" or "TQ6602" is selected as AP Model.
Broadcast Key Refresh Rate Specify an interval, between 0 and 86400 seconds, at which to refresh the broadcast key that is sent to clients on the VAP. A value of 0 means that the key is never refreshed. The default is 0.
Note
Changing the Broadcast Key Refresh Interval is not supported with channel blanket. Do not change its value from the default "0".
Note
This setting is displayed when "TQ5403 / TQ5403e" or "TQ6602" is selected as AP Model.
RADIUS Accounting Specify whether to use RADIUS accounting server to record the resources (such as connection time) used by each user. Select "Enable" to perform accounting. Otherwise select "Disable". The default is "Disable".
Note
This setting is displayed when "TQ5403 / TQ5403e" or "TQ6602" is selected as AP Model.
RADIUS Accounting Port Number Specify a port number on which the RADIUS accounting server is listening. This is valid only when RADIUS Accounting is enabled. The default is 1813.
Note
This item is not supported. Do not enable it.
Note
This setting is displayed when "TQ5403 / TQ5403e" or "TQ6602" is selected as AP Model.
Note
The RADIUS Session-Timeout attribute is not supported on a CB VAP (It is discarded by the APs). : multipar(2)

Additional options for Captive Portal

◼ External RADIUS Configuration
If you select "External RADIUS" for Captive Portal, configure the following items:
Table 7: Additional options for External RADIUS in Captive Portal
Item Name Description
Authentication Page Proxy Specify whether to use an external authentication page or not.
  • Enable:
    Shows an external authentication page. Specify the page URL in "Base URL".
    • Base URL:
      Specify the base URL of the external web authentication page.
      Clients will access the page through the AP's proxy feature instead of direct connection.
      The HTML filename of the external authentication page must be "radius_login.html".
      The AP's proxy will get the page from "Base URL/radius_login.html" and send it back to clients.
      For example, when you specify "http://www.example.com/captive_portal" in "Base URL", the APs will present the content of the page at "http://www.example.com/captive_portal/radius_login.html" to connecting clients.
      For details of the format of radius_login.html, refer to Operation Reference > Authentication > Web Authentication with Captive Portal.
  • Disable:
    Shows an authentication page embedded in the APs.
RADIUS Server Primary IP Address Enter the IP address of the primary RADIUS server. (mandatory)
RADIUS Server Primary Secret Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). (mandatory)
RADIUS Server Secondary IP Address Enter the IP address of the secondary RADIUS server. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters (including spaces). Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.
Redirect type (after user is authenticated) Specify a page to be shown after the user passes web authentication.
  • Keep Session:
    Show the original URL that was entered in the client's browser before web authentication.
  • Fixed URL
    Always show a fixed URL that you specify. Should be 1 to 128 characters in length, with alphabets, numbers and symbols (including spaces).
  • Disable
    Do not redirect the browser after successful web authentication.
Walled Garden Shows the number of entries on the page that use the Walled Garden feature.
The Walled Garden feature allows you to specify which pages can be viewed by users who have not yet completed the authentication or who have not yet been authenticated. If they try to view a page other than specified, the Captive Portal page will appear again.
Clicking on this brings up the "Walled Garden List" dialog box.

  • Walled Garden List
    You can register addresses to use the Walled Garden feature.
    • Address:
      The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered.
    • "Add" button:
      Registers the address entered in the Address field to the list.
    • "Clear" button:
      Deletes the entry of the Address field.
    • "Import from CSV file" button:
      Imports the addresses from a CSV file.
      The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask.
    • X Address:
      Shows the number of address entries registered to the list.
    • Search Walled Garden Address:
      Shows a list of registered addresses that contain the input string.
    • Address:
      Shows an address entry.
    • Delete:
      Deletes the selected entry.
    • "Save" button:
      Saves changes to the Walled Garden List.
    • "Close" button:
      Discard the changes to the Walled Garden List and close the Walled Garden List dialog box.
Session Timeout Specify the client's authentication session timeout; between 0 and 86400 (seconds).
After the client is successfully authenticated, the session automatically terminates when the time set for timeout elapses.
The default is 3600.
Session Timeout Action Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection".
The default is "Reauthentication".

◼ Click-through Configuration
If you select "Click-through" for Captive Portal, configure the following items:
Table 8: Additional options for Click-through in Captive Portal
Item Name Description
Authentication Page Proxy Specify whether to use an external Click-through page or not.
  • Enable:
    Shows an external authentication page. Specify the page URL in "Base URL".
    • Base URL:
      Specify the base URL of the external Click-through page.
      Clients will access the page through the AP's proxy feature instead of direct connection.
      The HTML filename of the external Click-through page must be "click_through_login.html".
      The AP's proxy will get the page from "Base URL/click_through_login.html" and send it back to clients.
      For example, when you specify "http://www.example.com/captive_portal" in "Base URL", APs will present the content of the page at "http://www.example.com/captive_portal/click_through_login.html" to connecting clients.
      For details of the format of click_through_login.html, refer to Operation Reference > Authentication > Web Authentication with Captive Portal.
  • Disable:
    Shows an authentication page embedded in the APs.
    Note
    "Terms of Use" to show on the Authentication Page can be configured on each AP's web interface.
Redirect type (after user is authenticated) Specify a page to be shown after the user passes web authentication.
  • Keep Session:
    Show the original URL that was entered in the client's browser before web authentication.
  • Fixed URL
    Always show a fixed URL that you specify.
  • Disable
    Do not redirect the browser after successful web authentication.
Walled Garden Shows the number of entries on the page that use the Walled Garden feature.
The Walled Garden feature allows you to specify which pages can be viewed by users who have not yet completed the authentication or who have not yet been authenticated. If they try to view a page other than specified, the Captive Portal page will appear again.
Clicking on this brings up the "Walled Garden List" dialog box.

  • Walled Garden List
    You can register addresses to use the Walled Garden feature.
    • Address:
      The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered.
    • "Add" button:
      Registers the address entered in the Address field to the list.
    • "Clear" button:
      Deletes the entry of the Address field.
    • "Import from CSV file" button:
      Imports the addresses from a CSV file.
      The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask.
    • X Address:
      Shows the number of address entries registered to the list.
    • Search Walled Garden Address: Searches for a specific address in the list.
    • Address:
      Shows an address entry.
    • Delete:
      Deletes the selected entry.
    • "Save" button:
      Saves changes to the Walled Garden List.
    • "Close" button:
      Discard the changes to the Walled Garden List and close the Walled Garden List dialog box.
Session Timeout Specify the client's authentication session timeout; between 0 and 86400 (seconds).
After the client is successfully authenticated, the session automatically terminates when the time set for timeout elapses.
The default is 3600.

Session Timeout Action:
Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection".
The default is "Reauthentication".

◼ External Page Redirect Configuration
If you have selected "External Page Redirect" on the Captive Portal, you will need to configure the following items.
Table 9: Additional options for External Page Redirect in Captive Portal
Item Name Description
External Page URL Enter the URL to which the APs redirect the users with 1 to 128 alphanumeric characters. The default is empty.
RADIUS Server Primary IP Address Enter the IP address of the primary RADIUS server. (mandatory)
RADIUS Server Primary Secret Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters. (mandatory)
RADIUS Server Secondary IP Address Enter the IP address of the secondary RADIUS server. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.
Redirect type (after user is authenticated) Specify a page to be shown after the user passes web authentication.
  • Keep Session:
    Show the original URL that was entered in the client's browser before web authentication.
  • Fixed URL
    Always show a fixed URL that you specify.
  • Disable
    Do not redirect the browser after successful web authentication.
Walled Garden Shows the number of entries on the page that use the Walled Garden feature.
The Walled Garden feature allows you to specify which pages can be viewed by users who have not yet completed the authentication or who have not yet been authenticated. If they try to view a page other than specified, the Captive Portal page will appear again.
Clicking on this brings up the "Walled Garden List" dialog box.

  • Walled Garden List
    You can register addresses to use the Walled Garden feature.
    • Address:
      The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered.
    • "Add" button:
      Registers the address entered in the Address field to the list.
    • "Clear" button:
      Deletes the entry of the Address field.
    • "Import from CSV file" button:
      Imports the addresses from a CSV file.
      The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask.
    • X Address:
      Shows the number of address entries registered to the list.
    • Search Walled Garden Address: Searches for a specific address in the list.
    • Address:
      Shows an address entry.
    • Delete:
      Deletes the selected entry.
    • "Save" button:
      Saves changes to the Walled Garden List.
    • "Close" button:
      Discard the changes to the Walled Garden List and close the Walled Garden List dialog box.
Session Timeout Specify the client's authentication session timeout; between 0 and 86400 (seconds).
After the client is successfully authenticated, the session automatically terminates when the time set for timeout elapses.
The default is 3600.
Session Timeout Action Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection".
The default is "Reauthentication".

Additional options for MAC Access Control


◼ When "MAC Address List" or "MAC Address List + External RADIUS" is selected
When you select the option including "MAC Address List", filtering is performed using the MAC address list specified in the AP Profile's "Basic Configuration" section.
The CB Profile screen does not display the name of the MAC Address List to be applied.

◼ When "External RADIUS" or "MAC Address List + External RADIUS" is selected
Table 10: Additional options for External RADIUS in MAC Accessc Control
Item Name Description
RADIUS Server Primary IP Address Enter the IP address of the primary RADIUS server. (mandatory)
RADIUS Server Primary Secret Enter the password to connect to the primary RADIUS server with 128 or less alphanumeric and symbol characters.
RADIUS Server Secondary IP Address Enter the IP address of the secondary RADIUS server. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret Enter the password to connect to the secondary RADIUS server with 128 or less alphanumeric and symbol characters. Leave it blank if you are not using a secondary RADIUS server.
Port Number Enter a port number between 1 and 65535 on which the primary and secondary RADIUS server is listening. The default is 1812.
User-Name Format Separator A client's MAC address is sent to the RADIUS server as a User-Name attribute.
Specify an octet delimiter to use in a User-Name attribute from "Hyphen", "Colon" and "None". The default is "Hyphen".
User-Name Format Letter Case Specify which case to use in a User-Name attribute from "Upper" and "Lower". The default is "Lower".
User-Password Format Specify what is used for a User-Password attribute when a client MAC address is sent to the RADIUS server for authentication. The default is "User Name".
  • If you select "Fixed Password", a string specified in "User-Password Format Password" is always used as the value of the User-Password attribute.
  • If you select "User Name", the same string as the User-Name attribute (MAC Address) is sent to the RADIUS server as the value of the User-Password attribute.
User-Password Format Password Specify a fixed password string which is used when "User-Password Format Type" is set to "Fixed Password".
By default (where "User-Name Format Delimiter" is "Hyphen", "User-Name Format Case" is "Lower" and "User-Password Format Type" is "User Name"), authentication credentials (User-Name and User-Password attributes) of a client will be sent to the RADIUS server as follows:

Additional options for Fast Roaming

Table 11: Additional options for Fast Roaming
Item Name Description
802.11r FT Specify whether to use IEEE 802.11r (Fast Basic Service Set Transition).
When enabled, wireless clients can do IEEE 802.11r fast transition when roaming from one AP to another.
The default is "Disable".
FT over DS Specify whether to request authentication via distributed system (DS).
When enabled, wireless clients send an authentication request to the destination AP via the current (source) AP. (Over The DS.)
When disabled, wireless clients send an authentication request to the destination AP directly over the radio. (Over The Air)
The default is "Disable".
Mobility Domain Specify a mobility domain with 4 hexadecimal digits (0 to 9, A to F, a to f). This is not case-sensitive.
A wireless client can perform IEEE 802.11r fast transition between the APs in the same mobility domain.
The default is "a1b2".
R0 key Lifetime Specify a PMK-R0 lifetime, between 1 and 65535 minutes.
Once the lifetime expires, IEEE 802.11r fast transition is not performed.
The default is 10000.
AES Key Specify an AES key that is used to exchange PMK-R1 between APs with 32 hexadecimal digits (0 to 9, A to F, a to f). This is not case-sensitive. The default is empty.
Note
This is mandatory for every function in the "Fast Roaming" section. Configure this item even if you only use IEEE 802.11k or IEEE 802.11v and you are not going to use IEEE 802.11r fast transition.
IEEE 802.11k RRM Specify whether to use IEEE 802.11k RRM (Radio Resource Management).
The default is "Disable".
IEEE 802.11v WNM Specify whether to use IEEE 802.11v WNM (Wireless Network Management).
The default is "Disable".

Edit CB Profile

  1. Select "Wireless Configuration" > "CB Profile" from the AWC Plug-in menu.
  2. Click "Details" (magnifying glass icon) to the right of the CB Profile you want to edit.
  3. Configuration information for the CB Profile is displayed. Click "Edit" at the top right corner.
  4. Change the information as needed.
  5. Click "Save" at the top right of the Content section.

Delete CB Profile

  1. Select "Wireless Configuration" > "CB Profile" from the AWC Plug-in menu.
  2. Click "Details" (magnifying glass icon) to the right of the CB Profile you want to edit.
  3. Configuration information for the CB Profile is displayed. Click "Delete" at the top right of the Content section.
  4. The "Confirm" dialog box will appear.
  5. Click "Delete".

(C) 2023 Allied Telesis, Inc. All rights reserved.

CC613-04143-00 Rev A

04 Jul 2023 13:01