User Guide: AWC plug-in version 3.15.0 for VST-VRT

Configure CB Profile



This section describes how to create, edit and delete a CB Profile.

Create CB Profile

  1. Select "Wireless Configuration" > "CB Profile" from the AWC Plug-in menu.
    The CB Profile list will appear.

  2. Click "Create" at the top right corner.
  3. The "Select an AP model that uses AWC-CB" dialog box will appear.

    Table 1: "Select an AP model that uses AWC-CB" dialog box
    Item Name Description
    AP Model Select an AP model.

    • TQ7403
      Select this for TQ7403.

    • TQ6403 GEN2:
      Select this for TQ6403 GEN2.

    • TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2:
      Select this for TQ6602 GEN2, TQ6702 GEN2, and TQ6702e GEN2.
      Note
      The following firmware must be applied when mixing TQ6602 GEN2, TQ6702 GEN2, and TQ6702e GEN2.
      • TQ6602 GEN2 / TQ6702 GEN2 firmware version 8.0.5-0.1 or later
      • TQ6702e GEN2 firmware version 9.0.5-0.1 or later

    • TQ6602:
      Select this for TQ6602.

    • TQ5403 / TQ5403e:
      Select this for TQ5403 and TQ5403e.
  4. Select an AP model.
  5. Click "OK".
  6. The "Create CB Profile" screen will appear.

  7. Configure items in the Profile Configuration and VAP (Multiple SSID) Configuration sections as required.
  8. Click "Save" at the top right of the Content section to save the configuration.
    After saving the CB Profile, create a channel blanket, starting from step 4 of Operation Reference > Channel Blanket > Create Channel Blanket.

Profile Configuration

Table 2: Profile Configuration
Item Name Description
CB Profile Name Enter a name for the CB Profile. The name must be 1 to 100 characters long and can contain letters, numbers and symbols (including spaces). (required)
Models Displays the AP model selected in the "Select an AP model that uses AWC-CB" dialog box.
Management Group Select a Management Group that you want to apply this CB Profile to. You cannot uncheck "Default Wireless Group" (required)
  • Search Wireless Management Group: Enter a partial name in the search box to filter the groups in the list. The screen displays only the entries whose names contain that string.
    To remove the filter, delete the string from the search field and press Enter.
    Note
    The search is case-sensitive.

VAP (Multiple SSID) Configuration


Table 3: VAP (Multiple SSID) Configuration
Item Name Description
CB VAP List Shows a list of configured CB VAPs.
This includes the status, radio band, VAP number, SSID and security setting of the CB VAP.
+ Add VAP Creates a new CB VAP.

A CB VAP name is assigned a number sequentially from 1. Note that the number in the CB VAP Name has nothing to do with the "VAP Number" (described later) for the CB VAP. The number of VAPs that can be created depends on the AP model you select.
  • TQ7403
    7 CB VAPs for each radio band (Radio 1 - 2.4GHz, Radio 2 - 5GHz W52, and Radio 3 - 6GHz), i.e. 21 CB VAPs in total
  • TQ6403 GEN2:
    7 CB VAPs for each radio band (Radio 1 - 2.4GHz and Radio 2 - 5GHz W52), i.e. 14 CB VAPs in total
    Note
    TQ6403 GEN2 Radio 3 cannot be used for AWC-CB.
  • TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2:
    7 CB VAPs for each radio band (Radio 1 - 2.4GHz and Radio 2 - 5GHz W52), i.e. 14 CB VAPs in total
  • TQ6602:
    10 CB VAPs for each radio band (Radio 1 - 2.4GHz and Radio 2 - 5GHz W52), i.e. 20 CB VAPs in total
  • TQ5403 / TQ5403e:
    3 CB VAPs for each radio band (Radio 1 - 2.4GHz and Radio 2 - 5GHz W52), i.e. 6 CB VAPs in total
    Note
    TQ5403 and TQ5403e Radio 3 cannot be used for AWC-CB.
Note
It is recommended to use 5 or fewer VAPs per radio band in total, including both multi-channel and blanket VAPs.
Radio Select a radio band to use for this CB VAP.
  • AT-TQ7403
    Select from Radio 1 (2.4 GHz), Radio 2 (5 GHz W52) or Radio 3 (6 GHz). (mandatory)
  • TQ6702 GEN2 / TQ6602 GEN2 / TQ6702e GEN2, TQ6602, TQ6403 GEN2, TQ5403 / AT-TQ5403e
    Select from Radio 1 (2.4 GHz), Radio 2 (5 GHz W52). (mandatory)
Note
"Radio 2 - 5GHz W53" and "Radio 3 - W56" cannot be used for CB VAPs.
Note
When applying a CB profile to TQ6602, TQ6602 GEN2, TQ6702 GEN2, and TQ7403, if the bandwidth is set to 80+80MHz in Radio 2 of the AP profile, only W52 is used, because W53 cannot be used for CB VAP. The APs will operate with the 80 MHz bandwidth in that radio band.
VAP Specify a CB VAP Number (mandatory).
This can be specified as a number from 1 to 8 for TQ5403 and TQ5403e, and from 1 to 16 for TQ6403 GEN2, TQ6602, TQ6602 GEN2, TQ6702 GEN2, and TQ7403.
If you specify the same number for a CB Profile as an existing AP Profile, the CB VAP is used for that number (the AP Profile's VAP with the same number is not used because it is overridden by the CB VAP).
Note
If you do not use multi-channel networks, create a dummy multi-channel VAP 1 in an AP Profile, then create a CB VAP with the "VAP number" of 1 to override the dummy multi-channel VAP. We recommend you configure security on the dummy VAP too.
Channel Select a channel to use for this CB VAP (required)
  • Radio 1: 1ch to 13ch
  • Radio 2:
    • W52
      36ch, 40ch, 44ch, 48ch
  • Radio 3 (TQ7403 only):
    • UNII-5
      1ch, 5ch, 9ch, 13ch, 17ch, 21ch, 25ch, 29ch, 33ch, 27ch, 41ch, 45ch, 49ch, 53ch, 57ch, 61ch, 65ch, 69ch, 73ch, 77ch, 81ch, 85ch, 89ch, 93ch
    • UNII-6
      97ch, 101ch, 105ch, 109ch, 113ch
    • UNII-7
      117ch, 121ch, 125ch, 129ch, 133ch, 137ch, 141ch, 145ch, 149ch, 153ch, 157ch, 61ch, 165ch, 169ch, 173ch, 177ch, 181ch, 185ch
    • UNII-8
      189ch, 193ch, 197ch, 201ch, 205ch, 209ch, 213ch, 217ch, 221ch, 225ch, 229ch, 233ch
Note
Select a channel according to the bandwidth used for the corresponding band set in the AP Profile.
For example, if the bandwidth used for Radio 2 is 40MHz, when creating CB VAP for Radio 2, select the channel from either 36ch or 44ch. 40ch and 48ch are not supported.
Channels that can be selected can be confirmed by "Auto Channel Selection" in the AP Profile.
Note
Selecting a channel that is disabled in "Auto Channel Selection" in the AP Profile is not supported.
VAP Status Enable or disable the CB VAP.
  • If you select "Enable", the CB VAP is enabled on the APs that are applied to the CB Profile.
  • If you select "Disable", the CB VAP is not used. The VAP that is properly configured and enabled in the AP Profile will also be disabled.
The default is "Enable".
VLAN ID Specify a VLAN ID used for communication between the CB VAP and associated clients (required)
Note
Specify a VLAN ID that is different from the AP's management VLAN. When the AP is detected as a guest device, a parent AMF device is configured to collect the guest device information automatically ("dynamic discovery"), and wireless clients get their IP addresses via DHCP.
SSID Specify an SSID (network name) to use on the CB VAP.

The SSID is mapped to the VLAN ID. Enter a name of 1 to 32 alphanumeric characters.
The default is "Default-X" (where X is an automatically assigned CB VAP number) (required)
Broadcast SSID Specify whether to broadcast the SSID on the CB VAP.
  • When enabled, the SSID is included in beacons. When you configure a wireless client, you may be able to see the SSID in a list of wireless networks to connect. This setting also allows wireless clients to connect using an "ANY" connection.
  • When disabled, the SSID is not included in beacons. You may not be able to see the SSID in a wireless network list on a wireless client. In this case, you have to enter the same SSID as the AP on a wireless client. This setting also denies wireless clients from connecting using an "ANY" connection.
The default is "Enable".
Note
An "ANY" connection is a connection where a wireless client tries to connect to an AP by specifying a wildcard or null as the SSID. Even when an "ANY" connection is allowed, clients cannot connect to APs without knowing the correct security key.
Security Select a security mechanism to use.
The available options are "None", "Static WEP", "Enhanced Open", "Enhanced Open Transition Mode", "WPA Personal", and "WPA Enterprise".
The default is "Enhanced Open" (if "TQ7403" is selected for Model and "Radio 3" for Radio) or "None".
Note
If Security is set to "Static WEP" in the VAP settings of the CB Profile, do not use a "Mode" that contains IEEE 802.11n in the Radio Configuration of the AP Profile. Select IEEE 802.11b/g on Radio 1 or IEEE 802.11a on Radio 2 instead.
  • None:
    No authentication or encryption is performed. Everyone can connect to the CB VAP.
    Note
    If you use "None" to build a network such as a guest hotspot, you should consider the consequences for the overall security of your entire network.
    Note
    "None" will not appear if "AT-TQ7403" is selected in the "Select an AP model that uses AWC-CB" dialog box and "Radio 3" is selected for the Radio.
  • Static WEP:
    Uses RC4 encryption with fixed keys. Per-client authentication is not performed. We recommend using "WPA Personal" for fixed key security because WEP is vulnerable.
    Note
    "Static WEP" is not displayed when the selected Mode contains "IEEE 802.11n".
    Note
    This option is displayed when "AT-TQ6602" or "AT-TQ5403 / AT-TQ5403e" is selected in the "Select an AP model that uses AWC-CB" dialog box, and in VAP 1 for each radio band.
  • Enhanced Open:
    Open authentication enables connection to the network without entering a user ID or password, but after open authentication, data between the AP and client is encrypted using the Opportunistic Wireless Encryption (OWE) protocol (128-bit CCMP/AES).
    Note
    This option is displayed when "AT-TQ7403" is selected for the AP model in the "Select an AP model that uses AWC-CB" dialog box.
  • WPA Personal:
    Performs authentication and encryption between an AP and a wireless client. It uses per-client keys which are generated from a pre-shared key (PSK). It uses CCMP (AES) as the encryption algorithm.
  • WPA Enterprise:
    Performs authentication and encryption between an AP and a wireless client. It uses per-client keys which are generated on a RADIUS server. It uses CCMP (AES) as the encryption algorithm.
When "Static WEP", "Enhanced Open", "WPA Personal", or "WPA Enterprise" is selected, additional options will be displayed for each security method.
For more details, refer to Additional Options for Security.
Captive Portal Specify whether to use Captive Portal on the VAP. Captive Portal displays an authentication page before granting web access.

When either option is selected, wireless clients connected to the corresponding CB VAP will be directed to a page (Captive Portal) that contains text such as licensing and authentication dialogs when they attempt to access any web page with a Web browser. Wireless APs that have applied the CB profile will allow or deny wireless clients according to the options specified in this item. Once successfully authenticated, wireless clients can continue to communicate through the VAP until a certain amount of time has elapsed.
  • External RADIUS:
    The APs will query the RADIUS server.
  • Click-through:
    The APs will display a Click-through page instead of performing RADIUS authentication. The Click-through page does not require authentication with a username/password pair, but can be configured to show an arbitrary "Terms of Use" that users have to accept before use, or to redirect to an external page.
  • External Page Redirect:
    The clients will be able to connect using third-party web credentials such as social networking sites.
  • Disable:
    Select to not use Captive Portal.
The default is "Disable".
If you select "External RADIUS", "Click-through", or "External Page Redirect", additional items are displayed.
For more details, refer to Additional Options for Captive Portal.
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2", or "AT-TQ6602" is selected as AP Model.
Note
Do not enable Captive Portal on the radio used for the WDS connection.
MAC Access Control Select the MAC Access Control method to apply to the relevant VAPs.
  • External RADIUS:
    The APs will query the RADIUS server.
  • MAC Address List:
    Selecting this option will allow or deny connections only to the MAC addresses recorded in the list, according to the MAC address list selected in the MAC Address List field.
  • MAC Address List + External RADIUS:
    Selecting this option allows or denies connections only to the MAC addresses recorded in the list. This list refers to both the MAC address list selected in the MAC address list field at the top of the screen and the external RADIUS server.
    Firstly, it will try to authenticate using the MAC Address List. If a connection cannot be established, it will try to authenticate the connection using an External RADIUS server. If the preceding MAC address list allows a user to connect, the user can still connect even if the external RADIUS server does not grant the access.
  • Disable:
    No MAC access control is performed.
The default is "Disable".

When you select either "External RADIUS" or "MAC Address List + External RADIUS", additional items are also displayed.
For more details, refer to Additional Options for MAC Access Control.
Note
When using MAC Access Control with "External RADIUS" on CB VAP, one of the following firmware is required depending on your model.
  • TQ5403 and TQ5403e firmware version 6.0.1-2.x or later
  • TQ6602 firmware version 7.0.1-0.1 or later
  • TQ6602 GEN2 and TQ6702 GEN2 firmware version 8.0.2-1.1 or later
  • TQ6702e GEN2 firmware version 9.0.4-2.1 or later
  • TQ6403 GEN2 firmware version 9.0.4-0.1 or later
  • TQ7403 firmware version 10.0.4-2.1 or later
Note
"MAC Address List" is only available if you have selected a "MAC Address List" in the "Basic Configuration" section in the AP profile.
Note
The option "MAC Address List + External RADIUS" is not displayed when "AT-TQ6602" is selected for the AP model in the "Select an AP model that uses AWC-CB" dialog box.
Area Authentication Specify whether to use the Area Authentication function.
When "Enable" is selected, the AWC Plug-in will make use of the Location Estimation function to find the wireless clients estimated to be in the specific area on the floor map and allow only these clients to connect to this VAP.
Specify the area to permit the clients to connect to in the Floor Map screen separately.
Note
To use the Area Authentication on CB VAP, the following conditions must be met:
  • "Location Estimation" in History Data Retention Period Setting is set effectively in the System Setting screen.
  • On TQ5403, TQ5403e, TQ6403 GEN2, TQ6602 GEN2, TQ6702 GEN2, or TQ7403 APs, Channel Blanket is working, and the VAP with Area Authentication option enabled in the CB Profile is applied.
  • Wireless client has requested connection to the CB VAP of the corresponding channel blanket.
For more details about channel blanket and floor map, refer to Operation Reference > Floor Map > Configure Floor Maps and Operation Reference > Channel Blanket > Overview respectively.
Note
Area Authentication is not supported on TQ6602.
Note
Area Authentication cannot be used in combination with MAC Access Control.
Fast Roaming Specify whether to use Fast Roaming of wireless clients.
The default is "Disable".
When you select "Enable", you can configure various fast roaming functions.
  • 802.11r FT
  • FT over DS
  • Mobility Domain
  • R0 key Lifetime
  • AES Key
  • IEEE 802.11k RRM
  • IEEE 802.11v WNM
For more details, refer to Additional Options for Fast Roaming.
Note
This item is displayed only when "WPA Personal" or "WPA Enterprise" is selected for "Security".
Wireless Client Isolation Specify whether to block communications between wireless clients connected to the same CB VAP. Select "Disable" to allow communications between wireless clients. Otherwise select "Enable". The default is "Disable".
Inactivity Timer
Note
In this version, using the Inactivity Timer on CB VAPs is not supported. Use the default setting.
Specify the time, between 5 and 65535 seconds, after which a client will be disconnected if it disappears without disassociating from an AP.
It should also be specified in multiples of 15. If you specify a value that is not a multiple of 15, it will be converted to the nearest multiple greater than the specified value.
The default is 300 (seconds).
Disconnect after No ACK Specify whether to disconnect the wireless client when there is no response from the wireless client to packets from the wireless AP.
When "Enable" is selected, the wireless client is disconnected after a certain number of packets with no response from the wireless client, regardless of the setting of the Inactivity Timer.
When "Disable" is selected, the wireless client will remain connected even if there is no response to packets from the AP until the Inactivity Timer setting time has elapsed.
The default is "Enable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model. It is not displayed for other models, which behave the same as when it is set to "Enable".
Duplicate AUTH received Select how to process connection requests from clients that have maintained a connection.
  • TQ7403, TQ6403 GEN2, TQ6702 GEN2 / TQ6602 GEN2 / TQ6702e GEN2
    Only "Ignore" is displayed. It connects as normal, without disconnecting.
  • AT-TQ5403 / AT-TQ5403e
    Select from "Disconnect" or "Ignore".
    • If you select "Disconnect", it disconnects the previous connection and then accepts the new connection.
    • If you select "Ignore", it connects as normal, without disconnecting.
    The default is "Disconnect".
    When "Management Frame Protection" is set to "Capable", the AP behaves the same as when "Disconnect" is selected, regardless of this item's setting.
Note
This option is not displayed when "AT-TQ6602" is selected for the AP model in the "Select an AP model that uses AWC-CB" dialog box.
Association Advertisement Specify whether to use Association Advertisement.
When enabled, a notification broadcast frame is sent to the network configured in Control VLAN when a Wireless Client connects to the AP. The AP that receives this frame updates its wireless client connection information.
The default is "Disable".
Note
To make this function take effect, APs on the same subnet must have "Roaming Notification" set to "Enable" for each other.
DTIM Period Specify how frequently to insert a DTIM (Delivery Traffic Indication Map) in the AP's beacons (every 1 to 5 beacons).
The default is 1. The value of 1 means that a DTIM is inserted in every beacon.

For example, if you set the DTIM interval to 2, one in two beacons has a DTIM inserted (i.e. a beacon with a DTIM and one without a DTIM are transmitted in turn).

When a wireless client operates in power-saving mode, DTIM notifies the client that there is a packet to send to the client. The AP will send the packet to the client once the client is ready to communicate.
Increasing the DTIM interval reduces power consumption but also makes communication less responsive.
Note
This setting is used for support purposes. We do not recommend changing the value.
RSSI Threshold Specify the numerical value of the parameter related to beacon control of CB VAP, in the range of 0 to 91.
Adjusting this parameter may improve the connection / communication status in a Channel Blanket environment.
The default is 30.
Note
This setting is used for support purposes. We do not recommend changing the value.
Tx Power The AP's transmission power can be selected from five levels: "Min", "Low", "Middle", "High" and "Max".
The default is "Max".
Note
This setting is used for support purposes. We do not recommend changing the value.
Note
If you change the Tx Power in the AP-specific configuration settings, the AP-specific setting has priority.
Proxy ARP Specify whether to use Proxy ARP.
  • If enabled, when a managed wireless AP receives an ARP request for a connected client, the wireless AP that has a connection to the client will send an ARP response on behalf of the client. The wireless AP that does not have a connection to this client will discard the ARP request, thereby reducing unnecessary traffic.
    In this case, since multiple wireless APs have connections to the client in a channel blanket, the wireless AP with the strongest connection will send the ARP response representing all the connected APs.
    If you select "AT-TQ7403", "AT-TQ6403 GEN2", "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" as the Model, the following items are additionally displayed.

    • Transmit Unlearned ARP Packet

    For APs other than those listed above, when Proxy ARP is enabled, unlearned ARP packets are discarded, the same as when "Transmit Unlearned ARP Packet" is disabled.
    For more details, refer to Additional Options for Proxy ARP.

  • If you select "Disable", Proxy ARP will not be activated. That means ARP requests are broadcast from all wireless APs to their subordinate clients. The corresponding clients send ARP responses themselves.
The default is "Disable".
Force Power Save Disabled Specify whether to force the wireless client to disable the wireless power saving setting.
  • Selecting "Enable" will force the wireless power saving setting to be deactivated for the associating clients of the APs under management.
    Although it may eliminate the unstable connectivity caused by the wireless power saving setting, wireless clients such as laptops, smart phones, and tablets may experience shorter battery life than when this setting is disabled.
  • When "Disable" is selected, the wireless power saving setting will not be removed for the associating clients of the APs under management. Wireless clients such as laptops, smartphones, and tablets may experience longer battery life than when this setting is enabled, but at the same time, their wireless associations may become unstable.
This setting applies to all CB VAPs in common.
The default is "Disable".
Refuse RX ADDBA Requests Specify whether to reject ADDBA (Add Block Acknowledgement) requests from wireless clients.
When "Enable" is selected, it rejects the request for bulk response by Block ACK and suppresses the bulk transmission of packets from the wireless client.
When using IEEE 802.11n or later, if the signal is stable and there are few wireless clients, the wait time for transmit/receive control can be reduced by receiving wireless packets in batches and then sending a Block ACK Packet. However, when many wireless clients are present or when the signal is unstable, the frequency of retransmissions increases, and the transmit/receive control load reduction by Block ACK may not function effectively. In such an environment, enabling this item rejects requests to allow batch transmission, and responds to them one by one for more robust and stable communication.
The default is "Disable".
Note
This setting is displayed when "AT-TQ5403 / AT-TQ5403e" is selected as AP Model.
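
The model, radio, channel and option restrictions in Table 3 can be checked before a profile is saved. The following is an added example, not part of the AWC Plug-in or this guide's own material: it lints one CB VAP definition against those restrictions. The dict keys, the function name and the finding format are assumptions; the model names are the choices shown in the "Select an AP model that uses AWC-CB" dialog box.

```python
# Added example: lint one CB VAP against the constraints in Table 3.
# The dict keys, function name and finding format are hypothetical.
GEN2 = "TQ6702 GEN2 / TQ6602 GEN2 / TQ6702e GEN2"
LEGACY = "TQ5403 / TQ5403e"
MODELS = {"TQ7403", "TQ6403 GEN2", GEN2, "TQ6602", LEGACY}
W52 = {36, 40, 44, 48}       # Radio 2 channels usable by a CB VAP
W52_40MHZ = {36, 44}         # when Radio 2 uses 40 MHz in the AP Profile


def check_cb_vap(model, vap, mgmt_vlan, radio2_bandwidth_mhz=20):
    """Return a list of (severity, message) findings for one CB VAP."""
    if model not in MODELS:
        raise ValueError(f"unknown AP model group: {model!r}")
    out = []
    radio, channel, sec = vap["radio"], vap["channel"], vap["security"]

    # Radio and channel availability.
    if radio == 3 and model != "TQ7403":
        out.append(("error", "Radio 3 can be used for CB VAPs on TQ7403 only"))
    if radio == 1 and not 1 <= channel <= 13:
        out.append(("error", "Radio 1 channel must be 1ch to 13ch"))
    if radio == 2:
        # The guide spells out only the 40 MHz case; other bandwidths
        # are checked against the plain W52 channel list.
        allowed = W52_40MHZ if radio2_bandwidth_mhz == 40 else W52
        if channel not in allowed:
            out.append(("error", f"Radio 2: {channel}ch is not supported "
                                 f"at {radio2_bandwidth_mhz} MHz"))

    # Security mechanism: availability per model, then strength.
    if sec == "None":
        if model == "TQ7403" and radio == 3:
            out.append(("error", '"None" is not offered on TQ7403 Radio 3'))
        else:
            out.append(("warn", "no authentication or encryption: "
                                "everyone can connect"))
    elif sec == "Static WEP":
        if model not in ("TQ6602", LEGACY):
            out.append(("error", '"Static WEP" is not offered for this model'))
        out.append(("warn", "WEP is vulnerable; use WPA Personal for "
                            "fixed-key security"))
    elif sec == "Enhanced Open" and model != "TQ7403":
        out.append(("error", '"Enhanced Open" is offered on TQ7403 only'))

    # Options that exclude each other or depend on the model.
    mac_acl = vap.get("mac_access_control", "Disable")
    if vap.get("area_authentication", False):
        if model == "TQ6602":
            out.append(("error", "Area Authentication is not supported on TQ6602"))
        if mac_acl != "Disable":
            out.append(("error", "Area Authentication cannot be combined "
                                 "with MAC Access Control"))
    if mac_acl == "MAC Address List + External RADIUS" and model == "TQ6602":
        out.append(("error", "MAC Address List + External RADIUS is not "
                             "offered on TQ6602"))
    if vap.get("fast_roaming", False) and sec not in ("WPA Personal",
                                                      "WPA Enterprise"):
        out.append(("error", "Fast Roaming requires WPA Personal or "
                             "WPA Enterprise"))
    if vap.get("captive_portal", "Disable") != "Disable" and model == LEGACY:
        out.append(("error", "Captive Portal is not offered on TQ5403 / TQ5403e"))
    if vap.get("inactivity_timer", 300) != 300:
        out.append(("error", "Inactivity Timer must stay at the default (300) "
                             "on CB VAPs"))

    # VLAN and SSID.
    if vap["vlan_id"] == mgmt_vlan:
        out.append(("warn", "VLAN ID should differ from the AP's management VLAN"))
    if not 1 <= len(vap["ssid"]) <= 32:
        out.append(("error", "SSID must be 1 to 32 characters"))
    return out


# Constructed sample input (not taken from a real deployment).
GUEST_VAP = {"radio": 2, "channel": 40, "security": "None", "vlan_id": 1,
             "ssid": "Guest", "area_authentication": True,
             "mac_access_control": "MAC Address List"}
CORP_VAP = {"radio": 3, "channel": 37, "security": "Enhanced Open",
            "vlan_id": 20, "ssid": "Corp"}

if __name__ == "__main__":
    for sev, msg in check_cb_vap(GEN2, GUEST_VAP, mgmt_vlan=1,
                                 radio2_bandwidth_mhz=40):
        print(f"{sev:5} {msg}")
```

Radio 3 channel numbers and the per-model VAP counts are not checked here.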

Additional Options for Security

◼ Static WEP Configuration
Selecting "Static WEP" for Security will show you the following additional items:
Table 4: Additional Options for Static WEP
Item Name Description
Key Length Select the WEP key length. The default is 128bit.
  • 64bit:
    You can directly enter a WEP key with 10 hex digits. Or you can enter 5 ASCII characters to automatically generate a WEP key.
  • 128bit:
    You can directly enter a WEP key with 26 hex digits. Or you can enter 13 ASCII characters to automatically generate a WEP key.
Key Type Select a generation method for the WEP key. The default is "Hex".
  • ASCII:
    Lets you enter an arbitrary string to automatically generate a WEP key. The string is case-sensitive.
  • Hex:
    Lets you directly enter a WEP key with hexadecimal characters (0 to 9, A to F, a to f). Hex characters are not case-sensitive.
Key Index Specify a key to use. The default is 1.
Security Key (WEP Key) Enter a WEP key (in hex) or a seed of a key (in ASCII) according to the selected "Key Length" and "Key Type".
You have to enter the same WEP key as the one specified by "Key Index" on the wireless client.
WEP Authentication Method The default is "Open System".
It is recommended to use the default "Open System" for security.
  • Open System:
    All wireless clients are allowed to connect regardless of whether they have the correct WEP key. But as wireless clients are only allowed to connect, they cannot communicate without a valid WEP key.
    This option is not only for "WEP" but is also used for "None", "WPA Personal" and "WPA Enterprise".
  • Shared Key:
    Only wireless clients with the correct WEP key can connect. Wireless clients cannot connect without a valid key.
  • Open System and Shared Key:
    A client configured to use Shared Key can connect if it has a valid WEP key.
    A client configured to use Open System can connect regardless of whether it has a correct key.

◼ Additional Options for Enhanced Open
Selecting "Enhanced Open" for Security will show the following additional items:
Table 5: Additional Options for Enhanced Open
Item Name Description
OWE Uses Opportunistic Wireless Encryption (OWE) protocol for encryption. After open authentication, data between the wireless client and the AP is encrypted with 128-bit CCMP/AES encryption. Only "Enable" can be selected.
Management Frame Protection Protects IEEE 802.11 management frames. Only "Required" can be selected.

◼ WPA Personal Configuration
Selecting "WPA Personal" for Security will show you the following additional items:
Table 6: Additional Options for WPA Personal
Item Name Description
Security Key (WPA-PSK) Specify an encryption key for the VAP. The key should contain 8 to 63 alphanumeric and symbol characters. The key is case-sensitive.
WPA Versions Select the WPA version(s) to use.
Select both for a mixed environment. In that case, the security level of the wireless network is the same as the older version.
The configurable options depend on the selection made in the "Select an AP model that uses AWC-CB" dialogue box.
  • TQ7403, TQ6403 GEN2, TQ6702 GEN2 / TQ6602 GEN2 / TQ6702e GEN2:
    • WPA3
    • WPA3 / WPA2
    • WPA2
    • WPA2 / WPA
  • TQ6602, TQ5403 / TQ5403e:
    • WPA2
    • WPA2 / WPA
The default is "WPA2".
Encryption Protocol Select the encryption protocol to use.

The configurable options depend on the selection made in the "Select an AP model that uses AWC-CB" dialogue box, and selected WPA version.
Available options by AP model and WPA version:
  • AT-TQ7403, AT-TQ6403 GEN2, AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2:
    • WPA3, WPA3 / WPA2, WPA2: CCMP
    • WPA2 / WPA: CCMP / TKIP
  • TQ6602, AT-TQ5403 / AT-TQ5403e:
    • WPA2, WPA2 / WPA: CCMP (default) or CCMP / TKIP
Management Frame Protection Displays whether to protect management frames from eavesdropping and forging.
This item changes depending on the selection made in the "Select an AP model that uses AWC-CB" dialogue box.
  • TQ7403, TQ6403 GEN2, TQ6702 GEN2 / AT-TQ6602 GEN2:
    The following fixed settings are made depending on the choice of WPA version.
    • WPA3: Required
    • WPA3 and WPA2: Capable
    • WPA2: Disable
    • WPA2 and WPA: Disable
  • AT-TQ5403 / AT-TQ5403e or AT-TQ6602:
    Select "Capable" to use MFP. Otherwise select "Disable". The default is "Disable".
    Note
    The option "Capable" is displayed only with "WPA2" for the WPA version.
Broadcast Key Refresh Rate Specify an interval, between 0 and 86400 seconds, at which to refresh the broadcast key that is sent to clients on the VAP. A value of 0 means that the key is never refreshed. The default is 0.
Note
When you create multiple CB VAPs, the Broadcast Key Refresh Rate will be set to a single value common to all VAPs.
Note
This setting is displayed when "TQ5403 / TQ5403e" or "TQ6602" is selected as AP Model.

◼ WPA Enterprise Configuration
Selecting "WPA Enterprise" for Security will show you the following additional items:
Table 7: Additional Options for WPA Enterprise
Item Name Description
RADIUS Server Primary IP Address Enter the IP address of the primary RADIUS server. (required)
RADIUS Server Primary Secret Enter the password to connect to the primary RADIUS server with 128 or fewer alphanumeric and symbol characters (including spaces). (required)
RADIUS Server Secondary IP Address Enter the IP address of the secondary RADIUS server. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret Enter the password to connect to the secondary RADIUS server with 128 or fewer alphanumeric and symbol characters (including spaces). Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number Enter a port number between 1 and 65535 on which the primary and secondary RADIUS servers are listening. The default is 1812.
WPA Versions Select the WPA version(s) to use.
Select both for a mixed environment. In that case, the security level of the wireless network is the same as the older version.
The configurable options depend on the selection made in the "Select an AP model that uses AWC-CB" dialogue box.
  • TQ7403, TQ6403 GEN2, TQ6702 GEN2 / TQ6602 GEN2 / TQ6702e GEN2:
    • WPA3
    • WPA3 / WPA2
    • WPA2
    • WPA2 / WPA
  • TQ6602, TQ5403 / TQ5403e:
    • WPA2
    • WPA2 / WPA
The default is "WPA2".
Encryption Protocol Select the encryption protocol to use.
The configurable options depend on the selection made in the "Select an AP model that uses AWC-CB" dialogue box, and selected WPA version.
Available options by AP model and WPA version:
  • AT-TQ7403, AT-TQ6403 GEN2, AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2:
    • WPA3: CCMP or GCMP (default)
    • WPA3 / WPA2, WPA2: CCMP
    • WPA2 / WPA: CCMP / TKIP
  • TQ6602, AT-TQ5403 / AT-TQ5403e:
    • WPA2, WPA2 / WPA: CCMP (default) or CCMP / TKIP
Management Frame Protection Displays whether to protect management frames from eavesdropping and forging.
This item changes depending on the selection made in the "Select an AP model that uses AWC-CB" dialogue box.
  • TQ7403, TQ6403 GEN2, TQ6702 GEN2 / AT-TQ6602 GEN2:
    The following fixed settings are made depending on the choice of WPA version.
    • WPA3: Required
    • WPA3 and WPA2: Capable
    • WPA2: Disable
    • WPA2 and WPA: Disable
  • AT-TQ5403 / AT-TQ5403e or AT-TQ6602:
    Select "Capable" to use MFP. Otherwise select "Disable". The default is "Disable".
    Note
    The option "Capable" is displayed only with "WPA2" for the WPA version.
Broadcast Key Refresh Rate Specify an interval, between 0 and 86400 seconds, at which to refresh the broadcast key that is sent to clients on the VAP. A value of 0 means that the key is never refreshed. The default is 0.
Note
Changing the Broadcast Key Refresh Interval is not supported with channel blanket. Do not change its value from the default "0".
Note
This setting is displayed when "AT-TQ6602" or "AT-TQ5403 / AT-TQ5403e" is selected as AP Model.
RADIUS Accounting Specify whether to use RADIUS accounting server to record the resources (such as connection time) used by each user. Select "Enable" to perform accounting. Otherwise select "Disable". The default is "Disable".
Note
This setting is displayed when "AT-TQ6602" or "AT-TQ5403 / AT-TQ5403e" is selected as AP Model.
RADIUS Accounting Port Number Specify a port number on which the RADIUS accounting server is listening. This is valid only when RADIUS Accounting is enabled. The default is 1813.
Note
This item is not supported. Do not enable it.
Note
This setting is displayed when "AT-TQ6602" or "AT-TQ5403 / AT-TQ5403e" is selected as AP Model.
Verify RADIUS packets Specify whether RADIUS packet verification is performed.
  • When set to "Required", use of the RADIUS Message-Authenticator attribute is always mandatory in communication with the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute.
  • When set to "Disable", use of the RADIUS Message-Authenticator attribute is not mandatory. If a malicious user forges a RADIUS packet, an unauthorized client could be allowed to connect.
The default is "Capable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
RADIUS Timeout Specify the timeout period for a RADIUS Access-Request message with a value from 1 to 29 (unit: second).
If no response is received within this period after the packet is sent to the RADIUS server, the access request is retransmitted or treated as an authentication failure.
Set this value so that the total time for the whole transmission sequence (first transmission plus retransmissions) to the primary and secondary RADIUS servers is 29 seconds or less. For example, the calculation is as follows:
  • When the secondary RADIUS server is not used and the number of RADIUS Retransmit is set to "4":
    Up to 5 authentication requests (the first attempt and 4 retransmissions) are sent to the primary RADIUS server. Therefore, to keep the entire authentication session within 29 seconds, the RADIUS Timeout must be set to "5" or less.
  • When using both the primary and secondary RADIUS servers and setting the number of RADIUS Retransmit to "2":
    Three authentication requests (the first attempt and two retries) are attempted for each RADIUS server, for a total of up to 6 authentication requests. Therefore, to keep the entire authentication session within 29 seconds, the RADIUS Timeout should be set to "4" or less.
The default is 3 (seconds).
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
RADIUS Retransmit Specify the number of retransmissions of Access-Request messages to the RADIUS server with a value from 0 to 8 (unit: times).
Together with the first transmission, a maximum of this setting plus one authentication request will be made to the RADIUS server.
If primary and secondary RADIUS servers are configured, up to this setting plus one authentication requests are sent to the primary RADIUS server, and then up to this setting plus one authentication requests are sent to the secondary RADIUS server in the same manner.
If there is no response to any of these authentication requests, it is treated as an authentication failure.
The default is 1 (time). This means that up to two authentication requests will be made to the primary/secondary RADIUS servers, respectively.
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Retry Interval for Primary Specify the time, from 0 to 600 seconds, after which the AP returns to the primary RADIUS server once communication with the primary RADIUS server has failed and the authentication destination has fallen back to the secondary RADIUS server.
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Dynamic VLAN When enabled, the VLAN included in RADIUS response is assigned to the user.
When disabled, the VLAN configured for the VAP is always applied to the user regardless of the VLAN information in a RADIUS response.
The default is "Disable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Note
The RADIUS Session-Timeout attribute is not supported on a CB VAP (It is discarded by the APs).

Additional Options for Captive Portal

◼ External RADIUS Configuration
If you select "External RADIUS" for Captive Portal, configure the following items:
Table 8: Additional Options for External RADIUS in Captive Portal
Item Name Description
Authentication Page Proxy Specify whether to use an external authentication page or not.
  • Enable:
    Shows an external authentication page. Specify the page URL in "Base URL".
    • Base URL:
      Specify the base URL of the external web authentication page.
      Clients will access the page through the AP's proxy feature instead of direct connection.
      The HTML filename of the external authentication page must be "radius_login.html".
      The AP's proxy will get the page from "Base URL/radius_login.html" and send it back to clients.
      For example, when you specify "http://www.example.com/captive_portal" in "Base URL", the APs will present the content of the page at "http://www.example.com/captive_portal/radius_login.html" to connecting clients.
      For details of the format of radius_login.html, refer to Operation Reference > Authentication > Web Authentication with Captive Portal.
  • Disable:
    Shows an authentication page embedded in the APs.
    If "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected in "Select an AP model that uses AWC-CB", specify the Authentication Page Language in addition.
    • Authentication Page Language:
      Select the display language of the authentication page from "Japanese" or "English". The default is "English".
RADIUS Server Primary IP Address Enter the IP address of the primary RADIUS server. (required)
RADIUS Server Primary Secret Enter the password used to connect to the primary RADIUS server, using 128 or fewer alphanumeric and symbol characters (including spaces). (required)
RADIUS Server Secondary IP Address Enter the IP address of the secondary RADIUS server. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret Enter the password used to connect to the secondary RADIUS server, using 128 or fewer alphanumeric and symbol characters (including spaces). Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number Enter a port number between 1 and 65535 on which the primary and secondary RADIUS servers are listening. The default is 1812.
Verify RADIUS packets Specify whether RADIUS packet verification is performed.
  • When set to "Required", use of the RADIUS Message-Authenticator attribute is always mandatory in communication with the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute.
  • When set to "Disable", use of the RADIUS Message-Authenticator attribute is not treated as mandatory. If a malicious user forges a RADIUS packet, an unauthorized client could be allowed to connect.
The default is "Disable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Redirect type (after user is authenticated) Specify a page to be shown after the user passes web authentication.
  • Keep Session:
    Show the original URL that was entered in the client's browser before web authentication.
  • Fixed URL
    Always show a fixed URL that you specify. Should be 1 to 128 characters in length, with alphabets, numbers and symbols (including spaces).
  • Disable
    Do not redirect the browser after successful web authentication.
Walled Garden Shows the number of entries on the page that use the Walled Garden feature.
The Walled Garden feature lets you specify which pages users can view before they have completed authentication. If they try to view any other page, the Captive Portal page will appear again.
Clicking on this brings up the "Walled Garden List" dialog box.

  • Walled Garden List
    You can register addresses to use the Walled Garden feature.
    • Address:
      The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered.
      When "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected in the "Select an AP model that uses AWC-CB" dialog box, one asterisk (*) can be used as a wildcard when specifying the FQDN in the walled garden entry.
      For example, "*.example.jp" will get hits for "www.example.jp", "ftp.example.jp", etc. Similarly, "example.*" will get hits for "example.com", "example.jp", etc. Up to one wildcard may be used per entry. Multiple wildcards (e.g., "*.example.*") are not allowed.
    • "Add" button:
      Registers the address entered in the Address field to the list.
    • "Clear" button:
      Deletes the entry of the Address field.
    • "Import from CSV file" button:
      Imports the addresses from a CSV file.
      The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask.
    • X Address:
      Shows the number of address entries registered to the list.
    • Search Walled Garden Address:
      Shows a list of registered addresses that contain the input string.
    • Address:
      Shows an address entry.
    • Delete:
      Deletes the selected entry.
    • "Save" button:
      Saves changes to the Walled Garden List.
    • "Close" button:
      Discards the changes to the Walled Garden List and closes the Walled Garden List dialog box.
DNS Proxy for Walled Garden Specifies whether DNS proxying is performed in the walled garden.
  • Only if none of the walled garden entries have been registered using wildcards can "Enable" or "Disable" be selected. The default is "Disable".
  • If at least one wildcard is used in a walled garden entry, it is fixed as "Enable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Session Timeout Specify the client's authentication session timeout; between 0 and 86400 (seconds).
After the client is successfully authenticated, the session automatically terminates when the time set for timeout elapses.
The default is 3600.
Session Timeout Action Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection".
The default is "Reauthentication".

◼ Click-through Configuration
If you select "Click-through" for Captive Portal, configure the following items:
Table 9: Additional Options for Click-through in Captive Portal
Item Name Description
Authentication Page Proxy Specify whether to use an external authentication page or not.
  • Enable:
    Shows an external authentication page. Specify the page URL in "Base URL".
    • Base URL:
      Specify the base URL of the external web authentication page.
      Clients will access the page through the AP's proxy feature instead of direct connection.
      The HTML filename of the external authentication page must be "radius_login.html".
      The AP's proxy will get the page from "Base URL/radius_login.html" and send it back to clients.
      For example, when you specify "http://www.example.com/captive_portal" in "Base URL", the APs will present the content of the page at "http://www.example.com/captive_portal/radius_login.html" to connecting clients.
      For details of the format of radius_login.html, refer to Operation Reference > Authentication > Web Authentication with Captive Portal.
  • Disable:
    Shows an authentication page embedded in the APs.
    If "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected in "Select an AP model that uses AWC-CB", specify the Authentication Page Language and Agreement Message in addition.
    • Authentication Page Language:
      Select the display language of the authentication page from "Japanese" or "English". The default is "English".
    • Agreement Message:
      Create the text of the Terms of Use to be displayed on the AP's authentication page with a maximum length of 1,024 characters.
      Each line break counts as four characters.
      Formatting (font size, color, etc.) is not available.
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2", or "AT-TQ6602" is selected as AP Model.
Redirect type (after user is authenticated) Specify a page to be shown after the user passes web authentication.
  • Keep Session:
    Show the original URL that was entered in the client's browser before web authentication.
  • Fixed URL
    Always show a fixed URL that you specify.
  • Disable
    Do not redirect the browser after successful web authentication.
Walled Garden Shows the number of entries on the page that use the Walled Garden feature.
The Walled Garden feature lets you specify which pages users can view before they have completed authentication. If they try to view any other page, the Captive Portal page will appear again.
Clicking on this brings up the "Walled Garden List" dialog box.

  • Walled Garden List
    You can register addresses to use the Walled Garden feature.
    • Address:
      The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered.
      When "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected in the "Select an AP model that uses AWC-CB" dialog box, one asterisk (*) can be used as a wildcard when specifying the FQDN in the walled garden entry.
      For example, "*.example.jp" will get hits for "www.example.jp", "ftp.example.jp", etc. Similarly, "example.*" will get hits for "example.com", "example.jp", etc. Up to one wildcard may be used per entry. Multiple wildcards (e.g., "*.example.*") are not allowed.
    • "Add" button:
      Registers the address entered in the Address field to the list.
    • "Clear" button:
      Deletes the entry of the Address field.
    • "Import from CSV file" button:
      Imports the addresses from a CSV file.
      The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask.
    • X Address:
      Shows the number of address entries registered to the list.
    • Search Walled Garden Address:
      Shows a list of registered addresses that contain the input string.
    • Address:
      Shows an address entry.
    • Delete:
      Deletes the selected entry.
    • "Save" button:
      Saves changes to the Walled Garden List.
    • "Close" button:
      Discards the changes to the Walled Garden List and closes the Walled Garden List dialog box.
DNS Proxy for Walled Garden Specifies whether DNS proxying is performed in the walled garden.
  • Only if none of the walled garden entries have been registered using wildcards can "Enable" or "Disable" be selected. The default is "Disable".
  • If at least one wildcard is used in a walled garden entry, it is fixed as "Enable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Session Timeout Specify the client's authentication session timeout; between 0 and 86400 (seconds).
After the client is successfully authenticated, the session automatically terminates when the time set for timeout elapses.
The default is 3600.
Session Timeout Action Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection".
The default is "Reauthentication".

◼ External Page Redirect Configuration
If you have selected "External Page Redirect" on the Captive Portal, you will need to configure the following items.
Table 10: Additional Options for External Page Redirect in Captive Portal
Item Name Description
External Page URL Enter the URL to which the APs redirect the users with 1 to 128 alphanumeric characters. The default is empty.
RADIUS Server Primary IP Address Enter the IP address of the primary RADIUS server. (required)
RADIUS Server Primary Secret Enter the password used to connect to the primary RADIUS server, using 128 or fewer alphanumeric and symbol characters. (required)
RADIUS Server Secondary IP Address Enter the IP address of the secondary RADIUS server. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret Enter the password used to connect to the secondary RADIUS server, using 128 or fewer alphanumeric and symbol characters. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number Enter a port number between 1 and 65535 on which the primary and secondary RADIUS servers are listening. The default is 1812.
Verify RADIUS packets Specify whether RADIUS packet verification is performed.
  • When set to "Required", use of the RADIUS Message-Authenticator attribute is always mandatory in communication with the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute.
  • When set to "Disable", use of the RADIUS Message-Authenticator attribute is not treated as mandatory. If a malicious user forges a RADIUS packet, an unauthorized client could be allowed to connect.
The default is "Disable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Redirect type (after user is authenticated) Specify a page to be shown after the user passes web authentication.
  • Keep Session:
    Show the original URL that was entered in the client's browser before web authentication.
  • Fixed URL
    Always show a fixed URL that you specify.
  • Disable
    Do not redirect the browser after successful web authentication.
Walled Garden Shows the number of entries on the page that use the Walled Garden feature.
The Walled Garden feature lets you specify which pages users can view before they have completed authentication. If they try to view any other page, the Captive Portal page will appear again.
Clicking on this brings up the "Walled Garden List" dialog box.

  • Walled Garden List
    You can register addresses to use the Walled Garden feature.
    • Address:
      The address of the site that is accessible from inside the Walled Garden, in the form of an FQDN, an IP address or an IP address/mask. Max 50 entries can be registered.
      When "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected in the "Select an AP model that uses AWC-CB" dialog box, one asterisk (*) can be used as a wildcard when specifying the FQDN in the walled garden entry.
      For example, "*.example.jp" will get hits for "www.example.jp", "ftp.example.jp", etc. Similarly, "example.*" will get hits for "example.com", "example.jp", etc. Up to one wildcard may be used per entry. Multiple wildcards (e.g., "*.example.*") are not allowed.
    • "Add" button:
      Registers the address entered in the Address field to the list.
    • "Clear" button:
      Deletes the entry of the Address field.
    • "Import from CSV file" button:
      Imports the addresses from a CSV file.
      The CSV file can contain one address per line, described in one of the following formats: FQDN, IP address or IP address/mask.
    • X Address:
      Shows the number of address entries registered to the list.
    • Search Walled Garden Address:
      Shows a list of registered addresses that contain the input string.
    • Address:
      Shows an address entry.
    • Delete:
      Deletes the selected entry.
    • "Save" button:
      Saves changes to the Walled Garden List.
    • "Close" button:
      Discards the changes to the Walled Garden List and closes the Walled Garden List dialog box.
DNS Proxy for Walled Garden Specifies whether DNS proxying is performed in the walled garden.
  • Only if none of the walled garden entries have been registered using wildcards can "Enable" or "Disable" be selected. The default is "Disable".
  • If at least one wildcard is used in a walled garden entry, it is fixed as "Enable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Session Timeout Specify the client's authentication session timeout; between 0 and 86400 (seconds).
After the client is successfully authenticated, the session automatically terminates when the time set for timeout elapses.
The default is 3600.
Session Timeout Action Select the action to be taken when the session is timed out, from "Reauthentication" or "Disconnection".
The default is "Reauthentication".
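
The Walled Garden entry rules repeated in Tables 8 to 10 (FQDN, IP address or IP address/mask, at most one wildcard per entry, at most 50 entries, DNS Proxy fixed to "Enable" once a wildcard is present) can be checked before a CSV file is imported. The following is an added example, not code from the AWC plug-in; the function names and the sample CSV are constructed, and treating `*` as one or more hostname characters is an assumption, since the guide gives only the examples quoted above.

```python
import ipaddress
import re

MAX_ENTRIES = 50  # "Max 50 entries can be registered"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
FQDN = re.compile(r"%s(?:\.%s)*" % (LABEL, LABEL))


def classify(entry):
    """Return 'ip', 'ip/mask', 'fqdn' or 'wildcard fqdn'; raise ValueError otherwise."""
    entry = entry.strip()
    if entry.count("*") > 1:
        raise ValueError("more than one wildcard")
    if "*" not in entry:
        try:
            if "/" in entry:
                ipaddress.ip_network(entry, strict=False)
                return "ip/mask"
            ipaddress.ip_address(entry)
            return "ip"
        except ValueError:
            pass  # not an IP form; fall through to the FQDN check
    probe = entry.replace("*", "x")  # the wildcard stands in for hostname text
    if FQDN.fullmatch(probe) and re.search("[A-Za-z]", entry):
        return "wildcard fqdn" if "*" in entry else "fqdn"
    raise ValueError("not an FQDN, IP address or IP address/mask")


def load_walled_garden(csv_text, wildcards_allowed=True):
    """Validate a one-address-per-line CSV and report the resulting DNS Proxy state."""
    entries, errors = [], []
    for lineno, line in enumerate(csv_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            kind = classify(line)
            if kind == "wildcard fqdn" and not wildcards_allowed:
                raise ValueError("wildcards are not available for this AP model")
            entries.append((line.strip(), kind))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    if len(entries) > MAX_ENTRIES:
        errors.append((0, "more than %d entries" % MAX_ENTRIES))
    has_wildcard = any(kind == "wildcard fqdn" for _, kind in entries)
    return {"entries": entries, "errors": errors,
            "dns_proxy": "Enable (fixed)" if has_wildcard else "Enable or Disable"}


def in_walled_garden(dest, entries):
    """True if an unauthenticated client may reach dest (hostname or IP address)."""
    dest = dest.lower().rstrip(".")
    for text, kind in entries:
        if kind in ("ip", "ip/mask"):
            try:
                if ipaddress.ip_address(dest) in ipaddress.ip_network(text, strict=False):
                    return True
            except ValueError:
                continue  # dest is a hostname, this entry is an address
        else:
            pattern = re.escape(text.lower()).replace(r"\*", "[a-z0-9.-]+")
            if re.fullmatch(pattern, dest):
                return True
    return False


# Constructed sample file: lines 6 and 7 break the rules in the guide.
SAMPLE_CSV = "\n".join([
    "www.example.com", "*.example.jp", "example.*", "192.0.2.10",
    "198.51.100.0/24", "*.example.*", "10.0.0.999"])

if __name__ == "__main__":
    result = load_walled_garden(SAMPLE_CSV)
    for item in result["entries"] + result["errors"]:
        print(item)
    print("DNS Proxy for Walled Garden:", result["dns_proxy"])
```

Pass `wildcards_allowed=False` for the AP models on which the guide does not offer wildcards.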

Additional Options for MAC Access Control


◼ When "MAC Address List" or "MAC Address List + External RADIUS" is selected
When you select the option including "MAC Address List", filtering is performed using the MAC address list specified in the AP Profile's "Basic Configuration" section.
The CB Profile screen does not display the name of the MAC Address List to be applied.

◼ When "External RADIUS" or "MAC Address List + External RADIUS" is selected
Table 11: Additional Options for External RADIUS in MAC Access Control
Item Name Description
RADIUS Server Primary IP Address Enter the IP address of the primary RADIUS server. (required)
RADIUS Server Primary Secret Enter the password used to connect to the primary RADIUS server, using 128 or fewer alphanumeric and symbol characters.
RADIUS Server Secondary IP Address Enter the IP address of the secondary RADIUS server. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Secondary Secret Enter the password used to connect to the secondary RADIUS server, using 128 or fewer alphanumeric and symbol characters. Leave it blank if you are not using a secondary RADIUS server.
RADIUS Server Port Number Enter a port number between 1 and 65535 on which the primary and secondary RADIUS servers are listening. The default is 1812.
Verify RADIUS packets Specify whether RADIUS packet verification is performed.
  • When set to "Required", use of the RADIUS Message-Authenticator attribute is always mandatory in communication with the RADIUS server. In this case, the RADIUS server must support the RADIUS Message-Authenticator attribute.
  • When set to "Disable", use of the RADIUS Message-Authenticator attribute is not treated as mandatory. If a malicious user forges a RADIUS packet, an unauthorized client could be allowed to connect.
The default is "Disable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
User-Name Format Separator A client's MAC address is sent to the RADIUS server as a User-Name attribute.
Specify an octet delimiter to use in a User-Name attribute from "Hyphen", "Colon" and "None". The default is "Hyphen".
User-Name Format Letter Case Specify which case to use in a User-Name attribute from "Upper" and "Lower". The default is "Lower".
User-Password Format Specify what is used for a User-Password attribute when a client MAC address is sent to the RADIUS server for authentication. The default is "User Name".
  • If you select "Fixed Password", a string specified in "User-Password Format Password" is always used as the value of the User-Password attribute.
  • If you select "User Name", the same string as the User-Name attribute (MAC Address) is sent to the RADIUS server as the value of the User-Password attribute.
User-Password Format Password Specify a fixed password string which is used when "User-Password Format Type" is set to "Fixed Password".
Dynamic VLAN When enabled, the VLAN included in RADIUS response is assigned to the user.
When disabled, the VLAN configured for the VAP is always applied to the user regardless of the VLAN information in a RADIUS response.
The default is "Disable".
Note
This setting is displayed when "AT-TQ7403", "AT-TQ6403 GEN2", or "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected as AP Model.
Two-step auth with Captive Portal When any authentication method except "None" is selected for Captive Portal, the authentication will be performed in two steps: Captive Portal and MAC Access Control.
  • When you select "Enable", only the wireless clients which have been authenticated by both MAC Access Control, and then Captive Portal, will be able to communicate via the relevant VAP.
  • When you select "Disable", the wireless clients which have been granted by either MAC Access Control, or by Captive Portal separately will be able to communicate via the relevant VAP.
Note
This option is displayed when "AT-TQ6702 GEN2 / AT-TQ6602 GEN2 / AT-TQ6702e GEN2" is selected for AP model in the "Select an AP model that uses AWC-CB" dialog box.
By default (where "User-Name Format Delimiter" is "Hyphen", "User-Name Format Case" is "Lower" and "User-Password Format Type" is "User Name"), authentication credentials (User-Name and User-Password attributes) of a client will be sent to the RADIUS server as follows:
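
As an added example (not from the guide or the AP firmware), the sketch below builds the User-Name and User-Password values from the format settings in this table, places them in a RADIUS Access-Request, and performs the Message-Authenticator check that "Verify RADIUS packets" relies on, using the RFC 2865 and RFC 2869 computations. The MAC address, shared secret, packet bytes and function names are constructed, and the two-hex-digits-per-octet layout of the User-Name is an assumption.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def mac_credentials(mac, separator="Hyphen", case="Lower",
                    pw_format="User Name", fixed_password=""):
    """User-Name / User-Password strings for a client MAC (octet layout assumed)."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    digits = digits.upper() if case == "Upper" else digits.lower()
    sep = {"Hyphen": "-", "Colon": ":", "None": ""}[separator]
    user = sep.join(digits[i:i + 2] for i in range(0, 12, 2))
    return user, (fixed_password if pw_format == "Fixed Password" else user)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    data = password.encode() or b"\x00"
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += prev
    return out

def attr(type_, value):
    return bytes([type_, len(value) + 2]) + value

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def add_message_authenticator(code, ident, request_auth, attrs, secret):
    """Append HMAC-MD5(secret, packet with the 16-byte value zeroed)."""
    zeroed = packet(code, ident, request_auth, attrs + attr(MSG_AUTH, bytes(16)))
    return attrs + attr(MSG_AUTH, hmac.new(secret, zeroed, hashlib.md5).digest())

def build_reply(code, ident, request_auth, attrs, secret, sign=True):
    """Server side; used here only to construct sample replies."""
    if sign:
        attrs = add_message_authenticator(code, ident, request_auth, attrs, secret)
    resp_auth = hashlib.md5(packet(code, ident, request_auth, attrs) + secret).digest()
    return packet(code, ident, resp_auth, attrs)

def check_reply(reply, request_auth, secret):
    """Return 'valid', 'invalid' or 'absent' for the Message-Authenticator."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "invalid"
    code, ident = reply[0], reply[1]
    body, pos, found = bytearray(reply[20:]), 0, None
    while pos < len(body):
        size = body[pos + 1] if pos + 1 < len(body) else 0
        if size < 2 or pos + size > len(body):
            return "invalid"  # malformed attribute list
        if body[pos] == MSG_AUTH:
            if size != 18 or found is not None:
                return "invalid"
            found = bytes(body[pos + 2:pos + 18])
            body[pos + 2:pos + 18] = bytes(16)
        pos += size
    if found is None:
        return "absent"
    # A reply is authenticated against the Request Authenticator of its request.
    expect = hmac.new(secret, packet(code, ident, request_auth, bytes(body)),
                      hashlib.md5).digest()
    return "valid" if hmac.compare_digest(found, expect) else "invalid"

def accept_reply(status, verify_mode):
    """verify_mode: "Required" or "Disable" as named in the guide. Rejecting an
    'invalid' value under "Disable" as well is this example's own choice."""
    if verify_mode not in ("Required", "Disable"):
        raise ValueError("mode not modelled here: %r" % verify_mode)
    return status == "valid" or (status == "absent" and verify_mode == "Disable")

SECRET = b"constructed-shared-secret"  # constructed sample value
REQ_AUTH = bytes(range(16))            # constructed; real requests use random bytes

def demo():
    user, password = mac_credentials("00:1A:2B:3C:4D:5E")  # constructed MAC
    attrs = attr(1, user.encode()) + attr(2, hide_password(password, SECRET, REQ_AUTH))
    request = packet(1, 7, REQ_AUTH,
                     add_message_authenticator(1, 7, REQ_AUTH, attrs, SECRET))
    signed = build_reply(2, 7, REQ_AUTH, b"", SECRET)      # Access-Accept
    replies = {"signed": signed,
               "unsigned": build_reply(2, 7, REQ_AUTH, b"", SECRET, sign=False),
               "tampered": signed[:-1] + bytes([signed[-1] ^ 1])}
    return user, password, request, {k: check_reply(v, REQ_AUTH, SECRET)
                                     for k, v in replies.items()}

if __name__ == "__main__":
    print(demo())
```

With "Required", only the signed reply is accepted; with "Disable", the unsigned reply is accepted as well, which is the case the guide's description of "Disable" refers to.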

Additional Options for Fast Roaming

Table 12: Additional Options for Fast Roaming
Item Name Description
802.11r FT Specify whether to use IEEE 802.11r (Fast Basic Service Set Transition).
When enabled, wireless clients can do IEEE 802.11r fast transition when roaming from one AP to another.
The default is "Disable".
FT over DS Specify whether to request authentication via distributed system (DS).
When enabled, wireless clients send an authentication request to the destination AP via the current (source) AP. (Over The DS.)
When disabled, wireless clients send an authentication request to the destination AP directly over the radio. (Over The Air)
The default is "Disable".
Note
Fast roaming with FT over DS enabled is not supported on TQ7403 Radio 3. When "AT-TQ7403" is selected for AP Model, set this item to "Disable" when using the Fast Roaming function on Radio 3.
Mobility Domain Specify a mobility domain with 4 hexadecimal digits (0 to 9, A to F, a to f). This is not case-sensitive.
A wireless client can perform IEEE 802.11r fast transition between the APs in the same mobility domain.
The default is "a1b2".
R0 key Lifetime Specify a PMK-R0 lifetime, between 1 and 65535 minutes.
Once the lifetime expires, IEEE 802.11r fast transition is not performed.
The default is 10000.
AES Key Specify an AES key that is used to exchange PMK-R1 between APs with 32 hexadecimal digits (0 to 9, A to F, a to f). This is not case-sensitive. The default is empty.
Note
This is mandatory for every function in the "Fast Roaming" section. Configure this item even if you only use IEEE 802.11k or IEEE 802.11v and you are not going to use IEEE 802.11r fast transition.
IEEE 802.11k RRM Specify whether to use IEEE 802.11k RRM (Radio Resource Management).
The default is "Disable".
Note
This setting is displayed when "AT-TQ6602" or "AT-TQ5403 / AT-TQ5403e" is selected as AP Model.
IEEE 802.11v WNM Specify whether to use IEEE 802.11v WNM (Wireless Network Management).
The default is "Disable".
Note
This setting is displayed when "AT-TQ6602" or "AT-TQ5403 / AT-TQ5403e" is selected as AP Model.

Additional Options for Proxy ARP

Table 13: Additional Options for Proxy ARP
Item Name Description
Transmit Unlearned ARP Packet
Specify whether to transmit unlearned ARP Packet.
The default is "Disable", which discards ARP requests addressed to wireless clients not connected to the AP and does not flood the wireless output.
For Proxy ARP to work, an AP must learn the IP information of connected wireless clients. Learning is performed from one of the following frames.
Wireless clients that do not send these frames will not be learned in the AP's ARP table and will not be able to communicate.
  • DHCP Ack *1
  • ARP Announcement *2
  • ARP Probe *2
  • ARP request *2
  • ARP reply *2
*1 When a DHCP Ack is sent to the wireless client.
*2 When the relevant frame from the wireless client is sent.

When set to "Enable", an ARP request addressed to an IP address not learned in the AP's ARP table will be flooded to the wireless output to attempt address resolution.
This can prevent some wireless clients from going unlearned, but it consumes wireless bandwidth because more queries for unlearned IP addresses are made.

Edit CB Profile

  1. Select "Wireless Configuration" > "CB Profile" from the AWC Plug-in menu.
  2. Click "Details" (magnifying glass icon) to the right of the CB Profile you want to edit.
  3. Configuration information for the CB Profile is displayed. Click "Edit" at the top right corner.
  4. Change the information as needed.
  5. Click "Save" at the top right of the Content section.

Delete CB Profile

  1. Select "Wireless Configuration" > "CB Profile" from the AWC Plug-in menu.
  2. Click "Details" (magnifying glass icon) to the right of the CB Profile you want to delete.
  3. Configuration information for the CB Profile is displayed. Click "Delete" at the top right of the Content section.
  4. The "Confirm" dialog box will appear.
  5. Click "Delete".

10 Nov 2025 11:49