Manage Security Settings

The security settings for a virtual AP can be:

  • Open — Open means no security settings are applied. This is the default security setting.
  • WEP — WEP stands for Wireless Equivalent Privacy. WEP is a deprecated security algorithm for IEEE 802.11 networks. This has been provided for backward compatibility purposes only.
  • WPA2 — WPA2 is the latest and most secure protocol. It fully implements the IEEE 802.11i standard. If WPA2 is selected as the security protocol, an additional security mechanism of 802.11w management frame protection (MFP) can be enabled to protect a certain class of management frames and prevent spoofing attacks. 802.11w MFP protects the deauthentication, disassociation, and robust action management frames. Integrity Group Temporal Key (IGTK) is used to provide an integrity check for multicast management action frames. Pairwise Transient Key (PTK) is used to encrypt and protect unicast management action frames.

802.11w MFP can be enabled on an optional or required basis. When it is optional, both 802.11w and non-802.11w clients can connect to the AP. When it is required, only 802.11w clients are allowed to connect to the AP. 802.11w management frame protection is disabled by default.

  • WPA and WPA2 mixed mode — A mix of WPA and WPA2 protocols.
  • Hotspot 2.0 OSEN (OSU Server-Only Authenticated Layer 2 Encryption Network) — Select this option if you configure a Wi-Fi profile to use for an online sign-up SSID for a production Hotspot 2.0 Release 2 Wi-Fi profile. When you select this option, you must also configure the RADIUS server parameters.

Pre-Shared Key (PSK) is generally used for small office networks.

In larger enterprise networks, RADIUS authentication is typically used. For more information, see RADIUS Server Authentication.

WEP Settings

Field

Description

Authentication Type

Select Open if you do not want to use authentication. In this case, the key is used for encryption only. Select Shared if the authentication type is shared key. The same key is used for both encryption and authentication.

WEP Type

Select WEP40 or WEP104.

Key Type

Select the ASCII option to type the WEP key in ASCII format. The AP converts this value to hexadecimal internally.

Select the HEX option to type the key in hexadecimal format.

Key

The WEP key is stored as a sequence of hexadecimal digits; a key typed in ASCII is converted to hexadecimal by the AP.

If the WEP Type is WEP40, type the key as a five-character ASCII key or a 10-digit hexadecimal key, depending on the Key Type that you select.

If the WEP Type is WEP104, type the key as a 13-character ASCII key or a 26-digit hexadecimal key, depending on the Key Type that you select.

Show Key

Select this check box to see the actual key on the screen. If this check box is cleared, the key is masked.

WPA2 and WPA/WPA2 Mixed Mode Settings

Field

Description

PSK

Select the PSK option if you want to use a pre-shared key. The Passphrase field is enabled when this option is selected.

Passphrase

Specify the shared key of length 8–63 ASCII characters for PSK authentication.

Show Passphrase

Select the eye icon to display the actual passphrase.

802.1x

Select the 802.1x option if you want to use a RADIUS server for authentication.

Opportunistic Key Caching

Enable client fast handoff using the opportunistic key caching method. Key caching works only within the same subnet, not across subnets.

Pre-authentication

Enable client fast handoff using the Pre-Authentication method.

NAS ID

This field is used when a network access server (NAS) serves as a single point to access network resources. A NAS supports hundreds of simultaneous users. When a RADIUS client connects to a NAS, the NAS sends access request packets to the RADIUS server. These packets must contain either the NAS IP address or the NAS identifier. The NAS ID or the NAS-Identifier is used to authenticate RADIUS clients with the RADIUS server. You can specify a string for the NAS ID. You can use one or more of the special format specifiers %m, %n, %l and/or %s to represent the NAS ID. The AP replaces %m with the Ethernet MAC address of the AP. The AP replaces %s with the SSID. The AP replaces %l with the location tag. The AP replaces %n with the device name. You can repeat the format specifiers. The default value of NAS ID is %m-%s. The NAS ID corresponds to the NAS-Identifier attribute on the RADIUS server. The attribute ID for the NAS-Identifier RADIUS attribute is 32. Ensure that the NAS ID is not the same as the shared secret configured for the RADIUS server in the RADIUS Authentication section.

The AP uses the first 255 characters if the length of this parameter exceeds 255 characters.

Called Station ID

A free-form text parameter that the AP passes to the RADIUS server in the standard RADIUS parameter, Called-Station-Id, during the authentication or accounting process. You can use one or more of the special format specifiers %m, %n, %l and/or %s to represent the called station ID. The AP replaces %m with the Ethernet MAC address of the AP. The AP replaces %s with the SSID. The AP replaces %l with the location tag. The AP replaces %n with the device name. You can repeat the format specifiers. You can enter text instead of using the format specifiers.

The AP uses only the first 255 characters if the length of this parameter exceeds 255 characters.
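The format-specifier expansion, 255-character limit and shared-secret check described for NAS ID and Called Station ID above, as an added example (not WatchGuard code; the sample AP values and function names are constructed assumptions):

```python
# Added example (not WatchGuard code): expand the NAS ID / Called-Station-Id
# format specifiers, apply the AP's 255-character limit and flag a NAS ID
# that equals the RADIUS shared secret.

SPECIFIERS = {
    "%m": "mac",       # Ethernet MAC address of the AP
    "%s": "ssid",      # SSID
    "%l": "location",  # location tag
    "%n": "name",      # device name
}

MAX_LEN = 255  # the AP keeps only the first 255 characters

# Constructed sample AP; placeholder values, not a real device
SAMPLE_AP = {
    "mac": "00:11:22:33:44:55",
    "ssid": "Corp-WiFi",
    "location": "HQ-Floor2",
    "name": "ap-lobby-01",
}


def expand_nas_template(template, ap):
    """Replace %m/%s/%l/%n with the AP's values; specifiers may repeat."""
    # Literal text and unknown %x sequences are copied through unchanged.
    # Not truncated here, so callers can see the full expanded length.
    out = []
    i = 0
    while i < len(template):
        token = template[i:i + 2]
        if token in SPECIFIERS:
            out.append(ap[SPECIFIERS[token]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def check_nas_id(template, ap, shared_secret):
    """Return (nas_id_as_sent, problems) for a NAS ID template."""
    full = expand_nas_template(template, ap)
    problems = []
    if len(full) > MAX_LEN:
        problems.append(f"expanded NAS ID is {len(full)} chars; AP keeps the first {MAX_LEN}")
    nas_id = full[:MAX_LEN]
    if nas_id == shared_secret:
        problems.append("NAS ID must not equal the RADIUS shared secret")
    return nas_id, problems
```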

COA

Select the check box to enable change of authorization (COA) for a user session after the session has been authenticated. When COA is enabled, you can change the per-user VLAN settings and per-user bandwidth settings for an authenticated user session. Make sure that port 3799 is open on the firewall for COA packets sent from the RADIUS server to the AP.

Enable Dynamic VLANs

Select the check box to enable the AP to accept the VLAN for the current user from the RADIUS server. When dynamic VLANs are enabled, BYOD, firewall, portal, and NAT features are disabled for the Wi-Fi profile.

When the check box is selected, you can enter a list of dynamic VLANs. The list of dynamic VLANs must be a comma-separated list of VLAN IDs. If the RADIUS server does not return a VLAN ID or returns a VLAN ID that is not in the list of dynamic VLANs configured in the Wi-Fi profile, the AP redirects the user traffic to the default VLAN (the VLAN ID specified in the Wi-Fi profile network settings).

WPA2 802.11w Settings

Field

Description

802.11w Management Frame Protection

802.11w management frame protection is disabled by default. To enable 802.11w management frame protection, select Optional or Required. When Required is selected, only 802.11w clients are allowed to connect to the AP. When Optional is selected, both 802.11w and non-802.11w clients are allowed to connect to the AP.

Group Management Cipher Suite

A cipher suite is a combination of security and encryption algorithms. The AES-128-CMAC algorithm is supported and selected by default.

SA Query Max Timeout

The time, in seconds, for which the AP waits for a response from the requesting client to the SA query request sent by the AP. If no response is received within this period, the client is ignored. Association frames are not protected because they must be open to establish an association between the client and the AP. The security association (SA) query frame is sent by the AP to the requesting client to determine whether the request is spoofed. A genuine client responds to the protected SA query frame; the AP rejects a spoofed request when no response is received.

SA Query Retry Timeout

The time, in milliseconds, for which a client can request to associate with the AP after the SA Query max timeout.

WPA2 802.11r Settings

Field

Description

Enable 802.11r

Select the check box to enable 802.11r on the SSID profile.

Over the DS

Select the check box if you want to set a preference for clients to roam by using the over-the-distribution-system (DS) mode of roaming. The client devices govern the mode of roaming from one AP to another. When the check box is not selected, clients roam over the air. A client can roam over the air whether or not this preference is specified.

Mixed Mode

Select the check box to enable mixed mode. When mixed mode is enabled, both 802.11r compatible devices and 802.11r non-compatible devices connect to the SSID to which the SSID profile has been applied.

Client Isolation

Client isolation is an SSID-specific option that prevents communication between wireless clients connected to the same network. This includes clients on the same radio, different radios of an AP, or on different APs. Wireless clients also cannot communicate with wired-side hosts on the same network.

Client isolation is useful in guest Wi-Fi access deployments to prevent communications between guest clients.

Note these limitations when you enable client isolation:

  • Wi-Fi clients cannot communicate with any other wired or wireless host on the same network. This includes:
      • Local printers
      • NAS drives
      • Any other locally hosted service, such as local DNS servers

Note that if the other wired or wireless host is on a different network that is routable via your default gateway, that traffic is not limited by client isolation.

  • These features do not work when client isolation is enabled:
      • External portal hosted on a local network
      • L2TIF
  • IPv6 is not supported by client isolation. Wireless clients can still communicate with each other over IPv6.
  • Clients connected to the same SSID but mapped to different VLANs on different APs cannot be isolated. You can perform this isolation with your router configuration.
  • A VLAN where all clients have static IP addresses cannot be isolated.

Mitigate WPA/WPA2 Key Reinstallation Vulnerabilities

This option mitigates recently discovered WPA/WPA2 vulnerabilities that affect APs and clients. Vulnerabilities have been discovered in how APs and clients implement state machines in software for WPA/WPA2 temporal key generation and transportation handshakes. The vulnerabilities can be exploited by manipulating certain handshake messages over the air. The exploit results in the reuse of some packet numbers when handshakes are performed.

WatchGuard has addressed these vulnerabilities in Wi-Fi Cloud and AP software. To address client vulnerabilities, you must update the client OS software to a version that includes fixes to address these vulnerabilities.

Until clients are updated, APs can mitigate these client vulnerabilities by blocking handshake messages that can potentially exploit clients, and force clients to reauthenticate. This option is disabled by default. This mitigation logic can trigger for other similar dropped packet symptoms, for example, natural frame errors during a handshake, or dropped packets when a client roams from one AP to another or roams beyond the range of the current AP connection. This can cause some legitimate client authentication connections to fail and be reestablished.

WatchGuard recommends you enable this mitigation feature until you have updated all your client software to address the client vulnerabilities.

WatchGuard Wi-Fi Cloud WIPS (Wireless Intrusion Prevention System) with dedicated WIPS sensors provides zero-day protection against these vulnerabilities if you enable the MAC Spoofing option in your Intrusion Prevention configuration and prevention is enabled. WIPS blocks the exploit until you upgrade APs and clients. For more information, see Configure Wi-Fi Cloud Intrusion Prevention.

Secondary Authentication

When you enable secondary authorization on your network, a wireless user is first authenticated on the wireless network (with PSK or 802.1x), and then the device used to connect to the network is authenticated to check whether it is an authorized device.

The device authorization can be enforced through Google Device authorization, or RADIUS MAC authentication.

  • Google Device Authorization — Google Integration must be configured in Configuration > Device Configuration > Google Integration for this option to take effect. If Google Integration is not configured and this option is selected, then the authorized clients are either disconnected or assigned a role profile as configured in the SSID. This option is not available with the WEP security mode. For more information, see Google Device Authorization.
  • RADIUS MAC Authentication — This option is available only if the Security Mode is set to Open, WPA2 or Mixed mode. For WPA2 and Mixed mode, PSK must be selected. This option is not available with 802.1x. For more information, see RADIUS MAC Authentication.

RADIUS Server Authentication

For larger enterprise networks, you can use RADIUS authentication. Enterprises sometimes use RADIUS attributes to propagate network policies across multiple points of access. Users are divided into groups and policies are applied to each group to effectively control access to network resources. Each user group is redirected to a different VLAN based on the policies applicable to that user group. For example, sales personnel would have access to a VLAN that is different from the VLAN accessed by HR personnel.

For more information and a configuration example, see Dynamic VLAN Assignment in WatchGuard Wi-Fi Cloud.

An AP can retrieve the VLAN associated with the user from the RADIUS server. This option is available only for WPA2, and WPA and WPA2 mixed mode when 802.1x is enabled on the Wi-Fi profile. Based on the VLAN returned by the RADIUS server, the AP dynamically redirects the network traffic of a RADIUS-authenticated user to the VLAN that is associated with the group to which the user belongs. Until the RADIUS server authenticates the user, the EAP packets will pass through the default VLAN.

The VLAN ID that is set in the Wi-Fi profile network settings is used as the default VLAN.

To enable RADIUS-based assignment of VLANs, you must enable dynamic VLANs on the Wi-Fi profile and specify a list of dynamic VLANs that RADIUS users can be redirected to. If the VLAN specific to the user group is not present, the default VLAN is used.

These RADIUS attributes must be set on the RADIUS side for each user group for the RADIUS server and AP communication.

Attribute

Value

Tunnel Type

Set this to VLAN.

Tunnel Medium Type

Set this to 802.

Tunnel Private Group ID

Type the VLAN ID to be assigned to the user group.
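The VLAN selection rules above (dynamic VLAN list, fallback to the default VLAN, and the three tunnel attributes), as an added example that is not WatchGuard's code. The attribute dict, the numeric attribute codes (taken from RFC 2868) and the function names are assumptions; the AP's actual parsing is not documented here.

```python
# Added example (not WatchGuard code): pick the VLAN for an 802.1x user from
# the tunnel attributes in the RADIUS Access-Accept. The VLAN must appear in
# the profile's dynamic VLAN list; otherwise the default VLAN from the Wi-Fi
# profile network settings is used.

# Accepted spellings of the two fixed attributes. The numeric codes are the
# RFC 2868 values (Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6).
VLAN_TUNNEL_TYPES = {"VLAN", "13", 13}
IEEE802_MEDIA = {"IEEE-802", "802", "6", 6}


def parse_dynamic_vlan_list(text):
    """Parse the profile's comma-separated dynamic VLAN list into a set of ints."""
    vlans = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        vid = int(item)
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} is outside 1-4094")
        vlans.add(vid)
    return vlans


def select_vlan(access_accept, allowed_vlans, default_vlan):
    """Return (vlan_id, reason) for the authenticated user.

    access_accept: dict of attribute name -> value from the Access-Accept
    (constructed by the caller; values as strings, as a RADIUS server sends them).
    """
    tpgid = access_accept.get("Tunnel-Private-Group-ID")
    if tpgid is None:
        return default_vlan, "no Tunnel-Private-Group-ID returned"
    if access_accept.get("Tunnel-Type") not in VLAN_TUNNEL_TYPES:
        return default_vlan, "Tunnel-Type is not VLAN"
    if access_accept.get("Tunnel-Medium-Type") not in IEEE802_MEDIA:
        return default_vlan, "Tunnel-Medium-Type is not 802"
    try:
        vid = int(tpgid)
    except ValueError:
        return default_vlan, f"Tunnel-Private-Group-ID {tpgid!r} is not a VLAN ID"
    if vid not in allowed_vlans:
        return default_vlan, f"VLAN {vid} is not in the profile's dynamic VLAN list"
    return vid, "assigned from RADIUS"
```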

RADIUS accounting can be configured for Open, WPA2, and WPA2 mixed mode PSK. When you configure RADIUS accounting, the AP sends an accounting start packet to the RADIUS server including the required RADIUS attributes.

This table describes the fields for RADIUS authentication settings:

Field

Description

RADIUS Authentication

Primary Authentication Server

Select a RADIUS profile from the drop-down list. Configure RADIUS server profiles in Configuration > Device Configuration > RADIUS Profiles.

Secondary Authentication Server

Select a RADIUS profile from the drop-down list. Configure RADIUS server profiles in Configuration > Device Configuration > RADIUS Profiles.

RADIUS Accounting Server Details

Primary Accounting Server

Select a RADIUS profile from the drop-down list. Configure RADIUS server profiles in Configuration > Device Configuration > RADIUS Profiles.

Secondary Accounting Server

Select a RADIUS profile from the drop-down list. Configure RADIUS server profiles in Configuration > Device Configuration > RADIUS Profiles.

RADIUS Retry Parameters

Timeout after

The time, in seconds, after which the AP sends a repeat authentication request to the RADIUS server if it does not receive a response from the RADIUS server. You can specify a value between 1 and 10. The default value is 2 seconds.

Attempts

The maximum number of retries for an authentication request that has timed out with the RADIUS server. After the maximum number of retries is exceeded, the AP switches to the alternate RADIUS server (secondary or primary). You can specify a value between 1 and 10. The default value is 4.
