Applies To: WatchGuard Cloud-managed Access Points
You can configure the wireless SSIDs that are broadcast by your access points and enable wireless clients to connect to your network.
Access points can have two different types of settings:
- Device-level settings that you apply individually to each access point. For more information, see Configure SSID Settings for an Access Point.
- Settings that are applied to the access point from an Access Point Site. You can use Access Point Sites to create SSID settings that are applied to multiple access points that subscribe to the site. For more information, see Configure SSID Settings for an Access Point Site.
To configure device-level SSID settings in WatchGuard Cloud for an access point:
- Select Configure > Devices.
- Select the access point you want to configure.
- Select Device Configuration.
The device configuration page opens.
- In the Wi-Fi Networks tile, click SSIDs.
To configure SSID settings in WatchGuard Cloud for an Access Point Site:
- Select Configure > Access Points Sites.
- Select an existing site, or add a new site.
- From the Configuration Details tab, in the Wi-Fi Networks tile, click SSIDs.
The SSIDs page lists your configured Wi-Fi networks and includes this information:
- SSID Name — The name of the Wi-Fi network SSID. There are two types of SSIDs, a device-level SSID, or an SSID configured from an Access Point Site, indicated by . From this page you can only add or delete device-level SSIDs. For more information about Access Point Sites, see About Access Point Sites.
- Broadcast — Indicates whether the SSID name is broadcast and visible to Wi-Fi clients.
- Security — The security type configured on this network, such as WPA2 or Open.
- Radios — The access point radios that broadcast this SSID.
To sort the list of SSIDs, click a column name.
Click an existing SSID to edit the wireless network settings, or click Add SSID to add a new wireless network.
Add an SSID
To add an SSID, click Add SSID.
On each tab, you can configure different settings for the SSID such as wireless settings, access control, scheduling, traffic shaping, and advanced settings.
When you have finished your wireless network configuration, click Add to save the SSID.
On the Wireless tab, you can configure the SSID name, specify if the network is private or for guests, specify the radios to broadcast the SSID, enable SSID security, and configure network settings.
- SSID Name — Type the SSID name. This is the name for this wireless network that appears to clients.
- Broadcast SSID — Select the Broadcast SSID check box to broadcast the SSID name to wireless clients. Clear this check box if you want to hide the SSID name.
- SSID Type
  - Private — Create a private wireless network.
  - Guest — Create a guest wireless network that provides limited access to protect devices and resources on your private wireless network. When you select a Guest network, Client Isolation is also enabled by default. For more information, see Client Isolation.
- Radio — Select the access point radios (2.4 GHz, 5 GHz, or both 2.4 GHz and 5 GHz) that will broadcast this SSID.
- Security — Select the type of security for this SSID.
  - Open — Open means no security encryption is applied. This option is typically used for public guest networks.
  - OWE — Opportunistic Wireless Encryption (OWE), also known as Enhanced Open, is the latest and most secure open protocol for Wi-Fi 6 (802.11ax) access points that provides each user with encryption that protects data exchange between the client and the wireless network. This enables you to create an open network that can provide data privacy without authentication. Clients that do not support OWE cannot connect with an SSID with OWE. Both the access point and client must support OWE.
  - WPA2 Personal (default) — WPA2 is the latest and most secure protocol for 802.11a/b/g/n/ac access points. You must type a Passphrase that wireless users will use to connect to this SSID.
  - WPA3/WPA2 — A mixed mode of WPA3 and WPA2 protocols.
  - WPA3 Personal — WPA3 is the latest and most secure protocol for Wi-Fi 6 (802.11ax) devices. WPA3 enables Protected Management Frames (802.11w) for higher security. Wireless clients must also support 802.11ax to use WPA3. You must type a Passphrase that wireless users will use to connect to this SSID.
There is an open issue where wireless clients with older operating systems that do not support WPA3 are unable to connect to an SSID with mixed WPA3/WPA2 security. For more information, see this Knowledge Base article.
  - WPA2 Enterprise — The WPA2 protocol with enterprise RADIUS authentication.
  - WPA3 Enterprise — The WPA3 protocol with enterprise RADIUS authentication.
Enterprise authentication options only appear if you have configured an Authentication Domain with a RADIUS server. For more information, see Access Point Authentication Domains.
- Passphrase — If you selected a security method that uses a pre-shared key such as WPA2 Personal or WPA3 Personal, type the passphrase to use. Wireless users must specify this passphrase when they connect to the SSID.
- Authentication Domain — If you selected a security method that uses an enterprise RADIUS server such as WPA2 Enterprise or WPA3 Enterprise, select a configured RADIUS server from the drop-down list. For more information, see Access Point Authentication Domains.
- Enable VLAN — To map your wireless network SSID to a VLAN on your network, select the Enable VLAN check box. For example, you can configure VLANs to separate traffic between your SSIDs, such as private and guest SSIDs. You can assign a VLAN ID from 1 to 4094 for each SSID. For more information on VLANs and your wireless networks, see Access Points and VLANs.
- Bridged (default) — Use a bridged network when the access point and the clients associating with the access point are in the same subnet.
- NAT — Use Network Address Translation (NAT) when you want to have the clients and the access point in a separate subnet. Wireless clients use a private IP address pool assigned from the access point. You must use NAT to use this SSID with an access point VPN. For more information, see Configure an Access Point VPN. Fast Roaming is disabled if you use NAT.
You must configure these settings when you enable NAT:
- Local IP Address (Gateway) — An IP address in the selected network outside of the DHCP address pool. This address is used as the gateway address for the clients on the wireless network.
- Subnet Mask — The net mask for the selected network.
- DHCP Pool Start IP Address — The starting IP address of the DHCP address pool in the selected network.
- DHCP Pool End IP Address — The end IP address of the DHCP address pool in the selected network.
- Lease Time — The DHCP lease time in hours (1 to 24).
- Primary and Secondary DNS Server — The primary and secondary DNS servers to which wireless clients make DNS queries.
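The NAT requirements above can be checked before the values are typed into the SSID settings. This is an added example, not WatchGuard code; the function name, its parameters, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def check_nat_settings(gateway, netmask, pool_start, pool_end, lease_hours):
    """Return a list of problems with an SSID's NAT settings (empty if consistent)."""
    try:
        net = ipaddress.IPv4Network(f"{gateway}/{netmask}", strict=False)
        gw, start, end = (ipaddress.IPv4Address(a)
                          for a in (gateway, pool_start, pool_end))
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    def usable(addr):
        # A host address inside the subnet, not its network/broadcast address.
        return addr in net and addr not in (net.network_address,
                                            net.broadcast_address)

    problems = []
    if not usable(gw):
        problems.append(f"gateway {gw} is not a usable host in {net}")
    for label, addr in (("pool start", start), ("pool end", end)):
        if not usable(addr):
            problems.append(f"{label} {addr} is not a usable host in {net}")
    if start > end:
        problems.append("pool start is above pool end")
    elif start <= gw <= end:
        # The gateway must sit outside the DHCP address pool.
        problems.append(f"gateway {gw} is inside the DHCP pool")
    if not 1 <= lease_hours <= 24:
        problems.append("lease time must be 1 to 24 hours")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(check_nat_settings("192.168.50.1", "255.255.255.0",
                             "192.168.50.10", "192.168.50.200", 8))
    print(check_nat_settings("192.168.50.20", "255.255.255.0",
                             "192.168.50.10", "192.168.50.200", 48))
```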
To control access for specific wireless clients based on their MAC address, enable the MAC Address Access Control List.
- Use the Allowed MAC Address List to only allow access for the client MAC addresses that you specify.
- Use the Blocked MAC Address List to block wireless clients based on the MAC addresses that you specify.
To add a new address, click Add MAC Address. When you have finished, click Add to save the access control list.
You can configure up to a maximum of 32 MAC addresses for each SSID.
Specify when to enable Wi-Fi access for this SSID. This limits access to this SSID based on the times you configure. For example, you might want to limit wireless guest access to only during business hours. The times are based on a 24-hour clock with minimum 30-minute intervals.
The default is Always Available. You can also select a pre-configured schedule for 8:00AM to 5:00PM Monday to Friday, or create a Custom Schedule.
Access point VPNs configured with this SSID are also enabled and disabled by the configured SSID schedule. For more information, see Configure an Access Point VPN.
You can enable bandwidth controls that limit the bandwidth usage on this SSID. For example, you can enable limits on your guest SSID so that guest users do not use too much bandwidth and affect wireless performance on your private wireless network.
To enable bandwidth controls, select SSID Bandwidth Control.
Specify the Upload Limit and Download Limit in Mbps. You can select a value from 1 to 999 Mbps.
These limits are applied to traffic on the entire SSID.
To apply these upload and download limits to each individual user on the SSID, select the corresponding Per Client check box.
Advanced options enable you to configure additional management, security, and steering options for this SSID.
- Protected Management Frames (802.11w) — For WPA2 and WPA3 security encryption, you can enable additional management frame protection to prevent spoofing attacks that use deauthentication and disassociation management frame actions. You can select Allow All Clients which only protects 802.11w-capable clients, or select Allow Only 802.11w Capable Clients. 802.11w is mandatory for WPA3 encryption.
- Fast Roaming (802.11k/r) — When you select WPA2 security encryption, you can enable Fast Roaming to reduce the re-authentication time for a wireless client as it roams from one WatchGuard access point to another access point. This enables the wireless client to quickly transition wireless communications and improves performance and stability of streaming-intensive applications such as VoIP and video streaming. Wireless clients must support the 802.11k and 802.11r standards to use Fast Roaming. Fast Roaming is disabled if NAT is enabled on the SSID.
- Band Steering — You can actively steer wireless clients from the 2.4 GHz band to use the less congested 5 GHz band to help balance associated clients on an access point between the 2.4 GHz and 5 GHz radios.
You can choose from these settings:
- Balance Clients: Distributes the wireless client load between the 2.4 GHz and 5 GHz radios. In the Balance Ratio text box, specify the percentage of clients that will use the 5 GHz radio. The remaining percentage will use the 2.4 GHz radio.
- Prefer 5 GHz (default): Clients are steered to the 5 GHz band if the client's signal strength in 5 GHz is higher than the configured RSSI Threshold (default -75 dBm).
- Force 5 GHz: Enables the use of additional management packets to make sure a client is always disconnected from the 2.4 GHz radio and steered to the 5 GHz radio when the client reconnects to the access point.
- Client Isolation — Prevents wireless clients from communicating directly to each other on the same access point, different radios of the same access point, and on different access points. This also prevents communications with wired-side devices. Client isolation is useful in typical guest Wi-Fi access deployments to prevent communications between guest clients. Client isolation is enabled by default if the SSID is configured as a Guest SSID.
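Several settings on this page depend on one another (passphrase or Authentication Domain by security type, 802.11w with WPA3, Fast Roaming with WPA2 and without NAT, the VLAN ID range, the 32-address MAC list limit, Client Isolation on Guest SSIDs). The added example below, which is not WatchGuard code, reviews a planned SSID against those rules; the dictionary key names and sample values are hypothetical and do not represent any WatchGuard Cloud export format.

```python
PSK_MODES = {"WPA2 Personal", "WPA3 Personal"}              # need a passphrase
ENTERPRISE_MODES = {"WPA2 Enterprise", "WPA3 Enterprise"}   # need a RADIUS domain

def lint_ssid(s):
    """Return findings for one SSID settings dict (hypothetical key names)."""
    findings = []
    sec = s.get("security", "WPA2 Personal")  # WPA2 Personal is the default
    if sec in PSK_MODES and not s.get("passphrase"):
        findings.append("passphrase missing for " + sec)
    if sec in ENTERPRISE_MODES and not s.get("auth_domain"):
        findings.append("no Authentication Domain selected for " + sec)
    if sec.startswith("WPA3 ") and s.get("pmf") is None:
        findings.append("802.11w is mandatory for WPA3 but PMF is off")
    if s.get("fast_roaming"):
        if not sec.startswith("WPA2"):
            findings.append("Fast Roaming is offered with WPA2 security only")
        if s.get("network") == "NAT":
            findings.append("Fast Roaming is disabled when NAT is used")
    if s.get("vlan_id") is not None and not 1 <= s["vlan_id"] <= 4094:
        findings.append("VLAN ID must be 1 to 4094")
    if len(s.get("mac_acl", [])) > 32:
        findings.append("more than 32 MAC addresses in the access control list")
    if s.get("type") == "Guest" and not s.get("client_isolation", True):
        findings.append("Guest SSID differs from the default: Client Isolation is off")
    return findings

# Constructed sample SSIDs for illustration only.
GUEST = {"name": "Lobby", "type": "Guest", "security": "Open",
         "client_isolation": False, "vlan_id": 4095,
         "fast_roaming": True, "network": "NAT"}
CORP = {"name": "Staff", "type": "Private", "security": "WPA3 Enterprise",
        "auth_domain": "corp-radius", "pmf": "only_capable", "vlan_id": 20}

if __name__ == "__main__":
    for ssid in (GUEST, CORP):
        print(ssid["name"], lint_ssid(ssid))
```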