Configure SSID Security Settings

When you add an SSID, you can configure security settings that determine how wireless clients must connect to your AP devices. The wireless security mode is set to Disabled by default. In this mode, the SSID operates as an open wireless network.

WatchGuard AP devices use two security protocol standards to protect your wireless network: WPA (Wi-Fi Protected Access) and WPA2. Each protocol standard can encrypt the transmissions on the wireless LAN between the computers and the AP devices. They also can prevent unauthorized access to the WatchGuard AP device.

To protect privacy, you can use these features together with other LAN security mechanisms such as password protection, VPN tunnels, and user authentication.

WPA and WPA2 with Pre-Shared Keys

The WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for authentication. When you choose one of these methods, you configure a pre-shared key that all wireless devices must use to authenticate to the AP device.

AP devices support three wireless authentication settings that use pre-shared keys: WPA (PSK), WPA2 (PSK), and WPA/WPA2 (PSK).

To configure an AP device SSID to use WPA or WPA2 with pre-shared keys:

  1. In the Edit SSID or Add SSID dialog box, select the Security tab.

Screen shot of the SSID Security tab for WPA/WPA2 (PSK) security mode

  2. From the Security Mode drop-down list, select WPA (PSK), WPA2 (PSK), or WPA/WPA2 (PSK).
  3. From the Encryption drop-down list, select an encryption method:

    We recommend that you select TKIP or AES. This allows the AP device to accept connections from wireless clients configured to use TKIP or AES encryption.

    For 802.11n wireless clients, TKIP is not supported and we recommend you configure the wireless client to use AES encryption.

  4. (Optional) In the Group Key Update Interval text box, type or select the WPA group key update interval.
    We recommend you use the default setting of 3600 seconds.
  5. In the Passphrase text box, type the passphrase that wireless clients must use to connect to this SSID.

WPA and WPA2 with Enterprise Authentication

The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for network authentication. These authentication methods use the EAP (Extensible Authentication Protocol) framework to enable user authentication to an external RADIUS authentication server. The WPA Enterprise and WPA2 Enterprise authentication methods are more secure than WPA/WPA2 (PSK) because users authenticate with their own credentials instead of a shared key.

To use the Enterprise authentication methods, you must configure an external RADIUS authentication server.

WatchGuard AP devices support three WPA and WPA2 Enterprise wireless authentication methods: WPA Enterprise, WPA2 Enterprise, and WPA/WPA2 Enterprise.

To configure an AP device SSID to use WPA or WPA2 with enterprise authentication:

  1. In the Edit SSID or Add SSID dialog box, select the Security tab.

Screen shot of the SSID Security tab for WPA/WPA2 Enterprise security mode

  2. From the Security Mode drop-down list, select WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise.
  3. From the Encryption drop-down list, select an encryption method:

    We recommend that you select TKIP or AES. This allows the AP device to accept connections from wireless clients configured to use TKIP or AES encryption.

    For 802.11n wireless clients, TKIP is not supported and we recommend you configure the wireless client to use AES encryption.

  4. (Optional) In the Group Key Update Interval text box, set the WPA group key update interval.
    We recommend you use the default setting of 3600 seconds.
  5. In the RADIUS Server text box, type the IP address of the RADIUS server.
  6. In the RADIUS Port text box, make sure that the port number the RADIUS server uses for authentication is correct.
    The default port number is 1812. Some older RADIUS servers use port 1645.
  7. In the RADIUS Secret text box, type the shared secret between the AP device and the RADIUS server.
    The shared secret is case-sensitive, and it must be the same in the SSID configuration as it is on the RADIUS server.

If you have a RADIUS accounting server, you can enable RADIUS Accounting:

  1. Select the Enable RADIUS Accounting check box.
  2. In the RADIUS Accounting Server text box, type the IP address of the RADIUS accounting server.
  3. In the RADIUS Accounting Port text box, make sure that the port number the RADIUS accounting server uses is correct.
    The default port number is 1813.
  4. In the RADIUS Accounting Secret text box, type the shared secret between the AP device and the RADIUS accounting server.
  5. In the Interim Accounting Interval text box, set the interim accounting interval.

See Also

Configure WatchGuard AP Device SSIDs
