WLAN Options

This is the name the WLAN will broadcast for clients to see.

While you can configure as many as 15 service set identifiers (SSIDs) per radio, a good rule of thumb for device profiles and WLAN templates is to use only two or three WLANs per AP. The idea is to minimize the airtime overhead incurred by beacon management frames, which are sent every 102.4 ms per radio, at the Minimum Basic Rate (MBR). In other words, unless you are carefully considering data rates and co-channel contention in order to achieve four, six, or even eight active WLANs on an AP, we recommend two or three WLANs per AP max.

Use this to set whether an AP broadcasts the WLAN. You can also hide the SSID, and broadcast the AP by name.

Choose which radio frequencies to broadcast on the WLAN: 2.4 GHz, 5 GHz, or 6 GHz. Wireless clients typically experience better performance when connected to the 5-GHz band rather than the 2.4-GHz band because the 5-GHz band has more channels, and so less co-channel contention. The 6-GHz band has still more channels, wider channel, more advanced security options, and greater data rates.

You configure an inactivity timer on your WLAN to prevent congestion. The AP deauthenticates inactive clients, as defined by the time you set here. The default time is 1800 seconds.

Geofencing can prevent clients with a received signal strength indicator (RSSI) below a specified level from joining the network. You can set a minimum client RSSI, per radio band, to prevent clients who are beyond a given distance or range from joining the WLAN. Geofencing applies only to the initial association. Therefore, if a client is already associate with the network, the client will not be dissociated if its RSSI value falls below the configured threshold. The default is disabled for all radio-bands.

See Enable Geofencing.

Set data rates to prevent clients with slow connections from degrading the overall WLAN performance.

The default is Compatible, which allows all connections. The other options are:

• No Legacy (2.4G, no 11b)—Prevents 802.11b and 802.11g devices from joining the WLAN (which, in effect, adds capacity to the network).

• High Density (disable all lower rates)—Prevents 802.11b and 802.11g clients from joining the network, and also sets a minimum signal level to connect. This setting can affect client roaming. It can also prevent legacy devices from joining the network, which may be desirable from a capacity standpoint, or the opposite, for example, if you have a lot of legacy devices that are cut off.

• Custom Rates—See Data Rates.

You use this option to configure a WLAN rate limit to enforce an uplink and downlink rate for the WLAN. You can configure rate limits per AP, per client, and per application. You can also limit the total bandwidth allocation for a given application. Note, however that rate limiting bandwidth per client is often self-defeating, as it can have the effect of increasing the clients airtime consumption (by prolonging downloads).

Set the uplink and downlink rate per client.

This option limits the uplink or downlink rate per client for the specified application. You must identify applications by their name or hostname.

Select the APs you want this WLAN to apply to: All, Specific, or according to the AP label.

By default, all APs in a selected site or site group will get the WLAN configuration and beacon the SSID. Based on the use-case or the requirements, you can apply filters to have the WLAN configured only on AP labels or Specific APs.

Security Types

• WPA3 using Enterprise (802.1X)—RADIUS-based authentication. With this security type, you also can enable additional options:

  • WPA3+WPA2 Transition—Transition modes can help ease adoption to WPA3 and OWE by offering existing security types. For more information, see Considerations for 6 GHz Wireless.

  • 192-bit Encryption—This option offers the highest level of 802.1X security in Wi-Fi by offering GCMP-256 encryption over the air and requiring more secure certificates.

• WPA3 with Personal (SAE)—Passphrase-based authentication. You can configure a single passphrase or multiple passphrases.

• WPA2 using Enterprise (802.1X)—RADIUS-based authentication.

• WPA2 with Personal (PSK)—Wi-Fi Protected Access (WPA) 2 using a standard preshared key (PSK). You can configure a single passphrase or multiple passphrases.

• Opportunistic Wireless Encryption (OWE)—You can configure WPA3/OWE transition modes on 6 GHz multiband SSIDs, in order to allow for easier adoption of transition mode SSIDs. For more information, see Considerations for 6 GHz Wireless.

• Open Access—Unencrypted, typically used for guest networks.

Depending on the selected security type, other options include:

• MAC address authentication by using RADIUS lookup—A MAC address is presented to a RADIUS server to authorize the device. Unavailable with certain security types.

• Prevent banned clients from associating—This option prevents clients that have been ban on the Network Security page from associating with this WLAN.

• Fast Roaming— A security method based on 802.11r for authenticating new clients.

VLAN

• Untagged—Doesn't use VLANs; this is the default setting.

• Tagged—Select this option if you have static VLANs on the network. In the field that appears, enter the VLAN ID. Make sure that the switch port connected to the access point (AP) also uses a tagged VLAN.

• Pool—Select this option to assign wireless clients a randomly selected IP address from one of the VLANs listed in the pool. When using this for PSK-based network segmentation, specify all the VLAN IDs you will need for the VLAN ID field of the PSK (Organization > WLAN Templates > Pre-Shared Key> Add Key button, and then VLAN ID).

  Alternatively, to put clients in different VLANs according to their site, use a site variable for the Pools VLANs and leave the VLAN ID field blank in the PSK configuration page.

• Dynamic—Select this option to connect wireless users to a given VLAN, as configured in the RADIUS server.

Peer-to-peer isolation prevents Layer 2 peer traffic on the same WLAN, AP, or wired or wireless subnet. This option is disabled by default. (For Layer 3 filtering, you can create WxLAN policies.)

Subnet isolation requires firmware version 0.12 or later, and clients must have a DHCP address.

• ARP
• Broadcast/Multicast
  • Allow mDNS
  • Allow SSDP
  • Allow IPv6 Neighbor Discovery
• Ignore Broadcast SSID Probe Requests

These filters reduce the amount of management frames sent by APs in the WLAN. Filtering can significantly improve performance by freeing up radio air time which is otherwise consumed as a routine part of the operational overhead.

• The ARP filter prevents Address Resolution Protocol (ARP) broadcast requests to a given WLAN interface. If not enabled, the proxy ARP will try to resolve all unknown Ethernet address requests by flooding the request to any unfiltered interfaces. We recommend leaving the ARP filter enabled. (By default, Mist APs support proxy ARPs, which means the AP sends an ARP response on behalf of the client instead of forwarding the packet over the air.)
• The Broadcast / Multicast filter prevents the AP from propagating broadcast and multicast frames on the wireless network. It filters IPv6 broadcasts, multicast, and IPv4/IPv6 mDNS frames, although these can be individually exempted. DHCP broadcasts are not included in this filter.

• • Allow mDNS frames by exempting this traffic from being filtered when broadcast/multicast filtering is selected. mDNS is needed for Apple Bonjour for network discovery.

  • Allow Simple Service Discovery Protocol (SSDP) advertisement beacons by exempting this traffic being filtered when broadcast/multicast filtering is selected. SSDP is needed Universal Plug and Play (UPnP) device discovery.

  • Allow IPv6 Neighbor Discovery frames by exempting this traffic when broadcast/multicast filtering is selected.

• The AP can Ignore Broadcast SSID Probe Requests from wireless clients, that is, not send a probe response (which advertises its SSID, supported data rates, and other 802.11 capabilities).

• Eth0 + PoE—Default. Forward traffic out the Eth0 port.

• Eth1—Forwards traffic through the second Ethernet port of the AP. This mode requires the WLAN VLAN to be untagged. You must connect Port Eth1 to a physically separate LAN.

You use this option to have the WLAN broadcast the SSID only on certain days and times. When scheduled to be disabled, the AP will not broadcast the SSID (that is, the SSID will not be visible to clients searching for available networks). The change in broadcast status does not reset the radio or disable the AP.

SSID scheduling supports multiple time ranges for each day. By default this mode is disabled.

802.1X Web Redirect

Applies to VLANs with security type Enterprise (802.1X).

Use quality of service (QoS) to prioritize traffic so that the more important traffic does not get held up in a queue during congestion. Juniper APs can prioritize wireless traffic to optimize the shared radio for maximum application performance.

• 0=Background (not used by Juniper APs)

• 1=Best Effort

• 2=Video

• 3=Voice

Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless QoS standard to support traffic prioritization. This specification uses the following access categories to prioritize transmission:

When multiple concurrent applications compete for network resources, Juniper APs can use MMEs to define and improve the wireless signal quality and performance.

Multimedia extensions (MMEs) are architectural extensions to general-purpose processors to boost the performance of multimedia workloads. Throughput is not guaranteed by WMM.

AirWatch™ is 3rd-party mobile device management system. When this setting is enabled, the APs allow traffic to pass only for those clients already identified in the AirWatch console. If enabled, you need to specify the AirWatch console URL, the API key, and your login credentials for the managed devices.

Default is not configured. Configure this setting on a per WLAN basis, from either the WLAN configuration page or WLAN Templates. This feature automatically enables broadcast/multicast filtering. As such, be sure to select the option to allow mDNS frames.

The following services are available, but must explicitly enabled to be discoverable:

• AirDrop, AirPlay, AirPrint, Apple HomeKit
• Amazon Devices, GoogleCast, Roku, Spotify Connect
• NFS, Scanner, SleepProxy (Wake-On-Network)

See Add a Bonjour Gateway to a WLAN.

Supports WPA3, WPA2, Legacy, OWE, and Open Access, with either Enterprise (802.1X) and Personal (SAE), as well as single or multiple passphrases, TKIP, etc.

See:

• Enable WPA2/WPA3 Enterprise (802.1X) Security on a WLAN

• Rogue, Neighbor, and Honeypot Access Points

• Configure and Manage Pre-Shared Keys

Enable fast roaming to allow clients that are connected to the network using WPA2 or WPA3 security to remain connected as they roam between APs. With fast roaming, WPA2 and WPA3 clients do not need to re-authenticate with the authentication server every time they change APs in the same network.

• Default—Local PMKID caching only; there is no sharing of the PMKID between Mist APs on the network. This may be appropriate for some use cases, but does not scale.

• .11r—Standards-based method of fast roaming, described in 802.11r.

Required for each WLAN. Specify the type of VLAN the AP will use in the switch connection.

• Untagged—Doesn't use VLANs; this is the default setting.

• Tagged—Use with static VLANs on the network (the switch port connected to the AP must also use tagged VLAN).

• Pool—Use to assign wireless clients a randomly selected IP address from one of the VLANs listed in the pool.

• Dynamic—Use to connect wireless users to a given VLAN, as configured in the RADIUS server.

For information about using VLAN Pools with Pre-Shared Keys for segmentation, see Leveraging Roles in a PSK (Use Case).

You can enable guest access by creating a sign-in portal in Juniper Mist, using your own external portal, or enabling Single Sign-On. For more information, see WLAN Guest Portal.