WLAN Options

Navigating to the WLAN Settings Window

  • For a WLAN in a WLAN template, select Organization > Wireless | WLAN Templates from the left menu, then create a WLAN template or select an existing template. To add a WLAN to your template, click Add WLAN. To edit an existing WLAN in the WLANs list, click it.

  • For a site-level WLAN, select Site > Wireless | WLANs from the left menu, and then click Add WLAN. To edit an existing WLAN on the WLANs page, click it.

  • Some changes will reset the radio. See WLAN Configuration Changes.

Figure 1: WLAN Settings

WLAN Configuration Settings

Table 1: WLAN Settings
Setting Summary
SSID

This is the name the WLAN will broadcast for clients to see.

While you can configure as many as 15 service set identifiers (SSIDs) per radio, a good rule of thumb for device profiles and WLAN templates is to use only two or three WLANs per AP. The idea is to minimize the airtime overhead incurred by beacon management frames, which are sent every 102.4 ms per radio, at the Minimum Basic Rate (MBR). In other words, unless you are carefully considering data rates and co-channel contention in order to achieve four, six, or even eight active WLANs on an AP, we recommend two or three WLANs per AP max.

WLAN Status

Use this to set whether an AP broadcasts the WLAN. You can also hide the SSID, and broadcast the AP by name.

Radio Band

Choose which radio frequencies to broadcast on the WLAN: 2.4 GHz, 5 GHz, or 6 GHz. Wireless clients typically experience better performance when connected to the 5-GHz band rather than the 2.4-GHz band because the 5-GHz band has more channels, and so less co-channel contention. The 6-GHz band has still more channels, wider channels, more advanced security options, and greater data rates.

See Radio Management, Radio Management (page), and Radio Settings (RF Templates).

Client Inactivity

You configure an inactivity timer on your WLAN to prevent congestion. The AP deauthenticates inactive clients, as defined by the time you set here. The default time is 1800 seconds.

Geofence

Geofencing can prevent clients with a received signal strength indicator (RSSI) below a specified level from joining the network. You can set a minimum client RSSI, per radio band, to prevent clients who are beyond a given distance or range from joining the WLAN. Geofencing applies only to the initial association. Therefore, if a client is already associated with the network, the client will not be dissociated if its RSSI value falls below the configured threshold. The default is disabled for all radio bands.

See Enable Geofencing.

Data Rates

Set data rates to prevent clients with slow connections from degrading the overall WLAN performance.

The default is Compatible, which allows all connections. The other options are:

  • No Legacy (2.4G, no 11b)—Prevents 802.11b and 802.11g devices from joining the WLAN (which, in effect, adds capacity to the network).

  • High Density (disable all lower rates)—Prevents 802.11b and 802.11g clients from joining the network, and also sets a minimum signal level to connect. This setting can affect client roaming. It can also prevent legacy devices from joining the network, which may be desirable from a capacity standpoint, or the opposite, for example, if you have a lot of legacy devices that are cut off.

  • Custom Rates—See Data Rates.

Wi-Fi Protocols

You use this option to enable or disable Wi-Fi 6 on the supported APs.

WLAN Rate Limit

You use this option to configure a WLAN rate limit to enforce an uplink and downlink rate for the WLAN. You can configure rate limits per AP, per client, and per application. You can also limit the total bandwidth allocation for a given application. Note, however, that rate limiting bandwidth per client is often self-defeating, as it can have the effect of increasing the client's airtime consumption (by prolonging downloads).

Per-Client Rate Limit

Set the uplink and downlink rate per client.

Application Rate Limit

This option limits the uplink or downlink rate per client for the specified application. You must identify applications by their name or hostname.

Apply to Access Points

Select the APs you want this WLAN to apply to: All, Specific, or according to the AP label.

Security Types

  • WPA3 using Enterprise (802.1X)—RADIUS-based authentication. With this security type, you also can enable additional options:

    • WPA3+WPA2 Transition—Transition modes can help ease adoption to WPA3 and OWE by offering existing security types. For more information, see Considerations for 6 GHz Wireless.

    • 192-bit Encryption—This option offers the highest level of 802.1X security in Wi-Fi by offering GCMP-256 encryption over the air and requiring more secure certificates.

  • WPA3 with Personal (SAE)—Passphrase-based authentication. You can configure a single passphrase or multiple passphrases.

  • WPA2 using Enterprise (802.1X)—RADIUS-based authentication.

  • WPA2 with Personal (PSK)—Wi-Fi Protected Access (WPA) 2 using a standard preshared key (PSK). You can configure a single passphrase or multiple passphrases.

  • Opportunistic Wireless Encryption (OWE)—You can configure WPA3/OWE transition modes on 6 GHz multiband SSIDs, in order to allow for easier adoption of transition mode SSIDs. For more information, see Considerations for 6 GHz Wireless.

  • Open Access—Unencrypted, typically used for guest networks.

Other Security Options
  • MAC address authentication by using RADIUS lookup—A MAC address is presented to a RADIUS server to authorize the device. Unavailable with certain security types.

  • Prevent banned clients from associating—This option prevents clients that have been banned on the Network Security page from associating with this WLAN.

  • Fast Roaming—A security method based on 802.11r for authenticating new clients.

VLAN

  • Untagged—Doesn't use VLANs; this is the default setting.

  • Tagged—Select this option if you have static VLANs on the network. In the field that appears, enter the VLAN ID. Make sure that the switch port connected to the access point (AP) also uses a tagged VLAN.

  • Pool—Select this option to assign wireless clients a randomly selected IP address from one of the VLANs listed in the pool. When using this for PSK-based network segmentation, specify all the VLAN IDs you will need for the VLAN ID field of the PSK (Organization > WLAN Templates > Pre-Shared Key > Add Key button, and then VLAN ID).

    Alternatively, to put clients in different VLANs according to their site, use a site variable for the Pools VLANs and leave the VLAN ID field blank in the PSK configuration page.

  • Dynamic—Select this option to connect wireless users to a given VLAN, as configured in the RADIUS server.

Isolation

Peer-to-peer isolation prevents Layer 2 peer traffic on the same WLAN, AP, or wired or wireless subnet. This option is disabled by default. (For Layer 3 filtering, you can create WxLAN policies.)

Subnet isolation requires firmware version 0.12 or later, and clients must have a DHCP address.

Filtering (Wireless)
  • ARP
  • Broadcast/Multicast
    • Allow mDNS
    • Allow SSDP
    • Allow IPv6 Neighbor Discovery
  • Ignore Broadcast SSID Probe Requests

These filters reduce the amount of management frames sent by APs in the WLAN. Filtering can significantly improve performance by freeing up radio air time which is otherwise consumed as a routine part of the operational overhead.

  • The ARP filter prevents Address Resolution Protocol (ARP) broadcast requests to a given WLAN interface. If not enabled, the proxy ARP will try to resolve all unknown Ethernet address requests by flooding the request to any unfiltered interfaces. We recommend leaving the ARP filter enabled. (By default, Mist APs support proxy ARPs, which means the AP sends an ARP response on behalf of the client instead of forwarding the packet over the air.)
  • The Broadcast / Multicast filter prevents the AP from propagating broadcast and multicast frames on the wireless network. It filters IPv6 broadcasts, multicast, and IPv4/IPv6 mDNS frames, although these can be individually exempted. DHCP broadcasts are not included in this filter.
    • Allow mDNS frames by exempting this traffic from being filtered when broadcast/multicast filtering is selected. mDNS is needed for Apple Bonjour for network discovery.

    • Allow Simple Service Discovery Protocol (SSDP) advertisement beacons by exempting this traffic from being filtered when broadcast/multicast filtering is selected. SSDP is needed for Universal Plug and Play (UPnP) device discovery.

    • Allow IPv6 Neighbor Discovery frames by exempting this traffic when broadcast/multicast filtering is selected.

  • The AP can Ignore Broadcast SSID Probe Requests from wireless clients, that is, not send a probe response (which advertises its SSID, supported data rates, and other 802.11 capabilities).

Custom Forwarding

By default, the WLAN forwards tagged or untagged client traffic through the primary Ethernet port, Eth0. You use custom forwarding in conjunction with Mist Edge, or for example, to ensure that guest and corporate traffic use different networks.

  • Eth0 + PoE—Default. Forward traffic out the Eth0 port.

  • Eth1—Forwards traffic through the second Ethernet port of the AP. This mode requires the WLAN VLAN to be untagged. You must connect Port Eth1 to a physically separate LAN.

SSID Scheduling

You use this option to have the WLAN broadcast the SSID only on certain days and times. When scheduled to be disabled, the AP will not broadcast the SSID (that is, the SSID will not be visible to clients searching for available networks). The change in broadcast status does not reset the radio or disable the AP.

SSID scheduling supports multiple time ranges for each day. By default this mode is disabled.

802.1X Web Redirect

Applies to VLANs with security type Enterprise (802.1X).

Select the Enabled check box to redirect a client to a particular web page (for example, a quarantined portal for compliance checks) after it completes the 802.1X authentication. For this feature to work, your firmware version must be 0.7 or newer. For more information, see Configure an 802.1X WLAN to Redirect Clients to Specific Web Pages.

QoS Priority

Use quality of service (QoS) to prioritize traffic so that the more important traffic does not get held up in a queue during congestion. Juniper APs can prioritize wireless traffic to optimize the shared radio for maximum application performance.

Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless QoS standard to support traffic prioritization. This specification uses the following access categories to prioritize transmission:

  • 0=Background (not used by Juniper APs)

  • 1=Best Effort

  • 2=Video

  • 3=Voice

Multimedia Extensions

When multiple concurrent applications compete for network resources, Juniper APs can use MMEs to define and improve the wireless signal quality and performance.

Multimedia extensions (MMEs) are architectural extensions to general-purpose processors to boost the performance of multimedia workloads. Throughput is not guaranteed by WMM.

AirWatch

AirWatch™ is a third-party mobile device management system. When this setting is enabled, the APs allow traffic to pass only for those clients already identified in the AirWatch console. If enabled, you need to specify the AirWatch console URL, the API key, and your login credentials for the managed devices.

Bonjour Gateway

Default is not configured. Configure this setting on a per WLAN basis, from either the WLAN configuration page or WLAN Templates. This feature automatically enables broadcast/multicast filtering. As such, be sure to select the option to allow mDNS frames.

The following services are available, but must be explicitly enabled to be discoverable:

  • AirDrop, AirPlay, AirPrint, Apple HomeKit
  • Amazon Devices, GoogleCast, Roku, Spotify Connect
  • NFS, Scanner, SleepProxy (Wake-On-Network)

See Add a Bonjour Gateway to a WLAN.

Security

Supports WPA3, WPA2, Legacy, OWE, and Open Access, with either Enterprise (802.1X) or Personal (SAE), as well as single or multiple passphrases, TKIP, etc.

See:

Fast Roaming

Enable fast roaming to allow clients that are connected to the network using WPA2 or WPA3 security to remain connected as they roam between APs. With fast roaming, WPA2 and WPA3 clients do not need to re-authenticate with the authentication server every time they change APs in the same network.

  • Default—Local PMKID caching only; there is no sharing of the PMKID between Mist APs on the network. This may be appropriate for some use cases, but does not scale.
  • .11r—Standards-based method of fast roaming, described in 802.11r.

See also: Enable Fast Roaming.

VLAN

Required for each WLAN. Specify the type of VLAN the AP will use in the switch connection.

  • Untagged—Doesn't use VLANs; this is the default setting.

  • Tagged—Use with static VLANs on the network (the switch port connected to the AP must also use tagged VLAN).

  • Pool—Use to assign wireless clients a randomly selected IP address from one of the VLANs listed in the pool.
  • Dynamic—Use to connect wireless users to a given VLAN, as configured in the RADIUS server.

For information about using VLAN Pools with Pre-Shared Keys for segmentation, see Leveraging Roles in a PSK (Use Case).

Guest Portal

You can enable guest access by creating a sign-in portal in Juniper Mist, using your own external portal, or enabling Single Sign-On. For more information, see WLAN Guest Portal.
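
Several settings in the table above carry constraints on one another (firmware minimums for subnet isolation and 802.1X web redirect, the untagged-VLAN requirement for Eth1 forwarding, allowing mDNS when a Bonjour gateway is configured, the ARP filter recommendation, and the two-or-three WLANs per AP guideline). The following added example, which is not Juniper code, checks a WLAN definition against those statements; the field names, values, and firmware strings are hypothetical and do not reflect the Mist API schema.

```python
# Added example: lint a WLAN definition against constraints stated on this page.
# Field names and sample values are hypothetical, not the Mist API schema.
ENTERPRISE = {"wpa2-enterprise", "wpa3-enterprise"}

def fw_tuple(version):
    """'0.12.27139' -> (0, 12, 27139); numeric parts so 0.12 is newer than 0.7."""
    return tuple(int(part) for part in version.split("."))

def lint_wlan(wlan, ap_firmware):
    """Return findings for one WLAN on an AP running ap_firmware."""
    fw, sec, out = fw_tuple(ap_firmware), wlan.get("security", "open"), []
    if sec == "open":
        out.append("open-access: client traffic is unencrypted over the air")
    if not wlan.get("arp_filter", True):
        out.append("arp-filter: the page recommends leaving the ARP filter enabled")
    if wlan.get("bonjour_gateway") and not wlan.get("allow_mdns", False):
        out.append("bonjour-mdns: gateway turns on bcast/mcast filtering; allow mDNS")
    if wlan.get("forwarding") == "eth1" and wlan.get("vlan_mode", "untagged") != "untagged":
        out.append("eth1-vlan: Eth1 forwarding requires an untagged WLAN VLAN")
    if wlan.get("isolation") == "subnet" and fw < (0, 12):
        out.append("subnet-isolation: requires firmware 0.12 or later")
    if wlan.get("web_redirect"):
        if sec not in ENTERPRISE:
            out.append("web-redirect-auth: applies only to Enterprise (802.1X)")
        if fw < (0, 7):
            out.append("web-redirect-fw: requires firmware 0.7 or newer")
    return out

def lint_ap(wlans, ap_firmware, max_wlans=3):
    """Lint every WLAN assigned to one AP, plus the per-AP WLAN count guideline."""
    report = {w["ssid"]: lint_wlan(w, ap_firmware) for w in wlans}
    if len(wlans) > max_wlans:
        report["(ap)"] = [f"wlan-count: {len(wlans)} WLANs; page suggests 2-3 per AP"]
    return report

# Constructed sample input (not taken from a real deployment)
SAMPLE = [
    {"ssid": "guest", "security": "open", "arp_filter": False,
     "forwarding": "eth1", "vlan_mode": "tagged"},
    {"ssid": "corp", "security": "wpa3-enterprise", "isolation": "subnet",
     "web_redirect": True, "bonjour_gateway": True, "allow_mdns": False},
]

if __name__ == "__main__":
    for ssid, findings in lint_ap(SAMPLE, "0.7.20216").items():
        for finding in findings:
            print(f"{ssid}: {finding}")
```

Firmware versions are compared as integer tuples because a string or float comparison would rank 0.7 above 0.12 and wrongly pass the subnet isolation check.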