SSID advanced settings

Configure security, backend authentication, client connection, quality of service (QoS), network availability, and captive portal.


Define settings to make your network more secure.

Synchronized Security: Enable to ensure that clients with Sophos Endpoint Protection and Sophos Mobile Protection can communicate with Sophos Central Wireless access points. If Synchronized Security is enabled on both Sophos XG Firewall and Sophos Central Wireless, the settings on Sophos XG Firewall take precedence.

To use this feature, you need to have an Endpoint Advanced Protection license for your endpoints. For mobile protection, go to Mobile > Set up > System setup > Network Access Control, and select Sophos Wireless.

Note: Available only for APX 320, APX 530, and APX 740.

Security Heartbeat green: Indicates that the endpoint is healthy and all traffic is allowed.

Security Heartbeat yellow: Indicates that a potentially unwanted application (PUA) or inactive malware has been detected. All traffic is allowed.

Security Heartbeat red: Indicates that active malware or ransomware has been detected or the access point is unable to receive Security Heartbeat messages from the endpoint’s Sophos Endpoint Services. The access point blocks all internet traffic. Only traffic from the secured browsing environment (walled garden or safe URLs list) is allowed.

Sophos Mobile (UEM): Turned on by default. Allows heartbeat information to be sent from Sophos managed mobile devices. You can also manage policies for these devices in Sophos Central.

Sophos Central Endpoint Protection: Turn on if you want to manage endpoint policies in Sophos Central. Alternatively, you can manage endpoint policies in XG Firewall.

Restrict SSID to Sophos Managed Devices: When an unmanaged device connects to the SSID, after authentication, we determine that the device is unmanaged and display a landing page, which you have to configure. The device is put behind a walled garden. The behavior of this device is similar to having a red security heartbeat status. The device is allowed to access only Sophos websites or those URLs and IPs that are on the allowed list.

A managed device is a mobile or endpoint device protected by Sophos.

When you enable this option the landing page configuration is shown. Enter the following information:

  • Page Title
  • Welcome Text
  • Message to appear
  • Company logo

Allowed domains: Enter domains here that you still want clients to access, along with any domains, when they have a red Synchronized Security status. These domains will also be accessible by unmanaged devices if you have turned on Restrict SSID to Sophos Managed Devices. Both IP addresses and domain names are supported.

Hidden SSID: Hides the SSID from network scans. When hidden, the SSID is still available, but you need to know the SSID name to connect to it directly. Even if an SSID is hidden, you can assign the SSID to an access point.

Note: This is not a security feature. You still need to protect hidden SSIDs.

Client isolation: Blocks communication between clients within the same radio frequency. This is useful in a guest or hotspot network.

MAC Filtering: Provides minimal security by restricting Media Access Control (MAC) address connections.

  • None: No restriction on MAC addresses.
  • Blocked List: All MAC addresses are allowed except those that you enter here.
  • Allowed List: All MAC addresses are prohibited except those that you enter here.

Client Connection

LAN: Bridges a wireless network onto the network of an access point. The wireless clients share the same IP address range.

VLAN: Directs the client traffic to specific VLANs. The uplink switch must be configured to accept VLAN packets.

RADIUS VLAN Assignment: Separates users without having multiple SSIDs. Available with encryption mode WPA/WPA2 Enterprise.

Users will be tagged to a VLAN provided by a RADIUS server. Traffic is untagged if the RADIUS server does not provide a VLAN.

Note: IPv6 is blocked in SSIDs if dynamic VLAN is enabled. If IPv6 is not blocked, devices may end up with multiple IPv6 addresses and gateways from multiple VLANs.
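
How a dynamic VLAN usually travels in the RADIUS Access-Accept, as an added example (not Sophos code). It assumes the server sends the standard RFC 3580 tunnel attributes, which this page does not name, and it mirrors the rule above that a reply without a usable VLAN leaves traffic untagged. The build_accept helper only constructs sample packets.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and values (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
ACCESS_ACCEPT = 2


def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute TLV in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen


def vlan_from_access_accept(packet: bytes):
    """Return the VLAN ID to tag with, or None for untagged traffic."""
    tunnel_type = medium = group = None
    for atype, value in iter_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            number = int.from_bytes(value[1:], "big")  # skip the tag octet
            if atype == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet of 0x00..0x1F is a tag; otherwise it is part of the string.
            group = value[1:] if value[0] <= 0x1F else value
    if tunnel_type != TYPE_VLAN or medium != MEDIUM_IEEE_802 or not group:
        return None
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None  # names or out-of-range IDs are not a usable 802.1Q tag
    return int(group)


def build_accept(attrs):
    """Constructed sample: an Access-Accept with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```

Running it against a test account's reply from your RADIUS server shows whether a user would land on the intended VLAN or fall back to untagged traffic.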

Enable Guest Network: Enables a guest network. A guest network provides an isolated network for the clients with some traffic restrictions. Access points can have one guest network at a given time. The following modes are available:

Bridge Mode: Uses the DHCP server from the same subnet.

It filters all traffic and only allows communication to the gateway, DNS server, and external networks. You can add a guest network to an environment without VLAN and still have isolation. As the DHCP server is still on your network, roaming between access points will work.

Note: By using VLAN for your guest network, you can have a separate guest VLAN in addition to the guest network.

NAT Mode: Uses the on-board DHCP server on the access point. This provides local isolated IPs to the guest network clients. Clients are unaware of the internal IP scheme.

In NAT mode, a DNS server is optional for a client address. If a DNS address is not assigned to the client by the DNS server, the client is assigned the same DNS address as the access point.

Bridge mode has a higher throughput, whereas NAT mode has more isolation.

Network Availability

Define SSIDs that are only available at certain times of day or on certain days of the week. Outside those times, the SSIDs are not visible.

Always: Select to make SSID available at all times.

Scheduled: Select the weekdays and timeframes for the network to be available.

Quality of Service

Configure settings to optimize your network.

Multicast to unicast conversion: Optimizes the multicast packets to unicast packets. The access point converts multicast packets to unicast packets individually for each client based on the Internet Group Management Protocol (IGMP).

It works best when fewer clients are connected to one access point.

The conversion to unicast is preferred for media streaming as it can operate at higher throughput rates.

Proxy ARP: Enables the access point to answer Address Resolution Protocol (ARP) requests intended for the connected wireless clients.

Fast roaming: Optimizes the roaming times when switching between different access points. SSIDs with WPA2 encryption use the IEEE 802.11r standard to reduce roaming times (with enterprise authentication). It applies when the same SSID is assigned to different access points. Clients also need to support the IEEE 802.11r standard.

Keep broadcasting: Ensures that the access point keeps broadcasting when it is not able to reconnect to Sophos Central after a restart. If this is turned on, clients will still be able to connect to the access point, to the internet, or both, and the access point works with its old configuration.

Note: The SSID will be broadcast in all cases of connection loss to Sophos Central, regardless of whether this function is turned on.

Band Steering: Distributes clients between the 2.4 GHz and 5 GHz bands based on the load on the two radio bands and the client's capability. Dual-band capable wireless clients will be routed to 5 GHz, if possible, to improve the client experience. This is done by rejecting the initial association request sent by the client in the 2.4 GHz band, which causes a dual-band client to then attempt to negotiate at 5 GHz. If it does not associate in the 5 GHz band, it will be marked as “steering unfriendly” and will not be routed again. If a client is too far away from the access point, routing will not be attempted. This prevents routing clients to 5 GHz, where the range is usually less than in the 2.4 GHz band. Band Steering is done on a per access point level and will affect all SSIDs on that access point.

Captive Portal

Activate and configure a hotspot.

Enable hotspot: Turns the SSID into a hotspot. This allows cafés, hotels, or companies to provide time and traffic restricted internet access to guests.

Caution: In many countries, operating a public hotspot is subject to specific national laws that restrict access to websites with legally questionable content, for example, file sharing sites or extremist websites.

Page Title: You can define a title for the landing page. It is visible to the users when they accept terms of service.

Welcome Text: You can define welcome text for the landing page.

Terms of Service: Users have to accept the terms of service before authentication.

Backend Authentication: With this authentication type, users can authenticate via Remote Authentication Dial-In User Service (RADIUS).

Note: Backend authentication requires PAP (Password Authentication Protocol) policy on the RADIUS server. All user credentials transmitted to the RADIUS server will be encrypted with HTTPS by Sophos Central.

Password schedule: You can create a new password automatically on a fixed schedule. If the schedule is set to weekly or monthly, you can also select a weekday or week. The old password expires when the scheduled time is reached and current sessions are cut off. The new password is sent as a notification to the specified email addresses.

Voucher: With this hotspot type, vouchers with time limitations can be generated, printed, and given to customers. After entering the code, users can directly access the internet.

Social Login: You can allow your users to authenticate using their social media accounts. You can let them use their Facebook or Google accounts. To set up Google authentication, go to the Google Developer Console and get the Client ID and Secret for Google. Enter this information here. To set up Facebook authentication, go to Facebook Developer Account and get the Application ID and Secret for Facebook. Enter this information here.

To retrieve the Google client ID from the Google developer console you will need to do as follows:

  1. Create a new project.
  2. Go to the OAuth Consent screen and enter the application name. You can enter anything in this field. Then enter the authorized domain, which has to be "".
  3. Go to credentials > create credentials > OAuth client ID.
  4. Choose application type as web application.
  5. Under the restrictions, enter the authorized JavaScript origins and authorized redirect URIs as given below.

    Authorized JavaScript origins:

    Authorized redirect URIs:

Note: If a user signs in with a social media account they are asked to accept the certificate and continue. They must click the Google button to do this.

Note: If a user authenticates with a social media account, we don't store personal information from that account.

Session Timeout: Restricts the user's internet access time.

Re-Login Timeout: Enabling this will prevent the user from re-logging into the network for 24 hours from the time of initial connection to social login.

Note: A maximum of 8 devices can connect using the same email ID.

Redirect URL: You can define the URL to which users will be redirected from the landing page. Users can be redirected to the default website of the mobile device or a specific website of your choice, for example, your company page.