Skip to content

SSID advanced settings

Configure security, backend authentication, client connection, quality of service (QoS), network availability, and captive portal.

Go to My Products > Wireless > SSIDs and click Advanced Settings.


Define settings to make your network more secure.

Synchronized Security


Available only for APX 320, APX 530, and APX 740.

Turn on Synchronized Security to ensure that clients with Sophos Endpoint Protection and Sophos Mobile Protection can communicate with Sophos Central Wireless access points. If you turn on Synchronized Security for both Sophos Firewall and Sophos Central Wireless, the settings on Sophos Firewall take precedence.

Synchronized Security categorizes devices by their security status. You must protect devices with Sophos Endpoint Protection or Sophos Mobile as appropriate. Administrators can set up rules to manage the devices. If devices break these rules, the software reports the threat and the security heartbeat status of the device reflects this. Security Heartbeat categorizes devices as one of the following:

  • Protected (Green): The device is healthy and all traffic is allowed.
  • Client might be at risk (Yellow): There's a potentially unwanted application (PUA) or inactive malware on the device. All traffic is allowed.
  • Client at risk (Red): The device has active malware or ransomware. All internet traffic is blocked. Only traffic from the secured browsing environment (walled garden or safe URL list) is allowed.
  • No Security Heartbeat: This only applies to endpoint computers. This indicates the device is connected, but the endpoint hasn't sent a security heartbeat for 90 seconds.
  • Not available: Sophos Endpoint or Sophos Mobile Control isn't installed on the listed devices.

You can select the following Synchronized Security options for your devices:

  • Sophos Mobile (UEM): Turned on by default. Allows Sophos-managed mobile devices to send heartbeat information. You can also manage policies for these devices in Sophos Central.


    To prevent devices with red health from accessing the network, you must set Network Access Control for your mobile device to Sophos Wireless. Go to Mobile > Setup > Sophos setup > Network Access Control, and select Sophos Wireless.

  • Sophos Central Endpoint Protection: Turn on if you want to manage endpoint policies in Sophos Central. Alternatively, you can manage endpoint policies in Sophos Firewall.

  • Restrict SSID to Sophos Managed Devices: When an unmanaged device connects to the SSID, after authentication, we determine that the device is unmanaged, put the device behind a walled garden, and show a landing page, which you have to configure. The behavior of this device is similar to having a red security heartbeat status. The device is allowed to access only Sophos websites or those URLs and IPs that are on the allowed list.

A managed device is a mobile or endpoint device protected by Sophos.

You can see the landing page configuration when you turn on this option. Enter the following information:

  • Page Title
  • Welcome Text
  • Message to appear

Hidden SSID

Hides the SSID for network scans. The SSID is still available when hidden, but you must know the SSID name for a direct connection. Even if you hide the SSID, you can assign the SSID to an access point.


Hiding the SSID isn't a security feature. You still need to protect hidden SSIDs.

Client isolation

Blocks communication between clients within the same radio frequency. This is useful in a guest or hotspot network.


Client isolation is automatically turned on for guest networks on AP6 access points. See Enable Guest Network.

MAC Filtering

Provides minimal security by restricting Media Access Control (MAC) address connections.

  • None: No restriction on MAC addresses.
  • Blocked List: All MAC addresses you enter here are blocked.
  • Allowed List: All MAC addresses you enter here are allowed.


Active Threat Response (ATR) overrides MAC Filtering. You can't use the Allowed list to allow MAC addresses blocked by ATR. See Active Threat Response.

Walled garden

Enter domains you still want clients to access here, along with any domains, when they have a red Synchronized Security status. These domains will also be accessible by unmanaged devices if you've turned on Restrict SSID to Sophos Managed Devices. Both IP addresses and domain names are supported.

Client Connection


Bridge the wireless network traffic onto the LAN. The wireless devices share the same IP address range.


Directs traffic from wireless devices to specific VLANs. You must configure downstream network devices to accept VLAN packets.

RADIUS VLAN Assignment

Separates users without having multiple SSIDs. Available with enterprise encryption modes.

The access point tags users to a VLAN provided by a RADIUS server. Traffic is untagged if the RADIUS server does not provide VLAN.


If you turn on dynamic VLAN for an SSID, IPv6 is blocked. If IPv6 isn't blocked, wireless devices may end up with multiple IPv6 addresses and gateways from multiple VLANs.

Enable Guest Network

Enables a guest network. A guest network provides an isolated network for wireless devices with some traffic restrictions. The following modes are available:

Bridge Mode

Uses the DHCP server from the same subnet.

It filters all traffic and only allows communication to the gateway, DNS server, and external networks. You can add a guest network to an environment without VLAN and still have client isolation. The DHCP server is still on your network, so roaming between access points will work.

NAT Mode (APX only)

Uses the on-board DHCP server on the access point. This provides local isolated IPs to the wireless devices on the guest network. The devices aren't aware of the internal IP scheme.

In NAT mode, a DNS server is optional for a wireless device to obtain an IP address. If a DNS server doesn't assign an address to the wireless device, it’ll be assigned the same DNS address as the access point.

Bridge mode has a higher throughput, whereas NAT mode has more isolation.


Guest networks allow access to all public IP addresses. If you have local resources with public IP addresses and you don't want devices on the guest network to access these resources, you must configure your network to block the traffic.

Network Availability

Define SSIDs which are only available for a certain time of day or certain days in a week. The SSIDs aren’t visible in the meantime.

  • Always: Select to make SSID available at all times.
  • Scheduled: Select the days and times you want the network to be available.

Quality of Service

Configure settings to optimize your network.

Multicast to unicast conversion

Optimizes the multicast packets to unicast packets. The access point individually converts multicast packets to unicast packets for each wireless device based on IGMP.

It works best when fewer wireless devices connect to one access point.

The conversion to unicast is preferred for media streaming as it can operate at higher throughput rates.

Proxy ARP

Enables the access point to answer Address Resolution Protocol (ARP) requests intended for the connected wireless devices.

Fast roaming

Optimizes the roaming times when switching between different access points. SSIDs with WPA2 encryption use the IEEE 802.11r standard to reduce roaming times (with enterprise authentification). It applies when you assign the same SSID to different access points. Wireless devices also need to support the IEEE 802.11r standard.

Keep broadcasting

When an access point can't connect to Sophos Central, it stops broadcasting the configured SSIDs if it restarts. Select Keep broadcasting to allow the access point to continue broadcasting its configured SSIDs after a restart, even if it can't connect to Sophos Central. The access point operates with its last known configuration until it restores its connection to Sophos Central. Wireless devices can still connect and access all configured internal and external resources.


This feature is always turned on for AP6 series access points. You can't turn it off.

Band steering

Band steering detects wireless devices capable of 5 GHz operation and connects them to that frequency. This makes the more crowded 2.4 GHz frequency band available for wireless devices that can only connect to it. The access point rejects the initial association request sent on the 2.4 GHz band. This causes a dual-band wireless device to then attempt to negotiate at 5 GHz. If it doesn't connect on the 5 GHz band, the access point marks it as “steering unfriendly” and won't route it again. The access point won't attempt band steering if a wireless device is too far away. This prevents routing to 5 GHz when the wireless device isn't in range. Band steering is done on a per access point level and affects all SSIDs on that access point.


You must configure the 2.4 and 5 GHz frequency bands to use band steering.

Captive portal

A captive portal forces devices to authenticate before they’re allowed to access the internet.

Enable hotspot

To turn on captive portal for your SSIDs, select Enable hotspot.


In many countries, operating a public hotspot is subject to specific national laws restricting access to websites of legally questionable content, for example, file-sharing sites or extremist websites. Legal regulations may require registering your hotspot with the national regulatory body.

Once you turn the captive portal on, you can configure the following captive portal options:

Landing page

Access points with Enable hotspot selected intercept HTTP traffic and redirect users to a predefined page, the captive portal. There, users must use a configured authentication method before accessing the allowed networks, for example, the internet. The landing page is the first page users will see after connecting to the hotspot.

You can customize the landing page with a title and welcome text. You can also create custom terms of service that users must agree to before accessing the network.

Authentication types

Wireless devices need to authenticate in the captive portal before accessing the internet. Choose from the following authentication options:

  • None: No authentication.
  • Backend authentication: Allows authentication via a RADIUS server with Password Authentication Protocol (PAP).


    Backend authentication requires PAP (Password Authentication Protocol) policy on the RADIUS server. The access point encrypts all user credentials transmitted to the RADIUS server with HTTPS.

  • Password schedule: Creates a new password automatically on a daily, weekly, or monthly schedule. When the password expires, the access point ends all current sessions and users must authenticate with the new password. If you select Notify all admins, Sophos Central sends the new password as a notification to all Sophos Central admins and any email addresses specified in Other users.

  • Social login: Allows authentication via social media accounts. We don't store any information from the account. You can choose from the following providers:

    • Google: Select Enable to allow users to sign in with their Google credentials.

      You'll need your organization's Google Client ID and Client secret. To get this information, do as follows:

      1. Sign in to the Google Developer Console.
      2. Click Credentials and create a new project.
      3. Click OAuth consent screen, select the User Type and click Create.
      4. Fill in the required fields on the OAuth Consent screen, click Add domain and enter as the Authorized domain.
      5. Save your changes.
      6. Click Credentials, click Create credentials, and click OAuth client ID.
      7. Choose Web application as the application type, enter a name, and enter the following information for the series of access points you're using:
      • Authorized JavaScript origins:
      • Authorized redirect URIs:
      • Authorized JavaScript origins:
      • Authorized redirect URIs:

      After saving your changes, you'll see your Client ID and Client secret in the OAuth client created window.

    • Facebook: Select Enable to allow users to sign in with their Facebook credentials.

      You'll need your Facebook App ID and App Secret from the Facebook Developer Account. To get this information, do as follows:

      1. Sign in to the Facebook developer site.
      2. Click My Apps and click Add New App.
      3. Select an app type and click Next.
      4. Fill in the required details and click Create App.
      5. Click Settings and click Basic. You can see your App ID.
      6. Click Show to see your App Secret.
    • Authorized domain: You can set the authorized domain for Google and Facebook.

    • Session timeout: You can set Session Timeout between 1 and 24 hours.
    • Re-login timeout: Select Enable to stop users from signing into the network for 24 hours after they authenticate for the first time.


    If a user signs in with a social media account they're asked to accept the certificate and continue. They must click the Google button to do this.

  • Voucher: Use printable vouchers with time limits for authentication. Click Create voucher to create a new voucher.

Redirect URL

You can set the behavior of the captive portal after users authenticate. You can send authenticated users to the page they initially requested or a custom URL. The options are as follows:

  • Redirect URL: Choose from the following options:

    • Redirect to original URL: Redirects users to the website they originally wanted to reach after authentication.
    • Custom URL: Redirects users to a specific website after authentication. Enter the URL in the Custom URL field.

More information