Add a New Wireless Network

This page describes how to create a new wireless network.

The Add button on the Wireless Networks page allows you to define a new wireless network. The network can then be used in definitions for access points and access point groups.

  1. Go to Device Configuration > Protect > Wireless > Wireless Networks and click the Add button.
    A new page General Settings opens.
  2. Make the following settings:
    Name
    Enter a descriptive name for the network.
    Description
    Enter a description for the wireless network that helps you to identify it.
    SSID
    Enter the Service Set Identifier (SSID) for the network which will be seen by clients to identify the wireless network. The SSID may consist of 1-32 ASCII printable characters. It must not contain a comma and must not begin or end with a space.
    Security Mode
    Select a security mode from the drop-down list. Default is WPA2 Personal.
    We recommend that you prefer WPA2 over WPA, if possible. For security reasons, we recommend that you do not use WEP unless there are clients using your wireless network that do not support one of the other methods.
    When using an enterprise authentication method, you also need to configure a RADIUS server on the System > Authentication > Authentication Server or Objects > Assets > Authentication Server page. As the NAS ID of the RADIUS server, enter the wireless network name.
    Note: Sophos XG Firewall supports the IEEE 802.11r standard in WPA2 (PSK/Enterprise) networks to reduce roaming times. Clients also need to support the IEEE 802.11r standard.
    Passphrase/PSK
    Only available with WPA Personal, WPA2 Personal and WPA2/WPA Personal security mode.
    Enter the passphrase to protect the wireless network from unauthorized access and repeat it in the next field. The passphrase may consist of 8-63 ASCII printable characters.
    Key
    Only available with WEP Open security mode.
    Enter a WEP key here that consists of exactly 26 hexadecimal characters.
    Client Traffic
    Select how the wireless network is to be integrated into your local network.
    Separate Zone
    Default.
    The wireless network is handled as a separate network, having an IP address range of its own. Using this option, after adding the wireless network, proceed as described in chapter Next Steps for Separate Zone Networks.
    Note: When switching an existing Separate Zone network to Bridge to AP LAN or Bridge to VLAN, an already configured WLAN interface will be deleted.
    Zone
    Select a zone where the wireless network should be broadcast.
    Default: WiFi
    IP Address
    Assign an IP address to the wireless network.
    Netmask
    Select a subnet mask for the IP address.
    Bridge to AP LAN
    You can bridge a wireless network into the network of an access point, which means that wireless clients share the same IP address range. Using this option, after adding the wireless network, proceed as described in chapter Next Steps for Bridge to AP LAN Networks.
    Bridge to VLAN
    Not available for Local WiFi Devices.
    You can decide to have this wireless network's traffic bridged to a VLAN of your choice. This is useful when you want access points to be in a common network separate from the wireless clients.
    Bridge to VLAN ID
    Enter the VLAN ID of the network that the wireless clients should be part of.
    Client VLAN ID
    Only available with an enterprise security mode.
    Select how the VLAN ID is defined.
    • Static: Uses the VLAN ID defined in the Bridge to VLAN ID field.
    • RADIUS & Static: Uses the VLAN ID delivered by your RADIUS server: When a user connects to one of your wireless networks and authenticates at your RADIUS server, the RADIUS server tells the access point what VLAN ID to use for that user. Thus, when using multiple wireless networks, you can define per user who has access to which internal networks. If a user does not have a VLAN ID attribute assigned, the VLAN ID defined in the Bridge to VLAN ID is used.
  3. Optionally, you can make the following Advanced Settings:
    Encryption
    Only available with WPA, WPA2 or WPA2/WPA encryption modes. Select an encryption algorithm, which can be AES, TKIP or TKIP&AES. For security reasons, it is recommended that you use AES.
    Frequency Band
    Access points assigned to this wireless network will transmit on the selected frequency band(s). The 5 GHz band generally has higher performance, lower latency, and is typically less disturbed. Hence it should be preferred for, e.g., VoIP communication. For an overview of which APs support the 5 GHz band, see chapter Protection > Wireless Protection > Access Points or Objects > Assets > Access Points.
    Time-based Access
    Select this option if you want to automatically enable and disable the wireless network according to a time schedule.
    Select Active-Time
    Select a schedule definition which determines when the wireless network is enabled. You can add a new schedule definition by clicking the Add button.
    Client Isolation
    Clients within a network usually can communicate with one another. If you want to prevent this, for example in a guest network, select Enabled from the drop-down list.
    Hide SSID
    If you want to hide the wireless network's SSID, select Yes from the drop-down list. Please note that this is not a security feature.
    Fast Transition
    Only available with WPA2 Personal/Enterprise security mode.
    Wireless networks with WPA2 security use the IEEE 802.11r standard. If you want to prevent this, select Disabled from the drop-down list.
    MAC Filtering
    To restrict the MAC addresses allowed to connect to this wireless network, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC List. With Whitelist, all MAC addresses are prohibited except those listed on the MAC List.

    MAC Hosts added under Objects > Host and Services > MAC Host will be displayed in the MAC List.

    Figure: Add Wireless Network
  4. Click Save to save your settings and add the wireless network.
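
The field limits and recommendations above can be checked before a network is entered in the form. The following is an added example, not code from Sophos or the firewall: the dictionary keys (ssid, security_mode, passphrase, key, encryption, hide_ssid, client_isolation, guest) are hypothetical names chosen for this sketch, and "ASCII printable" is assumed to mean the characters from space through tilde.

```python
import re
import string

# "ASCII printable" taken here as space through tilde (0x20-0x7E); an assumption.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
PSK_MODES = {"WPA Personal", "WPA2 Personal", "WPA2/WPA Personal"}


def check_network(net):
    """Return (errors, warnings) for a planned network; keys are hypothetical."""
    errors, warnings = [], []
    ssid = net.get("ssid", "")
    mode = net.get("security_mode", "WPA2 Personal")  # default per the page
    # SSID: 1-32 printable ASCII, no comma, no leading or trailing space.
    if not 1 <= len(ssid) <= 32 or not set(ssid) <= PRINTABLE:
        errors.append("ssid: must be 1-32 printable ASCII characters")
    if "," in ssid:
        errors.append("ssid: must not contain a comma")
    if ssid != ssid.strip(" "):
        errors.append("ssid: must not begin or end with a space")

    if mode in PSK_MODES:
        psk = net.get("passphrase", "")
        if not 8 <= len(psk) <= 63 or not set(psk) <= PRINTABLE:
            errors.append("passphrase: must be 8-63 printable ASCII characters")
    elif mode == "WEP Open":
        if not re.fullmatch(r"[0-9A-Fa-f]{26}", net.get("key", "")):
            errors.append("key: must be exactly 26 hexadecimal characters")
        warnings.append("security_mode: WEP only if clients support nothing else")

    # Recommendations stated on the page.
    if mode.startswith("WPA") and "WPA2" not in mode:
        warnings.append("security_mode: prefer WPA2 over WPA")
    if net.get("encryption") in ("TKIP", "TKIP&AES"):
        warnings.append("encryption: AES is recommended")
    if net.get("hide_ssid"):
        warnings.append("hide_ssid: not a security feature")
    if net.get("guest") and not net.get("client_isolation"):
        warnings.append("client_isolation: enable it for a guest network")
    return errors, warnings


# Constructed sample definition, not taken from a real device.
SAMPLE = {"ssid": " Guest,WiFi", "security_mode": "WPA Personal",
          "passphrase": "short", "encryption": "TKIP", "hide_ssid": True,
          "guest": True}

if __name__ == "__main__":
    print(check_network(SAMPLE))
```

Errors are values the form would reject; warnings are settings the page advises against but still permits.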