Overview

The Wireless Protection > Access Points > Overview page provides an overview of access points (AP) known to the system. Sophos UTM on AWS distinguishes between active, inactive and pending APs. To make sure that only genuine APs connect to your network, APs need to be authorized first.

Access points can be temporarily disabled on the Grouping tab. When an AP is physically removed from your network, you can delete it here by clicking the Delete button. As long as the AP remains connected to your network, it will automatically re-appear in Pending state after deletion. SG "w" appliances with on-board WiFi cannot be deleted form the AP list.

Tip – Each section of this page can be collapsed and expanded by clicking the Collapse icon on the right of the section header.

Active Access Points

Here, APs are listed that are connected, configured, and running. To edit an AP, click the Edit button (see Editing an Access Point below).

Inactive Access Points

Here, APs are listed that have been configured in the past but are currently not connected to Sophos UTM on AWS. If an AP remains in this state for more than five minutes, please check the network connectivity of the AP and the configuration of your system. A restart of the Wireless Protection service will erase Last Seen timestamps. To edit an AP, click the Edit button (see Editing an Access Point below).

Pending Access Points

Here, APs are listed that are connected to the system but not yet authorized. To authorize an access point, click the Accept button (see Editing an Access Point below).

After receiving its configuration, the now authorized access point will be immediately displayed in one of the above sections, depending on whether it is currently active or not.

Editing an Access Point

  1. Click the Edit or Accept button of the respective access point.

    The Edit Access Point dialog window opens.

  2. Specify the following settings:

    Label (optional): Enter a label to easily identify the AP in your network.

    Country: For dedicated APs select the country where the AP is located. For a Local WiFi Device the country is derived from the global country setting on the Management > System Settings > Organizational tab.

    Important Note – The country setting regulates which channels are available for transmission. To comply with local law, always select the correct country of operation.

    Note –In the Sophos APX series access point, when you change the country, the channel list shows only the Auto option until you save the settings. Also, until the Sophos APX series access point reboots and is up, it retains the previously configured country's channel list.

    Group (optional): You can organize APs in groups. If a group has been created before, you can select it from the drop-down list. Otherwise select << New group >> and enter a name for the group into the appearing Name text box. Groups can be organized on the Grouping tab.

  3. In the Wireless Networks section, make the following settings:

    Wireless network selection (only if no group or a new group is selected): Select the wireless networks the access point should broadcast. This is useful if you have, for example, a company wireless network that should only be broadcasted in your offices, and a guest wireless network that should only be broadcasted in public parts of your building. You can search the wireless network list by using the filter field in the list header.

    Note – It is possible to assign 8 wireless networks to the access point. Each wireless network can be broadcasted on 2.4 GHz and 5 GHz, which results in 16 SSIDs (8 per radio). For more information on access points bands, see chapter Access Point.

    Note – For an access point to broadcast a wireless network some conditions have to be fulfilled. They are explained in section Rules for Assigning Networks to APs below.

  4. Optionally, in the Mesh Networks section, make the following settings (only available with AP 50 and only if a mesh network is defined on the Mesh Networks tab):

    Mesh roles: Click the Plus icon to select mesh networks that should be broadcasted by the access point. A dialog window opens.

    • Mesh: Select the mesh network.
    • Role: Define the access point's role for the selected mesh network. You must designate at least one access point as root. You can select either Sophos access points or Sophos APX series access points. A root access point is directly connected to Sophos UTM on AWS. A mesh access point, after having received its initial configuration, once unplugged from Sophos UTM on AWS will connect to a root access point via the mesh network. Note that an access point can be mesh access point only for one single mesh network.

    After saving, the access point icon in the Mesh roles list designates the access point's role. Via the functional icons you can edit a mesh role or delete it from the list.

    Important Note – If you delete a mesh role from the Mesh roles list, you have to plug the access point into your Ethernet again to get its initial configuration. To change the mesh network without having to plug the access point into your Ethernet again, do not delete the mesh role but instead click the Edit icon of the mesh role, and select the desired mesh network.

  5. Optionally, make the following advanced settings:

    Band (only available for Local WiFi Devices): The Local WiFi Device allows one band only. Select 5 GHz or 2.4 GHz from the drop-down list.

    Channel (only available for Local WiFi Devices): Either keep the default setting Auto which automatically selects the last used channel for transmit or select a fix channel.

    TX Power (only available for Local WiFi Devices): Either keep the default setting 100 % for the access point to send with maximum power or down-regulate the power to reduce the operating distance, e.g., to minimize interference.

    Channel 2.4 GHz: Either keep the default setting Auto which will automatically select the least used channel for transmit or select a fix channel.

    Dyn Chan: If selected, the AP scans all available channels and connects to the channel with the best signal.

    Time-based scan: If selected, the AP checks for the best signal channel on a regular time base. To add a time event, click the Plus icon and enter the time data. You can also select a predefined time event which is listed on the Definitions & Users > Time Period Definitions tab.

    Channel 5 GHz (only available if supported by access point): You can keep the default setting Auto which will automatically select the least used channel for transmit. Or you can select a fix channel.

    Tip – When you select Auto, the currently used channel will be announced in the access point entry.

    Note – For APX 320, both radios must be on 5 GHz to enlist all available channels.

    TX power 2.4 GHz: You can keep the default setting 100 % for the access point to send with maximum power. Or you can down-regulate the power to reduce the operating distance, e.g., to minimize interference.

    TX power 5 GHz (only available with AP 50, AP 55, AP 55C, AP 100, AP 100C and AP 100X): You can down-regulate the power output for the 5 GHz band separately.

    STP: To enable Spanning Tree Protocol, select Enabled from the drop-down list. This network protocol detects and prevents bridge loops. STP is mandatory if the access point broadcasts a mesh network.

    VLAN tagging: VLAN tagging is disabled by default. If you want to connect the AP with an existing VLAN Ethernet interface, you need to enable VLAN tagging by selecting the checkbox. Make sure that the VLAN Ethernet interface is added to the Allowed interfaces box on the Global Settings > Global Settings page.

    Note – To introduce the usage of VLAN for your access points in your network, take the following steps: Connect the AP to Sophos UTM on AWS using standard LAN for at least a minute. This is necessary for the AP to get its configuration. Connecting it via VLAN from the beginning, the AP would not know of being in a VLAN and therefore would not be able to connect to Sophos UTM on AWS to get its configuration. When the AP is displayed, enable VLAN tagging and enter the VLAN ID. Then connect the AP to its intended VLAN, e.g., a switch.

    Note – When using VLAN tagging for RED 15w, ensure that a VLAN interface exists on the RED tunnel endpoint interface.

    AP VLAN ID: When VLAN tagging is enabled, enter the VLAN tag of the VLAN the access point should use to connect to Sophos UTM on AWS. Do not use the VLAN tags 0 and 1 as they usually have a special meaning on networking hardware like switches, and 4095 is reserved by convention.

    Note – When VLAN tagging is configured, the AP will try DHCP on the configured VLAN for 60 seconds. If no IP address is received during that time, the AP will try DHCP on the regular LAN as a fallback.

  6. Click Save.

    The access point receives its configuration or configuration update, respectively.

    Note – A configuration change needs approximately 15 seconds until all interfaces are reconfigured.

    If VLAN tagging is configured but the AP cannot contact Sophos UTM on AWS via VLAN, the AP will reboot itself and try again after receiving the configuration.

    Cross Reference – Find information about configuring auto channel assignment for Sophos Wireless Access Points in the Sophos Knowledge Base.

Rules for Assigning Networks to APs

An access point can only be assigned to a wireless network if the Client traffic option of the wireless network and the VLAN tagging option of the access point fit together. The following rules apply:

  • Wireless network with client traffic Separate Zone: VLAN tagging of the access point can be enabled or disabled.
  • Wireless network with client traffic Bridge to AP LAN: VLAN tagging of the access point has to be disabled.
  • Wireless network with client traffic Bridge to VLAN: VLAN tagging of the access point has to be enabled. The respective wireless clients will use the Bridge to VLAN ID specified for the wireless network, or they will receive their VLAN ID from the RADIUS server, if specified.

Reflash Bricked APs

The main reason for returned Access Points are bricked devices with a broken firmware. Therefore you can download a tool to reflash Sophos Access Points. The tool is available here.

If you are running the tool on Windows 8, you may have to disable the Windows Firewall first.

To reflash a Sophos Access Point, proceed as follows:

  1. Download the AP reflash utility.
  2. Extract the downloaded files.
  3. Run the EXE file as Administrator to start the reflash utility.
  4. Follow the instructions to flash the AP device.

    The power-LED will flash very fast.

The process is completed if the power-LED flashes every second.

Reflash Bricked RED Devices

You can download a tool to reflash Sophos RED 10 devices. The tool is available here.

If you are running the tool on Windows 8, you may have to disable the Windows Firewall first.

To reflash a Sophos RED, proceed as follows:

  1. Download the reflash utility.
  2. Extract the downloaded files.
  3. Run the EXE file as Administrator to start the reflash utility.
  4. Follow the instructions to reflash the RED device.

    Flashing will take about two minutes.