AP6 and APX mixed deployment guide
When upgrading your environment to Sophos AP6 access points, you may need to have AP6 and APX access points deployed simultaneously in a mixed deployment. A mixed wireless deployment is a wireless network consisting of AP6 and APX access points deployed in the same location, managed by Sophos Central, where wireless clients can roam between the two series of access points. This configuration is supported, but you must be aware of some considerations and limitations because APX access points don't support some advanced Wi-Fi 6 features available in AP6 models. This guide provides considerations and recommendations for deploying a combination of AP6 and APX access points in the same location.
SSID configuration
In a mixed deployment, you can configure your AP6 and APX access points with the same SSID or choose to give them different SSIDs. Giving them the same SSID is preferable because it provides the best and most seamless user experience. However, there may be times when giving your AP6 and APX access points different SSIDs is preferable or necessary, for example if you want to use captive portal authentication or mesh.
Using the same SSID
When configuring AP6 and APX in a mixed deployment with the same SSID, you must configure both SSIDs with identical settings. This means limiting AP6 access points to the 2.4 GHz and 5 GHz frequency bands and encryption to WPA2 or WPA2/WPA3. To do this, use the Clone for AP6 option in Sophos Central. This option lets you create an SSID for AP6 access points using the same settings as the selected APX SSID. See SSIDs.
For example, AP6 420E and 840E require WPA3 or OWE encryption to broadcast on the 6 GHz frequency band. APX access points don't support these settings. Configuring the 6 GHz frequency band would lead to encryption incompatibility and prevent wireless clients from roaming between AP6 and APX access points. You would need to configure the AP6 access points with only the 2.4 GHz and 5 GHz bands and WPA2 encryption or configure a separate SSID for the AP6 access points. This lets them use the 6 GHz band and stronger encryption without causing roaming issues for connected clients.
Using different SSIDs
If you're using captive portal in your environment, we recommend that you configure a separate SSID for AP6 access points. If the coverage area is large enough, you can deploy the AP6 and APX access points in separate areas to minimize roaming between them. This is because authentication information for the captive portal isn't shared between the AP6 and APX access points. In a mixed deployment using captive portal, wireless clients must reauthenticate when roaming between AP6 and APX access points regardless of the authentication method used.
Vouchers and passwords created for one series of access points aren't recognized on the other. If your captive portal uses vouchers or a password schedule for authentication, wireless clients must enter different information when roaming between the different series of access points, even if the SSID name is the same.
Because of the impact on the user experience, we recommend configuring a separate SSID for AP6 access points. We also recommend that you separate the different series of access points within your environment as much as possible to minimize roaming and reauthentication. You can also use the captive portal landing page to let users know which voucher or password they must use for that specific SSID.
Compatible wireless features between AP6 and APX
When configuring a mixed deployment, you must make sure you know which wireless features are fully compatible, which are partially compatible, and which features are incompatible with AP6 and APX series access points.
Full compatibility
For the most seamless user experience, you can create an SSID for AP6 and a separate SSID for APX with identical settings. If the settings are compatible, users can roam between the two series of access points without any issues. The following Sophos Central wireless features are fully compatible between AP6 and APX and will function in a mixed deployment if they're configured with the same settings:
- SSID
- Network availability
- Multicast to unicast conversion (IGMP Snooping)
- Proxy ARP
- Firmware upgrade
Sites and Floorplan are also fully compatible with AP6 and APX access points. You can add both series of access points to sites and floorplans in Sophos Central to manage and visualize your mixed deployment.
Partial compatibility
Certain settings will work in a mixed deployment if you select options compatible with both series of access points. The following Sophos Central wireless features are partially compatible between AP6 and APX and will function in a mixed deployment if you select compatible settings:
- Encryption mode: AP6 and APX access points support WPA2 encryption. You can't use WPA3 in a mixed deployment.
- Encryption algorithm: AP6 and APX access points support AES. You can't use TKIP in a mixed deployment.
- Frequency band: AP6 and APX access points support the 2.4 and 5 GHz frequency bands. You can't use the 6 GHz frequency band in a mixed deployment.
The following settings can work identically on both series of access points but you must configure them on each series because the settings don't synchronize between the different series of access points.
- Client isolation
- MAC Filtering
- Guest network
No compatibility
The following Sophos Central wireless features are incompatible between AP6 and APX and can't be used in a mixed deployment:
- Mesh: AP6 and APX access points support mesh configuration, but you can't mix AP6 and APX access points in a mesh network.
- Fast roaming: In a mixed deployment, Fast roaming only works between bands on AP6 or APX access points, not between the AP6 and APX models.
- Captive portal: The configuration doesn't sync between AP6 and APX.
- Authentication types: Captive portal authentication doesn't sync between AP6 and APX.
- Walled garden: The configuration doesn't sync between AP6 and APX.
Diagnostics
AP6 and APX access points have different diagnostic capabilities. The following table shows which diagnostic features are available for each series of access points:
| Diagnostic feature | AP6 | APX |
|---|---|---|
| Packet capture | Note: APX packet capture requires a third-party tool, such as Wireshark. | |
| Syslog | ||
| System logs |
Tip
You can access AP6 packet capture and system logs in Sophos Central.
Access point details
In Sophos Central, you can manage multiple settings for each access point from its details page. The following table shows which features you can control from the access point's details page:
| Setting | AP6 | APX |
|---|---|---|
| Airtime fairness | ||
| TX Power | ||
| Channel width | ||
| Autochannel | ||
| Reboot Access Point | ||
| Devices | ||
| Task queue | ||
| Time zone | Must be manually set. See Time Zone. | APX access points use UTC. |