Security

The access point provides various security options for the 5 GHz wireless band.

5 GHz Wireless security settings

• SSID selection: Select an SSID to configure its security settings.

• Broadcast SSID: Turn SSID broadcast on or off. The options are as follows:

  • Enable: The SSID will be visible to devices as an available Wi-Fi network.
  • Disable: The SSID won't be visible as an available Wi-Fi network. Devices must manually enter the SSID to connect. A hidden SSID is typically more secure than a visible SSID.

• Wireless client isolation: Turns Wireless client isolation on or off. Wireless client isolation improves security by preventing devices connected to the access point from communicating with each other. This can help prevent brute force attacks on devices. Choose from the following options:

  • Disable: Wireless devices can communicate with each other.
  • STA Separator: Wireless devices can't communicate with each other.
  • SSID Separator: Wireless devices can only communicate with other wireless devices connected to the same SSID.

• 802.11k: Turns 802.11k support on or off. 802.11k allows endpoint devices to select an access point based on the number of connected devices and overall traffic.

• 802.11w: Turns 802.11w support on or off. 802.11w provides management frame protection to help mitigate some DoS attacks.

• Guest Network: Turns the guest network on or off. A guest network allows clients to connect to the internet and isolates them from private network resources.

  Note

  Guest networks allow access to all public IP addresses. If you have local resources with public IP addresses and you don't want devices on the guest network to be able to access these resources, you must configure your network to block the traffic.

• Load Balancing: Set a load balancing value. Load balancing limits the number of wireless devices connected to an SSID. The following table shows the maximum supported clients for each AP6 model:

  Access point	Maximum clients
  AP6 420, 420E, 420X	128 per radio 256 total
  AP6 840	512 per radio 1024 total
  AP6 840E	512 per radio (2.4 GHz and 5 GHz radios) 256 (6 GHz radio) 1024 total

• Authentication method: Select an authentication method from the drop-down menu.

  • No Authentication: Not recommended. This option leaves the wireless network unsecured.

  • WEP: Turns Wireless Equivalent Privacy (WEP) authentication on. You must configure the following settings:

    • Key length: Choose 64-bit or 128-bit.
    • Key type: Choose ASCII or Hex to show the character limit for each choice.
    • Default key: Choose which encryption key to use as the default.
    • Encryption key 1: Enter an encryption key. You can enter up to three more encryption keys in the Encryption key 2, Encryption key 3, and Encryption key 4 fields.

  • WPA personal: Turns Wi-Fi Protected Access (WPA) authentication on. You must configure the following settings:

    • 802.11r fast roaming: Turns 802.11r fast roaming on or off. Reduces authentication time when devices roam from one access point to another. You must choose WPA2 only as the WPA type. Additional configuration is required. See 802.11r Fast transition roaming settings.
    • WPA type: Choose WPA2/WPA3 Mixed mode-PSK, WPA3 only, or WPA2 only.
    • Key renewal interval: Sets the key renewal interval in minutes.
    • Pre-shared key type: Select Passphrase or Hex (64Characters).
    • Pre-shared key: Enter a string for your preshared key.

  • WPA-EAP: Turns Wi-Fi Protected Access (WPA) with Extensible Authentication Protocol (EAP) on or off. You must configure the following settings:

    • 802.11r fast roaming: Turns 802.11r fast roaming on or off. Reduces authentication time when devices roam from one access point to another. You must choose WPA2-EAP as the WPA type. Additional configuration is required. See 802.11r Fast transition roaming settings.
    • WPA type: Select WPA2-EAP or WPA3-EAP.
    • Key renewal interval: Sets the key renewal interval in minutes.

  • OWE: Turns Opportunistic Wireless Encryption (OWE) on or off. OWE lets users connect without a pre-shared key, similar to open authentication but adds a layer of security by encrypting communication between the access point and connected devices.

• Additional authentication: You can add additional layers of security by selecting an additional authentication method from the drop down menu. You can choose from the following options:

  • No additional authentication
  • MAC address filters: You can use MAC address filters to allow or block specific devices. See MAC Address filters.
  • MAC filter & MAC RADIUS authentication: Sets a combination of MAC address filters and MAC RADIUS Authentication.

  • MAC RADIUS authentication: You can use MAC RADIUS authentication to allow access to your network. You must configure the following settings:

    • MAC RADIUS password: You can choose Use MAC address to allow devices based on their MAC address or Use the following password to set your password.

802.11r Fast transition roaming settings

If you turn on 802.11r fast roaming, you must configure the following settings:

• mobility_domain: The mobility domain is the group of access points you want devices to be able to fast roam between. The field must contain four hexadecimal characters (0-9 and a-f).
• Encryption key: The encryption key must contain 32 hexadecimal characters (0-9 and a-f).
• Over the DS: Turns Over-the-DS (Distribution System) preauthentication on or off. Over-the-DS preauthentication allows a device to communicate with a new access point through its current access point before it moves to the new one.

5 GHz Wireless advanced settings

• Smart handover: Turn Smart handover on or off.
• RSSI threshold: Received Signal Strength Indicator (RSSI) measures the strength of the access point's signal at the endpoint device. The closer the value is to zero, the stronger the signal is. Devices below the selected threshold won't be able to connect to the network.