Understanding WLAN Service Profiles


A wireless LAN (WLAN) Service profile is a set of configurations, including a unique SSID, that provides clients with part of a wireless connection to the wireless network. You must have at least one WLAN Service profile with an SSID on your wireless network for operation. Note that there are no default profiles provided by MSS—you must configure each WLAN Service profile. This topic describes the parameters configured in a WLAN Service profile.

There are many parameters, either optional or mandatory, that are associated with every SSID. The WLAN Service profile provides some of these parameters but not all of them.


The SSID name is the most important configuration in a WLAN Service profile. Only the SSID name and WLAN name are actually required to create a WLAN Service profile—the other parameters have default values.

Wireless networks are identified by unique network names such as Juniper Networks_meetings or employee_patio. The unique name is known as a service set identifier, or SSID, and this electronic identifier serves as a password for certain online communications. Most controllers are set to broadcast their SSID using WPA or WPA2 encryption. If an SSID is not broadcast, you must manually configure one or more SSIDs on clients so that the clients automatically find and connect to those SSIDs when they are in range of the controller. On a PC running Microsoft Windows OS, this setting is typically found in the Network Control Panel.

Beaconing the SSID Name

By default, SSIDs are beaconed, which means that an SSID advertises its name on the air. You might want to disable beaconing for security reasons, although doing so can make it more difficult for clients to access the WLAN. When you disable beaconing for an SSID, the radio still sends beacon frames, but the SSID name in the frames is blank. For a non-beaconed SSID, radios respond only to directed 802.11 probe requests that match the non-beaconed SSID string.


Disabling beaconing is not particularly effective as a security measure because any sniffer can easily detect the name of the SSID.
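The following added example (not part of the original documentation) parses the SSID element of 802.11 management frames to show where the name of a non-beaconed SSID still appears in clear text: the beacons carry a blank name, but the directed probe request and the radio's response to it do not. The frames, the MAC address and the helper names are constructed for illustration.

```python
MGMT_HDR_LEN = 24  # frame control, duration, three addresses, sequence control
# Management subtypes that carry an SSID element -> (name, fixed-field length)
SUBTYPES = {8: ("beacon", 12), 5: ("probe-response", 12), 4: ("probe-request", 0)}

def ssid_element(frame: bytes):
    """Return (frame kind, SSID or None) for a raw 802.11 management frame.
    None means the SSID element is empty or all zero bytes (a blank name)."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in SUBTYPES:
        return None                            # not a frame type that names an SSID
    kind, fixed_len = SUBTYPES[subtype]
    pos = MGMT_HDR_LEN + fixed_len
    while pos + 2 <= len(frame):               # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:                   # truncated capture
            break
        if eid == 0:                           # element ID 0 is the SSID
            blank = elen == 0 or not any(body)
            return kind, None if blank else body.decode("utf-8", "replace")
        pos += 2 + elen
    return kind, None

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Construct a minimal sample frame (test data, not a capture)."""
    ap = bytes.fromhex("020000000001")         # constructed, locally administered MAC
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + ap + ap + b"\x00\x00"
    fixed = b"\x00" * SUBTYPES[subtype][1]
    elements = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID, one rate
    return header + fixed + elements

def names_on_air(frames):
    """SSID names readable in clear text across a list of frames."""
    return {r[1] for r in map(ssid_element, frames) if r and r[1]}

SAMPLE = [
    build_frame(8, b""),                       # non-beaconed SSID, zero-length name
    build_frame(8, b"\x00" * 14),              # non-beaconed SSID, zero-filled name
    build_frame(4, b"employee_patio"),         # client's directed probe request
    build_frame(5, b"employee_patio"),         # radio's reply to that probe
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(ssid_element(frame))
    print("names visible:", names_on_air(SAMPLE))
```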

Mapping WLAN Service Profiles to Additional Profiles

WLAN Service Profiles rely on other profiles, such as Authentication profiles and Authorization profiles, to provide additional parameters for the SSID. You link these other profiles as part of the WLAN configuration. (For more information, see Understanding Network Director SSID Configuration Using Profiles.) The completed WLAN Service profile is then mapped to a Radio profile during configuration of the Radio profile. It is the Radio profile that is actually deployed to controllers, pulling all of the other mapped profiles along with it.

SSID Encryption

Encryption protects information within a wireless session by reading that information in a data stream and altering it to make it unreadable to users outside the network.

Encryption (ssid-type) is either on (Crypto) or off (Clear). If encryption is on, additional configuration indicates the type of encryption (WPA and/or WPA2) and any added ciphers such as TKIP (tkip-mc-time) or CCMP. For more information, see Understanding Wireless Encryption and Ciphers.

Both WPA and WPA2 are enabled by default in Network Director. Clients that use only WPA associate by using WPA and all clients capable of using WPA2 associate by using WPA2.


The original wireless encryption method, WEP, is not supported in Network Director.

Authentication Used for Encryption Methods

The standard for wireless LAN authentication is the IEEE 802.1X standard, which is based on the IETF's Extensible Authentication Protocol (EAP). EAP and 802.1X together provide an authentication framework.

The second way to authenticate encrypted traffic is pre-shared key (PSK) authentication. If you use PSK, you must also provide the key or password. For more information, see Understanding Wireless Encryption and Ciphers.

Associated Authentication Profile

An Authentication profile must be associated with each WLAN Service profile—you do this by selecting an Authentication profile while configuring the WLAN. Authentication profiles are described in Understanding Authentication Profiles.

Associated Authorization Profile

An Authorization profile is also mapped to WLAN Service Profiles—you do this by selecting an Authorization profile while configuring the WLAN. Authorization profiles are described in Understanding Wireless Authorization Profiles.


Clients usually switch VLANs when they switch controllers, usually as a result of roaming, but you can make initially assigned VLANs persist over different controllers. If an 802.1X user is not assigned to a VLAN by AAA, and subsequently roams to a controller where the VLAN he was in does not exist, a tunnel is set up so that he stays in that VLAN. This does not work for Web portal clients, however.

Bandwidth Limit for Client Sessions

You can limit bandwidth for clients to prevent one client from hogging bandwidth.

Load Balancing Between Access Points

RF load-balancing is the ability to reduce network congestion over an area by distributing client sessions across the access point radios with overlapping coverage in the area. Load balancing automatically occurs on the mobility domain to ensure maximum failover capability. For more information, see Understanding Load Balancing for Wireless Radios.

Using Proxy ARP

Proxy address resolution protocol (ARP) is a technique by which a device on a network answers requests for a different device. Because the proxy knows the location of the traffic’s destination, it offers its own IP address then sends the traffic on to the true destination.

Usually, wireless clients receive an IP address from a router. If you want to, you can have the controller respond to wireless clients’ search for a destination, and then forward the traffic to the router.

Restricting DHCP

The dynamic host configuration protocol (DHCP) is used to configure network devices with IP addresses from a DHCP server.

You can configure a controller to capture but not forward any wireless client traffic except DHCP traffic during authentication and authorization. This is referred to as restricting DHCP and enables a controller to authenticate and authorize new clients more quickly.

Client Types

You decide which client types to support on a WLAN. If you put all clients on one WLAN, they will be reduced to the speed of the slowest client—we do not recommend doing this.

Possible client types are:

  • 802.11n clients use newer technology that can produce throughput link rates above 54 MBps, if you select only this client type and enforce the data rate (speed). Typical clients include laptops, PCs, and streaming video.


    The Wi-Fi Alliance requires that high-throughput (802.11n) transmissions use WPA2 and CCMP.

  • 802.11g clients can have throughput link rates as fast as 54 MBps, with a more average rate of 19 MBps. Typical clients include older laptops and PCs.

  • 802.11a clients can have throughput link rates as fast as 54 MBps, with a more average rate of 19 MBps.

  • 802.11b clients can have throughput link rates as fast as 10 MBps.

Call Admission Control Settings for Voice

Call admission control (CAC) regulates the addition of new real-time media sessions on access point radios, guaranteeing a higher quality of service to a fixed number of clients by limiting either the number of concurrent sessions or the number of concurrent phone calls.

There are two CAC methods, WMM and SVP. WMM is enabled by default and is used by all newer 802.11n devices. SVP includes all the configurations of WMM, but adds Spectralink phones at the top of the priority list. SVP is a legacy technology—Spectralink's new phones use WMM.

As the name indicates, call admission control applies to real-time media traffic as opposed to data traffic. Call admission control mechanisms and quality-of-service settings work together to protect voice traffic from the negative effects of other voice traffic and keep excess voice traffic off the network. For more information, see Understanding Call Admission Control.

Retry Count

The retry count is the number of times a channel resends a frame without getting a response. You can configure 1 - 15 attempts, with each attempt taking more time and affecting throughput. We recommend configuring five attempts.

You can also specify either a long retry count or a short retry count. The difference between the two methods is the length of the pause between attempts. In general, a short retransmission works best in heavy traffic and is used most often. You might want to try a long transmission if the network is experiencing a lot of interference.

Client Timeouts

Timeouts are used to disconnect clients under certain circumstances. You can change the timeframes for these timeouts:

  • User Idle—180 seconds

  • Handshake attempt (logon)—20 milliseconds

  • Web portal session—0 seconds (which means no timeout)

802.11n Settings

802.11n is the most recent wireless technology that utilizes different mechanisms than previous versions of 802.11. Therefore, there are settings that apply only to 802.11n traffic.

Guard Intervals

A guard interval is the interval observed before the next bit of traffic is transmitted. This guard interval ensures that bit transmissions do not interfere with one another. As long as the echoes fall within this interval, they do not affect the receiver's ability to safely decode the actual data, because data is interpreted only outside the guard interval—it eliminates intersymbol interference. In normal 802.11 operation, the guard interval is 800 ns. In 802.11n operation, short guard intervals of 400 ns are supported. Shorter guard intervals between symbols increase throughput. Legacy devices might require long guard intervals. By reducing this interval (called short guard interval), data bits are transmitted in shorter intervals and provide for increased throughput.

Frame Aggregation

You can enable frame aggregation for certain frame types in 802.11n. Multiple packets of application data can be aggregated into a single packet called an aggregated MAC protocol data Unit (A-MPDU). This improves performance because the number of packets is reduced.

After transmission of every frame, an idle time called Interframe Spacing (IFS) is observed before transmitting the subsequent frame. When frames are aggregated, fewer IFS intervals are used, which in turn reduces the time for data transmission. In addition, when clients operating in 802.11n send an acknowledgement for a block of aggregated packets instead of for individual packets, the overhead involved in frame acknowledgements is reduced, increasing overall throughput.

MAC Service Data Unit (MSDU) Length

With 802.11n, you can change the maximum length for a MAC service data unit (MSDU) to reduce the overhead associated with each transmission. An MSDU is the service data unit received from the logical link control (LLC) sub-layer which lies above the medium access control (MAC) sub-layer in a protocol stack. When 802.11n is an enabled client type for this WLAN, you can configure the maximum aggregated MSDU packet length. This enables joining multiple packets together into a single transmission unit, which reduces the overhead associated with each transmission. MSDU default length is 4K.

MPDU Length

MPDU can have a maximum length for frame aggregation.

Maximum Bandwidth Used by a WLAN Service Profile’s SSID

The speed of a computer network is most commonly stated in bandwidth units of Megabits per second (Mbps) or Gigabits per second (Gbps). This standard measure of communication capacity (data rate) is advertised by all computer networking equipment. When you indicate a maximum bandwidth for a WLAN, you are indicating the highest data rate you support with a given WLAN Service profile. Devices in each category have a maximum bandwidth, so the maximum bandwidth also determines which devices are supported. For example, the 802.11g standard for wireless networking supports a maximum bandwidth of 54 Mbps, including overhead. 802.11n supports a maximum bandwidth of 600 Mbps.

Maximum Transmission Unit Parameter

The maximum transmission unit (MTU) of the communications protocol of a layer is the size (in bytes) of the largest protocol data unit that the layer can forward. MTU parameters usually appear in association with a communications interface such as a NIC card or serial port.

Client Probing of Idle Clients

Idle client probing sends periodic keepalives from a radio to non-transmitting clients. By default, a radio sends idle-client probes every 10 seconds to each client with a session on the radio to verify that the client is still active. The probes are unicast null-data frames. Normally, an active client sends an ACK in reply to an idle-client probe. If a client does not send any data or respond to idle-client probes before the user idle timeout expires, the client session is disassociated.

Enable Pre-Shared Key (PSK) for WPA or WPA2

WPA-PSK is an authentication mechanism in which users provide credentials that determine whether they are allowed access to a network. This requires that a single password be entered into each WLAN node (access points, wireless routers, client adapters, bridges). When the passwords match, a client is granted access to a WLAN.

Create a Pre-Shared Key (PSK) Phrase for WPA or WPA2

A pre-shared key (PSK) phrase is the hexadecimal secret phrase used for authenticating WPA or WPA2 clients. Note that either WPA or WPA2 security must be enabled for this to have any effect.

Create a Pre-Shared Key (PSK) Raw Phrase for WPA or WPA2

A pre-shared key (PSK) raw phrase is the raw hexadecimal secret phrase used for authenticating WPA or WPA2 clients. Note that either WPA or WPA2 security must be enabled for this to have any effect.
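The relationship between a PSK phrase and a raw PSK, as an added example that is not part of the original documentation: in standard WPA/WPA2-Personal (IEEE 802.11i), a passphrase of 8 to 63 printable ASCII characters is converted to the 256-bit raw key (64 hexadecimal digits) with PBKDF2-HMAC-SHA1, using the SSID as salt. It is assumed here that the controller applies this standard mapping; the function names and the sample passphrase are constructed for illustration.

```python
import hashlib
import string

def psk_from_phrase(phrase: str, ssid: str) -> str:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 256-bit output (returned as 64 hex digits)."""
    if not 8 <= len(phrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in phrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", phrase.encode("ascii"), salt, 4096, 32).hex()

def check_raw_psk(raw: str) -> str:
    """A raw PSK is the 256-bit key itself: exactly 64 hexadecimal digits."""
    if len(raw) != 64 or any(c not in string.hexdigits for c in raw):
        raise ValueError("raw PSK must be exactly 64 hexadecimal digits")
    return raw.lower()

def resolve_psk(value: str, ssid: str) -> tuple:
    """Treat a 64-character value as a raw key, anything else as a phrase.
    The two cannot collide because a phrase is at most 63 characters."""
    if len(value) == 64:
        return "raw", check_raw_psk(value)
    return "phrase", psk_from_phrase(value, ssid)

if __name__ == "__main__":
    # Constructed sample phrase; the SSID names are the ones used on this page.
    phrase = "correct horse battery staple"
    for ssid in ("employee_patio", "Juniper Networks_meetings"):
        kind, key = resolve_psk(phrase, ssid)
        print(f"{ssid:26} {kind:6} {key}")
    # Same phrase, different SSID -> different raw key, so a raw key
    # must be regenerated whenever the SSID is renamed.
```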

Enforce Data Rates

By default, a client can associate with and transmit data to an access point by using a slower data rate than the mandatory or standard rate, although the access point does not necessarily transmit data back to the client at the slower rate.

When you enforce data rates, a connecting client must transmit at one of the mandatory or standard rates to associate with the access point. Clients transmitting at slower rates cannot associate with the access point.

Retry Count for Sending Frames

Retry-count settings indicate how many times the network sends either a long unicast frame or short unicast frame without receiving an acknowledgement. If you set retry count to zero, frames are sent once with no retries.


The fragmentation threshold uses the short-retry-count for frames shorter than 2346 bytes and uses the long-retry-count for frames that are 2346 bytes or longer.

WPA Encryption Type Used

Enable and choose WPA encryption—either WPA or WPA2. Either or both TKIP and CCMP cipher algorithms for WPA and WPA2 can be added.


The Wi-Fi Alliance requires that high-throughput (802.11n) transmissions use WPA2 and CCMP.

Shared Key Authentication Values

Shared key authentication is a process by which a client gains access to a WLAN by using an encryption key. The key, obtained in advance by the client, must match a key stored at the access point. To begin the connection process, the client sends a request for authentication to the access point. The access point responds by generating a sequence of characters called a challenge text for the computer. The computer encrypts the challenge text with the key and transmits the message back to the access point. The access point decrypts the message and compares the result with the original challenge text. If there are no discrepancies, the access point sends an authentication code to the connecting computer. Finally, the computer accepts the authentication code and becomes part of the network for the duration of the session or for as long as it remains within range of the original access point. If the decrypted message does not precisely agree with the original text, the access point does not allow the computer to become part of the network.

Radio Transmit Rates Used

Radio transmit rates supported by access point radios have defaults, but you can change the transmit rates for the radios. Each type of radio (802.11a, 802.11b, 802.11g, and 802.11n) providing service to an SSID has a set of rates the radio is enabled to use for sending beacons, multicast frames, and unicast data. The rate you set also specifies the rates clients must support to associate with a radio.

WMM Power Save

WMM Power Save is disabled by default, even though it saves client battery life, because clients that use power save must send a separate PS-Poll to retrieve each unicast packet buffered by the access point radio. This increases bandwidth use and affects performance. For more information, see Understanding WMM Power Save and WLAN Client Battery Life.