Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


WLAN Options

Navigating to the WLAN Settings Window

  • For a WLAN in a WLAN template, select Organization > Wireless | WLAN Templates from the left menu, then create a WLAN template or select an existing template. To add a WLAN to your template, click Add WLAN. To edit an existing WLAN in the WLANs list, click it.

  • For a site-level WLAN, select Site > Wireless | WLANs from the left menu, and then click Add WLAN. To edit an existing WLAN on the WLANs page, click it.

WLAN Configuration Options

Table 1: WLAN Options
Option Summary

This is the name the WLAN will broadcast for clients to see.

While you can configure as many as 15 service set identifiers (SSIDs) per radio, a good rule of thumb for device profiles and WLAN templates is to use only two or three WLANs per AP. The idea is to minimize the airtime overhead incurred by beacon management frames, which are sent every 102.4ms per radio, at the Minimum Basic Rate (MBR). In other words, unless you are carefully considering data rates and co-channel contention in order to achieve four, six, or even eight active WLANs on an AP, we recommend two or three WLANs per AP max.

WLAN Status

This option controls whether an AP broadcasts the configured WLAN. You can also use it to hide the SSID and instead broadcast the AP by name.

Radio Band

Choose which radio frequencies to broadcast on the WLAN: 2.4 GHz, 5 GHz, or 6 GHz. Wireless clients typically experience better performance when connected to the 5-GHz band rather than the 2.4-GHz band. The 5-GHz band has more channels, resulting in less co-channel contention, and there are more sources of interference on the 2.4-GHz band.

See Radio Management, Radio Management (page), and Radio Settings (RF Templates).

Band Steering

Band steering detects whether a connected client has dual-band (2.4 GHz and 5 GHz) capabilities. This option steers clients with dual-band capability to join the 5-Ghz band if the signal is good. Both the 2.4-GHz and 5-GHz radios need to be enabled on the WLAN. Band steering is disabled by default.

Note that even with band steering, clients can still hear beacon frames from the 2.4-GHz radios and can sometimes connect to these radios.

See Radio Management (dual band) and Dual Band Usage Examples.

Client Inactivity

You configure an inactivity timer on your WLAN to prevent congestion. The AP deauthenticates inactive clients, as defined by the time you set here. The default time is 1800 seconds.


Geofencing can prevent clients with a received signal strength indicator (RSSI) below a specified decibel-milliwatt (dBM) level from joining the network. You can set a minimum client RSSI, per radio band, to prevent clients who are beyond a given distance or range from joining the WLAN. Geofencing applies only to the initial association. Therefore, if a client is already associated to the network, the client will not be dissociated if its RSSI value falls below the configured threshold. The default is disabled for all radio-bands.

See Enable Geofencing.

Data Rates

Set data rates to prevent clients with slow connections from degrading the overall WLAN performance.

The default is Compatible, which allows all connections. The other options are:

  • No Legacy (2.4G, no 11b)—Prevents 802.11b and 802.11g devices from joining the WLAN. This option has the effect of adding capacity to the network.

  • High Density (disable all lower rates)—Prevents 802.11b and 802.11g clients from joining the network if they don't meet a minimum signal level.

  • Custom Rates—See Data Rates.

Wi-Fi Protocols You use this option to enable or disable Wi-Fi 6 on the supported APs.
WLAN Rate Limit

You use this option to configure a WLAN rate limit to enforce an uplink and downlink rate for the WLAN. You can configure rate limits per AP, per client, and per application. You can also limit the total bandwidth allocation for a given application. Note, however that rate limiting bandwidth per client is often self-defeating, as it can have the effect of increasing the clients airtime consumption (by prolonging downloads).

Per-Client Rate Limit

Client rate limits set the uplink and downlink rate per client.

Application Rate Limit

This option limits the uplink or downlink rate per client for the specified application. You must identify applications by their name or hostname.

Apply to Access Points Select the APs you want this WLAN to apply to: All, Specific, or according to the AP label.

Security Types

  • WPA3 using Enterprise (802.1X)—RADIUS-based authentication. With this security type, you also can enable additional options:

    • WPA3+WPA2 Transition—Transition modes can help ease adoption to WPA3 and OWE. What they do in effect is delay the migration to WPA3 by still offering existing security types. For more information, see Considerations for 6GHz Wireless.

    • 192-bit Encryption—This option offers the highest level of 802.1X security in Wi-Fi by offering GCMP-256 encryption over the air and requiring more secure certificates.

  • WPA3 with Personal (SAE)—Passphrase-based authentication. You can configure a single passphrase or multiple passphrases.

  • WPA2 using Enterprise (802.1X)—RADIUS-based authentication.

  • WPA2 with Personal (PSK)—Wi-Fi Protected Access (WPA) 2 using a standard preshared key (PSK). You can configure a single passphrase or multiple passphrases.

  • Opportunistic Wireless Encryption (OWE)—You can configure WPA3/OWE transition modes on 6 GHz multiband SSIDs, in order to allow for easier adoption of transition mode SSIDs. For more information, see Considerations for 6GHz Wireless.

  • Open Access—Unencrypted, typically used for guest networks.

Other Security Options
  • MAC address authentication by using RADIUS lookup—A MAC address is presented to a RADIUS server to authorize the device. Unavailable with certain security types.

  • Prevent banned clients from associating—If you identify clients to ban on the Network Security page, this option bans them from associating with this WLAN.

  • Fast Roaming— A security method based on 802.11r for authenticating new clients.


  • Untagged—Doesn't use VLANs; this is the default setting.

  • Tagged—Select this option if you have static VLANs on the network. In the field that appears, enter the VLAN ID. Make sure that the switch port connected to the access point (AP) also uses a tagged VLAN.

  • Pool—Select this option to assign wireless clients a randomly selected IP address from one of the VLANs listed in the pool. When using this for PSK-based network segmentation, specify all the VLAN IDs you will need for the VLAN ID field of the PSK (Organization > WLAN Templates > Pre-Shared Key> Add Key button, and then VLAN ID).

    Alternatively, to put clients in different VLANs according to their site, use a site variable for the Pools VLANs and leave the VLAN ID field blank in the PSK configuration page.

  • Dynamic—Select this option to connect wireless users to a given VLAN, as configured in the RADIUS server.


Peer-to-peer isolation prevents Layer 2 peer traffic on the same WLAN, AP, or wired or wireless subnet. This option is disabled by default. (For Layer 3 filtering, you can create WxLAN policies.)

Subnet isolation requires firmware version 0.12 or later, and clients must have a DHCP address.

Filtering (Wireless)
  • ARP
  • Broadcast/Multicast
    • Allow mDNS
    • Allow SSDP
    • Allow IPv6 Neighbor Discovery
  • Ignore Broadcast SSID Probe Requests

These filters reduce the amount of management frames sent by APs in the WLAN. Filtering can significantly improve performance by freeing up radio air time which is otherwise consumed as a routine part of the operational overhead.

  • The ARP filter prevents Address Resolution Protocol (ARP) broadcast requests to a given WLAN interface. If not enabled, the proxy ARP will try to resolve all unknown Ethernet address requests by flooding the request to any unfiltered interfaces. We recommend leaving the ARP filter enabled. (By default, Mist APs support proxy ARPs, which means the AP sends an ARP response on behalf of the client instead of forwarding the packet over the air.)
  • The Broadcast / Multicast filter prevents the AP from propagating broadcast and multicast frames on the wireless network. It filters IPv6 broadcasts, multicast, and IPv4/IPv6 mDNS frames, although these can be individually exempted. DHCP broadcasts are not included in this filter.
    • Allow mDNS frames by exempting this traffic from being filtered when broadcast/multicast filtering is selected. mDNS is needed for Apple Bonjour for network discovery.

    • Allow Simple Service Discovery Protocol (SSDP) advertisement beacons by exempting this traffic being filtered when broadcast/multicast filtering is selected. SSDP is needed Universal Plug and Play (UPnP) device discovery.

    • Allow IPv6 Neighbor Discovery frames by exempting this traffic when broadcast/multicast filtering is selected.

  • The AP can Ignore Broadcast SSID Probe Requests from wireless clients, that is, not send a probe response (which advertises its SSID, supported data rates, and other 802.11 capabilities).

Custom Forwarding By default, the WLAN forwards tagged or untagged client traffic through the primary Ethernet port, Eth0. You use custom forwarding in conjunction with Mist Edge, or for example, to ensure that guest and corporate traffic use different networks.
  • Eth0 + PoE—Default. Forward traffic out the Eth0 port.

  • Eth1—Forwards traffic through the second Ethernet port of the AP. This mode requires the WLAN VLAN to be untagged. You must connect Port Eth1 to a physically separate LAN.

SSID Scheduling

You use this option to customize your WLAN by choosing the exact days and times to broadcast the SSID. When scheduled to be disabled, the AP will not broadcast the SSID (that is, the SSID will not be visible to clients searching for available networks). The change in broadcast status does not reset the radio or disable the AP.

SSID scheduling supports multiple time ranges for each day. By default this mode is disabled.

802.1X Web Redirect

Applies to VLANs with security type Enterprise (802.1X).

Select the Enabled check box to redirect a client to a particular web page (for example, a quarantined portal for compliance checks) after it completes the 802.1X authentication. For this feature to work, your firmware version must be 0.7 or newer. For more information, see Configure an 802.1X WLAN to Redirect Clients to Specific Web Pages.
QoS Priority

Use quality of service (QoS) to prioritize traffic so that the more important traffic does not get held up in a queue during congestion. Juniper APs can prioritize wireless traffic to optimize the shared radio for maximum application performance.

Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless QoS standard to support traffic prioritization. This specification uses the following access categories to prioritize transmission:

  • 0=Background (not used by Juniper APs)

  • 1=Best Effort

  • 2=Video

  • 3=Voice

Multimedia Extensions

When multiple concurrent applications compete for network resources, Juniper APs can use MMEs to define and improve the wireless signal quality and performance.

Multimedia extensions (MMEs) are architectural extensions to general-purpose processors to boost the performance of multimedia workloads. Throughput is not guaranteed by WMM.


AirWatch mobility management solutions to ensure secure network access for authorized devices. When enabled, the APs allow traffic to pass only for those clients already identified in the AirWatch console. If enabled, you need to specify the AirWatch console URL, the API key, and your login credentials for the managed devices.

Bonjour Gateway

Default is not configured. Configure this setting on a per WLAN basis, from either the WLAN configuration page or WLAN Templates. This feature automatically enables broadcast/multicast filtering. As such, be sure to select the option to allow mDNS frames.

The following services are available, but must explicitly enabled to be discoverable:

  • AirDrop, AirPlay, AirPrint, Apple HomeKit
  • Amazon Devices, GoogleCast, Roku, Spotify Connect
  • NFS, Scanner, SleepProxy (Wake-On-Network)

See Add a Bonjour Gateway to a WLAN.


Supports WPA3, WPA2, Legacy, OWE, and Open Access, with either Enterprise (802.1X) and Personal (SAE), as well as single or multiple passphrases, TKIP, etc.


Fast Roaming

Enable fast roaming to allow clients that are connected to the network using WPA2 or WPA3 security to remain connected as they roam between APs. With fast roaming, WPA2 and WPA3 clients do not need to re-authenticate with the authentication server every time they change APs in the same network.

See Fast Roaming and Roaming History.


Required for each WLAN. Specify the type of VLAN the AP will use in the switch connection.

  • Untagged—Doesn't use VLANs; this is the default setting.

  • Tagged—Use with static VLANs on the network (the switch port connected to the AP must also use tagged VLAN).

  • Pool—Use to assign wireless clients a randomly selected IP address from one of the VLANs listed in the pool.
  • Dynamic—Use to connect wireless users to a given VLAN, as configured in the RADIUS server.

For information about using VLAN Pools with Pre-Shared Keys for segmentation, see Leveraging Roles in a PSK (Use Case).

Guest Portal

You can enable guest access by creating a sign-in portal in Juniper Mist, using your own external portal, or enabling Single Sign-On. For more information, see WLAN Guest Portal.