This document summarizes the best practices and procedures for configuring and deploying a standalone AP using EnGenius hardware. This document uses an ENH1750EXT version 2.0.5 for all figures. On other access point models and/or firmware versions, some specific items may be in a slightly different order or on different screens. For single-band access points, omit the sections on configuring the 5 GHz radio and band steering.

 

 

Network Usage Types

Even on relatively small networks, it is often a requirement to support different types of users with different levels of access.  The following are the typical types of usage applications on Wi-Fi networks:

 

  • Staff: Intended for client devices belonging to staff at the facility location. Security should be either WPA2-Personal or WPA2-Enterprise, depending on whether an external RADIUS server is in use.

 

  • Guest: Intended for public / semi-public access, and/or for personal BYOD devices belonging to visitors or customers. No encryption should be used, for ease of access. Client isolation should always be enabled.

 

  • Security: Intended for security cameras, access card readers, NVR servers, and fixed or mobile security stations. WPA2-Personal should be used (many devices do not support WPA2-Enterprise). Client isolation should generally be enabled, unless security stations are connecting wirelessly.

 

  • Device: Intended for network appliances, such as SONOS, NEST thermostats, Control4, etc., as well as IoT sensors and devices. WPA2-Personal should be used (many devices do not support WPA2-Enterprise). Client isolation should generally be enabled.

 

  • Voice: Intended for VoIP / VoWiFi headsets. WPA2-Personal should be used to minimize roaming times. Client isolation should generally be disabled to enable phones to communicate with each other.

 

 

Configuring the Access Points: Dual-Band AP Mode

 

Log into the Access Point

  • URL: http://192.168.1.1
  • Username: admin
  • Password: admin

 

 

Figure 1: Login screen.

 

Firmware Check

On the device status screen, validate that the AP is at the latest firmware.  If not, upgrade the firmware based on the procedure below.

 

Figure 2: Device status screen.

 

Network Settings

  • Go to the Network > Basic screen. Provide a unique static IP address, subnet mask, gateway, and DNS servers for the AP on your LAN. Using DHCP is not recommended: a static IP address makes it easier to monitor and maintain the AP post-installation. Make sure spanning tree is disabled. Click Save.

Figure 3: Network > Basic Screen [bottom].

Wireless Settings: General

  • Go to the Network > Wireless screen.

Table 1: Summary table of Wireless settings: General

  Device Name
    Recommended setting: {location on property}
    Indicates the location where the AP will be mounted. Recommended for ease of monitoring and maintenance of the AP post-installation.

  Country / Region
    Recommended setting: {country}
    Indicates the country of operation, which restricts the available 2.4 GHz and 5 GHz channels.

  Band Steering
    Recommended setting: Enabled
    Band steering ensures that dual-band clients connect on the 5 GHz band, which has more capacity and generally less interference. Note that all SSID settings on both bands must be identical for band steering to work.

Figure 4: Network > Basic Screen [General settings].

 

Wireless Settings: Radio

Table 2: Summary table of Wireless settings: Radio

  Operation Mode
    2.4 GHz: Access Point [default]
    5 GHz: Access Point [default]
    Indicates the mode of operation.

  Wireless Mode
    2.4 GHz: 802.11 N
    5 GHz: 802.11 N (802.11n APs) or 802.11 AC/N (802.11ac APs)
    Unless you have older Wi-Fi devices (e.g. warehouse barcode scanners) that the network must support, turn off connections for 802.11a/b/g devices to minimize protocol overhead.

  Channel HT Mode
    2.4 GHz: 20 MHz
    5 GHz: 40 MHz (802.11n APs) or 80 MHz (802.11ac APs)
    The 2.4 GHz band is only 73 MHz wide in the USA, allowing for only 3 independent 20 MHz channels or only 1 independent 40 MHz channel. Never use 40 MHz channels on the 2.4 GHz band in any multi-AP deployment.
    The 5 GHz band is 480 MHz wide (semi-contiguous) in the USA, allowing for 24 independent 20 MHz channels, 11 independent 40 MHz channels, 5 independent 80 MHz channels, and 2 independent 160 MHz channels. Never use 160 MHz channels on the 5 GHz band in any multi-AP deployment.

  Extension Channel
    2.4 GHz: Disabled [default]
    5 GHz: Upper [default]
    For 20 MHz channels, no extension channel is used. For larger 5 GHz channels, the extension channel is determined automatically. When 5 GHz channels are properly selected, the extension channel will always be upper.

  Channel
    2.4 GHz: 1, 6, or 11
    5 GHz: 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, or 157 (40 MHz channel); 36, 52, 100, 116, 149, or 157 (80 MHz channel)
    Non-overlapping static channels should be assigned for both bands. Do not use auto channel.

  Transmit Power
    2.4 GHz: 16 dBm [initial]
    5 GHz: 20 dBm [initial]
    A static transmit power should be assigned for both bands. Do not use auto power. Avoid using maximum power: client devices such as smartphones have weak transmitters and may not be able to talk back to the AP. Furthermore, 2.4 GHz propagates farther than 5 GHz, so the transmit power should be set 4-5 dB lower on the 2.4 GHz band. Initial recommended settings are indicated, but these may need to be tweaked slightly based on your environment.

  Data Rate
    2.4 GHz: Auto [default]
    5 GHz: Auto [default]
    Auto allows the AP and client to dynamically negotiate speed based on distance and other RF factors.

  RTS / CTS Threshold
    2.4 GHz: 2346 [default]
    5 GHz: 2346 [default]
    RTS/CTS is a protection mechanism used for backwards compatibility with 802.11a/b/g clients.

  Client Limits
    2.4 GHz: 127 [default]
    5 GHz: 127 [default]
    Limits the maximum number of clients per radio. Best-practice designs plan on 30-50 client devices per AP for typical smartphone / tablet / laptop usage.

  Aggregation
    2.4 GHz: Enable, 32 Frames, 50000 Bytes [default]
    5 GHz: Enable, 32 Frames, 50000 Bytes [default]
    Frame aggregation is used to improve data speeds in 802.11n/ac. It should always be enabled.

  Distance
    2.4 GHz: 1 km [default]
    5 GHz: 1 km [default]
    Long-distance WDS links require additional time to receive ACK frames. Not relevant when radios are in Access Point mode.

Figure 5: Network > Wireless Screen [Radio settings].
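As an added illustration (not code from the original document or from EnGenius), the following Python script turns the channel rules of Table 2 into a check that can be run over a static channel plan before the APs are deployed. The AP names, the neighbour pairs, the dict layout and the two sample plans are this example's own constructions; the recommended channel sets are the ones listed in the table, and the 5 GHz block layout is standard 802.11 channel bonding. It goes slightly beyond the table by also comparing neighbouring APs against each other for shared spectrum.

```python
# Added example: checks a multi-AP static channel plan against the channel
# rules in Table 2. AP names, neighbour pairs and sample plans are constructed
# for this example; they are not EnGenius configuration data.

# Channels Table 2 recommends, keyed by HT mode (channel width in MHz).
RECOMMENDED_24 = {1, 6, 11}
RECOMMENDED_5 = {
    40: {36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157},
    80: {36, 52, 100, 116, 149, 157},
}

# Aligned 80 MHz blocks of the 5 GHz band. A 40 MHz channel occupies one half
# of a block and an 80 MHz channel the whole block, whichever member is primary.
BLOCKS_80 = [
    (36, 40, 44, 48), (52, 56, 60, 64), (100, 104, 108, 112),
    (116, 120, 124, 128), (132, 136, 140, 144), (149, 153, 157, 161),
]


def bonded_block_5ghz(primary, width_mhz):
    """20 MHz channel numbers a 20/40/80 MHz 5 GHz channel occupies.
    Returns an empty set for channels or widths the checker does not accept;
    check_radio reports those separately."""
    for block in BLOCKS_80:
        if primary in block:
            if width_mhz == 80:
                return frozenset(block)
            if width_mhz == 40:
                return frozenset(block[:2] if primary in block[:2] else block[2:])
            if width_mhz == 20:
                return frozenset({primary})
    return frozenset()


def overlaps_24ghz(a, b):
    """2.4 GHz channels sit 5 MHz apart and are 20 MHz wide, so the 1/6/11 plan
    treats two channels closer than five channel numbers as overlapping."""
    return abs(a - b) < 5


def check_radio(name, band, channel, width_mhz):
    """Problems with one radio's static channel choice, per Table 2."""
    problems = []
    if band == "2.4":
        if width_mhz != 20:
            problems.append(f"{name}: never use {width_mhz} MHz channels on 2.4 GHz in a multi-AP deployment")
        if channel not in RECOMMENDED_24:
            problems.append(f"{name}: 2.4 GHz channel {channel} is not 1, 6 or 11")
    else:
        if width_mhz == 160:
            problems.append(f"{name}: never use 160 MHz channels on 5 GHz in a multi-AP deployment")
        elif channel not in RECOMMENDED_5.get(width_mhz, set()):
            problems.append(f"{name}: 5 GHz channel {channel} is not a recommended {width_mhz} MHz primary")
    return problems


def check_plan(aps, neighbours):
    """aps: {ap_name: {"2.4": (channel, width_mhz), "5": (channel, width_mhz)}}.
    neighbours: pairs of AP names whose coverage areas overlap, so their
    channels must not share spectrum. Returns a list of problem strings."""
    problems = []
    for name, radios in aps.items():
        for band, (channel, width) in radios.items():
            problems += check_radio(name, band, channel, width)
    for a, b in neighbours:
        ch_a, _ = aps[a]["2.4"]
        ch_b, _ = aps[b]["2.4"]
        if overlaps_24ghz(ch_a, ch_b):
            problems.append(f"{a}/{b}: 2.4 GHz channels {ch_a} and {ch_b} overlap")
        (pa, wa), (pb, wb) = aps[a]["5"], aps[b]["5"]
        shared = sorted(bonded_block_5ghz(pa, wa) & bonded_block_5ghz(pb, wb))
        if shared:
            problems.append(f"{a}/{b}: 5 GHz channels share 20 MHz channels {shared}")
    return problems


# Constructed sample plans for a small site.
GOOD_PLAN = {
    "AP-lobby": {"2.4": (1, 20), "5": (36, 80)},
    "AP-east": {"2.4": (6, 20), "5": (52, 80)},
    "AP-west": {"2.4": (11, 20), "5": (100, 80)},
}
BAD_PLAN = {
    "AP-lobby": {"2.4": (1, 40), "5": (36, 80)},
    "AP-east": {"2.4": (3, 20), "5": (44, 40)},
}

if __name__ == "__main__":
    print(check_plan(GOOD_PLAN, [("AP-lobby", "AP-east"), ("AP-lobby", "AP-west")]))  # []
    for line in check_plan(BAD_PLAN, [("AP-lobby", "AP-east")]):
        print(line)
```

The neighbour list is the part a site survey has to supply: two APs that cannot hear each other may legitimately reuse a channel, so the checker only compares pairs you declare as overlapping.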

 

Wireless Settings: 2.4 GHz & 5 GHz

 

These settings will depend on the network usage types that need to be supported on your network. If more than one network usage type is to be deployed, VLANs should be used.

Table 3: Summary table of typical network usage applications on Wi-Fi networks.

  Staff
    Purpose: Staff devices at facility location
    Security Mode / Encryption / Passphrase: WPA2-PSK / AES / {8-63 characters}, or WPA2-Enterprise / AES / see security section
    Group Key Update Interval: 3600
    Hidden SSID: No
    Client Isolation: No
    L2 Isolation: No
    VLAN Isolation: Yes
    VID: {2-4094}

  Guest
    Purpose: Public / semi-public access for visitors or customers
    Security Mode / Encryption / Passphrase: Disabled {Open} / N/A / N/A
    Group Key Update Interval: N/A
    Hidden SSID: No
    Client Isolation: Yes
    L2 Isolation: Yes
    VLAN Isolation: Yes
    VID: {2-4094}

  Security
    Purpose: IP cameras, access card scanners, NVR servers, security stations
    Security Mode / Encryption / Passphrase: WPA2-PSK / AES / {8-63 characters}
    Group Key Update Interval: 3600
    Hidden SSID: No
    Client Isolation: No*
    L2 Isolation: No*
    VLAN Isolation: Yes
    VID: {2-4094}

  Device
    Purpose: Network appliances (e.g. NEST thermostats, Control4, etc.) and IoT
    Security Mode / Encryption / Passphrase: WPA2-PSK / AES / {8-63 characters}
    Group Key Update Interval: 3600
    Hidden SSID: No
    Client Isolation: Yes*
    L2 Isolation: Yes*
    VLAN Isolation: Yes
    VID: {2-4094}

  Voice
    Purpose: VoIP / VoWiFi headsets
    Security Mode / Encryption / Passphrase: WPA2-PSK / AES / {8-63 characters}
    Group Key Update Interval: 3600
    Hidden SSID: No
    Client Isolation: No
    L2 Isolation: No
    VLAN Isolation: Yes
    VID: {2-4094}

  (* see the Client Isolation and L2 Isolation notes in Table 4: isolation is recommended unless the devices need to communicate with each other.)

 

Table 4: Summary table of SSID settings.

  SSID
    Recommended setting: {1-32 characters}
    Name of the network that devices will connect to. Best practice is to put the distinguishing feature at the front of the SSID, since some client devices truncate long SSIDs in their displays. It is recommended not to define more than 4 SSIDs per band, to limit airtime overhead.

  Security
    Recommended setting: None, WPA2-PSK, or WPA2-Enterprise
    Depends on the application. None is recommended only for public / semi-public networks. WPA2-Enterprise is recommended for staff devices when using an external RADIUS server. WPA2-PSK is used otherwise. Never use WEP, WPA, or WPA mixed; WEP and WPA are deprecated. See the next section on Security.

  Hidden SSID
    Recommended setting: No
    When enabled, hides the SSID in beacon frames. Many clients have trouble connecting to hidden SSIDs. Also, the SSID is still present in association frames, so it can still be determined. Do not use; always disable.

  Client Isolation
    Recommended setting: Yes*
    When enabled, prevents client devices connected to the same SSID on the same AP from communicating with each other. Always use for public / semi-public networks. Recommended for security and device networks unless intercommunication is required.

  L2 Isolation
    Recommended setting: Yes*
    When enabled, prevents client devices connected to the same SSID across different APs from communicating with each other. Always use for public / semi-public networks. Recommended for security and device networks unless intercommunication is required.

  VLAN Isolation
    Recommended setting: Yes
    When more than one network usage type is being implemented, VLANs are required to isolate traffic between SSIDs. Each SSID is associated with a particular VLAN.

  VID
    Recommended setting: {2-4094}
    The VLAN ID is a 12-bit number. VLANs 0 and 4095 are not used, and VLAN 1 is reserved for non-VLAN traffic. All other SSIDs should be assigned a unique VLAN. Note that your network switch(es) and router must also be configured to support these VLANs.

 

Security Settings

There are three types of security settings that may be used:

 

  • Disabled {Open}: This allows all clients to associate with the access point, but all traffic between the client and the access point is unencrypted. Use only for public / semi-public access networks.

 

  • Personal {PSK}: This requires the client to have a passphrase (a.k.a. pre-shared key or PSK) to access the network. All traffic is encrypted. This security setting is appropriate for all staff networks not utilizing RADIUS, and for all security and device networks. Most Wi-Fi appliances (e.g. cameras, multimedia, IoT, etc.) do not support Enterprise security. Never use WEP, WPA, or Mixed Mode. WEP was cracked in 2001, and WPA-TKIP was implemented as a temporary fix for client devices hardcoded with the RC4/TKIP algorithm used in WEP. Always use WPA2-AES only.

 

  • Enterprise {RADIUS}: This requires the client to authenticate to a 3rd-party authentication server, such as RADIUS. Appropriate for large corporate and facility networks with dedicated IT staff. Most Wi-Fi appliances (e.g. cameras, multimedia, IoT, etc.) do not support Enterprise security. As with Personal security, never use WEP, WPA, or Mixed Mode; always use WPA2-AES only.

 

Other Security Settings:

 

  • Wireless MAC Filter: Used to explicitly allow or deny devices based on pre-programmed MAC addresses. Hard to keep current, and MAC addresses are easy to spoof on devices. Disabled by default. Do not use.

 

  • Wireless Traffic Shaping: This setting limits the amount of bandwidth that can be pushed over the access point for a particular SSID. This may be appropriate in certain instances where bandwidth into the property is limited and some bandwidth needs to be reserved for particular applications. Disabled by default.

 

Figure 6: Security setting screen: disabled {open} network.
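The following Python checker is an added example, not part of the original document or of EnGenius firmware: it encodes the SSID rules of Tables 3 and 4 and the passphrase guidance of Table 5 so that a set of planned SSIDs can be audited before they are typed into the AP. The dict keys, the ssid_profile helper, the SSID names, VLAN IDs and passphrases are all constructed for the example.

```python
import re

# Added example: checks SSID definitions against Tables 3-5 and the security
# settings above. Dict keys, the ssid_profile helper and the sample SSIDs are
# this example's own constructions, not EnGenius configuration keys.

ALLOWED_MODES = {"Open", "WPA2-PSK", "WPA2-Enterprise"}   # everything else is deprecated


def secret_issues(secret):
    """Passphrase / RADIUS secret guidance from Tables 5 and 6."""
    issues = []
    if not 8 <= len(secret) <= 63:
        issues.append("must be 8-63 characters")
    elif len(secret) < 15:
        issues.append("is shorter than the recommended 15 characters")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, secret) for p in classes):
        issues.append("should mix upper case, lower case, digits and special characters")
    return issues


def ssid_profile(ssid, usage, security, vlan_id, passphrase="", encryption="AES",
                 hidden=False, client_isolation=True, l2_isolation=True):
    """Build one SSID description (isolation defaults to on, per Table 4)."""
    return dict(ssid=ssid, usage=usage, security=security, vlan_id=vlan_id,
                passphrase=passphrase, encryption=encryption, hidden=hidden,
                client_isolation=client_isolation, l2_isolation=l2_isolation)


def check_ssid(cfg):
    """Return the policy violations for one SSID description."""
    tag, sec = cfg["ssid"], cfg["security"]
    p = []
    if not 1 <= len(tag) <= 32:
        p.append(f"{tag!r}: SSID must be 1-32 characters")
    if sec not in ALLOWED_MODES:
        p.append(f"{tag}: security mode {sec} is deprecated; use WPA2-PSK or WPA2-Enterprise")
    if sec == "Open":
        if cfg["usage"] != "Guest":
            p.append(f"{tag}: open security is only for public / semi-public (Guest) networks")
        if not (cfg["client_isolation"] and cfg["l2_isolation"]):
            p.append(f"{tag}: open networks must enable client isolation and L2 isolation")
    else:
        if cfg["encryption"] != "AES":
            p.append(f"{tag}: encryption {cfg['encryption']} is deprecated; use AES")
        if "PSK" in sec:
            p += [f"{tag}: passphrase {i}" for i in secret_issues(cfg["passphrase"])]
    if cfg["hidden"]:
        p.append(f"{tag}: hidden SSID is still visible in association frames; leave disabled")
    if cfg["usage"] == "Voice" and cfg["client_isolation"]:
        p.append(f"{tag}: voice networks need client isolation off so handsets can reach each other")
    if not 2 <= cfg["vlan_id"] <= 4094:
        p.append(f"{tag}: VLAN ID must be 2-4094 (1 is reserved, 0 and 4095 are unused)")
    return p


def check_ssids(ssids):
    """Check one band's whole SSID list, including the 4-SSID-per-band limit."""
    problems = [i for cfg in ssids for i in check_ssid(cfg)]
    if len(ssids) > 4:
        problems.append(f"{len(ssids)} SSIDs on one band; keep to 4 to limit airtime overhead")
    return problems


# Constructed sample SSID sets for one band.
GOOD_SSIDS = [
    ssid_profile("Acme-Staff", "Staff", "WPA2-PSK", 10, passphrase="Correct-Horse-42-Battery",
                 client_isolation=False, l2_isolation=False),
    ssid_profile("Acme-Guest", "Guest", "Open", 20),
    ssid_profile("Acme-Device", "Device", "WPA2-PSK", 30, passphrase="Thermostat!Sensor#2024"),
    ssid_profile("Acme-Voice", "Voice", "WPA2-PSK", 40, passphrase="Handset$Roam^Fast-77",
                 client_isolation=False, l2_isolation=False),
]
BAD_SSIDS = [
    ssid_profile("Acme-Legacy", "Staff", "WPA-PSK Mixed", 1, passphrase="password",
                 encryption="TKIP", hidden=True),
]

if __name__ == "__main__":
    print(check_ssids(GOOD_SSIDS))   # []
    for line in check_ssids(BAD_SSIDS):
        print(line)
```

The checker treats an open SSID without both isolation settings as a violation rather than a warning, which matches the document's "always enable" wording for guest networks; the voice rule is the one place where isolation is expected to be off.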

 

Settings Specific to Personal (PSK) Security:

Table 5: Summary table of WPA2-Personal settings.

  Security Mode
    Recommended setting: WPA2-PSK
    WPA has been deprecated. Do not use WPA-PSK or WPA-PSK Mixed. Only use WPA2-PSK.

  Encryption
    Recommended setting: AES
    WEP and TKIP have been deprecated. Only use AES.

  Passphrase
    Recommended setting: {8-63 characters}
    Best practice for security is to use a mixture of capital letters, lower case letters, numbers, and special characters. The passphrase should ideally be at least 15 characters long and not be a dictionary word or phrase.

  Group Key Update Interval
    Recommended setting: 3600 seconds [default]
    Frequency at which the AP generates a new group key for broadcast messages to all connected clients.

 

 

Figure 7: Security setting screen: WPA2 Personal.

Settings Specific to Enterprise (RADIUS) Security:

Table 6: Summary table of WPA2-Enterprise settings.

  Security Mode
    Recommended setting: WPA2-Enterprise
    WPA has been deprecated. Do not use WPA-Enterprise or WPA Mixed-Enterprise. Only use WPA2-Enterprise.

  Encryption
    Recommended setting: AES
    WEP and TKIP have been deprecated. Only use AES.

  Group Key Update Interval
    Recommended setting: 3600 seconds [default]
    Frequency at which the AP generates a new group key for broadcast messages to all connected clients.

  Radius Server
    Recommended setting: {IP Address}
    IP address of the RADIUS server.

  Radius Port
    Recommended setting: 1812 [default]
    UDP port of the RADIUS server. Most installations use UDP/1812.

  Radius Secret
    Recommended setting: {8-63 characters}
    Best practice for security is to use a mixture of capital letters, lower case letters, numbers, and special characters. The secret should ideally be at least 15 characters long, not be a dictionary word or phrase, and be different for each SSID.

  Radius Accounting
    Recommended setting: Disable [default]
    Enable if a RADIUS accounting server is used on the network.

  Radius Accounting Server
    Recommended setting: {IP Address}
    IP address of the RADIUS accounting server. May be the same as or different from the RADIUS server.

  Radius Accounting Port
    Recommended setting: 1813 [default]
    UDP port of the RADIUS accounting server. Most installations use UDP/1813.

  Radius Accounting Secret
    Recommended setting: {8-63 characters}
    Best practice for security is to use a mixture of capital letters, lower case letters, numbers, and special characters. The secret should ideally be at least 15 characters long and not be a dictionary word or phrase.

  Interim Accounting Interval
    Recommended setting: 600 [default]
    Polling interval used by the RADIUS accounting server.

 

 

Figure 8: Security setting screen: WPA2 Enterprise.

 

The following figure shows a representative network set up for 4 SSIDs.

 

Figure 9: SSID setting example.

 

Wireless Settings: Other

 

  • Guest Network Settings: Leave disabled [default]. This is included to provide for a separate guest access network. It is intended for a single-AP environment where only a guest and a staff network are needed. Do not use in a multi-AP environment.

 

  • Fast Handover / RSSI Threshold: Leave disabled [default]. Per the 802.11 standard, roaming is triggered by the client device. Some client devices can be “sticky” and not trigger a roam, even when an AP with a significantly stronger signal is available. When enabled, a client device that falls below the RSSI threshold is disassociated from the access point, to force the device to roam to another access point with a stronger signal. Only use this feature in multi-AP environments with good Wi-Fi coverage and sticky clients. The RSSI threshold should generally be set between -80 dBm and -90 dBm.

  • Management VLAN: A management VLAN is a separate VLAN / subnet for your managed network equipment. When implementing VLANs, an explicit management VLAN is recommended to prevent wireless users from accessing network equipment.

 

Figure 10: Wireless Settings: Other.

 

Apply Changes

Click on the “Changes” button in the upper left and click “Apply” to apply all changes made under Network > Basic and Network > Wireless. The AP will reboot and come back online with the new settings. Log into the AP with the new IP address.

Management Settings: SNMP

Click on the Management > Advanced tab and proceed to the section on SNMP Settings.

Table 7: Summary table of Advanced settings: SNMP.

  Status
    Recommended setting: Disable*
    SNMP is a valuable and powerful monitoring and management tool. If you are using an NMS or other SNMP software (e.g. Nagios), then enable it and change the default settings. If you are not using SNMP, then disable it for security.

  Contact
    Recommended setting: {company name}
    The name or web address of the company installing and maintaining the access point.

  Location
    Recommended setting: {property name}
    The name of the property or facility where the AP is installed.

  Port
    Recommended setting: 161
    UDP port for SNMP. Typical implementations use UDP/161.

  Community Name (Read Only)
    Recommended setting: {R/O community string}
    String for SNMP read-only access. Always change this from the default “public” for security.

  Community Name (Read Write)
    Recommended setting: {R/W community string}
    String for SNMP read-write access. Always change this from the default “private” for security.

  Trap Destination Port
    Recommended setting: 162
    UDP port for SNMP traps. Typical implementations use UDP/162.

  Trap Destination IP Address
    Recommended setting: {IP Address}
    IP address of the server set up to receive SNMP traps.

  Trap Destination Community Name
    Recommended setting: {community string}
    String for SNMP traps. Always change this from the default “public” for security.

  SNMPv3 Status
    Recommended setting: Disable*
    SNMPv3 is an enhancement of the SNMP protocol to incorporate encryption. If you are using an NMS or other SNMP software (e.g. Nagios), then enable it and change the default settings. If you are not using SNMPv3, then disable it for security.

  SNMPv3 Username
    Recommended setting: {username}
    Username for SNMPv3 queries.

  SNMPv3 Authorized Protocol
    Recommended setting: MD5 or SHA
    Authentication protocol used for SNMPv3 queries. Always use encryption with SNMPv3.

  SNMPv3 Authorized Key
    Recommended setting: {password}
    Authentication key for SNMPv3 queries. Always change from the default “12345678” for security.

  SNMPv3 Private Protocol
    Recommended setting: DES
    Encryption protocol used for SNMPv3 queries. Always use encryption with SNMPv3.

  SNMPv3 Private Key
    Recommended setting: {password}
    Encryption key for SNMPv3 queries. Always change from the default “12345678” for security.

  Engine ID
    Recommended setting: {unique hex string}
    Unique hexadecimal string. It is customary to use the MAC address of the device.

 

 

 

Figure 11: Management > Advanced: SNMP Settings.

 

Management Settings: Other

Table 8: Summary table of Advanced settings: Other.

  CLI Setting Status
    Recommended setting: Disable
    Allows access to the command line interface via telnet. This should be disabled because telnet is unencrypted.

  SSH Setting Status
    Recommended setting: Enable
    Allows access to the command line interface via SSH. This should be enabled if CLI access is desired, because SSH is encrypted.

  HTTPS Setting Status
    Recommended setting: Enable [default]
    Allows access to the web interface of the AP via HTTPS.

  HTTPS Forward
    Recommended setting: Enable
    Prevents access to the web interface via HTTP and forwards any attempted HTTP connections to HTTPS. This should always be enabled to ensure encrypted access to the AP settings.

  Email Alert
    Recommended setting: Enable*
    If enabled, email alerts are sent to a user when there is an event on the AP. When using this feature, make sure to use a valid “To” address and a valid email account from which to send the emails. It is recommended that an encrypted email service be used for security.

 

Figure 12: Advanced Settings: Other.

 

After hitting apply, you may need to initiate an explicit https connection to the AP.
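As an added example (not from the original document or from EnGenius), the following Python audit encodes the management-plane checks of Tables 7 and 8 together with the default login shown in Figure 1, and returns findings with a severity so the weakest AP in a fleet can be located first. The dict keys, the severity levels and the two sample configurations are this example's own constructions; only the factory defaults it tests for (“public”, “private”, “12345678”, “admin”) come from the document.

```python
# Added example: audits management-plane settings against Tables 7 and 8 and
# the default login from Figure 1. Dict keys, severities and sample
# configurations are constructed for this example, not EnGenius keys.

DEFAULT_COMMUNITIES = {"public", "private"}   # factory community strings (Table 7)
DEFAULT_SNMPV3_KEY = "12345678"               # factory SNMPv3 keys (Table 7)
DEFAULT_ADMIN_PASSWORD = "admin"              # factory login (Figure 1)
SEVERITY_ORDER = ("low", "medium", "high", "critical")


def audit_management(cfg):
    """Return (severity, message) findings for one AP's management settings."""
    findings = []
    if cfg.get("snmp_enabled"):
        for field in ("snmp_ro_community", "snmp_rw_community", "snmp_trap_community"):
            value = cfg.get(field, "")
            if not value or value in DEFAULT_COMMUNITIES:
                findings.append(("high", f"{field} is empty or a factory default; change it"))
        if not cfg.get("snmp_trap_server"):
            findings.append(("low", "SNMP enabled but no trap destination; events are not forwarded"))
    if cfg.get("snmpv3_enabled"):
        for field in ("snmpv3_auth_key", "snmpv3_priv_key"):
            if cfg.get(field) == DEFAULT_SNMPV3_KEY:
                findings.append(("high", f"{field} is the factory default; change it"))
    if cfg.get("telnet_cli_enabled"):
        findings.append(("high", "telnet CLI enabled; it is unencrypted, use SSH instead"))
    if not cfg.get("https_enabled", True):
        findings.append(("high", "HTTPS disabled; web management is unencrypted"))
    if not cfg.get("https_forward"):
        findings.append(("medium", "HTTP is not forwarded to HTTPS; plain HTTP management remains possible"))
    if cfg.get("admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append(("critical", "admin password is still the factory default"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


# Constructed sample configurations: one close to factory state, one hardened.
NEAR_DEFAULT = dict(snmp_enabled=True, snmp_ro_community="public",
                    snmp_rw_community="private", snmp_trap_community="public",
                    snmpv3_enabled=False, telnet_cli_enabled=True,
                    https_enabled=True, https_forward=False, admin_password="admin")
HARDENED = dict(snmp_enabled=False, snmpv3_enabled=False, telnet_cli_enabled=False,
                ssh_enabled=True, https_enabled=True, https_forward=True,
                admin_password="Rooftop-AP!Manage#2024")

if __name__ == "__main__":
    for sev, msg in audit_management(NEAR_DEFAULT):
        print(f"[{sev}] {msg}")
    print(worst_severity(audit_management(NEAR_DEFAULT)))   # critical
    print(audit_management(HARDENED))                        # []
```

Feeding each AP's exported settings through audit_management and sorting by worst_severity gives a simple fleet-wide view; the severity values themselves are this example's choice and can be re-ranked to match local policy.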

 

Management Settings: Time Zone

Table 9: Summary table of Time Zone settings

  Date and Time Settings
    Recommended setting: Automatically get Date and Time [default]
    When enabled, syncs the clock on the AP with an Internet time server.

  NTP Server
    Recommended setting: 209.81.9.7 [default]
    NTP time server clock.via.net. Any valid NTP time server is acceptable.

  Time Zone
    Recommended setting: {time zone of NOC}
    The time zone of the NOC monitoring the property (or the time zone of the property).

  Daylight Savings
    Recommended setting: Enable
    Enable if Daylight Savings is active in your time zone. For the USA, daylight savings starts on the 2nd Sunday of March at 2:00 am and ends on the 1st Sunday of November at 2:00 am.

 

 

Figure 13: Time Zone settings.

Management Settings: Wi-Fi Scheduler

If using the Wi-Fi Scheduler or Auto Reboot features, make sure the access point is synchronized with an Internet time server.

Table 10: Summary table of Wi-Fi Scheduler settings

  Auto Reboot Settings Status
    Recommended setting: Disable [default]
    When enabled, automatically reboots the access point on specified days at a specified time.

  Wi-Fi Scheduler
    Recommended setting: Disable [default]
    When enabled, allows only one SSID on only one radio to be active during set intervals, instead of full time. Templates are available, but intervals can be specified for each day of the week.

 

 

 

Figure 14: Wi-Fi Scheduler settings.

 

 

 

System Manager: Account

It is recommended that the system password be changed from the default password of “admin” for security purposes. The username can also be changed if desired.

Figure 15: Account password screen.

System Manager: Firmware

From this screen, new firmware can be loaded, a backup configuration file can be generated or loaded, and the AP can be reset to factory default.

Figure 16: Firmware screen.

System Manager: Log

From this screen, the local event log can be viewed. Logging events to a remote syslog server can also be enabled on this screen.

 

 

Figure 17: Log screen.

 

Configuring the 5 GHz Radio for WDS Backhaul

In scenarios where the 5 GHz radio is being configured for WDS backhaul, the following settings should be changed.

 

Table 11: Summary table of WDS settings changes for 5 GHz WDS mode

  Operation Mode (Radio)
    Recommended setting: WDS Bridge
    WDS Bridge mode should be used when configuring the radio for wireless backhaul.

  Security
    Recommended setting: AES
    AES encryption should always be used for WDS links.

  WEP Key
    Recommended setting: {disabled}
    Not relevant when AES encryption is used.

  AES Passphrase
    Recommended setting: {8-63 characters}
    Best practice for security is to use a mixture of capital letters, lower case letters, numbers, and special characters. The passphrase should ideally be at least 15 characters long and not be a dictionary word or phrase.

  ID 1 – 4
    Recommended setting: {MAC address of remote link}
    WDS bridging requires the MAC address of the device(s) being connected to wirelessly. Up to 4 remote nodes can connect to a root node. Avoid daisy-chaining multiple remote nodes.

Figure 18: Wireless settings for a WDS link on the 5 GHz radio.