Default Wi-Fi Network
Menu path: Setup > Network > LAN Interfaces > Wireless > Default Wi-Fi network
Here, you can configure wireless network connections.
Disable Encryption: No encryption will be used. (Default)
Enable WEP Encryption: WEP encryption will be used.
Enable WPA Encryption: WPA encryption will be used.
Wireless Network Name (SSID): Name of the wireless network (SSID)
For WEP Encryption
Transmit key ID: Choose from a maximum of four configurable keys. (Default: 1)
Key Format:
- ASCII
- Hexadecimal
Key [1-4]: Enter the key here.
- For 64-bit encryption, 5 characters (ASCII) or 10 hex digits (hexadecimal)
- For 128-bit encryption, 13 characters (ASCII) or 26 hex digits (hexadecimal)
For WPA/WPA2/WPA3 Personal Encryption
Network authentication
- WPA Personal: Wi-Fi Protected Access Pre-Shared Key (WPA / IEEE 802.11i/D3.0)
- WPA2 Personal: Wi-Fi Protected Access Pre-Shared Key (WPA2 / IEEE 802.11i/RSN)
- WPA3 Personal: Wi-Fi Protected Access SAE (Simultaneous Authentication of Equals)
Network key: WPA network key/passphrase as set at the dial-in point. This is either an ASCII character string with a length of 8...63 or exactly 64 hexadecimal digits.
Data encryption:
- Default: The default value depends on which network authentication method is selected - TKIP for WPA, AES (CCMP) for WPA2.
- TKIP: Temporal Key Integrity Protocol (IEEE 802.11i/D7.0)
- AES (CCMP): AES in Counter mode with CBC-MAC (RFC 3610, IEEE 802.11i/D7.0)
- AES (CCMP) + TKIP: One of two encryption methods is selected by the access point.
- Automatic: The access point can choose the encryption method freely – nothing is stipulated.
AP Scan mode: Scan mode for access points
- Default
- Broadcast: Alternative for access points which allow the SSID broadcast
- No broadcast: Alternative for access points which refuse the SSID broadcast (hidden access points)
For WPA/WPA2 Enterprise Encryption
Network authentication:
- WPA Enterprise: Wi-Fi Protected Access with 802.1X authentication (WPA / IEEE 802.11i/D3.0)
- WPA2 Enterprise: Wi-Fi Protected Access with 802.1X authentication (WPA2/IEEE 802.11i/RSN)
Data encryption:
- Default: The default value depends on which network authentication method is selected - TKIP for WPA, AES (CCMP) for WPA2.
- TKIP: Temporal Key Integrity Protocol (IEEE 802.11i/D7.0)
- AES (CCMP): AES in Counter mode with CBC-MAC (RFC 3610, IEEE 802.11i/D7.0)
- AES (CCMP) + TKIP: One of two encryption methods is selected by the access point.
- Automatic: The access point can choose the encryption method freely – nothing is stipulated.
AP Scan mode: Scan mode for access points
- Default
- Broadcast: Alternative for access points which allow the SSID broadcast
- No broadcast: Alternative for access points which refuse the SSID broadcast (hidden access points)
EAP Type
- PEAP: Protected Extensible Authentication Protocol
- TLS: Transport Layer Security with client certificate
- TTLS: Tunneled Transport Layer Security
- FAST: Flexible Authentication via Secure Tunneling
Anonymous identity: This identity is sent by authentication instead of the actual Identity. This prevents the disclosure of the actual identity of the user. The anonymous identity is relevant for any of the above-mentioned EAP types, except for "TLS".
Auth Method: Method for authentification that is available for the selected EAP type
Possible options:
- MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol
- TLS: Transport Layer Security with client certificate
- GTC: Generic Token Card
- MD5: MD5-Challenge
- PAP: Password Authentication Protocol
Validate Server Certificate
☑ The endpoint device validates the authenticity of the authentification server against the certificate file. This certificate file is stored under the path defined by CA Root Certificate.
☐ The authenticity of the authentification server is not validated.
CA Root Certificate: Path and file name of the file that contains the certificates with which the authentification server authenticates itself.
Identity: User name that is stored at the authentification server
Password: Password relevant to the user name
The following settings are relevant if you have selected "TLS" as EAP type:
Manage certificates with SCEP (NDES)
☑ Client certificates will automatically be managed with SCEP.
☐ Client certificates will not be managed with SCEP. (Default)
Client certificate: Path to the file with the certificate for client authentication in the PEM (base64) or DER format.
Private key: Path to the file with the private key for the client certificate. The file can be in the PEM (base64), DER, or PFX format. The Private key password may be required for access.
Identity: User name for network access
Private key password: Password for the Private key for the client certificate
Learn more from the how-to Using WPA Enterprise / WPA2 Enterprise with TLS Client Certificates.
The following setting is relevant if you have selected "FAST" as EAP type:
Automatic PAC provisioning: Specifies how the PAC (Protected Access Credential) is delivered to the client.
Possible options:
- "disabled": PAC files have to be transferred to the device manually, e.g. via UMS file transfer.
- "unauthenticated": An anonymous tunnel will be used for PAC provisioning.
- "authenticated": An authenticated tunnel will be used for PAC provisioning.
- "unrestricted": Both authenticated and unauthenticated PAC provisioning is allowed. PAC files are automatically created after the first successful authentication.
PAC files are stored in /wfs/eap_fast_pacs/
.
PAC file names are automatically derived from the Identity, but are coded. In the case of the manual PAC provisioning, you can determine the PAC file names with the following script: /bin/gen_pac_filename.sh
In tests with hostapd
, it has been necessary to disable TLS 1.2. To do that, enter the command tls_disable_tlsv1_2=1
for the following registry keys:
- System > Registry > network.interfaces.wirelesslan.device0.wpa.phase1_direct
- System > Registry > network.interfaces.wirelesslan.device0.alt_ssid%.wpa.phase1_direct