Configure SSID Security Settings
When you add an SSID, you can configure security settings that control how wireless clients must connect to your APs. By default, the wireless security mode is set to WPA2 only to encrypt the transmissions on the wireless LAN between the computers and the APs, and to prevent unauthorized access to the AP. To protect privacy, you can use other LAN security mechanisms such as password protection, VPN tunnels, and user authentication.
KRACK WPA/WPA2 Vulnerabilities
WatchGuard has addressed KRACK WPA/WPA2 vulnerabilities for the Gateway Wireless Controller and APs and these AP firmware versions:
- AP125, AP327X, AP420: 8.3.0-657 and higher
- AP225W: 8.8.1-101 and higher
- AP325: 8.5.0-646 and higher
- AP327X: 8.8.0-179 and higher
To mitigate KRACK WPA/WPA2 vulnerabilities in unpatched wireless clients, we recommend you enable the Mitigate WPA/WPA2 key reinstallation vulnerability in clients check box in the SSID settings. For more information, go to Configure WatchGuard AP SSIDs.
WPA and WPA2 with Pre-Shared Keys
The WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for authentication. When you choose one of these methods, you configure a pre-shared key that all wireless devices must use to authenticate to the AP.
APs support three wireless authentication settings that use pre-shared keys:
- WPA only (PSK) — The AP accepts connections from wireless devices configured to use WPA with pre-shared keys.
- WPA2 only (PSK) — The AP accepts connections from wireless devices configured to use WPA2 with pre-shared keys. WPA2 implements the full 802.11i standard. WPA2 only mode it does not work with some older wireless network cards.
- WPA/WPA2 (PSK) — The AP accepts connections from wireless devices configured to use WPA or WPA2 with pre-shared keys.
You configure the settings for WPA or WPA2 security on the Security tab when you edit an SSID.
- Add or edit an SSID.
- On the SSID page, select the Security tab.
- From the Security Mode drop-down list, select WPA (PSK), WPA2 (PSK) or WPA/WPA2 (PSK).
- Configure the WPA or WPA2 settings.
- Add or edit an SSID.
- In the Edit SSID or Add SSID dialog box, select the Security tab.
- From the Security Mode drop-down list, select WPA (PSK), WPA2 (PSK) or WPA/WPA2 (PSK).
- Configure the WPA or WPA2 settings.
To configure WPA or WPA2 settings:
- From the Encryption drop-down list, select an encryption method:
- TKIP or AES — Uses either TKIP or AES for encryption (WPA or WPA/WPA2 mixed mode only). TKIP is a deprecated, insecure protocol and is not supported in WPA2 only mode.
- AES — Uses only AES (Advanced Encryption Standard) for encryption.
- (Optional) In the Group Key Update Interval text box, type or select the WPA group key update interval.
We recommend you use the default setting of 3600 seconds. - In the Passphrase text box, type the passphrase that wireless clients must use to connect to this SSID.
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for network authentication. These authentication methods use the EAP (Extensible Authentication Protocol) framework to enable user authentication to an external RADIUS authentication server. The WPA Enterprise and WPA2 Enterprise authentication methods are more secure than WPA/WPA2 (PSK) because users authenticate with their own credentials instead of a shared key.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication server.
WatchGuard APs support three WPA and WPA2 Enterprise wireless authentication methods:
- WPA Enterprise — The AP accepts connections from wireless devices configured to use WPA Enterprise authentication.
- WPA2 Enterprise — The AP accepts connections from wireless devices configured to use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard; it does not work with some older wireless network cards.
- WPA/WPA2 Enterprise — The AP accepts connections from wireless devices configured to use WPA Enterprise or WPA2 Enterprise authentication.
Configure RADIUS Server Authentication with Active Directory for Wireless Users
To authenticate wireless users to your network, you can use the user accounts from your Active Directory server database to authenticate users with your RADIUS server and the RADIUS protocol. You must configure the wireless security settings on your Firebox to enable RADIUS authentication, configure your RADIUS server to get user credentials from your Active Directory database, and configure your Active Directory and RADIUS servers to communicate with your Firebox and APs.
You must add the IP addresses of your WatchGuard APs and the Firebox as RADIUS clients on your RADIUS server. WatchGuard APs make their own connections to the RADIUS server for authentication requests. Make sure your Firebox is added as a RADIUS client for other types of Firebox-based authentication.
For more information, go to Configure RADIUS Server Authentication with Active Directory for Wireless Users.
About RADIUS Single Sign-On
You can use RADIUS Single Sign-On for wireless clients when you use WPA and WPA2 Enterprise authentication. For more information on RADIUS Single Sign-On, go to About RADIUS Single Sign-On.
Configure WPA and WPA2 Enterprise Authentication
Configure the settings for WPA or WPA2 Enterprise on the Security tab when you edit an SSID.
- Add or edit an SSID.
- On the SSID page, select the Security tab.
- From the Security Mode drop-down list, select WPA Enterprise, WPA2 Enterprise or WPA/WPA2 Enterprise.
- Configure the WPA or WPA2 Enterprise settings.
- Add or edit an SSID.
- In the Edit SSID or Add SSID dialog box, select the Security tab.
- From the Security Mode drop-down list, select WPA Enterprise, WPA2 Enterprise or WPA/WPA2 Enterprise.
- Configure the WPA or WPA2 Enterprise settings.
To configure WPA or WPA2 Enterprise settings:
- From the Security Mode drop-down list, select WPA Enterprise, WPA2 Enterprise or WPA/WPA2 Enterprise.
- From the Encryption drop-down list, select an encryption method:
- TKIP or AES — Uses either TKIP or AES for encryption. (WPA or WPA/WPA2 mixed mode only). TKIP is a deprecated, insecure protocol and is not supported in WPA2 only mode.
- AES — Uses only AES (Advanced Encryption Standard) for encryption.
- (Optional) In the Group Key Update Interval text box, set the WPA group key update interval.
We recommend you use the default setting of 3600 seconds. - In the RADIUS Server text box, type the IP address of the RADIUS server.
- In the RADIUS Port text box, make sure that the port number the RADIUS server uses for authentication is correct.
The default port number is 1812. Some older RADIUS servers use port 1645. - In the RADIUS Secret text box, type the shared secret between the AP and the RADIUS server.
The shared secret is case-sensitive, and it must be the same in the SSID configuration as it is on the RADIUS server.
You must add the IP addresses of your WatchGuard APs as RADIUS clients on your RADIUS server.
Enable RADIUS Accounting:
- Select the Enable RADIUS Accounting check box.
- In the RADIUS Accounting Server text box, type the IP address of the RADIUS accounting server.
- In the RADIUS Accounting Port text box, make sure that the port number the RADIUS accounting server uses is correct.
The default port number is 1813. - In the RADIUS Accounting Secret text box, type the shared secret between the AP and the RADIUS accounting server.
- In the Interim Accounting Interval text box, set the interim accounting interval.
Fast Roaming (802.11k, 802.11r)
Fast Roaming decreases the WPA2 re-authentication time for a wireless client as it roams from one WatchGuard AP to another AP. Fast Roaming enables the wireless client to quickly transition wireless communications and improves performance and stability of streaming-intensive applications such as VoIP and video streaming.
Fast Roaming can only be enabled for WPA2-PSK, WPA/WPA2-PSK mixed, WPA/WPA2 Enterprise mixed, or WPA2-Enterprise protected SSIDs. Wireless clients must support the 802.11k and 802.11r standards.