A captive portal presents a web page (also known as a "splash page") which requires action on the part of the user before network access is granted. The required action can be as simple as viewing and agreeing to an acceptable use policy, or entering a user ID and password that must be validated against a database of authorized users.
When a captive portal is enabled, all Internet traffic is redirected to a particular URL, and the user is required to take specific actions before their traffic is allowed through to the Internet. In this way, a service provider controls the initial Internet experience of its end customers and can ask the customer to take a variety of actions:
accept a set of terms and conditions before being allowed onto the Internet.
fill out a survey.
purchase a billing plan
view an advertisement
EnGeniusCloud includes built-in captive portal functionality, with pre-built templates for free click-through access and external captive portal APIs that allow customers and partners to deploy their own captive portal and billing systems, enabling applications such as specialized coupons and user analytics.
For the Captive Portal to function, EnGeniusCloud must be reachable at all times. Guests are redirected to EnGeniusCloud to reach the guest portal, and the redirection will not succeed if the Cloud APIs are not accessible.
When the captive portal is enabled and the authentication type is set to "Click-through", the user is redirected to a splash page and clicks a link to be granted access to the Internet.
The following figure shows the communication flow and steps for a Click-through captive portal with an external splash page server.
1. A new wireless client tries to connect to a Captive Portal enabled SSID served by an Access Point.
2. The AP intercepts the request and redirects the user to the external splash page, which is served by an external web server configured in the SSID's splash page setting. In addition, an actionurl parameter is passed to the splash page so that the browser can be redirected back to the cloud after submission on the splash page.
3. The splash page content, with the actionurl parameter, is delivered to the browser.
4. The user clicks the confirmation link or submit button on the splash page and is redirected to actionurl to complete the authentication.
In Step 2 of the previous section, the actionurl parameter is composed of a cloud URL with extra parameters. An https request sample to the splash page could look like this:
The https://yourwebsite.com/splash.html here is the splash page setting customized for the corresponding SSID. The actionurl parameters are described as follows:
1. Select a network in the Org-tree.
2. Select SSID in the configuration tool menu.
3. Choose the SSID you want to configure.
4. Switch to the Captive Portal tab and make sure your Captive Portal is enabled and the Authentication Type is set to "Click-through".
5. Switch to the Splash Page tab and select "External Splash Page URL".
6. Enter the URL of your custom splash page (e.g., https://yourwebsite.com/splash.html).
7. Click the "Apply" button.
The external splash page must be hosted on a web server that is reachable from the Access Points on your network. The following must be accomplished, but the particular details depend very much on your web hosting environment.
1. Set up the web server.
2. Modify the splash page to set the form action to the value of the actionurl parameter passed by the cloud. After the user submits the form, the browser is redirected to that URL and the authentication completes.
Another way to implement the splash page is to have a hyperlink redirect the browser to actionurl. For example:
<a href="<?php echo htmlspecialchars($_GET['actionurl'] ?? '', ENT_QUOTES, 'UTF-8'); ?>">For all in one url</a>
The actionurl value arrives in the query string of a request anyone can craft, so never print $_GET['actionurl'] unescaped: escape it before placing it in the attribute, and preferably also check that it is an https URL on the EnGenius Cloud host before using it as a link target.
Parameter Name | Description |
---|---|
vendor | Should be "EnGenius" |
ap_ip | IP address of the associated AP |
ap_mac | MAC address of the associated AP |
ap_port | AP service port |
client_ip | IP address of the wireless client |
client_mac | MAC address of the wireless client |
userurl | The URL the user tried to visit before authentication |
mac | Client's MAC address (obsolete after 2021; use client_mac instead) |
called | AP's MAC address (obsolete after 2021; use ap_mac instead) |
nas_id | Network access server identifier, used to identify the source of a RADIUS access request |
White Papers are published by the EnGenius Technical Support organizations to provide guidance and detailed technical information on the installation, use, and integration of EnGenius Cloud products.
Using an external splash page gives you full control over the sequencing and presentation of the splash page. Internal splash pages are simpler but provide less flexibility. External splash pages are stored and executed on a web server that you define, and must respond appropriately to certain messages from the Access Point in order to present the appropriate user interface at each stage of the authentication process.
When combined with RADIUS authentication, EnGeniusCloud consults an external RADIUS server that you specify to determine whether to authenticate the user. The user interface presented to the user is determined by the external splash page.
Most EnGenius customers who need captive portal authentication on their wireless networks use the customizable splash pages hosted by EnGeniusCloud. However, some network administrators may prefer to host the captive portal page on their own servers. This section shows how to configure EnGeniusCloud to use an external splash page together with an external RADIUS server for authentication.
There are three common security threats in a WLAN:
A denial of service attack floods the radio channel, or sends de-authentication or disassociation packets, to prevent clients from connecting to the AP and accessing the network. An RF jammer is a tool typically used to jam the radio channel so that valid clients cannot access the network. Rogue clients can also spoof the SSID and AP to de-authenticate or disassociate legitimate clients.
Attackers can sniff or eavesdrop on over-the-air traffic to crack the PSK passphrase of an SSID and access the network. They can also crack user credentials to change settings as an admin or to access unauthorized resources as an authorized user.
By spoofing a legitimate SSID or AP, attackers can use the rogue spoofing AP to collect user data. Common examples are man-in-the-middle and evil twin attacks.
Dynamic Frequency Selection (DFS) is a mandate for radio systems operating in the 5 GHz band to identify and avoid interference with radar systems. IEEE 802.11h is the standard that covers the usage of DFS channels. To use DFS channels, wireless access points need to be certified to ensure that the Wi-Fi service on the AP follows the rules, e.g., stops transmitting immediately when a radar signal is detected.
Since only a few business or enterprise APs are certified to use DFS channels, DFS channels are generally less crowded than non-DFS channels. Network providers like to use DFS channels because of the lower interference. However, in areas with occasional radar signals, service providers tend to avoid DFS channels.
Based on the 802.11h standard, an AP must change its channel immediately when a radar signal is detected on the current DFS channel. In general, the AP can only hop back to a non-DFS channel. The main reason is:
According to 802.11h, an AP moving to a new DFS channel has to listen silently to the medium for one minute before it is allowed to transmit anything (such as a beacon), in order to make sure that no radar is currently operating on that channel.
An AP cannot wait for one minute without serving its wireless clients. That is why falling back to a regular non-DFS channel is the only way for conventional APs to comply with the standard.
Instead of falling back to a non-DFS channel, zero-wait DFS is a technique that provides a seamless change of channel: stations do not lose connectivity when the AP moves to another DFS channel. With a dedicated scanning radio, EnGenius S-series APs can guarantee the one-minute clearance of the target DFS channel in advance and hence hop to that channel without waiting.
When an AP changes its channel, a Channel Switch Announcement (CSA), as defined by IEEE 802.11h, is used to announce that the AP is switching to a new channel before it begins transmitting on that channel. This allows clients that support CSA to transition to the new channel with minimal downtime.
All S-series APs support zero-wait DFS. The related options are available in the radio settings.
Good to know:
Enabling Spectrum Analyzer or Channel Scan in Live Diag suspends zero-wait DFS temporarily, because these Live Diag tools need the scanning radio to scan all channels.
AirGuard works alongside zero-wait DFS unless the containment feature is enabled, because containment also needs the scanning radio to perform the containment.
Current ECS switches already support LLDP-MED to configure the voice VLAN of IP phones automatically. On the "Switch Settings" page (also available in the network-wide settings), setting the voice VLAN mode to "auto" makes the switch continuously advertise the voice VLAN and its priority as TLVs via LLDP-MED. An IP phone that supports the same standard adopts that VLAN and priority.
For applications such as CRM tools, presence analytics, or location-aware services, which need to continuously gather presence data of wireless clients, EnGenius Cloud Access Points can deliver real-time presence data.
The EnGenius Presence Service has cloud-managed APs continuously gather 802.11 probe request frames sent by wireless clients and then send the data to third-party servers configured in EnGenius Cloud.
In EnGeniusCloud, the presence service is configured at General Settings > AP > Advanced Settings. The following parameters can be configured on that page:
The data sent by the EnGenius Presence Service is in JSON format with the following objects:
The server receives the data via an HTTP POST message. Access points and EnGenius Cloud services do not retain any presence data. Accordingly, if the server specified in the configuration is down or otherwise unreachable, the HTTP POST fails and the data is lost. EnGenius Cloud does not provide any notification of such a failure.
The EnGenius Cloud services are built upon fully redundant and highly available data centers with SSAE 18 Type II audits and ISO 27001 certification. The EnGenius Cloud architecture is a serverless design in which functions and data are distributed across multiple redundant servers, so there is no single point of failure and every function module scales by itself to achieve high availability and independence.
EnGenius Cloud is a distributed FaaS (Function-as-a-Service) design and the components include:
Cloud devices check-in service
End-user web GUI access service
Real-time monitoring service
End-user configuration database
Log and notification services
Services management center
99.99% uptime service level agreement
24x7 server health monitoring with a report every 2 minutes
24x7 automated failure detection test every 20 minutes
Rapid escalation procedures across multiple operations team shifts
Distributed data centers across multiple availability zones
Customer network configuration data and statistical data replicated across different zones
Real-time replication of data
Daily backups of network configuration, statistical data, and event logs
Rapid failover to a hot spare in the event of hardware failure or natural disaster
The end-user network keeps running even if EnGenius Cloud is unreachable (except for the EnGenius Cloud Authentication function).
Users' data plane does not go through EnGenius Cloud.
Only the management plane of Cloud devices goes through EnGenius Cloud, for configuration and status reporting, so when the Cloud is not reachable it does not affect the normal operation of the users' network.
Every Cloud device has a unique certificate built in from the factory.
Cloud devices have to go through a multi-factor authentication (MFA) process to make sure they are legitimate devices; the devices then receive another private certificate from the Cloud to build a secure tunnel between the devices and the Cloud.
Before onboarding, the device has to be registered in an Organization by the user.
After the secure tunnel is built, the device starts to check in to the Cloud by sending its device information.
If the device is assigned to a Network, the Network configuration is pushed to the device through the secure tunnel.
The device keeps checking in to sync the configuration and update its device information.
EnGenius has built a global data center operations team and maintains several regional zones to back up the whole FaaS service.
To let users run global businesses, the EnGenius Cloud infrastructure design allows users to manage different Networks in different countries and time zones, so the firmware update schedule can be adapted to local time and the device operation mode can comply with local country regulations, such as the available channels.
24x7 intrusion detection
Protected by IP- and port-based firewalls
Administrator access with multi-factor authentication enforced
All entries and exits of the data centers are monitored by surveillance cameras
24x7 security guards control all access into and out of the data centers to ensure only authorized persons can access the controlled zones, with different privilege levels
To keep improving the Cloud infrastructure and features, the operations team may need to upgrade the current production site.
Any code revision is fully tested at a staging site before being pushed to the production site.
Before the upgrade, the operations team notifies cloud users 2 days in advance, through a pop-up post shown when users log in to the Cloud, announcing when the maintenance will be held and its estimated duration.
During the maintenance window, users are redirected to a maintenance page that tells them how long the maintenance will last. Since the data plane does not go through the Cloud, users' networks remain functional.
Users can also call local support for more details.
External splash pages are stored and executed on a web server that you define, and must respond appropriately to certain messages from the Access Point in order to present the appropriate user interface at each stage of the authentication process.
When combined with RADIUS authentication, EnGeniusCloud can consult an external RADIUS server that you specify to determine whether to authenticate the user. The user interface presented to the user is determined by the external splash page.
EnGeniusCloud supports three types of RADIUS-based authentication: EnGenius Authentication, Custom Radius, and Voucher Service. All three types can work with an external splash page to provide a sign-on splash service.
1. A new wireless client tries to connect to a Captive Portal enabled SSID served by an Access Point.
2. The AP intercepts the request and redirects the user to the external splash page, which is served by an external web server configured in the SSID's splash page setting. In addition, an actionurl parameter is passed to the splash page so that the browser can be redirected back to the cloud after submission on the splash page.
3. The splash page content, with the actionurl parameter, is delivered to the browser.
4. The user clicks the login button on the splash page and is redirected to actionurl. Following actionurl makes the Access Point act as a RADIUS proxy, authenticating the user against the remote RADIUS server.
In Step 2 of the previous section, the actionurl parameter is composed of a cloud URL with extra parameters. An https request sample to the splash page could look like this:
The https://yourwebsite.com/splash.html here is the splash page setting customized for the corresponding SSID. The actionurl parameters are described as follows:
1. Select a network in the Org-tree.
2. Select SSID in the configuration tool menu.
3. Choose the SSID you want to configure.
4. Under the Association tab, choose "Open" or "WPA2 PSK".
5. Switch to the Captive Portal tab and choose one of the three authentication types (EnGenius Authentication, Custom Radius, or Voucher Service) to enable RADIUS-based authentication.
6. Enable the walled garden (Captive Portal > Advanced Settings > Walled garden) and enter the public IP address of your web server. The address must be the public-facing IP address of the web server hosting the splash page, not its local LAN IP; without this entry an unauthenticated client cannot reach the splash page at all.
7. Click the Apply button.
1. Select a network in the Org-tree.
2. Select SSID in the configuration tool menu.
3. Choose the SSID you want to configure.
4. Switch to the Captive Portal tab and make sure your Captive Portal is enabled and the Authentication Type is set to Click-through.
5. Switch to the Splash Page tab and select External Splash Page URL.
6. Enter the URL of your custom splash page (e.g., https://yourwebsite.com/splash.html).
7. Click the "Apply" button.
The external splash page must be hosted on a web server that is reachable from the Access Points on your network. The following must be accomplished, but the particular details depend very much on your web hosting environment.
1. Set up the web server.
2. Modify the splash page to set the form action to the value of the actionurl parameter passed by the cloud. After the user submits the form, the browser is redirected to that URL and the authentication completes. To collect logon credentials, you need to create an HTML form that collects them and submits them to the login URL. In its simplest form this could look similar to the code below:
Note that the input field names "username" and "password" are fixed. These two input fields are required to provide the credentials for RADIUS authentication.
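The splash-page logic for the two procedures on this page (click-through, and sign-on with the fixed username and password fields), as an added example in JavaScript that is not from the EnGenius page: it pulls actionurl out of the request the cloud sends, accepts it only when it is an https URL on an expected cloud host (ALLOWED_ACTION_HOSTS is a hypothetical placeholder; fill it from your own redirect URLs), and builds the form. The form method is an assumption, since the page does not say whether the cloud expects GET or POST; with GET a browser drops the action URL's query string, so the example re-emits the cloud's parameters as hidden inputs in that case. SAMPLE_REQUEST is a constructed request, not a captured one.

```javascript
// Added example, not EnGenius code. Hosts the cloud may redirect back to;
// hypothetical value, replace with the host(s) seen in your own actionurl.
const ALLOWED_ACTION_HOSTS = new Set(['cloud.example.com']);

// Escape text for safe insertion into an HTML attribute or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Extract actionurl from the request the cloud sent to the splash page.
// Returns the validated absolute URL, or null when it is missing, not
// https, or not on an allowed host (so the splash page cannot be turned
// into an open redirector by someone crafting a link to it).
function getActionUrl(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get('actionurl');
  if (!raw) return null;
  let action;
  try { action = new URL(raw); } catch { return null; }
  if (action.protocol !== 'https:') return null;
  if (!ALLOWED_ACTION_HOSTS.has(action.hostname)) return null;
  return action.href;
}

// The other cloud-supplied parameters worth showing or logging.
function getPortalParams(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  return {
    vendor: q.get('vendor'),
    apMac: q.get('ap_mac'),
    clientMac: q.get('client_mac'),
    userurl: q.get('userurl'),
  };
}

// Build the form. mode is 'click-through' (confirm button only) or
// 'sign-on' (username/password for RADIUS). method is an assumption.
function buildSplashForm(requestUrl, mode, method = 'post') {
  const action = getActionUrl(requestUrl);
  if (!action) return '<p>Invalid portal request: missing or untrusted actionurl.</p>';
  let formAction = action;
  let hidden = '';
  if (method === 'get') {
    // A GET form replaces the action URL's query string with the form
    // fields, so the cloud's parameters must be re-emitted as hidden inputs.
    const u = new URL(action);
    formAction = u.origin + u.pathname;
    for (const [k, v] of u.searchParams) {
      hidden += `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">\n`;
    }
  }
  // The field names "username" and "password" are fixed by EnGenius Cloud.
  const credentials = mode === 'sign-on'
    ? '<input type="text" name="username" autocomplete="username">\n' +
      '<input type="password" name="password" autocomplete="current-password">\n'
    : '';
  const label = mode === 'sign-on' ? 'Log in' : 'Accept and continue';
  return `<form method="${method}" action="${escapeHtml(formAction)}">\n` +
    hidden + credentials + `<button type="submit">${label}</button>\n</form>`;
}

// Constructed sample of the request the cloud sends to the splash page.
const SAMPLE_REQUEST =
  'https://yourwebsite.com/splash.html?vendor=EnGenius' +
  '&ap_mac=aa:bb:cc:dd:ee:ff&client_mac=11:22:33:44:55:66' +
  '&userurl=' + encodeURIComponent('http://example.org/') +
  '&actionurl=' + encodeURIComponent(
    'https://cloud.example.com/portal/login?nas_id=nas1&client_mac=11:22:33:44:55:66');
```

On the server, run buildSplashForm on the incoming request URL and emit the result as the page body; in a browser, window.location.href can be passed in the same way and the string assigned to a container's innerHTML, which is safe here only because every value taken from the query string went through escapeHtml.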
As SaaS becomes more widely adopted by enterprises and work-from-home options grow more popular, corporate IT managers need to consider how to make sure legitimate users with legitimate devices can access authorized corporate resources whether they are at the office, at home, or on the road. An SASE (secure access service edge) infrastructure with Zero Trust Network Access policy rules therefore becomes necessary to ensure the same policy applies to every individual. The bottom line, however, is that legitimate users have to be able to access the wired and wireless network securely, without worrying about their credentials or data being breached or about attackers impersonating legitimate clients.
Unlike hardwired switched networks, where client devices are connected to a dedicated wired port, wireless local area networks (WLANs) transmit and receive data over the air, which makes WLANs vulnerable to interference, interception, eavesdropping, and all kinds of attacks. WFH (work-from-home) users also expose themselves to threats in an unsecured home Wi-Fi environment. Even if a VPN tunnel is enforced to secure the connection between the home gateway and HQ, it is still hard to secure the WLAN at an employee's home, even when the company provides an authorized VPN-tunneled device.
Besides the WLAN threats, there are many other security issues, including leaving device credentials at the factory default, leaving the SSID open, and sending management frames without protection. The EnGenius Cloud solution provides the essential features to help IT managers strengthen their infrastructure and protect corporate assets.
Parameters | Description |
---|---|
Server Location | Third-party server address |
Key | Secret used to generate a SHA256 HMAC signature over the payload (the JSON message). The signature is added to a custom HTTP header ("Signature") in the POST message. |
Interval | Interval between two consecutive messages |
Object | Description |
---|---|
mac | MAC address of the end client device for which presence data is being reported |
node_mac | MAC address of the Access Point reporting the presence data |
min_signal | Lowest RSSI reading on the AP for this client within the period between first_seen and last_seen |
max_signal | Highest RSSI reading on the AP for this client within the period between first_seen and last_seen |
count | Number of times this client connected to the AP within the period between first_seen and last_seen |
avg_signal | Average RSSI reading on the AP for this client within the period between first_seen and last_seen |
first_seen | Timestamp of when the client was first seen during the reporting period (UTC) |
last_seen | Timestamp of when the client was last seen during the reporting period (UTC) |
last_seen_signal | RSSI reading on the AP when this client was last seen |
associated | Association status between the client and the AP |
Parameter Name | Description |
---|---|
vendor | Should be "EnGenius" |
ap_ip | IP address of the associated AP |
ap_mac | MAC address of the associated AP |
ap_port | AP service port |
client_ip | IP address of the wireless client |
client_mac | MAC address of the wireless client |
userurl | The URL the user tried to visit before authentication |
mac | Client's MAC address (obsolete after 2021; use client_mac instead) |
called | AP's MAC address (obsolete after 2021; use ap_mac instead) |
nas_id | Network access server identifier, used to identify the source of a RADIUS access request |
ssidProfileId | Globally unique identifier of the associated SSID |
networkId | Globally unique identifier of the network to which the associated AP belongs |
A comprehensive Wireless Intrusion Prevention System to create a secure wireless network.
Wi-Fi security risks are always something to consider when providing any kind of wireless service. With the arrival of next-gen technologies such as the Internet of Things (IoT) and the Metaverse, secure Wi-Fi access has become a critical component of enterprise and small business networking. The pandemic has made Wi-Fi security even more essential for home networking, since working from home is now common.
EnGenius AirGuard© is a full-featured solution with advanced wireless security technologies that allows network administrators to build a secure, efficient, and easy-to-manage Wi-Fi network. The core concept of AirGuard is to be able to demonstrate that your security solution defends your business against Wi-Fi attacks, and to deliver the following benefits:
Automatic detection of and protection from Wi-Fi threats.
Containment of rogue SSIDs to prevent users from connecting to unauthorized APs.
Allowing legitimate external APs to operate in the same airspace.
A rogue access point is an AP that is connected to a company's physical network infrastructure but is not under that company's administrative control. This can arise when an employee or student naively brings in a home Wi-Fi router and connects it to the company's infrastructure to provide wireless access. Doing so introduces multiple threat vectors, such as:
Insecure wireless authentication: the rogue AP might only support a deprecated and insecure encryption standard such as WEP or, even worse, be purposely configured with open association and authentication.
Inappropriate attachment: the user could physically attach the AP to a network port in a secure area of the network, or in an area without appropriate firewalling between it and sensitive information.
Inappropriate location: the AP could be placed close to the perimeter of the building, so that someone outside could listen in on the company's network.
Clearly, rogue access points are something we need to protect our business-critical WLAN and networks against.
When a login fails at the Captive Portal, the user is redirected to the splash page again with 2 additional query parameters, res and reason, which indicate the error. The https request to the splash page could look like this:
These 2 parameters can be used to display an error message on the splash page. Their usage is described in the following table:
The following JavaScript code illustrates how to display the error message in the splash page.
Users might see strong Wi-Fi signal strength yet have problems connecting to the AP or suffer an extremely low data rate. This is usually because the Wi-Fi channel utilization is so high that there is no bandwidth left for valid clients. The interference may come from your neighbors' Wi-Fi or from non-Wi-Fi appliances such as microwave ovens.
EnGenius Cloud provides a real-time channel utilization analysis tool to view how much Wi-Fi and non-Wi-Fi radio activity occupies the operating channel, so users can tell whether a connectivity issue is due to high channel utilization or to non-Wi-Fi appliances nearby.
When the operating channel is crowded, the best remedy is to move to a clean channel. Besides the real-time channel utilization analysis of the current operating channel, EnGenius Cloud provides a full channel utilization and density analysis to help you identify which channel is cleaner.
When analyzing channel utilization, the user sees how dense the usage is at a given moment. However, brief interference might mislead the user into thinking the interference is ongoing. The spectrum waterfall analysis tool shows the interference over time in a "waterfall" display, so users can see which channel is cleaner over time rather than at one specific instant.
Instead of selecting the channel manually from the full channel utilization graph or the waterfall spectrum, users can run EnGenius auto channel selection (ACS), which has the EnGenius AP scan the environment and, based on the EnGenius algorithm, identify and move to a cleaner channel automatically.
In high-density deployments, the need for many non-overlapping Wi-Fi channels means that DFS channels must be used to avoid channel interference. However, the AP must switch to another channel once protected radar is detected. Since non-DFS channels are highly congested, switching to another DFS channel is the best option, but that usually requires a wait of more than 30 seconds to make sure the DFS channel can be used, causing client session downtime. EnGenius zero-wait DFS technology in EnGenius "S" models (e.g., ECW220S, ECW230S) uses a dedicated scanning radio to keep listening for other available DFS channels so that the AP can switch immediately and keep client sessions connected.
There are two kinds of RF jamming: radio jamming, which simply blocks the radio channel, and packet flooding, which generates a massive number of Wi-Fi packets on the channel so that there is no bandwidth for valid clients to connect to the network.
EnGenius AirGuard detects RF jamming attacks and categorizes them as radio jamming or packet flood. It reports which channel is attacked and which EnGenius AP detected it, so users know approximately which detecting APs might have an RF jammer nearby. When the channel is jammed, users can use EnGenius ACS (auto channel selection) to move the SSID to a channel that is not under attack.
Clients must be authenticated by the AP with the correct security protocol (e.g., the WPA2-Personal PSK) before they can pass traffic through the AP. Clients are typically disconnected when they receive deauthentication or disassociation frames from the AP. Since the authentication/deauthentication and association/disassociation management frames are unprotected most of the time, attackers can easily spoof the client and keep sending deauthentication/disassociation requests to the AP, or spoof the AP and send deauthentication/disassociation frames to all clients, preventing them from accessing the AP.
EnGenius AirGuard has an algorithm to detect frequent abnormal de-authentication and disassociation frames and reports the malicious attack in one of two categories: de-authentication and disassociation. AirGuard can also detect whether the attack is directed at a specific client, in which case the attacked party shows the client's MAC address; if the attack spoofs the AP to disconnect all clients, the attacked party shows ff:ff:ff:ff:ff:ff instead.
It is highly recommended to enable 802.11w (802.11w-2009, Management Frame Protection) to protect management frames and make sure that a deauthentication or disassociation frame really comes from the legitimate AP. Both clients and APs need to support 802.11w for it to take effect.
Parameters | Description |
---|---|
res=failed&reason=reject | Invalid username or password. |
res=failed&reason=timeout | No response from the authentication server. |
res=failed&reason=mtu | Abnormal network error. |
res=failed&reason=other | Other errors. |
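An added example (not the page's own code) of the error display described for the failed-login redirect: the reason value is mapped through a fixed table, anything unexpected falls back to the "other" text instead of being echoed, the message is shown only when res is "failed", and it is written with textContent so nothing from the query string is interpreted as HTML. The element id login-error is an assumption.

```javascript
// Added example, not EnGenius code. Maps the res/reason redirect parameters
// to a message and renders it without interpreting query-string content as HTML.
const LOGIN_ERROR_MESSAGES = {
  reject: 'Invalid username or password.',
  timeout: 'No response from authentication server.',
  mtu: 'Abnormal network error.',
  other: 'Other errors.',
};

// Returns the message to display, or null when this is not a failed-login
// redirect (res absent or not "failed"). Unknown reason values fall back
// to the "other" text rather than echoing attacker-controllable input.
function loginErrorMessage(url) {
  const q = new URL(url).searchParams;
  if (q.get('res') !== 'failed') return null;
  const reason = q.get('reason') || 'other';
  return Object.prototype.hasOwnProperty.call(LOGIN_ERROR_MESSAGES, reason)
    ? LOGIN_ERROR_MESSAGES[reason]
    : LOGIN_ERROR_MESSAGES.other;
}

// Browser side: write into the element with id "login-error" (assumed to exist
// in the splash page) using textContent, never innerHTML. Returns whether a
// message was shown so the caller can, for example, focus the username field.
function showLoginError(doc, url) {
  const msg = loginErrorMessage(url);
  const el = doc.getElementById('login-error');
  if (!el) return false;
  el.textContent = msg || '';
  el.hidden = !msg;
  return Boolean(msg);
}

// Run automatically when loaded in a browser; a no-op under Node.
if (typeof document !== 'undefined') {
  showLoginError(document, window.location.href);
}
```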
Revealing and classifying potential wireless threats is an important first step in securing the wireless network and the network infrastructure as a whole. Once classified, remediation can be taken against confirmed threats and innocuous alerts can be dismissed. AirGuard automatically classifies threats into the following categories to provide visibility and overall protection for your network.
The network administrator can manually maintain an SSID naming rule set to identify rogue APs. Any wireless service matching the rogue rules is identified by the cloud system as a rogue service and listed under Rogue SSIDs.
Note:
Rogue rules are network-wide settings. If you have multiple Networks running close to each other with different managed SSIDs defined, add all managed SSIDs to the whitelist rule set to avoid the adjacent managed SSIDs being identified as rogue SSIDs.
SSIDs that do not match the rogue rules, or that match the whitelist rules, are classified as Other SSIDs. These can be the SSIDs run by your neighbors or by the coffee shop near your office. With visibility into these SSIDs, the network administrator can easily decide whether or not to classify them as rogues.
An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of a phishing scam. AirGuard can detect two types of evil twin:
AP spoofs
A malicious mimic of a legitimate AP that spoofs the SSID name.
AP Impersonation
Malicious impersonation not only of the SSID name but also of the BSSID (the wireless MAC address), which makes it indistinguishable from the original AP.
Denial of Service (DoS) attacks that prevent clients from associating with the legitimate AP can be mounted by sending an excessive number of broadcast messages to clients or APs. DoS attacks can come from malicious clients, APs, or even another WIPS system in the area that considers the corporate network a threat and attempts to remediate it. AirGuard can detect two types of malicious attack:
De-auth attack to AP
The attacker mimics a client by sending an excessive number of de-auth messages to managed APs, making the AP disconnect the client.
De-auth attack to client
The attacker mimics an AP by sending an excessive number of de-auth messages to a client associated with a managed AP. This also results in the disconnection of the attacked client.
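A simplified detector for the two attack shapes above and the categories described earlier on this page (de-authentication versus disassociation, with the attacked party shown as the client MAC or ff:ff:ff:ff:ff:ff), as an added example that is not AirGuard's algorithm: it counts frames per (subtype, source, destination) in a sliding window over constructed frame records and classifies a flood by which side of the flow is one of our managed APs. The window length, the threshold, the record shape and the sample capture are all assumptions.

```javascript
// Added example, not AirGuard's algorithm. Flags floods of spoofed
// deauth/disassoc frames and labels them the way the page describes.
const BROADCAST = 'ff:ff:ff:ff:ff:ff';
const WINDOW_MS = 10000;     // assumption: sliding window length
const FLOOD_THRESHOLD = 20;  // assumption: frames per (subtype, src, dst) inside the window

// One record per observed management frame (constructed shape):
// { t: epoch ms, subtype: 'deauth' | 'disassoc', src: MAC, dst: MAC }
// managedAps: Set of BSSIDs under our control.
function detectDeauthAttacks(frames, managedAps) {
  const windows = new Map(); // flow key -> timestamps still inside the window
  const alerts = new Map();  // flow key -> alert (one per flow)
  const ordered = [...frames].sort((a, b) => a.t - b.t);
  for (const f of ordered) {
    if (f.subtype !== 'deauth' && f.subtype !== 'disassoc') continue;
    const key = `${f.subtype}|${f.src}|${f.dst}`;
    const ts = windows.get(key) || [];
    ts.push(f.t);
    while (ts.length && f.t - ts[0] > WINDOW_MS) ts.shift();
    windows.set(key, ts);
    if (ts.length < FLOOD_THRESHOLD) continue;
    const existing = alerts.get(key);
    if (existing) {
      existing.count = Math.max(existing.count, ts.length);
      continue;
    }
    const alert = classify(f, managedAps, ts.length);
    if (alert) alerts.set(key, alert);
  }
  return [...alerts.values()];
}

// Map a flooding flow onto the two directions described on the page.
function classify(f, managedAps, count) {
  const category = f.subtype === 'deauth' ? 'de-authentication' : 'disassociation';
  if (managedAps.has(f.dst)) {
    // Attacker mimics a client and floods our AP; the impersonated client is the victim.
    return { category, direction: 'to AP', attackedParty: f.src, spoofedAs: f.src, target: f.dst, count };
  }
  if (managedAps.has(f.src)) {
    // Attacker mimics our AP; the victim is one client, or every client when dst is broadcast.
    return { category, direction: 'to client', attackedParty: f.dst, spoofedAs: f.src, target: f.dst, count };
  }
  return null; // flow does not involve a managed AP; out of scope for this example
}

// Constructed sample capture: a broadcast deauth flood spoofing our AP, a
// disassoc flood spoofing a client towards our AP, and three legitimate frames.
function sampleFrames() {
  const ap = 'aa:bb:cc:dd:ee:ff';
  const client = '11:22:33:44:55:66';
  const frames = [];
  for (let i = 0; i < 30; i++) frames.push({ t: 1000 + i * 150, subtype: 'deauth', src: ap, dst: BROADCAST });
  for (let i = 0; i < 25; i++) frames.push({ t: 2000 + i * 200, subtype: 'disassoc', src: client, dst: ap });
  for (let i = 0; i < 3; i++) frames.push({ t: 5000 + i * 1000, subtype: 'deauth', src: ap, dst: '22:33:44:55:66:77' });
  return frames;
}
```

With 802.11w enabled on both sides, a spoofed deauth carries an invalid (or no) integrity check and the receiver drops it, so an alert of this kind on a protected SSID points at clients or APs that negotiated without MFP.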
RF jamming is a technique utilizing the open medium nature of WiFi by sending a lot of noise in the environment, making it impossible for other nodes to send messages through available channels.
An RF jammer is not needed to be compliant with WiFi protocols. Instead, it only needs to interfere with the physical transmission and reception of wireless communications. AirGuard is capable of detecting four types of RF jamming:
Constant Jammer:
Continually emits a radio signal that interferes with communication.
Deceptive Jammer:
Constantly injects regular-looking packets into the channel without following the CSMA/CA procedure.
Random Jammer:
Intermittently emits the jamming signal.
Reactive Jammer:
Senses legitimate transmissions and jams them as they occur.
Refer to more details here.
EnGenius AirGuard is how EnGenius detects RF jamming, abnormal de-authentication and disassociation frames, and evil twins, and identifies rogue SSIDs from rogue APs. AirGuard also lets administrators set rogue rules and whitelist rules by SSID name or radio MAC address.
EnGenius provides diagnostic tools for each AP to see the channel utilization of Wi-Fi and non-WiFi traffic, and a waterfall spectrum view to see what congestion of the channel looks like over time. The tools also provide ping, traceroute, and a live client list.
Every EnGenius Cloud device has a built-in certificate from the factory and must pass multiple authentication checks to be able to connect to EnGenius Cloud. Only management traffic flows through EnGenius Cloud. All other user data flows do not pass through EnGenius Cloud, which protects user privacy.
EnGenius Cloud zero-wait DFS is well suited to a high-density environment, leveraging as many available channels as possible. The auto-channel selection (ACS) algorithm also allows the AP to find a clearer channel for the best connection.
The EnGenius Cloud AP supports myPSK, which sets a unique PSK for each user to protect the passphrase from leakage. The Cloud AP also supports WPA3 and 802.11w for a WLAN connection that is more secure against over-the-air breaches. EnGenius Cloud enforces auto firmware upgrades to make sure all managed AP firmware versions are up to date, remediating known vulnerabilities. EnGenius Cloud also keeps checking whether the default credential has been changed and keeps warning users to change the default password. A sophisticated floor plan tool helps users see heat maps of the floor and how walls, doors, and other obstacles affect coverage. Administrators can use the floor map combined with AirGuard to locate the rogue source by identifying the detecting AP list on the floor map.
Hackers need impatient web users to pull off an evil twin attack. Unfortunately, plenty of us fall into this category. When we go into a public space, such as a library or a coffee shop, we expect that establishment to offer free and fast WiFi. In fact, reporters even rank businesses by their connection speeds.
But that speed and convenience come with a cost. Hackers can quickly take over a safe-seeming WiFi connection and see (or steal) anything users do online.
An attack typically works like this:
Step 1: Set up an evil twin access point. A hacker looks for a location with free, popular WiFi. The hacker takes note of the Service Set Identifier (SSID) name. Then, the hacker uses a tool like a WiFi Pineapple to set up a new access point with the same SSID. Connected devices can't differentiate between the legitimate connection and the fake version.
Step 2: Set up a fake captive portal. Before you can sign in to most public WiFi accounts, you must fill in data on a generic login page. A hacker will set up an exact copy of this page, hoping that they will trick the victim into offering up authentication details. Once the hacker has those, they can log in to the network and control it.
Step 3: Encourage victims to connect to the evil twin WiFi. The hacker moves close to the victims and broadcasts a stronger signal than the legitimate AP. Anyone new will only see the evil twin, and they will tap and log in. The hacker can kick off anyone currently connected with a distributed denial of service (DDoS) attack, which temporarily takes the valid server offline and prompts mass logins.
Step 4: The hacker steals the data. Anyone who logs in connects via the hacker. This is a classic man-in-the-middle attack, which allows the attacker to monitor anything that happens online. If the user logs into something sensitive (like a bank account), the hacker can see all the login details and save them for later use.
Customer participation is critical in an evil twin WiFi attack. And unfortunately, only about half of all consumers think they're responsible for securing their data on a public WiFi account. Most think the companies that offer connections will protect them. The companies may disagree.
When an evil twin AP is present, a threat actor broadcasts the same SSID as the legitimate AP (and often the same BSSID, the MAC address of the AP radio) to fool the device into connecting (image below).
While within range of the target SSID, attackers begin by broadcasting the same SSID. This is straightforward and can even be done on smartphones with data plans that allow mobile Wi-Fi hotspot tethering. Attackers looking to avoid drawing suspicion toward antennas and battery packs typically opt for a popular tool called bettercap, which can run natively on Linux, Mac, Windows, and Android systems.
Additionally, it's important to note that evil twin attackers need to use clients with a radio capable of "monitor mode."
If the target SSID is a busy open hotspot, victim clients will connect to the evil twin AP within seconds. If the target is a private, PSK-encrypted SSID, the attacker would need knowledge of the PSK (a service offered online that requires packet capture files of the WPA/WPA2 handshake sequence).
Most Wi-Fi clients and their human operators choose to "auto join" previously saved Wi-Fi networks. If the attacker can't successfully trick the victim into connecting to the evil twin, they can simply break the connection between the victim and any legitimate AP the victim is using by flooding the client and/or the associated AP with spoofed de-authentication frames, in what's called a de-authentication attack. The target device and AP are thereby told that their connection has been dropped.
Once a client is connected to the evil twin AP, the hard part of the attack is done. This entire process is used to allow attackers to establish MitM (man-in-the-middle) positions from which they can siphon packets and inject malware or backdoors onto victim devices for remote access. Once in a MitM position, the attacker has complete control over the Wi-Fi session. These cybercriminals can leverage well-known tools to duplicate popular login forms for social sites or email hosting platforms, intercept the credentials in plain text, forward them to the real websites, and log the user in. As the target, you might believe you've simply logged in to your email account as always, but in reality you have handed your credentials over to an attacker.
AirGuard can detect two types of evil twins:
AP spoofs
A malicious mimic of a legitimate AP that spoofs the SSID name.
AP Impersonation
Malicious impersonation not only of the SSID name but also of the BSSID (the wireless MAC address), which makes it indistinguishable from the original AP.
The system not only helps detect the evil twin but also helps analyze the attack in detail.
EnGenius AirGuard offers wireless intrusion prevention system (WIPS) solutions to detect the presence of an evil twin AP and prevent managed corporate clients from connecting to it. (Full disclosure: EnGenius is one of a number of companies that provide such services.)
For Wi-Fi users, an evil twin AP is nearly impossible to detect because the SSID appears legitimate and the attackers typically provide Internet service.
Almost anyone can easily purchase an access point or Wi-Fi router to generate a rogue SSID that looks exactly the same as the legitimate corporate SSID. It can be placed, for example, in the parking lot around the corporate building as a honeypot to which a valid employee's notebook might inadvertently connect.
The rogue SSID attack becomes more likely as more companies use cloud services like Google Suite, Salesforce.com, etc. The hacker doesn't need to hack the corporate network but can simply put out a honeypot and sniff the traffic between valid users and cloud services.
It becomes even easier when new roaming technology in mobile phones and notebooks detects the stronger signal of the same SSID and roams to it. The hacker can then place a boosted rogue AP beside the corporate building, where corporate Wi-Fi might have weaker coverage around the corners or edges of the building.
EnGenius AirGuard can check the SSID name (ESSID) or AP radio MAC (BSSID) to automatically detect the rogue AP that mimics the legitimate SSID but is not listed among legitimate EnGenius managed APs in the same network.
It is good practice to set up a honeypot environment in a corporate network to lure and identify malicious attackers. Administrators can set up a network separate from the corporate networks with a honeypot AP using an open SSID and some clients generating traffic. Malicious hackers will then find the "weak" SSID of the honeypot and attack it.
AirGuard allows users to set rogue rules and whitelist rules by comparing the SSID name or BSSID MAC address. In the honeypot case, administrators can monitor which MAC sources mimic the honeypot SSID, observe how they are trying to attack the network, and take action accordingly. If there are legitimate non-EnGenius APs deployed in the corporate network, administrators can whitelist their MAC addresses to separate them from the rogue SSID list.
By luring valid users to connect to the rogue AP, hackers can attach a proxy to the rogue AP and redirect all traffic through it. They can then snoop on sensitive corporate information while the valid user accesses corporate cloud services.
If the hacker can furthermore connect to a legitimate AP, they can chain a rogue AP to it and mimic the legitimate SSID. Everything looks the same from the client side when the client connects to the rogue SSID of a man-in-the-middle rogue AP.
There are three easy ways a hacker can connect to a legitimate AP:
Factory default device admin credential. This is the most common exposure that users might encounter accidentally. Using the factory default credential, hackers can get into the device and change the configuration to allow a rogue AP to connect to the legitimate AP.
SSID security type set to "Open." When an SSID is "Open," everyone can connect to the legitimate AP and access corporate networks and assets. It's also quite common to set the SSID security type to Open when a captive portal splash page is used for user authentication. The rogue AP can easily connect to the legitimate AP and pass all traffic, including the splash page authentication, while sniffing all data.
Exploiting a vulnerability on un-updated firmware. Some vulnerabilities were found in WPA2, like the KRACK issue, where hackers could leverage the four-way handshake sequence of WPA2 and hack the PSK to steal sensitive information like credentials, credit card info, and so on. The vulnerability was fixed, but users had to upgrade to the most up-to-date version of their device firmware. Managing device firmware across the corporate network is also a task for the administrator.
For example, the hacker can start a DoS attack to break the connection between clients and a legitimate AP, so that the clients have problems connecting to the legitimate SSID. If a hacker finds a network called "XYZ," the hacker can create a look-alike SSID "XYZ-5G" for clients to connect to. (The hacker can also use the exact same SSID name to simulate a legitimate SSID; however, this will be found through "rogue SSID" detection.) The hacker can then either redirect the traffic to a phishing web page to steal credentials or direct the traffic back to a legitimate AP and sniff all data transferred in between.
AirGuard monitors all SSIDs with the same name as the legitimate SSID and checks whether each one comes from a legitimate AP in the network. Users can also set whitelist rules by adding the MAC addresses of legitimate APs that are not managed by EnGenius Cloud, to exclude them from the rogue SSID list.
It is common and easy to set a WPA PSK passphrase on the SSID for basic access control. However, once someone knows the passphrase, they can access the SSID indefinitely. EnGenius myPSK allows the network administrator to set a unique PSK for each person and control its validity period and VLAN, so when the person is no longer eligible to access the network, the PSK becomes invalid. This feature is especially suitable for school dormitories, where students and teachers come and go with different levels of resource access. Dormitory administrators can assign each student a unique PSK for the full school year or certain semesters, granting access to a certain VLAN for a limited period of time.
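The rogue and whitelist rule evaluation described above (managed BSSIDs, whitelisted third-party APs, SSID names that mimic a legitimate SSID, administrator rogue rules), written as an added example, not EnGenius code; the inventory, MAC addresses and scan results are constructed, and the priority of whitelist over rogue rules follows the Other SSIDs definition at the top of this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One SSID heard by one managed AP during a scan (constructed record)."""
    detector: str   # name of the managed AP that heard the beacon
    ssid: str
    bssid: str      # radio MAC of the transmitter
    rssi: int       # dBm as received by the detector


# Hypothetical inventory of the managed network (all MACs are made up).
MANAGED_APS = {"00:11:22:aa:bb:01": "AP-Lobby", "00:11:22:aa:bb:02": "AP-Floor2"}
MANAGED_SSIDS = {"Corp-WiFi", "Corp-Honeypot"}

# Whitelist rules: legitimate non-EnGenius radios or SSIDs. Checked before
# the rogue rules so a whitelisted AP never lands on the rogue list.
WHITELIST_BSSIDS = {"00:aa:bb:cc:dd:01"}
WHITELIST_SSIDS = {"Printers"}

# Rogue rules: SSID name patterns or radio MACs the administrator flags.
ROGUE_SSID_PATTERNS = [re.compile(r"^corp", re.IGNORECASE)]
ROGUE_BSSIDS = {"de:ad:be:ef:00:01"}


def classify(obs: Observation) -> str:
    """Return 'managed', 'rogue' or 'other' for one observed SSID."""
    bssid = obs.bssid.lower()
    if bssid in MANAGED_APS:
        return "managed"
    if bssid in WHITELIST_BSSIDS or obs.ssid in WHITELIST_SSIDS:
        return "other"      # whitelisted: listed with the neighbours, never as rogue
    if obs.ssid in MANAGED_SSIDS:
        return "rogue"      # legitimate SSID name from a radio we do not manage
    if bssid in ROGUE_BSSIDS or any(p.search(obs.ssid) for p in ROGUE_SSID_PATTERNS):
        return "rogue"      # matches an administrator-defined rogue rule
    return "other"


def rogue_report(observations):
    """Group rogue radios by (ssid, bssid) and list the detecting APs,
    strongest RSSI first, so the floor plan can be used to locate the source."""
    heard = defaultdict(list)
    for obs in observations:
        if classify(obs) == "rogue":
            heard[(obs.ssid, obs.bssid.lower())].append((obs.detector, obs.rssi))
    return {key: sorted(v, key=lambda d: d[1], reverse=True) for key, v in heard.items()}


# Constructed scan results reported by two managed APs.
SAMPLE_SCAN = [
    Observation("AP-Lobby", "Corp-WiFi", "00:11:22:aa:bb:02", -48),      # colleague AP
    Observation("AP-Lobby", "Corp-WiFi", "f8:12:34:56:78:9a", -61),      # same name, unknown radio
    Observation("AP-Floor2", "Corp-WiFi", "f8:12:34:56:78:9a", -75),
    Observation("AP-Lobby", "Corp-Honeypot", "f8:12:34:56:78:9b", -70),  # someone mimics the honeypot
    Observation("AP-Lobby", "Printers", "00:aa:bb:cc:dd:01", -55),       # whitelisted third-party AP
    Observation("AP-Floor2", "CoffeeShop-Guest", "a4:00:00:00:00:01", -80),
    Observation("AP-Floor2", "CORP-5G", "a4:00:00:00:00:02", -66),       # look-alike name, rogue rule
]

if __name__ == "__main__":
    for obs in SAMPLE_SCAN:
        print(f"{classify(obs):8} {obs.ssid:18} {obs.bssid} via {obs.detector} ({obs.rssi} dBm)")
    for (ssid, bssid), detectors in rogue_report(SAMPLE_SCAN).items():
        print(f"rogue {ssid} {bssid}: heard by {detectors}")
```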
All devices come with a default account and password for easy first-time configuration. If the administrator doesn’t change the account/password, it’s easy for someone to log in to the device and change the configuration. This is the most common oversight that puts corporate network security at risk.
EnGenius encourages users to set a unique network-wide local admin account and password immediately. When a new device is assigned to the network, or a new network is created, the local admin account and password used to access the device's local GUI must be changed accordingly. If the factory-default credential is not changed, EnGenius Cloud marks the network as "insecure" by putting a warning icon on the network to indicate that the network devices are exposed to attack.
WPA3 enhances the security mechanism with OWE (Opportunistic Wireless Encryption) to replace the Open security type. Clients don't need a passphrase to access the AP, because OWE encrypts the transmission. In addition, WPA3-Personal uses SAE to replace the WPA2 pre-shared key, a more secure way to do the key exchange that prevents attacks such as KRACK against the four-way handshake.
EnGenius provides an HTTPS option for users to encrypt the communication between the client and AP before the user gets authenticated through a captive portal. Without the encryption, a man-in-the-middle can easily sniff the credential during the captive portal login process.
To make sure the firmware of devices on the corporate network is most up-to-date and vulnerabilities fixed as soon as possible, the EnGenius Cloud auto firmware upgrade feature allows users to set time slots each week to upgrade. Once set, administrators won’t need to worry about firmware version management across the whole network.
Hackers use evil twin devices to break into networks by luring legitimate clients to connect. Since security detection checks whether frames come from legitimate access points, hackers change the MAC address, and even the SSID name, of the evil twin to match those of the legitimate AP.
AirGuard can detect the evil twin attack with an algorithm that distinguishes whether frames come from a legitimate EnGenius AP or from a rogue AP mimicking the legitimate MAC address. Two categories are distinguished:
AP Spoofing
The rogue AP spoofs the legitimate AP by sending frames with the same MAC address as the legitimate AP.
AP Impersonation
The rogue AP mimics not only the MAC address of the legitimate AP but also its SSID name.
Usually the way an AP detects an evil twin is by leveraging the technique of "I know you are not me": when "I," the detecting AP, receive frames carrying my own MAC address, I know I didn't send them, so I know there is an evil twin around. However, if the evil twin is outside the range of the victim AP, the victim AP cannot tell whether the frames are legitimate or fake. EnGenius enhances the evil twin detection algorithm by letting every legitimate AP in the network know who its colleagues are and who the evil twin is.
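The "I know you are not me" check above, plus a colleague check that uses the cloud's knowledge of each managed AP's operating channel, as an added example (not EnGenius's algorithm; the channel comparison is an assumed heuristic, and the inventory, MACs and captured frames are constructed). It uses the spoofing/impersonation categories as this section defines them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ManagedAP:
    bssid: str
    ssid: str
    channel: int    # operating channel known to the cloud


@dataclass(frozen=True)
class HeardFrame:
    """A beacon or probe response received over the air by a managed AP
    (constructed record; an AP never receives its own transmissions)."""
    detector: str   # BSSID of the managed AP that received the frame
    bssid: str      # transmitter address carried in the frame
    ssid: str
    channel: int    # channel the detector was listening on
    rssi: int


# Hypothetical inventory pushed by the cloud to every managed AP, so each AP
# knows "who my colleagues are" (all MACs are made up).
INVENTORY = {
    "00:11:22:aa:bb:01": ManagedAP("00:11:22:aa:bb:01", "Corp-WiFi", 36),
    "00:11:22:aa:bb:02": ManagedAP("00:11:22:aa:bb:02", "Corp-WiFi", 44),
}


def classify_frame(frame: HeardFrame):
    """Return (category, evidence) for a frame carrying a managed BSSID, or
    None if the frame is consistent with a genuine colleague transmitting."""
    bssid = frame.bssid.lower()
    victim = INVENTORY.get(bssid)
    if victim is None:
        return None     # unmanaged MAC: left to the rogue SSID rules
    # Spoofing copies the MAC only; impersonation copies MAC and SSID name.
    category = "AP impersonation" if frame.ssid == victim.ssid else "AP spoofing"
    if frame.detector.lower() == bssid:
        # "I know you are not me": a frame carrying my MAC was sent by someone else.
        return category, "heard my own MAC"
    if frame.channel != victim.channel:
        # Colleague check (assumed heuristic): the cloud told me the real AP's
        # channel, so the same MAC beaconing elsewhere cannot be my colleague.
        # Limitation: a clone on the same channel, out of the victim's range,
        # is not caught by this rule.
        return category, f"colleague {victim.bssid} is on channel {victim.channel}"
    return None


def detect_evil_twins(frames):
    """Aggregate alerts per (spoofed BSSID, category) with every detector and
    its RSSI, strongest first, for locating the source on the floor plan."""
    alerts = {}
    for f in frames:
        verdict = classify_frame(f)
        if verdict is None:
            continue
        key = (f.bssid.lower(), verdict[0])
        alerts.setdefault(key, []).append((f.detector.lower(), f.rssi, verdict[1]))
    for detections in alerts.values():
        detections.sort(key=lambda d: d[1], reverse=True)
    return alerts


# Constructed capture from the two managed APs.
SAMPLE_FRAMES = [
    HeardFrame("00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "Corp-WiFi", 36, -40),  # my own MAC
    HeardFrame("00:11:22:aa:bb:02", "00:11:22:aa:bb:01", "Corp-WiFi", 36, -70),  # real colleague
    HeardFrame("00:11:22:aa:bb:02", "00:11:22:aa:bb:01", "Corp-WiFi", 6, -52),   # clone on 2.4 GHz
    HeardFrame("00:11:22:aa:bb:02", "00:11:22:aa:bb:01", "Free-WiFi", 6, -53),   # clone, other SSID
    HeardFrame("00:11:22:aa:bb:01", "cc:00:00:00:00:01", "Corp-WiFi", 36, -60),  # unmanaged MAC
]

if __name__ == "__main__":
    for (bssid, category), detections in detect_evil_twins(SAMPLE_FRAMES).items():
        print(f"{category} of {bssid}:")
        for detector, rssi, why in detections:
            print(f"  seen by {detector} at {rssi} dBm ({why})")
```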
With the EnGenius Cloud Map function, users can upload a floor plan and place an AP on the floor map to see the heat map of Wi-Fi coverage. Users can also add walls and doors to the floor plan to see how the obstacles affect the heat map. For every rogue detected, AirGuard will list the detecting APs with signal strength (RSSI value) so users can leverage the floor plan to locate those detecting APs and discover if the rogue source might be nearby.
Every EnGenius Cloud device has a built-in certificate installed at the factory, which is mandatory for communicating with EnGenius Cloud. An evil twin rogue AP can clone the MAC of a legitimate AP; however, without the built-in certificate the rogue AP cannot connect to EnGenius Cloud to access the corporate network.
To obtain a built-in certificate, an intruder might purchase an EnGenius AP on the market to function as an evil twin rogue AP; however, that AP still has to pass the MFA (multi-factor authentication) process before it can connect to the Cloud and join the network. EnGenius Cloud first checks the certificate, MAC address, serial number, and key exchange, and then checks whether the device is registered to an org and whether it is associated with the network.
Only the control plane of device information and configuration goes to EnGenius Cloud. All other user data planes will not pass through the Cloud, so users don’t need to worry if EnGenius Cloud will capture or store any user-sensitive data. EnGenius Cloud also encrypts the control plane information to prevent hackers from sniffing the management traffic.
A deauthentication attack is a disruptive technique against wireless connections. It belongs to the denial-of-service family, abruptly rendering networks temporarily inactive. These tactics are usually low-key, as they do not require unique skills or elaborate equipment. For some, deauthentication attacks are innocent pranks on coworkers, friends, or neighbors. However, they can be a component of a bigger ruse, such as an evil twin attack. Perpetrators overwhelm networks with deauthentication requests, forcing them to drop their clients' connections.
Deauthentication attacks represent fraudulent requests that interfere with the communication between routers and devices. The strategy attacks 802.11-based wireless networks, as they require deauthentication frames whenever users terminate connections. The dilemma here is that access points might not recognize that requests originate from a fraudulent source. Since networks do not validate incoming frames, hackers can imitate them. Lack of encryption adds fuel to the fire, even if sessions feature WEP.
Wi-Fi networks also do not have effective mechanisms for verifying MAC addresses. Perpetrators could spoof addresses and perform deauthentication attacks. Forged frames terminate connections. If attackers continue to send requests, users won’t be able to reconnect. While the attack could focus on a single target, all clients could lose connection to the access point.
As the attack forces clients to abandon the authentic AP, they might consider connecting to other hotspots. Rogue access points known as evil twins are highly prominent in the free Wi-Fi landscape. Nowadays, many popular hangouts supply free internet. Hackers could generate fake hotspots by mimicking the details of an official access point. So, after a deauthentication attack terminates clients’ connections, they could connect to a rogue network. Then, its owners can monitor all activities. This surveillance covers all communications, visited websites, financial transactions, and more. Hence, free Wi-Fi in crowded locations poses severe threats, especially if hackers set up evil twins nearby.
Disturbingly, there are articles and special tools for performing deauthentication attacks. While this strategy is prevalent in hackers’ communities, its purpose could be benign. Let’s discuss several scenarios that force networks to drop connections.
Terminating hidden cameras. Airbnb clients always wonder whether accommodation providers follow the rules regarding surveillance cameras. Over the years, Airbnb has been forced to forbid the use of cameras in rented apartments or rooms. However, more cunning homeowners can conceal cameras from their guests. White-hat hackers point out that deauthentication attacks can reveal whether a rented apartment conceals cameras.
Hotels pushing their paid Wi-Fi plans. There have been incidents where hotels employed deauthentication to promote their own Wi-Fi services. In fact, the Federal Communications Commission (FCC) has stated that blocking or interfering with Wi-Fi hotspots is illegal. One of the first offenders was the Marriott hotel, which had financial motives for disrupting visitors' access points. However, charging perpetrators with deauthentication attacks is a rare sight. Usually, victims blame the interruptions on unstable Wi-Fi.
A prank on neighbors or friends. Ethical hackers may employ deauthentication for testing purposes. In other cases, tech-savvy users might use it to make their neighbors stop stealing their Wi-Fi. However, deauthentication attacks can be part of evil twin attacks, which are highly damaging to victims' privacy.
The use of encryption in 802.11 is limited to data payloads only. Encryption does not apply to the 802.11 frame headers, and cannot do so as key elements of 802.11 headers are necessary for normal operations of 802.11 traffic. Since 802.11 management frames largely work by setting information in the headers, management frames are not encrypted and as such are easily spoofed.
To prevent deauthentication/disassociation attacks, the IEEE implemented the 802.11w amendment to 802.11. This provides a mechanism to help prevent the spoofing of management frames, but both client and infrastructure need to support it (and have it enabled) for it to function.
Good to know:
Not all WiFi clients, especially IoT devices, support 802.11w well. For maximum compatibility, network providers tend to turn 802.11w off today, which is why de-auth attacks are still common.
AirGuard can detect two types of malicious attacks:
De-auth attack to AP
The attacker mimics a client by sending an excessive number of De-auth messages to managed APs, making the AP disconnect the client.
De-auth attack to client
The attacker mimics an AP by sending an excessive number of De-auth messages to a client associated with a managed AP. This also results in the disconnection of the attacked client.
AirGuard shows the details of a Malicious Attack.
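A sliding-window detector for the two de-auth attack categories listed here and in the overview above, as an added example (not AirGuard's implementation). The managed BSSID, the window and threshold values, and the captured frames are constructed; a frame is attributed to the "to AP" category when an unmanaged sender targets a managed radio, and to the "to client" category when the claimed sender is a managed radio, which over the air can only be someone else posing as it.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtFrame:
    """Header fields of a management frame received over the air (constructed)."""
    t: float        # arrival time in seconds
    subtype: str    # "deauth", "disassoc", or anything else
    src: str        # transmitter address claimed in the header
    dst: str        # receiver address (unicast client or broadcast)


# Hypothetical managed AP radio and the rate we treat as a flood.
MANAGED_BSSIDS = {"00:11:22:aa:bb:01"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_S = 5.0      # sliding window length
THRESHOLD = 20      # a genuine client or AP sends one or two per disconnection


def attack_kind(src: str, dst: str):
    """Map the claimed addresses to AirGuard's two categories, or None."""
    if dst in MANAGED_BSSIDS and src not in MANAGED_BSSIDS:
        return "De-auth attack to AP"        # sender poses as one of our clients
    if src in MANAGED_BSSIDS:
        return "De-auth attack to client"    # sender poses as our AP
    return None                              # not aimed at a managed link


class DeauthFloodDetector:
    """Counts deauth/disassoc frames per (kind, src, dst) in a sliding window."""

    def __init__(self, window=WINDOW_S, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.history = defaultdict(deque)   # key -> timestamps inside the window
        self.alerted = set()                # keys already reported once

    def observe(self, f: MgmtFrame):
        """Feed one frame; return an alert the first time a key crosses the threshold."""
        if f.subtype not in ("deauth", "disassoc"):
            return None
        src, dst = f.src.lower(), f.dst.lower()
        kind = attack_kind(src, dst)
        if kind is None:
            return None
        key = (kind, src, dst)
        q = self.history[key]
        q.append(f.t)
        while q and f.t - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return {"kind": kind, "src": src, "dst": dst, "count": len(q), "at": f.t}
        return None


def analyze(frames):
    """Run the detector over a time-ordered capture and collect the alerts."""
    det = DeauthFloodDetector()
    return [a for a in (det.observe(f) for f in frames) if a is not None]


BSSID = "00:11:22:aa:bb:01"
# Constructed capture: two normal disconnects, then a broadcast flood that
# poses as our AP, then a flood that poses as a client and targets our AP.
SAMPLE_CAPTURE = (
    [MgmtFrame(10.0 + 4 * i, "deauth", "a0:00:00:00:00:c1", BSSID) for i in range(2)]
    + [MgmtFrame(20.0 + 0.04 * i, "deauth", BSSID, BROADCAST) for i in range(25)]
    + [MgmtFrame(30.0 + 0.05 * i, "deauth", "a0:00:00:00:00:c2", BSSID) for i in range(30)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CAPTURE):
        print(alert)
```

Where 802.11w is enabled on a link, the receiver discards these unprotected frames, but the flood is still visible over the air, so a detector like this still fires.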
Setting up Google LDAP authentication for an EnGenius Cloud AP involves the following steps:
Set up a Google LDAP server in Google Workspace and generate the certificate used for the authentication process between the AP and Google Workspace.
Configure Google LDAP authentication in the SSID profile with WPA2/WPA3-Enterprise or Captive Portal.
Configure the Google LDAP profile on client devices.
The following sections describe the detailed instructions for each step.
The user needs a Google Account (Gmail) and a Google Workspace subscription with one of the following editions to set up an LDAP server: Business Plus, Enterprise, Education Fundamentals, Education Standard, Teaching and Learning Upgrade, or Education Plus.
To get started:
Sign in to the Google Admin console (https://admin.google.com ) as an Administrator
Add LDAP clients
Go to Apps > LDAP
Click the Add Client field
Type a name in the LDAP client name, for example: EnGenius AP
Click the Continue button
Configure Access Permission for verifying user credentials
Specify which organizational units and groups the EnGenius AP can access to verify user credentials. Choose "Entire domain" if no specific organization/group is required. (Note: changes to this setting can take up to 24 hours to take effect.)
Generate a new certificate (used between AP and Google Workspace)
Go to Apps > LDAP
Select the client in the list
Click Authentication Card
Click GENERATE NEW CERTIFICATE
Click Download to save the Certificate file on the computer
Click Record the Username and Password, and store the credentials securely
Create the firewall rule needed for the AP to query Google Secure LDAP: outgoing TCP traffic to port 636 of the hostname ldap.google.com.
An EnGenius Cloud AP can use a Google LDAP Server as the authentication server for WPA2/WPA3-Enterprise or Captive Portal.
Go to Configure > SSID and select a specific SSID name from the list.
From the Wireless tab, select WPA2 Enterprise for Security Type.
Select Google LDAP for user authentication.
Enter configurations for the Google LDAP Server:
Enter the Administrator’s credential (Account and Password) of the Google LDAP Server
Base DN (Optional): The starting point of the LDAP directory tree from which the AP searches for the user's credentials on the LDAP server. If the field is empty, the AP auto-detects the configuration from the Google LDAP Server. Otherwise, set the Base DN string according to the Google LDAP account. (Format: ‘dc=xxx,dc=ooo’)
Upload the Google Certificate zip file generated while setting up Google LDAP Server.
Import Authenticator Certificate (Optional) for customized content and Domain. (Note: The certificate is used between Access Point and wireless client devices, like 802.1x with Radius Server.)
Click the Apply button to save SSID configurations.
Go to Configure > SSID and select a specific SSID name from the list.
From the Wireless tab, select Open for Security Type.
From the Captive Portal tab, select Google LDAP for user authentication.
Enter configurations for the Google LDAP Server:
Enter the Administrator’s credential (Account and Password) of the Google LDAP Server.
Base DN (Optional): The starting point of the LDAP directory tree from which the AP searches for the user's credentials on the LDAP server. If the field is empty, the AP auto-detects the configuration from the Google LDAP Server. Otherwise, set the Base DN string according to the Google LDAP account. (Format: ‘dc=xxx,dc=ooo’)
Upload the Google Certificate zip file generated while setting up Google LDAP Server.
Import Authenticator Certificate (Optional) for customized content and Domain.
Click the Apply button to save SSID configurations.
Setup LDAP Profile on Client Devices
Some types of client devices (e.g., Android phones) may require installing the CA certificate (ca.pem) before they can authenticate with the Google LDAP Server.
Note: The CA Certificate for LDAP Clients can be Exported via EnGenius Cloud GUI.
The LDAP client device scans for the EnGenius Wi-Fi SSID and connects to it.
An 802.1X page pops up requesting a username and password, e.g., account@example.edu.
If a certificate page pops up, click the Trust button.
For Android phones, the EAP method and Phase 2 authentication must be specified. Refer to the following settings:
Enter configurations for the Google LDAP Server:
EAP method: Select EAP-TTLS.
EAP Phase 2 authentication: Select PAP. (Note: if PAP is not supported on the client device, GTC is an alternative but may have compatibility issues on specific devices, e.g., Chromebook.)
Domain (Optional): Enter the corresponding domain shown on EnGenius Cloud GUI, e.g., engenius.ai (by default)
For the CA certificate, choose Do not validate. (Google Nexus does not offer this option; the certificate (ca.pem) must be installed.) Note that without validation the client cannot tell the legitimate AP from an evil twin before it sends the PAP password inside the TTLS tunnel, so install ca.pem and validate it wherever the device allows.
Radio Frequency (RF) jamming is one of the easiest methods of defeating a wireless system, the wireless equivalent of cutting the wires on a traditional wired system. The open-medium nature of WiFi makes it vulnerable to various attacks; among attacks against availability is WiFi jamming. WiFi jamming floods the environment with noise, making it impossible for other nodes to send messages through the available channels.
AirGuard is capable of detecting four types of RF jamming:
Constant Jammer:
Continually emits a radio signal that interferes with communication.
Deceptive Jammer:
Constantly injects regular-looking packets into the channel without following the CSMA/CA procedure.
Random Jammer:
Intermittently emits the jamming signal.
Reactive Jammer:
Senses legitimate transmissions and jams them as they occur.
AirGuard adopts unique techniques to detect all types of RF jamming while keeping a very low false-positive rate. That is, the system does not easily treat massive transmission of WiFi data as an RF jamming attack, while the signal interference sent by a jammer can be detected within seconds.
Refer to
Login to EnGenius Cloud ( ) and click the (hamxxxx) icon to select the Network for configuration.
An EnGenius Cloud AP can leverage a Microsoft Active Directory (AD) server to provide a highly secure authentication process for WPA2/WPA3-Enterprise or Captive Portal. The benefit of using a Microsoft Active Directory server is that users can integrate WPA2/WPA3-Enterprise or Captive Portal with a Windows AD server to quickly identify the specified domain, credentials, and account emails for authentication management.
Before setting up Microsoft AD authentication for an EnGenius Cloud AP, you need a Microsoft Windows 2000 Server or later edition. (Note: To enable the SMBv1 sharing protocol, please refer to https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3)
Chromebook Bug:
Note: Some browsers may show a Not-Trusted warning for self-signed certificates. If this is the case, the user must obtain a certificate from an official Certificate Authority (CA) to avoid the warning message.
Samsung devices must fill in the Domain field.
Google Pixel requires installing the certificate: https://support.google.com/pixelphone/answer/2844832?hl=zh-Hant
Learn more about EnGenius Cloud:https://www.engenius.ai/cloud
There are two ways to enable Microsoft AD authentication for wireless users with EnGenius Cloud:
Enable the WPA2/WPA3-Enterprise security type with AD authentication.
Enable Captive Portal user authentication with an Active Directory server.
The steps below show only the important settings. Please refer to Microsoft documentation and support for assistance.
In the Server Roles step, select the Active Directory Domain Services role to promote the server to a domain controller.
Configure access permissions for verifying user credentials: specify which organizational units and groups the EnGenius AP can access to verify the user's credentials.
Create the firewall rules needed for the AP to join the domain and authenticate (ref: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts):
88/TCP/UDP Kerberos
389/TCP/UDP LDAP
445/TCP SMB
Note: The Microsoft Active Directory server must be located in the same VLAN subnet as the AP's management VLAN interface. Even if the SSID has a VLAN enabled, the AP still sends SMBv1 packets to the Active Directory server via its management VLAN interface.
Login to EnGenius Cloud ( https://cloud.engenius.ai ) and click the (hamxxxx) icon to select the Network for configuration.
Go to Configure > SSID and select a specific SSID name from the list.
From the Wireless tab, select WPA2 Enterprise for Security Type.
Select Active Directory for user authentication.
Click Add a server and enter the configuration (Host, Port, Admin, and Password) for the Active Directory server.
Click the Apply button to save SSID configurations.
Note: Authentication with Active Directory is a feature in Pro Plan, and it requires a PRO license to enable it.
Log in to EnGenius Cloud ( https://cloud.engenius.ai ) and click the (hamxxxx) icon to select the Network to configure.
To get started, go to Configure > SSID and select the SSID to change from the list.
On the Wireless tab, set the Security Type to Open.
Enable Captive Portal on the Captive Portal tab.
Select Active Directory as the Authentication Type.
Click Add a server and enter the Host, Port, Admin and Password for the Active Directory server.
Click Apply to save the SSID configuration.
Note: Authentication with Active Directory is a Pro Plan feature and requires a PRO license.
Each AP must join the Windows Active Directory domain before it is permitted to validate user credentials against the Active Directory server over SMBv1.
The EnGenius AP automatically looks up the nearest Windows domain controller and stores it in its Samba configuration.
The AP then requests a Ticket-Granting Ticket (TGT) from the Kerberos KDC on the domain controller to join the AD domain.
Once the AP has joined the domain, the Samba Winbind daemon in the AP firmware is ready to authenticate wireless users.
When a user requests access to the wireless network, the AP's internal RADIUS server calls the ntlm_auth tool, which hands the credential check to the Winbind daemon; Winbind then communicates with the AD server over SMBv1 to authenticate the user.
Some client devices (e.g., Android phones) may require the CA certificate (ca.pem) to be installed before they can authenticate against the Active Directory server.
Note: The CA certificate for Active Directory clients can be exported from the EnGenius Cloud GUI.
To get started:
The Active Directory client device scans for the EnGenius Wi-Fi SSID and connects to it.
An 802.1X prompt appears and asks for the user name in sAMAccountName form, e.g., account.
If a certificate prompt appears, tap Trust.
On Android phones the EAP method and Phase 2 authentication must be set explicitly. Use the following settings:
EAP method: select EAP-PEAP.
Phase 2 authentication: select MSCHAPV2. (Note: if the device does not support MSCHAPV2, None or GTC can be used instead, but may have compatibility issues on specific devices, e.g., Chromebooks.)
Domain (optional): enter the domain shown in the EnGenius Cloud GUI, e.g., engenius.ai (the default).
CA certificate: choose Do not validate. (Google Nexus has no such option, so the certificate ca.pem must be installed.) With Do not validate the phone accepts whatever server certificate is presented during EAP, so install ca.pem and validate against it whenever the device allows it.
Example Configuration for Android:
There are several tools for creating self-signed certificates. This tutorial creates a self-signed certificate for Secure LDAP with OpenSSL.
Get started by generating the certificate files:
Download the FreeRADIUS code from https://github.com/FreeRADIUS/freeradius-server/tree/master/raddb/cert
cd into raddb/cert/
Adjust the site-specific values in the .cnf files, e.g., domain name, expiration period and location.
./bootstrap
zip cert.zip server.key server.pem dh ca.pem
Click Import and upload cert.zip to EnGenius Cloud.
Export ca.pem and install it on the client device if requested.
Note: Some browsers show a not-trusted warning for a self-signed certificate. To avoid the warning, obtain the certificate from a publicly trusted Certificate Authority (CA) instead.
EAP-TTLS/PAP and TLS 1.2 or later are required on client devices for LDAP authentication. The following operating systems have native support and have been verified working with EnGenius Cloud APs (updated 4/20/2022):
iOS 13 and later
Google Chrome OS
Android 6 and later
Microsoft Windows 8 and later
macOS 11 and later
| Manufacturer | Model | Operating System |
|---|---|---|
| Apple | iPhone 7 Plus | iOS 13.1.3 |
| Apple | iPhone 11 | iOS 15.4 |
| Apple | iPhone 12 | iOS 14.1 |
| Apple | iPhone XS | iOS 14.6 |
| Apple | MacBook Air (M1, 2020) | macOS 12.3 |
| Apple | iPad Air A1474 (2013) | iOS 12.5.5 |
| Lenovo | IdeaPad Duet CT-X636 | Chrome OS 72 |
| Google | Pixel 3a | Android 11 |
| HP | ProBook 450 G8 | Windows 10 |
| Samsung | S21 | Android 11 |
| Samsung | Note 4 | Android 6.0.1 |
There are several tools for creating self-signed certificates. This tutorial creates a self-signed certificate for Active Directory with OpenSSL.
Get started by generating the certificate files:
Download the FreeRADIUS code from https://github.com/FreeRADIUS/freeradius-server/tree/master/raddb/cert
cd into raddb/cert/
Adjust the site-specific values in the .cnf files, e.g., domain name, expiration period and location.
./bootstrap
zip cert.zip server.pem dh ca.pem
Click Import and upload cert.zip to EnGenius Cloud.
Export ca.pem and install it on the client device if requested.
Note: Some browsers show a not-trusted warning for a self-signed certificate. To avoid the warning, obtain the certificate from a publicly trusted Certificate Authority (CA) instead.
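As an added example (not part of the EnGenius documentation and not the FreeRADIUS bootstrap script itself), the following shell script reproduces with plain openssl what the ./bootstrap step in the LDAP and Active Directory procedures above produces: a private CA (ca.pem), a server certificate and key signed by it (server.pem, server.key) and DH parameters (dh). It then checks the bundle the way a client supplicant will before it is zipped for import. The domain engenius.ai, the organization name, the radius.<domain> host name and the certificate lifetimes are assumptions; adjust the zip member list to match whichever of the two procedures you are following.

```shell
#!/bin/sh
# Added example, not from the EnGenius or FreeRADIUS documentation: the files that
# the page's "./bootstrap" step produces (ca.pem, server.pem, server.key, dh), built
# with plain openssl and checked before being zipped for import into EnGenius Cloud.
# Domain, organization name, lifetimes and file names are assumptions; edit to taste.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 0; }

DOMAIN="${DOMAIN:-engenius.ai}"     # assumed; use the Domain shown in the Cloud GUI
ORG="${ORG:-Example Org}"           # assumed
OUTDIR="${OUTDIR:-$(mktemp -d)}"
cd "$OUTDIR"

make_bundle() {
    # Private root CA. ca.pem is what clients install so they can validate the
    # EAP server certificate instead of choosing "Do not validate".
    cat > ca.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = $ORG
CN = $ORG Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -config ca.cnf -key ca.key -sha256 -days 3650 -out ca.pem

    # RADIUS/EAP server certificate signed by the CA. serverAuth in
    # extendedKeyUsage is what Windows and Android supplicants look for.
    cat > server.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = $ORG
CN = radius.$DOMAIN
EOF
    cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.$DOMAIN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -config server.cnf -key server.key -out server.csr
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile server.ext -out server.pem 2>/dev/null

    # DH parameters; -dsaparam keeps generation quick for the example
    openssl dhparam -dsaparam -out dh 2048 2>/dev/null
}

check_bundle() {
    # Succeeds only if server.pem chains to ca.pem, is valid for at least another
    # day, carries the serverAuth EKU, and the key and DH files are present.
    openssl verify -CAfile ca.pem server.pem >/dev/null 2>&1 || return 1
    openssl x509 -in server.pem -noout -checkend 86400 >/dev/null || return 1
    openssl x509 -in server.pem -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    [ -s server.key ] && [ -s dh ]
}

make_bundle
check_bundle
echo "bundle OK in $OUTDIR"
# Same bundle as the page's zip step (drop server.key for the Active Directory variant)
if command -v zip >/dev/null 2>&1; then
    zip -q cert.zip server.key server.pem dh ca.pem
fi
```

After the script finishes, cert.zip is ready for the Click Import step and ca.pem is the file to export and install on devices that would otherwise have to use Do not validate. The three openssl checks in check_bundle can also be run by hand on files that ./bootstrap produced, to catch an expired or mis-signed server.pem before it is uploaded.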
EAP-PEAP/MSCHAPV2 and TLS 1.2 or later are required on client devices for Active Directory authentication. The following operating systems have native support and have been verified working with EnGenius Cloud APs (updated 4/20/2022):
iOS 13 and later
Google Chrome OS
Android 6 and later
Microsoft Windows 8 and later
macOS 11 and later
Example Configuration for Android:
| Manufacturer | Model | Operating System |
|---|---|---|
| Apple | iPhone 7 Plus | iOS 13.1.3 |
| Apple | iPhone 11 | iOS 15.4 |
| Apple | iPhone 12 | iOS 14.1 |
| Apple | iPhone XS | iOS 14.6 |
| Apple | MacBook Air (M1, 2020) | macOS 12.3 |
| Apple | iPad Air A1474 (2013) | iOS 12.5.5 |
| Lenovo | IdeaPad Duet CT-X636F | Chrome OS 72 |
| Google | Pixel 3a | Android 11 |
| HP | ProBook 450 G8 | Windows 10 |
| Samsung | S21 | Android 11 |
| Samsung | Note 4 | Android 6.0.1 |