For network security, the hotels often set up the room network as a Guest Network with L2 isolation enabled to prevent guests from accessing each other's devices. Under the Guest Network, the guests will be blocked from casting multimedia of mobile devices onto the room TV, which causes inconvenience and a poor stay experience for the guests. The newly released EnGenius SmartCasting feature provides smooth, fast setup and streaming on Guest Networks for media sticks, game consoles, and other devices for an exceptional, personalized entertainment experience. This Intelligent feature of EnGenius Cloud is different from the simple technology of simply casting to a Chromecast and AppleTV.

How SmartCasting Works

1. Create the SmartCasting SSID in EnGenius Cloud, and the SmartCasting SSID will have all casting devices under this SSID and allow them to cast to the device.

2. The SSID of SmartCasting can be accessed with a predefined URL, and this URL will be available for guests via a QR code.

3. By scanning the QR code, the hotel guests will be able to quickly cast the media on mobile devices to the room TV screen.

Access and Enable SmartCasting

1. Go to CONFIGURE>SSID.

2. Create a new SSID for casting devices > choose the SSID type to “SmartCast” > Add casting devices

3. Connect all casting devices to the SSID. 4. Auto or manually add casting devices.

• Auto： Connect your casting devices to the SSID first > The Auto mode will scan the casting devices connecting to the SSID.

• Manual： Manually add the casting devices by their MAC address.

1. Download the “QR code” of each casting device and insert it into the backdrop of the casting device for guests to scan the code showing on the TV or print the QR code out and place it in each room.

Display for Smart Casting on SSID lists

The TV icon will display near the SSID name, which means this SSID has enabled SmartCasting.

Security Type

Click Configure > SSID > Click one of SSID > Wireless to access this screen.

​ The following describes the authentication types on this screen:

• Open: Allows any client to associate with this network without any data encryption or authentication.

• WPA2 PSK: Enter a pre-shared key of 8-64 case-sensitive characters to enable WPA2-PSK data encryption.

• WPA2 Enterprise: Select Custom Radius to use an external Radius server or select the EnGenius Cloud Radius to use the EnGenius Cloud for 802.1X authentication.

• OWE: When using hotspots in public, users are given better protection through the Wi-Fi Enhanced Open that provides unauthenticated encryption.

• WPA3 Personal (SAE): This type features easier password selection for users to easily remember. It also feats a higher level of security wherein data stored and data traffic in the network will not be compromised even if the password was hacked and data was already transmitted. The upgrade also enabled the Simultaneous Authentication of Equals (SAE) which replaced the Pre-shared Keys (PSK) in WPA2-Personal.

• WPA3/WPA2 Personal mixed: WPA2/WPA3 mixed mode allows for the coexistence of WPA2 and WPA3 clients on a common SSID. The passphrase for both WPA2 and WPA3 clients remains the same, the AP just advertises the different encryption cyphers available to be selected for use by the client. Clients choose which cypher to use for the wireless connection.

• WPA3 Enterprise: This type was mainly built for tighter and consistent application of security protocols across networks of governments, establishments, enterprises, and financial institutions. Offering optional 192-bit minimum security, the WPA3 will make cryptographic tools better. Hence, better protection for sensitive data.

WiFi Access QR code

This QR code allows you to use your mobile device to connect to the specific SSID.

There’s a lot that EnGenius Cloud can do to customize a network to meet your specific needs. We’ll walk you through the most common settings here.

802.11r

802.11r is a standards-based fast roaming technology that is leveraged when using a secure SSID (WPA2-PSK & WPA2-Enterprise). This option improves client device roaming by reducing the handoff delay in situations where client devices roam from one access point to another. 802.11r is disabled by default on EnGenius Cloud.

This feature can be enabled from the Configure > Access Point > SSID page under Network Scope.

If this option cannot be enabled, please go to Wireless > Security Type to select WPA2 PSK/ WPA2 Enterprise /WPA3 Personal (SAE) /WPA3-Personal/WPA2-PSK mixed in advance.

802.11w

802.11w is enabled when Security Type is not Open. 802.11w enables Protected Management Frames (PMF) for management frames such as authentication, de-authentication, association, disassociation, beacon, and probe traffic. This enables APs to help prevent rogue devices from spoofing management frames from APs. Enable 802.11w will allow APs to begin utilizing Protected Management Frames for any clients that support 802.11w.

EnGenius Cloud AP can leverage Microsoft Azure AD to provide a highly secure authentication process for WPA2/WPA3-Enterprise or Captive Portal. The benefit of using Azure AD is that users may integrate WPA2/WPA3-Enterprise or Captive Portal with Azure AD to identify the specified domain/credentials quickly and account Emails for authentication management.

There are two ways to enable Azure AD to authenticate wireless users with EnGenius Cloud.

• Enable Security Type WPA2/WPA3-Enterprise with Azure AD.

• Enable Captive Portal for user authentication with Azure AD.

WPA2/WPA3-Enterprise with Azure AD

To get started:

• Go to Configure > SSID and select a specific SSID name from the list

• From the Wireless tab, select WPA2 /3 Enterprise for Security Type

• Select Azure AD for user authentication

• Enter the configuration (Host, Port, Account, and Password) for the Azure AD.

Host: IP address or domain name of your Azure AD

Port: Azure AD listening port

Username: Azure admin account (admin@example.com )

Password: Azure admin password

Base DN: dc=example,dc=com (Corresponding to the domain service, such as example.com)

• Click the Apply button to save SSID configurations.

Captive Portal Authentication with Azure AD

To get started:

• Go to Configure > SSID and select a specific SSID name from the list.

• Enable Captive Portal from the Captive Portal tab.

• Select Azure AD for Authentication Type

• Enter the configuration (Host, Port, Account, and Password) for the Azure AD.

Host: IP address or domain name of your Azure AD

Port: Azure AD listening port

Username: Azure admin account (admin@example.com )

Password: Azure admin password

Base DN: dc=example,dc=com (Corresponding to the domain service, such as example.com)

• Click the Apply button to save SSID configurations.

Note: Authentication with Active Directory is a feature in Pro Plan, and it requires a PRO license to enable it.

Bandwidth Limit

Bandwidth Limitation ensures that users do not consume more bandwidth than they should. We integrated bandwidth Limitation that enforces upload and download limits. Bandwidth Limitation can be applied per SSID or per user or both. When both SSID and Per Client bandwidth limit are set, that means when the total sum of client bandwidth is less than SSID bandwidth limit, per client can have a maximum of “per client bandwidth limit”. If the total sum is over the SSID limit, then all users will share the upper limit of SSID bandwidth.

Use this screen to configure maximum bandwidth.

Click Configure > SSID > Bandwidth Limit to access this screen.

Download Limit

Set the maximum download stream limit for traffic from the SSID or Per user .

Upload Limit

Set the maximum upload stream limit for traffic from the SSID or Per user .

NAT Mode

In NAT mode, the EnGenius APs run as DHCP servers to assign IP addresses to wireless clients out of a private 172.x.x.x IP address pool behind a NAT.

NAT mode should be enabled when any of the following is true:

• Wireless clients associated to the SSID only require Internet access, not access to local wired or wireless resources.

• There is no DHCP server on the LAN that can assign IP addresses to the wireless clients.

• There is a DHCP server on the LAN, but it does not have enough IP addresses to assign to wireless clients

The implications of enabling NAT mode are as follows:

1. No NAT client can be talked to the other NAT client, neither same SSID nor different SSID (client isolation enabled and block internal routing)

2. Change the IP range of CP DNS to be same as AP DNS (172.16-23.0.0/16)

Use Cases

NAT mode works well for providing a wireless guest network since it puts clients on a private wireless network with automatic addressing.

Diagram

When an SSID is configured in NAT Mode, wireless clients will point to the access point as their DNS server. The AP then acts as a DNS proxy and will forward clients' DNS queries to its configured DNS server.

Configuring Custom DNS for an SSID in NAT Mode

This allows you to set custom DNS servers for a NAT SSID, instead of using the AP's DNS server. This is typically used to forward NAT SSID clients to a DNS server with custom content filtering.

Configuration

1. Navigate to Configure > SSID, then choose one SSID to customize the DNS settings.

2. Locate the Client IP mode and choose NAT mode then click Custom DNS.

3. Enter the preferred Custom DNS IP addresses.

4. Click Apply.

Bridge Mode

In bridge mode, the APs act as bridges, allowing wireless clients to obtain their IP addresses from an upstream DHCP server.

Bridge mode should be enabled when the following is true:

• Wired and wireless clients in the network need to reach each other (e.g., a wireless laptop needs to discover the IP address of a network printer, or wired desktop needs to connect to a wireless surveillance camera).

The implications of enabling Bridge mode are as follows:

• Wired and wireless clients have IP addresses in the same subnet

User Cases

Bridge mode works well in most circumstances, particularly for Roaming. and is the simplest option to put wireless clients on the LAN.

Configuration

1. Navigate to Configure > SSID , then choose one SSID.

2. Locate the Client IP mode and choose Bridge mode then click Apply.

EoGRE

the EoGRE (Ethernet over GRE, or Layer 2 GRE tunnel ) is to build a GRE tunnel between AP and the remote site, so all traffic of the “EoGRE-enabled” SSID will go through the encrypted tunnel to the remote service center

EoGRE tunnel

When SSID’s EoGRE is enabled, all traffic of connecting clients will be tunneled by EoGRE to forward to TGW (Tunnel Gateway)

The connected client then sends a DHCP request to TGW to get an IP address

Option 82 can be enabled to provide more information for the DHCP server to assign IP accordingly.

DHCP Option 82

DHCP option 82 (also known as the DHCP relay agent information option) is used to prevent DHCP client requests from untrusted sources. The DHCP relay agent will insert more information of “circuit ID” to identify the request is from, say, which AP BSSID (radio mac), which SSID name, and which VLAN ID…, so the DHCP server can identify if the request is from an authorized source, and bases on the information to assign IP.

Circuit ID usually includes which ESSID (SSID name) and VLAN ID the client is connecting to. Remote ID usually includes which AP (AP MAC and BSSID - Radio MAC) is relaying the DHCP requests.

Users can define the fields to add to the Circuit ID and Remote ID. EnGenius Option 82 provides options as below:

• AP Ethernet MAC

• AP Radio MAC

• SSID Name

• SSID Type

• VLAN ID

Configuration

1. Navigate to Configure > SSID , then choose one SSID.

2. Locate the Client IP mode and choose Tunnel (EoGRE).

3. Choose the VLAN (the default value of “VLAN” is SSID default VLAN. If the value is changed, then it will override the SSID default VLAN ).

4. Input the Tunnel Gateway IP ( the IP of the remote site the GRE tunnel will be connecting to ).

5. Decide to enable the DHCP option-82, if yes, Input Delimiter ( how the field is separated in the option 82 frames) and select the Circuit ID and Remote ID and then click Apply.

A captive portal can intercept network traffic until a user authenticates his/her connection, usually through a specifically designated login page.

Click Configure > SSID > Captive Portal to access this screen.

Authentication Type

• Click-through: Users must view and acknowledge your splash page before being allowed on the network.

• EnGenius Authentication: Users must enter a username and password before being allowed on the network. You could edit user settings through Configure > Cloud RADIUS User.

• Custom RADIUS: Enter the host (IP address of your RADIUS server, reachable from the access points), port (UDP port the RADIUS server listens on for access requests, 1812 by default), and secret (RADIUS client shared secret). Optionally, the Accounting Server can be enabled on an SSID that's using WPA2-Enterprise with RADIUS authentication.

• Voucher Service: Edit the access plan for guests for the front desk manager.

• Google LDAP: https://app.gitbook.com/o/-LgVsbFz9VHz6Tj66C_6/s/-Lo1AtG4HHv3uJq1FqqB/authentication-with-google-secure-ldap-server

Redirect URL

Configure the URL to which users will be redirected after successful login.

Redirect to the original URL: Select this option to cache the initial website from the client during the authentication process and then forward it to the originally targeted web server after the user successfully authenticates.

Redirect users to a new URL: Select this option to redirect users to a pre-designated URL after the user successfully authenticates.

Advanced Setting

Session Timeout: Specify a time limit after which users will be disconnected and required to log in again.

Idle Timeout: Specify a time limit for an idle client after which users will be disconnected and required to log in again.

Walled Garden: This option allows users to define network destinations that users can access before authenticating. For example, your company's website.

HTTPS Login: This option allows users to log in through HTTPS. When you enable it, your password is encrypted, so others could not retrieve your information.

Captive Portal supports the way to authenticate with an externally hosted LDAP server. The option is available at Configure > SSID > Captive Portal > my LDAP server

Follow the steps below to configure the LDAP service:

1. Click Add a server to add a new LDAP server.

2. Enter the IP address or domain name of your LDAP server in the Host field and the LDAP listening port in the Port field.

3. For LDAP admin, enter the distinguished name of the administrative account to bind your LDAP server, for example, cn=admin,dc=example,dc=com, and the password.

4. Click OK and then click Apply button.

Base DN and Login Attribute

Base DN: When you configure the LDAP server, you can set a Base DN. For example, If your domain name is example.com, you can use the Base DN dc=example,dc=com.

Login Attribute:

1. UID: (default ) use unique ID as the login attribute for user authentication

2. Email: use email format

3. Other text: Use user-defined string

Captive Portal supports the way to authenticate via an externally hosted AD server. The option is available at Configure > SSID > Captive Portal > Active Directory.

Follow the steps below to configure your AD service.

1. Click Add a server to add a new AD server in the list.

2. Enter the IP address or domain name of your AD server in the Host field and the AD server listening port in the Port field.

3. For AD admin, enter the AD format: admin@example.com, and the password.

4. Click OK and then click Apply button.

VLAN pooling is a feature of EnGenius Cloud that allows you to split a large network into smaller virtual networks (VLANs) to reduce traffic and improve performance. To enable VLAN pooling, you need to select Dynamic Client VLAN Pooling in the WLAN settings and enter the VLAN IDs that you want to add to the pool.

Each client connected to the WLAN will be assigned a random VLAN ID based on MAC hashing algorithm. This helps to isolate broadcast packets and balance the load across different VLANs.

L2 isolation

L2 isolation is a feature to prevent wireless client from communicating with any other devices in the network except gateway. With this feature enabled, not only clients associating with the same SSID cannot communicate with each other (this is so called client isolation conventionally) but also clients cannot access other devices in the same LAN. Another exception is that wired devices added to VIP list are still accessible.

Example Use Cases

• Guest SSID to isolate clients and also stop them accessing corporation LAN resources

• Free WiFi service in which administrator want to keep the authentication simple, e.g., WPA2_PSK, such that customer can access the SSID via QR-code scanning.

Band Steering

Dual band operation with Band Steering detects clients capable of dual band operation and steers them to another frequency which leaves the more crowded band available for communication. This helps improve the end-user experience by reducing channel utilization, especially in high-density environments. Band Steering is configured on a per-SSID basis.

RSSI Threshold

This value defines the minimum RSSI required for dual-band wireless clients to associate to 5G band. If the client's RSSI drops below this threshold, it is only allowed to connect to 2.4G band. The recommended value is -60~-80.

BCMC Suppression

BCMC suppression is a feature to drop all the broadcast and multicast frames on a VLAN except for ARP, DHCP, IPv6 router advertisement, and IPv6 neighbor solicitation.

Broadcast-Multicast traffic from APs, remote APs, or distributions terminating on the same VLAN floods all VLAN member ports. This causes critical bandwidth wastage, especially when the APs are connected to an L3 cloud where the available bandwidth is limited or expensive. Suppressing the VLAN broadcast-multicast traffic to prevent flooding can result in loss of client connectivity.

To effectively prevent flooding of broadcast-multicast traffic on all VLAN member ports, use BCMC Suppression to ensure controlled flooding of broadcast-multicast traffic without compromising the client connectivity. This option is for the controlled flooding of broadcast-multicast traffic and is enabled by default.

Example Use Cases

• Enterprise network with over 1000 active wired or wireless clients in different VLANs.

• Campus network with over 1000 active wired or wireless clients in different VLANs.

Hotspot 2.0, also known as Passpoint, is a service provider feature that assists with carrier offloading. Hotspot 2.0 SSIDs include additional 802.11u information that supported client devices can use to determine if they are able to join the network automatically.

Operation Name : Input the displayed Hotspot 2.0 network name

Venue Name / Type : Input the Venue Name .

Venue Type : Specify the venue groups to be advertised in the IEs from APs associated with this hotspot profile.

Network Type : Access the network type in beacon.

Domain List : This information element specifies the APs domain name.

Roaming Consortium List : This information element contains information identifying the network and service provider, whose security credentials can be used to authenticate with the AP transmitting this element. Input the Roaming Consortium Organization Identifier

3GPP Cellular Network Info: This information element defines information for a 3GPP Cellular Network for hotspots that have roaming relationships with cellular operators. Input the mobile country code and mobile network code.

NAI Realm : This information element identifies and describes a NAI realm accessible using the AP and the method that this NAI realm uses for authentication. Input the Network Access Identifier Realm Names.

The Cloud RADIUS User is used when you select the EnGenius authentication from Configure > SSID > Captive portal > Authenticated type

Double-click one of the networks on Org-Trees > Configure > EnGenius Auth.> Cloud RADIUS Users to access this screen to view and manage user accounts authenticated using EnGenius Authentication.

The following describes the labels on this screen:

1. Email: Shows the email of the user account.

2. Authorized SSID: This shows the SSID numbers that the user has authorized.

3. Create Date: This shows the date and time that the user was created.

4. Status: This shows whether the user has been blocked or not.

The following describes the functions on this screen:

• Add User: Add users and authorize users to SSIDs.

• Authorize: This allows you to authorize users to SSIDs.

• Delete: Delete users.

• Block: Block users.

• Unblock: Unblock users.

AVExpress offers an end-to-end Quality of Service (QoS) solution specifically designed for crucial audio/video (AV) applications, including video conferencing, multi-media streaming, and gaming. It enables users to prioritize traffic based on its importance, ensuring that critical applications receive the necessary bandwidth and low latency for uninterrupted operation.

EnGenius AP will mark DSCP to those traffic to make sure it also gets the same level of priority through EnGenius Switches to reach end-to-end priority

you can access this page through Configure > SSID > Application Control

Application Aware: This allows users to see the application analysis on the client page . Disabling application awareness may improve WiFi performance.

AVXpress: Voice-related traffic will be prioritized as the highest level (Express), other traffic will be under General as normal applications, just like AVXpress is disabled. Fast is in the midst between Express and General ; it gets higher priority than General, but less than Express

Use this screen to configure radio settings for all access points in the network.

Double-click one of the networks on Org-Trees > Configure > Radio Settings.

The settings and options in the Radio Setting page apply to all access points in a network, and you can configure the following settings:

Channel

This option allows users to customize the channels. On the Auto setting, EnGenius access points automatically adjust the channels of their radios to avoid RF interference.

Exclude DFS

Some use cases may require that Dynamic Frequency Selection (DFS) channels be excluded from the Auto Channel algorithm. DFS channels can be allowed or excluded on the radio settings page.

Since DFS channels can only be used until radar communication is heard, disabling DFS may be useful if the wireless network is in close proximity to a harbor, airport, or weather radar station. Administrators may also want to disable DFS if most local wireless clients do not support DFS channels.

Preferred Scanning Channels (PSC)

With 1200 MHz of spectrum and 59 new 20 MHz channels, a station with a dwell time of 100 ms per channel would require almost 6 seconds to complete a passive scan of the entire band. The standard implements a new efficient process for clients to discover nearby access points (APs). In Wi-Fi 6E, a process called fast passive scanning is being used to focus on a reduced set of channels called preferred scanning channels (PSC). PSCs are a set of 15 20-MHz channels that are spaced every 80 MHz. The APs will set their primary channel to coincide with the PSC so that it can be easily discovered by a client, and clients will use passive scanning in order to just scan PSCs to look for an AP.

Channel HT Mode

The use of 40 MHz channels on the 2.4 GHz band does not provide for multiple independent channels in multi-AP deployments for 2.4GHz. The recommended setting is 20MHz. To maximize throughput, use 40 MHz for 802.11n and 80 MHz for 802.11ac for 5GHz. Note that higher density deployments should use 20 MHz or 40 MHz channels on 5 GHz.

Tx Power

Using this option, users can set a custom range for Tx power.

The higher the transmission power (Tx power) of the access point, the bigger the coverage of the WiFi signal, so usually maximum power is set for an access point to connect to another access point for WDS or mesh purposes.

However, it might not be the best practice if the access point serves the purpose of being a client access point because usually client devices (notebooks, mobile phones, etc.) might not have the same transmission power to be able to communicate back.

The current device's transmission power can be referenced here, where most notebooks and mobile phone transmission power range from 15dBm - 25dBm. Some WiFi devices, like Amazon Echo, are in the smaller range of 10-11dBm.

If your enterprise environment is comprised mainly of notebooks and mobile phones, then it is better to turn down your access point transmission power to 15-17dBm on 5G, and 10-12dBm for 2.4G (so the coverage area of 5G and 2.4G is about the same). If you keep the same transmission power of 5G and 2.4G, it also means the signal strength of 2.4G is about 6 dB higher than 5G at the same location. Then the client device might roam from 5G to 2.4G because it detects better signal strength. It is highly recommended to leverage the EnGenius ezWiFiPlanner tool to simulate coverage with different transmission power settings.

Minimum Bit Rate

EnGenius access points can adjust the minimum bit rate for each radio (2.4G and 5G separately). When the minimum bitrate is set, an access point will send out beacons based on the minimum bit rate.

For example, if the bit rate is set to 6Mbps, then those clients with slower than 6Mbps bit rate will not be able to connect to the WiFi and will not slow down other clients' performance. 802.11b max bit rate is 11Mbps, so if 12Mbps is set per radio, then 802.11b clients will not be able to connect to the network.

The other benefit is to help better roaming, because when a client roams to a weaker RSSI signal and causes slower performance, then the access point will be kicked out, and the client will search the available SSIDs again to connect to a stronger signal SSID.

If the value is set too high, then it also means a greater density of access points are required to cover the area with the minimum bit rate. This may potentially cause more channel conflict because the transmission power of the access point remains the same, so the RF coverage area is the same and more RF areas overlap.

Client Limit

This is a hardware limitation, commonly applied to most access points in the market. There can be 254 clients connected to an access point at a maximum (127 clients to each 2.4G and 5G band). To serve more than 127 2.4/5G clients in a space, a higher density of access points must be deployed.

Discard 802.11 a/b/g

This option allows users to discard 802.11 a/b/g devices to use network to prevent the impact of performance on other 802.11ac/ax clients.

Disable 11ax

Some legacy wireless clients are not compatible with 11ax. This option allows legacy equipment to connect with your network as usual, we suggest you disable 11ax in 2.4G of your Radio settings. In this way, you can have equipment working in 5G with better performance and get legacy devices served well in 2.4G.

Disable 11be

Some legacy wireless clients are not compatible with 11be. This option allows legacy equipment to connect with your network as usual.

Disable RTS/CTS

Disabling RTS/CTS can reduce additional signaling overhead and latency, thereby increasing data transmission efficiency, especially in environments with strong signals and minimal interference, such as in directional antennas.

DCS (Dynamic Channel Selection)

Dynamic Channel Selection allows a Wireless Access Point to monitor traffic and noise levels on the channel which is current operating and also keeps watching utilization of other channels with background scanning.

When DCS is enabled and traffic or noise levels of current channel exceed predefined threshold (50%) for a period (15 mins), the AP ceases operating on the current channel and hops to an alternative channel with best utilization in statistics. If you want to schedule the DCS, you could expand the advanced settings and select 2 timeslots in a day or do the DCS every time interval.

When to use it

DCS is useful for the complex and dynamic wireless environment where numerous APs and travel routers broadcast and transmit packets in the same area. It usually comes with high radio interference and the situation changes from time to time. In this case, DCS could be helpful to react for unexpected interference with a short-term mechanism and jump to a cleaner channel to operate.

Client Balancing

After you enable Client Balancing, AP will use information about the state of the network and wireless protocol 802.11V to steer the clients to the best available access point during association. Require firmware v 1.x.20 or above, and only support on ECW220v2/ECW220v3.

Mesh

This option will allow users to enable meshing on the 2.4GHz, 5GHz or 6GHz bands. Auto Pairing will assist in wirelessly connecting (meshing) to an access point (AP) that is not connected to a LAN connection.

Once you enable mesh and click Apply, an Auto Pairing button will appear. The Auto Pairing button will trigger access points that are connected to the internet to scan and mesh with neighboring access points that are not connected to the internet.

How to enable mesh node

1. Locate an AP that is wired and connected to a LAN (i.e., connected to Cloud, Power LED is steady orange).

2. Place the new unwired AP, which is already registered to an organization (Org) and assigned to a network, within 10 meters of the LAN-connected AP.

3. Power on the new unwired AP and the “mesh” LED will begin flashing.

4. Click the Auto Pairing button under Radio Settings in cloud to begin the meshing process. The connected AP will attempt to find and mesh with the new unwired AP.

a. There must be a cloud-connected AP nearby for the new AP to wirelessly connect.

b. All APs must be on the same “network” so that the mesh configuration can be pushed to all

APs in the mesh group.

c. It will take approximately 4-10 minutes for an AP to complete the meshing process due to

firmware upgrade and reboot.

5. Once complete and successful, the mesh LED will be on, and the power LED will be blue on all

mesh-connected APs.

This guide is intended to help you set up your network to generate and accept vouchers. With vouchers, you control access on a per-user basis by generating guest passes you can provide to users.

Vouchers can be set to specific time increments and are ideal for hotels, coffee shops, apartments, etc. where you want to limit network access to users for a specific period of time.

Enable Voucher Service

Enable the voucher service by clicking Configure > SSID > Captive portal > Voucher Service.

Remember to click on the Apply button at the top-right corner to confirm your change on SSID settings.

Management URL and Access Plan

Management URL

For each enabled voucher service, a dedicated Management URL is created. Any team members who have permissions of Front-desk Manager or Administrator can log in that specific URL and manage Voucher Users there.

Access Plan

In addition, you can create different Plans for voucher user to identify how long a voucher user can access the network (Access Time) and how many simultaneous login are allowed for that user (Simultaneous Login).

Plan Start Time

The plan start time is an option that defines the plan of voucher service is activated when an account is created or after the account's first login.

Managing Voucher Users

Generating Guest Pass

The first page after you login the Management URL of Voucher Service allows you to generate guest account/password with different manners:

A network Administrator or Front-desk Manager can firstly select a access plan and then select to generate account/password of voucher user automatically or manually. Auto Generation allows you to generate Guest pass in batch , you can fill in the number of the Guest Pass you want to create.

Managing Voucher User

Click on the User Management Button in the toolbar.

A Guest Management Page is performed to list all generated voucher user. You can edit the properties of a voucher user by clicking the user_id of that user or pick the users in that list to delete.

Print the Voucher User Info

In the Guest Management Page, you can also select the users and click on the print button to print the voucher info for end-user. This feature allows you to print voucher users in batch.

This allows you to clone SSID configuration which you created previously. So you can create Multiple SSID with same configuration easily.

Follow steps to clone SSID

1. Click Clone From

2. Select SSID to be cloned => Click apply in popup

3. Click Apply on tab bar to take effect

This page allows you to block clients in mac based on current SSID.

The following describes the functions on this screen:

• Add : The entry for you to add the Mac address to be blocked.

• Reset : Clean all the Block list .

• Delete : Delete the list that you selected .

After you add the block list , remember to click Apply to take effect .

This guide is intended to help you set up your splash page. With a splash page, you can channel network users to see a custom page before they can access the Internet.

Before you start configuring a splash page, please make sure the captive portal is enabled in advance.

External Splash Page URL: The external splash page enables the administrator to host their own splash page web server, rather than having it hosted by EnGenius Cloud.

Local Splash page : Local Splash page provides the HTML for a splash page that will be hosted internally on the Access Point . For example , allows you to customize your splash page.

After you complete the splash page, please remember to click Apply.

Using the WYSIWYG editor

You can choose different template from the drop-down menu at the top of the editor.

Once you select your starting template, you can customize it with your message, colors, fonts, and images. EnGenius uses a WYSIWYG (what-you-see-is-what-you-get) editor that also supports HTML editing.

In addition to the standard editing tools along the top toolbar , you can click HTML icon to start editing .

Choosing a starting template

Choose a template from the drop-down menu at the top of the editor. You can customize the content and presentation of these templates to suit your needs . Any edits you make will be a copy of the template, you can go back to the default at any time.

Adding and modifying images

Each splash page template comes with a library of stock images. You can also use the Insert Image tool to add your images and logos.

1. Click the Insert Image button, then navigate to a file, or drag and drop it into the upload images.

2.Double-Click on the image or click insert icon to add the image.

This setting allows you to configure VLAN to all devices in the network at once . Table displays all VLANs have been configure in selected network .

Use this screen to add and delete VLANs for network.

Click Configure > VLAN Settings to access this screen.

The VLAN Settings page contains the following information :

• VLAN ID : VLAN ID.

• NAME : VLAN name.

• Voice VLAN : This shows if VLAN has been assigned to Voice VLAN or not.

• SSID : the SSID that has been assigned the VLAN.

Add VLAN

1. Click Add VLAN button.

2. Input VLAN ID and VLAN Name.

3. Click Apply to complete the settings.

This setting allows you to configure Systems & Protocols in the network at once. This gives you to configure the System setting and apply it to whole Switches in the network. you can access this screen by Configure > Switch settings.

The settings are the same as you configure the individual switches , please refer to below page

How to Configure Captive Portal

1. Before you begin configuring a captive portal, you need to create a SSID. Navigate to Configure > SSID (If you can't click configure, please make sure you are on network scope).

2. Select one of the SSIDs from the list. If one is not available, please click Add SSID to create one.

3. Navigate to the captive portal and click Enabled and then select the authentication type.

4. Click Apply.

Many MSPs or SI would like to be able to “group configure port settings” in the Network. The Switch Template feature helps users to apply the same port configuration to all switches with the same models in the Network to save the time of configuration one by one.

you can access this screen by Configure > Switch Settings > Template

You can create any template by model type and then click on “Edit” on the template to configure detail; the setting is similar to switch detail page settings.

• Apply to All will apply the Switch Template to all devices of the same model in the Network.

VLAN

For Hospitality or other network environments, the network administrator will purchase the same model of the switch and define the same port function, say port 1 for TV for VLAN1, port 2 for IP phone for VLAN 10, and other ports for VLAN 11-50.., with the switch template created and import the VLAN settings, it will apply to all switches of the same model, which ease the job of switch configuration one by one

VLAN export

This will export the current VLAN JSON file and allows you to edit locally.

VLAN import

You can click the example hyperlink to download the JSON file

and then adjust the VLAN settings locally

then click JSON file upload to import your custom JSON file.

So you can import VLAN settings at a time instead use the current Web GUI to edit one by one

Apply the template individually in Switch lists

You can apply the switch template to the same model of the switches from

Manage > Switch List > choose the Switches to be applied > Choose Apply Template

Static routes are used to reach subnets that are not directly connected to or configured on the EnGenius Security Gateway, you can access this tab through Configure > Gateway > Interface > Static Route to add static routes to reach these subnets.

• Enabled: Whether the EnGenius Gateway should use the route or not. Disable this setting if you wish to temporarily remove a route from the EnGenius Gateway without manually recreating it later.

• Name: The name of the static route.

• Destination: Use this option to enter the remote subnet that is reached via this static route (in CIDR notation).

• Next-hop IP: IP address of the device (such as a router or layer 3 switches) that connects the EnGenius Gateway to the static route subnet.

PBR (Policy-Based Routing) enables precise control over network traffic by defining routing policies based on criteria like source/destination IP addresses or layer 4 port numbers. This capability resolves challenges related to inefficient network resource management, providing organizations with greater flexibility and control over traffic routing and optimization.

Benifits

• By defining routing policies, you can route traffic over preferred network paths, prioritize certain types of traffic, or balance traffic across multiple links for load balancing and optimization purposes.

• PBR can be used to implement Quality of Service (QoS) policies to prioritize critical traffic types, such as voice or video communications, over less time-sensitive traffic.

How to configure

You can access this page through Configure > Gateway > Interface > Policy Route

Layer 7 Policy-base Route

You can create policy-based routing rules to direct specific applications to different WAN interfaces without specifying IP addresses or port ranges

The Benefits

Optimized Traffic Management: Direct critical applications to a primary WAN while routing less important traffic to a secondary WAN

Enhanced Network Performance: Improve network efficiency by balancing load between WAN interfaces based on application

Simplified Rule Management: No need to update routing rules for changing IP addresses or port ranges

Application Example

Enterprises are increasingly relying on SaaS services such as Gmail, Windows 365, and CRM tools like Salesforce.com, making these services more critical than other internet traffic that it is better to separate the traffic from others. In this scenario, users can strategize as follows:

1. Designate WAN1 as the primary WAN and WAN2 as the failover WAN, with most traffic routed through WAN1

2. Route business-critical SaaS traffic, such as Gmail, Windows 365, and Salesforce.com, through WAN2

How to configure

The figure below illustrates layer 7 policy-based routing rules for directing entire categories and specific applications within a category to different WAN interfaces

Go to Configure > Gateway > Interfaces > Policy Routes > Layer 7> Add Rule

This allows you to set networking parameters for your gateway, including WAN1, WAN2 settings, Cellular connection, and DDNS. You can access this page through Configure > Gateway > Interface

Operation mode

Routed

In this mode, the EnGenius Gateway acts as a layer 3 routing gateway between WAN and LAN interfaces. Client outbound traffic to the Internet is source Network Address Translated (NATed) with the gateway’s WAN1/WAN2 IP address. As a layer 3 routing gateway, LAN-to-LAN traffic passing through the gateway can also be bridged or routed and can be controlled by outbound firewall rules as well.

Passthrough

In this mode, the EnGenius Security Gateway acts as a layer 2 bridge that does not perform any routing or network address translation for client outbound traffic for Internet access. This mode is usually used when you want to put the EnGenius Security Gateway between a customer's existing external NAT device and an internal L2/L3 switch. And you want to deploy EnGenius Security Gateway to provide firewall filtering and VPN services without changing the existing IP subnet address planning.

WAN1

EnGenius Security Gateway can support dual WAN(WAN1/WAN2) configurations for dual WAN load balance and redundancy. Below are the WAN1 configuration settings. For the connection type, the Interface can be configured to DHCP to dynamically obtain an IP address or to static IP to manually configure the IP address or to use PPPoE to authenticate the gateway to an Internet Service Provider (ISP)

• Name: the WAN Interface Name

• DHCP: When you select DHCP, the gateway will automatically configure its IP address, subnet mask, and default gateway for the WAN interface.

• PPPoE: Point-to-Point Protocol over Ethernet (PPPoE) is a specification used to authenticate a networking device to an Internet Service Provider (ISP). Selecting PPPoE will allow you to enter the following information:

• Username: Enter the username associated with your ISP. This is a required field.

• Password: Enter the password associated with your ISP. This is a required field.

• DNS Server: you can choose the DNS server from ISP or use Google Public DNS (8.8.8.8) or specify nameservers entered in the Primary DNS and Secondary DNS.

• VLAN id: Enter the VLAN id from 1-4094.

• ISP Bandwidth: you should check with your ISP (Internet Service Provider) for the actual Download/Upload bandwidth. The ISP Bandwidth is used in WAN link utilization and dual WAN outbound sessions load balance calculations.

WAN2

EnGenius Security Gateway can support dual WAN(WAN1/WAN2) configurations for dual WAN load balance and redundancy. To deploy dual WAN configuration, you have to enter the following WAN2 settings. After WAN2 is enabled and settings configured here, the WAN2/P3 port will act as the WAN2 port.

Dual WAN Preference:

Primary WAN Interface: either WAN1 or WAN2 can be selected as the Primary WAN Interface in a dual WAN configuration deployment.

Load Policy:

• Failover: When both WAN1 and WAN2 are up, only the Primary WAN is active for inbound and outbound services. If the Primary WAN is down, automatic WAN failover will occur then the other WAN will take over and become active for services. (PS: currently for inbound Client VPN and Site to Site VPN services, automatic WAN failover is not yet supported. When your Primary WAN is down, for the other WAN to take over Client VPN and Site to Site VPN services, you have to manually reconfigure the other WAN as the new Primary WAN.)

• Load balance: For inbound services, the usage and restriction are the same as Failover. for the client's outbound Internet access traffic sessions, when both WAN1 and WAN2 are up, both WAN1 and WAN2 are used for outbound connections. The session load balance distribution algorithm is based on WRR(Weighted Round Robin) using WAN1/WAN2 upload bandwidth.

Cellular Connection

Cellular networks are high-speed, high-capacity voice and data communication networks with enhanced multimedia and seamless roaming capabilities for supporting cellular devices. With the increase in popularity of cellular devices, these networks are used for more than just entertainment and phone calls. They have become the primary means of communication for finance-sensitive business transactions, emergency services, etc. WAN connectivity options, such as cellular networks, now also serve as a reliable backup internet uplink in the event of a primary uplink failure. You can plug in the USB modern in the EnGenius Gateway and configure the following settings.

• SIM PIN: Enter the Security Code on the SIM to prevent unauthorized use of the card.

• Dial on Demand: Only connect when traffic is sent over the interface.

• Idle timeout: If there is no traffic on the interface for the given minutes, the gateway will disconnect the link.

DDNS

We offer the EnGenius Security Gateway that supports Dynamic DNS (DDNS) service by default. With this feature, users can have a hostname associated specifically with the ESG WAN interfaces. ESG uses Dynamic DNS (DDNS) to update a registered DNS hostname A record automatically each time its Primary WAN IP address changes. This feature is useful because it allows the administrator to configure applications such as client VPN to access the EnGenius Gateway by its hostname which is static instead of an IP address that may change over time. When the Primary WAN is down, EnGenius Security Gateway will use the public WAN IP of the other WAN for DDNS update.

• DDNS Enable: click the button to enable/disable the DDNS service.

• DDNS Providers: Select your DDNS service provider from the pull-down menu, if your DDNS service provider is not in the list, please select Custom

• Username: input your registered username

• Password: input your registered password

• Hostname: input your registered DDNS FQDN hostname

• Enter other required information from your DDNS Service Provider

LAN allows you to partition your network into different subnets such that downstream hosts are separated into different broadcast domains based on the VLAN they operate in. VLAN-based network separation can be an effective tool for isolating and identifying different segments of your network and therefore provides an additional layer of security and control. The EnGenius Gateway can have multiple LAN IPs, each of which is the default gateway address on its particular VLAN.

You can access this page through Configure > Gateway > Interface > LAN

There are two modes for the LAN Interface

Hybrid Port

The ESG can support a single Bridge and multiple VLANs. The same LAN port can be added to both a bridge and VLAN simultaneously.

Multiple Bridge

the ESG provides the flexibility to operate in multiple untagged subnets (Bridges) and multiple tagged subnets (VLANs) on the LAN side. If you want to have multi-untagged subnet environments, you can use Multiple bridge mode. However, The same LAN port cannot be added to both a bridge and VLAN simultaneously.

How to configure Multiple untagged subnets on your network

1. Select the "Multiple Bridge"

1. Add another interface and set Bridge mode

1. Verify the Untagged subnets if this is OK

How to Add an Interface

To add a new Interface, click Add Interface at the top right of the LAN table. To modify an existing LAN, click the Interface name in the LAN table.

Addressing

You can click the LAN interface name to access the below screens.

Name: Enter the LAN interface name

IP address: Use this option to enter the IP subnet and IP address of the gateway for the LAN Interface. For example, if the IP subnet is 192.168.100.0/24 and the gateway's IP Address is 192.168.100.1/24, please enter 192.168.100.1/24.

Use VPN: Determines whether the EnGenius Gateway advertises this LAN Interface to site-to-site VPN peers.

Port: select the port to use the LAN Interface.

DHCP

The EnGenius gateway provides a fully-featured DHCP service when configured in Routed mode on the Configure > Gateway > Interface > WAN > Operation mode page. You can enable and configure the DHCP service on each LAN Interface individually, You can access this screen on the Configure >Gateway > Interface > DHCP page.

The configuration options include:

• Client Addressing: Choose Run a DHCP server to enable DHCP services on that particular VLAN

• DNS Servers: DNS servers that the DHCP server will instruct the clients to use

• Reserved IP range: IP ranges that are reserved and therefore will not be assigned to clients.

• Fixed IP List: IP addresses that are allocated to specific devices by MAC address to ensure that these devices always get the same IP address when they make a DHCP request.

Advanced Setting:

• Lease Time: Specify the DHCP address lease time, the default is 1 day. You can select 30 minutes,1 hour, 4 hours, 12 hours, 1 day, and 1 week.

• Additional Options: Specify additional DHCP options sent to the DHCP client by clicking +Add

DHCP Relay

If you want to forward DHCP requests for a configured subnet or VLAN to another DHCP server rather than serving DHCP on the EnGenius Gateway, you can do so by choosing the Relay DHCP to another subnet DHCP server option for Client addressing and entering the IP address of the DHCP server you wish to forward requests to.

The DHCP relay server must be reachable in one of the following three ways:

• The DHCP server is in a local VLAN configured on the EnGenius Gateway

• EnGenius Gateway's DHCP server in all LAN interfaces is disabled.

• The DHCP server is in a subnet for which a static LAN route is configured on the EnGenius Gateway.

Captive Portal

Authentication Type

There are 2 options, Click-through and Custom RADIUS (External)

Click-through: After a client opens and enters a URL on his/her browser, the Client browser will be redirected to a Captive Portal splash page without username/password authentication required. But the client must view and acknowledge the splash page before being allowed to access the network.

Custom RADIUS (External): After a client opens and enters a URL on his/her browser, the client will be redirected to a Captive Portal splash page where username/password authentication is required before being allowed to access the network. An external RADIUS server must be set up to authenticate the client’s username/password. Enter the following settings for your gateway to access external RADIUS servers for authentication. You can configure 2 RADIUS servers for redundancy.

• Server 1: IP address, Port number, and shared secret

• Server 2: IP address, Port number, and shared secret

• NAS ID: For NAS(Network Access Server) ID, please enter an ID for your gateway to access the RADIUS servers specified.

• NAS IP: For NAS(Network Access Server) IP, please enter a VLAN IP address of your gateway for your gateway to access the RADIUS servers specified as the source IP address.

• NAS Port: For NAS(Network Access Server) port, please enter a port number for your gateway to access the RADIUS servers specified as the source TCP port number.

Redirect URL

Select one of the 2 options below to redirect the client after successfully passing the Cut-through splash page or the Custom RADIUS (External) splash authentication page.

Redirect to the original URL: Select this option to cache the initial website from the client during the authentication process and then forward it to the originally targeted web server after the user successfully authenticates.

Redirect users to a new URL: Select this option to redirect users to a pre-designated URL after the user successfully authenticates.

Advanced Setting

Session Timeout: Specify a time limit after which users will be disconnected and required to log in again.

Idle Timeout: Specify a time limit for an idle client after which users will be disconnected and required to log in again.

Walled Garden: This option allows users to define network destinations that users can access before authenticating. For example, your company's website.

Splash Page

With a splash page, you can channel LAN users to see a custom page before they can access the Internet.

When setting up an enterprise wireless network, it is common to configure WPA2-PSK authentication in order to onboard different users on to the wireless network. However, IT administrators may still encounter some drawbacks with this method of authentication when they need to use different PSKs in order to assign different VLANs. MyPSK allows a network administrator to use multiple PSKs and assigned different VLANs per SSID.

Before Configuring the MyPSK Users, please make sure you have chosen the Cloud myPSK user From Configure > SSID > Wireless > Security Type > WPA2-MyPSK

Create my PSK Users

You can access this screen from Configure > EnGenius.Auth > MyPSK Users > Add Users

The following describes the labels on the popup.

Auto-Generated: Click the checkbox and then input the number of the users you want to create. Auto-Generated Users are limited to 50 per time.

PSK: Input the password for the user to log in, Auto-Generated Users will have PSK automatically.

VLAN: By SSID means the user is assigned the VLAN from the SSID which you choose to authorize. If you see the VLAN you wanted is not displayed, you could add the VLAN from Configure > VLAN Settings, then you could select from the dropdown list.

Allowed MAC: Only the User with this Mac Address could access the SSID, leave it blank if you don't want to restrict it.

Expired Date: Default is Permanent, click the checkbox to choose the expired date

User note: Add note to map “the user” to the “PSK” to “identify” the person

SSID Authorized: The SSIDs you want users to access

Edit MyPSK Users

1.Click the number on the Authorized SSIDs or each PSK

2. Allows you to edit the details of each user.

To configure an iOS device to connect to the client VPN, follow these steps:

1. Navigate to Settings > General > VPN & Device Management > Add VPN Configuration.

2. Type: Set to IPsec.

3. Description: This can be anything you want to name this connection, for example, "Work VPN"

4. Server: Enter the hostname, the admin can find the hostname from Configure > Gateway> Client VPN

5. Account: Enter the username that the admin created on the Configure > Users > ESG VPN Users

6. Password: Enter the password that the admin created on the Configure > Users > ESG VPN Users

7. Secret: Enter the Pre-shared key that the admin find the key from Configure > Gateway> Client VPN

8. Click Done and Enable the VPN connection on the IOS Device.

Andriod 11 connects to VPN IPsec Xauth PSK

1. Go to Setting > Connection & Sharing

2. Click VPN

3. Click add VPN

4. Set Office Profile Name, Security type, Server address IP, IPsec pre-share key, Username, and Password, and Click the Save button.

5. Click Office VPN profile to start a connection, When the VPN client connects to the VPN server, it will show the key icon on the top bar status, and the Profile name will show connected.

6. When you want to disconnect the VPN connection, please click the toggle button to disconnect VPN.

Site-to-site VPNs connect Multiple locations with static public IP addresses and allow traffic to be routed among the networks. This is most commonly used to connect an organization’s branch offices back to its main office, so branch users can access network resources in the main office.

Site-to-site VPN settings are accessible through the Configure > Gateway> Site-to-site VPN page

Type

There are two options for configuring the EnGenius Gateway's role in the Auto VPN topology

• Hub (Mesh): This EnGenius Security Gateway acts as a VPN Hub(Mesh) node and will establish VPN tunnels to all remote EnGenius VPN peers in the same organization that are also configured in this mode. It will also establish VPN tunnels to Spoke nodes that specify this gateway as their common Hub node.

• Spoke: This EnGenius Security Gateway acts as a VPN Spoke node and will establish only one tunnel to the specified remote EnGenius Security Gateway which acts as this gateway’s Hub node. All Spoke nodes with a common Hub node can reach each other through Hub-and-Spoke tunnels unless blocked by Site-to-Site VPN firewall rules.

Local Network to use VPN

If you have multiple LAN subnets, you have the option to specify which LAN Interface could participate in the VPN.

NAT Traversal

If the EnGenius Gateway is behind a firewall or other NAT device, there are two options for establishing the VPN tunnel:

• Automatic: In the vast majority of cases, the EnGenius Gateway can automatically establish site-to-site VPN connectivity to remote EnGenius VPN peers even through a firewall or NAT device using a technique known as "UDP hole punching". This is the recommended (and default) option.

• Manual: Port forwarding: If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, EnGenius VPN peers contact this EnGenius Security Gateway using the specified public IP address and UDP port number 500. You still need to configure port forwarding rules on the upstream NAT/firewall device to forward all incoming traffic with the specified destination IP and destination UDP 500 and UDP 4500 to the Primary WAN IP address of the EnGenius Security Gateway.

Add Non-EnGenius Gateway

Auto VPN(Mesh VPN or Hub and Spoke VPN) works on EnGenius Security Gateways in the same organization only. For the following conditions, you must use the Add Non-EnGenius Gateway option.

• To establish a Site-to-Site VPN connection between an EnGenius Security Gateway and a 3rd party VPN device.

• To establish a Site-to-Site VPN connection between 2 EnGenius Security Gateways in 2 different organizations.

Click "Add " and enter the following information

• Gateway Name: A name for the remote gateway

• Public WAN IP: The Primary WAN public IP address of the remote gateway.

• Private Subnet: Enter the local network address or subnet behind the remote gateway.

• IKE Version: What IKE version to use (IKEv1 or IKEv2).

• Local ID: Enter the identity of the remote gateway during authentication. Only IKEV2 needs this ID.

• Remote ID: Enter the Remote ID of the remote peer. The remote Gateway’s Primary WAN public IP is recommended. Do not enter the remote peer’s Primary WAN native private IP if it is behind an external NAT device.

• IPsec Policy: Select a pre-defined policy or have a custom one.

• Diffie-Hellman group: Select which Diffie-Hellman group you want to use for encryption keys

• Encryption: Select which key size and encryption to use.

• Authentication: Select between MD5 and SHA1 authentication. Only phase2 can be multi-selected.

• PFS key Group: Select the Off option to disable Perfect Forward Secrecy (PFS). Select groups 1, 2, 5, or 14 to enable PFS using that Diffie Hellman group.

• Lifetime: Type the maximum number of seconds that the IKE security association can last.

• Pre-shared Key: Enter the pre-shared secret key to use.

VPN Firewall Rules

You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from all EnGenius Gateway in the Organization that participates in site-to-site VPN. These rules are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN.

1. Create a new service and select VPN connection with Cisco IPSec

2. Enter server address and account/password

3. Enter the pre-shared key

4. Connect to VPN server

The Client VPN service uses IPsec VPN technology and can support VPN clients running on Windows10, macOS, iOS devices, and Android devices

To enable client VPN, choose Enabled from Configure > Gateway > Client VPN page.

The following client VPN options can be configured:

• Hostname: This is the hostname of the EnGenius Gateway that client VPN users will use to connect to. If you have enabled DDNS service in your WAN settings, then the registered DDNS FQDN hostname is displayed which can be resolved to the Primary WAN public IP address of the EnGenius Security Gateway. If the DDNS service is not enabled or the DDNS update fails then the Primary WAN public IP address is displayed.

• VPN Client Subnet: The subnet that will be used for client VPN connections. This should be a private subnet that is not in use anywhere else in the network. The EnGenius Gateway will be the default gateway on this subnet and will route traffic to and from this subnet.

• DNS server: The server's VPN clients will use to resolve DNS hostnames. Choose from Google Public DNS or specify custom DNS servers by IP address.

• WINS server: If VPN clients should use WINS to resolve NetBIOS names, select Specify WINS Servers from the drop-down and enter the IP addresses of the desired WINS servers.

• Pre-Shared Key: The shared secret that will be used to establish the client's VPN connection.

• Authentication type: Use this option to authenticate Client VPN users with the local ESG VPN User database or select Custom RADIUS to use external RADIUS servers for authentication.

For detailed instructions on how to configure a client VPN connection on various client device platforms. please refer to the following instructions

Automatic Upgrades

EnGenius Cloud enables automatic upgrades by default and will upgrade firmware according to the Maintenance Window time period each week.

Manual Upgrade

To manually update device firmware:

1. Select the firmware you desire to upgrade.

2. Click Upgrade Now (If you have the devices in the New Firmware Trial Zone, you will only upgrade the Firmware on these devices. )

3. Click Apply.

Freeze Firmware version

This is used when users don’t want to change anything, including configurations and device firmware, on a stable network to minimize maintenance.

By enabling the freeze FW version, users can select a version between beta, stable, or pre-stable versions to freeze by using the Firmware Release drop down menu

After you enable the freeze firmware version, the freeze firmware list will be displayed. So you can easily check what device firmware version you have frozen on the current network

Compare allows you to compare the current network device firmware version to the target freeze firmware version. So you can see the summary of the comparison. e.g., the number of devices to be upgraded / downgraded.

Disable Freeze Firmware

When you disable freeze firmware, all models in the FW freeze list will be upgraded to the current FW release & maintenance window settings.

Firmware Compatibility with Cloud Services

The Cloud platform is generally backward compatible with older device firmware versions. However, in rare cases where compatibility issues arise, specific actions will be taken to ensure continued functionality.

• Force offline: Devices will be forced offline to protect the security and stability of both the cloud and device.

• Stop pulling data: The cloud may block partial or full device check-in data, potentially causing some charts or statistics to be inaccurate.

• Stop push config: Stop pushing new configurations to devices, and devices will keep running previous configurations.

New Firmware Trial Zone

Users can choose cloud devices into a New Firmware Trial Zone, so the devices in Trial Zone will be upgraded first (based on the Maintenance Window schedule), the other devices won't be upgraded within 21 days from the firmware release date. So you can prevent from the network going wrong after the firmware upgrade at one time.

Remove Device from Trial Zone

If the firmware has any issue during the trial period, you can call support or roll back to the device's previous firmware version by removing the device from Trial Zone.

Upcoming Upgrade Schedule

This allows you to know the exact Firmware Upgrade date of Trial Zone devices and other devices. So you will easily know what will be happening next.

In some cases, it is necessary to block a specific client on a network. This configuration will apply to the whole network and will affect the client immediately.

Blocked List

Navigate to Configure > Client Access Control > Rules > Block list to access this screen.

You could block clients in all SSIDs in the current network or on an SSID basis depending on your requirements. This blocked list displays which you added the blocked clients in SSID > Access Control and Manage > Clients. So you could manage whole blocked clients easily in single lists.

How to block clients

1. Click Add in the top-right corner.

2. Enter the Mac Address, select the Scope ( All SSIDs in current Network or SSID basis), then click Apply

How to Unblock Clients

1. Select the clients on the lists

2. Click Unblock

VIP Lists

All VIP clients can bypass the Captive portal. Wired VIP clients can bypass L2 isolation.

If wireless printer/scanner/IoT to be accessible, pls make sure the wireless printer/scanner/IoT devices are under the SSID of

• Bridge mode

• L2 Isolation is disabled

• Optional: If captive portal is enabled on the SSID, the “VIP” can let the IoT skip captive portal entry

If wired printer/scanner / IoT device to be accessible, then

• Make the devices be “VIP” to all SSIDs (or to the SSIDs for the wireless clients to be able to access)

• Any wireless client can access. No matter if NAT/Bridge mode. L2 Isolation can be enabled/ disabled

You could add the VIP clients in the current network or on SSID basis depending on your requirements. This VIP list displays which you added the VIP clients in SSID > Access Control and Manage > Clients. So you could manage whole VIP clients easily in single lists.

How to Add VIP clients

1. Click Add in the top-right corner.

2. Enter the Mac Address, select the Scope ( Current Network or SSID basis), then click Apply

How to remove VIP clients

1. Select the clients on the lists

2. Click Delete

Whitelist

You could block clients in all SSIDs in the current network or on an SSID basis depending on your requirements. This Whitelist displays which you added the white clients in SSID > Access Control and Manage > Clients. So you could manage whole whitelist clients easily in single lists.

The default Client Access Control is Blocklist, so you need to change the default ACL Rule to Allow whitelist only, so your whitelist client will take effect.

This section describes the various firewall configuration options and capabilities of the EnGenius Security Gateway. You can access this page from Configure > Gateway > Firewall

Outbound rules

Here you can configure permit or deny Access Control List (ACL) statements to determine what traffic is allowed between VLANs or out from the LAN to the Internet. These ACL statements can be based on protocol, source IP address and port, and destination IP address and port. These rules do not apply to VPN traffic. To configure firewall rules that affect traffic between VPN peers, please refer to Site-to-site VPN Settings

Click Add a rule to add a new outbound firewall rule.

• The Protocol field allows you to specify TCP traffic, UDP traffic, ICMP traffic, or Any.

• The Policy field determines whether the ACL statement permits or blocks traffic that matches the criteria specified in the statement.

• The Src.IP and Dest.IP fields support IPs or CIDR subnets. Multiple IPs or subnets can be entered comma-separated.

• The Src. Port and Dest.Port fields support port numbers. Multiple ports can be entered comma-separated. You can enter additional information in the Description field

• Apply to all ESG in the org: It is used when you want to have the same firewall rules in all gateways in one organization. so the outbound rules will be replicated to all EnGenius Gateway in the same Organization.

Layer 7 firewall Rules

You can create firewall rules to block specific applications without specifying IP addresses or port ranges. This feature is particularly useful when applications frequently change their IP addresses or use multiple IPs

Click Add a rule to add a new outbound firewall rule.

You block entire categories and specific applications within a category. For instance, you can block all Steaming or Apple music/spotify while allowing business-critical ones

Export CSV

This allows you to generate a documented record of your outbound firewall rules in a CSV format. This documentation serves various purposes, including backup, future reference, and troubleshooting.

You can click on the Export button located at the top right corner to export current Outbound rules in a CSV format.

Port Forwarding

Use this option to forward traffic destined for the WAN IP of the EnGenius Gateway on a specific port to any IP address within a local subnet or VLAN. Click Add rule to create a new port forward. You need to provide the following:

• Protocol: TCP or UDP.

• Public IP: Listen on the Public IP of WAN 1, WAN 2, or WAN1 & WAN2.

• Public port: Destination port of the traffic that is arriving on the WAN.

• LAN IP: Local IP address to which traffic will be forwarded.

• Local port: Destination port of the forwarded traffic that will be sent from the EnGenius Gateway to the specified host on the LAN. If you simply wish to forward the traffic without translating the port, this should be the same as the Public port.

• Allowed remote IPs: Remote IP addresses or ranges that are permitted to access the internal resource via this port forwarding rule.

• Description: A description of the rule.

Export CSV

This allows you to generate a documented record of your port forwarding rules in a CSV format. This documentation serves various purposes, including backup, future reference, and troubleshooting.

You can click on the Export button located at the top right corner to export current Port forwarding rules in a CSV format.

1:1 NAT

Use this option to map an IP address on the WAN side of the EnGenius gateway (other than the WAN IP of the EnGenius Gateway itself) to a local IP address on your network. Click Add a 1:1 NAT mapping to create a new mapping. You need to provide the following:

• Uplink: The physical WAN interface on which the traffic will arrive.

• Public IP: The inbound destination public IP address that will be matched to access the internal resource from the WAN.

• LAN IP: The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN.

• Rules: You can add rules to specify the matching conditions that only incoming connections matching the following conditions are accepted for 1:1 NAT service to access internal LAN resources.

• Allowed Remote IPs: Enter the source IP addresses/ranges that will be matched. You can specify multiple WAN IP addresses/ranges separated by commas.

• Protocol: Choose from TCP, UDP, ICMP, or any.

• Public Ports: Enter the destination port that will be matched. You can specify multiple ports separated by commas.

Creating a 1:1 NAT rule does not automatically allow inbound traffic to the public IP listed in the 1:1 NAT mapping. By default, all inbound connections are denied. You have to configure matching Rules as described above in order to allow the inbound 1:1 NAT traffic.

Allowed Services

This allows you to configure the allowed services to access EnGenius Gateway

• ICMP Ping: Use this setting to allow the EnGenius Gateway to reply to inbound ICMP ping requests coming from the specified address(es). Supported values for the remote IP address field include None, Any, or a specific IP range (using CIDR notation). You can also enter multiple IP ranges separated by commas.

• Web (local status & configuration): Use this setting to allow or disable access to the local management page via the WAN IP of the EnGenius Gateway. Supported values for the remote IPs field are the same as for ICMP Ping.

General settings allow you to configure Network settings, AP network-wide settings and so do Switches. Click Configure > General Setting to access this screen.

Edit Network

Network name, country, and timezone can be edited as needed. Follow the steps below to edit a network.

1. Click edit button to change network name

2. Select Country, Timezone, and then click Apply

Local Credential

This feature allows you to configure the login account of local web GUI for devices. The settings here apply to all APs and Switches in this Network.

Local Web pages

Users can configure the device's web server (local web access) to enforce HTTPS-only access. This will ensure that the device web server, including components such as the LSP or local GUI, redirects HTTP requests to HTTPS.

Access Control means you can control the devices in the networks to enable/disable LSP or local GUI.

SNMP

Simple network management protocol (SNMP) allows network administrators to query devices for various information. We allow SNMP polling to gather information either from the access points, switches, or PDUs. Please notice that the switch extender does not support SNMP.

• SNMP State: Select V1/V2c to allow SNMP managers using SNMP to access the devices in this network.

• Community String: This field is used when you select V1/V2c. Enter the password for the incoming SNMP request from the management station.

LED Light

This allows you to enable all AP's LED lights in the current network.

LAN Port settings (for ECW115AP & ECW215AP only)

This allows you to configure LAN port settings on ECW115 & ECW215AP. SSID on LAN currently is only supported on LAN3.

VLAN Mode

Tagged Device Only : Allow only 1 inbound tagged frame, for example if the IP phone is attached and has a tagged frame as a PVID.

Untagged Device Only: Allow only 1 inbound untagged frame, and add a PVID tag to the frames ; the switch port defines the VLAN. For example , If IP phone is attached, specify the PVID as Voice VLAN, so the IP phone traffic will be tagged with the PVID and join the Voice VLAN in the Network.

Bypass All : Allowed specified multiple VLAN tag frames (in our case here, allow all VLANs) and untagged VLAN : bypass the frames.

Supported SSID Parameters on SSID on LAN

LAN Port settings (for ECW130AP only)

ECW130 supports dual ports to do link aggregation. After you do the Link Aggregation, you still can

override the setting under the AP detail page.

System Reserved IP Range

When using NAT (AP DHCP) and captive portal, AP will leverage a range of IP addresses as default. If user unconsciously configures their local Network to conflict with the range, it will cause problems. the user is able to change the System reserved range if they cannot change their local LAN IP address range.

SSID > Wireless > IP Addressing (NAT/Bridge). Click “Change” will redirect to the Network-wide setting

General Settings > AP > System Reserved IP Range

Message for blocked Clients

Clients can be blocked from accessing the network. When these clients attempt to connect to the network and open a web browser, they will be redirected to a blocked message. The Network-wide Default block message is configured on a per-network basis. The message is set in the Network-wide > General Settings > AP page.

The blocked splash page below will be presented below to the blocked clients.

Advanced settings

Presence reporting

For applications like CRM tools, presence analytics, or location-aware services which need to continuously gather presence data of wireless clients, EnGenius Cloud Acess Points are capable of delivering real-time presence data to fulfill the requirement.

EnGenius Presence Service can have cloud-managed APs continuously gathering 802.11 probe request frames sent by wireless clients and then sending the data to 3rd party servers configured in EnGenius Cloud.

Configuration

In EnGeniusCloud, the configuration of presence service is at

General Settings > AP > Advanced Settings

the following parameters can be configured on the page:

Traffic log

Traffic log feeds wireless client info to remote Syslog server. Note that enabling this setting will severely degrade AP performance. To enable this function, the syslog server must be enabled.

Remote System Log

The Remote System Log gives you the capability to remotely log Syslog events from a device on EnGenius Cloud to your external logging server.

You can enable and configure the remote logging feature from Configure → General setting→ Syslog server.

• Status: Enable to open the function to the remote system log.

• Log server address: Specify the IP address or hostname of the Syslog server.

• Log server port: Specify the port of the Syslog server. The default port is 514.

This helps “group configure PDUs” in the network. The PDU Template feature helps users apply the same outlet configuration to all PDUs with the same models in the network to save time on configuration one by one.

you can access this screen by going to Configure > PDUs > Template

You can create any template by model type and then click on “Edit” on the template to configure detail; the setting is similar to PDU detail page settings.

Click the "Apply to all" button to deploy template settings across all PDUs of the same model within the network.

This allows you to configure the EnGenius Gateway VPN user to use the You can access this page from Configure > EnGenius Auth. > ESG VPN Users

The following describes the labels on this screen:

• Name: Shows the descriptive name of the user account.

• Created by: This User is created by whom.

• Created time: When the user has been created.

• Description: the remark that you can add the note on this user.

Win10 connects to VPN IPsec Xauth PSK

1. Download the VPN Access Manager application.

2. Install vpn-client-2.2.2-release.exe

3. Setup VPN client setting

a. Click Add button to add a VPN profile

b. Input the VPN server IP address and click the Save button.

c. Client use default setting.

d. Name Resolution uses the default setting.

e. Authentication select Mutual PSK+XAuth and click the Save button.

f. Authentication>Credentials input IPsec Pre-share key and click Save button.

g. Phase 1 Exchange Type select to main and click the save button.

h. Click VPN profile, input user name, and password, and click Connect button.

i. Click Network to check VPN connection status.

4. Use ping traffic to check VPN link status.

a. Ping VPN server LAN side PC

b. ping VPN server WAN side DNS.

c. ping www.google.com.