Covering a Network with WiFi
How do I use SCM to plan and broadcast WiFi?
The WiFi broadcast and planning components explained in this section demonstrate how SCM’s support for embedded security, firewalls, access points, and switches simplifies and consolidates the overall management of branch equipment.
You can use SCM’s WiFi broadcast and planning components to:
- Offer a unified, corporate service set identifier (SSID) for all locations that place users into the local network at their site.
- Grant users seamless access to the corporate headquarters network from their home offices.
- Deploy SDI-130 wireless access points to execute the expansion design and blanket your locations in wireless coverage.
The hardware is deployed last, because SCM is deployed using a new, dynamic workflow.
We strongly recommend using the latest Chrome browser with the WiFi planner.
What is an SSID?
An SSID is a technical term for the name of a wireless network, used to distinguish one wireless network from another. When you set up a wireless network, you give it a name to distinguish it from all other networks in range. You connect a computer to the wireless network using this name. After you create a broadcast for the SSID on SCM, it will always be broadcast on all access points within a site.
You can create up to eight SSIDs, whether counted per access point or in total.
To create an SSID
1. Choose WiFi > SSIDs.
2. Click New SSID.
3. Type the SSID name.
4. Select the security protocol used to authenticate users from the drop-down list. SCM supports the common Wi-Fi Protected Access 2 (WPA2) security protocols, and WPA version 1 in compatibility mode. The Open option broadcasts the SSID without password protection.
5. Click Submit.
A wireless network, or SSID, is not available until you broadcast it.
To broadcast an SSID
1. Choose WiFi > SSIDs.
Verify that you have defined appropriate SSIDs: for example, one for your corporate network and one for your guest access.
2. Select Broadcasts and click New Broadcast.
3. Select the site, an SSID, and the default zone the clients will be mapped into when they join the network from that site. You can choose zones from different sites. A VPN tunnel will be automatically created.
4. Click Submit.
5. Repeat steps 2 through 4 for each site in which you want to broadcast the SSID.
From now on, any time you deploy hardware, the SSID will be broadcast at that location and will be mapped into the appropriate LAN.
To enable the guest portal for a broadcast
1. Define a guest zone as described in To create a guest zone.
2. Select the guest zone.
3. Select the broadcast.
4. Select the Advanced tab.
5. Set the wireless network management options, such as hiding the SSID broadcast. When hidden, the SSID becomes invisible, so clients can't find it automatically. You can also choose to broadcast on both 2.4 GHz and 5 GHz, or on only one of them.
How do I apply network access control across users or user groups?
DynZone, or dynamic zone assignment, allows you to apply network access control across users or user groups within a single wireless network broadcast. Devices (and consequently users) can be dynamically mapped into different zones, either by setting tags on zones, user groups, and users, or by using RADIUS authentication.
Use DynZone to automatically tag devices into the correct VLAN. For example, you can assign the sales group to the Sales VLAN. Then, independent of where you connect the device to WiFi, it receives the correct VLAN assignment dynamically without any interaction with the device.
You can also use this feature to automatically map known VoIP phones to the VoIP VLAN.
DynZone doesn’t support the Cisco LLDP-MED extension to LLDP.
In these types of deployments it is enough to broadcast a single SSID for the entire site.
For nonenterprise SSIDs, you set policy tags for a user group, user, or device objects, and then set one of the same tags on the desired zone.
When a WiFi client device connects to the SSID, the access point checks if a tag for that user or device matches a tag assigned to a zone. If it does, the system moves the client device into the appropriate VLAN. If no tag matches, the system uses the configured default zone as a fallback.
For enterprise SSIDs, the target zone VLAN tag is set on the RADIUS server. Using DynZone through RADIUS/NPS requires a RADIUS server and a WPA2 Enterprise SSID. When RADIUS is used for dynamic VLAN tagging, SteelConnect ignores all other tags such as device, user and zone.
If DynZone is used in combination with RADIUS/NPS, SteelConnect retags the wireless clients to a specific VLAN using the following RADIUS attributes (as specified in RFC 3580 at http://tools.ietf.org/html/rfc3580#section-3.31):
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID
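As an added example (not Riverbed's code and not part of the original page), this Python check parses a RADIUS Access-Accept and returns the VLAN ID only when all three attributes above are present and well formed, which helps when verifying what the RADIUS server actually sends. The attribute type numbers 64, 65 and 81 come from RFC 2868; the function names and the sample packet are constructed, and the Response Authenticator is not verified.

```python
# Attribute type numbers are from RFC 2868; the values 13 and 6 from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def parse_attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    pos = 20  # 4 bytes code/id/length + 16-byte authenticator (not verified here)
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def vlan_from_accept(packet):
    """Return the VLAN ID an Access-Accept assigns, or None if it assigns none."""
    found = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet of 0x1F or less is a tag; otherwise it starts the string.
            found[atype] = value[1:] if value[0] <= 0x1F else value
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if (packet[0] != ACCESS_ACCEPT or found.get(TUNNEL_TYPE) != VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != IEEE_802 or not group.isdigit()):
        return None
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None  # usable 802.1Q VLAN IDs

def attr(atype, value):
    """Encode one attribute (helper for the constructed samples below)."""
    return bytes([atype, len(value) + 2]) + value

def build_packet(code, attrs):
    """Build a packet with a zeroed authenticator; constructed test input only."""
    body = b"".join(attrs)
    return bytes([code, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

# Constructed sample: an Access-Accept that places the client in VLAN 20.
SAMPLE = build_packet(ACCESS_ACCEPT, [
    attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
    attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
    attr(TUNNEL_PRIVATE_GROUP_ID, b"20"),
])
```

A return value of None means the reply does not carry a complete, valid VLAN assignment, for example because one of the three attributes is missing or the VLAN ID is outside 1 to 4094.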
For details on configuring RADIUS on Windows Server for dynamic VLAN tagging, go to https://supportkb.riverbed.com/support/index?page=content&id=S28025&cat=STEELCONNECT&actp=LIST.
Policy tag priorities
Device Tags (as ordered in Device Policy Tags)
User Tags (as ordered in User Policy Tags)
To tag users (groups) and the zones
1. Choose Users and select a user.
2. Choose Policy > Policy Tags.
3. Set a policy tag. For example, Sales.
4. Click Submit.
To match the user with a zone
1. Choose Network Design > Zones.
2. Select a zone.
3. Select VLAN > Policy Tags and select the Sales tag.
To activate DynZone
Choose WiFi > Broadcasts > DynZone.
Planning WiFi wireless radio coverage
First you’ll need to determine how many access points you need. To assist with access point planning, SCM provides an integrated WiFi planner that eliminates expensive planning tools and guesswork. Use the planner to visualize the WiFi coverage in all sites, upload floor plans, and place access point placeholders as required. You can select different coverage-type presets. The WiFi planner will automatically create shadow devices as placeholders that you can turn into real hardware deployments later.
The WiFi planning tool assumes a barrier-free wireless radio signal coverage.
We recommend using the Chrome browser for the best WiFi planning experience.
To plan the WiFi coverage for a site
1. Choose WiFi > Planning.
2. Click New Plan.
3. Select a site.
4. Type a name for the plan.
5. Select a WiFi profile to influence the recommended access point placement and range.
6. Click Upload Plan or Draw Plan.
To upload a predefined plan, choose the filename and click Open. You can upload the floor plans in .jpg, .png, .bmp, and .gif file formats.
7. Click Submit.
The next step is to set the general building dimensions to help define the signal strength and ranges.
To set the building dimensions
1. Click Set Scale.
2. Click the plan, expand an item in the drawing, and set the scale. For example, if you know that one wall of your building is 26 feet long, you can set the scale using that wall measurement of 26 feet.
To add access points
1. Open the WiFi planner.
2. Click Create New AP3 (or AP5 or AP5r).
An access point icon appears on the plan, surrounded by a shaded transmit power area.
3. Select 2.4 or 5 GHz.
4. Move the access point to the desired location in the plan.
5. Type a name for the location.
6. Use the slider to adjust the transmit area.
7. Repeat steps 2-6 to add more access points, making sure they have the correct placement, amount of channel separation, and transmit power.
8. To avoid overlap between access points, right-click the access point and select another channel from the channel drop-down menu. Or, use the channel auto select (the default setting).
9. Adjust the transmit area and placement of the access point as needed.
10. Click Save.
Because the WiFi planner is integrated in SCM, it uses the concept of shadow appliances for the access points. When you add an access point for future deployment, it’s called a shadow access point. Shadow access points are basically cardboard cutouts that you can use to represent what will be a physical access point. For details on shadow appliances, see Enabling appliances.
To deploy an access point
1. Choose Appliances.
2. Click Add appliances.
3. Select Register Hardware Appliance.
4. Enter the access point serial number.
5. Select the site to deploy the access point.
6. Click Submit.
The access point receives an IP configuration through DHCP from the zone automatically.
7. Choose WiFi > Broadcasts.
8. Click New Broadcast.
9. Select a site for the SSID.
10. Select an SSID.
11. Select a default zone.
12. Click Submit.
13. Repeat steps 8 through 12 for each SSID.
All access points in a site broadcast the SSIDs as configured in the WiFi menu.
When deploying an access point into a location without a SteelConnect gateway, you might want to enable AutoVPN operation so the access point joins the full-mesh VPN network.
To enable AutoVPN on an access point
1. Choose Appliances > Access Points.
2. Select the access point.
3. Select the AutoVPN tab.
4. Click On.
When an access point and the zone of a broadcast are in the same zone site without a gateway, the access point establishes an L3 VPN locally.
When an access point and the zone of a broadcast are in different sites, the system establishes an L2 tunnel.
While the access point boots, two LEDs (green and orange) blink as long as a connection to SCM has been established successfully. The blinking stops in normal operation.
To view the access points
Choose Appliances > Access Points.
The access points appear with a status of Shadow until they are registered.