This document summarizes the best practices and procedures for configuring and deploying a standalone AP using EnGenius hardware. This document uses an ENH1750EXT running firmware version 2.0.5 for all figures. On other access point models and/or firmware versions, some specific items may be in a slightly different order or on different screens. For single-band access points, omit the sections on configuring the 5 GHz radio and band steering.
Network Usage Types
Even on relatively small networks, it is often a requirement to support different types of users with different levels of access. The following are the typical types of usage applications on Wi-Fi networks:
Staff: Intended for client devices belonging to staff at the facility location. Security should be either WPA2-Personal or WPA2-Enterprise, depending on whether an external RADIUS server is in use.
Guest: Intended for public / semi-public access, and/or for personal BYOD devices. No encryption should be used for ease of access, which means guest traffic is sent in the clear and can be read by anyone within radio range. Client isolation should always be enabled so guests cannot reach each other, and the guest VLAN should be firewalled from the rest of the network.
Security: Intended for security cameras, access card readers, NVR servers, and fixed or mobile security stations. WPA2-Personal should be used (many devices do not support WPA2-Enterprise). Client isolation should generally be enabled, unless security stations are connecting wirelessly.
Device: Intended for network appliances, such as SONOS, NEST thermostats, Control4, etc., as well as IoT sensors and devices. WPA2-Personal should be used (many devices do not support WPA2-Enterprise). Client isolation should generally be enabled.
Voice: Intended for VoIP / VoWiFi headsets. WPA2-Personal should be used to minimize roaming times. Client isolation should generally be disabled to enable phones to communicate with each other.
Configuring the Access Points: Dual-Band AP Mode
Log into the Access Point
Username: admin
Password: admin
Figure 1: Login screen.
Firmware Check
On the device status screen, validate that the AP is at the latest firmware. If not, upgrade the firmware based on the procedure below.
Figure 2: Device status screen.
Network Settings
Go to the Network Basic screen. Provide a unique static IP address, subnet mask, gateway, and DNS servers for the AP on your LAN. Using DHCP is not recommended, as a static IP address makes it easier to monitor and maintain the AP post-installation. Make sure spanning tree is disabled. Click save.
Figure 3: Network Basic Screen [bottom].
Wireless Settings: General
Go to the Network Wireless screen.
Table 1: Summary table of Wireless settings: General
Variable | Recommended Setting | Explanation |
Device Name | {location on property} | Indicates the location of the AP where it will be mounted. Recommended for ease of monitoring and maintenance of AP post-installation |
Country / Region | {country} | Indicates country of operation, which restricts the available 2.4 GHz and 5 GHz channels. |
Band Steering | Enabled | Band steering will ensure dual-band clients are connecting on the 5 GHz band, which has larger capacity and generally less interference. Note that all SSID settings on both bands must be identical for band steering to work. |
Figure 4: Network Basic Screen [General settings].
Wireless Settings: Radio
Table 2: Summary table of Wireless settings: Radio
Variable | Recommended Setting 2.4 GHz | Recommended Setting 5 GHz | Explanation |
Operation Mode | Access Point [default] | Access Point [default] | Indicates mode of operation. |
Wireless Mode | 802.11 N | 802.11 N (802.11n APs); 802.11 AC/N (802.11ac APs) | Unless you have older Wi-Fi devices (e.g. warehouse barcode scanners) that the network must support, turn off connections for 802.11a/b/g devices to minimize protocol overhead. |
Channel HT Mode | 20 MHz | 40 MHz (802.11n APs); 80 MHz (802.11ac APs) | The usable 2.4 GHz band in the USA (channels 1 through 11) is only about 72 MHz wide, allowing for only 3 independent 20 MHz channels or only 1 independent 40 MHz channel. Never use 40 MHz channels on the 2.4 GHz band in any multi-AP deployment. The 5 GHz band provides 480 MHz of usable (semi-contiguous) spectrum in the USA, allowing for 24 independent 20 MHz channels, 11 independent 40 MHz channels, 5 independent 80 MHz channels, and 2 independent 160 MHz channels. Never use 160 MHz channels on the 5 GHz band in any multi-AP deployment. |
Extension Channel | Disabled [default] | Upper [default] | For 20 MHz channels, no extension channel is used. For larger 5 GHz channels, the extension channel is determined automatically. When 5 GHz channels are selected from the list in the next row, the extension channel will always be upper. |
Channel | 1, 6, or 11 | 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, or 157 (40 MHz channel); 36, 52, 100, 116, or 149 (80 MHz channel) | Non-overlapping static channels should be assigned for both bands. Do not use auto channel. 80 MHz channels are fixed blocks of four 20 MHz channels (36-48, 52-64, 100-112, 116-128, 149-161), so a primary channel of 157 at 80 MHz occupies the same block as 149 and is not an independent channel. Channels 52-64 and 100-144 are DFS channels: the AP must vacate them when radar is detected, so expect occasional channel changes on those channels. |
Transmit Power | 16 dBm [initial] | 20 dBm [initial] | A static transmit power should be assigned for both bands. Do not use auto power. Avoid using maximum power, as client devices such as smartphones have weak transmitters and may not be able to talk back to the AP. Furthermore, 2.4 GHz propagates farther than 5 GHz, so the transmit power should be set 4-5 dB lower on the 2.4 GHz band. Initial recommended settings are indicated, but these may need to be tweaked slightly based on your environment. |
Data Rate | Auto [default] | Auto [default] | Auto allows the AP and client to dynamically negotiate speed based on distance and other RF factors. |
RTS / CTS Threshold | 2346 [default] | 2346 [default] | Frames larger than the threshold are preceded by an RTS/CTS exchange that reserves the medium. This mitigates hidden-node collisions and is also used as a protection mechanism when legacy 802.11a/b/g clients are present. The default of 2346 bytes effectively disables it; lower it only after a hidden-node problem has been diagnosed. |
Client Limits | 127 [default] | 127 [default] | Limits the maximum number of clients per radio. Best practice designs plan on 30 to 50 client devices per AP for typical smartphone / tablet / laptop usage. |
Aggregation | Enable, 32 Frames, 50000 Bytes [default] | Enable, 32 Frames, 50000 Bytes [default] | Frame aggregation is used to improve data speeds in 802.11n/ac. It should always be enabled. |
Distance | 1 km [default] | 1 km [default] | Long distance WDS links require additional time to receive ACK frames. Not relevant when radios are in Access Point mode. |
Figure 5: Network Wireless Screen [Radio settings].
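Checking a multi-AP channel plan against the overlap and DFS rules in Table 2 is easy to automate. The following Python script is an added example, not EnGenius software and not code from this guide: it resolves each radio's primary channel and HT mode to the spectrum it occupies, using the fixed 802.11ac 40/80 MHz channel blocks, flags pairs of radios on the same band that overlap, and applies the 2.4 GHz 1/6/11 rule and the no-40-MHz-on-2.4 / no-160-MHz-on-5 rules. It generalizes the table's channel lists to any primary/width combination, which is how it shows that 149 and 157 at 80 MHz are the same channel. The AP names and the three-AP sample plan are constructed for the example.

```python
from itertools import combinations
from typing import NamedTuple

# US (FCC) DFS channels: the AP must vacate them when radar is detected.
DFS_CHANNELS = set(range(52, 65, 4)) | set(range(100, 145, 4))


class RadioPlan(NamedTuple):
    ap: str       # device name / location label (constructed in the sample below)
    band: str     # "2.4" or "5"
    channel: int  # primary 20 MHz channel as entered in the AP's "Channel" field
    width: int    # "Channel HT Mode" in MHz: 20, 40, 80 or 160


def centre_mhz(band: str, channel: int) -> int:
    """Centre frequency of a 20 MHz channel per 802.11 channel numbering."""
    if band == "2.4":
        return 2484 if channel == 14 else 2407 + 5 * channel
    return 5000 + 5 * channel


def block_start(plan: RadioPlan) -> int:
    """Lowest 20 MHz channel of the bonded block the primary channel falls in.

    5 GHz 40/80/160 MHz channels are fixed blocks (36-48, 52-64, 100-112, ...,
    149-161), so primary 157 at 80 MHz occupies the same block as primary 149.
    2.4 GHz has no fixed blocks; a 40 MHz channel is assumed to extend upward."""
    if plan.band == "2.4" or plan.width == 20:
        return plan.channel
    span = 4 * (plan.width // 20)  # block size in channel-number units
    base = 149 if plan.channel >= 149 else 36
    return base + span * ((plan.channel - base) // span)


def occupied_range(plan: RadioPlan) -> tuple[int, int]:
    """(low, high) MHz edges of the spectrum this radio occupies."""
    low = centre_mhz(plan.band, block_start(plan)) - 10
    return low, low + plan.width


def find_overlaps(plans):
    """Pairs of radios on the same band whose occupied spectrum overlaps."""
    hits = []
    for a, b in combinations(plans, 2):
        if a.band != b.band:
            continue
        a_lo, a_hi = occupied_range(a)
        b_lo, b_hi = occupied_range(b)
        if a_lo < b_hi and b_lo < a_hi:
            hits.append((a.ap, b.ap))
    return hits


def lint_plan(plans):
    """Apply Table 2's channel rules and return human-readable findings."""
    findings = []
    for p in plans:
        if p.band == "2.4" and p.channel not in (1, 6, 11):
            findings.append(f"{p.ap}: 2.4 GHz channel {p.channel} is not 1, 6 or 11")
        if p.band == "2.4" and p.width != 20:
            findings.append(f"{p.ap}: never use {p.width} MHz on 2.4 GHz in a multi-AP deployment")
        if p.band == "5" and p.width > 80:
            findings.append(f"{p.ap}: never use 160 MHz on 5 GHz in a multi-AP deployment")
        if p.band == "5" and p.channel in DFS_CHANNELS:
            findings.append(f"{p.ap}: channel {p.channel} is DFS; expect channel changes on radar events")
    for a, b in find_overlaps(plans):
        findings.append(f"{a} and {b} occupy overlapping spectrum")
    return findings


# Constructed sample plan for three APs (not taken from the page's figures).
SAMPLE_PLAN = [
    RadioPlan("lobby", "2.4", 1, 20),   RadioPlan("lobby", "5", 36, 80),
    RadioPlan("bar", "2.4", 6, 20),     RadioPlan("bar", "5", 149, 80),
    RadioPlan("office", "2.4", 11, 20), RadioPlan("office", "5", 157, 80),
]

if __name__ == "__main__":
    for line in lint_plan(SAMPLE_PLAN):
        print(line)
```

Running it prints the one finding in the sample plan, the bar/office 80 MHz overlap; replace SAMPLE_PLAN with the channels from your own site survey to check a real deployment.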
Wireless Settings: 2.4 GHz & 5 GHz
These settings will depend on the network usage types that need to be supported on your network. If more than one network usage type is to be deployed, VLANs should be used.
Table 3: Summary table of typical network usage applications on Wi-Fi networks.
Network Usage Type | Purpose | Security Mode | Encryption | Passphrase | Group Key Update Interval | Hidden SSID | Client Isolation | L2 Isolation | VLAN Isolation | VID |
Staff (no RADIUS) | Staff devices at facility location | WPA2-PSK | AES | {8 - 63 characters} | 3600 | No | No | No | Yes | {2 - 4094} |
Staff (RADIUS) | Staff devices at facility location | WPA2-Enterprise | AES | see security section | 3600 | No | No | No | Yes | {2 - 4094} |
Guest | Public / semi-public access for visitors or customers | Disabled {Open} | N/A | N/A | N/A | No | Yes | Yes | Yes | {2 - 4094} |
Security | IP cameras, access card scanners, NVR servers, security stations | WPA2-PSK | AES | {8 - 63 characters} | 3600 | No | No* | No* | Yes | {2 - 4094} |
Device | Network appliances (e.g. NEST thermostats, Control4, etc.) and IoT | WPA2-PSK | AES | {8 - 63 characters} | 3600 | No | Yes* | Yes* | Yes | {2 - 4094} |
Voice | VoIP / VoWiFi headsets | WPA2-PSK | AES | {8 - 63 characters} | 3600 | No | No | No | Yes | {2 - 4094} |
* Set according to whether devices on this SSID need to reach each other: enable isolation unless intercommunication is required (for example, security stations that connect wirelessly to view cameras), as described under Network Usage Types.
Table 4: Summary table of SSID settings.
Variable | Recommended Setting | Explanation |
SSID | {1-32 characters} | Name of the network that devices will connect to. Best practice is to put the distinguishing feature at the front of the SSID, since some client devices truncate long SSIDs in their displays. It is recommended not to define more than 4 SSIDs per band, to limit airtime overhead. |
Security | None, WPA2-PSK, or WPA2-Enterprise | Depends on application. None is recommended only for public / semi-public networks. WPA2-Enterprise is recommended for staff devices when using an external RADIUS server. WPA2-PSK is used otherwise. Never use WEP, WPA, or WPA mixed; WEP and WPA are deprecated. See the next section on Security. |
Hidden SSID | No | When enabled, hides the SSID in beacon frames. Many clients have trouble connecting to hidden SSIDs, and the SSID is still sent in the clear in probe and association frames, so anyone listening can recover it. It provides no security; always disable. |
Client Isolation | Yes* | When enabled, prevents client devices connected to the same SSID on the same AP from intercommunicating. Always use for public / semi-public networks. Recommended for security and device networks unless intercommunication is required. |
L2 Isolation | Yes* | When enabled, prevents client devices connected to the same SSID across different APs from intercommunicating. Always use for public / semi-public networks. Recommended for security and device networks unless intercommunication is required. |
VLAN Isolation | Yes | When more than one network usage type is being implemented, VLANs are required to isolate traffic between SSIDs. Each SSID is associated with a particular VLAN. The isolation features on the AP only control wireless client-to-client traffic; filtering between VLANs still has to be enforced on the router or firewall. |
VID | {2 - 4094} | VLAN ID is a 12-bit number. VLAN 0 and 4095 are reserved, and VLAN 1 is the default (native) VLAN on most switches and is left for untagged traffic. Every SSID should be assigned its own unique VLAN. Note that your network switch(es) and router must also be configured to carry these VLANs (tagged) on the AP's switch port. |
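The rules in Tables 3 and 4 (and in the Network Usage Types section) can be checked before anything is typed into the AP. The following Python lint is an added example, not part of this guide and not EnGenius software: the SsidConfig fields mirror the table columns, the needs_peer_traffic flag is shorthand for the asterisked isolation cases, and the sample SSID names, VLAN IDs and passphrases are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ALLOWED_SECURITY = {"None", "WPA2-PSK", "WPA2-Enterprise"}
DEPRECATED_SECURITY = {"WEP", "WPA-PSK", "WPA-PSK Mixed", "WPA-Enterprise", "WPA Mixed-Enterprise"}


@dataclass
class SsidConfig:
    """One SSID on one radio, with the columns of Tables 3 and 4."""
    name: str
    usage: str                  # Staff, Guest, Security, Device or Voice
    band: str                   # "2.4" or "5"
    security: str               # None, WPA2-PSK, WPA2-Enterprise (deprecated modes are flagged)
    encryption: Optional[str]   # AES, TKIP or None
    passphrase: Optional[str]
    hidden: bool
    client_isolation: bool
    l2_isolation: bool
    vlan_isolation: bool
    vid: Optional[int]
    needs_peer_traffic: bool = False  # True for the asterisked cases where devices must reach each other


def lint_ssid(s: SsidConfig) -> list[str]:
    tag = f"{s.name}/{s.band} GHz"
    f = []
    if not 1 <= len(s.name) <= 32:
        f.append(f"{tag}: SSID must be 1-32 characters")
    if s.security in DEPRECATED_SECURITY:
        f.append(f"{tag}: {s.security} is deprecated; use WPA2-PSK or WPA2-Enterprise")
    elif s.security not in ALLOWED_SECURITY:
        f.append(f"{tag}: unknown security mode {s.security!r}")
    if s.security == "None":
        if s.usage != "Guest":
            f.append(f"{tag}: open network is only acceptable for Guest usage")
        if not (s.client_isolation and s.l2_isolation):
            f.append(f"{tag}: open network must have client isolation and L2 isolation enabled")
    elif s.encryption != "AES":
        f.append(f"{tag}: encryption must be AES (WEP and TKIP are deprecated)")
    if "PSK" in s.security:
        if s.passphrase is None or not 8 <= len(s.passphrase) <= 63:
            f.append(f"{tag}: WPA2-PSK passphrase must be 8-63 characters")
        elif len(s.passphrase) < 15:
            f.append(f"{tag}: passphrase shorter than 15 characters; offline guessing of a captured handshake is cheap")
    if s.hidden:
        f.append(f"{tag}: hidden SSID gives no security and breaks some clients; disable it")
    if not s.vlan_isolation:
        f.append(f"{tag}: VLAN isolation must be enabled when more than one usage type is deployed")
    if s.vid is None or not 2 <= s.vid <= 4094:
        f.append(f"{tag}: VID must be 2-4094 (VLAN 1 is the default VLAN and is not used for SSIDs)")
    if s.needs_peer_traffic and (s.client_isolation or s.l2_isolation):
        f.append(f"{tag}: isolation enabled but devices on this SSID must reach each other")
    if not s.needs_peer_traffic and s.usage in ("Security", "Device") and not (s.client_isolation and s.l2_isolation):
        f.append(f"{tag}: enable client and L2 isolation unless devices must intercommunicate")
    return f


def lint_deployment(ssids: list[SsidConfig], band_steering: bool = True) -> list[str]:
    """Per-SSID rules plus the cross-SSID rules: unique VLAN per SSID, at most
    4 SSIDs per band, and identical SSIDs on both bands when band steering is on."""
    findings = [x for s in ssids for x in lint_ssid(s)]
    vid_by_name: dict = {}
    for s in ssids:
        if vid_by_name.setdefault(s.name, s.vid) != s.vid:
            findings.append(f"{s.name}: different VID on 2.4 GHz and 5 GHz")
    owner: dict = {}
    for name, vid in vid_by_name.items():
        if vid in owner and owner[vid] != name:
            findings.append(f"VLAN {vid} is shared by {owner[vid]} and {name}; each SSID needs its own VLAN")
        owner.setdefault(vid, name)
    for band, n in Counter(s.band for s in ssids).items():
        if n > 4:
            findings.append(f"{n} SSIDs on {band} GHz; keep to 4 or fewer to limit airtime overhead")
    if band_steering:
        names = {b: {s.name for s in ssids if s.band == b} for b in ("2.4", "5")}
        if names["2.4"] != names["5"]:
            findings.append("band steering requires identical SSIDs on both bands")
    return findings


def dual_band(**kw) -> list[SsidConfig]:
    """Same SSID settings on both radios, as band steering requires."""
    return [SsidConfig(band="2.4", **kw), SsidConfig(band="5", **kw)]


# Constructed sample deployments (names, VLANs and passphrases are made up).
GOOD_DEPLOYMENT = (
    dual_band(name="ACME-Staff", usage="Staff", security="WPA2-PSK", encryption="AES",
              passphrase="Correct-horse-battery-staple-7!", hidden=False, client_isolation=False,
              l2_isolation=False, vlan_isolation=True, vid=10)
    + dual_band(name="ACME-Guest", usage="Guest", security="None", encryption=None, passphrase=None,
                hidden=False, client_isolation=True, l2_isolation=True, vlan_isolation=True, vid=20)
    + dual_band(name="ACME-Voice", usage="Voice", security="WPA2-PSK", encryption="AES",
                passphrase="Headsets-roam-fast-2024!", hidden=False, client_isolation=False,
                l2_isolation=False, vlan_isolation=True, vid=30, needs_peer_traffic=True)
)
BAD_DEPLOYMENT = [
    SsidConfig(name="ACME-Guest", usage="Guest", band="2.4", security="None", encryption=None,
               passphrase=None, hidden=False, client_isolation=False, l2_isolation=True,
               vlan_isolation=True, vid=20),
    SsidConfig(name="ACME-IoT", usage="Device", band="2.4", security="WPA-PSK Mixed", encryption="TKIP",
               passphrase="sonos123", hidden=True, client_isolation=True, l2_isolation=True,
               vlan_isolation=True, vid=1),
]

if __name__ == "__main__":
    print("good:", lint_deployment(GOOD_DEPLOYMENT))
    for line in lint_deployment(BAD_DEPLOYMENT):
        print("bad:", line)
```

The good deployment returns no findings; the bad one surfaces every rule it breaks (open guest SSID without client isolation, WPA/TKIP, a short passphrase, a hidden SSID, VLAN 1, and SSIDs missing from the 5 GHz radio while band steering is on).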
Security Settings
There are three types of security settings that may be used:
Disabled {Open}: This allows all clients to associate with the access point, but all traffic between the client and access point is unencrypted and can be read by anyone within radio range. Use only for public / semi-public access networks, and always with client isolation.
Personal {PSK}: This requires the client to have a passphrase (a.k.a. pre-shared key or PSK) to access the network. All traffic is encrypted. This security setting is appropriate for all staff networks not utilizing RADIUS, and all security and device networks. Most Wi-Fi appliances (e.g. cameras, multimedia, IoT, etc.) do not support Enterprise security. Note that the passphrase is shared by every device on the SSID: anyone who knows it and captures a client's association handshake can decrypt that client's traffic, and a captured handshake can be attacked offline by guessing passphrases, so use a long passphrase and change it when a device is lost or a person with access leaves. Never use WEP, WPA, or Mixed Mode. WEP was broken in 2001, and WPA-TKIP was a stopgap that wrapped WEP's RC4 cipher so that existing WEP hardware could be firmware-upgraded; both are deprecated. Always use WPA2-AES only.
Enterprise {RADIUS}: This requires the client to authenticate to a third-party authentication server, such as a RADIUS server, over 802.1X; each client gets its own session keys, so one user cannot decrypt another's traffic. Appropriate for large corporate and facility networks with dedicated IT staff. Most Wi-Fi appliances (e.g. cameras, multimedia, IoT, etc.) do not support Enterprise security. The same rule applies: never use WEP, WPA, or Mixed Mode; always use WPA2-AES only.
Other Security Settings:
Wireless MAC Filter: Used to explicitly allow or deny devices based on pre-programmed MAC addresses. Hard to keep current, and MAC addresses are easy to spoof on client devices, so it provides no real access control. Disabled by default. Do not use.
Wireless Traffic Shaping: This setting limits the amount of bandwidth that can be pushed over the access point for a particular network (SSID). This may be appropriate in certain instances where bandwidth into the property is limited and some bandwidth needs to be reserved for particular applications. Disabled by default.
Figure 6: Security setting screen: disabled {open} network.
Settings Specific to Personal (PSK) Security:
Table 5: Summary table of WPA2-Personal settings.
Variable | Recommended Setting | Explanation |
Security Mode | WPA2-PSK | WPA has been deprecated. Do not use WPA-PSK or WPA-PSK Mixed. Only use WPA2-PSK. |
Encryption | AES | WEP and TKIP have been deprecated. Only use AES. |
Passphrase | {8 – 63 characters} | Best practice is to use a mixture of capital letters, lower case letters, numbers, and special characters. The passphrase should be at least 15 characters long and not a dictionary word or phrase: the 4-way handshake can be captured and the passphrase guessed offline, so length is what makes guessing expensive. |
Group Key Update Interval | 3600 seconds [default] | Frequency at which AP should generate a new group key for broadcast messages to all connected clients. |
Figure 7: Security setting screen: WPA2 Personal.
Settings Specific to Enterprise (RADIUS) Security:
Table 6: Summary table of WPA2-Enterprise settings.
Variable | Recommended Setting | Explanation |
Security Mode | WPA2-Enterprise | WPA has been deprecated. Do not use WPA-Enterprise or WPA Mixed-Enterprise. Only use WPA2-Enterprise. |
Encryption | AES | WEP and TKIP have been deprecated. Only use AES. |
Group Key Update Interval | 3600 seconds [default] | Frequency at which AP should generate a new group key for broadcast messages to all connected clients. |
Radius Server | {IP Address} | IP address of RADIUS server. |
Radius Port | 1812 [default] | UDP Port of RADIUS server. Most installations use UDP/1812. |
Radius Secret | {8 – 63 characters} | Shared secret between the AP and the RADIUS server. Best practice is a mixture of capital letters, lower case letters, numbers, and special characters, at least 15 characters long, and not a dictionary word or phrase. The RADIUS server identifies the AP by its source IP address and holds one secret per AP, so use a different secret for each AP (all SSIDs on one AP that use the same server share it) and configure the matching client entry on the server. |
Radius Accounting | Disable [default] | Enable if RADIUS Accounting server is used on the network. |
Radius Accounting Server | {IP Address} | IP address of RADIUS Accounting server. May be same or different than RADIUS server. |
Radius Accounting Port | 1813 [default] | UDP Port of RADIUS Accounting server. Most installations use UDP/1813. |
Radius Accounting Secret | {8 – 63 characters} | Best practices for security is to use a mixture of capital letters, lower case letters, numbers, and special characters. Ideally should be at least 15 characters in length, and not be a dictionary word or phrase. |
Interim Accounting Interval | 600 [default] | Interval, in seconds, at which the AP sends Interim-Update accounting records for each active session to the accounting server. |
Figure 8: Security setting screen: WPA2 Enterprise.
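To see why Tables 5 and 6 ask for long, non-dictionary passphrases and secrets, the following Python example (added here; not from this guide and not EnGenius code) derives the WPA2-Personal pairwise master key exactly as 802.11i defines it, runs the offline guessing loop an attacker would run against a captured 4-way handshake over a small constructed wordlist, and generates passphrases that satisfy the page's character rules from the operating system's random source. The SSID ACME-IoT and the wordlist are constructed; the same generator serves the RADIUS shared secrets, which follow the same rules.

```python
import hashlib
import hmac
import secrets
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    This is the derivation defined in IEEE 802.11i. The SSID is the salt, which
    is why the same passphrase gives a different PMK on every SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def dictionary_search(ssid: str, target_pmk: bytes, wordlist) -> tuple:
    """Offline guessing loop. An attacker holding a captured 4-way handshake
    checks each guess by deriving the PMK and verifying the handshake MIC;
    comparing against the PMK here stands in for that MIC check and costs the
    same 4096 HMAC-SHA1 rounds per guess. Returns (passphrase or None, guesses)."""
    for n, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(derive_pmk(guess, ssid), target_pmk):
            return guess, n
    return None, len(wordlist)


ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def passphrase_ok(passphrase: str) -> bool:
    """The page's rule: 15-63 characters with upper, lower, digit and special
    characters. Whether it is a dictionary phrase cannot be checked here."""
    classes = (
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    )
    return 15 <= len(passphrase) <= 63 and all(classes)


def generate_passphrase(length: int = 24) -> str:
    """Random passphrase from the OS CSPRNG, usable as the Wi-Fi PSK or as a
    RADIUS shared secret (generate a separate value for each)."""
    if not 15 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8-63 characters; this policy requires at least 15")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if passphrase_ok(candidate):
            return candidate


# Constructed sample inputs (not taken from the page).
SAMPLE_SSID = "ACME-IoT"
SAMPLE_WORDLIST = ["password", "12345678", "sonos123", "letmein1"]

if __name__ == "__main__":
    weak = derive_pmk("sonos123", SAMPLE_SSID)
    print("weak passphrase recovered:", dictionary_search(SAMPLE_SSID, weak, SAMPLE_WORDLIST))
    strong = generate_passphrase()
    print("generated:", strong, "policy ok:", passphrase_ok(strong))
    print("strong passphrase recovered:", dictionary_search(SAMPLE_SSID, derive_pmk(strong, SAMPLE_SSID), SAMPLE_WORDLIST))
```

The derivation reproduces the 802.11i test vector (passphrase "password", SSID "IEEE"), and the sample run shows the short IoT passphrase falling on the third guess while the generated one survives the whole list; a real attacker's list is billions of entries, and only length and randomness keep it out of reach.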
The following figure shows a representative network set up for 4 SSIDs.
Figure 9: SSID setting example.
Wireless Settings: Other
Guest Network Settings: Leave disabled [default]. This is included to provide a separate guest access network on a separate subnet handled by the AP itself. It is intended for a single-AP environment where only a guest and a staff network are needed. Do not use in a multi-AP environment; use a Guest SSID on its own VLAN instead.
Fast Handover / RSSI Threshold: Leave disabled [default]. Per the 802.11 standard, roaming is triggered by the client device. Some client devices are "sticky" and do not trigger a roam even when an AP with a significantly stronger signal is available. When enabled, a client device whose signal falls below the RSSI threshold is disassociated from the access point, forcing the device to roam to another access point with a stronger signal. Only use this feature in multi-AP environments with good Wi-Fi coverage and sticky clients. The RSSI threshold should generally be set between -80 dBm and -90 dBm.
Management VLAN: A management VLAN is a separate VLAN / subnet for your managed network equipment. When implementing VLANs, an explicit management VLAN is recommended to prevent wireless users from accessing network equipment. Before enabling it, make sure the switch port carries that VLAN (tagged) and that you can reach it; otherwise you will lock yourself out of the AP and need a factory reset.
Figure 10: Wireless Settings: Other.
Apply Changes
Click on the “Changes” button in the upper left and click “Apply” to apply all changes made under Network Basic and Network Wireless. The AP will reboot and come back online with the new settings. Log into the AP with the new IP address.
Management Settings: SNMP
Click on the Management Advanced tab and proceed to the section on SNMP Settings.
Table 7: Summary table of Advanced settings: SNMP.
Variable | Recommended Setting | Explanation |
Status | Disable* | SNMP is a valuable and powerful monitoring and management tool. If you are using an NMS or other SNMP software (e.g. Nagios), then enable and change the default settings. If you are not using SNMP, then disable it for security. |
Contact | {company name} | The name or web address of the company installing and maintaining the access point. |
Location | {property name} | The name of the property or facility where the AP is installed. |
Port | 161 | UDP port for SNMP. Typical implementations use UDP/161. |
Community Name (Read Only) | {R/O community string} | String for SNMP read-only access. Always change this from the default "public". SNMPv1/v2c send the community string in cleartext, so treat it as a password and only allow SNMP from the management VLAN. |
Community Name (Read Write) | {R/W community string} | String for SNMP read-write access. Always change this from the default "private". Read-write access allows the AP to be reconfigured; leave it unused unless the NMS needs it. |
Trap Destination Port | 162 | UDP port for SNMP traps. Typical implementations use UDP/162. |
Trap Destination IP Address | {IP Address} | IP address of the server set up to receive SNMP traps. |
Trap Destination Community Name | {community string} | String for SNMP traps. Always change this from the default "public" for security. |
SNMPv3 Status | Disable* | SNMPv3 adds per-user authentication and encryption to SNMP. If you are using an NMS or other SNMP software (e.g. Nagios), prefer SNMPv3 over v1/v2c: enable it and change the default settings. If you are not using SNMPv3, then disable it for security. |
SNMPv3 Username | {username} | Username for SNMPv3 queries. |
SNMPv3 Authorized Protocol | SHA | Hash used to authenticate SNMPv3 requests (the authentication protocol). Prefer SHA over MD5. |
SNMPv3 Authorized Key | {password} | Authentication password for SNMPv3 queries. Always change from the default "12345678" for security. |
SNMPv3 Private Protocol | DES | Cipher used to encrypt SNMPv3 payloads (the privacy protocol). DES is weak by modern standards; if your firmware offers AES, use it instead. Always enable privacy rather than authentication only. |
SNMPv3 Private Key | {password} | Privacy (encryption) password for SNMPv3 queries. Always change from the default "12345678" for security, and do not reuse the authentication key. |
Engine ID | {unique hex string} | Unique hexadecimal string identifying this SNMP engine. It is customary to build it from the MAC address of the device. SNMPv3 keys are localized with the engine ID, so it must be unique per device. |
Figure 11: Management Advanced: SNMP Settings.
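The Engine ID row matters more than it looks: SNMPv3 does not use the authentication and privacy passwords directly but localizes them with the engine ID (RFC 3414), so the same password produces a different key on every AP, and two APs that share an engine ID share keys. The following Python example (added here; not from this guide and not EnGenius code) implements that derivation for the MD5/SHA and DES options in Table 7 and builds a MAC-address-based engine ID in the RFC 3411 format. The enterprise number 12345 and the MAC addresses are placeholders, not EnGenius values.

```python
import hashlib

ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated to exactly 1,048,576 bytes -> Ku.
    The 1 MB stretch is the only work factor SNMPv3 applies to the password."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Binds the key to one engine, so the
    same password yields a different key on every AP with a distinct engine ID."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def mac_engine_id(enterprise_number: int, mac: str) -> bytes:
    """RFC 3411 SnmpEngineID, format 3 (MAC address): enterprise number with the
    high bit set (4 bytes), format octet 0x03, then the 6 MAC octets."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC must be 6 octets")
    return ((1 << 31) | enterprise_number).to_bytes(4, "big") + b"\x03" + mac_bytes


def usm_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes,
             auth_hash: str = "sha1") -> dict:
    """Localized authentication and privacy keys for one AP. The privacy key is
    derived with the authentication hash; DES uses its first 16 bytes
    (8 bytes of key followed by 8 bytes of pre-IV)."""
    auth_kul = localize_key(password_to_key(auth_password, auth_hash), engine_id, auth_hash)
    priv_kul = localize_key(password_to_key(priv_password, auth_hash), engine_id, auth_hash)
    return {"auth": auth_kul, "priv_des": priv_kul[:16]}


# Constructed sample: two APs with the same passwords but different engine IDs.
# 12345 is a placeholder private enterprise number and the MACs are made up.
ENTERPRISE = 12345
AP1 = mac_engine_id(ENTERPRISE, "00:11:22:33:44:55")
AP2 = mac_engine_id(ENTERPRISE, "00:11:22:33:44:66")

if __name__ == "__main__":
    for name, eid in (("AP1", AP1), ("AP2", AP2)):
        keys = usm_keys(b"maplesyrup", b"maplesyrup", eid)
        print(name, "engine", eid.hex(), "auth key", keys["auth"].hex())
```

password_to_key and localize_key reproduce the RFC 3414 Appendix A.3 test vectors for the password "maplesyrup", and the sample run shows the two APs ending up with different keys from identical passwords. Note what the 1 MB stretch does not do: it is a single hash pass, far cheaper than PBKDF2, so the default "12345678" or any short key is trivially guessable from captured traffic, which is another reason to put SNMP on the management VLAN only.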
Management Settings: Other
Table 8: Summary table of Advanced settings: Other.
Variable | Recommended Setting | Explanation |
CLI Setting Status | Disable | Allows access to the command line interface via telnet. This should be disabled because telnet is unencrypted. |
SSH Setting Status | Enable | Allows access to the command line interface via SSH. Enable this if CLI access is desired, because SSH is encrypted, unlike telnet. |
HTTPS Setting Status | Enable [default] | Allows access to the web interface of the AP via HTTPS. |
HTTPS Forward | Enable | Prevents access to the web interface via HTTP and forwards any attempted HTTP connections to HTTPS. This should always be enabled to ensure encrypted access to the AP settings. |
Email Alert | Enable* | If enabled, email alerts are sent to a user when there is an event on the AP. When using this feature, make sure to use a valid "To" address and a valid email account from which to send the emails. Use a mail server that supports TLS, since otherwise the AP's mail credentials and the alert contents cross the network in cleartext. |
Figure 12: Advanced Settings: Other.
After hitting apply, you may need to initiate an explicit https connection to the AP.
Management Settings: Time Zone
Table 9: Summary table of Time Zone Settings
Variable | Recommended Setting | Explanation |
Date and Time Settings | Automatically get Date and Time [default] | When enabled, syncs the clock on the AP with an Internet time server. |
NTP Server | 209.81.9.7 [default] | NTP time server clock.via.net. Any valid NTP time server is acceptable. |
Time Zone | {time zone of NOC} | The time zone of the NOC monitoring the property (or the time zone of the property). |
Daylight Savings | Enable | Enable if Daylight Savings is active in your time zone. For the USA, daylight savings starts on the 2nd Sunday of March at 2:00 am, and ends on the 1st Sunday of November at 2:00 am. |
Figure 13: Time Zone settings.
Management Settings: Wi-Fi Scheduler
If using the Wi-Fi Scheduler or Auto Reboot features, make sure the access point is synchronized with an Internet time server.
Table 10: Summary table of Wi-Fi Scheduler Settings
Variable | Recommended Setting | Explanation |
Auto Reboot Settings Status | Disable [default] | When enabled, automatically reboots the access point on specified days at a specified time. |
Wi-Fi Scheduler | Disable [default] | When enabled, allows only one SSID on only one radio to be active during set intervals, instead of full time. Templates are available, but intervals can be specified for each day of the week. |
Figure 14: Wi-Fi Scheduler settings.
System Manager: Account
It is recommended that the system password be changed from the default password of "admin" for security purposes. The username can also be changed if desired.
Figure 15: Account password screen.
System Manager: Firmware
From this screen, new firmware can be loaded, a backup configuration file can be generated or loaded, and the AP can be reset to factory default. The backup file contains the AP's full configuration, including Wi-Fi passphrases and RADIUS/SNMP secrets, so store it as you would a credential.
Figure 16: Firmware screen.
System Manager: Log
From this screen, the local event log can be seen. Logging events to a remote syslog server can also be enabled on this screen; a remote syslog server is recommended so that events are retained off the device and can be correlated across APs.
Figure 17: Log screen.
Configuring the 5 GHz Radio for WDS Backhaul
In scenarios where the 5 GHz radio is being configured for WDS backhaul, the following settings should be changed.
Table 11: Summary table of WDS Settings changes for 5 GHz WDS mode
Variable | Recommended Setting | Explanation |
Operation Mode (Radio) | WDS Bridge | WDS Bridge Mode should be used when configuring the radio for wireless backhaul. |
Security | AES | AES encryption should always be used for WDS links. |
WEP Key | {disabled} | Not relevant when AES encryption used |
AES Passphrase | {8 – 63 characters} | Best practices for security is to use a mixture of capital letters, lower case letters, numbers, and special characters. Passphrase ideally should be at least 15 characters in length, and not be a dictionary word or phrase. |
ID 1 – 4 | {MAC Address of remote link} | WDS bridging requires specification of the MAC address of the device(s) being connected to wirelessly. Up to 4 remote nodes can connect to a root node. Avoid daisy chaining multiple remote nodes. |
Figure 18: Wireless settings for a WDS link on the 5 GHz radio.