Configure
Use the Configure menus to set the WiFi security settings for Nebula Devices of the selected site.
SSID Advanced Settings
Use this screen to configure the WiFi security, L2 isolation, intra-BSS traffic blocking and walled garden settings for the SSID profiles.
Click Site-wide > Configure > Access points > SSID advanced settings to access this screen.
Site-wide > Configure > Access points > SSID advanced settings Part 1
Site-wide > Configure > Access points > SSID advanced settings Part 2
The following table describes the labels in this screen.
Site-wide > Configure > Access points > SSID advanced settings 
Label
Description
SSID advanced settings
Select the SSID profile to which the settings you configure here are applied.
Network access
*You cannot enable MAC authentication, 802.1X authentication and web authentication at the same time.
*User accounts can be created and authenticated using the NCC user database. See .
Security options
Select Open to allow any client to associate with this network without any data encryption or authentication.
Select Enhanced-open to allow any client to associate with this network without any password but with improved data encryption.
Upon selecting Enhanced-open or WPA Personal With WPA3, transition mode generates two VAPs so that devices that do not support Enhanced-Open/WPA Personal With WPA3 can connect using the Open/WPA Personal With WPA2 network. This is always on at the time of writing.
Select WPA Personal With (WPA1/WPA2/WPA3) and enter a pre-shared key from 8 to 64 case-sensitive keyboard characters to enable WPA1/2/3-PSK data encryption. Upon selecting WPA Personal With WPA3, Nebula Devices that do not support it will revert to WPA2.
Turn on 802.11r to enable IEEE 802.11r fast roaming on the access point. 802.11r fast roaming reduces the delay when the clients switch from one Nebula Device to another by allowing security keys to be stored on all Nebula Devices in a network. Information from the original association is passed to the new Nebula Device when the client roams. The client does not need to perform the whole 802.1x authentication process.
Click Print to display the QR code that includes the password for quick access. You can save the QR code as PDF.
Select Dynamic personal psk to have every user connect to the SSID using a unique pre-shared key (PSK) that is linked to their user account. This allows you to revoke a user’s WiFi network access by disabling their account.
After enabling this option, you must create one or more DPPSK users in the site or organization at Site-wide > Configure > Cloud authentication > Account Type > DPPSK.
For details on creating a site DPPSK user, see Create/Update User Account.
For details on creating organization DPPSK users, see Configure.
Turn on MAC-based Authentication with to authenticate WiFi clients by their MAC addresses. Select My RADIUS server to use an external RADIUS server, or select Nebula cloud authentication to use the NCC for MAC authentication.
Select WPA-Enterprise with to enable 802.1X secure authentication. You can select My RADIUS server to use an external RADIUS server or select Nebula cloud authentication to use the NCC for 802.1X authentication.
Turn on 802.11r to enable IEEE 802.11r fast roaming on the Nebula Device. 802.11r fast roaming reduces the delay when the clients switch from one Nebula Device to another by allowing security keys to be stored on all Nebula Devices in a network. Information from the original association is passed to the new Nebula Device when the client roams. The client does not need to perform the whole 802.1x authentication process.
Select Two-Factor Authentication to require that the user log in using both their password and a Google Authenticator code. To log in, users must have Two-Factor Authentication enabled on their account and have set up Google Authenticator on their mobile device.
Select Enable on RAP only to only require Two-Factor Authentication when accessing the network through a remote access point (RAP).
Sign-in method
Select Disabled to turn off web authentication.
Select Click-to-continue to block network traffic until a client agrees to the user agreement policy.
*After enabling Click-to-continue, the Nebula Device creates a user account with user name “clicktocontinue_X_Y”, where X is the radio type (1 = 2.4 GHz, 2 = 5 GHz) and Y is the SSID number (1–8) of the SSID profile. The Nebula Device uses this account to authenticate clients who agree to the terms of the click-to-continue page.
Select Voucher to require that a user logs in with a voucher code. For details on vouchers, see Vouchers.
*Vouchers cannot be enabled if Dynamic Personal Pre-Shared Key (DPPSK) or WPA Enterprise are enabled. You can only enable voucher authentication for one SSID per site.
Select Sign-on with and:
select Nebula cloud authentication to block network traffic until a client authenticates with the NCC through the specifically designated web portal page.
select My RADIUS server to block network traffic until a client authenticates with an external RADIUS server through the specifically designated web portal page. Enable MAC authentication fallback when both RADIUS-based MAC authentication and web authentication are implemented.

Scenario 1: When MAC authentication fails.
A WiFi client tries to connect to the WiFi network using MAC authentication (RADIUS server). If MAC authentication fails, the client falls back to web authentication. The WiFi client needs to provide a user name and password for web authentication.

Scenario 2: When MAC authentication is successful.
A WiFi client tries to connect to the WiFi network and passes MAC authentication. Web authentication is then skipped.
*When MAC authentication fallback is enabled, the WiFi client can avoid network disassociations due to MAC authentication failure.
select Facebook to block network traffic until a client authenticates with the NCC using Facebook Login.
Facebook Login is a secure and quick way for users to log into your app or website using their existing Facebook accounts. If you get the App ID for your app at the Facebook developers site, you can enter your Facebook app ID to obtain more information about your users using Facebook Analytics, such as user activity, age, gender, and so on.
select Facebook Wi-Fi to let users check in to a business on Facebook for free Internet access after connecting to the Nebula Device’s WiFi network. Users then have the option to like the Facebook fan page. You should already have set up a Facebook fan page associated with the business location.
Click here to open the Facebook WiFi configuration screen in a new window, where you can select the Facebook Page associated with your location and configure bypass mode and session length.
*When the NCC license of the organization expires, the SSID configured with Facebook WiFi will be disabled automatically. To enable the SSID again, change its authentication method or register with a new license key.
RADIUS server
This field is available only when you select to use the following:
MAC-based Authentication with My RADIUS server or WPA2-Enterprise with My RADIUS server in the WLAN security field, or
when you select Sign-on with My RADIUS server in the Sign-in method field.
Click Add to specify the IP address/domain name, port number, and shared secret password of the RADIUS server to be used for authentication.
*You must enter the Account Format and Calling Station ID when the MAC authentication fallback field is enabled.
*Nebula Devices with firmware version 5.50 or older will turn OFF this SSID when the Host field is configured with a domain name.
NAS Identifier
If the RADIUS server requires the Nebula Device to provide the Network Access Server identifier attribute with a specific value, enter it here.
RADIUS accounting
This field is available only when you select to use WPA2-Enterprise with My RADIUS server in the WLAN security field, or when you select Sign-on with My RADIUS server in the Sign-in method field.
Select RADIUS accounting enabled to enable user accounting through an external RADIUS server.
Select RADIUS accounting disabled to disable user accounting through an external RADIUS server.
RADIUS accounting servers
If you select RADIUS accounting enabled, click Add to specify the IP address, port number and shared secret password of the RADIUS server to be used for accounting.
Captive portal advance setting
Walled garden
Select On to enable Walled garden.
Walled garden ranges
This field is not configurable if you set Sign-in method to Disabled. With a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements, for example.
Select to turn on or off the walled garden feature.
Specify walled garden web site links, which use a (wildcard) domain name or an IP address for web sites that all users are allowed to access without logging in.
Self-registration
This field is available only when you set Sign-in method to Sign-on with Nebula Cloud authentication.
Select Allow users to create accounts with auto authorized or Allow users to create accounts with manual authorized to display a link in the captive portal login page. The link directs users to a page where they can create an account before they authenticate with the NCC. For Allow users to create accounts with manual authorized, users cannot log in with the account until the account is authorized and granted access. For Allow users to create accounts with auto authorized, users can just use the registered account to log in without administrator approval.
Select Don’t allow users to create accounts to not display a link for account creation in the captive portal login page.
Simultaneous login limit
This field is available only when you set Sign-in method to Sign-on with My RADIUS server or Sign-on with Nebula Cloud authentication.
Select Unlimited if you allow users to log in as many times as they want as long as they use different IP addresses.
Select 1 to 10 if you do NOT allow users to have simultaneous logins.
Strict Policy
Select Allow HTTPS traffic without sign-on to let users use HTTPS to access a web site without authentication.
Select Block all access until sign-on to block both HTTP and HTTPS traffic until users authenticate their connections. The portal page will not display automatically if users try to access a web site using HTTPS. They will see an error message in the web screen.
Reauth time
Select Follow site-wide setting or select a specific time the user can be logged in through the captive portal in one session before having to log in again.
NCAS disconnect behavior
This field is available only when:
you set Sign-in method to Sign-on with Nebula Cloud authentication
you enable MAC-based Authentication with and you select Nebula cloud authentication
Select Allowed to allow any users to access the network without authentication when the NCAS (Nebula Cloud Authentication Server) is not reachable.
Select Limited to allow only the currently connected users or the users in the white list to access the network.
Traffic options
Forwarding mode
Select Local bridge if you only want to access the Internet. Network traffic from clients connected to the Nebula Device is sent directly to the network through the access point’s local gateway.
Select NAT mode to have the Nebula Device create a DHCP subnet with its own NAT for the SSID. This simplifies WiFi network management, as you do not need to configure a separate DHCP server.
The following Nebula Device features do not work when NAT mode is enabled:
802.11r
Layer2 isolation
Dynamic VLAN (cloud authentication, RADIUS server)
*In NAT mode, clients cannot communicate with clients connected to a different Nebula Device.
Select Tunnel mode to forward broadcast and multicast traffic using an existing VLAN interface in the Nebula Device (Security Firewall device). This is the interface you configured in Site-wide > Configure > Security gateway > Interface addressing.
*Tunnel mode is available for Nebula Device (Security Firewall device) only.
In Tunnel mode, make sure the ICMP protocol is enabled. See Site-wide > Configure > Firewall: Policy routes/Traffic shaping and Site-wide > Configure > Firewall > Security policy: Action for information.
Select Tunnel mode for clients that want to access the network behind the Nebula Device. Select Local bridge for clients that want to access the Internet, but you do not want them to access the network behind the Nebula Device.
Rate-limit
Set the maximum data download and upload rates in Kbps, on a per-station basis.
Click a lock icon to change the lock state. If the lock icon is locked, the limit you set applies to both download and upload traffic. If the lock is unlocked, you can set download and upload traffic to have different transmission speeds.
Advanced settings
VLAN ID
Enter the ID number of the VLAN to which the SSID belongs.
*If you have a Nebula Security Appliance installed in the site but did not configure an identical VLAN interface on the gateway, the message “Smart Guest/VLAN network tip, click here.” displays. Click here to open a screen where you can create a gateway interface with the specified VLAN ID.
*If you select Tunnel mode in Forwarding mode, the Tunnel to gateway interface field appears. Select LAN1 as the default.
Band mode
Select to have the SSID use either 2.4GHz band, 5GHz band, or 6GHz band only.
Layer 2 isolation
This field is not configurable if you select NAT mode.
Select to turn on or off layer-2 isolation. If a device’s MAC address is NOT listed, it is blocked from communicating with other devices in an SSID on which layer-2 isolation is enabled.
Click Add to enter the MAC address of each device that you want to allow to be accessed by other devices in the SSID on which layer-2 isolation is enabled.
Intra-BSS traffic blocking
Select on to prevent crossover traffic from within the same SSID. Select off to allow intra-BSS traffic.
Band select
Select to enable band steering. When enabled, the Nebula Device steers WiFi clients to the 5 GHz band.
*Band mode must be set to Concurrent operation (2.4 GHz and 5 GHz).
Assisted roaming
Select to turn on or off IEEE 802.11k/v assisted roaming on the Nebula Device.
When the connected clients request 802.11k neighbor lists, the Nebula Device responds with a list of neighbor Nebula Devices that can be candidates for roaming. When the 802.11v capable clients are using the 2.4 GHz band, the Nebula Device can send 802.11v messages to steer clients to the 5 GHz band.
802.11r
Select to turn on or off IEEE 802.11r fast roaming on the Nebula Device.
802.11r fast roaming reduces the delay when the clients switch from one Nebula Device to another, by allowing security keys to be stored on all Nebula Devices in a network. Information from the original association is passed to the new Nebula Device when the client roams. The client does not need to perform the whole 802.1x authentication process.
U-APSD
Select to turn on or off Automatic Power Save Delivery. This helps increase battery life for battery-powered WiFi clients connected to the Nebula Device.
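The restrictions noted in the table above can be checked before a profile is applied. The following is an added example, not Zyxel code or a Nebula API: the dictionary keys and values are hypothetical names for the options in this screen, and the sample profiles are constructed.

```python
# Added example. Keys and values are hypothetical labels for the options in the
# SSID advanced settings table; this is not a Nebula export format or API.

def lint_ssid(p):
    """Return a sorted list of (severity, code) findings for one SSID profile dict."""
    out = []
    security = p.get("security", "open")   # open, enhanced-open, wpa-personal, dppsk, wpa-enterprise
    sign_in = p.get("sign_in", "disabled")  # disabled, click, voucher, cloud, radius, facebook
    mac_auth = p.get("mac_auth")            # None, "radius" or "cloud"
    web_auth = sign_in != "disabled"
    dot1x = security == "wpa-enterprise"

    # Network access note, read here (assumption) as: all three methods
    # cannot be enabled together on one SSID.
    if mac_auth and dot1x and web_auth:
        out.append(("error", "mac+8021x+web"))

    # WPA Personal: pre-shared key of 8 to 64 characters.
    if security == "wpa-personal" and not 8 <= len(p.get("psk", "")) <= 64:
        out.append(("error", "psk-length"))

    # Vouchers cannot be enabled together with DPPSK or WPA Enterprise.
    if sign_in == "voucher" and security in ("dppsk", "wpa-enterprise"):
        out.append(("error", "voucher-conflict"))

    # NAT mode: 802.11r, layer-2 isolation and dynamic VLAN do not work.
    if p.get("forwarding") == "nat":
        for feature in ("802.11r", "l2_isolation", "dynamic_vlan"):
            if p.get(feature):
                out.append(("error", "nat-disables-" + feature))

    # MAC authentication fallback needs Account Format and Calling Station ID.
    if p.get("mac_auth_fallback") and not (
            p.get("account_format") and p.get("calling_station_id")):
        out.append(("error", "fallback-missing-radius-fields"))

    # Valid settings that widen access; flag them for review.
    if security == "open" and not web_auth and not mac_auth:
        out.append(("warn", "open-no-auth"))
    if web_auth and p.get("strict_policy") == "allow-https":
        out.append(("warn", "https-before-sign-on"))
    if p.get("ncas_disconnect") == "allowed":
        out.append(("warn", "ncas-fail-open"))
    if p.get("self_registration") == "auto":
        out.append(("warn", "self-registration-auto"))
    return sorted(out)


def lint_site(profiles):
    """Per-profile findings keyed by SSID name, plus the site-wide voucher rule."""
    report = {p["name"]: lint_ssid(p) for p in profiles}
    vouchers = [p["name"] for p in profiles if p.get("sign_in") == "voucher"]
    # Voucher authentication can be enabled for only one SSID per site.
    if len(vouchers) > 1:
        for name in vouchers:
            report[name] = sorted(report[name] + [("error", "voucher-multiple-ssids")])
    return report


# Constructed sample site, for illustration only.
SAMPLE_SITE = [
    {"name": "corp", "security": "wpa-enterprise", "forwarding": "nat", "802.11r": True},
    {"name": "guest", "security": "open", "sign_in": "cloud",
     "strict_policy": "allow-https", "ncas_disconnect": "allowed",
     "self_registration": "auto"},
    {"name": "lobby", "security": "wpa-personal", "psk": "short", "sign_in": "voucher"},
    {"name": "events", "security": "dppsk", "sign_in": "voucher"},
]

if __name__ == "__main__":
    for ssid, findings in lint_site(SAMPLE_SITE).items():
        for severity, code in findings:
            print(f"{ssid}: {severity}: {code}")
```

Errors are combinations the table says cannot be enabled or do not work; warnings are permitted settings that let traffic through before or without authentication.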
Captive Portal Customization
Use this screen to configure captive portal settings for SSID profiles. A captive portal intercepts network traffic until the user authenticates his or her connection, usually through a specifically designated login web page.
Click Site-wide > Configure > Access points > Captive portal customization to access this screen.
Site-wide > Configure > Access points > Captive portal customization
The following table describes the labels in this screen.
Site-wide > Configure > Access points > Captive portal customization 
Label
Description
SSID
Select the SSID profile to which the settings you configure here are applied.
Themes
This section is not configurable when External captive portal URL is set to ON.
Click the Preview icon at the upper right of a theme image to display the portal page in a new frame.
Click the Copy icon to create a new custom theme (login page).
Click the Edit icon of a custom theme to go to a screen where you can view and configure the details of the custom theme pages. See Custom Theme Edit.
Click the Remove icon to delete a custom theme page.
Select the theme you want to use on the specified SSID.
Click-to-continue/Voucher/Sign-on page
This section is not configurable when External captive portal URL is set to ON.
Logo
This shows the logo image that you uploaded for the customized login page.
Click Upload a logo and specify the location and file name of the logo graphic or click Browse to locate it. You can use the following image file formats: GIF, PNG, or JPG.
Message
Enter a note to display below the title. Use up to 1024 printable ASCII characters. Spaces are allowed.
Success page
Message
Enter a note to display on the page that displays when a user logs in successfully. Use up to 1024 printable ASCII characters. Spaces are allowed.
External captive portal URL
Use URL
Select On to use a custom login page from an external web portal instead of the one built into the NCC. You can configure the look and feel of the web portal page.
Specify the login page’s URL; for example, http://IIS server IP Address/login.asp. The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Click Download to download a ZIP file containing example captive portal files. Edit these files, then upload them to a web server that is accessible from the NCC.
Captive portal behavior
After the captive portal page where the user should go?
Select To promotion URL and specify the URL of the web site or page to which the user is redirected after a successful login. Otherwise, select Stay on Captive portal authenticated successfully page.
Custom Theme Edit
Use this screen to check what the custom portal pages look like. You can also view and modify the CSS values of the selected HTML file. Click a custom login page’s Edit button in the Site-wide > Configure > Access points > Captive portal screen to access this screen.
Site-wide > Configure > Access points > Captive portal: Edit
The following table describes the labels in this screen.
Site-wide > Configure > Access points > Captive portal: Edit 
Label
Description
Back to config
Click this button to return to the Captive portal screen.
Theme name
This shows the name of the theme. Click the edit icon to change it.
Font
Click the arrow to hide or display the configuration fields.
To display this section and customize the font type and/or size, click on an item with text in the preview of the selected custom portal page (HTML file).
Color
Click the arrow to hide or display the configuration fields.
Click an item in the preview of the selected custom portal page (HTML file) to customize its color, such as the color of the button, text, window’s background, links, borders, and so on.
Select a color that you want to use and click the Select button.
HTML/CSS
This shows the HTML file name of the portal page created for the selected custom theme. This also shows the name of the CSS files created for the selected custom theme.
Click an HTML file to display the portal page. You can also change colors and modify the CSS values of the selected HTML file.
Click this button to view and modify the CSS values of the selected HTML file. It is recommended that you do NOT change the script code to ensure proper operation of the portal page.
Click this button to preview the portal page (the selected HTML file).
Save
Click this button to save your settings for the selected HTML file to the NCC.
Apply
Click this button to save your settings for the selected HTML file to the NCC and apply them to the access points in the site.
SSID Availability
Use this screen to configure SSID availability and the schedules which can be applied to the SSIDs. The SSID is enabled or disabled at the specified time. Click Site-wide > Configure > Access points > SSID availability to access this screen.
Site-wide > Configure > Access points > SSID availability
The following table describes the labels in this screen.
Site-wide > Configure > Access points > SSID availability 
Label
Description
SSID
Select the SSID profile to which the settings you configure here are applied.
SSID availability
Visibility
Select Hide this SSID if you want to hide your SSID from WiFi clients. This tells any WiFi clients in the vicinity of the Nebula Device using this SSID profile not to display its SSID name as a potential connection. Not all WiFi clients respect this flag and display it anyway. Otherwise, select Broadcast this SSID.
When an SSID is “hidden” and a WiFi client cannot see it, the only way you can connect to the SSID is by manually entering the SSID name in your WiFi connection setup screens (these vary by client, client connectivity software, and operating system).
Tagging
Enter the tags you created for Nebula Devices in the Site-wide > Devices > Access points screen. The SSID profile will only be applied to Nebula Devices with the specified tag.
If you leave this field blank, this SSID profile will be applied to all Nebula Devices in the site.
SSID schedule
Enabled
Click On to enable and configure a schedule.
Schedule
Select a schedule to control when the SSID is enabled or disabled. You can click the edit icon to change the schedule name.
Schedule templates
Select a pre-defined schedule template or select Custom schedule and manually configure the day and time at which the SSID is enabled or disabled.
Day
This shows the day of the week.
Availability
Click On to enable the SSID at the specified time on this day. Otherwise, select Off to disable the SSID on the day and at the specified time.
Specify the hour and minute when the schedule begins and ends each day.
Add
Click this button to create a new schedule. A window pops up asking you to enter a descriptive name for the schedule for identification purposes.
Delete
Click this button to remove a schedule which is not used in any SSID profile.
Radio Settings
Use this screen to configure global radio settings for all Nebula Devices in the site. Click Site-wide > Configure > Access points > Radio settings to access this screen.
Site-wide > Configure > Access points > Radio settings
The following table describes the labels in this screen.
Site-wide > Configure > Access points > Radio settings 
Label
Description
Country
Select the country where the Nebula Device is located or installed.
The available channels vary depending on the country you selected. Be sure to select the correct or same country for both radios on a Nebula Device and all connected Nebula Devices in order to prevent roaming failure and interference with other systems.
Deployment selection
Select High-density (More than 10 APs) for the lowest output power for 10 or more Access Points.
Select Moderate-density (6-9 APs) for moderate output power for 5 to 9 Access Points.
Select Low-density (2-5 APs) for higher concentration of output power for less than 5 Access Points.
Select Single AP for highest concentration of output power for a single Access Point.
Maximum output power
Selecting any of the options in the Deployment selection field automatically sets the maximum output power for 2.4 / 5 / 6 GHz. You can still change the setting (1 – 30 dBm).
Channel width
Select the wireless channel bandwidth you want the access point to use.
A standard 20 MHz channel offers transfer speeds of up to 144 Mbps (2.4 GHz) or 217 Mbps (5 GHz) whereas a 40 MHz channel uses two standard channels and offers speeds of up to 300 Mbps (2.4 GHz) or 450 Mbps (5 GHz). An IEEE 802.11ac-specific 80 MHz channel offers speeds of up to 1.3 Gbps.
40 MHz (channel bonding or dual channel) bonds two adjacent radio channels to increase throughput. An 80 MHz channel consists of two adjacent 40 MHz channels. The WiFi clients must also support 40 MHz or 80 MHz. It is often better to use the 20 MHz setting in a location where the environment hinders the WiFi signal.
*It is suggested that you select 20 MHz when there is more than one 2.4 GHz Nebula Device in the network.
*It is not possible to set channel bandwidth to 160 MHz for the whole site. To configure a Nebula Device to use 160 MHz, select a supported Nebula Device in the table at the bottom of the screen, click Edit, and then select 160 MHz under Channel width.
DCS setting
DCS time interval
Select ON to set the DCS time interval (in minutes) to regulate how often the Nebula Device surveys the other Nebula Devices within its broadcast radius. If the channel on which it is currently broadcasting suddenly comes into use by another Nebula Device, the Nebula Device will then dynamically select the next available clean channel or a channel with lower interference.
DCS schedule
Select ON to have the Nebula Device automatically find a less-used channel within its broadcast radius at a specific time on selected days of the week.
You then need to select each day of the week and specify the time of the day (in 24-hour format) to have the Nebula Device use DCS to automatically scan and find a less-used channel.
DCS client aware
Select ON to have the Nebula Device wait until all connected clients have disconnected before switching channels.
Avoid 5G DFS channel
If your Nebula Devices are operating in an area known to have RADAR devices, the Nebula Device will choose non-DFS channels to provide a stable WiFi service.
Blacklist DFS channels in the presence of radar
Select ON to blacklist a channel if RADAR is detected. After being blacklisted, the Nebula Device will not use the channel again until the Nebula Device is rebooted. However, the Nebula Device can still use other DFS channels.
2.4 GHz channel deployment
Select Three-Channel Deployment to limit channel switching to channels 1, 6, and 11, the three channels that are sufficiently attenuated to have almost no impact on one another. In other words, this allows you to minimize channel interference by limiting channel-hopping to these three “safe” channels.
Select Four-Channel Deployment to limit channel switching to four channels. Depending on the country domain, if the only allowable channels are 1 – 11 then the Nebula Device uses channels 1, 4, 7, 11 in this configuration; otherwise, the Nebula Device uses channels 1, 5, 9, 13 in this configuration. Four channel deployment expands your pool of possible channels while keeping the channel interference to a minimum.
Select All available channels to allow channel-hopping to have the Nebula Device automatically select the best channel.
Select Manual to select the individual channels the Nebula Device switches between.
5 GHz channel deployment
Select how you want to specify the channels the Nebula Device switches between for 5 GHz operation.
Select All available channels to have the Nebula Device automatically select the best channel.
Select Manual to select the individual channels the Nebula Device switches between.
*The method is automatically set to All available channels when no channel is selected or any one of the previously selected channels is not supported.
6 GHz channel deployment
Select how you want to specify the channels the Nebula Device switches between for 6 GHz operation.
Select All available channels to have the Nebula Device automatically select the best channel.
Select Manual to select the individual channels the Nebula Device switches between.
*The method is automatically set to All available channels when no channel is selected or any one of the previously selected channels is not supported.
Allow 802.11ax/ac/n stations only
Select ON to have the Nebula Device allow only IEEE 802.11n/ac/ax clients to connect, and reject IEEE 802.11a/b/g clients.
Smart Steering
Select ON to enable smart client steering on the Nebula Device. Client steering helps monitor WiFi clients and drop their connections to optimize the bandwidth when the clients are idle or have a low signal. When a WiFi client is dropped, it has the opportunity to steer to a Nebula Device with a strong signal. Additionally, dual band WiFi clients can also steer from one band to another.
Select OFF to disable this feature on the Nebula Device.
ADVANCED OPTIONS
Click this to display a greater or lesser number of configuration fields.
2.4G/5G/6G Setting
Disassociate Station Threshold
Set a minimum kick-off signal strength. When a WiFi client’s signal strength is lower than the specified threshold, the Nebula Device disconnects the WiFi client.
–20 dBm is the strongest signal you can require and –105 dBm is the weakest.
Optimization aggressiveness
High, Standard and Low stand for different traffic rate threshold levels. The level you select here decides when the Nebula Device takes action to improve the access point’s WiFi network performance. The Nebula Device will postpone the actions implemented on access points until your network is less busy if the threshold is exceeded.
Select a suitable traffic rate threshold level for your network.
High: Select this if you want the Nebula Device to postpone the action set when the access point network traffic is heavy.
Standard: Select this if you want the Nebula Device to postpone the action set when the access point network traffic is medium.
Low: Select this if you want the Nebula Device to postpone the action set when the access point network traffic is low.
802.11d
Click this to enable 802.11d on the access point.
802.11d is a WiFi network specification, for use in countries where 802.11 WiFi is restricted. Enabling 802.11d causes the Nebula Device to broadcast the country where it is located, which is determined by the Country setting.
WLAN Rate Control Setting
2.4Ghz/5Ghz/6Ghz
Sets the minimum data rate at which 2.4 GHz, 5 GHz, and 6 GHz WiFi clients can connect to the Nebula Device, in Mbps.
Increasing the minimum data rate can reduce network overhead and improve WiFi network performance in high density environments. However, WiFi clients that do not support the minimum data rate will not be able to connect to the Nebula Device.
Edit
Click this button to modify the channel, output power, channel width, airtime fairness (the same setting will apply to both 2.4 GHz and 5 GHz), and smart steering settings for the selected Nebula Devices.
On the Nebula Device that comes with internal antennas and also has an antenna switch, you can adjust coverage depending on the orientation of the antenna for the Nebula Device radios. Select Wall if you mount the Nebula Device to a wall. Select Ceiling if the Nebula Device is mounted on a ceiling. You can switch from Wall to Ceiling if there are still WiFi dead zones, and so on. If you select Hardware Switch, you use the physical antenna switch to adjust coverage and apply the same antenna orientation settings to both radios.
*On this screen, you can set channel width to 160 MHz for the 5/6 GHz channel, if the Nebula Device supports it.
DCS Now
Click this button to have the selected Nebula Devices immediately scan for and select a channel that has least interference.
List
Click this to display a list of all connected Nebula Devices.
Map
Click this to display the locations of all connected Nebula Devices on the Google map.
2.4GHz
Click this to display the connected Nebula Devices using the 2.4 GHz frequency band.
5GHz
Click this to display the connected Nebula Devices using the 5 GHz frequency band.
6GHz
Click this to display the connected Nebula Devices using the 6 GHz frequency band.
BandFlex
Click this to display the connected Nebula Devices that support BandFlex (5 GHz or 6 GHz frequency bands).
Hide transmit circles
Click this button to not show the transmission range on the Map.
Access point
This displays the descriptive name or MAC address of the connected Nebula Device.
Radio #
This displays the number of the connected Nebula Device’s radio.
Model
This displays the model name of the connected Nebula Device.
Radio mode
This displays the type of WiFi radio the Nebula Device is currently using, for example 802.11b/g/n.
Channel
This displays the channel ID currently being used by the connected Nebula Device’s radio.
Transmit power
This displays the current transmitting power of the connected Nebula Device’s radio. If the Nebula Device is offline, this shows the maximum output power you configured for the Nebula Device.
Channel width
This displays the wireless channel bandwidth the connected Nebula Device’s radio is set to use.
Smart steering
This displays whether smart client steering is enabled or disabled on the connected Nebula Devices.
Antenna
This displays the antenna orientation settings for the Nebula Device that comes with internal antennas and also has an antenna switch.
Airtime fairness
This displays whether airtime fairness is enabled or disabled on the connected Nebula Device.
Click this icon to display a greater or lesser number of configuration fields. For faster loading of data, select only the configuration fields listed that do NOT take a long time to fetch data.
The following table describes the pre-defined deployments and the related output power, channel width, DFS (Dynamic Frequency Selection) setting, rate control, and channel deployment.
Radio Deployment Selection and Corresponding Parameters 
| Deployment | High density | Moderate density | Low density | Single AP |
|---|---|---|---|---|
| Number of APs | More than 10 | 6 – 9 | 2 – 5 | 1 |
| Power (dBm), 2G | 12 | 15 | 20 | 30, 20 (EU) |
| Power (dBm), 5G | 15 | 18 | 30 | 30 |
| Power (dBm), 6G | 18 | 21 | 30 | 30 |
| Channel width (MHz), 5G | 20 | 40 | 80 | 80 |
| Channel width (MHz), 6G | 80 | 160 | 160 | 160 |
| Avoid 5G DFS channel / Blacklist DFS channels in the presence of radar | Disabled / Enabled | Enabled / Disabled | Enabled / Disabled | Enabled / Disabled |
| Rate control (Mbps), 2.4G | 11 | 1 | 1 | 1 |
| Rate control (Mbps), 5G | 12 | 6 | 6 | 6 |
| 2.4G channel deployment | All channels | Three-channel | Three-channel | Three-channel |
Traffic Shaping
This feature is for dynamic VLAN application. The data limit set here applies to the VLAN on a per WiFi client basis. This has a higher priority than the data limit set in Site-wide > Configure > Access points > SSID advanced settings, which is applied on a per station basis. Use this screen to configure maximum bandwidth on the Nebula Device.
Click Site-wide > Configure > Access points > Traffic shaping to access this screen.
Site-wide > Configure > Access points > Traffic shaping
The following table describes the labels in this screen.
Site-wide > Configure > Access points > Traffic shaping 
Label
Description
WLAN traffic shaping
Rule Name
Enter the name of the traffic shaping rule. The name is used to refer to the traffic shaping rule. You may use 1 – 31 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
VLAN ID
Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 – 4094. (0 and 4095 are reserved.)
Rate-limit
Set the maximum data download and upload rate in Mb/s, on a per WiFi client basis. Allowed values are 1 – 160.
Click the lock icon to change the lock state. If the lock icon is locked, the data limit you set applies to both download and upload traffic. If the lock is unlocked, you can set download and upload traffic to have different data limits.
Add
Click this button to create a new rule.
Security Service
Use this screen to enable or disable the features available in the security pack for your Nebula Device, such as application visibility and optimization and/or IP reputation filter.
Click Site-wide > Configure > Access points > Security service to access this screen.
Site-wide > Configure > Access points > Security service
The following table describes the labels in this screen.
Site-wide > Configure > Access points > Security service 
Label
Description
Application Visibility & Optimization
Application visibility & Optimization
Select this option to turn on application visibility and optimization. Application visibility and optimization does the following:
Detects the type of applications used by WiFi clients,
Throttles specific applications to save WiFi bandwidth.
Application visibility provides a way for a Nebula Device to manage the use of various applications on its WiFi network. It can detect the type of applications used by WiFi clients and how much bandwidth they use.
Application optimization limits the applications' bandwidth usage by their categories. You can manage and view the applications and their categories in Site-wide > Applications usage > Application view by Access Point.
Threat Protection
Enabled
Select this option to allow inspection of DNS queries made by clients on your network and turn on IP blocking on the Nebula Device.
When you enable the DNS threat service, your Nebula Device inspects the DNS queries against a database of blocked or allowed Fully Qualified Domain Names (FQDNs). You can have the Nebula Device reply to the user with a fake DNS response (where the user will see a “Web Page Blocked!” page).
When you enable the IP reputation service, your Nebula Device downloads signature files that identify the reputation of IPv4 addresses. You can have the Nebula Device forward, block, and/or log packets from IPv4 addresses based on these signatures and categories.
Block log
Select this option to create a log on the Nebula Device when the packet comes from an IPv4 address with bad reputation.
Click to proceed
Select this option to allow clients to browse unsafe websites. When enabled, the denied access message window includes the Proceed button. To continue, you must close and restart your web browser to visit the unsafe website.
Denied access message
Enter a message to be displayed when IP reputation filter blocks access to a web page. Use up to 127 characters (0–9a–zA–Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”.
It is also possible to leave this field blank if you have a URL specified in the Redirect external URL field. In this case if the IP reputation filter blocks access to a web page, the Nebula Device just opens the web page you specified without showing a denied access message.
Redirect external URL
Enter the URL of the web page to which you want to send users when their web access is blocked by IP reputation filter. The web page you specify here opens in a new frame below the denied access message.
Use “http://” or “https://” followed by up to 262 characters (0–9a–zA–Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.
Notification page
Select this option to display the notification page.
Enable on
Select the SSID 1 – 8 that is allowed access to WiFi clients.
Access message
Enter a message to be displayed when access to a web page is allowed. Use up to 127 characters (0–9a–zA–Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”.
Category list
Select the categories of packets that come from the Internet and are known to pose a security threat to users or their computers.
IP Reputation exempt list
Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list.
Add the IPv4 addresses whose incoming and outgoing packets the Nebula Device will allow.
DNS Threat exempt list
Domain names that you want to allow access to, regardless of their reputation, can be allowed by adding them to this list.
Add the Fully Qualified Domain Names (FQDNs) for which the Nebula Device will allow DNS query packets.
AP & Port Settings
Use this screen to configure general Nebula Device settings and network traffic load balancing between the Nebula Devices in the site. This screen also allows you to enable or disable a port on the managed Nebula Device and configure the port’s VLAN settings. The port settings apply to all Nebula Devices that are assigned to the site and have one or more than one Ethernet LAN port (except the uplink port).
Click Site-wide > Configure > Access points > AP & port settings to access this screen.
Site-wide > Configure > Access points > AP & port settings
The following table describes the labels in this screen.
Site-wide > Configure > Access points > AP & port settings 
Label
Description
General setting
AP LED lights
Click to turn on or off the LEDs on the Nebula Devices.
AP Smart Mesh
Click to enable or disable the Nebula Smart Mesh feature on all Nebula Devices in the site.
Click Model list to see whether your Nebula Device supports Nebula Smart Mesh.
*Nebula Smart Mesh is a WiFi mesh solution for Nebula Devices. For details, see Nebula Smart Mesh.
*You can override NCC settings and enable or disable Smart Mesh on individual Nebula Devices. For details, see Access Point Details.
*Disabling Nebula Device Smart Mesh automatically disables wireless bridge on all Nebula Devices in the site. For details on wireless bridge, see Access Point Details.
Ethernet failover
When enabled, a wired Nebula Device in the site automatically changes its role from mesh controller to mesh extender if the Nebula Device is unable to reach the site’s gateway.
When disabled, a wired Nebula Device in the site automatically changes its role from mesh controller to mesh extender only if the Nebula Device’s uplink Ethernet cable is unplugged.
*For details on mesh controller and mesh extender, see Nebula Smart Mesh.
Load balancing
Disable
Select this option to disable load balancing on the Nebula Device.
Enable "By client device number" mode
Select this option to balance network traffic based on the number of specified client devices connected to the Nebula Device.
Maximum client device number
Enter the threshold number of client devices at which the Nebula Device begins load balancing its connections.
Disassociate client device when overloaded
Select ON to disassociate WiFi clients connected to the Nebula Device when it becomes overloaded.
Select OFF to disable this option. The Nebula Device then simply delays the connection until it can afford the bandwidth it requires, or it transfers the connection to another Nebula Device within its broadcast radius.
The disassociation priority is determined automatically by the Nebula Device and is as follows:
Idle Time – Devices that have been idle the longest will be disassociated first. If none of the connected devices are idle, then the priority shifts to Signal Strength.
Signal Strength – Devices with the weakest signal strength will be disassociated first.
Enable "Smart Classroom" mode
Select this option to balance network traffic based on the number of specified client devices connected to the Nebula Device. The Nebula Device ignores association request and authentication request packets from any new client device when the maximum number of client devices is reached.
The Disassociate client device when overloaded function is enabled by default and the disassociation priority is always Signal Strength when you select this option.
Maximum client device number
Enter the threshold number of client devices at which the Nebula Device begins load balancing its connections.
Port setting
LAN x
This is the name of the physical Ethernet port on the Nebula Device.
This section lets you configure global port VLAN settings for all Nebula Devices in the site. To modify port settings for a specific Nebula Device, use its Edit button in the table below.
ON/OFF
Select ON to turn on the LAN port of the Nebula Device. Select OFF to disable the port.
PVID
Enter the port’s PVID.
A PVID (Port VLAN ID) is a tag that is added to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines.
Allowed VLANs
Enter the VLAN ID numbers to which the port belongs.
You can enter individual VLAN ID numbers separated by a comma or a range of VLANs by using a dash, such as 1,3,5–8.
Access Point
This displays the descriptive name or MAC address of the connected Nebula Device.
Only the Nebula Device that has an extra Ethernet LAN port will be listed, such as NAP203 or NAP303.
Status
This shows whether the Nebula Device’s Ethernet LAN port is enabled or disabled.
Port Setting
This displays the port’s VLAN settings for the managed Nebula Device.
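The PVID and Allowed VLANs values described above can be checked before they are entered in NCC. The following is an added example, not Zyxel code: the function names are hypothetical, the 1 – 4094 range is taken from the VLAN ID field on this page and assumed to apply to port VLANs as well, and the "PVID not in Allowed VLANs" finding is a review heuristic rather than a documented NCC rule.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # 0 and 4095 are reserved (VLAN ID field on this page)

def parse_allowed_vlans(text):
    """Expand an Allowed VLANs string such as '1,3,5–8' into a sorted list of IDs.

    Raises ValueError on empty items, non-numeric tokens, reversed ranges,
    or IDs outside 1-4094.
    """
    vlans = set()
    for item in text.split(","):
        item = item.strip()
        # Accept the ASCII hyphen and the en dash used in the manual's example.
        m = re.fullmatch(r"([0-9]+)(?:\s*[-\u2013]\s*([0-9]+))?", item)
        if not m:
            raise ValueError(f"malformed entry: {item!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        if start > end:
            raise ValueError(f"reversed range: {item!r}")
        if start < VLAN_MIN or end > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {item!r}")
        vlans.update(range(start, end + 1))
    return sorted(vlans)

def check_port(pvid, allowed_text):
    """Return a list of findings for one port's PVID and Allowed VLANs values."""
    findings = []
    if not VLAN_MIN <= pvid <= VLAN_MAX:
        findings.append(f"PVID {pvid} outside {VLAN_MIN}-{VLAN_MAX}")
    try:
        allowed = parse_allowed_vlans(allowed_text)
    except ValueError as exc:
        return findings + [f"Allowed VLANs: {exc}"]
    # Assumption (review heuristic, not an NCC rule): untagged frames are tagged
    # with the PVID, so flag a PVID the port is not listed as belonging to.
    if pvid not in allowed:
        findings.append(f"PVID {pvid} not in Allowed VLANs")
    return findings

if __name__ == "__main__":
    # Constructed sample port settings: (port name, PVID, Allowed VLANs)
    for name, pvid, allowed in [("LAN 1", 1, "1,3,5–8"), ("LAN 2", 20, "1,3,5-8"),
                                ("LAN 3", 10, "10,4095")]:
        print(name, check_port(pvid, allowed) or "OK")
```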
Edit Port Settings
Click an entry in the Port setting table of the Site-wide > Configure > Access points > AP & port settings screen to access this screen.
Select NAT mode to have the Nebula Device create a DHCP subnet with its own NAT for the SSID. This simplifies WiFi network management, as you do not need to configure a separate DHCP server. Otherwise, select Local bridge.
The following Nebula Device features do not work when NAT mode is enabled:
802.11r (see Site-wide > Configure > Access points > SSID advanced settings for more information on enabling 802.11r)
Layer2 isolation
Dynamic VLAN (cloud authentication, RADIUS server)
*In NAT mode, clients cannot communicate with clients connected to a different Nebula Device.
Only WAC500H supports Ethernet Traffic options Forwarding Mode at the time of writing.
By default, all Nebula Devices in the site use the global port settings. Use this screen to change the port settings on a per-device basis. You can turn on or off the port, modify its PVID or update the ID number of VLANs to which the port belongs.
Site-wide > Configure > Access points > AP & port settings: Edit