End of Support

Monitor Alerts

Alerts are categorized into three types: Wi-Fi, System, and WIPS (see the sections below for details) and are further classified as follows, based on the nature of events that trigger the alerts.

Instantaneous - Alerts generated for events that are instantaneous, i.e., one-off events that do not persist over time. For example, the failure of a scheduled client connectivity test is an instantaneous Wi-Fi alert. Similarly, an authorized client probing for a vulnerable SSID is an instantaneous WIPS alert.
Live - Alerts generated for events that persist over time. These alerts are triggered by some condition and persist until the condition holds true. For example, the number of clients experiencing authentication failure exceeding a threshold is a Wi-Fi alert that persists over time. Similarly, a rogue AP becoming active is a WIPS alert that persists over time.
Expired - A live alert expires when the condition that triggered the alert no longer holds true.

The chapter contains the following topics:

Monitor Wi-Fi Alerts
Monitor WIPS Alerts
Monitor System Alerts
Security Status

Monitor Wi-Fi Alerts

Under MONITOR > Alerts > WiFI , you can review Wi-Fi alerts that have been configured to be displayed on the UI.

Wi-Fi alerts capture network connectivity and performance events such as client authentication failures and high latencies. As shown in the figure above, alerts are categorized by the aspect of the Wi-Fi network that they pertain to-for example, client connectivity test or connection failure. You can mark a Wi-Fi alert as "Read" or "Unread" and you can delete it.

Monitor WIPS Alerts

Under MONITOR > Alerts > WIPS, you can review WIPS alerts that have been configured to be displayed on the UI.

WIPS alerts are related to Wi-Fi vulnerabilities and attacks that may pose a security threat to your network. You can turn on or off the security status of a WIPS alert, i.e., decide whether an alert affects the security status of your network. A network administrator can acknowledge an alert. This then shows up in the acknowledgment trail that other administrators can check to know which user has acknowledged an alert. Wherever needed, WIPS alerts have recommended actions that you can undertake to secure your network.

Monitor System Alerts

Under Monitor > Alerts > System, you can review System alerts that have been configured to be displayed on the UI.

System alerts are for events related to the overall health of the Wi-Fi server and infrastructure, e.g., when a Wi-Fi server switches from active to standby or an AP gets disconnected from the network. As shown in the figure above, they are categorized into Server or AP/Sensor alerts. You can change whether an alert affects the security status of your network. For example, when a server stops, some WIPS functionality is lost, which could make your network vulnerable. Like WIPS alerts, a network administrator can acknowledge and check acknowledgment trails for a system alert. Wherever needed, system alerts have recommended actions that you can undertake to address the issue.

Security Status

An alert is raised at the location of the device that triggers the alert. Security status shows you which locations in your network are vulnerable, i.e., which locations have live security alerts. As shown below, from the menu icon (three vertical dots) on a location, you can select Show Status > Security Status to see a color-coded view of network vulnerability: red for locations that are vulnerable and green for locations that are not. Whether or not a WIPS or System alert contributes to the security status can be set while configuring those alerts.

Wireless Intrusion Prevention Techniques

This chapter contains the following topics:

About Wireless Intrusion Prevention Techniques
Intrusion Prevention Level
Authorized Wi-Fi Policy
Access Point Auto Classification
Client Prevention
Client Auto-Classification
Banned Device List
WLAN Integration
Monitor Networks
Auto-Deletion Settings
WIPS Advanced Settings

About Wireless Intrusion Prevention Techniques

A large number of Wi-Fi devices Access Points (APs) and clients-are commonly present in the vicinity of an enterprise. While most are legitimate devices, belonging either to the enterprise or businesses around it, manually tracking the presence of any threat-posing devices among them or Wi-Fi connections violating the enterprise security policy is impractical.

Arista Wireless Intrusion Prevention System (WIPS) can automate that process and protect enterprise networks from Wi-Fi-based vulnerabilities and attacks. It can also track the physical location of Wi-Fi devices on enterprise premises.

Arista WIPS uses a variety of patented techniques to classify Wi-Fi devices automatically and accurately as follows.

Authorized: Owned and officially deployed by the enterprise,
External: Legitimate Wi-Fi devices in the enterprise vicinity, and
Rogue: Unauthorized Wi-Fi devices on the enterprise network.

This serves as the foundation for enforcing Wi-Fi security policies. Based on the accurate device classification, Arista WIPS can automatically block threat-posing Wi-Fi devices and connections (shown in red in the figure below).

You can enable automatic intrusion prevention using Arista CV-CUE, by navigating to CONFIGURE > WIPS > Automatic Intrusion Prevention or from DASHBOARD > WIPS.

Depending on the type of threat, intrusion prevention can be defined in the following ways.

Access Point Prevention

To automatically block all connections to threat-posing APs such as rogue APs, banned APs, and misconfigured APs.

Client Prevention

To automatically prevent client connections based on the type of client involved, e.g., authorized, guest, rogue, external, banned, and the type of AP (or client) to which it tries to connect. Thus, Client Prevention can block various types of threat-posing Wi-Fi connections, e.g., an authorized client could be blocked from connecting to an external AP that is a Wi-Fi hotspot while allowing other external clients to connect to that AP; an unauthorized client could be blocked from connecting to an authorized AP while allowing authorized clients to connect to that AP.

Threat Prevention

Arista WIPS can also be configured to automatically protect enterprises from malicious Wi-Fi-based attacks such as:

ARP spoofing/MAC spoofing: In ARP spoofing, an attacker sends a spoofed ARP reply, on behalf of an authorized AP, for a legitimate connection request by a Wi-Fi client. The reply contains the spoofed MAC address of the legitimate AP and links with the legitimate IP address, thus establishing the connection between them. The attacker can potentially receive all the data intended for the legitimate user.
Honeypot: In a honeypot or man-in-the-middle attack, an unauthorized AP, in the vicinity of an enterprise, tries to lure authorized enterprise clients to connect to it by broadcasting the same SSID as an authorized one, but at a higher RSSI. An attacker could also launch multiple honeypots ( aka multipot) simultaneously to evade security.
DoS Attack: By using a variety of techniques, an attacker can flood an enterprise network with a number of junk Wi-Fi frames or frames that consume a significant amount of airtime, starving legitimate APs and clients from transmitting, thus, disrupting the Wi-Fi service of the legitimate users.

Such severe attacks/threats can make the user information vulnerable. Arista WIPS automatically classifies the APs in the vicinity as authorized, rogue, or external in compliance with the AP auto-classification policy. Classification helps to alert the system of any vicious activity by an AP other than the authorized ones by defining Intrusion Prevention Levels. To safeguard, WIPS has some Intrusion Prevention Methods:

Inline: It is the background scanning done by the third radio of an AP. An inline technique is majorly acquired in the absence of WIPS or when automatic intrusion prevention is turned off. When a client sends a request for connection, the AP detects the client as- rogue or authorized as per the client auto-classification policy already defined. If it is rogue, the AP keeps on discarding the request packets on the driver level itself but if it is an authorized client the AP itself authenticates it. This happens for both open and encrypted APs.
De-Auth: This technique is useful to prevent the authorized connection by sending the de-auth packets in compliance with the 802.11 messaging format for disconnecting the unauthorized ones. When a misbehaving client connects to a rogue AP and tries to access the network, the authorized AP senses the unauthorized connection and unicasts a de-auth packet to the client. By sending de-auth packets, the connection is disrupted with the rogue AP. For encrypted Adhoc client prevention, where prevention beacons are sent can also be prevented using the same technique. This can also happen in offline mode. Offline Mode- When an AP is in online mode, it keeps on receiving and storing the data of all the rogue or misconfigured connections in a list as defined by AP auto-classification. So, even when the AP goes into offline mode, this list helps to detect the rogue APs and automatically prevent any activity from them.
Wireless ARP Prevention: ARP poisoned packets are sent over a network when the multipot attack happens where the transit between multiple APs is so fast that the de-authentication technique is not effective. So, the WIPS sensor sends a spoofed de-authentication packet with a spoofed MAC address over the wireless medium, thus, preventing any authorized clients to connect to a rogue AP.
Wired ARP: Any activity from a rogue AP should be detected and disabled. When any unauthorized activity is detected, poisoned ARP packets are sent on open Adhoc or wired connections as well. Wired ARP technique also takes place when the defined intrusion prevention level capacity becomes full. For example, if we had selected "Block" level which prevents one channel per radio and a threat posing device is detected then we switch to wired ARP. With this technique, ARP poisoning packets are sent from the wired interface to prevent any wireless clients to connect to the secured wired network through a rogue AP. The packets are unicasted to the authorized client, thus, not affecting the other connections.
Selective NAV: The prevention technique is used for Dos attacks. DoS attacks can prove harmful as they disrupt the legitimate receiver from any services. To mitigate this attack, WIPS allows the APs to allow a definite time slot for the clients. In this way, the rogue AP trying to flood the network with useless packets never gets a chance to connect.
Cell Splitting: Cell splitting is used to prevent encrypted ad hoc Wi-Fi mode where fake beacons are sent with random cell id so that the clients in ad hoc mode think that the preventing device is the ad hoc owner while the id keeps on changing randomly where the owner actually never settles on a particular cell id.

Intrusion Prevention Level

Arista WIPS offers four levels of automatic intrusion prevention, listed below.


Level	Number of channels-per-radio prevented
Block	1
Disrupt	2
Interrupt	3
Degrade	4

Each automatic intrusion prevention level defines the number of channels-per-radio that an AP can prevent. To detect an intrusion, an AP radio scans all the channels in its frequency band of operation, spending 120 ms on each channel. One scan cycle is the time it takes an AP radio to complete scanning all the channels once. At each level, Arista WIPS can prevent up to 10 intruding devices.

Consider an AP whose intrusion prevention level is set to "Block". Suppose this AP detects an intrusion on channel 36. Since the level is set to "Block", the AP can prevent one channel per band—in this case, channel 36. Then, during its scan cycle, the AP "visits" channel 36 more frequently, sending deauthentication packets to block the unwanted communication on channel 36. (Intrusions subsequently detected on other channels are put in a "Pending" list.) If the intrusion prevention level is set to "Disrupt" and the AP detects intrusions on two channels, then it divides the time it spends sending deauthentication packets between the two channels. This disrupts the unwanted communication on each of the two channels but does not block it completely. "Disrupt" is, therefore, a weaker form of prevention than "Block"; some packets belonging to the intruding device may get through. This logic extends to "Interrupt" and "Degrade" as well—these levels respectively interrupt and degrade the unwanted communication; they do not disrupt or block it.

So the trade-off is between the effectiveness of intrusion prevention and its coverage—in terms of the number of channels across which threats can be prevented. Larger the number of channels-per-radio prevented, the weaker the prevention since the AP has to divide the time it spends sending deauthentication packets among a larger number of channels. Choose the intrusion prevention level based on the needs of your Wi-Fi environment. By default, the intrusion prevention level is set to "Disrupt".

Authorized Wi-Fi Policy

Arista Wireless Intrusion Prevention System (WIPS) uses a variety of patented techniques to automatically and accurately classify Wi-Fi Access Points (APs) and clients as follows.

Authorized: Owned and officially deployed by the enterprise,
External: Legitimate Wi-Fi devices in the enterprise vicinity, and
Rogue: Unauthorized Wi-Fi devices on the enterprise network.

An Authorized Wi-Fi Policy forms the basis of this automatic device classification; it can be defined in terms of:

The characteristics of the official enterprise Wi-Fi network, e.g., SSID name, whether or not the SSID is a guest SSID, the type of authentication and encryption used, a mapping of SSIDs to specific enterprise subnetworks they are allowed to run on, allowed vendors, etc.
A pre-classification of Wi-Fi APs as potentially authorized or rogue based on whether or not they are connected to one of the monitored enterprise subnetworks (enabled by default), or based on the Received Signal Strength Indicator(RSSI) with which those APs are visible to Arista WIPS.

You can implement an authorized Wi-Fi policy in two ways: either using the SSID Profile settings to validate the configuration running on your Arista Wi-Fi APs or by creating an Authorized Wi-Fi Profile for each SSID. Each method is described below.

Using SSID Profile Settings

You may choose to simply leverage the settings of the SSID Profiles in use to validate the configuration running on the enterprise Wi-Fi APs; this can be done by enabling the Use SSID Profiles to verify managed access point configuration option as shown below.

Note: This option is enabled by default. You will have to disable it if you choose to define your enterprise authorized Wi-Fi policy in terms of Authorized Wi-Fi Profiles.

Authorized Wi-Fi Profile per SSID

The figure below shows an Authorized Wi-Fi Profile for a corporate SSID. The SSID must conform to the restrictions set by the profile. For example, the SSID must run on an Arista AP because that is the only allowed AP vendor; similarly, it must use PSK authentication.

When an SSID configuration does not match the authorized Wi-Fi policy, the SSID is marked as a Misconfigured SSID. When an SSID configuration does not follow the security policies of Wi-Fi 6 and 6E, the SSID is marked as Non Compliant. As shown in the figure below, you can filter on the Classification column under MONITOR > WIPS > Access Points to find APs running misconfigured SSIDs.

You can select an AP to see the SSIDs that are misconfigured and to view the reasons for the configuration mismatch. Active APs running misconfigured SSIDs are marked orange on the MONITOR > WIPS and MONITOR > WiFi tabs.

Access Point Auto Classification

Arista Wireless Intrusion Prevention System (WIPS) continuously scans the Wi-Fi frequency spectrum to detect other Wi-Fi devices present in the vicinity.

Whenever a new Wi-Fi AP is detected, it is initially considered to be uncategorized. Arista's unique Marker Packets technology helps determine whether or not the detected AP is connected to the enterprise wired network. If an AP is on the enterprise wired network, it is pre-classified as Potentially Authorized or Potentially Rogue, depending on whether or not the AP complies with the Authorized WiFi Policy. If the AP is not on the enterprise wired network, it is pre-classified as Potentially External. The pre-classification is an advanced setting under Authorized WiFi Policy.

Arista managed APs that are on the wired network and comply with the <Authorized Wi-Fi Policy> are automatically classified as Authorized. The AP Auto-Classification Policy allows you to let the Arista WIPS automatically classify potentially rogue APs as rogue APs and potentially external APs as external APs. By default, the AP auto-classification is enabled. You can edit the policy under CONFIGURE > WIPS > Access Point Auto-Classification.

You can also freeze the list of your authorized APs by using the Authorized AP List Locking feature so that no more APs get automatically classified as authorized.

Client Prevention

Client prevention allows you to choose the types of Wi-Fi client communication you want to prevent.

The types of client communication are based on two factors:

The type of the client (Rogue, Authorized, External, or Guest) as determined by Client auto-classification.
The device that the client attempts to connect to—Authorized Access Point (AP), other clients, etc.

The examples below show how specific client types and connection attempts can be prevented depending on the use case.

Authorized Client Misassociation

An authorized enterprise Wi-Fi client could attempt to associate with access points in the vicinity of your enterprise. To protect authorized clients on an enterprise Wi-Fi network, you might want to prevent them from associating with any non-authorized APs as shown below.

Client Bridging/ICS

Client bridging is when a laptop connected to the wired network acts as an access point, thereby allowing unauthorized clients access to an enterprise network. Internet Connection Sharing (ICS) is a service that turns a computer into a router to which other clients can connect directly. Both methods compromise the security of an enterprise Wi-Fi network by exposing it to unauthorized access. To prevent client bridging or ICS, you can enable the relevant prevention as shown below.

Unauthorized Associations To Authorized Access Points

For guest Wi-Fi access, suppose that your Client Auto-Classification is configured to re-classify all External and Uncategorized clients connecting to a Guest SSID as "Guest". In that case, you do not want to prevent unauthorized clients from accessing an authorized AP running the Guest SSID because an unauthorized client needs to associate with an authorized AP before it can be marked as a "Guest" client. You can allow such associations by not enabling prevention as shown below.

Client Auto-Classification

Classifying Wi-Fi clients can help you automatically enforce your Wi-Fi security policies.

Usually, clients are classified as:

Authorized: These are enterprise-owned, managed clients that are expected to comply with the enterprise security policies, e.g., they are allowed to connect to the enterprise-managed Wi-Fi Access Points (APs) but not to other APs.
Guest: These are clients that are brought along by visitors in your organization. Guest clients are normally allowed to connect to the guest Wi-Fi network for Internet access and have limited or no access to the internal network.
External: These are unmanaged clients detected in the vicinity of your enterprise. They are normally blocked from connecting to your managed APs but could connect to other APs. Such clients could be typically ignored unless their behavior poses a threat to your enterprise security.
Rogue: These are typically unauthorized clients that try to intrude into your enterprise network, for instance, by connecting to a rogue AP. The activity of such clients should be monitored and their unauthorized access should be blocked.

Manually keeping track of the list of clients that are authorized to access your enterprise Wi-Fi network is not scalable and is prone to errors, especially in large organizations. Arista CV-CUE provides a simpler way to automatically classify clients. The client auto-classification policy settings are available under CONFIGURE > WIPS > Client Auto-Classification.

By default, clients are left uncategorized initially and classified based on the type of AP or Wi-Fi network they connect. You can optionally choose to classify any newly discovered client as either External, Authorized, or Guest, and let them be reclassified based on association. Association-based classification can be based on the type of AP that the client connects to. For example, an uncategorized client attempting to connect to any external AP is classified as external.

The examples below show how clients can be auto-classified depending on their association.

Clients Connecting to Authorized Access Points

Depending on the initial classification, the clients connecting to your authorized access points can be reclassified based on their association. A sample screenshot showing the default values is shown below. You can change the settings based on your security policy.

Clients Connecting to Rogue Access Points

A client may attempt to associate with a rogue AP. In such a case, reclassification is based on the initial classification of the client and on the classification of an AP. In this scenario, AP could be rogue or potentially rogue.

Note:Once the client is manually classified as Rogue or Authorized, it is not reclassified automatically unless it is deleted and discovered again.

Banned Device List

You can ban certain Wi-Fi devices from accessing the enterprise network when needed. For instance, if an enterprise laptop gets stolen, its unauthorized access to the enterprise network needs to be restricted.

To prevent such access, you can add those Wi-Fi access points or clients to the Banned Access Points and Banned Clients, respectively. This can be done either by entering the MAC addresses of the individual access points or clients or by uploading a .csv file with the list of comma-separated MAC addresses. The banned devices can be defined only at the topmost or root folder of the location tree.

In addition, you can configure an alert that will warn you if a banned access point or client from the list is detected in the vicinity. Wi-Fi connectivity with a banned access point or client can also be prevented automatically by configuring the relevant intrusion prevention policy.

WLAN Integration

Whether you are using Arista WIPS or transitioning to cloud-based Wi-Fi, integrating the Arista Cloud Wi-Fi server with your on-premises WLAN controller allows you to leverage key advantages of the cloud server while continuing to use your controller-based WLAN.

The Arista cloud-based Wi-Fi server fetches information about access points, clients, and signal strengths from WLAN controllers using Simple Network Management Protocol (SNMP). Arista WIPS can then use this information to automatically classify authorized devices managed by the controller and track Wi-Fi client locations.

Arista supports integration with Aruba Mobility Controllers and Cisco WLC.

Configure WLAN Integration

To add WLAN controllers, go to SYSTEM > WIPS > WLAN Integration in CV-CUE. Select whether you want to add an Aruba or a Cisco controller, and click Add on the Wireless LAN Controllers grid. The Add Controller panel shown in the figure below opens up. Enter the settings (described in the table below) and click Done. Note that, as shown in the figure below, if your controller uses a private IP address, then you will need a Cloud Integration Point to integrate the controller with the Arista Cloud.

On the main WLAN Integration tab, set the Automatic Synchronization Interval; this is the interval that defines how frequently the Arista Cloud fetches information from the controller. Save the settings to complete adding the controller.

Controller Settings


Field	Description
Controller (IP Address/Hostname)	Enter the IP address or hostname of the controller. Note:If the controller uses a private IP address, you need to select a Cloud Integration Point.
Port Number	The controller port number from which data is imported.
Primary Cloud Integration Point (CIP)	From the drop-down list, select an Arista device that you want to use as the primary Cloud Integration Point (CIP) for this controller. Important: You must open port number 3852 in your network from the CIP to Arista cloud.
Secondary Cloud Integration Point (CIP)	From the drop-down list, select an Arista device that you want to use as the secondary Cloud Integration Point (CIP) for this controller. If the primary CIP goes down, the secondary one ensures connectivity of your service to the cloud.
SNMP Version	Select SNMP V2 or V3 for the Arista cloud communication with the controller.
Community String	User-defined community string using which Arista cloud communicates with the controller. The default value is 'public'.
Import	Select to enable the import of data from the controller.
Managed Access Points	Select to import managed access point information from the controller.
Managed Clients	Select to import information about clients associated with access points managed by the controller.
Unmanaged Access Points	Select to import information about access points not managed by the controller.
Unmanaged Clients	Select to import information about clients associated with access points not managed by the controller.
Signal Strength	Select to import signal strength information from the controller.

Monitor Networks

Under MONITOR > WIPS > Networks, you can see the networks being monitored by WIPS. As shown below, networks that are not being monitored (because they are unreachable) are shown in red.

Card Dataholder Environment (CDE) networks are networks that store, process, or transmit payment card transactions and sensitive cardholder data. CDE networks are in the scope of PCI DSS compliance. You can right-click on a network and change its type from CDE to Non-CDE or vice versa.

Auto-Deletion Settings

Using auto-deletion settings, you can specify parameters to automatically rogues Access Points (APs) and clients.

You can automatically delete the following items:

APs
Network
Clients
Alerts
Inactive Authorized APs

You must have superuser, administrator, or operator privileges to use auto-deletion settings.

Auto-Delete Access Points, Clients, and Network

You can specify the duration of inactivity after which rogue Access Points (APs) or clients are automatically deleted. For networks, you can define the duration for which the networks are retained on the server. After the specified retention duration, the networks are automatically deleted from the server. If you want to retain manually classified APs or clients, you can specify that in the auto-deletion parameters.

You can also delete authorized but inactive APs from the current location. Click Delete Inactive Authorized Access Points at the bottom of the Access Points tab.

Follow these steps to auto-delete APs, clients, and network:

Got to MONITOR > WIPS > Access Points .
Click Auto Deletion.
From the right pane, define the parameters to delete access points, clients, and network.
Save the settings.

WIPS Advanced Settings

Under CONFIGURE > WIPS > Authorized WiFi Policy, you can define Advanced Settings that allow you to pre-classify Access Points (APs) and define No-Wi-Fi networks.

Access Point Pre-Classification

Pre-classification of access points helps WIPS identify potential authorized and rogue APs. As shown in the figure below, by default, access points connected to a monitored subnet are pre-classified as potentially authorized or rogue. These APs then show up with the appropriate classification on the MONITOR > WIPS tab. This helps if, for instance, an unclassified AP is connected to the network. The AP appears on the MONITOR > WIPS tab. You can then re-classify it appropriately as either rogue or authorized and—for rogue APs—take appropriate action.

You can also have WIPS pre-classify APs based on the signal strength with which they are visible. As shown in the figure below, if you enable signal strength based pre-classification, CV-CUE allows you to define a signal strength threshold. APs with signal strength greater than the threshold are automatically classified as potentially authorized or rogue.

Relying on signal strength based classification alone, however, is not advisable, especially if you plan to enable automatic intrusion prevention. First, if a legitimate AP from a neighboring facility is visible with a signal strength higher than the threshold, then classifying it as rogue could disrupt legitimate Wi-Fi connections to the AP. Therefore, use this classification only if you are sure that no unauthorized Wi-Fi operates in the vicinity of your location. Second, signal strength based classification will not detect rogue APs that operate with a signal strength weaker than the threshold (smartphones running Wi-Fi hotspots, for example).

Define No-Wi-Fi Networks

Security-sensitive environments might need to ensure that no Wi-Fi network operates at certain locations. As shown in the figure below, you can define "No-Wi-Fi" networks for a location, i.e., specify subnets where no Wi-Fi is allowed. If you define such networks, an AP detected on the network at that location is automatically classified as a rogue AP, even if it conforms to the authorized policy.

Dashboards

CV-CUE provides varied widgets on its Connectivity and Performance dashboards that promote actual cause of issue, not just related client statistics, to drive faster troubleshooting efforts. With Dashboards, you receive immediate feedback when performing remediation thus democratizing Wi-Fi troubleshooting for level one and junior support staff.

Where applicable, dashboard widgets show values for both IPv4 and IPv6. This gives a more granular view of the network. For example, the Average Latencies widget on the Performance Dashboard shows the latency values for both v4 and v6 paths, helping you identify if the issue lies with only one of the IP addresses.

This chapter contains the following topics:

Connectivity Dashboard
Performance Dashboard
Applications Dashboard
Logical Categorization of Clients and Failures
Infrastructure Dashboard

Connectivity Dashboard

The Connectivity Dashboard provides the health of all the clients and devices that are present in a WLAN network, on the selected folder or floor. It comprises of a number of widgets which provide information of the connectivity strength in a single glance.

Navigate to Dashboard > Connectivity to view the Connectivity Dashboard.

The Connectivity Dashboard contains the following widgets:

Client Journey: It provides an overview of various aspects of the client such as number of active clients, associations to the Wi-Fi, successfully authenticated clients, total number of clients connected to the network, and number of online clients.
Clients by Most Failed Connections: Lists the number of times a client failed to connect. The clients are listed in decreasing order of failed attempts and then alphabetically.
Top Locations Affected by Failures: Displays the top five locations which are affected by association, authentication or network failure. The locations are listed in decreasing order based on the percentage of connection failures.
Baseline - Clients Affected by Failures: CV-CUE calculates a baseline for the percentage of clients that failed due to connectivity issues. The connectivity issues taken into consideration are: Authentication failure, Association failure, and Network failure.

Client Journey

Client Journey depicts the current state of the network for the selected folder or floor. It provides an overview of various aspects of the client such as number of active clients, associations to the Wi-Fi, successfully authenticated clients, total number of clients connected to the network, and number of online clients.

You can hover the mouse over the different phases of the client journey to get additional information. For example, if you hover the mouse over the Authentication phase, a tool tip displays information such as percentage of authenticated clients, number of clients who failed to authenticate, type of authentication failure with the number of clients that failed to authenticate for a type of authentication.

You can click on the different phases to view detailed information of each phase. For example, if you click Association, you will be redirected to a page that provides detailed information of the client health displaying a list of clients that failed to associate.

The client journey is presented on the Connectivity Dashboard as follows:

Total Clients: The Total Clients section displays the number clients that connected or tried to connect to the network. It includes the total number of clients that associated with an SSID on the network and the total number of clients that failed to associate. Click Total Clients to view a list of clients with their detailed information.

Association: The Association section displays the total number of clients that are successfully associated to a Wi-Fi network and the total number of clients that failed to associate to the Wi-Fi network. Click Associations to view a list of clients with failed associations.

Authentication: The Authentication section displays the total number successfully authenticated clients and the clients that failed to authenticate through the Wi-Fi network.

Network: The Network section displays the total number of clients that could successfully access the network services like DHCP, DNS and also those that failed to access these services.

Online: The Online section displays the total number of online clients that successfully connected to the Wi-Fi network. It also displays the total number of clients that failed to authenticate, associate or access the network.
: You can search a client by providing MAC address, IP address, user name or device name. You get the status of the various phases of that client, with the time stamp.

Search Icon on Client Journey

You can search an active client by providing MAC address, IP address, user name or device name. You get the status of the last attempted connection, in the various phases of the active client, with a time stamp.

Only those active clients that are available on a selected folder or floor can be searched. Therefore, if a client with device name, say LAP-ATN-424, is not connected to an SSID of the selected folder or floor, then the search for such a client will show the following:

No connection records found in currently active clients: No results are displayed because the searched active client is not available on the selected folder or floor.
Search historical client records?: A link that suggests to look for the searched client in the historical records. This option is displayed when the searched client was active in the past and unavailable at the moment. After clicking on the link, you are redirected to the list of clients and you can click on the name of the client for a detailed information. Refer Client Connection Logs for more information about the logs. The historical data for the last seven days is available in the logs.

If the searched client is active and connected to an SSID of the selected folder or floor, you can view the status of the last attempted connection, in the various phases of the client connection with a timestamp. The following figure shows the various phases of the client connection:

When an active client is searched, the widget displays the following information for the various phases:


Option	Description
Tried to connect	Name of the client and a link that redirects you to the Connection log for the searched active client.
Association	Status (Successful or Failed) The timestamp when the association was successful The name of the AP the client is connected to The name of the SSID
Authentication	Status (Successful or Failed) The timestamp when the authentication was successful The name of the authentication server and the average latency time
Network	Status (Successful or Failed) The timestamp of last successful connection The name of the authentication server and the average latency time
Online	Status (Successful or Failed) The timestamp of last successful connection

The data on the widget can be filtered using the available filters on the top right corner of the widget. To know more about the filters refer Filters on Widgets.

Top Locations Affected by Failures

The widget displays a horizontal bar graph depicting the top five locations that are affected by association, authentication, or network connection failure. The graph contains the data for the selected parent and its immediate child folders.

The graph shows the top five locations with highest connection failure percentage in decreasing order.

If you hover the mouse over a bar in the graph, the tool-tip displays the number of clients that are affected due to the connectivity failure with respect to the total number of clients associated to an AP at that location. When you click a bar, on that location, you are redirected to a page that has detailed information of the clients affected by the connection failure at that location.

You can select the failure type from the drop-down list given on the top-right corner of the widget. To know more about the Any failure filter refer Filters on Widgets.

Clients by Most Failed Connections

Clients by Most Failed Connections lists the number of times a client failed to connect. The clients are listed in a decreasing order of failed attempts and then alphabetically.

The data is represented in tabular format displaying the name of the client that failed to connect and the total number of times the client failed to connect. Refer to the following widget for a sample listing.

When you click on the client name, you are directed to the Client connections log widget, where you get the detailed information of the failures. The maximum duration supported by the graph is 1 week and the minimum duration is 2 hours. You can select the duration from the drop-down list which is located at the top-right corner of the widget.

Performance Dashboard

The Performance Dashboard provides detailed information about the performance of the Wi-Fi network with the help of a number of graphs and widgets.

Navigate to Dashboard > Performance to view the Performance page. The page contains the following graphs and widgets:

Client Health: Displays the total number of clients for the selected folder or floor, with Low RSSI, Low Data Rate, High Retry %, and Sticky Clients.

Avg Latencies: Displays the average latency time (response time) taken by the servers like DHCP, DNS, and AAA servers with respect to the clients on a selected folder or floor.

Baseline - Clients Affected by Poor Performance: Displays the baseline for the percentage of clients affected by poor performance for all the clients over a period of time.

Clients by Avg. Data Rate: Displays a bar graph that shows the average data rate of the clients on a selected folder or floor.

Clients by RSSI: Displays a bar graph showing the total number of clients and the RSSI values.

Clients With Most Traffic: Displays a horizontal bar graph of clients with highest data usage.

Top Locations Affected by Poor Performance: Displays a horizontal bar graph of locations with highest performance issues, in a decreasing order.

Network Usage: Displays a line graph showing the number of client association and and a bar graph that shows the traffic volume.

Client Health

Client Health displays, for the selected folder or floor, clients that have Low RSSI, Low Data Rate, High Retry %, and those that are Sticky Clients. The Total Affected field shows the total number of clients on this folder or floor affected by these issues. Go to Dashboard > Performance to view the Client Health widget.

The values in the Client Health widget are clickable. For example, if you click the Low RSSI value, you will be redirected to a page that lists all the clients with low RSSI values and their relevant details. With reference to the image below, if the widget shows four clients with a low RSSI value, then on clicking the Low RSSI value, you will be redirected to a page that has detailed information of the four clients. The clients could be active or inactive. The information is updated every 2 minutes.

The Client Health widget lists the following:

Total Affected: Some clients could have more than one issue — for example, both Low RSSI and Low Data Rate. Such clients would then appear in both categories. CV-CUE ensures that such clients are not counted twice and shows the total number of distinct clients affected by the issues listed below in the Total Affected field .

Low RSSI: The number of clients that are below the set RSSI threshold value.

Low Data Rate: The number of clients that are below the set data rate value.
High Retry %: The number of clients that have the retry rate % more than 20%. Retry rate % is the number of retry packets divided by the total number of data packets of a client.

Sticky Clients

The number of sticky clients present on the selected folder or floor.

A Sticky Client is a device that tends to stay associated with an access point, even when the signal strength is poor, rather than roaming to another Access point in the vicinity that might offer better signal strength.

Note: For more information on setting threshold values, refer Set Threshold for a Folder or Floor.

Average Latencies

Average latencies shows the average latency time (response time) taken by servers like DHCP, DNS, AAA and Network servers with respect to the clients that are present on a selected folder or floor.

The average latency is calculated for the following services:

DHCP
DNS
AAA
Application

When you click on a latency, you can view the baseline graph for that latency.

Clients by Average Data Rate

Clients by Average Data Rate is a widget that displays the average data rate consumed by the clients on the selected folder or floor.

Navigate to Dashboard > Performance to view the Clients by Average Data Rate widget. There are a number of clients accessing data through the Wi-Fi network. This widget calculates and displays a graph of the average data rate used by the total number of clients. You can set the threshold for the data rate.

In the image, you can see a bar graph in three colors; red, green and yellow. The classification is as follows:

The clients with data rate, below the set threshold value are in red.
The clients with data rate above the set threshold value are in green.
The clients that are in the bucket where the threshold value falls, are in yellow. For example, in the above image, a threshold value that is set as 75 Mbps, falls in the bucket of 50 MBps to 100 Mbps. The clients that have threshold values between 50 Mbps and 100 Mbps are marked in yellow.

Refer to Set Threshold for a Folder or Floor for more information on how to set a threshold value.

The data on the widget can be filtered using the available filters on the top right corner of the widget. To know more about the filters refer to Filters on Widgets.

Clients by RSSI

Clients by RSSI is a widget that displays the average RSSI (dBm) of the clients on the selected folder or floor.

Navigate to Dashboard > Performance to view the Clients by RSSI widget. Clients accessing the network can have varied RSSI levels. This widget calculates and displays the average RSSI used by the total number of clients. You can set the threshold for RSSI.

In the image, you can see a bar graph in three colors; red, green and yellow. The classification is as follows:

The clients with RSSI, below the set threshold value are in red.
The clients with RSSI above the set threshold value are in green.
The clients that are in the bucket where the threshold value falls, are in yellow. For example, in the above image, a threshold value that is set as -60 dBm, falls in the bucket of -65 dBm to -55 dBm. The clients that have threshold values between -65 dBm and -55 dBm are marked in yellow.

Refer to Set Threshold for a Folder or Floor for more information on how to set a threshold value.

Clients with Most Traffic

Clients with Most Traffic widget displays a bar chart showing clients with highest data usage. The data shown is for clients on the selected folder or floor.

Top 5 clients names with highest data usage in a network are listed in decreasing order. When you click on the name of the client you are redirected to the Client details page where detailed information of the client activities is presented. If you hover the mouse over the list, you can view the total amount of data used by a client. You can select the duration from the drop-down list that is located on the top-right corner of the widget.

The data on the widget can be filtered using the available filters on the top right corner of the widget. To know more about the filters refer to Filters on Widgets.

Top Locations Affected by Poor Performance

The widget displays a horizontal bar graph depicting the top five locations and their clients, that are affected by poor performance of Wi-Fi network. The graph contains the data for the selected parent and its immediate child folders.

The poor performance is calculated based on the following factors:

Low RSSI
Low Data Rate
High Retry %
Stickey Clients

Top 5 locations with poor performance issues, on the selected folder or floor is listed in a decreasing order.

If you hover the mouse over the bar in the chart, the tool-tip displays the number of clients affected by poor performance with respect to the total number of clients on that location. When you click on a bar you are redirected to a page that lists all the clients that are affected by poor performance. For example, if you click the Low RSSI value, you will be redirected to a page that lists all the clients with low RSSI values and their relevant details at that location.

You can select the type of factor from the drop-down list given on the top-right corner of the widget.

The data on the widget can be filtered using the available filters on the top right corner of the widget. To know more about the filters refer to Filters on Widgets.

Network Usage

You can access the Network Usage chart in two different ways from CV-CUE UI. If you access the chart from the performance dashboard, it displays a line graph showing the number of clients associated with the SSID and its traffic volume, for all the clients on the selected folder or floor. Whereas when you access the chart through AP drill down, it displays similar data, but this time for the selected AP.

If you hover over the graph, a tooltip providing quick information like timestamp, the number of clients associated and the used traffic volume appears.

You can view or retrieve data using the filters. To know more about these filters refer to Filters on Widgets.

The data of the network usage chart can be filtered based on two parameters; a client's data and the amount of data used by an application.

Drill down on the data point on the graph, redirects you to the page containing client connections table. This table contains the list of all the client connections along with their detailed information for the selected timestamp. For client details, refer to Filtered Network Usage Chart.

Drill down on the bar, redirects you to another page that contains:

Client Connections table - contains the list of all the client connections along with their detailed information for the selected timestamp.
Top Applications - that shows top ten applications with highest data usage. You can select an app from the drop-down list given on the top left corner of the table. Along with the selected application name it displays application specific data consumption.
All Application traffic - it displays the total amount of data used by the applications for a selected Access Point or a location. This information is shown at the top-right corner of the table.
Client Connections - selecting client connection displays the list of all the clients using the application selected from the top applications list.
Access Points Distribution - selecting access points distribution displays the list of all the associated APs.

Set Data Rate and RSSI Threshold for Folder or Floor

Thresholds are global settings and can be configured only on the root folder. You must be a Superuser, Administrator, or Operator to set the thresholds. If you have the Viewer privileges, you can only view the thresholds. The same threshold values are applicable on all the folders and floors in the Navigator.

You can set the threshold values for RSSI and data rate. The range for these are as follows:


Threshold Name	Values
Data Rate	20 Mbps to 100 Mbps For example, if the threshold value is 80, clients below the set Data Rate threshold will be classified as Low Data Rate clients.
RSSI	-45 dBm to -75 dBm For example, if the threshold value is -60, the clients below the set RSSI threshold will be classified as Low RSSI clients

To set the threshold values, perform the following tasks:

Go to DASHBOARD > Performance .
Ensure that you are in the correct folder or floor in the Location tree.
Click Set Thresholds.
On the Set Thresholds page, type the values for Low RSSI and Low Data Rate, within the allowed range.
Save the settings.

Applications Dashboard

The applications dashboard gives you the quality of experience of each monitored application. You get an overall view of top ten applications that have maximum traffic in your network. The baseline gives you an insight into the percentage of poor application experience over a period of time.

Application Experience

Navigate to Dashboard > Applications to view the Application Experience chart. You can monitor the performance of web-based enterprise applications (such as Email applications, HR and Project Management applications, Intranet, Online Drive, and others) along with VOIP-based applications such as Zoom, Hangouts, and others. Arista APs capture essential details of the TCP flows of a web application and send it to the server to determine the health of the application. If the overall health is calculated as poor, CV-CUE displays the percentage of application experience for the duration. A lower percentage indicates a poor application experience whereas a higher percentage indicates a good application experience.

The Clients by Application Experience widget provides a client distribution for aggregated application experience or experience for each application.

Note:

Web applications running on UDP are not supported for Web Quality of Experience (QoE).
The algorithm only inspects information carried in the IP and TCP headers for each TCP stream that are related to the monitored applications. It does not inspect the user's data in the process.
Only Wi-Fi 5 and higher APs support QoE monitoring of web-based applications.

By default, the most affected or most used applications are shown in a card view in the Dashboard > Applications tab. If you have a preference for specific applications, you can also pin them to the Application Experience widget.

In each card, the red bar indicates the percentage of poor application experience, whereas the green bar indicates the percentage of good application experience. If we take the case of Google APIs and Youtube in the above image, the Google API users faced poor application experience 56% of the time, whereas the YouTube users faced poor application experience 30% of the time.

You can also view the application health for a specific SSID using the SSID filter (It is set to “All SSIDs” by default). Select All SSIDs to see a graph of the aggregated data for all SSIDs and all applications.

The data can also be filtered based on frequencies. Selecting a band shows you the data for all applications running on the band. The possible values for frequency filter are:

2.4 GHz
5 GHz
6 GHz
All Bands

When you click any application card, you drill down to application details. The application details are provided using the following widgets:

Baseline - %Poor App Experience
Application Traffic
Application Traffic - Sessions
Application Traffic - Clients
Application Traffic - Quality of Experience
Clients with Most Application Traffic
Clients using this Application

Monitor Selected Applications

You can monitor a maximum of 25 applications for application experience, including TCP and VOIP-based applications.

Web QoE is a global setting and you must configure the applications to monitor at the root folder. You can not have a different Web QoE setting for each folder in the Navigation tree.

Go to DASHBOARD > Applications tab. Ensure that you are at the root folder.
On the Application Experience widget, click the Monitor Application Experience icon.
On the Monitor Application Experience right panel, click Add to monitor the applications. You can add up to 25 applications for monitoring.
Save the list of selected applications.

Monitor Custom Applications

Your organization may use applications that are not predefined in CV-CUE. You may want to monitor such applications for QoE. Add such applications as custom applications and monitor them from Dashboard.

Follow these steps to add and monitor custom applications:

Go to DASHBOARD > Applications tab. Ensure that you are at the root folder.
On the Application Experience widget, click the Monitor Application Experience icon.
On the Monitor Application Experience right panel, click Custom Applications.
Provide the Application Name, IP address and port number used by the application. The application is added to the Monitor Application Experience right panel. Use the Plus icon to add multiple applications.
Save the applications.
On the Monitor Application Experience right panel, search the custom application and click Add.

View and Pin Applications on the Dashboard

On the landing page of Applications Dashboard, the Application Experience widget displays only 5 applications out of 25 in a card view. To see the card view of all 20 applications, click Show All.

You can choose which applications you want to view on the landing page by pinning your desired applications. To pin the applications on the Dashboard landing page for default view, click Show All in the Application Experience widget. Pin the application using the Pin button.

If you don not pin any applications, then CV-CUE displays the applications based on its usage or application experience. Use the Most Affected or Most Used filter to view the applications without pining them.

Clients by Application Experience Widget

The widget shows the application QoE by client count for each application in the last 2 hours. There is also an aggregated view which shows how many clients had poor experience across all selected applications in the last 2 hours. To display the application experience graph for a single application, click All Selected Applications and then select the application from the list.

The application QoE is available for the last two hours. For example, in the following image, you can view the application experience for the Google Meet application in the last 2 hours. So, from the image you can infer that in the past 2 hours, 1 client faced poor application experience between 90 to 100 percent of the time, which indicates a bad user experience. Similarly, around 15 clients faced poor application experience between 0 to 10 percent of the time, which indicates a good user experience.

Logical Categorization of Clients and Failures

CV-CUE creates logical categories of clients, grouping them based on properties such as their band of operation (2.4, 5, or 6 GHz), OS type, etc. You can then drill-down from Client Journey and troubleshoot issues based on these client properties - for example, you can check if Association failures occurred for clients on a particular band. The grouping of clients into meaningful logical categories speeds up Root Cause Analysis (RCA) of client connectivity issues. You no longer need to spend time trying to extract patterns from a row-column grid of data.

CV-CUE logically groups clients into categories based on the following properties:

OS Type - The client operating system type, e.g. Android, iOS.
Protocol / Band - The 802.11 protocols or bands the client is operating on, e.g. b/g, ac.
Manufacturer - The client manufacturer, e.g. Apple, Samsung.
Sticky Status - Indicates if it is a "sticky client", i.e., if it is connected to an AP even though it sees better signal strength from a neighboring AP.

The Dashboard > Connectivity and Performance views show clients grouped by categories.

Drill-Down by Logical Client Category

You can drill-down and analyse client Connectivity and Performance issues by filtering on logical client categories - for example, you can view all Authentication failures for Windows 10 clients.

To analyse connectivity issues by logical client categories:

Go to DASHBOARD > Connectivity>Client Journey.
Select the stage in the client journey that you want to analyse. For example, to analyse Authentication failures, select Authentication.
You will see the list of clients that failed authentication, with filter tabs for the most prominent characteristics, i.e., logical groupings. For example, the following figure shows tabs for Associated SSID,Frequency Band,Operating Systemand Capability.
Select the characteristic (for example, logical category) by which you want to filter the list of clients. For example, to see the list of clients with WiFi 6 Capability that failed authentication, click the Capability filter tab.
You can see the distribution of clients across logical categories by selecting the pie chart to the right of the filter tabs.
A Distribution window pane opens up, containing client details grouped by logical categories such as Manufacturer, OS Type, etc. as shown below. You can then select a category from this window to filter the list of clients by that category.

Infrastructure Dashboard

The Infrastructure Dashboard that provides an overview of the health of all managed access points (APs).

Navigate to Dashboard > Infrastruture to view the Infrastuture Dashboard.

Infrastructure Dashboard charts consider the CPU Utilization and Memory Utilization of all the APs present at a server to calculate the average CPU Utilization and Memory Utilization based on the different selected criterias. The average is used as the threshold to point out the APs that have higher than average CPU and Memory Utilization.

Note: You must have Aeris enabled on your server to leverage this feature.

With the Infrastructure Dashboard, network administrators can get the health check of all the APs installed at a particular location. In case of network failure, network administrators can use the dashboard to identify APs showing anomalous behavior. Infrastructure Dashboard also allows network administrators to take preventative and corrective actions based on the health insights. It helps them identify APs that have high CPU or memory utilization which might lead to network downtime because of reboot or panic due to high utilization.

Infrastructure Dashboard consists of the following charts:

CPU vs Memory Utilization by Access Point
CPU vs Memory Utilization by Location
Access Points by CPU Utilization
Access Points by Memory Utilization
Trend - CPU Utilization/Memory Utilization

CPU VS Memory Utilization by Access Point

CPU vs Memory Utilization by Access Point graph represents the cpu vs memory utilization data of all the access points on the server. Each data point on the scatter plot represents data for each AP. Hover over each AP to get more details and click the plotted data point to view the AP detail page. You can also narrow down the results by filtering the APs by AP build, AP model, and time duration.

CPU VS Memory Utilization by Location

CPU vs Memory Utilization by Location chart groups the APs by location. All the APs at the selected location and its child location are considered in this chart. Hover over each location to get more details about the number of APs, their average CPU utilization and their average memory utilization. You can also narrow down the results by filtering the APs by AP build, AP model, and time duration.

Click the plotted data point to view the AP list with their average CPU and Memory Utilization details.

Access Points by CPU Utilization

Access Points by CPU Utilization chart depicts the number of APs based on their utilization range.

Hover over the bar to get the number of APs in a particular range. You can also click the bar to view more details about the APs.

A yellow bar denotes APs having utilization more than the threshold. The threshold is calculated by the following formula.

Threshold = (mean utilization of all the APs + standard deviation *2)

APs with utilization higher than the calculated threshold are marked with the yellow bar. And all the APs with utilization of more than 80% are marked with red bar.

Access Points by Memory Utilization

Access Points by Memory Utilization chart depicts the number of APs based on their utilization range.

Hover over the bar to get the number of APs in a particular range. You can also click the bar to view more details about the APs.

A yellow bar denotes APs having utilization more than the threshold. The threshold is calculated by the following formula.

Threshold = (mean utilization of all the APs + standard deviation *2)

APs with utilization higher than the calculated threshold are marked with the yellow bar. And all the APs with utilization of more than 80% are marked with red bar.

Trend Utilization

Trend Utilization chart depicts the trend of average CPU and Memory Utilization of all APs installed at the selected location. The trend chart shows 25, 50 and 75 percentile utilization of the APs. The trend chart uses comparative data and not the absolute data to depict percentile utilization.

A change in the trend during a particular time duration can help administrators identify network issues or time frames when network congestion is highest.

FEED

FEED is a network dashboard that presents a timeline view of all the detected anomalies in the network. CV-CUE curates the feed by continuously monitoring and proactively detecting anomalies in the network. It also analyzes the cause of the anomaly and provides dynamic suggestions to mitigate the issue. The administrator can analyze the issue, the AI-based recommended action, and then decide on the best approach to mitigate the issue. Feed also lets administrators go back in time and understand anomalies that occurred in the past.

Administrators can also configure a Slack, Google Chat, or Microsoft Teams webhook to get a notification whenever an anomaly is detected.

Note: This is a BETA feature. Reach out to your Arista account manager to enable it.

This chapter contains the following topics:

FEED Dashboard
Configure Subscriptions

FEED Dashboard

To view detected anomalies, navigate to FEED.

At the top of the feed dashboard is the anomaly highlight widget. The anomaly highlight shows the number of anomalies detected in the last 2 hours. If no anomaly was detected in the last 2 hours, it shows when the last anomaly was detected.

Following the analogy highlight, the Feed displays the network timeline of detected anomalies within the chosen time frame. You can select the time frame using the time slider on the left.

For each detected anomaly, the dashboard shows the top affected locations, root causes and correlations, and actions you can take to mitigate the anomaly.

Click the Actions that can be taken to mitigate the issues link to view the recommend actions. Click More Details to view a detailed Root Cause Analysis of the detected anomaly.

Configure Subscriptions

You can configure a Slack, Google Chat, or Microsoft Teams webhook to send alert notifications to your configured channel anytime a network anomaly is detected.

To configure a subscription:

Go to FEED.
Click Configure Subscription.
Click Add Subscription.
Add the following details:
1. Subscription Name: Enter a name for the subscription.
2. Type: Select Slack, Google Chat, or Microsoft Teams.
  Add the webhook link configured for your channel. For information on adding an incoming webhook, refer to:
  Slack: https://api.slack.com/messaging/webhooks
3. Webhook Link: Add the webhook link configured for your channel. For information on adding an incoming webhook,refer to
  - Slack: https://api.slack.com/messaging/webhooks
  - Google Chat: https://developers.google.com/workspace/chat/quickstart/webhooks
  - Microsoft Teams: https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook?tabs=dotnet
4. Select Webhook Enabled.
5. Click Test-Webhook Link to send a test message to your configured channel.
6. Click Save.

Anytime an anomaly is detected, CV-CUE sends an alert message to your configured channel. The message contains information about the number of affected clients, their location, root cause, and key co-relations.

Monitor Wi-Fi

The Monitor tab in CV-CUE is primarily used for monitoring the Clients, APs, Radios, WLANs, Applications, and Tunnels in the network. You can perform troubleshooting operations based on the information collected for each of the components in the Monitor tab.

Select MONITOR tab from the left panel to get an overall view of your network that is categorized into the following tabs:

Clients: Presents a list of clients connected to and clients that failed to connect to Arista devices.
Access Points: Lists the Arista devices that are operating in AP or in AP/Sensor mode.
Radios: Lists the radios operating on 2.4, 5, and 6 GHz frequencies.
Active SSIDs (WLANs): Lists the SSID profiles.
Application Visibility: Lists the applications with details about their data usage for a specific SSID.

Tunnels: Lists the tunnels used by the SSIDS to traffic the data between endpoints.

The Global Counters at the top-right corner provide you the summary of Clients and Access Points.

You can use global counters to get the count of:

Total managed devices (access points and sensors)
Total active access points
Total inactive access points
Total currently online clients
Total switches

This chapter contains the following topics:

Clients
Access Points
Custom Certificates for Access Points
Radios
Active SSIDs
Application Visibility
Application Traffic
Automated Root Cause Analysis

Clients

The Clients tab displays the clients that are connected to APs. The type of Clients differ depending on their association with the AP.

The Client grid has drop-down list at the top-right corner, with options Live and All. The clients are listed on the following criteria:

If you select Live: A list of clients with the following status are displayed:
- Clients that are successfully connected to Arista APs.
- Clients that failed to connect.
If you select All: A list of clients with the following status (including Live clients) are displayed:
- Clients that are successfully connected to Arista APs.
- Clients that failed to connect.
- Clients that are currently visible but not connected to an Arista AP.
- Clients that are currently not visible, but connected earlier to an Arista AP.
- Clients that are currently not visible and failed to connect in their last attempt.

To know the status, hover the mouse over the Status icon.

When you click the name of a client, you are redirected to the Client Events widget with a Graph view. You can view the client detail dashboard by clicking, Upgrade to our latest client details page now!.

Graph View (Old view)

Click Switch to Table View, and you can see the following properties of clients displayed in the tabular format:

Property	Description
Status	Indicates if the client is successfully associated or failed to connect.
Name	Specifies the user-defined name of the client.
User Name	Provides Username of the client
Role	After client is connected via any SSID, it is assigned with Role configured in SSID profile.
Google Authorized	It is boolean value to represent whether client is authorized using google integration.
Location	Location of the client.
MAC Address	Specifies the unique 48-bit IEEE format address of the client assigned to the network adapter by the manufacturer.
IP Address	IP address of the client.
OS	Name of Operating System running on the client.
Associated AP	Specifies the AP with which a client is associated. This is the AP through which the client communicates with other clients and devices on the network.
Associated SSID	Specifies the operating SSID of the AP with which the client is associated.
Avg. data rate	Refers to the average amount of data transferred per unit of time
RSSI(dbm)	Displays the observed RSSI (Received Signal Strength Indicator) value for the client.
Uplink Data	Indicates the amount of data transferred by the client.
Downlink Data	Indicates the amount of data received by the client.
Protocol	Indicates the 802.11 protocol (with or without 802.11n or 802.11ac capability) used.
Up/Down Since	Date and time since the client is up or down.
First Detected At	Indicates the time and day when the client was first detected
Retry Rate (%)	Indicates the retry rate in percentage
Sticky	Denotes whether client is sticky or not. Sticky client means if client is connected to AP and while roaming it found better AP with more better signal strength, still it decides to stay connected with older AP.

The client icon also supports a context menu. Right-click the client icon to view the context menu.

Image showing the context menu when right-clicking the client image. — Figure 1. Context menu in Client Details

You can view ongoing activities of a Client using View Ongoing Activities option available to the right top corner on the Client table. The available activities are:

Live Client Debugging- The Live Client Debugging feature enables you to troubleshoot client activities. Selecting this feature displays the list of the clients, for those any live activities are in progress.
Packet Trace- Capture Packet Trace action on a client to intercept a data packet that is crossing or moving over a specific network. Selecting this activity displays the list of those clients for which packet trace is in session.
Prevention- Prevention activity displays the list of all quarantined clients.
None- Selecting None provided the list of all the clients without any filters.

You can perform the following actions on every client, these actions are available on a right click on any client:

Action	Description
Rename a Client	To change the name of a client.
Capture Packet Trace for a Client	Responsible for intercepting a data packet that is crossing or moving over a specific computer network
View Packet Trace History for an Access Point	Displays packet traces captured in the last 30 minutes
Start Live Client Debugging	Displays live client logs of a client.
Disconnect	Disconnects the client.

Click on a client in the Clients list to view the following:

Client Connection Logs
Client Events Logs
Baselines
Top Locations Affected by Poor Performance
Client Traffic Volume
Application Session Logs
Devices Seeing This Client

Client Explorer

Client Explorer helps you view the distribution of clients that are connected to Arista devices.

It provides a summary view of all the clients and provides an easy way for the network administrators to understand client distribution for each attribute. For example, network administrators can use the Client Explorer to understand client distribution for different versions of Wi-Fi and determine the percentage of legacy clients at a location.

To view the Client Explorer,

Navigate to MONITOR > WiFi > Clients.
Click Client Explorer

On the Client Explorer chart, you can filter the clients based on their association attributes such as SSID and with AP as well as a range of Client properties. You can use the client connection status drop-down menu to view graphical client distribution based on the selected attribute.

Connection Status

If you select Live, the chart shows data corresponding to clients with the following status:

Clients that are successfully connected to Arista APs.
Clients that failed to connect.

If you select ALL, data for clients with the following status is displayed in the chart:

Clients that are successfully connected to Arista APs.
Clients that failed to connect.
Clients that are currently visible but not connected to an Arista AP.
Clients that are currently not visible, but connected earlier to an Arista AP.
Clients that are currently not visible and failed to connect in their last attempt.

Hover over the Status icon to view the current selection for client connection status filter.

Client Attributes

You can further filter the clients by the following attributes:

Associated SSID
Vendor
Capability
Channel
Associated AP
Connection Failure Type
Protocol
Google Auth Status
Role Operating Status

You can select and deselect a particular bar in the bar graph to filter the tabular data in the client list.

Client Dashboard

Along with client and network details, the client details dashboard also contains multiple data points regarding client connectivity, performance, and application experience. From a single dashboard, you can conduct live troubleshooting, and review past data to identify and troubleshoot past issues, thus resulting in a faster resolution.

The Client Details Dashboard contains a client connection widget, a client properties widget, and multiple tabs containing different charts and graphs showcasing client details.

Client Connection Widget

The top section of the dashboard has the client connection widget, which visually shows the selected client's network connectivity path. It shows the Client > AP > Switch association.

Hover over any device to view more information about it or click the three-dot menu next to the device icon to see the available actions for that device.

Client Properties Widget

The left side of the dashboard contains the following sections that display client properties:

Device Details
RF Details (Radio Frequency)
Network Details - Only available for connected clients.

Client Dashboard Tabs

Client Dashboard is divided into the following tabs:

Overview
Connectivity
Performance
Application
Floor Plan

Overview Tab

At the very top of the Overview tab is the RCA widget, which shows the Root Cause Analysis for the symptoms faced by the client and the reason, along with the possible solution for the issues.

The Client Health Widget contains multiple charts related to client health, such as % Poor application experience, Connectivity Failures, RSSI, Data Rate, Wired Application Latency, Wireless Application Latency, Retry Rate %, etc. It is an interactive widget that you can customize according to your preferences. You can customize it to add or remove certain charts and change the order of visible charts. You can also hover over any data point to view more information.

To configure the widget, click the Customize

icon next to the chart filters to open the Configure panel. The following image shows the Configure panel for the Client Health widget:

Connectivity Tab

The connectivity tab contains charts that display the client’s connection attempts, the client’s roaming events from one AP to another, and a list of APs watching this client.

The connectivity tab shows the following charts:

Client Events / Roaming Explorer
Devices Seeing This Client
Recently Probed SSIDs
Association History

Performance Tab

The performance tab contains RSSI, Data Rate, Retry Rate %, and Traffic Volume charts.

Application Tab

The application tab displays charts that provide details about the applications used by the client such as the number of applications, application latency, poor application experience, etc.

It contains the following charts:

Application Explorer
Top Applications by Traffic
Application Experience

Floor Plan Tab

The floor plan shows the location of the client on the floor. For the client to be located on the floor plan, it must be visible to at least three APs operating in the same frequency band. At least three APs must report the device and the APs must be placed on the floor.

If the client cannot be located on the floor plan, the proximity view is displayed.

Troubleshooting a Client

You can perform the following actions on each client. These actions are available under the Troubleshoot menu.

Rename: To change the name of a client.
Capture Packet Trace: To intercept a data packet that is crossing or moving over a specific network. The captured packet is stored temporarily for analysis. The packet is inspected to help diagnose and solve network problems.
Packet Trace History: To view the Packet Trace History for the selected client. The packet traces captured only during the last 30 minutes are displayed in the history.
Start Live Client Debugging: Displays live client logs of a client connection.
Disconnect:Disconnects the client.
Update Device Tag: Update the device tag of the client.

Roaming Explorer

Roaming Explorer provides a graphical and tabular view of a client’s roaming events from one access point (AP) to another AP.

To view the Roaming Explorer,

Navigate to MONITOR > WiFi > Clients.
Click Roaming Explorer next to the Client Events widget.

Roaming Explorer consists of a graph view and a split view.

Graph View

The graph view appears as follows:

It is a line graph denoting the client’s roaming activities on different APs. The APs are listed based on the number of events logged for each AP, with the AP having the highest number of roaming events listed on top. The Y-axis shows the APs, and the X-axis shows the timeline of the roaming event. You can hover over any event to view more details about it.

Graph view considers the following roaming events only:

Association Failure
Fast Roaming Failure
Successful-Fast Roam
Successful-First Association

Split View

The split view consists of a graph view and tabular data that lists all the clients' events along with the event timestamp and further details such as BSSID, AP Name, Location, Frequency Band, and more.

Client Connection Logs

Selecting a client in the Clients list displays the connection logs.

Client Connection Logs shows the list of successful or failed connection attempts made by client. The list provides information about every attempt of connection made by a client. Green color represents successful connection. Red color represents failed connections. Client connection logs can be retrieved only for 802.11ac or higher APs.

You can view or fetch the connection logs for the following time intervals:

2 hours
4 hours
8 hours
12 hours
1 day
1 week

You can view the Client Connection Logs in one of the following views:

Timeline View
Grid View

The Timeline View appears as follows:

The Timeline View displays the list of connections logs with additional information as follows:


Field	Description
Timestamp	Indicates the date and time when the client connected to an AP.
Average Latencies	Average latencies of various stages and their sub-stages in the Wi-Fi connection for the client.
BSSID	BSSID is the MAC address of the AP to which the client attempted to connect.
AP Name	Name of the AP to which the client attempted to connect.
SSID	SSID of the WLAN to which the client is connected.
Channel	Operating channel of the AP to which the client attempted to connect.
Disconnect	Disconnects client from AP.

The Grid View appears as follows:

The Grid View contains detailed information in a tabular format:


Field	Description
BSSID	BSSID is the MAC address of the AP to which the client attempted to connect.
AP Name	Name of the AP to which the client attempted to connect.
SSID	SSID of the WLAN to which the client is connected.
Channel	Operating channel of the AP to which the client attempted to connect.
Timestamp	Indicates the date and time when the client connected to an AP.
Event	Indicates if the client successfully connected.

A red symbol in the Event column of the connection logs denotes client connection failure. Hover on the red text to know about the failure type. The types of failures are:


Failure Categories	Main Failure Type
Association Failure	AP association limit exceeded
	Capability mismatch
	Association failure
Authentication Failures	Eapol 4-way handshake failed
	RADIUS authentication failure
	Radius server not responding
	Incorrect Pre-Shared Key
	Fast roaming failed
Network Failures	Captive portal - shared secret mismatch
	Captive Portal authentication failed
	Captive portal - client in blackout period
	DHCP failed
	DNS failure

You can filter connection logs data in Grid View using the Filter icon on the top right corner. Filter is applied on the following column:


Column	Filtering Criteria	Description
Event	All	Retrieves all the event logs.
	Successful	Retrieves only successful event logs.
	Failed	Retrieves only unsuccessful event logs.


Filtering Criteria	Description
Enter the From and To dates.	Retrieves client connection logs between the From and To dates.
Check the Long Time Ago check box and enter the To date.	Retrieves all client connection logs till the To date.
Enter the From date and check the Now check box.	Retrieves client connection logs between the From date and the current date.
Check the Long Time Ago and Now check boxes.	Retrieves all the available client connection logs.

Client Events Logs

You can view Client Events Logs by navigating to Clients -> Client Connection Logs drop-down menu -> Client Events Logs.

Client Event Logs by default opens in a full screen mode. It lists majority of client events including connection attempts. The list provides information about client connectivity events. Green color represents successful connection events. Grey color represents intermediate events. Red color represents failed connection events.

You can view or fetch the connection logs for the following time intervals:

2 hours
4 hours
8 hours
12 hours
1 day
1 week

You can view the Client Connection Logs in one of the following views:

Graph View
Grid View
Consolidated View

Graph View

The Graph view displays the connection events of the client at a specific time. When you hover over each event, some of the information you see in the tooltip is:


Field	Description
Timestamp	Indicates the date and time when the client connected to an AP.
Average Latencies	Average latencies of various stages and their sub-stages in the WiFi connection for the client. This is seen in case of a successful connection event.
BSSID	BSSID is the MAC address of the AP radio for that SSID.
AP Name	Name of the AP to which the client attempted to connect.
SSID	SSID of the WLAN to which the client is connected.
Channel	Operating channel of the AP to which the client attempted to connect.
Location	Location of the AP to which the client is connected.
Frequency Band	Frequency band of the client connected to the AP.

Graph View

The Graph view appears as follows:

If you are interested in a specific event, you can apply filters based on various criteria to view the specific event. The filter is applied on the Grid view but the filter criteria are reflected in the Graph view as well. You can remove the filter from the Grid view.

Use the range scroll to limit the time period of the graph. If you don not want to use the scroll, you can also select the desired area in the graph using a mouse pointer. To go back to the original full range time period, click Reset Zoom. The Graph view is effective in full screen mode. Click the Full Screen icon (expand icon) to enter the full screen mode.

You can click a specific event in the graph and the corresponding event detail is highlighted in the table.

Grid View

The Grid View appears as follows. The red, green and grey colored symbols in event column of the client event logs denotes unsuccessful, successful and intermediate events respectively. Hover on each text to know about type of event occurred.

Client Events are categorized into 5 major categories and further divided into various intermediate events.


Field	Description
BSSID	BSSID is the MAC address of the AP to which the client attempted to connect.
AP Name	Name of the AP to which the client attempted to connect.
SSID	SSID of the WLAN to which the client is connected.
Channel	Operating channel of the AP to which the client attempted to connect. The channel is shown as Dual for sensor that operates on both 802.11a and 802.11b/g simultaneously.
Timestamp	Indicates the date and time when the client connected to an AP.
Event	Indicates if the client successfully connected.
Packet Capture	It provides the link of the wireshark file, that contains a packet capture for all failure events. User can open the file in Arista packets or download the file.

Consolidated View

Consolidated view captures client event logs of all clients connected to Arista devices. To view all client event logs, navigate to TROUBLESHOOT > Event Logs and click the Clients tab. The consolidated view appears as follows.

Top Applications by Traffic in Client Tab

Top Applications by Traffic chart graphically represents data usage for applications. It always represents data for top five applications, with highest traffic. To view exact data usage, hover on the specific bar in the graph.

The data on the widget can be filtered using the available filters on the top right corner of the widget. To know more about the filters refer Filters on Widgets.

Client Traffic Volume

The Client Traffic Volume graph represents the data traffic sent and received by the client every 15 minutes. X-axis in the graph denotes the time period for which the Data Usage is plotted and Y-axis denotes the Traffic Volume.

This data usage includes Uplink Data as well as Downlink Data for all applications. User can choose to view the Client Traffic for:

2 hours
4 hours
8 hours
12 hours
1 day
1 week

Hovering the mouse on data point provides detail information about data usage.

The graph contains the following details about the data:

Time stamp: It includes day, date, month, year, and time of data usage.
Uplink Data: It states Uplink Data usage.
Downlink Data: It states Downlink Data usage.
Data Usage: It states Data Usage for all applications.

Application Session Logs

Application Session Logs provides details of the applications used by the client. Select a client from MONITOR > WiFi > Clients to view Application Session Logs.

The top left corner denotes the total number of application session logs.

Hover on the pie chart icon to view overall aggregated data. The data provides information about Total Sessions, percentage count of Affected Sessions, Total Experience Time and percentage count for Poor App Experience.

The logs on the widget can be filtered using the available filters on the top right corner of the widget. To know more about the filters refer Filters on Widgets.

Detailed information about session logs is displayed in tabular format:


Property	Description
App Name	Name of the application.
Start Time	Session start time.
End Time	Session end time.
Duration(min)x	Session duration in minutes.
% of Bad Time	Percentage of time for which app experience was bad for the specified clients.
Location	Location at which the client connected.
Potential Cause	Potential root cause for application performance to be poor.
Average Bitrate Uplink	Indicates average of the number of bits sent per second by the client in that session.
Average Bitrate Downlink	Indicates average of the number of bits received per second by the client in that session.
Average Bitrate Jitter Uplink	Average standard deviation in uplink bitrate.
Average Bitrate Jitter Downlink	Average standard deviation in downlink bitrate.
Average RSSI(dbm)	Average Received Signal Strength Indicator.
Average Retry Rate	Average percentage of retry packets out of the total packets sent or received by the client.
Average Data Rate Upstream	Average upstream data rate.
Average Data Rate Downstream	Average downstream data rate.
Roaming Count	Number of APs involved during the session.
Associated AP(s)	List of APs involved in the client session.

Devices Seeing This Client

Devices Seeing This Client represents list of APs currently watching the client.

The top-left corner denotes the total number of APs seeing the client and the name of the AP associated with the client.

The detailed information is as follows:


Field	Description
Name	Name of APs seeing the client.
RSSI (dbm)	RSSI states signal strength of an AP as seen by the client.
Radio 1 Operating Channel	Shows the band and channel operating on radio 1. Channel is shown in brackets.
Radio 2 Operating Channel	Shows the band and channel operating on radio 2. Channel is shown in brackets.
Radio 3 Operating Channel	Shows the band and channel operating on radio 3. Channel is shown in brackets.
2.4 GHz Associations	It states number of clients associated with 2.4 GHz radio.
5 GHz Associations	It states number of clients associated with 5 GHz radio.
6 GHz Association	It states number of clients associated with 6 GHz radio.

Clicking on the name of AP takes you to the Access Points Information page.

Rename a Client

You can change the name of a client.

Perform the following tasks to rename a client:

Go to MONITOR > WiFi > Clients or MONITOR > WIPS > Clients .
Right-click on the name of the client you want to rename or click on the menu icon (three vertical dots) and select Rename Client.
Change the name of the client and click Done to save the changes.

Access Points

Access Point tab provides detailed information of an AP such as its name, IP Address, status, and the switch it is connected to.

Note: An AP's status is set as Inactive after 10 minutes of Inactivity.

You can view ongoing activities on an AP using View Ongoing Activities option available to the right top corner on the AP table. The list of live activities that can be viewed for AP are:

Packet Trace: Capture Packet Trace action on an AP captures the packet and inspectes it to help diagnose and solve network problems. Selecting this activity displays the list of those devices for which packet trace is in session.
Prevention: Prevention activity displays the list of all quarantine devices.
Client Connectivity Test:Client Connectivity Test tis performed to troubleshoot an AP that has client connectivity issues. Client Connectivity Test action displays the list of such devices, for those the troubleshooting is in progress.
None:Selecting None provided the list of all the APs without any filters.

You can perform the following actions on every AP, these actions are available on a right click on any AP:


Action	Description
Update Firmware	Using this option you can update the firmware on the AP to the latest or any previously released version.
Access Point Event Logs	A log table that maintains event logs of APs.
Run Client Connectivity Test	Runs the Client Connectivity Test.
View RF Explorer	The RF Explorer shows you information such as the channels occupied by other APs in the vicinity of the AP and the RSSI values for each of the neighboring APs as seen by the AP.
Capture Packet Trace	This option helps troubleshoot Arista devices operating in AP or AP/Sensor mode.
Packet Trace History	You can view the Packet Trace History for a selected AP.
View on Floor Map	This option redirects you to the location on the floor map where the AP is placed.
Customize Transmit Power or Channel	Transmit Power Selection enables you to control the transmission power of the AP.
Move	Using Move operation you can change location of an AP.
Reboot	This operation Reboot's the AP.
Rename	Renames the AP.
Delete	Deletes the APs from the list of available APs.

Click on an AP in the list on the MONITOR > WiFi > Access Points page to go to the AP details page . The AP details page shows the event logs of the AP, a list of clients associated with the AP and their details, a graph showing clients by average data rate, top applications by traffic, and network usage. The selected AP's name is displayed on the top-right of the page. You can select another AP from the drop-down list.

The AP details page provides the following information:

Network Usage - Traffic: The chart displays a line graph showing the number of client association and its traffic volume, for all the clients on the selected folder or floor.
Network Usage - Poor Application Experience: This chart provides overall application usage analysis.
Baseline - Clients Affected By Poor Experience: The Baseline - Clients Affected By Poor Performance graph calculates the baseline for the percentage of clients affected by poor performance, for the selected AP, over a period of time.
Baseline - Retry Rate%: The graph calculates baseline for the Retry Rate % of the clients connected to the selected AP
Baseline - Averge Data Rate: The graph calculates the data rates for 2.4 GHz, 5 GHz, or 6 GHz for the selected SSID(s) and duration.
Baseline - Clients Affected by Failure: Baseline - Clients Affected by Failure chart provides calculated baseline for the percentage of clients that failed due to connectivity issues.
Baseline - Clients Affected by Poor App Experience: Baseline - Clients Affected chart provides the calculated baseline for the percentage of clients affected by poor app experience. This data is provided for the selected AP.
Clients by Average Data Rate: Displays a bar graph of the clients and their data usage, for the selected AP.
Top Applications by Traffic: Displays a bar graph of the top 5 applications that has highest data usage, for the selected AP.
Spectrum Occupancy: Shows the number of active radios and clients across the Rf spectrum.
Channel Utilization: Shows the AP channel utilization.
Currently Associated Clients: Currently Associated Clients widget provides the list of clients that are currently associated with the AP.
Ap Health: Shows the CPU and memory utilization of an AP.
Devices Seeing this AP: The widget displays the list of managed devices observing the selected device.
Visible VLANs: The widget displays details of the VLANs visible to the managed device.
Visible Access Points: Provides the list of the APs visible to the selected AP.
Visible Clients: Provides the list of clients visible to the selected AP.

Note: Views and charts that show information about channels other than the operating channels of the AP work best when the AP has a dedicated scanning radio. APs that do not have a dedicated scanning radio use background scanning, where typically an AP goes off-channel once every 60 seconds to scan one channel for 100 ms. Because background scanning takes a long time to scan all channels in the band, an AP in background scanning mode has a snapshot of the network that is anywhere between five minutes to an hour old. During this time, the radio environment could have changed significantly.

In the AP details view, you can click on the AP name under the AP icon (when you hover, you see the View Properties tool tip) to open the AP properties right panel. The panel shows you the wired side properties and health stats for the AP.

Note: The wired properties of only the primary interface (eth0) of the AP are shown, and LLDP must be enabled on the switch for current switch properties to be shown.

The managed APs also support a context menu from the AP Details page. Right-click the managed AP icon to view the context menu. T

Image showing the context menu when right-clicking the AP icon. — Figure 2. Context menu in AP Details page

The following table shows whether, depending on the state of the AP, the wired properties are current or they reflect the last known values. For example, for active APs, the wired properties shown are the current ones but for inactive APs they are the last known values. The values are not displayed for APs 802.11ac Wave-1 or lower and for APs with firmware older than version 8.9. Some properties (e.g., Health Stats) are updated at periodic intervals; others (e.g. Switch Name) are updated if and when needed.

AP State	Switch Properties			VLANs Detected	IPv4 or IPv6 Properties	Link Speed	Health Stats
AP State	Switch Name	Switch Vendor	Switch Port	VLANs Detected	IPv4 or IPv6 Properties	Link Speed	Health Stats
Active	Current	Current	Current	Current	Current	Current	Current
Inactive or Offline	Last Known	Last Known	Last Known	Last Known	Last Known	Last Known	Last Known with a note in the right panel: "Values when AP was last active" (shown "--" in the Managed Devices and AP listing)
Mesh Root	Current	Current	Current	Current	Current	Current	Current
Mesh Non-Root (Powered by DC or PoE brick)	Not Displayed ("--")	Not Displayed ("--")	Not Displayed ("--")	Current	Current	Not Displayed ("--")	Current
Mesh Non-Root (Used for network extension and connected to a switch)	Current	Current	Current	Current	Current	Current	Current
Link Aggregation: eth0 Up (regardless of whether eth1 is Up or Down)	Current	Current	Current	Current	Current	Current	Current
Link Aggregation: eth0 Down and eth1 is Up	Last known	Last known	Last known	Last known	Current	Last known	Current
Failsafe	Last Known	Last Known	Last Known	Last Known	Last Known	Last Known	Last Known with a note in the right panel: "Values before AP entered failsafe mode" (shown "--" in the Managed Devices and AP listing)
LLDP Disabled on Switch	Last Known	Last Known	Last Known	Current	Current	Current	Current

The wired properties of only the primary interface (eth0) of the AP are shown. Thus, when using link aggregation, the switch and VLAN wired properties reflect the information available on the primary interface only; their values do not depend on the state of the secondary interface (eth1). The IP and health stats, however, do not depend on a particular interface; their values are current as long as at least one of the two interfaces is up.

Access Point Explorer

AP Explorer provides a holistic view of all the APs at a location and provides an easy way for the network administrators to understand AP distribution for each attribute.

To view the AP Explorer,

Navigate to MONITOR > WiFi > Access Points.
Click Access Point Explorer.

Alternatively, you can also navigate to AP Explorer from MONITOR > WIPS > Managed Device Explorer.

On the AP Explorer chart, you can filter the devices based on the Device Status (All, Active, or Inactive). You can use the attribute drop-down menu to view graphical AP distribution based on the selected attribute. For example, you can the AP Explorer chart to get a summary view of AP Health by looking at the APs based on CPU Utilization or Memory Utilization.

Clients by Avg. Data Rate for an Access Point

The Clients by Avg. Data Rate graph displays clients classified based on data rate. CV-CUE has pre-defined, fixed thresholds for Average Data Rate. Since thresholds are configurable, user may select a value that falls in between a bucket on the X-axis. For instance, if a user sets the data rate threshold to 75 Mbps and RSSI threshold to -68 dBm, then these values fall in the “50 to 100 Mbps” data rate bucket and “-65 to -75 dBm” RSSI bucket, respectively.

The following logic is used to determine the color of the bar that falls in such a bucket:

If all values in the “50 to 100 Mbps” bucket are below 75 Mbps, then the bar in the “50 to 100 Mbps” bucket is red.
If all values in the “50 to 100 Mbps” bucket are above 75 Mbps, then the bar in the “50 to 100 Mbps” bucket is green.
If some values in the “50 to 100 Mbps” bucket are above and below 75 Mbps, then the bar in the “50 to 100 Mbps” bucket is yellow.

The chart can be observed for the following bands:

2.4 GHz
5 GHz
6 GHz
All Bands

Currently Associated Clients for an Access Point

Currently Associated Clients widget provides the list of clients that are currently associated to the AP.

The graph displays the following information:


Column	Description
Name	Name of a device to which AP is connected.
User Name	Name of a user.
MAC Address	Unique 48-bit address of the AP/ 802.11 PHY modes used by the AP.
IP Address	IP address of the AP
Associated SSID	Name of a SSID to which client is connected.
OS	Operating System running on the client.
UP/Down Since	Up since time or Down since time
RSSI (dBm)	Received Signal Strength Indicator.
Sticky	Denotes whether client is sticky or not. Sticky client means if client is connected to AP and while roaming it found better AP with more better signal strength, still it decides to stay connected with older client.
Tx Data Rate	Tx Data Rate is Transmission Data Rate of a client.
Rx Data Rate	Rx Data Rate is Received Data Rate of a client.
Avg Data Rate	Avg Data Rate is Average Data Rate of a client
Retry Rate (%)	Retry Rate (%) is Retransmission rate of a client.

Top Applications by Traffic for an Access Point

Top Applications by Traffic chart graphically represents data usage for applications. It always represents data for top five applications that have highest data usage (transmit and receive). To view exact data usage, hover on the specific bar in the graph.

You can choose to view the top applications by traffic for the following time intervals:

2 hours
4 hours
8 hours
12 hours
1 day
1 week

Network Usage

If you hover over the graph, a tooltip providing quick information like timestamp, the number of clients associated and the used traffic volume appears.

You can view or retrieve data using the filters. To know more about these filters refer Filters on Widgets.

The data of the network usage chart can be filtered based on two parameters; a client's data and the amount of data used by an application.

Drill down on the bar, redirects you to another page that contains:

Client Connections table - contains the list of all the client connections along with their detailed information for the selected timestamp.
Top Applications - that shows top ten applications with highest data usage. You can select an app from the drop-down list given on the top left corner of the table. Along with the selected application name it displays application specific data consumption.
All Application traffic - it displays the total amount of data used by the applications for a selected Access Point or a location. This information is shown at the top-right corner of the table.
Client Connections - selecting client connection displays the list of all the clients using the application selected from the top applications list.
Access Points Distribution - selecting access points distribution displays the list of all the associated APs.

Network Usage - Poor Application Experience

This chart provides overall application usage analysis. It states the time for which application quality was good and the time for which it was bad.

The graph displays poor app experience in red colour and good app experience in green colour. X-axis displays time slots and Y-axis displays amount of time app quality was good or bad.

Hover on the graph provides a tool tip with the following information:

Timestamp
No of associations
Aggregated value for poor app experience in percentage.

Click the data point or bar graph in the chart to view more details.

There are four filters provided on the right corner of the chart to filter the data:

Conferencing Apps Filter

The graph can be viewed for specific conferencing app using All Conferencing Apps filter. Filter can be applied on the following apps:

WebEx
Skype
GoToMeeting
Hangouts
Slack
Microsoft Teams
Zoom

Selecting All Conferencing Apps option provides details for all the above listed apps at once.

SSID Filter

The application quality can also be viewed for specific SSID, using All SSIDs filter. Selecting a specific SSID provides a application quality graph for the specified SSID. Selecting All SSIDs provides an aggregated data on a graph for all the SSIDs.

Frequency Filter

The data can be filtered based on frequencies. The data for applications working on the selected frequency is represented graphically. The possible values for frequency filter are:

2.4 GHz
5 GHz
6 GHz
All Bands

Time Filter

You can view or fetch the Application Session Logs for the following time intervals:

2 hours
4 hours
8 hours
12 hours
1 day
1 week

Spectrum Occupancy

As shown in the following figure, you can filter on a band and duration to see the number of radios and clients that were active in that band in that duration. This can help you identify congested or under-utilized bands.

Channel Map

Channel Map displays the number of clients and Access Points (APs) visible to the managed device at a time on a given channel. Network administrators can use this information to identify congested or underutilized channels in a given band.

To view Channel Map, select Channel Map from the drop-down menu in Specturm Occupancy chart.

In the Channel Map chart, from the right-hand drop-down menu, select the band and use the time slider to select your time interval to view the number of visible clients and APs. You can view the Channel Map upto 12 hours in the past from the current time. Hover over the chart to view the exact count of APs and clients on a given channel.

RF Explorer

You can launch the RF Explorer from the Spectrum Occupancy chart or from the AP listing under MONITOR > WiFi > Access Points by right-clicking on an AP and selecting Troubleshoot > View RF Exlporer.

As seen in the previous figure, the RF Explorer shows you what an AP sees in its RF neighborhood. For example, it shows you the channels occupied by other APs in the vicinity of the AP and the RSSI values for each of the neighboring APs as seen by the AP.

You can use the RF Explorer to identify issues such as co-channel and adjacent channel interference, and DFS channels occupied by APs. The grey rectangle stretching across the RSSI axis represents the operating channel of the AP itself; the heights of the other channel trapezoids indicate the RSSI values of those channels as seen by the AP. You can click on an AP from the list of APs to see its channel details on the chart (as seen in the callout in the previous figure).

Interference Classifier

One of the reasons why Wi-Fi clients encounter RF issues is non-Wi-Fi interference. All Wi-Fi 6 and above APs can perform interference classification. CV-CUE classifies interference into four categories — Wi-Fi, Microwave Oven (MWO), Frequency Hopping Spread Spectrum (FHSS), and Continuous Wave (CW).

You can run the interference classifier for a specific band or for a specific channel. The results are shown in a separate tab as a read-only information. To launch Interference Classifier from the AP listing, click MONITOR > WiFi > Access Points . Right click an AP and select selecting Troubleshoot > Start Interference Classifier .

The interference classification opens in a separate tab. Hover your pointer over a data point to see more details about the interference source for a specific channel.

Channel Utilization

As shown in the following figure, the channel utilization chart shows the AP channel utilization (as a percentage value) averaged over 15-minute intervals for both the 2.4 GHz and 5 GHz bands, for the selected duration.

The channel utilization chart is available for 2.4, 5, and 6 GHz bands.

Access Point Health

As shown in the following figure, the chart shows the average CPU and memory utilization of an AP for the selected duration.

Visible BSSIDs

The Visible BSSID widget provides the list of the APs visible to the selected AP. The widget provides two different views: one for Managed BSSIDs and the other for Unmanaged BSSIDs.

Visible BSSIDs - Managed

Selecting Visible BSSIDs - Managed from the drop-down list displays APs that belong to your network and are in the vicinity of the selected AP.

Visible Access Points - Un-managed

Selecting un-managed from the drop-down list displays the Access Points that do not belong to your network but are in the vicinity of the selected AP.

Radios Seeing this Access Point

This widget is available on drilling down from any Wi-Fi device. The widget displays the list of managed Wi-Fi device radios observing the selected device with the best RSSI.

Visible VLANs

The visible VLANs widget is available on drilling down from any managed Wi-Fi device. The widget displays details of the VLANs visible to the managed device. "Monitored" in the Status column indicates that the VLAN is being monitored by that managed device. "Not monitored" indicates that it is being monitored by another managed device.

The VLANs that can be seen by the selected device are populated depending on the following:

If the VLAN is used by the device to communicate with the Wireless Manager (aka communication VLAN); shown marked with an asterisk.
If the ID of the VLAN is added while configuring the SSID.
If you enable Auto VLAN monitoring from CONFIGURE > Device > Access Points > Security, the active VLAN is monitored by the device with the highest MAC address.
Thus the monitored VLAN's ID is added to the monitoring device's list and the VLAN's status is set to Monitored.
If you choose to enable Monitor Additional VLANs , one needs to specify a comma-separated list of VLANs to be monitored. In this situation, any active VLAN from the specified list is monitored. The device with the highest MAC address monitors the VLAN. The monitored VLAN's ID is added to the monitoring device's list and VLAN's status is set to Monitored.

Visible Clients

The Visible Client widget provides the list of clients visible to the selected AP. It also provides the total number of visible clients on the top left corner of the widget.

View Access Point Event Logs

AP event logs table maintain event logs of AP. The captured events are from an AP perspective and do not include data related to clients and their connectivity information. These events are sent by the AP to Wireless Manager in real time and logged at Wireless Manager.

You can view AP Event Logs, by selecting the option Troubleshoot > View Event Longs. with a right-click on any AP.

The detailed information about the event logs is as follows:


Column	Description
Category	It is a category of event.
Type	It is a type of event.
Description	It is description of event.
Date	Timestamp at which event occurred.

The AP Event Logs details can also be fetched for specified durations using Duration Filter. To know more about the duration filter refer Filters on Widgets.

The various types of events that are logged for an AP are:

AP Memory Status
AP Reboot
AP IP Conflict
AP System Service Crash
AP Ethernet Port Status
AP Upgrade Failure
AP Upgraded
AP CLI config change
AP DHCP lease status, etc.

View on Floor Map

View on Floor Map option redirects you to the location on the floor map where the AP is placed.

To view the AP on the Floor Map:

Navigate to MONITOR > WiFi > Access Points or MONITOR > WIPS > Access Points.
Right click on the AP, you wish to locate on the Floor Map.
Select Locate. These option is enabled only if the selected AP is placed on any of the floor maps. Else it is disabled.

Customize Transmit Power or Channel

Transmit Power Control enables you to control the transmission power of the AP. Transmit Control Settings are configured from Radio Settings. These settings are the generic settings for all the APs.

CV-CUE facilitates AP specific Transmit Control Settings.

To know more about Transmit Power Selection refer Configure Transmit Power Selection in Radio Settings and for Channel settings refer Configure Basic Radio Settings.

For AP specific customization:

Navigate to MONITOR > WiFi > Access Points.
Right click on the AP, for which you wish to customize the settings.
Select Customize Transmit Power or Channel.
Select appropriate frequency for which you wish to customize the settings.
Select Customize Transmit Power for transmit power settings. Select Auto or Manual option.
Select Customize Channel Settings for channel settings. Select Operating Channelas either Auto or Manual.
Click Save.

Customize VLANs to Monitor per Access Point

You can configure custom VLANs for individual APs to monitor. The steps to do so are as follows:

Go to MONITOR > WiFi > Access Points or MONITOR > WIPS > Managed WiFi Devices , or go to a floor plan and select an AP on the floor plan.
Right click on the AP and click Customize > VLANs. The Customize Access Point VLANs right panel appears.
Add the VLANs you want the AP to monitor. Detected VLANs are VLANs that the AP has detected on the network. They might help you select VLANs to monitor.
Select whether you want the VLAN to use a Static IP or DHCP. For the Static IP case, enter the IP network configuration.
Select a Communication VLAN from among the monitored VLANs. The AP communicates with the Wi-Fi server over the Communication VLAN. So the Communication VLAN must be one of the VLANs that the AP monitors.
Save the configuration.

Move an Access Point

CV-CUE provides the facility to change the location of an AP using the Move option.

To move an AP:

Go to MONITOR > WiFi > Access Points or MONITOR > WIPS > Access Points.
Right-click on the name of the AP that you want to move and select Move.
Select the new location, where you wish to move the AP.
Click Move.
Select appropriate option to confirm. If you select Yes the selected access points will adopt the configuration applied at the destination folder. Also if the AP is currently placed on any of the floor map, then the AP will be removed from that map.

Behavior - Move Devices

When you move devices across locations, the behavior of the devices may change depending on multiple factors.

The factors to be considered are captured below.

Suppose that you select a mix of devices to move, i.e., some are part of a group and others are not.

For devices that are not part of any group, the behavior is exactly as expected - when moved from one folder to another, these devices start using the default configuration of the destination folder.
If the destination folder has no groups, devices from the source groups will be removed from their respective groups and all devices will start using the default configuration of the destination folder.
For devices that were part of some group in the source folder, see the table below.


Source		Destination
Is the device in a group?	Does the group have a config?	Is the same group available at the destination location?	Behavior
Yes	Yes	Yes	All devices become part of the destination group but retain their configuration.
Yes	Yes	No	All devices are removed from their respective groups and start using the default configuration of the destination folder.
Yes	No	Yes	All the devices are removed from their respective groups and become part of the destination group. They start using the configuration of the destination group.
Yes	No	No	All devices are removed from their respective groups and start using the default configuration of the destination folder.

Reboot Access Points

You can reboot an AP, with the help of CV-CUE.

Perform the following tasks to reboot an AP:

Go to MONITOR > WIPS > Access Points.
Right-click on the name of the AP that you want to reboot and select Reboot.
Click Yes to reboot the AP.

Rename Access Points

You can change the name of the AP.

Perform the following tasks to rename an AP:

Go to MONITOR > WiFi > Access Points or MONITOR > WIPS > Access Points.
Right-click on the name of the AP that you want to rename and select Rename.
Change the name of the AP and click Done to save the changes.

Delete Access Points

You can delete the access points (APs) from the list of APs available on the Access Points tab.

Deleting APs from MONITOR > WiFi > Access Point or MONITOR > WIPS > Managed Devices deletes the BSSIDs (the properties) of the AP but doesn't remove the AP from the listing. To permanently remove the APs fromthe listing, unassign them from Arista Launchpad.

MONITOR > WIPS > Access Point shows all the APs (BSSIDs) visible to the managed access points in the vicinity; the BSSIDs could be the Managed AP's BSSID, another managed AP's BSSID, or neighboring company's BSSIDs.Deleting the neighboring company’s AP removes it from the list. Deleting a Managed AP resets its properties but doesn't remove it from the AP list.

Follow these steps to delete an AP:

Go to MONITOR > WiFi > Access Points or MONITOR > WIPS > Managed Devices.
Right-click on the name of the AP that you want to delete and select Delete.
Click Yes to confirm the deletion.
Important: If the AP is physically active on the network after deletion, then:
- CV-CUE marks the AP to the Unknown location.
- The default Device Settings of the Unknown location is applied.
- The default SSIDs are pushed on the active AP, if the AP is configured in the Device Settings.
- No SSIDs are applied, if the AP is not configured.

View Ongoing Activities on Access Point

View Ongoing Activities is an action available on Access Points screen.

To view the ongoing activities on an AP, perform the following steps:

In CV-CUE navigate to Access > Access Points.
Click on View Ongoing Activities action present on the top right hand corner of the screen.
From the drop-down menu, select one of the following:
Choose From:
- Packet Trace: It displays the list of APs with their information on which the Packet Trace Activity is in progress.
- Prevention: It displays the list of APs in quarantined status.
- None: It displays the list of APs on which no activity is going on.

View Access Point Uptime

Access Point (AP) Uptime indicates how long the AP has been up and running. To view AP Uptime, navigate to MONITOR > WIPS > Managed WiFi Device. The Last Booted At column shows the AP Uptime.

Assign a Device to a Group

You can assign one or more access points from a location subtree to a group. It is a method used to apply a single Wi-Fi configuration to multiple devices across different locations. If a group has no configuration, then the assigned devices will use the default Wi-Fi configuration of their respective locations. On the other hand, suppose an AP already has custom Wi-Fi configuration applied to it. Then if you assign such an AP to a group it will start using the Wi-Fi configuration of the group.

Assigning a device to a group can be performed from two different tabs:

Assign a Device to a Group from Access Points tab
Assign a Device to a Group from the Folders/Floors Page

Assign a Device to a Group from Access Points tab

One of the ways to assign access points to a group is from the access point list available on the access point page.

To assign a device to an existing group, perform the following steps:

Go to MONITOR > WiFi > Access Points.
Right-click on the name of a single AP, that you want to assign to a group or click on the menu icon (three vertical dots) and select Assign/Reassign to a Group.
Select the group to which you want to assign the selected AP.
Info:In case the group is not available in the list, you can add a new group from this panel. The newly added group will always be created at the top-most allowed folder of the selected locations. Adding a group option is disabled, if the user does not have access to the folder.
Note: When assigning multiple APs, only those groups which are available to the selected access points' folders will be listed under the Select a Group panel.
Click Assign.

Assign a Device to a Group from the Folders/Floors Page

In addition to assigning a device to a group from access point’s page, you can also do this from the folder/floor page.

To assign a device to an existing group, perform the following steps:

Go to SYSTEM > Navigator > Folders/Floors.
Right-click on the name of a single AP that you want to assign to a group or click on the menu icon (three vertical dots) and select Show Available Devices option from the list.
Right-click on the name of a single AP that you want to assign to a group or click on the menu icon (three vertical dots) and select Assign/Reassign to a Group.
Select the group to which you want to assign to the selected AP.
Info:In case, the group is not available in the list, you can add a new group from this panel. You cannot add a group if you do not have access to the top-most allowed parent folder. The newly added group will always be created at the top-most allowed parent folder of the selected locations.
Click Assign.

Re-assign a Device to Another Group

This operation allows you to move the access points from one group to another. Once reassigned, selected access points will start using target group's Wi-Fi configuration. If the target group does not have Wi-Fi configuration applied to it, access points will use their location's default Wi-Fi configuration. Even if the selected access points were not assigned to any group, reassigning will assign them to the target group.

Note: If the device is re-assigned to a group that does not have any configuration , then such devices will use the default Wi-Fi configuration of the respective folder.

Re-assigning a device to a group can be done from three different tabs:

Assign a Device to a Group
Assign a Device to a Group from the Folders/Floors Page
Groups

The first two methods are the same as for assigning a device to a group. The third one is applicable only to re-assigning devices.

To re-assign a device to another group from one group's page, perform the following steps:

Go to SYSTEM > Navigator > Groups.
Right-click on a selected group and select Show Assigned Devices.
Right-click on the name of the AP you want to reassign and click Assign/Reassign to a Group.
Select a group from the list to re-assign that device to the selected group.

About Device Firmware Update in CV-CUE

You can configure an automatic update that includes upgrade or downgrade of Arista devices deployed at your enterprise premises. The device update can be configured or scheduled for devices that connect to the server for the first time as well as for existing devices that are already placed at various locations.

A device firmware update configuration is specific to a location and applies to all Arista devices placed at the location. An individual Arista device cannot have an independent device firmware update configuration.

A device firmware update configuration can be created for location folders only. A location floor cannot have its own device firmware update configuration; it inherits the device firmware update configuration from the parent location folder. When you do not recursively apply a device firmware update configuration to the child location folders, the configuration is applied only to the selected location folder and the location floors directly under the selected location folder.

You can choose to apply a device firmware update configuration recursively to the child location folders, when you are creating or editing the device firmware update configuration, However, a child location folder can have its own device firmware update configuration. If you define the firmware update configuration specific to the child location folder when a schedule for its parent location folder is already defined, the schedule configured to the child location applies to the child location folder

When an active schedule is deleted or modified for a location, the sensors of that location on which the update process is already started or the update command is scheduled would still be upgraded.

The device firmware update setting for a location applies to all active devices deployed at the location. The update can be applied to both existing Arista devices and new devices connecting to the Arista Server for the first time. A schedule can be configured for existing Arista devices at a location. The device firmware update configuration is not tied to release numbers. If a server is updated multiple times between the creation of the update configuration and scheduled time of device update, the devices are updated to the latest firmware release.

Update AP Firmware

You can update the firmware on the AP to the latest or any previously released version. The AP automatically reboots after the firmware update is complete.

Perform the following tasks to update the firmware of an AP:

Go to MONITOR > WiFi > Access Points.
Click the Options icon (three vertical dots) or right-click on the name of the AP and select Update Firmware.
Select the required firmware version from the Version drop-down list.
Click Update.

Update Firmware for Multiple Access Points

You can update the firmware for multiple APs at the same time.

To update the firmware for multiple APs, perform the following steps:

Go to MONITOR > WiFi > Access Points.
Select the required APs, click the Options icon (three vertical dots) and click Update Firmware. Update Firmware page is displayed as follows:
- The model names of the selected APs.
- Number of access points selected for each device model.
- Version, drop-down list that contains the available firmware versions for each device model.
Select the required version number per AP model, from the Version drop-down list.
Click Update to update the firmware.

Schedule Firmware Update of a Single AP

Follow these steps to create a recurring or one-time schedule to update the AP firmare:

Go to MONITOR > WiFi > Access Points.
Right click the AP and select Update Firmware.
Select the version from the right panel.

Schedule Firmware Update of Multiple Access Points

Follow these steps to create a recurring or one-time schedule to update the AP firmare:

Go to MONITOR > WiFi > Access Points.
Click Update under Firmware Settings icon.

Provide the schedule for update in the Firmware Update Settings right panel.

The following table provides additional information for some of the options the Firmware Update Settings panel:

Table 1.
UI Option	Description
Apply Update Settings Recursively to Subfolders	Applies the update settings to the selected folder location and also to all its subfolders, if any.
Hitless Update	Updates access points with minimum impact to Wi-Fi clients. In certain situations, when the selected AP is the only AP on the floor and there are no APs around for clients to connect, then the Wi-Fi will be impacted.
Update Window	Defines the duration for the firmware update. For example, if the Start Time is 1 hour 15 minutes and the Update Window is 20 hours 30 minutes, then the update will begin at 1:15 AM and end at 9:45 PM. Firmware updates are not initiated after the expiry of the Update Window. However, ongoing updates during the Update Window can continue even after the Update Window expires.

The Scheduled state is indicated by an orange calendar icon in the Update column under Monitor > WiFi > Access Points. You can also see which APs are scheduled for a firmware update by clicking on the AP icon of the W-iFi Network Counters as shown in the following figure.

Cancel Firmware Update

You can cancel the firmware update for an AP. When an update is initiated for an Arista AP, the AP is initially in Active state and changes to Inactive state after a while. You can cancel the update only until the Arista AP is in Active state. Once the device is in Inactive state, you cannot cancel the firmware update.

Perform the following tasks to cancel firmware update:

Go to MONITOR > WiFi > Access Points.
Right-click the AP for which you want to cancel the firmware update and select Cancel Update.
Click Yes to cancel the update.

Configure Firmware Version Compliance

Organizations may have multiple access points (APs) of different models operating with various firmware versions. As an organization, you may want to designate a specific version as a compliant firmware version for a certain model. Assigning a compliant firmware version helps network administrators identify non-compliant AP models by generating notification alerts.

Firmware Version Compliance is a location-based setting and is applicable for all access points placed at the location.

Note:Configure the firmware version compliance before you update the AP firmware version.

Assign a Compliant Firmware Version

Follow these steps to assign a firmware version as the compliant version across the organization:

Select MONITOR > WiFi > Access Points
Select Firmware Settings > Version Compliance.
Select the Compliant Version checkbox.
Select one of the two options:
- Latest Version for all Models: Indicates that the latest firmware version is the compliant version across your organization. CV-CUE will raise an alert if any AP model doesn’t have the latest firmware version.
- Customize: Specify the AP model number and the firmware version you want to standardize across your organization. After you have made the selection, if any AP doesn’t have the compliant version, CV-CUE will raise an alert.
Save the settings.

Configure Alerts

The compliant firmware detection alert notifies you whenever CV-CUE detects non-compliant firmware. To configure alerts for compliant firmware, go to CONFIGURE > Alerts > Device and select Access Point with non-compliant firmware version detected.For more information on this alert, refer to Configure System Alerts

Access Point Web Shell

Web Shell is an online interface to remotely log into an access point (AP) via SSH. An administrator or a superuser can open Web Shell for a specific AP from CV-CUE. Web Shell is helpful to troubleshoot AP issues, especially if an AP is behind a NAT. The URL for the Web Shell is specific to an AP. You can bookmark the URL to open a shell session to the AP directly instead of opening the shell session from CV-CUE.

Depending on the limit defined in the config parameter, you can open concurrent Web Shell sessions to an AP. Web Shell is unavailable for inactive APs.

Note: If the AP is overburdened with data-heavy operations, then there could be a delay with an ongoing Web Shell session or a new Web Shell may not open. For example, if you are already performing a task in the Web Shell, and then you start some data-heavy operations such as packet capture, generate debug logs, or live client troubleshooting, you would see a latency in the Web Shell. If you are performing live client debugging (or similar other data-heavy operations), and then you try to open the Web Shell, you may receive an error and the Web Shell may not open.

For the list of APs supporting Web Shell, see the Access Point Feature Matrix article.

You can open an AP web shell from:

MONITOR > WiFi > Access Points
MONITOR > WIPS > Managed WiFi Devices
Floor Plan

Open Access Point Web Shell

You can open the Access Point (AP) web shell from CV-CUE for an individual AP and perform basic operations using CLI commands.

To open the AP Web Shell:

Got to MONITOR > WiFi > Access Points .
Right click the AP and go to Troubleshoot > Open Web Shell .
Web Shell opens in a new tab.
Enter the root credentials and log in to the web shell.
You can now type your AP-CLI commands.

To terminate the session, close the browser.

Custom Certificates for Access Points

Manage custom certificates and CA certificates for access points from a central location.

Access points (AP) can authenticate themselves to the network using respective certificates. With AP VPN, an AP uses the EAP-TLS protocol for authentication. Since EAP-TLS requires the client and network to authenticate themselves using respective certificates, the protocol is considered robust compared to exchanging shared secret and Xauth password. Therefore, the AP VPN solution requires the AP to use a unique certificate per AP or per tunnel. APs can use the default certificate or a custom certificate for the authentication.

Caveats

Note the following points before you create certificates:

You can upload the Device and CA certificate in the PEM encoded format.
You can upload a certificate with a maximum of five CA chain length.
You need to upload the device certificate and root CA chain separately at two different places.
When you regenerate a CSR, the existing certificates on the APs are not deleted until the new signed certificates are installed on the AP.
When you regenerate a CSR, the existing certificates on the APs are not deleted until the new signed certificates are installed on the AP.

Certificate Flow Overview

High level process flow for managing certificates.

Here’s a high level process flow on how you manage certificates in CV-CUE:

Generate CSR.
1. Create a new tag and assign it to a CSR from the global certificate menu. Note that you cannot a create a new tag for an individual AP.
2. Use an existing tag to generate a CSR. You can use an existing tag for an individul AP or for all APs.
Download the generated CSR and get it signed manually/offline.
Upload Device Certificate.
Upload CA Certificates.

Certificate Actions and Tags

Describes different actions available for certificates from the global toolbar as well as per AP.

You can take actions related to certificates for each AP or for all the APs seen in the Monitor > Access Points tab. When you use the global menu to perform your certificate-related actions, it applies to all APs in that location. For individual APs, you can perform the certificate actions from the three-dot menu per AP.

The following image shows the certificate actions from the toolbar:

Figure 4. Certificate actions from the global toolbar

The following image shows the certificate actions per AP:

Certificate Tags

Each certificate must have a tag associated with it. Typically, you assign tags for a specific function or you could keep a generic tag and use it for all purposes. For example, you could use a tag named IPsec and assign it to all the APs that use the IPsec protocol. You can also use a tag named Generic and use it for all purposes. This makes handling of certificates easier through tags. Note that after you update the certificate, you still need to manually upload the new certificates to APs.

When you manage certificates for the first time, you do not have any predefined tags. In such cases, you have to create a tag first and then generate a CSR.

You can create a new tag from the global certificate actions only. You cannot create a new tag for an individual AP.

When you generate a CSR for a single AP, you can only assign pre-created tags.

CSR Configuration

Configure CSR properties for access points.

CSR Configuration allows you to configure CSR properties for your AP. This is a location-based configuration.

To configure CSR for your AP:

Go to MONITOR > WiFi > Access Points
Click the Certificate Action button from the global toolbar and click CSR Configuration.
In the rght panel, provide the values for each field.

Figure 7. CSR configuration
Save the configuration.

Generate CSR

Generate CSR for your access points.

You can generate CSR for individual APs or all the APs at the selected location. When you generate CSR for all the APs, you can create a new tag and assign it to the CSR. However, if you generate a CSR for an individual AP, you cannot create a new tag. You have to use an existing tag.

To generate CSR for all the APs at a specific location:

Go to MONITOR > WiFi > Access Points .
Click the Certificate Action button and click Generate CSR.
Assign a new tag or use any existing tags if you have.

Figure 8. Add new tag and generate CSR
Click Generate.

Manage Certificates

Manage certificates for each access point.

You can see all the certificates for a location from the Manage Certificates page. It is a per-AP feature. Right-click an AP, then click Certificate > Manage Certificates . You can view the current status of certificates based on the tags. Refresh the page to get the latest certificate status.

For each certificate tag, you can perform the forllowing actions:

Generate CSR
Download CSR
Upload Device Certificate
Delete Certificate
Repush Certificate

The Last User Action Status column shows the latest action performed by the user. For example, if you regenerate the certificate, this column shows the status of your action. The Certificate Status on AP column shows whether the AP already has a certificate or if it’s in the process of obtaining a certificate.

The actions on the Manage Certificate page are already associated with a tag. Therefore, you do not have to provide a new tag when you perform any action from this page.

Upload Device Certificate

Upload device certificate for one or all access points.

After the certificates are signed by the signing authority, you can upload the device certificate either from the global toolbar or individually for each AP. You must upload the device certificate first before uploading the CA certificates.

To upload the device certificate for each AP:

Go to MONITOR > WiFi > Access Points .
Select the APs for which you want to upload the signed certificates.
Click the three-dot menu and click Certificate > Upload .

Figure 10. Upload certificate for a single access point
Select the certificate tag and click Upload.

Upload CA Certificate

Upload CA certificate in Advanced Settings.

You can upload the CA certificates from the global settings and the CA certificates get automatically applied to the respective APs that have the device certificate installed.

To upload CA certificates:

Go to SYSTEM > Advanced Settings > CA Certificate .
Click Upload CA Certificate.

Figure 11. Upload CA certificate
Select the certificate or the certificate chain zip file from your local drive.
(Optional) Select a certificate and click the three-dot menu icon to Delete or Download the CA certificate.
(Optional) Click the certificate to view the certificate details in the right panel.

Note that the default certificate is grayed out and you cannot delete it.

Delete Certificate

When you delete a certificate, the tag is also deleted from the AP. When you delete certificates from an AP, you delete both the device certificate and CA certificates associated with the respective tag.

To delete certificates from an AP:

Go to MONITOR > WiFi > Access Points .
Select the APs for which you want to delete the certificates.
Click the three-dot menu and click Certificate > Delete .

However, if you want to update a certificate and not delete it, you can use the Upload option and it will update the certificate.

Repush Certificate

Repush a certificate to reupload an existing but corrupt certificate.

When you repush a certificate, the server tries to reupload the device and CA certificates to the AP. Use this option when the AP malfunctions and stops associating with the installed certificates.

When you initiate the Repush action, the server automatically identifies the certificate that was previously available and tries to reinstall the certificate. Note that when you delete a certificate from an AP, the Repush action will not be effective to reinstall the certificate. You need to manually reupload certificates then.

Radios

The Radios tab under MONITOR tab has Access Radio Grid and Multifunctional Radio Grid.

Access Radio Grid

Access Radio Grid contains a list of all the radios operating on 2.4 GHz, 5 GHz, and 6 GHz bands. It displays a list of clients that are recently associated to the selected Radio. The recent associations are either those that happened in the last 4 hours or the latest 100 clients. This is the total number of associations in the system and not per device.

The Radios tab displays the following information about radios:


Field	Description
Status	Indicates whether the radio is on or off.
Access Point Name	Name of the AP.
Channel Width	Displays the width of the operating channel of the radio such as 80 MHz or 40 MHz.
MAC Address	Unique 48-bit address of the AP.
IP Address	Displays the IP address.
Device Template	Indicates the device template applied to the device.
Channel	Displays the Channel number on which the AP radio operates.
Clients	Displays the number of clients connected to the radio.
Tx. Power(dBm)	Indicates the transmission power.
Frequency	Indicates the frequency on which radio is operating.
RF Utilization (%)	Indicates the percentage of transmit and receive time on the radio.
Upstream Usage	Indicates upstream data usage.
Downstream Usage	Indicates downstream data usage.
Worst Client RSSI (dBm)	Displays the worst client signal strength.
Retry Rate (%)	Indicates the re-transmission rate in percentage.
Location	Displays the radio location.
Model	Displays the name of the device model.
Noise Floor (dBm)	Indicates the measure of the signal created from the sum of all the noise sources and unwanted signals within a measurement system.
Channel Width	Shows the width of the operating channel of the radio.
Radio MAC Address	Displays the MAC Address of the radio.

Multifunctional Radios

Multifunctional radios are radios present on Arista APs that do not broadcast SSIDS. Multifunctional radios can be used to perform actions such as Client Connectivity Tests (CCT), Packet Capture, Spectrum Analysis, etc.

To view Multifunction Radios, click Multifunction Radios from the Radios view drop-down menu.

The Multifunctional Radio grid displays the following information:

Table 2.
Field	Description
Status	Indicates whether the radio is on or off.
Access Point Name	Name of the AP on which the radio is present.
IP Address	Displays the IP address of the AP on which radio is present.
Location	Displays the location of the AP on which the radio is present.
Model	Displays the AP model of the connected radio.
Virtual Client MAC Address	Virtual MAC Address used by the radio to connect as a client to another AP while performing Client Connectivity Test.

Turn Radio On or Off

You can turn individual Access Point (AP) radios on or off. To understand the motivation for this, consider a floor where Wi-Fi APs with both 2.4GHz and 5GHz radios are deployed. Since the 2.4GHz signal propagates better than 5GHz and APs are often deployed to provide high 5GHz RSSI all over the floor, some areas on the floor end up having an “excess” of 2.4GHz signal, i.e., these areas get high RSSI signal from multiple 2.4GHz AP radios. This could cause interference in those areas because the 2.4GHz band has only three non-overlapping channels. You can then simply turn off the 2.4GHz radio for APs near these high 2.4GHz interference spots on the floor.

You can turn an AP radio on or off only if:

The AP is active and
The radio is not part of a mesh network.

The steps to turn a radio on or off are as follows:

Select the location of the AP whose radio you want to turn on or off.
Go to Monitor > WiFi > Radios.
Right-click on the radio and select Turn Radio Off or Turn Radio On.
Note:
- When you turn a radio off, all SSIDs on that radio are turned off. For uninterrupted Wi-Fi in the coverage area of an AP, make sure that at least one AP radio is on.
- Turning a radio on or off can take a few minutes; the radio appears in italics until its status has changed, after which the UI shows the updated status—on or off, as the case may be.
- A radio that has been turned off manually is not turned on automatically when its AP reboots or when an SSID of that AP is scheduled to be on.

Freeze and Unfreeze Transmit Power Control and Auto-Channel Selection

You can freeze the channel and transmit power in the Auto mode to operate a specific radio at a specific channel number and transmit power. You can perform this action per radio. To switch to other channels, unfreeze the settings and make your own channel and power selection, or enable the Auto mode to select the optimum channel and transmit power.

Note: You can freeze and unfreeze ACS and TPC only when you have enabled the Auto option. Both these options won’t work with the Manual mode.

Use Case

When you customize the Transmit Power and Channel Settings, and select the Auto mode, you let the access point decide and select the best channel and transmit power according to the current conditions. The AP reviews the channel and transmit power periodically and depending on the conditions, it may change the channel and power to best suit the existing conditions. For operational needs, you may want to freeze the channel and transmit power in the Auto mode. The Freeze ACS and Freeze TPC options let you easily achieve this result.

To Freeze orUnfreeze Transmit Power Control and Auto-Channel Selection:

Navigate to MONITOR > WiFi > Radios
Select the radio of the access point and click the three-dot menu to open the context menu.
Select Freeze ACS or Freeze TPC.
Click Confirm in the confirmation dialog box.

To unfreeze TPC and ACS, right-click the radio and select the Unfreeze ACS or Unfreeze TPC options.

To verify whether the access points have the channels and transmit power frozen, go to the MONITOR > WiFi > Radios page and check the status on the Transmit Power Mode column.

On-Demand Transmit Power Control and Auto-Channel Selection

You can trigger the Auto-Channel Selection (ACS) Mode and Transmit Power Control (TPC) Mode for a radio on demand. In ACS Mode, the Access Point (AP) scans the network to select the best channel. In Auto-TPC Mode, the AP automatically adjusts its transmit power to minimize interference with neighboring Arista APs.

You can trigger ACS and TPC only when you have enabled the Auto option. Both these options do not work in the Manual mode.

Note: Trigger ACS and Trigger TPC work even if ACS or TPC is in freeze mode.

Use Case

When you customize the Transmit Power and Channel Settings, and select the Auto mode, the access point decides and selects the best channel and transmit power according to the current conditions. When you are facing high interference in your network, Triggering ACS and TPC allows the AP to review the channel and transmit power and change the channel and power to best suit the existing network conditions. Network administrators can use this functionality to switch to the best conditions without changing network configurations.

To Trigger ACS or TPC:

Navigate to MONITOR > WiFi > Radios
Select the radio of the access point and click the three-dot menu to open the context menu.
Select Trigger ACS or Trigger TPC.
Click Confirm in the confirmation dialog box.

To verify whether the access points have the ACS and TPC triggered, go to TROUBLESHOOT > EVENT LOGS.

Active SSIDs

The Active SSIDs page displays a list of active SSID profiles.

Go to MONITOR > WiFi > Active SSIDs to view the Active SSIDs page.

The Active SSIDs page displays the following information:


Field	Description
SSID	Name of the SSID profile.
Security	The mode of security used.
Authentication	The authentication method used.
2.4Ghz Clients	The number of clients connected on the 2.4 GHz frequency.
5 GHz Clients	The number of clients connected on the 5 GHz frequency.
6 GHz Clients	The number of clients connected on the 6 GHz frequency.
2.4 GHz Radios	The number of 2.4 GHz radios on which the SSID is being broadcasted.
5 GHz Radios	The number of 5 GHz radios on which the SSID is being broadcasted.
6 GHz Radios	The number of 6 GHz radios on which the SSID is being broadcasted.
Uplink Data	The uplink data usage.
Downlink Data	The downlink data usage.

Application Visibility

Application information page provides detailed monitoring information for an application selected from the Application Visibility tab. It displays a list of top 10 clients using the selected application and a line graph plotting the usage of the selected application over a period of time.

The name of the selected application is displayed on the top-left of the page. You can select another application from the drop-down list.

The application information page displays the following information:

Baseline - Clients Affected
Baseline - % Poor Application Experience
Application Traffic: It displays the usage of data of the selected application, over a period of time. Refer Application Traffic section for more information.
Application Traffic - Clients
Application Traffic - Sessions
Application Traffic - Quality of Experience
Clients Using This Application: It displays a list of the top 10 clients with highest data usage for the selected application along with the detailed information of the client like Username, MAC address, IP address, Recently Associated SSID and so on. Refer Clients Using This Application section for more details.

Monitoring an Application

You can monitor an application, from the list of applications that are displayed in the Application Visibility tab.

To Monitor an application, perform the following tasks:

Go to MONITOR > WiFi > Application Visibility.
Click on the name of the application that you want to monitor. A page providing detailed application information is displayed as follows:
- Top 10 clients using the selected application. Refer to Clients with Most Application Traffic for more details.
- Application Data Usage Over Time. Refer to Application Traffic for more information.

Application Traffic

Application Data Usage Over Time widget displays the usage of data of the selected application, over a period of time. The data is displayed for clients using the selected application, on the selected folder or floor.

You can view or retrieve data using the three filters SSID, Frequency Filter and Time Filter. To know more about these filters refer Filters on Widgets. Use Start Live button for live data.

The graph is plotted at a time interval of 15 minutes. If its live data it is plotted every 3 seconds. If you hover the mouse over the graph, you can get a quick view of the timestamp and the data consumption by the selected application, at the given time.

Visible Clients with Most Application Traffic

The Visible Clients with Most Application Traffic widget displays a list of the visible clients with highest usage of the selected application along with the detailed information of the client. The number on the top left corner indicates the total number of clients with the most traffic.

The widget has a provision to view or retrieve data using the filters. To know more about these filters refer Filters on Widgets.

You can modify the view of the table by using the set of tools provided in the top-right corner of the widget. You can sort the data in an ascending or descending order by clicking on the Name column.

Automated Root Cause Analysis

CV-CUE eliminates the need to manually troubleshoot some commonly occuring network issues. Its powerful Root Cause Analysis (RCA) engine identifies the root causes of network issues for a single client or total clients, and recommends solutions to those problems.

The RCA engine can diagnose and recommend solutions for the following symptoms:

Low RSSI
Low data rate
High retry

Note that root cause analysis is not supported for sticky clients.

The RCA engine analyzes the following causes to display the matching symptoms:

Poor Coverage
Low RSSI
Low SNR
High Interference
Low Data Rate
High Retry Rate
High Contention (BSSID/Clients)
Sticky Clients
Client does not support the latest 2.4 GHz, 5 GHz, or 6 GHz protocol
Band Issues such as client does not support the 5 GHz band, 5 GHz capable client is operating in 2.4 GHz band, No 5 GHz SSID for 5 GHz capable client

The RCA engine finds the root cause of a failure based on the following parameters:

Symptoms and the number of clients that are showing the symptoms at a location.
The domain knowledge determines the reason because of which an issue has occurred. For example, frequency band issues, too many clients with high uplink traffic, poor coverage, etc. are potential reasons for an issue.
The system knowledge informs you about the Wi-Fi configuration settings that might have caused the issue. For example: is transmit power set to "Auto"?, is Dynamic Channel Selection enabled?

Note: The RCA engine provides recommendations for some specific root cause types only. There is no recommendation available if the root cause is based on location, SSID, vendor name, OS, or AP.

Root Cause Analysis for a Single Client Vs Total Clients

CV-CUE performs root cause analysis on single clients as well as on the total number of clients facing problems.

For single clients, you do not have to run the Inference Engine. You can view the recommendations from MONITOR > WiFi > Clients .

For total clients, you have to run the Inference Engine in the Client Health widget and the root cause analysis runs based on the locations. You run it from Dashboard > Performance > Client Health > Total Affected.

Looking for Root Causes

The intelligent view is available for performance issues specific to Client Health widget. The generated view expires after an interval of 60 minutes.

Follow the steps below to generate the intelligent view:

Go to DASHBOARD > Performance > Client Health.
Select a parameter (Low RSSI,Low Data Rate, High Retry) that you want to analyze. For example, let us consider "Low Data Rate".
Click on the value showing the total number of clients facing low data rate.
Click Should I look for root causes? This will start the root cause analysis in the background. You can continue navigating to other parts of CV-CUE while it is generating the intelligent view.

After the background process is completed, a message containing the number of clients for whom the root cause analysis is done appears next to the robot icon . Also, an "Ongoing activity" message box linking to the result of the root cause analysis appears in the lower-right corner of the screen .The link contains the number of clients for which the root cause was found. For example- "Found root causes for 10 out of 20 clients."
Click Should I look for root causes? Or click on the link in the Outgoing Activitymessage box to view the result of the root cause analysis.

The RCA Engine displays the results of the analysis at one glance.
Click a location to view the list of affected clients.
To view recommendations, click the bulb icon next to the root cause.
To go back to the normal view, first close the recommendation panel.

Perform Root Cause Analysis for a Single Client

When you open the details of a single client, you see the symptoms faced by the client and reason for the issue. Inference Engine automatically does all the calculations in the background and displays the symptoms as well as the probable solution. If there are no issues with the client, then you see a confirmation message.

Click MONITOR > WiFi > Clients.
Click the client name from the list.
If the client is facing any issue, you will see the symptom and the reason below the client details.
To view recommendations for the symptom, click the How do I fix this icon (bulb icon) next to the root cause.

Monitor Wired Devices

You can access the switch listing page from MONITOR > Wired .

The Wired page displays the list of discovered switches, managed switches, and hosts. There is no separate configuration needed to display the list of switches. APs collect and analyze the Link Layer Discovery Protocol (LLDP) packets to obtain switch information. The data is then displayed on the UI.

You can also view the switch information from the global counter. The switch counter shows the number of active switches, inactive switches, and discovered switches depending on the selected location. For a parent location, the counter would show the total count of active switches available in the parent and its child location.

Note: This is a Beta feature.

This chapter contains the following topics:

Discovered Switches
Managed Switches
Hosts
Onboard Switches
Configure Switches
VXLAN Endpoints

Discovered Switches

Discovered Switches are switches discovered by Arista’s Managed APs.

The Discovered Switch listing page displays the vendor name, number of APs managed by that switch, the AP distribution, and the number of connected WiFi clients. The Access Point Distribution column has a link to view all the APs connected to the switch. Since the APs are tied to the location hierarchy, if you do not have access to a particular location, you may not see the APs managed by the switch.

The following image shows the AP distribution in the right panel on clicking the View Details link:

In the AP Distribution view, you can filter the APs by location, PoE type, or link speed.

The categories for PoE Type are PoE, PoE+, andPoE++.
The categories for link speed are 10Gbps, 5Gbps, 2.5Gbps, 1Gbps, 100Mbps, and 10Mbps.

Managed Switches

The Managed Switches listing shows all the managed switches deployed in your network. You will see the Manged Switches tab if you have enabled CVaaS.

CV-CUE displays the switch details for the following switch models — 710P, 720XP, 720D, and 722XP. It contains information about the switch such as Software Version, MAC Address, Location, Status, Total Ports, Available Ports, Available PoE Power, etc.

Note: Managed Switches features are available for cloud deployments only. They are not available for on-premises deployments.

You can perform the following operations on Managed switches:

Move: Move to switch to a different location.
Rename: Rename the switch.
Decommission : You can decommission a switch and remove it from CV-CUE. Once you decommission a switch, it is deleted from CV-CUE and you need to onboard the switch again.
Reboot: Reboot the switch.

Switch Details

Click the switch name to view complete details of the switch. Switch details contain Switch Summary, Switch Properties and Switch Layout, Switch Topology. Hover over a port in the Switch layout to view its status. You can also click a particular port to view more details about the port. To go back to summary, click the Switch Summary icon.

The following image shows the switch details page:

Hosts

Host tabs contain information about devices connected to switches.

Onboard Switches

You can onboard switches manually or use Arista’s Zero Touch Provisioning (ZTP) to onboard your switches to CV-CUE.

Onboarding Switches using ZTP

You can use ZTP to onboard a switch without user intervention. ZTP leverages the power of Arista’s Extensible Operating System (EOS) to onboard switches.

Prerequisites:

DHCP Server: Switch should be able to reach arista.io by obtaining valid IP settings from a DHCP server.
EOS Version: The device should be running EOS version 4.25.5 or 4.26.1 or newer.

You can enable ZTP using a custom bootstrap script and use a DHCP server option to point to that bootstrap script.

To enable ZTP using a bootstrap script:

Log in to the CV-CUE and generate a token from System > Advanced Settings > Switch Onboarding and click Generate.
Prepare a bootstrap script and host it on an HTTP server. You can get asample script fromhttps://github.com/aristanetworks/cloudvision-ztpaas-utils.

Provide the updated token information and other information in the bootstrap script.

############## USER INPUT #############
cvAddr = "www.cv-staging.corp.arista.io"
enrollment_token = "eyJhbGciOiJSUzI1Nixxx..."
############## USER INPUT #############
Note: If the device is behind a non-transparent proxy, use the following cvproxy option:
# Add proxy url if device is behind proxy server, leave it as an empty string otherwise
cvproxy = ""
Note: You can start an HTTP server using python (python3 -m http.server 8000 &),
and host the bootstrap.py file, and then point the DHCP server to download from this server location.

Host the script on a TFTP server locally and direct the DHCP server to point to the bootstrap script via option-67/bootfile-name option:

For example:
subnet 10.10.1.1 netmask 255.255.255.0 {
range 10.10.1.1 10.10.1.253;
option domain-name "dev.aristanetworks.com";
option routers 10.10.1.250;
option domain-name-servers 10.10.1.5;
option ntp-servers time.google.com;
host leaf-1A {
hardware ethernet fc:bd:67:aa:22:33;
fixed-address 10.10.1.180;
option host-name "leaf-1A";
option bootfile-name "http://10.10.1.10:8000/bootstrap.py";
}

Note: Make sure the ntp-servers option is set in your DHCP configuration.

Boot up the switch into ZTP provisioning mode.

The onboarding process begins and the successfully onboarded switches are displayed under Monitor > Wired > Managed Switches tab.

Note: You can use the same bootstrap script and token to onboard multiple switches. Ensure that the token has not expired before proceeding.

Onboarding Switches Manually

You can onboard switches manually to CV-CUE. The onboarded switches show up as Managed Switches in CV-CUE.

To onboard switches manually:

Go to SYSTEM > Advanced Settings.
Click Switch Onboarding.
Follow the instructions shown.

Note: You can use the same token to onboard multiple switches in one go.

Onboarded switches are available under Monitor > Wired > Managed Switches tab.All the managed switches when first identified are deployed in the staging environment.

Configure Switches

To configure an onboarded switch, perform the following steps:

Create Network Profiles
Create Switch Profiles
Apply Switch Profile to a Switch
Configure Device Settings

Create Network Profiles

To configure a switch, you need to create the following network profiles:

Port Profile
ACL Profile
DHCP Profile
VLAN Profile

You can create network profiles by navigating to CONFIGURE > Network Profiles.

Port Profile

With Port Profile, you can configure all the settings of a switch port.

To create a Port Profile:

Go to Configure > Network Profiles > Port.
Click Add Switch Port Profile.
Provide the port profile name and description.
Select Enable PoE and select the power mode.
Select the Port Mode. You can select:
- Access Mode: Provide the access VLAN.
- Trunk Mode: Trunk mode allows you to connect multiple VLANs. Provide the Native VLANs and Allowed VLANS.
- Phone Mode: Phone mode allows you to connect a phone. Along with Native VLAN and Allowed VLANs, provide the Phone VLAN. You can also set the phone traffic as tagged or untagged.
Select the MTU Settings.
Enable Port Security to define the maximum number of MAC Addresses. You can also select the action to take if the MAC Addresses exceed the allowed value.
Click Add Port ACL to add and define ACL Profile for this port.
Select 802.1X Settings to apply RADIUS Group Configuration to this port.
Click Save.

ACL Profile

Access Control List (ACL) Profile allows you to define rules that control the traffic flow to and from the switch.

To create an ACL Profile:

Go to CONFIGURE > Network Profiles > ACL.
Click Add ACL Profile.
Select the ACL Type:
- Standard
- Extended: Along with the source and destination address, you can provide the protocol as well.
- MAC
Select either IPv4 or IPv6 as ACL Version.
Select either Permit or Deny for the Explicit Rule. An explicit rule is applied if none of your defined ACL rules are applicable.
Provide the ACL Rules. For example, permit host 1.1.1.1
You can also check the rule syntax.
Click Save.

DHCP Profile

WithDHCP Profile, you can configure DHCP server for a particular VLAN on the switch.

To create DHCP Profile:

Go to CONFIGURE > Network Profiles > DHCP.
Click Add DHCP Profile.
Provide the Profile Name, Subnet, and Default Gateway of the DHCP server. The IPv4 address for the subnet has to be in the CIDR notation. For example, 192.168.100.1/24.
Provide the DHCP Range and define the Lease Time.
Provide the Primary DNS and Secondary DNS.
Click Save.

VLAN Profile

With VLAN Profile, you can configure VLAN and virtual interface. One VLAN profile corresponds to one VLAN.

To create a VLAN Profile:

Go to CONFIGURE > Network Profiles > VLAN.
Click Add VLAN Profile.
Provide the Profile Name, VLAN ID, and VLAN Name.
Select SVI to enable the virtual interface.
Provide the following details for SVI:
- IP Address Type
- IP Address
- IP Helper
- ACL Profile
- DHCP Profile
Click Save.

Create Switch Profiles

Switch profile consists of switch configuration, RADIUS server settings, mapping switch ports to port profile, and SNMP server details.

To create a switch profile:

Navigate to CONFIGURE > Wired > Switch Profiles
Click Add Switch Profile.
Provide the switch name.
Select Enable LLDP and Enable STP.
Select the VLAN Profile.
Select Enable RADIUS Server Group to enable RADIUS server. Select the source interface to use to communicate with the RADIUS server and provide the interface number.
Specify the 802.1X Settings. You can also specify the Unresposnvie VLAN to use if the RADIUS server is unresponsive.
Select the ACL Profile.
Select Enable IGMP Snooping and select the IGMP version.
Provide Static Route Configuration. Static routes are typically used when dynamic protocols are unable to establish routes to a specified destination prefix. Static routes are also useful when dynamic routing protocols are not available or appropriate.
Select DHCP Relay and provide the DHCP server IP address.
Click + under the Mapping Switch Ports to Port Profile section.
Provide port ranges and select the port profile to apply to that entire port range. Ensure that port values do not overlap. A port can have only one port profile mapped to it.
Note:
Provide the same port value number in the From and To field to map a port profile to a single port.
Click + under SNMP Servers to send information to the SNMP server using SNMP Traps.
Click Save.

Apply Switch Profile to a Switch

Once you have defined the switch configurations in a switch profile, you can apply those configurations to individual switches.

Note:

You can apply only one switch profile per switch.

To apply a switch profile to a switch:

Navigate to CONFIGURE > Wired > Switch Profiles.
Select the profile to apply and click Apply.
The switch pane opens and displays all the available switches. Switches that already have this profile are preselected. You can uncheck the selection to remove the profile from those switches. Select the switches that you want to apply the profile to and click Next.
Verify the switches where the profile will be applied. If you have unchecked a switch in the previous pane, confirm that the switch doesn’t appear here. Click Apply.
The switch profile card shows the total number of switches using the particular profile.

You can verify that the profile is applied to the switch by checking the Config Application Status column in the MONITOR > Wired . Once the profile is applied to a switch and the configuration is applied successfully, the value on the Config Application Status column changes to Success.

Configure Device Settings

Under CONFIGURE > Device > Switches, , you can configure general switch-related settings such as NTP Server, Syslog Server, and security-related settings such as User Access Levels.

Note: By default, Device Settings applied to a location are automatically inherited by its child locations.

Switch device settings are divided into two tabs:

General
Security

General Switch Settings

To configure general switch settings:

Navigate to CONFIGURE > Device > Switches.
Under the General tab, provide the following details:
- NTP - Provide details of the NTP server to ensure that the timestamp on the logs reflects the correct date and time by synchronizing the Arista device system clock with an NTP server.
- Syslog - Provide details of the Syslog server to send messages and alerts to the Syslog server.
- DNS - Provide details of the DNS server to fetch the DNS information.
- Login Banner - Provide a text message to display on the switch CLI.
Click Save.

Security Settings

Under Switches > Security tab, you can define Local Users to enable your users to access the switch CLI. Along with the user credentials, you can define the user role and their privilege level.

VXLAN Endpoints

VXLAN tunneling requires that the switch where the tunnel terminates is configured with a VTEP that matches the configuration on the AP.By having the same VXLAN configuration for APs and switches, you can aggregate all wireless traffic from the same VXLAN to a single wired destination for better traffic management and visibility.

To configure the switches from CV-CUE, the first step is to import the switches to the VXLAN Endpoints tab. You can import one switch at a time and up to a maximum of 10 switches to CV-CUE. Only those switches that you import, get listed in the VXLAN Profile.

Follow these steps to import the switches:

Go to MONITOR > Wired > VXLAN Endpoints .
Click Import VXLAN Switch.
Provide the Management IP address of the switch or the name of the switch and click Import.

The switches are immediately imported to the VXLAN Endpoints tab.

Once imported, you can delete the switch listing from the page, rename switches, and reboot switches. You can rename and reboot active switches.

Configure Wi-Fi

CV-CUE provides a convenient way to configure your Wi-Fi network via the Configure tab.

All configuration in CV-CUE is done at the location level. So, when you create an SSID or enable Smart Steering, you do this for a location. This is because most configuration parameters are relevant to a location rather than a particular device. For example, all devices in an office are likely to broadcast the same SSID's.

Note: By default, configurations at a location are automatically inherited by its child locations. For example, suppose there is an HQ location with two child locations: Branch 1 and Branch 2. Then a configuration applied to HQ automatically applies to Branch 1 and Branch 2. You can, however, customize the configuration of a child location so that it is different from that of its parent.

The Configure tab allows you to configure the following:

Service Impact of Configuration Changes

CV-CUE warns a user of any service impact caused by settings changed on the UI. In general, the configuration changes affect the Wi-Fi service as follows:

Changes to SSID settings cause the SSID to restart.
Changes to RADIUS profiles, Role Profiles, and Tunnel Interfaces cause SSIDs using these profiles to restart.
Changes to Device and Radio Settings can cause either SSIDs using these settings to restart or Access Points (APs) using these settings to reboot.

Exceptions to the general rule exist—settings that do not cause any service interruptions. The table below is a tab-wise list of the impact that each setting change has on the Wi-Fi service.


Tab and Action	Settings	Impact of Setting Change
SSID	Client Isolation Hide SSID SSID Profile Name	No impact.
SSID	Any other setting	SSID restarts.
Role Profile	Profile Name	No impact.
Role Profile	Any other setting	SSIDs using these settings restart.
Tunnel Interface	Profile Name	No impact.
Tunnel Interface	Any other setting	SSIDs using these settings restart.
RADIUS Profile	Profile Name	No impact.
RADIUS Profile	Any other setting	SSIDs using these settings restart.
Radio Settings	Wi-Fi Regulatory Domain	APs using these settings reboot.
Radio Settings	Any other setting	SSIDs using these settings restart.
Device Settings	- Access Radio Exceptions - Scanning - Wi-Fi Scan Duration - Wi-Fi Access Duration - Inter-Access Point Sync for Client Steering - Inter AP Sync Period	SSIDs using these settings restart.
Device Settings	- SSID VLAN Monitoring - IPv4/IPv6 Dual Stack - Turn Access Points into Dedicated WIPS Sensors - Link Aggregation - Transmit Hash Policy	APs using these settings reboot.
Mesh Profile	Mesh Profile Enabled Mesh Profile Disabled	Mesh APs reboot. Note: When you edit an “enabled” mesh profile, mesh links are re-established, which may disrupt Wi-Fi service to clients.
Monitor > WiFi > Access Points > Customize VLANs	Any setting	AP reboots.
Monitor > WiFi > Access Points > Customize Transmit Power or Channel	Any setting	SSIDs on the AP restart.
Monitor > WiFi > Access Points > Assign/Reassign to Group OR Remove Access Points from Group Other screens from which you can change AP-group assignment: System > Navigator> Show Available Devices Floor Plan	The service impact depends on which settings at the current location change because of the operation.	APs or the SSIDs on these APs may restart.
Get Configuration from another folder/group.	The service impact depends on which settings at the current location change because of the operation.	APs or the SSIDs on these APs may restart.
Monitor > WiFi > Radios > Turn Off Radio	-	All SSIDs on the radio are turned off.
Customize or Inherit Configuration at a Location	The service impact depends on which settings at the current location change because of the operation.	APs or the SSIDs on these APs may restart.
Move AP to another location	The service impact depends on which settings at the current location change because of the operation.	APs or the SSIDs on these APs may restart.
Troubleshoot > Packet Trace	Enable or disable packet trace on an SSID.	SSIDs for which auto packet trace is enabled or disabled will restart.

Checkpoints

You can create checkpoints to save your current configurations, profiles and settings. Creating and restoring a checkpoint is possible for all configuration settings available in CV-CUE. You can create a checkpoint for location based configurations, group configurations, or global configurations. For all the configurable settings that are available for a network, you can create a checkpoint to save it.

A checkpoint is a snapshot of your current settings and configurations.You can use this checkpoint to view your configuration details, compare your current configurations with a previous instance, or to restore your configurations to a particular set of settings. In case of a network failure or performance degradation, you can restore a previously created checkpoint to go back to the previous working state.

Note: This is a Beta Feature.

This chapter contains the following topics:

Types of Checkpoints
Create Checkpoints
View Checkpoints
Compare Checkpoints
Restore Checkpoints

Types of Checkpoints

There are 3 kinds of checkpoints:

Location Checkpoint
Location checkpoint saves all your SSID configurations, network policies, device configurations, WIPS policies, Mesh profile, and other settings of the selected location.
Group Checkpoint
Group checkpoint captures the device configurations, custom device settings, and enabled SSID and Mesh profiles for a group.
Note:
Group checkpoint only captures which SSIDs and Mesh profiles have been enabled for the group, the actual SSIDs and Mesh profiles are not part of the checkpoint. Thus, restoring a group checkpoint restores the Enabled or Disabled state of SSIDs and Mesh profiles for that group. However, if the configuration of the SSID or Mesh profile was changed, the changed configurations are not restored.
Global Checkpoint
Global checkpoints save configurations for all locations and groups, along with global policies such as WIPS, Advanced Settings, and third-party server policies.

Create Checkpoints

The ability to create a checkpoint is available on the following UI screens:

Configure > WiFi
Configure > Device
Configure > Network Profile
Configure > WIPS
Configure > Alerts
System > Navigator
System > Third Party Server
System > WIPS
System > Logs
System > User Accounts

Create a Location or Group Checkpoint

The option to create a location or group checkpoint is available in all configuration options under the Configure menu.

To create a location or group checkpoint:

Select your location or group from the Navigator.
Go to Configure > WiFi or any Configure option.
Note: Note: You cannot create a location checkpoint at the root location.
Click Create Checkpoint from the three-dot more menu.
Provide a name and a brief description for the checkpoint and click Create.

Create a Global Checkpoint

The option to create global checkpoint is available in all screens available under the System menu. You can create a global checkpoint by clicking Create Global Checkpoint from the three-dot more menu.

You can also create a global checkpoint from any CONFIGURE screen by selecting the root location in the location tree.

Create Global Checkpoint in MSU Setup

For MSU setups, navigate to the parent server and click Create Checkpoints for all Servers to create checkpoints for the parent and all child servers simultaneously.

Note: For MSU setups, global checkpoints are server specific. You need to create a separate global checkpoint for each server.

View Checkpoints

Just like Create Checkpoint, the option to view your created checkpoints is available on all Configure screens in the three-dot more menu. Navigate to your location or group to view all the checkpoints available for that particular location or group. You can view your global checkpoints from any of the screens available under the System menu or by selecting the root location in the location tree.

You can perform the following actions on your created checkpoints:

Edit
Delete
Download - Displays a downloadable json file of your configuration details
Compare
Restore

Compare Checkpoints

You can compare two checkpoints to identify the delta in the configurations. To compare the checkpoints, select the two checkpoints to compare from the View Checkpoint table and click Compare.

A new tab displaying the differences in the JSON files of both the checkpoints opens.

You can also compare the checkpoint with your current configuration.

Restore Checkpoints

You can restore your configurations and settings to an earlier created checkpoint. When you restore a checkpoint, all the settings and configurations are changed to that of the saved checkpoint. If a location is inheriting a policy from its parent or is using an inherited profile, the checkpoint only captures the inheritance information and not the actual profile or policy. When you restore such a checkpoint, the policy is inherited again from the parent. If the inherited policy or profile is changed, the changed settings are not restored.

Non-restorable checkpoints

You cannot restore global checkpoints. Checkpoints also become non-restorable if any of the referenced configurations are deleted. For example, consider an SSID profile inherited by a child location. If you delete the SSID profile from the parent location, the checkpoint created on the child location becomes non-restorable.

You can use global and non-restorable checkpoints to perform view and compare operations.

SSID Settings

You can configure SSID settings on the Configure > WiFi > SSID tab.

The SSID tab shows all the SSIDs configured on your Wi-Fi network along with their key features. You can switch between a Card View, where the SSIDs and their key configurations are shown as cards, and a Table View that lists these items in a table. You can add and edit an SSID. You can also turn an SSID on or off. You can click on an SSID to configure it.

Note: By default, the configuration of a folder is automatically inherited by its child folders. For example, suppose there is an HQ folder with two child folders: Branch 1 and Branch 2. Then a configuration applied to HQ automatically applies to Branch 1 and Branch 2. You can, however, customize the configuration of a child folder so that it is different from that of its parent.

SSID Configuration Tabs

For each SSID, there are nine functional settings: Basic, Security, Network, Access Control, Analytics, Captive Portal, RF Optimization, SSID Scheduling, and Traffic Shaping and QoS.

Of these, the first three — Basic, Security, and Network — are essential to an SSID, i.e., you must configure these settings before you can save an SSID and turn it on. You can configure the remaining tabs if you need to, otherwise they assume default values.

You can add up to 8 SSIDs on the 2.4GHz band and up to 8 SSIDs on the 5GHz band in each folder.

Add New SSID

To add an SSID, go to CONFIGURE > WiFi > SSID, and click Add SSID. Enter the details in each tab sequentially. You must configure at least the Basic, Security, and Network tabs before you can save the SSID. To configure any of the other SSID tabs, click the three-dot menu next, which is typically next to the Network tab, and select the tab you want to configure.

This chapter contains the following topics:

SSID Basic Settings
SSID Security Settings
SSID Network Settings
SSID Access Control
SSID Analytics
SSID Captive Portal
SSID RF Optimization
SSID WiFi 7 Setting - Multi-Link Operation
SSID Traffic Shaping and QoS
Hotspot 2.0
SSID Scheduling
Managing SSID
Location Based VLAN Mapping
Customize SSID Attributes for Location-Specific Overrides

SSID Basic Settings

The Basic tab is the first of the three mandatory SSID tabs (Basic, Security and Network) that you must configure before you can save an SSID and turn it on.

Some of the fields in the Basic tab are self explanatory; the remaining fields are:

SSID Profile Name: Typically, this is the same as the SSID Name. It is primarily meant to distinguish between duplicate SSIDs. So, duplicate SSIDs at the same location have different profile names. For example, if you duplicate "ABC Corp" at the same location, then the new SSID name will be "ABC Corp" but its profile name will be "Copy of ABC Corp(1)". You can modify the profile name.
SSID Type: This could be a Public or a Guest SSID. If you select Guest, then on the UI you can see the Captive Portal tab next to the Network tab, since Guest SSIDs typically use captive portal logins.
Hide SSID: If you select this, the SSID will be hidden, i.e., it will not be broadcast on the wireless link.
Include AP Name in Beacon: Select this option to include the name of the access point (AP) in the beacon.

Configure SSID Basic Settings

The Basic tab is the first of the three SSID tabs (Basic, Security and Network) that you must configure before you can save an SSID and turn it ON.

Enter information on the following fields:

Enter the name you want to assign the SSID in Enter SSID Name.The Enter Profile Name field gets populated automatically with the SSID name, except if this is a duplicate SSID at the same location as the original.
Select if you want this to be a Private SSID or a Guest SSID.
Select Hide SSID if you do not want this SSID to be broadcast.
The next step depends on whether you are adding a new SSID or updating an existing one:
- If you are adding a new SSID, click Next to move to the Security tab.
- If you are updating an existing SSID, click Save or Save & Turn SSID On. In this case, an "SSID updated successfully" message appears.

SSID Security Settings

The Security tab is the second of the three SSID tabs (Basic, Security and Network) that you must configure before you can save an SSID and turn it on.

Select Security Level for Associations

The Security Level defines the authentication mechanisms for users of this SSID. The options are:

Open: Open means no security settings are to be applied. This is the default security setting.
Enhanced Open (OWE): OWE (Enhanced Open), as the name suggests, is an enhancement to open networks. It provides data security for open networks. Open SSID networks are widely used in coffee shops, shopping malls, airport lounges, and enterprise guest networks, and OWE offers data security to your clients with encrypted sessions.
WPA2: The WPA2 security protocol was created to fix the vulnerabilities of WPA and therefore it is more robust than WPA. It fully implements the IEEE 802.11i standard. You can use WPA2 with PSK (Pre-Shared Key), UPSK(Unique PSKs), Group PSKs, or 802.1x, i.e., RADIUS-based authentication.
WPA / WPA2 Mixed Mode: This stands for a mix of the WPA and WPA2 protocols. You can use WPA with PSK (Pre-Shared Key), UPSK(Unique PSKs), Group PSKs or 802.1x, i.e., RADIUS-based authentication.
WPA3: The WPA3 security protocol mitigates the vulnerabilities of WPA2. You can use WPA3 Personal or WPA3 Enterprise.
WPA3 Personal is typically meant for home users. Its robust password-based authentication and 128-bit data AES encryption provides stronger security and protection than WPA2. WPA3 Personal provides protection against attacks such as offline dictionary attacks that attempt to guess passwords. WPA3 Enterprise has an option to use 192-bit encryption and it is meant for enterprises and office networks where the need for data security and protection is higher.

Management Frame Protection is mandatory for both WPA3 Enterprise and WPA3 Personal.
WPA2/WPA3 Mixed Mode: This stands for a mix of WPA2 and WPA3 protocols. If your SSID operates in WPA2/WPA3 Mixed Mode, then WPA2-only clients can also connect with the same SSID along with WPA3-supported clients. In this mode, WPA3 clients use WPA3 Personal.
Note: 802.11w and 802.11r are supported in WPA2, WPA3, and WPA2/WPA3 Mixed Mode. WPA/WPA2 Mixed Mode does not support 802.11w and 802.11r.

RADIUS Settings

See 802.1X or RADIUS Settings for details.

Deny Locally-Administered MAC Addresses

You can prevent clients using locally-administered MAC addresses from accessing your network. You can ensure that only clients using their device’s globally unique MAC addresses are able to connect to the network. By making sure that only devices with globally unique MAC addresses connect to the network, you can mitigate potential security threats associated with spoofing or unauthorized access by having control over device identification.

802.11w

802.11w offers Management Frame Protection (MFP). MFP is an additional security mechanism that protects the De-authentication, Disassociation and Robust Action management frames and prevents some spoofing attacks. The Integrity Group Temporal Key (IGTK) is used to provide integrity check for multicast management action frames, while the Pairwise Transient Key (PTK) is used to encrypt and protect unicast management action frames. The Group Management Cipher Suite is the combination of security and encryption algorithms used to protect mangement frames. Arista uses the AES-128-CMAC algorithm, so that is what is selected by default.

Association frames are not protected as they need to be open for a client to establish an association with an AP. To make sure that a client Association Request is not spoofed, the AP sends a Security Association (SA) query to a client requesting association. A genuine client responds to the protected frames. The SA Query Max Timeout is the time, in seconds, for which the AP waits for a client to respond to an SA query. If the AP receives no response within this period, it ignores the client. Since clients that spoof Association Requests don't respond, the AP rejects them. The SA Query Retry Timeout is the time, in milliseconds, for which a client can request to associate with the AP after the SA Query max timeout.

Configure SSID Security Settings

The Security tab is the second of the three SSID tabs (Basic, Security and Network) that you must configure before you can save an SSID and turn it ON.

Steps to configure the SSID security settings are:

Go to the Security tab under CONFIGURE > WiFi > SSID.
Select Security Level for Associations for this SSID.
- If you select Open, there is nothing more you need to do for security. Click Next to move to the Network tab if you are adding a new SSID, or click Save or Save and Turn SSID On if you are updating an existing SSID.
- If you select OWE (Enhanced Open), there is nothing more you need to do for security. Click Next to move to the Network tab if you are adding a new SSID, or click Save or Save and Turn SSID On if you are updating an existing SSID.
- If you select WPA2, you need to select either PSK, UPSK, or 802.1X.
- If you selected WPA2 and PSK, Enter a Passphrase. You can also enable Group PSK. For information on Group PSKs, refer to Group PSKs.
- If you select WPA2 and 802.1X or WPA2 and UPSK, you need to enter the RADIUS Settings. RADIUS settings include:
  - The RADIUS servers you want to use as Authentication Server and Accounting Server. You can add up to four RADIUS servers. One is the primary server and the other three are fallback or additional servers. If the Primary server is not reachable, the AP tries to reach the second server defined on the UI. If the second RADIUS server is not reachable, then the AP tries to reach the third server and so on. The AP follows the same order of hierarchy for the additional RADIUS servers that you define on the UI.
    Note: If you have not yet defined a RADIUS profile to choose as your Authentication or Accounting server, you can do so by clicking Add / Edit. This opens a RADIUS Profile window on the right pane. You can create the RADIUS profile and return to security settings. See Configure RADIUS Profile for details.
  - Enable Send DHCP Options and HTTP User Agent if you want the AP to send client profiling attributes such as DHCP Options 12, 15, and 60, and HTTP User Agent to the RADIUS server in the RADIUS accounting packets.
  - The Called Station / NAS ID, IDs that the AP or a Network Access Server (NAS) send the RADIUS server.
    Note: No two SSIDs on the same AP should use the same NAS ID.
  - The Retry Parameters that control how often the AP attempts to authenticate with RADIUS.
  - Fast Handoff Support which saves clients some authentication time when the roam from one AP to another.
  - Dynamic VLANs to enable RADIUS-based assignment of VLANs. Select VLAN IDs and manually enter the RADIUS VLANs. Select Auto VLAN to dynamically assign VLANS to clients and send the VLAN to the access point (AP) when the client connects. For more information on creating dynamic VLANs from RADIUS server, refer to Create Dynamic VLANS from RADIUS Server.
  - Change of Authorization (CoA) to change a client's authorization. For example, you can use CoA to assign VLANs to a user or to assign roles to a user when implementing Role-Based Access Control.
    Note: For CoA, open Port 3799 on your firewall from the RADIUS server to the AP.
  - Enable Prefer Primary RADIUS Server if you want the authentication to fall back to the primary RADIUS server once it comes back up after a failover. This helps if, for example, your secondary RADIUS servers have lower capacity than the primary servers. Another example where this helps is when enterprises use two data centers, each one configured as the “secondary” of the other. You would then want the authentication to fall back to the primary or “home” data center RADIUS server once it comes back up.
    Once an AP detects a failover to the secondary RADIUS server, it waits for the Dead Time interval before falling back to the primary. This ensures that fallback does not happen too soon, allowing time for the primary server to stabilize if it had been flapping.
  - Select the type of Framed IPv6 Address that you want the RADIUS Accounting message to report to an authenticated Wi-Fi client. The choice depends on whether your network uses solicited IPv6 addresses or unsolicited ones obtained via SLAAC (Stateless Address Autoconfiguration). For solicited IPv6 addresses, select Report Full IPv6 Address; for the unsolicited case, select Report Only IPv6 Prefix.
  - Enable Prefer Primary RADIUS Server if you want the authentication to fall back to the primary RADIUS server once it comes back up after a failover. This helps if, for example, your secondary RADIUS servers have lower capacity than the primary servers. Another example where this helps is when enterprises use two data centers, each one configured as the “secondary” of the other. You would then want the authentication to fall back to the primary or “home” data center RADIUS server once it comes back up.
    Once an AP detects a failover to the secondary RADIUS server, it waits for the Dead Time interval before falling back to the primary. This ensures that fallback does not happen too soon, allowing time for the primary server to stabilize if it had been flapping.
- If you select WPA2, you can configure 802.11w for Management Frame Protection (MFP). If you select PSK, you can enable Group PSK. To enable Group PSK, select Group PSK and enter the passphrase. If you select UPSK, you must configure the RADIUS server.
  Note: 802.11w is not supported in Open, OWE, and WPA/WPA2 Mixed Mode security levels.
- If you select WPA/WPA2 Mixed Mode, you need to select PSK, UPSK, or 802.1X. If you select PSK, you can enable Group PSK. To enable Group PSK, select Group PSK and enter the passphrase. You can then proceed in exactly the same manner as when you select WPA2.
- If you select WPA3, you need to select either WPA3 Personal, UPSK, or WPA3 Enterprise. WPA3 Personal uses Simultaneous Authentication of Equals (SAE) to secure data and it is meant for home users. WPA3 Enterprise is meant for organizations as it includes an option to add 192-bit security for data security. If you select WPA3 or WPA3 Transition Mode, you can select one of the following SAE Mechanism for PWE Derivation:
  - Hunting-and-Pecking only
  - Hash-to-Element only
  - Hunting-and-Pecking and Hash-to-Element
Select Deny Locally-Administered MAC Addresses to prevent clients using locally-administered MAC addresses from accessing your network.
The next step depends on whether you are adding a new SSID or updating an existing one:
- If you are adding a new SSID, click Next to move to the Network tab.
- If you are updating an existing SSID, click Save or Save & Turn SSID On. In this case, an "SSID updated successfully" message appears.

Group PSKs

A single SSID can support up to 64 Group PSKs, each for a group of Wi-Fi clients. To appreciate Group PSKs, consider the following use cases:

An enterprise might require IoT devices to connect to the Wi-Fi network. Network administrators often want to use the same SSID for different client device categories, but assign different VLANs or access lists to them—for example, they might want to map printers and video cameras to separate VLANs. IoT devices typically do not support 802.1X-based authentication methods that enterprises use to segment clients into separate VLANs. With Group PSKs, you can configure the same SSID with different PSKs: one PSK for printers, another one for video cameras, and so on. You can also assign roles to each Group PSK.
A small branch office or a retail establishment might want to segment users on the same SSID by department (HR, finance, legal, etc.). Such establishments typically do not have 802.1X infrastructure; they can use Group PSKs to segment users.

Limitations

Group PSKs have the following limitations:

Group PSKs are supported for only the following security methods:
- WPA2 with PSK and
- WPA/WPA2 Mixed Mode with PSK.
Secondary Authentication (e.g., RADIUS MAC Authentication or Google Authentication) is not supported for Group PSKs.
Captive Portal is not supported with Group PSKs.
Group PSKs are not supported for SSIDs using VPN (L3 tunnel) or NAT.

Unique PSKs

UPSKs allow users to connect to the same SSID using a unique PSK which is user specific. UPSK provides added security as compared to single PSK because single PSKs are easily compromised.

UPSK is useful for large campuses that have huge numbers of BYOD/IOT devices, for example, college campuses or universities. The advantages of UPSK are:

Increased security by using individual PSKs per student and MAC authentication. When a user leaves the organization, administrators can deactivate their account so their PSK will no longer be valid to connect to the university network.
Easily managing a group of devices. For example, consider an enterprise having multiple categories of IOT devices such as cameras and printers. The administrator can assign different PSK to different categories of devices and manage the group of devices easily.
Easily managing a group of devices. For example, consider an enterprise having multiple categories of IOT devices such as cameras and printers. The administrator can assign different PSK to different categories of devices and manage the group of devices easily.
Monitoring of devices. One user may have multiple devices. In such cases, RADIUS assigns each device a specific PSK making it unique. Network administrators can easily track individual devices.

Note: You cannot disable RADIUS MAC Authentication if you have enabled UPSK.

UPSK New User Onboarding Flow

New user logs in and connects its clients using the default PSK (shared by admin).
Access Point (AP) initiates the MAC-Auth with the RADIUS server. As the MAC address is not registered, the RADIUS server assigns a default role to the client.
Client gets redirected to a portal for registration.
After registration, the user gets an auto-generated or admin-configured Unique PSK. The user can use this UPSK to connect other devices after MAC registration in the RADIUS server. This PSK remains unique to that user.
Once the device is registered, the RADIUS server can now send COA-Disconnect to the client.

UPSK Registered User Onboarding Flow

The user connects the registered device to the UPSK enabled SSID and enters the assigned PSK.
AP initiates the MAC-Auth with the RADIUS server. As the MAC address is already registered, RADIUS server sends an access-accept containing RADIUS Tunnel-Password attribute, which carries the assigned PSK.
- Attribute Name: Tunnel-Password
- Attribute ID: 69
AP matches the hash of the PSK entered by the user and the hash of the PSK received in the access-accept packet. If it's a correct match, the user device is onboarded.

Use Case

Consider a new student trying to connect to the university network. The student first connects to the SSID using the default credentials provided by the network administrator. The student is connected to the network using the default role and is redirected to the registration portal. The student can then provide their device information and register their device. The registration portal assigns a user-specific PSK and the client is disconnected. Post registration, the student can log into the network using the unique PSK assigned to them.

Unique-PSK User Private Network and Identity Lookup

Along with UPSK, you can also enable User Private Netwtoks and Identity Lookup.

UPSK User Private Networks

You can enable UPSK User Private Networks option to generate UPSK with isolation between multiple users’ devices. After you enable this setting, User-A’s devices onboarded using UPSK-A cannot reach or communicate with devices onboarded using User-B’s UPSK-B.

This setting further enhances the security provided by UPSK.

UPSK Identity Lookup

You can enable UPSK Identity Lookup to auto-register a new client using the generated UPSK Password. This feature lets you onboard a new client without the need of manual intervention.

Enabling UPSK

To enable UPSK:

Go to WiFi > Configure > SSID.
Under the Security tab, select your security level for associations.
Note: UPSK is unavailable for Open, OWE, and Hotspot 2.0 OSEN security levels.
Select the UPSK radio button.
Select UPSK User Private Network to enable isolation between client devices.
Note:For WPA2 and WPA/WPA2 Mixed Mode, UPSK Identity Lookup is auto-enabled. For WPA3 and WPA3 Transition Mode, you cannot enable UPSK Identity Lookup.
Under the Access Control tab, provide details for the RADIUS Settings.
Save the settings.

Supported AP Platforms and Security Methods

AP Platforms - WiFi 6 and above
Supported Security Methods
- WPA2
- WPA3
- WPA/WPA2 Mixed
- WPA3 Transition mode
Note: For WPA3 and WPA3 Transition Mode, you cannot enable UPSK Identity Lookup.

Local Authentication of Wireless Clients

Local Authentication (also known as authentication survivability) is the ability of access points (AP) to authenticate and onboard clients to the network using CA certificates through the integrated EAP server of the AP. Use Local Authentication when the RADIUS servers are not reachable to authenticate the clients. It is typically a temporary authentication mechanism; avoid using it as a primary authentication.

When the AP cannot reach the RADIUS server, it goes into authentication survivability mode. While the AP is in this mode, if any client tries to connect to the AP, the AP uses certificate-based authentication to on-board the AP and connect to the network. As soon as the RADIUS servers are reachable, the client gets reauthenticated by the RADIUS server.

Workflow

You can define up to four RADIUS servers in CloudVision Cognitive Unified Edge (CV-CUE) for 802.1X authentication. When the Primary RADIUS server computer is unreachable, the AP retries connecting to the Primary RADIUS server a certain number of times before switching to the next RADIUS server. When all the RADIUS servers are unreachable, the AP falls back to the local authentication mode. While the AP is in this mode, if any client tries to connect to the AP, the AP uses certificate-based authentication to on-board the client and connect to the network. Such clients are called locally authenticated clients.

The AP remains in the local authentication mode for the duration defined in the Dead Time configuration. After the dead time is over, the AP repeats the cycle of connecting to the RADIUS servers. If it successfully connects to the RADIUS server, it disconnects all locally authenticated clients. The clients reauthenticate using the RADIUS server.

Enable Authentication Survivability

To enable Authentication Survivability:

Go to CONFIGURE > WiFi > Add SSID or edit an existing SSID.
Click the Security tab and navigate to the Local Authentication section.
Select Local Authentication and provide the CA Certificate.
Upload the CA Certificate and then select a certificate tag.
Select the dead time. Dead Time indicates the duration for which the AP remains in the Local Authentication mode before connecting to the RADIUS server.
(Optional) Select a role for the clients from Assign Role for locally authenticated clients

You can verify locally authenticated clients and APs from the following pages:

Connectivity Dashboard — Client Journey
Client Details — Client Journey
Client Listing: Locally Authenticated column in client listing (MONITOR > WiFi > Clients)
AP Listing: Locally Authenticated column in AP listing (MONITOR > WiFi > Access Points)

The following image from the Connectivity Dashboard shows 3 locally authenticated clients:

The following image shows the client journey of a locally authenticated client (Client 1):

Configure and Monitor Alerts

You can configure and monitor alerts related to Local Authentication by navigating to CONFIGURE > Alerts > Device > Local Authentication. . For more information, refer to Configure System Alerts

SSID RADIUS Pooling

RADIUS Pooling lets you assign a pre-defined list of RADIUS Servers that Access Points (AP) can use to authenticate, authorize, and maintain clients' accounts. It offers better load-balancing capabilities and improved scalability.

You do not have to specify the order of the RADIUS servers as Primary or Secondary. Every AP randomly chooses the RADIUS servers from the pool, and then independently decides the sequence of the RADIUS servers and follows the order. Two APs sharing the same RADIUS pool may not share the same order for the RADIUS servers. APs automatically distribute the client load based on an intelligent algorithm.

Also, there is no separate list of RADIUS servers for Accounting and Authentication. The AP uses the same active RADIUS for accounting and authentication. If the AP doesn’t receive any Accounting messages from the active RADIUS server, it switches to the next RADIUS in the order. If all the RADIUS servers are disconnected and Local Authentication (Authentication Survivability) is enabled, the AP goes into the Local Authentication mode.

RADIUS Pooling is an SSID setting in the Security and Access Control tabs.

Configure RADIUS Pooling

Follow these steps to configure VLAN Pooling in SSID settings:

Go to CONFIGURE > WiFi > Add SSID.
Select the Security tab and select any 802.1X Authentication security level association, such as WPA3, WPA3 transition Mode, or WPA2.
Select Enable RADIUS Pooling and select a maximum of four RADIUS servers from the drop-down list. If you have not configured any RADIUS servers, they won’t be visible in the drop-down list.
(Optional) Click Add/Edit to add RADIUS servers or edit existing RADIUS servers.
Save the settings.

Note: On enabling RadSec, only the RadSec-capable RADIUS servers will be displayed in the drop-down list. On disabling RadSec, the RadSec-capable RADIUS servers are not displayed in the drop-down list.

Event Logs

When the AP decides the order of the RADIUS server, it generates an event log that displays the order of the RADIUS Server. You can view the event logs from TROUBLESHOOT > Event Logs > Access Points.

SSID Network Settings

The Network tab is the third of the three SSID tabs (Basic, Security and Network) that you must configure before you can save an SSID and turn it ON.

You must enter the default VLAN ID for this SSID.

You can have access points on this SSID operate in bridged, NAT or Tunneled modes.

Bridged

Use a bridged network when you want an AP and clients associated with the AP to be on the same subnet.

NAT

When you want an AP and its clients on separate subnets, use Network Address Translation (NAT). With NAT, clients have a private IP address pool and it is easier to add more clients to the network as they do not require a public IP address. NAT translates local IP addresses to global ones (and vice versa).

Note: NAT cannot be selected if under SSID Security Settings, you have enabled Dynamic VLANs with 802.1X authentication.

To configure NAT, you need to enter the Start IP Address, theEnd IP Address, and the Subnet Mask. Together, these define the IP pool from which the AP will assign IP addresses to clients. The Local IP Address is the IP address of the AP on the wireless side, i.e., the client-facing IP address. It serves as the gateway for associated clients. Upon successful association, wireless clients get their DNS information from the list of IP addresses you have entered in the DNS Servers field. You must enter at least one DNS server IP address. You can enter up to six DNS server IP addresses. The Lease Time is the DHCP lease time in minutes, after which the IP allocated to the client expires.

With Wired Extension, you can extend a NAT-enabled wireless LAN to the wired side using additional Ethernet ports on the AP. You can do so by creating an isolated wired LAN with one or more wired devices connected through layer-2 switches, and connecting the additional Ethernets port of the AP to this wired subnet. The wired LAN then becomes an extension of the wireless LAN with this SSID profile. All network settings configured on this SSID profile then apply to the wired devices as well.

Note: The additional Ethernet ports are available only on some Arista AP models. For more information, see the AP Datasheet.

Tunneled

A Tunnel Interface is useful when you want to route network traffic on the SSID to and from a single end point, and apply policies at this end point. In the tunneled mode, APs on the SSID route all traffic via the tunnel to a remote endpoint configured on the Tunnel Interface that you select. See Tunnel Interface for details. If you have not yet defined a Tunnel Interface, you can do it from within the Network tab using the Add / Edit link.

In tunneled networks, the RADIUS server could be located in the private corporate network behind the remote endpoint. When you enable Use Tunnel for RADIUS Messages, CV-CUE tunnels RADIUS messages between the AP and the RADIUS server. Key characteristics are:

All types of tunnel interfaces support tunneling of RADIUS messages between APs and a RADIUS server located behind the tunnel endpoint.
For tunnel types other than the RAP VPN tunnel, an AP obtains its IP address from the DHCP server in the remote network on the SSID VLAN. A RAP running an SSID with a VPN tunnel obtains its VPN IP address from the remote VPN endpoint, e.g., a firewall appliance.
The RAP VPN tunnel does not support IPv6. So for a RAP to communicate with a RADIUS server, the RADIUS server must have an IPv4 address.

The following RADIUS message types are supported for communication via tunnel:

Authentication (802.1X or RADIUS MAC Authentication)
Accounting
CoA (Change of Authorization)

With Layer 2 Traffic Inspection and Filtering (L2TIF) enabled on an SSID, Arista APs running the SSID send all packets to a wired endpoint, i.e., a tunnel endpoint or a switch. You can then configure the wired endpoint to inspect and filter traffic. An effect of enabling L2TIF on an SSID is that two clients associated with the SSID cannot communicate directly with each other on the wireless link; their packets are sent to the wired endpoint. What happens to these packets depends on the policies configured at the endpoint.

Consider two Wi-Fi clients, Client 1 and Client 2, associated with the same AP and the same SSID. As shown in the figure below, with L2TIF enabled, packets originating from Client 1 and destined for Client 2 are sent to the switch.

Switches typically discard packets whose source and destination are on the same port. If you wish to allow some types of direct Layer 2 communication on your network (for example, peer-to-peer file-sharing applications or access to printers) while still sending all packets to the wired endpoint for inspection, you can do so by configuring appropriate policies at the endpoint.

Note: L2TIF is applicable only to SSIDs in the bridged mode; in the tunneled mode, SSID traffic is anyway tunneled to an endpoint. Also, L2TIF is not supported for SSIDs that have NAT enabled. This is because an AP running a NAT-ed SSID becomes the gateway node of its own private subnet; its clients are not visible to the wired endpoint.

Inter AP Coordination is the mechanism where Arista APs exchange information with each other. You can select how APs exchange this information by choosing one of the three options:

L2 Broadcast: APs broadcast their information over the wired network. L2 broadcast works on the SSID VLAN and, if Layer 2 GRE is enabled, it works on the communication VLAN. You can Use Tunneling for Inter AP Coordination so that information related to inter-AP coordination flows through the tunnel, i.e., from one AP to the tunnel endpoint to another AP.
RF Neighbors: APs exchange information only with their RF neighbors. Dual-radio APs use Background Scanning to find their RF neighbors, tri-radio APs use their third radio. If you have not enabled Background Scanning under Device Settings, CV-CUE prompts you to do so when you turn the SSID ON. You can Use Tunneling for Inter AP Coordination so that information related to inter-AP coordination flows through the tunnel, i.e., from one AP to the tunnel endpoint to another AP.
Note: RF Neighbor can be used only with 802.11ac or higher Arista APs.
This Server:APs exchange information via the Wireless Manager server. The information is shared from a parent location to its child locations.
Note: Since the Arista server is involved, you cannot use the tunneling mode for inter-AP information.

If you select Advertise Client Associations on SSID VLAN, APs on this SSID broadcast their client associations to other APs on the same SSID VLAN.

DHCP Option 82 (DHCP Agent Information Option) is generally used in a distributed DHCP server environment to assign IP addresses to clients based on their location. The AP inserts DHCP Option 82 in all DHCP packets, such as DHCP Discover and DHCP Request, thereby providing additional information to identify the client's point of attachment. DHCP Option 82 contains a Circuit ID that you can configure at this location and on the DHCP server as well. The DHCP server then selects an appropriate IP pool for the Circuit ID it receives, and assigns an IP address to the client from this pool. For an example, see Example Use Case for DHCP Option 82.

DHCP Packet Forwarding is used to send a copy of DHCP Packets from Access Points (AP) to Network Access Control (NAC) solutions for profiling clients and assigning appropriate network segments. When you enable the packet forwarding option on the UI, the AP forwards a copy of the DHCP packets to Port 67 of the destination server.

The destination server can be an IPv4 or IPv6 address, not a hostname. You can provide a maximum of eight IP addresses for the destination server. You also have the option to send the DHCP packets through a tunnel if the Network Mode is L2 Tunnel or L3 Tunnel. However, you cannot send the DHCP packets to IPv6 addresses if the network mode is L3 Tunnel.

Note: Forwarding of DHCP packets is applicable only for wireless clients.

Multicast DNS (mDNS) Packet Tagging helps Wi-Fi clients discover network services such as printers or conference room displays. A Wi-Fi client sends an mDNS packet querying for services on the network—for example, printers. An Arista AP can tag client mDNS query packets with a location name. The AP adds its location, i.e. the name of the folder in the location tree, as a tag to the mDNS query. mDNS gateways running on Arista aggregation switches use the location tag to filter services that they return in response to the mDNS query. This filtering is based on rules configured in the mDNS gateway—for example, the mDNS gateway in the following figure can be configured so that when it receives a query tagged with “Floor 1” as the location, it returns only “Printer 1”, the printer located on floor 1.

Note:

mDNS tagging is not supported in NAT or VPN Tunnel modes.
For mDNS tagging to work, make sure your aggregation switch supports mDNS gateways. See the Supported Features page on the Arista website to check if a particular switch model supports an mDNS gateway.
Make sure you have assigned the correct location tag to each location because mDNS gateways return devices based on location tags. See Set Location Tag for steps on how to assign location tags.

Example Use Case

Let us consider an enterprise deployment with two branch offices and a single DHCP server hosted in the data center at the HQ. Only one SSID is configured and the same configuration is assigned to all the branch office locations. The same VLAN ID is configured but different subnets are assigned to the branch office locations.

In this case, we create three SSID profiles:

HQ
Branch1
Branch2

We also configure the appropriate location tags for each location (HQ and branch offices) in the location tree.

DHCP Option 82 is enabled and the Circuit ID is set to “%l” which sends the location tag to the DHCP server.

On the DHCP server, we configure policies based on the information received from the DHCP Option 82:

If Circuit ID = HQ then assign IP from 172.16.0.0/16 – 172.16.8.255/16 subnet
If Circuit ID = Branch1 then assign IP from 172.16.9.0/16 – 172.16.12.255/16 subnet
If Circuit ID = Branch2 then assign IP from 172.16.13.0/16 – 172.16.15.255/16 subnet

Configure SSID Network Settings

The Network tab is the third of the three SSID tabs (Basic, Security and Network) that you must configure before you can save an SSID and turn it ON.

Steps to configure the SSID network settings are:

Go to CONFIGURE > WiFi > SSID > Network.
Enter the default VLAN ID for the SSID.
Select the AP mode of operation for the SSID.
- If you select Bridged mode, you do not need to configure anything more and you can proceed to the next step.
- If you select NAT, you need to configure the following NAT-related parameters:
  - Start IP Address defines the starting IP address of the IP pool from which the AP assigns IP addresses to clients.
  - End IP Address defines the end IP address of the IP pool from which the AP assigns IP addresses to clients.
  - Local IP Address is the local IP address of the APs on the wireless side.
  - Subnet Mask is the subnet mask for the IP pool.
  - DNS Servers are the DNS servers that clients will use to get DNS information. You must enter at least one DNS server IP address. You can enter up to three such DNS server IP addresses.
  - Lease Time is the DHCP lease time in minutes, after which the IP allocated to the client expires.
  - Select Wired Extension to extend a NAT-enabled wireless LAN to the wired side using the second Ethernet port on the AP.
- If you select L2 Tunnel or VPN Tunnel , you need to select the Tunnel Interface which contains the endpoint to which the AP will tunnel all traffic. If you have not yet defined a tunnel interface, you can do so by clicking Add / Edit. This opens a Tunnel Interface window on the right-pane. You can create the interface and return to network settings.
  - Enable Use Tunnel for RADIUS Messages if the enterprise RADIUS server is behind the tunnel endpoint and you wish to tunnel RADIUS messags to the endpoint.
    Note: Either 802.1X or RADIUS MAC Authentication must be enabled for communication with a remote RADIUS server.
  - For EoGRE tunnels, you can Synchronize Failover and Fallback of RADIUS Server with EoGRE Interface. This is helpful if the primary and secondary RADIUS servers are bound to the respective EoGRE interfaces but they do not mutually sync client authentication states. In such cases, selecting this prevents a "split-brain" situation, where the client data flows via the secondary EoGRE tunnel while RADIUS messages are exchanged with the primary RADIUS.
Select the Inter AP Coordination mechanism.
- If you select L2 Broadcast, APs broadcast their information over the wired network. Select Use Tunneling for Inter AP Coordination if you want the inter-AP coordination related information to flow through the tunnel.
- If you select RF Neighbors, APs exchange information only with their RF neighbors. Select Use Tunneling for Inter AP Coordination if you want the inter-AP coordination related information to flow through the tunnel.
- If you select This Server, APs exchange information via the Wireless Manager server.
  Note: Since the Arista server is involved, you cannot use the tunneling mode for inter-AP information.
Select Advertise Client Associations on SSID VLAN if you want APs on the SSID to broadcast their client associations to other APs on the same SSID VLAN.
Select DHCP Option 82 to assign clients IP addresses based on their location in a distributed DHCP server environment.
Select Multicast DNS (mDNS) Packet Tagging if you want APs to tag client mDNS query packets with the location name. mDNS gateways running on the switch return appropriate network services (printers) based on the location tag.
Select DHCP Packet Forwarding to send a copy of DHCP Packets from Access Points (AP) to Network Access Control (NAC) solutions for profiling clients and assigning appropriate network segments.
Click Save or Save & Turn SSID On.If you select Save & Turn SSID On, see Turn an SSID On for details.

SSID VLAN Mapping

To enable SSID VLAN mapping:

Go to CONFIGURE > WiFi > SSID. Click Add SSID.
Click the Network tab.
In VLAN, select the VLAN Name radio button and provide your VLAN name.
Provide a fallback VLAN ID.
Click SSID VLAN Mapping.
Add the VLAN name and ID and save the settings.
Save and turn on the SSID.

SSID VLAN Pooling

VLAN Pooling is a list of VLAN IDs defined by the Network Administrator. The Access Point (AP) distributes the VLAN IDs from this pool of VLAN to the clients connecting to the SSID. VLAN Pooling offers better scalability and optimized load-balancing of traffic.

VLAN Pool can be Static or Dynamic. Static VLAN Pool is manually defined by Network Administrators in the SSID. Dynamic VLAN Pool is assigned by RADIUS servers depending on the device identity.

VLAN Pooling also supports MVRP.

Rules and Restrictions for VLAN Pool

The following VLAN rules and restrictions apply to VLAN Pool:

You can provide a maximum of 128 VLAN IDs in the VLAN Pool.
VLAN IDs must be in the range of 0-4094.
You can provide a VLAN range separated by a hyphen. Example, 10-20
Duplicate VLAN IDs are not allowed.
Inverse or decreasing VLAN range is not allowed. For example, 20-10 is not allowed.

Configure VLAN Pooling

Follow these steps to configure VLAN Pooling in SSID settings:

Go to CONFIGURE > WiFi > Add SSID.
Select the Network tab and then select the VLAN Pool option.
Specify the VLAN IDs.
Save the settings.

Alternatively, to configure the VLAN Pool from the Role profile, navigate to CONFIGURE > Network Profile > Role and specify the VLAN Pool.

SSID Access Control

The SSID Access Control tab contains settings that control access to the SSID, for example, Firewall and Client Authentication settings.

You can configure the following firewalls on the Access Control tab:

L3-4 Firewall
Application Firewall

Note: You can not enable firewall settings if Dynamic VLANs is enabled under CONFIGURE > SSID >Security > 802.1X.

To configure the firewall settings, see Configure Firewall Settings.

You can enable Apple's Bonjour Gateway feature that allows access to Apple devices on the network.

Note: Bonjour Gateway does not work when the Network is set to NAT mode. If you have set the Network to NAT mode, CV-CUE grays out Bonjour Gateway and prompts you to change the Network setting from within the Access Control tab.

For details, see How Arista Supports Bonjour Gateway. To configure Bonjour Gateway, see Configure Bonjour Gateway.

You can enable Redirection to redirect either Smartphones & Tablets or all clients of the SSID to the Redirect URL that you specify. This could be useful, for example, in an enterprise network where you might want smartphones and tablets to be redirected when accessing the SSID, but allow laptops and desktops to directly start using Wi-Fi. You can also have a Walled Garden of sites that the user can access before login.

Note: You must enter at least the Redirect URL in the Walled Garden field, since the user must be able to access that URL before login.

To configure Redirection, see Configure Redirection in SSID Access Control.

Organizations such as enterprises and educational institutions (K-12 and higher education) often implement a centralized Authentication, Authorization and Accounting (AAA) management to enforce Role Based Control , also called Role Based Access Control (RBAC). RBAC enables network administrators to restrict system access to authorized users. Users are granted controlled access to network resources based on the roles assigned to them or the groups to which they belong. Typically, organizations implement this kind of controlled access by using RADIUS. When users connect to the network, they are first authenticated and then authorized to access appropriate resources on the network.

In the case of a WLAN network, user access restrictions could mean that only specific VLANs or a fixed bandwidth is provided to users based on the user roles defined in the RADIUS server. You can also enforce which applications a user can access over the WLAN network based on the user role.

Arista uses Role Profiles to define various WLAN access roles, and to create RADIUS Vendor Specific Attribute (VSA) based rules and Google Organizational Unit (OU) rules to authorize Wi-Fi users. A network administrator can define various role profiles that specify the restrictions to be placed on the Wi-Fi user to whom the profile is assigned. The administrator can then define multiple VSA rules (for RADIUS) or Google OU rules (for Google Integration) here in SSID Access Control, and assign role profiles through these rules to the Wi-Fi users that connect to the SSID.

Let us consider an example. When you define a Rule Type for RBAC, then the OU returned from Google or the role obtained from the RADIUS VSA must contain the string entered in the Enter Value field. For example, if the string in the Enter Value field is ‘/*/Elementary School/*/Student’, then this will match with ‘/SJUSD/Elementary School/Almaden Elementary/Student’ in Google/VSA.

It could happen that you have different settings in the SSID tabs and different ones in the Role Profiles tab. What happens then? For the answer, see Role Profile.

To configure Role Based Control, see Configure Role Based Control.

To control clients that can access this SSID, you can create Allow and Deny lists of client MAC addresses. See How the Client MAC Allow and Deny Lists Work and Requirements for details on the feature.

With Client Isolation enabled on an SSID, Wi-Fi clients associated with the SSID are allowed to communicate only with their gateway; they cannot communicate directly with any other hosts on the same subnet—including other clients on the same SSID, clients associated with other SSIDs on the same subnet, and hosts connected to the wired network on the same subnet. An AP running an SSID with Client Isolation discards all packets from a client if the destination IP address is on the same network as the client, except for packets destined to the gateway.

Consider two Wi-Fi clients, Client 1 and Client 2, associated with different APs on the same SSID, SSID 1. As shown in the figure below, with Client Isolation enabled, AP1 discards packets originating from Client 1 and destined to Client 2.

If NAT is enabled on an SSID, an AP running the SSID becomes the gateway node of its own private subnet. Consider Client 1 and Client 2 in the figure above. If these clients are associated with a NAT-ed SSID, they cannot see each other’s IP address. Thus, it is NAT rather than Client Isolation that prevents direct connections between these clients; Client Isolation prevents direct connections only between clients of the same AP.

Note that even with a NAT-ed SSID, the net effect of enabling Client Isolation is the same as in the case of a bridged or tunneled SSID: clients on the same SSID cannot communicate directly with each other. But the mechanisms that prevent such communication are different: NAT prevents direct communication between clients on different APs and Client Isolation prevents direct communication between clients of the same AP.

Client Authentication adds another layer of security to your network. It authenticates clients, i.e. user devices, in addition to mechanisms configured in the SSID Security tab that authenticate users (e.g. WPA2-PSK). Client Authentication uses either Google Integration or RADIUS MAC Authentication. See Google Integration for more information.

Note: If you have configured 802.1X authentication in the SSID Security tab, then CV-CUE grays out the RADIUS MAC Authentication option, since 802.1X already is a RADIIUS-based mechanism.

Some Wi-Fi clients send Diassociation messages whenever they enter a "sleep" mode. If the AP immediately sends an Accounting Stop request to the RADIUS server, the RADIUS server clears the client info and the client has to reauthenticate when it wakes up. This could cause frequent and unnecessary reauthentication. The Accounting Stop Delay is the number of minutes that the AP waits between the time it receives the Disassociation and the time it sends the Accounting Sopt message to the RADIUS server. If the client wakes up in the interim and communicates with the AP, the Accounting Stop message is not sent and the client does not need to reauthenticate.

For the other RADIUS settings, see Configure SSID Security Settings.

You can choose to either Disconnect or Stay Connected and Assign Role to the user. To assign a role, you need to select one from those defined on the Role Profile tab. You might configure Client Authentication before you have created any Role Profile. When you click Add / Edit under Select Role, a window appears in the right pane, allowing you to define a Role Profile without having to leave Client Authentication.

To configure Client Authentication, see Configure Client Authentication.

Configure SSID Access Control

You can configure settings that control access to the SSID, for example, Firewall and Client Authentication settings.

SSID Access Control consists of the following settings:

Configure the Firewall settings. See Configure Firewall Settings for details.
Configure Bonjour Gateway settings.
See Configure Bonjour Gateway for details.
Configure Redirection settings.
See Configure Redirection Settings for details.
Configure Role Based Control settings.
See Configure Role Based Control for details.
Configure WiFi Clients in Allow List and Deny List settings.
See Configure Allow and Deny Lists of Wi-Fi Clients for details.
Enable Client Isolation to prevent clients of the same AP from being able to access each other's data.
Configure Client Authentication settings.
See Configure Client Authentication for details.
Click Save or Save & Turn SSID On.
If you select Save & Turn SSID On, see Turn an SSID On for details.

L3-4 Firewall

Arista Access Points (APs) have firewall capabilities. The AP firewall monitors the traffic passing through the AP and takes actions based on user-defined rules.

The firewall is stateful, that is to say, it keeps track of whether the connection has been opened in the outgoing direction (wireless to wired-side) or in the incoming direction (wired-side to wireless), and takes appropriate actions on the packets based on the direction in which the connection was opened. The following image illustrates the conventions used for directions.

Note that this is not the Internet facing firewall. Its main purpose is to facilitate traffic controls, such as allowing/disallowing access to certain assets and/or applications for wireless users. The firewall rules are defined and enforced on a per SSID basis. Arista APs support multiple SSID profiles, thereby enabling multiple firewall configurations to co-exist.

The following use cases illustrate typical applications for the Arista AP firewall functionality:

Block guest Wi-Fi users from accessing the private/corporate subnet. This serves as an additional security control to ensure that guest Wi-Fi users can access only public Internet and nothing in the private address space.
Block or allow access to specific domain names.
Allow guest Wi-Fi users to access only HTTP and HTTPS content in the Internet. This is typically done to control the type of traffic guest users can generate.
Implement DNS-based content filtering to prevent access to non-family-friendly web sites, security threats, and peer-to-peer file sharing. The firewall can be used to ensure that Wi-Fi clients necessarily use the specified content filtering DNS server, such as Norton ConnectSafe, and cannot bypass it.
Enforce use of IPsec VPN for wireless clients.

Note:

When you enable L3-4 Firewall Rules, you can see the default rule Action : Block on the UI. If you enable L3-4 Firewall Rules and do not define any rules at all, the default rule applies, i.e., all traffic is blocked.
The AP compares traffic with rules from top to bottom until it finds the first match. Once it finds the first match, the AP does not compare the rest of the rules. If it finds no match with any of the defined rules, the AP uses the default rule at the end. You can re-order the rules using the drag-and-drop feature to reposition them at the desired level.

In case of a conflict between rules on the L3-4 Firewall and those on the Application Firewall, the AP decides using this Decision Table.

Example Use Case of L3-4 Firewall

Let us look at a rule set that might be found on a Guest SSID in a retail store deployment.

Goal for Retail Store: Allow only HTTP/HTTPS Internet access, with content filtering and no access to private subnets.

Table 1. Example Rules Table for Retail Store
Rule Number	Rule Name	IP / Hostname	Port	Action	Protocol	Direction
1	Content Filtering DNS1	199.85.126.30	53	Allow	UDP	Outgoing
2	Content Filtering DNS2	199.85.127.30	53	Allow	UDP	Outgoing
3	Block All Other DNS	*	53	Block	UDP	Outgoing
4	No Local Access	192.168.0.0/16, 172.17.0.0/21, 10.0.0.0/8		Block	Any	Any
5	Allow HTTP / HTTPS	*	80, 443	Allow	TCP	Outgoing
6	Default			Block

Rule 1 - Allow outbound UDP port 53 to Content Filtering (Norton) DNS1/199.85.126.30. This rule implements DNS-based content filtering to block access to web sites that contain non-family-friendly content, pose security risks, and promote file sharing applications. DNS uses UDP port 53. So this rule allows outgoing UDP connections destined to port 53 on a content filtering DNS server with the 199.85.126.30 host IP address.

Because the firewall is stateful, the return path is automatically allowed and you do not need a separate rule for the return path. This is true for the other rules as well.

Rule 2 - Allow outbound UDP port 53 to Content Filtering (Norton) DNS2/199.85.127.30. Like Rule 1, this rule also implements DNS-based content filtering. This rule provides DNS server redundancy.

Rule 3 - Block all outbound UDP 53. This rule blocks all DNS traffic excluding that which is allowed by Rules 1 and 2. This rule prevents users from statically configuring DNS server addresses on their clients to circumvent content filtering.

Rule 4 - Block traffic to destination 192.168.0.0/16, 172.17.0.0/21 and 10.0.0.0/8. Blocks access to private/corporate subnets. This rule blocks any wireless traffic addressed to any host in the 192.168.0.0/16, 172.17.0.0/21 and 10.0.0.0/8 subnets. The Protocol specified for this rule is Any, which covers any protocol carried over IP. Because there are protocols that do not implement the port concept (e.g. ICMP), the port number gets grayed out when Any is selected as protocol. This rule is ideal for restricting users on the Guest Wi-Fi from accessing private subnets.

Rule 5 - Allow any traffic outbound to TCP port 80, 443. Allow clients to open outgoing TCP connections to port 80 (allows outgoing HTTP connections) and allow clients to open outgoing TCP connections to port 443 (allows outgoing HTTPS connections). The wildcard character (*) represents “any” hosts.

Rule 6 - Default rule is set to Block, which means that all other kinds of communication, except the ones enabled by the rules 1-5, are disallowed.

Application Firewall

You can define firewall rules at the application level.

Note:

To enable Application Firewall Rules, you must enable Application Visibility under the SSID Analytics tab. CV-CUE prompts you to enable Application Visibility from within the Application Firewall Settings, so you do not need to navigate to the Analytics tab.
When you enable Application Firewall Rules, you can see the default rule Action : Block on the UI. If you enable Application Firewall Rules and do not define any rules at all, the default rule applies, i.e., all traffic is blocked.
The AP tests packets with rules from top to bottom until it finds the first match. Once it finds the first match, the AP does not compare the rest of the rules. If it finds no match with any of the defined rules, the AP uses the default rule at the end. You can re-order the rules using the drag-and-drop feature to reposition them at the desired level.

In case of a conflict between rules on the L3-4 Firewall and those on the Application Firewall, the AP decides using this Decision Table.

Example Use Case of Application Firewall

Shown below is a rule for an enterprise that wants to block Facebook and Twitter on their corporate SSID.

Table 2. Example Rule for Enterprise Corporate SSID
Rule Name	Category	Application Name	Action
Block Facebook and Twitter	Social Networking	Facebook, Facebook Apps, Facebook Event, Facebook Messages, Facebook Post, Facebook Search, Facebook Video, Facebook Video Chat, Twitter	Block
Default			Block

L3-4 versus Application Firewall Decision Table

Table 3. Decision Table for L3-4 Firewall versus Application Firewall
L3 Firewall Action	Application Firewall Action	Final Action
Deny	Any	Deny
Allow	Deny	Deny
Allow	No Match	Allow
No Match	Deny	Deny
No Match	Allow	Allow
No Match	No Match	Default
Allow and Mark	Allow and Mark	Allow with App Mark
Allow and Mark	Allow	Allow with L3 Mark
Allow and Mark	No Match	Allow with L3 Mark
No Match	Allow and Mark	Allow with App Mark
No Match	No Match	Default Mark

Configure Firewall in SSID

You can configure both L3-4 and Application firewalls.

To configure firewalls:

Go to CONFIGURE > WiFi > SSID > Access Control.
Click Firewall.
Select Layer 3-4 Firewall Rules to set up a L3-4 firewall.
1. Click the "+" sign to add a new rule to the firewall.
2. Configure the following details of the firewall rule:
  - Enter the Rule Name, what you want to call the rule.
  - Enter IP / Hostname to which you want to apply the rule.
  - Enter the Port number to which you want to apply the rule.
  - Select the Action, whether you want to Allow, Block, or Allow and Mark the packets under this rule.
  - Select the Protocol to which you want to apply the rule.
  - Select the Direction, whether you want the rule to apply to Any direction, to Incoming packets or to Outgoing packets.
Select Application Firewall Rules to set up an application firewall.
1. Click the "+" sign to add a new rule to the firewall.
2. Configure the following details of the firewall rule:
  - Enter the Rule Name, what you want to call the rule.
  - Select the application Category to which you want to apply the rule.
  - Select the Application Name to which you want to apply the rule.
  - Select the Action, whether you want to Allow, Block, or Allow and Mark the packets under this rule.
Click Save or Save & Turn SSID On. If you select Save & Turn SSID On, see Turn an SSID On for details.

What is Bonjour Gateway?

Bonjour is Apple's implementation of zero-configuration networking (Zeroconf). It is used to discover devices and services advertised by Bonjour capable devices on a local network using multicast Domain Name System (mDNS).

Generally, Bonjour devices run on local networks and the Bonjour service advertisements do not cross network boundaries. They are restricted to the broadcast domain of a single VLAN / Subnet. Clients that are connected on a different VLAN than the one on which the Bonjour devices are connected, cannot discover these services.

How Arista Supports Bonjour Gateway

Arista APs provide support for clients to automatically detect and connect to Bonjour capable devices and the services running on such devices. For the sake of understanding how the clients can connect to Bonjour capable devices over an Arista WLAN, let us consider just two VLANs as follows:

A service VLAN on which the Bonjour capable devices are deployed.
A client VLAN on which the clients are deployed.

As shown in the figure, after a client connects to an SSID that has Bonjour Gateway enabled and the service VLAN configured, the AP forwards the mDNS packets from the service VLAN to the client VLAN (i.e. the VLAN ID configured in the SSID) and vice versa. The client now knows about the Bonjour services available on the WLAN and can connect to such services.

Note: Bonjour Gateway can be configured only if the Network type on the SSID is set to Bridged. This feature is not available for a NAT type network.

Configure Bonjour Gateway

You can configure Apple's Bonjour Gateway feature that allows access to Apple devices on the network.

To configure Bonjour Gateway:

Go to CONFIGURE > WiFi > SSID > Access Control.
Select Bonjour Gateway.
Note: Bonjour Gateway does not work when the Network is set to NAT mode. If you have set the Network to NAT mode, CV-CUE grays out Bonjour Gateway and prompts you to change the Network setting from within the Access Control tab.
Enter the Service VLANs.These are the VLANs with the Bonjour devices. The AP forwards packets from the service VLAN to the client VLAN (i.e. the VLAN ID configured in the SSID) and vice versa.
Click Save or Save & Turn SSID On.

DHCP Fingerprinting-based Access Control

Using DHCP Fingerprinting-based access control, you can allow or deny clients getting connected to an SSID.

The AP can identify the Operating System (OS) of the client based on the DHCP exchange packets between the client and the DHCP server. DHCP has many request parameters; in this case, DHCP uses Option 55 to capture and exchange client OS (Macintosh, Windows, and others). Leveraging this client-specific information, you can restrict certain types of clients from connecting to the network.

As a network administrator, you can use DHCP fingerprinting to allow or deny a client from associating with an Access Point (AP), put clients in a specific VLAN, apply bandwidth control or firewall rules, and apply other network policies.

Note that DHCP fingerprinting-based access control is not a per-client configuration. This configuration applies to all clients matching a particular profile, using a specific OS. So, all clients of a specific OS can be allowed or denied to access the network.

Navigate to CONFIGURE > WiFi > SSID > Access Control.
Enable the DHCP Fingerprinting based Access Control check box.
For Identified Clients, first specify the Default Rule. The OS Type is Any and you cannot change it. Select either Allow or Deny for Action. The default rule applies to all identified clients.
(Optional) Specify the exceptions to your default rule, if any. You can add multiple exceptions.
Click Allow or Deny for Unidentified clients.
Save the settings.

Identified and Unidentified Clients

The AP categorizes clients into identified and unidentified based on client information captured from DHCP exchange request.

When the client tries to connect to the AP the next time, the client data is matched with the fingerprint database. If the data matches, the client is classified as identified. If not, the client is considered as unidentified.

How the Rules Work for Identified and Unidentified Clients

For unidentified clients, you can specify whether to Allow or Deny such clients to connect to the network. For identified clients, you can specify a default rule and exceptions to the default rule. Exceptions are given priority over the default rule.

In a default rule, the OS type is Any for clients and you cannot change it. You can change the action as Allow or Deny for such clients. In exceptions, you can specify only the OS type. The action will be the opposite of what you select in the default rule. For example, if the default rule for an identified client is Allow for Windows OS, and in the exceptions you have added Android as the OS type, then Windows clients will be allowed to connect to the network but Android clients will be denied connection to the network.

When a client successfully connects to the network, you can see the status of the client as Successfully connected in MONITOR > WiFi > Clients . For clients that failed to connect, the status is seen as Failed client. DHCP Fingerprinting Failure. The client events are also captured in the client event logs.

Configure Redirection in SSID Access Control

You can redirect clients of the SSID to a URL of your choice.

To configure Redirection:

Go to CONFIGURE > WiFi > SSID > Access Control.
Select Redirection.
Select whether you want to redirect Smartphones / Tablets only or All Clients.
Enter the Redirect URL.
Select HTTPS Redirection if you wish to move to secure version of HTTP.
Info:Enabling HTTPS Redirection enables three fields, these three fields provide the information of the customer using the certificate.
- Common Name: Identifies the host name associated with the certificate.
- Organization: Name of an organization.
- Organization Unit: Name of an organizational unit.
Enter the list of Walled Garden sites.
Note: You must enter at least the Redirect URL in the Walled Garden field, since the user must be able to access that URL before login.
Click Save or Save & Turn SSID On.

What is a Walled Garden?

Let us understand the concept of a “walled garden” and its typical applications within Arista Wi-Fi. A walled garden allows Wi-Fi providers to control which destinations users can or cannot access on a wireless network.

Walled garden functionality is used in conjunction with Arista’s captive portal. The captive portal function serves as a vehicle to interact with users when they log into Wi-Fi network.

When a captive portal is enabled on an SSID, a splash page is presented to the users before allowing them Wi-Fi access. The splash page serves as a gatekeeper for allowing Wi-Fi access and facilitates user interactions such as:

Asking the user to accept terms and conditions
Facilitating user authentication using a web-based login and password screen
Facilitating logins using social Wi-Fi credentials

Sometimes it is necessary to bypass the gatekeeping function of the splash page and this bypass function is facilitated by the walled garden. By defining specific destinations inside the walled garden, it is possible to bypass the splash page allowing a user to access those specified destinations directly. See Figure Splash Page and Walled Garden.

How the Client MAC Allow and Deny Lists Work

You can define either an Allow list or a Deny list of client MAC addresses on a per SSID basis. It is basically an Access Control List for an SSID – you get to decide which devices can or cannot connect to an SSID. For example, you might want to allow only employees on the Corporate SSID. You could then create an Allow list of MAC addresses that can connect to the Corporate SSID. Conversely, you might want to restrict some clients from connecting to an SSID. You could then create a Deny list of client MAC addresses for that SSID to prevent those clients from connecting to the SSID. Below are the definitions of Allow and Deny lists.

Allow list: Only clients in the Allow list can connect to the SSID. No other clients are allowed.

Deny list: Clients in the Deny list cannot connect to the SSID. All other clients are allowed.

Requirements for Allow Deny Lists of Client MAC Addresses

Allow and Deny lists need to meet the following requirements:

For a given SSID, you can create either an Allow list or a Deny list, but not both
Per SSID Allow list or a Deny list works only for 802.11ac and higher Arista devices
For each SSID, you can add a maximum of 1024 clients to its Allow list or Deny list

Google Integration for Client Device Authorization

Google provides App sets for enterprises (Google for Work) and educational institutions (Google for Education). These enable users to communicate and collaborate from a single platform. From network administrators’ perspective, key functions provided by Google are User and Device Management, and Organizational Units. Network administrators can create an organizational structure and control which settings and policies must be applied to users and devices. User directory offers SSO for all Google applications, while device management enables administrators to authorize devices that can access the network and restrict access based on the user role. Once a user logs in with his official Google credentials, the device MAC is listed on the Google Device Management page. The administrator can then authorize or reject the device when it attempts to connect to the network.

Configure Client Authentication

You can configure client authentication using either Google Integration or RADIUS MAC Authentication.

To configure client authentication:

Go to CONFIGURE > WiFi > SSID > Access Control.
Select Client Authentication.
Select either Google Integration or RADIUS MAC Authentication.
- If you select Google Integration, then select what happens If Client Authentication Fails:
  - Select Disconnect to disconnect the client if authentication fails.
  - Select Stay Connected and Apply Role and select the role you want to assign to the client if authentication fails. If you want to define a role, click Add / Edit. A right-panel window appears where you can configure the Role Profile and continue with Client Authentication. See Configure a Role Profile.
- If you select RADIUS MAC Authentication, RADIUS Settings appear.
  Note: RADIUS MAC Authentication is not available If you have configured 802.1X authentication in the SSID Security tab, since 802.1X already is a RADIIUS-based mechanism.
Click Save or Save & Turn SSID On. If you select Save & Turn SSID On, see Turn an SSID On for details.

Configure Role Based Control

You can assign role profiles to users connecting to the SSID based on the Google Integration or RADIUS rules you define here in Role Based Control.

Prerequisites

To implement Role Based Control using Google, you must enable Google Integration.
To implement Role Based Control using RADIUS, you must enable 802.1x.

You do not have to leave the SSID Access Control tab to configure Google or RADIUS. Just click Change Settings? under Role Based Control. CV-CUE opens a right-pane window, allowing you to configure and save the relevant settings and continue with Role Based Control.

To configure Role Based Control:

Select Role Based Control
- Select RADIUS VSA to assign roles based on rules for the RADIUS server.
  - Select the Rule Type. This could be either Arista-Role RADIUS VSA or Custom RADIUS attributes VSA.
  - Enter the Vendor ID and Attribute ID if you selected Custom RADIUS attributes VSA. For the Arista-Role RADIUS VSA case, the vendor is Arista and the Vendor ID and Attribute ID are pre-defined in the RADIUS server, so you do not have to enter those values here.
  - Select the Operand for the string pattern that you want to use for the rule.
  - Enter the string pattern in the Enter Value field.
  - Select the role you want to assign for this rule in Assign Role. If you have not yet defined the role you want to assign, click Add / Edit. A right-pane window appears allowing you to define a role and continue with Role Based Control. See Configure a Role Profile for details.
- Select Google OU to assign roles based on rules for Google OU.
  - The Rule Type is preset to Google OU.
  - Select the Operand for the string pattern that you want to use for the rule.
  - Enter the string pattern in the Enter Value field.
  - Select the role you want to assign for this rule in Assign Role. If you have not yet defined the role you want to assign, click Add / Edit. A right-pane window appears allowing you to define a role and continue with Role Based Control. See Configure a Role Profile for details.
Click Save or Save & Turn SSID On.

Typical RADIUS MAC Authentication Flow

You can configure RADIUS MAC Authentication in CV-CUE to assign roles to clients both before and after authentication. Let us look at a typical use case to understand how this works. Consider an SSID that uses RADIUS MAC Authentication to authenticate clients associating with it. A typical RADIUS MAC authentication workflow is shown in the figure below.

The RADIUS server notifies the AP that the client MAC is unknown. The AP then redirects the client to a login portal.
The user enters a username and password into the portal. The RADIUS server authenticates these credentials and registers the client MAC address against this user.
The RADIUS server notifies the AP of the successful authentication. The user is now connected to the network.

Typically, in such cases, subsequent attempts by this client to connect to the SSID are seamless, i.e., the RADIUS server knows its MAC address and the client is not redirected to the login portal.

Role-based control with RADIUS MAC authentication can be implemented in CV-CUE using any of the following:

Role Profiles
Captive Portal hosted on the Arista Cloud
Captive Portal hosted on a Third Party server

CV-CUE supports integration with Forescout, ISE and ClearPass.

Implementation Using Role Profiles

To implement Role-based control with RADIUS MAC authentication using Role Profiles, you need to define two roles in CV-CUE: a Pre-Authentication role and a Post-Authentication role. The workflow using roles is as shown in the figure below.

When the client first connects to the SSID, the WiFi Access Point (AP) sends an Authentication Request containing the client’s MAC address to the RADIUS server.
The RADIUS server responds with an Access-Accept message containing the Pre-Authentication role. The Pre-Authentication role redirects the client to a web authentication portal hosted on the RADIUS server.
The user enters a username and password into the portal. The RADIUS server authenticates these credentials and registers the client MAC address against this user.
The RADIUS server sends a Change of Authorization (CoA) message containing the Post-Authentication role to the AP. The AP connects the client to the network.

Configure Roles with RADIUS MAC Authentication

Let us look at how to define the two roles in CloudVisionWiFi to implement the role-based MAC authentication workflow.

RADIUS Profile

Under CONFIGURE > Network Profiles > RADIUS, click Add RADIUS Server and enter the RADIUS server details as shown below:

Pre-Authentication Role

The Pre-Authentication role profile enables redirection to the URL of the web authentication portal, as shown below.

Note: You must add the web authentication portal URL and ports 80 and 443 to the “Websites That Can Be Accessed Before Authorization” list.

This implements Step 2) from the workflow above, redirecting the client to the RADIUS server authentication portal. You need to configure the RADIUS server to return this role in the Access-Accept message it sends to the AP.

Post-Authentication Role

The Post-Authentication role profile defines the connection settings (e.g., VLAN, Firewall rules) for successfully authenticated clients as shown below.

You need to configure the RADIUS server to return this role in the Change Of Authorization (CoA) message it sends to the AP.

RADIUS MAC Authentication and Role-Based Control

Note: RADIUS MAC Authentication is available only if the Security Mode is set to Open, WPA2, or Mixed mode. For WPA2 and Mixed mode, PSK must be selected. This option is not available with 802.1x.

The steps to configure RADIUS MAC Authentication and Role-Based Control are:

Under SSID > Access Control, enable Client Authentication > RADIUS MAC Authentication and select “Disconnect” if authentication fails. This causes the client to disconnect if authentication fails. If authentication succeeds, roles defined in the SSID are applied.
Next, under RADIUS Settings, select the RADIUS server you want to use.
Note: Set the Calling Station ID to %m-%s (MAC Address and SSID), and the NAS ID to “%s” (only the SSID).
Finally, enable Role-Based Control on the SSID and assign the two roles via the RADIUS VSA, as shown below.

Note: The VSA and its value may vary depending on the RADIUS server used.

SSID Analytics

The SSID Analytics tab contains settings to control what analytics information is stored and where.

Arista APs collect, process and present useful and easy-to-understand Analytics information. You can choose to store this information on the Arista server and / or on a third-party server of your choice. Analytics information is broadly classified into Association and Application Visibility analytics.

Association

Association analytics includes information on clients that associate with the SSID and neighboring APs that are visible to the AP. An Arista AP collects the following data:

Client MAC address
Protocol
SSID of the network to which the client connects
Location of the client in the Arista Location Hierarchy
Start time of client association with the AP (GMT)
End time of client association with the AP (GMT)
Start time of client association with the AP according to local time of the user
End time of client association with the AP according to local time at the user
Session duration
Data transfer from client device in bytes
Data transfer to client device in bytes
Data rate in Kbps
Smart device type
Local Time Zone
RSSI data of connected clients as well probing clients without the local MAC address
RSSI data of neighboring Arista APs
Channel information with each RSSI record

If you select Association, you can also select Website URLs accessed by WiFi userst analytics. Content analytics include:

Domain name accessed by the clients
Data transferred to the domain (in bytes)
Data received from the domain (in bytes)

The Arista server stores the data in CSV format so you can download it as reports.

Application Visibility

Application Visibility is where the AP monitors all applications above Layer 2 for this SSID. It tells you what applications are most popular on your network. It can also help you identify unwanted or harmful applications. You can view these Applications on the Monitor tab in CV-CUE either on a per-Client basis or on a per-Application basis.

Note: Application Visibility is not supported on 802.11n devices (AP Feature Matrix). Additionally, we recommend that you do not enable Application Visibility for C-65, C-75, W-68 and O-90 as it might adversely affect performance.

You can choose to send the analytics to a third-party server. In this case, when you select HTTP Content, you need to enter the Username and Password for the server. The Send Interval determines how often the data are sent to the server.

You can select which HTTP fields you want to send as part of the analytics. Arista APs send client MAC and RSSI data as part of the HTTP Post message. For details, see HTTP Post Format.

HTTP POST Format

The curl program is used to post the RSSI values to the server. The command format used is as follows:

curl <upload_URL>?sensor_mac=<sensor's MAC address>&timestamp=<time in seconds> -F data=@"<file_on_airtight_device>"

The post command contains two arguments:

sensor_mac: The MAC address of the Arista device. Example 00:11:74:90:00:1F
timestamp: The time in number of seconds from boot of the Arista device.

The contents of this post command is the upload file, which contains RSSI data of clients. The file name is rssi_data.

Each line in the file is of the following format:

<client_mac>, <RSSI in dBm>, <time in seconds at which RSSI reading was taken>

Configure Analytics in SSID Settings

To configure Analytics in SSID, includes two steps, one is to store analytics information on the server, and to push analytics information to third-part server.

To know more about parameters required in configuring Analytics in SSID Settings refer Analytics Parameter.

To configure Analytics in SSID Settings:

Navigate to CONFIGURE > WiFi > SSID.
Configure settings within the Store Analytics on This Server tab to store analytics information on the server.
1. Select Association for information about the clients that connect to or associate with the Arista APs. Selecting this enables HTTP Content field.
2. Select HTTP Content to capture information about the internet domains accessed by the clients associated with the Arista APs.
3. Select Application Visibility to turn ON the application visibility feature.
Scroll down to Push Analytics to Third-Party Server tab and configure the below settings to push analytics data to third-party server.
1. Enter Server URL of the external server.
2. Enter Username to log in to external server.
3. Enter Password for the user to log in to external server.
4. Enter Send Interval in minutes.
Select HTTP Content information like Post Request Body, User Agent, Referer that you would like to share with the third party server.
Click Save.

Analytics Parameter

Fields	Description
Store Analytics on This Server
Application Visibility	This check box turns ON the application visibility feature. If you enable Application Visibility for a selected SSID, then a list of all applications above layer 2 for the selected SSID will be displayed in the Monitoring > Applications tile. Note: We recommend not to enable Application Visibility feature for C-65, C-75, W68, and O-90. If you enable Application Visibility for these models, then it may impact the AP performance. Application Visibility feature is not supported on 802.11n and older devices.
Association	This check box, if enabled presents information about the clients that connect to or associate with the Arista APs. You can choose to collect analytics data for reporting purpose about the client-AP association. Association analytics and content analytics can be collected if you enable the collection of these analytics in the Wi-Fi profile. Association Analytics comprises the data related to the client - AP communication. The following data is collected as association analytics: Client MAC address Protocol SSID of the network to which the client connects Location of the client Start time of client association with the AP (GMT) End time of client association with the AP (GMT) Start time of client association with the AP according to local time of the user End time of client association with the AP according to local time at the user Session duration Data transfer from client device in bytes Data transfer to client device in bytes Data rate in Kbps Smart device type Local Time Zone
HTTP Content	This check box captures information about the internet domains accessed by the clients associated with the Arista APs. This information is present in the association analytics file. The following information is present for each internet domain as content analytics information: Domain name Data transferred to the domain (in bytes) Data received from the domain (in bytes)
Push Analytics to Third-Party Server
Server URL	URL of the external server where the information is to be stored.
Username	Username to log in to external server.
Password	Password for the user to log in to external server.
Send Interval	Recurrent time interval, in minutes, after which the HTTP content analytics JSON file must be sent to the external server. Value can vary from [1 - 60] mins, default value is 10 mins.
HTTP Fields
HTTP Content	Arista AP supports the transfer of client HTTP content analytics or browsing data from clients over HTTP or HTTPS to an external server where this information can be stored. If this feature is enabled then user has to configure below options.
Post Request Body	If checked then include the POST method request body in the JSON file.
User Agent	If checked then include the user agent (browser) in the JSON file.
Referer	If checked then include the HTTP referrer in the JSON file.

SSID Captive Portal

A Captive Portal is a page that appears when a user attempts to access the SSID. This could be a Facebook login enabled page for a public Wi-Fi network, a simple Terms-of-Use page for a Guest SSID on a corporate network, or a custom-branded page for a coffee shop chain. The Captive Portal tab in CV-CUE is designed so that you can configure all portal related settings for your SSID (social media plugins, splash page, etc.) from this tab.

The captive portal can reside on the Arista AP, on Arista Cloud or on a third-party server. The AP Hosted portal is the simplest case. It is simply a clickthrough splash page, typically asking a user to accept some terms of use. You can upload a splash page bundle, which is a ".zip" file containing components of the splash page. A Download Sample can help you with creating your own bundle.

A Cloud Hosted captive portal is one that resides on Arista Cloud. You can do a lot with this option, authenticating users via a wide variety of methods — called plugins — and defining Quality of Service (QoS) settings for each authentication method. When you click Select login method for guest Wi-Fi users, a right-panel window opens up allowing you to choose plugins and define the QoS settings for each of them. QoS Settings include login and blackout timeouts, and download and upload bandwidth limits. Below are the plugins through which users can access Arista Cloud hosted captive portal:

Click-Through: This is basically no authentication, only a Welcome or Terms-of-Use type page on which the user can click and access Wi-Fi.
Social Media Plug-Ins: Users authenticate using their social media login credentials to access the Wi-Fi. For details, see Access WiFi Using Social Media Plug-ins. Arista supports the following social media plugins: Facebook, Twitter, LinkedIn, Foursquare, Instagram, and Google+.
Username and Password: There are two options within this method:
- You can Allow Guest Users to Self-Register. Self-Registration can be for Free Wi-Fi, Paid Wi-Fi, a combination of the two, or with Host Approval. For the Free case, there are options to allow guest users to set their own passwords or to auto-login, to enable "Forgot Password" links, and to activate expired accounts. For the Paid case, Arista uses the Stripe Payment Gateway. You can define tiers of payment. So, you can charge different amounts for different session durations — say, $1 for an hour and $3 for 2 hours. The access time must be consumed as soon as it is purchased. So, if a guest user purchases 1 hour of access for $1, the session will expire after exactly 1 hour of purchase, irrespective of how much session time the guest actually consumes. Even if the user explicitly logs off, the session continues to be billed. The Free + Paid case is a mixed mode - in addition to combining options from both cases, it allows you to keep the Wi-Fi free for some time and then start charging. For example, many airports offer free Wi-Fi for the first half an hour and charge users after that. Host Approval is for enterprise setups, where you want to authorize the guest Wi-Fi access. The host, whom the guest has come to visit in the enterprise, can be the authorizer. Host-approved Wi-Fi access ensures that only authorized users can access the WLAN network. To understand how host-approved guest access works, see Guest WiFi Authentication with Host Approval.
- Admin Generated Credentials uses the Guestbook method. This is where you maintain a private guestbook and allow guest users to log in and access Wi-Fi with guest user account credentials that you have defined. The guestbook can include other user-specific information. When you enable this in CV-CUE, it opens up in a new tab once you save the SSID.
Passcode through SMS: Users provide their mobile number to receive an authentication code via SMS. They use this code to authenticate and access the Wi-Fi. You can define settings related to the passcode (such as maximum length) and to the SMS (such as maximum number of times the SMS is resent).
Web Form: This is an enhanced form of clickthrough. There is no authentication. To access Wi-Fi, users fill out specific information such as their name, e-mail address, and contact number.
External RADIUS: Authentication happens via an external RADIUS server. You can select a RADIUS server from the ones you have added, or add a new one using the Add / Edit option. CV-CUE allows you to add and save the new RADIUS server and return to the portal settings.
Note: You cannot use the RADIUS plugin with any other plugins. If you select External RADIUS, CV-CUE automatically disables the other plugins.

Important Notes on Payment Gateway

If you use the Paid or the Free + Paid option, you are using a payment gateway. There are a few important things to keep in mind when using a payment gateway:

Some scripts from the payment gateway do not load in Android native web view (i.e. the native browser that Android uses). To avoid this, you must add ssl.gstatic.com to the Walled Garden list of the captive portal. if you do not add this entry to the Walled Garden, the user sees an error message saying that the page could not be loaded and asking them to use a different browser.
For best Wi-Fi user experience, we recommend that you add the general sites mentioned in Walled Garden Sites for Captive Portal to the Walled Garden list of the captive portal. The reason for this is that when a user attempts to access a Wi-Fi connection, some Operating Systems (e.g. iOS) try to reach some sites — let us call them "test sites" — to detect if the user is behind a captive portal. If they are unable to reach the "test sites", these operating systems conclude that the user is behind a captive portal and open the splash page using an "in-app" browser. This could cause problems because, in conventional browsers, the page containing the usage time and the logout option opens in a separate tab from the splash page. Thus, with an "in-app" browser, users could end up not being able to see the usage and logout page at all. While users are sent reminders to logout once they close their sessions, they could miss these messages or attend to them after a while. This means that users could get billed for time they have not spent using the Wi-Fi. To avoid such problems, it is best to add those "test sites" to your Walled Garden so that users can access the time and logout tab as well.
Currently, you can define only time limits on the payment gateway. You cannot define bandwidth or data limits; usage evaluation based on either bandwidth or data volume is not supported.
You can define amounts with up to 2 decimal points (e.g. $1.35).

Note: The QoS settings you configure for the plugins override those in the SSID > Access Control tab.

Apart from the plugins, you can configure Common Settings such as e-mail, SMS and payment gateway accounts used to communicate with your Wi-Fi users. Common settings are applicable not only across plugins within an SSID captive portal, but also across SSIDs and across locations. So if you define a new location and an SSID at that location, the common settings apply there as well. This means that Wi-Fi users of an organization see the same e-mail and use the same SMS account, no matter what location they are at.

You can use a combination of plug-ins on your captive portal. For example, you can use all the social media plugins to provide guests with the option of using any social media account of their choice to authenticate and access the Wi-Fi. Or, if you are organizing an event and want to provide Wi-Fi access to guests, you can create a batch of guest user accounts in Guest Manager and provide the account details to the guests to access the Wi-Fi by using these account credentials.

Another use case is to give users the option to access Wi-Fi without any authentication. Say, you have configured the social media plug-ins on your portal. But you also want to provide Wi-Fi access to guests who do not have a social media account or do not wish to use their social media account credentials. In this case, you can provide a link on the portal page that allows users to access the Wi-Fi by just accepting certain Terms and Conditions. This can be done using the Clickthrough plugin.

Note: The Terms and Conditions are user-defined and not Arista specific. You can choose not to provide any Terms and Conditions.

A Third-Party Hosted captive portal resides on an external server. As such, you must enter the Splash Page URL and the Shared Secret of the server that hosts the portal. You can enable RADIUS Authentication and enter the 802.1X Settings. See 802.1X RADIUS Settings for details. With third-party hosted portal, you need to configure Advanced Portal Parameters, namely the Request and Response Attributes that the portal uses for its challenge-response based user authentication.

There are some general fields that apply to AP-hosted, Cloud Hosted and Third-Party hosted portals. For example, you can define Websites that users can access before login and some Post Login fields such as a URL the user is redirected to after login (for instance, a coupon for the 100th customer), and login and blackout times. For a third-party hosted portal, you can define a post-login Service Identifier for the user

Walled Garden Sites for Captive Portal

For best results with splash pages, there are some sites you need to add to the Walled Garden list of the captive portal. Some of these sites are general, for all splash page based captive portals, while others are for specific plugins or content type.

General Sites

Add the following sites to the Walled Garden list for your captive portal:

Host name of the Guest Manager; for example, gms.cloudwifi.com.
akamaihd.net
googleapis.com
gstatic.com
Country specific Google domain where the access point using the SSID profile is deployed. For example, if an AP deployed in France is using the SSID profile, then you must add google.co.fr to the walled garden. If the SSID profile is used by access points deployed in different geographies, then the corresponding geography-specific Google domain must be included in the walled garden.

Due to some third-party application issues, some of the plug-ins do not respond properly on Apple iOS clients. To work-around these issues, you must add the following entries in the walled garden for enabling the captive portals to function properly on Apple iOS clients:

appleiphonecell.com
captive.apple.com
itools.info
ibook.info
airport.us
thinkdifferent.us

Note: For an Apple iOS client, if you have a video in the splash page then add the walled garden entries. However, if there is no video in the splash page and you need Automatic Internet Detection then do not add the walled garden entries.

Site for Payment Gateway

If you use the Paid or the Free + Paid option, you are using a payment gateway. Some scripts from the payment gateway do not load in Android native web view (i.e. the native browser that Android uses). To avoid this, you must add ssl.gstatic.com to the Walled Garden list of the captive portal. if you do not add this entry to the Walled Garden, users see an error message saying that the page could not be loaded and asking them to use a different browser.

Sites based on Content

Based on the content type used in the splash page, add the following domains to the walled garden.

Content Type	Walled Garden Entries
Vimeo	vimeo.com vimeocdn.com google-analytics.com
PollDaddy	polldaddy.com
YouTube	youtube.com googlevideo.com ytimg.com google.com googleusercontent.com (for thumbnail images) lh5.googleusercontent.com (for thumbnail images)

Content Type

Walled Garden Entries

Vimeo

vimeo.com

vimeocdn.com

google-analytics.com

PollDaddy

polldaddy.com

YouTube

youtube.com

googlevideo.com

ytimg.com

google.com

googleusercontent.com (for thumbnail images)

lh5.googleusercontent.com (for thumbnail images)

Configure Access Point Hosted Captive Portal

To configure AP Hosted Captive Portal settings:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal.
Select the Captive Portal check box to display a portal page to be shown to the client on using the guest network.
Select the mode of access as AP Hosted to the internet through the captive portal.
Click Download Sample to download the factory default portal bundle file.
Click Upload Custom Splash Page Bundle to upload the bundle.
Info:The bundle must be a .zip file of the portal page along with any other files like images, style sheets and upload this file. The zip file must satisfy the following requirements for the portal to work correctly:
1. The zip file should have a file with the name "index.html" at the root level (i.e., outside of any other folder). This is the main portal page. It can have other files and folders, (and folder within folders) at the root level that are referenced by the index.html file.
2. The total unzipped size of the files in the bundle should be less than 100 KB. In case, large images or other content is to be displayed on the page, this content can be placed on an external web server with references from the index.html file. In this case, the IP address of the external web server must be included in the list of exempt hosts (see below).
3. The index.html file must contain the following HTML tags for the portal to work correctly:
  - A form element with the exact starting tag: <form method="POST" action="$action">
  - A submit button inside the above form element with the name "mode_login". For example: <input type="image" name="mode_login" src="/images/login.gif">. The exact tag: <input type="hidden" name="redirect" value="$redirect"> inside the above form element.
Select HTTPS Redirection if you wish to move to secure version of HTTP. Enabling HTTPS Redirection enables three fields, these three fields provide the information of the customer using the certificate.
- Common Name: Identifies the host name associated with the certificate.
- Organization: Name of an organization.
- Organization Unit: Name of an organizational unit.
Enter the list of Websites that users can access before login.
For Post Login configuration enter details for the below fields:
1. Specify the Redirect URL. The browser is redirected to this URL after the user clicks the submit button on the portal page. If left empty, the browser is redirected to the original URL accessed from the browser for which the portal page was displayed.
2. Specify Login Timeout, in minutes, for which a wireless user can access the guest network after submitting the portal page. After the timeout, access to guest network is stopped and the portal page is displayed again. The user has to submit the portal page to regain access to the guest network. If the user disconnects and reconnects to the guest network before his session times out, he does not have to enter his credentials on the splash page.
3. Specify Blackout Time, in minutes. This is the time for which a user is not allowed to login after his previous successful session was timed out. For example, if the session time-out is 1 hour and the blackout time is 30 minutes, a user will be timed out one hour after a successful login. Now after this point, the user will not be able to login again for 30 minutes. At the end of 30 minutes, the user can login again.
4. Select Detect when Internet connection is down and inform guest users, if you want to check the internet connectivity and inform guest users in case of loss of Internet connectivity.

Configure Cloud Hosted Captive Portal

This is the default option when you first access the SSID > Captive Portal tab. With this option, the captive portal is hosted on Arista Cloud.

To configure Cloud Hosted captive portal:

Go to CONFIGURE > WiFi > SSID > Captive Portal.
Select Captive Portal.
Design the splash page. See Design a Splash Page for details.
Configure the plugins you want to use. The default plugin is Clickthrough. The settings are different for different plugins. For information on these settings, see:
Select Skip Splash Page and the Duration in days, if you want to skip presenting the splash page to the user for that duration.
Select HTTPS Redirection if you wish to move to secure version of HTTP. Enabling HTTPS Redirection enables Certificate Information section. This section provides the information of the customer using the certificate.
Enter the valid information for the below fields from Certificate Information section.
- Common Name: Identifies the host name associated with the certificate.
- Organization: Name of an organization.
- Organization Unit: Name of an organizational unit.
Enter the Websites that users can access before login. This is the Walled Garden of sites that you are allowing the user to access before login. For best results with captive portal, we recommend that you add some sites to the walled garden. See Walled Garden Sites for Captive Portal.
Configure the Post Login parameters.
- Redirect URL to which you want to redirect the user.
- Login Timeout after which the user's login expires.
- Blackout Time which is the time period for which a user cannot log in to the portal after the last successful login has timed out.
Select if you want the AP to detect when the internet is down and inform users.
Click Save to save the SSID or Save & Turn SSID On to save and turn it on.

Guest Wi-Fi User Authentication with Host Approval

An overview of how the user will gain access to Wi-Fi using the guestbook plugin with host approval is described as follows:

The guest user connects to the SSID and is redirected to a splash page. The guest user registers on the splash page by providing his contact information and the email address of the host. The guest user account information is stored in the guestbook of the portal.
The user is shown a message that the request has been sent for approval.
The host receives an email for the registration performed by the guest user.

A sample email is displayed as follows:
Once the host clicks Approve in the email, the guest user will receive an approval message. If the approval is granted within 5 minutes from the time of request, the guest user can access Wi-Fi without logging in again. The login page is displayed as follows:

The guest user is automatically logged in after clicking Continue.
If the request approval is granted after 5 minutes, the guest user must explicitly log in using the provided username and password. The guest user must click Click Here to Login to authenticate and access Wi-Fi.

Design a Splash Page

The Cloud Hosted captive portal comes with a default splash page. You can edit this splash page.

You must select Cloud Hosted captive portal under CONFIGURE > WiFi > SSID > Captive Portal. to edit the splash page.

To edit the splash page:

Click the "pen" (edit) icon on the Splash Page section.
Expand the Logo option to add your logo to the splash page.
1. Click Upload Logo Image and select the logo image you want to upload.
2. You can use the slider below the image to adjust the size of the logo.
Expand the Background Image option to add your background image to the splash page.
1. Click Upload Image and select the background image you want to upload.
Expand the Background Color option.
1. Select the background color from the color bar on the right.
2. Select the exact shade of the color by clicking at a particular location on the rectangle.
3. Set the level of Transparency using the slider below the color pane. The rgba values below the slider correspond to the color, shade and the transparency level you select. RGBA stands for Red, Green, Blue and Alpha, where Alpha is the transparency parameter (0 - fully transparent, 1 - fully opaque).
Expand the Terms of Use option to define the terms of use.
1. Enter the Title for the terms of use.
2. Enter the Body of text for the terms of use.
Expand the Privacy Policy option.
1. Enter the Title of the privacy policy.
2. Enter the Body of the privacy policy.
Expand the Text option. You can use this to enter your caption or welcome message (e.g. "Enjoy Free Wi-Fi") and your copyright info.
1. Enter the Plugin Title. This is your caption or welcome message.
2. Enter the Copyright text.
Click Save.

Configure Common Settings for Plugins

Common settings are system wide — they are applicable not only across plugins within an SSID captive portal, but also across SSIDs and across locations. Common settings include settings for email, SMS and payment gateway accounts used to communicate with your Wi-Fi users.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure common settings.

Configure Email Account Settings
Configure SMS / MMS Account Settings
Configure Payment Gateway Settings

Configure Email Account Settings

This is the email account used to communicate with your Wi-Fi users.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure common settings.

To configure e-mail account settings:

On the CONFIGURE > WiFi > SSID > Captive Portal tab, click Select login method for guest WiFi users.
Click the "gear" icon for Common Settings.
Click the "envelope" icon for Email Account.
Select the Email Service Type.
- If you select System Email:
  - Enter the From Email ID and the From Name. These will appear in the "From" field of the email the user gets.
  - Enter the Return Email ID. This is the email ID to which the user can send a response. You can test by clicking Verify to receive a test message on the return ID.
- If you select SMTP Configuration:
  - Enter the From Email ID and the From Name. These will appear in the "From" field of the email the user gets.
  - Enter the Return Email ID. This is the email ID to which the user can send a response.
  - Enter the SMTP Server Host name or IP address.
  - Enter the Server Port number of the SMTP server.
  - Select the Login Method for the SMTP server.
  - Enter the Login Username and the Login Password for the SMTP server.
  - Select the Connection Security type for the connection to the SMTP server.
You can enter a Test Account and click Send Test Email to verify that the configuration works.
Click Save to save the configuration.

Configure SMS/MMS Account Settings

This is the SMS / MMS account used to communicate with your Wi-Fi users.

Select Cloud Hosted captive portal under SSID > Captive Portal to configure common settings.

To configure SMS / MMS account settings:

On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
Click the "gear" icon for Common Settings.
Click the "message" icon for SMS / MMS Account.
Under the Account option, select an existing account or select Add New to add a new account.
Provide an account name.
Select a Service Provider.
Info:You can select Twilio, Msg91 or a custom service provider. The configuration varies depending on your choice.
- If you select Twilio, enter the Account SID, the Auth Token and the Twilio Number.
- If you select Msg91, enter the Username, Password, and Sender ID, and select the SMS Route.
- If you select Custom, enter the Service URL.
Enter a Test Account number, provide the DLT Template ID, and Test SMS Settings to verify that the configuration works.
Click Save to save the configuration.

Configure Payment Gateway Settings

This is the payment gateway used to bill users when you select Paid or Free + Paid Wi-Fi.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure common settings.

Note: When using Paid or Free + Paid Wi-Fi, we recommend that you add the general sites mentioned in Walled Garden Sites for Captive Portal to the Walled Garden list in the captive portal settings. This will ensure that the captive portal is not suppressed and users are not forced into an "in-app" browser.

Arista currently supports only the Stripe payment gateway. To configure payment gateway account settings:

On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
Click the "gear" icon for Common Settings.
Click the "two coins" icon for Payment Gateway.
Under the Stripe Account option, select an existing account or select Add New to add a new account.
Enter a Name for the account.
Open the Stripe website in a new tab and login to your Stripe account.
On the Stripe home page, click API on the left navigation menu.
Note: If you were already logged in to Stripe, you need to logout and log back in to be able to access the API menu.
Copy the Live Publishable Key and the Live Secret Key from the Stripe API menu, and paste them in the respective fields in the payment gateway settings in CV-CUE.
Click Save to save the configuration.

Configure Clickthrough Plugin

The Clickthrough plugin has no authentication, only a Welcome or Terms-of-Use type page on which the user can click and access Wi-Fi.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

To configure Clickthrough plugin:

On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
Select Clickthrough and click the edit icon (pencil) to edit settings.
Configure the Common Plugin Settings.
Click Save.
Click Save on the Plugin & QoS page to save the clickthrough settings.
Save the SSID.

Configure SAML

You can integrate SAML SSO with a captive portal for authentication.

Note: The SAML integration functionality is only available for captive portals hosted on the Arista Cloud. It is not available if the captive portal is hosted on third-party servers or on the access point.

To configure SAML:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal tab.
Select the Captive Portal checkbox and select Cloud Hosted from the dropdown list.
In Authentication Plugins and Quality of Service, click SAML in Custom.
From the right panel, click the Custom > SAML checkbox and click the SAML logo. You can add your custom logo or keep the default logo. The SAML Settings right panel opens.
Provide the display name. Users will see this name on the splash page. A maximum of 15 characters, including spaces, is allowed for the display name.
(Optional) Upload a logo for the SAML icon. Once uploaded, you will see this logo appear in the previous screen.
Click the Download SP Metadata XML link and share the downloaded metadata with the identity provider.
Provide the metadata information received from your IDP Vendor. You can add the metadata manually or upload an XML with all the metadata details. To add metadata manually, provide these information:
- Entity ID — The ID of the SAML SSO identity provider (IDP).
- Login URL — The URL of the IDP application.
- Hash Algorithm
- Upload Certificate — Certificate used by the IDP to sign or encrypt the data.
To upload the metadata, click Upload XML and upload the XML file from your local or shared drive.
Provide a mapping between SAML attribute and target attribute. The SAML attributes are predefined attributes that users see on the UI. The Target attributes are attributes defined by the identity service provider.
Define the Quality of Service parameters:
- Login Timeout
- Blackout Time
- Limit the maximum download bandwidth to
- Limit the maximum upload bandwidth to
Specify the redirect URL. Users will be redirected to this URL after authentication.
Note: There is another redirect URL field in the Post Login section in Captive Portal settings. If both the fields have different redirect URLS, then the URL defined in the SAML settings page takes precedence over the general Captive Portal redirect URL settings.
Save the SAML settings and then save the Captive Portal settings.

Configure OpenID Connect

You can integrate OpenID Connect with a captive portal for authentication. .

Note: The OpenID Connect integration functionality is only available for captive portals hosted on the Arista Cloud. It is not available if the captive portal is hosted on third-party servers or on the access point.

To configure OpenID:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal tab.
Select the Captive Portal checkbox and select Cloud Hosted from the dropdown list.
In Authentication Plugins and Quality of Service, click Custom.
From the right panel, click the Custom > OpenID Connect radio button and click the OpenID Connect logo. You can either keep the default logo or add your custom logo in the next screen. The OpenID Settings right panel opens.
Provide the display name. Users will see this name on the splash page. A maximum of 15 characters, including spaces, is allowed for the display name.
(Optional) Upload a logo for the OpenID Connect icon. Once uploaded, you will see this logo appear in the previous screen.
Specify the login details for the OpenID Connect account:
- Client ID — The client ID or login ID of your OpenID Connect account. It is used to identify your application on IDP.
- Client Secret — The password of your OpenID Connect account. Client secret ensures that the access tokens are granted to authorized applications only. By adding the client secret in SSID settings, we ensure that our application is considered as authorized by the IDP.
- Issuer URL — The URL of the OpenID server. This is the landing page url of the IDP. The user gets to the sign-in page through this URL.
Note: The maximum character limit for all the three fields is 200 characters.
Define the Quality of Service parameters:
- Login Timeout
- Blackout Time
- Limit the maximum download bandwidth to
- Limit the maximum upload bandwidth to
Specify the redirect URL. Users will be redirected to this URL after authentication.
Note: There is another redirect URL field in the Post Login section in Captive Portal settings. If both the fields have different redirect URLS, then the URL defined in the SAML settings page takes precedence over the general Captive Portal redirect URL settings.
Save the OpenID settings and then save the Captive Portal settings.

Access Wi-Fi Using Social Media Plug-Ins

The figure below explains how Arista authenticates the guests using social media plug-ins.

When guests try to access the Wi-Fi through an Access Point (AP), the captive portal page is displayed. The portal provides options for authenticating with social media accounts. When a guest chooses a social media to authenticate, the portal redirects the user to the social media login page for his social media account credentials. The social media validates the user account credentials. If successful, the portal and the social media exchange certain information and perform a handshake. The user is requested for permission to share some of the information in his social media account with the social media App. The social media checks whether the user Likes or Follows your page on the social media and, if not, requests the user to Like or Follow your page. The AP then opens the gate for the users to access the Internet.

Configure Social Media Plugins

You can configure social media plug-ins on your captive portal. You must configure only the plug-ins that you have selected for your portal. Following are the social media plugins that can be configured from captive portal:

Facebook
Foursquare
Google+
Instagram
Linkedin
Twitter

Configure Facebook Plug-In

To configure the Facebook plug-in on your captive portal, you need to know App ID and App Secret of your Facebook App.

To configure the Facebook plug-in:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal > Authentication Plugins & Quality of Service > Social.
Select Facebook.
Enter App ID provided by Facebook to communicate with the Facebook API.
Enter App Secret.
Select Display Like Page if you wish the guests must Like your Facebook page when they authenticate using their Facebook account credentials.
Enter Like Page URL of the the Facebook page that guests see and can 'Like'.
Select Extended Profile Permissions if you want to ask the guest user for permission to access additional information such as email address, birthday, likes and location.
Info: If selected, the user is asked for permissions to access above-mentioned information from the user profile. Select the check boxes for the information fields (Email address, Birthday, Likes, Location) that you want to request access for from the guest user.
Refer Configure Commom Social Media Plugin Settings for Quality of Service and Redirect URL configuration.
Click Save.

Configure Twitter Plug-In

You can configure Twitter plug-ins on your captive portal. You must have the Administrator role to configure the Twitter plug-ins. Before you configure the Twitter plug-in you must ensure that you have created your application/ project in the social media.

To configure the Twitter plug-in:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal > Authentication Plugins & Quality of Service > Social.
Select Twitter.
Enter Customer Key provided by Twitter to communicate with the Twitter API.
Enter Customer Secret.
Select Display Follow Page if you wish the guests must Follow you on Twitter when they authenticate using their Twitter account credentials.
Enter the Follow Page URL for the Twitter page that the guests can see and 'Follow'.
Refer Configure Commom Social Media Plugin Settings for Quality of Service and Redirect URL configuration.
Click Save.

Configure LinkedIn Plug-In

You can configure LinkedIn plug-ins on your captive portal. You must have the Administrator role to configure the LinkedIn plug-ins. Before you configure the LinkedIn plug-in you must ensure that you have created your application/project in the social media.

To configure the LinkedIn plug-in:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal > Authentication Plugins & Quality of Service > Social.
Select LinkedIn.
Enter App ID provided by LinkedIn to communicate with the LinkedIn API.
Enter Secret Key.
Select Display Follow Page if you wish the guests must Follow you on LinkedIn when they authenticate using their LinkedIn account credentials.
Enter the Follow Page URL to be displayed to the guest.
Select Extended Profile Permissions if you want to ask the guest user for permission to access additional information such as Email Address.
Info:If selected, the user is asked for permissions to access above-mentioned information from the user profile. Select the check boxes for the information fields (Email address) that you want to request access for from the guest user.
Refer Configure Commom Social Media Plugin Settings for Quality of Service and Redirect URL configuration.
Click Save.

Configure Foursquare Plug-In

To configure the Foursquare plug-in:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal > Authentication Plugins & Quality of Service > Social.
Select Foursquare.
Enter Client ID provided by Foursquare to communicate with the Foursquare application that uses OAuth 2.0 protocol to call Foursquare APIs.
Enter Client Secret.
Refer Configure Commom Social Media Plugin Settings for Quality of Service and Redirect URL configuration.
Click Save.

Configure Google+ Plug-In

To configure the Google+ plug-in:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal > Authentication Plugins & Quality of Service > Social.
Select Google+.
Enter the Client ID provided by Google+ to communicate with the Google+ application that uses OAuth 2.0 protocol to call Google APIs.
Enter the Client Secret.
Enter an API Key generated by Google+ for each project and is used to communicate with other APIs enabled in the project.
Select Extended Profile Permissions if you want to ask the guest user for permission to access additional information such as email address, and advanced profiles.
Info:If selected, the user is asked for permissions to access above-mentioned information from the user profile. Select the check boxes for the information fields(Email address, and Advanced Profiles) that you want to request access for from the guest user.
Refer Configure Commom Social Media Plugin Settings for Quality of Service and Redirect URL configuration.
Click Save.

Configure Instagram Plug-In

To configure the Instagram plug-in:

Navigate to CONFIGURE > WiFi > SSID > Captive Portal > Authentication Plugins & Quality of Service > Social.
Select Instagram.
Enter Client ID provided by Instagram to communicate with the Instagram application that uses OAuth 2.0 protocol to call Instagram APIs.
Enter Client Secret.
Refer Configure Commom Social Media Plugin Settings for Quality of Service and Redirect URL configuration.
Click Save.

Configure Okta Plug-In

You must be an Administrator to configure the Okta plug-in on your captive portal. Before you configure the plug-in, ensure that you have created your application/project in the social media.

To configure the Okta plug-in:

Log in to CV-CUE, and go to CONFIGURE > WiFi > SSID.
Create a new SSID or edit an existing SSID. Click the Captive Portal tab.
Click the Captive Portal check box and then ensure that Cloud Hosted is selected from the drop-down list.
Click Social in the Authentication Plugins and Quality of Service tile.
Select the Okta check box under the Social check box.
Configure the Client ID, Client Secret and Organization Domain. Use the values that you have previously noted during Okta Configuration.
Refer Configure Commom Social Media Plugin Settings for Quality of Service and Redirect URL configuration.
Save the Okta configuration and then save the SSID configuration.

Configure QOS and Redirect Settings

Quality of Service and Redirect URL are the two common settings to be configured for every plugin.

To know more about the below configuring parameters refer QoS Settings for Plugins.

To configure Quality of Service and Redirect URL:

Scroll down to Quality of Service on Social Media Plugin Settings page.
Enter the Login Timeout.
Enter the Blackout Time.
Enter Limit the maximum download bandwidth to.
Enter Limit the maximum upload bandwidth to.
Enter Custom URL in Redirect URL section.

Configure Username Password Plugin

With the Username/Password plugin, you can allow users to self-register or have them use Guestbook, i.e., admin generated credentials.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

To configure Username/Password plugin:

On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
To let users self-register, select Allow Guest Users to Self-Register.
Select the option you want to use for self-registration.
- Select Free Wi-Fi to allow free Wi-Fi access to users. Click on the "gift" icon to configure the free Wi-Fi. With free Wi-Fi you can:
  - Allow self-registered users to set password
  - Enable Forgot Password Link
  - Allow guest users to activate expired account
  - Allow self-registered guest users to auto login
  - Show credentials to a self-registered guest user on a webpage
- Select Paid Wi-Fi to have users pay for Wi-Fi access. Click on the "$" icon to configure paid Wi-Fi. With paid Wi-Fi, you can do all of the things listed in free Wi-Fi above, such as allow self-registered users to set password, enable forgot password link, etc. Additionally, you can define Payment Tiers for a payment gateway to bill users. The steps are:
  - If you have not yet configured a payment gateway, you must do so before you can proceed any further. Click Configure to set up a payment gateway. See Configure Payment Gateway Settings for details.
  - Select Currency for payment
  - Click the "+" icon to Add Tier.
  - Configure the Amount, and the access Duration for this amount.
  - Enter the Email Content you want to include as part of the paid Wi-Fi welcome message.
  - Enter the SMS Content you want to include as part of the paid Wi-Fi welcome message.
- Select Free & Paid Wi-Fi to offer users free access for some time and then charge them. The configuration is essentially a combination of the items in the free Wi-Fi and the paid Wi-Fi cases. The only additional task is that you need to define the initial period for which the Wi-Fi is free and how often you want to renew this free period. The steps for this task are:
  - Expand the Free for first option.
  - Enter the Free WiFi Duration.
  - Select Renew Every and enter the period after which you want to renew the free access.
  Note: Some scripts from the payment gateway do not load in Android native web view (i.e. the native browser that Android uses). To avoid this, you must add ssl.gstatic.com to the Walled Garden list of the captive portal. if you do not add this entry to the Walled Garden, the user sees an error message saying that the page could not be loaded and asking them to use a different browser.
- Select Host Approval for users to request host approval vie email. To understand how this works, see Guest WiFi Authentication with Host Approval. Click on the host approval icon (person with tick mark) to configure the Host Approval Settings. For host approval settings:
  - Enter the Email domains to receive approval requests for guest access. With this you can ensure that requests are only sent to authorized domains.
  - You can define approvers by entering Approver Email Addresses.
  Additionally, you can:
  - Allow guest users to skip host's email on splash page
  - Allow self-registered guest users to auto login
  - Show credentials to a self-registered guest user on a webpage
To use a Guestbook to authorize logins, select Admin Generated Credentials.
Note: You can use the Guestbook icon only after you have saved the SSID.
Click on the Guestbook icon.
Info:This opens a new Guest Manager tab in your browser, where you can define new guest Wi-Fi accounts. For details on how to configure Guestbook, see the Guest Manager User Guide.
Click Save.
Click Save on the Plugin & QoS page to save the plugin settings.
Save the SSID.

Configure Passcode Through SMS Plugin

In this method, users provide their mobile numbers and receive a passcode for Wi-Fi access via SMS.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

To configure Passcode through SMS plugin:

On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
Select Passcode through SMS and click the edit icon (pencil) to edit settings.
Select the limit for the maximum number of devices per user.
Select the Passcode Length and the Passcode Validity.
Select the parameters for re-sending the SMS: the limit for the maximum number of times you want the SMS to be re-sent, and the minimum time interval that must elapse before an SMS is re-sent.
Enter the text to be sent to guest users in the SMS.
Enter the DLT Template ID. The DLT Template ID is provided by the SMS service provider.
Configure the Quality of Service settings and the Redirect URL. See Common Plugin Settings.
Click Save.
Click Save on the Plugin & QoS page to save the clickthrough settings, and then save the SSID.

Configure Webform Plugin

This is an enhanced form of clickthrough. There is no authentication but users fill out their details such as name, email, and contact number.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

To configure Webform plugin:

On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
Select Webform and click the edit icon (pencil) to edit settings.
For each Field (e.g. First Name), select whether you want to Display the field on the webform and whether you want the field to be Mandatory.
Configure the Common Plugin Settings.
Click Save.
Click Save on the Plugin & QoS page to save the clickthrough settings.
Save the SSID.

Configure External RADIUS Plugin

In this method, authentication happens via an external RADIUS server.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

Note: You cannot use the RADIUS plugin with any other plugins. If you select External RADIUS, CV-CUE automatically disables the other plugins.

To configure external RADIUS plugin:

On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
Select External RADIUS. The 802.1X Settings appear. For an explanation of these settings, see 802.1X or RADIUS Settings.
For common plugin settings, click the edit icon (pencil).
Info:The External RADIUS Settings window appears. For details on these settings, see Common Plugin Settings.
Select the Authentication Server.
Info:If you have not yet added any RADIUS servers, you can do so by clicking Add / Edit. The RADIUS Server Settings window appears. For details on how to add a RADIUS server, see Configure RADIUS Profile.
Note: You must select at least one Primary Authentication server. Optionally, you can select a Primary Accounting sever and Secondary Authentication and Accounting servers as well.
Select the Accounting Server.
Info:If you have not yet added any RADIUS servers, you can do so by clicking Add / Edit. The RADIUS Server Settings window appears. For details on how to add a RADIUS server, see Configure RADIUS Profile.
Select the Accounting Interval.
Enter the Called Station and NAS ID values.
Note: No two SSIDs on the same AP should use the same NAS ID.
Click Save.
Click Save on the Plugin & QoS page to save the plugin settings, and then save the SSID.

QoS Settings for Plugins

Field	Description
Login Timeout	The time period after which the guest user session for the portal expires. The user must re-authenticate with his login credentials if he wants to continue using the Wi-Fi service. "0" indicates that the user session does not timeout and the user must explicitly log out from the portal. A non-zero timeout configured on the plug-in takes precedence over the timeout configured on the SSID profile. The time period, can be specified in Hours, Minutes, Days, Weeks or Months.
Blackout Time	The time period for which a user cannot log in to the portal after the last successful login has timed out. "0" indicates no blackout time. The blackout time configured on the plug-in takes precedence over the blackout time configured on the SSID profile. The time period, can be specified in Hours, Minutes, Days, Weeks or Months.
Redirect URL	The URL of the page to which the guest user must be redirected to on successful login from the portal using the plug-in.
Max Download Bandwidth	Maximum download bandwidth, in Kbps or Mbps, for this plug-in on the portal.
Max Upload Bandwidth	Maximum upload bandwidth, in Kbps or Mbps, for this plug-in on the portal.

Configure Third-Party Hosted Captive Portal

To configure Third-Party Hosted Captive Portal settings:

Navigate to SSID > Captive Portal .
Select Captive Portal to display a portal page to be shown to the client on using the guest network.
Select the mode of access as Third-Party Hosted.
To configure basic settings within Third-Party Hosted do the following:
1. Select With RADIUS Authentication.
  Info: The guest user is authenticated by a RADIUS server, when he logs in to the external portal. Once you select With RADIUS Authentication a link to configure 802.1X Settings.
2. To configure 802.1X Settings, see Configure External RADIUS Plugin.
3. Enter Splash Page URL.
4. Enter a Shared Secret for SSID-external portal communication.
5. Select HTTPS Redirection if you wish to move to secure version of HTTP.
  Info:Enabling HTTPS Redirection enables three fields, these three fields provide the information of the customer using the certificate.
  - Common Name: Identifies the host name associated with the certificate.
  - Organization: Name of an organization.
  - Organization Unit: Name of an organizational unit.
6. Enter Websites that users can access before login..
For Post Login configuration enter details for the below fields:
1. Specify the Redirect URL.
  Info:The browser is redirected to this URL after the user clicks the submit button on the portal page. If left empty, the browser is redirected to the original URL accessed from the browser for which the portal page was displayed.
2. Specify the value of the Service Identifier.
3. Specify Login Timeout, in minutes, for which a wireless user can access the guest network after submitting the portal page.
  Info:After the timeout, access to guest network is stopped and the portal page is displayed again. The user has to submit the portal page to regain access to the guest network. If the user disconnects and reconnects to the guest network before his session times out, he does not have to enter his credentials on the splash page.
4. Specify Blackout Time, in minutes.
  Info:This is the time for which a user is not allowed to login after his previous successful session was timed out. For example, if the session time-out is 1 hour and the blackout time is 30 minutes, a user will be timed out one hour after a successful login. Now after this point, the user will not be able to login again for 30 minutes. At the end of 30 minutes, the user can login again.
5. Select the Detect when Internet connection is down and inform guest users, if you want to check the internet connectivity and inform guest users in case of loss of Internet connectivity.
To configure Advanced Portal Parameters refer Request and Response Parameters.
Click Save.

Request and Response Parameters

Request Attributes	Description
Request Type	Field name for request type field.
Challenge	Field name for random text used for authentication.
Client MAC Address	Field name for the MAC address of the client.
Access Point MAC Address	Field name for MAC address of the access point that is communicating with the external portal.
Access Point IP Address	Field name for the IP address of the access point that is communicating with the external portal. This should match the field name used by the external portal.
Access Point Port Number	Field name for the AP port number on which the AP and external server communicate.
Failure Count	Field name for the count of the number of failed login attempts.
Requested URL	Field name for the requested URL that is the URL requested by the client through the AP, to the external server.
Login URL	Field name for the login URL.
Logoff URL	Field name for the logoff URL.
Remaining Blackout Time	Field name for the remaining blackout time.
Service Identifier	Name of the portal parameter that is used to pass the service identifier value to the external portal. The service identifier value is specified in the Captive Portal section of the SSID Profile. This parameter can be used by the external portal to implement SSID profile specific functionality like different portals for different SSIDs etc.
Response Attributes
Challenge	Field name for the challenge
Response Type	Field name for the response type.
Challenge Response	Field name for the challenge response.
Redirect URL	Field name for the redirect URL
Login Timeout	Field name for login timeout.
User name	Field name for user name.
Password	Field name for password.

SSID RF Optimization

The RF (Radio Frequency) Optimization tab is where you can enable RF related optimizations on the SSID.

Arista uses a Unified Client Steering approach. That is, the various client steering mechanisms work together to improve the client Quality of Experience (QoE). On the SSID RF Optimization tab, you simply enable different types of steering for this SSID. To configure the parameters related to client steering you need to go to the Radio Settings tab. The Minimum Association RSSI is the minimum RSSI at which a client is allowed to associate with an AP on this SSID. The value comes from the Steering RSSI Threshold in the common steering parameters. See Configure Common Steering Parameters.

Figure 1. Minumim RSSI-based Association

The flowchart depicts the logic for minimum RSSI-based association. When an AP receives an association request, it first checks if the client RSSI is more than te minimum association RSSI. If it is more, then the AP accepts the association request from the client. However, if the client RSSI is less than the minimum association RSSI, then the AP checks ifany neighbor AP is reporting the a higher RSSI for the same client. If yes, the AP rejects the association request because the neighbor AP is reporting a better RSSI for the client. If the neighboring AP is not reporting a better RSSI for the client, then the AP accepts the association request.

Enforce Steering is enabled by default . Some clients directly send Association Request packets by listening to beacons. Enforce Steering causes an AP to reject such requests on 2.4GHz, thereby force-steering clients to 5GHz.

You can enable 802.11k Neighbor List. This allows clients to request neighbor lists from APs, which speeds up roaming. See 802.11k Use Case for details. When you enable 802.11k, you can select Neighbor List Dual Band if you want the AP to send the client neighbor information on both bands. While 802.11k defines methods that help individualclients understand their radio environment, 802.11v defines services that help improve overall network performance. See 802.11v Use Case for details.

Address Resolution Protocol (ARP) is an IPv4 protocol used to resolve a device’s IP address to its physical MAC address so communication can occur on the Layer 2 segment. A device sends an ARP broadcast packet containing an IP address, in effect asking who on the Layer 2 segment knows which MAC address is associated with that IP address. A client may also send an ARP broadcast that contains its own IP and MAC address to update Layer 2 device ARP tables. IPv6 does not use broadcast packets, it uses a Neighbor Discovery Protocol (NDP). NDP uses multicast to resolve addresses and to find other network resources.

An AP can act as a proxy for the wireless clients associated to it. When you enable Proxy ARP and NDP, the AP itself responds to the ARP and NDP requests instead of forwarding them and transmitting them at a low, basic data rate. Downstream Group-Addressed Forwarding (DGAF) blocks all broadcast/multicast traffic from the wired to the wireless side. It is used only with Hotspot 2.0. You can disable it by selecting Disable DGAF.

When you enable Broadcast/Multicast Control, the AP blocks broadcast/multicast packets from Ethernet to wireless. This cleans up the RF airspace is by blocking unnecessary traffic. You can also block broadcast/multicast packets from wireless to Ethernet by selecting Block Wireless to Wired. Broadcast / Multicast Control should be used carefully as many network functions use broadcast packets for basic operations.

For applications that must be allowed to use broadcast / multicast packets, you can create an exemption by adding the protocol information to the Exemption List.

Bonjour is an Apple protocol designed to make Bonjour-enabled devices and services easy to use and configure over the network. Bonjour makes heavy use of broadcast and is essential for Apple products. You can select Allow Bonjour to automatically apply an exemption.

IGMP Snoopingis a mechanism to prune multicast packets so that they are forwarded only to ports on which clients have subscribed. This saves bandwidth by avoiding unnecessary packet flows. For details, see IGMP Snooping.

Target Wake Time (TWT) is one of the advanced features of Wi-Fi 6. It enables access points (AP) and stations (STAs) to negotiate schedules for active and sleep durations.

802.11k - Use Case

Consider a client moving from one AP (AP1 in the figure) towards another AP (AP2 in the figure below). The strength of the signal received from AP1 gets weaker as the client moves away from it. Without 802.11k, a client needs to scan several channels before it can determine which AP has the best signal. Clients typically scan channels at 100ms intervals looking for beacons. Assuming there are 21 channels available in the 5GHz band (with DFS), a complete scan of all available channels could take as long as 2.1 seconds. Real-time applications have strict timing requirements (one-way delay must be < 50ms for Voice over Wi-Fi (VoFi)). A complete scan could thus result in poor user experience. 802.11k provides a better alternative.

The IEEE 802.11k amendment, also called Radio Resource Measurement (RRM), defines methods allowing stations to inform each other about their respective radio frequency (RF) environments. That way, they can make faster and better informed decisions on roaming. With 802.11k, a client can request an Arista AP to send a Neighbor Report. In case of the client in the above figure, it requests a Neighbor Report from AP1. It is basically asking AP1, “Which APs are advertising my current SSID? What channels are these APs operating on? What are their signal strengths as you see them?” AP1 reports on all the APs it can sense that are advertising this SSID. Suppose there are 4 such neighbors in the 5GHz band (AP2 through AP5 in the figure). The client then receives a Neighbor Report containing 4 candidate channels to scan. At 100ms a channel, the client can decide in under half a second which AP to move to. It no longer needs to spend 2.1 seconds scanning all available channels for target APs.

Table 4. Scan Times with and without 802.11k
5GHz (w DFS)	All Channels	11k Neighbors
Channels to scan	21	4
Scan Time	2.1s	400ms

The Neighbor Report from an Arista AP to a Client figure shows an example of the Neighbor Report message that an Arista AP sends its client. The report informs the client that channels 157 and 11 are available on neighboring APs. The client now needs to scan only these channels and pick the AP with the best signal as its target. This saves time and improves user experience.

802.11v - Use Case

Consider a client connected to an AP. The signal strength from the client could drop below a configured threshold, or the network’s load balancing algorithm might decide that a different AP can serve the client better. In such situations, an AP might disassociate with the client. This can be an unexpected shock to a client, causing it to go through a complete scan before selecting an AP to associate with. This could cause poor user experience, especially for real-time applications.

The IEEE 802.11v amendment is also called Wireless Network Management (WNM). As the name suggests, 802.11v has a broader scope than 802.11k. While 802.11k defines methods that help individual clients understand their radio environment, 802.11v defines services that help improve overall network performance.

An important service is BSS Transition Management (BSTM). When an Arista AP decides to disassociate with a client, it sends an 802.11v frame called a BSTM Request. It is basically the AP warning the client, “Beware. I am going to disassociate in 60 seconds.” (The actual time interval is configurable.) This is called an Unsolicited Request. It allows a client some time to find and associate with another AP. The message includes a list of neighboring APs on the same ESS that the client can associate with. In an 802.11v message called the BSTM Response, the client can accept or reject the AP's request. It can also ask the AP for more time – the BSTM Response message includes a BSS Termination Delay field. Essentially, it is the client saying, “60 seconds is too short. Let us disassociate after 3 minutes”. The AP honors this request.

Note that with 802.11k, only a client can request a Neighbor List. With 802.11v, however, either the client or the AP can initiate a conversation about transitioning. So, a client can send a BSTM Query asking an Arista AP, “Should I associate with a different AP? If yes, which one?” Depending on its implementation, the client may send this query periodically or based on triggers such as low signal strength. The AP responds with a BSTM Request - called a Solicited Request - containing the list of recommended APs the client can associate with.

Every time an Arista AP sends an 802.11v frame, it does not necessarily want to disassociate. It might simply want to nudge the client into looking for another AP by sending a BSTM Request with the list of neighbors but without a disassociation warning. This could happen, for instance, if a neighbor AP is less loaded and close enough. Since 802.11v has a network-wide view of things, it might recommend (but not force) the client to move to the less loaded AP. To allow this, 802.11v provides a Disassociation Imminent flag bit, which indicates whether the AP intends to disassociate with the client.

Configure RF Optimization in SSID Profile

To enable RF related optimizations navigate to SSID > RF Optimization.

Select types of steering you want to enable. Types of steering are:
- Smart Client Load Balancing
- Smart Steering
- Min Association RSSI
- Band Steering
- Enforce Steering
You can enable 802.11k Neighbour List, 802.11v BSS Transition and 802.11r (Fast Transition). By default these standards are disabled. Enabling these standards enables few new sub fields.
- If you enable 802.11k Neighbour List, you can also optionally enable Neighbor list for all bands - Both 2.4 GHz, 5 GHz, and 6 GHz.
- If you enable 802.11v BSS Transition, you must enable the Disassociation Imminent and configure it in the Disassociation Timer field. This is the time after which the client will be disconnected from the AP. The Disassociation Timer is expressed in number of beacon intervals. The range of the Disassociation Timer should be between 10 to 3000 TBTT (Target Beacon Transmission Time). Once the Disassociation Timer reaches zero, then the client can be disassociated based on the Force Disconnection setting.
  - You can select Force Disconnection to forcefully disconnect the client after the disassociation timer expires. The client will be disconnected even if it responds with a negative BSS transition response. When Force Disconnection is not selected, the AP does not disconnect the client (but waits for the client to disconnect on its own).
- If you enable 802.11r, you can optionaly enable Mixed Mode. By enabling Mixed Mode, you allow both 802.11r capable and incapable clients (clients that do not support 802.11r) to connect to this SSID.
Select Proxy ARP and NDP.
Info:When you enable Proxy ARP and NDP, then the AP filters downstream ARP (IPv4) and NDP (IPv6) packets and also responds as appropriate on behalf of wireless clients to conserve wireless bandwidth. Enabling Proxy ARP and NDP enables a field that allows you to Disable DGAF.
Select Disable DGAF.
Info: It is applicable only for Hotspot 2.0. If you enable this option, then AP starts proxy ARP for IPv4 and proxy NDP for IPv6. It also drops all Multicast and Broadcast packets in the transmit path. Selecting this option disables Broadcast/Multicast control and IGMP Snooping.
Select Target Wake Time, Broadcast/Multicast Control, IGMP Snooping.
Click Save.

IGMP Snooping

Multicast is often used to stream video. Multicast packets need to flood the network to reach their recipients. Multicast packets are forwarded to many network segments. Video streaming packets, for example, could end up being sent to segments with no video streaming clients. These packets waste network bandwidth. The Internet Group Membership Protocol (IGMP) protocol was developed to cull such wasteful data. IGMP provides a way for a client to inform the Layer 2 device it is connected to that it wants to receive a multicast stream. A client does this by sending an IGMP Report with the multicast address of the multicast session it wants to join. Layer 2 devices use IGMP Snooping to look at multicast packets and match them to a list of multicast addresses that clients have joined. IGMP and IGMP snooping are effective ways to prune multicast packets so that they are forwarded only to ports on which clients have subscribed. When you enable IGMP Snooping, the AP blocks multicast traffic from Ethernet to wireless. To receive multicast packets, a client must send an IGMP Report with the address of the multicast group it wants to join (IGMP Report - Join).

The client application is responsible for sending the IGMP Report. If the client application does not support IGMP (e.g. legacy applications), you can still enable IGMP snooping. But you need to add the multicast address that the application uses to the IGMP Snooping Exception List. This will allow multicast traffic for that application to flow. When you add an address to the exception list, all APs using the SSID forward all multicast packets with that address, regardless of whether a client sent an IGMP Report to join. You can add a maximum of 30 multicast addresses to the exception list.

When a client receiving multicast packets roams to another AP, the snoop table is forwarded. The client does not need to send a new IGMP Report to join. Convert Multicast to Unicast converts multicast packets to unicast, except for the addresses in the exception list.

Table 2 – IGMP Snoop Table

Feature	Description	Default	Range
IGMP Snooping	Enables IGMP Snooping	Enabled
IGMP Snooping Exception List	Allow multicast to be delivered without client sending an IGMP Report (Join)		30 Max

Table 3 – IGMP Snooping Restrictions

Feature	Restrictions
IGMP Snooping	Enabled by default Based on client IGMP Report (Join) Enable – blocks multicast, Disable – forwards all multicast Applies to multicast going from Ethernet to wireless Independent of multicast/unicast conversion Snoop table forwarded when client roams AP does not send IGMP Query
IGMP Snoop Protected Address	Max 30 multicast addresses Internal protected addresses 224.0.0.1/24 – query for all systems 224.0.0.22/24 – IGMP v3 addresses Not converted to unicast even if Convert Mulicast to Unicast is enabled. All packets forwarded on match even if no client sends an IGMP Report to join

Feature

Restrictions

IGMP Snooping

Enabled by default

Based on client IGMP Report (Join)

Enable – blocks multicast, Disable – forwards all multicast

Applies to multicast going from Ethernet to wireless

Independent of multicast/unicast conversion

Snoop table forwarded when client roams

AP does not send IGMP Query

IGMP Snoop Protected Address

Max 30 multicast addresses

Internal protected addresses

224.0.0.1/24 – query for all systems

224.0.0.22/24 – IGMP v3 addresses

Not converted to unicast even if Convert Mulicast to Unicast is enabled.

All packets forwarded on match even if no client sends an IGMP Report to join

Configure IGMP Snooping in SSID Profile

IGMP is Internet Group Management Protocol (IGMP). IGMP snooping is the process of listening to IGMP network traffic. Enabling IGMP Snooping for a selected SSID blocks the multicast packets if no client joins the multicast group. Enabling the IGMP snooping does not convert the packets from multicast to unicast until you specifically enable Multicast to Unicast.

To know more about parameters required in configuring IGMP Snooping refer IGMP Snooping Parameters.

To configure IGMP Snooping:

Navigate to SSID > RF Optimization.
Scroll down and select IGMP Snooping.
Enter IP address in IGMP Snooping Exception List.
Enter Snoop Timeout in minutes.
Select Convert Multicast to Unicast.
Info:The Convert Multicast to Unicast is disabled by default. You can enable it only if IGMP Snooping is enabled. If you enable Convert Multicast to Unicast, then all the multicast packets are converted to MAC layer unicast packets after passing the snoop check.
Select the appropriate value for Tag Packets with Selected Priority.
Click Save.

Target Wake Time

Target Wake Time(TWT) is one of the advanced features of Wi-Fi 6. It enables access points (AP) and stations (STAs) to negotiate schedules for active and sleep durations.

TWT is beneficial for the following reasons:

Pre-defined schedules allow STAs to manage their power consumption more effectively, thus helping conserve energy. STAs need to wake up only during the designated Service Periods (SP) to transmit and receive data.
TWT can help reduce contention by time slicing. Individual STAs or STA groups can be assigned different SPs by the AP to ensure that contention within a BSS is limited to only the clients that have overlapping SP.

TWT Modes

TWT can be deployed in two modes: Individual and Group. Individual TWT allows each STA to independently negotiate one or more TWT sessions with its AP.

In Group TWT, the AP creates a set of schedules and multiple STAs can be assigned to the same schedule. For example, there can be a ‘VoIP schedule’ and STAs with VoIP sessions can join it.

Note: The Individual TWT mode is mandatory for Wi-Fi 6 certification of APs and STAs.

To understand more about TWT protocol, refer to TWT Help Article.

Enable TWT in CV-CUE

To enable TWT:

Go to CONFIGURE > WiFi.
Navigate to your SSID and go to the RF Optimization tab.
Select Individual under the Target Wake Time setting and click Save.

SSID WiFi 7 Setting - Multi-Link Operation

The WiFi 7 tab contains MLO setting.

Multi-Link Operation

Until now, a multi-band client (for example, a phone with 2.4, 5, and 6 GHz radios) could connect to an AP using only one of the bands. Therefore, only one connection link formed between the client and the AP. Multi-link Operation (MLO) is the capability of the client and the AP to connect to more than one band simultaneously establishing multiple links. The clients that are capable of communicating with each other over multiple radio links at the same time are called Multi-Link Devices (MLD).

Establishing multiple links of communication reduces access latency and enables bandwidth aggregation for increased throughput. With MLO, Wi-Fi 7 APs broadcast the same SSID on all radios (2.4, 5, and 6 GHz), and MLO-capable clients can connect to all bands or a combination of bands simultaneously.

Enable MLO

MLO is a per-SSID configuration.

To enable MLO for the selected SSID:

Go to CONFIGURE > WiFi > SSID.
Open a new SSID or edit an existing one.
Select the WiFi 7 tab and select the Mutli-Link Operation checkbox.
Save the settings.

Verification

You can verify active MLO radios and MLO clients by navigating to MONITOR > WIFI > Active SSIDs.

MLO Client Details

The client view tab is divided into 2 grids, client view and link view.

Client View

The client view grid contains information about the clients connected to the AP.

Link View

The link view contains information about the links established between client and AP. Each MLO link is denoted by an entry in the link view grid. The link view grid contains the Link MAC Address, which is a unique identifier for each link, along with other client details.

You can view the same information in a graphical format through the Link Explorer.

Wi-Fi Analytics for MLO Clients

The Frequency Band Filter on all analytics charts and widgets is enhanced with filters for Multi Link Clients and Non Multi Link Clients. You can filter the analytics data on the basis of MLO Clients and non-MLO clients. Within MLO Clients, you can further drill down the data on the basis of All Bands or a combination of selected bands.

The following analytics widgets are enhanced with MLO filters:

Overview Dashboard
Connectivity Chart:
- Baseline - Clients Affected by Failure
Performance Charts:
- Baseline - Clients Affected by Poor Performance
- Clients by Avg. Data Rate
- Clients by RSSI
- Clients by Retry Rate %
- Network Usage
Application Charts:
- Application Experience
- Baseline - % Poor Application Experience

SSID Traffic Shaping and QoS

You can optimize bandwidth utilization and Quality of Service (QoS) settings for this SSID on the Traffic Shaping & QoS tab.

Traffic Shaping

You can restrict the upload and download bandwidths on the SSID. Such restrictions could be really useful for Guest or student SSIDs, for example. You can also limit the number of simultaneous associations that the SSID allows.

Depending on how you have set up the SSID, the bandwidth limits could come from a source other than the Traffic Shaping parameters defined here. For example, enterprise networks often use RADIUS servers to propagate network policies across APs. Users are divided into groups and policies are applied to each group. So the Sales group might have different bandwidth limits than those of the HR group. In such cases, the bandwidth limits could come from the RADIUS server. If an AP does not get values from the RADIUS server, it uses values defined on the Traffic Shaping & QoS tab.

Below are the possible sources from where an SSID might get its bandwidth control values:

From a RADIUS server being used for authentication by an external Captive Portal. This is if you have configured an external Captive Portal on this SSID and that portal uses a RADIUS server to propagate policies.
From a Captive Portal on Arista Cloud. This is if you have configured the SSID to use a Captive Portal on Arista Cloud.
From a RADIUS server when you have configured the SSID to use 802.1X security.
From the values defined here, in the Traffic Shaping & QoS tab on the Arista server.

Typically, only one of the above sources will apply. For example, if you have defined an external Captive Portal on this SSID, then obviously there is no portal on the Arista Cloud for this SSID. The only possibility is that a RADIUS server or a Captive Portal does not pass bandwidth control values on to an Arista AP, in which case the values defined in Traffic Shaping & QoS apply.

You can limit the data rate for Unicast traffic between a minimum and maximum value. The Set the data rate for multicast, broadcast and management traffic to parameter sets the Basic or Mandatory rate of the AP. This not only controls the data rate at which broadcast / multicast packets are sent but also sets the data rate at which Beacons are sent. You must set this rate carefully. Increasing the basic rate of the AP does reduce the transmission airtime, but it also reduces the effective coverage area. This could cause problems for the client if the AP's coverage at the client is not enough for that data rate. For example, real-time streaming of audio and video are applications that commonly use multicast packets for delivery. If clients have problems receiving multicast packets because the AP coverage is not good enough to support higher data rates, they will experience choppy audio or pixilation and screen freezing.

Select Per User Bandwidth Control to restrict bandwidth on a per-user basis (the bandwidth controls discussed earlier were for a per-SSID basis). The RADIUS attributes used to set per-user bandwidth control fall under vendor-specific attributes, IETF ID:26. The table below shows the mapping of Arista attributes to RADIUS attributes. The vendor ID for Arista is 16901.

Table 5. Arista to RADIUS-Mapping of Bandwidth Control Attributes
Arista Attribute	RADIUS Attribute
Per-user download limit	5
Per-user upload limit	6

QoS

Quality of Service determines the priorities assigned to various types of traffic. Applications such as voice over IP, video, and online games need a service guarantee. When network bandwidth is shared, defining priorities becomes a must for such applications. You must define the QoS parameters if you are using the SSID for such applications. QoS ensures that applications that need higher priority get it. The service guarantee for such applications is met by allocating adequate bandwidth based on the QoS priority.

QoS is essentially about differentiating between services. So, a QoS mechanism might classify traffic as Background, Best Effort, Video and Voice, in increasing order of priority, i.e., Background traffic has the lowest priority while Voice calls have the highest. The main QoS standards in use are:

Type of Service (TOS) - a field in older versions of IPV4 header.
Differentiated Services Code Point (DSCP) - the TOS field redefined for better QoS differentiation. DSCP is also specified in the IP header.
802.1p Class of Service - a field in the Ethernet frame
802.11e Wi-Fi Multi-Media (WMM) - an 802.11 enhancement that alters MAC-layer behavior based on the traffic type

These standards differ from each other in how they classify traffic.

Select Enforce WMM Admission Control if you want to enforce the admission control parameters configured under SSID Radio Settings > Advanced Radio Settings.

Note: The WMM Admission Control settings configured under Radio Settings override the QoS Settings configured in the Traffic Shaping & QoS tab.

For an 802.11n AP, Wi-Fi Multimedia (WMM) is mandatory. For 802.11n APs, if you do not enable QoS, the system uses the default QoS parameters.

The default QoS settings are:

SSID Priority is Voice
Priority Type is Ceiling
Downstream Mapping is DSCP
Upstream Marking is enabled and the value is 802.1p Marking

The system applies user-configured QoS settings if you enable QoS.

With SSID Priority, you can select which type of traffic — Background, Best Effort, Video or Voice — you want to prioritize. There are two types of priority:

Fixed:Select this if you want all traffic transmitted on this SSID to have the selected priority, irrespective of the priority indicated in the 802.1p or IP header. For example, you could set all traffic to Background, in which case the SSID treats even voice and video packets as Background traffic.
Ceiling:Select this if you want traffic on this SSID to have priorities equal to or lower than the selected priority. For example, if you set SSID Priority to Video and Type to Ceiling, the SSID differentiates Background, Best Effort, and Video traffic but not Voice, since that is higher than Video. In effect, it treats Voice and Video equally.

If you select Fixed, CV-CUE grays out the Downstream Mapping, since all traffic is marked with the selected priority and there is no downstream mapping to be done. If you select Ceiling, however, you can choose from among DSCP, 802.1p or TOS to map downstream traffic.

An Arista AP translates the traffic class mark from a standard (say, DSCP) to a service guarantee by mapping the downstream traffic to a WMM Access Category, since 802.11e WMM is what induces MAC-layer behavior to allocate appropriate Wi-Fi bandwidth. So an AP extracts the priority from the selected standard (802.1p, DSCP or TOS) and maps it to the WMM Access Category, subject to a maximum of the selected SSID Priority (i.e. the Ceiling). For downstream traffic, the mapping depends on the first 3 bits (Class selector) of the DSCP value, TOS value, or 802.1p access category. The only exception is DSCP value 46 which is mapped to WMM access category 'Voice'. The table below shows downstream traffic mapping.

DSCP / TOS / 802.1p Class of Service	802.11e/WMM access category
0 (Background)	1 (Background)
1 (Best Effort)	0 (Best Effort)
2 (Excellent Effort)	3 (Best Effort)
3 (Critical Apps)	4 (Video)
4 (Video)	5 (Video)
5 (Voice)	6 (Voice)
6 (Internetwork Ctrl)	7 (Voice)
7 (Network Ctrl)	7 (Voice)

For Upstream Mapping, you can enable both 802.1p and DSCP / TOS Marking, since 802.1p is an Ethernet frame field and DSCP / TOS is in the IP header. The table below shows the mapping used for upstream traffic.

802.1p Class of Service	DSCP	802.11e/WMM Access Category
1	0	0
0	10	1
0	18	2
2	0	3
3	26	4
4	34	5
5	46	6
6	48	7

Configure Traffic Shaping

Traffic Shaping helps in effective utilization of network bandwidth by setting an upload and download limit for the network, restricting the number of client association, band steering etc. You can opt for one or more of these ways depending on the network traffic, the applications used on the SSID, and the Arista device model in use.

To configure Traffic Shaping and QoS:

Navigate to CONFIGURE > WiFi > SSID > Traffice Shaping and QOS.
You can limit the upload and/or download bandwidth on an SSID in SSID Bandwidth Control. To restrict the upload bandwidth on the SSID:
1. Select Limit the maximum upload bandwith on the SSID to and enter a data rate, from 0 through 1024 Kbps, to restrict the upload bandwidth for the SSID to the value specified here.
2. Select Limit the maximum download bandwith on the SSID to and enter a data rate, from 0 through 1024 Kbps, to restrict the download bandwidth for the SSID to the value specified here.
You can limit the number of clients associating with an SSID per radio. To limit the number of clients association:
1. Select the Limit maximum number of simultaneous associations to, if you want to specify the maximum number of clients that can associate with an SSID per radio.
2. Specify the maximum number of clients in the field below to the Limit maximum number of simultaneous associations to field.
You can specify the minimum and maximum data rate for the AP-client communication in Unicast Rate Control. To specify a minimum and maximum data rate:
1. Select Limit the maximum unicast traffic data rate to and Specify the minimum data rate for communication in the field below the Limit the minimum unicast traffic data rate to field.
2. Select Limit the maximum data rate for unicast traffic to and Specify the maximum data rate for communication in the field below the Limit the minimum unicast traffic data rate to field. Maximum threshold for minimum as well as maximum data rate is 54 Mbps.
3. Select Apply to all clients, including 802.11n and higher if you wish to apply the specified maximum data rate for unicast traffic to all clients, including those that support higher data rate 802.11 protocols.
Click Save.

Configure Quality of Service (QoS)

Quality of Service determines the priorities assigned to various types of traffic. The service guarantee is imperative in case of streaming multimedia applications, for example, voice over IP, video, online games etc.

Before you configure Quality of Service settings for the SSID, refer SSID Traffic Shaping and QoS to understand the Quality of Service concept.

To configure Quality of Service (QoS):

Navigate to CONFIGURE > WiFi > SSID > Traffice Shaping and QOS.
Scroll down and Select QoS to define your own QoS settings for Wi-Fi multimedia on the SSID profile.
Select Enforce WMM Admission Control.
Info:This field helps you specify whether the admission control parameters configured in the device template applied to the Arista device must be enforced for the network. The admission control parameters are configured under Radio Advanced Settings for Arista devices functioning as access points.
Note:The WMM Admission Control settings configured for the radio on which the Wi-Fi profile is applied, override the QoS Settings configured in the Wi-Fi profile.
Select voice, video, best effort or background as the SSID Priority depending on your requirement.
Select Priority Type as Fixed or Ceiling.
Info:Priority Type is selected as Fixed if all traffic of this SSID has to be transmitted at the selected priority irrespective of the priority indicated in the 802.1p or IP header. Priority Type is selected as Ceiling if traffic of this SSID can be transmitted at priorities equal to or lower than the selected priority.
Downstream mapping option is enabled if Priority Type is selected as Ceiling. Select the appropriate Mapping Type.
Info:The priority is extracted from the selected field (802.1p, DSCP or TOS) and mapped to the wireless access category for the downstream traffic subject to a maximum of the selected SSID Priority. For the downstream mappings, the mapping depends on the first 3 bits (Class selector) of the DSCP value, TOS value or 802.1p access category. The only exception will be DSCP value 46 which will be mapped to WMM access category 'Voice'.
Select the Upstream marking option as per the requirement.
Info:The incoming wireless access category is mapped to a priority subject to a maximum of the selected SSID priority and set in the 802.1p header and the IP header as selected.
Click Save.

SSID Scheduling

If you want to limit the duration for which the SSID is active, you can define a schedule for the SSID.

You can also specify if an SSID is to be permanently active or valid for only a limited time duration. This could be useful if, for example, you have an event coming up for which you want to use a special Guest SSID with a different splash page. Another use case might be to restrict employee SSID use to office hours. When you enable Select Timeslot, CV-CUE shows a calendar view of the week split into days (rows) and hours (columns). You can then go ahead and select the timeslots when you want the SSID Turned On.

Configure SSID Scheduling

After you create a SSID profile, by default, the profile remains active throughout until you delete it. However, you can make a SSID available or active only for a limited time period, or only for a limited number of hours during the day, by using the SSID scheduling feature.

To configure SSID Scheduling:

Navigate to CONFIGURE > WiFi > SSID.
Click Add New SSID.
Click menu icon (three vertical dots) next to Network tab.
Select SSID Scheduling.
Select Validity Type as Now to Forever or Custom depending on you want to keep a SSID active throughout or for specific hours.
Info: Now to Forever indicates that the SSID is deployed permanently. Selecting Custom enables From and To fields.
If you select Custom as validity type then specify start and end date in From and To fields.
Select Select Timeslot.
Select the active timeslots for the SSID.
Info:Active timeslots is the time during which the SSID is active. The minimum active time duration that you can select is 30 minutes. Click between the squares representing the time of the day (12 a.m. - 11 p.m.) to select the desired active intervals. The blue color indicates active duration and the white color indicates inactive duration.
Click Save.

Hotspot 2.0

Hotspot 2.0 is a standard for public-access Wi-Fi that enables seamless roaming among Wi-Fi networks and between Wi-Fi and cellular networks. With Hotspot 2.0, Passpoint-certified mobile devices such as laptops and smartphones can automatically discover and connect to Wi-Fi networks without the need of signing in manually. It is based on IEEE 802.11u standard for Interworking with External Networks.

Hotspot 2.0 works only with WPA2 802.1x, WPA3 Enterprise or WPA3 Transition Mode. Ensure that you have configured the RADIUS Server and 802.11w Management Frame Protection is set as Required or Optional.

Hotspot 2.0 Settings

The Hotspot 2.0 settings for an Arista AP are divided into Network Settings, Roaming, Venue, Domain, NAI Realms, Friendly Names, Connection Capabilities and QoS Mapping.

This topic contains the following subtopics:

Hotspot 2.0 Network Settings
Hotspot 2.0 Roaming Settings
Hotspot 2.0 Venue Settings
Hotspot 2.0 Domain Settings
Hotspot 2.0 NAI Realms Settings
Hotspot 2.0 Friendly Name Settings
Hotspot 2.0 Connection Capabilities Settings
Hotspot 2.0 QoS Mapping Settings

Hotspot 2.0 Network Settings

Network setting tab consists of settings related to network configuration.

Provide the following details for the network settings:

Network Type: The type of the network.
HESSID: HESSID stands for Homogenous Extended Service Set Identifier. It is used to identify hotspot AP. APs with the same HESSID have the same hotspot configuration.
IPv4 Address: Select the appropriate IPv4 Address from the available options.
IPv6 Address: Select the appropriate IPv6 Address from the available options
GAS Fragmentation Limit: The maximum allowed size, in bytes, for the GAS response frame above which frame fragmentation needs to be done. Default value is 1400 bytes.
GAS Comeback Delay: The comeback delay, in milliseconds, between initial GAS response and first comeback request.
Internet Access: Select this checkbox if the network provides internet access to the client through the AP.
Network Authentication Type: Select the network authentication type from one of the following options:
- Terms and conditions - Select this option if the network requires the user to accept terms and conditions.
- Online enrollment - Select this option if you want the user to enroll online.
- Https redirection- Select this option if the user is redirected for authentication.
- DNS redirection- Select this option if the network supports DNS redirection.
- Not configured- Select this option if you don't want to provide specific information when the client queries about network authorization type.
You can also provide the Redirect URL if you want the client to be redirected after connecting to the access point.
Link Status: Select the status of the link
Symmetric Link Status: Select the Same option if the uplink and downlink speeds are the same. Select the Different option if the uplink and the downlink speeds are different.
Uplink Speed: Enter the uplink speed in Kbps or Mbps.
Downlink Speed: Enter the downlink speed in Kbps or Mbps.

Hotspot 2.0 Roaming Settings

Enter the roaming consortium list using hex characters. Roaming consortium consists of one or more organization identifiers that are unique hexadecimal strings.

Hotspot 2.0 Venue Settings

Under the Venue tab, provide the venue details and 3GPP Cellular Network Details of the access point.

Venue Details

Venue details consist of venue groups and venue types. Select the venue group from the available options and based on the venue group, select your venue type.

3GPP Cellular Network

Provide the list of mobile networks supported by the access point.

Hotspot 2.0 Domain Settings

Under the Domain tab, provide the list of Hotspot 2.0 operator domain names.

Hotspot 2.0 NAI Realms Settings

The NAI Realm List corresponds to the NAI realm element. The NAI realm element provides a list of network access identifier (NAI) realms corresponding to service providers whose networks are accessible through the AP. A list of one or more EAP Methods is optionally included for each NAI realm.

Hotspot 2.0 Friendly Name Settings

Under Friendly Name, enter the friendly name of the Hotspot 2.0 operator in different languages along with their language code. You can provide up to 32 operator friendly names.

Hotspot 2.0 Connection Capabilities Settings

Under connection capability, enter the connection capability details of the network. Connection capability settings signify the capabilities of the wired network the AP is connected to.

Specify the protocols supported by the network connection and the corresponding port numbers and the port status.

P2P Cross Connection

Enable P2P Cross Connection to allow the client to bridge the Wi-Fi direct network and the infrastructure network.

BSS Load

Enable BSS Load to include BSS Load element in the beacons and probe responses. The BSS Load element contains information on the number of currently associated stations and traffic levels in the BSS.

Hotspot 2.0 QoS Mapping Settings

Enter the QoS Mapping, only if required. The DSCP exception indicates the priority to be assigned when the specified DSCP value is detected in data packets. The value 255 indicates that the row is ignored.

Configuring a SSID with Hotspot 2.0

To configure a SSID profile with Hotspot 2.0:

Click CONFIGURE > WiFi > SSID.
Click Add SSID.
Enter the Profile Name and SSID Name.
Under the Security section, select WPA2, WPA3 or WPA3 Transition Mode as the Security Level for Association.
Select 802.1X and configure the RADIUS Settings.
Set 802.11w Management Frame Protection as Optional or Required.
Configure the required Network, Captive Portal, Firewall, and Traffic Shaping & QoS settings.
Click Hotspot 2.0 from the WLAN drop-down menu.
Enable Hotspot 2.0.
Configure all the Hotspot 2.0 settings.
Save and turn on the SSID.

Configuring a Wi-Fi Profile for an AP Connecting to Online Sign-up Servers

A Hotspot 2.0 compatible mobile client can subscribe to online sign up servers from various service providers through a Hotspot 2.0 compliant Arista AP. The mobile client can choose an online service from the list of available online services and sign up for the chosen service through the Arista AP.

To configure a Wi-Fi Profile for an AP connecting to Online Sign-up Server:

Click CONFIGURE > WiFi > SSID.
Click Add SSID.
Enter the Profile Name and SSID Name.
Under the Security section, select Hotspot 2.0 OSEN.
Configure the RADIUS Settings.
Save the SSID settings.

Note: Proxy ARP and Disable DGAF must be selected when you select Hotspot 2.0 OSEN.

Managing SSID

This chapter contains the following topics:

Turn an SSID On
Edit an SSID
Delete an SSID
Create a Copy of an SSID

Turn an SSID On

You need to turn an SSID on before it becomes available for access to users.

You can turn on a new SSID once you are done configuring it, or you can turn an existing SSID on.
Choose from:
- If you are adding a new SSID, you can click Save & Turn SSID On after you are done configuring at least the three mandatory SSID tabs (Basic, Security and Network).
- If you are turning an existing SSID on, just go to Configure and click the OFF / ON switch on the SSID you want to turn on.
Select whether you want the SSID on the 2.4 GHz, 5 GHz , or 6 GHz bands and click Turn SSID On. You will also see the Dual 5 GHz mode option with Lower 5 GHz and Upper 5 GHz options in the Turn SSID On page if you have enabled Dual 5 GHz in the Radio Settings tab.

Choose from:
- Some features in an SSID depend on Background Scanning under CONFIGURE > Device settings. If you have enabled any such features on the SSID, but you have not enabled background scanning, then the dialog window prompts you to do so. Click Continue on the dialog window. This takes you to stage 2, where CV-CUE recommends that you turn background scanning on. You can still turn the SSID on without enabling background scanning, but features in the SSID that depend on background scanning might not work properly.

Edit an SSID

You can modify an existing SSID.

To edit an existing SSID at a location:

Go to CONFIGURE > WiFi > SSID.
On the SSID you want to edit, click Edit (the pencil icon).
To modify the settings on any of the SSID tabs, simply click the tab you want to edit. If the tab you want to edit is not visible, click the Menu icon (three vertical dots) next to the Network tab to see all the SSID tabs.
Click Save to save the SSID or click Save & Turn SSID On to save and turn it on.

Delete an SSID

You can delete an SSID from a location

To delete an SSID at a location:

Go to CONFIGURE > WiFi > SSID.
On the SSID you want to delete, click the Menu icon (three vertical dots) and select Delete.
Click Delete.

Create a Copy of an SSID

You can create a copy of an SSID at the same location or at a different one.

To create a copy of an SSID:

Go to CONFIGURE > WiFi > SSID.
On the SSID you want to duplicate, click the Menu icon (three vertical dots) and select Create a Copy.
Select Currently Selected Folder to create a copy of the SSID in the current folder or At a Different Folder to create a copy of it at a different location, and click Continue.
Choose From:
- If you chose Currently Selected Folder, an appropriate message appears and you can see a copied SSID in the current location.
  Note: If you copy the SSID at the current location, the SSID Profile Name is different for the copied copy. For example, if you copy "ABC Corp" at the same location, then the new SSID name will be "ABC Corp" but its profile name will be "Copy of ABC Corp(1)".
- If you chose At a Different Folder, the location hierarchy appears on the right pane window. Select the location where you want the SSID copied and click Create a Copy. An appropriate message appears.

Location Based VLAN Mapping

Location-based VLAN mapping takes precedence over SSID VLAN mapping. As VLAN mapping is not inherited, you must map the VLAN ID to VLAN Name for each floor in a location hierarchy.

To enable location-based VLAN mapping:

Go to CONFIGURE > WiFi > SSID.
Navigate to your SSID and click Location Based VLAN Mapping from the three-dot more menu.
Add the VLAN name, ID, and provide the location for the mapping.
Save the settings.

Customize SSID Attributes for Location-Specific Overrides

Network Administrators can create SSIDs at any location in CV-CUE, and the same SSID can be inherited from a parent to a child location. The inherited SSIDs, by default, share the same attributes as the parent location. Administrators can override certain attributes of SSID at a child location without breaking the inheritance, so that the entire SSID configuration remains the same, except for the overridden attributes.

Overriding SSID attributes is useful if you want to have the same SSID configurations across your organization but want to have specific attributes for specific locations. For example, you can have the same corporate SSID across your geography but want a different RADIUS server for each location.

Note: Overriding SSID attributes is not supported for floors; it is available only for folders.

Attributes You Can Edit

L2 Tunnel Interface in the Network tab
VLAN Name
VLAN ID
Fallback VLAN ID
SSID VLAN Mapping
VLAN Pool
RADIUS Pool
RADIUS Authentication and Accounting Servers (Primary and all additional servers)

Override SSID Attributes

To override any SSID attribute:

Select the location and then select Configure > WiFi.
From the SSID list, select the three-dot menu for the SSID and select Customize SSID Attributes.

You see a table comparing the SSID attributes of the current folder and its parent folders side-by-side.
Select the Edit icon to edit the SSID’s attributes. You can edit one folder at a time.
Save the changes by clicking the Save icon (check mark icon).

Compare Attributes Across Locations

You can select up to 10 locations to compare SSID attributes. To compare attributes across locations:

Select the location and then select Configure > WiFi.
From the SSID list, select the three-dot menu for the SSID and select Customize SSID Attributes.
You see a table with a side-by-side comparison of the SSID attributes between the current folder and its parent folders. The farthest column towards the right is the current folder. All its parent folders, up to the root folder where the SSID was created, are displayed towards the left of the current folder.
Select the Edit icon to edit the SSID’s attributes. You can edit one folder at a time.
Save the changes by clicking the Save icon (checkmark icon).

Inherit from Parent Vs. Manually Providing the Parent Value

When you click Inherit from Parent, the overridden value is deleted, and the parent value is restored. However, manually entering the same value as the parent folder without using the Inherit from Parent button is treated as an override.

LAN Port Profile

You can configure LAN Port Profile from CONFIGURE > Network Profile > Port tab.

You can authenticate wired hosts connected to the LAN ports of access points (W-118 and W-318) using 802.1X or MAC-based authentication. You can configure the authentication parameters for each downlink port on the access point (AP) using the LAN Port profile in CV-CUE. The communication happens either through a bridged network or transferred using L2 tunnels.

This chapter contains the following topics:

Use Case
Configure Wired LAN Ports
Assign Port Profile to Ports
Monitor Wired Hosts

Use Case

Consider a home office or a remote office with APs such as W-318 and W-118. Earlier, whatever wired hosts were connected to the AP through the downlink port, they were onboarded to the network without any authentication. It was a security loophole as these external devices could breach into the corporate network as the downlink ports were not secure. Now, the entire office L2 network, including the security perimeter, extends to your AP using VXLAN over IPSec. The network configuration in your office is broadcast in the same VLAN through the internet to your AP. You will have access to the same VLAN and resources that you had in the office. Devices are first authenticated, given a respective VLAN, and then connected to the network.

APs support 802.1x and MAC-based authentication. Administrators can configure each port and control which device gets connected to each port and which authentication will happen on each port.

If users connect any unauthorized device to the downlink port, such devices will not be onboarded to the network. Also, the entire traffic is bridged through the same tunnel to the corporate data center. For example, if you connect a laptop to Port 1 and that port in the AP is configured for a printer, then you cannot connect a laptop to that port. The AP will onboard only the printer through that port.

Configure Wired LAN Ports

Configure LAN ports to authenticate and manage wired hosts connected through W-118 and W-318 access points. You can create multiple port profiles with different confgurations and apply one profile per port. You can apply one profile to one port and another profile to another port in the same AP.

Administrators can manage per-port configuration and shut down each port remotely when needed. CV-CUE displays a view-only information for all the devices connected to the downlink ports in the AP. Only one wired host can connect per port. The wired ports support CoA.

Follow these steps to configure the LAN port profile:

Go to CONFIGURE > Network Profile > Port .
Click Add LAN Ports.
Provide a profile name in the Basic tab.
Click the Security tab and select the port security type.
Figure 1. LAN Port Security
For MAC Based Authentication, provide the username and password.
Provide the details of the RADIUS server. You can add one Primary RADIUS server and three additional servers.
Configure the other parameters in the Security tab:
- Retry Parameters: Indicates the frequency of retries to establish connection with a server before switching to the alternative (secondary) server.
  - Attempts
  - Timeout
- Dynamic VLAN: Indicates the VLAN assigned by the RADIUS server. Specify the VLAN name or VLAN ID.
- Change of Authorization (CoA): Indicates the IP addresses of the CoA servers in load-balancer deployments. Specify the IP address of the CoA servers.
- Prefer Primary RADIUS Server: Indicates the fallback to Primary RADIUS Server when it’s detected in the network.
  - Dead Time — The time interval for which the primary RADIUS server is marked unreachable after a failover. For example, if the dead time is 30 minutes, the AP will not try to connect with the primary RADIUS server for 30 minutes after failover. The AP will try to connect with the primary RADIUS server after the 30 minutes dead time is over.
    Figure 2. VLAN Assignment
Click the Network tab and provide the VLAN details and the network mode.
Figure 3. Network tab configuration
Save the settings.

Assign Port Profile to Ports

After you configure the port profile, you need to manually apply the port profile to each port. Although you can create multiple port profiles, you can apply only one profile per port.

Follow these steps to assign port profiles to ports:

Go to CONFIGURE > Device > Access Points .
Click the LAN Ports tab and then select the Configure LAN Ports check box.
Figure 4. Assign LAN port profile
Select a port number and apply a profile from the dropdown list.

Monitor Wired Hosts

You can monitor hosts or clients connected to the wired ports from MONITOR > Wired > Hosts .

You can view details such as name and MAC address of the host, current connection status, authentication type and others.

For each host, you can perform limited functions such as rename the host, update the device tag, and disconnect the host.

RADIUS

You can create, edit and delete RADIUS servers on the RADIUS tab.

Enterprise networks often use Remote Authentication Dial-In User Service (RADIUS) servers for Authentication, Authorization and Accounting (AAA) in the network. You can define the IP Address of the RADIUS server, the port numbers for Authentication and Accounting, and the Shared Secret between the APs at this location and the RADIUS server.

You can define multiple RADIUS profiles at a location. You can then directly invoke these RADIUS profiles in different SSID contexts by just selecting one of them. For example, if you use 802.1X Authentication in the SSID Security settings or in the SSID Captive Portal settings, you can select from among the RADIUS profiles defined here on the RADIUS tab. To take some use cases, an "Employee" SSID and a "Guest" SSID could both use the same RADIUS profile but in different contexts — employees might use WPA2-PSK with 802.1X, while guests might use a captive portal. Or, SSIDs at child "Branch" locations of an enterprise, for example, could all use the same "HQ RADIUS" profile defined at the parent HQ location.

The chapter contains the following topics:

Configure RADIUS Profile
Edit a RADIUS Profile
Create a Copy of RADIUS Server
Delete a RADIUS Profile
RADIUS Setting Parameters

Configure RADIUS Profile

RADIUS server configuration is location hierarchy specific. RADIUS server configuration defined at a specific location is visible at all its child locations. Whereas, vice versa is not true. RADIUS server listing is available in the card view layout. You can edit, copy and delete an existing RADIUS server from the card view layout.

To configure a RADIUS Server, follow these steps:

Navigate to CONFIGURE > Network Profiles > RADIUS.
Click theAdd RADIUS Server button.
Specify a name for the new RADIUS server in RADIUS Server Name field.
Specify the server IP or hostname in IP Address/Hostname field. The maximum limit for the hostname is 200 characters.
Note: RADIUS server configured with hostname cannot be used with captive portal.
Specify RadSec as ON to enable the RadSec protocol.
Specify the port number of authenticating RADIUS server in Authentication Port field. The RADIUS server listens for authentication requests at this port number. The value can be between 1 to 65535. The default value is 1812.
Specify the port number of accounting RADIUS server in Accounting Port field.The value can be between 1 to 65535. The default value is 1813.
Specify a Shared Secret key. The primary RADIUS server and the AP identify themselves using the shared secret key.
Save the settings.

Edit a RADIUS Profile

Any existing RADIUS profile can be edited at the location it was created. Changes made in profile created on the parent location reflect in the inherited profile on the child location.

To know more about parameters required in editing RADIUS Settings refer RADIUS Settings Parameters

To edit the RADIUS profile:

Click on the options tab (three vertical dots), of the RADIUS profile that is to be edited.

Select Edit.

Choose from:

If you are on the location where profile was created, then directly go to step 3.

If you are on the child location and the profile is a inherited profile, then choose the appropriate option.

Option	Description
If you select GO to Parent Folder and Edit.	Then perform the Step 2 again and then perform step 3.
If you select Duplicate & Continue.	Then a ready to edit duplicate profile gets created on the child location.

Make the necessary changes and click on Save.

Create a Copy of RADIUS Server

Any existing RADIUS server can be copied to same or different locations. The process, creates an exact copy. The copied profile contains name and configured properties as that of the original profile. The copy of a server created on parent location exists on child location as well. Where as vise versa is not true.

To make a copy of the existing RADIUS server:

Click on the options tab (three vertical dots), of the RADIUS server that is to be duplicated.
Select Create a Copy.
Select option dependent on location where you would like to copy the RADIUS Server.
Click on Copy.

Delete a RADIUS Profile

An existing RADIUS profile and a duplicate RADIUS profile can be deleted using the delete option. The profile once deleted is removed permanently from its specific location and its child location as well. Inherited profiles can not be deleted from the child location. Profiles can be deleted only on the location, where they were created.

Note: You cannot delete a RADIUS profile that is currently in use on an SSID. You need to disable/remove the RADIUS profile from the SSID configuration before you delete it.

To delete the RADIUS profile:

Click on the options tab (three vertical dots), of the RADIUS profile that is to be deleted.
Select Delete.
Perform the below location dependent actions:
Choose from:
- If you are on the location where you had created the RADIUS profile, then select Delete.
- If you are on the child location and profile to be deleted is an inherited profile then click on Go to Parent Folder & Delete.
This action will divert you to its parent location, with an appropriate message. Once you are diverted to the parent location, perform all the above steps again.

RADIUS Setting Parameters

The below table provides information related to RADIUS Settings parameters.

Field	Description
RADIUS Name	Name for the RADIUS profile.
IP Address/Hostname	IP / Hostname address of accounting RADIUS server.
Authentication Port	The port number at which RADIUS server listens for authentication requests. The value can be between 1 to 65535. The default value is 1812.
Accounting Port	The port number on which to contact the RADIUS accounting server. The value can be between 1 to 65535. The default value is 1813.
Shared Secret	The secret shared between the primary RADIUS server and the AP.

Page 3 of 4

End of Support

CloudVision CUE User Guide - Monitor Alerts

Monitor Alerts

Monitor Wi-Fi Alerts

Monitor WIPS Alerts

Monitor System Alerts

Security Status

CloudVision CUE User Guide - Wireless Intrusion Prevention Techniques

Wireless Intrusion Prevention Techniques

About Wireless Intrusion Prevention Techniques

Intrusion Prevention Level

Authorized Wi-Fi Policy

Access Point Auto Classification

Client Prevention

Client Auto-Classification

Banned Device List

WLAN Integration

Configure WLAN Integration

Controller Settings

Monitor Networks

Auto-Deletion Settings

Auto-Delete Access Points, Clients, and Network

WIPS Advanced Settings

CloudVision CUE User Guide - Dashboards

Dashboards

Connectivity Dashboard

Client Journey

Top Locations Affected by Failures

Clients by Most Failed Connections

Performance Dashboard

Client Health

Average Latencies

Clients by Average Data Rate

Clients by RSSI

Clients with Most Traffic

Top Locations Affected by Poor Performance

Network Usage

Set Data Rate and RSSI Threshold for Folder or Floor

Applications Dashboard

Application Experience

Monitor Selected Applications

Monitor Custom Applications

View and Pin Applications on the Dashboard

Clients by Application Experience Widget

Logical Categorization of Clients and Failures

Drill-Down by Logical Client Category

Infrastructure Dashboard

CPU VS Memory Utilization by Access Point

CPU VS Memory Utilization by Location

Access Points by CPU Utilization

Access Points by Memory Utilization

Trend Utilization

CloudVision CUE User Guide - FEED

FEED

FEED Dashboard

Configure Subscriptions

CloudVision CUE User Guide - Monitor Wi-Fi

Monitor Wi-Fi

Clients

Client Explorer

Client Dashboard

Roaming Explorer

Client Connection Logs

Client Events Logs

Top Applications by Traffic in Client Tab

Client Traffic Volume

Application Session Logs

Devices Seeing This Client

Rename a Client

Access Points

Access Point Explorer

Clients by Avg. Data Rate for an Access Point

Currently Associated Clients for an Access Point

Top Applications by Traffic for an Access Point

Network Usage

Network Usage - Poor Application Experience

Spectrum Occupancy

Channel Map

RF Explorer

Interference Classifier