Wifi


WiFi Configuration Guide

Mojo Aware 2.2


Contents
Chapter 1: Configure WiFi
Chapter 2: SSID Settings
Add New SSID
SSID Basic Settings
Configure SSID Basic Settings
SSID Security Settings
Configure SSID Security Settings
SSID Network Settings
Example Use Case
Configure SSID Network Settings
SSID Access Control
Configure SSID Access Control
L3-4 Firewall
Application Firewall
L3-4 versus Application Firewall Decision Table
Configure Firewall in SSID
What is Bonjour Gateway?
How Mojo Supports Bonjour Gateway
Configure Bonjour Gateway
Configure Redirection in SSID Access Control
What is a Walled Garden?
How Whitelisting/Blacklisting of Client MAC Works
Requirements for Whitelisting / Blacklisting of Client MAC Addresses
Google Integration for Client Device Authorization
Configure Client Authentication
Configure Role Based Control
SSID Analytics
HTTP POST Format
Configure Analytics in SSID Settings
Analytics Parameter
SSID Captive Portal
Walled Garden Sites for Captive Portal
Configure AP Hosted Captive Portal
Configure Cloud Hosted Captive Portal
Guest Wi-Fi User Authentication with Host Approval
Design a Splash Page
Configure Common Settings for Plugins
Configure Email Account Settings
Configure SMS / MMS Account Settings
Configure Payment Gateway Settings
Configure Clickthrough Plugin
Access Wi-Fi Using Social Media Plug-Ins
Configure Social Media Plugins
Configure Facebook Plug-In
Configure Foursquare Plug-In
Configure Google+ Plug-In
Configure Instagram Plug-In
Configure LinkedIn Plug-In
Configure Twitter Plug-In
Configure QOS and Redirect Settings
Configure Username Password Plugin
Configure Passcode Through SMS Plugin
Configure Webform Plugin
Configure External RADIUS Plugin
QoS Settings for Plugins
Configure Third-Party Hosted Captive Portal
Request and Response Parameters
SSID RF Optimization
802.11k - Use Case
802.11v - Use Case
Configure RF Optimization in SSID Profile
IGMP Snooping
Configure IGMP Snooping in SSID Profile
SSID Traffic Shaping and QoS
Configure Traffic Shaping
Configure Quality of Service (QoS)
SSID Scheduling
Configure SSID Scheduling
Turn an SSID On
Edit an SSID
Delete an SSID
Duplicate an SSID
Chapter 3: RADIUS
Configure RADIUS Profile
RADIUS Setting Parameters
Edit a RADIUS Profile
Duplicate a RADIUS Profile
Delete a RADIUS Profile
Chapter 4: Tunnel Interface
What is EoGRE?
Configure Tunnel Interface
Edit a Tunnel Interface
Tunnel Interface Parameters
Duplicate a Tunnel Interface
Delete a Tunnel Interface
Chapter 5: Role Profile
Configure a Role Profile
Configure Inherit from SSID in Role Profile
Configure VLAN in Role Profile
Configure Firewall Rules in Role Profile
Configure User Bandwidth Control in Role Profile
Configure Redirection in Role Profile
Edit a Role Profile
Duplicate a Role Profile
Delete a Role Profile
Chapter 6: Radio Settings
How Unified Client Steering Works
General Considerations
Inter AP Sync
Frequency of Client Steering
Configure Basic Radio Settings
Basic Radio Settings Parameters
Configure Transmit Power Control in Radio Settings
Transmit Power Control Parameters
Configure Smart Steering in Radio Settings
Configure Smart Client Load Balancing in Radio Settings
Configure Band Steering in Radio Settings
Configure WMM Admission Control Policy in Radio Settings
Chapter 7: Device Settings
Device Tab
Turn Access Point into a WIPS Sensor
Configure Background Scanning in Device Settings
Background Scanning Parameters
Configure Inter AP Sync for Client Steering in Device Settings
Configure Client Steering Common Parameters in Device Settings
What is Unified Client Steering
Client Steering Parameters
Configure Client RSSI Update Interval in Device Settings
Configure VLAN Extension in Device Settings
Configure Link Aggregation in Device Settings
Configure Antenna Settings in Device Settings
Configure Device Password in Device Settings
Configure Device Access Logs in Device Settings
Configure IPv4/IPv6 Dual Stack in Device Settings
Enable SSH IP Whitelisting in Device Settings
SSH IP Whitelisting Parameters
Configure NTP in Device Setting
Configure Analytics Integration with Third-Party Server in Device Settings
Configure Access Radio Exceptions in Device Settings
Device Security Settings
How Auto VLAN Monitoring Works
Number of VLANs Monitored
Configure VLAN Monitoring in Device Settings
VLAN Monitoring Parameters
Configure WIPS Settings in Device Settings
WIPS Settings Parameters
Chapter 8: Google Integration for Client Device Authorization
Mojo Device Authorization Workflow with Google Integration
Download Google Service Account JSON Key
Create and Download JSON Key
Define API Scopes for the Service Account
Configure Google Integration

Configure WiFi
Mojo Aware provides a convenient way to configure your WiFi network via the Configuration
tab.

All configuration in Mojo Aware is done at the location level. So when you create an SSID or
enable Smart Steering, you do this for a location. This is because most configuration parameters
are relevant to a location rather than a particular device. For example, all devices in an office are
likely to broadcast the same SSIDs.
Note: By default, configurations at a location are automatically inherited by its child
locations. For example, suppose there is an HQ location with two child locations: Branch
1 and Branch 2. Then a configuration applied to HQ automatically applies to Branch 1 and
Branch 2. You can, however, customize the configuration of a child location so that it is
different from that of its parent.

The Configuration tab contains the following tabs:

• SSID
• RADIUS
• Tunnel Interface
• Role Profile
• Radio Settings
• Device Settings

SSID Settings
You can configure SSID settings in Mojo Aware on the Configuration > SSID tab.

The SSID tab shows all the SSIDs configured on your WiFi network along with their key features.
You can switch between a Card View, where the SSIDs and their key configurations are shown
as cards, and a Table View that lists these items in a table. From the SSID tab you can:

• Add a new SSID
• Edit an SSID
• Duplicate an SSID
• Delete an SSID
• Turn an SSID ON or turn it OFF.
Note: By default, configurations at a location are automatically inherited by its child
locations. For example, suppose there is an HQ location with two child locations: Branch
1 and Branch 2. Then a configuration applied to HQ automatically applies to Branch 1 and
Branch 2. You can, however, customize the configuration of a child location so that it is
different from that of its parent.

You can click on an SSID to configure it. For each SSID, Mojo Aware groups its settings into nine
functional tabs:

• Basic
• Security
• Network
• Access Control
• Analytics
• Captive Portal
• RF Optimization
• SSID Scheduling
• Traffic Shaping & QoS

Of these, the first three — Basic, Security and Network — are essential to an SSID, i.e., you must
configure these settings before you can save an SSID and turn it ON. The remaining tabs you
can configure if you need to, otherwise they assume default values.

You can add up to 8 SSIDs on the 2.4GHz band and up to 8 SSIDs on the 5GHz band at each
location.

Add New SSID
You can add up to 8 SSIDs per band at each location.

To add an SSID at a location:

1. Go to Configure.
This takes you to the SSID tab by default.
2. Click Add New SSID.
The Basic tab opens up.
3. Enter the fields in the Basic tab.
See SSID Basic Settings for details.
4. Click Next.
The Security tab opens up.
5. Enter the fields in the Security tab.
See SSID Security Settings for details.
6. Click Next.
The Network tab opens up.
7. Enter the fields in the Network tab.
See SSID Network Settings for details.
8. Click Save to save the SSID or click Save & Turn SSID On to save and turn it on.
Note: You must configure at least the Basic, Security and Network tabs before you can
save the SSID.

An "SSID added successfully" message appears.


9. To configure any of the other SSID tabs, simply click the Menu icon (three vertical dots) next
to the Network tab, and select the tab you want to configure.

SSID Basic Settings


The Basic tab is the first of the three SSID tabs (Basic, Security and Network) that you must
configure before you can save an SSID and turn it ON.

The Basic tab contains the following fields:

SSID Name: The name you want to assign to this SSID.

SSID Profile Name: Typically, this is the same as the SSID Name. It is primarily meant to
distinguish between duplicate SSIDs. So, duplicate SSIDs at the same location have different
profile names. For example, if you duplicate "ABC Corp" at the same location, then the new
SSID name will be "ABC Corp" but its profile name will be "Copy of ABC Corp(1)". You can
modify the profile name.

SSID Type: This could be a Public or a Guest SSID. If you select Guest, Mojo Aware
automatically shows the Captive Portal tab next to the Network tab, since Guest SSIDs
typically use captive portal logins.

Hide SSID: If you select this, the SSID will be hidden, i.e., it will not be broadcast on the
wireless link.

Configure SSID Basic Settings


The Basic tab is the first of the three SSID tabs (Basic, Security and Network) that you must
configure before you can save an SSID and turn it ON.

Enter information on the following fields:

1. Enter the name you want to assign the SSID in Enter SSID Name.
The Enter Profile Name field gets populated automatically with the SSID name, except if this
is a duplicate SSID at the same location as the original.
2. Select if you want this to be a Private SSID or a Guest SSID.
3. Select Hide SSID if you do not want this SSID to be broadcast.
4. The next step depends on whether you are adding a new SSID or updating an existing one:

• If you are adding a new SSID, click Next to move to the Security tab.
• If you are updating an existing SSID, click Save or Save & Turn SSID On. In this case, an
"SSID updated successfully" message appears.

SSID Security Settings


The Security tab is the second of the three SSID tabs (Basic, Security and Network) that you
must configure before you can save an SSID and turn it ON.

Select Security Level for Associations

The Security Level defines the authentication mechanisms for users of this SSID. The options
are:

Open: Open means no security settings are to be applied. This is the default security setting.

WPA2: WPA2 is the latest security protocol and therefore more robust than WPA. It fully
implements the IEEE 802.11i standard. You can use WPA2 with PSK (Pre-Shared Key) or
802.1x, i.e., RADIUS-based authentication.

WPA / WPA2 Mixed Mode: This stands for a mix of the WPA and WPA2 protocols. You can use
WPA with PSK (Pre-Shared Key) or 802.1x, i.e., RADIUS-based authentication.

Note: 802.11w and 802.11r are only supported in WPA2 mode and not in the WPA / WPA2
mixed mode.

As shown in the flowchart below, the Security settings workflow changes depending on the
option you choose.

The steps to configure the PSK Passphrase or the RADIUS settings (blue boxes in the flowchart)
are common to both WPA2 and WPA / WPA2 Mixed Mode. The 802.11w and 802.11r settings,
however, appear only when you select WPA2, since only WPA2 mode supports 802.11w and
802.11r.

For the PSK option, all you need to do is Enter a Passphrase. The passphrase is used to
generate the Pre-Shared Key to be used during the 4-way handshake authentication process.
PSK is generally used for small office networks.

RADIUS Settings

See 802.1x or RADIUS Settings for details.

802.11w

802.11w offers Management Frame Protection (MFP). MFP is an additional security mechanism
that protects the De-authentication, Disassociation and Robust Action management frames
and prevents some spoofing attacks. The Integrity Group Temporal Key (IGTK) is used to
provide an integrity check for multicast management action frames, while the Pairwise Transient
Key (PTK) is used to encrypt and protect unicast management action frames. The Group
Management Cipher Suite is the combination of security and encryption algorithms used to
protect management frames. Mojo uses the AES-128-CMAC algorithm, so that's what is selected
by default.

Association frames are not protected as they need to be open for a client to establish an
association with an AP. To make sure that a client Association Request isn't spoofed, the AP
sends a Security Association (SA) query to a client requesting association. A genuine client
responds to the protected frames. The SA Query Max Timeout is the time, in seconds, for which
the AP waits for a client to respond to an SA query. If the AP receives no response within this
period, it ignores the client. Since clients that spoof Association Requests don't respond, the AP
rejects them. The SA Query Retry Timeout is the time, in milliseconds, for which a client can
request to associate with the AP after the SA Query max timeout.

802.11r

With WPA2, you can also enable 802.11r. 802.11r or Fast Transition (FT) allows clients to re-
establish security and QoS parameters before associating with a new AP, significantly reducing
the interruption that the client experiences during the transition.

Select Over the DS if you want to set a preference for clients to roam by using the Over the
Distribution System (DS) mode of roaming. Client devices govern the mode of roaming from one
AP to another. When you don't select Over the DS, clients roam over the air. Note that this is just
a preference. A client can roam over the air irrespective of the preference. Select Mixed Mode
to allow both 802.11r compatible and 802.11r non-compatible clients to connect to the SSID.

Configure SSID Security Settings


The Security tab is the second of the three SSID tabs (Basic, Security and Network) that you
must configure before you can save an SSID and turn it ON.

Steps to configure the SSID security settings are:

1. Go to the Security tab under Configuration > SSID.


2. Select Security Level for Associations for this SSID.

• If you select Open, there is nothing more you need to do for security. Click Next to move
to the Network tab if you are adding a new SSID, or click Save or Save and Turn SSID On
if you are updating an existing SSID.
• If you select WPA2, you need to select either PSK or 802.1x.
• If you selected WPA2 and PSK, Enter a Passphrase.
• If you select WPA2 and 802.1x, you need to enter the RADIUS Settings. RADIUS settings
include:

  • The RADIUS servers you want to use as Authentication Server and Accounting
  Server.
  Note: If you have not yet defined a RADIUS profile to choose as your
  Authentication or Accounting server, you can do so by clicking Add / Edit. This
  opens a RADIUS Profile window on the right pane. You can create the RADIUS
  profile and return to security settings. See Configure RADIUS Profile for details.
  • The Called Station / NAS ID, IDs that the AP or a Network Access Server (NAS) sends
  to the RADIUS server.
  • The Retry Parameters that control how often the AP attempts to authenticate with
  RADIUS.
  • Fast Handoff Support, which saves clients some authentication time when they roam
  from one AP to another.
  • Dynamic VLANs to enable RADIUS-based assignment of VLANs.
  • Change of Authorization (CoA) to change a client's authorization, e.g., to "downgrade"
  the client if it hits its data limit.
• If you select WPA2, you can configure 802.11w for Management Frame Protection (MFP),
and 802.11r for Fast Transition (FT).
Note: 802.11w and 802.11r are supported only in the WPA2 mode, not in the Open or
WPA/WPA2 Mixed Mode.
• If you select WPA/WPA2 Mixed Mode, you need to select either PSK or 802.1x. You can
then proceed in exactly the same manner as when you select WPA2, except that 802.11w
and 802.11r are not supported in WPA/WPA2 Mixed Mode.
3. The next step depends on whether you are adding a new SSID or updating an existing one:

• If you are adding a new SSID, click Next to move to the Network tab.
• If you are updating an existing SSID, click Save or Save & Turn SSID On. In this case, an
"SSID updated successfully" message appears.

SSID Network Settings


The Network tab is the third of the three SSID tabs (Basic, Security and Network) that you must
configure before you can save an SSID and turn it ON.

You must enter the default VLAN ID for this SSID.

You can have access points on this SSID operate in bridged, NAT or Tunneled modes.

Bridged

Use a bridged network when you want an AP and clients associated with the AP to be on the
same subnet.

NAT

When you want an AP and its clients on separate subnets, use Network Address Translation
(NAT). With NAT, clients have a private IP address pool and it is easier to add more clients to the
network as they do not require a public IP address. NAT translates local IP addresses to global
ones (and vice versa).

To configure NAT, you need to enter the Start IP Address, the End IP Address, and the Subnet
Mask. Together, these define the IP pool from which the AP will assign IP addresses to clients.

The Local IP Address is the IP address of the AP on the wireless side, i.e., the client-facing IP
address. It serves as the gateway for associated clients. Upon successful association, wireless
clients get their DNS information from the list of IP addresses you have entered in the DNS
Servers field. You must enter at least one DNS server IP address. You can enter up to three such
DNS server IP addresses. The Lease Time is the DHCP lease time in minutes, after which the IP
allocated to the client expires.

With Wired Extension, you can extend a NAT-enabled wireless LAN to the wired side using the
second Ethernet port on the AP. You can do so by creating an isolated wired LAN with one or
more wired devices connected through layer-2 switches, and connecting the second Ethernet
port of the AP to this wired subnet. The wired LAN then becomes an extension of the wireless
LAN with this SSID profile. All network settings configured on this SSID profile then apply to the
wired devices as well.
Note: The second Ethernet port is available only on some Mojo AP models.

Tunneled

A Tunnel Interface is useful when you want to route network traffic on the SSID to and from a
single end point, and apply policies at this end point. In the tunneled mode, APs on the SSID
route all traffic via the tunnel to a remote endpoint configured on the Tunnel Interface that you
select. See Tunnel Interface for details. If you haven't yet defined a Tunnel Interface, you can do
it from within the Network tab using the Add / Edit link.

Inter AP Coordination is the mechanism where Mojo APs exchange information with each other.
You can select how APs exchange this information by choosing one of the three options:

L2 Broadcast: APs broadcast their information over the wired network. L2 broadcast works on
the SSID VLAN and, if Layer 2 GRE is enabled, it works on the communication VLAN. You can
Use Tunneling for Inter AP Coordination so that information related to inter-AP coordination
flows through the tunnel, i.e., from one AP to the tunnel endpoint to another AP.

RF Neighbors: APs exchange information only with their RF neighbors. Dual-radio APs use
Background Scanning to find their RF neighbors, tri-radio APs use their third radio. If you have
not enabled Background Scanning under Device Settings, Mojo Aware prompts you to do so
when you turn the SSID ON. You can Use Tunneling for Inter AP Coordination so that
information related to inter-AP coordination flows through the tunnel, i.e., from one AP to
the tunnel endpoint to another AP.
Note: RF Neighbor can be used only with 802.11ac Mojo APs.

This Server: APs exchange information via the Mojo Wireless Manager server. The information
is shared from a parent location to its child locations.
Note: Since the Mojo server is involved, you cannot use the tunneling mode for inter-AP
information.

If you select Advertise Client Associations on SSID VLAN, APs on this SSID broadcast their
client associations to other APs on the same SSID VLAN. This helps clients in fast roaming.

DHCP Option 82 (DHCP Agent Information Option) is generally used in a distributed DHCP
server environment to assign IP addresses to clients based on their location. The AP inserts
DHCP Option 82 in all DHCP packets, such as DHCP Discover and DHCP Request, thereby
providing additional information to identify the client's point of attachment. DHCP Option 82
contains a Circuit ID that you can configure at this location and on the DHCP server as well. The
DHCP server then selects an appropriate IP pool for the Circuit ID it receives, and assigns an IP
address to the client from this pool. For an example, see Example Use Case for DHCP Option 82.

Example Use Case


Let’s consider an enterprise deployment with two branch offices and a single DHCP server
hosted in the data center at the HQ. Only one SSID is configured and the same configuration
is assigned to all the branch office locations. The same VLAN ID is configured but different
subnets are assigned to the branch office locations.

In this case, we create three SSID profiles:

• HQ
• Branch1
• Branch2

We also configure the appropriate location tags for each location (HQ and branch offices) in the
location tree.

DHCP Option 82 is enabled and the Circuit ID is set to “%l” which sends the location tag to the
DHCP server.

On the DHCP server, we configure policies based on the information received from the DHCP
Option 82:

• If Circuit ID = HQ then assign IP from 172.16.0.0/16 – 172.16.8.255/16 subnet
• If Circuit ID = Branch1 then assign IP from 172.16.9.0/16 – 172.16.12.255/16 subnet
• If Circuit ID = Branch2 then assign IP from 172.16.13.0/16 – 172.16.15.255/16 subnet
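
The server-side policy in this use case, as an added example that is not part of the Mojo guide or of any DHCP server's code: it parses the Relay Agent Information option (code 82, RFC 3046) out of a DHCP options field, reads the Circuit ID sub-option, and maps it to the address ranges listed above. It assumes the AP carries the location tag as ASCII text in sub-option 1; the function names and the sample packet bytes are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUBOPT_CIRCUIT_ID = 1  # RFC 3046 Agent Circuit ID sub-option

# Address ranges from the use case above, keyed by location tag (Circuit ID).
POOLS: Dict[str, Tuple[str, str]] = {
    "HQ": ("172.16.0.0", "172.16.8.255"),
    "Branch1": ("172.16.9.0", "172.16.12.255"),
    "Branch2": ("172.16.13.0", "172.16.15.255"),
}


def walk_tlv(buf: bytes, dhcp_level: bool) -> Dict[int, bytes]:
    """Walk code/length/value records; reject records that overrun the buffer."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp_level and code == OPT_PAD:   # pad option has no length byte
            i += 1
            continue
        if dhcp_level and code == OPT_END:
            break
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes, has {len(value)}")
        out[code] = value
        i += 2 + length
    return out


def circuit_id(options_field: bytes) -> Optional[str]:
    """Return the Circuit ID text, or None when Option 82 or sub-option 1 is absent."""
    opt82 = walk_tlv(options_field, dhcp_level=True).get(OPT_RELAY_AGENT_INFO)
    if opt82 is None:
        return None
    raw = walk_tlv(opt82, dhcp_level=False).get(SUBOPT_CIRCUIT_ID)
    return None if raw is None else raw.decode("ascii")


def select_pool(options_field: bytes) -> Optional[Tuple[str, str]]:
    """Pick the range for the client's location; unknown locations get no pool."""
    tag = circuit_id(options_field)
    return POOLS.get(tag) if tag is not None else None


def make_discover_options(tag: Optional[str]) -> bytes:
    """Constructed sample: options of a DHCP Discover as relayed by the AP."""
    opts = bytes([53, 1, 1])                      # message type = DISCOVER
    if tag is not None:
        sub = bytes([SUBOPT_CIRCUIT_ID, len(tag)]) + tag.encode("ascii")
        opts += bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return opts + bytes([OPT_END])


if __name__ == "__main__":
    for tag in ("HQ", "Branch1", "Branch2", "Lobby", None):
        print(tag, "->", select_pool(make_discover_options(tag)))
```

A request with no Option 82, or with a Circuit ID the server has no policy for, gets no pool here rather than falling back to a default range.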

Configure SSID Network Settings
The Network tab is the third of the three SSID tabs (Basic, Security and Network) that you must
configure before you can save an SSID and turn it ON.

Steps to configure the SSID network settings are:

1. Go to Configuration > SSID > Network.


2. Enter the default VLAN ID for the SSID.
3. Select the AP mode of operation for the SSID.

• If you select Bridged mode, you do not need to configure anything more and you can
proceed to the next step.
• If you select NAT, you need to configure the following NAT-related parameters:

  • Start IP Address defines the starting IP address of the IP pool from which the AP
  assigns IP addresses to clients.
  • End IP Address defines the end IP address of the IP pool from which the AP assigns IP
  addresses to clients.
  • Local IP Address is the local IP address of the APs on the wireless side.
  • Subnet Mask is the subnet mask for the IP pool.
  • DNS Servers are the DNS servers that clients will use to get DNS information. You
  must enter at least one DNS server IP address. You can enter up to three such DNS
  server IP addresses.
  • Lease Time is the DHCP lease time in minutes, after which the IP allocated to the
  client expires.
  • Select Wired Extension to extend a NAT-enabled wireless LAN to the wired side using
  the second Ethernet port on the AP.
• If you select Tunneled, you need to select the Tunnel Interface which contains the
endpoint to which the AP will tunnel all traffic. If you have not yet defined a tunnel
interface, you can do so by clicking Add / Edit. This opens a Tunnel Interface window on
the right pane. You can create the interface and return to network settings.
4. Select the Inter AP Coordination mechanism.

• If you select L2 Broadcast, APs broadcast their information over the wired network.
Select Use Tunneling for Inter AP Coordination if you want the inter-AP coordination
related information to flow through the tunnel.
• If you select RF Neighbors, APs exchange information only with their RF neighbors.
Select Use Tunneling for Inter AP Coordination if you want the inter-AP coordination
related information to flow through the tunnel.
• If you select This Server, APs exchange information via the Mojo Wireless Manager
server.
Note: Since the Mojo server is involved, you cannot use the tunneling mode for inter-AP
information.

5. Select Advertise Client Associations on SSID VLAN if you want APs on the SSID to
broadcast their client associations to other APs on the same SSID VLAN.
6. Select DHCP Option 82 to assign clients IP addresses based on their location in a distributed
DHCP server environment.
7. Click Save or Save & Turn SSID On.
If you select Save & Turn SSID On, see Turn an SSID On for details.

If you are adding a new SSID, an "SSID created successfully" message appears. If you are
updating an SSID, an "SSID updated successfully" message appears.

SSID Access Control


The SSID Access Control tab contains settings that control access to the SSID, for example,
Firewall and Client Authentication settings.

You can configure the following firewalls on the Access Control tab:

• L3-4 Firewall
• Application Firewall
To configure the firewall settings, see Configure Firewall Settings.

You can enable Apple's Bonjour Gateway feature that allows access to Apple devices on the
network.
Note: Bonjour Gateway does not work when the Network is set to NAT mode. If you have
set the Network to NAT mode, Mojo Aware grays out Bonjour Gateway and prompts you to
change the Network setting from within the Access Control tab.

For details, see How Mojo Supports Bonjour Gateway. To configure Bonjour Gateway, see
Configure Bonjour Gateway.

You can enable Redirection to redirect either Smartphones & Tablets or all clients of the SSID to
the Redirect URL that you specify. This could be useful, for example, in an enterprise network
where you might want smartphones and tablets to be redirected when accessing the SSID, but
allow laptops and desktops to directly start using WiFi. You can also have a Walled Garden of
sites that the user can access before login. For use cases of a walled garden, see Walled Garden
Applications.
Note: You must enter at least the Redirect URL in the Walled Garden field, since the user
must be able to access that URL before login.

To configure Redirection, see Configure Redirection in SSID Access Control.

Organizations such as enterprises and educational institutions (K-12 and higher education) often
implement a centralized AAA (Authentication, Authorization and Accounting) management to
enforce Role Based Control, also called Role Based Access Control (RBAC). RBAC enables
network administrators to restrict system access to authorized users. Users are granted
controlled access to network resources based on the roles assigned to them or the groups to
which they belong. Typically, organizations implement this kind of controlled access by using
RADIUS. When users connect to the network, they are first authenticated and then authorized to
access appropriate resources on the network.

In the case of a WLAN network, user access restrictions could mean that only specific VLANs
or a fixed bandwidth is provided to users based on the user roles defined in the RADIUS server.
You can also enforce which applications a user can access over the WLAN network based on
the user role.

Mojo uses Role Profiles to define various WLAN access roles, and to create RADIUS Vendor
Specific Attribute (VSA) based rules and Google Organizational Unit (OU) rules to authorize Wi-
Fi users. A network administrator can define various role profiles that specify the restrictions to
be placed on the Wi-Fi user to whom the profile is assigned. The administrator can then define
multiple VSA rules (for RADIUS) or Google OU rules (for Google Integration) here in SSID Access
Control, and assign role profiles through these rules to the Wi-Fi users that connect to the SSID.

Let's consider an example. When you define a Rule Type for RBAC, then the OU returned
from Google or the role obtained from the RADIUS VSA must contain the string entered in the
Enter Value field. For example, if the string in the Enter Value field is ‘/*/Elementary School/*/
Student’, then this will match with ‘/SJUSD/Elementary School/Almaden Elementary/Student’
in Google/VSA.

It could happen that you have different settings in the SSID tabs and different ones in the Role
Profiles tab. What happens then? For the answer, see Role Profile.

To configure Role Based Control, see Configure Role Based Control.

To control clients that can access this SSID, you can enable Blacklisting and Whitelisting of
Wi-Fi Clients. See How Whitelisting / Blacklisting of Client MAC Works and Requirements for
details on the feature.

Client Isolation prevents clients of the same AP from being able to access each other's data.
Suppose that Client A and Client B are connected to the same AP. In absence of Client Isolation,
if Client A has turned Network Sharing ON, Client B can access those files on Client A's machine.
Client Isolation prevents such behavior between clients connected to the same AP.

To enable client isolation, select Client Isolation on the SSID Access Control tab and save the
settings.

Client Authentication adds another layer of security to your network. It authenticates clients, i.e.
user devices, in addition to mechanisms configured in the SSID Security tab that authenticate
users (e.g. WPA2-PSK). Client Authentication uses either Google Integration or RADIUS MAC
Authentication. See Google Integration for more information.
Note: If you have configured 802.1x authentication in the SSID Security tab, then Mojo
Aware grays out the RADIUS MAC Authentication option, since 802.1x is already a
RADIUS-based mechanism.

You can choose to either Disconnect or Assign Role to the user, should Client Authentication
fail. To assign a role, you need to select one from those defined on the Role Profile tab. You
might configure Client Authentication before you have created any Role Profile. When you click
Add / Edit under Select Role, a window appears in the right pane, allowing you to define a Role
Profile without having to leave Client Authentication.

To configure Client Authentication, see Configure Client Authentication.

Configure SSID Access Control


You can configure settings that control access to the SSID, for example, Firewall and Client
Authentication settings.

SSID Access Control consists of the following settings:

1. Configure the Firewall settings.
See Configure Firewall Settings for details.
2. Configure Bonjour Gateway settings.
See Configure Bonjour Gateway for details.
3. Configure Redirection settings.
See Configure Redirection Settings for details.
4. Configure Role Based Control settings.
See Configure Role Based Control for details.
5. Configure Blacklisting and Whitelisting of WiFi Clients settings.
See Configure Blacklisting and Whitelisting of WiFi Clients for details.
6. Enable Client Isolation to prevent clients of the same AP from being able to access each
other's data.
7. Configure Client Authentication settings.
See Configure Client Authentication for details.
8. Click Save or Save & Turn SSID On.
If you select Save & Turn SSID On, see Turn an SSID On for details.

If you are adding a new SSID, an "SSID created successfully" message appears. If you are
updating an SSID, an "SSID updated successfully" message appears.

L3-4 Firewall
Mojo Access Points (APs) have firewall capabilities. The AP firewall monitors the traffic passing
through the AP and takes actions based on user-defined rules.

The firewall is stateful, that is to say, it keeps track of whether the connection has been opened
in the outgoing direction (wireless to wired-side) or in the incoming direction (wired-side to
wireless), and takes appropriate actions on the packets based on the direction in which the
connection was opened. The following image illustrates the conventions used for directions.

Note that this is not the Internet facing firewall. Its main purpose is to facilitate traffic controls,
such as allowing/disallowing access to certain assets and/or applications for wireless users.

The firewall rules are defined and enforced on a per SSID basis. Mojo APs support multiple SSID
profiles, thereby enabling multiple firewall configurations to co-exist.

The following use cases illustrate typical applications for the Mojo AP firewall functionality:

• Block guest Wi-Fi users from accessing the private/corporate subnet. This serves as an
additional security control to ensure that guest Wi-Fi users can access only public Internet
and nothing in the private address space.
• Block or allow access to specific domain names.
• Allow guest Wi-Fi users to access only HTTP and HTTPS content in the Internet. This is
typically done to control the type of traffic guest users can generate.
• Implement DNS-based content filtering to prevent access to non-family-friendly web sites,
security threats, and peer-to-peer file sharing. The firewall can be used to ensure that
Wi-Fi clients always use the specified content filtering DNS server, such as Norton
ConnectSafe, and cannot bypass it.
• Enforce use of IPsec VPN for wireless clients.
Note:

• When you enable L3-4 Firewall Rules, you can see the default rule Action : Block on
the UI. If you enable L3-4 Firewall Rules and do not define any rules at all, the default
rule applies, i.e., all traffic is blocked.
• The AP compares traffic with rules from top to bottom until it finds the first match. Once
it finds the first match, the AP does not compare the rest of the rules. If it finds no match
with any of the defined rules, the AP uses the default rule at the end. You can re-order
the rules using the drag-and-drop feature to reposition them at the desired level.

In case of a conflict between rules on the L3-4 Firewall and those on the Application Firewall,
the AP decides using this Decision Table.

Example Use Case of L3-4 Firewall

Let's look at a rule set that might be found on a Guest SSID in a retail store deployment.

Goal for Retail Store: Allow only HTTP/HTTPS Internet access, with content filtering and no
access to private subnets.

Table 1: Example Rules Table for Retail Store

| Rule Number | Rule Name | IP / Hostname | Port | Action | Protocol | Direction |
|---|---|---|---|---|---|---|
| 1 | Content Filtering DNS1 | 199.85.126.30 | 53 | Allow | UDP | Outgoing |
| 2 | Content Filtering DNS2 | 199.85.127.30 | 53 | Allow | UDP | Outgoing |
| 3 | Block All Other DNS | * | 53 | Block | UDP | Outgoing |
| 4 | No Local Access | 192.168.0.0/16, 172.17.0.0/21, 10.0.0.0/8 | | Block | Any | Any |
| 5 | Allow HTTP / HTTPS | * | 80, 443 | Allow | TCP | Outgoing |
| 6 | Default | | | Block | | |

Rule 1 - Allow outbound UDP port 53 to Content Filtering (Norton) DNS1/199.85.126.30. This rule
implements DNS-based content filtering to block access to web sites that contain non-family-
friendly content, pose security risks, and promote file sharing applications. DNS uses UDP port
53. So this rule allows outgoing UDP connections destined to port 53 on a content filtering DNS
server with the 199.85.126.30 host IP address.

Because the firewall is stateful, the return path is automatically allowed and you don't need a
separate rule for the return path. This is true for the other rules as well.

Rule 2 - Allow outbound UDP port 53 to Content Filtering (Norton) DNS2/199.85.127.30. Like
Rule 1, this rule also implements DNS-based content filtering. This rule provides DNS server
redundancy.

Rule 3 - Block all outbound UDP 53. This rule blocks all DNS traffic excluding that which is
allowed by Rules 1 and 2. This rule prevents users from statically configuring DNS server
addresses on their clients to circumvent content filtering.

Rule 4 - Block traffic to destination 192.168.0.0/16, 172.17.0.0/21 and 10.0.0.0/8. Blocks access
to private/corporate subnets. This rule blocks any wireless traffic addressed to any host in the
192.168.0.0/16, 172.17.0.0/21 and 10.0.0.0/8 subnets. The Protocol specified for this rule is Any,
which covers any protocol carried over IP. Because there are protocols that do not implement
the port concept (e.g. ICMP), the port number gets grayed out when Any is selected as protocol.
This rule is ideal for restricting users on the Guest Wi-Fi from accessing private subnets.

Rule 5 - Allow any traffic outbound to TCP port 80, 443. Allow clients to open outgoing TCP
connections to port 80 (allows outgoing HTTP connections) and allow clients to open outgoing
TCP connections to port 443 (allows outgoing HTTPS connections). The wildcard character (*)
represents “any” hosts.

Rule 6 - Default rule is set to Block, which means that all other kinds of communication, except
the ones enabled by the rules 1-5, are disallowed.
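The first-match behavior of Table 1 can be checked offline before the rules are entered in the UI. The following is an added example, not code from the guide or from Mojo: it models the table, encodes the retail goal as constructed probes, and shows what changes when Rule 5 is dragged above Rule 4. It assumes the IP / Hostname column refers to the wired-side peer of the connection and handles IP addresses and subnets only; all function and variable names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    hosts: tuple      # IP or CIDR strings, or ("*",) for any host
    ports: tuple      # ports the rule applies to; () when Protocol is Any
    action: str       # "Allow" or "Block"
    protocol: str     # "TCP", "UDP" or "Any"
    direction: str    # "Outgoing", "Incoming" or "Any"

    def matches(self, peer_ip, port, protocol, direction):
        # peer_ip is the wired-side host (assumption about the IP / Hostname column).
        if self.protocol not in ("Any", protocol):
            return False
        if self.direction not in ("Any", direction):
            return False
        if self.ports and port not in self.ports:
            return False
        if self.hosts == ("*",):
            return True
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in ipaddress.ip_network(h) for h in self.hosts)


# Table 1 (retail guest SSID), top to bottom. Rule 6 is DEFAULT_ACTION.
RETAIL_RULES = [
    Rule("Content Filtering DNS1", ("199.85.126.30",), (53,), "Allow", "UDP", "Outgoing"),
    Rule("Content Filtering DNS2", ("199.85.127.30",), (53,), "Allow", "UDP", "Outgoing"),
    Rule("Block All Other DNS", ("*",), (53,), "Block", "UDP", "Outgoing"),
    Rule("No Local Access", ("192.168.0.0/16", "172.17.0.0/21", "10.0.0.0/8"),
         (), "Block", "Any", "Any"),
    Rule("Allow HTTP / HTTPS", ("*",), (80, 443), "Allow", "TCP", "Outgoing"),
]
DEFAULT_ACTION = "Block"


def evaluate(rules, peer_ip, port, protocol, direction="Outgoing"):
    """Decide a NEW connection: the first matching rule wins, else the default.

    Return traffic is not evaluated here because the firewall is stateful.
    """
    for rule in rules:
        if rule.matches(peer_ip, port, protocol, direction):
            return rule.action, rule.name
    return DEFAULT_ACTION, "Default"


# Constructed probes that encode the retail goal as expected outcomes.
PROBES = [
    ("199.85.126.30", 53, "UDP", "Allow"),   # content filtering resolver
    ("198.51.100.53", 53, "UDP", "Block"),   # statically configured resolver
    ("10.0.0.5", 443, "TCP", "Block"),       # private host, even over HTTPS
    ("192.168.1.1", None, "ICMP", "Block"),  # portless protocol to private host
    ("203.0.113.10", 443, "TCP", "Allow"),   # public HTTPS
    ("203.0.113.10", 22, "TCP", "Block"),    # falls through to the default rule
]


def audit(rules):
    """Return every probe whose first-match result differs from the goal."""
    failures = []
    for ip, port, proto, expected in PROBES:
        action, rule = evaluate(rules, ip, port, proto)
        if action != expected:
            failures.append((ip, port, proto, expected, action, rule))
    return failures


def move_rule(rules, name, new_index):
    """Return a copy of the rule list with one rule dragged to new_index."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    return rest[:new_index] + [rule] + rest[new_index:]


if __name__ == "__main__":
    print("as documented:", audit(RETAIL_RULES))
    reordered = move_rule(RETAIL_RULES, "Allow HTTP / HTTPS", 3)
    print("HTTP rule above No Local Access:", audit(reordered))
```

With the documented order the audit returns no failures; with Rule 5 above Rule 4 it reports that a private host becomes reachable on TCP 443, which is why the position of the No Local Access rule matters.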

Application Firewall
You can define firewall rules at the application level.
Note:

• To enable Application Firewall Rules, you must enable Application Visibility under
the SSID Analytics tab. Mojo Aware prompts you to enable Application Visibility from
within the Application Firewall Settings, so you don't need to navigate to the Analytics
tab.

• When you enable Application Firewall Rules, you can see the default rule Action :
Block on the UI. If you enable Application Firewall Rules and do not define any rules at
all, the default rule applies, i.e., all traffic is blocked.
• The AP tests packets with rules from top to bottom until it finds the first match. Once it
finds the first match, the AP does not compare the rest of the rules. If it finds no match
with any of the defined rules, the AP uses the default rule at the end. You can re-order
the rules using the drag-and-drop feature to reposition them at the desired level.

In case of a conflict between rules on the L3-4 Firewall and those on the Application Firewall,
the AP decides using this Decision Table.

Example Use Case of Application Firewall

Shown below is a rule for an enterprise that wants to block Facebook and Twitter on their
corporate SSID.

Table 2: Example Rule for Enterprise Corporate SSID

| Rule Name | Category | Application Name | Action |
|---|---|---|---|
| Block Facebook and Twitter | Social Networking | Facebook, Facebook Apps, Facebook Event, Facebook Messages, Facebook Post, Facebook Search, Facebook Video, Facebook Video Chat, Twitter | Block |
| Default | | | Block |

L3-4 versus Application Firewall Decision Table


Table 3: Decision Table for L3-4 Firewall versus Application Firewall

| L3 Firewall Action | Application Firewall Action | Final Action |
|---|---|---|
| Deny | Any | Deny |
| Allow | Deny | Deny |
| Allow | No Match | Allow |
| No Match | Deny | Deny |
| No Match | Allow | Allow |
| No Match | No Match | Default |
| Allow and Mark | Allow and Mark | Allow with App Mark |
| Allow and Mark | Allow | Allow with L3 Mark |
| Allow and Mark | No Match | Allow with L3 Mark |
| No Match | Allow and Mark | Allow with App Mark |
| No Match | No Match | Default Mark |

Configure Firewall in SSID


You can configure both L3-4 and Application firewalls.
To configure firewalls:

1. Go to Configure > SSID > Access Control.
2. Click Firewall.
The Layer 3-4 Firewall Rules and Application Firewall Rules options appear.
3. Select Layer 3-4 Firewall Rules to set up a L3-4 firewall.
a) Click the "+" sign to add a new rule to the firewall.
b) Configure the following details of the firewall rule:

• Enter the Rule Name, what you want to call the rule.
• Enter IP / Hostname to which you want to apply the rule.
• Enter the Port number to which you want to apply the rule.
• Select the Action, whether you want to Allow, Block, or Allow and Mark the packets
under this rule.
• Select the Protocol to which you want to apply the rule.
• Select the Direction, whether you want the rule to apply to Any direction, to Incoming
packets or to Outgoing packets.
4. Select Application Firewall Rules to set up an application firewall.
a) Click the "+" sign to add a new rule to the firewall.
b) Configure the following details of the firewall rule:

• Enter the Rule Name, what you want to call the rule.
• Select the application Category to which you want to apply the rule.
• Select the Application Name to which you want to apply the rule.

• Select the Action, whether you want to Allow, Block, or Allow and Mark the packets
under this rule.
To see what takes precedence between L3-4 and Application Firewall rules, see L3-4 versus
Application Firewall Decision Table.
5. Click Save or Save & Turn SSID On.
If you select Save & Turn SSID On, see Turn an SSID On for details.

If you are adding a new SSID, an "SSID created successfully" message appears. If you are
updating an SSID, an "SSID updated successfully" message appears.

What is Bonjour Gateway?


Bonjour is Apple's implementation of zero-configuration networking (Zeroconf). It is used to
discover devices and services advertised by Bonjour capable devices on a local network using
multicast Domain Name System (mDNS).

Generally, Bonjour devices run on local networks and the Bonjour service advertisements do
not cross network boundaries. They are restricted to the broadcast domain of a single VLAN /
Subnet. Clients that are connected on a different VLAN than the one on which the Bonjour
devices are connected, cannot discover these services.

Figure 1: Bonjour Devices Running on Local Networks

How Mojo Supports Bonjour Gateway


Mojo APs provide support for clients to automatically detect and connect to Bonjour capable
devices and the services running on such devices. For the sake of understanding how the
clients can connect to Bonjour capable devices over a Mojo WLAN, let’s consider just two
VLANs as follows:

• A service VLAN on which the Bonjour capable devices are deployed
• A client VLAN on which the clients are deployed

Figure 2: Bonjour Gateway Enabled on an SSID

As shown in the figure Bonjour Gateway Enabled on an SSID, after a client connects to an SSID
that has Bonjour Gateway enabled and the service VLAN configured, the AP forwards the
mDNS packets from the service VLAN to the client VLAN (i.e. the VLAN ID configured in the
SSID) and vice versa. The client now knows about the Bonjour services available on the WLAN
and can connect to such services.

Note: Bonjour Gateway can be configured only if the Network type on the SSID is set to
Bridged. This feature is not available for a NAT type network.

Configure Bonjour Gateway


You can configure Apple's Bonjour Gateway feature that allows access to Apple devices on the
network.

To configure Bonjour Gateway:

1. Go to Configure > SSID > Access Control.


2. Select Bonjour Gateway.
Note: Bonjour Gateway does not work when the Network is set to NAT mode. If you
have set the Network to NAT mode, Mojo Aware grays out Bonjour Gateway and prompts
you to change the Network setting from within the Access Control tab.
3. Enter the Service VLANs.
These are the VLANs with the Bonjour devices. The AP forwards packets from the service
VLAN to the client VLAN (i.e. the VLAN ID configured in the SSID) and vice versa.
4. Click Save or Save & Turn SSID On.
If you select Save & Turn SSID On, see Turn an SSID On for details.

If you are adding a new SSID, an "SSID created successfully" message appears. If you are
updating an SSID, an "SSID updated successfully" message appears.

Configure Redirection in SSID Access Control


You can redirect clients of the SSID to a URL of your choice.

To configure Redirection:

1. Go to Configure > SSID > Access Control.


2. Select Redirection.
Options for the redirection mechanism appear.
3. Select whether you want to redirect Smartphones / Tablets only or All Clients.
4. Enter the Redirect URL.
5. Enter the list of Walled Garden sites.
The user can access these sites before login.
Note: You must enter at least the Redirect URL in the Walled Garden field, since the
user must be able to access that URL before login.
6. Click Save or Save & Turn SSID On.
If you select Save & Turn SSID On, see Turn an SSID On for details.

If you are adding a new SSID, an "SSID created successfully" message appears. If you are
updating an SSID, an "SSID updated successfully" message appears.

What is a Walled Garden?


Let's understand the concept of a “walled garden” and its typical applications within Mojo
Wi-Fi. A walled garden allows Wi-Fi providers to control which destinations users can or cannot
access on a wireless network.

Walled garden functionality is used in conjunction with Mojo’s captive portal. The captive portal
function serves as a vehicle to interact with users when they log in to the Wi-Fi network.

When a captive portal is enabled on an SSID, a splash page is presented to the users before
allowing them Wi-Fi access. The splash page serves as a gatekeeper for allowing Wi-Fi access
and facilitates user interactions such as:

• Asking the user to accept terms and conditions


• Facilitating user authentication using a web-based login and password screen
• Facilitating logins using social Wi-Fi credentials

Sometimes it is necessary to bypass the gatekeeping function of the splash page and this
bypass function is facilitated by the walled garden. By defining specific destinations inside the
walled garden, it is possible to bypass the splash page allowing a user to access those specified
destinations directly. See Figure Splash Page and Walled Garden.

Figure 3: Splash Page and Walled Garden

How Whitelisting/Blacklisting of Client MAC Works


You can define either a Whitelist or a Blacklist of client MAC addresses on a per SSID basis. It’s
basically an Access Control List for an SSID – you get to decide which devices can or cannot
connect to an SSID. For example, you might want to allow only employees on the Corporate
SSID. You could then create a Whitelist of MAC addresses that can connect to the Corporate
SSID. Conversely, you might want to restrict some clients from connecting to an SSID. You could
then create a Blacklist of client MAC addresses for that SSID to prevent those clients from
connecting to the SSID. Below are the definitions of a Whitelist and a Blacklist.

Whitelist: Only clients in the Whitelist can connect to the SSID. No other clients are allowed.

Blacklist: Clients in the Blacklist cannot connect to the SSID. All other clients are allowed.

Requirements for Whitelisting / Blacklisting of Client MAC Addresses


To create a Whitelist or a Blacklist, you must meet the following requirements:

• For a given SSID, you can create either a Whitelist or a Blacklist, but not both.
• Per SSID Whitelist / Blacklist works only for 802.11ac Mojo devices.
• For each SSID, you can add a maximum of 1024 clients to its Whitelist or Blacklist.

Google Integration for Client Device Authorization


Google provides App sets for enterprises (Google for Work) and educational institutions
(Google for Education). These enable users to communicate and collaborate from a single
platform. From a network administrator's perspective, the key functions provided by Google are
User and Device Management, and Organizational Units. Network administrators can create
an organizational structure and control which settings and policies must be applied to users
and devices. The user directory offers SSO for all Google applications, while device management
enables administrators to authorize devices that can access the network and restrict access
based on the user role. Once a user logs in with their official Google credentials, the device MAC
is listed on the Google Device Management page. The administrator can then authorize or reject
the device when it attempts to connect to the network.

Configure Client Authentication


You can configure client authentication using either Google Integration or RADIUS MAC
Authentication.

To configure client authentication:

1. Go to Configure > SSID > Access Control.


2. Select Client Authentication.
Options for Google Integration or RADIUS MAC Authentication appear.
3. Select either Google Integration or RADIUS MAC Authentication.

• If you select Google Integration, then select what happens If Client Authentication Fails:
• Select Disconnect to disconnect the client if authentication fails.
• Select Assign Role and select the role you want to assign to the client if authentication
fails. If you want to define a role, click Add / Edit. A right-panel window appears
where you can configure the Role Profile and continue with Client Authentication. See
Configure a Role Profile.
• If you select RADIUS MAC Authentication, RADIUS Settings appear.
Note: If you have configured 802.1x authentication in the SSID Security tab, then
Mojo Aware grays out the RADIUS MAC Authentication option, since 802.1x already
is a RADIUS-based mechanism.

The RADIUS Settings for Client Authentication are:

• The Primary and Secondary RADIUS servers you want to use as Authentication
Server and Accounting Server.
• The Retry Parameters that control how often the AP attempts to authenticate with
RADIUS.
• The Username and the Password. For each of these fields, you can select from
among the MAC address formats in the list.
• The Called Station / NAS ID, the IDs that the AP or a Network Access Server (NAS) sends
to the RADIUS server.

Select what happens If Client Authentication Fails:

• Select Disconnect to disconnect the client if authentication fails.


• Select Assign Role and select the role you want to assign to the client if authentication
fails. If you want to define a role, click Add / Edit. A right-pane window appears where
you can configure the Role Profile and continue with Client Authentication.

4. Click Save or Save & Turn SSID On.
If you select Save & Turn SSID On, see Turn an SSID On for details.

If you are adding a new SSID, an "SSID created successfully" message appears. If you are
updating an SSID, an "SSID updated successfully" message appears.

Configure Role Based Control


You can assign role profiles to users connecting to the SSID based on the Google Integration or
RADIUS rules you define here in Role Based Control.

• To implement Role Based Control using Google, you must enable Google Integration.
• To implement Role Based Control using RADIUS, you must enable 802.1x.

You don't have to leave the SSID Access Control tab to configure Google or RADIUS. Just click
Change Settings? under Role Based Control. Mojo Aware opens a right-pane window, allowing
you to configure and save the relevant settings and continue with Role Based Control.

To configure Role Based Control:

1. Select Role Based Control.


• Select RADIUS VSA to assign roles based on rules for the RADIUS server.

• Select the Rule Type. This could be either Mojo-Role RADIUS VSA or Custom RADIUS
attributes VSA.
• Enter the Vendor ID and Attribute ID if you selected Custom RADIUS attributes
VSA. For the Mojo-Role RADIUS VSA case, the vendor is Mojo and the Vendor ID and
Attribute ID are pre-defined in the RADIUS server, so you don't have to enter those
values here.
• Select the Operand for the string pattern that you want to use for the rule.
• Enter the string pattern in the Enter Value field.
• Select the role you want to assign for this rule in Assign Role. If you have not yet
defined the role you want to assign, click Add / Edit. A right-pane window appears
allowing you to define a role and continue with Role Based Control. See Configure a
Role Profile for details.
• Select Google OU to assign roles based on rules for Google OU.

• The Rule Type is preset to Google OU.


• Select the Operand for the string pattern that you want to use for the rule.
• Enter the string pattern in the Enter Value field.
• Select the role you want to assign for this rule in Assign Role. If you have not yet
defined the role you want to assign, click Add / Edit. A right-pane window appears
allowing you to define a role and continue with Role Based Control. See Configure a
Role Profile for details.
2. Click Save or Save & Turn SSID On.
If you select Save & Turn SSID On, see Turn an SSID On for details.

If you are adding a new SSID, an "SSID created successfully" message appears. If you are
updating an SSID, an "SSID updated successfully" message appears.

SSID Analytics
The SSID Analytics tab contains settings to control what analytics information is stored and
where.

Mojo APs collect, process and present useful and easy-to-understand Analytics information.
You can choose to store this information on the Mojo server and / or on a third-party server of
your choice. Analytics information is broadly classified into Association and Application Visibility
analytics.

Association

Association analytics includes information on clients that associate with the SSID. A Mojo AP
collects the following data:

• Client MAC address


• Protocol
• SSID of the network to which the client connects
• Location of the client in the Mojo Location Hierarchy
• Start time of client association with the AP (GMT)
• End time of client association with the AP (GMT)
• Start time of client association with the AP according to local time of the user
• End time of client association with the AP according to local time of the user
• Session duration
• Data transfer from client device in bytes
• Data transfer to client device in bytes
• Data rate in Kbps
• Smart device type
• Local Time Zone

If you select Association, you can also select HTTP Content analytics. Content analytics
include:

• Domain name accessed by the clients


• Data transferred to the domain (in bytes)
• Data received from the domain (in bytes)

The Mojo server stores the data in CSV format so you can download it as reports.

Application Visibility

Application Visibility is where the AP monitors all applications above Layer 2 for this SSID. It tells
you what applications are most popular on your network. It can also help you identify unwanted
or harmful applications. You can view these Applications on the Monitor tab in Aware either on a
per-Client basis or on a per-Application basis.
Note: Application Visibility is not supported on 802.11n devices. Additionally, we
recommend that you do not enable Application Visibility for C-65, C-75, W-68 and O-90 as it
might adversely affect performance.

You can choose to send the analytics to a third-party server. In this case, when you select HTTP
Content, you need to enter the Username and Password for the server. The Send Interval
determines how often the data are sent to the server.

You can select which HTTP fields you want to send as part of the analytics. Mojo APs send
client MAC and RSSI data as part of the HTTP Post message. For details, see HTTP Post Format.

HTTP POST Format


The curl program is used to post the RSSI values to the server. The command format used is as
follows:

curl <upload_URL>?sensor_mac=<sensor's MAC address>&timestamp=<time in seconds> -F data=@"<file_on_airtight_device>"

The post command contains two arguments:

• sensor_mac: The MAC address of the Mojo device. Example: 00:11:74:90:00:1F
• timestamp: The time in number of seconds from boot of the Mojo device.

The content of this post command is the upload file, which contains RSSI data of clients. The
file name is rssi_data.

Each line in the file is of the following format:

<client_mac>, <RSSI in dBm>, <time in seconds at which RSSI reading was taken>
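A server that receives these uploads should validate both the URL arguments and every line of rssi_data before storing anything. The following is an added example, not code from the guide or from Mojo: a receiver-side parser for the format described above, run on constructed sample input. The function names, the RSSI bounds and the line cap are assumptions.

```python
import re
from urllib.parse import parse_qs

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
SECONDS_RE = re.compile(r"[0-9]{1,10}")
RSSI_RE = re.compile(r"-?[0-9]{1,3}")
RSSI_MIN, RSSI_MAX = -120, 0   # assumption: plausible dBm bounds for a reading
MAX_LINES = 10000              # assumption: cap on lines accepted per upload


def parse_query(query_string):
    """Validate the sensor_mac and timestamp URL arguments of one POST."""
    params = parse_qs(query_string)
    mac = params.get("sensor_mac", [])
    ts = params.get("timestamp", [])
    if len(mac) != 1 or not MAC_RE.fullmatch(mac[0]):
        raise ValueError("sensor_mac missing, repeated or malformed")
    if len(ts) != 1 or not SECONDS_RE.fullmatch(ts[0]):
        raise ValueError("timestamp missing, repeated or malformed")
    # timestamp counts seconds since device boot, so it is not a wall-clock
    # time; record the arrival time on the server side if one is needed.
    return mac[0].upper(), int(ts[0])


def parse_rssi_data(text):
    """Parse rssi_data lines: <client_mac>, <RSSI in dBm>, <time in seconds>.

    Returns (records, rejected); rejected holds (line number, reason) so that
    malformed lines are counted and logged rather than silently stored.
    """
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        raise ValueError("upload exceeds line cap")
    records, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            rejected.append((lineno, "expected 3 fields"))
            continue
        mac, rssi, taken_at = fields
        if not MAC_RE.fullmatch(mac):
            rejected.append((lineno, "bad client MAC"))
        elif not RSSI_RE.fullmatch(rssi):
            rejected.append((lineno, "bad RSSI"))
        elif not RSSI_MIN <= int(rssi) <= RSSI_MAX:
            rejected.append((lineno, "RSSI out of range"))
        elif not SECONDS_RE.fullmatch(taken_at):
            rejected.append((lineno, "bad time"))
        else:
            records.append({"client_mac": mac.upper(),
                            "rssi_dbm": int(rssi),
                            "time_s": int(taken_at)})
    return records, rejected


# Constructed sample input. The sensor MAC is the example value from the
# guide; the client MACs and readings are made up.
SAMPLE_QUERY = "sensor_mac=00:11:74:90:00:1F&timestamp=86400"
SAMPLE_FILE = (
    "a4:5e:60:c1:22:3b, -61, 86391\n"
    "A4:5E:60:C1:22:3C, -77, 86395\n"
    "a4:5e:60:c1:22:3d, 12, 86397\n"    # positive RSSI: rejected
    "not-a-mac, -50, 86398\n"           # malformed MAC: rejected
    "a4:5e:60:c1:22:3e, -70\n"          # missing field: rejected
)

if __name__ == "__main__":
    print(parse_query(SAMPLE_QUERY))
    good, bad = parse_rssi_data(SAMPLE_FILE)
    print(len(good), "accepted;", bad)
```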

Configure Analytics in SSID Settings


Configuring Analytics in an SSID involves two steps: storing analytics information on the
server, and pushing analytics information to a third-party server.

For details of the parameters required to configure Analytics in SSID Settings, see
Analytics Parameter.

To configure Analytics in SSID Settings:

1. Navigate to Configure > SSID.


2. Configure settings within the Store Analytics on This Server tab to store analytics
information on the server.
a) Select Association for information about the clients that connect to or associate with the
Mojo APs.
Selecting this enables HTTP Content field.
b) Select HTTP Content to capture information about the internet domains accessed by the
clients associated with the Mojo APs.

c) Select Application Visibility to turn ON the application visibility feature.
3. Scroll down to the Push Analytics to Third-Party Server tab and configure the following
settings to push analytics data to a third-party server.
a) Enter the Server URL of the external server.
b) Enter the Username to log in to the external server.
c) Enter the Password for the user to log in to the external server.
d) Enter the Send Interval in minutes.
4. Select the HTTP Content information, such as Post Request Body, User Agent, and Referer,
that you would like to share with the third-party server.
5. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Analytics Parameter
Field: Description

Store Analytics on This Server

Application Visibility: This check box turns ON the application visibility feature. If you enable
Application Visibility for a selected SSID, then a list of all applications above layer 2 for the
selected SSID will be displayed in the Monitoring > Applications tile. Note: We recommend not
to enable Application Visibility feature for C-65, C-75, W68, and O-90. If you enable Application
Visibility for these models, then it may impact the AP performance. Application Visibility feature
is not supported on 802.11n and older devices.

Association: This check box, if enabled, presents information about the clients that connect
to or associate with the Mojo APs. You can choose to collect analytics data for reporting
purposes about the client-AP association. Association analytics and content analytics can be
collected if you enable the collection of these analytics in the Wi-Fi profile. Association
Analytics comprises the data related to the client - AP communication. The following data is
collected as association analytics:

• Client MAC address
• Protocol
• SSID of the network to which the client connects
• Location of the client
• Start time of client association with the AP (GMT)
• End time of client association with the AP (GMT)
• Start time of client association with the AP according to local time of the user
• End time of client association with the AP according to local time of the user
• Session duration
• Data transfer from client device in bytes
• Data transfer to client device in bytes
• Data rate in Kbps
• Smart device type
• Local Time Zone

HTTP Content: This check box captures information about the internet domains accessed by the
clients associated with the Mojo APs. This information is present in the association analytics
file. The following information is present for each internet domain as content analytics
information:

• Domain name
• Data transferred to the domain (in bytes)
• Data received from the domain (in bytes)

Push Analytics to Third-Party Server

HTTP Content: Mojo AP supports the transfer of client HTTP content analytics or browsing data
from clients over HTTP or HTTPS to an external server where this information can be stored.
If this feature is enabled, then the user has to configure the options below.

Server URL: URL of the external server where the information is to be stored.

Username: Username to log in to external server.

Password: Password for the user to log in to external server.

Send Interval: Recurrent time interval, in minutes, after which the HTTP content analytics JSON
file must be sent to the external server. Value can vary from [1 - 60] mins, default value is
10 mins.

HTTP Fields

Post Request Body: If checked then include the POST method request body in the JSON file.

User Agent: If checked then include the user agent (browser) in the JSON file.

Referer: If checked then include the HTTP referrer in the JSON file.

SSID Captive Portal


A Captive Portal is a page that appears when a user attempts to access the SSID. This could
be a Facebook login enabled page for a public WiFi network, a simple Terms-of-Use page
for a Guest SSID on a corporate network, or a custom-branded page for a coffee shop chain.
The Captive Portal tab in Mojo Aware is designed so that you can configure all portal related
settings for your SSID (social media plugins, splash page, etc.) from this tab.

The captive portal can reside on the Mojo AP, on Mojo Cloud or on a third-party server. The AP
Hosted portal is the simplest case. It is simply a Clickthrough splash page, typically asking a
user to accept some terms of use. You can upload a splash page bundle, which is a ".zip" file
containing components of the splash page. A Download Sample can help you with creating
your own bundle.

A Cloud Hosted captive portal is one that resides on Mojo Cloud. You can do a lot with this
option, authenticating users via a wide variety of methods — called plugins — and defining
Quality of Service (QoS) settings for each authentication method. When you click Select login
method for guest Wi-Fi users, a right-panel window opens up allowing you to choose plugins
and define the QoS settings for each of them. QoS Settings include login and blackout timeouts,
and download and upload bandwidth limits. Below are the plugins through which users can
access Mojo Cloud hosted captive portal:

• Click-Through: This is basically no authentication, only a Welcome or Terms-of-Use type


page on which the user can click and access WiFi.

• Social Media Plug-Ins: Users authenticate using their social media login credentials to
access the WiFi. For details, see Access WiFi Using Social Media Plug-ins. Mojo supports
the following social media plugins: Facebook, Twitter, LinkedIn, Foursquare, Instagram, and
Google+.
• Username and Password: There are two options within this method:

• You can Allow Guest Users to Self-Register. Self-Registration can be for Free WiFi,
Paid WiFi, a combination of the two, or with Host Approval. For the Free case, there are
options to allow guest users to set their own passwords or to auto-login, to enable "Forgot
Password" links, and to activate expired accounts. For the Paid case, Mojo uses the Stripe
Payment Gateway. You can define tiers of payment. So, you can charge different amounts
for different session durations — say, $1 for an hour and $3 for 2 hours. The access time
must be consumed as soon as it is purchased. So, if a guest user purchases 1 hour of
access for $1, the session will expire after exactly 1 hour of purchase, irrespective of
how much session time the guest actually consumes. Even if the user explicitly logs off,
the session continues to be billed. The Free + Paid case is a mixed mode - in addition to
combining options from both cases, it allows you to keep the WiFi free for some time
and then start charging. For example, many airports offer free WiFi for the first half an
hour and charge users after that. Host Approval is for enterprise setups, where you
want to authorize the guest WiFi access. The host, whom the guest has come to visit
in the enterprise, can be the authorizer. Host-approved WiFi access ensures that only
authorized users can access the WLAN network. To understand how host-approved
guest access works, see Guest WiFi Authentication with Host Approval.
• Admin Generated Credentials uses the Guestbook method. This is where you maintain
a private guestbook and allow guest users to log in and access WiFi with guest user
account credentials that you have defined. The guestbook can include other user-specific
information. When you enable this in Mojo Aware, it opens up in a new tab once you save
the SSID.
• Passcode through SMS: Users provide their mobile number to receive an authentication
code via SMS. They use this code to authenticate and access the WiFi. You can define
settings related to the passcode (such as maximum length) and to the SMS (such as
maximum number of times the SMS is resent).
• Web Form: This is an enhanced form of clickthrough. There is no authentication. To access
WiFi, users fill out specific information such as their name, e-mail address, and contact
number.
• External RADIUS: Authentication happens via an external RADIUS server. You can select
a RADIUS server from the ones you have added, or add a new one using the Add / Edit
option. Mojo Aware allows you to add and save the new RADIUS server and return to the
portal settings.
Note: You cannot use the RADIUS plugin with any other plugins. If you select External
RADIUS, Mojo Aware automatically disables the other plugins.

Important Notes on Payment Gateway

If you use the Paid or the Free + Paid option, you're using a payment gateway. There are a few
important things to keep in mind when using a payment gateway:

• Some scripts from the payment gateway do not load in Android native web view (i.e. the
native browser that Android uses). To avoid this, you must add ssl.gstatic.com to the Walled
Garden list of the captive portal. If you don't add this entry to the Walled Garden, the user
sees an error message saying that the page could not be loaded and asking them to use a
different browser.
• For best WiFi user experience, we recommend that you add the general sites mentioned
in Walled Garden Sites for Captive Portal to the Walled Garden list of the captive portal. The
reason for this is that when a user attempts to access a WiFi connection, some operating
systems (e.g. iOS) try to reach some sites — let's call them "test sites" — to detect if the user
is behind a captive portal. If they're unable to reach the "test sites", these operating systems
conclude that the user is behind a captive portal and open the splash page using an "in-app"
browser. This could cause problems because, in conventional browsers, the page containing
the usage time and the logout option opens in a separate tab from the splash page. Thus,
with an "in-app" browser, users could end up not being able to see the usage and logout
page at all. While users are sent reminders to logout once they close their sessions, they
could miss these messages or attend to them after a while. This means that users could get
billed for time they haven't spent using the WiFi. To avoid such problems, it's best to add
those "test sites" to your Walled Garden so that users can access the time and logout tab as
well.
• Currently, you can define only time limits on the payment gateway. You cannot define
bandwidth or data limits; usage evaluation based on either bandwidth or data volume is not
supported.
• You can define amounts with up to 2 decimal places (e.g. $1.35).
Note: The QoS settings you configure for the plugins override those in the SSID > Access
Control tab.

Apart from the plugins, you can configure Common Settings such as e-mail, SMS and payment
gateway accounts used to communicate with your WiFi users. Common settings are applicable
not only across plugins within an SSID captive portal, but also across SSIDs and across
locations. So if you define a new location and an SSID at that location, the common settings
apply there as well. This means that WiFi users of an organization see the same e-mail and use
the same SMS account, no matter what location they're at.

You can use a combination of plug-ins on your captive portal. For example, you can use all the
social media plugins to provide guests with the option of using any social media account of
their choice to authenticate and access the WiFi. Or, if you are organizing an event and want
to provide WiFi access to guests, you can create a batch of guest user accounts in Mojo Guest
Manager and provide the account details to the guests to access the WiFi by using these
account credentials.

Another use case is to give users the option to access WiFi without any authentication. Say, you
have configured the social media plug-ins on your portal. But you also want to provide WiFi
access to guests who do not have a social media account or do not wish to use their social
media account credentials. In this case, you can provide a link on the portal page that allows
users to access the WiFi by just accepting certain Terms and Conditions. This can be done
using the Clickthrough plugin.
Note: The Terms and Conditions are user-defined and not Mojo specific. You can choose
not to provide any Terms and Conditions.

A Third-Party Hosted captive portal resides on an external server. As such, you must enter the
Splash Page URL and the Shared Secret of the server that hosts the portal. You can enable
RADIUS Authentication and enter the 802.1x Settings. See 802.1x RADIUS Settings for details.
With a third-party hosted portal, you need to configure Advanced Portal Parameters, namely the
Request and Response Attributes that the portal uses for its challenge-response based user
authentication.

There are some general fields that apply to AP-hosted, Cloud Hosted and Third-Party hosted
portals. For example, you can define Websites That Can Be Accessed Before Login and some
Post Login fields such as a URL the user is redirected to after login (for instance, a coupon for
the 100th customer), and login and blackout times. For a third-party hosted portal, you can
define a post-login Service Identifier for the user.

Walled Garden Sites for Captive Portal


For best results with splash pages, there are some sites you need to add to the Walled Garden
list of the captive portal. Some of these sites are general, for all splash page based captive
portals, while others are for specific plugins or content type.

General Sites

Add the following sites to the Walled Garden list for your captive portal:

• Host name of the Mojo Guest Manager; for example, gms.cloudwifi.com.


• akamaihd.net
• googleapis.com
• gstatic.com
• Country-specific Google domain for the country where the access point using the SSID
profile is deployed. For example, if an AP deployed in France is using the SSID profile, then
you must add google.co.fr to the walled garden. If the SSID profile is used by access points
deployed in different geographies, then the corresponding geography-specific Google domain
for each must be included in the walled garden.

Due to some third-party application issues, some of the plug-ins do not respond properly on
Apple iOS clients. To work around these issues, you must add the following entries to the walled
garden so that the captive portals function properly on Apple iOS clients:

• appleiphonecell.com
• captive.apple.com
• itools.info
• ibook.info
• airport.us
• thinkdifferent.us
Note: For an Apple iOS client, if you have a video in the splash page then add the walled
garden entries. However, if there is no video in the splash page and you need Automatic
Internet Detection then do not add the walled garden entries.

Site for Payment Gateway

If you use the Paid or the Free + Paid option, you're using a payment gateway. Some scripts
from the payment gateway do not load in Android native web view (i.e. the native browser
that Android uses). To avoid this, you must add ssl.gstatic.com to the Walled Garden list of the
captive portal. If you don't add this entry to the Walled Garden, users see an error message
saying that the page could not be loaded and asking them to use a different browser.

Sites based on Content

Based on the content type used in the splash page, add the following domains to the walled
garden.

Content Type    Walled Garden Entries

Vimeo           vimeo.com
                vimeocdn.com
                google-analytics.com

PollDaddy       polldaddy.com

YouTube         youtube.com
                googlevideo.com
                ytimg.com
                google.com
                googleusercontent.com (for thumbnail images)
                lh5.googleusercontent.com (for thumbnail images)

Configure AP Hosted Captive Portal


To configure AP Hosted Captive Portal settings:

1. Navigate to CONFIGURATION > SSID > Captive Portal.


2. Select the Enable Captive Portal check box to display a portal page to clients that use
the guest network.
3. Select AP Hosted as the mode of access to the internet through the captive portal.
4. Click Download Sample to download the factory default portal bundle file.
You can download the factory default portal bundle file and use it as a template to create a
custom portal bundle.
5. Click Upload Custom Splash Page Bundle to upload the bundle.

The bundle must be a .zip file containing the portal page along with any other files it uses,
such as images and style sheets. The zip file must satisfy the following requirements for the
portal to work correctly:

1. The zip file should have a file with the name "index.html" at the root level (i.e., outside of
any other folder). This is the main portal page. The zip file can have other files and folders
(and folders within folders) at the root level that are referenced by the index.html file.
2. The total unzipped size of the files in the bundle should be less than 100 KB. If large
images or other content are to be displayed on the page, this content can be placed on an
external web server with references from the index.html file. In this case, the IP address of
the external web server must be included in the list of exempt hosts (see below).
3. The index.html file must contain the following HTML tags for the portal to work correctly:
• A form element with the exact starting tag: <form method="POST" action="$action">
• A submit button inside the above form element with the name "mode_login". For
example: <input type="image" name="mode_login" src="images/login.gif">
• The exact tag <input type="hidden" name="redirect" value="$redirect"> inside the above
form element.
6. Enter the list of Websites That Can Be Accessed Before Login.
7. For Post Login configuration enter details for the below fields:
a) Specify the Redirect URL.
The browser is redirected to this URL after the user clicks the submit button on the portal
page. If left empty, the browser is redirected to the original URL accessed from the
browser for which the portal page was displayed.
b) Specify the value of the Service Identifier.
This is a free form parameter that can be passed to the external portal.
c) Specify Login Timeout, in minutes, for which a wireless user can access the guest
network after submitting the portal page.
After the timeout, access to guest network is stopped and the portal page is displayed
again. The user has to submit the portal page to regain access to the guest network. If the
user disconnects and reconnects to the guest network before his session times out, he
does not have to enter his credentials on the splash page.
d) Specify Blackout Time, in minutes.
This is the time for which a user is not allowed to login after his previous successful
session was timed out. For example, if the session time-out is 1 hour and the blackout
time is 30 minutes, a user will be timed out one hour after a successful login. Now after
this point, the user will not be able to login again for 30 minutes. At the end of 30 minutes,
the user can login again.
e) Select Detect when Internet connection is down and inform guest users if you
want the AP to check Internet connectivity and inform guest users when connectivity
is lost.
8. Click Save.
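
The bundle requirements listed under step 5 can be checked before the bundle is uploaded. The following pre-upload check is an added example, not part of the Mojo guide or product; the function names, the reading of "100 KB" as 100 * 1024 bytes, and the sample bundles are assumptions constructed for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser

# Assumption: the guide's "100 KB" is read here as 100 * 1024 bytes.
MAX_UNZIPPED_BYTES = 100 * 1024
FORM_TAG = '<form method="POST" action="$action">'
REDIRECT_TAG = '<input type="hidden" name="redirect" value="$redirect">'


class PortalFormScanner(HTMLParser):
    """Records whether index.html carries the three required tags."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.has_form = self.has_login = self.has_redirect = False

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()  # the tag exactly as written in the file
        if tag == "form" and raw == FORM_TAG:
            self.in_form = self.has_form = True
        elif self.in_form and tag in ("input", "button"):
            a = dict(attrs)
            kind = (a.get("type") or "").lower()
            is_submit = kind in ("submit", "image") or (
                tag == "button" and kind == "")
            if a.get("name") == "mode_login" and is_submit:
                self.has_login = True
            if raw == REDIRECT_TAG:
                self.has_redirect = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def build_zip(files):
    """Build an in-memory .zip from {archive_name: bytes} (demo helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def validate_bundle(zip_bytes):
    """Return a list of problems; an empty list means the bundle passes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a readable .zip file"]
    problems = []
    with zf:
        # Count real decompressed bytes rather than trusting the sizes
        # declared in the archive headers; stop reading at the cap.
        total = 0
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                while total < MAX_UNZIPPED_BYTES:
                    chunk = fh.read(min(8192, MAX_UNZIPPED_BYTES - total))
                    if not chunk:
                        break
                    total += len(chunk)
        if total >= MAX_UNZIPPED_BYTES:
            problems.append("total unzipped size is not less than 100 KB")
        if "index.html" not in zf.namelist():
            problems.append("no index.html at the root level of the zip")
            return problems
        with zf.open("index.html") as fh:
            html = fh.read(MAX_UNZIPPED_BYTES).decode("utf-8", "replace")
    scanner = PortalFormScanner()
    scanner.feed(html)
    scanner.close()
    if not scanner.has_form:
        problems.append("index.html lacks the exact form start tag")
    else:
        if not scanner.has_login:
            problems.append("no submit button named mode_login in the form")
        if not scanner.has_redirect:
            problems.append("no exact hidden redirect tag in the form")
    return problems


# Constructed sample portal page that meets all three tag requirements.
GOOD_INDEX = (
    b'<html><body>\n<form method="POST" action="$action">\n'
    b'<input type="hidden" name="redirect" value="$redirect">\n'
    b'<input type="image" name="mode_login" src="images/login.gif">\n'
    b'</form>\n</body></html>\n'
)

if __name__ == "__main__":
    bundle = build_zip({"index.html": GOOD_INDEX, "images/login.gif": b"GIF89a"})
    print(validate_bundle(bundle) or "bundle passes")
```

The size check reads the decompressed data, so a small archive that expands past the limit is still reported.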

Configure Cloud Hosted Captive Portal


This is the default option when you first access the SSID > Captive Portal tab. With this option,
the captive portal is hosted on Mojo Cloud.

To configure Cloud Hosted captive portal:

1. Go to SSID > Captive Portal.


2. Select Enable Captive Portal.
The Cloud Hosted option appears by default.
3. Design the splash page.
See Design a Splash Page for details.
4. Configure the plugins you want to use.
The default plugin is Clickthrough. The settings are different for different plugins. For
information on these settings, see:

• Configure Clickthrough Plugin


• Configure Social Media Plugins
• Configure Username Password Plugin
• Configure Passcode Through SMS Plugin
• Configure Webform Plugin
• Configure External RADIUS Plugin
5. Select Skip Splash Page and the Duration in days, if you want to skip presenting the splash
page to the user for that duration.
6. Enter the Websites that Can Be Accessed Before Login.
This is the Walled Garden of sites that you're allowing the user to access before login. For
best results with captive portal, we recommend that you add some sites to the walled
garden. See Walled Garden Sites for Captive Portal.
7. Configure the Post Login parameters.
These include:

• Redirect URL to which you want to redirect the user.


• Login Timeout after which the user's login expires.
• Blackout Time which is the time period for which a user cannot log in to the portal after
the last successful login has timed out.
8. Select if you want the AP to detect when the internet is down and inform users.
9. Click Save to save the SSID or Save & Turn SSID On to save and turn it on.
Guest Wi-Fi User Authentication with Host Approval
The following steps give an overview of how the user gains access to Wi-Fi using the
guestbook plugin with host approval:

1. The guest user connects to the SSID and is redirected to a splash page. The guest user
registers on the splash page by providing his contact information and the email address of
the host. The guest user account information is stored in the guestbook of the portal.

2. The user is shown a message that the request has been sent for approval.

3. The host receives an email for the registration performed by the guest user.

A sample email is displayed as follows:

4. Once the host clicks Approve in the email, the guest user will receive an approval message.
If the approval is granted within 5 minutes from the time of request, the guest user can
access Wi-Fi without logging in again. The login page is displayed as follows:

The guest user is automatically logged in after clicking Continue.


5. If the request approval is granted after 5 minutes, the guest user must explicitly log in using
the provided username and password. The guest user must click Click Here to Login to
authenticate and access Wi-Fi.

Design a Splash Page
The Cloud Hosted captive portal comes with a default splash page. You can edit this splash
page.

You must select Cloud Hosted captive portal under SSID > Captive Portal to edit the splash
page.

To edit the splash page:

1. Click the "pen" (edit) icon on the Splash Page section.


A right panel Splash Page window opens up, where you can edit the elements of your splash
page.
2. Expand the Logo option to add your logo to the splash page.
a) Click Upload Logo Image and select the logo image you want to upload.
b) You can use the slider below the image to adjust the size of the logo.
3. Expand the Background Image option to add your background image to the splash page.
a) Click Upload Image and select the background image you want to upload.
4. Expand the Background Color option.
a) Select the background color from the color bar on the right.
The rectangle on the left shows shades of the color you selected.
b) Select the exact shade of the color by clicking at a particular location on the rectangle.
c) Set the level of Transparency using the slider below the color pane.
The rgba values below the slider correspond to the color, shade and the transparency
level you select. RGBA stands for Red, Green, Blue and Alpha, where Alpha is the
transparency parameter (0 - fully transparent, 1 - fully opaque).
5. Expand the Terms of Use option to define the terms of use.
a) Enter the Title for the terms of use.
b) Enter the Body of text for the terms of use.
6. Expand the Privacy Policy option.
a) Enter the Title of the privacy policy.
b) Enter the Body of the privacy policy.
7. Expand the Text option.
You can use this to enter your caption or welcome message (e.g. "Enjoy Free WiFi") and your
copyright info.
a) Enter the Plugin Title.
This is your caption or welcome message.
b) Enter the Copyright text.
8. Click Save.
You can see a preview of the splash page.

The splash page you have designed appears on the SSID > Captive Portal tab.

Configure Common Settings for Plugins
Common settings are system wide — they're applicable not only across plugins within an SSID
captive portal, but also across SSIDs and across locations. Common settings include settings for
email, SMS and payment gateway accounts used to communicate with your WiFi users.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure
common settings.

Common settings consist of the following tasks:

• Configure Email Account Settings


• Configure SMS / MMS Account Settings
• Configure Payment Gateway Settings

Configure Email Account Settings


This is the email account used to communicate with your WiFi users.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure
common settings.

To configure e-mail account settings:


1. On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
The Plugins & QoS window appears on the right panel.
2. Click the "gear" icon for Common Settings.
Icons for email, SMS / MMS, payment gateway and country code appear.
3. Click the "envelope" icon for Email Account.
The Email Account Settings appear.
4. Select the Email Service Type.

• If you select System Email:

• Enter the From Email ID and the From Name. These will appear in the "From" field of
the email the user gets.
• Enter the Return Email ID. This is the email ID to which the user can send a response.
You can test by clicking Verify to receive a test message on the return ID.
• If you select SMTP Configuration:

• Enter the From Email ID and the From Name. These will appear in the "From" field of
the email the user gets.
• Enter the Return Email ID. This is the email ID to which the user can send a response.
• Enter the SMTP Server Host name or IP address.
• Enter the Server Port number of the SMTP server.
• Select the Login Method for the SMTP server.
• Enter the Login Username and the Login Password for the SMTP server.
• Select the Connection Security type for the connection to the SMTP server.

5. You can enter a Test Account and click Send Test Email to verify that the configuration
works.
If you have configured everything right, this will send a test email with the correct
parameters to the account you entered.
6. Click Save to save the configuration.

Configure SMS / MMS Account Settings


This is the SMS / MMS account used to communicate with your WiFi users.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure
common settings.

To configure SMS / MMS account settings:

1. On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
The Plugins & QoS window appears on the right panel.
2. Click the "gear" icon for Common Settings.
Icons for email, SMS / MMS, payment gateway and country code appear.
3. Click the "message" icon for SMS / MMS Account.
The SMS / MMS Account Settings appear.
4. Under the Account option, select an existing account or select Add New to add a new
account.
5. Enter a Name for the account.
6. Select a Service Provider.
You can select Twilio, Msg91 or a custom service provider. The configuration varies
depending on your choice.

• If you select Twilio, enter the Account SID, the Auth Token and the Twilio Number.
• If you select Msg91, enter the Username, Password, and Sender ID, and select the SMS
Route.
• If you select Custom, enter the Service URL.
7. You can enter a Test Account number and Test SMS Settings to verify that the configuration
works.
If you have configured everything right, this will send a test SMS to the number you entered.
8. Click Save to save the configuration.

Configure Payment Gateway Settings


This is the payment gateway used to bill users when you select Paid or Free + Paid WiFi.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure
common settings.
Note: When using Paid or Free + Paid WiFi, we recommend that you add the general sites
mentioned in Walled Garden Sites for Captive Portal to the Walled Garden list in the captive
portal settings. This will ensure that the captive portal isn't suppressed and users are not
forced into an "in-app" browser.

Mojo currently supports only the Stripe payment gateway. To configure payment gateway
account settings:

1. On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
The Plugins & QoS window appears on the right panel.
2. Click the "gear" icon for Common Settings.
Icons for email, SMS / MMS, payment gateway and country code appear.
3. Click the "two coins" icon for Payment Gateway.
The Payment Gateway Settings appear.
4. Under the Stripe Account option, select an existing account or select Add New to add a new
account.
5. Enter a Name for the account.
6. Open the Stripe website in a new tab and log in to your Stripe account.
7. On the Stripe home page, click API on the left navigation menu.
Note: If you were already logged in to Stripe, you need to log out and log back in to be
able to access the API menu.
8. Copy the Live Publishable Key and the Live Secret Key from the Stripe API menu, and paste
them in the respective fields in the payment gateway settings in Mojo Aware.
9. Click Save to save the configuration.

Configure Clickthrough Plugin


The Clickthrough plugin has no authentication, only a Welcome or Terms-of-Use type page on
which the user can click and access WiFi.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

To configure Clickthrough plugin:

1. On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
The Plugins & QoS window appears on the right panel.
2. Select Clickthrough and click the edit icon (pencil) to edit settings.
The Clickthrough Settings appear.
3. Configure the Common Plugin Settings.
4. Click Save.
This takes you back to the Plugin & QoS page.
5. Click Save on the Plugin & QoS page to save the clickthrough settings.
6. Save the SSID.

Access Wi-Fi Using Social Media Plug-Ins
The figure below explains how Mojo authenticates the guests using social media plug-ins.

Figure 4: Mojo Social Media Login Workflow

When guests try to access the Wi-Fi through an access point (AP), the captive portal page is
displayed. The portal provides options for authenticating with social media accounts. When a
guest chooses a social media service to authenticate with, the portal redirects the user to that
service's login page to enter his social media account credentials. The social media service
validates the user account credentials. If validation succeeds, the portal and the social media
service exchange certain information and perform a handshake. The user is asked for permission
to share some of the information in his social media account with the social media App. The
social media service checks whether the user Likes or Follows your page and, if not, asks the
user to Like or Follow your page. The AP then opens the gate for the user to access the Internet.

Configure Social Media Plugins


You can configure social media plug-ins on your captive portal. You must configure only the
plug-ins that you have selected for your portal. The following social media plugins can be
configured from the captive portal:

• Facebook
• Foursquare
• Google+
• Instagram
• LinkedIn
• Twitter

Configure Facebook Plug-In
To configure the Facebook plug-in on your captive portal, you need to know the App ID and
App Secret of your Facebook App.

To configure the Facebook plug-in:

1. Navigate to CONFIGURE > SSID > Captive Portal > Authentication Plugins & Quality of
Service > Social.
2. Select Facebook.
3. Enter App ID provided by Facebook to communicate with the Facebook API.
4. Enter App Secret.
This is the App Secret that Mojo Guest Manager uses to connect to the Facebook App.
5. Select Display Like Page if you want guests to Like your Facebook page when they
authenticate using their Facebook account credentials.

If selected, a text box requesting the user to Follow the Facebook page is displayed.
6. Enter the Like Page URL of the Facebook page that guests see and can 'Like'.
7. Select Extended Profile Permissions if you want to ask the guest user for permission to
access additional information such as email address, birthday, likes and location.

If selected, the user is asked for permissions to access the above-mentioned information from
the user profile. Select the check boxes for the information fields (Email address, Birthday,
Likes, Location) that you want to request access for from the guest user.
8. Refer to Configure Common Social Media Plugin Settings for Quality of Service and Redirect
URL configuration.
9. Click Save.

Configure Foursquare Plug-In


To configure the Foursquare plug-in:

1. Navigate to CONFIGURE > SSID > Captive Portal > Authentication Plugins & Quality of
Service > Social.
2. Select Foursquare.
3. Enter Client ID provided by Foursquare to communicate with the Foursquare application that
uses OAuth 2.0 protocol to call Foursquare APIs.
4. Enter Client Secret.

Secret or passphrase that the portal uses to connect to and communicate securely with
Foursquare.
5. Refer to Configure Common Social Media Plugin Settings for Quality of Service and Redirect
URL configuration.
6. Click Save.

Configure Google+ Plug-In
To configure the Google+ plug-in:

1. Navigate to CONFIGURE > SSID > Captive Portal > Authentication Plugins & Quality of
Service > Social.
2. Select Google+.
3. Enter the Client ID provided by Google+ to communicate with the Google+ application that
uses OAuth 2.0 protocol to call Google APIs.
4. Enter the Client Secret.

Secret or passphrase that the portal uses to connect to and communicate securely with
Google+.
5. Enter the API Key. Google+ generates an API key for each project, and it is used to
communicate with other APIs enabled in the project.
6. Select Extended Profile Permissions if you want to ask the guest user for permission to
access additional information such as email address and advanced profiles.

If selected, the user is asked for permissions to access the above-mentioned information
from the user profile. Select the check boxes for the information fields (Email address and
Advanced Profiles) that you want to request access for from the guest user.
7. Refer to Configure Common Social Media Plugin Settings for Quality of Service and Redirect
URL configuration.
8. Click Save.

Configure Instagram Plug-In


To configure the Instagram plug-in:

1. Navigate to CONFIGURE > SSID > Captive Portal > Authentication Plugins & Quality of
Service > Social.
2. Select Instagram.
3. Enter Client ID provided by Instagram to communicate with the Instagram application that
uses OAuth 2.0 protocol to call Instagram APIs.
4. Enter Client Secret.

Secret or passphrase that the portal uses to connect to and communicate securely with
Instagram.
5. Refer to Configure Common Social Media Plugin Settings for Quality of Service and Redirect
URL configuration.
6. Click Save.

Configure LinkedIn Plug-In
You can configure LinkedIn plug-ins on your captive portal. You must have the Administrator
role to configure the LinkedIn plug-ins. Before you configure the LinkedIn plug-in, you must
ensure that you have created your application/project on the social media site.

To configure the LinkedIn plug-in:

1. Navigate to CONFIGURE > SSID > Captive Portal > Authentication Plugins & Quality of
Service > Social.
2. Select LinkedIn.
3. Enter App ID provided by LinkedIn to communicate with the LinkedIn API.
4. Enter Secret Key.

Secret that Mojo Guest Manager uses to connect to LinkedIn.


5. Select Display Follow Page if you want guests to Follow you on LinkedIn when they
authenticate using their LinkedIn account credentials.

If selected, a text box requesting the user to Follow the LinkedIn page is displayed.
6. Enter the Follow Page URL to be displayed to the guest.
7. Select Extended Profile Permissions if you want to ask the guest user for permission to
access additional information such as Email Address, Phone Number, and Full Profile.

If selected, the user is asked for permissions to access the above-mentioned information from
the user profile. Select the check boxes for the information fields (Email address, Phone
Number, and Full Profile) that you want to request access for from the guest user.
8. Refer to Configure Common Social Media Plugin Settings for Quality of Service and Redirect
URL configuration.
9. Click Save.

Configure Twitter Plug-In


You can configure Twitter plug-ins on your captive portal. You must have the Administrator role
to configure the Twitter plug-ins. Before you configure the Twitter plug-in, you must ensure that
you have created your application/project on the social media site.

To configure the Twitter plug-in:

1. Navigate to CONFIGURE > SSID > Captive Portal > Authentication Plugins & Quality of
Service > Social.
2. Select Twitter.
3. Enter Customer Key provided by Twitter to communicate with the Twitter API.
4. Enter Customer Secret.

Secret that Mojo Guest Manager uses to connect to Twitter.


5. Select Display Follow Page if you want guests to Follow you on Twitter when they
authenticate using their Twitter account credentials.
If selected, a text box to provide Follow Page URL is enabled.
6. Enter the Follow Page URL for the Twitter page that the guests can see and 'Follow'.
7. Refer to Configure Common Social Media Plugin Settings for Quality of Service and Redirect
URL configuration.
8. Click Save.

Configure QOS and Redirect Settings


Quality of Service and Redirect URL are the two common settings to be configured for every
plugin.

For more information about the parameters below, refer to QoS Settings for Plugins.

To configure Quality of Service and Redirect URL:

1. Scroll down to Quality of Service on the Social Media Plugin Settings page.


2. Enter the Login Timeout.
3. Enter the Blackout Time.
4. Enter Limit the maximum download bandwidth to.

The maximum download bandwidth, in Kbps or Mbps for the guest user.
5. Enter Limit the maximum upload bandwidth to.
The maximum upload bandwidth, in Kbps or Mbps for the guest user.
6. Enter Custom URL in Redirect URL section.

The URL of the page to which a guest must be redirected on successful authentication.

Configure Username Password Plugin


With the Username / Password plugin, you can allow users to self-register or have them use
Guestbook, i.e., admin generated credentials.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

To configure Username / Password plugin:

1. On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
The Plugins & QoS window appears on the right panel.
2. To let users self-register, select Allow Guest Users to Self-Register.
The options for self-registering appear.
3. Select the option you want to use for self-registration.

• Select Free Wi-Fi to allow free WiFi access to users. Click on the "gift" icon to configure
the free WiFi. With free WiFi you can:

• Allow self-registered users to set password


• Enable Forgot Password Link
• Allow guest users to activate expired account
• Allow self-registered guest users to auto login
• Show credentials to a self-registered guest user on a webpage

• Select Paid Wi-Fi to have users pay for WiFi access. Click on the "$" icon to configure paid
WiFi. With paid WiFi, you can do all of the things listed in free WiFi above, such as allow
self-registered users to set password, enable forgot password link, etc. Additionally, you
can define Payment Tiers for a payment gateway to bill users. The steps are:

• If you have not yet configured a payment gateway, you must do so before you can
proceed any further. Click Configure to set up a payment gateway. See Configure
Payment Gateway Settings for details.
• Select Currency for payment
• Click the "+" icon to Add Tier.
• Configure the Amount, and the access Duration for this amount.
• Enter the Email Content you want to include as part of the paid WiFi welcome
message.
• Enter the SMS Content you want to include as part of the paid WiFi welcome
message.
• Select Free & Paid Wi-Fi to offer users free access for some time and then charge them.
The configuration is essentially a combination of the items in the free WiFi and the paid
WiFi cases. The only additional task is that you need to define the initial period for which
the WiFi is free and how often you want to renew this free period. The steps for this task
are:

• Expand the Free for first option.
• Enter the Free WiFi Duration.
• Select Renew Every and enter the period after which you want to renew the free
access.
Note: Some scripts from the payment gateway do not load in Android native web view
(i.e. the native browser that Android uses). To avoid this, you must add ssl.gstatic.com
to the Walled Garden list of the captive portal. If you don't add this entry to the Walled
Garden, the user sees an error message saying that the page could not be loaded
and asking them to use a different browser.
• Select Host Approval for users to request host approval via email. To understand how
this works, see Guest WiFi Authentication with Host Approval. Click on the host approval
icon (person with tick mark) to configure the Host Approval Settings. For host approval
settings:

• Enter the Email domains to receive approval requests for guest access. With this
you can ensure that requests are only sent to authorized domains.
• You can define approvers by entering Approver Email Addresses.

Additionally, you can:

• Allow guest users to skip host's email on splash page
• Allow self-registered guest users to auto login
• Show credentials to a self-registered guest user on a webpage
4. To use a Guestbook to authorize logins, select Admin Generated Credentials.

Note: You can use the Guestbook icon only after you have saved the SSID.

a) Click on the Guestbook icon.
This opens a new Mojo Guest Manager tab in your browser, where you can define new
guest WiFi accounts. For details on how to configure Guestbook, see the Mojo Guest
Manager User Guide.
5. Click Save.
This takes you back to the Plugin & QoS page.
6. Click Save on the Plugin & QoS page to save the plugin settings.
7. Save the SSID.

Configure Passcode Through SMS Plugin


In this method, users provide their mobile numbers and receive a passcode for WiFi access via
SMS.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

To configure Passcode through SMS plugin:

1. On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
The Plugins & QoS window appears on the right panel.
2. Select Passcode through SMS and click the edit icon (pencil) to edit settings.
The Passcode through SMS Settings appear.
3. Select the limit for the maximum number of devices per user.
This is the maximum number of devices that can use the same passcode to access WiFi.
4. Select the Passcode Length and the Passcode Validity.
The passcode will expire after the validity time interval elapses.
5. Select the parameters for re-sending the SMS: the limit for the maximum number of times
you want the SMS to be re-sent, and the minimum time interval that must elapse before an
SMS is re-sent.
6. Enter the text to be sent to guest users in the SMS.
7. Configure the Quality of Service settings and the Redirect URL. See Common Plugin
Settings.
8. Click Save.
This takes you back to the Plugin & QoS page.
9. Click Save on the Plugin & QoS page to save the clickthrough settings, and then save the
SSID.

Configure Webform Plugin


This is an enhanced form of clickthrough. There is no authentication but users fill out their
details such as name, email, and contact number.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.

To configure Webform plugin:
1. On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
The Plugins & QoS window appears on the right panel.
2. Select Webform and click the edit icon (pencil) to edit settings.
The Webform Settings appear.
3. For each Field (e.g. First Name), select whether you want to Display the field on the webform
and whether you want the field to be Mandatory.
4. Configure the Common Plugin Settings.
5. Click Save.
This takes you back to the Plugin & QoS page.
6. Click Save on the Plugin & QoS page to save the clickthrough settings.
7. Save the SSID.

Configure External RADIUS Plugin


In this method, authentication happens via an external RADIUS server.

You must select Cloud Hosted captive portal under SSID > Captive Portal to configure plugins.
Note: You cannot use the RADIUS plugin with any other plugins. If you select External
RADIUS, Mojo Aware automatically disables the other plugins.

To configure external RADIUS plugin:

1. On the SSID > Captive Portal tab, click Select login method for guest WiFi users.
The Plugins & QoS window appears on the right panel.
2. Select External RADIUS.
The 802.1x Settings appear. For an explanation of these settings, see 802.1x or RADIUS
Settings.
3. For common plugin settings, click the edit icon (pencil).
The External RADIUS Settings window appears. For details on these settings, see Common
Plugin Settings.
4. Select the Authentication Server.
If you have not yet added any RADIUS servers, you can do so by clicking Add / Edit. The
RADIUS Server Settings window appears. For details on how to add a RADIUS server, see
Configure RADIUS Profile.
Note: You must select at least one Primary Authentication server. Optionally, you can
select a Primary Accounting server and Secondary Authentication and Accounting servers
as well.
5. Select the Accounting Server.
If you have not yet added any RADIUS servers, you can do so by clicking Add / Edit. The
RADIUS Server Settings window appears. For details on how to add a RADIUS server, see
Configure RADIUS Profile.

6. Select the Accounting Interval.
7. Enter the Called Station and NAS ID values.
8. Click Save.
This takes you back to the Plugin & QoS page.
9. Click Save on the Plugin & QoS page to save the plugin settings, and then save the SSID.

QoS Settings for Plugins


| Field | Description |
| --- | --- |
| Login Timeout | The time period after which the guest user session for the portal expires. The user must re-authenticate with his login credentials if he wants to continue using the WiFi service. "0" indicates that the user session does not timeout and the user must explicitly log out from the portal. A non-zero timeout configured on the plug-in takes precedence over the timeout configured on the SSID profile. The time period can be specified in Hours, Minutes, Days, Weeks or Months. |
| Blackout Time | The time period for which a user cannot log in to the portal after the last successful login has timed out. "0" indicates no blackout time. The blackout time configured on the plug-in takes precedence over the blackout time configured on the SSID profile. The time period can be specified in Hours, Minutes, Days, Weeks or Months. |
| Redirect URL | The URL of the page to which the guest user must be redirected on successful login from the portal using the plug-in. |
| Max Download Bandwidth | Maximum download bandwidth, in Kbps or Mbps, for this plug-in on the portal. |
| Max Upload Bandwidth | Maximum upload bandwidth, in Kbps or Mbps, for this plug-in on the portal. |

Configure Third-Party Hosted Captive Portal


To configure Third-Party Hosted Captive Portal settings:

1. Navigate to CONFIGURATION > SSID > Captive Portal.

2. Select Enable Captive Portal to display a portal page to the client when it uses the
guest network.
3. Select the mode of access as Third-Party Hosted.
The guest user is redirected to a portal hosted on an external server.
4. To configure basic settings within Third-Party Hosted, do the following:
a) Select With RADIUS Authentication.
The guest user is authenticated by a RADIUS server when he logs in to the external
portal. Once you select With RADIUS Authentication, a link to configure 802.1x Settings appears.
b) To configure 802.1x Settings, refer to Configure External RADIUS Plugin.
c) Enter Splash Page URL.
The wireless user is redirected to the external portal using this URL.
d) Enter a Shared Secret for SSID-external portal communication.
e) Enter Websites That Can Be Accessed Before Login.
5. For Post Login configuration enter details for the below fields:
a) Specify the Redirect URL.
The browser is redirected to this URL after the user clicks the submit button on the portal
page. If left empty, the browser is redirected to the original URL accessed from the
browser for which the portal page was displayed.
b) Specify the value of the Service Identifier.
This is a free form parameter that can be passed to the external portal.
c) Specify Login Timeout, in minutes, for which a wireless user can access the guest
network after submitting the portal page.
After the timeout, access to guest network is stopped and the portal page is displayed
again. The user has to submit the portal page to regain access to the guest network. If the
user disconnects and reconnects to the guest network before his session times out, he
does not have to enter his credentials on the splash page.
d) Specify Blackout Time, in minutes.
This is the time for which a user is not allowed to login after his previous successful
session was timed out. For example, if the session time-out is 1 hour and the blackout
time is 30 minutes, a user will be timed out one hour after a successful login. Now after
this point, the user will not be able to login again for 30 minutes. At the end of 30 minutes,
the user can login again.
e) Select Detect when Internet connection is down and inform guest users if you
want to check the Internet connectivity and inform guest users in case of loss of Internet
connectivity.
6. To configure Advanced Portal Parameters, refer to Request and Response Parameters.
7. Click Save.

Request and Response Parameters
| Request Attributes | Description |
| --- | --- |
| Request Type | Field name for request type field. |
| Challenge | Field name for random text used for authentication. |
| Client MAC Address | Field name for the MAC address of the client. |
| Access Point MAC Address | Field name for MAC address of the access point that is communicating with the external portal. |
| Access Point IP Address | Field name for the IP address of the access point that is communicating with the external portal. This should match the field name used by the external portal. |
| Access Point Port Number | Field name for the AP port number on which the AP and external server communicate. |
| Failure Count | Field name for the count of the number of failed login attempts. |
| Requested URL | Field name for the requested URL that is the URL requested by the client through the AP, to the external server. |
| Login URL | Field name for the login URL. |
| Logoff URL | Field name for the logoff URL. |
| Remaining Blackout Time | Field name for the remaining blackout time. |
| Service Identifier | Name of the portal parameter that is used to pass the service identifier value to the external portal. The service identifier value is specified in the Captive Portal section of the SSID Profile. This parameter can be used by the external portal to implement SSID profile specific functionality like different portals for different SSIDs etc. |

| Response Attributes | Description |
| --- | --- |
| Challenge | Field name for the challenge |
| Response Type | Field name for the response type. |
| Challenge Response | Field name for the challenge response. |
| Redirect URL | Field name for the redirect URL |
| Login Timeout | Field name for login timeout. |
| User name | Field name for user name. |
| Password | Field name for password. |

SSID RF Optimization
The RF (Radio Frequency) Optimization tab is where you can enable RF related optimizations on
the SSID.

Mojo uses a Unified Client Steering approach. That is, the various client steering mechanisms
work together to improve the client Quality of Experience (QoE). On the SSID RF Optimization
tab, you simply enable different types of steering for this SSID. To configure the parameters
related to client steering you need to go to the Radio Settings tab. The Minimum Association
RSSI is the minimum RSSI at which a client is allowed to associate with an AP on this SSID.
The value comes from the Steering RSSI Threshold in the common steering parameters. See
Configure Common Steering Parameters.

Enforce Steering is enabled by default. Some clients directly send Association Request
packets by listening to beacons. Enforce Steering causes an AP to reject such requests on
2.4GHz, thereby force-steering clients to 5GHz.

You can enable 802.11k Neighbor List. This allows clients to request neighbor lists from APs,
which speeds up roaming. See 802.11k Use Case for details. When you enable 802.11k, you can
select Neighbor List Dual Band if you want the AP to send the client neighbor information on
both bands. While 802.11k defines methods that help individual clients understand their radio
environment, 802.11v defines services that help improve overall network performance. See
802.11v Use Case for details.

You can enable or disable 802.11k Neighbour List and 802.11v BSS Transition by navigating to:

Address Resolution Protocol (ARP) is an IPv4 protocol used to resolve a device’s IP address to
its physical MAC address so communication can occur on the Layer 2 segment. A device sends
an ARP broadcast packet containing an IP address, in effect asking who on the Layer 2 segment
knows which MAC address is associated with that IP address. A client may also send an ARP
broadcast that contains its own IP and MAC address to update Layer 2 device ARP tables. IPv6
doesn’t use broadcast packets; it uses the Neighbor Discovery Protocol (NDP). NDP uses multicast
to resolve addresses and to find other network resources.

An AP can act as a proxy for the wireless clients associated to it. When you enable Proxy ARP
and NDP, the AP itself responds to the ARP and NDP requests instead of forwarding them and
transmitting them at a low, basic data rate. Downstream Group-Addressed Forwarding (DGAF)
blocks all broadcast/multicast traffic from the wired to the wireless side. It is used only with
Hotspot 2.0. You can disable it by selecting Disable DGAF.

When you enable Broadcast / Multicast Control, the AP blocks broadcast/multicast packets
from Ethernet to wireless. This cleans up the RF airspace by blocking unnecessary traffic.
You can also block broadcast/multicast packets from wireless to Ethernet by selecting Block
Wireless to Wired. Broadcast / Multicast Control should be used carefully as many network
functions use broadcast packets for basic operations.

For applications that must be allowed to use broadcast / multicast packets, you can create an
exemption by adding the protocol information to the Exemption List.

Bonjour is an Apple protocol designed to make Bonjour-enabled devices and services easy to
use and configure over the network. Bonjour makes heavy use of broadcast and is essential for
Apple products. You can select Allow Bonjour to automatically apply an exemption.

IGMP Snooping is a mechanism to prune multicast packets so that they are forwarded only to
ports on which clients have subscribed. This saves bandwidth by avoiding unnecessary packet
flows. For details, see IGMP Snooping.

802.11k - Use Case


Consider a client moving from one AP (AP1 in the figure Moving Client Scenario) towards
another AP (AP2 in the figure below). The strength of the signal received from AP1 gets weaker
as the client moves away from it. Without 802.11k, a client needs to scan several channels
before it can determine which AP has the best signal. Clients typically scan channels at 100ms
intervals looking for beacons. Assuming there are 21 channels available in the 5GHz band (with
DFS), a complete scan of all available channels could take as long as 2.1 seconds. Real-time
applications have strict timing requirements (one-way delay must be < 50ms for Voice over Wi-
Fi (VoFi)). A complete scan could thus result in poor user experience. 802.11k provides a better
alternative.

Figure 5: Moving Client Scenario

The IEEE 802.11k amendment, also called Radio Resource Measurement (RRM), defines
methods allowing stations to inform each other about their respective radio frequency (RF)
environments. That way, they can make faster and better informed decisions on roaming. With
802.11k, a client can request a Mojo AP to send a Neighbor Report. In case of the client in the
above figure, it requests a Neighbor Report from AP1. It's basically asking AP1, “Which APs are
advertising my current SSID? What channels are these APs operating on? What are their signal
strengths as you see them?” AP1 reports on all the APs it can sense that are advertising this
SSID. Suppose there are 4 such neighbors in the 5GHz band (AP2 through AP5 in the Moving
Client Scenario figure). The client then receives a Neighbor Report containing 4 candidate
channels to scan. At 100ms a channel, the client can decide in under half a second which AP to
move to. It no longer needs to spend 2.1 seconds scanning all available channels for target APs.

Table 4: Scan Times with and without 802.11k

| 5GHz (w DFS) | All Channels | 11k Neighbors |
| --- | --- | --- |
| Channels to scan | 21 | 4 |
| Scan Time | 2.1s | 400ms |

The Neighbor Report from a Mojo AP to a Client figure shows an example of the Neighbor Report
message that a Mojo AP sends its client. The report informs the client that channels 157 and 11
are available on neighboring APs. The client now needs to scan only these channels and pick
the AP with the best signal as its target. This saves time and improves user experience.

Figure 6: Neighbor Report from a Mojo AP to a Client

802.11v - Use Case


Consider a client connected to an AP. The signal strength from the client could drop below a
configured threshold, or the network’s load balancing algorithm might decide that a different
AP can serve the client better. In such situations, an AP might disassociate with the client.
This can be an unexpected shock to a client, causing it to go through a complete scan before
selecting an AP to associate with. This could cause poor user experience, especially for real-
time applications.

The IEEE 802.11v amendment is also called Wireless Network Management (WNM). As the
name suggests, 802.11v has a broader scope than 802.11k. While 802.11k defines methods that
help individual clients understand their radio environment, 802.11v defines services that help
improve overall network performance.

An important service is BSS Transition Management (BSTM). When a Mojo AP decides to
disassociate with a client, it sends an 802.11v frame called a BSTM Request. It's basically the AP
warning the client, “Beware. I am going to disassociate in 60 seconds.” (The actual time interval
is configurable.) This is called an Unsolicited Request. It allows a client some time to find and
associate with another AP. The message includes a list of neighboring APs on the same ESS that
the client can associate with. In an 802.11v message called the BSTM Response, the client can
accept or reject the AP's request. It can also ask the AP for more time – the BSTM Response
message includes a BSS Termination Delay field. Essentially, it’s the client saying, “60 seconds is
too short. Let’s disassociate after 3 minutes”. The AP honors this request.

Note that with 802.11k, only a client can request a Neighbor List. With 802.11v, however, either
the client or the AP can initiate a conversation about transitioning. So, a client can send a BSTM
Query asking a Mojo AP, “Should I associate with a different AP? If yes, which one?” Depending
on its implementation, the client may send this query periodically or based on triggers such
as low signal strength. The AP responds with a BSTM Request - called a Solicited Request -
containing the list of recommended APs the client can associate with.

Every time a Mojo AP sends an 802.11v frame, it does not necessarily want to disassociate. It
might simply want to nudge the client into looking for another AP by sending a BSTM Request
with the list of neighbors but without a disassociation warning. This could happen, for instance,
if a neighbor AP is less loaded and close enough. Since 802.11v has a network-wide view of
things, it might recommend (but not force) the client to move to the less loaded AP. To allow
this, 802.11v provides a Disassociation Imminent flag bit, which indicates whether the AP
intends to disassociate with the client.
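
The BSTM Request described above, and the Neighbor Report entries it shares with 802.11k, can be decoded from a captured action frame to see whether an AP is warning of disassociation or only nudging the client. The following is an added example, not code from Mojo or from this guide; it follows the standard 802.11 field layout, the sample frames are constructed, and the 100 TU beacon interval used for the seconds conversion is an assumption.

```python
import struct
from dataclasses import dataclass, field

WNM_CATEGORY = 10          # Action frame category: WNM (802.11v)
BSTM_REQUEST = 7           # WNM action: BSS Transition Management Request
NEIGHBOR_REPORT_EID = 52   # Neighbor Report element, also used by 802.11k

# Request Mode bits
CANDIDATE_LIST_INCLUDED = 0x01
DISASSOCIATION_IMMINENT = 0x04
BSS_TERMINATION_INCLUDED = 0x08
ESS_DISASSOCIATION_IMMINENT = 0x10

TU_MICROSECONDS = 1024     # one 802.11 time unit


@dataclass
class Neighbor:
    bssid: str
    operating_class: int
    channel: int


@dataclass
class BstmRequest:
    dialog_token: int
    disassociation_imminent: bool
    disassociation_timer: int          # in beacon intervals (TBTTs)
    validity_interval: int
    neighbors: list = field(default_factory=list)

    def seconds_until_disassociation(self, beacon_interval_tu=100):
        """Timer in seconds; the 100 TU beacon interval is an assumption."""
        return self.disassociation_timer * beacon_interval_tu * TU_MICROSECONDS / 1e6

    def timer_in_guide_range(self):
        """True if the timer lies in the 10 to 3000 TBTT range the guide gives."""
        return 10 <= self.disassociation_timer <= 3000


def parse_neighbor_reports(data: bytes) -> list:
    """Walk a run of information elements and decode the Neighbor Reports."""
    neighbors, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated element header")
        eid, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) < length:
            raise ValueError("truncated element body")
        if eid == NEIGHBOR_REPORT_EID:
            if length < 13:
                raise ValueError("Neighbor Report shorter than 13 octets")
            bssid = ":".join(f"{b:02x}" for b in body[:6])
            # body[6:10] is BSSID Information, body[12] is the PHY type
            neighbors.append(Neighbor(bssid, body[10], body[11]))
        i += 2 + length
    return neighbors


def parse_bstm_request(frame_body: bytes) -> BstmRequest:
    """Decode the body of a BSTM Request action frame (starting at Category)."""
    if len(frame_body) < 7:
        raise ValueError("frame too short for a BSTM Request")
    category, action, token, mode = frame_body[:4]
    if category != WNM_CATEGORY or action != BSTM_REQUEST:
        raise ValueError("not a BSTM Request")
    timer, validity = struct.unpack_from("<HB", frame_body, 4)
    offset = 7
    if mode & BSS_TERMINATION_INCLUDED:
        offset += 12                   # BSS Termination Duration field
    if mode & ESS_DISASSOCIATION_IMMINENT:
        if offset >= len(frame_body):
            raise ValueError("missing Session Information URL")
        offset += 1 + frame_body[offset]
    if offset > len(frame_body):
        raise ValueError("optional fields run past the end of the frame")
    neighbors = []
    if mode & CANDIDATE_LIST_INCLUDED:
        neighbors = parse_neighbor_reports(frame_body[offset:])
    return BstmRequest(token, bool(mode & DISASSOCIATION_IMMINENT),
                       timer, validity, neighbors)


def _neighbor(bssid_hex, op_class, channel, phy_type):
    """Build a constructed Neighbor Report element for the samples below."""
    body = bytes.fromhex(bssid_hex) + bytes(4) + bytes([op_class, channel, phy_type])
    return bytes([NEIGHBOR_REPORT_EID, len(body)]) + body


# Constructed sample: disassociation warning with candidates on channels 157 and 11.
SAMPLE_WARNING = (bytes([WNM_CATEGORY, BSTM_REQUEST, 1,
                         CANDIDATE_LIST_INCLUDED | DISASSOCIATION_IMMINENT])
                  + struct.pack("<HB", 600, 255)
                  + _neighbor("020000000002", 125, 157, 9)
                  + _neighbor("020000000003", 81, 11, 7))
# Constructed sample: a nudge with a candidate list but no disassociation warning.
SAMPLE_NUDGE = (bytes([WNM_CATEGORY, BSTM_REQUEST, 2, CANDIDATE_LIST_INCLUDED])
                + struct.pack("<HB", 0, 255)
                + _neighbor("020000000002", 125, 157, 9))

if __name__ == "__main__":
    for sample in (SAMPLE_WARNING, SAMPLE_NUDGE):
        print(parse_bstm_request(sample))
```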

Configure RF Optimization in SSID Profile


To enable RF related optimizations navigate to CONFIGURE > SSID > RF Optimization.

1. Select types of steering you want to enable.
Types of steering are:

• Smart Client Load Balancing
• Smart Steering
• Min Association RSSI
• Band Steering
• Enforce Steering
2. You can enable 802.11k Neighbour List and 802.11v BSS Transition. By default these two
standards are disabled. Enabling these standards exposes a few additional sub-fields.

• If you enable 802.11k Neighbour List:

• You can also optionally enable Neighbor List for Both 2.4 GHz and 5 GHz Bands.
• If you enable 802.11v BSS Transition:

• You must enable Disassociation Imminent and set the Disassociation Timer field.
This is the time after which the client will be disconnected from the AP.
The Disassociation Timer is expressed in number of beacon intervals. The
Disassociation Timer must be between 10 and 3000 TBTT (Target Beacon
Transmission Time). Once the Disassociation Timer reaches zero, the client can
be disassociated based on the Force Disconnection setting.
• You can select Force Disconnection to forcefully disconnect the client after the
disassociation timer expires. The client will be disconnected even if it responds with a
negative BSS transition response. When Force Disconnection is not selected, the AP
doesn't disconnect the client (but waits for the client to disconnect on its own).
3. Select Proxy ARP and NDP.
When you enable Proxy ARP and NDP, the AP filters downstream ARP (IPv4) and NDP
(IPv6) packets and also responds as appropriate on behalf of wireless clients to conserve
wireless bandwidth. Enabling Proxy ARP and NDP enables a field that allows you to Disable
DGAF.
4. Select Disable DGAF.
If this option is enabled, the AP starts proxy ARP for IPv4 and proxy NDP for IPv6. It also
drops all Multicast and Broadcast packets in the transmit path. Selecting this option disables
Broadcast/Multicast control and IGMP Snooping.
5. Click Save.

IGMP Snooping
Multicast is often used to stream video. Multicast packets need to flood the network to reach
their recipients. Multicast packets are forwarded to many network segments. Video streaming
packets, for example, could end up being sent to segments with no video streaming clients.
These packets waste network bandwidth. The Internet Group Management Protocol (IGMP)
was developed to cull such wasteful data. IGMP provides a way for a client to inform
the Layer 2 device it is connected to that it wants to receive a multicast stream. A client does
this by sending an IGMP Report with the multicast address of the multicast session it wants
to join. Layer 2 devices use IGMP Snooping to look at multicast packets and match them to
a list of multicast addresses that clients have joined. IGMP and IGMP snooping are effective
ways to prune multicast packets so that they are forwarded only to ports on which clients have
subscribed. When you enable IGMP Snooping, the AP blocks multicast traffic from Ethernet to
wireless. To receive multicast packets, a client must send an IGMP Report with the address of
the multicast group it wants to join (IGMP Report - Join).

The client application is responsible for sending the IGMP Report. If the client application does
not support IGMP (e.g. legacy applications), you can still enable IGMP snooping. But you need
to add the multicast address that the application uses to the IGMP Snooping Exception List.
This will allow multicast traffic for that application to flow. When you add an address to the
exception list, all APs using the SSID forward all multicast packets with that address, regardless
of whether a client sent an IGMP Report to join. You can add a maximum of 30 multicast
addresses to the exception list.

When a client receiving multicast packets roams to another AP, the snoop table is forwarded.
The client does not need to send a new IGMP Report to join. Convert Multicast to Unicast
converts multicast packets to unicast, except for the addresses in the exception list.

Table 2 – IGMP Snoop Table

| Feature | Description | Default | Range |
| --- | --- | --- | --- |
| IGMP Snooping | Enables IGMP Snooping | Enabled | - |
| IGMP Snooping Exception List | Allow multicast to be delivered without client sending an IGMP Report (Join) | | 30 Max |

Table 3 – IGMP Snooping Restrictions

| Feature | Restrictions |
| --- | --- |
| IGMP Snooping | Enabled by default |
| | Based on client IGMP Report (Join) |
| | Enable – blocks multicast, Disable – forwards all multicast |
| | Applies to multicast going from Ethernet to wireless |
| | Independent of multicast/unicast conversion |
| | Snoop table forwarded when client roams |
| | AP does not send IGMP Query |
| IGMP Snoop Protected Address | Max 30 multicast addresses |
| | Internal protected addresses |
| | 224.0.0.1/24 – query for all systems |
| | 224.0.0.22/24 – IGMP v3 addresses |
| | Not converted to unicast even if Convert Multicast to Unicast is enabled. |
| | All packets forwarded on match even if no client sends an IGMP Report to join |
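
The forwarding rules in this section (joins, the exception list, the protected addresses, unicast conversion and roaming) can be modelled as a small snoop table. This is an added example, not Mojo's implementation; the class and function names are hypothetical, the IGMPv2 messages are constructed with an unverified zero checksum, and the protected addresses are parsed exactly as the guide writes them.

```python
import ipaddress
import struct

MAX_EXCEPTIONS = 30   # limit stated in the guide
# Internal protected addresses as written in Table 3; parsed with
# strict=False, both entries resolve to the network 224.0.0.0/24.
PROTECTED = [ipaddress.ip_network(n, strict=False)
             for n in ("224.0.0.1/24", "224.0.0.22/24")]

IGMP_V2_REPORT = 0x16  # IGMPv2 Membership Report (Join)
IGMP_LEAVE = 0x17      # IGMPv2 Leave Group


def igmp_v2(msg_type, group):
    """Build a constructed 8-byte IGMPv2 message (checksum left at zero)."""
    return struct.pack("!BBH4s", msg_type, 0, 0,
                       ipaddress.IPv4Address(group).packed)


def parse_igmp_v2(payload: bytes):
    """Return (message type, group address) from an IGMPv2 message."""
    if len(payload) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    msg_type, _max_resp, _checksum, group = struct.unpack("!BBH4s", payload[:8])
    return msg_type, ipaddress.IPv4Address(group)


class SnoopTable:
    """Ethernet-to-wireless multicast decisions for one AP (hypothetical model)."""

    def __init__(self, snooping=True, convert_to_unicast=False):
        if convert_to_unicast and not snooping:
            raise ValueError("Convert Multicast to Unicast requires IGMP Snooping")
        self.snooping = snooping
        self.convert_to_unicast = convert_to_unicast
        self.exceptions = set()
        self.members = {}          # group address -> set of client MACs

    def add_exception(self, addr):
        ip = ipaddress.IPv4Address(addr)
        if not ip.is_multicast:
            raise ValueError(f"{ip} is not a multicast address")
        if ip not in self.exceptions and len(self.exceptions) >= MAX_EXCEPTIONS:
            raise ValueError("exception list already holds 30 addresses")
        self.exceptions.add(ip)

    def handle_igmp(self, client_mac, payload):
        """Update membership from a client's IGMP Report or Leave."""
        msg_type, group = parse_igmp_v2(payload)
        if msg_type == IGMP_V2_REPORT:
            self.members.setdefault(group, set()).add(client_mac)
        elif msg_type == IGMP_LEAVE:
            self.members.get(group, set()).discard(client_mac)

    def roam(self, client_mac, new_ap):
        """Hand the client's snoop entries to the AP it roams to."""
        for group, macs in self.members.items():
            if client_mac in macs:
                macs.discard(client_mac)
                new_ap.members.setdefault(group, set()).add(client_mac)

    def decide(self, dst):
        """Return (action, unicast targets) for a multicast packet to dst."""
        ip = ipaddress.IPv4Address(dst)
        if not self.snooping:
            return ("multicast", [])           # disabled: forward all multicast
        if ip in self.exceptions or any(ip in net for net in PROTECTED):
            return ("multicast", [])           # never converted to unicast
        macs = self.members.get(ip)
        if not macs:
            return ("drop", [])                # no client has joined
        if self.convert_to_unicast:
            return ("unicast", sorted(macs))
        return ("multicast", [])


if __name__ == "__main__":
    ap = SnoopTable(convert_to_unicast=True)
    print(ap.decide("239.1.1.1"))
    ap.handle_igmp("02:00:00:00:00:0a", igmp_v2(IGMP_V2_REPORT, "239.1.1.1"))
    print(ap.decide("239.1.1.1"))
```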

Configure IGMP Snooping in SSID Profile
IGMP is the Internet Group Management Protocol. IGMP snooping is the process of listening
to IGMP network traffic. Enabling IGMP Snooping for a selected SSID blocks the multicast
packets if no client joins the multicast group. Enabling the IGMP snooping does not convert the
packets from multicast to unicast until you specifically enable Multicast to Unicast.

To learn more about the parameters required to configure IGMP Snooping, refer to IGMP Snooping
Parameters.

To configure IGMP Snooping:

1. Navigate to Configure > SSID.
2. Scroll down and select IGMP Snooping.
3. Enter IP address in IGMP Snooping Exception List.
4. Enter Snoop Timeout in minutes.
5. Select Convert Multicast to Unicast.
Convert Multicast to Unicast is disabled by default. You can enable it only if IGMP
Snooping is enabled. If you enable Convert Multicast to Unicast, then all the multicast
packets are converted to MAC layer unicast packets after passing the snoop check.
6. Select the appropriate value for Tag Packets with Selected Priority.
7. Click Save.

SSID Traffic Shaping and QoS


You can optimize bandwidth utilization and Quality of Service (QoS) settings for this SSID on the
Traffic Shaping & QoS tab.

Traffic Shaping

You can restrict the upload and download bandwidths on the SSID. Such restrictions could
be really useful for Guest or student SSIDs, for example. You can also limit the number of
simultaneous associations that the SSID allows.

Depending on how you've set up the SSID, the bandwidth limits could come from a source
other than the Traffic Shaping parameters defined here. For example, enterprise networks often
use RADIUS servers to propagate network policies across APs. Users are divided into groups
and policies are applied to each group. So the Sales group might have different bandwidth
limits than those of the HR group. In such cases, the bandwidth limits could come from the
RADIUS server. If an AP doesn't get values from the RADIUS server, it uses values defined on
the Traffic Shaping & QoS tab.

Below are the possible sources from where an SSID might get its bandwidth control values:

• From a RADIUS server being used for authentication by an external Captive Portal. This is if
you have configured an external Captive Portal on this SSID and that portal uses a RADIUS
server to propagate policies.
• From a Captive Portal on Mojo Cloud. This is if you have configured the SSID to use a Captive
Portal on Mojo Cloud.
• From a RADIUS server when you have configured the SSID to use 802.1x security.
• From the values defined here, in the Traffic Shaping & QoS tab on the Mojo server.

Typically, only one of the above sources will apply. For example, if you have defined an external
Captive Portal on this SSID, then obviously there is no portal on the Mojo Cloud for this SSID.
The only possibility is that a RADIUS server or a Captive Portal does not pass bandwidth control
values on to a Mojo AP, in which case the values defined in Traffic Shaping & QoS apply.

You can limit the data rate for Unicast traffic between a minimum and maximum value. The
Set the data rate for multicast, broadcast and management traffic to parameter sets the
Basic or Mandatory rate of the AP. This not only controls the data rate at which broadcast /
multicast packets are sent but also sets the data rate at which Beacons are sent. You must set
this rate carefully. Increasing the basic rate of the AP does reduce the transmission airtime,
but it also reduces the effective coverage area. This could cause problems for the client if the
AP's coverage at the client is not enough for that data rate. For example, real-time streaming
of audio and video are applications that commonly use multicast packets for delivery. If clients
have problems receiving multicast packets because the AP coverage is not good enough to
support higher data rates, they will experience choppy audio or pixelation and screen freezing.

Select Per User Bandwidth Control to restrict bandwidth on a per-user basis (the bandwidth
controls discussed earlier were for a per-SSID basis). The RADIUS attributes used to set per-
user bandwidth control fall under vendor-specific attributes, IETF ID:26. The table below shows
the mapping of Mojo attributes to RADIUS attributes. The vendor ID for Mojo is 16901.

Table 5: Mojo to RADIUS - Mapping of Bandwidth Control Attributes

| Mojo Attribute | RADIUS Attribute |
| --- | --- |
| Per-user download limit | 5 |
| Per-user upload limit | 6 |
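
To check what a RADIUS server actually returns for per-user bandwidth control, the vendor-specific attributes can be pulled out of an Access-Accept with strict bounds checks. This is an added example, not code from Mojo or this guide; the sample packet is constructed, and the sub-attribute layout (one-byte type and length, per the RFC 2865 recommendation), the 32-bit integer value encoding and the per-attribute fallback to the Traffic Shaping & QoS values are assumptions the guide does not state.

```python
import struct

VENDOR_SPECIFIC = 26       # IETF attribute type for vendor-specific attributes
MOJO_VENDOR_ID = 16901     # vendor ID given in the guide
MOJO_BANDWIDTH_ATTRS = {5: "per_user_download_limit",
                        6: "per_user_upload_limit"}


def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    _code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def iter_vendor_subattributes(value: bytes):
    """Yield (vendor_id, vendor_type, data) from one Vendor-Specific value."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute lacks a vendor ID")
    vendor_id = struct.unpack_from("!I", value, 0)[0]
    pos = 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("vendor sub-attribute length out of bounds")
        yield vendor_id, vtype, value[pos + 2:pos + vlen]
        pos += vlen


def mojo_bandwidth_limits(packet: bytes) -> dict:
    """Return the per-user limits carried for vendor 16901, if any."""
    limits = {}
    for attr_type, value in iter_attributes(packet):
        if attr_type != VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, data in iter_vendor_subattributes(value):
            if vendor_id != MOJO_VENDOR_ID or vtype not in MOJO_BANDWIDTH_ATTRS:
                continue          # another vendor's attribute, or not a limit
            if len(data) != 4:    # assumption: 32-bit big-endian integer
                raise ValueError("unexpected value length for bandwidth limit")
            limits[MOJO_BANDWIDTH_ATTRS[vtype]] = struct.unpack("!I", data)[0]
    return limits


def effective_limits(packet: bytes, ssid_limits: dict) -> dict:
    """RADIUS values win; otherwise the Traffic Shaping & QoS values apply.
    Falling back attribute by attribute is an assumption of this example."""
    return {**ssid_limits, **mojo_bandwidth_limits(packet)}


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def _vsa(vendor_id, *subattrs):
    body = struct.pack("!I", vendor_id) + b"".join(_attr(t, v) for t, v in subattrs)
    return _attr(VENDOR_SPECIFIC, body)


def build_sample_accept():
    """Constructed Access-Accept with a zeroed authenticator."""
    attrs = (_attr(27, struct.pack("!I", 3600))              # Session-Timeout
             + _vsa(99999, (5, struct.pack("!I", 1)))        # constructed other vendor
             + _vsa(MOJO_VENDOR_ID,
                    (5, struct.pack("!I", 2048)),
                    (6, struct.pack("!I", 512))))
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    print(mojo_bandwidth_limits(build_sample_accept()))
```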

QoS

Quality of Service determines the priorities assigned to various types of traffic. Applications
such as voice over IP, video, and online games need a service guarantee. When network
bandwidth is shared, defining priorities becomes a must for such applications. You must
define the QoS parameters if you are using the SSID for such applications. QoS ensures that
applications that need higher priority get it. The service guarantee for such applications is met
by allocating adequate bandwidth based on the QoS priority.

QoS is essentially about differentiating between services. So, a QoS mechanism might
classify traffic as Background, Best Effort, Video and Voice, in increasing order of priority, i.e.,
Background traffic has the lowest priority while Voice calls have the highest. The main QoS
standards in use are:

• Type of Service (TOS) - a field in older versions of IPv4 header.
• Differentiated Services Code Point (DSCP) - the TOS field redefined for better QoS
differentiation. DSCP is also specified in the IP header.
• 802.1p Class of Service - a field in the Ethernet frame
• 802.11e WiFi Multi-Media (WMM) - an 802.11 enhancement that alters MAC-layer behavior
based on the traffic type

These standards differ from each other in how they classify traffic.

Select Enforce WMM Admission Control if you want to enforce the admission control
parameters configured under SSID Radio Settings > Advanced Radio Settings.
Note: The WMM Admission Control settings configured under Radio Settings override the
QoS Settings configured in the Traffic Shaping & QoS tab.

For an 802.11n AP, WMM (Wi-Fi multimedia) is mandatory. For 802.11n APs, if you don't enable
QoS, the system uses the default QoS parameters.

The default QoS settings are:

• SSID Priority is Voice.
• Priority Type is Ceiling.
• Downstream Mapping is DSCP.
• Upstream Marking is enabled and the value is 802.1p Marking.

The system applies user-configured QoS settings if you enable QoS.

With SSID Priority, you can select which type of traffic — Background, Best Effort, Video or
Voice — you want to prioritize. There are two types of priority:

• Fixed: Select this if you want all traffic transmitted on this SSID to have the selected
priority, irrespective of the priority indicated in the 802.1p or IP header. For example,
you could set all traffic to Background, in which case the SSID treats even voice and video
packets as Background traffic.
• Ceiling: Select this if you want traffic on this SSID to have priorities equal to or lower
than the selected priority. For example, if you set SSID Priority to Video and Type to
Ceiling, the SSID differentiates Background, Best Effort, and Video traffic but not Voice,
since that is higher than Video. In effect, it treats Voice and Video equally.

If you select Fixed, Mojo Aware grays out the Downstream Mapping, since all traffic is marked
with the selected priority and there is no downstream mapping to be done. If you select Ceiling,
however, you can choose from among DSCP, 802.1p or TOS to map downstream traffic.

A Mojo AP translates the traffic class mark from a standard (say, DSCP) to a service guarantee
by mapping the downstream traffic to a WMM Access Category, since 802.11e WMM is what
induces MAC-layer behavior to allocate appropriate WiFi bandwidth. So an AP extracts the
priority from the selected standard (802.1p, DSCP or TOS) and maps it to the WMM Access
Category, subject to a maximum of the selected SSID Priority (i.e. the Ceiling). For downstream
traffic, the mapping depends on the first 3 bits (Class selector) of the DSCP value, TOS value, or
802.1p access category. The only exception is DSCP value 46 which is mapped to WMM access
category 'Voice'. The table below shows downstream traffic mapping.

| DSCP / TOS / 802.1p Class of Service | 802.11e/WMM access category |
|---|---|
| 0 (Background) | 1 (Background) |
| 1 (Best Effort) | 0 (Best Effort) |
| 2 (Excellent Effort) | 3 (Best Effort) |
| 3 (Critical Apps) | 4 (Video) |
| 4 (Video) | 5 (Video) |
| 5 (Voice) | 6 (Voice) |
| 6 (Internetwork Ctrl) | 7 (Voice) |
| 7 (Network Ctrl) | 7 (Voice) |
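
The downstream rules above (class selector lookup, the DSCP 46 exception, and the Fixed / Ceiling priority types) can be written as a short lookup. This is an added example, not code from Mojo Aware: the function names are hypothetical, and it assumes the "first 3 bits" are the top three bits of the 6-bit DSCP value or of the 8-bit TOS byte.

```python
# Access categories in increasing order of priority, as listed in this guide.
CATEGORIES = ["Background", "Best Effort", "Video", "Voice"]
RANK = {name: i for i, name in enumerate(CATEGORIES)}

# Class selector -> WMM access category name, copied from the guide's
# downstream mapping table.
CLASS_TO_CATEGORY = {
    0: "Background", 1: "Best Effort", 2: "Best Effort", 3: "Video",
    4: "Video", 5: "Voice", 6: "Voice", 7: "Voice",
}

# Number of possible values per marking field (assumption: standard widths).
FIELD_SIZE = {"dscp": 64, "tos": 256, "802.1p": 8}


def class_selector(field, value):
    """Return the 3-bit class selector of a DSCP, TOS or 802.1p value."""
    if field not in FIELD_SIZE:
        raise ValueError(f"unknown mapping field: {field!r}")
    if not 0 <= value < FIELD_SIZE[field]:
        raise ValueError(f"{field} value out of range: {value}")
    if field == "dscp":
        return value >> 3      # top 3 of 6 bits
    if field == "tos":
        return value >> 5      # top 3 of 8 bits
    return value               # 802.1p is already a 3-bit value


def downstream_category(field, value, ssid_priority, priority_type):
    """WMM access category a downstream packet ends up in on the SSID."""
    if ssid_priority not in RANK:
        raise ValueError(f"unknown SSID priority: {ssid_priority!r}")
    if priority_type == "Fixed":
        # Fixed: the packet's own marking is ignored entirely.
        return ssid_priority
    if priority_type != "Ceiling":
        raise ValueError(f"unknown priority type: {priority_type!r}")
    if field == "dscp" and value == 46:
        marked = "Voice"       # the one exception named in the guide
    else:
        marked = CLASS_TO_CATEGORY[class_selector(field, value)]
    # Ceiling: never exceed the SSID Priority.
    return CATEGORIES[min(RANK[marked], RANK[ssid_priority])]


def differentiated_categories(ssid_priority, priority_type, field="dscp"):
    """Categories the SSID can still tell apart, over every possible marking."""
    seen = {
        downstream_category(field, v, ssid_priority, priority_type)
        for v in range(FIELD_SIZE[field])
    }
    return [c for c in CATEGORIES if c in seen]


if __name__ == "__main__":
    # Default settings in the guide: Voice / Ceiling / DSCP.
    for dscp in (0, 10, 26, 34, 46, 48):
        print(dscp, downstream_category("dscp", dscp, "Voice", "Ceiling"))
    print(differentiated_categories("Video", "Ceiling"))
```

Running `differentiated_categories` against a planned SSID Priority shows at a glance which markings the SSID collapses together before you save the profile.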

For Upstream Mapping, you can enable both 802.1p and DSCP / TOS Marking, since 802.1p is
an Ethernet frame field and DSCP / TOS is in the IP header. The table below shows the mapping
used for upstream traffic.

| 802.1p Class of Service | DSCP | 802.11e/WMM Access Category |
|---|---|---|
| 1 | 0 | 0 |
| 0 | 10 | 1 |
| 0 | 18 | 2 |
| 2 | 0 | 3 |
| 3 | 26 | 4 |
| 4 | 34 | 5 |
| 5 | 46 | 6 |
| 6 | 48 | 7 |

Configure Traffic Shaping
Traffic Shaping helps in effective utilization of network bandwidth by setting an upload and
download limit for the network, restricting the number of client associations, band steering, etc.
You can opt for one or more of these ways depending on the network traffic, the applications
used on the SSID, and the Mojo device model in use.

To configure Traffic Shaping:

1. Navigate to Configure > SSID > Traffic Shaping and QOS.
2. You can limit the upload and/or download bandwidth on an SSID in SSID Bandwidth
Control. To restrict the bandwidth on the SSID:
a) Select Limit the maximum upload bandwidth on the SSID to and enter a data rate, from
0 through 1024 Kbps, to restrict the upload bandwidth for the SSID to the value specified
here.
b) Select Limit the maximum download bandwidth on the SSID to and enter a data rate,
from 0 through 1024 Kbps, to restrict the download bandwidth for the SSID to the value
specified here.
3. You can limit the number of clients associating with an SSID per radio. To limit the number of
client associations:
a) Select Limit maximum number of simultaneous associations to if you want to
specify the maximum number of clients that can associate with an SSID per radio.
b) Specify the maximum number of clients in the field below the Limit maximum number
of simultaneous associations to field.
4. You can specify the minimum and maximum data rate for the AP-client communication in
Unicast Rate Control. To specify a minimum and maximum data rate:
a) Select Limit the minimum data rate for unicast traffic to and specify the minimum data
rate for communication in the field below the Limit the minimum data rate for unicast
traffic to field.
b) Select Limit the maximum data rate for unicast traffic to and specify the maximum
data rate for communication in the field below the Limit the maximum data rate for
unicast traffic to field.
The maximum threshold for the minimum as well as the maximum data rate is 54 Mbps.
Selecting the Limit the maximum data rate for unicast traffic to field enables the Apply to
all clients including 802.11n and 802.11ac field.
c) Select the Apply to all clients including 802.11n and 802.11ac field if you wish to apply the
specified maximum data rate for unicast traffic to all the clients.
5. Click Save.

Configure Quality of Service (QoS)
Quality of Service determines the priorities assigned to various types of traffic. The service
guarantee is imperative in case of streaming multimedia applications, for example, voice over IP,
video, online games etc.

Before you configure Quality of Service settings for the SSID, refer to SSID Traffic Shaping and
QoS to understand the Quality of Service concept.

To configure Quality of Service (QoS):

1. Navigate to Configure > SSID > Traffic Shaping and QOS.
2. Scroll down and select QoS to define your own QoS settings for Wi-Fi multimedia on the
SSID profile.
Selecting QoS enables parameters required for QoS settings.
3. Select Enforce WMM Admission Control.
This field helps you specify whether the admission control parameters configured in
the device template applied to the Mojo device must be enforced for the network. The
admission control parameters are configured under Radio Advanced Settings for Mojo
devices functioning as access points.
Note: The WMM Admission Control settings configured for the radio on which the Wi-Fi
profile is applied, override the QoS Settings configured in the Wi-Fi profile.
4. Select voice, video, best effort or background as the SSID Priority depending on your
requirement.
5. Select Priority Type as Fixed or Ceiling.
Priority Type is selected as Fixed if all traffic of this SSID has to be transmitted at the
selected priority irrespective of the priority indicated in the 802.1p or IP header. Priority Type
is selected as Ceiling if traffic of this SSID can be transmitted at priorities equal to or lower
than the selected priority.
6. Downstream mapping option is enabled if Priority Type is selected as Ceiling. Select the
appropriate Mapping Type.
The priority is extracted from the selected field (802.1p, DSCP or TOS) and mapped to the
wireless access category for the downstream traffic subject to a maximum of the selected
SSID Priority. For the downstream mappings, the mapping depends on the first 3 bits (Class
selector) of the DSCP value, TOS value or 802.1p access category. The only exception will be
DSCP value 46 which will be mapped to WMM access category 'Voice'.
7. Select the Upstream marking option as per the requirement.
The incoming wireless access category is mapped to a priority subject to a maximum of the
selected SSID priority and set in the 802.1p header and the IP header as selected.
8. Click Save.

SSID Scheduling
If you want to limit the duration for which the SSID is active, you can define a schedule for the
SSID.

You can also specify if an SSID is to be permanently active or valid for only a limited time
duration. This could be useful if, for example, you have an event coming up for which you want
to use a special Guest SSID with a different splash page. Another use case might be to restrict
employee SSID use to office hours. When you enable Select Timeslot, Mojo Aware shows a
calendar view of the week split into days (rows) and hours (columns). You can then go ahead
and select the timeslots when you want the SSID Turned On.

Configure SSID Scheduling


After you create an SSID profile, by default, the profile remains active until you delete
it. However, you can make an SSID available or active only for a limited time period, or only for a
limited number of hours during the day, by using the SSID scheduling feature.

To configure SSID Scheduling:

1. Navigate to Configure > SSID.
2. Click Add New SSID.
3. Click the menu icon (three vertical dots) next to the Network tab.
4. Select SSID Scheduling.
5. Select Validity Type as Now to Forever or Custom, depending on whether you want to keep
the SSID active throughout or for specific hours.
Now to Forever indicates that the SSID is deployed permanently. Selecting Custom enables the
From and To fields.
6. If you select Custom as the validity type, specify the start and end dates in the From and To
fields. This deploys the SSID for a limited time duration.
7. Select Select Timeslot.
8. Select the active timeslots for the SSID.
Active timeslots are the times during which the SSID is active. The minimum active time
duration that you can select is 30 minutes. Click between the squares representing the time
of the day (12 a.m. - 11 p.m.) to select the desired active intervals. The blue color indicates
active duration and the white color indicates inactive duration.
9. Click Save.

Turn an SSID On
You need to turn an SSID on before it becomes available for access to users.

1. You can turn on a new SSID once you're done configuring it, or you can turn an existing SSID
on.

• If you are adding a new SSID, you can click Save & Turn SSID On after you are done
configuring at least the three mandatory SSID tabs (Basic, Security and Network).
• If you are turning an existing SSID on, just go to Configure and click the OFF / ON switch
on the SSID you want to turn on.

A Turn SSID On dialog window opens up.


2. Select whether you want the SSID on the 2.4GHz band, the 5GHz band or Both bands, and
click Turn SSID On.

• Some features in an SSID depend on Background Scanning under Configuration > Device
settings. If you have enabled any such features on the SSID, but you have
not enabled background scanning, then the dialog window prompts you to do so.
Click Continue on the dialog window. This takes you to stage 2, where Mojo Aware
recommends that you turn background scanning on. You can still turn the SSID on
without enabling background scanning, but features in the SSID that depend on
background scanning might not work properly.

The following message appears: "SSID turned on successfully. It may take some time for
these changes to take effect on the access point(s)".

Edit an SSID
You can modify an existing SSID.

To edit an existing SSID at a location:

1. Go to Configure.
This takes you to the SSID tab by default.
2. On the SSID you want to edit, click Edit (the pencil icon).
The Basic tab opens up.
3. To modify the settings on any of the SSID tabs, simply click the tab you want to edit.
If the tab you want to edit is not visible, click the Menu icon (three vertical dots) next to the
Network tab to see all the SSID tabs.
4. Click Save to save the SSID or click Save & Turn SSID On to save and turn it on.
An "SSID updated successfully" message appears.

Delete an SSID
You can delete an SSID from a location.

To delete an SSID at a location:

1. Go to Configure.
This takes you to the SSID tab by default.
2. On the SSID you want to delete, click the Menu icon (three vertical dots) and select Delete.
A dialog appears confirming that you want to delete the SSID.
3. Click Delete.
An "SSID deleted successfully" message appears.

Duplicate an SSID
You can duplicate an SSID at the same location or at a different one.

To duplicate an SSID:
1. Go to Configure.
This takes you to the SSID tab by default.
2. On the SSID you want to duplicate, click the Menu icon (three vertical dots) and select
Duplicate.
A popup dialog appears, asking you if you want to duplicate the SSID in the current folder or
a different one.
3. Select Currently Selected Folder to duplicate the SSID in the current folder or At a
Different Folder to duplicate it at a different location, and click Continue.

• If you chose Currently Selected Folder, an "SSID duplicated successfully" message
appears and you can see a duplicate SSID in the current location.
Note: If you duplicate the SSID at the current location, the SSID Profile Name is
different for the duplicate copy. For example, if you duplicate "ABC Corp" at the same
location, then the new SSID name will be "ABC Corp" but its profile name will be
"Copy of ABC Corp(1)".
• If you chose At a Different Folder, the location hierarchy appears on the right pane
window. Select the location where you want the SSID duplicated and click Duplicate. An
"SSID duplicated successfully" message appears.

RADIUS
You can create, edit and delete RADIUS servers on the RADIUS tab.

Enterprise networks often use RADIUS (Remote Authentication Dial-In User Service) servers
for Authentication, Authorization and Accounting (AAA) in the network. You can define the IP
Address of the RADIUS server, the port numbers for Authentication and Accounting, and the
Shared Secret between the APs at this location and the RADIUS server.

You can define multiple RADIUS profiles at a location. You can then directly invoke these
RADIUS profiles in different SSID contexts by just selecting one of them. For example, if you use
802.1x Authentication in the SSID Security settings or in the SSID Captive Portal settings, you
can select from among the RADIUS profiles defined here on the RADIUS tab. To take some use
cases, an "Employee" SSID and a "Guest" SSID could both use the same RADIUS profile but in
different contexts — employees might use WPA2-PSK with 802.1x, while guests might use a
captive portal. Or, SSIDs at child "Branch" locations of an enterprise, for example, could all use
the same "HQ RADIUS" profile defined at the parent HQ location.

Configure RADIUS Profile


RADIUS Profile configuration is specific to the location hierarchy. A RADIUS Profile defined at a
location is visible at all its child locations, but not vice versa. The RADIUS Profile listing is
available in the Card Grid View layout.

To know more about the parameters required in configuring RADIUS Settings, refer to RADIUS
Settings Parameters.

To configure RADIUS profile settings:

1. Navigate to CONFIGURE -> RADIUS.
2. Click Add New RADIUS Profile.
3. Specify a name for the new RADIUS profile in the RADIUS Name field.
4. Specify the server IP or hostname in the IP Address field.
5. Specify the port number of the authenticating RADIUS server in the Authentication Port field.
6. Specify the port number of the accounting RADIUS server in the Accounting Port field.
7. Specify a Shared Secret key.
Use the eye icon to toggle between displaying the shared secret and hiding it.
8. Click Save.
If the configuration is correct and saved successfully, Mojo Aware displays a success
message. The existing RADIUS profile can be edited, duplicated, and deleted.

RADIUS Setting Parameters
The table below provides information related to RADIUS Settings parameters.

| Field | Description |
|---|---|
| RADIUS Name | Name for the RADIUS profile. |
| IP Address/Hostname | IP address / hostname of accounting RADIUS server. |
| Authentication Port | The port number at which the RADIUS server listens for authentication requests. The value can be between 1 and 65535. The default value is 1812. |
| Accounting Port | The port number on which to contact the RADIUS accounting server. The value can be between 1 and 65535. The default value is 1813. |
| Shared Secret | The secret shared between the primary RADIUS server and the AP. |

Edit a RADIUS Profile


Any existing RADIUS profile can be edited at the location where it was created. Changes made to a
profile created at the parent location are reflected in the inherited profile at the child location.

To know more about the parameters required in editing RADIUS Settings, refer to RADIUS Settings
Parameters.

To edit the RADIUS profile:

1. Click the options tab (three vertical dots) of the RADIUS profile that is to be edited.
2. Select Edit.

• If you are on the location where the profile was created, then go directly to step 3.
• If you are on the child location and the profile is an inherited profile, then choose the
appropriate option.

| Option | Description |
|---|---|
| Go to Parent Folder and Edit | Perform step 2 again and then perform step 3. |
| Duplicate & Continue | A ready-to-edit duplicate profile gets created on the child location. |

3. Make the necessary changes and click Save.

Once the Profile is edited successfully, Mojo Aware displays a success message.

Duplicate a RADIUS Profile


Any existing RADIUS profile can be duplicated. Duplication creates an exact copy of an existing
RADIUS profile. The duplicate profile has the same name and configured properties as the
original profile. A duplicate profile created at the parent location exists at the child location
as well, but not vice versa.

To duplicate the existing RADIUS profile:


1. Click the options tab (three vertical dots) of the RADIUS profile that is to be duplicated.
2. Select Duplicate.
3. Select an option depending on the location where you would like to duplicate the RADIUS
profile.

• If you select Currently Selected Folder in the above step, then the RADIUS profile gets
duplicated in the current location.
• If you select At a Different Folder in the above step, then select the new location, at which
the RADIUS profile is to be duplicated, from the Duplicate Radius to window.
4. Click Duplicate.
Once the profile is duplicated successfully, Mojo Aware displays a success message.

Delete a RADIUS Profile
An existing RADIUS profile and a duplicate RADIUS profile can be deleted using the delete
option. Once deleted, the profile is removed permanently from its location and from its child
locations as well. Inherited profiles cannot be deleted from the child location. Profiles can be
deleted only at the location where they were created.
Note: You cannot delete a RADIUS profile that is currently in use on an SSID. You need to
disable / remove the RADIUS profile from the SSID configuration before you delete it.

To delete the RADIUS profile:

1. Click on the options tab (three vertical dots), of the RADIUS profile that is to be deleted.
2. Select Delete.
3. Perform the following location-dependent actions:

• If you are on the location where you had created the RADIUS profile, then select Delete.
• If you are on the child location and the profile to be deleted is an inherited profile, then
click Go to Parent Folder & Delete.

This action takes you to the parent location, with an appropriate message. Once you
are at the parent location, perform all the above steps again.

Once the Profile is deleted successfully, Mojo Aware displays a success message.

Tunnel Interface
A Tunnel Interface is useful when you want to route network traffic on the SSID to and from a
single end point, and apply policies at this end point.

One use case for this could be a distributed enterprise that wants to channel all traffic through
HQ. The way to do this is to define a Tunnel Interface Profile in Mojo Aware and to specify
a Remote Endpoint — say, an aggregation device. All traffic is then "tunneled" to this point,
processed for whatever purpose (for example, inspected for unauthorized traffic), and then
routed to its destination.

You can define multiple Tunnel Interface profiles at a location. You can then invoke the tunnel
interface in an SSID context by selecting one of them. For example, if you choose the Tunneled
mode in the SSID Network Settings, you can select from among the Tunnel Interface profiles
defined here on the Tunnel Interface tab. A typical use case would be when all traffic is
"tunneled" to the HQ location of an enterprise. Then, SSIDs at child "Branch" locations of the
enterprise could all use the same "HQ Tunnel Interface" profile defined at the parent HQ
location.

A standard L2 tunnelling protocol is Ethernet over GRE (EoGRE), where GRE itself is a Generic
Routing Encapsulation protocol. See EoGRE for details.

For redundancy, you can define a Primary and a Secondary remote endpoint. Traffic is bridged
to the secondary endpoint if the primary endpoint fails. The secondary endpoint checks for the
availability of the primary endpoint and transfers control to the primary endpoint once it is up
and running. You can also use an optional GRE Primary Key at both ends of the tunnel.

You must assign a VLAN ID to this interface. This is the VLAN ID that the tunnelled traffic is
tagged with.

You must also configure the Retry Parameters that govern how the AP pings the remote
endpoint to check for connectivity. See Tunnel Interface Parameters for details.

What is EoGRE?
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a variety
of network layer protocols inside virtual point-to-point links over an IP internetwork. Ethernet
over GRE (EoGRE) encapsulates Ethernet packets in GRE and provides the ability to set up one or
more EoGRE tunnels from an access point to an aggregation device such as a router.

The packet sent by the client contains the following:

• Inner Eth – source: client MAC / destination: gateway MAC address
• Inner IP – source: client IP / destination: IP of the destination the client is trying to reach
• Data

The AP adds the following to this packet:

• SSID VLAN (optional) – If a VLAN ID is configured in the SSID, then it is appended to the
packet.
• GRE – All flags set to 0; Ether-Type set to 0x6558 for native Ethernet.
• Outer IP – source: IP of the AP / destination: IP of the tunnel end-point
• N/W VLAN (optional) – If a VLAN is configured for the tunnel, then it is appended to the
packet.
• Outer Eth – source: AP MAC / destination: MAC of the next hop.
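
To inspect tunneled traffic at the aggregation point, the layers listed above can be peeled off in order. The parser below is an added example, not code from the Mojo guide or product: all MAC addresses, IP addresses, VLAN IDs and keys are constructed, and it assumes the SSID VLAN is carried as an 802.1Q tag on the inner Ethernet frame and that a configured GRE key sets the K bit in the GRE header (RFC 2890).

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag
ETH_P_IPV4 = 0x0800
ETH_P_TEB = 0x6558     # GRE protocol type for a bridged Ethernet frame (EoGRE)
IPPROTO_GRE = 47


def parse_ethernet(buf):
    """Return (dst_mac, src_mac, vlan_id_or_None, ethertype, payload)."""
    if len(buf) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = buf[0:6].hex(":"), buf[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", buf[12:14])
    vlan, off = None, 14
    if ethertype == ETH_P_8021Q:
        if len(buf) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", buf[14:18])
        vlan, off = tci & 0x0FFF, 18
    return dst, src, vlan, ethertype, buf[off:]


def parse_ipv4(buf):
    """Return (src_ip, dst_ip, protocol, payload), trimming link-layer padding."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    (total,) = struct.unpack("!H", buf[2:4])
    if ihl < 20 or total < ihl or len(buf) < total:
        raise ValueError("inconsistent IPv4 lengths")
    src = ".".join(map(str, buf[12:16]))
    dst = ".".join(map(str, buf[16:20]))
    return src, dst, buf[9], buf[ihl:total]


def parse_gre(buf):
    """Return (key_or_None, protocol_type, payload) for a GRE version 0 header."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off = 4
    if flags & 0x8000:              # C bit: checksum + reserved word present
        off += 4
    key = None
    if flags & 0x2000:              # K bit: a GRE key follows
        if len(buf) < off + 4:
            raise ValueError("truncated GRE key")
        (key,) = struct.unpack("!I", buf[off:off + 4])
        off += 4
    if flags & 0x1000:              # S bit: sequence number present
        off += 4
    if len(buf) < off:
        raise ValueError("truncated GRE options")
    return key, ptype, buf[off:]


def decapsulate_eogre(frame):
    """Peel outer Eth / outer IP / GRE and describe the tunneled client frame."""
    _, ap_mac, tunnel_vlan, ethertype, rest = parse_ethernet(frame)
    if ethertype != ETH_P_IPV4:
        raise ValueError("outer frame is not IPv4")
    ap_ip, endpoint_ip, proto, rest = parse_ipv4(rest)
    if proto != IPPROTO_GRE:
        raise ValueError("outer IP payload is not GRE")
    key, ptype, rest = parse_gre(rest)
    if ptype != ETH_P_TEB:
        raise ValueError("GRE payload is not an Ethernet frame (0x6558)")
    gw_mac, client_mac, ssid_vlan, inner_type, payload = parse_ethernet(rest)
    return {
        "ap_mac": ap_mac, "outer_ip": (ap_ip, endpoint_ip),
        "tunnel_vlan": tunnel_vlan, "gre_key": key,
        "client_mac": client_mac, "gateway_mac": gw_mac,
        "ssid_vlan": ssid_vlan, "inner_ethertype": inner_type,
        "inner_payload": payload,
    }


def build_sample_frame(gre_key=None, ssid_vlan=20, tunnel_vlan=100):
    """Constructed test frame; every address, VLAN ID and key is made up."""
    def eth(dst, src, vlan, ethertype):
        tag = b"" if vlan is None else struct.pack("!HH", ETH_P_8021Q, vlan)
        return bytes.fromhex(dst + src) + tag + struct.pack("!H", ethertype)

    inner = eth("020000000001", "0200000000c1", ssid_vlan, ETH_P_IPV4)
    inner += b"inner IP packet (constructed)"
    if gre_key is None:
        gre = struct.pack("!HH", 0x0000, ETH_P_TEB)
    else:
        gre = struct.pack("!HHI", 0x2000, ETH_P_TEB, gre_key)
    body = gre + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                     IPPROTO_GRE, 0, bytes([192, 0, 2, 10]),
                     bytes([198, 51, 100, 1]))
    return eth("0200000000fe", "0200000000a1", tunnel_vlan, ETH_P_IPV4) + ip + body


if __name__ == "__main__":
    for k, v in decapsulate_eogre(build_sample_frame(gre_key=7)).items():
        print(f"{k}: {v}")
```

A frame whose GRE protocol type is not 0x6558, or whose headers are truncated, raises `ValueError` instead of being parsed as a client frame.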

[Figure: packet layout as seen in Mojo Packets]

Configure Tunnel Interface


A Tunnel Interface represents the tunnel through which network traffic from the configured
SSIDs can be routed to a remote endpoint. This feature is used to configure EoGRE (Ethernet
over Generic Routing Encapsulation). Multiple such tunnels can be configured. Tunnel Interface
configuration is specific to the location hierarchy. A Tunnel Interface Profile defined at a
location is visible at all its child locations, but not vice versa. The Tunnel Interface Profile
listing is available in the Card Grid View layout.

To know more about the parameters required to configure a Tunnel Interface, refer to Tunnel
Interface Parameters.

To configure Tunnel Interface profile:

1. Navigate to CONFIGURE -> Tunnel Interface.
2. Click Add Tunnel Interface Profile.
3. Enter the profile name in the Enter Profile Name field.
4. Select the endpoint as Primary or Secondary.
5. Enter the IP Address or Hostname of the remote endpoint in Remote Endpoint (IP Address/
Hostname).
6. Enter the key of the primary endpoint GRE header in the GRE Primary Key field.
7. Enter the VLAN ID through which the wireless network traffic is to be routed in the Local
Endpoint VLAN field.
8. You can optionally select or deselect Prefer Primary Endpoint from the Secondary tab.
It is selected by default. If it is not selected, then the primary endpoint will be active only in
case of failure.
9. To configure Retry Parameters, enter a value for Network Probe Interval in multiples of 10.
10. Enter values for Network Ping Retry Count and Network Ping Timeout.
11. Click Save.
Once the Tunnel Interface profile is created successfully, Mojo Aware displays the message
"Tunnel profile saved successfully." The existing Tunnel Interface profile can be edited,
duplicated, and deleted.

Edit a Tunnel Interface


An existing Tunnel Interface profile can be edited at the location where it was created. Changes
made to a profile created at the parent location are reflected in the inherited profile at the
child location.

To know more about the parameters required to edit a Tunnel Interface, refer to Tunnel Interface
Parameters.

To edit the Tunnel Interface profile:

1. Click the options tab (three vertical dots) of the Tunnel Interface profile that is to be
edited.
2. Select Edit.

• If you are on the location where the profile was created, then go directly to step 3.
• If you are on the child location and the profile is an inherited profile, then choose the
appropriate option.

| Option | Description |
|---|---|
| Go to Parent Folder and Edit | Perform step 2 again and then perform step 3. |
| Duplicate & Continue | A ready-to-edit duplicate profile gets created on the child location. |

3. Make the necessary changes and click Save.

Once the Profile is edited successfully, Mojo Aware displays a success message.

Tunnel Interface Parameters


The table below provides the information required to configure a Tunnel Interface Profile.

| Field | Description |
|---|---|
| Profile Name | Name of the tunnel interface profile. It can have a maximum length of 260 bytes. |
| Tunnel Type | Select Tunnel Type as Ethernet over GRE (EoGRE). |
| Remote Endpoint (IP Address/Hostname) | IP address/hostname of the remote endpoint of the GRE tunnel. |
| GRE Primary Key | Key in the primary endpoint GRE header. If configured, the key should be the same at both ends of the tunnel. Configuring a key is not mandatory for the GRE tunnel. |
| Local Endpoint VLAN | The VLAN ID through which the wireless network traffic is to be routed. A value between 0 and 4094 should be entered here. |
| Prefer Primary Endpoint | Select the check box if you want the AP to check for the availability of the primary tunnel. If the check box is not selected and the primary tunnel is down, the AP continues to operate on the secondary tunnel. |
| Network Probe interval | The interval, in seconds, after which the AP checks connectivity with the remote endpoint by sending a ping request packet. This can have a value between 10 and 3600. The interval must be a multiple of 10. It should be greater than Network Ping Timeout. |
| Network Ping Retry Count | Count of ping request packets that the AP sends to the remote endpoint. The default value is 2. |
| Network Ping Timeout | Time, in seconds, for which the AP waits for a ping reply. The default value is 10 seconds. |

Duplicate a Tunnel Interface


Any existing Tunnel Interface profile, including an inherited profile, can be duplicated.
Duplication creates an exact copy of an existing Tunnel Interface profile on the same location.
The duplicate profile has the same name and configured properties as the original profile. A
duplicate profile created at the parent location exists at the child location as well, but not
vice versa.

To duplicate the existing Tunnel Interface profile:

1. Click the options tab (three vertical dots) of the Tunnel Interface profile that is to be
duplicated.
2. Select Duplicate.
3. Select an option depending on the location where you would like to duplicate the Tunnel
Interface.

• If you select Currently Selected Folder in the above step, then the Tunnel Interface
profile gets duplicated in the current location.
• If you select At a Different Folder in the above step, then select the new location, at
which the Tunnel Interface profile is to be duplicated, from the Duplicate Tunnel Interface to
window that appears at the right of the screen.
4. Click Duplicate.

Once the Profile is duplicated successfully, Mojo Aware displays a success message.

Delete a Tunnel Interface


An existing Tunnel Interface profile and a duplicate Tunnel Interface profile can both be deleted
using the delete option. Once deleted, the profile is removed permanently from its location and
from its child locations as well. Inherited profiles cannot be deleted from the child
location. Profiles can be deleted only at the location where they were created.
Note: You cannot delete a Tunnel Interface that is currently in use on an SSID. You need to
disable / remove the Tunnel Interface from the SSID configuration before you delete it.

To delete the Tunnel Interface profile:

1. Click on the options tab (three vertical dots), of the Tunnel Interface profile that is to be
deleted.
2. Select Delete.
3. Perform the following location-dependent actions:

• If you are on the location where you had created the Tunnel Interface profile, then select
Delete.
• If you are on the child location and the profile to be deleted is an inherited profile, then
click Go to Parent Folder & Delete.

This action takes you to the parent location, with an appropriate message. Once you
are at the parent location, perform all the above steps.

Once the Profile is deleted successfully, Mojo Aware displays a success message.

Role Profile
A Role Profile defines restrictions such as VLAN, Firewalls and Bandwidth control for users to
whom the role is assigned.

Role Profiles are a Mojo way to implement Role Based Access Control (RBAC). RBAC enables
network administrators to restrict system access to authorized users. Users are granted
controlled access to network resources based on the roles assigned to them or the groups
to which they belong. RBAC often involves a RADIUS server that propagates policies to the
network.

You can configure these aspects - VLAN, firewall rules and bandwidth controls - in different
places. For example, you can set the VLAN ID for an SSID in the SSID > Network tab, the firewall
rules in the SSID > Access Control tab, and the bandwidth control values in the SSID > Traffic
Shaping & QoS tab. (For information on firewall rules, see L3-4 Firewall and Application Firewall).
So, what happens if you have different settings in one or more of the SSID tabs and different
ones here in the Role Profile tab? The answer is that there is a well-defined precedence in
which roles are assigned to users. The figure below shows this precedence.

The precedence can be summarized as:

• RADIUS settings, if configured, always trump both Role Profile settings and SSID settings
• Role Profile settings trump SSID settings unless you select Inherit from SSID.

One way to understand this precedence is to look at the scope of the three contenders: the
RADIUS server and the Role Profile are defined at the level of a location, which could cover
multiple SSIDs, while the SSID settings obviously apply only to a single SSID.

Some important things to keep in mind when configuring the Role Profile:

• Inherit from SSID: If you select this option, you can give the SSID settings preference over
the Role Profile. But remember: if these settings are defined in the RADIUS server, then
those always trump any other settings. By default, it's always RADIUS, Role Profile, and SSID
Settings in decreasing order of precedence — this option is the only way you can modify
the default behavior by having the Role Profile inherit its settings from the SSID. You would
choose to inherit the SSID settings if you do not want to enforce an alternate setting. For
example, if you have set the firewall rules in the SSID > Access Control tab, and want the
same rules to be applied to all users, then you can select this option in the role profile and
you need not configure the firewall rules in the role profile.
Note: Not selecting the Inherit from SSID option has some consequences that you
should keep in mind. Suppose you don't select the Inherit from SSID option and you
don't specify any firewall rules. Then, because Role Profile settings trump SSID settings,
no firewall rules are applied to the user at all, even if you have defined rules in the SSID
settings.
• VLAN: If you do not configure this setting in the Role Profile, then you must select the Inherit
from SSID option, since the role must have at least one VLAN assigned. Conversely, if you do
not select the Inherit from SSID, then you must select VLAN.
• Bandwidth Control: If you configure Bandwidth Control in the role profile, then you must
select Enable per user bandwidth control in the SSID > Traffic Shaping & QoS tab.

The following table lists the precedence for each setting if a role profile is applied to a user. The
footnotes below explain what settings apply to the user's session.

| Setting | SSID Profile | Role Profile | Inherit from SSID | Precedence | Footnote |
|---|---|---|---|---|---|
| VLAN | Yes/No | Yes | Yes/No | Role Profile | 1 |
| VLAN | Yes | No | Yes | SSID Profile | 2 |
| Bandwidth Control | Yes/No | Yes | Yes/No | Role Profile | |
| Bandwidth Control | Yes | No | Yes | SSID Profile | |
| Bandwidth Control | Yes | Yes | Yes | Role Profile / SSID Profile | 3 |
| Bandwidth Control | Yes | Yes/No | No | Role Profile | 4 |
| Firewall Rules | Yes/No | Yes | Yes/No | Role Profile | |
| Firewall Rules | Yes | No | Yes | SSID Profile | |
| Firewall Rules | Yes | Yes | Yes | Role Profile / SSID Profile | 5 |
| Firewall Rules | Yes | Yes/No | No | Role Profile | 6 |
| Redirection | Yes | Yes | Yes/No | Role Profile | |
| Redirection | Yes | No | Yes | SSID Profile | 7 |
| Redirection | Yes | No | No | Role Profile | |

1. If no VLANs are configured in the SSID, the default value of 0 indicating untagged VLAN is
set.
2. If you have not enabled Inherit from SSID, then you must define VLAN settings in the role
profile.
3. In Bandwidth Control, you can set the upload and download bandwidth limits. If you don't
set any of these values in the Role Profile, then, because Inherit from SSID is "Yes", the
corresponding value in the SSID > Traffic Shaping & QoS settings is applied to a user's
session.
4. In Bandwidth Control, you can set the upload and download bandwidth limits. If any of
these values are not set in the Role Profile, then, because Inherit from SSID is "No", only
values defined in the Role Profile are applied to the user's session. Any corresponding values
defined in the SSID settings are ignored.
5. In Firewall, you can enable and configure L3-4 and application firewall rules. If you have not
configured either of the firewalls in the Role Profile tab, then, because Inherit from SSID is
"Yes", the corresponding configuration in the SSID settings is applied to the user's session.
6. In Firewall, you can enable and configure L3-4 and application firewall rules. If you have not
configured either of the firewalls in the Role Profile tab, then, because Inherit from SSID is
"No", only the firewall rules defined in the Role Profile are applied to the user's session. Any
firewall rule defined in the SSID settings is ignored.
7. Redirection in Role Profile maps to Access Control or Captive Portal configuration on the
SSID. You can configure either Redirection in Access Control, or Captive Portal settings in an
SSID, but not both. If you do not select Redirection on the Role Profile tab, then, because
Inherit from SSID is "Yes", any Redirection or Captive Portal configuration defined in the SSID
settings is applied to the user's session.
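
The precedence table and footnotes above can be expressed as a small resolver plus an audit that flags role profiles that silently discard SSID controls. This is an added example, not Mojo Aware code: the dictionary keys, function names and sample values are hypothetical, Inherit from SSID is modelled as one flag per role profile, and RADIUS-supplied values are assumed to use the same keys.

```python
"""Model of the role-profile precedence rules described in this section.

Added illustration: the dictionaries and function names below are
hypothetical and are not a Mojo Aware API or export format.
"""

# Per-session settings covered by the precedence table. None = not configured.
SETTINGS = ("vlan", "upload_kbps", "download_kbps",
            "l3_firewall", "app_firewall", "redirection")


def resolve(ssid, role, inherit_from_ssid, radius=None):
    """Return {setting: (value, source)} for a session with a role applied.

    Order follows the guide: RADIUS, then Role Profile, then SSID. The SSID
    value is used only when the role leaves the setting unset AND the role
    has Inherit from SSID selected.
    """
    radius = radius or {}
    effective = {}
    for name in SETTINGS:
        if radius.get(name) is not None:
            effective[name] = (radius[name], "RADIUS")
        elif role.get(name) is not None:
            effective[name] = (role[name], "Role Profile")
        elif inherit_from_ssid:
            value = ssid.get(name)
            if name == "vlan" and value is None:
                value = 0  # footnote 1: no SSID VLAN means untagged (0)
            effective[name] = (value, "SSID Profile")
        else:
            # Role Profile wins with nothing configured: SSID value ignored.
            effective[name] = (None, "Role Profile")
    return effective


def audit(ssid, role, inherit_from_ssid):
    """List configurations the guide calls invalid or that drop SSID controls."""
    findings = []
    if role.get("vlan") is None and not inherit_from_ssid:
        findings.append("vlan: role has no VLAN and does not inherit from SSID")
    if not inherit_from_ssid:
        for name in ("l3_firewall", "app_firewall", "upload_kbps",
                     "download_kbps", "redirection"):
            if role.get(name) is None and ssid.get(name) is not None:
                findings.append(f"{name}: SSID value is ignored for this role")
    limits = (role.get("upload_kbps"), role.get("download_kbps"))
    if any(v is not None for v in limits) and not ssid.get("per_user_bw_control"):
        findings.append("bandwidth: enable per user bandwidth control in SSID")
    if role.get("app_firewall") is not None and not ssid.get("app_visibility"):
        findings.append("app_firewall: select Application Visibility in SSID")
    return findings


# Constructed sample configuration (values are illustrative only).
SSID = {"vlan": 20, "upload_kbps": 512, "download_kbps": 1024,
        "l3_firewall": ["block tcp any:23"], "app_firewall": None,
        "redirection": None, "per_user_bw_control": False,
        "app_visibility": False}
GUEST_ROLE = {"vlan": 30, "upload_kbps": 256}

if __name__ == "__main__":
    for inherit in (False, True):
        print(f"Inherit from SSID = {inherit}")
        for name, (value, source) in resolve(SSID, GUEST_ROLE, inherit).items():
            print(f"  {name:14} {value!r:22} from {source}")
        for finding in audit(SSID, GUEST_ROLE, inherit):
            print("  FINDING:", finding)
```

With Inherit from SSID off, the sample role ends up with no L3 firewall rules and no download limit even though the SSID defines both, which is the case the Note above warns about.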

Configure a Role Profile


A Role Profile is created to enforce Role Based Access Control on Wi-Fi users. Role Profiles
defined at a specific location are visible at all its child locations, but not vice versa.
The Role Profile listing is available in the Card Grid View layout.

To create a Role Profile:


1. Navigate to CONFIGURE -> Role Profile
2. Click Add New Role Profile.
3. Enter the role name in Enter Role Name field.
You can use the same role name that you have defined in your RADIUS server for ease of
mapping.
4. Enter a profile name in Enter Profile Name field.
5. Click Save.

Once the Profile is configured successfully, Mojo Aware displays a success message.

Configure Inherit from SSID in Role Profile


All of the above listed configurations are also available in the SSID profile and apply to users
who connect to the SSID profile. You can choose to inherit the configurations from the SSID
profile for one or more of the above listed settings, if you do not want to enforce an alternate
setting. For example, if you have set the firewall rules in the SSID profile and want the same to
be applied to all users, then you can select this option in the role profile and need not configure
the firewall rules in the role profile.
To configure Inherit from SSID:

1. Navigate to CONFIGURE -> Role Profile


2. Select Inherit from SSID to inherit the role attributes from the SSID profile.
You can optionally choose to inherit the role profile settings from the SSID profile in which
the role profile is added to a role based control rule.
3. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure VLAN in Role Profile


You can specify one or more VLANs that the user to whom the profile is assigned can access
over the WLAN network. Any VLAN setting configured in the role profile will override the
corresponding setting in the SSID profile, when the role is assigned to a Wi-Fi user.
Important: If you do not configure this setting in the Role Profile, then you must select the
Inherit from SSID option.

| SSID Profile | Role Profile | Inherit from SSID | Precedence | Notes |
|---|---|---|---|---|
| Yes / No | Yes | Yes / No | Role Profile | If no VLANs are configured in the SSID, the default value of 0 indicating untagged VLAN is set. |
| Yes | No | Yes | SSID Profile | If Inherit from SSID is not enabled in the role profile, then VLAN settings must be configured in the role profile. |

To configure VLAN:

1. Navigate to CONFIGURE -> Role Profile


2. In the VLAN section, enable VLAN.
3. Specify a VLAN ID that the user can access if the role profile is assigned to the user.
The VLAN ID range is from 0 to 4094. To map to the untagged VLAN on the switch port, enter
VLAN ID = 0, irrespective of what VLAN ID is assigned to the untagged VLAN on the switch.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Firewall Rules in Role Profile


You can define two sets of firewall rules. The first set, the L3 firewall rules, defines whether
communication to a host/IP:port is allowed or disallowed using a particular protocol. The
communication can be blocked/allowed to or from the client device or in both directions.
The second set of firewall rules defines which applications in each system-defined application
category the client device can access. A rule can allow or disallow such access. Additionally,
you can define the default rule that must be applied on the client device if none of the defined
rules are applicable. The default rule is common for L3 and application firewall.

Based on the SSID Profile and Role Profile configurations, the following table lists the
precedence for Firewall Rules configuration if a role profile is applied on the user.

| SSID Profile | Role Profile | Inherit from SSID | Precedence | Notes |
|---|---|---|---|---|
| Yes / No | Yes | Yes / No | Role Profile | - |
| Yes | No | Yes | SSID Profile | - |
| Yes | Yes | Yes | Role Profile / SSID Profile | In Firewall Rule, you can enable and configure L3 and application firewall rules. If either of the firewalls is not configured in the Role Profile, then the corresponding configuration in the SSID Profile is applied to the user session. |
| Yes | Yes / No | No | Role Profile | In Firewall Rule, you can enable and configure L3 and application firewall rules. If either of the firewalls is not configured in the Role Profile, then only the firewall rules defined in the Role Profile are applied to the user session. Any firewall rule defined in the SSID Profile is not applied to the user session. |

To configure Firewall Rules:

1. Navigate to CONFIGURE -> Role Profile


2. Click Firewall.

Enable Firewall and define the L3 firewall rules. For specifying application firewall rules,
enable Application Firewall. If you enable Application Firewall, you must select Application
Visibility in the SSID profile.
3. Enable and define L3 Firewall Rules.
4. Enable and define Application Firewall rules.
If you enable Application Firewall, you must select Application Visibility in the SSID profile.
5. In the Default Rule section, provide an Action.
Action can be one of the following: Allow, Block, or Allow and Mark.
6. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure User Bandwidth Control in Role Profile


Bandwidth control lets you define the limits to be applied on the upload and download
bandwidth available to a user. This can range from 0 Kbps through to 1024 Mbps.
Important: If you configure Bandwidth Control in the role profile then Enable per user
bandwidth control must be selected in the Traffic Shaping & QoS section of the SSID Profile.

Based on the SSID Profile and Role Profile configurations, the following table lists the
precedence for Bandwidth Control configuration if a role profile is applied on the user.

| SSID Profile | Role Profile | Inherit from SSID | Precedence | Notes |
|---|---|---|---|---|
| Yes / No | Yes | Yes / No | Role Profile | - |
| Yes | No | Yes | SSID Profile | - |
| Yes | Yes / No | No | Role Profile | In Bandwidth Control, you can set the upload and download bandwidth. If any of these values are not set in the Role Profile, then only values defined in the Role Profile are applied to the user session. Any corresponding values defined in the SSID Profile are ignored. |
| Yes | Yes | Yes | Role Profile / SSID Profile | In Bandwidth Control, you can set the upload and download bandwidth. If any of these values are not set in the Role Profile, then the corresponding value configured in the SSID Profile is applied to the user session. |

To configure User Bandwidth Control:

1. Navigate to CONFIGURE -> Role Profile
2. Scroll down to the User Bandwidth Control tab.
3. Select "Limit the maximum upload bandwidth per user to" to set the upload limit.
4. Enter the upload limit value in Kbps.
Enter a value between 0 and 1024.
5. Select "Limit the maximum download bandwidth per user to" to set the download limit.
6. Enter the download limit value in Kbps.
Enter a value between 0 and 1024.
7. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Redirection in Role Profile


You can specify whether a user to whom the profile is assigned must be redirected to a URL
whenever the user accesses the SSID. This URL can host an informative page stating what the
access the user has or does not have on the WLAN network. Additionally, you can specify sites
in the Walled Garden that such a user can access. Any site that is not in the Walled Garden list
will not be accessible to the user.

Based on the SSID Profile and Role Profile configurations, the following table lists the
precedence for Redirection configuration if a role profile is applied on the user.

| SSID Profile | Role Profile | Inherit from SSID | Precedence | Notes |
|---|---|---|---|---|
| Yes / No | Yes | Yes / No | Role Profile | - |
| Yes | No | Yes | SSID Profile | Redirection in Role Profile maps to BYOD or Captive Portal configuration on the SSID Profile. You can configure either BYOD or Captive Portal settings in an SSID Profile, not both. If Redirection is not configured and Inherit from SSID is selected in the Role Profile, then any BYOD or Captive Portal configuration defined in the SSID Profile is applied to the user session. |
| Yes | No | No | Role Profile | - |

To configure Redirection:

1. Navigate to CONFIGURE -> Role Profile


2. Select Redirection.
3. Enter Redirect URL.
4. Enter the names of the websites that are accessible before login in the Websites That Can Be
Accessed Before Login field.
5. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Edit a Role Profile


An existing Role Profile can be edited at the location where it was created. Changes made to a
profile created on a parent location are reflected in the inherited profile on the child location.

To edit the Role Profile:

1. Click on the options tab (three vertical dots), of the Role Profile that is to be edited.
2. Select Edit.

• If you are at the specific location where the profile was created, go directly to step 3.
• If you are on a child location and the profile is an inherited profile, choose the
appropriate option:

| Option | Description |
|---|---|
| Go to Parent Folder and Edit | Perform step 2 again and then perform step 3. |
| Duplicate & Continue | A duplicate profile is created; you can then edit the profile on the child location by performing step 2 and then step 3 on the duplicate profile. |

3. Make the necessary changes.


4. Click Save.

Once the Profile is edited successfully, Mojo Aware displays a success message.

Duplicate a Role Profile


Both an existing Role Profile and an inherited profile can be duplicated. Duplication creates an
exact copy of an existing Role Profile at the same location. The duplicate profile has the same
name and configured properties as the original profile. A duplicate profile created on a
parent location exists on the child location as well, but not vice versa.

To duplicate the existing Role profile:

1. Click on the options tab (three vertical dots), of the Role profile that is to be duplicated.
2. Select Duplicate.
3. Select the option dependent on location where you would like to duplicate the Role Profile.

• If you select Currently Selected Folder in the above step, then the Role profile gets
duplicated in the current location.
• If you select At a Different Folder in the above step, then select the new location from
the Duplicate Role Profile to window, at which the Role profile is to be duplicated.
4. Click on Duplicate.

Once the Profile is duplicated successfully, Mojo Aware displays a success message.

Delete a Role Profile


Both an existing Role Profile and a duplicate Role Profile can be deleted using the delete
option. Once deleted, the profile is removed permanently from its specific location and from its
child location as well. Inherited profiles cannot be deleted from the child location. Profiles can
be deleted only at the location where they were created.
Note: You cannot delete a Role Profile that is currently in use on an SSID. You need to
disable / remove the Role Profile from the SSID configuration before you delete it.

To delete the Role profile:

1. Click on the options tab (three vertical dots), of the Role profile that is to be deleted.
2. Select Delete.
3. Perform the below location dependent actions:

• If you are on the specific location where you had created the Role profile, then select
Delete.

• If you are on the child location and the profile to be deleted is an inherited profile, then
click Go to Parent Folder & Delete.

This action will divert you to its parent location, with an appropriate message. Once you
are diverted to the parent location, perform the step 3 again.

Once the Profile is deleted successfully, Mojo Aware displays a success message.

Radio Settings
The Radio Settings tab allows you to configure settings related to the WiFi access point radios
at a location.
Note: By default, Radio Settings applied to a location are automatically inherited by its child
locations. For example, suppose there is an HQ location with two child locations: Branch
1 and Branch 2. Then a radio setting applied to HQ automatically applies to Branch 1 and
Branch 2. You can, however, customize the radio settings of a child location so that they are
different from those of its parent.

A Mojo AP has two radios (except for tri-radio models such as the C-110 and C-130, where a
third radio acts as a sensor). One of the two radios operates in the 2.4GHz band and the other
one in the 5GHz band. You can configure radio settings for each of these bands using the
2.4GHz and the 5GHz tabs.

By default, a Mojo AP selects its operating channel automatically when in AP mode. It picks a
channel with minimum Wi-Fi interference. The AP first selects a channel when it boots. Then,
it periodically looks for a better channel and changes its operating channel if necessary; you
can specify this period in the Selection Interval field. So, once every Selection Interval, the
AP checks if the Wi-Fi interference on the current channel has increased. If the interference
has increased, then the AP looks for a channel with minimum Wi-Fi interference and starts
operating on that channel.

In the case of the 2.4GHz (i.e. 802.11 b/g/n) radio, you can select some or all of the available
candidate channels. Similarly, for the 5GHz (i.e. 802.11 a/n/ac) radio, you can select some or all
of the available DFS channels and/or non-DFS channels as candidate channels. DFS stands for
dynamic frequency selection, a mechanism that prevents interference by RADAR signals in
the 5GHz band. The available candidate channels depend on the country selected.
Note: If channel 14 is available as a candidate channel, and it is the only channel selected,
we recommend you use the manual option and then select this channel. Channel 14 does
not work with auto mode when it is the only candidate channel selected.

Advanced Radio Settings

Under Advanced Radio Settings, you can configure transmit power, client steering and load
balancing parameters, and admission control policies.

Transmit Power Control

You can set the Transmit Power Control (TPC) to Manual or Auto. In the Auto TPC mode, a Mojo
AP automatically adjusts its transmit power to minimize interference with neighboring Mojo APs.

Smart Steering

Smart Steering solves the "sticky client" problem. A sticky client is one that stays connected
to an AP with poor signal strength, even when there is another AP that can offer better signal
strength. In such situations, a Mojo AP smartly steers a client to the better AP. Smart Steering
thresholds ensure that a Mojo AP doesn't steer clients too frequently, since that can worsen
QoE.

Smart Client Load Balancing

In high-density user environments (Auditoriums, Lecture Halls, Conference Centers, Company
meetings etc.) where APs are densely deployed to provide bandwidth to all clients, a client
sees multiple APs with very good signal strength. Most clients will connect to the AP/band
with the best signal strength resulting in a few heavily loaded APs. This could result in poor
performance. Smart Client Load Balancing corrects this situation by steering clients to less
loaded APs with good signal strength.

Band Steering

Band Steering is when a Mojo AP steers a client from the 2.4GHz radio to the 5GHz radio
because the 5GHz band has more non-overlapping channels and offers better speeds.
Note: Band steering is unidirectional, i.e., clients are always steered from 2.4GHz to 5GHz.
As a result, you can configure Band Steering parameters only on the 2.4GHz tab, and not on
the 5GHz tab.

WMM Admission Control Policy

Wi-Fi Multi Media (WMM) prioritizes the network traffic based on four access categories - voice,
video, best effort and background. You can make Admission Control mandatory. If you do so,
you must configure the admission control parameters for voice and video calls — the Maximum
Allowed Calls count and the Maximum Share of Medium Time. You also need to set aside a
fraction of these resources for roaming clients, under Roaming Reservation. This ensures that
clients that roam on this SSID are guaranteed some resources when they're on a voice or a
video call.

How Unified Client Steering Works


Table 6 (Types of Client Steering) shows the different types of client steering. They are classified
based on when the client is steered (pre-association or post-association) and the criteria used
to steer the client (received signal strength (RSSI), load or band).

Table 6: Types of Client Steering

| Stage | Method | Short Description |
|---|---|---|
| Pre-Association | Min Association RSSI | Rejects association request if client’s RSSI is less than the configured threshold |
| Pre-Association | Band Steering | Rejects association requests on 2.4 GHz for dual band clients. Band steering is unidirectional. The AP always steers a client from 2.4GHz to 5GHz because the 5GHz band has more non-overlapping channels and offers higher speeds. |
| Pre-Association | Smart Client Load Balancing | Rejects association request if the client load on an AP is high and less loaded neighbor APs are available |
| Post-Association | Smart Steering | Disconnects client if RSSI drops below a certain threshold |
| Post-Association | Band Steering | When a 5GHz AP radio comes up after being down for a while (for example, due to Radar detection, auto channel selection epoch, or channel change due to high RF interference detection), AP steers dual band clients that were connected to 2.4 GHz when 5 GHz was down |

Note: Unified Client Steering works only on 11ac Mojo devices. It is not supported for 11n
Mojo devices.

General Considerations
Unified Client Steering binds different types of steering together in a well-defined, coherent
framework. Two general considerations motivate Unified Client Steering:

• APs must have a unified view of the network


• Clients should not be steered too frequently

Inter AP Sync
An AP must have a unified, client-aware view of the network. That is, it must know how the
network looks to its neighboring APs and to clients – both its own clients and those of the
neighbors. The AP can then make informed steering decisions to ensure optimum client QoE.

To facilitate this, Mojo APs periodically exchange information about their respective clients
with each other. A Mojo AP broadcasts periodic client RSSI updates on the wired side. Only
its RF neighbors update the client RSSI values. So, each Mojo AP maintains a database of the
RSSI values of its clients and of the clients connected to its neighboring Mojo APs. The AP
incorporates this information into its steering algorithms. It steers a client only if the client’s RSSI
is above the minimum threshold for at least one RF neighbor, i.e., only if the client has at least
one other AP that it can successfully connect to.
Note: Sharing of client RSSI values among APs works only for tri-radio platforms such as
C-130. All other features described in the document work for both dual-radio and tri-radio
APs.

Example: Minimum Association RSSI

To appreciate the value of a unified view of the network, consider the client in Figure 7 (Minimum
Association RSSI Example). It is located between two APs, AP1 and AP2. Suppose the client’s
RSSI values, as seen by both APs, are lower than the minimum needed to associate with them.
Then, without Unified Client Steering, the client cannot connect because neither AP1 nor AP2
accepts the client’s association request. With Unified Client Steering, however, AP1 is aware of
the client’s RSSI as seen by AP2 and vice versa. Because AP1 knows that there is no neighboring
AP that can see the client with an RSSI greater than the minimum association threshold, it does
not reject the client’s association request. This allows the client to connect, improving user
experience.

Figure 7: Minimum Association RSSI Example

Frequency of Client Steering
APs must not steer clients too frequently. Clients that are moving or happen to be in the
coverage overlap region of two APs could “ping-pong” between the two APs because
of constant back and forth steering. This is wasteful signaling and could cause poor user
experience.

To avoid this, Mojo APs should not attempt to steer a client too often. You can configure a
Steering Attempts Threshold parameter that determines the maximum number of attempts to
steer a client allowed in a 10-minute window (see Configuration section for details). The default
value is 2. So, if a Mojo AP has attempted to steer a client twice in 10 minutes, the client enters
a configurable Blackout Interval (default 15 minutes). The AP does not attempt to steer such a
client until the Blackout Interval has elapsed. A Mojo AP shares the steering attempt epochs of
its clients with its RF neighbors in its periodic wired-side broadcasts.

Example: Smart Steering

Figure 8 (Smart Steering Example) shows a client located in the coverage overlap region between
two APs, AP1 and AP2. The client’s RSSI could change quite frequently because of channel
fading or because it might be moving. Without Unified Client Steering, when the client’s RSSI
at AP1 drops below the configured threshold, AP1 steers it to AP2; when the RSSI at AP2 drops,
the client is steered in the opposite direction. The client could thus constantly “ping-pong”
between two APs. With Unified Client Steering, after being steered at most twice in 10 minutes,
the client enters a 15-minute Blackout Interval (assuming all default values). This solves the
client’s frequent “ping-pong” problem.

Figure 8: Smart Steering Example
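
The two guards described under Example: Minimum Association RSSI and Frequency of Client Steering, written out as a small model and run over a constructed ping-pong timeline. This is an added example, not Mojo AP firmware logic: the class and function names and both RSSI thresholds are hypothetical, one shared state stands in for the attempt epochs that APs exchange over the wired side, and the blackout is assumed to start at the attempt that reaches the threshold.

```python
"""Model of the Unified Client Steering guards described above.

Added illustration with hypothetical names; not Mojo AP firmware logic.
Both RSSI thresholds are constructed values. The attempt threshold, window
and Blackout Interval use the defaults stated in the guide.
"""

WINDOW_S = 10 * 60  # steering attempts are counted over a 10-minute window


class SteeringPolicy:
    def __init__(self, min_assoc_rssi_dbm=-70, roam_rssi_dbm=-75,
                 attempts_threshold=2, blackout_s=15 * 60):
        self.min_assoc_rssi_dbm = min_assoc_rssi_dbm
        self.roam_rssi_dbm = roam_rssi_dbm
        self.attempts_threshold = attempts_threshold
        self.blackout_s = blackout_s
        self.attempts = {}        # client -> timestamps of steering attempts
        self.blackout_until = {}  # client -> time at which the blackout ends

    def neighbor_can_serve(self, neighbor_rssi):
        """True if at least one RF neighbor hears the client above threshold."""
        return any(r > self.min_assoc_rssi_dbm for r in neighbor_rssi.values())

    def association_decision(self, own_rssi, neighbor_rssi):
        """Pre-association Min Association RSSI check using the neighbor view."""
        if own_rssi >= self.min_assoc_rssi_dbm:
            return "accept"
        # Weak client: reject only if some neighbor could take it instead.
        return "reject" if self.neighbor_can_serve(neighbor_rssi) else "accept"

    def try_steer(self, client, now, own_rssi, neighbor_rssi):
        """Post-association Smart Steering; returns (steered, reason)."""
        if own_rssi >= self.roam_rssi_dbm:
            return False, "signal ok"
        if now < self.blackout_until.get(client, 0):
            return False, "blackout"
        if not self.neighbor_can_serve(neighbor_rssi):
            return False, "no better AP"
        recent = [t for t in self.attempts.get(client, [])
                  if now - t < WINDOW_S]
        recent.append(now)
        self.attempts[client] = recent
        if len(recent) >= self.attempts_threshold:
            # Assumption: blackout starts at the attempt that hits the limit.
            self.blackout_until[client] = now + self.blackout_s
        return True, "steered"


def simulate(events, policy=None):
    """Run (time_s, client, own_rssi, neighbor_rssi) events through a policy."""
    policy = policy or SteeringPolicy()
    return [policy.try_steer(c, t, own, nbrs) for (t, c, own, nbrs) in events]


# Constructed timeline: a client in the overlap region whose RSSI at the
# serving AP keeps dropping below the roam threshold.
CLIENT = "aa:bb:cc:00:00:01"
EVENTS = [
    (0,    CLIENT, -80, {"AP2": -60}),
    (120,  CLIENT, -80, {"AP1": -60}),
    (240,  CLIENT, -80, {"AP2": -60}),
    (900,  CLIENT, -80, {"AP1": -60}),
    (1100, CLIENT, -80, {"AP2": -60}),
]

if __name__ == "__main__":
    for (t, *_), (steered, reason) in zip(EVENTS, simulate(EVENTS)):
        print(f"t={t:>5}s steered={steered!s:5} ({reason})")
```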

Configure Basic Radio Settings
Radio Settings can be configured for two frequency bands: 2.4GHz and 5GHz. The
configuration is location specific.

To learn more about the parameters required to configure Radio Settings, refer to Basic Radio
Settings Parameters.

To configure basic radio settings:

1. Navigate to CONFIGURE -> Radio Settings.
2. Select the appropriate Operating Region from the drop-down list.
3. Select the frequency band.
Radio Settings can be configured for the 2.4 GHz and 5 GHz bands.
4. Configure Channel by selecting Operating Channel.
Selecting the Auto Operating Channel enables the Selection Interval and Enable Dynamic
Channel Selection fields, whereas selecting the Manual Operating Channel enables the
Channel Number field.
• If you select Operating Channel as Auto, then select Selection Interval in hours and
select Enable Dynamic Channel Selection to enable automatic switching of the
current channel to an available channel with lower interference.
• If you select Operating Channel as Manual, then provide the operating channel
number in the Channel Number field.
5. Configure Candidate Channels by selecting the channels depending on the operating
region selected.
This field is visible only when Operating Channel is set to Auto.
6. Click Save.

Basic Radio Settings Parameters


| Field | Description |
|---|---|
| Operating Region | Contains the list of regions or countries; the default is United States. The user can change it if they have an entitlement or license. |
| Frequency Band | The radio frequency band. The possible values are 2.4 GHz and 5 GHz. Default value is 2.4 GHz. |
| Channel | |
| Operating Channel | The operating channel for the radio. By default, the AP selects the operating channel automatically (Auto). The user can manually set the channel if desired. Select Manual to set the operating channel. Based on the location selected, a list of channel numbers is presented for manual channel selection. If the manually selected channel is not present in the country of operation selected for the device in the applied AP template, the AP automatically reverts to Auto mode and selects a channel. |
| Channel Width | The channel width for the radio. Possible values are 20 MHz or 20 MHz/40 MHz. In case of a/n/ac devices, the 20/40/80 MHz option is available. The options are enabled for 2.4 GHz and 5 GHz modes. |
| Selection Interval | This field is visible only when the Operating Channel is set to Auto. This field specifies the time interval, in hours, at which the channel selection happens. You can enter any value from 1 to 48. The channel may change automatically after this time interval if some other channel is found to have lower interference than the current channel. |
| Enable Dynamic Channel Selection | This field is visible only when the Operating Channel is set to Auto. Select the Enable Dynamic Channel Selection check box to enable automatic switching of the current channel to an available channel with lower interference, when the interference on the current channel increases. The mechanism is independent of the Selection Interval, and the channel is changed only when the interference on the current channel is very high. |
| Candidate Channels | This field is relevant in case of auto-channel selection. It enhances the behavior of auto-channel selection. The AP dynamically checks if the current channel interference has increased and selects a channel with lower interference and diverts the traffic to this channel. For countries where channel 13 or above are permitted on the b/g band, only the channels 1, 5, 9, 13 are selected by default. You can modify the candidate channel list. |

Configure Transmit Power Control in Radio Settings


Transmit Power Control enables you to control the transmission power of the AP.

To learn more about the parameters required to configure Transmit Power Control, refer to
Transmit Power Control Parameters.

To configure Transmit Power Control in radio settings:

1. Navigate to CONFIGURE > Radio Settings.


2. Click Advance Radio Settings.
3. In the Transmit Power Control section, select the Auto or Manual option.
Selecting the Manual option enables a text box to provide the transmission power of the AP in
dBm.
4. Select Fragmentation Threshold in bytes.
5. Select RTS (Request to Send) Threshold in bytes.
6. Select DTIM (Delivery Traffic Indication Message) Period.
7. Select 802.11n Guard Interval as Half or Full.
8. Select or deselect Enable A-MPDU if you want MAC Protocol Data Unit (MPDU)
aggregation to be enabled or disabled.
By default, it is enabled.
9. Select or deselect Enable A-MSDU if you want MAC Service Data Unit (MSDU) aggregation
to be enabled or disabled.
By default, it is enabled.
10. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Transmit Power Control Parameters


| Field | Description |
|---|---|
| Advanced Radio Settings | |
| Transmit Power Control (Auto and Manual radio buttons) | This field enables you to control the transmission power of the AP. It is a mandatory field. Manual: select the Manual option to manually specify the transmission power of the AP in dBm. If the custom transmit check box is deselected, the maximum transmit power allowed for the country of operation is set for the AP. Automatic: select the Automatic option for optimizing the transmit power of the AP automatically when it is placed in a network of another neighbor Mojo AP. A 'neighbor' for a Mojo AP is defined as another Mojo AP with the radio working in the same band but not necessarily on the same channel. This neighbor AP must be connected to the same MWM instance ID (should have same CUSTOMER ID) and at least one profile ID. |
| Fragmentation Threshold | The fragmentation threshold, in bytes. Permissible value for this field is from 256 through 2346 bytes. This field is applicable to 5 GHz and 2.4 GHz modes. It is a mandatory field. |
| RTS Threshold | The threshold for Request to Send (RTS) in bytes. It specifies the threshold for the size of frame above which the AP should use Request to Send (RTS)/Clear to Send (CTS) handshake for transmission. This field is applicable to 5 GHz and 2.4 GHz modes. It is a mandatory field. Note: If the threshold is set to a very small value, the wireless channel is not efficiently utilized. This threshold is meant to be used for large frames to avoid losing them due to collisions and causing channel resource wastage. |
| DTIM Period | DTIM (Delivery Traffic Indication Message) period is the time period after which clients connected to the AP should check for buffered data waiting on the AP. It is a mandatory field. |
| 802.11n/ac Guard Interval | A time period at the end of each OFDM symbol to allow the signal to dissipate prior to transmitting the next signal. This prevents overlaps between two consecutive symbols. Legacy 802.11a/b/g devices use 800ns GI. GI of 400ns is optional for 802.11n. This field is 802.11n/ac specific. Half guard interval is not supported for SS-300-AT-C-50 when channel width is 20 MHz. |
| Enable A-MPDU | This field specifies the enabling or disabling of MAC Protocol Data Unit (MPDU) aggregation. This field is 802.11n/ac specific. In case of 802.11 ac radio, frame aggregation is enabled by default and it cannot be disabled. |
| Enable A-MSDU | This field specifies the enabling or disabling of MAC Service Data Unit (MSDU) aggregation. This field is 802.11n specific. |

Configure Smart Steering in Radio Settings


The Smart Steering feature helps you resolve the sticky client problem.

To configure Smart Steering in Radio Settings:

1. Navigate to CONFIGURE > Radio Settings.


2. Click Advance Radio Settings.
3. In the Smart Steering section, enter the time interval, in seconds, for Roam Initiation Interval.
Roam Initiation Interval is the time interval for which the client's signal strength should be
lower than the Roam Initiation RSSI Threshold for the AP to initiate the roam. The time can
range from 5 to 900. Default value is 10.
4. Enter the RSSI threshold to disconnect a client in the Roam Initiation Packet Threshold field.
When the signal strength of the client is less than this threshold, the AP disconnects the
client and initiates a roam. The packet threshold can be between 5 and 500. Default value is 5.
5. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Smart Client Load Balancing in Radio Settings


Smart Client Load Balancing is configured per SSID but it acts per radio. The radio is shared by
all SSIDs associated with the band (2.4 or 5 GHz). Balancing clients across APs provides each
client a larger slice of radio time. The balancing mechanism may deny immediate access to the
AP when a client roams. Clients that use real-time applications such as video and voice may
be impacted. It is not recommended that Smart Client Load Balancing be enabled on SSIDs that
support real-time applications.

To configure Smart Client Load Balancing in radio settings:

1. Navigate to CONFIGURE > Radio Settings.
2. Click Advance Radio Settings.
3. In the Smart Client Load Balancing section, enter the minimum number of clients that can
connect to an AP in the Minimum Client Load field.
This field lets you specify the minimum number of clients that can connect to an AP before
client load balancing is triggered. The default value for this field is 30 and the threshold is 45.
The minimum client load on each radio is taken into consideration while the load on a single
AP is checked.
4. Enter the minimum difference between the number of clients connected on neighboring
APs in the Minimum Client Load Difference field.
This minimum difference is considered to balance client load. Default value is 5 and range
varies from 2 to 10.
5. Click Save.
If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Band Steering in Radio Settings


Band steering is a load balancing feature that lets the Wi-Fi client switch to the other available
band to balance the load of the Mojo access point in case more clients are operating on a single
band.

To configure Band Steering in Radio Settings:

1. Navigate to CONFIGURE > Radio Settings.
2. Click Advance Radio Settings.
3. Scroll down to Band Steering section.
4. Enter the value for Band Steering Client Load Difference.
It is the load balancing parameter that is useful for tuning the load distribution between
2.4 GHz and 5 GHz bands. If the difference between the number of clients associated in 5
GHz and 2.4 GHz exceeds the threshold, band steering to 5 GHz is not performed until the
difference comes below the threshold. Default value for this field is 25 and the threshold is
50.
5. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure WMM Admission Control Policy in Radio Settings
Wi-Fi Multimedia (WMM) prioritizes network traffic. Here you configure the admission control
parameters for voice and video calls. The fields that follow are configured for whichever call
type, voice or video, you select.

To configure WMM admission control policy in radio settings:

1. Navigate to CONFIGURE > Radio Settings > Advanced Radio Settings.
2. Scroll down to WMM Admission Control Policy.
3. Select Admission control policy as Voice Calls or Video Calls.
4. Select Admission Control Mandatory to make admission control mandatory.
5. Select No Ack Policy to enable no acknowledgement policy.
When you enable no acknowledgement policy, the acknowledgement for the unicast QoS
data packets is not required from the receiver. No retransmission takes place for the QoS data
packets when the no ack policy is enabled.
6. Provide the maximum number of allowed voice or video calls depending upon choice in
Maximum Allowed Calls field.
Limit for number of voice calls is 127.
7. Enter the maximum percentage share of the medium time for voice calls in Maximum Share
Of Medium Time field.
The value for maximum percentage share ranges from 0 to 100. Default value is 0.
8. Enter the number of voice calls reserved for roaming clients in Call Reserved field.
The range for this field is from 0 to the number of maximum allowed calls specified in
Maximum Allowed Calls field.
9. Enter the percentage share of the medium time reserved for roaming clients in Share Of
Medium Time Reserved field.
The range for percentage share is from 0 to the percentage share specified in Maximum
Share Of Medium Time field.
10. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Device Settings
Under Device Settings, you can configure Device related settings such as Background Scanning
and Security related settings such as WIPS.
Note: By default, Device Settings applied to a location are automatically inherited by its child
locations. For example, suppose there is an HQ location with two child locations: Branch 1
and Branch 2. Then a device setting applied to HQ automatically applies to Branch 1 and
Branch 2. You can, however, customize the device settings of a child location so that they
are different from those of its parent.

Configurations in Device Settings typically apply to a device, i.e., to all the radios of the device.
Since a Mojo AP can operate as an access point and / or as a WIPS sensor, Device Settings in
Mojo Aware is further divided into two tabs: Device tab and Security tab.

Device Tab
You can configure device related settings such as Background Scanning on the Device Tab.

You can turn the access point into a WIPS sensor on the Device tab. When you do so, Mojo
Aware permanently erases WiFi access related settings (Background Scanning, for example) in
that folder.

You can enable Background Scanning on the Device tab. When you enable Background
Scanning, an access point radio periodically scans channels in its band (2.4GHz or 5GHz). You
can configure for how long the AP scans channels (say, for 100ms) and how often it does so
(say, every 10 seconds). A Mojo AP uses information obtained during a background scan mainly
for two purposes: performance optimization (e.g. Dynamic Channel Selection, Client Steering)
and security (e.g. WIPS rogue AP detection). As a result, many of the RF Optimization features
require Background Scanning to be enabled.

A Mojo AP can steer a client to a different band or to another Mojo AP. With Client Steering
Common Parameters, the different types of client steering work together towards the common
goal of improving client Quality of Experience (QoE). For example, Smart Steering and Band
Steering use the Common RSSI threshold as their reference. See What is Unified Client Steering
for details.

VLAN Extension applies only to the W-68 model and only when it's in AP mode (i.e. not
configured as a sensor). VLAN Extension allows you to map a W-68 LAN port to a VLAN ID. It's
essentially a way to extend your wired network - a typical use case could be plugging a laptop
in to one of these ports to connect directly to the wired network.
Note: You can map multiple LAN ports to the same VLAN ID but one LAN port can have
only one VLAN ID.

Link Aggregation applies only to the Mojo C-120 and C-130 models. When you enable Link
Aggregation, multiple ports merge into a single logical link. This results in higher aggregate
bandwidth on servers with heavy traffic. It also utilizes the bandwidth more efficiently since the
logical overheads are shared between two physical links.
Note: If you enable Link Aggregation, you must use a switch capable of link aggregation.

Antenna Settings allow you to choose whether APs at the location use internal or external
antennas.

Device Password allows you to set the username and password for devices at the location.

You can enable Device Access Log and specify the hostname or IP address of a Syslog server
to which you want devices to send their access logs.

IPv4/IPv6 Dual Stack enables both stacks in the devices.

Enable SSH IP Whitelisting allows you to restrict the IP addresses that are allowed to SSH to
Mojo APs.

NTP Configuration defines the primary and secondary servers that a Mojo device uses to get its
clock reference.

When you enable Analytics Integration with Third Party Server, a Mojo device sends analytics
information to an external server. You can specify the format in which the analytics information
is sent, the server URL, and the interval for sending the analytics.

Access Radio Exceptions apply to Single Radio devices or to dual-radio devices that can
operate in a "combo" mode with one radio in access mode and the other one in WIPS mode.
For Single Radio devices, you can select the band you want the device to operate on. For Dual
Radio AP-Sensor Combo devices, you can select the band of operation of the access radio.

Turn Access Point into a WIPS Sensor


Turning access points into WIPS sensors permanently erases Wi-Fi access related settings at
the selected folder.

To turn access point into a WIPS sensor:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select Turn Access Point into a WIPS Sensor.
Mojo Aware asks for confirmation.
3. Click Yes to turn APs into WIPS sensors.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.
Turning Access Point into a WIPS Sensor skips the configuration for Background Scanning and
Client RSSI Update Interval settings.

Configure Background Scanning in Device Settings


After every AP Interval, the radio scans one background channel for the duration of Scan
Interval. Connected clients are not disconnected during Scan Interval. In background scanning,
you can configure the Scan Interval and AP Interval.
Important: Do not enable background scanning if the radio is being used for Voice over IP
(VoIP).

If you disable background scanning, then "Smart Client Load Balancing", "RF Neighbours",
"Dynamic Channel Selection", and "Periodic Auto Channel Switch", if configured in the SSID
profile, will be rendered non-functional.

For the C-130 device, background scanning is disabled by default as one of the radios is always
in WIPS mode. For more about the parameters required to configure Background Scanning,
refer to Background Scanning Parameters.

To configure Background Scanning:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select Background Scanning.
3. Enter Scan Interval in milliseconds.
4. Enter AP Interval in seconds.
5. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.
Enabling Background Scanning enables Wi-Fi Security Features and Inter AP Sync for Client
Steering settings.

Background Scanning Parameters
The table below provides information about parameters of Background Scanning. It includes
possible values, behavior, and all the related information about the parameters.

Field Description

Scan Interval Time interval, in milliseconds, for which the AP scans a background channel when
background scanning is turned on. Scan interval alternates with the AP interval. Connected
clients remain connected to the AP during the scan interval.
You can specify a value between 50 and 150 milliseconds. The default value is 100
milliseconds.

AP Interval Time interval, in seconds, after which the AP scans a background channel when
background scanning is turned on. Background scanning does not happen during this interval.
AP interval alternates with the scan interval.
You can specify a value between 5 and 3600 seconds. The default value is 10 seconds.

Configure Inter AP Sync for Client Steering in Device Settings


Inter AP Sync, if enabled, syncs with neighboring APs to share client visibility information for
an improved steering experience.

You should enable Inter AP Sync for multiple AP deployments only.

Background scanning must be turned on for all AP radios, except on devices with a third
scanning radio.

To configure Inter AP Sync for Client Steering:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select Inter AP Sync for Client Steering.
3. Enter Sync Period in seconds.
Sync Period is the time interval specified to broadcast periodic Sync messages. The time
interval can be minimum 10 seconds and maximum 60 seconds.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Client Steering Common Parameters in Device Settings
In Client Steering Common Parameters, the different types of client steering work together
towards the common goal of improving client Quality of Experience (QoE).

For more about the parameters required to configure Client Steering Common Parameters,
refer to Client Steering Parameters.

To configure Client Steering Common Parameters in device settings:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Scroll down to Client Steering Common Parameters section.
3. Enter value for Steering RSSI Threshold.
4. Set max number of steering attempts for a client in Steering Attempts Threshold field.
5. Set steering suspension period for a client in Steering Blackout Period field.
6. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

What is Unified Client Steering


A Mojo AP can steer a client to a different band or to another Mojo AP. Clients can be steered
before or after association. The decision to steer a client is based on considerations such as
signal strength, load (i.e. number of clients connected to the radio) and the preferred band of
operation. While client steering is important for best user Quality of Experience (QoE), frequent
and ad-hoc steering of the client can in fact worsen the QoE. Mojo APs use an approach called
Unified Client Steering. In this approach, APs exchange information with each other, resulting
in a “big picture” view of the client experience. Different types of client steering then work
together towards the common goal of improving client QoE. For example, Smart Steering and
Band Steering use the Common RSSI threshold as their reference.

Client Steering Parameters


Field Description

Client Steering Common Parameters

Client Steering Common Parameters Client Steering Common Parameters can be configured
only on 11ac devices.

Steering RSSI Threshold The steering RSSI threshold can be between -60 and -85 dBm. Default
value is -70 dBm.

Steering Attempts Threshold This is the max number of steering attempts for a client within a
10-minute window, after which the client's steering is suspended for a period specified by
Steering Blackout Period. The default value for steering attempts is 2. The minimum value is 1
and maximum value is 5.

Steering Blackout Period This is the steering suspension period for a client. No steering
methods are employed for a client while it is within this time period. The default value for
steering blackout period is 15 minutes. The minimum value is 10 minutes and maximum is 60
minutes.

Configure Client RSSI Update Interval in Device Settings


This feature updates the client RSSI at a specified interval.

To configure Client RSSI Update Interval:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Scroll down to Client RSSI Update Interval tab.
3. Enter Interval in seconds.
The device updates the RSSI of visible WiFi clients with this periodicity.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure VLAN Extension in Device Settings


Enabling VLAN Extension takes precedence over the Wired Extension configured in the Wi-Fi
Profile.

To configure VLAN Extension:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select VLAN Extension.
3. Select the LAN port and specify the VLAN ID.
The applicable values are 0 through 4094, where 0 indicates an untagged VLAN. A LAN port
can be mapped to only one VLAN ID, but the same VLAN ID can be mapped to more than
one LAN port.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Link Aggregation in Device Settings
Enabling Link Aggregation allows multiple ports to merge logically into a single link. This
minimizes wasted bandwidth, as the full bandwidth of each physical link is available.
Link aggregation offers higher aggregate bandwidth on servers having heavy traffic.

If you enable Link Aggregation for the device, the Enable Wired Extension option in the SSID
profile, if set, will be ignored and not take effect. This option is applicable only for C-120 and
C-130 devices.

To configure Link Aggregation:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select Link Aggregation.
3. Select the Transmit Hash Policy.
You can choose from one of the following options to define the transmit hash policy:
• Layer 2 (MAC)
• Layer 3+4 (IP+Port)
• Layer 2+3 (MAC+IP)
Note: If you enable link aggregation, then you must use a switch that is capable of link
aggregation.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Antenna Settings in Device Settings


This configuration applies to the C-50, C-60, C-10 and SS-200-AT-01. You can select an internal
or external antenna depending on your preference.

To configure Antenna Settings:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Scroll down to Antenna Settings.
3. Select the Antenna Type.
This field has two values: Internal and External. If you want to work with internal antennas,
select Internal. If you want to work with external antennas, select External.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Device Password in Device Settings
Device Password configuration helps you manage the password for the Mojo device. By
defining a password in this setting, you can manage the password for a group of devices
without having to change it on each device separately.

To configure Device Password:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Scroll down to Device Password tab.
3. Enter username.
Default user name is config.
4. Enter Password.
The password should be at least 6 characters long and it cannot contain spaces or your login
ID.
5. Confirm the new password by entering the same password again in the Confirm Password field.
6. Click Save.
If the configuration is correct and saved successfully, Mojo Aware displays a success message.
The new password is applied on all the associated devices.

Configure Device Access Logs in Device Settings


Mojo Wireless Manager can send the sensor access logs to a Syslog server. This functionality
is useful for audit purposes and can be enabled or disabled.

To configure Device Access Logs:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select Device Access Logs.
3. Enter Syslog Server IP/Hostname.
This is the IP address or hostname of the Syslog server to which the access logs are to be sent.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure IPv4/IPv6 Dual Stack in Device Settings


You can enable or disable the support for IPv4/IPv6 dual stack network. When you enable
support for IPv4/IPv6 dual stack network, the AP, to which the device settings are applied, is
able to operate on both IPv4 and IPv6 addresses simultaneously. When you disable support for
IPv4/IPv6 dual stack network, the AP, to which the device template is applied, can operate on
IPv4 networks only.

To configure IPv4/IPv6 Dual Stack:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select IPv4/IPv6 Dual Stack.
3. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Enable SSH IP Whitelisting in Device Settings


The Enable SSH IP Whitelisting option in the Device Settings is unchecked by default. You can
enforce SSH access from specific IP addresses by checking this option. If this option is enabled,
only IP addresses that match the specified criteria can SSH to the AP.

For more details on SSH IP Whitelisting parameters, refer to SSH IP Whitelisting Parameters.

To enable SSH IP Whitelisting:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select Enable SSH IP Whitelisting.
3. Enter an IPv4 address in the IP Address field.
4. Enter a wildcard mask in the Wildcard Mask field.
5. Click Add.
You must provide at least one IP address and wildcard mask. You can provide a maximum
of 20 such entries. SSH access to the communication IP of the access point is enabled only
from the IP addresses that match the IP address and wildcard mask criteria.

SSH IP Whitelisting Parameters


Field Description

IP Address A valid IPv4 address.

Wildcard Mask The wildcard mask is a mask of bits that helps identify the parts of the IP
address that must match and the parts that can be ignored. The binary equivalent of the IP
address and wildcard mask is used for examining the bits that must match. A wildcard mask
acts as an inverted subnet mask, i.e., the zero bits in the mask indicate that the corresponding
bit position in the IP address must match. The one bits indicate that the corresponding bit
position doesn't have to match.

For example: if the IP address is 10.10.0.0 and the mask is 0.0.0.255, then the IP addresses
10.10.0.0 through 10.10.0.255 will match. However, if the mask is 0.0.1.255, then the IP
addresses 10.10.0.0 through 10.10.0.255 and 10.10.1.0 through 10.10.1.255 will match.
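
The wildcard-mask matching described above, as an added Python example for reviewing a whitelist before it is entered. It is not Mojo code: the function names and the sample entries are assumptions constructed for illustration, and only the bit rule and the 1 to 20 entry limit come from this guide.

```python
import ipaddress

MAX_ENTRIES = 20  # maximum number of whitelist entries stated in this guide

# Constructed sample entries (IP address, wildcard mask); not from a real deployment.
SAMPLE_ENTRIES = [
    ("10.10.0.0", "0.0.1.255"),   # the guide's own example: 10.10.0.0 - 10.10.1.255
    ("192.0.2.10", "0.0.0.0"),    # a single management host
    ("10.20.5.7", "0.0.255.0"),   # non-contiguous mask: any third octet, host .7 only
]


def ip_to_int(dotted):
    """Parse a dotted-quad IPv4 string; raises ValueError on malformed input."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(candidate, base, wildcard):
    """True when candidate equals base on every bit where the wildcard bit is 0."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF  # 1 = this bit position must match
    return (ip_to_int(candidate) & care) == (ip_to_int(base) & care)


def permitted_count(wildcard):
    """Number of source addresses one entry admits: 2 ** (number of 1 bits)."""
    return 1 << bin(ip_to_int(wildcard)).count("1")


def is_contiguous(wildcard):
    """True when the 1 bits form one run at the low end (a plain inverted subnet mask)."""
    m = ip_to_int(wildcard)
    return (m & (m + 1)) == 0


def validate_whitelist(entries):
    """Enforce the 1..20 entry limit and check that every field parses as IPv4."""
    if not 1 <= len(entries) <= MAX_ENTRIES:
        raise ValueError(f"need 1 to {MAX_ENTRIES} entries, got {len(entries)}")
    for base, wildcard in entries:
        ip_to_int(base)
        ip_to_int(wildcard)
    return True


def ssh_allowed(source_ip, entries):
    """True when the source address matches at least one whitelist entry."""
    return any(wildcard_match(source_ip, b, w) for b, w in entries)


def audit(entries):
    """Per-entry review data: how wide each entry is and whether it looks mistyped."""
    validate_whitelist(entries)
    report = []
    for base, wildcard in entries:
        report.append({
            "entry": f"{base} {wildcard}",
            "addresses": permitted_count(wildcard),
            "contiguous": is_contiguous(wildcard),
            # Base bits that sit under a wildcard 1 bit are ignored by the match;
            # when set, the entry is wider than the base address suggests.
            "ignored_base_bits": bool(ip_to_int(base) & ip_to_int(wildcard)),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_ENTRIES):
        print(row)
    for src in ("10.10.1.200", "10.10.2.1", "10.20.99.7", "10.20.99.8"):
        print(src, "allowed" if ssh_allowed(src, SAMPLE_ENTRIES) else "blocked")
```

An entry whose address count is far larger than the management network it is meant to cover, or whose base address has bits the mask ignores, is worth a second look before saving.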

Configure NTP in Device Settings


The Mojo device system clock resets itself to Epoch time (that is, January 1, 1970) after every
reboot, as it does not have an internal battery to maintain time across reboots. The system clock
is used to timestamp the logs. You can ensure that the timestamp on the logs reflects the correct
date and time by synchronizing the Mojo device system clock with an NTP server. This can be
done by specifying the details of the NTP server for Mojo device time synchronization under
device settings.
Important: NTP synchronization happens over the communication VLAN of the Mojo device.
Ensure that the incoming UDP port 123 is open on the firewall for the communication VLAN.

To configure NTP:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Scroll down to NTP Configuration tab.
3. Enter Primary NTP Server IP/Hostname.
The default primary NTP server is the NIST (National Institute of Standards and Technology)
NTP server, time.nist.gov. The NIST NTP server is a server cluster maintained by the US
federal government and is connected to high precision atomic clocks. The NIST NTP server
is accessible from almost every corner of the globe.
4. Enter Secondary NTP Server IP/Hostname.
The Mojo device synchronizes time with the secondary NTP server, if specified, when
the primary NTP server is unavailable or inaccessible. It is not mandatory to specify the
secondary NTP server.
5. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Analytics Integration with Third-Party Server in Device Settings

This feature integrates Mojo with a third-party external server and sends the visibility
analytics data to that server. The visibility analytics data can be sent either as a CSV file or
as a JSON file. You can provide either an authorization key or a username-password
combination to authenticate to the external server to send the file with RSSI values.

To configure Analytics Integration:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Select Analytics Integration with Third-Party Server.
3. Enter Visibility Analytics Format.
Visibility Analytics Format can be CSV or JSON.
4. Enter Server URL.
Enter the third-party external server URL or IP address.
5. Enter Send Interval.
The time interval at which the Mojo device should send the client RSSI values to the
third-party external server.
6. Select Authorization method to authenticate with the external server.
Authorization method can be key based or Username and Password.
7. Enter the authorization key or the user name and password combination based on the option
selected as the external server authentication method.
8. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Configure Access Radio Exceptions in Device Settings


Access Radio Exception is configured for Single Radio or Dual Radio devices. This configuration
helps devices to choose the frequency band in case of model agnostic configuration.

To configure Access Radio Exceptions:

1. Navigate to CONFIGURE > Device Settings > Device.
2. Scroll down to Access Radio Exceptions.
3. Select the type of AP between Single Radio AP and Dual Radio AP-Sensor Combo for
which configuration is to be done.

• If you have a single radio AP, then select the frequency band on which your AP should
operate below Single Radio AP tab.
• If you have a dual-radio AP that can operate as an AP and Sensor, then select the
frequency band for an AP to operate.
4. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

Device Security Settings


On the Security tab under Device Settings, you can configure VLAN Monitoring and WIPS.

Mojo Aware can monitor devices on a VLAN and clients associated with these devices. For
details on Auto VLAN Monitoring, see How Auto VLAN Monitoring Works. You can specify any
additional VLANs you want monitored.
Note: There are limitations on how many VLANs a Mojo AP can monitor. See Number of
VLANs Monitored.

It's really easy to set up an unauthorized WiFi network. Small plug-and-play devices can act
as access points. Smart phones and tablets can act as WiFi hotspots. Clients can connect to
any such access point or hotspot and easily access a network that is not adequately protected
against wireless threats. In this way, a network could easily become vulnerable to wireless
attacks. It is therefore important to understand and control authorized and unauthorized access
to WiFi networks. A good Wireless Intrusion Prevention System (WIPS) is a must to prevent
unauthorized access to a network.

Mojo AirTight, Mojo’s industry-best WIPS solution, can automatically classify devices to detect
rogues, and prevent rogue devices from accessing your WiFi network.

Under WIPS Settings, you can enable Offline Mode and select the channels to monitor and
defend. The Offline Mode feature provides some security coverage even when there is no
connectivity between a Mojo sensor and the server. Offline Mode applies only to a Mojo device
functioning as a sensor. In the Offline Mode, the sensor continues some device classification
and prevention, even when it is disconnected from the server. The sensor also raises events,
stores them, and pushes them back to the server on re-connection.

You can select the channels to monitor for WIPS detection and the channels to defend for WIPS
prevention.

How Auto VLAN Monitoring Works


Virtual Local Area Network (VLAN) Monitoring allows you to monitor devices on a VLAN
and clients associated with these devices. Mojo AirTight, Mojo’s patented Wireless Intrusion
Prevention System (WIPS) solution, automatically classifies devices on the monitored VLAN as
Authorized, Rogue or External.

Mojo APs can be configured to automatically monitor VLANs. When a Mojo AP detects activity
on a VLAN, it starts monitoring the devices on that VLAN. With Auto VLAN Monitoring, you don't
need to manually configure the VLANs to be monitored in Mojo Wireless Manager or on the
device Command Line Interface (CLI). This is especially useful for networks with a small number
of VLANs and for networks where the VLAN configuration changes frequently.

Number of VLANs Monitored


A Mojo device can operate in Access Point (AP), Sensor or Network Detector (ND) mode. Table
Maximum number of VLANs monitored shows the maximum number of VLANs a Mojo device can
monitor in each of these modes.

Table 7: Maximum number of VLANs monitored

Model               AP Mode   Sensor Mode   ND Mode
C-50                12        16            50
Other Mojo devices  16        16            100

By default, a Mojo AP monitors VLANs on which its SSIDs are configured and the VLAN it uses
to communicate with the Mojo Wireless Manager server. Additionally, user defined VLANs can
be monitored by using the Monitor Additional VLANs option. The number of VLANs that an AP
automatically monitors is equal to the maximum number it can monitor minus the sum of SSID
VLANs and user-defined VLANs.

Number of automatically monitored VLANs = Max – (SSID VLANs + User-Defined VLANs)

For example, a Mojo C-120 in AP mode can monitor a maximum of 16 VLANs. If there are 4 SSID
VLANs and 2 user-defined VLANs, the number of automatically monitored VLANs is 16 – (4+2) =
10. The C-120 AP then monitors the first ten VLANs that it detects as being active.

Configure VLAN Monitoring in Device Settings


VLAN monitoring is essential for the wired-side connection status detection, host name
detection, smart device detection, rogue AP detection, and so on.

VLAN Monitoring can be configured and will take effect only if the devices are:

• Configured as WIPS sensors, or
• Configured in the AP mode and have Background Scanning enabled and Wireless Security
Features enabled, or
• Tri-radio devices.

While configuring VLAN Monitoring, two tasks can be performed, i.e., Auto VLAN Monitoring
and Monitoring Additional VLANs. For more about the parameters required to configure VLANs,
refer to VLAN Monitoring Parameters.

To configure VLAN Monitoring:

1. Navigate to CONFIGURE > Device Settings > Security.
2. In the VLAN Monitoring tab, select Auto VLAN Monitoring to automatically monitor the
VLANs.
3. Select Monitor Additional VLANs to enable the device to monitor additional VLANs.
A text box to add VLAN IDs is enabled.
4. Enter the additional VLANs to be monitored as a comma-separated list.
5. Click Save.

If the configuration is correct and saved successfully, Mojo Aware displays a success message.

VLAN Monitoring Parameters
The table below gives you a brief overview of the parameters related to VLAN Monitoring. It
includes possible values, behavior, and all the related information about the parameters.

Field Description

Auto VLAN Monitoring Parameter to automatically monitor the VLANs that are added by the
SSID, configured through additional VLANs or through CLI.
The behavior of the automatically monitored VLANs is as follows:
• Priority is always given to the user configured VLANs. In addition to the SSID VLANs, 4
additional VLANs can be monitored.
• In sensor mode, up to 16 VLANs can be monitored.
• In ND mode, 50 VLANs for C-50 and 100 VLANs for other platforms can be monitored.

Monitor Additional VLANs Parameter to enable the device to monitor additional VLANs.

Comma separated list of VLAN IDs The VLAN used by the device to communicate with the
server is always monitored and need not be specified here. VLAN IDs can be between 0 and
4094. The additional VLANs to be monitored must be configured on the switch port where the
device is connected and must be DHCP enabled. A VLAN ID '0' indicates untagged VLAN on
the switch port where the device is connected, irrespective of the actual VLAN number on the
switch.
Important: If a VLAN is configured with a static IP address, then configure the VLAN from the
CLI.

Configure WIPS Settings in Device Settings
While configuring WIPS Settings in Device Settings, you can enable the Offline Mode feature
and, under Channel Settings, set the channels to monitor and defend against intrusion.

For details about the parameters required to configure WIPS Settings, refer to WIPS
Settings Parameters.

Prerequisites

To configure WIPS Settings:

1. Navigate to CONFIGURE > Device Settings > Security.
2. Scroll down to the WIPS Settings.
3. Select Offline Mode.
A text box to enter the time to switch to offline mode is enabled.
4. Enter the time, in minutes, after which the device should switch to offline mode once it
detects loss of connectivity.
5. Select Channels To Monitor from Channel Settings to select the list of channels for
monitoring intrusion.
Optionally, you can select Select All Standard Channels, Select all Allowed Channels, and
Additionally, select intermediate channels.
6. Select Channels to Defend from Channel Settings to select the list of channels for
defending intrusion.
Optionally, you can select Select All Standard Channels and Select all Allowed Channels.
7. Click Save.
If the configuration is correct and saved successfully, Mojo Aware displays a success
message.

WIPS Settings Parameters

The table below contains detailed information about the parameters included in WIPS Settings.

Field: Offline Mode
Description: This feature provides some security coverage even when there is no
connectivity between a Mojo device and the server. The feature is relevant to a Mojo
device functioning as a sensor. The sensor provides some device classification and
prevention capabilities when it is disconnected from the server. The sensor also raises
events, stores them, and pushes them back to the server on reconnecting.
You can specify the time, in minutes, for the device to switch to offline mode after the
device detects loss of connectivity from the server. (Minimum: 1 minute; Maximum: 60
minutes; Default: 15 minutes).

Field: Channel Settings
Description: List of channels for the sensor to monitor and defend intrusion. These
channels will differ according to your country of operation. Refer to the table for the
channel number, its protocol and respective frequency.

Field: Channels To Monitor
Description: List of channels to be selected to monitor intrusion.

Field: Channels to Defend
Description: List of channels to be selected to defend intrusion.

Field: Select All Standard Channels
Description: It auto selects all the standard channels.

Field: Select all allowed channels
Description: It auto selects all the

Field: Additionally, select intermediate channels

Channel   Protocol   Frequency (GHz)
1         b/g/n      2.412
2         b/g/n      2.417
3         b/g/n      2.422
4         b/g/n      2.427
5         b/g/n      2.432
6         b/g/n      2.437
7         b/g/n      2.442
8         b/g/n      2.447
9         b/g/n      2.452
10        b/g/n      2.457
11        b/g/n      2.462
12        b/g/n      2.467
13        b/g/n      2.472
14        b/g/n      2.487
184       a/n/ac     4.92
188       a/n/ac     4.94
192       a/n/ac     4.96
196       a/n/ac     4.98
208       a/n/ac     5.04
212       a/n/ac     5.06
216       a/n/ac     5.08
34        a/n/ac     5.17
36        a/n/ac     5.18
38        a/n/ac     5.19
40        a/n/ac     5.2
42        a/n/ac     5.21
44        a/n/ac     5.22
46        a/n/ac     5.23
48        a/n/ac     5.24
50        a/n/ac     5.25
52        a/n/ac     5.26
56        a/n/ac     5.28
56        a/n/ac     5.28
58        a/n/ac     5.29
60        a/n/ac     5.3
64        a/n/ac     5.32
100       a/n/ac     5.5
104       a/n/ac     5.52
108       a/n/ac     5.54
112       a/n/ac     5.56
116       a/n/ac     5.58
120       a/n/ac     5.6
124       a/n/ac     5.62
128       a/n/ac     5.64
132       a/n/ac     5.66
136       a/n/ac     5.68
140       a/n/ac     5.7
149       a/n/ac     5.745
152       a/n/ac     5.76
153       a/n/ac     5.765
153       a/n/ac     5.765
157       a/n/ac     5.785
160       a/n/ac     5.8
161       a/n/ac     5.805
161       a/n/ac     5.805
165       a/n/ac     5.825

Google Integration for Client Device Authorization
Google provides App sets for enterprises (Google for Work) and educational institutions
(Google for Education). These enable users to communicate and collaborate from a single
platform. From a network administrator’s perspective, the key functions provided by Google are
User and Device Management, and Organizational Units. Network administrators can create
an organizational structure and control which settings and policies must be applied to users
and devices. The user directory offers SSO for all Google applications, while device management
enables administrators to authorize devices that can access the network and restrict access
based on the user role. Once a user logs in with their official Google credentials, the device MAC
is listed on the Google Device Management page. The administrator can then authorize or reject
the device when it attempts to connect to the network.

Mojo Device Authorization Workflow with Google Integration


Let’s see how the client device authorization is effected once the Google Integration is enabled
and configured in Mojo Aware. The following image depicts a high-level workflow starting with
the authorized client devices being synchronized from the Google Cloud through to the client
devices being granted or denied WiFi access.

1. Once the Google App service account key is configured in Mojo Aware, the list of
registered/authorized devices is fetched from Google.

2. The relevant details of this list of devices are pushed to the access points, ensuring that
client devices get authenticated even in the case of a WAN outage resulting in access points
being unable to connect to the cloud.
3. When a client connects to the access point, the device details are compared against the
authorized device list and accordingly WiFi access is granted or denied.
4. If Google OU rules are defined in the SSID Profile, then the OU of the device is matched
against the rules and appropriate WiFi access is granted.
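
A minimal model of steps 2 to 4 above, added here as an illustration and not Mojo's implementation: the access point answers from the device list it last received, so the decision does not depend on the cloud being reachable. The class and field names, the OU rule format, the nearest-parent OU match and the deny-on-no-match default are all assumptions.

```python
import re

def normalize_mac(raw):
    """Return a lower-case colon-separated MAC, or None if raw is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", (raw or "").strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class ApAuthorizer:
    """Hypothetical model of the access point side of steps 2 to 4."""

    def __init__(self, ou_rules=None):
        self.devices = {}                # MAC -> OU path, last list pushed from the cloud
        self.ou_rules = ou_rules or {}   # OU path -> role (assumed rule format)

    def sync(self, records):
        """Step 2: replace the cached list; runs only while the cloud is reachable."""
        fresh = {}
        for rec in records:
            mac = normalize_mac(rec.get("mac"))
            if mac:                      # drop malformed entries instead of caching them
                fresh[mac] = "/" + (rec.get("ou") or "").strip("/")
        self.devices = fresh

    def decide(self, client_mac):
        """Steps 3 and 4: answer from the local cache, so it works during a WAN outage."""
        mac = normalize_mac(client_mac)
        if mac is None or mac not in self.devices:
            return ("deny", None)
        if not self.ou_rules:
            return ("allow", None)       # no OU rules defined: list membership decides
        ou = self.devices[mac]
        while True:                      # assumption: nearest matching parent OU wins
            if ou in self.ou_rules:
                return ("allow", self.ou_rules[ou])
            if ou == "/":
                return ("deny", None)    # assumption: no matching rule means no access
            ou = ou.rsplit("/", 1)[0] or "/"

# Constructed sample data: MAC formats deliberately mixed.
SAMPLE = [{"mac": "A1B2C3D4E5F6", "ou": "/Students/Grade9"},
          {"mac": "00-11-22-33-44-55", "ou": "/Staff"},
          {"mac": "66:77:88:99:aa:bb", "ou": "/Guests"}]

if __name__ == "__main__":
    ap = ApAuthorizer({"/Students": "student", "/Staff": "staff"})
    ap.sync(SAMPLE)
    for mac in ("a1:b2:c3:d4:e5:f6", "0011.2233.4455", "66:77:88:99:AA:BB", "de:ad:be:ef:00:01"):
        print(mac, ap.decide(mac))
```

Normalizing the MAC on both the synced list and the connecting client keeps a formatting difference between the two sources from turning into a false deny.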

So how do you put this into effect? You need to perform these tasks:

• Download Google Service Account JSON Key on page 129


• Configure Google Integration on page 133
• Configure Client Authentication on page 28

Download Google Service Account JSON Key


Mojo requires a service account JSON key to connect to and make API calls to Google. You must
perform the following tasks to ensure that the Mojo Wireless Manager and Google integration
work successfully:

• Create and Download JSON Key on page 129


• Define API Scopes for the Service Account on page 132

Create and Download JSON Key


To create a service account JSON key, perform the following steps in Google
(https://console.developers.google.com/apis/library) using an Admin ID:

1. From the Project menu on top-left, select Create project and provide a project name.
2. On the Library page, type Admin SDK in the search APIs text box and click Admin SDK from
the search results.
3. On the Admin SDK page, click ENABLE on the top.
4. Click the menu icon next to Google APIs and select IAM & Admin and then select Service
accounts.
5. Click Create Service Account.
a) Provide a name for the service account.
b) Select Enable Google Apps Domain-wide Delegation.
c) Provide a product name for the consent screen.
d) Click Create.
6. For the newly created service account, click the menu icon on the right and click Create key.
7. Select JSON as the Key type and click Create.

The service account JSON key is created and downloaded onto your machine. This JSON key
must be used in Mojo for the Google Integration.

You need the client ID for the service account to define API scopes. Click the View Client ID link
for the service account and copy the Client ID.

Define API Scopes for the Service Account


After you have created a service account, you must specify the API scopes for the service
account.

1. Log in to your Google Apps domain control panel (admin.google.com) with an Administrator
account.
2. Click the Security icon. If you do not see Security listed, then select More controls from the
gray bar at the bottom of the page and then select Security from the list of controls. If you
can't see the controls, make sure you're signed in as an administrator for the domain.
3. Go to Show More > Advanced settings > Authentication > Manage API client access.
4. Enter the service account Client ID in the Client Name field. This is the same client ID that
you copied from the Service Accounts page in the previous task.
5. Enter the following list of scopes (comma separated) that your application should be granted
access to:

• https://www.googleapis.com/auth/admin.directory.device.chromeos
• https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
• https://www.googleapis.com/auth/admin.directory.device.mobile
• https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
• https://www.googleapis.com/auth/admin.directory.device.mobile.action
• https://www.googleapis.com/auth/admin.directory.user.readonly
• https://www.googleapis.com/auth/admin.directory.user
6. Click Authorize.
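
The checks below are an added example, not part of the Mojo guide or Mojo's own code: before uploading the key, confirm that the downloaded file really is a service account key and that only its owner can access it (it holds the private key of an account created with domain-wide delegation), then build the comma-separated scope string for step 5. The function names are hypothetical; the scope URLs are the ones listed in step 5, written in their plain googleapis.com form.

```python
import json
import os
import stat

# Scopes as listed in step 5 of this section.
BASE = "https://www.googleapis.com/auth/admin.directory."
SCOPES = [BASE + s for s in (
    "device.chromeos", "device.chromeos.readonly", "device.mobile",
    "device.mobile.readonly", "device.mobile.action", "user.readonly", "user")]

def check_key_file(path):
    """Return (client_id, problems) for a downloaded service account JSON key."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:03o}: key file accessible beyond its owner")
    with open(path, encoding="utf-8") as fh:
        try:
            key = json.load(fh)
        except json.JSONDecodeError as exc:
            return None, problems + [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return None, problems + ["top-level JSON value is not an object"]
    if key.get("type") != "service_account":
        problems.append("'type' is not 'service_account' (wrong key type downloaded?)")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            problems.append(f"missing field: {field}")
    return key.get("client_id"), problems

def scope_entry(scopes=SCOPES):
    """Comma-separated scope string for the API client access form (step 5)."""
    return ",".join(scopes)

def broader_than_readonly(scopes=SCOPES):
    """Scopes in the list that are not a '.readonly' variant."""
    return [s for s in scopes if not s.endswith(".readonly")]

if __name__ == "__main__":
    import tempfile
    sample = {"type": "service_account", "client_id": "000000000000000000000",
              "client_email": "placeholder@example.invalid", "private_key": "PLACEHOLDER"}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(sample, tmp)                 # constructed key, not a real credential
    print(check_key_file(tmp.name), scope_entry(), sep="\n")
    os.unlink(tmp.name)
```

The `client_id` returned by `check_key_file` is the value entered in the Client Name field in step 4; `broader_than_readonly` shows which of the granted scopes go beyond read access when reviewing the authorization later.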

Configure Google Integration
You can integrate Google for Work with your network using Mojo Aware.

To configure Google integration:

1. Go to System > Google Integration.


2. Click Upload JSON Key File and .
The file selection window opens.
3. Select the JSON key file you have downloaded from Google and click Open.
The JSON file name shows up on the Aware screen.
4. Enter the Admin Email Address.
This is the email address associated with the service account JSON key created in Google.
5. Click Sync Client List to sync the list of clients with the Google server.
This updates the client list with the latest changes if any.
