WiFi Network Configuration Guide
Summary
This document outlines the comprehensive Wi-Fi network configuration for XNET's neutral host network, applying to all XNET-managed Wi-Fi deployments across enterprise and public venues. It ensures enterprise-grade security, carrier-grade performance, and regulatory compliance, incorporating standards such as Passpoint/Hotspot 2.0.
Configuration Status Overview
Enterprise-Grade Implementation
Security: WPA3-Enterprise, PMF, client isolation, attack prevention
Authentication: EAP-SIM/AKA + certificate-based methods, RADIUS integration
Passpoint: Hotspot 2.0 with US carrier MCC/MNC and ANQP discovery
Performance: 802.11k/v/r mobility, WMM QoS, RSSI management, MBO/OCE steering
Infrastructure: Multi-VLAN segmentation, tri-band RF optimization
Configuration Categories
This document categorizes parameters to indicate implementation requirements:
(Mandatory) - Must be implemented exactly as specified
(Standard) - Recommended values that can be optimized
(Site-Specific) - Must be customized per location
(Vendor-Specific) - Equipment-dependent configurations
(Carrier-Specific) - Varies by mobile network operator
1. Wireless LAN Configuration
These three subsections establish the fundamental wireless network infrastructure: (1.1) defines core SSID settings, network identifiers, and deployment parameters with mandatory, site-specific, and vendor-specific configurations, (1.2) implements traffic segmentation through multi-VLAN architecture to isolate carrier, guest, and management traffic into appropriate security zones, and (1.3) manages client connections through capacity limits, timeout controls, and load balancing mechanisms to ensure optimal network performance and resource utilization.
1.1 SSID and Network Settings (Mandatory/Site-Specific/Vendor-Specific)
| Parameter | Value | Notes |
|---|---|---|
| SSID Name (Mandatory) | XNET Passpoint | XNET network identifier |
| SSID Broadcast (Mandatory) | Enabled | While Hotspot 2.0-capable devices can discover hidden SSIDs via 802.11u/ANQP, enabling broadcast improves compatibility and simplifies troubleshooting. Disabling SSID broadcast may be considered for high-security environments but is not recommended for general deployments. |
| Site Name (Mandatory) | "XNET-Default" | Management system identifier; unique, detailed naming improves network operations and asset tracking |
| Time Zone (Site-Specific) | [Local Timezone], e.g. America/Los_Angeles | Configure per geographic location |
| VLAN ID (Site-Specific) | 1 (default) | Native/untagged traffic; coordinate with existing network infrastructure |
| Network Type (Vendor-Specific) | [Enterprise-Grade], e.g. Standard (Ruckus), Employee (Aruba), Corporate (Cisco/Ubiquiti) | Enterprise-grade deployment |
For AP location legitimacy and approved deployment sites, refer to Section 7.2 – Access Point Location Legitimacy.
1.2 Traffic Segmentation via Multi-VLAN (Site-Specific)
(Example Only)

| VLAN ID | Name | Purpose | Security Zone |
|---|---|---|---|
| 100 | MNO Primary | Primary carrier traffic segment | Restricted |
| 200 | MNO Secondary | Secondary carrier traffic segment | Restricted |
| 300 | Guest Network | Public internet access | DMZ |
| 10 | Management | Infrastructure control (out-of-band) | Secure |
1.3 Station Management (Standard)
| Parameter | Value | Purpose |
|---|---|---|
| Station Limits | 50 max concurrent | Per-AP capacity management |
| Inactivity Timeout | 600 seconds (10 min) | Automatic client cleanup |
| Probe Response Control | Disabled when max STA reached | Load balancing mechanism |
2. Radio Frequency (RF) Configuration
These two subsections establish the foundation for optimal wireless RF performance: (2.1) defines core radio parameters including beacon timing, channel utilization, and power management settings across both 2.4 GHz and 5 GHz bands, and (2.2) implements intelligent signal quality management through RSSI-based thresholds that control client association, maintain connection quality, and trigger seamless handoffs to ensure consistent wireless coverage and performance.
2.1 Basic Radio Parameters (Standard)
| Parameter | 2.4 GHz | 5 GHz | 6 GHz | Purpose |
|---|---|---|---|---|
| Beacon Interval | 100 ms | 100 ms | 100 ms | Discovery timing |
| Channel Width | 20/40 MHz | 20/40/80/160 MHz | 20/40/80/160/320 MHz | Throughput optimization |
| DTIM Period | 1 | 1 | 1 | Optimized for carrier responsiveness; DTIM=1 minimizes wake delays for VoLTE/VoWiFi at moderate battery cost |
| UAPSD | Enabled | Enabled | Enabled | Enables client-triggered power save for better battery life (may require compatibility testing) |
| MLO (Wi-Fi 7) | Enabled (Optional; less beneficial due to spectrum constraints) | Enabled (Recommended) | Enabled (Recommended) | Multi-Link Operation for faster roaming and throughput |
2.2 Signal Quality Management - RSSI Thresholds (Standard)
| Parameter | Threshold | Purpose |
|---|---|---|
| Probe Response Ignore | -75 dBm | Prevent weak initial connections |
| Association Reject | -70 dBm | Maintain connection quality |
| Disassociation Trigger | -85 dBm | Force handoff to stronger AP |
| Retry Timeout | 30 seconds | Optimize for dense deployments |
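The three RSSI thresholds above work as one policy: a client must be strong enough to get a probe response, stronger still to associate, and is only dropped once it falls well below the admission level, so there is a 15 dB hysteresis band that prevents flapping. The following Python is an added example (not code from the XNET guide) that models that policy; the threshold values are the table's, while the Decision type, the helper names and the sample RSSI trace are constructed here.

```python
"""RSSI admission and retention policy from the Signal Quality Management table.

Added example, not code from the XNET guide: the four thresholds are the
table's values; the Decision type, the helper names and the sample RSSI
trace are constructed here.
"""
from dataclasses import dataclass

# Thresholds from the table, in dBm (less negative = stronger signal).
PROBE_RESPONSE_IGNORE = -75    # do not answer probe requests from weaker clients
ASSOCIATION_REJECT = -70       # refuse association requests below this level
DISASSOCIATION_TRIGGER = -85   # drop an associated client that falls below this
RETRY_TIMEOUT_S = 30           # how long a rejected client is held off before retrying


@dataclass(frozen=True)
class Decision:
    probe: str         # "answer" or "ignore"
    association: str   # "accept" or "reject"
    retain: bool       # keep an already-associated client at this RSSI?


def evaluate(rssi_dbm: int) -> Decision:
    """Apply the three RSSI thresholds to a single reading."""
    return Decision(
        probe="answer" if rssi_dbm >= PROBE_RESPONSE_IGNORE else "ignore",
        association="accept" if rssi_dbm >= ASSOCIATION_REJECT else "reject",
        retain=rssi_dbm >= DISASSOCIATION_TRIGGER,
    )


def hysteresis_db() -> int:
    """Width of the band in which a client is kept but would not be admitted.

    A client must reach -70 dBm to associate but is only dropped below -85 dBm,
    so a 15 dB band absorbs normal fading without repeated join/leave cycles.
    """
    return ASSOCIATION_REJECT - DISASSOCIATION_TRIGGER


def simulate(readings):
    """Walk one client's RSSI trace and record what the AP does at each step.

    Returns a list of (rssi, action) pairs; 'retained' means the client stayed
    associated inside the hysteresis band.
    """
    associated = False
    events = []
    for rssi in readings:
        d = evaluate(rssi)
        if not associated:
            if d.association == "accept":
                associated = True
                events.append((rssi, "associated"))
            else:
                events.append((rssi, f"probe-{d.probe},assoc-reject"))
        elif d.retain:
            events.append((rssi, "retained"))
        else:
            associated = False
            events.append((rssi, "disassociated"))
    return events


if __name__ == "__main__":
    # Constructed trace: a client walking away from the AP and back.
    for rssi, action in simulate([-80, -72, -68, -75, -82, -86, -69]):
        print(f"{rssi:>4} dBm  {action}")
```

Note the reading at -72 dBm: it is above the probe-ignore line, so the AP answers the probe, yet below the association threshold, so the join is refused. That gap is intentional in the table (a client can see the network before it is strong enough to use it), and the simulation makes it visible.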
3. Performance Optimization
These four subsections form a complete wireless performance optimization framework: (3.1) maps wired network DSCP markings to wireless WMM categories at the controller level, (3.2) controls how clients compete for wireless medium access, (3.3) manages how Access Points (APs) prioritize outbound transmissions to clients, and (3.4) enhances client connectivity and mobility through intelligent steering, roaming assistance, and optimized association control for seamless network performance.
3.1 DSCP-to-WMM Mapping: Controller Level (Standard)
| Traffic Class | DSCP | WMM Access Category | Example Traffic |
|---|---|---|---|
| Voice | EF (46) | 6 (AC_VO) | VoLTE, VoWiFi calls |
| Video | AF41 (34) | 5 (AC_VI) | Video streaming, conferencing |
| Best Effort | Default (0) | 0 (AC_BE) | Web browsing, email |
| Background | CS1 (8) | 1 (AC_BK) | Software updates, backups |
3.2 EDCA Parameters: Client-Side Transmission (Standard)
| Access Category | CWmin | CWmax | AIFSN | TXOP Limit | ACM |
|---|---|---|---|---|---|
| AC_VO (Voice) | 2 | 3 | 1 | 47μs | 0 |
| AC_VI (Video) | 3 | 4 | 1 | 94μs | 0 |
| AC_BE (Best Effort) | 4 | 6 | 3 | 0 | 0 |
| AC_BK (Background) | 4 | 10 | 7 | 0 | 0 |
3.3 TX Queue Parameters: AP-Side Transmission (Standard)
| Queue | AIFS | CWmin | CWmax | Burst |
|---|---|---|---|---|
| Data0 (VO) | 1 | 3 | 7 | 1.5ms |
| Data1 (VI) | 1 | 7 | 15 | 3.0ms |
| Data2 (BE) | 3 | 15 | 63 | 0 |
| Data3 (BK) | 7 | 15 | 1023 | 0 |
3.4 Connectivity & Mobility Enhancements (Standard/Site-Specific)
| Feature | Setting | Purpose |
|---|---|---|
| MBO (Standard) | multi_band_operation = true | Multi-band optimization |
| OCE (Standard) | optimized_connectivity = true | Enhanced connectivity experience |
| 802.11k (Standard) | neighbor_reports = true | Radio resource management |
| 802.11v (Standard) | bss_transition = true | Network-assisted roaming |
| 802.11r (Standard/Site-Specific) | fast_roaming = true; mobility_domain = [site-specific-hex] | Fast BSS transition |
4. Security Configuration
These four subsections implement a comprehensive multi-layered security framework: (4.1) establishes enterprise-grade encryption and authentication using WPA3/WPA2-Enterprise with EAP-SIM/AKA methods for carrier integration and certificate-based options for community access, (4.2) deploys Layer 2 security controls including client isolation and broadcast filtering to prevent lateral threats, (4.3) enables proactive attack prevention mechanisms against KRACK vulnerabilities and connection exploits, and (4.4) configures access control policies and traffic filtering aligned with carrier offload requirements and site-specific service needs.
4.1 Encryption & Authentication Framework (Mandatory/Standard)
| Parameter | Value | Purpose |
|---|---|---|
| Encryption | WPA3/WPA2-Enterprise | WPA3 required for 6 GHz; WPA3 as primary/preferred, WPA2 as fallback for legacy device compatibility |
| EAP Methods | EAP-SIM / EAP-AKA | SIM-based service for MNO offloading |
| Management Protection | PMF (802.11w) enabled | Required for WPA3; universal security requirement for prevention of downgrade attacks |
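Whether an AP actually advertises what this table requires is visible in the RSN element of its beacons: the AKM list shows whether 802.1X (enterprise) authentication is offered, the cipher suites show whether TKIP has crept in, and bits 6 and 7 of the RSN Capabilities field (MFPR, MFPC) show whether PMF is required or merely capable. The Python below is an added example, not code from the XNET guide, that parses an RSN element and reports deviations from 4.1. The element layout and the 00-0F-AC suite selectors are from IEEE 802.11; the sample elements are constructed with `build_rsn()` rather than captured from an XNET AP, and the helper names are constructed here.

```python
"""Check a beacon's RSN element against the 4.1 requirements: an 802.1X
(enterprise) AKM, CCMP/GCMP ciphers, and PMF (802.11w) advertised.

Added example, not code from the XNET guide. The element layout and the
00-0F-AC suite selectors are from IEEE 802.11; the sample elements are
constructed with build_rsn() below, not captured from an XNET AP.
"""
import struct

ELEMENT_ID_RSN = 48
SUITE_OUI = b"\x00\x0f\xac"
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 5: "802.1X-SHA256",
        8: "SAE", 12: "802.1X-SuiteB-192"}
ENTERPRISE_AKMS = {1, 3, 5, 12}
MFPR, MFPC = 0x0040, 0x0080     # RSN Capabilities bits 6 and 7


def suite(selector: int) -> bytes:
    return SUITE_OUI + bytes([selector])


def suite_name(raw: bytes, table: dict) -> str:
    if raw[:3] != SUITE_OUI:
        return "vendor:" + raw.hex()
    return table.get(raw[3], f"unknown-{raw[3]}")


def build_rsn(group: int, pairwise, akms, caps: int) -> bytes:
    """Assemble an RSN element (used only to construct samples here)."""
    body = struct.pack("<H", 1) + suite(group)
    body += struct.pack("<H", len(pairwise)) + b"".join(map(suite, pairwise))
    body += struct.pack("<H", len(akms)) + b"".join(map(suite, akms))
    body += struct.pack("<H", caps)
    return bytes([ELEMENT_ID_RSN, len(body)]) + body


def parse_rsn(ie: bytes) -> dict:
    """Decode version, ciphers, AKMs and the PMF capability bits."""
    if len(ie) < 2 or ie[0] != ELEMENT_ID_RSN or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0
    version, = struct.unpack_from("<H", body, pos); pos += 2
    group = body[pos:pos + 4]; pos += 4
    n, = struct.unpack_from("<H", body, pos); pos += 2
    pairwise = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n)]; pos += 4 * n
    n, = struct.unpack_from("<H", body, pos); pos += 2
    akms = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n)]; pos += 4 * n
    # RSN Capabilities is optional; absent means all bits zero (no PMF).
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {
        "version": version,
        "group": suite_name(group, CIPHERS),
        "pairwise": [suite_name(p, CIPHERS) for p in pairwise],
        "akm_ids": [a[3] for a in akms if a[:3] == SUITE_OUI],
        "akm": [suite_name(a, AKMS) for a in akms],
        "mfpc": bool(caps & MFPC),
        "mfpr": bool(caps & MFPR),
    }


def assess(info: dict) -> list:
    """Return findings where the advertised RSN falls short of section 4.1."""
    findings = []
    if not info["mfpc"]:
        findings.append("PMF not advertised (MFPC=0): required for WPA3 and downgrade protection")
    elif not info["mfpr"]:
        findings.append("PMF optional (MFPR=0): fine for WPA2 fallback, but a WPA3-only BSS (e.g. 6 GHz) must require it")
    if "TKIP" in info["pairwise"] or info["group"] == "TKIP":
        findings.append("TKIP offered: enterprise profiles must use CCMP/GCMP only")
    if not ENTERPRISE_AKMS.intersection(info["akm_ids"]):
        findings.append("no 802.1X AKM: enterprise (EAP) authentication is not offered")
    return findings


if __name__ == "__main__":
    good = build_rsn(4, [4], [1, 5], MFPC | MFPR)   # constructed: Enterprise AKMs, CCMP, PMF required
    weak = build_rsn(2, [4, 2], [2], 0)             # constructed: PSK mixed mode, TKIP, no PMF
    for ie in (good, weak):
        print(parse_rsn(ie), assess(parse_rsn(ie)))
```

Feed this the RSN element from a captured beacon (for example the `wlan.rsn` bytes from a packet capture) to confirm that each XNET SSID really advertises PMF and an enterprise AKM before it is put into service; a WPA3/WPA2 transition BSS will legitimately show MFPC=1, MFPR=0, which the second finding calls out as acceptable only where WPA2 fallback is intended.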
4.2 Layer 2 Security Controls (Standard)
| Parameter | Value | Purpose |
|---|---|---|
| Client Isolation | Enabled | Prevents lateral device communication |
| Broadcast Filtering | Enabled | Blocks broadcast from unauthenticated clients |
| Proxy ARP | Enabled | Prevents ARP spoofing, reduces broadcast traffic |
4.3 Attack Prevention Controls (Standard)
| Parameter | Value | Purpose |
|---|---|---|
| EAPOL Key Retry Protection | Enabled | Prevents KRACK replay attacks on the handshake process |
| WNM Sleep Mode Protection | No Key Storage | Prevents key exposure during sleep transitions |
| Low Signal Disassociation | Enabled | Automatic cleanup of weak/problematic connections |
| RSN Pre-authentication | Enabled | Optimizes secure roaming between Access Points (APs) |
| Short Preamble Support | Enabled | Enhanced compatibility and performance |
4.4 Access Control & Filtering (Standard/Site-Specific)
| Parameter | Value | Purpose |
|---|---|---|
| MAC Address Filtering (Standard) | Disabled | Authentication handled by EAP-SIM/AKA |
| IGMP Proxy (Standard) | Disabled | Not required for carrier offload scenarios |
| Rate Limiting (Site-Specific) | Per-SSID / Per-VLAN / Per-AP | QoS-based traffic shaping by service requirements |
For operational compliance, refer also to Section 7 – Deployment & Compliance Guidelines, covering RADIUS proxy restrictions and AP location legitimacy.
5. Passpoint/Hotspot 2.0 Configuration
These four subsections implement a complete Passpoint ecosystem for seamless carrier offloading: (5.1) establishes core Hotspot 2.0 parameters including venue identification and service advertisement for automatic network discovery, (5.2) configures ANQP (Access Network Query Protocol) settings to enable pre-association network capability exchange and authentication method advertisement, (5.3) defines comprehensive US carrier MCC/MNC mappings with priority levels to support automatic carrier recognition and connection preferences, and (5.4) maps NAI realms to carrier-specific authentication domains, enabling transparent EAP-SIM/AKA authentication for subscribers across all major US mobile network operators.
5.1 Core Configuration Parameters (Mandatory)
| Parameter | Value | Purpose |
|---|---|---|
| Hotspot 2.0 Service | Enabled | Activates Passpoint functionality for seamless network authentication |
| Internet Access | Enabled/Advertised | Advertises public Internet availability to client devices |
| Venue Name | "XNET Neutral Host Network" | Public-facing network identifier broadcast during pre-association discovery, providing consistent XNET branding across all deployments |
| Venue URL | "https://xnetmobile.com" | XNET service information portal accessible post-connection, providing service details, terms of use, and MNO offloading support resources |
| Access Network Type | Chargeable Public Network | Defines the network as a carrier-grade paid service model for MNO offloading operations |
5.2 ANQP Settings (Mandatory/Standard/Carrier-Specific)
| Parameter | Value | Purpose |
|---|---|---|
| Interworking Element (Mandatory) | Enabled | Activates 802.11u interworking to support pre-association network discovery |
| NAI Realm Advertisement (Mandatory) | Enabled | Enables NAI realm advertisement for carrier authentication matching |
| Venue Information (Mandatory) | Enabled | Broadcasts venue details during network discovery |
| Authentication Methods (Mandatory) | EAP-SIM, EAP-AKA | Defines supported authentication protocols for carrier credentials |
| Realm Advertisement Policy (Standard) | Supported Realms Only | Advertises only configured carrier realms (recommended for performance) |
| Connection Capability (Standard) | Enabled | Advertises network capabilities (recommended for client optimization) |
| RCOI (Roaming Consortium Organization Identifier) (Carrier-Specific) | Configured Per Carrier [Provided separately] | Sets carrier-specific Organization Identifiers (required only for roaming partnerships) |
5.3 US Carrier MCC/MNC Mapping (Mandatory)
| MCC | MNC | Carrier | Notes |
|---|---|---|---|
| 310 | 410 | AT&T Mobility | Primary AT&T network |
| 310 | 150 | AT&T Mobility | Secondary AT&T allocation |
| 310 | 280 | AT&T Mobility | Additional AT&T allocation |
| 311 | 180 | AT&T Mobility | Legacy Pacific-Bell/Cingular |
| 313 | 100 | FirstNet | Dedicated public safety (AT&T) |
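A handset decides whether this network is "its" network by comparing the PLMNs advertised in the AP's ANQP 3GPP Cellular Network element against the PLMN on its SIM, so the MCC/MNC pairs above have to be encoded into that element exactly. The Python below is an added example, not code from the XNET guide: it packs each pair into the 3-byte BCD PLMN, frames the list the way the ANQP element carries it, and also renders the table as a hostapd `anqp_3gpp_cell_net` line. The MCC/MNC values are the table's; the BCD layout and element framing follow 3GPP TS 24.302 Annex H / IEEE 802.11u as hostapd implements them; the encoder also accepts 2-digit MNCs, which the table does not contain. The `standard_3gpp_realm()` helper is the generic TS 23.003 realm convention and does not reproduce the guide's own 5.4 NAI realm table; helper names are constructed here.

```python
"""3GPP PLMN identities for the carrier table in 5.3, as advertised through
the ANQP 3GPP Cellular Network element and as a hostapd anqp_3gpp_cell_net line.

Added example, not code from the XNET guide. The MCC/MNC pairs are the
table's; the BCD PLMN layout and element framing follow 3GPP TS 24.302
Annex H / IEEE 802.11u as implemented by hostapd; helper names are
constructed here. The realm derivation is the TS 23.003 convention and does
not reproduce the guide's own 5.4 NAI realm table.
"""
import struct

ANQP_3GPP_CELLULAR_NETWORK = 264   # ANQP Info ID

# (MCC, MNC, carrier) from the 5.3 table
CARRIERS = [
    ("310", "410", "AT&T Mobility"),
    ("310", "150", "AT&T Mobility"),
    ("310", "280", "AT&T Mobility"),
    ("311", "180", "AT&T Mobility"),
    ("313", "100", "FirstNet"),
]


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Pack MCC/MNC into the 3-byte BCD PLMN used by 3GPP and ANQP.

    Layout: [MCC2|MCC1] [MNC3|MCC3] [MNC2|MNC1]; a 2-digit MNC stores 0xF
    as MNC3. '310','410' becomes 13 00 14.
    """
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([(m[1] << 4) | m[0], (n[2] << 4) | m[2], (n[1] << 4) | n[0]])


def decode_plmn(b: bytes):
    """Inverse of encode_plmn; returns (mcc, mnc) strings."""
    if len(b) != 3:
        raise ValueError("PLMN is 3 bytes")
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc3 = b[1] >> 4
    mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if mnc3 == 0xF else str(mnc3))
    return mcc, mnc


def cellular_network_payload(plmns) -> bytes:
    """Element body: GUD, UDHL, PLMN List IEI, list length, PLMN count, PLMNs."""
    entries = b"".join(encode_plmn(mcc, mnc) for mcc, mnc in plmns)
    return bytes([0x00, 3 + len(entries), 0x00, 1 + len(entries), len(plmns)]) + entries


def anqp_element(payload: bytes) -> bytes:
    """Wrap a payload in the little-endian ANQP Info ID / Length header."""
    return struct.pack("<HH", ANQP_3GPP_CELLULAR_NETWORK, len(payload)) + payload


def hostapd_anqp_line(carriers) -> str:
    """hostapd's anqp_3gpp_cell_net=MCC,MNC;MCC,MNC;... form of the table."""
    return "anqp_3gpp_cell_net=" + ";".join(f"{mcc},{mnc}" for mcc, mnc, _ in carriers)


def standard_3gpp_realm(mcc: str, mnc: str) -> str:
    """TS 23.003 WLAN realm for EAP-SIM/AKA identities (MNC zero-padded to 3 digits)."""
    return f"wlan.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


if __name__ == "__main__":
    plmns = [(mcc, mnc) for mcc, mnc, _ in CARRIERS]
    print(hostapd_anqp_line(CARRIERS))
    print(anqp_element(cellular_network_payload(plmns)).hex())
    for mcc, mnc, name in CARRIERS:
        print(mcc, mnc, encode_plmn(mcc, mnc).hex(), standard_3gpp_realm(mcc, mnc), name)
```

The nibble-swapped BCD layout is the usual source of mismatches: a PLMN typed as `31 04 10` instead of `13 00 14` will never match a subscriber's SIM, and the handset simply will not auto-join. Running `decode_plmn` over the bytes an AP actually advertises (from an ANQP response in a capture) is a quick way to confirm the table was entered correctly.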
5.4 NAI Realm Configuration (Mandatory)
6. RADIUS Authentication
This section defines the RADIUS authentication setup for carrier credential validation, detailing server parameters, security settings, and site identifiers for EAP-SIM/AKA processing, with accounting integration for carrier billing and identity management.
6.1 Primary RADIUS Configuration (Mandatory/Standard/Site-Specific)
| Parameter | Value | Notes |
|---|---|---|
| Server IP (Mandatory) | [Provided separately] | XNET RADIUS server |
| Protocol (Mandatory) | RADIUS/UDP | RadSec for WRIX compliance; see 7.1 |
| Authentication Port (Mandatory) | 1812 | Standard (RFC 2865) |
| Accounting Port (Mandatory) | 1813 | Standard (RFC 2866) |
| Shared Secret (Mandatory) | [Provided separately] | Minimum 32 characters |
| Message Authenticator (Mandatory) | Enabled | For EAP packet integrity |
| EAP Re-authentication (Mandatory) | 3600 seconds (1 hour) | Periodic credential refresh |
| CUI Request (Mandatory) | Enabled | For billing |
| Request Timeout (Standard) | 5 seconds | Per-request timeout |
| Retry Attempts (Standard) | 3 | Max retransmission attempts |
| Accounting Interval (Standard) | 300 seconds | Interim accounting updates (5-minute intervals) |
| Dead-Time (Standard) | 600 seconds | Server failure recovery period |
| NAS-ID (Site-Specific) | [Site-Specific value] | Unique per Access Point (AP)/controller |
| NAS IP (Site-Specific) | [Site-Specific value] | Unique per Access Point (AP)/controller |
| NAS-Port-Type (Site-Specific) | Wireless-802.11 (19) | RFC 2865 defined port type |
| Called-Station-ID (Site-Specific) | [BSSID:SSID] | Format: AA:BB:CC:DD:EE:FF:NetworkName |
| VSA – Type 26 (Mandatory) | Type: 26 (Vendor-Specific); Vendor-ID: 126 (XNET); Vendor-Data: "34584e45543a5553" (hex-encoded "4XNET:US") | Vendor-ID 126 used to identify XNET for routing & service segmentation |
Note: Compliance with RADIUS proxy restrictions and message integrity requirements is mandatory. See Section 7.1 for full policy details.
7. Deployment & Compliance Guidelines
These guidelines establish operational, legal, and security requirements for all XNET-managed deployments, ensuring regulatory compliance, service integrity, and trust across carrier and venue partners.
7.1 RADIUS Proxy Restrictions (Mandatory)
To ensure accuracy, accountability, and fairness in XNET’s WiFi roaming and carrier offload ecosystem, RADIUS proxying on the WiFi infrastructure side is strictly prohibited.
No Infrastructure-Side Proxies
Access Points (APs) or Controllers must send authentication and accounting requests directly to XNET’s RADIUS server—no intermediary translation, filtering, or aggregation devices. Only carrier or partner-side proxies explicitly approved and registered with XNET are allowed.
Raw Message Integrity
Transmit all RADIUS attributes (session time, data volume, AP/session identifiers) in original form, without modification.
Source Validation
All RADIUS requests are subject to IP whitelisting and Message Authenticator verification where applicable.
Rationale: Prevents data loss or alteration, eliminates revenue disputes, and preserves trust among ISPs, MSPs, ANPs, IDPs, and end-users.
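The Message-Authenticator attribute from 6.1 is what makes the raw-message-integrity rule in 7.1 enforceable: it is an HMAC-MD5 over the whole Access-Request keyed with the shared secret, so any intermediary that rewrites an attribute without the secret produces a packet the XNET server will reject. The Python below is an added example, not XNET's code, serving both 6.1 and 7.1: it assembles an Access-Request carrying the 6.1 attributes (including the Type 26 VSA with Vendor-ID 126 and "4XNET:US", and the Called-Station-Id format), computes and verifies the Message-Authenticator, shows that a proxy-style rewrite of one attribute fails verification, and applies the 7.1 source allow-list and the 32-character secret minimum. Attribute type numbers are RFC 2865/2869 values. The shared secret, identity, addresses and NAS identifier are constructed placeholders; encoding the vendor data directly after the Vendor-Id, without an RFC 2865 Vendor-Type/Vendor-Length sub-header, follows the guide's wording and is an assumption.

```python
"""Access-Request with the 6.1 attributes, RFC 2869 Message-Authenticator added
on the AP side and verified on the XNET side, plus the 7.1 checks.

Added example, not XNET's code. Attribute types are RFC 2865/2869 values;
the XNET VSA (type 26, Vendor-ID 126, "4XNET:US") and Called-Station-Id
format come from the guide; secret, identity, addresses and NAS-ID are
constructed placeholders.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 4, 26
ATTR_CALLED_STATION_ID, ATTR_NAS_IDENTIFIER, ATTR_NAS_PORT_TYPE = 30, 32, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
XNET_VENDOR_ID = 126
XNET_VENDOR_DATA = bytes.fromhex("34584e45543a5553")   # "4XNET:US"
MIN_SECRET_LEN = 32


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the RADIUS length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def xnet_vsa() -> bytes:
    """Vendor-Specific: 4-byte Vendor-Id then the bare vendor data (assumption: no sub-header)."""
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack(">I", XNET_VENDOR_ID) + XNET_VENDOR_DATA)


def parse_attributes(pkt: bytes):
    """Return [(type, value), ...], rejecting malformed lengths."""
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("packet length mismatch")
    out, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def build_access_request(identifier: int, secret: bytes, attrs, authenticator=None) -> bytes:
    """Assemble the packet and set Message-Authenticator = HMAC-MD5(secret, packet with it zeroed)."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac            # the zeroed value is the last 16 bytes


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute zeroed; False if absent, malformed or wrong."""
    try:
        attrs = parse_attributes(pkt)
    except (ValueError, struct.error):
        return False
    pos = 20
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def rewrite_attr(pkt: bytes, atype: int, new_value: bytes) -> bytes:
    """What an intermediary without the secret can do: change one attribute, fix Length, keep the rest."""
    body = b"".join(attr(t, new_value if t == atype else v) for t, v in parse_attributes(pkt))
    return pkt[:2] + struct.pack(">H", 20 + len(body)) + pkt[4:20] + body


def secret_is_acceptable(secret: bytes) -> bool:
    return len(secret) >= MIN_SECRET_LEN


def source_allowed(src_ip: str, allowlist) -> bool:
    """7.1 source validation: the sending NAS must be on the registered allow-list."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowlist)


def demo_request(secret: bytes, authenticator: bytes = bytes(range(16))) -> bytes:
    """Constructed Access-Request with the 6.1 attributes (fixed authenticator for repeatability)."""
    identity = b"anonymous@example.invalid"                                  # constructed
    eap_identity = struct.pack(">BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    return build_access_request(7, secret, [
        attr(ATTR_USER_NAME, identity),
        attr(ATTR_NAS_IP_ADDRESS, ipaddress.ip_address("192.0.2.10").packed),   # constructed
        attr(ATTR_NAS_IDENTIFIER, b"site-id-placeholder"),
        attr(ATTR_NAS_PORT_TYPE, struct.pack(">I", NAS_PORT_TYPE_WIRELESS_80211)),
        attr(ATTR_CALLED_STATION_ID, b"AA:BB:CC:DD:EE:FF:XNET Passpoint"),
        xnet_vsa(),
        attr(ATTR_EAP_MESSAGE, eap_identity),
    ], authenticator)


if __name__ == "__main__":
    secret = b"constructed-shared-secret-at-least-32-bytes!"
    pkt = demo_request(secret)
    print("secret length ok:", secret_is_acceptable(secret))
    print("genuine packet verifies:", verify_message_authenticator(pkt, secret))
    altered = rewrite_attr(pkt, ATTR_CALLED_STATION_ID, b"00:11:22:33:44:55:XNET Passpoint")
    print("proxy-altered packet verifies:", verify_message_authenticator(altered, secret))
    print("source allowed:", source_allowed("192.0.2.10", ["192.0.2.0/24"]))
```

Two points for operators: the HMAC only protects the packet if the server actually enforces it (a server that merely logs a bad Message-Authenticator still accepts the altered accounting data 7.1 is worried about), and RADIUS/UDP leaves the attributes readable in transit even when they cannot be altered undetected, which is why the 6.1 table points at RadSec where WRIX compliance is required.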
7.2 Access Point Location Legitimacy (Mandatory)
All APs must be installed at approved, contracted locations and accurately registered in XNET’s asset management system.
Approved Physical Address
APs must be deployed at the physical address registered with XNET and listed in site onboarding records. Residential deployment is prohibited unless serving a public or business venue.
Accurate Registration
Location details must be correct at activation and continuously thereafter. Any change that invalidates the registered location will immediately revoke eligibility for rewards, carrier location approval, and paid offload participation.
Unauthorized Relocation Prohibited
APs may not be moved to unapproved locations without prior XNET authorization.
Venue Owner Consent
Installation requires documented consent from the property owner or authorized venue representative.
Rationale: Ensures lawful deployment, prevents fraudulent traffic origination, and upholds carrier contractual obligations.
This document provides a vendor-aligned, standards-based configuration guide to ensure secure, consistent, and efficient Wi-Fi deployments across all XNET-managed sites, with support for carrier offload.