|
Home > Configuration—Network Policies > Configure the SSID for a Standard Wireless Network > SSID Usage in Standard Wireless Networks > Configure Enterprise SSID Authentication
Logo

Configure Enterprise SSID Authentication

First, create a standard wireless network policy. For more information, see Configure the SSID for a Standard Wireless Network.

This task is part of the network policy configuration workflow. Use this task to configure the SSID AUTHENTICATION options for Enterprise SSID authentication.

  1. On the 2 Wireless page for the policy, select to add a new one.

    Alternatively, select an existing Enterprise SSID to edit.

  2. Under SSID Usage > SSID Authentication, select Enterprise.

    This option requires users to authenticate by entering a user name and password, which the system checks against a RADIUS authentication server.

  3. Optional: Enable Hotspot 2.0 support, or WBA Open Roaming.

    IQ Engine v10.7.4 is required. For more information, see Configure a Hotspot or Configure WBA Open Roaming.

  4. Select the required Key Management from the menu, or keep the default value.

    Key Management options:

    • WPA3-802.1X uses 128-bit encryption and automatically enables 802.11w Protected Management Frames, found in the Advanced Access Security Settings section of the Wireless Network configuration. If all wireless clients support WPA3, it is a better choice than WPA2.
    • WPA3-802.1X (192-bit) uses GCMP256 encryption, offering stronger protection than standard WPA2 or WPA3-Enterprise (128-bit). Requires IQ Engine version 10.8r5, or higher.
      Note

      Note

      Selecting WPA3-802.1X (1920bit) automatically selects GCMP256 encryption.
    • WPA2-802.1X supports PMK caching and preauthentication (WPA does not). If the wireless clients support WPA2, it is the better choice over WPA. If you have a lot of legacy clients connecting to the network, WPA2 is a good choice.
    • WPA-802.1X does not support PMK caching or preauthentication. However, if you know that all the clients that are going to use this SSID were released before IEEE 802.11i was ratified in 2004 and only support WPA (not WPA2), this option allows the Extreme Networks devices to support them.
  5. Select an Encryption Method:
    • CCMP (AES): Counter Mode-Cipher Block Chaining Message Authentication Code Protocol (CCMP) uses AES (Advanced Encryption Standard) encryption. CCMP provides message integrity by combining counter mode with CBC (cipher block chaining) to produce a MAC (message authentication code).
    • GCMP256: Galois/Counter Mode Protocol with 256-bit keys is an advanced encryption algorithm that uses 256-bit AES-GCMP encryption. GCMP256 offers stronger encryption and better performance in high-security wireless networks, particularly in WPA3-Enterprise (192-bit mode). GCMP256 provides message integrity by using a GMAC (Galois Message Authentication Code).
  6. Toggle Transition Mode if Applicable on.

    802.11w settings might have been changed. See Customize Advanced Access Security Controls to confirm.

    Important

    Important

    Transmission mode with Auto Protected Frame Management across all radios (including 6 GHz) requires IQ Engine 10.7.3. If you push the Auto setting to an AP with IQ Engine below 10.7.3, the AP defaults to the best available 802.11w setting available, so Protected Management Frames will be set to Mandatory.

    For more information, see Transition Mode Overview.

  7. Select SAVE.

Copyright © 2026 Extreme Networks. All rights reserved. Published February 17, 2026.