Citrix SD-WAN Orchestrator

Wi-Fi Access Point

You can configure a Citrix SD-WAN appliance that supports Wi-Fi as a Wi-Fi Access Point. A Citrix SD-WAN appliance configured as a Wi-Fi access point eliminates the need to maintain an extra access point appliance to create a WLAN. The devices on your LAN can connect to the Citrix SD-WAN appliance through Wi-Fi.

Note

Ensure that a DHCP server is available on the network to assign IP addresses to the host machines. If another DHCP server is not available on the network, you can configure the SD-WAN appliance as a DHCP server. For instructions, see DHCP server.

The following two variants of Citrix SD-WAN 110 platform support Wi-Fi and can be configured as a Wi-Fi access point:

  • Citrix SD-WAN 110-WiFi-SE
  • Citrix SD-WAN 110-LTE-WiFi

For more information about the platforms, see Citrix SD-WAN 110 SE.

Note

The Wi-Fi feature does not support High Availability (HA) in the Citrix SD-WAN 11.3 release.

You can configure and manage Citrix SD-WAN appliances that are configured as Access Points through Citrix SD-WAN Orchestrator service.

To configure Wi-Fi capabilities on a Citrix SD-WAN 110 appliance, ensure that the appropriate device model and submodel are selected on the Configuration > Site Configuration page.

110 device model

Select Enable Wi-Fi on the Wi-Fi Details page, to make the Citrix SD-WAN 110 appliance act as a Wi-Fi Access Point.

Enable Wi-Fi

Configure Wi-Fi radio settings

Configure the Wi-Fi radio settings by providing the following details.

  • Country: The country where the appliance is deployed. The country determines the allowed wireless radio settings for that country.

    Note

    The Country field is locked to USA and Canada for appliances sold to USA and Canada. For appliances sold to other countries, the Country field is set to Worldwide by default, allowing you to choose the appropriate country.

  • Band: The Citrix SD-WAN 110 appliance supports the 2.4 GHz and 5 GHz frequency bands. The 5 GHz band provides greater performance than the 2.4 GHz band, but is not compatible with all wireless devices. Select the band and protocol based on the devices that connect to the Citrix SD-WAN appliance. The Citrix SD-WAN 110 appliance does not support dual band; you can choose only one band at a time.
  • Protocol: Select the protocol based on the selected band. The 2.4 GHz band supports the 802.11n protocol, whereas the 5 GHz band supports both the 802.11n and 802.11ac protocols.

    Note

    The 802.11ac protocol is backwards compatible with 802.11n. It is recommended to use the 802.11ac protocol if the 5 GHz band is selected.

  • Channel: The available channels depend on the selected country and wireless protocol. By default, the channel is set to Auto. The Citrix SD-WAN appliance selects a channel with the least interference from the list available for the band. While not recommended, you can also manually select a channel, if necessary.

  • Channel Width: You can configure the channel to use a channel width of 20 MHz, 40 MHz, or 80 MHz (for certain 5 GHz channels only). By default, the channel width is set to the maximum available channel width for the band and channel selected.

Configure SSID

The Service set identifier (SSID) is used to identify a wireless network profile to establish and maintain wireless connectivity. You can configure up to four SSIDs on the Citrix SD-WAN appliance. SSIDs help you to configure your wireless network with different security levels, serving different types of users such as corporate users, home users, or guests.

Note

The Wi-Fi radio settings are common to all the SSIDs.

SSID settings

To configure SSIDs, provide the following details:

  • SSID Type: Citrix SD-WAN Orchestrator allows you to configure two types of SSID: Corporate and Home. For a Corporate SSID, it is recommended to create and use a Corporate SSID profile. For more details, see SSID profiles.
  • SSID Name: A unique identifier for the wireless network profile. The SSID names are case sensitive and can contain up to 32 alphanumeric characters. Do not include leading or trailing spaces in your SSID name.
  • SSID Broadcast: Enabling SSID broadcast makes the SSID name visible to all the devices in your network, allowing them to easily identify and connect to the Wi-Fi network. Disabling SSID broadcast makes the SSID name invisible to other devices. However, it only hides the name, not the network itself. Users that know the SSID name can still connect to your Wi-Fi network.
  • Client Isolation: Client isolation prevents clients connected to the same SSID from communicating with each other. For open authentication, where untrusted clients may connect, it is recommended to set Client Isolation to On.
  • Security: Citrix SD-WAN supports the following types of Wi-Fi security protocols:

    • Open: The Wi-Fi network is unsecure and anybody can connect to the wireless network. It is recommended to isolate open SSIDs to their own routing domain, to prevent untrusted clients from compromising personal (home) or corporate networks.
    • WPA2 Personal: The Wi-Fi Protected Access (WPA) 2 protocol, pre-shared key mode, commonly referred to as “personal”, is used to secure the Wi-Fi network. With this protocol, you can configure a passphrase as a pre-shared key (PSK). Anybody that knows the SSID and passphrase can connect to your Wi-Fi network. This is typically used for home networks. It is recommended to isolate home SSIDs to their own routing domain, to prevent untrusted clients from compromising the corporate network.
    • WPA2 Enterprise: The enterprise version of the Wi-Fi Protected Access (WPA) 2 protocol is used to provide enterprise-grade authentication to access your Wi-Fi network. A user name and password are required to log in. A RADIUS server authenticates the user name and password. You can select the Primary and Secondary RADIUS profiles, which point to a primary and secondary RADIUS server respectively. If the primary RADIUS server is down, the secondary server is used for authentication. For more information on creating RADIUS profiles, see RADIUS server profiles.

      Note

      Each site can have up to two RADIUS server profiles assigned on each WPA2 enterprise SSID.

    • WPA3 Personal: Similar to WPA2 Personal, you use a PSK to connect to the network. It uses the latest version of the Wi-Fi Protected Access protocol. Only the devices that support WPA3 can connect to this network.
    • WPA3 Transition: Allows WPA3 capable devices to connect using the new WPA3 security protocol, and the unsupported devices to continue to use the WPA2 security protocol. Devices that use WPA3 or WPA2 Personal version can use the same PSK to connect to this network.
  • VLAN ID: Associates the SSID with a VLAN identifier. The VLAN identifier can be reused when the SSID is assigned to a virtual interface, to associate it with an external VLAN or associate it with a distinct routing domain.

You can also save the Corporate SSID configuration as an SSID profile. It allows you to easily reuse and manage SSID configuration across multiple sites. For more details, see SSID profiles.

The configured SSIDs appear as virtual interfaces when you configure Interfaces. This allows you to use the SSIDs in your SD-WAN configuration or to enhance network security. For example, you can mark all the traffic over a particular SSID as belonging to a particular routing domain or assign it to a specific VLAN. This routing domain can further be configured to have access to specific networks and resources. If a combination of corporate, home, and guest wireless networks is configured, it is critical to associate them with different routing domains, to ensure tenant isolation and prevent rogue or compromised clients in one network from compromising the others.
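The radio, SSID, and routing-domain rules described above can be checked against a planned site configuration before it is entered in the Orchestrator. The following is an added example, not Citrix code: the dictionary layout, the `audit_wifi` and `trust_class` names, and the sample site are assumptions made for illustration, and the requirement of at least one RADIUS profile for WPA2 Enterprise is inferred from the need for a RADIUS server.

```python
# Added example: the dict layout below is hypothetical, not an Orchestrator format.
PROTOCOLS = {"2.4GHz": {"802.11n"}, "5GHz": {"802.11n", "802.11ac"}}

def trust_class(ssid):
    # Open SSIDs are treated as guest networks regardless of SSID type.
    return "guest" if ssid["security"] == "open" else ssid["type"]

def audit_wifi(site):
    """Return findings for one site's planned Wi-Fi settings."""
    findings = []
    radio, ssids = site["radio"], site["ssids"]
    if radio["protocol"] not in PROTOCOLS.get(radio["band"], set()):
        findings.append(f"radio: {radio['protocol']} is not offered on {radio['band']}")
    if radio["width_mhz"] == 80 and radio["band"] != "5GHz":
        findings.append("radio: 80 MHz width is only for certain 5 GHz channels")
    if len(ssids) > 4:
        findings.append("site: more than four SSIDs")
    seen, domains = set(), {}
    for s in ssids:
        name = s["name"]
        if not name or len(name) > 32 or name != name.strip():
            findings.append(f"{name!r}: bad SSID name length or leading/trailing space")
        if name in seen:  # names are case sensitive, so compare exactly
            findings.append(f"{name!r}: duplicate SSID name")
        seen.add(name)
        if s["security"] == "open" and not s["client_isolation"]:
            findings.append(f"{name!r}: open SSID without client isolation")
        n_radius = len(s.get("radius_profiles", []))
        if s["security"] == "wpa2-enterprise" and not 1 <= n_radius <= 2:
            findings.append(f"{name!r}: WPA2 Enterprise needs one or two RADIUS profiles")
        domains.setdefault(s["routing_domain"], set()).add(trust_class(s))
    for domain, classes in sorted(domains.items()):
        if len(classes) > 1:  # different trust levels share one routing domain
            findings.append(f"routing domain {domain!r} mixes {', '.join(sorted(classes))} SSIDs")
    return findings

# Constructed sample site (all names and values are made up for the example).
SAMPLE_SITE = {
    "radio": {"band": "2.4GHz", "protocol": "802.11ac", "width_mhz": 40},
    "ssids": [
        {"name": "CorpNet", "type": "corporate", "security": "wpa2-enterprise",
         "client_isolation": False, "routing_domain": "Corp",
         "radius_profiles": ["radius-primary", "radius-secondary"]},
        {"name": "HomeNet", "type": "home", "security": "wpa3-personal",
         "client_isolation": False, "routing_domain": "Corp"},
        {"name": "Guest ", "type": "home", "security": "open",
         "client_isolation": False, "routing_domain": "Guest"},
    ],
}
```

Running `audit_wifi(SAMPLE_SITE)` reports the 802.11ac/2.4 GHz mismatch, the trailing space and missing client isolation on the open SSID, and the home SSID sharing the corporate routing domain.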

SSID in Interfaces

RADIUS server profiles

The WPA2 Enterprise protocol provides enterprise-grade authentication to your wireless network. A user name and password are required to log in to the wireless network using the WPA2 enterprise protocol. The user name and password are authenticated by a RADIUS server, which is configured using RADIUS profiles. The RADIUS profiles can be applied to multiple sites while configuring SSIDs. For more details, see Configure SSIDs.

The RADIUS profiles are dynamic in nature. Any changes made to a RADIUS profile are reflected across all the sites where the RADIUS profile is used. Each WPA2 enterprise SSID can have up to two RADIUS server profiles assigned to it. To manage RADIUS profiles, at the network level, navigate to Configuration > Security > RADIUS Profiles. All the available RADIUS profiles are listed, and you can edit or delete the profiles.

RADIUS profiles

To create a RADIUS profile, click Add and provide the following details:

  • Radius Profile Name: A unique name to identify the RADIUS server profile.
  • Auth Server IP: The IP address of the RADIUS authentication server. The authentication server might be located at the Data Center, accessible through the management interface or in-band management.
  • Auth Server Port: The port number of the RADIUS authentication server. The default port number is 1812.
  • Auth Server Secret: The secret passphrase to connect to the authentication server. Only the authorized clients that know the secret key can connect to the authentication server and send authentication requests.
  • NAS-identifier: Configure the same Network Access Server (NAS) identifier on the RADIUS server and Citrix SD-WAN appliance. It allows the RADIUS server to identify the correct RADIUS client and perform the authentication. It is a Fully Qualified Domain Name. A special tag {SITENAME} is used. The tag is replaced in the NAS identifier with the respective site name for each site.

The RADIUS accounting server optionally collects network monitoring and statistics data. The accounting process starts when access to the RADIUS server is granted and if the Acct-Interim-Interval AVP is present in the RADIUS Access-Accept message. In this case, the Citrix SD-WAN RADIUS client reports session details, such as total time and total data and packets transferred, every Acct-Interim-Interval seconds. The accounting server can be the same as the authentication server or a different server. To enable the optional RADIUS accounting capability, select Configure RADIUS accounting and provide the following details.

  • Account Server IP: The IP address of the accounting server.
  • Account Server Port: The port number of the accounting server. The default port number is 1813.
  • Account Server Secret: The secret passphrase to connect to the accounting server. Only the authorized clients that know the secret key can connect to the accounting server and send accounting requests.

Create RADIUS profiles

You can also create a RADIUS profile directly from the Wi-Fi details page, while configuring sites. You can also perform operations such as edit, clone, and delete.

SSID profiles

The Service set identifier (SSID) is used to identify a wireless network profile to establish and maintain wireless connectivity. You can configure up to four SSIDs on the Citrix SD-WAN appliance. SSIDs help you to configure your wireless network with different security levels, serving different types of users such as corporate users, home users, or guests.

In large deployments that use corporate SSIDs, it is expected that the same SSID settings be replicated across numerous appliances. The commonly used settings can be stored as an SSID profile. The SSID profiles are dynamic in nature. Any changes made to an SSID profile are reflected across all the sites where this SSID profile is used.

To manage SSID profiles, at the network level, navigate to Configurations > Security > SSID Profiles. All the available SSID profiles are listed.

Manage SSID profiles

To create a new SSID profile, click Add. For more details on configuring SSID, see Configure SSIDs.

You can also perform operations such as edit, clone, and delete.

Wi-Fi diagnostics

To capture Wi-Fi traffic details, at the network level, navigate to Troubleshooting > Diagnostics and select the Packet Capture check box. Choose the appropriate Wi-Fi interface.

Note

Traffic between wireless clients is isolated from the data path on the Citrix SD-WAN 110 platform and is therefore not part of the packet capture.

For detailed information on packet capture, see Diagnostics.
