WiFi Network Configuration Guide
Summary
This document outlines the comprehensive Wi-Fi network configuration for XNET's neutral host network, applying to all XNET-managed Wi-Fi deployments across enterprise and public venues. It ensures enterprise-grade security, carrier-grade performance, and regulatory compliance, incorporating standards such as Passpoint/Hotspot 2.0.
Configuration Status Overview
Enterprise-Grade Implementation
- Security: WPA3-Enterprise, PMF, client isolation, attack prevention
- Authentication: EAP-SIM/AKA + certificate-based methods, RADIUS integration
- Passpoint: Hotspot 2.0 with US carrier MCC/MNC and ANQP discovery
- Performance: 802.11k/v/r mobility, WMM QoS, RSSI management, MBO/OCE steering
- Infrastructure: Multi-VLAN segmentation, tri-band RF optimization
Configuration Categories
This document categorizes parameters to indicate implementation requirements:
- (Mandatory) - Must be implemented exactly as specified
- (Standard) - Recommended values that can be optimized
- (Site-Specific) - Must be customized per location
- (Vendor-Specific) - Equipment-dependent configurations
- (Carrier-Specific) - Varies by mobile network operator
1. Wireless LAN Configuration
These three subsections establish the fundamental wireless network infrastructure: (1.1) defines core SSID settings, network identifiers, and deployment parameters with mandatory, site-specific, and vendor-specific configurations, (1.2) implements traffic segmentation through multi-VLAN architecture to isolate carrier, guest, and management traffic into appropriate security zones, and (1.3) manages client connections through capacity limits, timeout controls, and load balancing mechanisms to ensure optimal network performance and resource utilization.
1.1 SSID and Network Settings (Mandatory/Site-Specific/Vendor-Specific)
| Parameter | Value | Notes |
|---|---|---|
| SSID Name (Mandatory) | XNET Passpoint | XNET network identifier |
| SSID Broadcast (Mandatory) | Enabled | While Hotspot 2.0-capable devices can discover hidden SSIDs via 802.11u/ANQP, enabling broadcast improves compatibility and simplifies troubleshooting. Disabling SSID broadcast may be considered for high-security environments but is not recommended for general deployments. |
| Site Name (Mandatory) | "XNET-Default" | Management system identifier - unique, detailed naming improves network operations and asset tracking |
| Time Zone (Site-Specific) | [Local Timezone] e.g. America/Los_Angeles | Configure per geographic location |
| VLAN ID (Site-Specific) | 1 (default) | Native/untagged traffic - coordinate with existing network infrastructure |
| Network Type (Vendor-Specific) | [Enterprise-Grade] e.g. Standard (Ruckus), Employee (Aruba), Corporate (Cisco/Ubiquiti) | Enterprise-grade deployment |
For AP location legitimacy and approved deployment sites, refer to Section 7.2 – Access Point Location Legitimacy.
1.2 Traffic Segmentation via Multi-VLAN (Site-Specific)
(Example Only)
| VLAN ID | Purpose | Description | Security Zone |
|---|---|---|---|
| 100 | MNO Primary | Primary carrier traffic segment | Restricted |
| 200 | MNO Secondary | Secondary carrier traffic segment | Restricted |
| 300 | Guest Network | Public internet access | DMZ |
| 10 | Management | Infrastructure control (out-of-band) | Secure |
1.3 Station Management (Standard)
| Parameter | Setting | Purpose |
|---|---|---|
| Station Limits | 50 max concurrent | Per-AP capacity management |
| Inactivity Timeout | 600 seconds (10 min) | Automatic client cleanup |
| Probe Response Control | Disabled when max STA | Stops answering probe requests once the station limit is reached, so new clients associate with less loaded APs (load balancing) |
2. Radio Frequency (RF) Configuration
These two subsections establish the foundation for optimal wireless RF performance: (2.1) defines core radio parameters including beacon timing, channel utilization, and power management settings across both 2.4 GHz and 5 GHz bands, and (2.2) implements intelligent signal quality management through RSSI-based thresholds that control client association, maintain connection quality, and trigger seamless handoffs to ensure consistent wireless coverage and performance.
2.1 Basic Radio Parameters (Standard)
| Parameter | 2.4 GHz | 5 GHz | 6 GHz | Purpose |
|---|---|---|---|---|
| Beacon Interval | 100ms | 100ms | 100ms | Discovery timing |
| Channel Width | 20/40 MHz | 20/40/80/160 MHz | 20/40/80/160/320 MHz | Throughput optimization |
| DTIM Period | 1 | 1 | 1 | Optimized for carrier responsiveness; DTIM=1 minimizes wake delays for VoLTE/VoWiFi at moderate battery cost |
| UAPSD | Enabled | Enabled | Enabled | Enables client-triggered power save for better battery life (may require compatibility testing) |
| MLO (Wi-Fi 7) | Enabled (Optional - less beneficial due to spectrum constraints) | Enabled (Recommended) | Enabled (Recommended) | Multi-Link Operation for faster roaming and throughput |
2.2 Signal Quality Management - RSSI Thresholds (Standard)
| Threshold Type | Value | Purpose |
|---|---|---|
| Probe Response Ignore | -75 dBm | Prevent weak initial connections |
| Association Reject | -70 dBm | Maintain connection quality |
| Disassociation Trigger | -85 dBm | Force handoff to stronger AP |
| Retry Timeout | 30 seconds | Optimize for dense deployments |
3. Quality of Service (QoS) & Mobility Configuration
These four subsections form a complete wireless performance optimization framework: (3.1) maps wired-network DSCP markings to wireless WMM categories at the controller level, (3.2) controls how clients contend for the wireless medium, (3.3) manages how Access Points (APs) prioritize outbound transmissions to clients, and (3.4) enhances client connectivity and mobility through intelligent steering, roaming assistance, and optimized association control for seamless network performance.
3.1 DSCP-to-WMM Mapping: Controller Level (Standard)
| Traffic Type | DSCP Marking | WMM Priority | Use Cases |
|---|---|---|---|
| Voice | EF (46) | 6 (AC_VO) | VoLTE, VoWiFi calls |
| Video | AF41 (34) | 5 (AC_VI) | Video streaming, conferencing |
| Best Effort | Default (0) | 0 (AC_BE) | Web browsing, email |
| Background | CS1 (8) | 1 (AC_BK) | Software updates, backups |
3.2 EDCA Parameters: Client-Side Transmission (Standard)
| Access Category | CWmin | CWmax | AIFS | TXOP Limit | ACM |
|---|---|---|---|---|---|
| AC_VO (Voice) | 2 | 3 | 1 | 47μs | 0 |
| AC_VI (Video) | 3 | 4 | 1 | 94μs | 0 |
| AC_BE (Best Effort) | 4 | 6 | 3 | 0 | 0 |
| AC_BK (Background) | 4 | 10 | 7 | 0 | 0 |
3.3 TX Queue Parameters: AP-Side Transmission (Standard)
| Queue | AIFS | CWmin | CWmax | Burst |
|---|---|---|---|---|
| Data0 (VO) | 1 | 3 | 7 | 1.5ms |
| Data1 (VI) | 1 | 7 | 15 | 3.0ms |
| Data2 (BE) | 3 | 15 | 63 | 0 |
| Data3 (BK) | 7 | 15 | 1023 | 0 |
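The client-side table (3.2) and the AP-side table (3.3) express the same contention behaviour in two different encodings, and it is worth checking that they agree before pushing either to hardware. The script below is an added example, not part of the XNET guide; it assumes the hostapd conventions, under which the wmm_ac_* values in 3.2 are ECW exponents (window = 2^n - 1) with the TXOP limit counted in 32 µs units, while the tx_queue_data* values in 3.3 are actual window sizes with burst in milliseconds. The table values are the page's own; the helper names are this example's.

```python
"""Cross-check of the EDCA tables in Sections 3.2 and 3.3 (added example)."""

# Section 3.2: client-side EDCA parameters, exponent form (hostapd wmm_ac_* convention).
CLIENT_EDCA = {
    "vo": {"cwmin": 2, "cwmax": 3, "aifs": 1, "txop_limit": 47, "acm": 0},
    "vi": {"cwmin": 3, "cwmax": 4, "aifs": 1, "txop_limit": 94, "acm": 0},
    "be": {"cwmin": 4, "cwmax": 6, "aifs": 3, "txop_limit": 0, "acm": 0},
    "bk": {"cwmin": 4, "cwmax": 10, "aifs": 7, "txop_limit": 0, "acm": 0},
}

# Section 3.3: AP-side TX queue parameters, actual window sizes and burst in ms.
AP_TX_QUEUE = {
    "vo": {"queue": "data0", "aifs": 1, "cwmin": 3, "cwmax": 7, "burst_ms": 1.5},
    "vi": {"queue": "data1", "aifs": 1, "cwmin": 7, "cwmax": 15, "burst_ms": 3.0},
    "be": {"queue": "data2", "aifs": 3, "cwmin": 15, "cwmax": 63, "burst_ms": 0.0},
    "bk": {"queue": "data3", "aifs": 7, "cwmin": 15, "cwmax": 1023, "burst_ms": 0.0},
}

PRIORITY_ORDER = ("vo", "vi", "be", "bk")  # highest to lowest priority


def cw_from_exponent(exponent: int) -> int:
    """Window size for an ECW exponent as carried in the EDCA Parameter Set element."""
    if not 0 <= exponent <= 15:
        raise ValueError("ECW exponent must fit in 4 bits")
    return 2 ** exponent - 1


def txop_limit_to_ms(units: int) -> float:
    """The TXOP limit is transmitted in units of 32 microseconds."""
    return units * 32 / 1000.0


def client_params_in_ap_form(ac: str) -> dict:
    """Express a Section 3.2 row in the units used by the Section 3.3 table."""
    p = CLIENT_EDCA[ac]
    return {
        "aifs": p["aifs"],
        "cwmin": cw_from_exponent(p["cwmin"]),
        "cwmax": cw_from_exponent(p["cwmax"]),
        "burst_ms": txop_limit_to_ms(p["txop_limit"]),
    }


def check_consistency(burst_tolerance_ms: float = 0.01) -> list:
    """Mismatches between the two tables plus priority-order violations; empty when clean."""
    problems = []
    for ac in PRIORITY_ORDER:
        client, ap = client_params_in_ap_form(ac), AP_TX_QUEUE[ac]
        for key in ("aifs", "cwmin", "cwmax"):
            if client[key] != ap[key]:
                problems.append(f"{ac}: {key} client={client[key]} ap={ap[key]}")
        if abs(client["burst_ms"] - ap["burst_ms"]) > burst_tolerance_ms:
            problems.append(f"{ac}: burst client={client['burst_ms']} ap={ap['burst_ms']}")
        if ap["cwmin"] > ap["cwmax"]:
            problems.append(f"{ac}: cwmin exceeds cwmax")
    # A higher-priority category must never wait longer than a lower-priority one.
    for hi, lo in zip(PRIORITY_ORDER, PRIORITY_ORDER[1:]):
        for key in ("aifs", "cwmin"):
            if AP_TX_QUEUE[hi][key] > AP_TX_QUEUE[lo][key]:
                problems.append(f"{hi} has a larger {key} than {lo}")
    return problems


def render_hostapd_wmm() -> list:
    """hostapd.conf lines for both tables (assumed option names, see lead-in)."""
    lines = ["wmm_enabled=1"]
    for ac, p in CLIENT_EDCA.items():
        for key in ("aifs", "cwmin", "cwmax", "txop_limit", "acm"):
            lines.append(f"wmm_ac_{ac}_{key}={p[key]}")
    for p in AP_TX_QUEUE.values():
        q = p["queue"]
        lines += [f"tx_queue_{q}_aifs={p['aifs']}", f"tx_queue_{q}_cwmin={p['cwmin']}",
                  f"tx_queue_{q}_cwmax={p['cwmax']}", f"tx_queue_{q}_burst={p['burst_ms']:g}"]
    return lines


if __name__ == "__main__":
    print("\n".join(render_hostapd_wmm()))
    print("problems:", check_consistency() or "none")
```

With the page's numbers the check comes back clean: the exponent pairs 2/3, 3/4, 4/6 and 4/10 expand to the 3/7, 7/15, 15/63 and 15/1023 windows of the AP-side table, and TXOP limits of 47 and 94 units come to 1.504 ms and 3.008 ms, within rounding of the 1.5 ms and 3.0 ms bursts.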
3.4 Connectivity & Mobility Enhancements (Standard/Site-Specific)
| Feature | Configuration | Purpose |
|---|---|---|
| MBO (Standard) | multi_band_operation = true | Multi-band optimization |
| OCE (Standard) | optimized_connectivity = true | Enhanced connectivity experience |
| 802.11k (Standard) | neighbor_reports = true | Radio resource management |
| 802.11v (Standard) | bss_transition = true | Network-assisted roaming |
| 802.11r (Standard/Site-Specific) | fast_roaming = true; mobility_domain = [site-specific-hex] | Fast BSS transition |
4. Security Configuration
These four subsections implement a comprehensive multi-layered security framework: (4.1) establishes enterprise-grade encryption and authentication using WPA3/WPA2-Enterprise with EAP-SIM/AKA methods for carrier integration and certificate-based options for community access, (4.2) deploys Layer 2 security controls including client isolation and broadcast filtering to prevent lateral threats, (4.3) enables proactive attack prevention mechanisms against KRACK vulnerabilities and connection exploits, and (4.4) configures access control policies and traffic filtering aligned with carrier offload requirements and site-specific service needs.
4.1 Encryption & Authentication Framework (Mandatory/Standard)
| Parameter | Primary | Implementation Notes |
|---|---|---|
| Encryption | WPA3/WPA2-Enterprise | WPA3 is required on 6 GHz; elsewhere WPA3 is the primary/preferred mode, with WPA2 as a fallback for legacy device compatibility |
| EAP Methods | EAP-SIM / EAP-AKA | SIM-based service for MNO offloading |
| Management Protection | PMF (802.11w) enabled | Required for WPA3; a universal requirement that protects management frames and prevents downgrade attacks |
4.2 Layer 2 Security Controls (Standard)
| Setting | Value | Purpose |
|---|---|---|
| Client Isolation | Enabled | Prevents lateral device communication |
| Broadcast Filtering | Enabled | Blocks broadcast from unauthenticated clients |
| Proxy ARP | Enabled | Prevents ARP spoofing, reduces broadcast traffic |
4.3 Attack Prevention Controls (Standard)
| Feature | Status | Purpose |
|---|---|---|
| EAPOL Key Retry Protection | Enabled | Prevents KRACK-style replay of 4-way handshake messages (key reinstallation) |
| WNM Sleep Mode Protection | No Key Storage | Prevents key exposure during sleep transitions |
| Low Signal Disassociation | Enabled | Automatic cleanup of weak/problematic connections |
| RSN Pre-authentication | Enabled | Optimizes secure roaming between Access Points (APs) |
| Short Preamble Support | Enabled | Enhanced compatibility and performance |
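The rules in 4.1 to 4.3 are easy to state and easy to get subtly wrong in a mixed WPA3/WPA2 deployment, so a small lint run over each SSID profile before rollout catches the common slips. The script below is an added example, not XNET's or any vendor's code. It models an SSID with the hostapd option names assumed to back the table rows (wpa_key_mgmt with WPA-EAP-SHA256 or WPA-EAP-SUITE-B-192 for WPA3-Enterprise and WPA-EAP for the WPA2 fallback, ieee80211w for PMF, ap_isolate, proxy_arp, wpa_disable_eapol_key_retries, wnm_sleep_mode_no_keys, rsn_preauth) and encodes the guide's rules: WPA3 is primary, PMF is required for WPA3, 6 GHz is WPA3-only, and the Layer 2 and attack-prevention controls stay on. One caveat it also flags: requiring PMF on an SSID that keeps the WPA2 fallback rejects legacy clients that cannot do 802.11w, which defeats the reason for the fallback.

```python
"""Security-profile lint for Sections 4.1 to 4.3 (added example, hostapd option names assumed)."""
from dataclasses import dataclass

WPA3_ENTERPRISE_AKMS = {"WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}
WPA2_ENTERPRISE_AKMS = {"WPA-EAP"}


@dataclass
class SecurityProfile:
    band_ghz: int                  # 2, 5 or 6
    key_mgmt: tuple                # hostapd wpa_key_mgmt tokens
    pmf: int = 2                   # ieee80211w: 0 disabled, 1 optional, 2 required
    ap_isolate: bool = True        # Section 4.2 client isolation
    proxy_arp: bool = True         # Section 4.2
    disable_eapol_key_retries: bool = True   # Section 4.3 EAPOL key retry protection
    wnm_sleep_mode_no_keys: bool = True      # Section 4.3
    rsn_preauth: bool = True                 # Section 4.3


REQUIRED_CONTROLS = (
    ("ap_isolate", "client isolation disabled (Section 4.2)"),
    ("proxy_arp", "Proxy ARP disabled (Section 4.2)"),
    ("disable_eapol_key_retries", "EAPOL key retry protection disabled (Section 4.3)"),
    ("wnm_sleep_mode_no_keys", "keys would be sent in WNM Sleep Mode responses (Section 4.3)"),
    ("rsn_preauth", "RSN pre-authentication disabled (Section 4.3)"),
)


def lint(profile: SecurityProfile) -> list:
    """Findings as strings; an empty list means the profile follows Sections 4.1-4.3."""
    findings = []
    akms = set(profile.key_mgmt)
    has_wpa3 = bool(akms & WPA3_ENTERPRISE_AKMS)
    has_wpa2 = bool(akms & WPA2_ENTERPRISE_AKMS)
    if not has_wpa3:
        findings.append("no WPA3-Enterprise AKM; WPA3 must be primary (Section 4.1)")
    if profile.pmf == 0:
        findings.append("PMF disabled; 802.11w must be enabled (Section 4.1)")
    if profile.band_ghz == 6 and (has_wpa2 or profile.pmf != 2):
        findings.append("6 GHz requires WPA3-only with PMF required (Section 4.1)")
    if has_wpa3 and not has_wpa2 and profile.pmf != 2:
        findings.append("WPA3-only SSID must require PMF (ieee80211w=2)")
    if has_wpa2 and profile.pmf == 2 and profile.band_ghz != 6:
        # Not insecure, but it defeats the stated purpose of the WPA2 fallback.
        findings.append("PMF required with WPA2 fallback: legacy clients without 802.11w will be rejected")
    for attr_name, message in REQUIRED_CONTROLS:
        if not getattr(profile, attr_name):
            findings.append(message)
    return findings


def render_hostapd_security(profile: SecurityProfile) -> list:
    """hostapd.conf lines for the profile (assumed option names, see lead-in)."""
    return [
        "wpa=2",
        "wpa_key_mgmt=" + " ".join(profile.key_mgmt),
        "rsn_pairwise=CCMP",
        f"ieee80211w={profile.pmf}",
        f"ap_isolate={int(profile.ap_isolate)}",
        f"proxy_arp={int(profile.proxy_arp)}",
        f"wpa_disable_eapol_key_retries={int(profile.disable_eapol_key_retries)}",
        f"wnm_sleep_mode_no_keys={int(profile.wnm_sleep_mode_no_keys)}",
        f"rsn_preauth={int(profile.rsn_preauth)}",
    ]


if __name__ == "__main__":
    transition = SecurityProfile(band_ghz=5, key_mgmt=("WPA-EAP-SHA256", "WPA-EAP"), pmf=1)
    print("\n".join(render_hostapd_security(transition)))
    print("findings:", lint(transition) or "none")
```

The 5 GHz transition profile (WPA3 primary, WPA2 fallback, PMF optional) lints clean; the same key management on 6 GHz, or a WPA2-only profile with PMF off and isolation disabled, produces findings.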
4.4 Access Control & Filtering (Standard/Site-Specific)
| Feature | Status | Implementation |
|---|---|---|
| MAC Address Filtering (Standard) | Disabled | Authentication handled by EAP-SIM/AKA |
| IGMP Proxy (Standard) | Disabled | Not required for carrier offload scenarios |
| Rate Limiting (Site-Specific) | Per-SSID / Per-VLAN / Per-AP | QoS-based traffic shaping by service requirements |
For operational compliance, refer also to Section 7 – Deployment & Compliance Guidelines, covering RADIUS proxy restrictions and AP location legitimacy.
5. Passpoint/Hotspot 2.0 Configuration
These four subsections implement a complete Passpoint ecosystem for seamless carrier offloading: (5.1) establishes core Hotspot 2.0 parameters including venue identification and service advertisement for automatic network discovery, (5.2) configures ANQP (Access Network Query Protocol) settings to enable pre-association network capability exchange and authentication method advertisement, (5.3) defines comprehensive US carrier MCC/MNC mappings with priority levels to support automatic carrier recognition and connection preferences, and (5.4) maps NAI realms to carrier-specific authentication domains, enabling transparent EAP-SIM/AKA authentication for subscribers across all major US mobile network operators.
5.1 Core Configuration Parameters (Mandatory)
| Parameter | Value | Purpose |
|---|---|---|
| Hotspot 2.0 Service | Enabled | Activates Passpoint functionality for seamless network authentication |
| Internet Access | Enabled/Advertised | Advertises public Internet availability to client devices |
| Venue Name | "XNET Neutral Host Network" | Public-facing network identifier broadcast during pre-association discovery, providing consistent XNET branding across all deployments |
| Venue URL | "https://xnetmobile.com" | XNET service information portal accessible post-connection, providing service details, terms of use, and MNO offloading support resources |
| Access Network Type | Chargeable Public Network | Defines network as carrier-grade paid service model for MNO offloading operations |
5.2 ANQP Settings (Mandatory/Standard/Carrier-Specific)
| Parameter | Value | Purpose |
|---|---|---|
| Interworking Element (Mandatory) | Enabled | Activates 802.11u interworking to support pre-association network discovery |
| NAI Realm Advertisement (Mandatory) | Enabled | Enables NAI realm advertisement for carrier authentication matching |
| Venue Information (Mandatory) | Enabled | Broadcasts venue details during network discovery |
| Authentication Methods (Mandatory) | EAP-SIM, EAP-AKA | Defines supported authentication protocols for carrier credentials |
| Realm Advertisement Policy (Standard) | Supported Realms Only | Advertises only configured carrier realms (recommended for performance) |
| Connection Capability (Standard) | Enabled | Advertises network capabilities (recommended for client optimization) |
| RCOI (Roaming Consortium Organization Identifier) (Carrier-Specific) | Configured Per Carrier [Provided separately] | Sets carrier-specific Organization Identifiers (required only for roaming partnerships) |
5.3 US Carrier MCC/MNC Mapping (Mandatory)
| MCC | MNC | Operator | Notes |
|---|---|---|---|
| 310 | 410 | AT&T Mobility | Primary AT&T network |
| 310 | 150 | AT&T Mobility | Secondary AT&T allocation |
| 310 | 280 | AT&T Mobility | Additional AT&T allocation |
| 311 | 180 | AT&T Mobility | Legacy Pacific-Bell/Cingular |
| 313 | 100 | FirstNet | Dedicated public safety (AT&T) |
5.4 NAI Realm Configuration (Mandatory)
| Operator | 3GPP Standard NAI Realms | Alternative NAI Realms |
|---|---|---|
| AT&T | @wlan.mnc410.mcc310.3gppnetwork.org; @wlan.mnc150.mcc310.3gppnetwork.org; @wlan.mnc280.mcc310.3gppnetwork.org | @att.net |
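The realms in 5.4 are not free-form: each is derived from the MCC/MNC pair in 5.3 by the 3GPP TS 23.003 rule (wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org, with a two-digit MNC zero-padded to three digits), and the same derivation is what lets a RADIUS front end recognise an incoming EAP identity. The script below is an added example, not part of the XNET guide. It derives the realms from the 5.3 table, renders the hostapd options assumed to carry the 5.1/5.2 settings (interworking, hs20, access_network_type, internet, venue_name, anqp_3gpp_cell_net, nai_realm), and maps an identity's realm back to the operator. The PLMN rows are the page's; the sample identities are constructed.

```python
"""NAI realm derivation and Hotspot 2.0 ANQP options for Sections 5.2 to 5.4 (added example)."""
import re
from dataclasses import dataclass

EAP_SIM, EAP_AKA = 18, 23               # IANA EAP method type numbers
CRED_SIM, CRED_USIM = 1, 2              # ANQP auth parameter 5 (credential type) values
ACCESS_NETWORK_CHARGEABLE_PUBLIC = 2    # 802.11u Access Network Type (Section 5.1)


@dataclass(frozen=True)
class Plmn:
    mcc: str
    mnc: str
    operator: str


XNET_PLMNS = (                            # Section 5.3
    Plmn("310", "410", "AT&T Mobility"),
    Plmn("310", "150", "AT&T Mobility"),
    Plmn("310", "280", "AT&T Mobility"),
    Plmn("311", "180", "AT&T Mobility"),
    Plmn("313", "100", "FirstNet"),
)
ALT_REALMS = {"att.net": "AT&T Mobility"}  # Section 5.4 alternative realm


def realm_for(mcc: str, mnc: str) -> str:
    """3GPP WLAN realm for a PLMN; a 2-digit MNC gets a leading zero (TS 23.003)."""
    if not re.fullmatch(r"[0-9]{3}", mcc):
        raise ValueError("MCC must be exactly 3 digits")
    if not re.fullmatch(r"[0-9]{2,3}", mnc):
        raise ValueError("MNC must be 2 or 3 digits")
    return f"wlan.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def hostapd_hs20_lines(plmns=XNET_PLMNS, alt_realms=ALT_REALMS,
                       venue_name="XNET Neutral Host Network") -> list:
    """hostapd.conf lines advertising the realms with EAP-SIM (SIM) and EAP-AKA (USIM)."""
    realms = []
    for p in plmns:
        realm = realm_for(p.mcc, p.mnc)
        if realm not in realms:
            realms.append(realm)
    eap_methods = f"{EAP_SIM}[5:{CRED_SIM}],{EAP_AKA}[5:{CRED_USIM}]"
    lines = [
        "interworking=1",
        "hs20=1",
        f"access_network_type={ACCESS_NETWORK_CHARGEABLE_PUBLIC}",
        "internet=1",
        f"venue_name=eng:{venue_name}",
        "anqp_3gpp_cell_net=" + ";".join(f"{p.mcc},{p.mnc}" for p in plmns),
        f"nai_realm=0,{';'.join(realms)},{eap_methods}",
    ]
    if alt_realms:
        lines.append(f"nai_realm=0,{';'.join(alt_realms)},{eap_methods}")
    return lines


REALM_RE = re.compile(r"wlan\.mnc([0-9]{3})\.mcc([0-9]{3})\.3gppnetwork\.org")


def operator_for_identity(identity: str, plmns=XNET_PLMNS, alt_realms=ALT_REALMS):
    """Map the realm of an EAP identity to a known operator, or None if unrecognised."""
    if identity.count("@") != 1:
        return None
    realm = identity.rsplit("@", 1)[1].lower()
    if realm in alt_realms:
        return alt_realms[realm]
    match = REALM_RE.fullmatch(realm)
    if not match:
        return None
    mnc, mcc = match.groups()
    for p in plmns:
        if p.mcc == mcc and p.mnc.zfill(3) == mnc:
            return p.operator
    return None


if __name__ == "__main__":
    print("\n".join(hostapd_hs20_lines()))
    # Constructed identity: EAP-SIM permanent identities carry a leading "1" before the IMSI.
    print(operator_for_identity("1310410000000001@wlan.mnc410.mcc310.3gppnetwork.org"))
```

Identities whose realm is not in the configured set resolve to None; that is the point at which a front end should reject the request rather than forward it to a carrier it has no agreement with.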
6. RADIUS Authentication
This section defines the RADIUS authentication setup for carrier credential validation, detailing server parameters, security settings, and site identifiers for EAP-SIM/AKA processing, with accounting integration for carrier billing and identity management.
6.1 Primary RADIUS Configuration (Mandatory/Standard/Site-Specific)
| Parameter | Value | Notes |
|---|---|---|
| Server IP (Mandatory) | [Provided separately] | XNET RADIUS server |
| Protocol (Mandatory) | RADIUS/UDP | RadSec for WRIX compliance - See 7.1. |
| Authentication Port (Mandatory) | 1812 | Standard RFC 2865 |
| Accounting Port (Mandatory) | 1813 | Standard RFC 2866 |
| Shared Secret (Mandatory) | [Provided separately] | Minimum 32 characters |
| Message Authenticator (Mandatory) | Enabled | For EAP packet integrity |
| EAP Re-authentication (Mandatory) | 3600 seconds (1 hour) | Periodic credential refresh |
| CUI Request (Mandatory) | Enabled | For billing |
| Request Timeout (Standard) | 5 seconds | Per-request timeout |
| Retry Attempts (Standard) | 3 | Max retransmission attempts |
| Accounting Interval (Standard) | 300 seconds | Interim accounting updates (5-minute intervals) |
| Dead-Time (Standard) | 600 seconds | Server failure recovery period |
| NAS-ID (Site-Specific) | [Site-Specific value] | Unique per Access Point (AP)/controller |
| NAS IP (Site-Specific) | [Site-Specific value] | Unique per Access Point (AP)/controller |
| NAS-Port-Type (Site-Specific) | Wireless-802.11 (19) | RFC 2865 defined port type |
| Called-Station-ID (Site-Specific) | [BSSID:SSID] | Format: AA:BB:CC:DD:EE:FF:NetworkName |
| VSA – Type 26 (Mandatory) | Type: 26 (Vendor-Specific); Vendor-ID: 126 (XNET); Vendor-Data: "34584e45543a5553" (hex-encoded "4XNET:US") | Vendor-ID 126 identifies XNET for routing & service segmentation |
Note: Compliance with RADIUS proxy restrictions and message integrity requirements is mandatory. See Section 7.1 for full policy details.
7. Deployment & Compliance Guidelines
These guidelines establish operational, legal, and security requirements for all XNET-managed deployments, ensuring regulatory compliance, service integrity, and trust across carrier and venue partners.
7.1 RADIUS Proxy Restrictions (Mandatory)
To ensure accuracy, accountability, and fairness in XNET's WiFi roaming and carrier offload ecosystem, RADIUS proxying on the WiFi infrastructure side is strictly prohibited.
| Requirement | Implementation Notes |
|---|---|
| No Infrastructure-Side Proxies | Access Points (APs) or Controllers must send authentication and accounting requests directly to XNET's RADIUS server—no intermediary translation, filtering, or aggregation devices. Only carrier or partner-side proxies explicitly approved and registered with XNET are allowed. |
| Raw Message Integrity | Transmit all RADIUS attributes (session time, data volume, AP/session identifiers) in original form, without modification. |
| Source Validation | All RADIUS requests are subject to IP whitelisting and Message Authenticator verification where applicable. |
Rationale: Prevents data loss or alteration, eliminates revenue disputes, and preserves trust among ISPs, MSPs, ANPs, IDPs, and end-users.
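To make the Section 6.1 attribute set and the Section 7.1 source-validation rule concrete, the script below builds an Access-Request the way an AP would send it directly to the XNET RADIUS server and then applies the server-side checks: source allowlist and Message-Authenticator verification. It is an added example, not XNET's or any vendor's code. Attribute numbers are the RFC 2865/2869 values; the XNET Vendor-Specific attribute is written as Vendor-Id 126 followed by the raw Vendor-Data string from Section 6.1, because the guide gives no sub-attribute layout; the identity, BSSID, NAS values, addresses and shared secret are constructed sample data.

```python
"""RADIUS Access-Request (Section 6.1 attributes) and Section 7.1 server-side checks (added example)."""
import hashlib
import hmac
import os
import struct
from ipaddress import ip_address, ip_network

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLED_STATION_ID = 30
ATTR_NAS_IDENTIFIER = 32
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19                    # RFC 2865 "Wireless - IEEE 802.11"
XNET_VENDOR_ID = 126                                 # Section 6.1
XNET_VENDOR_DATA = bytes.fromhex("34584e45543a5553")  # "4XNET:US", Section 6.1


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one Type/Length/Value attribute (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, user_name: str, bssid: str,
                         ssid: str, nas_id: str, nas_ip: str) -> bytes:
    """Access-Request as an AP sends it directly to the XNET RADIUS server (no proxy)."""
    request_authenticator = os.urandom(16)
    attrs = b"".join([
        attribute(ATTR_USER_NAME, user_name.encode()),
        attribute(ATTR_NAS_IP_ADDRESS, ip_address(nas_ip).packed),
        attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()),
        attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        # Section 6.1 Called-Station-Id format: AA:BB:CC:DD:EE:FF:NetworkName
        attribute(ATTR_CALLED_STATION_ID, f"{bssid}:{ssid}".encode()),
        attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", XNET_VENDOR_ID) + XNET_VENDOR_DATA),
        attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),  # zeroed until computed
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    # RFC 2869: HMAC-MD5 over the whole packet with the Message-Authenticator zeroed.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet: bytes):
    """Yield (type, offset, value) per attribute, rejecting malformed lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, pos, packet[pos + 2:pos + alen]
        pos += alen


def verify_access_request(packet: bytes, secret: bytes, src_ip: str, allowed_sources) -> tuple:
    """Section 7.1 Source Validation: allowlisted source plus a valid Message-Authenticator."""
    if not any(ip_address(src_ip) in ip_network(net) for net in allowed_sources):
        return False, "source address not allowlisted"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "bad packet length"
    try:
        attrs = list(parse_attributes(packet))
    except ValueError as exc:
        return False, str(exc)
    mas = [(pos, val) for atype, pos, val in attrs if atype == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False, "Message-Authenticator missing"
    pos, received = mas[0]
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return False, "Message-Authenticator mismatch"
    return True, "ok"


def xnet_vendor_data(packet: bytes):
    """Return the XNET Vendor-Data used for routing/segmentation, or None if absent."""
    for atype, _, val in parse_attributes(packet):
        if atype == ATTR_VENDOR_SPECIFIC and len(val) >= 4 \
                and struct.unpack("!I", val[:4])[0] == XNET_VENDOR_ID:
            return val[4:]
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret-with-32-or-more-chars"   # constructed, >= 32 chars
    pkt = build_access_request(secret, 1, "1310410000000001@wlan.mnc410.mcc310.3gppnetwork.org",
                               "AA:BB:CC:DD:EE:FF", "XNET Passpoint", "xnet-site-example-ap01", "192.0.2.10")
    print(verify_access_request(pkt, secret, "192.0.2.10", ["192.0.2.0/24"]), xnet_vendor_data(pkt))
```

Because the HMAC covers every attribute, any intermediary that rewrites session identifiers or the Called-Station-Id (the "raw message integrity" rule above) invalidates the Message-Authenticator, and the server can reject the request rather than bill against altered data.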
7.2 Access Point Location Legitimacy (Mandatory)
All APs must be installed at approved, contracted locations and accurately registered in XNET's asset management system.
| Requirement | Implementation Notes |
|---|---|
| Approved Physical Address | APs must be deployed at the physical address registered with XNET and listed in site onboarding records. Residential deployment is prohibited unless serving a public or business venue. |
| Accurate Registration | Location details must be correct at activation and continuously thereafter. Any change that invalidates the registered location will immediately revoke eligibility for rewards, carrier location approval, and paid offload participation. |
| Unauthorized Relocation Prohibited | APs may not be moved to unapproved locations without prior XNET authorization. |
| Venue Owner Consent | Installation requires documented consent from the property owner or authorized venue representative. |
Rationale: Ensures lawful deployment, prevents fraudulent traffic origination, and upholds carrier contractual obligations.
This document provides a vendor-aligned, standards-based configuration guide to ensure secure, consistent, and efficient Wi-Fi deployments across all XNET-managed sites, with support for carrier offload.