BAT Controller Virtual

Virtual WLAN Controller and VPN Concentrator, runs on ESXi or HyperV

Hirschmann BAT Controller Virtual is a software-based solution to monitor and control BAT Access Points as well as serve as a VPN Concentrator for OWL and EAGLE Products. It is based on our stable and reliable HiLCOS operating system that also powers our WLAN devices from small AGV projects to large Metro CBTC communication. You can deploy it on VMWares ESXi platform or on Microsoft HyperV. The BAT Controller Virtual includes High Availability
Get Product Alerts

Product description


BAT Controller Virtual

Radio protocol

IEEE 802.11d support (regulatory domain broadcast); 802.11u (HotSpot 2.0) to transition seamlessly from cellular to WLAN. Authentication methods using SIM card information, certificates or username and password, enable an automatic, encrypted login to WLAN hotspots of roaming partners - without the need to manually enter login credentials


VMWare ESXi 6 (or newer) or Microsoft Hyper-V; Intel Xeon with AES-NI and VT-x; Recommendation: License 100, 200: 1x x86 vCPU; License 1000: 2-3x vCPU with very high CPU Rate (MHz);

Hard disk space

Recommendation: 512MB SSD


Recommendation: 1GB for License 100; 2GB for License 200; 6GB for License 1000;

Product Life Cycle


Available for Order

More Interfaces


1-5 virtual Ethernet ports based on VMXnet3 (ESXi) or Synthetic NIC (HyperV); Each port can be freely configured (LAN, DMZ, WAN, monitor port)

Radio technology


Seamless handover between radio cells; IAPP support with optional restriction to an ARF context; IEEE 802.11r allows Fast Roaming procedures between access points. This is possible when using IEEE 802.1X authentication or pre-shared keys;

Security features

Stateful inspection firewall

Stateful IPv4/IPv6 firewall functionality: Packet filtering, extended port forwarding, N:N IP address mapping

Other services

IPv4/IPv6: DHCP (Server and Client), DNS (Server, Relay, Proxy and Client), VPN, Radius; Internal Syslog; LLDP; ARP; Proxy ARP; BOOTP


Opportunistic Key Caching

OKC allows fast roaming processes between access points. WLAN installations utilizing a WLAN controller and IEEE 802.1X authentication cache the access keys of the clients and are transmitted by the WLAN controller to all mananged access points

Time Control

time-based activation and deactivation of WLAN networks

Radius Server

Radius/EAP Server: User administration MAC-based, rate limiting, passphrases, VLAN user based, authentication of IEEE 802.1X clients via EAP-TLS, EAP-TTLS, EAP-MD5, EAP-GTC, PEAP, MSCHAP or MSCHAPv2


Script distribution enables the complete configuration of non-WLAN specific functions such as Redirects, Protocol Filter, ARF etc. Internal storage of up to three script files (max. 64 kByte) for provisioning access points without a separate HTTP server.

Software features

Central Firmware deployment (requires external webserver) and management of the Access Points. The Controller checks every day, depending on the defined policy, for the latest Firmware and compares it with the versions in the devices. The Controller downloads the matching Firmware from the server and updates the corresponding Access Points.


VLAN IEEE 802.1q, Q-in-Q tagging, Multicast Snooping (IGMP and MLD), The WLAN controller can switch user data per AP Radio or per SSID in the following ways: Direct injection into the network at the Access Point (or into VLAN) or central tunneling to the Controller (Layer 3 tunneling between different IP Subnets)


IPv4/IPv6: HTML5 webinterface (HTTP, HTTPs), Command Line, LANConfig


Includes High Availability Clustering function to synchronize and load-share between multiple BAT Controllers., Access Points are able to operate (permanently or based on a configurable time out) in Stand-Alone mode; VMWare High Availability is not supported; HiLCOS High Availability Clustering is included (up to 3 BAT Controllers can be combined to increase capacity or redundancy, each Controller needs to have its own license)


Access Points automatically discover the WLAN controller by means of DNS name or IP addresses. Access Points can be authenticated manually or automatically. Signaling of new access points by LED, e-mail message, SYSLOG or SNMP traps. Manual authentication via LANmonitor or WEBconfig GUI tools. Semi-automatic authentication based on access-point lists in the Controller ('bulk mode'). Fully automatic authentication with default configuration assignment (can be activated/deactivated separately, e.g. during the rollout phase). Authenticated access points can be identified by means of digital certificates, Certificate generation by integrated CA (Certificate Authority), Certificate distribution by SCEP (Simple Certificate Enrollment Protocol). Access Points can be blocked by CRL (Certificate Revocation List). Management of APs over CAPWAP (Control and Provisioning Protocol for Wireless Access Points)


IPv4/IPv6, Traffic shaping, Bandwidth reservation, DiffServ/TOS, PPP, Advanced Routing and Forwarding - ARF (separate routing contexts), Layer-3 Tunneling in conformity with the CAPWAP standard allows the bridging of WLANs per SSID to a separate IP subnet. Layer-2 packets are encapsulated in Layer-3 tunnels and transported to a LANCOM WLAN controller. By doing this the access point is independent of the present infrastructure of the network. Possible applications are roaming without changing the IP address and compounding SSIDs without using VLANs, A fixed VLAN can be set for each SSID. The WLAN controller can independently provide up to 64 separate IP networks, and each of these can be individually mapped to VLANs and, consequently, to SSIDs (Advanced Routing and Forwarding, ARF). The Controller can provide, among others, individual DHCP, DNS, routing, firewall and VPN functions for these networks.

Dynamic routing


Management Software

IPv4/IPv6: HTML5 webinterface (HTTP, HTTPs), Command Line, LANConfig



60 months (please refer to the terms of guarantee for detailed information)

WLAN Access Point

Access Point Functionality

Configures and monitors BAT Access Points in Managed Mode: BAT-F, BAT-R, BAT867-R, BAT867-F, BAT450-F; Public Spot including PMS accounting plus; 802.11u (Hotspot 2.0); 802.11d (Country information in beacon frames); Opportunistic Key Caching (OKC); 802.11r fast roaming; WPA2-Enterprise with 802.1X or WPA2-PSK;

Scope of delivery and accessories

Scope of delivery

License Key will be delivered. The License Key is used with the Hardware-ID to request a License File. This License File is used to activate the product.

Further Instructions

Product Documentation


Software Download


Update and Revision

Revision Number: 0.60 Revision Date: 04-26-2024

Part Numbers
Item # Type
942313001 BAT Controller License 100
942313002 BAT Controller License 200
942313010 VWLC-1000 nodes