configuring virtual access points in sonicos 5.0...


Post on 01-Nov-2020


Configuring SonicPoint Virtual APs

Configuring Virtual Access Points in SonicOS 5.0 Enhanced

This document describes the Virtual Access Point feature and includes the following sections:

• “SonicPoint VAP Overview”
• “Supported Platforms”
• “Prerequisites”
• “Deployment Restrictions”
• “SonicPoint Virtual AP Configuration Tasklist”
• “Thinking Critically About VAPs”
• “VAP Sample Configurations”
• “Document Version History”

SonicPoint VAP Overview

This section provides an introduction to the Configuring SonicPoint Virtual APs feature. This section contains the following subsections:

• “What Is a Virtual Access Point?”
• “What Is an SSID?”
• “Wireless Roaming with ESSID”
• “What Is a BSSID?”
• “Benefits of Using Virtual APs”
• “Benefits of Using Virtual APs with VLANs”


What Is a Virtual Access Point?

A “Virtual Access Point” is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP. Before the evolution of the Virtual AP feature support, wireless networks were relegated to a one-to-one relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. In other words, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients, and if the latter were required, they would have had to be provided by a separate, distinctly configured Access Point. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This allows for segmenting wireless network services within a single radio frequency footprint of a single physical access point device.

VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical SonicPoint access points simultaneously as illustrated below in Figure 1.

Figure 1 VAP Deployment with SonicWALL SonicPoint

For more information on SonicOS Secure Wireless features, refer to the SonicWALL Secure Wireless Integrated Solutions Guide.

[Figure 1 labels: SonicWALL PRO 2040, Radius Server, Internet. VLAN IDs Provisioned to SonicPoints:]

• VLAN 50 - SSID: VAP-Corporate
• VLAN 100 - SSID: VAP-Legacy
• VLAN 150 - SSID: VAP-Guest_Secure
• VLAN 200 - SSID: VAP-Guest
• VLAN 250 - SSID: VAP-SSL-VPN


What Is an SSID?

A Service Set IDentifier (SSID) is the name assigned to a wireless network. Wireless clients must use this same, case-sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up to 32 bytes long. Multiple SonicPoints on a network can use the same SSIDs. You can configure up to 8 unique SSIDs on SonicPoints and assign different configuration settings to each SSID.

SonicPoints broadcast a beacon (announcements of availability of a wireless network) for every SSID configured. By default, the SSID is included within the beacon so that wireless clients can see the wireless networks. The option to suppress the SSID within the beacon is provided on a per-SSID (e.g. per-VAP or per-AP) basis to help conceal the presence of a wireless network, while still allowing clients to connect by manually specifying the SSID.

The following settings can be assigned to each VAP:

• Authentication method
• VLAN
• Maximum number of client associations using the SSID
• SSID Suppression

Wireless Roaming with ESSID

An ESSID (Extended Service Set IDentifier) is a collection of Access Points (or Virtual Access Points) sharing the same SSID. A typical wireless network comprises more than one AP for the purpose of covering geographic areas larger than can be serviced by a single AP. As clients move through the wireless network, the strength of their wireless connection decreases as they move away from one Access Point (AP1) and increases as they move toward another (AP2). Providing AP1 and AP2 are on the same ESSID (for example, ‘sonicwall’) and that the (V)APs share the same SSID and security configurations, the client will be able to roam from one to the other. This roaming process is controlled by the wireless client hardware and driver, so roaming behavior can differ from one client to the next, but it is generally dependent upon the signal strength of each AP within an ESSID.

What Is a BSSID?

A BSSID (Basic Service Set IDentifier) is the wireless equivalent of a MAC (Media Access Control) address, or a unique hardware address of an AP or VAP for the purposes of identification. Continuing the example of the roaming wireless client from the ESSID section above, as the client on the ‘sonicwall’ ESSID moves away from AP1 and toward AP2, the strength of the signal from the former will decrease while the latter increases. The client’s wireless card and driver constantly monitor these levels, differentiating between the (V)APs by their BSSID. When the card/driver’s criteria for roaming are met, the client will detach from the BSSID of AP1 and attach to the BSSID of AP2, all the while remaining connected to the ‘sonicwall’ ESSID.


Benefits of Using Virtual APs

This section includes a list of benefits in using the Virtual AP feature:

• Radio Channel Conservation—Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes to avoid channel collision problems. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.

• Optimize SonicPoint LAN Infrastructure—Share the same SonicPoint LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower the capital expenditure for installation and maintenance of your WLANs.

Benefits of Using Virtual APs with VLANs

Although the implementation of VAPs does not require the use of VLANs, VLAN use does provide practical traffic differentiation benefits. When not using VLANs, the traffic from each VAP is handled by a common interface on the SonicWALL security appliance. This means that all traffic from each VAP will belong to the same Zone and same subnet (Note: a future version of SonicOS Enhanced will allow for traffic from different VAPs to exist on different subnets within the same Zone, providing a measure of traffic differentiation even without VLAN tagging). By tagging the traffic from each VAP with a unique VLAN ID, and by creating the corresponding sub-interfaces on the SonicWALL security appliance, it is possible to have each VAP occupy a unique subnet, and to assign each sub-interface to its own Zone.

This affords the following benefits:

• Each VAP can have its own security services settings (e.g. GAV, IPS, CFS, etc.)
• Traffic from each VAP can be easily controlled using Access Rules configured from the Zone level.
• Separate Wireless Guest Services (WGS) or Lightweight Hotspot Messaging (LHM) configurations can be applied to each, facilitating the presentation of multiple guest service providers with a common set of SonicPoint hardware.
• Bandwidth management and other Access Rule-based controls can easily be applied.

Supported Platforms

This feature is supported on the following platforms running SonicOS Enhanced 3.5 or higher:

• SonicWALL PRO 2040
• SonicWALL PRO 3060
• SonicWALL PRO 4060
• SonicWALL PRO 4100
• SonicWALL PRO 5060


Prerequisites

• Each SonicWALL SonicPoint must be explicitly enabled for Virtual Access Point support by selecting the SonicPoint > SonicPoints > General Settings Tab: “Enable SonicPoint” checkbox in the SonicOS management interface and enabling either Radio A or G.

• SonicPoints must be linked to a WLAN zone on your SonicWALL UTM appliance in order for provisioning of APs to take place.

• When using VAPs with VLANs, you must ensure that the physical SonicPoint discovery and provisioning packets remain untagged (unless being terminated natively into a VLAN sub-interface on the SonicWALL). You must also ensure that VAP packets that are VLAN tagged by the SonicPoint are delivered unaltered (neither un-encapsulated nor double-encapsulated) by any intermediate equipment, such as a VLAN capable switch, on the network.
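The tagging prerequisite above can be checked on frames captured between the SonicPoint and the appliance. The following is an added example, not part of the original SonicWALL document: it counts the 802.1Q tags on each frame and reports management frames that arrive tagged and VAP frames that arrive un-encapsulated, double-encapsulated or on the wrong VLAN. The function names, the MAC addresses and the sample frames are constructed for illustration, and it assumes the default case where SonicPoint management traffic is untagged.

```python
import struct

TPID_8021Q = 0x8100    # IEEE 802.1Q tag
TPID_8021AD = 0x88A8   # IEEE 802.1ad outer tag, used when a second tag is stacked


def vlan_stack(frame: bytes) -> list:
    """Return the VLAN ID of every tag in an Ethernet frame, outermost first."""
    tags = []
    offset = 12                      # skip destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags              # reached the real EtherType, no more tags
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)    # low 12 bits of the TCI are the VLAN ID
        offset += 4


def check_frame(frame: bytes, expected_vlan=None) -> str:
    """expected_vlan=None means SonicPoint discovery/provisioning traffic,
    which must be untagged; otherwise it is the VLAN ID of the VAP."""
    tags = vlan_stack(frame)
    if expected_vlan is None:
        return "ok" if not tags else "management-tagged"
    if not tags:
        return "un-encapsulated"
    if len(tags) > 1:
        return "double-encapsulated"
    return "ok" if tags[0] == expected_vlan else "wrong-vlan"


def build_frame(vlans=(), ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Build a constructed test frame; the MAC addresses are made-up values."""
    header = bytes.fromhex("02005e000001") + bytes.fromhex("02005e000002")
    for i, vid in enumerate(vlans):
        outer = len(vlans) > 1 and i == 0
        header += struct.pack("!HH", TPID_8021AD if outer else TPID_8021Q, vid)
    return header + struct.pack("!H", ethertype) + payload


def audit(capture) -> dict:
    """Map the label of each non-conforming frame to its verdict."""
    problems = {}
    for label, frame, expected_vlan in capture:
        verdict = check_frame(frame, expected_vlan)
        if verdict != "ok":
            problems[label] = verdict
    return problems


# Constructed capture: (label, frame, VLAN the frame should carry or None).
CONSTRUCTED_CAPTURE = [
    ("SonicPoint provisioning", build_frame(), None),
    ("VAP-Corporate client", build_frame((50,)), 50),
    ("VAP-Guest via switch A", build_frame(), 200),             # tag stripped
    ("VAP-Legacy via switch B", build_frame((900, 100)), 100),  # tag stacked
]

if __name__ == "__main__":
    for label, verdict in audit(CONSTRUCTED_CAPTURE).items():
        print(f"{label}: {verdict}")
```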

Deployment Restrictions

When configuring your VAP setup, be aware of the following deployment restrictions:

• Maximum SonicPoint restrictions apply and differ based on your SonicWALL PRO series hardware. Review these restrictions in the “Custom VLAN Settings” section.

SonicPoint Virtual AP Configuration Tasklist

A SonicPoint VAP deployment requires several steps to configure. The following section provides first a brief overview of the steps involved, and then a more in-depth examination of the parts that make up a successful VAP deployment. The subsequent sections describe VAP deployment requirements and provide an administrator configuration task list:

• “SonicPoint VAP Configuration Overview”
• “Network Zones”
• “VLAN Sub-Interfaces”
• “DHCP Server Scope”
• “Sonic Point Provisioning Profiles”
• “Thinking Critically About VAPs”
• “Deploying VAPs to a SonicPoint”


SonicPoint VAP Configuration Overview

The following are required areas of configuration for VAP deployment. This sequence of steps is designed specifically to honor dependencies, provide configuration task efficiency, and minimize the total number of required steps for VAP configuration.

1. Zone - The Zone is the backbone of your VAP configuration. Each Zone you create will have its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of VLAN sub-interfaces.

2. Interface (or VLAN Sub-Interface) - The Interface (X2, X3, etc...) represents the physical connection between your SonicWALL UTM appliance and your SonicPoint(s). Your individual Zone settings are applied to these interfaces and then forwarded to your SonicPoints. On PRO series devices, each interface may have multiple sub-interfaces, or VLANs (X2:100, X3:150, etc...) to which your Zone settings are applied.


3. DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

4. VAP Profile - The VAP Profile feature allows for creation of SonicPoint configuration profiles which can be easily applied to new SonicPoint Virtual Access Points as needed.

5. VAP Objects - The VAP Objects feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings.

6. VAP Groups - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s).

7. Assign WEP Key (for WEP encryption only) - The Assign WEP Key allows for a WEP Encryption Key to be applied to new SonicPoints as they are provisioned. WEP keys are configured per-SonicPoint, meaning that any WEP-enabled VAPs assigned to a SonicPoint must use the same set of WEP keys. Up to 4 keys can be defined per-SonicPoint, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint > SonicPoints page.

8. Assign VAP Group to SonicPoint Provisioning Profile Radio - The Provisioning Profile allows a VAP Group to be applied to new SonicPoints as they are provisioned.
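Before entering these steps in the management interface, the planned VAP-to-VLAN-to-scope mapping can be checked against the limits this document states. The following is an added example, not part of the original SonicWALL document: it validates a plan for one SonicPoint against the 32-byte SSID limit, the 8-SSID limit, unique VLAN IDs and subnets per VAP, and DHCP scopes sized to each VAP's client limit. The SSIDs and VLAN IDs come from Figure 1; the subnets, scope ranges, client limits and the `lease_budget` figure are constructed assumptions, so take the real lease limit from your appliance.

```python
import ipaddress
from dataclasses import dataclass

MAX_SSID_BYTES = 32            # "text string up to 32 bytes long"
MAX_SSIDS_PER_SONICPOINT = 8   # "up to 8 unique SSIDs on SonicPoints"


@dataclass
class VapPlan:
    ssid: str
    vlan_id: int
    subnet: str        # subnet of the VLAN sub-interface (constructed value)
    scope_start: str   # first address of the DHCP scope
    scope_end: str     # last address of the DHCP scope
    max_clients: int   # maximum client associations planned for the SSID


def scope_size(vap: VapPlan) -> int:
    """Number of addresses in the VAP's DHCP scope, both ends included."""
    start = ipaddress.ip_address(vap.scope_start)
    end = ipaddress.ip_address(vap.scope_end)
    return int(end) - int(start) + 1


def validate(vaps, lease_budget):
    """Return (code, ssid) findings; lease_budget is a hypothetical total
    number of DHCP leases available across all scopes on the appliance."""
    findings = []
    if len({v.ssid for v in vaps}) > MAX_SSIDS_PER_SONICPOINT:
        findings.append(("too-many-ssids", "*"))
    vlans_seen, nets_seen, total = set(), [], 0
    for v in vaps:
        if len(v.ssid.encode("utf-8")) > MAX_SSID_BYTES:
            findings.append(("ssid-too-long", v.ssid))
        if not 1 <= v.vlan_id <= 4094:          # valid 802.1Q VLAN ID range
            findings.append(("vlan-out-of-range", v.ssid))
        if v.vlan_id in vlans_seen:             # each VAP needs its own VLAN ID
            findings.append(("vlan-reused", v.ssid))
        vlans_seen.add(v.vlan_id)
        net = ipaddress.ip_network(v.subnet)
        if any(net.overlaps(other) for other in nets_seen):
            findings.append(("subnet-overlap", v.ssid))
        nets_seen.append(net)
        start = ipaddress.ip_address(v.scope_start)
        end = ipaddress.ip_address(v.scope_end)
        if start not in net or end not in net or end < start:
            findings.append(("scope-outside-subnet", v.ssid))
        size = scope_size(v)
        if size < v.max_clients:                # scope would run out of leases
            findings.append(("scope-too-small", v.ssid))
        total += max(size, 0)
    if total > lease_budget:                    # oversized scopes exhaust the pool
        findings.append(("lease-budget-exceeded", "*"))
    return findings


# SSIDs and VLAN IDs from Figure 1; addressing and client limits are constructed.
SAMPLE_PLAN = [
    VapPlan("VAP-Corporate", 50, "10.50.0.0/24", "10.50.0.10", "10.50.0.59", 50),
    VapPlan("VAP-Legacy", 100, "10.100.0.0/24", "10.100.0.10", "10.100.0.29", 20),
    VapPlan("VAP-Guest_Secure", 150, "10.150.0.0/24", "10.150.0.10", "10.150.0.39", 30),
    VapPlan("VAP-Guest", 200, "10.200.0.0/24", "10.200.0.10", "10.200.0.39", 30),
    VapPlan("VAP-SSL-VPN", 250, "10.250.0.0/24", "10.250.0.10", "10.250.0.29", 20),
]

# Constructed faulty plan: a 200-address scope for 30 clients, a reused VLAN
# with an overlapping subnet and an undersized scope, and a 33-byte SSID.
BAD_PLAN = [
    VapPlan("VAP-Guest", 200, "10.200.0.0/24", "10.200.0.10", "10.200.0.209", 30),
    VapPlan("VAP-Legacy", 200, "10.200.0.0/25", "10.200.0.10", "10.200.0.19", 25),
    VapPlan("X" * 33, 300, "10.30.0.0/24", "10.30.0.10", "10.30.0.69", 60),
]

if __name__ == "__main__":
    for code, ssid in validate(BAD_PLAN, lease_budget=256):
        print(f"{code}: {ssid}")
```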

Network Zones

This section contains the following sub-sections:

• “The Wireless Zone”
• “Custom Wireless Zone Settings”

A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network Zones are configured from the Network > Zones page.


The Wireless Zone

The Wireless Zone type, of which the “WLAN Zone” is the default instance, provides support to SonicWALL SonicPoints. When an interface or sub-interface is assigned to a Wireless Zone, the interface can discover and provision Layer 2 connected SonicPoints, and can also enforce security settings above the 802.11 layer, including WiFiSec Enforcement, SSL-VPN redirection, Wireless Guest Services, Lightweight Hotspot Messaging and all licensed Deep Packet Inspection security services.

Note: SonicPoints can only be managed using untagged, non-VLAN packets. When setting up your WLAN, ensure that packets sent to the SonicPoints are non VLAN tagged.

Custom Wireless Zone Settings

Although SonicWALL provides the pre-configured Wireless Zone, administrators also have the ability to create their own custom wireless zones. When using VAPs, several custom zones can be applied to a single, or multiple SonicPoint access points. The following three sections describe settings for custom wireless zones:

• “General”
• “Wireless”
• “Guest Services”

    General

    Feature | Description
    Name | Create a name for your custom Zone.
    Security Type | Select Wireless in order to enable and access wireless security options.
    Allow Interface Trust | Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Wireless Guest Services (WGS).
    SonicWALL Security Services | Select the security services you wish to enforce on this zone. This allows you to extend your SonicWALL UTM security services to your SonicPoints.

    Wireless

    Feature | Description
    Only allow traffic generated by a SonicPoint | Restricts traffic on this zone to SonicPoint-generated traffic only.
    SSL-VPN Enforcement | Redirects all traffic entering the Wireless Zone to a defined SonicWALL SSL-VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL-VPN, using, for example, NetExtender to tunnel all traffic. Note: Wireless traffic that is tunneled through an SSL-VPN will appear to originate from the SSL-VPN rather than from the Wireless Zone.
       • SSL-VPN Server - Select the Address Object representing the SSL-VPN appliance to which you wish to redirect wireless traffic.
       • SSL-VPN Service - The Service Object representing the SSL-VPN service. This is typically HTTPS.
    WiFiSec Enforcement | Requires all traffic be either IPsec or WPA. With this option checked, all non-guest connections must be IPsec enforced.
       • WiFiSec Exception Service - Select the service(s) you wish to be exempt from WiFiSec Enforcement.
    Require WiFiSec for Site-to-site VPN Tunnel Traversal | For use with WiFiSec enforcement, requires WiFiSec security on all site-to-site VPN connections through this zone.
    Trust WPA/WPA2 traffic as WiFiSec | Allows WPA or WPA2 to be used as an alternative to WiFiSec.
    SonicPoint Provisioning Profile | Select a pre-defined SonicPoint Provisioning Profile to be applied to all current and future SonicPoints on this zone.

    Guest Services

    The Enable Wireless Guest Services option allows the following guest services to be applied to a zone:

    Feature | Description
    Enable inter-guest communication | Allows WGS/LHM users on this Zone to communicate with each other. This feature also requires that Interface Trust be enabled on the respective Zone.
    Bypass AV Check for Guests | Allows guest traffic to bypass Anti-Virus protection.
    Enable Dynamic Address Translation (DAT) | Dynamic Address Translation (DAT) allows the SonicPoint to support any IP addressing scheme for WGS users. If this option is disabled (un-checked), wireless guest users must either have DHCP enabled, or an IP addressing scheme compatible with the SonicPoint’s network settings.
    Enable External Guest Authentication | Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
    Custom Authentication Page | Redirects users to a custom authentication page when they first connect to a SonicPoint in the Wireless Zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
    Post Authentication Page | Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
    Bypass Guest Authentication | Allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
    Redirect SMTP traffic to | Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
    Deny Networks | Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from.
    Pass Networks | Automatically allows traffic through the Wireless Zone from the networks you select.
    Max Guests | Specifies the maximum number of guest users allowed to connect to the Wireless Zone. The default is 10.


    VLAN Sub-Interfaces

    A Virtual Local Area Network (VLAN) allows you to split your physical network connections (X2, X3, etc...) into many virtual network connections, each carrying its own set of configurations. The VLAN solution allows each VAP to have its own separate sub-interface on an actual physical interface.

    VLAN sub-interfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN sub-interfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support.

    VLAN Sub-Interfaces are configured from the Network > Interfaces page.

    Custom VLAN Settings

    The table below lists configuration parameters and descriptions for VLAN Sub-Interfaces:

    Feature | Description
    Zone | Select a zone to inherit zone settings from a pre-defined or custom user-defined zone.
    VLAN Tag | Specify the VLAN ID for this sub-interface.
    Parent Interface | Select a physical parent interface (X2, X3, etc...) for the VLAN.
    IP Configuration | Create an IP address and Subnet Mask in accordance with your network configuration.
    Sonic Point Limit | Select the maximum number of SonicPoints to be used on this interface. Below are the maximum number of SonicPoints per interface based on your SonicWALL UTM hardware:
       • PRO 2040 - 64 SonicPoints
       • PRO 3060 - 96 SonicPoints (Limit of 64 per-interface)
       • PRO 4060 - 96 SonicPoints (Limit of 64 per-interface)
       • PRO 4100 - 128 SonicPoints
       • PRO 5060 - 128 SonicPoints
    Management Protocols | Select the protocols you wish to use when managing this interface.
    Login Protocols | Select the protocols you will make available to clients who access this sub-interface.

    DHCP Server Scope

    The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

    The DHCP scope should be resized as each interface/sub-interface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. DHCP Server Scope is set from the Network > DHCP Server page.

    The table below shows maximum allowed DHCP leases for SonicWALL PRO Series UTM appliances:

    Platform | Maximum DHCP Leases
    PRO 2040, 3060 | 1,024 leases
    PRO 4060, 4100, 5060 | 4,096 leases
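
    The scope resizing described above can be planned before any sub-interface is created. The following Python is an added example, not SonicWALL code: it right-sizes one DHCP scope per VLAN sub-interface, rejects overlapping or undersized subnets, and checks the total against the platform lease limits from the table above. The sub-interface labels, subnets, client counts, the 25% headroom and the assumption that the interface itself holds the first host address are constructed for illustration.

```python
"""DHCP scope budget check for VAP sub-interfaces (added example)."""
import ipaddress
from dataclasses import dataclass

# Maximum DHCP leases per platform, taken from the table on this page.
MAX_DHCP_LEASES = {
    "PRO 2040": 1024,
    "PRO 3060": 1024,
    "PRO 4060": 4096,
    "PRO 4100": 4096,
    "PRO 5060": 4096,
}


@dataclass(frozen=True)
class SubInterface:
    name: str              # constructed label, not a SonicOS identifier
    network: str           # subnet of the VLAN sub-interface (CIDR)
    expected_clients: int  # peak number of DHCP clients expected


def size_scope(sub, headroom_pct=25):
    """Return (network, first_ip, last_ip, lease_count) for a right-sized scope.

    Assumption: the interface holds the first host address, so leases
    start at the second host address of the subnet.
    """
    net = ipaddress.ip_network(sub.network, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError(f"{net} cannot hold a DHCP scope")
    if sub.expected_clients < 1:
        raise ValueError("expected_clients must be at least 1")
    # Network, broadcast and interface addresses are never leased.
    available = net.num_addresses - 3
    # Integer ceiling of the headroom so the result is exact.
    needed = sub.expected_clients + -(-sub.expected_clients * headroom_pct // 100)
    if needed > available:
        raise ValueError(f"needs {needed} leases but {net} offers only {available}")
    return net, net[2], net[needed + 1], needed


def check_plan(platform, subs, headroom_pct=25):
    """Size every scope and compare the total with the platform limit."""
    budget = MAX_DHCP_LEASES[platform]  # KeyError for an unlisted platform
    problems, scopes, seen, total = [], {}, [], 0
    for sub in subs:
        try:
            net, first, last, count = size_scope(sub, headroom_pct)
        except ValueError as exc:
            problems.append(f"{sub.name}: {exc}")
            continue
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{sub.name}: {net} overlaps {other_name}")
        seen.append((sub.name, net))
        scopes[sub.name] = (str(first), str(last), count)
        total += count
    if total > budget:
        problems.append(f"{total} leases exceed the {platform} limit of {budget}")
    return {"budget": budget, "total": total, "remaining": budget - total,
            "scopes": scopes, "problems": problems}


# Constructed plan: six sub-interfaces on a PRO 2040.
PLAN = [
    SubInterface("corp-vlan50", "10.50.0.0/24", 120),
    SubInterface("legacy-vlan51", "10.51.0.0/26", 20),
    SubInterface("partners-vlan52", "10.52.0.0/26", 30),
    SubInterface("guests-vlan53", "10.53.0.0/24", 100),
    SubInterface("frequent-vlan54", "10.54.0.0/27", 15),
    SubInterface("voice-vlan55", "10.55.0.0/26", 40),
]

if __name__ == "__main__":
    result = check_plan("PRO 2040", PLAN)
    for name, (first, last, count) in result["scopes"].items():
        print(f"{name:16} {first} - {last}  ({count} leases)")
    print(f"total {result['total']} of {result['budget']}, "
          f"{result['remaining']} left for later sub-interfaces")
    # The page's illustration of an oversized scope: 200 addresses each.
    print("200-address scopes would need", len(PLAN) * 200, "leases")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

    With six sub-interfaces, 200-address scopes would already exceed the 1,024-lease limit of a PRO 2040, while the right-sized plan leaves most of the budget free for sub-interfaces defined later.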


    Virtual Access Points Profiles

    A Virtual Access Point Profile is an optional feature that allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allow settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the SonicPoint > Virtual Access Point page.

    Virtual Access Point Profile Settings

    The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:

    Feature | Description
    Radio Type | Set to SonicPoint by default. Retain this default setting if using SonicPoints as VAPs (currently the only supported radio type).
    Profile Name | Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs.
    Authentication Type | Below is a list of available authentication types with descriptive features and uses for each:

    WEP
       • Lower security
       • For use with older legacy devices, PDAs, wireless printers

    WPA
       • Good security (uses TKIP)
       • For use with trusted corporate wireless clients
       • Transparent authentication with Windows log-in
       • No client software needed in most cases

    WPA2
       • Best security (uses AES)
       • For use with trusted corporate wireless clients
       • Transparent authentication with Windows log-in
       • Client software install may be necessary in some cases
       • Supports 802.11i “Fast Roaming” feature
       • No backend authentication needed after first log-in (allows for faster roaming)

    WPA2-AUTO
       • Tries to connect using WPA2 security, if the client is not WPA2 capable, the connection will default to WPA.

    Unicast Cipher | The unicast cipher will be automatically chosen based on the authentication type.
    Multicast Cipher | The multicast cipher will be automatically chosen based on the authentication type.
    Maximum Clients | Choose the maximum number of concurrent client connections permissible for this virtual access point.

    WPA-PSK / WPA2-PSK Encryption Settings

    Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.

    Feature | Description
    Pass Phrase | The shared passphrase users will enter when connecting with PSK-based authentication.
    Group Key Interval | The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.

    WPA-EAP / WPA2-EAP Encryption Settings

    Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1x/EAP capable RADIUS server for key generation.

    Feature | Description
    Radius Server 1 | The name/location of your Radius authentication server
    Radius Server 1 Port | The port on which your Radius authentication server communicates with clients and network devices.
    Radius Server 1 Secret | The secret passcode for your Radius authentication server
    Radius Server 2 | The name/location of your backup Radius authentication server
    Radius Server 2 Port | The port on which your backup Radius authentication server communicates with clients and network devices.
    Radius Server 2 Secret | The secret passcode for your backup Radius authentication server
    Group Key Interval | The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.

    Shared / Both (WEP) Encryption Settings

    WEP is provided for use with legacy devices that do not support the newer WPA/WPA2 encryption methods. This solution utilizes a shared key.

    Feature | Description
    Encryption Key | Select the key to use for WEP connections to this VAP. WEP encryption keys are configured in the SonicPoint > SonicPoints page under SonicPoint Provisioning Profiles.


    Virtual Access Points

    The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual Access Points are configured from the SonicPoint > Virtual Access Point page.

    General VAP Settings

    Feature | Description
    SSID | Create a friendly name for your VAP.
    VLAN ID | Select a VLAN ID to associate this VAP with.
    Enable Virtual Access Point | Enable or disable this VAP.
    Enable SSID Suppress | Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients.

    Advanced VAP Settings

    Advanced settings allow the administrator to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user created profile. See the “Virtual Access Points Profiles” section for complete authentication and encryption configuration information.


    Virtual Access Point Groups

    The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s). Virtual Access Point Groups are configured from the SonicPoint > Virtual Access Point page.

    Sonic Point Provisioning Profiles

    SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation.

    Once you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless zone can be configured with one SonicPoint profile. Any profile can apply to any number of zones. Then, when a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone.

    SonicOS includes a default SonicPoint profile, named SonicPoint. You can modify this profile or create a new one.

    The default SonicPoint profile has the following settings:The default SonicPoint profile has the following settings:

    880022..1111a a RRaaddiioo 880022..1111g g RRaaddiioo

    EEnablnable 80e 802.112.11aa  RadioRadio

     Ye Yes s - A- Alwlwaayys s oonn EEnablnable 80e 802.112.11gg  RadioRadio

     Ye Yes s - A- Allwwaayys s oonn

    SSIDSSID SonicWALLSonicWALL SSIDSSID SonicWALLSonicWALL

    Radio ModeRadio Mode 54Mbps - 802.11a54Mbps - 802.11a Radio ModeRadio Mode 2.4 G2.4 GHz 54Mbps - 802.11gHz 54Mbps - 802.11g

    ChannelChannel  Au AuttooCChhaannnneell ChannelChannel  Au AuttooCChhaannnneell

     A ACCL L EnEnffoorrcceemmeenntt DisabledDisabled  A ACCL L EnEnffoorrcceemmeenntt DisabledDisabled

     A Auutthheennttiiccaattiioonn  

    TypeType

    WEP - BothWEP - Both  

    OOpen System & Spen System & Shared Khared Keyey

     A Auutthheennttiiccaattiioonn  

    TypeType

    WEP - BothWEP - Both  

    OOpen System & Spen System & Shared Keyhared KeySchSchedule Iedule IDS ScanDS Scan DisabledDisabled SchSchedule Iedule IDS ScanDS Scan DisabledDisabled

  •   

    Thinking Critically About VAPsThinking Critically About VAPs

    1818 Configuring SonicPoint Virtual APsConfiguring SonicPoint Virtual APs

    Thinking Critically About VAPsThinking Critically About VAPsTThis sectiohis section provin provides content to des content to help determine whelp determine what your VAP hat your VAP requrequiremeirements are ants are and how to apply tnd how to apply theseheserequirements to a useful VAP configuration. This section contains the following sub-sections:requirements to a useful VAP configuration. This section contains the following sub-sections:

       •• ““DDetermining Your VAP Needs” sectioetermining Your VAP Needs” section on pagn on page 1e 188

       •• “A Sam“A Sample Network” ple Network” section section on page 18on page 18

       •• ““DDetermining Setermining Secuecurity Confrity Configuraiguratiotions” sections” section on pagn on page 1e 199

       •• “VAP Configuration Worksheet” section on page 19“VAP Configuration Worksheet” section on page 19

    Determining Your VAP NeedsDetermining Your VAP Needs

    When decWhen decidiiding how to confng how to configure igure your VAyour VAPs, begin by considering your commuPs, begin by considering your communicationication needsn needs, parti, particularly:cularly:

       •• How maHow many difny difffereerent classes of nt classes of wireless wireless userusers do I s do I neeneed to suppod to support?rt?

       •• How do I How do I wawant to nt to secursecure these de these dififffereerent clnt classeasses of s of wireless uwireless users?sers?

       –– DDo o my wmy wireless cliireless client have the requent have the required hardwired hardware aare and drivers to nd drivers to support support the chosen securitythe chosen securitysettings?settings?

       •• What network resources do my wWhat network resources do my wirelireless users ess users need to communineed to communicate wcate witith?h?

       –– DDo any oo any of f these wthese wireless users neireless users need to ed to commucommunicate with onicate with other wireless usether wireless users?rs?

       •• What secuWhat security servrity services do I ices do I wish to apply twish to apply to each of o each of these classethese classes or wireless uses or wireless users?rs?

    A Sample NetworkA Sample Network

    TThe fohe follllowing owing is a sis a samample VAP network confple VAP network configuraiguratiotion, describing fivn, describing five se separeparate ate VAPVAPs:s:

       • VAP #1, Corporate Wireless Users – A set of users who are commonly in the office, and who should be given full access to all network resources, provided that the connection is authenticated and secure. These users already belong to the network’s Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS – Internet Authentication Services.

       • VAP #2, Legacy Wireless Devices – A collection of older wireless devices, such as printers, PDAs and handheld devices, that are only capable of WEP encryption.

       • VAP #3, Visiting Partners – Business partners, clients, and affiliates who frequently visit the office, and who need access to a limited set of trusted network resources, as well as the Internet. These users are not located in the company’s Directory Services.

       • VAP #4, Guest Users – Visiting clients to whom you wish to provide access only to untrusted (e.g. Internet) network resources. Some guest users will be provided a simple, temporary username and password for access.

       • VAP #5, Frequent Guest Users – Same as Guest Users; however, these users will have more permanent guest accounts through a back-end database.

    Data Rate    Best    Data Rate    Best

    Antenna Diversity    Best    Antenna Diversity    Best


    Determining Security Configurations

    Understanding these requirements, you can then define the Zones (and interfaces) and VAPs that will provide wireless services to these users:

       • Corp Wireless – Highly trusted wireless Zone. Employs WPA2-AUTO-EAP security. WiFiSec (WPA) Enforced.

       • WEP & PSK – Moderate trust wireless Zone. Comprises two virtual APs and sub-interfaces, one for legacy WEP devices (e.g. wireless printers, older handheld devices) and one for visiting clients who will use WPA-PSK security.

       • WGS – Wireless Guest Services Zone, using the internal WGS user database.

       • LHM – Lightweight Hotspot Messaging enabled Zone, configured to use external LHM authentication-back-end server.

    VAP Configuration Worksheet

    The worksheet on the following page provides some common VAP setup questions and solutions along with a space for you to record your own configurations.


    Question: How many different types of users will I need to support?

       Example: Corporate wireless, guest access, visiting partners, wireless devices are all common user types, each requiring their own VAP
       Solution: Plan out the number of different VAPs needed. Configure a Zone and VLAN for each VAP needed

       Your Configurations:

    Question: How many users will each VAP need to support?

       Example: A corporate campus has 100 employees, all of whom have wireless capabilities
       Solution: The DHCP scope for the visitor Zone is set to provide at least 100 addresses

       Example: A corporate campus often has a few dozen wireless capable visitors
       Solution: The DHCP scope for the visitor Zone is set to provide at least 25 addresses

       Your Configurations:

    Question: How do I want to secure different wireless users?

       Example: A corporate user who has access to corporate LAN resources.
       Solution: Configure WPA2-EAP

       Example: A guest user who is restricted to only internet access
       Solution: Enable WGS but configure no security settings

       Example: A legacy wireless printer on the corporate LAN
       Solution: Configure WEP and enable MAC address filtering

       Your Configurations:

    Question: What network resources do my users need to communicate with?

       Example: A corporate user who needs access to the corporate LAN and all internal LAN resources, including other WLAN users.
       Solution: Enable Interface Trust on your corporate zone.

       Example: A wireless guest who needs to access internet and should not be allowed to communicate with other WLAN users.
       Solution: Disable Interface Trust on your guest zone.

       Your Configurations:


    VAP Sample Configurations

    This section provides configuration examples based on real-world wireless needs. This section contains the following sub-sections:

       • “Configuring a VAP for Guest Access” section

       • “Configuring a VAP for Corporate Users” section

       • “Deploying VAPs to a SonicPoint” section

    Configuring a VAP for Guest Access

    You can use a Guest Access VAP for visiting clients to whom you wish to provide access only to untrusted (e.g. Internet) network resources. Guest users will be provided a simple, temporary username and password for access. More advanced configurations also offer more permanent guest accounts, verified through a back-end database.

    This section contains the following sub-sections:

       • “Configuring a Zone” section

       • “Creating a Wireless LAN (WLAN) Interface” section

       • “Creating a VLAN Sub-Interface on the WLAN” section

       • “Configuring DHCP IP Ranges” section

       • “Creating a SonicPoint VAP Profile” section

       • “Creating the SonicPoint VAP” section

    Configuring a Zone

    In this section you will create and configure a new wireless zone with guest login capabilities.

    Step 1 Log into the management interface of your SonicWALL UTM appliance.

    Step 2 In the left-hand menu, navigate to the Network > Zones page.

    Step 3 Click the Add... button to add a new zone.

    General Settings Tab

    Step 1 In the General tab, enter a friendly name such as “VAP-Guest” in the Name field.

    Question: What security services do I wish to apply to my users?

       Example: Corporate users who you want protected by the full SonicWALL security suite.
       Solution: Enable all SonicWALL security services.

       Example: Guest users who have no LAN access.
       Solution: Disable all SonicWALL security services.

       Your Configurations:


    Step 2 Select Wireless from the Security Type drop-down menu.

    Step 3 De-select the Allow Interface Trust checkbox to disallow communication between wireless guests.

    Wireless Settings Tab

    Step 1 In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox.

    Step 2 Un-check all other options in this tab.

    Step 3 Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu. The default profile is SonicPoint. In this case, we selected a pre-created custom profile, SonicPoint-VAP. For more information on creating your own custom SonicPoint Provisioning Profile, see “Creating a SonicPoint Provisioning Profile” section on page 35.


    Guest Services Tab

    Step 1 In the Guest Services tab, check the Enable Wireless Guest Services checkbox.

    Note: In the following example, steps 2 through 7 are optional; they only represent a typical guest VAP configuration using wireless guest services. Steps 2 and 7, however, are recommended.

    Step 2 Check the Enable Dynamic Address Translation (DAT) checkbox to allow guest users full communication with addresses outside the local network.

    Step 3 Check the Custom Authentication Page checkbox and click the Configure button to configure a custom header and footer for your guest login page.

    Step 4 Click the OK button to save these changes.

    Step 5 Check the Post Authentication Page checkbox and enter a URL to redirect wireless guests to after login.

    Step 6 Check the Pass Networks checkbox to configure a website (such as your corporate site) that you wish to allow users to access without logging in to guest services.


    Step 7 Enter the maximum number of guests this VAP will support in the Max Guests field.

    Step 8 Click the OK button to save these changes.

    Your new Zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

    Creating a Wireless LAN (WLAN) Interface

    In this section you will configure one of your ports to act as a WLAN. If you already have a WLAN configured, skip to the “Creating a Wireless LAN (WLAN) Interface” section on page 24.

    Step 1 In the Network > Interfaces page, click the Configure icon corresponding to the interface you wish to use as a WLAN. The Interface Settings screen displays.

    Step 2 Select WLAN from the Zone drop-down list.


    Step 3 Enter the desired IP Address for this interface.

    Step 4 In the SonicPoint Limit drop-down menu, select a limit for the number of SonicPoints. This defines the total number of SonicPoints your WLAN interface will support.

    Note: The maximum number of SonicPoints depends on how many are attached to your platform. Refer to the “Custom VLAN Settings” section on page 12 to view the maximum number of SonicPoints for your platform.

    Step 5 Click the OK button to save changes to this interface.

    Your WLAN interface now appears in the Interface Settings list.

    Creating a VLAN Sub-Interface on the WLAN

    In this section you will create and configure a new VLAN sub-interface on your current WLAN. This VLAN will be linked to the Zone you created in the “Configuring a Zone” section on page 21.

    Step 1 In the Network > Interfaces page, click the Add Interface button.

    Step 2 In the Zone drop-down menu, select the Zone you created in “Configuring a Zone, page 21”. In this case, we have chosen VAP-Guest.

    Step 3 Enter a VLAN Tag for this interface. This number allows the SonicPoint(s) to identify which traffic belongs to the “VAP-Guest” VLAN. You should choose a number based on an organized scheme. In this case, we choose 200 as our tag for the VAP-Guest VLAN.

    Step 4 In the Parent Interface drop-down menu, select the interface that your SonicPoint(s) are physically connected to. In this case, we are using X2, which is our WLAN interface.

    Step 5 Enter the desired IP Address for this sub-interface.


    Step 6 Select a limit for the number of SonicPoints from the SonicPoint Limit drop-down menu. This defines the maximum number of SonicPoints this interface will support and allows for appropriate address space allocation to the SonicPoints.

    Step 7 Optionally, you may add a comment about this sub-interface in the Comment field.

    Step 8 Click the OK button to add this Sub-Interface.

    Your VLAN sub-interface now appears in the Interface Settings list.

    Configuring DHCP IP Ranges

    Because the number of available DHCP leases varies based on your platform, the DHCP scope should be resized as each interface/sub-interface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. To view the maximum number of DHCP leases for your SonicWALL PRO series UTM appliance, refer to the “DHCP Server Scope” section on page 13.

    Step 1 In the left-hand menu, navigate to the Network > DHCP Server page.

    Step 2 Locate the interface you just created; in our case this is the X2:V200 (virtual interface 200 on the physical X2 interface) interface. Click the Configure icon corresponding to the desired interface.

    Note: If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL. For more information on DHCP lease exhaustion, refer to the “DHCP Server Scope” section on page 13.


    Step 3 Edit the Range Start and Range End fields to meet your deployment needs.

    Step 4 Click the OK button to save these changes.

    Your new DHCP lease scope now appears in the DHCP Server Lease Scopes list.
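A pre-deployment check of a VAP plan against the worksheet rules and the zone, VLAN tag and DHCP range steps above. This is an added example, not SonicWALL code: the record fields are hypothetical planning labels rather than SonicOS settings keys, the VAP names other than VAP-Guest are hypothetical, and the IP addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VapPlan:
    # Hypothetical planning record; these field names are not SonicOS settings keys.
    name: str
    vlan_tag: int
    auth: str              # "open", "wep", "wpa-psk" or "wpa2-eap"
    interface_trust: bool  # zone: Allow Interface Trust
    guest_services: bool   # zone: Enable Wireless Guest Services
    mac_filtering: bool
    expected_users: int
    subif_ip: str          # VLAN sub-interface address with prefix length
    range_start: str       # DHCP Range Start
    range_end: str         # DHCP Range End

def audit(plans):
    """Return (vap_name, finding) tuples, in plan order, for a list of VapPlan."""
    findings, tags = [], {}
    for p in plans:
        # Each VAP needs its own VLAN tag in the valid 802.1Q range.
        if not 1 <= p.vlan_tag <= 4094:
            findings.append((p.name, f"vlan tag {p.vlan_tag} out of range"))
        elif p.vlan_tag in tags:
            findings.append((p.name, f"vlan tag {p.vlan_tag} already used by {tags[p.vlan_tag]}"))
        else:
            tags[p.vlan_tag] = p.name
        # The DHCP range must sit inside the sub-interface subnet and be
        # large enough for the number of users the worksheet expects.
        iface = ipaddress.ip_interface(p.subif_ip)
        start = ipaddress.ip_address(p.range_start)
        end = ipaddress.ip_address(p.range_end)
        if start > end or start not in iface.network or end not in iface.network:
            findings.append((p.name, "dhcp range outside sub-interface subnet"))
        else:
            size = int(end) - int(start) + 1
            if start <= iface.ip <= end:
                findings.append((p.name, "dhcp range contains the sub-interface address"))
                size -= 1  # that address cannot be leased to a client
            if size < p.expected_users:
                findings.append((p.name, f"dhcp scope has {size} addresses for {p.expected_users} users"))
        # Worksheet: disable Interface Trust on the guest zone.
        if p.guest_services and p.interface_trust:
            findings.append((p.name, "guest zone allows interface trust"))
        # Worksheet: legacy WEP devices also get MAC address filtering.
        if p.auth == "wep" and not p.mac_filtering:
            findings.append((p.name, "wep without mac address filtering"))
    return findings

# Constructed sample plans (addresses are illustrative, not from the page).
GOOD_PLAN = [
    VapPlan("VAP-Guest", 200, "open", False, True, False, 25,
            "172.16.200.1/24", "172.16.200.10", "172.16.200.60"),
    VapPlan("VAP-Corp", 100, "wpa2-eap", True, False, False, 100,
            "172.16.100.1/24", "172.16.100.10", "172.16.100.200"),
    VapPlan("VAP-Legacy", 150, "wep", False, False, True, 10,
            "172.16.150.1/24", "172.16.150.10", "172.16.150.30"),
]
BAD_PLAN = [
    VapPlan("VAP-Guest", 200, "open", True, True, False, 25,
            "172.16.200.1/24", "172.16.200.1", "172.16.200.20"),
    VapPlan("VAP-Legacy", 200, "wep", False, False, False, 10,
            "172.16.150.1/24", "172.16.150.10", "172.16.150.30"),
]

if __name__ == "__main__":
    for vap, finding in audit(BAD_PLAN):
        print(f"{vap}: {finding}")
```
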

    Creating a SonicPoint VAP Profile

    In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This section is optional, but will facilitate greater ease of use when configuring multiple VAPs.

    Step 1 In the left-hand menu, navigate to the SonicPoint > Virtual Access Point page.

    Step 2 Click the Add... button in the Virtual Access Point Profiles section.

    Step 3 Enter a Profile Name such as “Guest” for this VAP Profile. This profile name does not have to be the same as your VAP name.

    Step 4 Choose an Authentication Type. For unsecured guest access, we choose “Open”.

    Step 5 Click the OK button to create this VAP Profile.