Download - Configuring Virtual Access Points in SonicOS 5.0 Enhanceddocshare04.docshare.tips/files/28349/283497100.pdf · SonicOS 5.0 Enhanced ... This forced WLAN network administrators to

11Configuring SonicPoint Virtual APsConfiguring SonicPoint Virtual APs

Configuring Virtual Access Points inConfiguring Virtual Access Points inSonicOS 5.0 EnhancedSonicOS 5.0 Enhanced

This document describes the Virtual Access Point feature and includes the following sections:This document describes the Virtual Access Point feature and includes the following sections:

•• “SonicPoint VAP Overview” section on page 1“SonicPoint VAP Overview” section on page 1

•• “Supported Platforms” section on page 4“Supported Platforms” section on page 4

•• ““PrerePrerequisites” quisites” section osection on pagn page 5e 5

•• “Deployment Restrictions” section on page 5“Deployment Restrictions” section on page 5

•• “SonicPoint Virtual AP Configuration Tasklist” section on page 5“SonicPoint Virtual AP Configuration Tasklist” section on page 5

•• “Thinking Critically About VAPs” section on page 18“Thinking Critically About VAPs” section on page 18

•• “VAP Sample Configurations” section on page 21“VAP Sample Configurations” section on page 21

•• “Document Version History” section on page 36“Document Version History” section on page 36

SonicPoint VAP OverviewSonicPoint VAP OverviewThis section provides an introduction to the Configuring SonicPoint Virtual APs feature. This sectionThis section provides an introduction to the Configuring SonicPoint Virtual APs feature. This sectioncontains the following subsections:contains the following subsections:

•• “What Is a Virtual Access Point?” section on page 2“What Is a Virtual Access Point?” section on page 2

•• “What Is an SSID?” section on page 3“What Is an SSID?” section on page 3 •• ““Wireless RoamWireless Roaming wing with Eith ESSSIDSID” secti” section on page on on page 33

•• “What Is a BSSID?” section on page 3“What Is a BSSID?” section on page 3

•• “Benefits of Using Virtual APs” section on page 4“Benefits of Using Virtual APs” section on page 4

•• “Benefits of Using Virtual APs with VLANs” section on page 4“Benefits of Using Virtual APs with VLANs” section on page 4

SonicPoint VAP OverviewSonicPoint VAP Overview

22 Configuring SonicPoint Virtual APsConfiguring SonicPoint Virtual APs

What Is a Virtual Access Point?What Is a Virtual Access Point?

A A “V“Viirrttuuaal l AcAccceesss s PPooiinntt” ” iis s a a mmuullttiipplelexxeed d iinnssttaannttiiaattioion n oof f a a ssiinngglle e pphhyyssicicaal l AcAccceesss s PPooinint t ((APAP) ) sso o tthhaat t ititpresepresents itnts itself self as as multiplmultiple discree discrete Access Pointte Access Points. To wireless s. To wireless LALAN cliN clients, eaents, each Vich Virtual Artual AP appeP appears ars to be anto be anindependeindependent physical Ant physical APP, when , when in actuain actualility there is only a singty there is only a single physical AP. Befole physical AP. Before the re the evolutevolutioion of n of thethe

Vi Virrttuuaal l AP AP fefeaattuurre e ssuuppppoorrtt, , wwirireelleesss s nneettwwoorrkks s wweerre e rreeleleggaatteed d tto o a a oonnee-t-too-o-onne e rreellaattiioonnsshhiip p bbeettwweeeen n pphhyyssicicaall Ac Accceesss s PPoioinntts s aannd d wwirireelleesss s nneettwwoorrk k sseeccuurriitty y cchhaarraacctteerriissttiiccss, , ssuucch h aas s aauutthheenntticicaattioion n aannd d eennccrryyppttioionn. . In In ootthheerrwords, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAPwords, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAPconnectivconnectivity ity to to clients, clients, and if and if the latter werthe latter were reqe required, they would had to have been provided by a separauired, they would had to have been provided by a separate,te,distinctly configured Access Points. This forced WLAN network administrators to find a solution to scaledistinctly configured Access Points. This forced WLAN network administrators to find a solution to scaletheir existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APstheir existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs(VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11(VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11standastandard frd for the media aor the media access cccess contontrol rol (MAC) (MAC) protoprotocol col layer thalayer that it includes a uncludes a unique Basic Snique Basic Service Seervice SettIIdentifdentifier (BSSier (BSSIIDD) and ) and SServiervice ce SeSet It Identifdentified (Sied (SSIDSID). T). This allows fohis allows for ser segmgmenting wenting wireless neireless network stwork serviervicesceswithin a single rawithin a single radio fdio frequrequency fooency footprint otprint of f a singa single physical ale physical access ccess poipoint device.nt device.

V VAPAPs s aalllloow w tthhe e nneettwwoorrk k aaddmmiinniissttrraattoor r tto o ccoonnttrrool l wwiirreelleesss s uusseer r aacccceesss s aannd d sseeccuurriitty y sseettttiinnggs s bby y sseettttiinng g uuppmumultltipliple cue custom confstom configuraiguratiotions on a singns on a single physical interfle physical interfaceace. E. Eacach of h of these cthese custom confustom configuraiguratiotions ans acts ascts asa sea separaparate (vte (virtirtual) acceual) access poiss point, nt, and caand can be groupen be grouped and ed and enfnforced on single or multiorced on single or multiple physical SonicPoiple physical SonicPointntaccaccess pointess points simultaneously as ills simultaneously as illustrateustrated below ind below in Figure 1Figure 1..

FFigurigure e 11 VVAP AP DeDeployploymement nt with with SSoniconicWWALL ALL SSoniconicPPointoint

For more infFor more informatioormation on Sonin on SonicOcOS SS Securecure Wireless featurese Wireless features, ref, refer to theer to theSonSoniiccWAWALLL L SeSeccureureWWiirerelleess ss IIntenteggratedratedSoSolutilutionons Gs Guideuide..

SonicWALL PRO 2040SonicWALL PRO 2040Radius Server Radius Server

InternetInternet

VLAN 50VLAN 50 - SSID: VAP-Corporate- SSID: VAP-CorporateVLAN 100VLAN 100 - SSID: - SSID: VAP-LegacyVAP-LegacyVLAN 150VLAN 150 - SSID: - SSID: VAP-Guest_SecureVAP-Guest_SecureVLAN 200VLAN 200 - SSID: VAP-Guest- SSID: VAP-GuestVLAN 250VLAN 250 - SSID: VAP-SSL-VPN- SSID: VAP-SSL-VPN

VLAN IDs Provisioned to SonicPointsVLAN IDs Provisioned to SonicPoints

SSID:SSID:VAP-SSL-VPNVAP-SSL-VPN

SSID:SSID:VAP-CorporateVAP-Corporate

SSID:SSID:VAP-GuestVAP-Guest

SSID:SSID:VAP-LegacyVAP-Legacy


SecureSecure


SonicPoint VAP OverviewSonicPoint VAP Overview


What Is an SSID?What Is an SSID?

A A SSeerrvivicce e SSeet t IDeIDennttififiieer r ((SSSSID) ID) iis s tthhe e nnaamme e aassssigignneed d tto o a a wwiirreelelesss s nneettwwoorrkk. . WWiirreelelesss s ccllieienntts s mmuusst t uusse e tthhisissame, case-sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up tosame, case-sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up to32 bytes lo32 bytes longng. Multi. Multiple SonicPoiple SonicPoints on nts on a nea network can utwork can use the sase the same Sme SSIDSIDs. Ys. You can confou can configure igure up to up to 8 unique8 uniqueSSSIDSIDs on SonicPoins on SonicPoints and ts and assigassign difn difffereerent confnt configuraiguratition settion settings ngs to each Sto each SSID.SID.

SSonionicPointcPoints broadcs broadcast a ast a beabeacon (announcemecon (announcements of nts of avaavaililabiliability of ty of a wa wireless netwireless network) fork) for every Sor every SSIDSIDconfconfigureigured. By default, d. By default, the Sthe SSID SID is iis included wncluded witithin the beacon so that wireless clients can sehin the beacon so that wireless clients can see the we the wirelessireless

networks. The option to suppress the SSID within the beacon is provided on a per-SSID (e.g. per-VAP ornetworks. The option to suppress the SSID within the beacon is provided on a per-SSID (e.g. per-VAP orper-AP) basis to help conceal the presence of a wireless network, while still allowing clients to connect byper-AP) basis to help conceal the presence of a wireless network, while still allowing clients to connect bymamanually specifnually specifying the SSying the SSIID.D.

TThe fohe follllowing seowing settittings cngs can be an be assigassigned to eacned to each VAPh VAP::

•• Au Autthheennttiiccaattiioon n mmeetthhoodd

•• VL VLANAN

•• MaMaxiximum mum numnumber of ber of cliclient associations ent associations using the Susing the SSSIIDD

•• SSSSIID D SuSuppressionppression

Wireless Roaming with ESSIDWireless Roaming with ESSID

An An ESESSSID ID ((ExExtteennddeed d SSeerrvviicce e SSeet t IDeIDennttififiieerr) ) iis s a a ccoolllleeccttiioon n oof f AcAccceesss s PPooinintts s ((oor r ViVirrttuuaal l AcAccceesss s PPooiinnttss))sharsharing the saming the same Se SSID. SID. A A typical wireless netwtypical wireless network comprises more than one Aork comprises more than one AP fP for tor the purpose of he purpose of coveringcoveringgegeographic areographic areas largeas larger than can be servir than can be serviced by a single Aced by a single APP. . AAs cls clients movients move through the wireless netwe through the wireless network,ork,the strengthe strength oth of f their wireless connection their wireless connection decredecreaseases as they ms as they move awove away from oay from one Access Point ne Access Point (A(AP1) andP1) andincreasincreases aes as they move towas they move toward another (Ard another (AP2). P2). ProvProvidiiding AP1 and APng AP1 and AP2 ar2 are on the same on the same ESSe ESSIID D (f(for example,or example,‘soni‘sonicwcwall’all’) and that the (V)) and that the (V)AAPs share Ps share the samthe same Se SSID SID and sand securecurity coity confnfiguraiguratiotions, the client will ns, the client will be abe able toble toroam from one to roam from one to the other. Tthe other. This rohis roamaming process is controing process is controlllled by the wed by the wireless cliireless client harent hardwdware are and driverand driver,,so roaming so roaming behabehavivior can difor can difffer from one client to er from one client to the next, but it ithe next, but it is gs generenerally dependeally dependent upon the signalnt upon the signalstrength of each AP within an ESSID.strength of each AP within an ESSID.

What Is a BSSID?What Is a BSSID?

A A BBSSSSID ID ((BBaassic ic SSeerrvviicce e SSeet t IDeIDennttiififieerr) ) is is tthhe e wwirireelleesss s eeqquuiivvaalelennt t of of a a MMAAC C ((MMeeddiia a AcAccceesss s CCoonnttrrolol) ) aaddddrreessss,,or a unique or a unique hardwhardware are addraddress of an Aess of an AP or VAP or VAP fP for the purposes of or the purposes of identifidentificatioication. Contn. Continuing the exainuing the examplemple

of of the roamthe roaming wing wireless client fireless client from the ESSrom the ESSIID D section above, as section above, as the client on the ‘sonithe client on the ‘sonicwcwall’ Eall’ ESSSID SID movesmovesawaway from Aay from AP1 and towaP1 and toward Ard AP2, the strength of P2, the strength of the signathe signal fl from the from the former wormer wilill decreal decrease wse whilhile the lattere the latterincreasincreaseses. T. The client’s wireless cahe client’s wireless card and driver constantly monird and driver constantly monitors ttors these levels, difhese levels, difffereerentiatintiating beng betwetween theen the(V(V)A)APs by their BSPs by their BSSID. When the caSID. When the card/rd/ driver’s driver’s criteria fcriteria for roaming or roaming are are memet, the clit, the client went wilill detach l detach ffrom therom theBSSID of AP1 and attach to the BSSID or AP2, all the while remaining connected the ‘sonicwall’ ESSID.BSSID of AP1 and attach to the BSSID or AP2, all the while remaining connected the ‘sonicwall’ ESSID.

Supported PlatformsSupported Platforms


Benefits of Using Virtual APsBenefits of Using Virtual APs

This section includes a list of benefits in using the Virtual AP feature:This section includes a list of benefits in using the Virtual AP feature:

•• Radio Channel ConservationRadio Channel Conservation——Prevents buildiPrevents building overlappeng overlapped infd infrastructurerastructures by as by allllowing a owing a singlesinglePhysical Access Point to be used for multiple purposes to avoid channel collision problem. ChannelPhysical Access Point to be used for multiple purposes to avoid channel collision problem. Channelconservatioconservation. Multin. Multiple proviple providers aders are bere becoming the norm wcoming the norm withiithin public spaces sn public spaces such auch as airports. Wis airports. Withinthinan aan airpoirport, rt, it it might be nemight be necessacessary to ry to support an FAA support an FAA netwnetwork, ork, one or more airlione or more airline netwne networks, and perhaorks, and perhapspsone or moone or more Wireless ISPs. Hore Wireless ISPs. Howewever, in ver, in the US athe US and Eurond Europe, 802.11pe, 802.11b netwb networks can onlorks can only support y support threethree

usausable (noble (non-n-overlapping) channels, and in Fraoverlapping) channels, and in France ance and Japan only ond Japan only one chane channel is nnel is avaavaililable. Oable. Once thence thechannechannels are uls are utiltilizized by ed by existiexisting APs, additing APs, additional Aonal APs will Ps will interfinterfere ere with eawith each other and rech other and reduceduceperfoperformancrmance. By ae. By allllowing a owing a single netwsingle network to ork to be usebe used fd for multior multiple purposes, Viple purposes, Virtual Artual APs conservePs conservechannels.channels.

•• OptiOptimmize ize SSonicPoint LAonicPoint LAN N InfrastruInfrastructur ctur e—e—ShaShare the sare the same Sme SonionicPoint cPoint LALAN iN infnfrastructure rastructure amamongongmultiplmultiple providers, rathee providers, rather than building an overlapping infr than building an overlapping infrasrastructure, to ltructure, to lower ower down the cadown the capitpitalalexpenditure for installation and maintenance of your WLANs.expenditure for installation and maintenance of your WLANs.

Benefits of Using Virtual APs with VLANsBenefits of Using Virtual APs with VLANs

Al Altthhoouuggh h tthhe e imimpplleemmeennttaattiioon n oof f VVAPAPs s ddoeoes s nnoot t rreeqquuiirre e tthhe e uusse e oof f VLVLANANss, , VLVLAN AN uusse e ddoeoes s pprroovvidideeprapractical traffctical traffic dific difffererentiaentiatiotion benen beneffits. When not using VLAits. When not using VLANs, the traNs, the traffffic fic from erom eacach VAP h VAP is handis handled by aled by acommon interface on the SonicWALL security appliance. This means that all traffic from each VAP willcommon interface on the SonicWALL security appliance. This means that all traffic from each VAP will

belong to the sabelong to the same me ZZone aone and sand same me subnet (Notsubnet (Note: a e: a ffuture veuture version orsion of f SonicOSonicOS S Enhanced wEnhanced wilill allol allow w ffor traffor trafficicfrom different VAPs to exist on different subnets within the same Zone, providing a measure of trafficfrom different VAPs to exist on different subnets within the same Zone, providing a measure of trafficdifdifffererentiaentiation tion eveeven without VLn without VLAN AN tagtaggging). By tagging). By tagging the tring the traffaffic fic from erom eacach VAP h VAP wwith a unique ith a unique VLVLAN AN IID,D,and and by creby creating the cating the corresponding sub-orresponding sub-interfinterfaceaces on the SonicWs on the SonicWAALL LL secursecurity appliity applianceance, it , it is pois possible to ssible to havehaveeaeach VAP ch VAP occupy a unique soccupy a unique subnet, and to assign eaubnet, and to assign each sub-ich sub-interfnterface ace to to its its own Zoown Zone.ne.

This affords the following benefits:This affords the following benefits:

•• Each VAEach VAP can have its own secP can have its own security serviurity services seces settittings (engs (e.g. G.g. GAVAV, I, IPSPS, CFS, etc.), CFS, etc.)

•• Traffic from each VAP can be easily controlled using Access Rules configured from the Zone level.Traffic from each VAP can be easily controlled using Access Rules configured from the Zone level.

•• SeSeparaparate Wireless Gte Wireless Guest Suest Services (WGervices (WGSS) o) or Lir Lightwghtweight Hoteight Hotspot spot MeMessagssaging (Ling (LHM) confHM) configuraiguratitions canons canbe abe applipplied to eaed to each, fch, faciliacilitating the pretating the presentation of sentation of mumultltipliple ge guest seuest servirvice prce provioviders ders with a commwith a common seton setof of SonicPoiSonicPoint hardwnt hardwareare..

•• BandwBandwidth idth mamanagnagemeement and ont and other Ather Access Ruccess Rule-le-basebased contd controls rols can eacan easilsily be applied.y be applied.

Supported PlatformsSupported PlatformsThis feature is supported on the following platforms running SonicOS Enhanced 3.5 or higher:This feature is supported on the following platforms running SonicOS Enhanced 3.5 or higher:

•• SonicWALL PRO 2040SonicWALL PRO 2040





PrerequisitesPrerequisites


PrerequisitesPrerequisites •• Each SEach SonicWonicWALALL L SSonicPoint onicPoint mumust be explicitlst be explicitly enay enabled fbled for Vor Virtual Airtual Acceccess Point ss Point suppsupport ort by seleby selectingcting

thetheSonSonicPoiicPoint > Sonnt > SonicicPoints > GPoints > Genereneral Settings Tabal Settings Tab: “Enable SonicPoint” checkbox in the: “Enable SonicPoint” checkbox in theSonicOSonicOS mS manaanagegement interfment interface ace and enaand enablibling either Radng either Radio io A A or Gor G..

•• SonicPoints must be linked to a WLAN zone on your SonicWALL UTM appliance in order forSonicPoints must be linked to a WLAN zone on your SonicWALL UTM appliance in order forprovisioning of APs to take place.provisioning of APs to take place.

•• When using VWhen using VAAPs with VPs with VLALANs, you must ensuNs, you must ensure thare that the physical SonicPoit the physical SonicPoint discovnt discovery aery andndproviprovisiosioning paning packeckets remts remain untaggain untagged (unless beed (unless being terminated ing terminated natively intnatively into a VLo a VLAAN sub-N sub-intinterface onerface onthe Sthe SonionicWcWAALLLL). ). YoYou muu must also ensure thast also ensure that VAt VAP packeP packets that are VLAts that are VLAN taggeN tagged by the Sd by the SonionicPoint cPoint arearedelivered unadelivered unaltered (neitltered (neither un-her un-encaencapsulated nor doublpsulated nor double-e-encaencapsulated) by any intpsulated) by any intermeermediate equipmediate equipment,nt,such asuch as a VLs a VLAAN capable swN capable swititch, on tch, on the netwhe network.ork.

Deployment RestrictionsDeployment RestrictionsWhen confWhen configuring iguring your VAP setup, be ayour VAP setup, be awaware of tre of the fohe follllowing deowing deployment restrictioployment restrictions:ns:

•• MaMaxiximum mum SonicPoiSonicPoint restrictint restrictions apply and difons apply and difffer baer based on your SonicWsed on your SonicWAALL LL PRO PRO series haseries hardwrdwareare..Review thesReview these ree restrictistrictions ions in then the“Custom VLAN Settings” section on page 12“Custom VLAN Settings” section on page 12

SonicPoint Virtual AP Configuration TasklistSonicPoint Virtual AP Configuration Tasklist A A SSoonniiccPPooinint t VVAP AP ddeepploloyymmeennt t rreeqquuirirees s sseevveerraal l sstteepps s tto o ccoonnfifigguurree. . ThThe e fofolllolowwining g sseeccttiioon n pprroovvididees s fifirrsst t aabrief obrief overviverview ew of of the steps involthe steps involved, and theved, and then a n a more in-more in-depth exadepth examinatiomination of n of the pathe parts that marts that make uke up ap asuccesuccessfssful VAul VAP deployment. TP deployment. This subsequehis subsequent sectiont sections descrns describe VAibe VAP deployment requiremP deployment requirements and prents and proviovidesdesan administrator configuration task list:an administrator configuration task list:

•• “SonicPoint VAP Configuration Overview” section on page 6“SonicPoint VAP Configuration Overview” section on page 6

•• “Network Zones” section on page 7“Network Zones” section on page 7

•• “VLAN Sub-Interfaces” section on page 12“VLAN Sub-Interfaces” section on page 12

•• ““DDHCP Server HCP Server ScScope” ope” section osection on pagn page 13e 13

•• “Sonic Point Provisioning Profiles” section on page 17“Sonic Point Provisioning Profiles” section on page 17

•• “Thinking Critically About VAPs” section on page 18“Thinking Critically About VAPs” section on page 18

•• “Deploying VAPs to a SonicPoint” section on page 34“Deploying VAPs to a SonicPoint” section on page 34

SonicPoint Virtual AP Configuration TasklistSonicPoint Virtual AP Configuration Tasklist


SonicPoint VAP Configuration OverviewSonicPoint VAP Configuration Overview

The following are required areas of configuration for VAP deployment. This sequence of steps is designedThe following are required areas of configuration for VAP deployment. This sequence of steps is designedspecifspecificallically to honor dependey to honor dependencies, provide confncies, provide configuraiguratiotion task n task effefficiiciencyency, and , and minimizminimize e the total numbethe total number ofr ofrerequirequired steps fd steps for VAor VAP confP configuiguraration.tion.

1.1. ZoneZone - The Zone is the backbone of your VAP configuration. Each Zone you create will have its own - The Zone is the backbone of your VAP configuration. Each Zone you create will have its ownsecursecuritity and acy and access control cess control settings and you can cresettings and you can create aate and apply multiplnd apply multiple zones te zones to a sio a single physicangle physicallinterface by way of VLAN sub-interfaces.interface by way of VLAN sub-interfaces.

2.2. Interface (or VLAN Interface (or VLAN SSub-Interfaceub-Interface)) - - TThe Interface he Interface (X(X2, X2, X3, etc3, etc...) ...) reprepreresensents the phyts the physicasical connectionl connectionbetwbetweeeen your Sn your SonionicWcWAALL LL UTUTM aM applippliance ance and yand your Sour SonionicPointcPoint(s). (s). YoYour indiviur individuadual Zl Zone settings aone settings arereapplied to tapplied to these hese interfinterfaceaces and thes and then fn forwaorwarded rded to yoto your Sur SonionicPointcPoints. Os. On PRO n PRO series deseries devivicesces, each, eachinterface may have multiple sub-interfaces, or VLANs (X2:100, X3:150, etc...) to which your Zoneinterface may have multiple sub-interfaces, or VLANs (X2:100, X3:150, etc...) to which your Zonesettings are applied.settings are applied.

SonicPointSonicPoint

ZoneZone

DHCP ScopesDHCP Scopes

VLANsVLANs

VAP ProfilesVAP Profiles

VAP ConfigurationVAP Configuration

Network ConfigurationNetwork Configuration

VAP ObjectsVAP Objects

SonicPoint ProfileSonicPoint Profile



3.3. DHDHCP ServeCP Serverr- - TThe DHhe DHCP server assigns leaCP server assigns leased IP sed IP addraddresseesses to s to userusers within s within specifspecified rangied rangeses, kno, knownwnas “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPointas “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPointdeployments, fodeployments, for instance, a r instance, a scope of scope of 200 200 addraddresseesses fs for an interfor an interface ace that will that will onlonly use y use 30. Beca30. Because ofuse ofthithis, Ds, DHCP rangeHCP ranges muss must be set caret be set careffully iully in order to ensure the an order to ensure the available lease scope is not vailable lease scope is not exhausexhausted.ted.

4.4. V VAAP P PPrrooffiillee - The VAP Profile feature allows for creation of SonicPoint configuration profiles which - The VAP Profile feature allows for creation of SonicPoint configuration profiles whichcan be can be eaeasilsily applied to new Sy applied to new SonionicPoint cPoint VVirtirtual Access Pointual Access Points as nes as needeeded.d.

5.5. V VAAP P ObObjjeeccttss - The VAP Objects feature allows for setup of general VAP settings. SSID and VLAN- The VAP Objects feature allows for setup of general VAP settings. SSID and VLANIID D are are confconfigureigured through Vd through VAAP SeP Settittingsngs..

6.6. V VAAP P GGrroouuppss - The VAP Group feature allows for grouping of multiple VAP objects to be - The VAP Group feature allows for grouping of multiple VAP objects to besimultaneously applied to your SonicPoint(s).simultaneously applied to your SonicPoint(s).

7.7. A Assssiiggn n WWEP EP KKeey y ((ffoor r WWEP EP eennccrryyppttiioon n oonnllyy)) - The Assign WEP Key allows for a WEP Encryption - The Assign WEP Key allows for a WEP EncryptionKKey to be aey to be applipplied to new ed to new SonicPoiSonicPoints as thents as they ay are prre proviovisionsioned. WEP keys aed. WEP keys are cre confonfigureigured perd per--SSonionicPointcPoint,,meameaning that any WEP-ning that any WEP-enaenabled VAbled VAPs assignePs assigned to a SonicPoid to a SonicPoint must use the sant must use the same seme set ot of f WEP WEP keyskeys. Up. Upto to 4 keys ca4 keys can be defin be defined perned per--SonicPoiSonicPoint, and WEnt, and WEP-P-enaenabled VAbled VAPs can use thesPs can use these 4 kee 4 keys independeys independently.ntly.WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint >WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint >SonicPoiSonicPoints pagents page..

8.8. A Assssigign n VVAAP P GGrroouup p tto o SSoonniiccPPooinint t PPrroovvisisioionniinng g PPrrooffiille e RRaaddioio- The Provisioning Profile allows a- The Provisioning Profile allows a V VAP AP GrGroouup p tto o bbe e aappppllieied d tto o nneew w SSoonnicicPPooiinntts s aas s tthheey y aarre e pprroovivissioionneedd..

Network ZonesNetwork Zones

This section contains the following sub-sections:This section contains the following sub-sections:

•• “The Wireless Zone” section on page 8“The Wireless Zone” section on page 8

•• ““Custom Wireless ZoCustom Wireless Zone Sne Settings” sectioettings” section on pagn on page 8e 8

A A nneettwwoorrk k sseeccuurriitty y zzoonne e is is a a llogogicicaal l mmeetthhood d oof f ggrrououppining g oonne e oor r mmoorre e inintteerrfafaccees s wwiitth h frfriieennddllyy,,useruser--confconfiguraigurable namble nameses, and a, and applyipplying sng securecuritity rules ay rules as traffs traffic passeic passes fs from one zone to rom one zone to another zone. Withanother zone. Withthe zothe zone-ne-basebased securd securitityy, t, the ahe administratodministrator can gr can group similroup similar interfaces and aar interfaces and apply tpply the sahe same polime policies to cies to them,them,instead of instead of having to write the sahaving to write the same me polpolicy ficy for eacor each inth interface. Netwerface. Network Zork Zones arones are confe configureigured fd from therom theNetwork > ZonesNetwork > Zones page page



‹‹

The Wireless ZoneThe Wireless Zone

The Wireless Zone type, of which the “WLAN Zone” is the default instance, provides support toThe Wireless Zone type, of which the “WLAN Zone” is the default instance, provides support toSonicWALL SonicPoints. When an interface or sub-interface is assigned to a Wireless Zone, the interfaceSonicWALL SonicPoints. When an interface or sub-interface is assigned to a Wireless Zone, the interfacecan discover acan discover and provind provision sion Layer 2 Layer 2 connected Sconnected SonionicPointcPoints, and cas, and can also enfn also enforce secuorce security settirity settings angs above thebove the802802.11 laye.11 layer, includir, including WiFiSeng WiFiSec Enfc Enforcemeorcement, SSnt, SSL-L-VVPN redirectioPN redirection, Wireless Gn, Wireless Guest Suest Services, Liervices, LightwghtweighteightHotHotspot spot MeMessagssaging and aing and all ll lilicensecensed Dd Deep Paeep Packecket It Inspection security servnspection security services.ices.

NoteNote SSonionicPointcPoints can only be ms can only be manaanageged using ud using untaggntagged, non-ed, non-VVLALAN packeN packets. When setting up yts. When setting up your WLAour WLAN,N,ensurensure that pace that packets sent to tkets sent to the She SonionicPointcPoints are s are non Vnon VLALAN taggeN tagged.d.

Custom Wireless Zone SettingsCustom Wireless Zone Settings

Al Altthhoouuggh h SSoonnicicWWALALL L pprroovvididees s tthhe e pprree-c-coonnfifigguurreed d WWiirreelelesss s ZoZonnee, , aaddmmiinnisisttrraattoorrs s aallsso o hhaavve e tthhe e aabbililitity y ttoocreacreate their ote their own cuwn custom wireless zostom wireless zonesnes. When usi. When using VAPs, several custom zong VAPs, several custom zones canes can be applied to n be applied to a single,a single,or multiplor multiple Se SonionicPoint cPoint accaccess points. Tess points. The fohe follllowing threowing three see sectioctions desns describe secribe settittings ngs ffor custom wireor custom wirelesslesszones:zones:

“General” section on page 8“General” section on page 8

“Wi“Wireless” section oreless” section on pagn page 9e 9

“G“Guest Suest Services” sectiervices” section on page on on page 1010

GeneralGeneral

FFeeaattuurree DDeessccrriippttiioonn

NameName CreaCreate a nate a name for yome for your custom Zour custom Zonene

SSecurecurity ity TyTypepe SelectSelect W Wiirreelleessss i in order to n order to enaenable and acceble and access wireless sess wireless security ocurity optiptions.ons.



WirelessWireless

A Alllloow w InIntteerrffaacce e TTrruusstt Select this option to automatically create access rules to allow traffic toSelect this option to automatically create access rules to allow traffic tofflow betwlow betweeeen the interfaces of n the interfaces of a zone. Ta zone. This will his will effeffecectively allow usetively allow users onrs ona wireless zone to communicate with each other. This option is oftena wireless zone to communicate with each other. This option is oftendisabled wdisabled when setting up Wireless Ghen setting up Wireless Guest Suest Services (WGervices (WGSS).).

SonSonicWALicWALL SecurL SecurityityServicesServices

SSelect the seelect the security services you wish to enfcurity services you wish to enforce on this zorce on this zone. Tone. This allohis allowsws y yoou u tto o eexxtteennd d yyoouur r SSoonnicicWWALALL L UUTM TM sseeccuurriitty y sseerrviviccees s tto o yyoouurrSonicPoints.SonicPoints.



OnlOnly allow traffic generatedy allow traffic generatedby a Sonby a SonicPoiicPointnt

Restricts traffic on this zone to SonicPoint-generated traffic only.Restricts traffic on this zone to SonicPoint-generated traffic only.

SSSSLL-V-VPN EPN Enforcemnforcementent Redirects all traffic entering the Wireless Zone to a defined SonicWALLRedirects all traffic entering the Wireless Zone to a defined SonicWALLSSL-VPN appliance. This allows all wireless traffic to be authenticatedSSL-VPN appliance. This allows all wireless traffic to be authenticatedand and encrypted bencrypted by the Sy the SSSL-L-VVPN, using, fPN, using, for examor example, NetEple, NetExtender toxtender totunnel all traffic. Note: Wireless traffic that is tunneled through antunnel all traffic. Note: Wireless traffic that is tunneled through an

SSL-VPN will appear to originate from the SSL-VPN rather than fromSSL-VPN will appear to originate from the SSL-VPN rather than fromthe Wireless Zone.the Wireless Zone.

•• SSSSLL-V-VPN ServerPN Server- - SSelect the Address Oelect the Address Object represebject representing thenting theSSSSL-L-VVPN appliPN appliance ance to which you wish to redirect wirelessto which you wish to redirect wirelesstraffic.traffic.

•• SSSSL-L-VPN VPN SServiceervice - - TThe She Service Oervice Object represbject representing theenting theSSL-VPN service. This is typically HTTPS.SSL-VPN service. This is typically HTTPS.

W WiiFFiiSSeec c EnEnffoorrcceemmeenntt ReRequirequires all traffs all traffic be either IPsec or WPA. Wiic be either IPsec or WPA. With this th this optiooption chen checkecked, alld, allnon-guest connections must be IPsec enforced.non-guest connections must be IPsec enforced.

•• W WiiFFiiSSeec c ExExcceeppttiioon n SSeerrvviiccee - Select the se - Select the servirvice(s) you wce(s) you wish toish tobe ebe exempt froxempt from WiFiSec m WiFiSec EnfEnforcemeorcement.nt.

Require WRequire WiFiFiSec foriSec forSite-to-site VPN TunnelSite-to-site VPN Tunnel

TraversalTraversal

For use wFor use with ith WiFiWiFiSSec enfoec enforcemrcement, requires WiFiSec seent, requires WiFiSec security ocurity on alln allsite-to-site VPN connections through this zone.site-to-site VPN connections through this zone.



Guest ServicesGuest Services

TheTheEEnable Wnable Wireless Guest Servicesireless Guest Services option allows the following guest services to be applied to a zone: option allows the following guest services to be applied to a zone:

Trust WPTrust WPA/A/ WWPA2 PA2 tratraffiffic asc as W WiiFFiiSSeecc

Al Allolowws s WWPPA A oor r WWPPA2 A2 tto o bbe e uusseed d aas s aan n aalltteerrnnaattiivve e tto o WWiiFFiSiSeecc..

SonSonicicPoint Point ProvisiProvisioningoningProfileProfile

Select a pre-defined SonicPoint Provisioning Profile to be applied to allSelect a pre-defined SonicPoint Provisioning Profile to be applied to allcurrecurrent and future Snt and future SonionicPointcPoints on this on this zone.s zone.



EEnable nable inter-guestinter-guest

communicationcommunication

Al Allloowws s WWGSGS// LLHHM M uusseerrs s on on tthhiis s ZoZonne e tto o ccoommmmuunniiccaatte e wwitith h eeaacch h ootthheerr..

TThis fhis feaeature ature also requires that Intlso requires that Interface Trust be eerface Trust be enabled on thenabled on theresperespective Zctive Zone.one.

Bypass AV Check for GuestsBypass AV Check for Guests Al Allolowws s gguueesst t ttrraaffiffic c tto o bbyyppaasss s AnAnttii-Vi-Virruus s pprrootteeccttiioonn

EEnable nable DyDynamnamic Addressic AddressTranslation (DAT)Translation (DAT)

Dynamic Address Translation (DAT) allows the SonicPoint to supportDynamic Address Translation (DAT) allows the SonicPoint to supportany Iany IP addressing scheP addressing scheme fome for WGr WGS useS users.rs.

IIf f thithis optis option ion is disabled (un-checkeds disabled (un-checked), wireless g), wireless guest useuest users mrs must eitherust eitherhave DHCP have DHCP enaenabled, obled, or an Ir an IP addresP addressing schemsing scheme compatible with e compatible with thetheSonicPoiSonicPoint’s netwnt’s network settiork settingsngs..

EEnanable Eble External Guestxternal Guest A Auutthheennttiiccaattiioonn

RequRequires gueires guests connsts connecting fecting from the device orom the device or netwr network yoork you select tou select toauthenticate beauthenticate beffore gaining acore gaining accesscess. T. This fhis feaeature, baseture, based on d on LiLightwghtweighteightHotHotspot Messaspot Messaging ging (L(LHM) is used fHM) is used for authenticating Hotspoor authenticating Hotspot users at users andndproviproviding them paramding them parametrically etrically bound bound netwnetwork ork acceaccess.ss.



Custom AuthenCustom AuthenticticationationPagePage

RedRedirects users to a custoirects users to a custom aum authenticatithentication page won page when they fhen they first irst connectconnectto a SonicPoint in the Wireless Zone. Click Configure to set up theto a SonicPoint in the Wireless Zone. Click Configure to set up thecustom authecustom authenticatintication pageon page. E. Enter either a URL to nter either a URL to an aan authenticatiouthenticationnpagpage or a cue or a custom challenge stom challenge statemestatement in tnt in the text fhe text field, and cliield, and click Ock OKK..

Post Authentication PagePost Authentication Page DDirects userirects users to s to the pagthe page you specife you specify immey immediately afdiately after succeter successfssfululauauthenticathentication. tion. Enter a URL fEnter a URL for the post-or the post-auauthenticathenticatiotion pagn page in the fe in the filed.iled.

Bypass GuestBypass Guest A Auutthheennttiiccaattiioonn

Al Allloowws s a a SSoonniiccPPooiinnt t rruunnnniinng g WWGS GS tto o iinntteeggrraatte e iinntto o eennvviirroonnmmeenntts s aallrreeaaddyyusing some form of user-level authentication. This feature automates theusing some form of user-level authentication. This feature automates theWGS authentication WGS authentication process, allowing wireless useprocess, allowing wireless users to rs to reareach WGch WGSSresourceresources ws withoithout requt requiring auuiring authenticatithentication. Ton. This fhis feaeature should only beture should only beused wused when unrestricthen unrestricted WGS acceed WGS access is desired, oss is desired, or wr when another devihen another deviceceupstreaupstream m of of the Sthe SonionicPoint icPoint is es enfnforcing aorcing authenticatiouthentication.n.

Redirect SRedirect SMTP MTP tratraffic ffic toto Redirects SMTP traffic incoming on this zone to an SMTP server youRedirects SMTP traffic incoming on this zone to an SMTP server youspecifspecifyy. Se. Select the addrlect the address object to ess object to redirect traredirect traffffic to.ic to.

Deny NetworksDeny Networks BloBlocks tracks traffffic fic from the netwrom the networks you speciforks you specifyy. Selec. Select the subnet, addret the subnet, addressssgroup, or IP address to block traffic from.group, or IP address to block traffic from.

Pass NetworksPass Networks Au Auttoommaattiiccaalllly y aalllolowws s ttrraaffiffic c tthhrroouuggh h tthhe e WWiirreelleesss s ZoZonne e frfroom m tthheenetwnetworks orks you select.you select.

Max GuestsMax Guests SSpecifpecifies the maximum nies the maximum numbeumber of r of guguest userest users allowed to cos allowed to connect to nnect to thetheWireless Zone. The default is 10.Wireless Zone. The default is 10.




VLAN Sub-InterfacesVLAN Sub-Interfaces

A A ViVirrttuuaal l LoLoccaal l ArAreea a NNeettwwoorrk k ((VLVLANAN) ) aalllolowws s yyoou u tto o ssppllit it yyoouur r pphhyyssicicaal l nneettwwoorrk k ccoonnnneeccttiioonns s ((X2X2, , X3X3, , eettcc......))into many virtual network connection, each carrying its own set of configurations. The VLAN solutioninto many virtual network connection, each carrying its own set of configurations. The VLAN solutionallows eaallows each VAP ch VAP to to have its own sepahave its own separate srate sub-ub-intinterface on an aerface on an actual physical intctual physical interfaceerface..

VL VLAN AN ssuubb-i-inntteerrfafaccees s hhaavve e mmoosst t oof f tthhe e ccaappaabbiillititiiees s aannd d cchhaarraacctteerriisstticics s oof f a a pphhyyssicicaal l iinntteerrfafaccee, , iinncclluuddiinng g zzoonneeassignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IPassignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IPHelper, routing, and full NAT policy and Access Rule controls. Features excluded from VLANHelper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN

sub-interfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support.sub-interfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support.

VL VLAN AN SSuubb-In-Intteerrfafaccees s aarre e ccoonnfifigguurreed d frfroom m tthheeNNetwork etwork > Interfaces> Interfaces page. page.

Custom VLAN SettingsCustom VLAN Settings

The table below lists configuration parameters and descriptions for VLAN Sub-Interfaces:The table below lists configuration parameters and descriptions for VLAN Sub-Interfaces:


ZoneZone Select a zone to inherit zone settings from a pre-defined or customSelect a zone to inherit zone settings from a pre-defined or customuser-defined zone.user-defined zone.

V VLALAN N TTaagg Specify the VLAN ID for this sub-interface.Specify the VLAN ID for this sub-interface.

ParenParent It Interfacenterface Select a physical parent interface (X2, X3, etc...) for the VLAN.Select a physical parent interface (X2, X3, etc...) for the VLAN.

IP IP ConfigurConfigurationation Create an IP Create an IP address aaddress and Subnet Mand Subnet Mask in sk in accordance with yoaccordance with your networkur networkconfiguration.configuration.



DHCP Server ScopeDHCP Server Scope

TThe Dhe DHCP server assigns leaHCP server assigns leased IP sed IP addraddresseesses to s to userusers within specifs within specified rangied ranges, known aes, known as “s “ScScopes”. opes”. TThehedefault ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, fordefault ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, forinstance, a scope of instance, a scope of 200 a200 addresddresses foses for an interface that will r an interface that will onlonly use 3y use 30. Becau0. Because of se of this, this, DDHCP rangeHCP ranges muss musttbe set carbe set carefulefully ily in order to n order to ensurensure the avae the availilable lease able lease scope is nscope is not ot exhausexhausted.ted.

TThe DHCP he DHCP scope should be rescope should be resized as esized as each ach intinterface/erface/sub-sub-interfinterface ace is defis defined to ensure ined to ensure that adethat adequaquateteDDHCP space rHCP space remaemains fins for all subsequeor all subsequently defntly defined interfined interfaceaces. Fas. Faililure ure to do to do so may so may caucause the ase the auto-uto-creacreatiotionnof of subseqsubsequent DHuent DHCP scopes to fCP scopes to fail, requiring maail, requiring manuanual creal creatiotion after perfon after performing the rrming the requisite scope reequisite scope resizsizing.ing.DDHCP Server SHCP Server Scope is set fcope is set from therom theNetwork > DHCNetwork > DHCP SP Server erver page. page.

TThe table behe table below shows malow shows maxiximumum am alllloweowed Dd DHCP lHCP leaeases foses for Sr SonionicWcWAALL LL PRO PRO SSeries UTM aeries UTM applipplianceancess

SSonic Point Lonic Point Limitimit SeSelect the maximum lect the maximum numbenumber of r of SonicPoiSonicPoints to nts to be usebe used on td on thishisinterfinterfaceace. Belo. Below aw are the mare the maxiximum mum numbenumber of r of SonicPoiSonicPoints per interfnts per interfaceacebased based on your Sonion your SonicWALcWALL UTL UTM M hardwahardware:re:

•• PRO 2040 - 64 SonicPointsPRO 2040 - 64 SonicPoints

•• PRO 3060 - 96 SonicPoints (Limit of 64 per-interface)PRO 3060 - 96 SonicPoints (Limit of 64 per-interface)

•• PRO 4060 - 96 SonicPoints (Limit of 64 per-interface)PRO 4060 - 96 SonicPoints (Limit of 64 per-interface)



ManagemManagement Protocolent Protocolss SeSelect the prolect the protocotocols yols you wish to u wish to use wuse when mahen managnaging thiing this ints interface.erface.

Login ProtocolsLogin Protocols SeSelect the protolect the protocolcols you will make s you will make avaavaililable to cliable to clients wents who access ho access thisthissub-interface.sub-interface.


PPllaattffoorrmm MMaaxxiimmuum m DDHHCCP P LLeeaasseess

PPRRO O 22004400, , 33006600 11,,00224 4 lleeaasseess

PPRRO O 44006600, , 44110000, , 55006600 44,,00996 6 lleeaasseess



Virtual Access Points ProfilesVirtual Access Points Profiles

A A ViVirrttuuaal l AcAccceesss s PPooiinnt t PPrroofifile le aan n ooppttioionnaal l fefeaattuurre e tthhaat t aalllloowws s tthhe e aaddmmininisisttrraattoor r tto o pprree-c-coonnfifigguurre e aannd d ssaavveeaccess point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual Accessaccess point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual AccessPoints. Virtual Access Point Profiles are configured from thePoints. Virtual Access Point Profiles are configured from the SonSonicPoiicPoint > nt > ViVirtual Access Pointrtual Access Pointpage.page.

Virtual Access Point Profile SettingsVirtual Access Point Profile Settings

The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:


Radio TypeRadio Type SSet toet to SonicPointSonicPoint by default. Retain this default setting if using by default. Retain this default setting if usingSSonionicPointcPoints as as VAPs VAPs (currently the only supports (currently the only supported red radio type)adio type)

Profile NProfile Namamee Choose a friendly name for this VAP Profile. Choose somethingChoose a friendly name for this VAP Profile. Choose something

descrdescriptiiptive and eve and easy to remeasy to remember mber as yas you will ou will later apply this prolater apply this proffilile toe tonew new VAVAPs.Ps.

A Auutthheennttiiccaattiioon n TyTyppee Below is a list available authentication tBelow is a list available authentication types wypes witith descrh descriptiiptive fve feaeaturesturesand uses foand uses for eacr each:h:

W WEPEP

•• LoLowewer securityr security

•• For use wFor use with ith ololder legder legacy deacy devivicesces, PD, PDAAs, wireless printerss, wireless printers

W WPPA A

•• Good security (uses TKIP)Good security (uses TKIP)

•• For use wFor use with ith trusted corpotrusted corporate wrate wireless cliireless clientsents

•• Transparent authentication with Windows log-inTransparent authentication with Windows log-in

•• No No client soclient sofftwatware neere needed in most casesded in most cases

W WPPAA22

•• Best secuBest security (rity (uses AEuses AES)S)

•• For use wFor use with ith trusted corpotrusted corporate wrate wireless cliireless clientsents

•• Transparent authentication with Windows log-inTransparent authentication with Windows log-in

•• CliClient sofent softwatware install re install mamay be necessay be necessary iry in son some came casesses

•• SuSupports pports 802802.11i “.11i “FaFast Roaming” fst Roaming” feaeatureture

•• No backend authentication needed after first log-in (allows forNo backend authentication needed after first log-in (allows forffasteaster roaming)r roaming)

W WPPAA22-A-AUUTOTO

•• Tries to connect using WPA2 security, if the client is not WPA2Tries to connect using WPA2 security, if the client is not WPA2capable, the connection will default to WPA.capable, the connection will default to WPA.



WPA-PSK / WPA2-PSK Encryption SettingsWPA-PSK / WPA2-PSK Encryption Settings

Pre-Pre-SSharehared Kd Key (PSK) ey (PSK) is available wheis available when using WPn using WPA A or WPA2. Tor WPA2. This solhis solutioution utiln utilizizes a es a shareshared keyd key..

WPA-EAP / WPA2-EAP Encryption SettingsWPA-EAP / WPA2-EAP Encryption Settings

Extensible AuthenticaExtensible Authentication tion Protocol Protocol (E(EAPAP) i) is as availabvailable whle when uen using Wsing WPA or WPA2. TPA or WPA2. This solutiohis solution utilizn utilizes aes annexteexternarnal 802.1x/l 802.1x/EAEAP capaP capable RADble RADIIUS sUS serveerver fr for key gor key geneeneraration.tion.

Shared / Both (WEP) Encryption SettingsShared / Both (WEP) Encryption Settings

WEP WEP is proviis provided for use with legaded for use with legacy decy devices that do not vices that do not suppsupport tort the nehe newwer WPer WPAA// WPWPA2 encryptionA2 encryptionmemethods. Tthods. This solhis solutioution utiln utilizizes a es a shareshared keyd key..

Unicast CiUnicast Ciphepher r TThe unicast cipher whe unicast cipher wilill be automatically chosen based on thel be automatically chosen based on theautheauthenticatintication type.on type.

MuMulticast lticast Cipher Cipher TThe mhe multiulticast cipher wcast cipher wilill be automatically chosen based on thel be automatically chosen based on theautheauthenticatintication type.on type.

Maximum Maximum CliClientsents ChooChoose the mse the maximum aximum numbenumber of r of concurrent client coconcurrent client connectionsnnectionspermissible for this virtual access point.permissible for this virtual access point.



Pass PhrasePass Phrase TThe sharehe shared passphrad passphrase userse users will s will enter wenter when connecting with hen connecting with PSKPSK--basebaseddauthentication.authentication.

Group KeGroup Key Iy Intervalnterval TThe time he time period (iperiod (in secn seconds) during wonds) during which the WPhich the WPAA// WPA2 grWPA2 group key oup key is enfis enforcedorcedto to be updabe updated.ted.


Radius Server 1Radius Server 1 TThe nahe nameme// location olocation of f your Rayour Radius audius authenticathenticatiotion serven serverr

RadiRadius Server 1 us Server 1 PortPort TThe port on which your Radius auhe port on which your Radius authenticatiothentication server commn server communicates wunicates witith clih clientsentsand network devices.and network devices.

RadiRadius Server 1 Sus Server 1 Secretecret TThe sehe secret pascret passcode fscode for your Radius authentication serveror your Radius authentication server

RadiRadius Server 2us Server 2 TThe nahe nameme// location location of of your bayour backuckup Radius ap Radius autheuthentication serverntication server

RadiRadius Server 2 us Server 2 PortPort TThe port ohe port on which your backun which your backup Radius aup Radius authenticatithentication server communicateon server communicates withs with

clients clients and netwand network deviork devicesces..RadiRadius Server 2 us Server 2 SecretSecret TThe seche secret passcode foret passcode for your backup Rar your backup Radius authenticatiodius authentication servern server

Group KeGroup Key Iy Intervalnterval TThe time he time period (iperiod (in secn seconds) during wonds) during which the WPhich the WPAA// WPA2 group kWPA2 group key is eey is enfnforcedorcedto to be updabe updated.ted.


EEncryption Kencryption Key y Select the key to use for WEP connections to this VAP. WEP encryption keys areSelect the key to use for WEP connections to this VAP. WEP encryption keys are

confconfigureigured in thed in theSonSonicPoiicPoint > Snt > SonicPoionicPointsntspage underpage underSonicPointSonicPointProvisioning ProfilesProvisioning Profiles..



Virtual Access PointsVirtual Access Points

The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configuredThe VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configuredthrough VAP Sethrough VAP Settittingsngs. V. Virtirtual Access Points are ual Access Points are confconfigureigured frod from them theSonSonicPoiicPoint > nt > ViVirtual Access Pointrtual Access Pointpage.page.

General VAP SettingsGeneral VAP Settings

Advanced VAP SettingsAdvanced VAP Settings

Ad Advvaanncceed d sseettttininggs s aalllolowws s tthhe e aaddmmiinniissttrraattoor r tto o ccoonnfifigguurre e aauutthheennttiiccaattiioon n aannd d eennccrryyppttioion n sseettttiinnggs s fofor r tthhiissconnection. Choose aconnection. Choose aProfilProfile e NameNameto to inherit tinherit these hese settings fsettings from a userom a user crear created profted profilile. Se. Seeee“Virtual“Virtual

Ac Accceesss s PPooiinntts s PPrroofifilleess” ” sseeccttiion on on on ppaagge e 1144 for complete authentication and encryption configuration for complete authentication and encryption configurationinformation.information.


SSIDSSID CreaCreate a fte a friendly name foriendly name for your VAr your VAPP..

V VLALAN N IDID Select a VLAN ID to associate this VAP with.Select a VLAN ID to associate this VAP with.

EEnanable Vible Virtuartuall A Acccceesss s PPooiinntt

Enable or disable this VAP.Enable or disable this VAP.

EEnable nable SSSSIIDDSuppressSuppress

SuSuppresseppresses broadcasting of s broadcasting of the SSthe SSIID D namname and disables responses to pe and disables responses to proberoberequrequests. Cheests. Check this optck this optioion if n if you do not wish fyou do not wish for your Sor your SSSIID D to be seeto be seen byn by

unauunauthorithorized wireless clients.zed wireless clients.



Virtual Access Point GroupsVirtual Access Point Groups

The VAThe VAP GP Group featurroup feature ae allollows for grouping of multiple VAws for grouping of multiple VAP objP objects to be simuects to be simultaneltaneously applied to yourously applied to yourSonicPoint(s). Virtual Access Point Groups are configured from theSonicPoint(s). Virtual Access Point Groups are configured from theSonSonicPoiicPoint > nt > ViVirtual Access Pointrtual Access Pointpage.page.

Sonic Point Provisioning ProfilesSonic Point Provisioning Profiles

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring andSonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring andprovisioniprovisioning mng multiple SonicPoints across a Distributed Wireleultiple SonicPoints across a Distributed Wireless Ass Archrchitecturitecture. Se. SonicPoint onicPoint ProfProfile defiile definitionitionsnsinclinclude ude all of all of the settings that cathe settings that can be confin be configugured red on a Son a SonionicPointcPoint, such a, such as ras radio settdio settings foings for the 2.4GHz r the 2.4GHz andand5GHz 5GHz raradios, SSdios, SSIIDD’s’s, , anand chad channennels ols of f operaoperation.tion.

OOnce ynce you have dou have defiefined a ned a SonicPoiSonicPoint profnt profilile, you cae, you can apply it to n apply it to a Wireless a Wireless zozone. Each Wireless zone cane. Each Wireless zone can ben beconfigured with one SonicPoint profile. Any profile can apply to any number of zones. Then, when aconfigured with one SonicPoint profile. Any profile can apply to any number of zones. Then, when aSonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone.SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone.

SonicOS includes a default SonicPoint profile, named SonicPoint. You can modify this profile or create aSonicOS includes a default SonicPoint profile, named SonicPoint. You can modify this profile or create anew new one.one.

The default SonicPoint profile has the following settings:The default SonicPoint profile has the following settings:

880022..1111a a RRaaddiioo 880022..1111g g RRaaddiioo

EEnablnable 80e 802.112.11aa RadioRadio

Ye Yes s - A- Alwlwaayys s oonn EEnablnable 80e 802.112.11gg RadioRadio

Ye Yes s - A- Allwwaayys s oonn

SSIDSSID SonicWALLSonicWALL SSIDSSID SonicWALLSonicWALL

Radio ModeRadio Mode 54Mbps - 802.11a54Mbps - 802.11a Radio ModeRadio Mode 2.4 G2.4 GHz 54Mbps - 802.11gHz 54Mbps - 802.11g

ChannelChannel Au AuttooCChhaannnneell ChannelChannel Au AuttooCChhaannnneell

A ACCL L EnEnffoorrcceemmeenntt DisabledDisabled A ACCL L EnEnffoorrcceemmeenntt DisabledDisabled

A Auutthheennttiiccaattiioonn

TypeType

WEP - BothWEP - Both

OOpen System & Spen System & Shared Khared Keyey

A Auutthheennttiiccaattiioonn

TypeType

WEP - BothWEP - Both

OOpen System & Spen System & Shared Keyhared KeySchSchedule Iedule IDS ScanDS Scan DisabledDisabled SchSchedule Iedule IDS ScanDS Scan DisabledDisabled

Thinking Critically About VAPsThinking Critically About VAPs


Thinking Critically About VAPsThinking Critically About VAPsTThis sectiohis section provin provides content to des content to help determine whelp determine what your VAP hat your VAP requrequiremeirements are ants are and how to apply tnd how to apply theseheserequirements to a useful VAP configuration. This section contains the following sub-sections:requirements to a useful VAP configuration. This section contains the following sub-sections:

•• ““DDetermining Your VAP Needs” sectioetermining Your VAP Needs” section on pagn on page 1e 188

•• “A Sam“A Sample Network” ple Network” section section on page 18on page 18

•• ““DDetermining Setermining Secuecurity Confrity Configuraiguratiotions” sections” section on pagn on page 1e 199

•• “VAP Configuration Worksheet” section on page 19“VAP Configuration Worksheet” section on page 19

Determining Your VAP NeedsDetermining Your VAP Needs

When decWhen decidiiding how to confng how to configure igure your VAyour VAPs, begin by considering your commuPs, begin by considering your communicationication needsn needs, parti, particularly:cularly:

•• How maHow many difny difffereerent classes of nt classes of wireless wireless userusers do I s do I neeneed to suppod to support?rt?

•• How do I How do I wawant to nt to secursecure these de these dififffereerent clnt classeasses of s of wireless uwireless users?sers?

–– DDo o my wmy wireless cliireless client have the requent have the required hardwired hardware aare and drivers to nd drivers to support support the chosen securitythe chosen securitysettings?settings?

•• What network resources do my wWhat network resources do my wirelireless users ess users need to communineed to communicate wcate witith?h?

–– DDo any oo any of f these wthese wireless users neireless users need to ed to commucommunicate with onicate with other wireless usether wireless users?rs?

•• What secuWhat security servrity services do I ices do I wish to apply twish to apply to each of o each of these classethese classes or wireless uses or wireless users?rs?

A Sample NetworkA Sample Network

TThe fohe follllowing owing is a sis a samample VAP network confple VAP network configuraiguratiotion, describing fivn, describing five se separeparate ate VAPVAPs:s:

•• V VAAP P ##11, , CCoorrppoorraatte e WWiirreelleesss s UUsseerrss– A set of users who are commonly in the office, and to whom– A set of users who are commonly in the office, and to whom

should be given fshould be given full ull accaccess to all ess to all netwnetwork resourceork resources, provis, providing that the connectioding that the connection is authenticated an is authenticated andndsecursecure. Te. These hese users users alreaalready belong to the network’dy belong to the network’s Ds Directory Service, Microsofirectory Service, Microsoft At Active Dctive Directory,irectory,whwhich provides an EAich provides an EAP iP internterffacace througe through Ih IAS – AS – IInternenternet At Autheuthentication Sentication Servicesrvices

•• V VAAPP##22, , LeLeggaaccy y WWirireelleesss s DDeevviicceess– – A A collection collection of of older wolder wirelesireless devicess devices, such as pr, such as printersinters, PD, PDAs As andandhandhehandheld devices, that are ld devices, that are onlonly cay capable of pable of WEP WEP encryption.encryption.

•• V VAAPP##33, , VViissiittiinng g PPaarrttnneerrss– Business partners, clients, and affiliated who frequently visit the office,– Business partners, clients, and affiliated who frequently visit the office,and wand who need acceho need access to ss to a limita limited set of ed set of trusted network restrusted network resourcesources, as well as the I, as well as the Internet. Tnternet. These ushese usersersare are not not lolocated in the company’cated in the company’s Ds Directorirectory Sy Serviervicesces..

•• V VAAPP# # 44,, Guest UsersGuest Users– – VVisiisititing ng cliclients to whom ents to whom you wyou wish to provish to provide aide access ccess onlonly to untrusted (e.gy to untrusted (e.g..IInternetnternet) network resources. Some g) network resources. Some guest users wuest users wilill be provl be provided a simple, tided a simple, temporary username emporary username andandpasswpassword ford for access.or access.

•• V VAAPP##55, , FFrreeqquueennt t GGuueesst t UUsseerrss – – SaSame ame as Gs Guest Users, however, these users wuest Users, however, these users wilill have morel have morepermanent guepermanent guest accountst accounts thros through a ugh a back-back-end databaend database.se.

Data RateData Rate BestBest Data RateData Rate BestBest

A Anntteennnna a DiDivveerrssiitty y BestBest A Anntteennnna a DiDivveerrssiitty y BestBest



Determining Security ConfigurationsDetermining Security Configurations

UndersUnderstanding these tanding these requrequiremeirements, you can then defints, you can then define the Zone the Zones (and interfnes (and interfaceaces) and VAPs) and VAPs that wills that willproviprovide wde wireless serviireless services to tces to these uhese users:sers:

•• Corp WirelessCorp Wireless – – Highly trusteHighly trusted wd wirelesireless Zos Zonene. E. Employs Wmploys WPA2-APA2-AUTOUTO--EAEAP secuP securityrity. WiFiSe. WiFiSec (WPA)c (WPA)Enforced.Enforced.

•• W WEP EP & & PPSSK K – – ModerModerate ate trust wireless trust wireless ZZone. Comprises twone. Comprises two vio virtual APrtual APs as and sub-ind sub-interfaces, one nterfaces, one ffororlegalegacy WEP devicy WEP devices (eces (e.g. w.g. wireless printers, older handheireless printers, older handheld devices) and one fld devices) and one for vior visitisiting cng clilients wents who willho willuse use WPA-WPA-PSK security.PSK security.

•• W WGGSS – – Wireless GWireless Guest Suest Services Zervices Zone, using the intone, using the internal WGS user dernal WGS user databaatabase.se.

•• LHLHMM – – LiLightwghtweight Hotspoeight Hotspot Mest Messagsaging enaing enabled Zbled Zone, confone, configureigured to use external LHMd to use external LHMautheauthentintication-cation-bacback-k-end end serverserver..

VAP Configuration WorksheetVAP Configuration Worksheet

TThe whe worksheet on the forksheet on the folollolowing wing pagpage provides some ce provides some common VAommon VAP setup queP setup questiostions and ns and solsolutioutions along wns along witithha spaa space foce for you to record your own confr you to record your own configuraiguratiotions.ns.



QQuueessttiioonnss EExxaammpplleess SSoolluuttiioonnss

HHow mow many diffany different types of userserent types of users w wiilll l I I nneeeed d tto o ssuuppppoorrtt??

CorpoCorporate wrate wireless, gueireless, guest accessst access, , vivisitisitingngpartnerspartners, , wireleswireless devis devices arces are all e all commoncommonuser types, eauser types, each requiring their och requiring their own VAPwn VAP

Plan out the number of different VAPsPlan out the number of different VAPsneeneededed. Confd. Configuigure a re a ZZone aone and VLnd VLAAN fN fororeach VAP neededeach VAP needed

Y Yoouur r CCoonnffiigguurraattiioonnss::

HHow mow many users will any users will each VAP needeach VAP needto support?to support?

A A ccoorrppororaatte e ccaammppuus s hhaas s 11000 0 eemmppllooyyeeeess, , aallllof of whom hawhom have wireve wireless capaless capabilbilititiesies

The DHCP scope for the visitor Zone isThe DHCP scope for the visitor Zone isset to set to proviprovide at least 100 ade at least 100 addressddresseses

A A ccoorrppoorraatte e ccaammppuus s ooftfteen n hhaas s a a fefew w ddoozzeennwireless cwireless capaapable vible visitositorsrs

The DHCP scope for the visitor Zone isThe DHCP scope for the visitor Zone isset to set to proviprovide at least 25 addrede at least 25 addressessses


HHow do I want to secure differentow do I want to secure different w wiirreelleesss s uusseerrss??

A A ccoorrppoorraatte e uusseer r wwhho o hhaas s aacccceesss s ttoocorporate LAcorporate LAN resourcesN resources..

ConfiguConfigure WPre WPA2-A2-EAEAPP

A A gguueesst t uusseer r wwhho o is is rreessttrriicctteed d tto o oonnllyyinternet internet acceaccessss

Enable WGEnable WGS S but confbut configure igure no securityno securitysettingssettings

A A lleeggaaccy y wwiirreelleesss s pprrinintteer r oon n tthhe e ccoorrppoorraatteeLALANN

ConfConfigure WEP and enable Migure WEP and enable MAC AC addraddressessfilteringfiltering


W Whhaat t nneettwwoorrk k rreessoouurrccees s ddo o mmy y uusseerrssneed to commneed to communicatunicate with?e with?

A A ccoorrppoorraatte e uusseer r wwhho o nneeeedds s aacccceesss s tto o tthheecorporate LAN and all internal LANcorporate LAN and all internal LANresourceresources, incls, including other WLAuding other WLAN usersN users..

Enable Interface Trust on yourEnable Interface Trust on yourcorporate zone.corporate zone.

A A wwiirreelelesss s gguueesst t wwhho o nneeeedds s tto o aacccceessssinternet and should not internet and should not be abe alllloweowed tod tocommucommunicate with otnicate with other WLAher WLAN usersN users..

Disable Interface Trust on yourDisable Interface Trust on yourguest guest zozone.ne.


VAP Sample ConfigurationsVAP Sample Configurations


VAP Sample ConfigurationsVAP Sample ConfigurationsTThis sectiohis section provin provides des confconfiguraiguratiotion exan examples bamples based sed on real-on real-wworlorld wd wireless neireless needseds. T. This sectiohis section contains then contains thefollowing sub-sections:following sub-sections:

•• “Configuring a VAP for Guest Access” section on page 21“Configuring a VAP for Guest Access” section on page 21

•• “Configuring a VAP for Corporate Users” section on page 29“Configuring a VAP for Corporate Users” section on page 29

•• “Deploying VAPs to a SonicPoint” section on page 34“Deploying VAPs to a SonicPoint” section on page 34

Configuring a VAP for Guest AccessConfiguring a VAP for Guest Access

Yo You u ccaan n uusse e a a GuGueesst t AcAccceesss s VVAP AP fofor r vviissiittiinng g ccllieienntts s tto o wwhhoom m yyoou u wwiissh h tto o pprroovviidde e aacccceesss s oonnlly y tto o uunnttrruusstteedd(e.g(e.g. . IInternet) network resourcesnternet) network resources. . GGuest users wuest users wilill l be provibe provided a simple, tded a simple, tememporary usernaporary username ame and passwnd passwordordffor accesor access. More as. More advancedvanced confd configuraiguratitions also ons also ofofffer mer more permaore permanent gunent guest accounts, verifest accounts, verified through aied through aback-back-end databaseend database..

This section contains the following sub-section:This section contains the following sub-section:

•• “Configuring a Zone” section on page 21“Configuring a Zone” section on page 21

•• “Creating a Wireless LAN (WLAN) Interface” section on page 24“Creating a Wireless LAN (WLAN) Interface” section on page 24

•• “Creating a VLAN Sub-Interface on the WLAN” section on page 25“Creating a VLAN Sub-Interface on the WLAN” section on page 25

•• “Configuring DHCP IP Ranges” section on page 26“Configuring DHCP IP Ranges” section on page 26

•• “Creating a SonicPoint VAP Profile” section on page 27“Creating a SonicPoint VAP Profile” section on page 27

•• “Creating the SonicPoint VAP” section on page 28“Creating the SonicPoint VAP” section on page 28

Configuring a ZoneConfiguring a Zone

IIn thin this section yos section you will u will creacreate and confte and configure igure a new a new wireless zone with guewireless zone with guest lst login capabilitogin capabilities.ies.

Step 1Step 1 LoLog into tg into the mhe manaanagegemement int interface of nterface of your Syour SonionicWcWAALL LL UTUTM aM applipplianceance..

Step 2Step 2 IIn the left-n the left-hand hand memenu, nanu, navivigagate to thete to theNetwork > ZonesNetwork > Zones page. page.

Step 3Step 3 Click theClick the A Adddd...... butto button to n to add a add a new new zozone.ne.

General Settings TabGeneral Settings Tab

Step 1Step 1 In theIn theGeneralGeneraltab, enter a friendly name such as “VAP-Guest” in thetab, enter a friendly name such as “VAP-Guest” in the NameNamefield.field.

W Whhaat t sseeccuurriitty y sseerrvvicicees s tto o I I wwiissh h ttooapply apply to mto my users?y users?

CorpoCorporate userate users who you rs who you wawant pront protected bytected bythe full SonicWALL security suite.the full SonicWALL security suite.

Enable all SonicWALEnable all SonicWALL security services.L security services.

GuesGuest ut usesers rs wwho hho haave ve no LAN ano LAN accccesesss.. DisaDisable ble aall Sll SoniconicWWALL seALL secucurity rity seservicervicess..

Y Yoouur r CCoonnffigiguurraattiioonnss::

QQuueessttiioonnss EExxaammpplleess SSoolluuttiioonnss



Step 2Step 2 SelectSelect W Wiirreelleessss from the from the SSecurecurity ity TyTypepe drop- drop-down medown menu.nu.

Step 3Step 3 De-select theDe-select the A Alllloow w InIntteerrffaacce e TTrruusstt checkbox t checkbox to o disallodisallow commw communicatiounication betwen between wireless gen wireless guestsuests..

Wireless Settings TabWireless Settings Tab

Step 1Step 1 In theIn the W Wiirreelleessss tab, check thetab, check theOnlOnly allow traffiy allow traffic genec generated by a rated by a SoSonicPoinicPointnt checkbox. checkbox.

Step 2Step 2 Un-check all other options in this tab.Un-check all other options in this tab.

Step 3Step 3 Select a provisioning profile from theSelect a provisioning profile from the SSonicPoint Provisioning ProfilonicPoint Provisioning Profilee drop-down menu. The default drop-down menu. The defaultprofile isprofile isSonicPointSonicPoint. I. In thin this cass case, we, we see selected a lected a pre-created cpre-created custom profustom profilile,e,SonicPoint-VAPSonicPoint-VAP. For more. For moreinformation on creating your own custom SonicPoint Provisioning Profile, seeinformation on creating your own custom SonicPoint Provisioning Profile, see “Creating a “Creating a SonicPoiSonicPointntProvisioning Profile” section on page 35Provisioning Profile” section on page 35..



Guest Services TabGuest Services Tab

Step 1Step 1 In theIn theGuest SGuest Serviervicesces tab, check the tab, check theEEnable Wnable Wireless Gireless Guest Suest Serviervicesces checkbox. checkbox.

NoteNote IIn the fn the folollowing examlowing example, steps 2 through 7 ple, steps 2 through 7 are are optioptional, tonal, they only represehey only represent a typical guent a typical guest VAst VAPPconfconfiguratiiguration usion using wng wirelireless gess guest serviuest services. Sces. Steps 2 and 7teps 2 and 7, however, are , however, are recommended.recommended.

Step 2Step 2 Check theCheck theEEnanable Dyble Dynamnamic ic AddresAddress Translats Translation (DAion (DATT)) chec checkbox tkbox to allo allow gow guest useuest users frs fullullcommucommunicationication with addressen with addresses outsis outside the lode the local netwcal network.ork.

Step 3Step 3 Check theCheck theCustom AuthenCustom Authentictication Pageation Page checkbox and click the checkbox and click theConfigureConfigurebutton to configure a custombutton to configure a customheaheader ader and fnd fooooter fter for your guest login or your guest login pagpage.e.

Step 4Step 4 Click theClick theOOKKbuttbutton ton to save these chao save these changes.nges.

Step 5Step 5 Check theCheck thePost Authentication PagePost Authentication Page checkbox and enter a checkbox and enter a URL URL to to redirecredirect wireless gut wireless guests to ests to aftafter login.er login.

Step 6Step 6 Check theCheck thePass NetworksPass Networks chec checkbox tkbox to coo confnfigure a igure a wewebsite (bsite (such asuch as your corpos your corporate srate sitite) that you wish toe) that you wish toallow user acallow user access to withocess to without being lout being logggging in ing in to to gueguest servist servicesces..



Step 7Step 7 EntEnter the mer the maximum aximum numbenumber of r of guguests this VAests this VAP will P will support isupport in then theMax GuestsMax Guests field. field.

Step 8Step 8 Click theClick theOOK K butto button to sn to save these chaave these changes.nges. Yo Youur r nneew w ZoZonne e nnoow w aappppeeaarrs s aat t tthhe e bboottttoom m oof f tthheeNetwork > ZonesNetwork > Zonespagpage, although you mae, although you may notiy notice it ice it issnot yet lnot yet linked to a Meinked to a Membember Ir Interfnterfaceace. T. This ihis is your next step.s your next step.

Creating a Wireless LAN (WLAN) InterfaceCreating a Wireless LAN (WLAN) Interface

In this section you will configure one of your ports to act as a WLAN. If you already have a WLANIn this section you will configure one of your ports to act as a WLAN. If you already have a WLANconfigured, skip to theconfigured, skip to the “Creating a Wireless LAN (WLAN) Interface” section on page 24“Creating a Wireless LAN (WLAN) Interface” section on page 24..

Step 1Step 1 In theIn theNetwork > InterfacesNetwork > Interfaces page page, cl, click theick the ConfigureConfigure icon corresponding to the interface you wish toicon corresponding to the interface you wish to

use ause as a WLAs a WLAN. TN. The Ihe Interface Senterface Settittings screngs screen displays.en displays.Step 2Step 2 SelectSelect W WLALANN from the from the ZoneZone drop-down list. drop-down list.



Step 3Step 3 EntEnter the deser the desiredired IP IP AddresAddresss for this interface. for this interface.

Step 4Step 4 In theIn theSSonicPoint LonicPoint Limitimit drop-down menu, select a limit for the number of SonicPoints. This defines the drop-down menu, select a limit for the number of SonicPoints. This defines thetotal number of SonicPoints your WLAN interface will support.total number of SonicPoints your WLAN interface will support.

NoteNote TThe mahe maxiximum mum numbenumber of r of SonicPoiSonicPoints depends on how mants depends on how many are ny are attacheattached to yod to your platfur platform. Reform. Refer to theer to the“Custom VLAN Settings” section on page 12“Custom VLAN Settings” section on page 12 to view the maximum number of SonicPoints for your to view the maximum number of SonicPoints for your

platform.platform.

Step 5Step 5 Click theClick theOK OK button t button to save chao save changenges to ts to this ihis interface.nterface.

Yo Youur r WWLALAN N inintteerrfafacce e nnoow w aappppeeaarrs s in in tthheeIInterface Snterface Settingsettings list. list.

Creating a VLAN Sub-Interface on the WLANCreating a VLAN Sub-Interface on the WLAN

IIn this section you will crean this section you will create ate and confind configugure a re a new new VLVLAN AN sub-interfsub-interfacace on your cue on your currerrent WLAnt WLAN. TN. This Vhis VLALANNwill be lwill be linked to tinked to the Zohe Zone you crene you created in theated in the“Configuring a Zone” section on page 21“Configuring a Zone” section on page 21..

Step 1Step 1 In theIn theNNetwork etwork > Interfaces> Interfaces page page, cl, click theick the A Addd d InIntteerrffaacceebutton.button.

Step 2Step 2 In theIn theZoneZone drop- drop-down medown menu, select the Znu, select the Zone you creaone you created in “ted in “ConfConfiguring a iguring a ZZone, page 2one, page 211””. In this case,. In this case,

we hawe have chove chosensen V VAAPP-G-Guueesstt..

Step 3Step 3 EntEnter aer a V VLALAN N TTaagg f for this ior this internterffaacece. T. This numhis number ber allows the allows the SSonicPoint(onicPoint(s) to s) to identifidentify wy which trahich traffffic belongsic belongsto the “VAP-Guest” VLAN. You should choose a number based on an organized scheme. In this case, weto the “VAP-Guest” VLAN. You should choose a number based on an organized scheme. In this case, wechoosechoose220000 as our tag for the VAP-Guest VLAN. as our tag for the VAP-Guest VLAN.

Step 4Step 4 In theIn theParenParent It Interfacenterface drop- drop-down mdown menu, seenu, select the intlect the interface that your Serface that your SonionicPointcPoint(s) are physica(s) are physicallllyyconnected to. Iconnected to. In thin this cases case, we ar, we are usinge usingXX22, which is our WLAN interface., which is our WLAN interface.

Step 5Step 5 EntEnter the deser the desiredired IP IP AddresAddresss for this sub-interface. for this sub-interface.



Step 6Step 6 SSelecelect a lit a limit fmit for the numbor the number of er of SSonicPoints onicPoints ffrom therom theSSonicPoint LionicPoint Limmitit drop- drop-down mdown menu. Thienu. This des deffines theines themamaxiximumum numm number of ber of SonicPoiSonicPoints thints this ints interface werface wilill suppol support and allows frt and allows for appropriate addror appropriate address spaess spaceceallocation to the SonicPoints.allocation to the SonicPoints.

Step 7Step 7 OOptioptionally, you manally, you may add y add a comma comment about this sub-ent about this sub-interfinterface ace in thein theCommentComment field. field.

Step 8Step 8 Click theClick theOOK K button to add this Sub-Interface. button to add this Sub-Interface. Yo Youur r VLVLAN AN ssuubb-i-inntteerrfafacce e nnoow w aappppeeaarrs s iin n tthheeIInterface Snterface Settingsettings list. list.

Configuring DHCP IP RangesConfiguring DHCP IP Ranges

BecaBecause the use the numbenumber of r of avaavaililable DHCP able DHCP leaseleases vary bas vary based on your platfsed on your platform, torm, the DHhe DHCP scope should beCP scope should beresized aresized as eas each interfch interfaceace// sub-sub-intinterface is defierface is defined to ensure ned to ensure that adethat adequaquate Dte DHCP space reHCP space remamains fins for allor allsubsesubsequequentlntly dey deffined interfined interfaceaces. To vis. To view ew the mathe maximum nuximum number mber of of DDHCP lHCP leaeases foses for your Sr your SonionicWcWAALL LL PROPROseries UTM applianceseries UTM appliance, ref, refer to theer to the “D“DHCP Server SHCP Server Scope” secticope” section oon on pagn page 13e 13..

Step 1Step 1 In the left-hand menu, navigate to theIn the left-hand menu, navigate to theNetwork > DHNetwork > DHCP Server CP Server page. page.

Step 2Step 2 LoLocate the cate the interfinterface ace you just created, in our case you just created, in our case thithis is the Xs is the X2:V2:V200 200 (v(virtirtual interfual interface ace 200 200 on the physicalon the physicalX2 interface) interface. Click theX2 interface) interface. Click theConfigureConfigure icon co icon corresponding to the desired interface.rresponding to the desired interface.

NoteNote IIf f the intthe interface you creerface you created does not appeaated does not appear on tr on theheNetwork > DHCNetwork > DHCP SP Server erver pag page, it is poe, it is possible thatssible that y yoou u hhaavve e aallrreeaaddy y eexxcceeeeddeed d tthhe e nnuummbbeer r of of aalllloowweed d DHDHCCP P lleeaassees s fofor r yyoouur r SSoonnicicWWALALL. L. FFoor r mmoorreeinformation on DHCP lease exhaustion, refer to theinformation on DHCP lease exhaustion, refer to the ““DDHCP Server SHCP Server Scope” sectiocope” section on page n on page 1313..



Step 3Step 3 Edit theEdit theRange StartRange Start and andRange EndRange End f fields tields to meet your deploymeo meet your deployment needsnt needs


Yo Youur r nneew w DHDHCCP P lleeaasse e ssccooppe e nnoow w aappppeeaarrs s in in tthhe e DHDHCCP P SSeerrvveer r LeLeaasse e SSccooppees s lliisstt..

Creating a SonicPoint VAP ProfileCreating a SonicPoint VAP Profile

IIn this n this sesection, ction, you wyou will ill crecreate aate and confnd configuigure a nre a new ew ViVirtuartual Al Acceccess Point Pss Point Profrofile. Yile. You can crou can creaeate VAP te VAP ProfProfilesilesffor eacor each type of h type of VAVAPP, and use , and use them to eathem to easilsily apply ay apply advancedvanced settings to new Vd settings to new VAAPs. TPs. This sectiohis section is on is optioptional,nal,but will but will ffacilitacilitate gate greareater eater ease of se of use wuse when confhen configuring miguring multiultiple VAPple VAPs.s.

Step 1Step 1 IIn the left-n the left-hand hand memenu, nanu, navivigagate to thete to theSonSonicPoiicPoint > nt > ViVirtual Access Pointrtual Access Point page. page.

Step 2Step 2 Click theClick the A Adddd...... button in the button in the V Virirttuuaal l AAcccceesss s PPooinint t PPrrooffiilleesssection.section.

Step 3Step 3 EntEnter aer aProfile NProfile Namamee such a such as “Gs “Gueuest” fst” for this VAor this VAP ProfP Profile. Tile. This profhis profile namile name doee does not have s not have to be the sato be the samemeas your VAP as your VAP namename..

Step 4Step 4 ChooChoose ase ann A Auutthheennttiiccaattiioon n TyTyppee. . For unsecurFor unsecured gued guest acceest access, we css, we choohoose “Ose “Open”.pen”.

Step 5Step 5 Click theClick theOK OK button to create this VAP Profile. button to create this VAP Profile.



Creating the SonicPoint VAPCreating the SonicPoint VAP

IIn this section this section, you will create an, you will create and confnd configure igure a nea new w VVirtual Airtual Access ccess PoiPoint and ant and associate it with the Vssociate it with the VLALAN youN youcreated increated in“Creating a VLAN Sub-Interface on the WLAN” section on page 25“Creating a VLAN Sub-Interface on the WLAN” section on page 25..

Step 1Step 1 In the left-hand menu, navigate to theIn the left-hand menu, navigate to theSonSonicPoiicPoint > nt > ViVirtual Access Pointrtual Access Point page. page.

Step 2Step 2 Click theClick the A Adddd...... button in the button in the V Virirttuuaal l AAcccceesss s PPooiinnttsssection.section.

Step 3Step 3 EntEnter a deer a deffault name (ault name (SSIDSSID) for the VAP. In this case we chose) for the VAP. In this case we chose V VAAPP-G-Guueesstt, t, the samhe same name name as the Ze as the Zone toone towhich it will which it will be abe associated.ssociated.

Step 4Step 4 SeSelect tlect thehe V VLALAN N IDID you created in you created in“V“VLALAN SuN Sub-b-IInternterffacaceses” section on pag” section on page 12e 12from the drop-down list. Infrom the drop-down list. Inthithis case ws case we chosee chose220000, the VLAN ID of our VAP-Guest VLAN., the VLAN ID of our VAP-Guest VLAN.

Step 5Step 5 Check theCheck theEEnanable Vible Virtuartual Al Access Pointccess Point chec checkbox tkbox to enable this acceo enable this access point ss point upon creaupon creatition.on.

Step 6Step 6 Click theClick the A Addvvaanncceed d TTaabb to edit encryption settings. If you created a VAP Profile in the previous section,to edit encryption settings. If you created a VAP Profile in the previous section,select that profile from theselect that profile from theProfile NProfile Namamee li list. We st. We creacreated ated and choose a “Gnd choose a “Guest” profuest” profilile, we, which useshich usesopenopen as the auas the authenticatithentication method.on method.

Step 7Step 7 Click theClick theOOK K button to add this VAP. Your new VAP now appears in the Virtual Access Points list. button to add this VAP. Your new VAP now appears in the Virtual Access Points list.

Now that you have Now that you have succesuccessfssfully set up your Gully set up your Guest confuest configuraiguratition, yoon, you cau can choose to n choose to add madd more custom VAPs,ore custom VAPs,or to deploy this configuration to your SonicPoint(s) in theor to deploy this configuration to your SonicPoint(s) in the “Deploying VAPs to a SonicPoint” section on“Deploying VAPs to a SonicPoint” section onpage 34page 34..

Timesaver Timesaver RemeRemember that more VAmber that more VAPs can always be aPs can always be added at a later tidded at a later time. New VAPme. New VAPs can then be depls can then be deployedoyedsimusimultaneoultaneously to sly to all of all of your Syour SonicPoints by fonicPoints by follollowing owing the stepthe steps in ts in thehe“Deploying VAPs to a SonicPoint”“Deploying VAPs to a SonicPoint”

section osection on page 3n page 344..



Configuring a VAP for Corporate UsersConfiguring a VAP for Corporate Users

Yo You u ccaan n uusse e a a CCoorrppoorraatte e LALAN N VVAP AP fofor r a a sseet t oof f uusseerrs s wwhho o aarre e ccoommmmoonnlly y in in tthhe e ooffifficcee, , aannd d tto o wwhhoom m sshhoouuldldbe gbe given fiven full ull accaccess to all ess to all netwnetwork resourcesork resources, prov, providiiding that the connection ng that the connection is authenticated and seis authenticated and securecure..TThese hese userusers ws would already beould already belolong to the netwng to the network’s Diork’s Directory Serectory Servirvice, Mce, Microsoicrosofft At Active Dctive Directorirectoryy, which, whichprovides an EAP interface through IAS – Internet Authentication Servicesprovides an EAP interface through IAS – Internet Authentication Services

This section contains the following sub-section:This section contains the following sub-section:

•• “Configuring a Zone” section on page 29“Configuring a Zone” section on page 29 •• “Creating a VLAN Sub-Interface on the WLAN” section on page 30“Creating a VLAN Sub-Interface on the WLAN” section on page 30

•• “Configuring DHCP IP Ranges” section on page 31“Configuring DHCP IP Ranges” section on page 31

•• “Creating a SonicPoint VAP Profile” section on page 32“Creating a SonicPoint VAP Profile” section on page 32

•• “Creating the SonicPoint VAP” section on page 33“Creating the SonicPoint VAP” section on page 33

Configuring a ZoneConfiguring a Zone

IIn thin this section you wils section you will create l create and confiand configugure a re a new new corporate wirecorporate wireless zoless zone wne with Soniith SonicWcWAALL LL UTM securUTM securitityyservices and enhaservices and enhanced WiFiSec/nced WiFiSec/WPA2 wireless secWPA2 wireless security.urity.

Step 1Step 1 LoLog into tg into the mhe manaanagegemement int interface of nterface of your Syour SonionicWcWAALL LL UTUTM aM applipplianceance..

Step 2Step 2 IIn the left-n the left-hand hand memenu, nanu, navivigagate to thete to theNetwork > ZonesNetwork > Zones page. page.

Step 3Step 3 Click theClick the A Adddd...... butto button to n to add a add a new new zozone.ne.

General Settings TabGeneral Settings Tab

Step 1Step 1 In theIn theGeneralGeneraltabtab, enter a , enter a ffriendly namriendly name sue such ach as “VAs “VAP-P-CorpoCorporate” in therate” in theNameNamefield.field.

Step 2Step 2 SelectSelect W Wiirreelleessss from the from theSSecurecurity ity TyTypepe drop- drop-down medown menu.nu.

Step 3Step 3 SeSelect tlect thehe A Alllloow w InIntteerrffaacce e TTrruusstt checkbox t checkbox to o allow coallow commmmunicatiounication betwen between corpoen corporate wrate wireless usersireless users..

Step 4Step 4 SSelect checelect checkboxes fkboxes for all oor all of f the secuthe security servirity services yces you would normally apply to ou would normally apply to wired wired corporate LAcorporate LAN usersN users..



Wireless Settings TabWireless Settings Tab

Step 1Step 1 In theIn the W Wiirreelleessss tab, check thetab, check theOnlOnly allow traffiy allow traffic genec generated by a rated by a SoSonicPoinicPointnt checkbox. checkbox.

Step 2Step 2 SSelect the checelect the checkbox fkbox foror W WiiFFiiSSeec c EnEnffoorrcceemmeenntt to enable WiFiSe to enable WiFiSec sec security on thicurity on this connection.s connection.

Step 3Step 3 SelectSelectTrust WPTrust WPA/A/ WWPA2 PA2 traffitraffic as Wc as WiFiFiSeciSec to to enaenable WPble WPA/A/ WPWPA2 users aA2 users acceccess to ss to this connection.this connection.

Step 4Step 4 Select a provisioning profile from theSelect a provisioning profile from the SSonicPoint Provisioning ProfilonicPoint Provisioning Profilee drop-down menu. The default drop-down menu. The defaultprofile isprofile isSonicPointSonicPoint, but you ma, but you may also creay also create and te and select a select a custom provicustom provisiosioning profning profilile. For infe. For informatioormation onn on

creating your own custom SonicPoint Provisioning Profile, seecreating your own custom SonicPoint Provisioning Profile, see“Crea“Creating a ting a SSonicPoint PonicPoint Provisiorovisioning Profining Profile”le”section section on page 35on page 35..

Step 5Step 5 Click theClick theOOK K butto button to sn to save these chaave these changes.nges.

Yo Youur r nneew w ZoZonne e nnoow w aappppeeaarrs s aat t tthhe e bboottttoom m oof f tthheeNetwork > ZonesNetwork > Zonespagpage, although you mae, although you may notiy notice it ice it issnot yet lnot yet linked to a Meinked to a Membember Ir Interfnterfaceace. T. This ihis is your next step.s your next step.

Creating a VLAN Sub-Interface on the WLANCreating a VLAN Sub-Interface on the WLAN

IIn this section you will crean this section you will create ate and confind configugure a re a new new VLVLAN AN sub-interfsub-interfacace on your cue on your currerrent WLAnt WLAN. TN. This Vhis VLALANNwill be linked to the Zone you created in thewill be linked to the Zone you created in the “Configuring a Zone” section on page 29“Configuring a Zone” section on page 29..

Step 1Step 1 In theIn theNetwork > InterfacesNetwork > Interfaces page page, cl, click theick the A Addd d InIntteerrffaaccee button. button.

Step 2Step 2 In theIn theZoneZone drop- drop-down medown menu, select the Znu, select the Zone you creaone you created in tted in thehe“C“Confonfiguring iguring a a ZZone” sectioone” section on pan on page 2ge 299..IIn thin this cases case, we have chosen, we have chosen V VAAPP-C-Coorrppoorraattee..

Step 3Step 3 EntEnter aer a V VLALAN N TTaagg f for this ior this internterffacace. This numbee. This number allows the r allows the SSonicPoint(onicPoint(s) to s) to identifidentify wy which trahich traffffic belongsic belongsto the “to the “VAVAP-P-CorpoCorporaterate” V” VLALAN. YoN. You should choose a u should choose a numbenumber bar based on ased on an organ organiznized sed schemcheme. In thie. In this cas case,se,we we choochoosese5500 as our tag for the VAP-Corporate VLAN. as our tag for the VAP-Corporate VLAN.

Step 4Step 4 In theIn theParenParent It Interfacenterface drop- drop-down mdown menu, seenu, select the intlect the interface that your Serface that your SonionicPointcPoint(s) are physica(s) are physicallllyyconnected to. Iconnected to. In thin this cases case, we a, we are usingre usingXX22, which is our WLAN interface., which is our WLAN interface.

Step 5Step 5 EntEnter the desireder the desiredIP IP AddresAddresss for this sub-interface. for this sub-interface.



Step 6Step 6 SSelecelect a lit a limit fmit for the numbor the number of er of SSonicPoints onicPoints ffrom therom theSSonicPoint LonicPoint Limitimit drop- drop-dowdown men menu. Tnu. This defines thehis defines themamaxiximumum numm number of ber of SonicPoiSonicPoints thints this ints interface werface wilill support l support and aand allllows foows for appropriate ar appropriate addresddress spaces spaceallocation to allocation to the Sthe SonicPoints.onicPoints.

Step 7Step 7 OOptioptionally, you manally, you may ady add a commd a comment about this sub-ent about this sub-interfinterface ace in thein theCommentComment field. field.

Step 8Step 8 Click theClick theOK OK button to add this Sub-Interface. button to add this Sub-Interface. Yo Youur r VLVLAN AN ssuubb-i-inntteerrfafacce e nnoow w aappppeeaarrs s iin n tthheeIInterface Snterface Settingsettings list. list.

Configuring DHCP IP RangesConfiguring DHCP IP Ranges

BecaBecause the use the numbenumber of r of avaavaililable DHCP able DHCP leaseleases vary bas vary based on your platfsed on your platform, torm, the DHhe DHCP scope should beCP scope should beresized aresized as eas each interfch interfaceace// sub-sub-interfinterface ace is defis defined to ensure thained to ensure that adeqt adequate uate DDHCP space reHCP space remamains fins for allor allsubsesubsequequentlntly defined inty defined interfaceserfaces. To v. To view the iew the mamaximum nuximum number mber of of DDHCP lHCP leaeases foses for your Sr your SonionicWcWAALL LL PROPROseries UTM applianceseries UTM appliance, ref, refer to theer to the ““DDHCP Server SHCP Server Scope” sectiocope” section on page n on page 1313..

Step 1Step 1 IIn the left-n the left-hand hand memenu, nanu, navivigagate to thete to theNetwork > DHNetwork > DHCP Server CP Server page. page.

Step 2Step 2 LoLocate cate the interfthe interface ace you just creayou just created, in our case ted, in our case this ithis is the X2:Vs the X2:V50 (virt50 (virtual interface 50 ual interface 50 on the physical Xon the physical X22interfinterfaceace) interf) interfaceace. Click the. Click theConfigureConfigure ico icon corresponding to tn corresponding to the dehe desired interfsired interfaceace..

NoteNote IIf f the interfthe interface ace you creayou created does not appear on theted does not appear on theNetwork > DHNetwork > DHCP ServeCP Server r pag page, it is poe, it is possible thatssible that y yoou u hhaavve e aallrreeaaddy y eexxcceeeeddeed d tthhe e nnuummbbeer r oof f aalllloowweed d DHDHCCP P leleaassees s fofor r yyoouur r SSoonniiccWWALALLL. . FFoor r mmoorreeinformation on DHCP lease exhaustion, refer to theinformation on DHCP lease exhaustion, refer to the ““DDHCP Server HCP Server ScScope” ope” section osection on pagn page 13e 13..



Step 3Step 3 Edit theEdit theRange StartRange Start and andRange EndRange End f fields tields to meet your deploymeo meet your deployment needsnt needs


Yo Youur r nneew w DHDHCCP P lleeaasse e ssccooppe e nnoow w aappppeeaarrs s in in tthhe e DHDHCCP P SSeerrvveer r LeLeaasse e SSccooppees s lilisstt..

Creating a SonicPoint VAP ProfileCreating a SonicPoint VAP Profile

IIn this n this secsectiotion, you will n, you will crecreate aate and confind configgure a ure a new new ViVirtuartual Al Acceccess Point Pss Point Profrofile. Yile. You can creou can create Vate VAAP ProfP Profilesilesffor eacor each type of h type of VAP, and uVAP, and use them se them to easily apply advanceto easily apply advanced settings to new Vd settings to new VAAPs. TPs. This sectiohis section is on is optioptional,nal,but will but will ffacilitacilitate gate greareater eater ease of se of use wuse when confhen configuring miguring multiultiple VAple VAPs.Ps.


Step 2Step 2 Click theClick the A Adddd...... button in the button in the V Virirttuuaal l AAcccceesss s PPooiinnt t PPrrooffiilleesssection.section.

Step 3Step 3 EntEnter aer aProfile NProfile Namamee such as “Corporate-WPA2” for this VAP Profile. such as “Corporate-WPA2” for this VAP Profile.

Step 4Step 4 SelectSelect W WPPAA22-A-AUUTOTO-E-EAAPP from the from the A Auutthheennttiiccaattiioon n TyTyppee drop-down menu. This will employ an drop-down menu. This will employ anautomaautomatitic user ac user authenticatiouthentication basen based on your current RAd on your current RADDIIUS seUS server settings (Set berver settings (Set belolow).w).

Step 5Step 5 In theIn theMaximum Maximum CliClientsents field, enter the maximum number of concurrent connections VAP will support. field, enter the maximum number of concurrent connections VAP will support.

Step 6Step 6 In theIn the W WPPAA-E-EAAP P EnEnccrryyppttioion n SSeettttiinnggss section, section, enteenter your currr your current RADent RADIIUS sUS serveerver infr informaormation. tion. WireleWirelessssclients will communicate with this EAP capable RADIUS server for credential controlled access to theclients will communicate with this EAP capable RADIUS server for credential controlled access to theSSonionicPointcPoint, and , and ffor estaor establiblishing sshing sharehared ked key infy informatioormation fon for er encrypted commncrypted communicatiounication wn with the Sith the SonionicPointcPoint..

Step 7Step 7 Click theClick theOOK K button to create this VAP Profile. button to create this VAP Profile.



Creating the SonicPoint VAPCreating the SonicPoint VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN youIn this section, you will create and configure a new Virtual Access Point and associate it with the VLAN youcreated increated in“Creating a VLAN Sub-Interface on the WLAN” section on page 30“Creating a VLAN Sub-Interface on the WLAN” section on page 30..

General TabGeneral Tab

Step 1Step 1 IIn the left-n the left-hand hand memenu, nanu, navivigagate to thete to theSonSonicPoiicPoint > nt > ViVirtual Access Pointrtual Access Point page. page.

Step 2Step 2 Click theClick the A Adddd...... button in the button in the V Virirttuuaal l AAcccceesss s PPooiinnttsssection.section.

Step 3Step 3 EntEnter a deer a deffault name (ault name (SSIDSSID) f) for the VAor the VAPP. I. In this case wn this case we chosee chose V VAAPP-C-Coorrppoorraattee, t, the same he same name name as the Zas the Zoneoneto which it wilto which it will be assl be associated.ociated.

Step 4Step 4 SeSelect tlect thehe V VLALAN N IDID you created in you created in “Creating a VLAN Sub-Interface on the WLAN” section on page 30“Creating a VLAN Sub-Interface on the WLAN” section on page 30 from the drop-down list. In this case we chosefrom the drop-down list. In this case we chose5500, the VLAN ID of our VAP-Corporate VLAN., the VLAN ID of our VAP-Corporate VLAN.

Step 5Step 5 Check theCheck theEEnanable Vible Virtuartual Access Pointl Access Point chec checkbox tkbox to enable this acceo enable this access point ss point upon creaupon creatiotion.n.

Step 6Step 6 Check theCheck theEEnable Snable SSID SID SuSuppressppress checkbox to hide this SSID from users checkbox to hide this SSID from users

Step 7Step 7 Click theClick theOK OK button to add this VAP. button to add this VAP.

Yo Youur r nneew w VVAP AP nnoow w aappppeeaarrs s in in tthhe e ViVirrttuuaal l AcAccceesss s PPooinintts s llisistt..

Advanced Tab (Authentication Settings)Advanced Tab (Authentication Settings)

Step 1Step 1 Click theClick the A Addvvaanncceed d TTaabb to edit encryption settings. If you created a VAP Profile in the previous section,to edit encryption settings. If you created a VAP Profile in the previous section,select that profile from theselect that profile from theProfile NProfile Namamee list list. We . We creacreated ated and choose a nd choose a ““CorpoCorporaterate--WPA2” proWPA2” proffilile, we, whichhichusesuses W WPPAA22-A-AUUTOTO-E-EAAPP as the a as the autheuthentication mentication method. Ithod. If f you hayou have not set up a VAP Pve not set up a VAP Profrofile, contiile, continue nue withwithsteps 2 through 4steps 2 through 4. O. Otherwtherwise, contise, continue toinue to CreaCreate Mte More / ore / DDeploy Current VAPeploy Current VAPs, pags, page 3e 333..

Step 2Step 2 In theIn the A Addvvaanncceedd tab, select tab, select W WPPAA22-A-AUUTOTO-E-EAAPP from the from the A Auutthheennttiiccaattioion n TyTyppee drop-down menu. This drop-down menu. Thiswill will employ an aemploy an automatic user automatic user authenticatiouthentication basen based on yod on your curreur current RAnt RADDIIUS sUS server seerver settittings (Sngs (Set below).et below).

Step 3Step 3 In theIn theMaximum Maximum CliClientsents f field, enter the mield, enter the maximum aximum numbenumber of r of concurrent connections VAconcurrent connections VAP will suppoP will support.rt.

Step 4Step 4 In theIn the W WPPAA-E-EAAP P EnEnccrryyppttioion n SSeettttiinnggss section, enter your current RADIUS server information. This section, enter your current RADIUS server information. Thisinformation will be used to support authenticated login to the VLAN.information will be used to support authenticated login to the VLAN.

Create More / Deploy Current VAPsCreate More / Deploy Current VAPs

Now that you have Now that you have succesuccessfssfully set up a VLully set up a VLAAN fN for Corpoor Corporate rate LALAN acceN access, you can css, you can choohoose to add mse to add moreorecustom VAPs, or to deploy this configuration to your SonicPoint(s) in thecustom VAPs, or to deploy this configuration to your SonicPoint(s) in the “Deploying VAPs to a“Deploying VAPs to aSonicPoint” section on page 34SonicPoint” section on page 34..



Timesaver Timesaver RemeRemember that more VAmber that more VAPs can always be aPs can always be added at a later tidded at a later time. New VAPme. New VAPs can then be depls can then be deployedoyedsimusimultaneoultaneously to sly to all of all of your Syour SonicPoints by fonicPoints by follollowing owing the stepthe steps in ts in thehe“Deploying VAPs to a SonicPoint”“Deploying VAPs to a SonicPoint”section osection on page 3n page 344..

Deploying VAPs to a SonicPointDeploying VAPs to a SonicPoint

IIn the fn the folollowing section you willowing section you will group and del group and deploy your new Vploy your new VAAPs, associating them wPs, associating them with oith one or morene or moreSSonionicPoint RcPoint Radios. Users adios. Users will nowill not be at be able to access ble to access your VAPs untiyour VAPs until you complete this process:l you complete this process:

•• Grouping Multiple VAPs, page 34Grouping Multiple VAPs, page 34

•• Creating a SonicPoint Provisioning Profile, page 35Creating a SonicPoint Provisioning Profile, page 35

Grouping Multiple VAPsGrouping Multiple VAPs

In this section, you will group multiple VAPs into a single group to be associated with your SoncPoint(s).In this section, you will group multiple VAPs into a single group to be associated with your SoncPoint(s).


Step 2Step 2 Click theClick the A Addd d GGrroouupp...... button in the button in the V Viirrttuuaal l AAcccceesss s PPooiinnt t GGrroouupp section. section.

Step 3Step 3 EntEnter aer a V Viirrttuuaal l AAP P GGrroouup p NaNammee..

Step 4Step 4 SSelect the deselect the desired VAPired VAPs fs from the lirom the list and click thest and click the->->buttobutton to add n to add them them to the group. Optito the group. Optionallonallyy, cli, click theck the A Addd d AAllll button to add all VAPs to a single group. button to add all VAPs to a single group.

Step 5Step 5 Press thePress theOK OK butt button ton to save changeo save changes and creas and create the group.te the group.



Creating a SonicPoint Provisioning ProfileCreating a SonicPoint Provisioning Profile

IIn this section this section, you will n, you will associate the associate the group you cregroup you created ated in thein the“G“Grouping rouping MuMultiltiple VAPs” ple VAPs” sesection oction on pan page 34ge 34 with a SonicPoint by creating a provisioning profile. This profile will allow you to provision settings from awith a SonicPoint by creating a provisioning profile. This profile will allow you to provision settings from agroup of VAPs to all of your SonicPoints.group of VAPs to all of your SonicPoints.

Step 1Step 1 IIn the left-n the left-hand hand memenu, nanu, navivigagate to thete to theSonSonicPoiicPoint > Sont > SonicPoinicPointsnts page. page.

Step 2Step 2 Click theClick the A Addddbutton in thebutton in the SoSonicPoinicPoint nt ProvisiProvisioning oning ProfilProfileses section. section.

Step 3Step 3 Click theClick theEEnable Snable SonicPoionicPointnt checkbox to enable this profile. checkbox to enable this profile.

Step 4Step 4 In theIn theNNamame Prefix e Prefix field, enter a name for this profile. field, enter a name for this profile.

Step 5Step 5 SeSelect lect aaCountCountry ry CodeCode from the drop-down list. from the drop-down list.

Step 6Step 6 From theFrom the80802.12.11 1 RadiRadio Vio Virtual Artual AP GroupP Group pull- pull-down list, down list, select the gselect the group you creroup you created ated in thein the “Grouping“GroupingMultiple VAPs” section on page 34Multiple VAPs” section on page 34..

Step 7Step 7 To setup 80To setup 802.11g 2.11g WEP WEP or 802.11or 802.11a WEP/a WEP/ WPA encryptioWPA encryption, or to n, or to enaenable MAC able MAC addresddress fs fililtering, use tering, use thethe802.802.1111gg and and802.802.1111aa tabs. If any of your VAPs use encryption, configure these settings before your tabs. If any of your VAPs use encryption, configure these settings before yourSonicPoint VAPs will function.SonicPoint VAPs will function.

NoteNote IIf f anany of y of the VAPs in the VAPs in your VAP Gyour VAP Group use roup use WEPWEP, the WEP , the WEP settingsettings mus must be dest be deffined on the Sined on the SonicPointonicPointProfile (or the individual SonicPoint) prior to the assignment of that VAP Group to the target. ForProfile (or the individual SonicPoint) prior to the assignment of that VAP Group to the target. Forexample, if you configure a VAP within the group to use WEP Key 1, you must configure WEP Key 1example, if you configure a VAP within the group to use WEP Key 1, you must configure WEP Key 1on the target SonicPoint Profile or SonicPoint prior to VAP Group assignation.on the target SonicPoint Profile or SonicPoint prior to VAP Group assignation.

Step 8Step 8 Click theClick theOOKKbuttobutton to save n to save changchanges aes and crend create ate this SonicPoithis SonicPoint Provnt Provisiisionioning ng ProfProfilile.e.

Step 9Step 9 Click theClick theSynchrSynchronize onize SoSonicPoinicPointsnts button at the top of the screen to apply your provisioning profile to button at the top of the screen to apply your provisioning profile toavaavaililable Sable SonionicPointcPoints.s.

Yo Youur r SSoonniiccPPooiinnt t mmaay y ttaakke e a a mmoommeennt t tto o rreebboooot t bbeefoforre e cchhaannggees s ttaakke e ppllaaccee. . AftAfteer r tthhis is pprroocceesss s is is ccoommpplleettee, , aallllof your VAP profiles will be available to wireless users through this SonicPoint.of your VAP profiles will be available to wireless users through this SonicPoint.

Associating a VAP Group with your SonicPointAssociating a VAP Group with your SonicPoint

IIf f you did not creayou did not create a Ste a SonicPoint onicPoint ProvisiProvisioning Profoning Profile, you can prile, you can proviovision your SonicPoint(s) mansion your SonicPoint(s) manuaually. Yolly. Youu

mamay wy wanant to t to use this muse this method if ethod if you hayou have only one SonicPoint to ve only one SonicPoint to provision. provision. TThis sechis section tion is not is not necnecessessary ifary if y yoou u hhaavve e ccrreeaatteed d aannd d pprroovviissioionneed d yyoouur r SSoonniiccPPooinintts s uussiinng g a a SSoonnicicPPooiinnt t PPrroofifillee..

Document Version HistoryDocument Version History

3636 Configuring Configuring SonicPoint SonicPoint Virtual Virtual APs APs 232-001240-00 232-001240-00 Rev Rev AA

Step 1Step 1 In the left-hand menu, navigate to theIn the left-hand menu, navigate to theSonSonicPoiicPoint > Snt > SonicPoionicPointsnts page. page.

Step 2Step 2 Click theClick theConfigureConfigurebutton next to thebutton next to the SonicPointSonicPoint you wish to associate your Virtual APs with. you wish to associate your Virtual APs with.

Step 3Step 3 IIn the Vin the Virtual Artual Accesccess Point Settings section, select the VAs Point Settings section, select the VAP group you creP group you created ated ininGrouping Multiple VAPs,Grouping Multiple VAPs,page 34page 34 from the from the80802.12.111g (og (or 8r 80202..1111a) Ra) Radiadio Vio Virtual rtual AP GAP Grouproup drop-down list. In this case, we choose drop-down list. In this case, we choose

V VAAPP as our Virtual AP Group. as our Virtual AP Group.

Step 4Step 4 Click theClick theOOK K button to associate this VAP Group with your SonicPoint. button to associate this VAP Group with your SonicPoint.

Step 5Step 5 Click theClick theSynchrSynchronize onize SoSonicPoinicPointsnts button at the top of the screen to apply your provisioning profile to button at the top of the screen to apply your provisioning profile toavaavaililable Sable SonionicPointcPoints.s.

Yo Youur r SSoonniiccPPooiinnt t mmaay y ttaakke e a a mmoommeennt t tto o rreebboooot t bbeefoforre e cchhaannggees s ttaakke e ppllaaccee. . AftAfteer r tthhis is pprroocceesss s is is ccoommpplleettee, , aallllof your VAP profiles will be available to wireless users through this SonicPoint.of your VAP profiles will be available to wireless users through this SonicPoint.

NoteNote IIf f you are you are setting up gsetting up guest seuest servirvices foces for the fir the first tirst timeme, be sure , be sure to make to make necenecessary cssary confonfiguraiguratiotions in thens in theUsers > Guest SUsers > Guest Serviervicesces pag pageses. For more inf. For more informatioormation on confn on configuring giguring guest seuest servirvicesces, ref, refer to theer to theSSonionicOcOS S Enhanced Enhanced AAdministratodministrator’s r’s GGuide.uide.

Document Version HistoryDocument Version History

VVeerrssiioon n NNuummbbeerr DDaattee NNootteess

11 66/ 2/ 211/ 2/ 2000066 TThhe e ddooccuummeennt t ssttrruuccttuurre e wwaas s ccrreeaatteedd..

22 66// 2288/2/2000066 CCoonntteennt t wwrriitttteen n bby y PPaattrriicck k LLyyddoon n aannd d KKhhaai i TTrraann..

33 77/ 1/ 100/ 2/ 2000066 IInnccoorrppoorraatteed d nneew w ccoonntteennt t bby y JJooe e LLeevvyy

33 77// 1144// 22000066 MMoorre e ccoonntteennt t aaddddiittiioonns s ccoommpplleetteed d ffoor r ddrraafft t rreevviieeww..

44 88/ 2/ 2/ 2/ 2000066 RReewwoorrkkeed d + + aaddddeed d ffeeeeddbbaacck k ffrroom m JJooe e LLeevvyy..

55 88/ 4/ 4/ 2/ 2000066 IInnccoorrppoorraatteed d ffiinnaal l rroouunnd d oof f ffeeeeddbbaacckk..

Download - Configuring Virtual Access Points in SonicOS 5.0 Enhanceddocshare04.docshare.tips/files/28349/283497100.pdf · SonicOS 5.0 Enhanced ... This forced WLAN network administrators to

Top Related