wireless

wireless_VAP

Wireless > Virtual Access Point

This chapter describes the Virtual Access Point feature and includes the following sections:

• Wireless Virtual AP Configuration Task List

Wireless VAP Overview

This section provides an introduction to the Virtual Access Point feature for SonicWALL UTM appliances equipped with internal wireless radios.

This section contains the following subsections:

• What Is a Virtual Access Point?

• Benefits of Using Virtual APs

What Is a Virtual Access Point?

A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP. Before the evolution of the Virtual AP feature support, wireless networks were relegated to a One-to-One relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. In other words, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients, and if the latter were required, they would had to have been provided by a separate, distinctly configured Access Points. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identified (SSID). This allows for segmenting wireless network services within a single radio frequency footprint of a single physical access point device.

VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on a single internal wireless radio.

For more information on SonicOS Secure Wireless features, refer to the SonicWALL Secure Wireless Integrated Solutions Guide.

Benefits of Using Virtual APs

This section includes a list of benefits in using the Virtual AP feature:

• Radio Channel Conservation—Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes to avoid channel collision problem. Channel conservation. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.

• Optimize Wireless LAN Infrastructure—Share the same Wireless LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower down the capital expenditure for installation and maintenance of your WLANs.

Wireless Virtual AP Configuration Task List

A Wireless VAP deployment requires several steps to configure. The following section provides first a brief overview of the steps involved, and then a more in-depth examination of the parts that make up a successful VAP deployment. This subsequent sections describe VAP deployment requirements and provides an administrator configuration task list:

• Wireless VAP Overview

• Network Zones

• VLAN Subinterfaces

• DHCP Server Scope

• Deploying VAPs to a SonicPoint

Wireless VAP Configuration Overview

The following are required areas of configuration for VAP deployment:

Step 1 Zone - The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of Wireless Subnets.

Step 2 Wireless Interface - The W0 interface (and its WLAN subnets) represent the physical connections between your SonicWALL UTM appliance and the internal wireless radio. Individual zone settings are applied to these interfaces and forwarded to the wireless radio.

Step 3 DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most wireless deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

Step 4 Virtual Access Point Profile - The VAP Profile feature allows for creation of wireless configuration profiles which can be easily applied to new wireless Virtual Access Points as needed.

Step 5 Virtual Access Point - The VAP Objects feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings.

Step 6 Virtual Access Point Group - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to a sinlge internal wireless radio.

Step 7 Assign VAP Group to Internal Wireless Radio- The VAP Group is applied to the internal wireless radio and made available to users through multiple SSIDs.

Network Zones

This section contains the following subsections:

• The Wireless Zone

• Custom Wireless Zone Settings

A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network zones are configured from the Network > Zones page.

For detailed information on configuring zones, see <Bold>Chapter 20, Network > Zones.

The Wireless Zone

The Wireless zone type, of which the “WLAN Zone” is the default instance, provides support to SonicWALL wireless radio. When an interface or subinterface is assigned to a Wireless zone, the interface can enforce security settings above the 802.11 layer, including WiFiSec Enforcement, SSL VPN redirection, Guest Services, Lightweight Hotspot Messaging and all licensed Deep Packet Inspection security services.

Custom Wireless Zone Settings

Although SonicWALL provides the pre-configured Wireless zone, administrators also have the ability to create their own custom wireless zones. When using VAPs, several custom zones can be applied to a single wireless radio. The following three sections describe settings for custom wireless zones:

• General

• Wireless

• Guest Services

General

Feature	Description
Name	Create a name for your custom zone
Security Type	Select Wireless in order to enable and access wireless security options.
Allow Interface Trust	Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Guest Services.
SonicWALL Security Services	Select the security services you wish to enforce on this zone. This allows you to extend your SonicWALL UTM security services to your wireless users.

Wireless

Feature	Description
Only allow traffic generated by a SonicPoint	Restricts traffic on this zone to internally-generated traffic only.
SSL VPN Enforcement	Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic. Note: Wireless traffic that is tunneled through an SSL VPN will appear to originate from the SSL VPN rather than from the Wireless zone. SSL VPN Server - Select the Address Object representing the SSL VPN appliance to which you wish to redirect wireless traffic.
SonicPoint Provisioning Profile	Select a predefined SonicPoint Provisioning Profile to be applied to all current and future SonicPoints on this zone.
SonicPointN Provisioning Profile	Select a predefined SonicPointN Provisioning Profile to be applied to all current and future SonicPoints on this zone.

Guest Services

The Enable Guest Services option allows the following guest services to be applied to a zone:

Feature	Description
Enable inter-guest communication	Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each other.
Bypass AV Check for Guests	Allows guest traffic to bypass Anti-Virus protection
Enable Dynamic Address Translation (DAT)	Dynamic Address Translation (DAT) allows the SonicPoint to support any IP addressing scheme for Guest Services users. If this option is disabled (unchecked), wireless guest users must either have DHCP enabled, or an IP addressing scheme compatible with the SonicPoint’s network settings.
Enable External Guest Authentication	Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.
Custom Authentication Page	Redirects users to a custom authentication page when they first connect to a SonicPoint in the Wireless zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
Post Authentication Page	Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the filed.
Bypass Guest Authentication	Allows a SonicPoint running Guest Services to integrate into environments already using some form of user-level authentication. This feature automates the Guest Services authentication process, allowing wireless users to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
Redirect SMTP traffic to	Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
Deny Networks	Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from.
Pass Networks	Automatically allows traffic through the Wireless zone from the networks you select.
Max Guests	Specifies the maximum number of guest users allowed to connect to the Wireless zone. The default is 10.

Wireless LAN Subnets

A Wireless LAN (WLAN) subnet allows you to split a single wireless radio interface (W0) into many virtual network connections, each carrying its own set of configurations. The WLAN subnet solution allows each VAP to have its own virtual separate subinterface, even though there is only a single 802.11 radio.

WLAN subnets have several key capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from WLAN subnets at this time are VPN policy binding, WAN dynamic client support, and multicast support.

WLAN subnets are configured from the Network > Interfaces page.

Custom Wireless Subnet Settings

The table below lists configuration parameters and descriptions for wireless subnets:

Feature	Description
Zone	Select a pre-defined or custom zone. Only zones with security type of “wireless” are available for selection.
Parent Interface	The default WLAN interface, normally W0.
Subnet Name	Choose a friendly name for this interface.
IP Configuration	Create an IP address and Subnet Mask in accordance with your network configuration.
Sonic Point Limit	The number of radios supported in your deployment, the default value is 1 SonicPoint.
Management	Select the protocols you wish to use when managing this subnet.
User Login	Select the protocols you will make available to clients who access this subnet.
DHCP Server	Select the Create default DHCP Lease Scope option to enable DHCP on this subnet, along with the default number of available leases. Read the DHCP Server Scope for more information on DHCP lease requirements.

DHCP Server Scope

The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. Take care in making these settings manually, as a scope of 200 addresses for multiple interfaces that will only use 30 can lead to connection issues due to lease exhaustion.

The DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. DHCP Server Scope is set from the Network > DHCP Server page.

Virtual Access Point Profiles

A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the Wireless > Virtual Access Point page.

This feature is especially useful for quick setup in situations where multiple virtual access points will share the same authenticaiton methods.

Virtual Access Point Profile Settings

The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:

Feature	Description
Name	Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs.
Type	Set to Wireless-Internal-Radio by default. Retain this default setting if using the internal radio for VAP access (currently the only supported radio type)
Authentication Type	Below is a list available authentication types with descriptive features and uses for each: WPA • Good security (uses TKIP) • For use with trusted corporate wireless clients • Transparent authentication with Windows log-in • No client software needed in most cases WPA2 • Best security (uses AES) • For use with trusted corporate wireless clients • Transparent authentication with Windows log-in • Client software install may be necessary in some cases • Supports 802.11i “Fast Roaming” feature • No backend authentication needed after first log-in (allows for faster roaming) WPA2-AUTO • Tries to connect using WPA2 security, if the client is not WPA2 capable, the connection will default to WPA.
Unicast Cipher	The unicast cipher will be automatically chosen based on the authentication type.
Multicast Cipher	The multicast cipher will be automatically chosen based on the authentication type.
Maximum Clients	Choose the maximum number of concurrent client connections permissible for this virtual access point.

WPA-PSK / WPA2-PSK Encryption Settings

Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.

Feature	Description
Pass Phrase	The shared passphrase users will enter when connecting with PSK-based authentication.
Group Key Interval	The time period for which a Group Key is valid. The default value is 86400 seconds. Setting to low of a value can cause connection issues.

WPA-EAP / WPA2-EAP Encryption Settings

Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1x/EAP capable RADIUS server for key generation.

Feature	Description
RADIUS Server 1	The name/location of your RADIUS authentication server
RADIUS Server 1 Port	The port on which your RADIUS authentication server communicates with clients and network devices.
RADIUS Server 1 Secret	The secret passcode for your RADIUS authentication server
RADIUS Server 2	The name/location of your backup RADIUS authentication server
RADIUS Server 2 Port	The port on which your backup RADIUS authentication server communicates with clients and network devices.
RADIUS Server 2 Secret	The secret passcode for your backup RADIUS authentication server
Group Key Interval	The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.

Virtual Access Points

The VAP Settings feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings. Virtual Access Points are configured from the Wireless > Virtual Access Point page.

General VAP Settings

Feature	Description
SSID	Create a friendly name for your VAP.
Subnet Name	Select a subnet name to associate this VAP with. Settings for this VAP will be inherited from the subnet you select from this list.
Enable Virtual Access Point	Enables this VAP.
Enable SSID Suppress	Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients.

Advanced VAP Settings

Advanced settings allows the administrator to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user created profile. See Virtual Access Points Profiles for complete authentication and encryption configuration information.

Virtual Access Point Groups

The Virtual Access Point Groups feature is available on SonicWALL NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your internal wireless radio. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page.

Enabling the Virtual Access Point Group

After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Internal AP Group.

After this selection has been made and applied.

Schedulable VAP

Schedulable VAP is the latest enhancement of the current VAP feature. Currently, the wireless radio associated with the SonicWALL appliance shares the same schedule. As a result, each virtual access point is active and/or inactive at the same time, although there may be several configured VAPs. Schedulable VAP allows each VAP to have its own setting for the schedules. The VAP on the SonicPoint-N DR device has two radios, yet shares one schedule, and the SonicPoint-N, SonicPoint-Ne, and SonicPoint-Ni devices share one schedule.

Note that if you are configuring a VAP schedule with a SonicPoint, the SonicWALL appliance it is associated with will record the configured schedule. If configuring this enhancement on a SonicWALL appliance, the administrator will have to add members to the VAP group in order to store and configure the VAP Schedule settings. When the VAP is enabled for the SonicPoint radio, the schedule settings for the radio are disabled.

Configuring a Schedulable VAP

To schedule and enable a Virtual Access Point, follow the procedures below:

Step 1 Navigate to the SonicPoint > Virtual Access Point page.

Step 2 Add or edit a Virtual Access Point by clicking the Add... button or the Edit icon of the existing Virtual Access Point you wish to edit.

Step 3 In the configuration window, click the Advanced tab.

Step 4 Select the desired schedule from the VAP Schedule Name dropdown list. Click OK to save changes.

VAP Sample Configuration

This section provides configuration examples based on real-world wireless needs. This section contains the following subsections:

• Configuring a VAP for Guest Access

Configuring a VAP for School Faculty Access

You can use a VAP for a set of users who are commonly in the office, on campius, and to whom should be given full access to all network resources, providing that the connection is authenticated and secure. These users would already belong to the network’s Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS – Internet Authentication Services. This section contains the following subsection:

• Configuring a Zone

• Creating a VLAN Subinterface on the WLAN

• Creating the SonicPoint VAP

Configuring a Zone

In this section you will create and configure a new corporate wireless zone with SonicWALL UTM security services and enhanced WiFiSec/WPA2 wireless security.

Step 1 Log into the management interface of your SonicWALL UTM appliance.

Step 2 In the left-hand menu, navigate to the Network > Zones page.

Step 3 Click the Add... button to add a new zone.

General Settings Tab

Step 1 In the General tab, enter a friendly name such as “WLAN_Faculty” in the Name field.

Step 2 Select Wireless from the Security Type drop-down menu.

Step 3 Select the Allow Interface Trust checkbox to allow communication between faculty users.

Step 4 Select checkboxes for all of the security services you would normally apply to faculty on the wired LAN.

Wireless Settings Tab

Step 1 In the Wireless tab, check the Only allow traffic generated by a SonicPoint / SonicPointN checkbox.

Step 2 Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu (if applicable).

Step 3 Click the OK button to save these changes.

Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step. Creating a New Wireless Subnet

In this section you will create and configure a new wireless subnet on your current WLAN. This wireless subnet will be linked to the zone you created in the Configuring a Zone.

Step 1 In the Network > Interfaces page, click the Add WLAN Subnet button.

Step 2 In the Zone drop-down menu, select the zone you created in “Configuring a Zone”. In this case, we have chosen WLAN_Faculty.

Step 3 Enter a Subnet Name for this interface. This name allows the internal wireless radio to identify which traffic belongs to the “WLAN_Faculty” subnet. In this case, we choose Faculty as our subnet name.

Step 4 Enter the desired IP Address for this subinterface.

Step 5 Optionally, you may add a comment about this subinterface in the Comment field.

Step 6 If you intend to use this interface, ensure that the Create default DHCP Lease Scope option is checked. This option automatically creates a new DHCP lease scope for this subnet with 33 addresses. This setting can be adjusted later on the Network > DHCP page.

Step 7 Click the OK button to add this subinterface.

Your WLAN Subnet interface now appears in the Interface Settings list.

Creating a Wireless VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This section is optional, but will facilitate greater ease of use when configuring multiple VAPs.

Step 1 In the left-hand menu, navigate to the Wireless > Virtual Access Point page.

Step 2 Click the Add... button in the Virtual Access Point Profiles section.

Step 3 Enter a Profile Name such as “Corporate-WPA2” for this VAP Profile.

Step 4 Select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (Set below).

Step 5 In the Maximum Clients field, enter the maximum number of concurrent connections VAP will support.

Step 6 In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the new subnet.

Step 7 Click the OK button to create this VAP Profile.

Creating the Wireless VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the wireless subnet you created in Creating a VLAN Subinterface on the WLAN.

General Tab

Step 1 In the left-hand menu, navigate to the Wireless > Virtual Access Point page.

Step 2 Click the Add... button in the Virtual Access Points section.

Step 3 Enter a default name (SSID) for the VAP. In this case we chose Campus_Faculty. This is the name users will see when choosing a wireless network to connect with.

Step 4 Select the Subnet Name you created in Creating a VLAN Subinterface on the WLAN from the drop-down list. In this case we chose Faculty, the name of our WLAN_Faculty subnet.

Step 5 Check the Enable Virtual Access Point checkbox to enable this access point upon creation.

Step 6 Check the Enable SSID Suppress checkbox to hide this SSID from users.Click the OK button to add this VAP.

Your new VAP now appears in the Virtual Access Points list.

Advanced Tab (Authentication Settings)

Step 1 Click the Advanced Tab to edit encryption settings. If you created a VAP Profile in the previous section, select that profile from the Profile Name list. We created and choose a “Corporate-WPA2” profile, which uses WPA2-AUTO-EAP as the authentication method. If you have not set up a VAP Profile, continue with steps 2 through 4. Otherwise, continue to Create More / Deploy Current VAPs.

Step 2 In the Advanced tab, select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (Set below).

Step 3 In the Maximum Clients field, enter the maximum number of concurrent connections VAP will support.

Step 4 In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the wireless subnet.

Create More / Deploy Current VAPs

Now that you have successfully set up a wireless subnet for faculty access, you can choose to add more custom VAPs, or to deploy this configuration to your internal wireless radio in the Deploying VAPs to a SonicPoint.

Tip Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously by following the steps in the Deploying VAPs to a SonicPoint.