SonicPoint Virtual AP Configuration Task List

A SonicPoint VAP deployment requires several steps to configure. The following section provides first a brief overview of the steps involved, and then a more in-depth examination of the parts that make up a successful VAP deployment. This subsequent sections describe VAP deployment requirements and provides an administrator configuration task list:

•	SonicPoint VAP Configuration Overview

•	Network Zones

•	VLAN Subinterfaces

•	DHCP Server Scope

•	Sonic Point Provisioning Profiles

•	Thinking Critically About VAPs

•	Deploying VAPs to a SonicPoint

SonicPoint VAP Configuration Overview

The following are required areas of configuration for VAP deployment:

•	Zone - The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of VLAN subinterfaces.

•	Interface (or VLAN Subinterface) - The Interface (X2, X3, etc...) represents the physical connection between your SonicWALL UTM appliance and your SonicPoint(s). Your individual zone settings are applied to these interfaces and then forwarded to your SonicPoints.

•

DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes.” The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

•	VAP Profile - The VAP Profile feature allows for creation of SonicPoint configuration profiles which can be easily applied to new SonicPoint Virtual Access Points as needed.

•	VAP Objects - The VAP Objects feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings.

•	VAP Groups - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s).

•	Assign VAP Group to SonicPoint Provisioning Profile Radio- The Provisioning Profile allows a VAP Group to be applied to new SonicPoints as they are provisioned.

•

Assign WEP Key (for WEP encryption only) - The Assign WEP Key allows for a WEP Encryption Key to be applied to new SonicPoints as they are provisioned. WEP keys are configured per-SonicPoint, meaning that any WEP-enabled VAPs assigned to a SonicPoint must use the same set of WEP keys. Up to 4 keys can be defined per-SonicPoint, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint > SonicPoints page.

Figure 6. SonicPoint VAP configuration

Network Zones

A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network zones are configured from the Network > Zones page.

For detailed information on configuring zones, see Configuring Network Zones .

Topics:

•	The Wireless Zone

•	Custom Wireless Zone Settings

The Wireless Zone

The Wireless zone type, of which the WLAN Zone is the default instance, provides support to SonicWALL SonicPoints. When an interface or subinterface is assigned to a Wireless zone, the interface can discover and provision Layer 2 connected SonicPoints, and can also enforce security settings above the 802.11 layer, including WiFiSec Enforcement, SSL VPN redirection, Guest Services, Lightweight Hotspot Messaging and all licensed Deep Packet Inspection security services.

NOTE: SonicPoints can only be managed using untagged, non-VLAN packets. When setting up your WLAN, ensure that packets sent to the SonicPoints are non VLAN tagged.

Custom Wireless Zone Settings

Although SonicWALL provides the pre-configured Wireless zone, administrators also have the ability to create their own custom wireless zones. When using VAPs, several custom zones can be applied to a single, or multiple SonicPoint access points.

The following three sections describe settings for custom wireless zones:

•

General

•

Wireless

•	Guest Services

General

 

Table 8. General settings

Feature	Description
Name	Create a name for your custom zone
Security Type	Select Wireless in order to enable and access wireless security options.
Allow Interface Trust	Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Guest Services.
SonicWALL Security Services	Select the security services you wish to enforce on this zone. This allows you to extend your SonicWALL UTM security services to your SonicPoints.

Wireless

 

Table 9. Wireless settings

Feature	Description
SSL VPN Enforcement	Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic. NOTE: Wireless traffic that is tunnelled through an SSL VPN will appear to originate from the SSL VPN rather than from the Wireless zone. • SSL VPN server - Select the Address Object representing the SSL VPN appliance to which you wish to redirect wireless traffic. • SSL VPN service - Select a service for encryption.
SonicPoint Provisioning Profile SonicPointN Provisioning Profile SonicPointNDR Provisioning Profile	Select a predefined SonicPoint/SonicPointN/SonicPointNDR Provisioning Profile to be applied to all current and future SonicPoints on this zone.
Only allow traffic generated by a SonicPoint / SonicPointN	Restricts traffic on this zone to SonicPoint/SonicPointN-generated traffic only.

Guest Services

The Enable Guest Services option allows the following guest services to be applied to a zone:

 

Table 10. Guest Services settings

Feature	Description
Enable inter-guest communication	Allows guests connecting to this Guest Services Zone to communicate directly and wirelessly with each other.
Bypass AV Check for Guests	Allows guest traffic to bypass Anti-Virus protection
Bypass Client CF Check for Guests	Allows guest traffic to bypass client CF check protection.
Enable External Guest Authentication	Requires guests connecting from the Guest Services Zone to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access. If selected, this option must be configured by clicking on the Configure button to display the External Guest Authentication window. NOTE: Enabling this option disables the Enable Policy Page without authentication, Custom Authentication Page, and Post Authentication Page options.
Enable Policy Page without authentication	Redirects users to a guest policy page when they first connect to a SonicPoint in the WLAN Zone. Guests will be authenticated by accepting the policy instead of providing a user name and password.
Custom Authentication Page	Redirects users to a custom authentication page when they first connect to the Guest Services Zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
Post Authentication Page	Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
Bypass Guest Authentication	Grants unrestricted Wireless Guest Services. Specify a MAC Address Group from the drop-down menu or create a new one. This feature automates the Guest Services authentication process, allowing wireless users to reach Guest Services resources without requiring authentication. NOTE: This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
Redirect SMTP traffic to	Redirects SMTP traffic incoming on this zone to an SMTP server you specify. From the drop-down menu, select the address object to receive redirected traffic or create a new one.
Deny Networks	Blocks traffic to the networks you specify. Select the subnet, address object, or address object group for denial or create a new address object or address object group.
Pass Networks	Automatically allows traffic through the Guest Services Zone to the networks you select from the drop-down menu. Select a subnet, address object, or address object group, or create a new address object or address object group.
Max Guests	Specifies the maximum number of guest users allowed to connect to the WLAN Zone. The default is 10.
Enable Dynamic Address Translation (DAT)	Grants access to non-DHCP guests.

VLAN Subinterfaces

A Virtual Local Area Network (VLAN) allows you to split your physical network connections (X2, X3, etc.) into many virtual network connection, each carrying its own set of configurations. The VLAN solution allows each VAP to have its own separate subinterface on an actual physical interface.

VLAN subinterfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN subinterfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support.

VLAN subinterfaces are configured from the Network > Interfaces page.

Custom VLAN Settings

The table below lists configuration parameters and descriptions for VLAN subinterfaces:

 

Table 11. Custom VLAN settings

Feature	Description
Zone	Select a zone to inherit zone settings from a predefined or custom user-defined zone.
VLAN Tag	Specify the VLAN ID for this subinterface.
Parent Interface	Select a physical parent interface (X2, X3, …) for the VLAN.
IP Configuration	Create an IP address and Subnet Mask in accordance with your network configuration.
Sonic Point Limit	Select the maximum number of SonicPoints to be used on this interface. Below are the maximum number of SonicPoints per interface based on your SonicWALL UTM hardware:
Management Protocols	Select the protocols you wish to use when managing this interface.
Login Protocols	Select the protocols you will make available to clients who access this subinterface.

DHCP Server Scope

The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

The DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. DHCP Server Scope is set from the Network > DHCP Server page.

Virtual Access Points Profiles

A Virtual Access Point Profile allows you to pre-configure and save access point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the Virtual Access Point Profiles section of the SonicPoint > Virtual Access Point page.

To configure an existing VAP profile, click the Edit icon for that profile. To add a new VAP profile, click the Add… button The Add/Edit Virtual Access Point Profile window displays.

NOTE: Options displayed change depending on your selection of other options.

Topics:

•	Virtual Access Point Schedule Settings

•	Virtual Access Point Profile Settings

•	WPA-PSK/WPA2-PSK Encryption Settings

•	Radius Server Settings (WPA-EAP/WPA2-EAP Encryption Settings)

•	WEP Encryption Settings

•	ACL Enforcement

•	Remote MAC Address Access Control Settings

Virtual Access Point Schedule Settings

 

Table 12. Virtual Access Point Schedule settings

Option	Description
VAP Schedule Name	Choose the schedule the VAP is to be in force from the drop-down menu. The default is Always On.

Virtual Access Point Profile Settings

 

Table 13. Virtual Access Point Profile settings

Option	Description
Radio Type	Set to SonicPoint by default. Retain this default setting if using SonicPoints as VAPs (currently the only supported radio type)
Name	Enter a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs.
Authentication Type	Below is a list available authentication types with descriptive features and uses for each: Open (system) • Unsecured access Shared (key) • Shared access Both • Unsecured, shared access WEP • Lower security • For use with older legacy devices, PDAs, wireless printers WPA • Good security (uses TKIP) • For use with trusted corporate wireless clients • Transparent authentication with Windows log-in • No client software needed in most cases WPA2 • Best security (uses AES) • For use with trusted corporate wireless clients • Transparent authentication with Windows log-in • Client software install may be necessary in some cases • Supports 802.11i “Fast Roaming” feature • No backend authentication needed after first log-in (allows for faster roaming) WPA2-AUTO • Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection will default to WPA.
Unicast Cipher	The unicast cipher changes, based on the authentication type: Open (system) • None Shared (key) • WEP Both (Open system & Shared key) • None • WEP WPA/WPA2/WPA2-PSK/EAP • AES • TKIP • Auto
Maximum Clients	Choose the maximum number of concurrent client connections permissible for this virtual access point. The default number is 16.

WPA-PSK/WPA2-PSK Encryption Settings

NOTE: This section displays only if WPA/WPA2/WPA2-PSK was selected for Authentication Type.

Pre-Shared Key (PSK) is available when using WPA, WPA2, or WPA-AUTO. This solution utilizes a shared key.

 

Table 14. WPA-PSK/WPA2-PSK encryption settings

Option	Description
Pass Phrase	The shared passphrase users enter when connecting with PSK-based authentication.
Group Key Interval	The time period, in seconds, for which a Group Key is valid and after which the WPA/WPA2 group key is forced to be updated. The default value is 86400 seconds (24 hours). NOTE: Setting too low of a value can cause connection issues.

Radius Server Settings (WPA-EAP/WPA2-EAP Encryption Settings)

NOTE: This section displays only if WPA/WPA2/WPA2-EAP was selected for Authentication Type.

Extensible Authentication Protocol (EAP) is available when using WPA, WPA2, or WPA2-AUTO. This solution utilizes an external 802.1x/EAP-capable RADIUS server for key generation.

 

Table 15. WPA-EAP/WPA2-EAP encryption settings

Option	Description
Radius Server Retries	The number of times SonicOS will attempt to contact the RADIUS server. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. The default number is 4.
Retry Interval (seconds)	The time, from 0 to 60 seconds, to wait between retries. The default number is 0 or no wait between retries.
Radius Server 1	The name/location of your RADIUS authentication server
Radius Server 1 Port	The port on which your RADIUS authentication server communicates with clients and network devices. The default port is 1812.
Radius Server 1 Secret	The secret passcode for your RADIUS authentication server
Radius Server 2	The name/location of your backup RADIUS authentication server
Radius Server 2 Port	The port on which your backup RADIUS authentication server communicates with clients and network devices. The default port is 1812.
Radius Server 2 Secret	The secret passcode for your backup RADIUS authentication server
Group Key Interval	The time period (in seconds) after which the WPA/WPA2 group key is forced to be updated.

WEP Encryption Settings

NOTE: This section displays only if Shared or Both was selected for Authentication Type.

WEP is provided for use with legacy devices that do not support the newer WPA/WPA2 encryption methods. WEP settings are commonly shared by VAPs within one SonicPoint radio and are configured in the SonicPoint Provisioning Profile. This solution utilizes a shared key.

 

Table 16. Shared / Both (WEP) encryption settings

Option	Description
Encryption Key	Select the key to use for WEP connections to this VAP. WEP encryption keys are configured in the SonicPoint > SonicPoints page under SonicPoint Provisioning Profiles. Choices are Key 1 (default) through Key 4.

ACL Enforcement

 

Table 17. ACL Enforcement settings

Option	Description
Enable MAC Filter List	Enforces Access Control by allowing or denying traffic from specific devices. By default, this option is not selected and all options in this section are dimmed and unavailable.
Use Global ACL Settings	Uses global ACL settings. NOTE: ACL support per Virtual Access Point is only supported by SonicPointN. If one Virtual Access Point is used by SonicPoint, global ACL configuration will be applied by default.
Allow List	Select a MAC address group to automatically allow traffic from all devices with MAC address in the group: • Create new Mac Address Object Group… – The Add Address Object Group window displays. • All MAC Addresses NOTE: It is recommended that the Allow List be set to All MAC Addresses. • Default SonicPoint ACL Allow Group • Custom MAC Address Object Groups
Deny List	Select a MAC address group from the drop-down menu to automatically deny traffic from all devices with MAC address in the group. NOTE: The Deny List is enforced before the Allow List. • Create new Mac Address Object Group… – The Add Address Object Group window displays. • No MAC Addresses • Default SonicPoint ACL Deny Group NOTE: It is recommended that the Deny List be set to Default SonicPoint ACL Deny Group. • Custom MAC Address Object Groups

Remote MAC Address Access Control Settings

NOTE: This section is not displayed if WPA/WPA2/WPA2-AUTO-EAP is selected for Authentication Type.

 

Table 18. Remote MAC Address Access Control settings

Option	Description
Enable Remote MAC Access Control	Enforces radio wireless access control based on MAC-based authentication policy in a remote Radius server. By default, this option is not selected. NOTE: If you selected other than WPA/WPA2/WPA2-AUTO-EAP for Authentication Type, selecting Enable Remote MAC Access Control displays the Radius Server Settings section.

Virtual Access Points

The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual Access Points are configured from the SonicPoint > Virtual Access Point page.

To configure an existing VAP, click the Edit icon for that VAP. To add a new VAP, click the Add… button The Add/Edit Virtual Access Point window displays.

Topics:

•	General Tab

•	Advanced Tab

General Tab

 

Table 19. Virtual Access Point General Settings

Feature	Description
Name	Create a friendly name for your VAP.
SSID	Enter an SSID name for the SonicPoints using this VAP. This name appears in wireless client lists when searching for available access points.
VLAN ID	When using platforms that support VLAN, you may optionally select a VLAN ID to associate this VAP with. Settings for this VAP will be inherited from the VLAN you select.
Enable Virtual Access Point	Enables this VAP. This option is selected by default.
Enable SSID Suppress	Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients. This option is not selected by default.

Advanced Tab

Advanced settings allows you to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user-created profile. As the Advanced tab of the Add/Edit Virtual Access Point window is the same as Add/Edit Virtual Access Point Profile window, see Virtual Access Points Profiles for complete authentication and encryption configuration information.

Virtual Access Point Groups

The Virtual Access Point Groups feature is available on SonicWALL NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s). Virtual Access Point Groups are configured from the SonicPoint > Virtual Access Point page.

Sonic Point Provisioning Profiles

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSID’s, and channels of operation. For more information, see SonicPoint Provisioning Profiles .