Policy Configuration : Overview of Interfaces

Configuring the WLAN Zone
The Add Zone or Edit Zone screens for WLAN zones contain two tabs that are not available for other zones. This section describes the settings on the Wireless and Guest Services tabs of the Add or Edit Zone screens. For instructions about WLAN configuration settings on the General tab, see Configuring Zones.
To configure specific wireless-zone settings:
1
2. In the Network > Zones pages, click the Add New Zone or the Edit icon for the WLAN zone.
3
4. Click the Wireless tab.
 
5. On the Wireless tab, select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This provides maximum security for your WLAN. Uncheck this option if you want to allow any traffic on your WLAN Zone, regardless of whether it comes from a wireless connection.
6. Select SRA Enforcement to require that all traffic entering the WLAN Zone be authenticated through a SonicWALL SRA appliance. If you select both SRA Enforcement and WiFiSec Enforcement, the Wireless zone allows traffic authenticated by either an SRA or an IPsec VPN.
7. In the SRA Server list, select an address object to direct traffic to the SonicWALL SRA appliance.
8. In the SRA Service list, select the service or group of services you want to allow for clients authenticated through the SRA.
9. Select WiFiSec Enforcement to require that all traffic entering the WLAN Zone interface be either IPsec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients connected to SonicPoints attached to an interface belonging to a Zone on which WiFiSec is enforced are required to use the strong security of IPsec. The VPN connection inherent in WiFiSec terminates at the “WLAN GroupVPN”, which you can configure independently of “WAN GroupVPN” or other Zone GroupVPN instances. If you select both WiFiSec Enforcement and SRA Enforcement, the Wireless zone allows traffic authenticated by either an SRA or an IPsec VPN.
10. If you have enabled WiFiSec Enforcement, you can specify services that are allowed to bypass the WiFiSec enforcement by checking WiFiSec Exception Service and then selecting the service you want to exempt from WiFiSec enforcement.
11. If you have enabled WiFiSec Enforcement, you can select Require WiFiSec for Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections through the WLAN zone that are part of a site-to-site VPN.
12. Select Trust WPA traffic as WiFiSec to accept WPA as an allowable alternative to IPsec. Both WPA-PSK (Pre-shared key) and WPA-EAP (Extensible Authentication Protocol using an external 802.1x/EAP capable RADIUS server) are supported on SonicPoints.
13. Under the SonicPoint Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it is automatically provisioned with the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
14. Click the Guest Services tab. You can choose from the following configuration options for Wireless Guest Services:
 
Enable Wireless Guest Services—Enables guest services on the WLAN zone.
Enforce Guest Login over HTTPS—Requires guests to use HTTPS instead of HTTP to access the guest services.
Enable inter-guest communication—Allows guests connecting to SonicPoints in this WLAN Zone to communicate directly and wirelessly with each other.
Bypass AV Check for Guests—Allows guest traffic to bypass Anti-Virus protection.
Enable External Guest Authentication—Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
NOTE: Refer to the SonicWALL Lightweight Hotspot Messaging tech note available at the SonicWALL documentation Web site https://support.software.dell.com/download/downloads?id=5447759 for complete configuration of the Enable External Guest Authentication feature.
Custom Authentication Page—Redirects you to a custom authentication page when you first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
Post Authentication Page—Directs you to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
Bypass Guest Authentication—Allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
Redirect SMTP traffic to—Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
Deny Networks—Blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
Pass Networks—Automatically allows traffic through the WLAN zone from the networks you select.
Max Guests—Specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.
Enable Dynamic Address Translation (DAT)—Wireless Guest Services (WGS) provides spur of the moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the SonicWALL appliance Wireless DHCP services, and authenticate using any Web browser. Without DAT, if a WGS user is not a DHCP client, but instead has static IP settings incompatible with the Wireless WLAN network settings, network connectivity is prevented until the user’s settings change to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that allows the SonicWALL Wireless to support any IP addressing scheme for WGS users. For example, suppose the SonicWALL Wireless WLAN interface is configured with an address of 172.16.31.1, one WGS client has a static IP address of 192.168.0.10 and a default gateway of 192.168.0.1, and another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1. DAT enables network communication for both of these clients.
15. Click OK to apply these settings to the WLAN zone.
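The Wireless and Guest Services options interact: selecting more than one enforcement option widens what the zone accepts, and several guest options relax protection. The following added example (not SonicWALL code) reviews one zone's settings for those combinations; the dictionary keys are hypothetical labels for the checkboxes above, not a SonicOS export format, and `upstream_auth` is an assumed field recording whether another device enforces authentication.

```python
# Added example: field names are hypothetical labels for the checkboxes
# described above, not a SonicOS export format or API.

def accepted_paths(zone):
    """Return the ways non-guest traffic can satisfy enforcement on the zone."""
    paths = set()
    if zone.get("sra_enforcement"):
        paths.add("SRA")
    if zone.get("wifisec_enforcement"):
        paths.add("IPsec")
        # Assumption: trusting WPA only matters while WiFiSec is enforced.
        if zone.get("trust_wpa_as_wifisec"):
            paths.add("WPA")  # WPA-PSK or WPA-EAP accepted in place of IPsec
    return paths

def audit_wlan_zone(zone):
    """Return a list of findings for one WLAN zone settings dict."""
    findings = []
    paths = accepted_paths(zone)
    if not zone.get("only_sonicpoint_traffic"):
        findings.append("traffic not generated by a SonicPoint is allowed in")
    if not paths:
        findings.append("neither SRA nor WiFiSec enforcement is enabled")
    elif len(paths) > 1:
        # Selecting several options widens access: any one path is enough.
        findings.append("any of these is accepted: " + ", ".join(sorted(paths)))
    if zone.get("wifisec_enforcement"):
        for svc in zone.get("wifisec_exception_services", []):
            findings.append(f"service '{svc}' bypasses WiFiSec enforcement")
    if zone.get("guest_services"):
        if not zone.get("guest_login_https"):
            findings.append("guest login is not forced over HTTPS")
        if zone.get("inter_guest_communication"):
            findings.append("guests can communicate directly with each other")
        if zone.get("bypass_av_for_guests"):
            findings.append("guest traffic bypasses Anti-Virus protection")
        if zone.get("bypass_guest_auth") and not zone.get("upstream_auth"):
            findings.append("guest authentication bypassed, no upstream enforcement")
    return findings

# Constructed sample zone, for illustration only.
SAMPLE_ZONE = {
    "only_sonicpoint_traffic": True, "sra_enforcement": True,
    "wifisec_enforcement": True, "trust_wpa_as_wifisec": True,
    "wifisec_exception_services": ["DNS"], "guest_services": True,
    "guest_login_https": False, "bypass_guest_auth": True,
}

if __name__ == "__main__":
    print("\n".join(audit_wlan_zone(SAMPLE_ZONE)))
```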