Configuring a VAP for Guest Access

You can use a Guest Access VAP for visiting clients to whom you wish to provide access only to untrusted (for example, Internet) network resources. Guest users will be provided a simple, temporary username and password for access. More advanced configurations also offer more permanent guest accounts, verified through a back-end database.

Topics:
Configuring a Zone

In this section, you will create and configure a new wireless zone with guest login capabilities.

1
2
Navigate to the Network > Zones page.
3
Click the Add... button to add a new zone. The Add Zone dialog displays.
General Settings Tab

4
In the General tab, enter a friendly name such as “VAP-Guest” in the Name field.
5
Select Wireless from the Security Type drop-down menu.
6
De-select the Allow Interface Trust check box to disallow communication between wireless guests.
7
Click the Wireless tab.
Wireless Tab

8
Check the Only allow traffic generated by a SonicPoint checkbox.
9
10
Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu (if applicable).
11
Click on the Guest Services tab.
Guest Services Tab

12
In the Guest Services tab, check the Enable Guest Services check box.
NOTE: In the following example, Step 13 through Step 18 are optional, they only represent a typical guest VAP configuration using guest services. Step 13 and Step 18, however, are recommended.
13
Check the Enable Dynamic Address Translation (DAT) check box to allow guest users full communication with addresses outside the local network.
14
Check the Custom Authentication Page check box and click the Configure button to configure a custom header and footer for your guest login page. The Customize Login Page dialog displays.

15
Click the OK button to save these changes.
16
Check the Post Authentication Page check box and enter a URL to redirect wireless guests to after login.
17
Check the Pass Networks check box to configure a website (such as your corporate site) that you wish to allow access to without logging in to guest services.
18
19
Click the OK button to save these changes.

Your new zone now appears in the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

Creating a Wireless LAN (WLAN) Interface

In this section you will configure one of your ports to act as a WLAN. If you already have a WLAN configured, skip to the Creating a Wireless LAN (WLAN) Interface.

1
In the Network > Interfaces page, click the Configure icon corresponding to the interface you wish to use as a WLAN. The Edit Interface dialog displays.

2
Select WLAN from the Zone drop-down list. More options appear.

3
Enter the desired IP Address for this interface.
4
In the SonicPoint Limit drop-down menu, select a limit for the number of SonicPoints. This defines the total number of SonicPoints your WLAN interface will support.
NOTE: The maximum number of SonicPoints depends on your platform. Refer to the Custom VLAN Settings to view the maximum number of SonicPoints for your platform.
5
Click the OK button to save changes to this interface.

The WLAN interface will appear in the Interface Settings list on the Network > Interfaces page.

Creating a VLAN Subinterface on the WLAN

In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the Configuring a Zone.

1
In the Network > Interfaces page, select the interface type from the Add Interface drop-down menu. The Add Interface dialog displays.

2
In the Zone drop-down menu, select the zone you created in “Configuring a Zone. In this case, we have chosen VAP-Guest.
3
Enter a VLAN Tag for this interface. This number allows the SonicPoint(s) to identify which traffic belongs to the “VAP-Guest” VLAN. You should choose a number based on an organized scheme. In this case, we choose 200 as our tag for the VAP-Guest VLAN.
4
In the Parent Interface drop-down menu, select the interface that your SonicPoint(s) are physically connected to. In this case, it is the WLAN interface.
5
Enter the desired IP Address for this subinterface.
6
Select a limit for the number of SonicPoints from the SonicPoint Limit drop-down menu. This defines the total number of SonicPoints your VLAN will support.
7
8
Click the OK button to add this subinterface.

Your VLAN subinterface now appears in the Interface Settings list.

Configuring DHCP IP Ranges

Because the number of available DHCP leases vary based on your platform, the DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. To view the maximum number of DHCP leases for your SonicWall security appliance, refer to the DHCP Server Scope.

1
Navigate to the Network > DHCP Server page.
2
In the DHCPv4 Server Lease Scopes section, locate the interface you just created; in this example, it is the X2:V200 (virtual interface 200 on the physical X2 interface) interface.

3
Click the Configure icon corresponding to the desired interface.

The Dynamic Range Configuration dialog displays.

4
Edit the Range Start and Range End fields to meet your deployment needs.
5
Click the OK button to save these changes.

Your updated DHCP lease scope now appears in the DHCP Server Lease Scopes list.

Creating a SonicPoint VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs.

1
Navigate to the SonicPoint > Virtual Access Point page.
2
Click the Add... button in the Virtual Access Point Profiles section. The Add/Edit Virtual Access Point Profile dialog displays.

3
Enter a Profile Name, such as Guest, for this VAP Profile.
4
Choose an Authentication Type. For unsecured guest access, we chose Open, which is the default.
5
Click the OK button to create this VAP Profile.

The SonicPoint Profile now appears in the Virtual Access Point Profiles list.

Creating the SonicPoint VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in Creating a VLAN Subinterface on the WLAN.

1
Navigate to the SonicPoint > Virtual Access Point page.
2
Click the Add... button in the Virtual Access Points section. The Add/Edit Virtual Access Point dialog displays.

3
In the Name field, enter a friendly name for the VAP.
4
In the SSID field, enter a SSID name for the SonicPoints using this profile. This name appears in wireless client lists when searching for available access points. In this case we chose VAP-Guest, the same name as the zone to which it will be associated.
5
Select the VLAN ID you created in VLAN Subinterfaces from the drop-down menu. In this case, we chose 200, the VLAN ID of our VAP-Guest VLAN.
6
Check the Enable Virtual Access Point box to enable this VAP on groups to which it is applied.
7
Optionally, check the Enable SSID Suppress box if you do not wish for your SSID to be seen by unauthorized wireless clients.This option is disabled by default.

This option suppresses broadcasting of the SSID name and disables responses to probe requests. A Virtual Access Point Object can suppress SSID in beacon and Probe Response for SonicPoint or internal G radio.

8
Click the Advanced Tab to edit encryption settings.

9
If you created a VAP Profile in the previous section, select that profile from the Profile Name list. We created and chose a guest profile, Guest, which uses Open as the authentication method.
10
Click the OK button to add this VAP.

Your new VAP now appears in the Virtual Access Points list.

Now that you have successfully set up your Guest configuration, you can choose to add more custom VAPs, or to deploy this configuration to your SonicPoint(s) in Deploying VAPs to a SonicPoint.