wireless_VAP
Wireless > Virtual Access Point
This chapter describes the Virtual Access Point feature and includes the following sections:
Wireless VAP Overview
This section provides an introduction to the Virtual Access Point feature for SonicWALL UTM appliances equippped with internal wireless radios.
This section contains the following subsections:
What Is a Virtual Access Point?
A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP. Before the evolution of the Virtual AP feature support, wireless networks were relegated to a One-to-One relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. In other words, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients, and if the latter were required, they would had to have been provided by a separate, distinctly configured Access Points. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identified (SSID). This allows for segmenting wireless network services within a single radio frequency footprint of a single physical access point device.
VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on a single internal wireless radio.
For more information on SonicOS Secure Wireless features, refer to the SonicWALL Secure Wireless Integrated Solutions Guide .
Benefits of Using Virtual APs
This section includes a list of benefits in using the Virtual AP feature:
• Radio Channel Conservation —Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes to avoid channel collision problem. Channel conservation. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.
• Optimize Wireless LAN Infrastructure —Share the same Wireless LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower down the capital expenditure for installation and maintenance of your WLANs. Wireless Virtual AP Configuration Task List
A Wireless VAP deployment requires several steps to configure. The following section provides first a brief overview of the steps involved, and then a more in-depth examination of the parts that make up a successful VAP deployment. This subsequent sections describe VAP deployment requirements and provides an administrator configuration task list:
Wireless VAP Configuration Overview
The following are required areas of configuration for VAP deployment:
Step 1 Zone - The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of Wireless Subnets.
Step 2 Wireless Interface - The W0 interface (and its WLAN subnets) represent the physical connections between your SonicWALL UTM appliance and the internal wireless radio. Individual zone settings are applied to these interfaces and forwarded to the wireless radio.
Step 3 DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most wireless deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.
Step 4 Virtual Access Point Profile - The VAP Profile feature allows for creation of wireless configuration profiles which can be easily applied to new wireless Virtual Access Points as needed.
Step 5 Virtual Access Point - The VAP Objects feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings.
Step 6 Virtual Access Point Group - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to a sinlge internal wireless radio.
Step 7 Assign VAP Group to Internal Wireless Radio - The VAP Group is applied to the internal wireless radio and made available to users through multiple SSIDs. Network Zones
This section contains the following subsections:
A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network zones are configured from the Network > Zones page.
For detailed information on configuring zones, see Chapter 18, Network > Zones .
The Wireless Zone
The Wireless zone type, of which the “WLAN Zone” is the default instance, provides support to SonicWALL wireless radio. When an interface or subinterface is assigned to a Wireless zone, the interface can enforce security settings above the 802.11 layer, including WiFiSec Enforcement, SSL VPN redirection, Guest Services, Lightweight Hotspot Messaging and all licensed Deep Packet Inspection security services.
Custom Wireless Zone Settings
Although SonicWALL provides the pre-configured Wireless zone, administrators also have the ability to create their own custom wireless zones. When using VAPs, several custom zones can be applied to a single wireless radio. The following three sections describe settings for custom wireless zones:
General
Select Wireless in order to enable and access wireless security options.
Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Guest Services.
SonicWALL Security Services
Select the security services you wish to enforce on this zone. This allows you to extend your SonicWALL UTM security services to your wireless users.
Wireless
Only allow traffic generated by a SonicPoint
Restricts traffic on this zone to internally-generated traffic only.
Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic. Note: Wireless traffic that is tunneled through an SSL VPN will appear to originate from the SSL VPN rather than from the Wireless zone.
SSL VPN Server - Select the Address Object representing the SSL VPN appliance to which you wish to redirect wireless traffic.
SonicPoint Provisioning Profile
Select a predefined SonicPoint Provisioning Profile to be applied to all current and future SonicPoints on this zone.
SonicPointN Provisioning Profile
Select a predefined SonicPointN Provisioning Profile to be applied to all current and future SonicPoints on this zone.
Guest Services
The Enable Guest Services option allows the following guest services to be applied to a zone:
Enable inter-guest communication
Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each other.
Bypass AV Check for Guests
Enable Dynamic Address Translation (DAT)
Dynamic Address Translation (DAT) allows the SonicPoint to support any IP addressing scheme for Guest Services users.
If this option is disabled (unchecked), wireless guest users must either have DHCP enabled, or an IP addressing scheme compatible with the SonicPoint’s network settings.
Enable External Guest Authentication
Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.
Redirects users to a custom authentication page when they first connect to a SonicPoint in the Wireless zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the filed.
Bypass Guest Authentication
Allows a SonicPoint running Guest Services to integrate into environments already using some form of user-level authentication. This feature automates the Guest Services authentication process, allowing wireless users to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from.
Automatically allows traffic through the Wireless zone from the networks you select.
Specifies the maximum number of guest users allowed to connect to the Wireless zone. The default is 10.
Wireless LAN Subnets
A Wireless LAN (WLAN) subnet allows you to split a single wireless radio interface (W0) into many virtual network connections, each carrying its own set of configurations. The WLAN subnet solution allows each VAP to have its own virtual separate subinterface, even though there is only a single 802.11 radio.
WLAN subnets have several key capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from WLAN subnets at this time are VPN policy binding, WAN dynamic client support, and multicast support.
WLAN subnets are configured from the Network > Interfaces page.
Custom Wireless Subnet Settings
The table below lists configuration parameters and descriptions for wireless subnets:
Select a pre-defined or custom zone. Only zones with security type of “wireless” are available for selection.
Create an IP address and Subnet Mask in accordance with your network configuration.
The number of radios supported in your deployment, the default value is 1 SonicPoint.
Select the protocols you wish to use when managing this subnet.
Select the protocols you will make available to clients who access this subnet.
Select the Create default DHCP Lease Scope option to enable DHCP on this subnet, along with the default number of available leases. Read the “DHCP Server Scope” section for more information on DHCP lease requirements.
DHCP Server Scope
The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. Take care in making these settings manually, as a scope of 200 addresses for multiple interfaces that will only use 30 can lead to connection issues due to lease exhaustion.
The DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. DHCP Server Scope is set from the Network > DHCP Server page.
Virtual Access Point Profiles
A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the Wireless > Virtual Access Point page.
This feature is especially useful for quick setup in situations where multiple virtual access points will share the same authenticaiton methods.
Virtual Access Point Profile Settings
The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:
Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs.
Set to Wireless-Internal-Radio by default. Retain this default setting if using the internal radio for VAP access (currently the only supported radio type)
Below is a list available authentication types with descriptive features and uses for each:
• No backend authentication needed after first log-in (allows for faster roaming)
• Tries to connect using WPA2 security, if the client is not WPA2 capable, the connection will default to WPA. The unicast cipher will be automatically chosen based on the authentication type.
The multicast cipher will be automatically chosen based on the authentication type.
Choose the maximum number of concurrent client connections permissible for this virtual access point.
WPA-PSK / WPA2-PSK Encryption Settings
Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.
The shared passphrase users will enter when connecting with PSK- based authentication.
The time period for which a Group Key is valid. The default value is 86400 seconds. Setting to low of a value can cause connection issues.
WPA-EAP / WPA2-EAP Encryption Settings
Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1x/EAP capable RADIUS server for key generation.
RADIUS Server 1 Port
The port on which your RADIUS authentication server communicates with clients and network devices.
RADIUS Server 1 Secret
The name/location of your backup RADIUS authentication server
RADIUS Server 2 Port
The port on which your backup RADIUS authentication server communicates with clients and network devices.
RADIUS Server 2 Secret
The secret passcode for your backup RADIUS authentication server
The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.
Virtual Access Points
The VAP Settings feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings. Virtual Access Points are configured from the Wireless > Virtual Access Point page.
General VAP Settings
Select a subnet name to associate this VAP with. Settings for this VAP will be inherited from the subnet you select from this list.
Enable Virtual Access Point
Enable SSID Suppress
Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by
unauthorized wireless clients.Advanced VAP Settings
Advanced settings allows the administrator to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user created profile. See “Virtual Access Point Profiles” section for complete authentication and encryption configuration information.
Virtual Access Point Groups
The Virtual Access Point Groups feature is available on SonicWALL NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your internal wireless radio. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page.
Enabling the Virtual Access Point Group
After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Internal AP Group .
After this selection has been made and applied.
VAP Sample Configuration
This section provides configuration examples based on real-world wireless needs. This section contains the following subsections:
Configuring a VAP for School Faculty Access
You can use a VAP for a set of users who are commonly in the office, on campius, and to whom should be given full access to all network resources, providing that the connection is authenticated and secure. These users would already belong to the network’s Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS – Internet Authentication Services. This section contains the following subsection:
Configuring a Zone
In this section you will create and configure a new corporate wireless zone with SonicWALL UTM security services and enhanced WiFiSec/WPA2 wireless security.
Step 2 In the left-hand menu, navigate to the Network > Zones page.
Step 3 Click the Add... button to add a new zone. General Settings Tab
Step 1 In the General tab, enter a friendly name such as “WLAN_Faculty” in the Name field.
Step 2 Select Wireless from the Security Type drop-down menu.
Step 3 Select the Allow Interface Trust checkbox to allow communication between faculty users.
Step 4 Select checkboxes for all of the security services you would normally apply to faculty on the wired LAN. Wireless Settings Tab
Step 1 In the Wireless tab, check the Only allow traffic generated by a SonicPoint / SonicPointN checkbox.
Step 2 Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu (if applicable).
Step 3 Click the OK button to save these changes. Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step. Creating a New Wireless Subnet
In this section you will create and configure a new wireless subnet on your current WLAN. This wireless subnet will be linked to the zone you created in the “Configuring a Zone” section .
Step 1 In the Network > Interfaces page, click the Add WLAN Subnet button.
Step 2 In the Zone drop-down menu, select the zone you created in “Configuring a Zone ” . In this case, we have chosen WLAN_Faculty .
Step 3 Enter a Subnet Name for this interface. This name allows the internal wireless radio to identify which traffic belongs to the “WLAN_Faculty” subnet. In this case, we choose Faculty as our subnet name.
Step 4 Enter the desired IP Address for this subinterface.
Step 5 Optionally, you may add a comment about this subinterface in the Comment field.
Step 6 If you intend to use this interface, ensure that the Create default DHCP Lease Scope option is checked. This option automatically creates a new DHCP lease scope for this subnet with 33 addresses. This setting can be adjusted later on the Network > DHCP page.
Step 7 Click the OK button to add this subinterface. Your WLAN Subnet interface now appears in the Interface Settings list.
Creating a Wireless VAP Profile
In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This section is optional, but will facilitate greater ease of use when configuring multiple VAPs.
Step 1 In the left-hand menu, navigate to the Wireless > Virtual Access Point page.
Step 2 Click the Add... button in the Virtual Access Point Profiles section.
Step 3 Enter a Profile Name such as “Corporate-WPA2” for this VAP Profile.
Step 4 Select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (Set below).
Step 5 In the Maximum Clients field, enter the maximum number of concurrent connections VAP will support.
Step 6 In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the new subnet.
Step 7 Click the OK button to create this VAP Profile. Creating the Wireless VAP
In this section, you will create and configure a new Virtual Access Point and associate it with the wireless subnet you created in “Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step. Creating a New Wireless Subnet” section .
General Tab
Step 1 In the left-hand menu, navigate to the Wireless > Virtual Access Point page.
Step 2 Click the Add... button in the Virtual Access Points section.
Step 3 Enter a default name ( SSID ) for the VAP. In this case we chose Campus_Faculty . This is the name users will see when choosing a wireless network to connect with.
Step 4 Select the Subnet Name you created in “Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step. Creating a New Wireless Subnet” section from the drop-down list. In this case we chose Faculty , the name of our WLAN_Faculty subnet.
Step 5 Check the Enable Virtual Access Point checkbox to enable this access point upon creation.
Step 6 Check the Enable SSID Suppress checkbox to hide this SSID from users.Click the OK button to add this VAP. Your new VAP now appears in the Virtual Access Points list.
Advanced Tab (Authentication Settings)
Step 1 Click the Advanced Tab to edit encryption settings. If you created a VAP Profile in the previous section, select that profile from the Profile Name list. We created and choose a “Corporate-WPA2” profile, which uses WPA2-AUTO-EAP as the authentication method. If you have not set up a VAP Profile, continue with steps 2 through 4. Otherwise, continue to Create More / Deploy Current VAPs .
Step 2 In the Advanced tab, select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (Set below).
Step 3 In the Maximum Clients field, enter the maximum number of concurrent connections VAP will support.
Step 4 In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the wireless subnet. Create More / Deploy Current VAPs
Now that you have successfully set up a wireless subnet for faculty access, you can choose to add more custom VAPs, or to deploy this configuration to your internal wireless radio in the “Deploying VAPs to the Wireless Radio” section .
Tip Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously by following the steps in the “Deploying VAPs to the Wireless Radio” section .