Policies_SonicPoint_SonicPoints_Snwls
The SonicPoint section of GMS lets you manage the SonicPoints connected to your system.
Before you can manage SonicPoints in GMS, you must first:
• Configure your SonicPoint Provisioning Profiles
• Configure a Wireless zone
• Assign profiles to wireless zones
This step is optional. If you do not assign a default profile for a zone, SonicPoints in that zone will use the first profile in the list.
• Assign an interface to the Wireless zone
• Attach the SonicPoints to the interfaces in the Wireless zone
• Test SonicPoints
SonicPoint Provisioning Profiles
SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. A SonicPoint profile definition includes every setting that can be configured on a SonicPoint, such as the radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation.
Once you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless zone can be configured with one SonicPoint profile. Any profile can apply to any number of zones.
Table 9 Default SonicPoint Profile
Configuring a SonicPoint Profile
The SonicPoint profile configuration process for 802.11n is slightly different from that for 802.11a or 802.11g. The following sections describe how to configure SonicPoint profiles:
• Configuring a SonicPointN Profile for 802.11n
• Configuring a SonicPoint Profile for 802.11a or 802.11g
Configuring a SonicPointN Profile for 802.11n
You can add any number of SonicPoint profiles. To configure a SonicPoint provisioning profile:
1. To add a new profile click Add SonicPointN below the list of SonicPoint 802.11n provisioning profiles. To edit an existing profile, select the profile and click the Configure icon in the same line as the profile you are editing.
2. In the General tab of the Add Profile window, specify:
– Enable SonicPoint: Check this to automatically enable each SonicPoint when it is provisioned with this profile.
– Retain Settings: Check this to have the SonicPointNs provisioned by this profile retain these settings after they are deleted and re-synchronized. Click the Edit button to specify the categories of settings that will be retained.
– Name Prefix: Enter a prefix for the names of all SonicPointNs connected to this zone. When each SonicPointN is provisioned it is given a name that consists of the name prefix and a unique number, for example: “SonicPoint 126008.”
– Country Code: Select the country where you are operating the SonicPointNs. The country code determines which regulatory domain the radio operation falls under.
– 802.11n Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPointNs to a VAP. This pull-down menu also allows you to create a new VAP group. For more information on VAPs, refer to Using and Configuring Virtual Access Points.
3. In the 802.11n tab, configure the radio settings for the 802.11n radio:
– Enable Radio: Check this to automatically enable the 802.11n radio bands on all SonicPoints provisioned with this profile.
– Radio Mode: Select your preferred radio mode from the Radio Mode menu. The wireless security appliance supports the following modes:
• 2.4GHz 802.11n Only - Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
• 2.4GHz 802.11n/g/b Mixed - Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
Tip For optimal throughput when all clients are 802.11n, SonicWALL recommends the 802.11n Only radio mode. Use the 802.11n/g/b Mixed radio mode when clients of several generations must be able to associate.
• 2.4GHz 802.11g Only - If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.
• 5 GHz 802.11n Only - Allows only 802.11n clients access to your wireless network. 802.11a clients are unable to connect under this restricted radio mode.
• 5 GHz 802.11n/a Mixed - Supports 802.11n and 802.11a clients simultaneously. If your wireless network comprises both types of clients, select this mode.
• 5 GHz 802.11a Only - Select this mode if only 802.11a clients access your wireless network.
– SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients’ lists of available wireless connections.
Note If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed:
– Radio Band (802.11n only): Sets the channel width for the 802.11n radio:
• Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
• Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel pull-down menu is displayed.
– Standard Channel - This pull-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help avoid interference with other wireless networks in the area.
• Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel pull-down menus are displayed:
– Primary Channel - By default this is set to Auto. Optionally, you can specify a specific primary channel.
– Secondary Channel - The configuration of this pull-down menu is controlled by your selection for the primary channel:
• If the primary channel is set to Auto, the secondary channel is also set to Auto.
• If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
– Enable Short Guard Interval: Uses the short guard interval of 400 ns instead of the standard 800 ns. The guard interval is a pause between transmitted symbols intended to avoid data loss from interference or multipath delays.
– Enable Aggregation: Enables 802.11n frame aggregation, which combines multiple frames into one transmission to reduce overhead and increase throughput.
Tip The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, etc.), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
– ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with a MAC address in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with a MAC address in the group. The Deny list is enforced before the Allow list. A client's MAC address is trivially changed, so treat the ACL as a supplement to WPA2 authentication, not as a substitute for it.
4. In the Wireless Security section of the 802.11n Radio tab, configure the following settings:
– Authentication Type: Select the method of authentication for your wireless network. You can select WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, and WPA2-AUTO-EAP. The WEP options exist only for legacy clients: WEP keys can be recovered from captured traffic, so any profile that carries confidential traffic should use WPA2 (EAP with a RADIUS server where possible, otherwise PSK with a long passphrase). The WPA2-AUTO modes accept both WPA and WPA2 clients; choose them only while WPA-only clients remain.
WEP Configuration
– WEP Key Mode: Select the size of the encryption key.
– Default Key: Select which key in the list below is the default key, which will be tried first when trying to authenticate a user.
– Key Entry: Select whether the key is alphanumeric or hexadecimal.
– Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most likely to be used in the slot you selected as the default key.
WPA or WPA2 Configuration:
– Cipher Type: The cipher that encrypts your wireless data. Choose either TKIP (older, more compatible), AES (newer, more secure), or Both (backward compatible). TKIP was a stop-gap for WEP-era hardware and has known weaknesses; select AES unless a client that cannot use it must be supported.
– Group Key Interval: The time period for which a Group Key is valid. The default value is 86400 seconds. Setting too low a value can cause connection issues.
– Passphrase (PSK only): This is the passphrase your network users must enter to gain network access.
– RADIUS Server Settings (EAP Only): Configure settings for your RADIUS authentication server.
5. In the Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.
– Hide SSID in Beacon: Check this option to suppress the SSID in beacon frames so that the network name is not advertised; clients must then know the SSID to connect. This is not a security control: the SSID is still sent in clear text in probe and association frames, so it must not be relied on in place of WPA2 authentication.
– Schedule IDS Scan: Select a time when there are fewer demands on the wireless network to schedule an Intrusion Detection Service (IDS) scan to minimize the inconvenience of dropped wireless connections.
– Data Rate: Select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate.
– Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
– Antenna Diversity: The Antenna Diversity setting determines which antenna the SonicPoint uses to send and receive data. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal.
– Beacon Interval (milliseconds): Enter the number of milliseconds between sending out a wireless beacon.
– DTIM Interval: Enter the number of beacon intervals between Delivery Traffic Indication Messages (DTIMs), which tell power-saving clients that buffered broadcast or multicast traffic is waiting for them.
– Fragmentation Threshold (bytes): Enter the frame size above which frames are split into fragments before transmission. Smaller fragments survive interference better, at the cost of extra overhead.
– RTS Threshold (bytes): Enter the frame size above which the SonicPoint performs an RTS/CTS handshake before transmitting, which reduces collisions with stations it cannot hear directly.
– Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time.
– Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host. You can select Long or Short.
– Protection Mode: Select the CTS or RTS protection. Select None, Always, or Auto. None is the default.
– Protection Rate: Select the speed for the CTS or RTS protection: 1 Mbps, 2 Mbps, 5.5 Mbps, or 11 Mbps.
– Protection Type: Select the type of protection, CTS-only or RTS-CTS.
– Enable Short Slot Time: Use the shorter 9 µs slot time permitted for 802.11g-only networks instead of the 20 µs 802.11b slot time, which improves throughput when no 802.11b clients are present.
– Allow Only 802.11g Clients to Connect: Use this if you are using Turbo G mode and therefore are not allowing 802.11b clients to connect.
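The Wireless Security choices in step 4 and the ACL Enforcement option in step 3 are the settings most worth checking across many profiles. The following Python script is an added example, not GMS or SonicWALL code: it models a profile with the menu values listed above, flags the weak combinations (WEP, WPA rather than WPA2, a non-AES cipher, a short PSK, a hidden SSID or a MAC ACL relied on as a control), and applies an Allow/Deny list in the order the page states, Deny first. The Profile field names, the MIN_PSK_LEN threshold, the three sample profiles and the rule that an empty Allow list means only the Deny list applies are assumptions made for the example.

```python
"""Audit the wireless-security settings of SonicPoint provisioning profiles.

Added example, not SonicWALL/GMS code.  The Profile fields mirror the menu
values listed on this page; MIN_PSK_LEN, the sample profiles and the handling
of an empty Allow list are assumptions made for the example.
"""
from dataclasses import dataclass, field

WEP_MODES = {"WEP - Both", "WEP - Open System", "WEP - Shared Key"}
WPA1_MODES = {"WPA - PSK", "WPA - EAP"}
PSK_MODES = {"WPA - PSK", "WPA2-PSK", "WPA2-AUTO-PSK"}
MIN_PSK_LEN = 12          # assumption: shortest passphrase this audit accepts
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass
class Profile:
    name: str
    auth_type: str                 # an Authentication Type menu entry
    cipher: str = "AES"            # Cipher Type: TKIP, AES or Both
    passphrase: str = ""           # Passphrase (PSK only)
    hide_ssid: bool = False        # Hide SSID in Beacon
    acl_enforcement: bool = False  # ACL Enforcement
    allow_list: set = field(default_factory=set)   # MACs in the Allow List group
    deny_list: set = field(default_factory=set)    # MACs in the Deny List group


def norm_mac(mac):
    """Canonical form so aa-bb-.., aabb.cc.. and AA:BB:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def acl_permits(profile, client_mac):
    """ACL Enforcement as the page describes it: the Deny list is checked first."""
    if not profile.acl_enforcement:
        return True
    mac = norm_mac(client_mac)
    if mac in {norm_mac(m) for m in profile.deny_list}:
        return False
    if profile.allow_list:        # assumption: no Allow list selected => Deny list only
        return mac in {norm_mac(m) for m in profile.allow_list}
    return True


def audit(profile):
    """Return (severity, message) findings for one profile, worst first."""
    found = []
    if profile.auth_type in WEP_MODES:
        found.append(("critical", "WEP: keys are recoverable from captured traffic; use WPA2"))
    elif profile.auth_type in WPA1_MODES:
        found.append(("high", "WPA (not WPA2) authentication; move to WPA2-EAP or WPA2-PSK"))
    elif profile.auth_type.startswith("WPA2-AUTO"):
        found.append(("medium", "WPA2-AUTO also admits WPA clients; prefer WPA2 only"))
    if profile.auth_type not in WEP_MODES and profile.cipher != "AES":
        found.append(("high", f"Cipher Type {profile.cipher}: TKIP is negotiable; set AES"))
    if profile.auth_type in PSK_MODES and len(profile.passphrase) < MIN_PSK_LEN:
        found.append(("high", "short PSK: a captured 4-way handshake can be brute-forced offline"))
    if profile.hide_ssid:
        found.append(("info", "hidden SSID is not a security control; it is sent in probe/association frames"))
    if profile.acl_enforcement:
        found.append(("info", "MAC ACL: addresses are trivially spoofed; keep WPA2 as the real control"))
    return sorted(found, key=lambda f: SEVERITY[f[0]])


# Constructed sample profiles for the example run.
SAMPLES = [
    Profile("Legacy-G", "WEP - Shared Key", cipher="TKIP", hide_ssid=True),
    Profile("Guest", "WPA2-AUTO-PSK", cipher="Both", passphrase="guest123"),
    Profile("Corp", "WPA2-EAP", acl_enforcement=True,
            allow_list={"00-17-C5-AA-BB-CC"}, deny_list={"0017.c5dd.eeff"}),
]


def audit_all(profiles=SAMPLES):
    """Audit every profile; returns {profile name: findings}."""
    return {p.name: audit(p) for p in profiles}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
    print("Corp admits 00:17:c5:aa:bb:cc:", acl_permits(SAMPLES[2], "00:17:c5:aa:bb:cc"))
```

The MAC normalisation matters in practice: GMS address groups, switch exports and client inventories write the same address in different notations, and an ACL compared as raw strings silently fails to match.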
When a SonicPoint unit is first connected and powered up, it has the factory default configuration (IP address 192.168.1.20, username: admin, password: password). Upon initializing, it attempts to find a SonicOS device with which to peer. If it is unable to find a peer SonicOS device, it enters a stand-alone mode of operation with a separate stand-alone configuration that allows it to operate as a standard Access Point. A unit left in stand-alone mode is reachable with these published default credentials, so do not leave an unpeered SonicPoint on a production segment without changing them.
If the SonicPoint does locate, or is located by a peer SonicOS device, via the SonicWALL Discovery Protocol, an encrypted exchange between the two units will ensue wherein the profile assigned to the relevant Wireless zone will be used to automatically configure (provision) the newly added SonicPoint unit.
As part of the provisioning process, SonicOS will assign the discovered SonicPoint device a unique name, and it will record its MAC address and the interface and zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS will then use the profile associated with the relevant zone to configure the 2.4GHz and 5GHz radio settings.
Modifications to profiles will not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways:
• Via manual configuration changes – Appropriate when a single change, or a small set of changes, is to be made, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.
• Via un-provisioning – Deleting a SonicPoint unit effectively un-provisions the unit, that is, clears its configuration and places it into a state where it will automatically engage the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed, and the change is to be propagated. It can be used to update firmware on SonicPoints, or simply to update multiple SonicPoint units automatically and in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause service disruptions.
Configuring a SonicPoint Profile for 802.11a or 802.11g
You can add any number of SonicPoint profiles. To configure a SonicPoint provisioning profile:
1. To add a new profile click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing.
2. In the General tab of the Add Profile window, specify:
– Enable SonicPoint: Check this to automatically enable each SonicPoint when it is provisioned with this profile.
– Retain Settings: Check this to have the SonicPoints provisioned by this profile retain these settings after they are deleted and re-synchronized. Click the Edit button to specify the categories of settings that will be retained.
– Enable RF Monitoring: Check this to enable RF monitoring on the SonicPoints.
– Name Prefix: Enter a prefix for the names of all SonicPoints connected to this zone. When each SonicPoint is provisioned it is given a name that consists of the name prefix and a unique number, for example: “SonicPoint 126008.”
– Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
– 802.11g Virtual AP Group and 802.11a Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPoints to a VAP. This pull-down menu allows you to create a new VAP group. For more information on VAPs, see Using and Configuring Virtual Access Points.
3. In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio:
– Enable 802.11g Radio: Check this to automatically enable the 802.11g radio on all SonicPoints provisioned with this profile.
– SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients’ lists of available wireless connections.
Note If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
– Radio Mode: Select the speed of the wireless connection. You can choose 11Mbps - 802.11b, 54 Mbps - 802.11g, or 108 Mbps - Turbo G mode. If you choose Turbo mode, all users in your company must use wireless access cards that support turbo mode.
– Channel: Select the channel the radio will operate on. The default is AutoChannel, which automatically selects the channel with the least interference. Use AutoChannel unless you have a specific reason to use or avoid specific channels.
– ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with MAC address in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with MAC address in the group. The deny list is enforced before the Allow list.
– Authentication Type: Select the method of authentication for your wireless network. You can select WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, and WPA2-AUTO-EAP. The WEP options are provided for legacy clients only and offer no real confidentiality; use WPA2 with AES wherever the clients allow it.
– WEP Key Mode: Select the size of the encryption key.
– Default Key: Select which key in the list below is the default key, which will be tried first when trying to authenticate a user.
– Key Entry: Select whether the key is alphanumeric or hexadecimal.
– Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most likely to be used in the slot you selected as the default key.
4. In the 802.11g Advanced tab, configure the performance settings for the 802.11g radio. For most 802.11g advanced options, the default settings give optimum performance.
– Hide SSID in Beacon: Check this option to suppress the SSID in beacon frames so that the network name is not advertised; clients must then know the SSID to connect. This is not a security control: the SSID is still sent in clear text in probe and association frames.
– Schedule IDS Scan: Select a time when there are fewer demands on the wireless network to schedule an Intrusion Detection Service (IDS) scan to minimize the inconvenience of dropped wireless connections.
– Data Rate: Select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate.
– Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
– Antenna Diversity: The Antenna Diversity setting determines which antenna the SonicPoint uses to send and receive data. You can select:
• Best: This is the default setting. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
• 1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply.
• 2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.
– Beacon Interval (milliseconds): Enter the number of milliseconds between sending out a wireless beacon.
– DTIM Interval: Enter the number of beacon intervals between Delivery Traffic Indication Messages (DTIMs), which tell power-saving clients that buffered broadcast or multicast traffic is waiting for them.
– Fragmentation Threshold (bytes): Enter the frame size above which frames are split into fragments before transmission. Smaller fragments survive interference better, at the cost of extra overhead.
– RTS Threshold (bytes): Enter the frame size above which the SonicPoint performs an RTS/CTS handshake before transmitting, which reduces collisions with stations it cannot hear directly.
– Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time.
– Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host. You can select Long or Short.
– Protection Mode: Select the CTS or RTS protection. Select None, Always, or Auto. None is the default.
– Protection Rate: Select the speed for the CTS or RTS protection: 1 Mbps, 2 Mbps, 5.5 Mbps, or 11 Mbps.
– Protection Type: Select the type of protection, CTS-only or RTS-CTS.
– CCK OFDM Power Delta: Select the difference in radio transmit power you will allow between the 802.11b and 802.11g modes: 0 dBm, 1 dBm, or 2 dBm.
– Enable Short Slot Time: Use the shorter 9 µs slot time permitted for 802.11g-only networks instead of the 20 µs 802.11b slot time, which improves throughput when no 802.11b clients are present.
– Allow Only 802.11g Clients to Connect: Use this if you are using Turbo G mode and therefore are not allowing 802.11b clients to connect.
5. Configure the settings in the 802.11a Radio and 802.11a Advanced tabs. These settings affect the operation of the 802.11a radio bands. The SonicPoint has two separate radios built in. Therefore, it can send and receive on both the 802.11a and 802.11g bands at the same time.
The settings in the 802.11a Radio and 802.11a Advanced tabs are similar to the settings in the 802.11g Radio and 802.11g Advanced tabs. Follow the instructions in step 3 and step 4 in this procedure to configure the 802.11a radio.
You can change the settings of any individual SonicPoint listed on the SonicPoint > SonicPoints page.
Edit SonicPoint settings
To edit the settings of an individual SonicPoint:
1. Under SonicPoint Settings, click the Edit icon in the same line as the SonicPoint you want to edit.
2. In Edit SonicPoint screen, make the changes you want. The Edit SonicPoint screen has the following tabs:
– General
– 802.11a Radio
– 802.11a Advanced
– 802.11g Radio
– 802.11g Advanced
The options on these tabs are the same as the Add SonicPoint Profile screen. Refer to the SonicPoint Provisioning Profiles for instructions on configuring these settings.
3. Click OK to apply these settings.
Synchronize SonicPoints
Click Synchronize SonicPoints at the top of the SonicPoint > SonicPoints page to update the settings for each SonicPoint reported on the page. When you click Synchronize SonicPoints, SonicOS polls all connected SonicPoints and displays updated settings on the page.
Enable and Disable Individual SonicPoints
You can enable or disable individual SonicPoints on the SonicPoint > SonicPoints page:
1. Check the box under Enable to enable the SonicPoint, uncheck the box to disable it.
2. Click Apply at the top of the SonicPoint > SonicPoints page to apply this setting to the SonicPoint.
GMS now supports scheduling activation of both 802.11a Radio and 802.11g Radio devices. To schedule these devices, perform the following steps:
1. Navigate to the Policies Panel.
2. Select either a SonicPoint G or SonicPoint A device in the unit list.
3. In the Navigation Bar, click the SonicPoint menu to display SonicPoint options.
4. Click the SonicPoints option.
GMS displays the SonicPoints dialog box.
5. Click on an existing SonicPoint device in the device list or click Add.
GMS displays the SonicPoint Profile dialog box containing a series of tabs.
6. Click either the 802.11g Radio or 802.11a Radio Tab, depending on which device you want to schedule.
7. Click the Schedule list box at the top of the screen, to the right of the Enable checkbox, and select the schedule during which the radio is to be active.
The following figure is an example of a scheduling list box (for 802.11g).
SonicOS Enhanced 2.5 (or greater) contains an image of the SonicPoint firmware. When you connect a SonicPoint to a security appliance running SonicOS Enhanced 2.5 (or greater), the appliance checks the version of the SonicPoint’s firmware, and automatically updates it, if necessary.
Automatic Provisioning (SDP & SSPP)
The SonicWALL Discovery Protocol (SDP) is a layer 2 protocol employed by SonicPoints and devices running SonicOS Enhanced 2.5 and higher. SDP is the foundation for the automatic provisioning of SonicPoint units via the following messages:
• Advertisement – SonicPoint devices without a peer will periodically and on startup announce or advertise themselves via a broadcast. The advertisement will include information that will be used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS device will then report the state of all peered SonicPoints, and will take configuration actions as needed.
• Discovery – SonicOS devices will periodically send discovery request broadcasts to elicit responses from L2 connected SonicPoint units.
• Configure Directive – A unicast message from a SonicOS device to a specific SonicPoint unit to establish encryption keys for provisioning, and to set the parameters for and to engage configuration mode.
• Configure Acknowledgement – A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.
• Keepalive – A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.
If via the SDP exchange the SonicOS device ascertains that the SonicPoint requires provisioning or a configuration update (e.g. on calculating a checksum mismatch, or when a firmware update is available), the Configure directive will engage a 3DES encrypted, reliable TCP based SonicWALL Simple Provisioning Protocol (SSPP) channel. The SonicOS device will then send the update to the SonicPoint via this channel, and the SonicPoint will restart with the updated configuration. State information will be provided by the SonicPoint, and will be viewable on the SonicOS device throughout the entire discovery and provisioning process.
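The lifecycle described above and in the provisioning paragraphs earlier on this page (a zone profile is applied only at provisioning time, an operational unit keeps its stored configuration until it is deleted and re-discovered, and the SDP exchange decides whether an SSPP push is needed) can be made concrete with a small model. The following Python is an added example, not SonicWALL code: the message names follow this page, but the message fields, the configuration checksum, the session key and the profile dictionaries are assumptions, since the wire format is not documented here, and no 3DES is actually performed. It also applies the default-profile rule from the introduction (no default assigned means the first profile in the list is used).

```python
"""Model of SonicPoint discovery (SDP) and provisioning (SSPP) as this page
describes them.  Added example, not SonicWALL code: message names follow the
page; message fields, the checksum and the session-key handling are assumptions,
and the 3DES channel is represented only by a key the SonicPoint checks.
"""
import copy
import hashlib
import secrets


def checksum(config):
    """Stable digest of a config dict, standing in for the page's checksum."""
    return hashlib.sha256(repr(sorted(config.items())).encode()).hexdigest()[:16]


class SonicPoint:
    def __init__(self, mac):
        self.mac = mac
        self.config = None          # None: no peer found, stand-alone mode
        self.session_key = None
        self.restarts = 0

    def advertisement(self):
        """SDP Advertisement, sent on startup and periodically while unpeered."""
        return {"type": "Advertisement", "mac": self.mac,
                "checksum": checksum(self.config) if self.config else None}

    def on_configure_directive(self, msg):
        """The Configure Directive establishes the key used for provisioning."""
        self.session_key = msg["session_key"]
        return {"type": "Configure Acknowledgement", "mac": self.mac}

    def on_sspp_push(self, session_key, config):
        """SSPP push: accept a config only on the channel the directive keyed."""
        if session_key != self.session_key:
            raise PermissionError("SSPP push with an unexpected session key")
        self.config = copy.deepcopy(config)
        self.restarts += 1          # the unit restarts with the updated configuration

    def unprovision(self):
        self.config, self.session_key = None, None


class SonicOS:
    def __init__(self):
        self.zones = {}   # zone -> {"profiles": [dict], "default": name|None, "interfaces": set}
        self.peers = {}   # mac -> {"name", "interface", "zone", "config"}
        self.seq = 0

    def add_zone(self, name, profiles, interfaces, default=None):
        self.zones[name] = {"profiles": profiles, "default": default, "interfaces": set(interfaces)}

    def zone_profile(self, zone):
        """The zone's default profile, or the first in the list if none is assigned."""
        z = self.zones[zone]
        return next((p for p in z["profiles"] if p["name"] == z["default"]), z["profiles"][0])

    def on_advertisement(self, sp, interface, msg):
        """Decide, from an Advertisement heard on `interface`, whether to provision."""
        zone = next((n for n, z in self.zones.items() if interface in z["interfaces"]), None)
        if zone is None:            # SDP is layer 2: only Wireless-zone interfaces count
            return "ignored"
        rec = self.peers.get(sp.mac)
        if rec is None:             # new unit: snapshot the zone profile and name it
            self.seq += 1
            profile = self.zone_profile(zone)
            rec = {"name": f"{profile['name_prefix']} {self.seq}", "interface": interface,
                   "zone": zone, "config": copy.deepcopy(profile)}
            self.peers[sp.mac] = rec
            self._provision(sp, rec)
            return "provisioned"
        if msg["checksum"] != checksum(rec["config"]):
            self._provision(sp, rec)  # mismatch against the stored copy, not the live profile
            return "updated"
        return "ok"                 # nothing to do; Keepalives continue

    def _provision(self, sp, rec):
        key = secrets.token_hex(8)
        ack = sp.on_configure_directive({"type": "Configure Directive", "session_key": key})
        assert ack["type"] == "Configure Acknowledgement"
        sp.on_sspp_push(key, rec["config"])

    def delete(self, sp):
        """Deleting a SonicPoint un-provisions it; it then re-engages provisioning."""
        self.peers.pop(sp.mac, None)
        sp.unprovision()


def demo():
    """Walk through the page's statements; returns what happened, for checking."""
    profiles = [{"name": "Corp-N", "name_prefix": "SonicPointN", "ssid": "corp", "auth": "WPA2-EAP"},
                {"name": "Guest-N", "name_prefix": "SonicPointN", "ssid": "guest", "auth": "WPA2-PSK"}]
    fw = SonicOS()
    fw.add_zone("WLAN", profiles, interfaces={"X2"})          # no default: first profile applies
    sp1, sp2 = SonicPoint("00:17:c5:11:22:33"), SonicPoint("00:17:c5:44:55:66")
    out = {"first": fw.on_advertisement(sp1, "X2", sp1.advertisement()),
           "wrong_iface": fw.on_advertisement(sp2, "X3", sp2.advertisement())}  # X3: no Wireless zone
    profiles[0]["ssid"] = "corp-new"                          # edit the zone's profile
    out["after_edit"] = fw.on_advertisement(sp1, "X2", sp1.advertisement())
    out["ssid_before_delete"] = sp1.config["ssid"]            # operational unit is unchanged
    fw.delete(sp1)
    out["after_delete"] = fw.on_advertisement(sp1, "X2", sp1.advertisement())
    out.update(ssid_after=sp1.config["ssid"], restarts=sp1.restarts,
               name=fw.peers[sp1.mac]["name"], sp2_config=sp2.config)
    return out
```

Running demo() shows the point the page makes twice: editing the zone profile leaves the already-provisioned sp1 on its old SSID, and only deleting it (or a checksum mismatch on the unit's own stored copy) triggers a new Configure Directive and SSPP push, after which it comes back with a new unique name.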