SonicOS 5.9 Admin Guide

SonicPoint

Managing SonicPoints

SonicPoint > SonicPoints

SonicWall SonicPoints are wireless access points specially engineered to work with SonicWall security appliances to provide wireless access throughout your enterprise. The SonicPoint section of the management interface lets you manage the SonicPoints connected to your system.

In addition to describing the settings available for managing SonicPoints in SonicOS, this section contains a best practices guide for deploying SonicPoints in your network. See SonicPoint Deployment Best Practices.

SonicPoint certifications and compliance

Wi-Fi Alliance Certification

The SonicPoint ACe, ACi, N2, and NDR (Dual Radio) are Wi-Fi Certified by the Wi-Fi Alliance, which is designated by the Wi-Fi Certified logo.

The Wi-Fi CERTIFIED Logo is a certification mark of the Wi-Fi Alliance, and indicates that the product has undergone rigorous testing by the Wi-Fi Alliance and has demonstrated interoperability with other products, including those from other companies that bear the Wi-Fi CERTIFIED Logo.

FCC U-NII New Rule Compliance

Beginning in SonicOS 5.9.1.6, the FCC U-NII (Unlicensed National Information Infrastructure) New Rule (Report and Order ET Docket No. 13-49) is supported on SonicPoint ACe/ACi/N2 running firmware version 9.0.1.0-2 or higher. To comply with the FCC New Rules for Dynamic Frequency Selection (DFS), a SonicPoint detects radar signals in DFS bands and avoids interfering with them.

NOTE: SonicPoint ACe/ACi/N2 wireless access points manufactured with FCC New Rule-compliant firmware are only supported with SonicOS 5.9.1.6 and higher. Older SonicPoint ACe/ACi/N2 access points are automatically updated to the FCC New Rule-compliant firmware when connected to a firewall running SonicOS 5.9.1.6 or higher.

Before Managing SonicPoints

Before you can manage SonicPoints in the Management Interface, you must first:

1. Verify that the SonicPoint image is downloaded to your SonicWall security appliance. See Updating SonicPoint Firmware.
2. Configure your SonicPoint Provisioning Profiles.
3. Configure a Wireless zone.
4. Assign profiles to wireless zones. This step is optional. If you do not assign a default profile for a zone, SonicPoints in that zone will use the first profile in the list.
5. Assign an interface to the Wireless zone.
6. Attach the SonicPoints to the interfaces in the Wireless zone.
7. Test the SonicPoints.

VIDEO: For more information and links to videos about SonicPoint configuration, see the Knowledge Base article at: https://support.sonicwall.com/videos-product-select.

SonicPoint Deployment Best Practices

This SonicPoint best practices section covers the design, installation, deployment, and configuration issues for SonicWall’s SonicPoint wireless access points. The information provided allows you to properly deploy SonicPoints in environments of any size. This section also covers related external issues that must be addressed for successful operation and deployment.

NOTE: SonicWall cannot provide any direct technical support for any of the third-party Ethernet switches referenced in this section. The material is also subject to change without SonicWall’s knowledge when the switch manufacturer releases new models or firmware that may invalidate the information contained here.

Further information about SonicPoint best practices can be found in the SonicPoint Deployment Best Practices Guide at https://support.sonicwall.com/search?k=sonicpoint+best+practices+guide.

Prerequisites

The following are required for a successful SonicPoint deployment:

SonicOS requires public Internet access in order for the network security appliance to download and update the SonicPoint firmware images. If the device does not have public Internet access, you will need to obtain and download the SonicPoint firmware manually.
One or more SonicWall SonicPoint wireless access points.
If you are using a PoE switch to power the SonicPoint, it must be one of the following:
An 802.3at compliant Ethernet switch for SonicPoint ACe/ACi/N2
An 802.3af compliant Ethernet switch for other SonicPoint models
Vendor-specific switch programming notes can be found towards the end of this section for HP, Cisco, , and D-Link. If not, you will need to use the power adapter that ships with the SonicPoint or SonicWall’s PoE Injector. See the SonicWall Power over Ethernet (PoE) Injector User’s Guide:

https://support.sonicwall.com/technical-documents/sonicwall-sonicpoint-series/aci/poe-user-guide/

It is strongly recommended you obtain a support contract for your SonicWall network security appliance as well as the PoE switch. The contract will allow you to update to new versions if issues are found on the switch side or on the firewall side, or when new features are released.
Be sure to conduct a full site survey before installation (see Site Survey and Planning).
Check wiring and cable infrastructure to verify that end-to-end runs between SonicPoints and the Ethernet switches are CAT5, CAT5e, or CAT6.
Check building codes for install points and work with building’s facilities staff, as some desired install points may violate regulations.

Tested Switches

Most Cisco switches work well; however SonicWall does not recommend deploying SonicPoints using the “Cisco Express” switch line.

SonicWall does not recommend deploying SonicPoints using Netgear PoE switches.

If you are using D-Link PoE switches, you will need to shut off all their proprietary broadcast control and storm control mechanisms, as they will interfere with the provisioning and acquisition mechanisms in the SonicPoint (see “About PoE” regarding this).

– make sure to configure STP for fast start on SonicPoint ports.
Extreme – make sure to configure STP for fast start on SonicPoint ports.
Foundry – make sure to configure STP for fast start on SonicPoint ports.
HP ProCurve – make sure to configure STP for fast start on SonicPoint ports.

Wiring Considerations

Make sure wiring is CAT5, CAT5e, or CAT6 end to end.

Due to signaling limitations in 802.3af and 802.3at, Ethernet cable runs cannot go over 100 meters between the PoE switch and SonicPoint.

You will need to account for PoE power loss as the cable run becomes longer; this can be up to 16%. For longer cable runs, the port will require more power to be supplied.

Site Survey and Planning

Conduct a full site walk of all areas SonicPoints will be deployed in with a wireless spectrum scanner. Note any existing access points and the channels they are broadcasting on. SonicWall currently recommends the following products to conduct full site surveys.

Metageek inSSider (best for Android Phones due to portability)
WiSpy
Channelyzer

Blueprints of floor plans are helpful because you can mark the position of access points and the range of each wireless cell. Make multiple copies, as the site-survey results may show that the original design is not the best and a fresh start is needed. Blueprints also show where walls, halls, and elevators are located, which can influence the signal, and which areas users occupy and which they do not. During the site survey, keep an eye open for electrical equipment that may cause interference (microwaves, CAT scan equipment, etc.). In areas containing a lot of electrical equipment, also take a look at the cabling being used.

Survey three dimensionally, as wireless signals cross over to different floors.

Determine where you can locate access points based on power and cabling. Remember that you shouldn't place access points close to metal or concrete walls and you should put them as close to the ceiling as possible.

Use the wireless scanning tool to check signal strength and noise. The signal-to-noise ratio should be at least 10dB (the minimum requirement for 11 Mbps); however, 20dB is preferred. Both factors influence the quality of the service.

Relocate the access points and re-test, depending on the results of your survey.

Save settings and logs and note the location of the access point for future reference.

When planning, make sure you note the distance of cable runs from where the SonicPoint will be mounted; this must be 100 meters or less. If you are not using PoE switches, you will also need to consider the power adapter or PoE injector for the SonicPoint. Make sure you are not creating an electrical or fire hazard.

Be wary of broadcasting your wireless signal into areas that you do not control; check for areas where people might be able to leech signal and tune the SonicPoints accordingly.

For light use, you can plan for 15-20 users for each SonicPoint. For business use, you should plan for 5-10 users for each SonicPoint.

Plan accordingly for roaming users – this will require tuning the power on each SonicPoint so that the signal overlap is minimal. Multiple SonicPoints broadcasting the same SSID in areas with significant overlap can cause ongoing client connectivity issues.

Use the scheduling feature in SonicOS to shut off SonicPoints when not in use – it’s recommended that you do not operate your SonicPoints during non-business-hours (off nights and weekends).

Channels

The default setting of SonicPoints is auto-channel. When this is set, at boot-up the SonicPoint scans for other wireless devices that are transmitting, then tries to find an unused channel and uses it for transmission. Especially in larger deployments, this process can cause trouble, so in large deployments it is recommended to assign fixed channels to each SonicPoint. A diagram of the SonicPoints and their MAC addresses helps to avoid overlaps; it is recommended to mark the location of the SonicPoints and their MAC addresses on a floor plan.

Wireless Card Tuning

If you are experiencing connectivity issues with laptops, check to see if the laptop has an Intel embedded wireless adapter. The following Intel chip sets are publicly known and acknowledged by Intel to have disconnect issues with third-party wireless access points:

Intel PRO/Wireless 2100 Network Connection
Intel PRO/Wireless 2100A Network Connection
Intel PRO/Wireless 2200BG Network Connection
Intel PRO/Wireless 2915ABG Network Connection
Intel PRO/Wireless 3945ABG Network Connection

These wireless cards are provided to OEM laptop manufacturers and are often rebranded under the manufacturer's name – for example, both and IBM use the above wireless cards, but the drivers are branded under their own name.

To identify the adapter, go to Intel’s support site and do a search for Intel Network Connection ID Tool. Install and run this tool on any laptop experiencing frequent wireless disconnect issues. The tool will identify which Intel adapter is installed inside the laptop.

Once you have identified the Intel wireless adapter, go to Intel’s support site and download the newest software package for that adapter – it is recommended that you download and install the full Intel PRO/Set package and allow it to manage the wireless card, instead of Windows or any OEM provided wireless network card management program previously used.

Be sure to use the Intel wireless management utility and to disable Microsoft’s Wireless Zero Config management service – the Intel utility should control the card, not the OS.

In the Advanced section of the Intel wireless management utility, disable the power management by clearing the box next to Use default value, then move the slider under it to Highest. This instructs the wireless card to operate at full strength and not go into sleep mode. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

In the Advanced section of the Intel wireless management utility, adjust the roaming aggressiveness by clearing the check box next to Use default value, then move the slider under it to Lowest. This instructs the wireless card to stay stuck to the access point to which it’s associated as long as possible and only roam if the signal is significantly degraded. This is extremely helpful in environments with large numbers of access points broadcasting the same SSID. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

If you continue to have issues, you may also try adjusting the Preamble Mode on the wireless card. By default, the Intel wireless cards above are set to auto. All SonicWall wireless products by default are set to use a Long preamble. To adjust the Intel wireless card’s preamble setting, go to the Advanced section and clear the check box next to Use default value, then select Long Tx Preamble from the drop-down menu below it. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

About PoE

A SonicPoint ACe, ACi, or N2 using Power Over Ethernet (PoE) at full power can draw up to 25 watts.

Earlier SonicPoints are set to Class 0 PD and use from 0.44 W minimum to 12.95 W maximum power.

NOTE: A mismatch in Class will cause confusion in the handshake and reboot the SonicPoint.

SonicPoint ACe, ACi, and N2 (Type 2) are set to Class 4 PD. Earlier SonicPoints (Type 1) can be set to Class 0, 1, 2, or 3 PD. The minimum and maximum power output values are as follows:

Type 1, Class 0 PD uses 0.5 W minimum to 15.4 W maximum
Type 1, Class 1 PD uses 0.5 W minimum to 4.0 W maximum
Type 1, Class 2 PD uses 4.0 W minimum to 7.0 W maximum
Type 1, Class 3 PD uses 7.0 W minimum to 15.4 W maximum
Type 2, Class 4 PD uses 15.4 W minimum to 30 W maximum

Full 802.3at compliance is required on any switch that supplies PoE to a SonicPoint ACe, ACi, or N2. Full 802.3af compliance is required on any switch that supplies PoE to an earlier SonicPoint model. Do not operate SonicPoints on non-compliant switches as SonicWall does not support them.

Turn off pre-802.3af-spec detection and pre-802.3at-spec detection as they may cause connectivity issues.

Long cable runs cause loss of power; 100 meter runs between the SonicPoint and the PoE switch may incur up to 16% power/signal degradation; because of this the PoE switch will need to supply more power to the port to keep the SonicPoint operational.

Ensure that each port providing PoE can guarantee the minimum required Watts to the SonicPoint, and set the PoE priority to critical or high.

One thing to be particularly careful to plan for is that not all PoE switches can provide the full required watts of power to each of its PoE ports – the switch might have 30 watts, but it can’t actually have all ports with PoE devices attached without the addition of an external redundant power supply. You will need to work closely with the manufacturer of the PoE switch to ensure that enough power is supplied to the switch to power all of your PoE devices.
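The power-budget rules in this section (per-class port limits, the 25 W draw of the AC-generation models and 12.95 W of earlier models, the 100 m cable limit, and the up-to-16% loss on a 100 m run) are easy to get wrong when a switch is shared by many ports. The following planning check is an added example, not SonicWall code: it flags a port whose cable is too long, a device that needs 802.3at on an 802.3af switch, a port that would have to source more than its standard allows after cable loss, and a total that exceeds the switch's PoE budget. The linear scaling of cable loss with length, the switch budget values, and the port/model entries are assumptions for illustration.

```python
# Added example (not SonicWall code): PoE planning check built from the figures on this page.
MAX_CABLE_M = 100
LOSS_AT_MAX_CABLE = 0.16  # up to 16% power loss on a 100 m run (from the text)

# Maximum watts a compliant PSE port delivers, from the class table above
PORT_MAX_W = {"802.3af": 15.4, "802.3at": 30.0}

# Model -> (required switch standard, maximum draw in watts), both stated in the text;
# the NDR/Ne/Ni entries use the "earlier SonicPoints" Class 0 figure of 12.95 W.
SONICPOINT = {
    "ACe": ("802.3at", 25.0),
    "ACi": ("802.3at", 25.0),
    "N2": ("802.3at", 25.0),
    "NDR": ("802.3af", 12.95),
    "Ne": ("802.3af", 12.95),
    "Ni": ("802.3af", 12.95),
}
STANDARD_RANK = {"802.3af": 1, "802.3at": 2}  # an 802.3at switch also serves 802.3af devices


def port_power_required(model, cable_m):
    """Watts the port must source so the device still receives its full draw after cable loss.
    Assumption: loss scales linearly with cable length up to the 16%-at-100 m figure."""
    if cable_m < 0 or cable_m > MAX_CABLE_M:
        raise ValueError(f"cable run {cable_m} m exceeds the {MAX_CABLE_M} m limit")
    _, draw_w = SONICPOINT[model]
    loss = LOSS_AT_MAX_CABLE * cable_m / MAX_CABLE_M
    return draw_w / (1.0 - loss)


def plan_poe(switch_standard, switch_budget_w, ports):
    """Check every port and the whole switch budget.

    `ports` is a list of dicts with 'port', 'model' and 'cable_m'. The report lists
    per-port issues ('standard_mismatch', 'cable_too_long', 'port_limit_exceeded')
    and a switch-level 'budget_exceeded' issue when the sum of port requirements is
    more than the switch can source without an external/redundant power supply."""
    report = {"ok": True, "total_w": 0.0, "ports": [], "issues": []}
    for entry in ports:
        issues = []
        model, cable_m = entry["model"], entry["cable_m"]
        needed_standard, _ = SONICPOINT[model]
        if STANDARD_RANK[switch_standard] < STANDARD_RANK[needed_standard]:
            issues.append("standard_mismatch")  # e.g. an ACe on an 802.3af-only switch
        if cable_m > MAX_CABLE_M:
            issues.append("cable_too_long")
            required_w = float("nan")
        else:
            required_w = port_power_required(model, cable_m)
            if required_w > PORT_MAX_W[switch_standard]:
                issues.append("port_limit_exceeded")  # long run pushes the port past its standard
            report["total_w"] += required_w
        report["ports"].append({"port": entry["port"], "model": model,
                                "required_w": required_w, "issues": issues})
        if issues:
            report["ok"] = False
    if report["total_w"] > switch_budget_w:
        report["issues"].append("budget_exceeded")
        report["ok"] = False
    return report


if __name__ == "__main__":
    # Constructed sample: an 802.3af switch with a 60 W PoE budget feeding two SonicPoints.
    sample = [{"port": "1", "model": "Ne", "cable_m": 100}, {"port": "2", "model": "ACe", "cable_m": 10}]
    for line in plan_poe("802.3af", 60.0, sample)["ports"]:
        print(line)
```

Note that a 100 m run to an earlier-generation SonicPoint on an 802.3af switch comes out just above 15.4 W, which is the practical reason the text says the switch "will need to supply more power to the port" on long runs; the check surfaces that before installation rather than after a reboot loop.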

Spanning-Tree

When an Ethernet port becomes electrically active, most switches by default will activate the spanning-tree protocol on the port to determine if there are loops in the network topology. During this detection period of 50-60 seconds the port does not pass any traffic – this feature is well-known to cause problems with SonicPoints.

If you do not need spanning-tree, disable it globally on the switch, or disable it on each port connected to a SonicPoint device. If this is not possible, check with the switch manufacturer to determine if they allow for “fast spanning-tree detection,” which is a method that runs spanning-tree in a shortened time so as to not cause connectivity issues.

VTP and GVRP

Turn these trunking protocols off on ports connected directly to SonicPoints, as they have been known to cause issues with SonicPoints – especially the high-end Cisco Catalyst series switches.

Port-Aggregation

Many switches have port aggregation turned on by default, which causes a lot of issues. Port aggregation should be deactivated on ports connected directly to SonicPoints.

PAGP/Fast EtherChannel/EtherChannel should be turned off on ports going to SonicPoints.

LACP should be turned off on the ports going to SonicPoints.

Broadcast Throttling/Broadcast Storm

This feature is an issue on some switches, especially D-Link. SonicWall recommends that you disable the feature on a per-port basis if possible; if not, disable globally.

Speed and Duplex

Auto-negotiation of speed and duplex is the default option for SonicPoints.

Locking speed and duplex on the switch and rebooting the SonicPoint may help with connectivity issues.

Check the port for errors, as this is the best way to determine if there is a duplex issue (the port will also experience degraded throughput).

RADIUS Accounting

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting. SonicOS uses the RADIUS protocol to deliver accounting information from the NAS (Network Access Server), which is the SonicPoint in this case, to the RADIUS Accounting Server. You can use the accounting information to apply various billing rules on the RADIUS Accounting Server side. The accounting information can be based on session duration or on the traffic load transferred for each user.

The overall authentication, authorization, and accounting process works as follows:

1. A user associates to a SonicPoint which is connected to a SonicWall firewall.
2. Authentication is performed using the designated method.
3. IP subnet/VLAN assignment is enabled.
4. The SonicPoint sends the RADIUS Accounting-Request Start message to an accounting server.
5. Re-authentication is performed as necessary.
6. Based on the results of the re-authentication, the SonicPoint sends the interim accounting update to the accounting server.
7. The user disconnects from the SonicPoint.
8. The SonicPoint sends the RADIUS Accounting-Request Stop message to the accounting server.
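The Start, interim update and Stop messages in the sequence above are RADIUS Accounting-Request packets, and each one is answered by an Accounting-Response. The following Python is an added worked example of that exchange built from the RFC 2865/2866 packet rules; it is not SonicOS or SonicPoint code and does not show how the firewall itself formats its packets. The NAS side computes the Request Authenticator (MD5 over the packet with a zeroed authenticator field plus the shared secret), the server side recomputes it before accepting the record, and the NAS validates the Response Authenticator on the way back. The shared secret, user name, addresses and session counters are constructed sample values.

```python
# Added example (not SonicWall code): RADIUS accounting Start/Interim/Stop exchange per RFC 2866.
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute type numbers from RFC 2865/2866
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLED_STATION_ID = 30
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_INPUT_OCTETS = 42
ACCT_OUTPUT_OCTETS = 43
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
INTEGER_ATTRS = {ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_TIME}

STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3


def attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; ints become 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret, identifier, attributes):
    """NAS side. Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(secret, packet):
    """Server side: recompute the Request Authenticator and reject the record on mismatch."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, auth)


def build_accounting_response(secret, request):
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(secret, request, response):
    """NAS side: the identifier must match the request and the authenticator must validate."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(packet):
    """Decode the attribute list into {type: value} (ints, a dotted IP, or text)."""
    out, body, i = {}, packet[20:], 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        raw = body[i + 2:i + length]
        if attr_type in INTEGER_ATTRS:
            out[attr_type] = struct.unpack("!I", raw)[0]
        elif attr_type == NAS_IP_ADDRESS:
            out[attr_type] = socket.inet_ntoa(raw)
        else:
            out[attr_type] = raw.decode()
        i += length
    return out


def session_exchange(secret, user, nas_ip, client_mac, ap_bssid, session_id, seconds, in_octets, out_octets):
    """Run Start -> Interim-Update -> Stop and return [(status, request, response)] for each step."""
    common = [attr(USER_NAME, user), attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
              attr(CALLED_STATION_ID, ap_bssid), attr(CALLING_STATION_ID, client_mac),
              attr(ACCT_SESSION_ID, session_id)]
    log = []
    for identifier, status in ((1, STATUS_START), (2, STATUS_INTERIM), (3, STATUS_STOP)):
        attrs = [attr(ACCT_STATUS_TYPE, status)] + common
        if status != STATUS_START:  # usage counters only exist once the session is running
            attrs += [attr(ACCT_SESSION_TIME, seconds), attr(ACCT_INPUT_OCTETS, in_octets),
                      attr(ACCT_OUTPUT_OCTETS, out_octets)]
        request = build_accounting_request(secret, identifier, attrs)
        if not verify_accounting_request(secret, request):   # what the server checks
            raise ValueError("request authenticator mismatch")
        response = build_accounting_response(secret, request)
        if not verify_accounting_response(secret, request, response):   # what the NAS checks
            raise ValueError("response authenticator mismatch")
        log.append((status, request, response))
    return log


if __name__ == "__main__":
    # Constructed sample session: secret, user, NAS address, client MAC, AP BSSID/SSID, counters.
    for status, req, _ in session_exchange(b"constructed-shared-secret", "alice", "10.0.0.2",
                                           "AA-BB-CC-DD-EE-01", "AA-BB-CC-DD-EE-FF:guest",
                                           "0000000001", 3600, 123456, 654321):
        print(status, parse_attributes(req))
```

The shared secret is the only thing protecting the integrity of these records, which is why a record whose Request Authenticator does not validate must be dropped rather than billed, and why the accounting server should not share a secret across unrelated NAS devices.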

Virtual Access Point Issues

Only VLAN-supported SonicWall platforms can offer VAP features for existing releases. Each SSID should be associated with the unique VLAN ID to segment traffic in different broadcast domains. SDP/SSPP protocol packets must be untagged before reaching a SonicWall WLAN interface or SonicPoint.

The switch between the SonicWall network security appliance and the SonicPoint must be configured properly to allow both untagged SDP/SSPP traffic and tagged traffic with VLAN ID for each VAP SSID.

If at all possible assign each VAP to its own VLAN/Security Zone -- this will provide maximum security and although not explicitly required for PCI compliance, puts you solidly in the "green" zone.

NOTE: If you use VLANs, do not use the parent interface and do not use the default VLAN.

Troubleshooting

When creating a Wireless zone and interface, make sure to configure the interface for the number of SonicPoints you wish to support. If you do not do this, the firewall will not create the necessary DHCP scope and will not acquire any SonicPoints added to the interface.

If you added SonicPoints and only a certain number were detected and acquired, check interface settings as noted above, as it might be set for too few SonicPoints.

If throughput seems sluggish, check how many SonicPoints you have on an interface – in large deployments it’s advisable to spread them across more than one. Try to limit the interfaces to a 4-to-1 oversubscription ratio. For example, if you have a 100Mbps interface, you can safely attach up to 20 SonicPoints to it and expect reasonable performance.

The throughput speed on SonicPoints can vary and is limited by the specifications found in the IEEE 802.11 standards: 802.11a/b/g/n/ac/af.

Make sure your security zone (the default WLAN, or your own custom wireless zone) has the right settings – they might be blocking traffic for various reasons.

If the SonicPoints are not being acquired, check the DHCP scopes; they might be off, or missing entirely.

Stuck in provisioning mode? Unplug, clear the profile configuration, reboot and plug back in.

For a SonicPoint to be discovered and provisioned, the SonicWall network security appliance must be connected to the Internet.

On older model SonicPoints, it is NOT advisable to use the same SSID for the 802.11bg and the 802.11a radios, as clients with tri-band cards may experience disconnect issues; name them separately.

When troubleshooting wireless issues, logging, Syslog, and SNMP are your friends – SonicWall’s Global Management System (GMS) package can centralize all of these for all of your SonicWall devices, regardless of location. A free alternative is Kiwi’s Syslog Server, which can accept Syslog streams and SNMP traps from all SonicWall network security appliances.

The most current version can be found here: http://www.kiwisyslog.com/.

Check the network cabling. Is shielded or unshielded cable being used?

Troubleshooting Older SonicPoints

If you have an older SonicPoint and it is consistently port flapping, or does not power up at all, or is stuck in reboot cycling, or stuck in provisioning, check to see if you are running a current version of the firmware, and that the SonicWall network security appliance has public internet access. You may need a newer SonicPoint.

Resetting the SonicPoint

The SonicPoint has a reset switch inside a small hole in the back of the unit, next to the console port. You can reset the SonicPoint at any time by pressing the reset switch with a straightened paperclip, a toothpick, or another small, straight object.

The reset button resets the configuration of the mode the SonicPoint is operating in to the factory defaults. It does not reset the configuration for the other mode. Depending on the mode the SonicPoint is operating in, and the amount of time you press the reset button, the SonicPoint behaves in one of the following ways:

Press the reset button for at least three seconds, and less than eight seconds with the SonicPoint operating in Managed Mode to reset the Managed Mode configuration to factory defaults and reboot the SonicPoint.
Press the reset button for more than eight seconds with the SonicPoint operating in Managed Mode to reset the Managed Mode configuration to factory defaults and reboot the SonicPoint in SafeMode.

Daisy Chaining

Daisy chaining allows users with a small environment (that is, a low-density switch infrastructure) to deploy several SonicPoints while using as few switch ports as possible. For example, connecting numerous devices scattered throughout the store into the store's switch infrastructure, including multiple APs to cover the entire store even though the infrastructure is small in terms of switch port density/availability. SonicPoints are daisy chained through the LAN2 interface.

IMPORTANT: Daisy chaining SonicPoints affects throughput, with each addition lessening throughput. If throughput is:
  A concern, then to keep throughput at an acceptable level for the:
    SonicPoint N2, daisy chain no more than three SonicPoints.
    SonicPoint ACe/ACi, daisy chain no more than two SonicPoints.
  Not a concern, daisy chain no more than four SonicPoints.

If you have a mixture of SonicPoint AC models with SonicPoint N or N2 models, place the SonicPoint AC model at the beginning of the chain.

Switch Programming Tips

Sample HP ProCurve Switch Commands (per-interface)

name ‘link to SonicPoint X’
no lacp
no cdp
power critical
no power-pre-std-detect (note: global command)
speed-duplex 100-half (note: only if you are seeing FCS errors)
spanning-tree xx admin-edge-port (note: replace xx with port number)
mdix-mode mdix

Sample Switch Configuration (per interface)

spanning-tree portfast
no back-pressure
no channel-group
duplex half (note: only if you are seeing FCS errors)
speed 100
no flowcontrol
no gvrp enable
no lldp enable
mdix on
mdix auto
no port storm-control broadcast enable

Sample D-Link Switch Configuration

The D-Link PoE switches do not have a CLI, so you will need to use their web GUI.

NOTE: If you are using multicast in your environment, check with D-Link for the recommended firmware version.

Disable spanning-tree, broadcast storm control, LLDP and the Safeguard Engine on the switch before adding SonicPoints to the switch, as all may impact their successful provisioning, configuration, and functionality.

SonicPoint Provisioning Profiles

Provisioning Overview

When a SonicPoint appliance is first connected and powered up, it will have a factory default configuration (IP address 192.168.1.20, username: admin, password: password). Upon initializing, the appliance attempts to find a SonicOS device with which to peer.

If the SonicPoint locates, or is located by, a peer SonicOS device via the SonicWall Discovery Protocol, an encrypted exchange between the two units ensues in which the profile assigned to the relevant Wireless zone is used to configure (provision) the newly added SonicPoint unit automatically.

As part of the provisioning process, SonicOS will assign the discovered SonicPoint device a unique name, and it will record its MAC address and the interface and zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS will then use the profile associated with the relevant zone to configure the 2.4GHz and 5GHz radio settings.

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation.

Once you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless zone can be configured with one SonicPoint profile. Any profile can apply to any number of zones. Then, when a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone.

SonicOS includes default profiles for three generations of SonicPoints:

SonicPoint ACe/ACi/N2
SonicPoint NDR
SonicPoint N (for SonicPoint Ne and SonicPoint Ni)

You can modify these profiles or create new ones.

Modifications to profiles will not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways:

Via manual configuration changes—Appropriate when a single, or a small set of changes are to be affected, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.
Via un-provisioning—Deleting a SonicPoint unit effectively un-provisions the unit, or clears its configuration and places it into a state where it will automatically engage the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed, and the change is set for propagation. It can be used to update firmware on SonicPoints, or to simply and automatically update multiple SonicPoint units in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause service disruptions.

Configuring a SonicPoint Profile

For a SonicPoint overview, see SonicPoint > SonicPoints.

You can add any number of SonicPoint profiles. The SonicPoint profile configuration process varies slightly, depending on whether you are configuring a single-radio (SonicPoint N) or a Dual Radio (SonicPoint NDR and SonicPoint AC/N2).

The following sections describe how to configure SonicPoint profiles:

NOTE: You can use Auto Provisioning to automatically provision SonicPoint profiles. For information on how to enable automatic provisioning, see SonicPoint Auto Provisioning.

Configuring a SonicPoint ACe, ACi, or N2 Profile

NOTE: SonicPoint AC requires PoE+ (802.3at Type 2), which supplies at least 25 watts of power.

You can add any number of SonicPoint AC profiles. The specifics of the configuration will vary slightly depending on which protocols you select.

To configure a SonicPoint AC provisioning profile:
1. Navigate to the SonicPoint > SonicPoints page.
2. Do one of the following:
   To add a new SonicPoint AC profile, click the Add SonicPoint AC Profile button.
   To edit an existing AC profile, click the Configure icon on the same row as the profile you want to edit.

The Add/Edit SonicPoint AC Profile dialog appears.

You configure the SonicPoint AC through options on these tabs:

SonicPoint AC General Tab

The Add/Edit SonicPoint Profile General tab.

In the General tab, configure the desired settings:

SonicPoint AC Settings

Check Enable SonicPoint to enable each SonicPoint AC automatically when it is provisioned with this profile. This option is selected by default.

Optionally, check Retain Settings to have the SonicPoint ACs provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default. If you select this option, the Edit button becomes active and the Retain Settings dialog displays.

To specify the settings to retain:
1. If you are editing an existing SonicPoint AC profile, click the Edit button. The Retain Settings dialog displays.
2. Do one of the following:
   Click the Retain All Settings check box; all the other options become dimmed.
   Click the check boxes of the individual settings to be retained.
3. Click OK.
4. Optionally, select Enable RF Monitoring to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default.
5. Enter a prefix for the names of all SonicPoint ACs connected to this zone in the Name Prefix field. This prefix assists in identifying SonicPoint ACs on a zone. When each SonicPoint AC is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint AC 126008.
6. Select the country where you are operating the SonicPoint ACs from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.
7. From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v1, but v2 provides better security.

SonicPoint AC Virtual Access Point Settings

Optionally, you can assign a SonicPoint AC to an 802.11ac Virtual Access Point (VAP) group. The drop-down menus allow you to create a new VAP group. For more information on VAPs, see SonicPoint > Virtual Access Point.

To assign a SonicPoint AC to a VAP:
1. From the Radio 0 Basic Virtual AP Group drop-down menu, select the VAP group that you want.
2. From the Radio 1 Basic Virtual AP Group drop-down menu, select the VAP group that you want.

SonicPoint AC Layer 3 SSL VPN Tunnel Setting
1. In the SSL VPN Server field, enter the IP address of the SSL VPN server.
2. In the User Name field, enter the User Name for the SSL VPN server.
3. In the Password field, enter the Password for the SSL VPN server.
4. In the Domain field, enter the domain that the SSL VPN server is located in.
5. Check the Auto-Reconnect box for the SonicPoint to auto-reconnect to the SSL VPN server.

NOTE: To configure Layer 3 SSL VPN, refer to SonicPoint Layer 3 Management.

SonicPoint AC Radio 0 Basic and Radio 1 Basic Tabs

The Radio 0 Basic and Radio 1 Basic tabs are similar and have only a few differences, which are noted in the steps.

NOTE: The sections and options displayed on the Radio 0 Basic/1 tabs change depending on whether you selected a VAP group in the Radio 0 Basic/1 Virtual AP Group drop-down menus on the General tab and the mode you select in the Mode drop-down menu. These choices apply only to the radio for which they were selected.

1. Click the Radio 0 Basic or Radio 1 Basic tab.

Configure the settings for the 5GHz (Radio 0) and 2.4GHz (Radio 1) band radios:
SonicPoint AC Radio 0 Basic Settings and Radio 1 Basic Settings

The options change depending on the mode you select.

1
Select Enable Radio to automatically enable the radio on all SonicPoint ACs provisioned with this profile. This option is selected by default.
From the Enable Radio drop-down menu, select a schedule for when the radio is on, or select Create new schedule to create one; the default is Always on.
2
Select your preferred radio mode from the Mode drop-down menu. The wireless security appliance supports the modes shown in Mode Options:

Mode Options (Radio 0 Basic / Radio 1 Basic)

5GHz 802.11n Only / 2.4GHz 802.11n Only: Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.

5GHz 802.11n/a Mixed / 2.4GHz 802.11n/g/b Mixed: Supports 802.11a and 802.11n (Radio 0) or 802.11b, 802.11g, and 802.11n (Radio 1) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. 2.4GHz 802.11n/g/b Mixed is the default for Radio 1.

5GHz 802.11a Only (Radio 0 only): Select this mode if only 802.11a clients access your wireless network.

2.4GHz 802.11g Only (Radio 1 only): If your wireless network consists only of 802.11g clients, you can select this mode for increased 802.11g performance. You can also select this mode to prevent 802.11b clients from associating.

5GHz 802.11ac Only (Radio 0 only): Allows only 802.11ac clients access to your wireless network. Other clients are unable to connect under this restricted radio mode.

5GHz 802.11ac/n/a Mixed (Radio 0 only): Supports 802.11ac, 802.11n, and 802.11a clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. This is the default for Radio 0.

 
* 
TIP: If only 802.11n clients use the network and throughput is the sole concern, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/g/b Mixed radio mode when clients of several 802.11 types must be able to associate.
 
* 
NOTE: The available Radio 0/1 Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
Supports 802.11n (or 802.11ac), the following options are displayed: Radio Band, Primary Channel, Secondary Channel, Enable Short Guard Interval, and Enable Aggregation.
Does not support 802.11n (802.11a Only or 802.11g Only), only the Channel option is displayed.
3
Optionally, select Enable DFS Channels to allow the radio to use Dynamic Frequency Selection (DFS) channels, which share the 5 GHz band with radar systems. On these channels the SonicPoint must detect radar and vacate the channel when radar is present.
 
* 
NOTE: If you select this option, choose either Standard - 20 MHz Channel or Wide - 40 MHz Channel as the Radio Band. The Primary Channel and Standard Channel drop-down menus then also list the available DFS channels.
 
* 
NOTE: This option appears only on the Radio 0 Basic tab, because Radio 1 operates in the 2.4 GHz band and DFS applies only to 5 GHz channels.
4
In the SSID field, enter a recognizable string for the SSID of each SonicPoint AC using this profile. This is the name that will appear in clients’ lists of available wireless connections.
 
* 
NOTE: If all SonicPoint ACs in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint AC to another.
5
If you selected a mode that:
Supports 802.11n, go to Step 7.
Does not support 802.11n, select a channel from the Channel drop-down menu.
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. Use Auto unless you have a specific reason to use or avoid specific channels.
Specific channel – You can select a single channel within the range of your regulatory domain. Selecting a specific channel also can help with avoiding interference with other wireless networks in the area.
 

Available Channels

Radio 0: 802.11a Only
Channel 36 (5180 MHz)
Channel 40 (5200 MHz)
Channel 44 (5220 MHz)
Channel 48 (5240 MHz)
Channel 149 (5745 MHz)
Channel 153 (5765 MHz)
Channel 157 (5785 MHz)
Channel 161 (5805 MHz)

Radio 1: 802.11g Only
Channel 1 (2412 MHz)
Channel 2 (2417 MHz)
Channel 3 (2422 MHz)
Channel 4 (2427 MHz)
Channel 5 (2432 MHz)
Channel 6 (2437 MHz)
Channel 7 (2442 MHz)
Channel 8 (2447 MHz)
Channel 9 (2452 MHz)
Channel 10 (2457 MHz)
Channel 11 (2462 MHz)


6
Go to Step 10.
* 
NOTE: When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed.
7
For 802.11n-capable modes only: from the Radio Band drop-down menu, select the channel width for the radio:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Both the Primary Channel and Secondary Channel are set to Auto also. This is the default setting.
Standard - 20 MHz Channel—Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel options.
Standard Channel—This drop-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity.

Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help avoid interference with other wireless networks in the area. The available channels depend on which radio you are configuring:

Radio 0: Same as for 802.11a in the Available Channels table in Step 5
Radio 1: Same as for 802.11g in the Available Channels table in Step 5

Wide - 40 MHz Channel—Specifies that the radio uses a wide 40 MHz channel (two bonded 20 MHz channels). When this option is selected, the Primary Channel and Secondary Channel drop-down menus are active:
Primary Channel—By default this is set to Auto. Optionally, you can specify a primary channel. The available channels are those listed for the radio you are configuring in Step 5.
Secondary Channel—Is set to Auto regardless of the setting of Primary Channel.
8
Enable Short Guard Interval—Specifies the short guard interval of 400ns (as opposed to the standard guard interval of 800ns).
* 
NOTE: This option is not available if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected.

A guard interval is a set amount of time between symbol transmissions that keeps distinct transmissions from interfering with one another. It gives immunity to propagation delays, echoes, and reflections: signal content that arrives inside the interval is treated as inter-symbol interference and discarded.

The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long).

Enabling a short guard interval reduces idle time on each access point and so raises the 802.11n data rate. A short guard interval of 400 nanoseconds (ns) works in most office environments, where distances between points of reflection, and between clients, are short and most reflections arrive quickly. The shorter the guard interval, the more efficiently the channel is used, but the greater the exposure to multipath interference.

Some deployments may, however, require the long guard interval. An 800ns guard interval becomes more important as areas become larger, such as in warehouses and outdoor environments, because reflections and echoes are more likely to persist after a short guard interval would have ended.

Ensure the wireless clients also support a short guard interval to avoid compatibility issues.

9
Select Enable Aggregation to enable 802.11n frame aggregation, which combines multiple data frames into a single transmission to reduce overhead and increase throughput.
* 
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.

Data over wireless networks is sent as a stream of packets known as data frames. Frame aggregation combines these packets into fewer, larger frames, increasing overall performance. Frame aggregation was added to the 802.11n specification for this additional performance gain. Only 802.11n and 802.11ac clients can take advantage of it, as legacy clients cannot understand the format of the larger frames.

Ensure the wireless clients also support aggregation to avoid compatibility issues.

* 
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (for example, interference or weak signals), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
10
The Enable MIMO option enables/disables MIMO (multiple-input, multiple-output). Enabling this option increases 802.11n throughput by using multiple transmit and receive antennas. This option is enabled by default for all 802.11n and 802.11ac modes and is dimmed so that it cannot be disabled. If 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected, the option is active and selected by default.
* 
NOTE: Ensure the wireless clients also support MIMO to avoid compatibility issues. If an 802.11a or 802.11g client cannot, disable the option by deselecting it.
SonicPoint AC Wireless Security
* 
NOTE: If a VAP group was selected in the Radio 0 Basic or Radio 1 Basic Virtual AP Group drop-down menu on the General tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed.

The options change depending on the authentication type you select:

For how to configure the Wireless Security settings, see Wireless Security section.

SonicPoint AC Virtual Access Point Encryption Settings
* 
NOTE: This section displays only if a VAP was selected from the Radio 0 Basic/1 Virtual AP Group drop-down menus in the Virtual Access Point Settings section of the General tab.

For how to configure the Virtual Access Point Encryption Settings settings, see Virtual Access Point Encryption Settings Section.

SonicPoint AC ACL Enforcement

For how to configure the ACL Enforcement settings, see ACL Enforcement section.

SonicPoint AC Radio 0 Advanced and Radio 1 Advanced Tabs

These settings affect the operation of the radios. The SonicPoint has two separate radios built in, so it can send and receive on both bands at the same time.

The Radio 0 Advanced and Radio 1 Advanced tabs are quite similar.

The options on the Radio 0 Advanced and Radio 1 Advanced tabs are the same except that Radio 0 Advanced has the Fragmentation Threshold (bytes) field.

To configure the Radio 0 Advanced and Radio 1 Advanced setting:
1
Select Hide SSID in Beacon to have the SonicPoint send beacons with a null SSID element in place of advertising the SSID. Clients then have to know the SSID before they can connect. This does not keep the SSID secret: clients that know it send it in the clear in probe requests and association requests, where a wireless sniffer can read it, so treat the option as an administrative convenience rather than a security control. By default, this option is unchecked.
2
From the Schedule IDS Scan drop-down menu, select a schedule for the IDS (Intrusion Detection Service) scan. Select a time when there are fewer demands on the wireless network to minimize the inconvenience of dropped wireless connections. You can create your own schedule by selecting Create new schedule or disable the feature by selecting Disabled, the default.
* 
NOTE: IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. It detects attacks against the WLAN infrastructure, which consists of the authorized access points, the RF medium, and the wired network. An authorized (valid) AP is an access point that belongs to the WLAN infrastructure; it can be a SonicPoint or a third-party access point.
3
From the Data Rate drop-down menu, select the speed at which the data is transmitted and received. Best (default) automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate, from a minimum of 1 Mbps to a maximum of 54 Mbps.
4
From the Transmit Power drop-down menu, select the transmission power. Transmit power affects the range of the SonicPoint; lowering it also reduces how far beyond your premises the signal can be received.
Full Power (default)
Half (-3 dB)
Quarter (-6 dB)
Eighth (-9 dB)
Minimum
5
From the Antenna Diversity drop-down menu, select the method that determines which antenna the SonicPoint uses to send and receive data.
Best: This is the default setting. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply.
2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.
6
In the Beacon Interval (milliseconds) field, enter the number of milliseconds between sending wireless SSID beacons. The minimum interval is 100 milliseconds, the maximum is 1000 milliseconds, and the default is 100 milliseconds.
7
In the DTIM Interval field, enter the DTIM interval as a number of beacon frames. The minimum is 1, the maximum is 255, and the default is 1.

The Delivery Traffic Indication Message (DTIM) interval specifies how many beacon frames elapse between DTIMs. Clients in 802.11 power-save mode wake for the DTIM beacon to receive buffered broadcast and multicast frames, so a larger interval saves client power at the cost of multicast latency.

8
In the Fragmentation Threshold (bytes) field, enter the number of bytes of fragmented data you want the network to allow. Fragment wireless frames to increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold numbers produce more fragments. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
9
In the RTS Threshold (bytes) field, enter the packet size, in bytes, at or above which a request to send (RTS) is sent before packet transmission. Sending an RTS avoids collisions where clients are in range of the same access point but not of each other. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
10
In the Maximum Client Associations field, enter the maximum number of clients you want each SonicPoint using this profile to support on this radio at one time. The minimum number of clients is 1, the maximum number is 128, and the default number is 32.
11
In the Station Inactivity Timeout (seconds) field, enter the maximum length of wireless client inactivity before Access Points age out the wireless client, in seconds. The minimum period is 60 seconds, the maximum is 36000 seconds, and the default is 300 seconds.
12
From the WMM (Wi-Fi Multimedia) drop-down menu, select whether a WMM profile is to be associated with this profile:
Disabled (default)
Create new WMM profile. If you select Create new WMM profile, the Add Wlan WMM Profile dialog displays. For information about configuring a WMM profile, see Configuring Wi-Fi Multimedia Parameters.
Custom WLAN WMM profile
13
Select Enable Short Slot Time to use the shorter 802.11g slot time (9 microseconds instead of the 20 microsecond 802.11b slot time) in the contention backoff, which increases throughput on the 2.4GHz 802.11n/g band. 802.11b clients do not support the short slot time. By default, this option is not selected.
14
Select Does not allow Only 802.11b Clients to Connect to limit wireless connections to 802.11g clients, for example when you are using Turbo G mode and therefore are not allowing 802.11b clients to connect. By default, this option is not selected.
15
Select Enable Green AP to allow the SonicPoint ACe/ACi/N2 radio to go into sleep mode. This saves power when no clients are actively connected to the SonicPoint. The SonicPoint immediately returns to full power mode when any client attempts to connect to it. Green AP can be set on each radio independently, Radio 0 (5GHz) and Radio 1 (2.4GHz).
16
In the Green AP Timeout(s) field, enter the timeout value in seconds that the access point will wait while it has no active connections before it goes into sleep mode. The timeout values can range from 10 seconds to 600 seconds. The default value is 20 seconds.
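To make the Hide SSID in Beacon behaviour in Step 1 concrete, the following Python is an added example (not SonicOS code) that builds an 802.11 beacon carrying a null SSID element and an association request from a client that knows the network, then extracts the SSID element from each the way a passive sniffer would. The frames, the BSSID, the station MAC and the SSID "CorpWiFi" are all constructed here; only the frame layout follows IEEE 802.11. It shows that the beacon reveals nothing but the association request carries the name in the clear.

```python
# Parse the SSID element from 802.11 management frames to show what Hide SSID
# in Beacon does and does not conceal. Added example, not SonicOS code.
# All frames and addresses below are constructed for the demonstration.
import struct

BSSID = bytes.fromhex("02aabbccddee")   # constructed access-point address
STA = bytes.fromhex("021122334455")     # constructed client address
BROADCAST = b"\xff" * 6

# Management subtypes handled here, and the fixed-field bytes that precede the IEs.
SUBTYPES = {0x0: "assoc-req", 0x4: "probe-req", 0x5: "probe-resp", 0x8: "beacon"}
FIXED_LEN = {"assoc-req": 4, "probe-req": 0, "probe-resp": 12, "beacon": 12}
SSID_EID = 0


def ie(eid, payload):
    """Encode one information element: element ID, length, payload."""
    return bytes([eid, len(payload)]) + payload


def mgmt_frame(subtype, addr1, addr2, fixed, ies):
    """24-byte management header (type 0, version 0) + fixed fields + IEs."""
    fc = struct.pack("<BB", subtype << 4, 0)
    hdr = fc + struct.pack("<H", 0) + addr1 + addr2 + BSSID + struct.pack("<H", 0)
    return hdr + fixed + ies


def parse_ies(body):
    """Return {element_id: payload} for an IE list; raise on a truncated element."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            raise ValueError("truncated information element")
        ies.setdefault(eid, body[off:off + length])   # keep the first occurrence
        off += length
    return ies


def ssid_from_frame(frame):
    """Return (frame kind, ssid). '' means a null (hidden) SSID element."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the management header")
    fc0 = frame[0]
    if ((fc0 >> 2) & 0x3) != 0 or (fc0 >> 4) not in SUBTYPES:
        return None, None                              # not a management frame we parse
    kind = SUBTYPES[fc0 >> 4]
    ies = parse_ies(frame[24 + FIXED_LEN[kind]:])
    raw = ies.get(SSID_EID)
    if raw is None:
        return kind, None
    if raw.strip(b"\x00") == b"":                      # zero-length or all-zero: hidden
        return kind, ""
    return kind, raw.decode("utf-8", "replace")


def build_hidden_beacon():
    """Beacon as sent with Hide SSID in Beacon enabled: SSID element of length 0."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)        # timestamp, interval (TU), capability
    return mgmt_frame(0x8, BROADCAST, BSSID, fixed,
                      ie(SSID_EID, b"") + ie(1, b"\x82\x84\x8b\x96"))


def build_assoc_request(ssid):
    """Association request from a client that already knows the SSID."""
    fixed = struct.pack("<HH", 0x0411, 10)              # capability, listen interval
    return mgmt_frame(0x0, BSSID, STA, fixed,
                      ie(SSID_EID, ssid.encode()) + ie(1, b"\x82\x84\x8b\x96"))


def demo(ssid="CorpWiFi"):
    """What a sniffer sees: the beacon hides the name, the association request does not."""
    return {
        "beacon": ssid_from_frame(build_hidden_beacon()),
        "assoc": ssid_from_frame(build_assoc_request(ssid)),
    }


if __name__ == "__main__":
    for name, (kind, ssid) in demo().items():
        print(f"{name:7} {kind:10} SSID={ssid!r}")
```

Run it directly to print both results; `demo()["beacon"]` comes back with an empty SSID while `demo()["assoc"]` returns the configured name, which is why hiding the SSID only delays disclosure until the first client associates.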
SonicPoint AC Sensor Tab

In the Sensor tab, you enable or disable Wireless Intrusion Detection and Prevention (WIDP) mode.

 
* 
NOTE: If this option is selected, Access Point or Virtual Access Point(s) functionality will be disabled automatically.
1
Select Enable WIDP sensor to have the SonicPoint operate as a dedicated WIDP sensor.
2
From the drop-down menu, select the schedule for when the SonicPoint operates as a WIDP sensor or select Create new schedule… to specify a different time; default is Always on.

Configuring a SonicPoint NDR Profile

You can add any number of SonicPoint NDR profiles. The specifics of the configuration will vary slightly depending on which 802.11 protocols you select.

To configure a SonicPoint NDR provisioning profile:
1
Navigate to SonicPoint > SonicPoints page.
2
To add a new SonicPoint NDR profile, click the Add SonicPoint NDR Profile button in the SonicPoint N Provisioning Profiles table. To edit an existing profile, select the profile and click the Configure icon in the same line as the profile you want to edit. The Add/Edit SonicPoint NDR Profile dialog displays.

You configure the SonicPoint NDR through options on these tabs:

General Tab

In the General tab, configure the desired settings:

SonicPoint Settings section
1
Check Enable SonicPoint to enable each SonicPoint NDR automatically when it is provisioned with this profile. This option is selected by default.
2
Optionally, check Retain Settings to have the SonicPoint NDRs provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default.

If you select this option, the Edit button becomes active and the Retain Settings dialog displays. To specify the settings to retain:

a
If you are editing an existing SonicPoint NDR profile, click the Edit button. The Retain Settings dialog displays.

b
Do one of the following:
Check the Retain All Settings box; all the other options become dimmed.
Check the boxes of the individual settings to be retained.
c
Click OK.
3
Optionally, check the Enable RF Monitoring box to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default.
4
Enter a prefix for the names of all SonicPoint NDRs connected to this zone in the Name Prefix field. This prefix assists in identifying SonicPoint NDR on a zone. When each SonicPoint NDR is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint NDR 126008.
5
Select the country where you are operating the SonicPoint NDRs from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.
6
From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v1, but v2 provides better security.
Virtual Access Point Settings section
1
Optionally, select an 802.11n Virtual Access Point (VAP) group to assign these SonicPoint NDRs to a VAP from the 802.11n Radio 0 Virtual AP Group and 802.11n Radio 1 Virtual AP Group drop-down menus. The drop-down menus allow you to create a new VAP group. For more information on VAPs, see SonicPoint > Virtual Access Point.
L3 SSL VPN Tunnel Setting section
1
In the SSL VPN Server field, enter the IP address of the SSL VPN server.
2
In the User Name field, enter the user name the SonicPoint uses to authenticate to the SSL VPN server.
3
In the Password field, enter the password for that user.
4
In the Domain field, enter the authentication domain configured on the SSL VPN server.
5
Check the Auto-Reconnect box to have the SonicPoint reconnect to the SSL VPN server automatically if the tunnel drops.
* 
NOTE: To Configure L3 SSL VPN, refer to SonicPoint Layer 3 Management and SSL VPN > Client Settings.
802.11n Radio 0 and 802.11n Radio 1 Tabs

The 802.11n Radio 0 and 802.11n Radio 1 tabs are similar and have only a few differences, which are noted in the steps.

* 
NOTE: The sections and options displayed on the 802.11n Radio 0 and 802.11n Radio 1 tabs change depending on whether you selected a VAP group in the 802.11n Radio 0 or 802.11n Radio 1 Virtual AP Group drop-down menu on the General tab, and on the mode you select in the Mode drop-down menu. These choices apply only to the radio for which they were selected.
1
Click the 802.11n Radio 0 or 802.11n Radio 1 tab.

2
Configure the settings for the 802.11 5GHz (Radio 0) and 2.4GHz (Radio 1) band radios:
802.11n Radio 0 Settings and 802.11n Radio 1 Settings section
* 
NOTE: The options change depending on the mode you select.

1
Check the Enable Radio check box to automatically enable the 802.11n radio bands on all SonicPoint NDRs provisioned with this profile. This option is selected by default.
From the Enable Radio drop-down menu, select a schedule for when the 802.11n radio is on or create a new schedule; default is Always on. You can create a new schedule by selecting Create new schedule.
2
Select your preferred radio mode from the Mode drop-down menu. The wireless security appliance supports the modes shown in Mode Options.

Mode Options (802.11n Radio 0 / 802.11n Radio 1)

5GHz 802.11n Only / 2.4GHz 802.11n Only: Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.

5GHz 802.11n/a Mixed / 2.4GHz 802.11n/g/b Mixed: Supports 802.11a and 802.11n (Radio 0) or 802.11b, 802.11g, and 802.11n (Radio 1) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. This is the default.

5GHz 802.11a Only (Radio 0 only): Select this mode if only 802.11a clients access your wireless network.

2.4GHz 802.11g Only (Radio 1 only): If your wireless network consists only of 802.11g clients, you can select this mode for increased 802.11g performance. You can also select this mode to prevent 802.11b clients from associating.

* 
TIP: If only 802.11n clients use the network and throughput is the sole concern, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/g/b Mixed radio mode when clients of several 802.11 types must be able to associate.
* 
NOTE: The available 802.11n Radio 0/1 Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel, Enable Short Guard Interval, and Enable Aggregation.
Does not support 802.11n (802.11a Only or 802.11g Only), only the Channel option is displayed.
3
Optionally, select Enable DFS Channels to allow the radio to use Dynamic Frequency Selection (DFS) channels, which share the 5 GHz band with radar systems. On these channels the SonicPoint must detect radar and vacate the channel when radar is present.
* 
NOTE: If you select this option, choose either Standard - 20 MHz Channel or Wide - 40 MHz Channel as the Radio Band. The Primary Channel and Standard Channel drop-down menus then also list the available DFS channels.
* 
NOTE: This option appears only on the 802.11n Radio 0 tab, because 802.11n Radio 1 operates in the 2.4 GHz band and DFS applies only to 5 GHz channels.
4
In the SSID field, enter a recognizable string for the SSID of each SonicPoint NDR using this profile. This is the name that will appear in clients’ lists of available wireless connections.
* 
NOTE: If all SonicPoint NDRs in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint NDR to another.
5
If you selected a mode that:
Supports 802.11n, go to Step 7.
Does not support 802.11n, select a channel from the Channel drop-down menu.
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. Use Auto unless you have a specific reason to use or avoid specific channels.
Specific channel – You can select a single channel within the range of your regulatory domain. Selecting a specific channel also can help with avoiding interference with other wireless networks in the area.
 

Available Channels

Radio 0: 802.11a Only
Channel 36 (5180 MHz)
Channel 40 (5200 MHz)
Channel 44 (5220 MHz)
Channel 48 (5240 MHz)
Channel 149 (5745 MHz)
Channel 153 (5765 MHz)
Channel 157 (5785 MHz)
Channel 161 (5805 MHz)

Radio 1: 802.11g Only
Channel 1 (2412 MHz)
Channel 2 (2417 MHz)
Channel 3 (2422 MHz)
Channel 4 (2427 MHz)
Channel 5 (2432 MHz)
Channel 6 (2437 MHz)
Channel 7 (2442 MHz)
Channel 8 (2447 MHz)
Channel 9 (2452 MHz)
Channel 10 (2457 MHz)
Channel 11 (2462 MHz)


6
Go to Step 10.
* 
NOTE: When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed.
7
For 802.11n-capable modes only: from the Radio Band drop-down menu, select the channel width for the 802.11n radio:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Both the Primary Channel and Secondary Channel are set to Auto also. This is the default setting.
Standard - 20 MHz Channel—Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel options.
Standard Channel—This drop-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity.

Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help avoid interference with other wireless networks in the area. The available channels depend on which radio you are configuring:

Radio 0: Same as for 802.11a in the Available Channels table in Step 5
Radio 1: Same as for 802.11g in the Available Channels table in Step 5
Wide - 40 MHz Channel—Specifies that the 802.11n radio uses a wide 40 MHz channel (two bonded 20 MHz channels). When this option is selected, the Primary Channel and Secondary Channel drop-down menus are active:
Primary Channel—By default this is set to Auto. Optionally, you can specify a primary channel. The available channels are those listed for the radio you are configuring in Step 5.
Secondary Channel—Is set to Auto regardless of the setting of Primary Channel.
8
Enable Short Guard Interval—Specifies the short guard interval of 400ns (as opposed to the standard guard interval of 800ns).
* 
NOTE: This option is not available if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected.

A guard interval is a set amount of time between symbol transmissions that keeps distinct transmissions from interfering with one another. It gives immunity to propagation delays, echoes, and reflections: signal content that arrives inside the interval is treated as inter-symbol interference and discarded.

The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long).

Enabling a short guard interval reduces idle time on each AP and so raises the 802.11n data rate. A short guard interval of 400 nanoseconds (ns) works in most office environments, where distances between points of reflection, and between clients, are short and most reflections arrive quickly. The shorter the guard interval, the more efficiently the channel is used, but the greater the exposure to multipath interference.

Some deployments may, however, require the long guard interval. An 800 ns guard interval becomes more important as areas become larger, such as in warehouses and outdoor environments, because reflections and echoes are more likely to persist after a short guard interval would have ended.

Ensure the wireless clients also support a short guard interval to avoid compatibility issues.

9
Select Enable Aggregation to enable 802.11n frame aggregation, which combines multiple data frames in a single transmission to reduce overhead and increase throughput.
* 
NOTE: This option is not available if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected.

Data over wireless networks are sent as a stream of packets known as data frames. Frame aggregation takes these packets and combines them into fewer, larger packets, thereby allowing an increase in overall performance. Frame aggregation was added to the 802.11n specification to allow for an additional increase in performance. Frame aggregation is a feature that only 802.11n clients can take advantage of, as legacy systems will not be able to understand the new format of the larger packets.

Ensure the wireless client also can support aggregation to avoid compatibility issues.

* 
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, etc.), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
10
The Enable MIMO option enables/disables MIMO (multiple-input, multiple-output). Enabling this option increases 802.11n throughput by using multiple transmit and receive antennas. This option is enabled by default for all 802.11n modes and is dimmed so that it cannot be disabled. If 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected, the option is active and selected by default.
* 
NOTE: Ensure the wireless clients also support MIMO to avoid compatibility issues. If an 802.11a or 802.11g client cannot, disable the option by deselecting it.
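The rules spread across Steps 2 to 9 above, for both the SonicPoint AC Radio 0/1 Basic tabs and the SonicPoint NDR 802.11n Radio 0/1 tabs, are easy to violate when a profile is written up outside the UI (in a change ticket or a build sheet) and then keyed in. The following Python is an added example, not SonicOS code, that checks such a profile, described as a plain dict, against those rules: legacy modes offer only Channel; 802.11n/802.11ac modes offer Radio Band; DFS channels are reachable only on Radio 0 with Enable DFS Channels set and a fixed Radio Band; Short Guard Interval and Aggregation do not exist in legacy modes; each radio offers only its own modes. The dict keys are this example's own names, not SonicOS fields. The non-DFS channel lists come from the Available Channels tables; the DFS channel set is an assumption for the US (FCC) regulatory domain, which the page does not list. SonicPoint NDR profiles simply never use the two 802.11ac modes.

```python
# Validator for a SonicPoint radio profile, following the constraints stated in the
# Radio 0/1 Basic (SonicPoint AC) and 802.11n Radio 0/1 (SonicPoint NDR) tab steps.
# Added example, not SonicOS code. Profile keys (radio, mode, ssid, channel, band,
# standard_channel, primary_channel, dfs_enabled, short_gi, aggregation) are this
# example's own. DFS_5GHZ assumes the US (FCC) regulatory domain.

NON_DFS_5GHZ = (36, 40, 44, 48, 149, 153, 157, 161)              # Available Channels table
DFS_5GHZ = tuple(range(52, 65, 4)) + tuple(range(100, 145, 4))  # assumption: FCC UNII-2A/2C
CHANNELS_2GHZ = tuple(range(1, 12))                             # Available Channels table

MODES = {
    0: ("5GHz 802.11n Only", "5GHz 802.11n/a Mixed", "5GHz 802.11a Only",
        "5GHz 802.11ac Only", "5GHz 802.11ac/n/a Mixed"),
    1: ("2.4GHz 802.11n Only", "2.4GHz 802.11n/g/b Mixed", "2.4GHz 802.11g Only"),
}
LEGACY_MODES = ("5GHz 802.11a Only", "2.4GHz 802.11g Only")     # no 802.11n options shown
BANDS = ("Auto", "Standard - 20 MHz Channel", "Wide - 40 MHz Channel")


def center_mhz(radio, channel):
    """Centre frequency of a channel number, matching the Available Channels tables."""
    return 5000 + 5 * channel if radio == 0 else 2407 + 5 * channel


def allowed_channels(radio, dfs_enabled=False):
    """Channels the Channel / Standard Channel / Primary Channel menus may offer."""
    if radio == 1:
        return CHANNELS_2GHZ
    return NON_DFS_5GHZ + (DFS_5GHZ if dfs_enabled else ())


def check_channel(problems, radio, value, menu, dfs_enabled):
    """Accept 'Auto' or a channel number valid for this radio and DFS setting."""
    if value == "Auto":
        return
    if value not in allowed_channels(radio, dfs_enabled):
        if radio == 0 and value in DFS_5GHZ:
            problems.append(f"{menu} {value} is a DFS channel; set Enable DFS Channels first")
        else:
            problems.append(f"{menu} {value} is not available on Radio {radio}")


def validate_profile(p):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    radio, mode = p.get("radio"), p.get("mode")
    if radio not in MODES:
        return ["radio must be 0 (5 GHz) or 1 (2.4 GHz)"]
    if mode not in MODES[radio]:
        return [f"mode {mode!r} is not offered on Radio {radio}"]
    if not p.get("ssid"):
        problems.append("SSID is empty")
    dfs = bool(p.get("dfs_enabled"))
    if dfs and radio == 1:
        problems.append("Enable DFS Channels exists only on Radio 0 (5 GHz)")
        dfs = False
    if mode in LEGACY_MODES:
        # Step 5: legacy modes show only the Channel menu and none of the 802.11n options.
        check_channel(problems, radio, p.get("channel", "Auto"), "Channel", dfs)
        for opt in ("band", "short_gi", "aggregation"):
            if p.get(opt) not in (None, False, "Auto"):
                problems.append(f"{opt} is not available in {mode}")
        return problems
    # Step 7: 802.11n-capable modes use Radio Band instead of Channel.
    band = p.get("band", "Auto")
    if band not in BANDS:
        problems.append(f"unknown Radio Band {band!r}")
    elif band == "Auto":
        if dfs:
            problems.append("DFS channels need Radio Band set to Standard or Wide, not Auto")
    elif band.startswith("Standard"):
        check_channel(problems, radio, p.get("standard_channel", "Auto"), "Standard Channel", dfs)
    else:
        check_channel(problems, radio, p.get("primary_channel", "Auto"), "Primary Channel", dfs)
    return problems


if __name__ == "__main__":
    draft = {"radio": 0, "mode": "5GHz 802.11n/a Mixed", "ssid": "corp",
             "band": "Standard - 20 MHz Channel", "standard_channel": 52}
    print(validate_profile(draft))                        # DFS channel without Enable DFS
    print(validate_profile({**draft, "dfs_enabled": True}))  # [] once DFS is enabled
```

The `__main__` block runs a draft Radio 0 profile that picks channel 52 without Enable DFS Channels, reports the problem, and then shows the same profile passing once the option is set.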
Wireless Security section
* 
NOTE: If a VAP group was selected in the 802.11n Radio 0 or 802.11n Radio 1 Virtual AP Group drop-down menu on the General tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed. Go to Virtual Access Point Encryption Settings Section.

The options change depending on the authentication type you select.

The Wireless Security section of both the 802.11n Radio 0 and 802.11n Radio 1 tabs is the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Wireless Security settings, see Wireless Security section.

Virtual Access Point Encryption Settings section
* 
NOTE: This section displays only if a VAP was selected from the 802.11n Radio 0/1 Virtual AP Group drop-down menus in the Virtual Access Point Settings section of the General tab.

The Virtual Access Point Encryption Settings section of both the 802.11n Radio 0 and 802.11n Radio 1 tabs is the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Virtual Access Point Encryption Settings, see Virtual Access Point Encryption Settings Section.

ACL Enforcement section

The ACL Enforcement section of both the 802.11n Radio 0 and 802.11n Radio 1 tabs is the same as for the SonicPoint N 802.11n Radio tab. For how to configure the ACL Enforcement settings, see ACL Enforcement section.

Remote MAC Address Access Control Settings section
* 
NOTE: If a VAP group was selected in the 802.11n Radio 0 or 802.11n Radio 1 Virtual AP Group drop-down menu on the General tab, this section is not available. Go to Radio 0 Advanced and Radio 1 Advanced Tabs.

The Remote MAC Address Access Control Settings section of both the 802.11n Radio 0 and 802.11n Radio 1 tabs is the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Remote MAC Address Access Control Settings, see Remote MAC Address Access Control Settings section.

* 
CAUTION: You cannot enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled. If you try to enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled, you will get the following error message:
Remote MAC address access control can not be set when IEEE 802.11i EAP is enabled.
Radio 0 Advanced and Radio 1 Advanced Tabs

These settings affect the operation of the 802.11n Radio 1 radio bands. The SonicPoint has two separate radios built in. Therefore, it can send and receive on both bands at the same time.

The Radio 0 Advanced and Radio 1 Advanced tabs are quite similar; the difference is that the Radio 1 Advanced tab has more options.

The options on the Radio 0 Advanced and Radio 1 Advanced tabs are the same as for the SonicPoint N Advanced tab. For how to configure these settings, see Advanced Tab.

Sensor Tab

In the Sensor tab, you enable or disable Wireless Intrusion Detection and Prevention (WIDP) mode.

* 
NOTE: If this option is selected, Access Point or Virtual Access Point(s) functionality will be disabled automatically.
1
Select Enable WIDP sensor to have the SonicPoint N operate as a dedicated WIDP sensor.
2
From the drop-down menu, select the schedule for when the SonicPoint N operates as a WIDP sensor or select Create new schedule… to specify a different time; default is Always on.

Configuring a SonicPoint N Profile

For a SonicPoint overview, see SonicPoint > SonicPoints.

SonicPoint N profiles are used for SonicPoint Ne and SonicPoint Ni access points. You can add any number of SonicPoint N profiles. The specifics of the configuration vary slightly depending on which 802.11 protocols you select.

To configure a SonicPoint N provisioning profile:
1
Navigate to the SonicPoint > SonicPoints page.
2
To add a new SonicPoint N profile, click the Add SonicPoint N Profile button in the SonicPoint N Provisioning Profiles table. To edit an existing profile, select the profile and click the Configure icon in the same line as the profile you want to edit. The Add/Edit SonicPoint N Profile dialog displays.

You configure the SonicPoint N through options on these tabs:

Settings Tab

The Settings tab has these sections:

SonicPoint Settings section
1
Check Enable SonicPoint to enable each SonicPoint N automatically when it is provisioned with this profile. This option is selected by default.
2
Optionally, check Retain Settings to have the SonicPoint Ns provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default.

If you select this option, the Edit button becomes active. To specify the settings to retain:

a
Click the Edit button. The Retain Settings dialog displays.

b
Do one of the following:
Click the Retain All Settings check box; all the other options become dimmed.
Click the check boxes of the individual settings to be retained.
c
Click OK.
3
Optionally, check the Enable RF Monitoring check box to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default.
4
Optionally, check the Enable LED (Ni/Ne) check box to turn SonicPoint N LEDs on/off. This option is not selected by default.
* 
NOTE: This option applies only to the SonicPoint N model that has controllable LED hardware support.
5
Enter a prefix for the names of all SonicPoint Ns connected to this zone in the Name Prefix field. This prefix assists in identifying SonicPoint N on a zone. When each SonicPoint N is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint N 126008.
6
Select the country where you are operating the SonicPoint Ns from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.
7
From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v1, but v2 provides better security.
Virtual Access Point Settings section
1
Optionally, select an 802.11n Virtual Access Point (VAP) group to assign these SonicPoint Ns to a VAP from the 802.11n Radio Virtual AP Group drop-down menu. This drop-down menu allows you to create a new VAP group.
L3 SSL VPN Tunnel Settings section
1
In the SSL VPN Server field, enter the IP address of the SSL VPN server.
2
In the User Name field, enter the user name for the SSL VPN server.
3
In the Password field, enter the Password for the SSL VPN server.
4
In the Domain field, enter the domain that the SSL VPN server is located in.
5
Click the Auto-Reconnect check box for the SonicPoint to auto-reconnect to the SSL VPN server.
* 
NOTE: To configure L3 SSL VPN, click the link to SSL VPN > Client Settings. For information about Layer 3 SSL VPN, refer to SonicPoint Layer 3 Management.
802.11n Radio Tab
* 
NOTE: The sections and options displayed on the 802.11n Radio tab change depending on whether you selected a VAP group in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab and the mode you select in the Mode drop-down menu.
1
Click the 802.11n Radio tab.

2
Configure the radio settings for the 802.11n radio:
802.11n Radio Settings section
* 
NOTE: The options change depending on the mode you select.

1
Check the Enable Radio box to automatically enable the 802.11n radio bands on all SonicPoints provisioned with this profile. This option is selected by default.
From the Enable Radio drop-down menu, select a schedule for when the 802.11n radio is on or create a new schedule; default is Always on. You can create a new schedule by selecting Create new schedule.
2
Select your preferred radio mode from the Mode drop-down menu. The wireless security appliance supports the following modes:
2.4GHz 802.11n Only—Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
2.4GHz 802.11n/g/b Mixed—Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. This is the default.
* 
TIP: For optimal throughput with 802.11n clients only, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for compatibility with multiple types of wireless clients.
2.4GHz 802.11g Only—If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.
5GHz 802.11n Only—Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
5GHz 802.11n/a Mixed—Supports 802.11n and 802.11a clients simultaneously. If your wireless network comprises both types of clients, select this mode.
5GHz 802.11a Only—Select this mode if only 802.11a clients access your wireless network.
* 
NOTE: The available 802.11n Radio Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel.
Does not support 802.11n, only the Channel option is displayed.
Supports 802.11a, the Enable DFS Channels option is displayed.
3
If you selected a mode that supports 802.11a, optionally check the Enable DFS Channels checkbox. The Enable Dynamic Frequency Selection (DFS) option allows wireless devices to share spectrum with existing radar systems in the 5 GHz band.
4
In the SSID field, enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients’ lists of available wireless connections.
* 
NOTE: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
5
If you selected a mode that
Supports 802.11n, go to Step 7.
Does not support 802.11n, select a channel from the Channel drop-down menu.
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. Use Auto unless you have a specific reason to use or avoid specific channels.
Specific channel – You can select a single channel within the range of your regulatory domain. Selecting a specific channel also can help with avoiding interference with other wireless networks in the area.
 

Available Channels

802.11a                  802.11g
Channel 36 (5180 MHz)    Channel 1 (2412 MHz)
Channel 40 (5200 MHz)    Channel 2 (2417 MHz)
Channel 44 (5220 MHz)    Channel 3 (2422 MHz)
Channel 48 (5240 MHz)    Channel 4 (2427 MHz)
Channel 149 (5745 MHz)   Channel 5 (2432 MHz)
Channel 153 (5765 MHz)   Channel 6 (2437 MHz)
Channel 157 (5785 MHz)   Channel 7 (2442 MHz)
Channel 161 (5805 MHz)   Channel 8 (2447 MHz)
                         Channel 9 (2452 MHz)
                         Channel 10 (2457 MHz)
                         Channel 11 (2462 MHz)

6
Go to Step 10.
* 
NOTE: When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed.
7
For 802.11n only: from the Radio Band drop-down menu, select the band for the 802.11n radio:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Both the Primary Channel and Secondary Channel are set to Auto also. This is the default setting.
Standard - 20 MHz Channel—Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel options.
Standard Channel—This drop-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity.

Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. The available channels are the same as for 802.11g in Step 5.

Wide - 40 MHz Channel—Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are active:
Primary Channel—By default this is set to Auto. Optionally, you can specify a specific primary channel. The available channels are the same as for 802.11a in Step 5.
Secondary Channel—The configuration of this drop-down menu is controlled by your selection for the primary channel:
If the primary channel is set to Auto, the secondary channel is also set to Auto.
If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
8
Enable Short Guard Interval—Specifies the short guard interval of 400ns (as opposed to the standard guard interval of 800ns).
* 
NOTE: This option is not available if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected.

A guard interval is a set amount of time between transmissions that is designed to ensure distinct transmissions do not interfere with one another. The guard interval introduces immunity to propagation delays, echoes, and reflections. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays.

The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long).

Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. A short guard interval of 400 nanoseconds (ns) will work in most office environments, as distances between points of reflection, as well as between clients, are short, so most reflections will be received quickly. The shorter the guard interval, the more efficient the channel usage, but a shorter guard interval also increases the risk of interference.

Some outdoor deployments may, however, require a longer guard interval. The need for a long guard interval of 800 ns becomes more important as areas become larger, such as in warehouses and in outdoor environments, as reflections and echoes become more likely to continue after the short guard interval would be over.

Using the short guard interval increases the 802.11n data rate. Ensure the wireless client also supports a short guard interval to avoid compatibility issues.

9
Enable Aggregation—Enables 802.11n frame aggregation, which combines multiple data frames in a single transmission to reduce overhead and increase throughput.
* 
NOTE: This option is not available if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected.

Data over wireless networks is sent as a stream of packets known as data frames. Frame aggregation takes these packets and combines them into fewer, larger packets, thereby allowing an increase in overall performance. Frame aggregation was added to the 802.11n specification to allow for an additional increase in performance. Frame aggregation is a feature that only 802.11n clients can take advantage of, as legacy systems are not able to understand the new format of the larger packets.

Ensure the wireless client also can support aggregation to avoid compatibility issues.

* 
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (for example, interference, weak signals), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
10
The Enable MIMO option enables/disables MIMO (multiple-input, multiple-output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas. This option is enabled by default for all 802.11n modes and is dimmed to ensure it is not disabled. The option is activated and selected by default if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected. Ensure the wireless client also supports these antennas to avoid compatibility issues. If the 802.11a or 802.11g client cannot support these antennas, disable the option by deselecting it.
Wireless Security section
* 
NOTE: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed. Go to Virtual Access Point Encryption Settings Section.

The options change depending on the authentication type you select.

1
Select the method of authentication for your wireless network from the Authentication Type drop-down menu:
* 
NOTE: The options available change with the type of configuration you select.
WEP - Both (Open System & Shared Key)
WEP - Open System – All options are dimmed; go to ACL Enforcement section.
WEP - Shared Key
* 
NOTE: For WEP - Both (Open System & Shared Key) and WEP - Shared Key, go to WEP Configuration section.
WPA - PSK
WPA - EAP
WPA2-PSK
WPA2-EAP
WPA2-AUTO-PSK
WPA2-AUTO-EAP
* 
NOTE: For WPA and WPA2 options, go to WPA or WPA2 Configuration section.
WEP Configuration section

WEP (Wired Equivalent Privacy) is a standard for Wi-Fi wireless network security.

A WEP key is a security code system for Wi-Fi networks. WEP keys allow a group of devices on a local network (such as a home network) to exchange encoded messages with each other while hiding the contents of the messages from easy viewing by outsiders.

WEP keys are chosen by a network administrator. When WEP security is enabled on a network, matching WEP keys must be set on Wi-Fi routers and each device connecting over Wi-Fi for them all to communicate with each other.

1
Select the size of the encryption key from the WEP Key Mode drop-down menu:
None – default for WEP - Both (Open System & Shared Key). If selected, the rest of the options in this section remain dimmed; go to ACL Enforcement section.
64 bit
128 bit
152 bit (default for WEP - Shared Key)
2
From the Default Key drop-down menu, select the default key, which will be tried first when trying to authenticate a user:
Key 1 (default)
Key 2
Key 3
Key 4
3
From the Key Entry drop-down menu, select whether the key is:
Alphanumeric (default)
Hexadecimal (0-9, A-F)
4
In the Key 1 - Key 4 fields, enter up to four possible WEP encryption keys to be used when transferring encrypted wireless traffic. Enter the key most likely to be used in the field you selected as the default key.
* 
NOTE: The length of each key is based on the selected key type (alphanumeric or hexadecimal) and WEP strength (64, 128, or 152 bits).
Key 1: First static WEP key associated with the key index.
Key 2: Second static WEP key associated with the key index.
Key 3: Third static WEP key associated with the key index.
Key 4: Fourth static WEP key associated with the key index.
WPA or WPA2 Configuration section
* 
NOTE: The options change depending on the authentication type selected.

1
From the Cipher Type drop-down menu, select the cipher to encrypt your wireless data.
AES (newer, more secure; default): AES (Advanced Encryption Standard) is a block cipher used to protect wireless traffic. AES is available with key lengths of 128, 192 or 256 bits, depending on the hardware you intend to use with it. In the networking field, AES is considered to be among the most secure of all commonly installed encryption packages.
TKIP (older, more compatible): TKIP (Temporal Key Integrity Protocol) is not actually a cipher, but a set of security algorithms meant to improve the overall safety of WEP (Wired Equivalent Privacy) networks. WEP is widely known to have a host of serious security vulnerabilities. TKIP adds a few extra layers of protection to WEP.
Auto: the appliance chooses the cipher type automatically.
2
In the Group Key Interval field, enter the time period for which a Group Key is valid, that is, the time interval before the encryption key is changed automatically for added security. The default value is 86400 seconds (24 hours). Setting too low a value can cause connection issues.
3
For EAP authentication types, go to RADIUS Server Settings Section.
4
For PSK authentication types only, enter a passphrase in the Passphrase field. This is the shared passphrase your network users must enter to gain network access when they connect with PSK-based authentication.
* 
NOTE: This option will be displayed only if you selected WPA-PSK, WPA2-PSK, or WPA2‑AUTO‑PSK for your authentication type.
RADIUS Server Settings Section
* 
NOTE: This section displays only if you selected WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP for your authentication type.

Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1X/EAP-capable RADIUS server for key generation. An EAP-compliant RADIUS server provides 802.1X authentication. The RADIUS server must be configured to support this authentication and all communications with the SonicWall.

1
Click the Configure button in the Radius Server Settings section. The SonicPoint Radius Server Settings dialog displays.

2
In the Radius Server Retries field, enter the number of retries allowed for the Radius server.
3
In the Retry Interval (seconds) field enter the time, in seconds, between retries.
4
To configure the Radius Server Settings, see WPA-EAP / WPA2-EAP Encryption Settings.
Virtual Access Point Encryption Settings Section
* 
NOTE: This section displays only if a VAP was selected from the 802.11n Radio Virtual AP Group drop-down menu in the Virtual Access Point Settings section of the Settings tab.

1
Click the Configure button. The Edit 802.11n Virtual Access Point WEP Key dialog displays.

2
From the Key Entry Method radio buttons, select whether the key is:
Alphanumeric (default)
Hexadecimal (0-9, A-F)
3
From the Default Key radio buttons, select the default key, which will be tried first when trying to authenticate a user:
Key 1 (default)
Key 2
Key 3
Key 4
4
In the Key 1 - Key 4 fields, enter up to four possible WEP encryption keys to be used when transferring encrypted wireless traffic. Enter the key most likely to be used in the field you selected as the default key.
Key 1: First static WEP key associated with the key index.
Key 2: Second static WEP key associated with the key index.
Key 3: Third static WEP key associated with the key index.
Key 4: Fourth static WEP key associated with the key index.
5
From the Key Type drop-down menus, select the size of each key:
None (default)
64 bit
128 bit
152 bit
ACL Enforcement section

1
Select Enable Mac Filter List to enforce Access Control by allowing or denying traffic from specific devices.
2
From the Allow List drop-down menu, select a MAC address group to automatically allow traffic from all devices with a MAC address in the group.
Create new Mac Address Object Group… – the Add Address Object Group dialog displays
All MAC Addresses
Default SonicPoint ACL Allow Group
Custom MAC Address Object Groups
3
From the Deny List drop-down menu, select a MAC address group to automatically deny traffic from all devices with a MAC address in the group.
Create new Mac Address Object Group…
No MAC Addresses
Default SonicPoint ACL Deny Group
Custom MAC Address Object Groups
* 
NOTE: The Deny List is enforced before the Allow List.
4
Select Enable MIC Failure ACL Blacklist to detect WPA TKIP MIC failure floods and automatically place the problematic wireless station(s) into a blacklist to stop the attack. As wireless clients generate the TKIP countermeasures, they are also automatically moved into the blacklist, so the other wireless stations within the same wireless LAN are not affected.
* 
NOTE: It is recommended that the Allow List be set to All MAC Addresses and the Deny List be set to Default SonicPoint ACL Deny Group.
5
Enter the maximum number of MIC failures per minute in the MIC Failure Frequency Threshold field; default is 3.
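The evaluation order described in this section (Deny List enforced before Allow List) and the MIC Failure ACL Blacklist with its per-minute threshold, modelled in Python as an added example; this is not SonicOS code, and the class name, the group placeholders and the rule "more than the threshold of failures within a 60-second window" are assumptions.

```python
"""Model of the SonicPoint ACL Enforcement section.

Deny List is checked before Allow List, and the MIC Failure ACL Blacklist
adds a station to the deny set once it exceeds N TKIP MIC failures per
minute (default 3).  Added example; not SonicOS code.  Names and the
exact "more than threshold inside the window" rule are assumptions.
"""
from collections import defaultdict, deque

ALL_MAC = "ALL"    # placeholder for the "All MAC Addresses" group
NO_MAC = "NONE"    # placeholder for the "No MAC Addresses" group


def norm(mac: str) -> str:
    """Normalise any MAC spelling (AA-BB-.., aa:bb:..) to lower-case colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class SonicPointACL:
    def __init__(self, allow, deny, mic_threshold=3, window_s=60):
        # allow / deny are ALL_MAC, NO_MAC, or an iterable of MAC strings
        self.allow = allow if allow in (ALL_MAC, NO_MAC) else {norm(m) for m in allow}
        self.deny = deny if deny in (ALL_MAC, NO_MAC) else {norm(m) for m in deny}
        self.mic_threshold = mic_threshold      # max MIC failures per window
        self.window_s = window_s                # "per minute" in the UI
        self.blacklist = set()                  # stations auto-denied by MIC floods
        self._failures = defaultdict(deque)     # mac -> timestamps of MIC failures

    @staticmethod
    def _member(group, mac: str) -> bool:
        if group == ALL_MAC:
            return True
        if group == NO_MAC:
            return False
        return mac in group

    def permits(self, mac: str) -> bool:
        """Deny List (including the MIC blacklist) is enforced before Allow List."""
        mac = norm(mac)
        if mac in self.blacklist or self._member(self.deny, mac):
            return False
        return self._member(self.allow, mac)

    def record_mic_failure(self, mac: str, now: float) -> bool:
        """Count one TKIP MIC failure; return True if the station was just blacklisted."""
        mac = norm(mac)
        q = self._failures[mac]
        q.append(now)
        while q and now - q[0] > self.window_s:     # drop failures outside the window
            q.popleft()
        if len(q) > self.mic_threshold and mac not in self.blacklist:
            self.blacklist.add(mac)
            return True
        return False


if __name__ == "__main__":
    # Recommended setting from the NOTE: allow all, deny a named group.
    acl = SonicPointACL(allow=ALL_MAC, deny=["00:11:22:33:44:55"])
    print(acl.permits("AA-BB-CC-DD-EE-FF"))      # True
    print(acl.permits("00-11-22-33-44-55"))      # False: deny wins
    for t in (0, 10, 20, 30):                    # 4 failures in 30 s with threshold 3
        print(acl.record_mic_failure("aa:bb:cc:dd:ee:ff", t))
    print(acl.permits("aa:bb:cc:dd:ee:ff"))      # False: now blacklisted
```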
Remote MAC Address Access Control Settings section
* 
NOTE: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab, this section is not available. Go to Advanced Tab.

1
Select Enable Remote MAC Access Control to enforce 802.11n wireless access control based on MAC-based authentication policy in a remote Radius server.
* 
CAUTION: You cannot enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled. If you try to enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled, you will get the following error message:
Remote MAC address access control can not be set when IEEE 802.11i EAP is enabled.
2
Click the Configure button to display the SonicPoint Radius Server Settings dialog.

3
For information about configuring these settings, see RADIUS Server Settings Section.
Advanced Tab

In the Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.

1
Select Hide SSID in Beacon to have the SonicPoint send null SSID beacons in place of advertising the wireless SSID name. Sending null SSID beacons forces wireless clients to know the SSID before connecting. By default, this option is unchecked.
2
From the Schedule IDS Scan drop-down menu, select a schedule for the IDS (Intrusion Detection Service) scan. Select a time when there are fewer demands on the wireless network to minimize the inconvenience of dropped wireless connections. You can create your own schedule by selecting Create new schedule or disable the feature by selecting Disabled, the default.
* 
NOTE: IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN infrastructure, which consists of authorized APs, the RF medium, and the wired network. An authorized or valid AP is defined as an AP that belongs to the WLAN infrastructure; the AP is either a SonicPoint or a third-party AP.
3
From the Data Rate drop-down menu, select the speed at which the data is transmitted and received. Best (default) automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate, from a minimum of 1 Mbps to a maximum of 54 Mbps.
4
From the Transmit Power drop-down menu, select the transmission power. Transmission power affects the range of the SonicPoint.
Full Power (default)
Half (-3 dB)
Quarter (-6 dB)
Eighth (-9 dB)
Minimum
5
From the Antenna Diversity drop-down menu, select the method that determines which antenna the SonicPoint uses to send and receive data.
Best: This is the default setting. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply.
2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.
6
In the Beacon Interval (milliseconds) field, enter the number of milliseconds between sending wireless SSID beacons. The minimum interval is 100 milliseconds, the maximum is 1000 milliseconds, and the default is 100 milliseconds.
7
In the DTIM Interval field, enter the DTIM interval as a number of beacon frames. The minimum number of frames is 1, the maximum is 255, and the default is 1.

For 802.11 clients in power-save mode that receive multicast packets, the Delivery Traffic Indication Message (DTIM) interval specifies the number of beacon frames to wait before sending a DTIM.

8
In the Fragmentation Threshold (bytes) field, enter the number of bytes of fragmented data you want the network to allow. Fragment wireless frames to increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold numbers produce more fragments. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
9
In the RTS Threshold (bytes) field, enter the threshold for a packet size, in bytes, at which a request to send (RTS) will be sent before packet transmission. Sending an RTS ensures that wireless collisions do not take place in situations where clients are in range of the same access point, but may not be in range of each other. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
10
In the Maximum Client Associations field, enter the maximum number of clients you want each SonicPoint using this profile to support on this radio at one time. The minimum number of clients is 1, the maximum number is 128, and the default number is 32.
11
In the Station Inactivity Timeout (seconds) field, enter the maximum length of wireless client inactivity before Access Points age out the wireless client, in seconds. The minimum period is 60 seconds, the maximum is 36000 seconds, and the default is 300 seconds.
12
From the Preamble Length drop-down menu, select the length of the preamble, the initial wireless communication sent when associating with a wireless host: Long (default) or Short.
13
From the Protection Mode drop-down menu, select the CTS or RTS protection: None (default), Always, or Auto.
14
From the Protection Rate drop-down menu, select the speed for the CTS or RTS protection:
1 Mbps (default)
2 Mbps
5 Mbps
11 Mbps
15
From the Protection Type drop-down menu, select the type of protection, CTS-only (default) or RTS‑CTS.
16
From the WMM (Wi-Fi Multimedia) drop-down menu, select whether a WMM profile is to be associated with this profile:
Disabled (default)
Create new WMM profile. If you select Create new WMM profile, the Add Wlan WMM Profile dialog displays. For information about configuring a WMM profile, see Configuring Wi-Fi Multimedia Parameters.
Custom WLAN WMM profile
* 
NOTE: Each Access Category has its own transmit queue. WMM requires the SonicPoint N to implement multiple queues for multiple priority access categories. The SonicPoint N relies on either the application or the firewall to provide type of service (TOS) information in the IP data in order to differentiate traffic types. One way to provide TOS is through firewall services and access rules; another way is through VLAN tagging.
17
Select Enable Short Slot Time to allow clients to disassociate and reassociate more quickly. Specifying this option increases throughput on the 802.11n/g wireless band by shortening the time an access point waits before relaying packets to the LAN. By default, this option is not selected.
18
Select Does not allow Only 802.11b Clients to Connect if you are using Turbo G mode and, therefore, are not allowing 802.11b clients to connect. Specifying this option limits wireless connections to 802.11g clients only. By default, this option is not selected.
Sensor Tab

In the Sensor tab, you enable or disable Wireless Intrusion Detection and Prevention (WIDP) mode.

1
Select Enable WIDP sensor to have the SonicPoint N operate as a dedicated WIDP sensor.
2
From the drop-down menu, select the schedule for when the SonicPoint N operates as a WIDP sensor or select Create new schedule… to specify a different time; default is Always on.
* 
NOTE: If this option is selected, Access Point or Virtual Access Point(s) functionality is disabled automatically.

Managing SonicPoint Settings

Modifying a SonicPoint Profile

To modify a SonicPoint Profile:
1
Navigate to the SonicPoint > SonicPoints page.
2
Click the Edit icon for the SonicPoint profile that you want to modify.
3
In the SonicPoint Profile Settings dialog, edit the profile settings as you wish.
4
Click OK.

Updating SonicPoint Settings

You can change the settings of any individual SonicPoint listed on the SonicPoint > SonicPoints page.

Edit SonicPoint Settings
To edit the settings of an individual SonicPoint:
1
Navigate to the SonicPoint > SonicPoints page.
2
Click the Edit icon in the same line as the SonicPoint you want to edit.
3
In the Edit SonicPoint dialog, make the changes you want.
4
Click OK to apply these settings.
Synchronize SonicPoints

Click the Synchronize SonicPoints button at the top of the SonicPoint > SonicPoints page to issue a query directive from the firewall to the WLAN zone. All connected SonicPoints report their current settings and statistics to SonicOS. SonicOS also attempts to locate the presence of newly connected SonicPoints that have not yet registered with the firewall.

Enable and Disable Individual SonicPoints

You can enable or disable individual SonicPoints on the SonicPoint > SonicPoints page:

1
Select the check box in the Enable column for the SonicPoint you want to enable or disable. (Select the check box to enable the SonicPoint, clear the box to disable it.)
2
Click Accept to apply this setting to the SonicPoint.
Disable All SonicPoints

Click the Delete All button above or below the table.

SonicPoint Diagnostics Enhancement

A SonicPoint can collect critical runtime data and save it into persistent storage in the global SonicPoint Peer List. If the SonicPoint experiences a failure, the diagnostic enhancement feature allows the SonicWall managing appliance to retrieve the log data when the SonicPoint reboots. Then, this log data is incorporated into the Tech Support Report (TSR).

To enable the SonicPoint diagnostic enhancement feature:
1
Navigate to the System > Diagnostics page.
2
Check the SonicPoint Diagnostics box in the Tech Support Report section.
3
Click Accept. You can then generate a TSR with information available for the SonicPoint Diagnostics by clicking the Download Report button.
* 
NOTE: You may need to re-synchronize your SonicPoint and SonicWall managing appliance to the latest SonicPoint Firmware in order to retrieve the latest SonicPoint Diagnostics.

Updating SonicPoint Firmware

Not all SonicOS Enhanced firmware contains an image of the SonicPoint firmware. To check, scroll to the bottom of the SonicPoint > SonicPoints page and look for the Download link.

If your SonicWall appliance has Internet connectivity, it will automatically download the correct version of the SonicPoint image from the SonicWall server when you connect a SonicPoint device.

If your SonicWall appliance does not have Internet access, or has access only through a proxy server, you must perform the following steps:

1
Download the SonicPoint image from https://www.MySonicWall.com/ to a local system with Internet access.

You can download the SonicPoint image from one of the following locations:

On the same page where you can download the SonicOS firmware
On the Download Center page, by selecting SonicPoint in the Type drop-down menu
2
Load the SonicPoint image onto a local Web server that is reachable by your SonicWall appliance.

You can change the file name of the SonicPoint image, but you should keep the extension intact (for example, .bin.sig).

3
In the SonicOS user interface on your SonicWall appliance, in the navigation pane, click System and then click Administration.
4
In the System > Administration page, under Download URL, click the Manually specify SonicPoint image URL check box to enable it.
5
In the text field, type the URL for the SonicPoint image file on your local Web server.
* 
NOTE: When typing the URL for the SonicPoint image file, do NOT include http:// in the field.
6
Click Accept.

SonicPoint States

SonicPoint devices can function in and report the following states:

Initializing—The state when a SonicPoint starts up and advertises itself via SDP prior to it entering into an operational mode.

Operational—Once the SonicPoint has peered with a SonicOS device and has its configuration validated, it enters an operational state and is ready for clients.

Provisioning—If the SonicPoint configuration requires an update, the SonicOS device engages an SSPP channel to update the SonicPoint. During this brief process it enters the provisioning state.

Safemode—Safemode can be engaged by depressing the reset button, or from the SonicOS peer device. Placing a SonicPoint into Safemode returns its configuration to defaults, disables the radios, and disables SDP. The SonicPoint must then be rebooted to enter either a stand-alone, or some other functional state.

* 
NOTE: You can access the web pages hosted by the SonicPoint when in SafeMode by navigating your browser to http://IP_of_SP

Non-Responsive—If a SonicOS device loses communications with a previously peered SonicPoint, it will report its state as non-responsive. It will remain in this state until either communications are restored, or the SonicPoint is deleted from the SonicOS device’s table.

Updating Firmware—If the SonicOS device detects that it has a firmware update available for a SonicPoint, it will use SSPP to update the SonicPoint’s firmware.

Downloading Firmware—The SonicWall appliance is downloading new SonicPoint firmware from the configured URL, which can be customized by the administrator.

Downloading Failed—The SonicWall appliance cannot download the SonicPoint firmware from the configured URL.

Writing Firmware—While the SonicPoint is writing new firmware to its flash, the progress is displayed as a percentage in the SonicOS management interface in the SonicPoint status field.

Over-Limit—The number of SonicPoint devices that can be attached to the Wireless zone interface depends on the model of the SonicWall network security device. If more units are detected than the firewall can handle, the firewall will report an over-limit state, and will not enter an operational mode.

Rebooting—After a firmware or configuration update, the SonicPoint will announce that it is about to reboot, and will then do so.

Firmware failed—If a firmware update fails, the SonicPoint will report the failure, and will then reboot.

Provision failed—In the unlikely event that a provision attempt from a SonicOS device fails, the SonicPoint will report the failure. So as not to enter into an endless loop, it can then be manually rebooted, manually reconfigured, or deleted and re-provisioned.

SonicPoint Auto Provisioning

Topics:

Automatic Provisioning (SDP & SSPP)

The SonicWall Discovery Protocol (SDP) is a layer 2 protocol employed by SonicPoints and devices running SonicOS. SDP is the foundation for the automatic provisioning of SonicPoint units via the following messages:

Advertisement—SonicPoint devices without a peer will periodically and on startup announce or advertise themselves via a broadcast. The advertisement will include information that will be used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS device will then report the state of all peered SonicPoints, and will take configuration actions as needed.
Discovery—SonicOS devices will periodically send discovery request broadcasts to elicit responses from L2 connected SonicPoint units.
Configure Directive—A unicast message from a SonicOS device to a specific SonicPoint unit to establish encryption keys for provisioning, and to set the parameters for and to engage configuration mode.
Configure Acknowledgement—A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.
Keepalive—A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.

If via the SDP exchange the SonicOS device ascertains that the SonicPoint requires provisioning or a configuration update (for example, on calculating a checksum mismatch, or when a firmware update is available), the Configure directive will engage a 3DES encrypted, reliable TCP based SonicWall Simple Provisioning Protocol (SSPP) channel. The SonicOS device will then send the update to the SonicPoint via this channel, and the SonicPoint will restart with the updated configuration. State information will be provided by the SonicPoint, and will be viewable on the SonicOS device throughout the entire discovery and provisioning process.
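The SDP messages above and the list under SonicPoint States together describe a state machine on the firewall side: an Advertisement is compared against the desired configuration and firmware, a Configure Directive opens SSPP when something differs, the unit reboots after a successful push, and missing keepalives turn a peer Non-Responsive until it returns or is deleted. The following Python model is an added example, not SonicWall code: the message and state names are the guide's, while the message fields (serial, configuration checksum, firmware version), the keepalive timeout and the SonicPoint limit are assumptions of the model and not SonicWall's wire format.

```python
from dataclasses import dataclass

# State names as SonicOS reports them (see "SonicPoint States").
INITIALIZING, OPERATIONAL, PROVISIONING = "Initializing", "Operational", "Provisioning"
UPDATING_FIRMWARE, REBOOTING = "Updating Firmware", "Rebooting"
NON_RESPONSIVE, OVER_LIMIT = "Non-Responsive", "Over-Limit"
PROVISION_FAILED, FIRMWARE_FAILED = "Provision failed", "Firmware failed"


@dataclass
class Peer:
    serial: str               # assumed identifier carried in SDP messages
    state: str
    last_seen: float          # time of the last SDP message from this unit
    sspp_keyed: bool = False  # set once a Configure Directive has established SSPP keys


class Controller:
    """Firewall side of SDP/SSPP. desired_checksum, firmware, sp_limit and
    keepalive_timeout are hypothetical parameters of this model."""

    def __init__(self, desired_checksum, firmware, sp_limit, keepalive_timeout=30.0):
        self.desired_checksum = desired_checksum
        self.firmware = firmware
        self.sp_limit = sp_limit
        self.keepalive_timeout = keepalive_timeout
        self.peers = {}

    def on_advertisement(self, serial, checksum, firmware, now):
        """Advertisement (broadcast) from a unit without a peer, or one that just rebooted."""
        peer = self.peers.get(serial)
        if peer is None:
            if sum(p.state != OVER_LIMIT for p in self.peers.values()) >= self.sp_limit:
                # More units than this model handles: report Over-Limit, never go operational.
                self.peers[serial] = Peer(serial, OVER_LIMIT, now)
                return OVER_LIMIT
            peer = self.peers[serial] = Peer(serial, INITIALIZING, now)
        peer.last_seen = now
        if firmware != self.firmware:
            peer.state = UPDATING_FIRMWARE       # update is pushed over SSPP
        elif checksum != self.desired_checksum:
            # Checksum mismatch: unicast Configure Directive sets SSPP keys, engages configuration mode.
            peer.sspp_keyed = True
            peer.state = PROVISIONING
        else:
            peer.state = OPERATIONAL
        return peer.state

    def on_configure_ack(self, serial, now):
        """Configure Acknowledgement: the unit accepted the directive; the SSPP push follows."""
        peer = self.peers[serial]
        peer.last_seen = now
        return peer.state

    def on_sspp_result(self, serial, success, now):
        """Outcome of the SSPP configuration or firmware push."""
        peer = self.peers[serial]
        peer.last_seen = now
        if success:
            peer.state = REBOOTING               # the unit announces a reboot, then re-advertises
        elif peer.state == PROVISIONING:
            peer.state = PROVISION_FAILED        # no automatic retry, so no endless loop
        else:
            peer.state = FIRMWARE_FAILED
        return peer.state

    def on_keepalive(self, serial, now):
        peer = self.peers[serial]
        peer.last_seen = now
        if peer.state == NON_RESPONSIVE:
            peer.state = OPERATIONAL             # communications restored
        return peer.state

    def tick(self, now):
        """Periodic check run alongside Discovery broadcasts: silent peers become Non-Responsive."""
        lost = []
        for peer in self.peers.values():
            if peer.state == OPERATIONAL and now - peer.last_seen > self.keepalive_timeout:
                peer.state = NON_RESPONSIVE
                lost.append(peer.serial)
        return lost

    def delete(self, serial):
        """Administrator deletes the entry; the unit can then be rediscovered and re-provisioned."""
        self.peers.pop(serial, None)

    def state_of(self, serial):
        return self.peers[serial].state


def demo():
    """One unit from first Advertisement to Operational, lost and recovered; a third unit over the limit."""
    fw = Controller(desired_checksum="cfg-v2", firmware="fw-1", sp_limit=2)
    trace = [
        fw.on_advertisement("SP-A", "cfg-v1", "fw-1", now=0),     # Provisioning
        fw.on_configure_ack("SP-A", now=1),                        # Provisioning
        fw.on_sspp_result("SP-A", True, now=2),                    # Rebooting
        fw.on_advertisement("SP-A", "cfg-v2", "fw-1", now=20),    # Operational
        fw.on_keepalive("SP-A", now=30),                           # Operational
    ]
    fw.tick(now=100)                                               # keepalives stopped
    trace += [
        fw.state_of("SP-A"),                                       # Non-Responsive
        fw.on_keepalive("SP-A", now=101),                          # Operational
        fw.on_advertisement("SP-B", "cfg-v2", "fw-1", now=102),   # Operational
        fw.on_advertisement("SP-C", "cfg-v2", "fw-1", now=103),   # Over-Limit
    ]
    return trace
```

The model keeps the two behaviours that matter operationally: a Provision failed unit is left alone rather than retried (the guide's reason for the manual reboot, reconfigure or delete step), and a Non-Responsive entry stays in the table until the unit returns or an administrator deletes it, which is also what clears the slot counted against the SonicPoint limit.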

Enabling Auto Provisioning

SonicPoint Auto Provisioning can be enabled to automatically provision the following wireless SonicPoint provisioning profiles:

SonicPoint ACe, ACi, N2
SonicPoint NDR
SonicPoint N

Initial configuration of a wireless SonicPoint is provisioned from a SonicPoint profile, which is attached to the wireless LAN managing zone. After a wireless SonicPoint is provisioned, the profile remains an offline configuration template that is not directly associated with any SonicPoint. So, modifying a profile does not automatically trigger a SonicPoint for reprovisioning.

Before SonicPoint Auto Provisioning was introduced, administrators had to manually delete all SonicPoints, and then synchronize new SonicPoints to the profile, which was time consuming. To simplify configuration and ease management overhead, SonicPoint Auto Provisioning was introduced.

Checkboxes to enable Auto Provisioning for each of the SonicPoint Provisioning Profiles are provided in the Network > Zones > Configure > Wireless configuration dialog; see Configuring the WLAN Zone. By default, the check boxes for the SonicPoint Provisioning Profiles are not checked and Auto Provisioning is not enabled.

When the check box for a provisioning profile is checked and that profile is changed, all SonicPoint devices linked to that profile are reprovisioned and rebooted to the new operational state.

Enabling SonicPoint Auto Provisioning for a WLAN Zone

To enable SonicPoint Auto Provisioning:
1
Navigate to Network > Zones.
2
Click the Edit icon for the WLAN zone (or any other wireless zone). The Edit Zone dialog displays.
3
Select the Wireless tab.

4
Under SonicPoint Settings, select Auto Provisioning for each of the SonicPoint Provisioning Profiles that you want to be auto provisioned.
5
Click OK.

A warning message is displayed, informing you that all SonicPoint devices in the same zone will be auto provisioned.

6
Click OK.

After you click OK, all linked SonicPoint devices are reprovisioned and rebooted.

SonicPoint Management over SSL VPN

As a part of SonicWall Advanced Management Protocol (SAMP) suite, SonicWall SSL VPN Based Management Protocol (SSMP) utilizes the SonicWall SSL VPN solution to provide remote SonicPoint management. SonicPoint has an integrated NetExtender client and supports SSL VPN remote access as SonicPoint SSL VPN Support shows.

SonicPoint SSL VPN Support

SonicPoint is used as a managed bridge to work with the firewall as a secure wireless solution. The SonicPoint is configured and managed centrally by the SonicWall Gateway appliance. The SonicPoint retrieves the latest firmware and configuration information from the firewall and automatically configures itself.

SAMP manages SonicPoints at Layer 3, and SSMP provides the functionality for running the SonicPoint management protocol over SSL VPN.

Topics:

Creating a WLAN Tunnel Interface

WLAN Tunnel Interfaces are supported on E-Class NSA and most NSA platforms. They are not supported on NSA 240 and TZ series platforms.

To create a WLAN Tunnel Interface:
1
Go to the Network > Interfaces page,
2
From the Add Interface menu, select Add WLAN Tunnel Interface.

When you select Add WLAN Tunnel Interface, the Add WLAN Tunnel Interface dialog appears.

3
In the Interface Settings fields, configure the WLAN Tunnel Interface values that you want.
a
Set the Zone field to WLAN.
b
Set the Tunnel Source Interface field to the interface used for the SSL VPN tunnel (such as X2).
c
Configure the other fields and options as you wish.
4
Click OK.

Configuring the SSL VPN Settings

To configure the SSL VPN Settings:
1
Go to the SSL VPN > Client Settings page.

2
Click the Configure button for the Default Device Profile for SonicPoint.

3
Under Basic Settings, enter the Name and Description that you want for the SonicPoint device.
4
In the Zone IP V4 drop-down menu, select SSLVPN.
5
In the Network Address IP V4 drop-down menu, select:
The network that you want.
Select Create new network to create a new network object, create the network object, then select it from the Network Address IP V4 drop-down menu.
6
Click the Client Routes tab.

7
In the Networks list, select the subnet interface to which the WLAN Tunnel Interface has been bound.
8
Click the Right Arrow button to add it to the Client Routes list.
9
Select the SP L3 Settings tab.

10
Select the WLAN Tunnel Interface to which you want to bind the remote SonicPoint device.
11
Click OK.
Creating a User for the SSL VPN Client
To create a user for an SSL VPN Client:
1
Go to the Users > Local Users page.

2
Click the Add User button or the Edit button for the user you want to edit.
3
The Add/Edit User dialog appears.
4
Click the Groups tab.
5
Add SSL VPN Services to the Member of field.
6
Click the VPN Access tab.

7
Add the subnet of the interface to which the WLAN Tunnel Interface has been bound to the Access List. In this case, it is X2 Subnet.
8
Click OK.
SonicPoint Traffic Routing

In addition to the route to the subnet of the WLAN Tunnel Interface (X2 Subnet), you can add other routes under the Client Routes tab of the SSL VPN Edit Device dialog.

Adding other routes enables remote wireless clients to reach those internal networks through the SonicPoint's SSL VPN tunnel to the SonicOS appliance. Traffic to any destination not covered by a client route is routed locally at the remote site by the SonicPoint and never enters the tunnel, so it is not inspected by the central firewall; list every internal network that remote clients should reach only through the firewall.

Provisioning SSL VPN Server Information to SonicPoint
To provision SSL VPN Server information to a SonicPoint device:
1
Go to the SonicPoint > SonicPoints page.
2
Click one of the following buttons:
Add SonicPoint ACe/ACi/N2 Profile
Add SonicPoint NDR Profile
Add SonicPoint N Profile

3
Under L3 SSLVPN Tunnel Settings, enter the SSL VPN Server, User Name, Password, and Domain.
4
Select the Auto Reconnect option.
5
Click OK.

To push these settings to the SonicPoint, connect the SonicPoint to the firewall acting as the SSL VPN server over a Layer 2 connection, so that it is provisioned locally before it is deployed at the remote site.

Establishing an SSL VPN Tunnel to a Remote Network

If the remote network site supports DHCP, reset the SonicPoint to factory default settings and connect it to the network. The SonicPoint obtains its IP address and gateway from DHCP. The provisioned SSL VPN server information is retained across the reset to factory defaults. After the SonicPoint gets its DHCP lease, it connects to the remote SonicWall gateway.

If the remote network site does not support DHCP, reset the SonicPoint to factory default settings and set its network parameters manually. The SonicPoint then connects to the remote SonicWall gateway automatically.

SonicPoint Layer 3 Management

SonicPoint Layer 3 Management is supported on these appliances:

NSA E8510
NSA E8500
NSA E7500
NSA E6500
NSA E5500
NSA 5000
NSA 4500
NSA 3500
NSA 2400
NSA 2400MX
NSA 250M/250M Wireless
NSA 220/220 Wireless
TZ 215/215 Wireless

Topics:

What is SonicPoint Layer 3 Management?

In previous releases, the SonicWall security appliance and the SonicPoints that it manages had to be in the same Layer 2 network, which limits the scalability of networks, especially enterprise networks.

SonicPoint Layer 3 Management provides a wireless solution that can be easily scaled from small to large while maintaining the centralized SonicOS network security protection and providing flexible policy control.

Topics:

Benefits

SonicPoint Layer 3 Management offers the following benefits:

Simplifies the management of multiple wireless networks. SonicPoints located at multiple locations are managed by a single SonicWall security appliance.
Reduces the number of NetExtender licenses and sessions. All remote users are tunneled over a single NetExtender session.

Layer 3 Management Protocols

Topics:
CAPWAP

The Controlling and Provisioning of Wireless Access Points (CAPWAP) protocol is a standard, interoperable protocol that enables an Access Controller (in our case, the SonicWall security appliance) to manage a collection of Wireless Termination Points (SonicPoints), independent of Layer 2 technology. CAPWAP is defined in RFC 5415: http://www.ietf.org/rfc/rfc5415.txt.

SonicWall CAPWAP supports both Layer 2 and Layer 3 management.

SAMP

The SonicWall Advanced Management Protocol (SAMP) suite consists of these three protocols:

SonicWall DHCP-based Discovery Protocol (SDDP) - SDDP enables the SonicWall security appliance and the SonicPoints to discover each other automatically across Layer 3 networks. The appliance acts as the DHCP server and the SonicPoint acts as the DHCP client. Any routers or other network devices between the appliance and the SonicPoint must be configured to allow DHCP relay.
SonicWall Control and Provisioning Wireless Access Point (SCAPWAP) - SCAPWAP is a SonicWall extension of CAPWAP that is customized for SonicWall products. The SonicWall network security appliance gateway manages the SonicPoints using SCAPWAP, independent of Layer 2 and Layer 3 networks. The SonicWall security appliance and the SonicPoints must be configured to perform mutual authentication using either a pre-shared key or public key-based certificates.
SonicWall SSLVPN-based Management Protocol (SSMP) - SSMP is based on the SonicWall SSL VPN infrastructure and enables the SonicPoints to be managed over the Internet by a SonicWall security appliance. In this case, a single NetExtender SSL VPN tunnel is established between the appliance and the SonicPoint. All of a SonicPoint's management traffic to the appliance is tunneled over this single NetExtender session.

How Does SonicPoint Layer 3 Management Work?

SonicPoint Layer 3 Management provides a broader wireless solution for both local and remote networks and for both small and large deployments—all with centralized SonicOS network security protection and flexible policy control.

The following three SonicPoint deployment scenarios are supported:

Local Layer 2 Management – When a SonicWall network security appliance and its SonicPoints are deployed in the same Layer 2 network, the existing Layer 2 discovery protocol, SDP, is used to manage the access points.
Local Layer 3 Management – When SonicPoints are deployed outside of the Layer 2 network, but within the same Intranet as the SonicWall security appliance (for example when there is a third-party router between the SonicWall security appliance and the SonicPoints), Layer 3 management protocols can be used to manage the access points.
Remote Layer 3 Management – When SonicPoints are deployed in a remote site across the Internet, Layer 3 management can be used to manage the remote network access points. A single SSL VPN NetExtender tunnel is established between the SonicPoint and the remote SonicWall security appliance. Wireless clients do not need to install and launch NetExtender to establish their own SSL VPN tunnels; all the wireless clients share the SonicPoint's tunnel. This reduces the number of NetExtender licenses required on the SonicWall security appliance and eliminates the need to establish an individual tunnel for each wireless client.

Configuring SonicPoint Layer 3 Management

Topics:

Configuring Basic SonicPoint Layer 3 Management

A basic SonicPoint Layer 3 Management scenario is shown in the graphic below. The SonicPoints are connected to a third-party router, which is connected over the LAN zone to the SonicWall security appliance.

Basic SonicPoint Layer 3 Management Configuration

Configuring SonicPoint Layer 3 Management requires configurations across several pages of the SonicOS management interface. Thus, to configure this scenario, the configuration is divided into the following steps:

Configuring the Access Controller Interface
To configure an interface on a firewall connected to a third-party router:
1
Navigate to the Network > Interfaces page.

2
In the Interface Settings section, click the Configure icon for the X4 interface. The Edit Interface dialog appears.

3
Select LAN from the Zone drop-down menu. More options appear.

4
From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default value.
5
In the IP Address field, enter the IP address of the interface. For example, 10.10.10.1. A default value of 0.0.0.0 is displayed.
6
In the Subnet Mask field, enter the subnet mask for the interface. For example, 255.255.255.0 (this is the default value).
7
Optionally, enter a comment in the Comment field. This comment will display in the Comment column of the Interface Settings table of Network > Interfaces.
8
Select one or more types of web management for this interface:
HTTPS – Enables remote management of the SonicWall through the HTTPS protocol.
* 
NOTE: If you select HTTPS, the Add rule to enable redirect from HTTP to HTTPS option is enabled automatically.
Ping – Enables remote management of the SonicWall through the Ping protocol.
SNMP – Enables remote management of the SonicWall through the SNMP protocol.
SSH – Enables remote management of the SonicWall through the SSH protocol.
* 
NOTE: If you do not enable web management here, you must enable it on another interface. A warning message will appear if you leave the dialog without enabling at least one web management protocol.
9
Optionally, select HTTPS for User Login to enable users with management rights to log in to the SonicWall.
* 
NOTE: The HTTP option is dimmed (unavailable).
10
If you did not select HTTPS for Management, but did select HTTPS for User Login, to enable users logging in from HTTP to be redirected to HTTPS, select Add rule to enable redirect from HTTP to HTTPS.
11
Click OK.

The X4 entry in the Interface Settings table is updated.

Configuring the DHCP Server
To configure a DHCP Option Object for CAPWAP and a DHCP pool of IP addresses for the SonicPoints behind a third-party router:
1
Navigate to the Network > DHCP Server page.

2
Click the Advanced button. The DHCP Advanced Settings dialog displays.

3
Click the Add Option button. The Add DHCP Option Object dialog appears.

4
In the Option Name field, enter a descriptive name for the DHCP option object, such as cap.
5
From the Option Number drop-down menu, select 138 (CAPWAP AC IPv4 Address List). The Option Array option becomes active, and the Option Type is set to IP Address.
6
Select the Option Array option.
* 
NOTE: The Option Type drop-down menu is dimmed but displays IP Address.
7
In the Option Value field, enter the IP address for the X4 interface you configured in Configuring the Access Controller Interface. For example, 10.10.10.1.

8
Click OK. The new Option Object is displayed in the Option Objects section of the DHCP Advanced Settings dialog.

9
Click OK.
Configuring a DHCP Pool of Addresses
To configure a DHCP pool of addresses for the SonicPoints behind the router:
1
Navigate to the Network > DHCP Server page.

2
Under the DHCPv4 Server Lease Scopes table, click the Add Dynamic button. The Dynamic Range Configuration dialog appears.

3
Select the Enable this DHCP Scope option. This is selected by default.
4
Enter the appropriate IP addresses or values in the Range Start, Range End, Lease Time (minutes) (default is 1440 minutes), Default Gateway, and Subnet Mask fields.

5
Click the Advanced tab.

6
In the DHCP Generic Option Group drop-down menu, select the DHCP Option Object you created in Configuring the DHCP Server.
7
Select the Send Generic options always option.
8
Click OK. The DHCPv4 Server Lease Scopes table is updated.
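The option object and the scope configured in the two procedures above put a CAPWAP AC IPv4 Address List (DHCP option 138, RFC 5417) into every lease the SonicPoints obtain through the router's DHCP relay; this is how SDDP, described under SAMP, tells a SonicPoint outside the firewall's Layer 2 network where its access controller is. The following Python is an added example rather than SonicOS code: it builds the options field as the scope would send it and parses it as a SonicPoint would. The firewall address 10.10.10.1, the router's SonicPoint-facing address 30.30.30.1 and the 1440-minute lease are the page's example values; the second controller address 10.10.20.1 is an assumption, included only to show the Option Array form.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options field (RFC 2132)
OPT_SUBNET_MASK, OPT_ROUTER, OPT_LEASE_TIME = 1, 3, 51
OPT_CAPWAP_AC_V4 = 138               # CAPWAP AC IPv4 Address List (RFC 5417)
OPT_PAD, OPT_END = 0, 255


def encode_option_138(ac_addrs):
    """Option array of IPv4 addresses, one 4-byte entry per access controller."""
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addrs)
    if not payload or len(payload) > 255:
        raise ValueError("option 138 needs between 1 and 63 addresses")
    return bytes([OPT_CAPWAP_AC_V4, len(payload)]) + payload


def build_scope_options(ac_addrs, subnet_mask, router, lease_seconds):
    """Options field of a lease from the scope above (values as in the page's example)."""
    out = MAGIC_COOKIE
    out += bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(subnet_mask).packed
    out += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    out += bytes([OPT_LEASE_TIME, 4]) + struct.pack(">I", lease_seconds)
    out += encode_option_138(ac_addrs)
    return out + bytes([OPT_END])


def parse_options(blob):
    """TLV walk over the options field. Malformed input raises instead of
    silently truncating, which matters when the field arrives off the wire."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:             # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    raise ValueError("options field not terminated with END")


def valid_option_138(raw):
    """An address list must be a non-empty whole number of IPv4 addresses."""
    return len(raw) > 0 and len(raw) % 4 == 0


def capwap_ac_addresses(opts):
    """Controller addresses the SonicPoint would try, in the order the server listed them."""
    raw = opts.get(OPT_CAPWAP_AC_V4)
    if raw is None:
        return []
    if not valid_option_138(raw):
        raise ValueError("option 138 length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]


def demo():
    # 10.10.10.1 is X4 on the firewall (page example); 10.10.20.1 is an assumed second controller.
    blob = build_scope_options(["10.10.10.1", "10.10.20.1"],
                               subnet_mask="255.255.255.0", router="30.30.30.1",
                               lease_seconds=1440 * 60)    # 1440 minutes, the scope default
    return capwap_ac_addresses(parse_options(blob))
```

Because any DHCP server reachable on the SonicPoint's segment can hand out option 138, the address list is not a trust decision: it only tells the unit where to start, and the SCAPWAP mutual authentication (pre-shared key or certificates) described under SAMP is what keeps a unit from being captured by a rogue controller. The parser also rejects a truncated or odd-length option rather than acting on a partial address.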

Configuring the WLAN Tunnel Interface
To configure a WLAN tunnel interface and assign it to the X4 interface:
1
Navigate to the Network > Interfaces page.

2
From the Add Interface drop-down menu, select WLAN Tunnel Interface. The Add WLAN Tunnel Interface dialog displays.

3
From the Zone menu, select WLAN. The options change.

4
Enter the Tunnel ID in the Tunnel ID field. The default is 0.
5
From the Tunnel Source Interface drop-down menu, select the interface, such as X4 in this scenario.
6
From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.
7
In the IP Address field, enter the IP address for the WLAN tunnel interface. For example, 172.17.31.1.
8
In the Subnet Mask box, enter the subnet mask. The default is 255.255.255.0.
9
From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints for this interface.
10
(Optional) In the Comment field, enter a descriptive comment. This comment is displayed in the Comment field.
11
If you did not specify a web management protocol in Configuring the Access Controller Interface, select one or more Management options: HTTPS, Ping, SNMP, SSH.
* 
NOTE: If you select HTTPS, the Add rule to enable redirect from HTTP to HTTPS option is enabled automatically.
* 
NOTE: If you do not enable web management here, you must enable it on another interface. A warning message will appear if you leave the dialog without enabling at least one web management protocol.
12
If you did not specify a login protocol in Configuring the Access Controller Interface, optionally select HTTPS for User Login to enable users with management rights to log in to the SonicOS.
* 
NOTE: The HTTP option is dimmed (unavailable).
13
If you did not select HTTPS for Management, but did select HTTPS for User Login, to enable users logging in from HTTP to be redirected to HTTPS, select Add rule to enable redirect from HTTP to HTTPS.
14
Click OK. The Interface Settings table is updated.

* 
NOTE: A default DHCP IP address pool, such as 172.17.31.1/24, is automatically created for wireless clients.
15
To verify, navigate to the Firewall > Access Rules page. You should see a Layer 3 Management option in the Access Rules table.

Adding a Route Policy
To configure a route policy that forwards all packets intended for a Layer 3 SonicPoint network to the default gateway:
1
Navigate to the Network > Routing page.

2
In the Route Policies table, click Add…. The Add Route Policy dialog displays.

3
From the Source drop-down menu, select Any. This is the default.
4
From the Destination drop-down menu, select the address object of the default gateway. The default is Any.
5
From the Service drop-down menu, select a service object. The default is Any.
6
From the Gateway drop-down menu, select an address object. The default is 0.0.0.0.
7
From the Interface drop-down menu, select an interface. For this scenario, select X4.
8
In the Metric field, enter 1. The minimum value is 1, the maximum is 254, and the default is 1.

A metric is a weighted cost assigned to static and dynamic routes. Lower metric costs are considered better and take precedence over higher costs. SonicOS adheres to Cisco-defined metric values for directly connected interfaces, statically encoded routes, and all dynamic IP routing protocols.

9
Click OK. The Route Policies table is updated.

Configuring a Remote Router Connected to SonicPoints
To configure a third-party router that is connected to a SonicWall security interface at one end and to SonicPoints at the other end:
1
For the interface on the remote router that is connected to the SonicWall security appliance, configure the IP address 10.10.10.2/24.
2
For the interface on the remote router that is connected to the SonicPoint, configure the IP address 30.30.30.1/24.
3
Configure a DHCP relay policy from the interface connected to the SonicPoint to the X4 interface on the SonicWall security appliance, which has the IP address 10.10.10.1.

Configuring SonicPoint Virtual Access Points for Layer 3 Management

This scenario extends the previous example, Configuring Basic SonicPoint Layer 3 Management, by adding Virtual Access Points (VAPs) for the SonicPoints. See SonicPoint Layer 3 Management Using VAPs Configuration.

SonicPoint Layer 3 Management Using VAPs Configuration

To configure VAPs for SonicPoint Layer 3 Management, perform the following steps:

* 
NOTE: For more information about VAPs and configuring them, see SonicPoint > Virtual Access Point.
Configuring a WLAN Interface for VAPs
To configure a WLAN interface for the VAPs:
1
Navigate to the Network > Interfaces page.

2
From the Add Interface drop-down menu, select Virtual Interface. The Add Interface dialog appears.

3
From the Zone drop-down menu, select WLAN. More options appear.

4
In the VLAN Tag field, enter 4. The default is 0. The VLAN Tag is used to identify the new VLAN.
5
From the Parent Interface drop-down menu, select WT0.
6
From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.
7
In the IP Address field, enter the IP address for the WLAN. For example, 172.4.1.1. The default is 0.0.0.0.
8
In the Subnet Mask field, enter the subnet mask. For example, 255.255.255.0. The default is 255.255.255.0.
9
From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints for this interface. For this scenario, select 48 SonicPoints. The default is 64 SonicPoints.
10
(Optional) In the Comment field, enter a descriptive comment. This comment is displayed in the Comment field.
11
If you did not specify a web management protocol in Configuring the Access Controller Interface, select one or more Management options: HTTPS, Ping, SNMP, SSH.
* 
NOTE: If you select HTTPS, the Add rule to enable redirect from HTTP to HTTPS option is enabled automatically.
* 
NOTE: If you do not enable web management here, you must enable it on another interface. A warning message will appear if you leave the dialog without enabling at least one web management protocol.
12
If you did not specify a login protocol in Configuring the Access Controller Interface, optionally select HTTPS for User Login to enable users with management rights to log in to the SonicWall.
* 
NOTE: The HTTP option is dimmed (unavailable).
13
If you did not select HTTPS for Management, but did select HTTPS for User Login, to enable users logging in from HTTP to be redirected to HTTPS, select Add rule to enable redirect from HTTP to HTTPS.

14
Click OK. The Interface Settings table is updated.

Configuring a VAP Object
To configure a VAP object on a SonicWall network security appliance:
1
Navigate to the SonicPoint > Virtual Access Point page.

2
In the Virtual Access Points table, click Add. The Add/Edit Virtual Access Point dialog displays.

3
In the Name field, enter a descriptive name for the VAP.
4
In the SSID field, enter an SSID that represents the Layer 3 management network. For example, wirelessDev_L3_vap.
5
From the VLAN ID drop-down menu, select the VLAN Tag ID that you configured in Configuring a WLAN Interface for VAPs. For example, 4.
6
Select the Enable Virtual Access Point option. By default, this option is selected.

7
Click OK. The Virtual Access Points table is updated.

8
To add additional Virtual Access Points, repeat Step 2 through Step 7 for each additional VAP.
Configuring a VAP Group
To configure a VAP group:
1
Navigate to the SonicPoint > Virtual Access Point page.

2
In the Virtual Access Points Groups table, click Add Group. The Add Virtual Access Point Group dialog displays.

3
In the Virtual AP Group Name field, enter a name for the VAP group. For example, L3 VAP Group.

The Available Virtual AP Objects box should be populated with the VAP objects you created in Configuring a VAP Object.

4
Move the VAP objects you want from the Available Virtual AP Objects list to the Member of Virtual AP Group list.
5
Click OK. The Virtual Access Point Groups table is updated.

Assigning a VAP Group to a SonicPoint
To assign a VAP group to a SonicPoint that is connected to a third-party router:
1
Navigate to the SonicPoint > SonicPoints page and scroll to the SonicPoint N Provisioning Profiles section.
2
Click the Configure icon for the SonicPoint you want to configure. The Edit SonicPoint Profile dialog displays.

3
Select the Enable SonicPoint option.
4
From the 802.11n Radio Virtual AP Group drop-down menu, select the Virtual AP Group you created in Configuring a VAP Group. For example, L3 VAP Group.
5
Click OK.

Configuring Layer 3 Management over IPsec

In this example, the central IPsec gateway acts as the SonicPoint WLAN controller; see SonicPoint Layer 3 Management over IPsec Configuration. The SonicPoint is deployed on the VPN local LAN subnet of the remote IPsec gateway and, as a DHCP client, obtains its lease from the DHCP scope on the central gateway. For that to work, the DHCP over VPN feature must be configured on the remote IPsec gateway.

SonicPoint Layer 3 Management over IPsec Configuration

* 
NOTE: This example assumes that the VPN IPsec tunnel between the two SonicWall security appliances is established successfully.

To configure SonicPoint Layer 3 Management over IPsec, perform the following steps:

Configuring the VPN Tunnel on the Central Gateway
To configure the VPN tunnel on the Central Gateway:
1
Navigate to the VPN > Settings page.

2
Under the VPN Policies table, click Add. The VPN Policy dialog displays.

3
From the Policy Type drop-down menu, select Site to Site. This is the default.
4
From the Authentication Method drop-down menu, select the method you want. For example, IKE using Preshared Secret. This is the default.
5
In the Name field, enter a descriptive name for the VPN tunnel. For example, VPN to Central Gateway.
6
In the IPSec Primary Gateway Name or Address field, enter the IP address of the remote gateway. For example, 10.03.49.77.
7
If you are using IKE, configure the IKE authentication settings.
8
Click the Network tab.

9
Under Local Networks, select the Choose local network from list option.
10
From the Choose local network from list drop-down menu, select X0 Subnet.
11
Under Remote Networks, select the option you want and, if applicable, the network you want from the associate drop-down menu.
12
Click the Advanced tab.

13
Select the Allow SonicPoint N Layer 3 Management option.
14
Click OK. The VPN Policies table is updated.

15
Navigate to the VPN > DHCP over VPN page.

16
From the DHCP over VPN drop-down menu, select Central Gateway. This is the default.
17
Click the Configure button. The DHCP over VPN Configuration dialog displays.

18
Select the following options:
Use Internal DHCP Server
For Global VPN Client
For Remote Firewall
19
Click OK.
Configuring the VPN Tunnel on the Remote Gateway
To configure the VPN tunnel on the remote gateway:
1
Navigate to the VPN > Settings page.
2
Under the VPN Policies table, click Add. The VPN Policy dialog displays.

3
From the Policy Type drop-down menu, select Site to Site. This is the default.
4
From the Authentication Method drop-down menu, select the appropriate method for your network. For example, IKE using Preshared Secret. This is the default.
5
In the Name field, enter a descriptive name for the VPN tunnel. For example, VPN to Remote Gateway.
6
In the IPSec Primary Gateway Name or Address field, enter the IP address of the remote gateway. For example, 10.03.49.79.
7
Click the Network tab.

8
Under Local Networks, select the Choose local network from list option. This is the default.
9
From the Choose local network from list drop-down menu, select X1 Subnet.
10
Under Remote Networks, select the option you want and, if appropriate, the network from the associated drop-down menu. The default is Choose destination network from list.
* 
NOTE: If you have not created an address object for your remote gateway, you can do so by selecting Create new address object from one of the menus.
11
Under Remote Networks, select Create new address object from the appropriate menu. The Add Address Object dialog displays.

12
In the Name field, enter Remote Gateway X0 Subnet.
13
From the Zone Assignment drop-down menu, select LAN. This is the default.
14
From the Type drop-down menu, select Network. Another option appears.

15
In the Network field, enter the network address of the X0 subnet behind the remote (central) gateway. For example, 192.168.168.0.
16
In the Netmask/Prefix Length field, enter the mask. For example, 255.255.255.0.
17
Click OK.
18
Click the Advanced tab.

19
Select the Allow SonicPoint N Layer 3 Management option.
20
Click OK. The VPN Policies table is updated.

21
Navigate to the VPN > DHCP over VPN page.

22
From the DHCP over VPN drop-down menu, select Remote Gateway.
23
Click the Configure button. The DHCP over VPN Configuration dialog displays.

24
From the DHCP lease bound to drop-down menu, select the interface that is connected to the SonicPoint. For example, Interface X4.
25
(Optional) Select the Accept DHCP Request from bridged WLAN interface option if you want it.
26
In the Relay IP Address field, enter the IP address of the interface connected to the SonicPoint. For example 30.30.30.1.
* 
NOTE: This address is used as the DHCP Relay Agent IP address (giaddr) in place of the central gateway’s address, so it must be reserved (excluded from dynamic assignment) in the DHCP scope on the DHCP server.

This address also can be used to manage this SonicWall remotely through the VPN tunnel from behind the Central Gateway.

27
In the Remote Management IP Address field, enter the IP address that is used to manage this SonicWall security appliance remotely from behind the Central Gateway.
* 
NOTE: This IP address was configured in Configuring the Access Controller Interface, and must be reserved in the DHCP scope on the DHCP server. In the example it is 10.10.10.1.
28
Select the Block traffic through tunnel when IP spoof detected option.
29
Select the Obtain temporary lease from local DHCP server if tunnel is down option.
30
In the Temporary Lease Time (minutes) field, leave the default value of 2.
31
Click OK.
Configuring the CAPWAP DHCP Option Object on the Central Gateway
To configure the CAPWAP DHCP Option Object on the Central Gateway:
1
Navigate to the Network > DHCP Server page.

2
In the DHCP Server Settings section, click Advanced. The DHCP Advanced Settings dialog displays.

3
Click Add Option. The Add DHCP Option Object dialog displays.

4
In the Option Name field, enter a descriptive name, such as capwap or CAPWAP DHCP.
5
From the Option Number drop-down menu, select 138 (CAPWAP AC IPv4 Address List).
6
In the Option Value field, enter the IPv4 address of the WLAN controller (the central gateway) that the SonicPoint should contact; the SonicPoint learns this address from the DHCP lease. For example, 192.168.168.168.
7
Click OK to add the DHCP Option Object.
8
Click OK to close the DHCP Advanced Settings dialog and return to the Network > DHCP Server page.
Configuring the DHCP Scope on the Central Gateway
To configure the DHCP Scope on the Central Gateway:
1
Navigate to the Network > DHCP Server page.

2
Click the Add Dynamic button. The Dynamic Range Configuration dialog displays.

3
Select the Enable this DHCP Scope option. This is the default.
4
In the Range Start field, enter the IP address at which to start the DHCP range. For example, 30.30.30.2.
* 
NOTE: The range values must be within the same subnet as the Default Gateway. For example, 30.30.30.2 to 30.30.30.100.
5
In the Range End field, enter the IP address at which to end the DHCP range. For example, 30.30.30.100.
6
In the Lease Time (minutes) field, use the default value, 1440.
7
In the Default Gateway field, enter the IP address of the default gateway.
* 
NOTE: This value will be the IP address of the interface connected to the SonicPoint. For example, 30.30.30.1.
8
In the Subnet Mask field, enter the subnet mask of the default gateway. For example, 255.255.255.0.
9
Click the Advanced tab.

10
In the DHCP Generic Options section, from the DHCP Generic Option Group drop-down menu, select the CAPWAP DHCP option.
* 
NOTE: The CAPWAP DHCP option was created in Configuring the CAPWAP DHCP Option Object on the Central Gateway.
11
Select the Send Generic options always option. This is the default.
12
Click OK. The DHCPv4 Server Lease Scopes table is updated.

Configuring the WT0 Interface on the Central Gateway
To configure the Wireless Tunnel interface (WT0) on the Central Gateway:
1
Navigate to the Network > Interfaces page.
2
From the Add Interface drop-down menu in the Interface Settings section, select Add WLAN Tunnel Interface. The Add WLAN Tunnel Interface dialog is displayed.

3
From the Zone drop-down menu, select WLAN. More options display.

4
In the Tunnel Id field, select 0. This is the default.
5
From the Tunnel Source Interface drop-down menu, select X0.
6
From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.
7
In the IP Address field, enter 172.17.31.1.
8
In the Subnet Mask field, enter 255.255.255.0. This is the default.
9
From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints allowed on your network. For example, 48 SonicPoints. The default is 64 SonicPoints.
10
Optionally, enter a comment in the Comment field.
11
Click OK. The Interface Settings table is updated.

SonicPoint RADIUS Accounting

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting. SonicOS uses the RADIUS accounting protocol to deliver accounting information from the NAS (Network Access Server), which in this case is the SonicPoint, to the RADIUS Accounting Server. You can use the accounting information to apply billing rules on the RADIUS Accounting Server side, based on the session duration or on the traffic transferred for each user.

The overall authentication, authorization, and accounting process works as follows:

1
A user associates to a SonicPoint which is connected to a SonicWall firewall.
2
Authentication is performed using the method designated.
3
IP subnet/VLAN assignment is enabled.
4
The SonicPoint sends the RADIUS Accounting-Request (Start) message to the accounting server.
5
Re-authentication is performed as necessary.
6
Based on the results of the re-authentication, the SonicPoint sends an Accounting-Request (Interim-Update) to the accounting server.
7
The user disconnects from the SonicPoint.
8
The SonicPoint sends the RADIUS Accounting-Request (Stop) message to the accounting server.

 
* 
NOTE: Expanded Radius Server Settings can be applied only for ACe/ACi/N2 SonicPoints.

Configuring the SonicPoint

To configure RADIUS Accounting on SonicPoints:
1
Navigate to SonicPoint > SonicPoints.

2
Select a SonicPoint from the table and select the Edit icon. See the example below.

3
Select the Radio 0 Basic tab.

4
Select the Authentication Type from the drop down menu. The supported types are WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP.
5
Under Radius Server Settings, click Configure.
6
Configure the Radius Server Settings.

a
Under Radius Server Settings, enter the IP address in the Server 1 IP field.
b
Enter the Port number for the Radius Server.
c
Enter the server password in the Server 1 Secret field.
7
Configure the Radius Accounting Server Settings.
a
Under Radius Accounting Server Settings, enter the IP address in the Server 1 IP field.
b
Enter the Port number for the Radius Server.
c
Enter the server password in the Server 1 Secret field.
 
* 
NOTE: Radius Server and Radius Accounting Server don’t need to be located at the same IP.
8
To send the NAS identifier to the RADIUS server, select the type from the NAS Identifier Type drop-down menu:
Not Included (default)
SonicPoint’s Name
SonicPoint’s MAC Address
9
To send the NAS IP address to the RADIUS Server, enter the address in the NAS IP Addr field.
10
Click on OK.

Setting up the Radius Accounting Server

To set up the Radius Accounting Server:
1
Add the RADIUS client entry into the file /etc/freeradius/clients.conf:

client <IP address> {
     secret = "<password>"
}

Where <IP address> should be replaced with the address from which the RADIUS requests arrive (the NAS; see the note below), and <password> with the shared secret that you entered in the Server 1 Secret fields on the SonicPoint. FreeRADIUS rejects packets from any address that has no matching client entry, and silently discards packets whose authenticator does not verify with this secret.

 
* 
NOTE: The IP address is the WAN IP address of the SonicWall gateway through which the SonicPoint reaches the RADIUS server. The requests arrive at the server from that address, so that is the address the client entry must match.


2
Add the user information into the file /etc/freeradius/users:

user_name Cleartext-Password := "<password>"

Where user_name and <password> are the credentials that the wireless client presents during EAP authentication. This is the user’s password, not the shared secret from clients.conf.

3
Run the command sudo freeradius -X from the command line to start FreeRADIUS in debug mode. It runs in the foreground and prints each Accounting-Request it receives, which is the quickest way to confirm that the client entry and shared secret match the SonicPoint settings.
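The accounting exchange described above, as an added example that is not part of the original guide and not SonicOS or FreeRADIUS code: a Python script that builds the Accounting-Request Start and Stop packets the NAS sends (carrying the NAS-Identifier and NAS-IP-Address attributes that the NAS Identifier Type and NAS IP Addr settings control), verifies the RFC 2866 Request Authenticator on the server side with the shared secret, builds the matching Accounting-Response, and extracts the fields a billing rule keys on. The shared secret, user name, session ID, station MAC and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                      # RADIUS codes, RFC 2866
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 4, 31, 32
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46             # attribute types, RFC 2865/2866
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attr(atype: int, value: bytes) -> bytes:
    """One type-length-value attribute; the length byte includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_acct_request(identifier: int, secret: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """NAS side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def parse_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting malformed lengths instead of guessing."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """Server side: accept only if the authenticator was made with our shared secret
    (the 'secret' of the clients.conf entry for this NAS)."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)      # constant-time compare


def build_acct_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response: MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def summarize(packet: bytes, secret: bytes) -> Optional[Dict[str, object]]:
    """Fields a billing rule keys on, or None if the packet is not authentic.
    Assumes each attribute occurs at most once, which holds for the ones used here."""
    if not verify_acct_request(packet, secret):
        return None
    attrs = dict(parse_attrs(packet[20:]))

    def u32(t: int) -> Optional[int]:
        v = attrs.get(t)
        return struct.unpack("!I", v)[0] if v is not None and len(v) == 4 else None

    def text(t: int) -> str:
        return attrs.get(t, b"").decode("utf-8", errors="replace")

    ip = attrs.get(NAS_IP_ADDRESS)
    return {
        "status": ACCT_STATUS_NAMES.get(u32(ACCT_STATUS_TYPE), "unknown"),
        "user": text(USER_NAME), "nas_id": text(NAS_IDENTIFIER),
        "nas_ip": ".".join(str(b) for b in ip) if ip and len(ip) == 4 else None,
        "station": text(CALLING_STATION_ID), "session_id": text(ACCT_SESSION_ID),
        "session_time": u32(ACCT_SESSION_TIME),
        "octets_in": u32(ACCT_INPUT_OCTETS), "octets_out": u32(ACCT_OUTPUT_OCTETS),
    }


# Constructed sample values (not captured traffic). SECRET stands for the Server 1 Secret
# on the SonicPoint and the clients.conf secret; the NAS attributes mirror the
# NAS Identifier Type (SonicPoint's Name) and NAS IP Addr settings.
SECRET = b"example-shared-secret"
_SESSION = [(USER_NAME, b"alice"), (NAS_IDENTIFIER, b"SonicPoint-Lobby"),
            (NAS_IP_ADDRESS, bytes([10, 10, 10, 1])),
            (CALLING_STATION_ID, b"00-11-22-33-44-55"), (ACCT_SESSION_ID, b"5f3e1c9a00000001")]
START_PACKET = build_acct_request(7, SECRET, [(ACCT_STATUS_TYPE, struct.pack("!I", 1))] + _SESSION)
STOP_PACKET = build_acct_request(9, SECRET, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 2)), (ACCT_SESSION_TIME, struct.pack("!I", 3600)),
    (ACCT_INPUT_OCTETS, struct.pack("!I", 1_500_000)),
    (ACCT_OUTPUT_OCTETS, struct.pack("!I", 42_000_000))] + _SESSION)

if __name__ == "__main__":
    for pkt in (START_PACKET, STOP_PACKET):
        print(summarize(pkt, SECRET))
    print("wrong secret accepted:", verify_acct_request(START_PACKET, b"not-the-secret"))
```

The authenticator is the only thing that ties an accounting packet to the shared secret, and it is a plain MD5 digest rather than an HMAC, so RADIUS accounting carries no confidentiality and only weak integrity. Keep the accounting traffic on a trusted path (here, inside the VPN or on the management network), choose a long random secret, and have the server discard packets whose authenticator fails rather than log them as billable.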

 

Viewing Station Status

SonicPoint > Station Status

The SonicPoint > Station Status page reports the status and statistics of the wireless stations (clients) associated with each SonicPoint.

The table lists entries for each wireless client connected to each SonicPoint.

By default, the page displays the first 50 entries found. Clicking the arrow icons navigates you to more pages when there are more than 50 entries.

The sections of the table are divided into sections by SonicPoint. Under each SonicPoint is a list of all the clients currently connected to it.

The Refresh button refreshes and updates the list in the table.

The View Style: SonicPoint: menu lists all of the SonicPoint devices on your network. When you select one of the SonicPoints, a new screen shows just the clients for that SonicPoint device.

The Station Status column headings display the following information:

Station—The IP address of the wireless station (client).
MAC Address—The hardware address of the station.
Status—The status of the station, such as Connected or Unavailable.
Type—The radio type, identified by its frequency band, such as 2.4GHz.
SSID—The service set identifier that identifies the network to which packets on the wireless network belong.
AID—The Association ID number, assigned by the security appliance.
Connect Rate—The speed at which connections are established.
TxRate—The speed at which transmission packets are sent.
Signal Strength—The percentage of strength of the radio signal.
Statistics—The Statistics icon opens the Station Statistics window.

Station Statistics Dialog

Clicking the Statistics icon in the Statistics column of the table, on the row for the SonicPoint station that you want, displays the Station Statistics dialog that displays a detailed report for the selected SonicPoint station. The Station Statistics dialog displays Station Information, Radio Statistics, and Traffic Statistics.

The Station Information section displays the following information:

Name—The name of the SonicPoint station.
MAC Address—The hardware address of the SonicPoint station.
IP Address—The IP address of the SonicPoint station.
SonicPoint—The SonicPoint identifier.
AID—The Association ID number, assigned by the firewall.
Status—The state of the SonicPoint station:
None
Authenticated
Associated
Joined
Connected
Up
Down
Connect Rate—The speed at which connections are established.
TxRate—The speed at which transmission packets are sent.
Signal Strength—The strength of the radio signal currently received from the station, as a percentage.

The Radio Statistics section displays the following information:

Radio—The type of radio signal.
SSID—The service set identifier that identifies the network to which packets on the wireless network belong.
Channel—The type of channel in use on the radio, such as 802.11n 5GHz Mixed - AutoBand Auto (149|153) or 802.11n 2.4GHz Mixed - Standard Band.
Associations—The total number of associations since power up.
Dis-Associations—The total number of dis-associations.
Re-Associations—The total number of re-associations.
Authentications—Number of authentications.
De-Authentications—Number of de-authentications.
Discarded Packets—The total number of frames discarded. Discarded frames are generally a sign of network congestion.

The Traffic Statistics section displays the following information for Radio 0 and Radio 1:

Good Packets—The total number of good packets received and transmitted.
Bad Packets—The total number of bad packets received and transmitted.
Good Bytes—The total number of good bytes received and transmitted.
Management Packets—The total number of management packets received and transmitted.
Control Packets—The total number of control packets received and transmitted.
Data Packets—The total number of data packets received and transmitted.

SonicPoint N Statistics Dialog

Clicking the Statistics button displays the SonicPoint N Statistics dialog that displays a detailed report for the selected SonicPoint device. The SonicPoint N Statistics dialog displays SonicPoint N Information, Radio Statistics, and Traffic Statistics.

The SonicPoint N Information section displays the following information:

Name—The name of the SonicPoint device.
MAC Address—The hardware address of the SonicPoint device.
IP Address—The IP address of the SonicPoint device.
Interface—The firewall interface to which the SonicPoint device is connected, such as X1, X2, etc.
Zone—The Zone to which the SonicPoint device is configured, such as WLAN.
Status—The state of the station:
Unknown
SafeMode
Unprovisioned
Provisioning
Operational
Non-responsive
Updating Firmware
Downloading Firmware
Initializing
Over-Limit
Rebooting
Provision Failed
Firmware Update Failed
Scanning
Manufacturing
Disabled
WIDP
WIDP_Timeout
Missing Firmware Image
Writing Firmware
Get Crash Log Failed
Operational(Noise SafeMode)
Getting Firmware
Uptime—The time that the SonicPoint device has been running in days, hours, minutes, and seconds.

The Radio Statistics section displays the following information for Radio 0 and Radio 1:

BSSID—The basic service set identifier address for the SonicPoint device. This is the MAC address of the SonicPoint.
SSID / MSSID—The service set identifier or multiple service set identifier that identifies the network to which packets on the wireless network belong.
Channel—The type of channel in use on the radio, such as 802.11n 5GHz Mixed - AutoBand Auto (149|153) or 802.11n 2.4GHz Mixed - Standard Band.
Connected Stations—The number of stations currently connected to this radio of the SonicPoint.
Associations—The total number of associations since power up.
Dis-Associations—The total number of dis-associations.
Re-Associations—The total number of re-associations.
Authentications—Number of authentications.
De-Authentications—Number of de-authentications.
Discarded Packets—The total number of packets discarded. Discarded packets are generally a sign of network congestion.

The Traffic Statistics section displays the following information for Radio 0 and Radio 1:

Good Packets—The total number of good packets received and transmitted.
Bad Packets—The total number of bad packets received and transmitted.
Good Bytes—The total number of good bytes received and transmitted.
Management Packets—The total number of management packets received and transmitted.
Control Packets—The total number of control packets received and transmitted.
Data Packets—The total number of data packets received and transmitted.

 

Configuring SonicPoint Intrusion Detection Services

SonicPoint > IDS

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network creates an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this doesn't represent a deficiency in the security of a specific wireless device, it is a weakness to the overall security of wireless networks.

Intrusion Detection Services (IDS) greatly increases the security capabilities of the SonicWall security appliance because it enables the appliance to recognize, and take countermeasures against, the most common types of illicit wireless activity. IDS reports on all access points that the SonicWall security appliance can find by scanning the 802.11a/b/g/n/ac/af radio bands on the SonicPoints.

The SonicPoint > IDS page reports on all access points detected by the SonicWall security appliance and its associated SonicPoints, and provides the ability to authorize legitimate access points.

The table below describes the entities that are displayed on the SonicPoint > IDS page.

 

SonicPoint > IDS Page Elements

Page Navigation—Allows you to quickly navigate to the next or previous page. You can enter a page number to skip over many entries. For example, if you have 10 pages, you can enter 7 in the Item text field to view page 7.
Refresh button—Refreshes the screen to display the most current list of access points in your network.
Scan All... button—Initiates a scan on all SonicPoints to identify the access points within range. See Active Scanning and Scanning All for the effect on connected wireless clients.

Discovered Access Points Table

View Style: SonicPoint: drop-down menu—If you have more than one SonicPoint, you can select an individual device from the SonicPoint list to limit the Discovered Access Points table to display only scan results from that SonicPoint. Select All SonicPoints to display scan results from all SonicPoints.
SonicPoint—The SonicPoint that detected the access point. Available only when All SonicPoints is selected in the View Style drop-down menu.
MAC Address (BSSID)—The MAC address of the radio interface of the detected access point.
SSID—The radio SSID of the access point.
Type—The radio band used by the access point, 2.4 GHz or 5 GHz.
Channel—The radio channel used by the access point.
Authentication—The authentication type.
Cipher—The cipher mode.
Manufacturer—The manufacturer of the access point.
Signal Strength—The strength of the detected radio signal.
Max Rate—The fastest data rate the access point radio supports, for example 54 Mbps for an 802.11a/g access point.
Authorize—Clicking the Edit icon adds the access point to the address object group of authorized access points.

Scanning Access Points

Active Scanning and Scanning All

Active scanning occurs when the security appliance starts up. You can also scan for access points at any time by clicking Scan All... on the SonicPoint > IDS page. When the security appliance performs a scan, wireless clients are interrupted for a few seconds. The scan affects traffic in the following ways:

Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
Persistent connections (protocols such as FTP) are impaired or severed.
* 
CAUTION: Clicking Scan All causes all active wireless clients to be disconnected while the scan is performed. If service interruption is a concern, do not click Scan All while the SonicWall security appliance is in Access Point mode; wait until no clients are active or until a short interruption in service is acceptable.

Scanning SonicPoint by SonicPoint

You can also scan on a SonicPoint by SonicPoint basis, as follows:

1
Select the SonicPoint to view in the SonicPoint: drop-down menu.
2
Scroll to the bottom of the Discovered Access Points section.
3
At the lower-right, select the type of scan from the --Perform SonicPoint Scan -- drop-down menu.

Depending on which SonicPoint model you are using, the following options can be displayed:

Scan Both Radios
Scan 802.11a Radio (5GHz)
Scan 802.11g Radio (2.4GHz)
Scan 802.11n Radio (5GHz)
Scan 802.11n Radio (2.4GHz)
Scan 802.11ac Radio (5GHz)

Authorizing Access Points

Access Points that the security appliance detects are regarded as rogue access points until the security appliance is configured to authorize them for operation.

To authorize an access point:
1
Click the Edit icon in the Authorize column for the access point you want to authorize. A pop-up warning message displays.

2
Click OK.
3
You can verify that authorization was successful by checking that the address object was created. Navigate to the Firewall > Address Objects page.
4
Click the Configure icon for All Authorized Access Points.

5
Verify that the access point’s MAC address has been added.
6
Click OK.

Logging of Intrusion Detection Services Events

To enable logging and notification of IDS events:
1
Navigate to the Log > Log Settings page.

2
Click on the triangle icon in the Wireless row in the table to expand it
3
Click on the triangle icon for WLAN IDS.
4
Modify the alert settings for any of the following WLAN IDS log categories:
WLAN Probe Check
WLAN Association Flood
Rogue AP Found

 

Configuring Advanced IDP

SonicPoint > Advanced IDP

Advanced Intrusion Detection and Prevention (IDP) is used to monitor the radio spectrum for presence of unauthorized access points (intrusion detection) and to automatically take countermeasures (intrusion prevention). When Advanced IDP is enabled on a SonicPoint, the SonicPoint radio functions as a dedicated IDP sensor.

* 
CAUTION: When Advanced IDP is enabled on a SonicPoint radio, its access point functions are disabled and any wireless clients are disconnected.

Advanced IDP configuration is a two-part process that consists of enabling Advanced IDP and configuring Advanced IDP.

Enabling Advanced IDP on a SonicPoint Profile

To enable Advanced IDP scanning on a SonicPoint profile:
1
Go to the SonicPoint > SonicPoints page.

2
From the View Style menu, select SonicPointNs.
3
Click the Configure icon for the appropriate SonicPoint profile. The Edit SonicPoint AC Profile dialog displays.

4
Click the Sensor tab.
* 
NOTE: The Sensor tab is the same for both SonicPoint N and SonicPoint NDR profiles.

5
Select the Enable WIDP Sensor check box. The drop-down menu becomes active.
6
In the drop-down menu, select the appropriate schedule for IDP scanning, or select Create new schedule to create a custom schedule.
* 
CAUTION: Remember that when Advanced IDP scanning is enabled on a SonicPoint radio, its access point functions are disabled and any wireless clients will be disconnected.
7
Click OK.

Configuring Advanced IDP

To configure Advanced IDP:
1
Navigate to the SonicPoint > Advanced IDP page.

2
Select the Enable Wireless Intrusion Detection and Prevention check box. This option is not selected by default. The other options become active.
3
For Authorized Access Points, select the Address Object Group that authorized Access Points will be assigned to. By default, this is set to All Authorized Access Points.
4
For Rogue Access Points, select the Address Object Group that unauthorized Access Points will be assigned to. By default, this is set to All Rogue Access Points.
5
Select one of the following two options to determine which APs are considered rogue (only one can be enabled at a time):
Add any unauthorized AP into Rogue AP list automatically assigns all detected unauthorized APs—regardless if they are connected to your network—to the Rogue list.
Add connected unauthorized AP into Rogue AP list assigns unauthorized APs to the Rogue list only if they are connected to your network. The following options determine how IDP detects connected rogue APs; both can be selected:
Enable ARP cache search to detect connected rogue AP – Advanced IDP searches the ARP cache for clients’ MAC addresses. When one is found and the AP it is connected to is not authorized, the AP is classified as rogue.
Enable active probe to detect connected rogue AP – The SonicPoint connects to the suspect AP as a client and sends probes to all LAN, DMZ and WLAN interfaces of the firewall. If the firewall receives any of these probes, the suspect AP is attached to your wired network and is classified as rogue.
6
Select Add evil twin into Rogue AP list to add APs to the rogue list when they are not in the authorized list, but have the same SSID as a managed SonicPoint.
7
Select Block traffic from rogue AP and its associated clients to drop all incoming traffic that has a source IP address that matches the rogue list. From the Rogue Device IP addresses drop-down menu, either:
Select All Rogue Devices (default) or an address object group you’ve created.
Create a new address object group by selecting Create New IP Address Object Group. The Add Address Object Group dialog displays.
8
Select Disassociate rogue AP and its clients to send de-authentication messages to the clients of a rogue AP to stop communication between them. Because this containment disrupts any AP on the rogue list, including a neighbour’s legitimate network if it was misclassified, verify the contents of the Rogue Access Points group and authorize legitimate neighbouring access points before enabling it.
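The classification rules in steps 5 and 6, as an added example that is not from the original guide and is not SonicOS code: a Python function that takes a constructed scan result, the authorized BSSID list, the SSIDs served by the managed SonicPoints and a snapshot of the firewall’s ARP cache, and returns the verdict each AP receives under the two rogue modes and the evil-twin option. The ARP-cache test stands in for the Enable ARP cache search option; the active probe is not modelled. The BSSIDs, SSIDs and client MAC addresses are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-06-B1-22-22-22 and 00:06:b1:22:22:22 compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class DiscoveredAP:
    bssid: str
    ssid: str
    clients: Set[str] = field(default_factory=set)   # station MACs seen associated to this BSSID


def classify_aps(aps: Iterable[DiscoveredAP], authorized_bssids: Iterable[str],
                 managed_ssids: Iterable[str], arp_cache_macs: Iterable[str],
                 rogue_mode: str = "connected", evil_twin: bool = True) -> Dict[str, str]:
    """Map each BSSID to 'authorized', 'rogue', 'rogue (evil twin)' or
    'unauthorized (not connected)'.

    rogue_mode="any"        Add any unauthorized AP into Rogue AP list
    rogue_mode="connected"  Add connected unauthorized AP into Rogue AP list, using the
                            ARP cache search: an AP counts as connected if one of its
                            clients' MAC addresses is in the firewall's ARP cache
    evil_twin=True          Add evil twin into Rogue AP list (same SSID as a managed SonicPoint)
    """
    if rogue_mode not in ("any", "connected"):
        raise ValueError("rogue_mode must be 'any' or 'connected'")
    authorized = {norm_mac(m) for m in authorized_bssids}
    arp = {norm_mac(m) for m in arp_cache_macs}
    managed = set(managed_ssids)
    verdicts: Dict[str, str] = {}
    for ap in aps:
        bssid = norm_mac(ap.bssid)
        if bssid in authorized:
            verdicts[bssid] = "authorized"
        elif evil_twin and ap.ssid in managed:
            verdicts[bssid] = "rogue (evil twin)"
        elif rogue_mode == "any" or any(norm_mac(c) in arp for c in ap.clients):
            verdicts[bssid] = "rogue"
        else:
            verdicts[bssid] = "unauthorized (not connected)"
    return verdicts


def rogue_list(verdicts: Dict[str, str]) -> Set[str]:
    """BSSIDs that would be placed in the Rogue Access Points address object group."""
    return {b for b, v in verdicts.items() if v.startswith("rogue")}


# Constructed scan snapshot (not real data): one managed SonicPoint, one AP cloning its
# SSID, one neighbour whose client also shows up in the firewall's ARP cache, one unrelated.
SCAN = [
    DiscoveredAP("00:06:B1:11:11:11", "Corp-WiFi"),
    DiscoveredAP("00-06-B1-22-22-22", "Corp-WiFi", {"aa:bb:cc:00:00:01"}),
    DiscoveredAP("c0:ff:ee:33:33:33", "Guest-Cafe", {"aa:bb:cc:00:00:02"}),
    DiscoveredAP("c0:ff:ee:44:44:44", "Neighbour", {"aa:bb:cc:00:00:03"}),
]
AUTHORIZED = ["00:06:b1:11:11:11"]        # All Authorized Access Points group
MANAGED_SSIDS = ["Corp-WiFi"]             # SSIDs served by the managed SonicPoints
ARP_CACHE = ["AA-BB-CC-00-00-02", "00:06:b1:11:11:11"]   # MACs seen on the firewall's interfaces

if __name__ == "__main__":
    for mode in ("connected", "any"):
        print(mode, classify_aps(SCAN, AUTHORIZED, MANAGED_SSIDS, ARP_CACHE, rogue_mode=mode))
```

Two consequences of the rules stand out on this data. In the default connected mode the neighbour on c0:ff:ee:44:44:44 is left alone because none of its clients has been seen on the wired side, and the cloned Corp-WiFi on 00:06:b1:22:22:22 is rogue only because the evil-twin option is on, since its client is not in the ARP cache either; turning that option off silently demotes the clone to unauthorized, which is the case the option exists for.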

 

Configuring Virtual Access Points

SonicPoint > Virtual Access Point

SonicPoint VAP Overview

* 
NOTE: Virtual Access Points are supported when using SonicPoint wireless access points along with SonicWall NSA appliances. For Virtual Access Point configuration using a TZ appliance, see Wireless > Virtual Access Point.

What Is a Virtual Access Point?

A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP. Before the Virtual AP feature, wireless networks were limited to a one-to-one relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. In other words, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients; if the latter was required, it had to be provided by a separate, distinctly configured Access Point. This forced WLAN administrators to find a way to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual AP (VAP) feature, multiple VAPs can exist within a single physical AP, in compliance with the IEEE 802.11 standard for the media access control (MAC) layer, each with a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This allows wireless network services to be segmented within the radio frequency footprint of a single physical access point device. See Virtual Access Point Configurations.

VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical SonicPoint access points simultaneously.

Virtual Access Point Configurations

For more information on SonicOS Secure Wireless features, refer to the SonicWall Secure Wireless Integrated Solutions Guide available at http://store.elsevier.com/.

What Is an SSID?

A Service Set IDentifier (SSID) is the name assigned to a wireless network. Wireless clients must use this same, case-sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up to 32 bytes long. Multiple SonicPoints on a network can use the same SSIDs. You can configure up to 8 unique SSIDs on SonicPoints and assign different configuration settings to each SSID.

SonicPoints broadcast a beacon (an announcement of the availability of a wireless network) for every SSID configured. By default, the SSID is included within the beacon so that wireless clients can see the wireless networks. The option to suppress the SSID within the beacon is provided on a per-SSID (that is, per-VAP or per-AP) basis to help conceal the presence of a wireless network, while still allowing clients to connect by manually specifying the SSID. Suppression hides the network from casual discovery only and is not a security control: the SSID still appears in the clear in the probe and association frames of clients that connect, so access to the network must be protected by the authentication method, not by suppression.

These settings can be assigned to each VAP:

Authentication method
VLAN
Maximum number of client associations using the SSID
SSID Suppression

Wireless Roaming with ESSID

An ESSID (Extended Service Set IDentifier) is a collection of Access Points (or Virtual Access Points) sharing the same SSID. A typical wireless network comprises more than one AP for the purpose of covering geographic areas larger than can be serviced by a single AP. As clients move through the wireless network, the strength of their wireless connection decreases as they move away from one Access Point (AP1) and increases as they move toward another (AP2). Providing AP1 and AP2 are on the same ESSID (for example, SonicWall) and that the (V)APs share the same SSID and security configurations, the client can roam from one to the other. This roaming process is controlled by the wireless client hardware and driver, so roaming behavior can differ from one client to the next, but it is generally dependent upon the signal strength of each AP within an ESSID.

What Is a BSSID?

A BSSID (Basic Service Set IDentifier) is the wireless equivalent of a MAC (Media Access Control) address: the unique hardware address of an AP or VAP, used for identification. Continuing the example of the roaming wireless client from the ESSID section above, as the client on the SonicWall ESSID moves away from AP1 and toward AP2, the strength of the signal from the former decreases while the latter increases. The client’s wireless card and driver constantly monitor these levels, differentiating between the (V)APs by their BSSID. When the card/driver’s criteria for roaming are met, the client detaches from the BSSID of AP1 and attaches to the BSSID of AP2, all the while remaining connected to the SonicWall ESSID.

Benefits of Using Virtual APs

Radio Channel Conservation—Prevents building overlapping infrastructures by allowing a single physical Access Point to be used for multiple purposes, avoiding channel collisions. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are used by existing APs, additional APs interfere with each other and reduce performance. By allowing a single radio to serve multiple networks, Virtual APs conserve channels.
Optimize SonicPoint LAN Infrastructure—Share the same SonicPoint LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower the capital expenditure for installing and maintaining your WLANs.

Benefits of Using Virtual APs with VLANs

Although the implementation of VAPs does not require the use of VLANs, VLAN use does provide practical traffic differentiation benefits. When not using VLANs, the traffic from each VAP is handled by a common interface on the SonicWall security appliance. This means that all traffic from each VAP will belong to the same zone and same subnet (Footnote: a future version of SonicOS will allow for traffic from different VAPs to exist on different subnets within the same zone, providing a measure of traffic differentiation even without VLAN tagging). By tagging the traffic from each VAP with a unique VLAN ID, and by creating the corresponding subinterfaces on the SonicWall security appliance, it is possible to have each VAP occupy a unique subnet, and to assign each subinterface to its own zone.

This affords the following benefits:

Each VAP can have its own security services settings (GAV, IPS, CFS, etc.).
Traffic from each VAP can be easily controlled using Access Rules configured from the zone level.
Separate Guest Services or Lightweight Hotspot Messaging (LHM) configurations can be applied to each, facilitating the presentation of multiple guest service providers with a common set of SonicPoint hardware.
Bandwidth management and other Access Rule-based controls can easily be applied.

Prerequisites

Each SonicWall SonicPoint must be explicitly enabled for Virtual Access Point support by selecting the Enable SonicPoint checkbox in one of the following dialogs on the SonicPoint > SonicPoints page: