SonicOS 5.9 Admin Guide

Wireless

Viewing WLAN Settings, Statistics, and Station Status

Wireless Overview

The SonicWall wireless security appliances support the IEEE 802.11b, 802.11g, and 802.11n wireless protocols, commonly known as Wi-Fi, and send data via radio transmissions. The SonicWall wireless security appliance combines three networking components to offer a fully secure wireless firewall: an Access Point, a secure wireless gateway, and a stateful firewall with flexible NAT and VPN termination and initiation capabilities. With this combination, the wireless security appliance offers the flexibility of wireless without compromising network security.

Typically, the wireless security appliance is the access point for your wireless LAN and serves as the central access point for computers on your LAN. In addition, it shares a single broadband connection with the computers on your network. Since the wireless security appliance also provides firewall protection, intruders from the Internet cannot access the computers or files on your network. This is especially important for an “always-on” connection such as a DSL or T1 line that is shared by computers on a network.

However, wireless LANs are vulnerable to “eavesdropping” by other wireless networks, which means you should establish a wireless security policy for your wireless LAN. On the wireless security appliance, wireless clients connect to the Access Point layer of the firewall. Instead of bridging the connection directly to the wired network, wireless traffic is first passed to the Secure Wireless Gateway layer, where the client is required to be authenticated via User Level Authentication. Wireless access to Guest Services and MAC Filter Lists are managed by the wireless security appliance. If all of the security criteria are met, wireless network traffic can then pass via one of the following Distribution Systems (DS):

LAN
WAN
Wireless Client on the WLAN
DMZ or other zone on Opt port
VPN tunnel

Information about wireless status can be found in Wireless > Status.

Considerations for Using Wireless Connections

Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections.
Convenience - wireless networks do not require cabling of individual computers or opening computer cases to install network cards.
Speed - if network speed is important to you, you may want to consider using Ethernet connections rather than wireless connections.
Range and Coverage - if your network environment contains numerous physical barriers or interference factors, wireless networking may not be suitable for your network.
Security - wireless networks have inherent security issues due to the unrestricted nature of wireless transmissions. However, the wireless security appliance is a firewall and has NAT capabilities, which provide security, and you can use WPA or WPA2 to secure data transmissions.
NOTE: For the latest information about regulatory approvals and restrictions for SonicWall wireless devices, please see the product documentation for your product at https://support.sonicwall.com/technical-documents. Each device has a unique regulatory document or Getting Started Guide that provides the relevant information.

Recommendations for Optimal Wireless Performance

Place the wireless security appliance near the center of your intended network. This can also reduce the possibility of eavesdropping by neighboring wireless networks.
Minimize the number of walls or ceilings between the wireless security appliance and the receiving points such as PCs or laptops.
Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
Building construction can make a difference in wireless performance. Avoid placing the wireless security appliance near walls, fireplaces, or other large solid objects. Placing the wireless security appliance near metal objects such as computer cases, monitors, and appliances can affect performance of the unit.
Metal framing, UV window film, concrete or masonry walls, and metallic paint can reduce signal strength if the wireless security appliance is installed near these types of materials.
Installing the wireless security appliance in a high place can help avoid obstacles and improve performance for upper stories of a building.
Neighboring wireless networks and devices can affect signal strength, speed, and range of the wireless security appliance. Also, devices such as cordless phones, radios, microwave ovens, and televisions may cause interference on the wireless security appliance.

Adjusting the Antennas

The antennas on the wireless security appliance can be adjusted for the best radio reception. Begin with the antennas pointing straight up, and then adjust as necessary. Note that certain areas, such as the area directly below the wireless security appliance, get relatively poor reception. Pointing the antenna directly at another wireless device does not improve reception. Do not place the antennas next to metal doors or walls as this can cause interference.

Wireless Node Count Enforcement

Users connecting to the WLAN or connecting through the SonicWall GroupVPN are not counted towards the node enforcement on the SonicWall. Only users on the LAN and non-Wireless zones on the Opt port are counted towards the node limit.

The Station Status table lists all the wireless nodes connected.

MAC Filter List

The SonicWall wireless security appliance networking protocol provides native MAC address filtering capabilities. When MAC address filtering is enabled, filtering occurs at the 802.11 layer: wireless clients are prevented from authenticating and associating with the wireless access point. Since data communications cannot occur without authentication and association, access to the network cannot be granted until the client has given the network administrator the MAC address of their wireless network card.

Wireless > Status

The Wireless > Status page provides status information for the wireless network, including WLAN Settings, WLAN Statistics, WLAN Activities, and Station Status.

The Wireless > Status page has four tables:

WLAN Settings

The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration. Enabled features are displayed in green, and disabled features are displayed in red. Click on a setting to go to the page in the Management Interface where you can configure that setting.

WLAN Configurable Settings

| WLAN Settings | Value |
|---|---|
| WLAN | Enabled or Disabled |
| SSID | Wireless network identification information |
| MAC Address (BSSID) | Serial Number of the wireless security appliance |
| WLAN IP Address | IP address of the WLAN port |
| WLAN Subnet Mask | Subnet information |
| Regulatory Domain | FCC - North America for domestic appliances; ETSI - Europe for international appliances |
| Channel | Channel Number selected for transmitting wireless signal |
| Radio Tx Rate | Network speed in Mbps |
| Radio Tx Power | Current power level of the radio signal transmission |
| Authentication Type | Encryption settings for the radio, or Disabled--see the Wireless > Security |
| MAC Filter List | Enabled or Disabled |
| Guest Services | Enabled or Disabled |
| Intrusion Detection | Enabled or Disabled |
| Wireless Firmware | Firmware version on the radio card |
| Associated Stations | Number of clients associated with the wireless security appliance |
| Radio Mode | Current power level of the radio signal transmission |

WLAN Statistics

The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic.

WLAN Statistics

| Wireless Statistics | Rx/Tx |
|---|---|
| Good Packets | Number of allowed packets received and transmitted. |
| Bad Packets | Number of received and transmitted packets that were dropped. |
| Good Bytes | Total number of bytes in the good packets. |
| Management Packets | Number of management packets received and transmitted. |
| Control Packets | Number of control packets received and transmitted. |
| Data Packets | Number of data packets received and transmitted. |

WLAN Activities

The WLAN Activities table describes the history of wireless clients connecting to the SonicWall wireless security appliance.

WLAN Activities Statistics

| Wireless Activities | Value |
|---|---|
| Associations | Number of wireless clients that have connected to the wireless security appliance. |
| Disassociations | Number of wireless clients that have disconnected from the wireless security appliance. |
| Reassociations | Number of wireless clients that were previously connected that have re-connected. |
| Authentications | Number of wireless clients that have been authenticated. |
| Deauthentications | Number of authenticated clients that have disconnected. |
| Discards Packets | Number of discarded packets. |

Station Status

The Station Status table displays information about wireless connections associated with the wireless security appliance.

Station - the name of the connection used by the MAC address
MAC Address - the wireless network card MAC address
Authenticated - status of wireless authentication
Associated - status of wireless association
AID - Association ID, assigned by the security appliance
Signal - strength of the radio signal
Timeout - number of seconds left on the session
Configure - options for configuring the station:
- configure power management on the wireless network card of this station, if enabled.
- block the station from the security appliance and add it to the Deny MAC Filter List.
- dissociate the station from the security appliance.

Discovered Access Points

The Discovered Access Points table appears when the SonicWall appliance is in Wireless Client Bridge mode.

To create a wireless bridge with another access point:
1. Before you begin, verify that your wireless security settings match those of the access point to which you are bridging, and that you have switched your SonicWall TZ wireless appliance to Wireless Client Bridge mode in the Wireless > Settings page.
2. In the Wireless > Status screen, locate the access point you wish to bridge to and click the Connect button.
3. The configuration is set and your SSID changes to mirror that of the wireless bridge host.
NOTE: For security reasons, never create a bridge over an open wireless connection.

Configuring Wireless Settings

Wireless > Settings

The Wireless > Settings page allows you to configure settings for the 802.11 wireless antenna.

Wireless Radio Mode

The Radio Role allows you to configure the SonicWall TZ wireless for one of two modes:

NOTE: Be aware that when switching between radio roles, the SonicWall appliance may require a restart.
Access Point - Configures the SonicWall appliance as an Internet/network gateway for wireless clients.

Wireless Radio Mode: Access point

Wireless Client Bridge - The SonicWall TZ wireless provides Internet/network access by bridging wirelessly to another SonicWall wireless device or SonicPoint access point, selected on the Wireless > Status screen. This mode allows for the possibility of secure network communications between physically separate locations, without the need for long and costly ethernet cabling runs.

Wireless Radio Mode: Wireless Client Bridge

NOTE: For more information on Wireless Client Bridging, refer to the SonicWall Secure Wireless Network Integrated Solutions Guide, or the SonicWall Wireless Bridging Technote, available at https://support.sonicwall.com/kb-product-select.

Wireless Settings

The following options are available on the Wireless > Settings page:

Enable WLAN Radio: Check this box to turn the radio on, and enable wireless networking. Click Apply in the top right corner of the management interface to have this setting take effect.
Schedule: The schedule determines when the radio is on to send and receive data. The default value is Always on. The Schedule list displays the schedule objects you create and manage in the System > Schedule page. The default choices are:
  Always on
  Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)
  M-T-W-TH-F 00:00-08:00
  After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)
  Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)
Country Code: The country code determines which regulatory domain the radio operation falls under.
Radio Mode: Select your preferred radio mode from the Radio Mode menu. The wireless security appliance supports the following modes:
  2.4GHz 802.11n Mixed - Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
  TIP: For optimal throughput speed solely for 802.11n clients, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.
  802.11n Only - Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
  2.4GHz 802.11b/g Mixed - Supports 802.11b and 802.11g clients simultaneously. If your wireless network comprises both types of clients, select this mode.
  802.11g Only - If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.
  802.11b Only - Select this mode if only 802.11b clients access your wireless network.

802.11n Wireless Settings

When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed:

Radio Band (802.11n only): Sets the band for the 802.11n radio:
  Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
  Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed.
    Standard Channel - This drop-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.
  Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are displayed:
    Primary Channel - By default this is set to Auto. Optionally, you can specify a specific primary channel.
    Secondary Channel - The configuration of this drop-down menu is controlled by your selection for the primary channel:
      If the primary channel is set to Auto, the secondary channel is also set to Auto.
      If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
Enable Short Guard Interval: Specifies the short guard interval of 400ns (as opposed to the standard guard interval of 800ns). The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays.
Enable Aggregation: Enables 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput.
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, etc.), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
SSID: The SSID (service set identifier) can be changed to any alphanumeric value with a maximum of 32 characters. The default value for the SSID on a TZ Wireless appliance is sonicwall- plus the last four characters of the BSSID (basic service set ID, equal to the appliance MAC address); for example, sonicwall-C587.

802.11b/g Wireless Settings

When the wireless radio is configured for 802.11b or 802.11g, the Channel drop-down menu is displayed. An Auto setting allows the wireless security appliance to automatically detect and set the optimal channel for wireless operation based upon signal strength and integrity. Auto is the default channel setting, and it displays the selected channel of operation to the right. Alternatively, an operating channel within the range of your regulatory domain can be explicitly defined.

Configuring Wireless Security

Wireless > Security

Wired Equivalent Protocol (WEP)

Can be used to protect data as it is transmitted over the wireless network, but it provides no protection past the SonicWall. It is designed to provide a minimal level of protection for transmitted data, and is not recommended for network deployments requiring a high degree of security.

Wi-Fi Protected Access (WPA and WPA2)

Provides much greater security than WEP, but requires a separate authentication protocol, such as RADIUS, be used to authenticate all users. WPA uses a dynamic key that constantly changes, as opposed to the static key that WEP uses.

The SonicWall security appliance provides a number of permutations of WEP and WPA encryption.

Authentication Overview

Below is a list of available authentication types with descriptive features and uses for each:

WEP
  Lower security
  For use with older legacy devices, PDAs, wireless printers
WPA
  Good security (uses TKIP)
  For use with trusted corporate wireless clients
  Transparent authentication with Windows log-in
  No client software needed in most cases
WPA2
  Best security (uses AES)
  For use with trusted corporate wireless clients
  Transparent authentication with Windows log-in
  Client software install may be necessary in some cases
  Supports 802.11i “Fast Roaming” feature
  No backend authentication needed after first log-in (allows for faster roaming)
WPA2-AUTO
  Tries to connect using WPA2 security.
  If the client is not WPA2 capable, the connection will default to WPA.

WPA/WPA2 Encryption Settings

Both WPA and WPA2 support two protocols for storing and generating keys:

Pre-Shared Key (PSK)—PSK allows WPA to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server.
Extensible Authentication Protocol (EAP)—EAP allows WPA to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.

WPA2 also supports EAP and PSK protocols, but adds an optional AUTO mode for each protocol. WPA2 EAP AUTO and WPA2 PSK AUTO try to connect using WPA2 security, but will default back to WPA if the client is not WPA2 capable.

NOTE: EAP support is only available in Access Point Mode. EAP support is not available in Bridge Mode.

WPA2 and WPA PSK Settings

Encryption Mode

In the Authentication Type field, select either WPA-PSK, WPA2-PSK, or WPA2-Auto-PSK.

EAPOL Settings
  V1—selects the extensible authentication protocol over LAN version 1.
  V2—selects the extensible authentication protocol over LAN version 2. This provides better security than version 1, but may not be supported by some wireless clients.
WPA Settings
  Cypher Type—select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis.
  Group Key Update—Specifies when the SonicWall security appliance updates the key. Select By Timeout to generate a new group key after an interval specified in seconds. Select By Packet to generate a new group key after a specific number of packets. Select Disabled to use a static key.
  Interval—If you selected By Timeout, enter the number of seconds before WPA automatically generates a new group key.
Preshared Key Settings (PSK)
  Passphrase—Enter the passphrase from which the key is generated. Click Apply in the top right corner to apply your WPA settings.
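
How the passphrase becomes a key in PSK mode, as an added example (not SonicWall code): IEEE 802.11i derives the 256-bit pre-shared key with PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as the salt. The function names are illustrative, `sonicwall-C587` is the example default SSID given in the SSID setting description, and the other passphrases and SSIDs are constructed.

```python
import hashlib

# IEEE 802.11i passphrase-to-key mapping parameters.
PBKDF2_ITERATIONS = 4096
PSK_LENGTH = 32  # bytes, i.e. a 256-bit pre-shared key


def check_passphrase(passphrase: str) -> list:
    """Return a list of problems; an empty list means the passphrase is usable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("passphrase must contain only printable ASCII characters")
    return problems


def check_ssid(ssid: str) -> list:
    """The SSID is limited to 32 characters (32 bytes on the air)."""
    size = len(ssid.encode("utf-8"))
    if not 1 <= size <= 32:
        return ["SSID must be 1 to 32 bytes long"]
    return []


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from passphrase and SSID."""
    problems = check_passphrase(passphrase) + check_ssid(ssid)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),  # the SSID is the salt
        PBKDF2_ITERATIONS,
        PSK_LENGTH,
    )


def ssid_change_requires_rekey(passphrase: str, old_ssid: str, new_ssid: str) -> bool:
    """True when renaming the SSID changes the derived key (same passphrase)."""
    return derive_psk(passphrase, old_ssid) != derive_psk(passphrase, new_ssid)


if __name__ == "__main__":
    # Constructed passphrase and second SSID, for illustration only.
    passphrase = "correct horse battery staple"
    for ssid in ("sonicwall-C587", "branch-office-wlan"):
        print(ssid, derive_psk(passphrase, ssid).hex())
    print(check_passphrase("short"))
```

Because the SSID is the salt, changing the SSID changes the derived key even when the passphrase stays the same.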

WPA2 and WPA EAP Settings

Encryption Mode

In the Authentication Type field, select either WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP.

WPA Settings
  Cypher Type—Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis.
  Group Key Interval—Enter the number of seconds before WPA automatically generates a new group key.
EAPOL Settings
  V1—selects the extensible authentication protocol over LAN version 1.
  V2—selects the extensible authentication protocol over LAN version 2. This provides better security than version 1, but may not be supported by some wireless clients.
Extensible Authentication Protocol Settings (EAP)
  Radius Server 1 IP and Port—Enter the IP address and port number for your primary RADIUS server.
  Radius Server 1 Secret—Enter the password for access to Radius Server
  Radius Server 2 IP and Port—Enter the IP address and port number for your secondary RADIUS server, if you have one.
  Radius Server 2 Secret—Enter the password for access to Radius Server

Applying Changes

Click Apply in the top right corner to apply your WPA settings.

WEP Encryption Settings

The SonicWall security appliance offers the following WEP encryption options:

WEP - Open system: In open-system authentication, the SonicWall allows the wireless client access without verifying its identity.
WEP - Shared key: Uses WEP and requires a shared key to be distributed to wireless clients before authentication is allowed.
Both (Open System & Shared Key): The Default Key assignments are not important as long as the identical keys are used in each field. If Shared Key is selected, then the key assignment is important.

To configure wireless security on the SonicWall, navigate to the Wireless > Security page and perform the following tasks:

1. Select the appropriate authentication type from the Authentication Type list.
2. In the Default Key drop-down menu, select which key will be the default key.
3. In the Key Entry menu, select if your keys will be Alphanumeric or Hexadecimal:

Key Types

| Key Type | WEP - 64-bit | WEP - 128-bit | WEP - 152-bit |
|---|---|---|---|
| Alphanumeric (0-9, A-Z) | 5 characters | 13 characters | 16 characters |
| Hexadecimal (0-9, A-F) | 10 characters | 26 characters | 32 characters |

4. You can enter up to four keys. For each key, select whether it will be 64-bit, 128-bit, or 152-bit. The higher the bit number, the more secure the key is.
5. Enter the keys.
6. Click Apply.
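
The guidance in the WPA/WPA2 and WEP sections above, expressed as a settings check. This is an added example, not SonicWall code: the dictionary layout and field names are assumptions (not a SonicOS export format), the severity labels are this example's own, and the sample configurations are constructed.

```python
# Characters expected per key, from the Key Types table: (bits, key entry).
WEP_KEY_LENGTHS = {
    (64, "alphanumeric"): 5, (128, "alphanumeric"): 13, (152, "alphanumeric"): 16,
    (64, "hexadecimal"): 10, (128, "hexadecimal"): 26, (152, "hexadecimal"): 32,
}
HEX_DIGITS = set("0123456789abcdefABCDEF")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def auth_family(auth_type: str) -> str:
    """Map an Authentication Type value to wep, wpa, wpa2, wpa2-auto, none or unknown."""
    name = auth_type.strip().upper()
    if name.startswith("WPA2-AUTO"):
        return "wpa2-auto"
    if name.startswith("WPA2"):
        return "wpa2"
    if name.startswith("WPA"):
        return "wpa"
    if name.startswith("WEP") or name.startswith("BOTH"):
        return "wep"
    return "none" if name == "DISABLED" else "unknown"


def check_wep_keys(keys: list) -> list:
    """Compare each WEP key entry with the Key Types table; never echo the key."""
    findings = []
    for index, key in enumerate(keys, start=1):
        expected = WEP_KEY_LENGTHS.get((key.get("bits"), key.get("entry")))
        value = key.get("value", "")
        if expected is None:
            findings.append(("medium", f"WEP key {index}: unknown key size or entry type"))
        elif len(value) != expected:
            findings.append(("medium", f"WEP key {index}: expected {expected} characters, got {len(value)}"))
        elif key["entry"] == "hexadecimal" and not set(value) <= HEX_DIGITS:
            findings.append(("medium", f"WEP key {index}: non-hexadecimal character"))
    return findings


def audit_wireless_security(cfg: dict) -> list:
    """Return (severity, message) findings, most severe first."""
    findings = []
    auth = cfg.get("authentication_type", "Disabled")
    family = auth_family(auth)
    bridge = cfg.get("radio_role") == "Wireless Client Bridge"

    if family == "none":
        findings.append(("high", "no encryption is configured on the radio"))
        if bridge:
            findings.append(("high", "bridge would run over an open wireless connection"))
    elif family == "unknown":
        findings.append(("medium", f"unrecognised authentication type: {auth!r}"))
    elif family == "wep":
        findings.append(("high", "WEP gives only minimal protection; prefer WPA2"))
        findings += check_wep_keys(cfg.get("wep_keys", []))
    else:
        if family == "wpa":
            findings.append(("medium", "WPA uses TKIP; WPA2 (AES) is the stronger option"))
        if family == "wpa2-auto":
            findings.append(("low", "clients that are not WPA2 capable fall back to WPA"))
        if auth.strip().upper().endswith("EAP") and bridge:
            findings.append(("high", "EAP is not available in Wireless Client Bridge mode"))
        if cfg.get("group_key_update") == "Disabled":
            findings.append(("medium", "group key update is Disabled, so the group key is static"))
        if cfg.get("eapol_version") == "V1":
            findings.append(("low", "EAPOL V1 selected; V2 gives better security where clients support it"))
    return sorted(findings, key=lambda item: SEVERITY_ORDER[item[0]])


# Constructed sample configurations (hypothetical field names and values).
SAMPLE_WPA2 = {"radio_role": "Access Point", "authentication_type": "WPA2-PSK",
               "eapol_version": "V2", "group_key_update": "By Timeout"}
SAMPLE_WEP = {"radio_role": "Access Point", "authentication_type": "WEP - Shared key",
              "wep_keys": [
                  {"bits": 128, "entry": "hexadecimal", "value": "0123456789ABCDEF0123456789"},
                  {"bits": 64, "entry": "alphanumeric", "value": "ABCDEF"},
              ]}
SAMPLE_BRIDGE = {"radio_role": "Wireless Client Bridge", "authentication_type": "WPA2-AUTO-EAP",
                 "eapol_version": "V1", "group_key_update": "Disabled"}

if __name__ == "__main__":
    for name, cfg in (("wpa2", SAMPLE_WPA2), ("wep", SAMPLE_WEP), ("bridge", SAMPLE_BRIDGE)):
        print(name)
        for severity, message in audit_wireless_security(cfg):
            print(f"  [{severity}] {message}")
```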

Configuring Advanced Wireless Settings

Wireless > Advanced

To access Advanced configuration settings for the SonicWall wireless security appliance, log into the SonicWall, click Wireless, and then Advanced. The Wireless > Advanced page is only available when the SonicWall is acting as an access point.

Beaconing and SSID Controls

To configure the Beaconing and SSID Controls:
1. Select Hide SSID in Beacon. This suppresses broadcasting of the SSID name and disables responses to probe requests. Checking this option helps prevent your wireless SSID from being seen by unauthorized wireless clients.
2. Type a value in milliseconds for the Beacon Interval. Decreasing the interval time makes passive scanning more reliable and faster because Beacon frames announce the network to the wireless connection more frequently.

Advanced Radio Settings

The following other advanced settings can be configured.

1. Enable Short Slot Time: Select Enable Short Slot Time to increase performance if you only expect 802.11g traffic. 802.11b is not compatible with short slot time.
2. The Antenna Diversity setting determines which antenna the wireless security appliance uses to send and receive data.
3. Select Full Power from the Transmit Power menu to send the strongest signal on the WLAN. For example, select Full Power if the signal is going from building-to-building. Half Power is recommended for office-to-office within a building, and Quarter Power or Eighth Power are recommended for shorter distance communications.
4. Select Short or Long from the Preamble Length menu. Short is recommended for efficiency and improved throughput on the wireless network.
5. The Fragmentation Threshold (bytes) is 2346 by default. Increasing the value means that frames are delivered with less overhead but a lost or damaged frame must be discarded and retransmitted.
6. The RTS Threshold (bytes) is 2346 by default. If network throughput is slow or a large number of frame retransmissions is occurring, decrease the RTS threshold to enable RTS clearing.
7. The default value for the DTIM Interval is 1. Increasing the DTIM Interval value allows you to conserve power more effectively.
8. The Association Timeout (seconds) is 300 seconds by default, and the allowed range is from 60 to 36000 seconds. If your network is very busy, you can increase the timeout by increasing the number of seconds in the Association Timeout (seconds) field.
9. Set the Maximum Client Associations to limit the number of stations that can connect wirelessly at one time. The default is 128.
10. Data Rate: Select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate.
11. Protection Mode: Protection can decrease collisions, particularly where you have two overlapping SonicPoints. However, it can slow down performance. Auto is probably the best setting, as it will engage only in the case of overlapping SonicPoints.
12. Protection Rate: The protection rate determines the data rate when protection is on. The slowest rate offers the greatest degree of protection but the slowest data transmission rate. Choose 1 Mbps, 2 Mbps, 5 Mbps, or 11 Mbps.
13. Protection Type: Select the type of handshake used to establish a wireless connection: CTS-only or RTS-CTS. 802.11b traffic is only compatible with CTS.
14. Click Apply in the top right corner of the page to apply your changes to the security appliance.
15. (Optional) Click Restore Default to return the radio settings to the default settings.

Configurable Antenna Diversity

The wireless SonicWall security appliances employ dual 5 dBi antennas running in diversity mode. The default implementation of diversity mode means that one antenna acts as the transmitting antenna, and both antennas act as potential receiving antennas. As radio signals arrive at both antennas on the secure wireless appliance, the strength and integrity of the signals are evaluated, and the best received signal is used. The selection process between the two antennas is constant during operation to always provide the best possible signal. To allow for external (higher gain uni-directional) antennas to be used, antenna diversity can be disabled.

The SonicWall NSA 220 and 250M wireless security appliances employ three antennas. The Antenna Diversity is set to Best by default; this is the only setting available for these appliances.

The Antenna Diversity setting determines which antenna the wireless security appliance uses to send and receive data. You can select:

Best—This is the default setting. When Best is selected, the wireless security appliance automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
1—Select 1 to restrict the wireless security appliance to use antenna 1 only. Facing the rear of the appliance, antenna 1 is on the left, closest to the console port. You can disconnect antenna 2 when using only antenna 1.
2—Select 2 to restrict the wireless security appliance to use antenna 2 only. Facing the rear of the appliance, antenna 2 is on the right, closest to the power supply. You can disconnect antenna 1 when using only antenna 2.

TZ Wireless MAC Filter List

Wireless > MAC Filter List

Wireless networking provides native MAC filtering capabilities, which prevent wireless clients from authenticating and associating with the wireless security appliance. If you enforce MAC filtering on the WLAN, wireless clients must provide you with the MAC address of their wireless networking card. The SonicOS wireless MAC Filter List allows you to configure a list of clients that are allowed or denied access to your wireless network. Without MAC filtering, any wireless client can join your wireless network if they know the SSID and perhaps other security parameters, allowing them to “break into” your wireless network.

This figure displays typical SonicWall MAC Filter List deployment scenarios:

Typical SonicWall MAC Filter List Deployment

Deployment Considerations

Consider the following when deploying the MAC Filter List:

For the SonicPoint-N appliance, this feature requires the gateway to store the MAC Filter List settings.
For the SonicWall TZ series appliance’s internal wireless, some members need to be added to the VAP structure to store the MAC Filter List settings and the complete function should be modified to set the configurations to the driver.
MAC Filter List configurations are added to the Wireless Virtual Access Point (VAP) profile settings. They can be viewed by navigating to the Wireless > Virtual Access Point page.

Using the Wireless > MAC Filter List Page

In your management interface, navigate to the Wireless > MAC Filter List page.

MAC Filter List Page: Button and Field Descriptions

| Name | Description |
|---|---|
| Accept Button | Applies and saves the latest configuration settings. |
| Cancel Button | Cancels the configuration. |
| Enable MAC Filter List Check box | Enables the MAC Filter List feature for the selected groups. |
| Allow List: Drop-Down | Selects the group you want the MAC Filter List to allow access to your wireless network. When you click the Allow List drop-down menu and select Create New MAC Address Object group, the Add Address Object Group dialog displays. |
| Deny List: Drop-Down | Selects the group you want the MAC Filter List to deny access to your wireless network. When clicking the Deny List drop-down and selecting Create New MAC Address Object group, the Add Address Object Group dialog displays. |

Add Address Object Group Dialog

Add Address Object Group Wizard: Field Descriptions

| Name | Description |
|---|---|
| Name: text field | Enter a name for the new address object group. |
| Left Panel | Displays the available objects. Select the objects you want to include in your new group. |
| Right Arrow Button | Transfers the selected objects from the left panel to the right panel. |
| Left Arrow Button | Transfers the selected objects from the right panel to the left panel. |
| Right Panel | Displays the objects selected for your new group. |
| OK Button | Applies the configuration. |
| Cancel Button | Cancels the configuration. |

Configuring the MAC Filter List

To configure the MAC filter list to allow or deny address object groups:
1. Log into your SonicOS management interface.
2. Navigate to the Wireless > MAC Filter List page.
3. Click the Enable MAC Filter List checkbox.
4. Click the Allow List drop-down menu and select the address group you want to allow.
5. Click the Deny List drop-down menu and select the address group you want to deny.
6. To add new address objects to the allow and deny lists, click the drop-down menu and select Create New MAC Address Object Group... The Add Address Object dialog displays.
7. In the Name: text field, enter a name for the new group.
8. In the left column, select the groups or individual address objects you want to allow or deny. You can use Ctrl-click to select more than one item at a time.
9. Click the -> button to add the items to the group.
10. Click OK.
11. Click the Accept button.
12. Verify that your list was created.

Configuring Wireless IDS

Wireless > IDS

Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWall wireless security appliances by enabling them to recognize and even take countermeasures against the most common types of illicit wireless activity. WIDS consists of three types of services, namely, Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection. Wireless IDS logging and notification can be enabled under Log > Categories by checking the WLAN IDS box under Log Categories and Alerts.

Access Point IDS

When the Radio Role of the wireless security appliance is set to Access Point mode, all three types of WIDS services are available, but Rogue Access Point detection, by default, acts in a passive mode (passively listening to other Access Point Beacon frames only on the selected channel of operation). Selecting Scan Now momentarily changes the Radio Role to allow the wireless security appliance to perform an active scan, and may cause a brief loss of connectivity for associated wireless clients. While in Access Point mode, the Scan Now function should only be used if no clients are actively associated, or if the possibility of client interruption is acceptable.

Wireless Intrusion Detection Settings

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this doesn't represent a deficiency in the security of a specific wireless device, it is a weakness to the overall security of wireless networks.

The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It accomplishes this in two ways: active scanning for access points on all 802.11a, 802.11g, and 802.11n channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation.

Check the Enable Rogue Access Point Detection box to specify the rogue access point detection method. The Authorized Access Points menu allows you to specify All Authorized Access Points, Create new MAC Address Object Group, or Select an Address Object Group.

The Authorized Access Points menu allows you to specify which access points the SonicWall security appliance will consider authorized when it performs a scan. You can select All Authorized Access Points to allow all SonicPoints, or you can select Create new MAC Address Object Group to create an address object group containing a group of MAC addresses to limit the list to only those SonicPoints whose MAC addresses are contained in the address object group.

Select Create Address Object Group to add a new group of MAC address objects to the list.

IDS Settings

To schedule an IDS scan, click the drop-down menu and select or create a schedule. You can also leave this option as Disabled, in which case an IDS scan will not take place. Below are the schedule options:

Create a new schedule...
Work Hours
M-T-W-TH-F 08:00 to 17:00
After Hours
M-T-W-TH-F 00:00 to 08:00
M-T-W-TH-F 17:00 to 24:00
SU-S 00:00 to 24:00
Weekend Hours

Discovered Access Points

The Discovered Access Points table displays information on every access point that can be detected by all your SonicPoints or on an individual SonicPoint basis:

MAC Address (BSSID): The MAC address of the radio interface of the detected access point. This is used as the basic service set identifier for the access point.
SSID: The service set identifier of the network (WLAN).
Channel: The radio channel used by the access point.
Manufacturer: The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWall or Senao.
Signal Strength: The strength of the detected radio signal.
Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
Authorize: Click the Edit icon in the Authorize column to add the access point to the address object group of authorized access points.

Scanning for Access Points

Active scanning occurs when the wireless security appliance starts up, and at any time Scan Now is clicked at the bottom of the Discovered Access Points table. When the wireless security appliance is operating in a Bridge Mode, the Scan Now feature does not cause any interruption to the bridged connectivity. When the wireless security appliance is operating in Access Point Mode, however, a temporary interruption of wireless clients occurs for no more than a few seconds. This interruption manifests itself as follows:

Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
Persistent connections (protocols such as FTP) are impaired or severed.
CAUTION: The Scan Now feature causes a brief disruption in service. If this is a concern, wait to use the Scan Now feature at a time when no clients are active or until the potential for disruption becomes acceptable.

Authorizing Access Points on Your Network

Access Points detected by the wireless security appliance are regarded as rogues until they are identified to the wireless security appliance as authorized for operation. To authorize an access point, select it in the list of access points discovered by the wireless security appliance scanning feature, and add it by clicking the Authorize icon.
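
The rule above (every detected access point is a rogue until it is added to the authorized group) can be applied offline to a copy of the Discovered Access Points table. This is an added example, not SonicOS code: the rows, the authorized group, the SSID names and the signal_dbm field are constructed, and it goes one step beyond the text by listing unauthorized BSSIDs that advertise one of your own SSIDs first for review.

```python
import re

# Constructed rows shaped like the Discovered Access Points table.
# signal_dbm is an assumed unit; the page only names the column Signal Strength.
DISCOVERED = [
    {"bssid": "00:17:C5:AA:10:01", "ssid": "Campus_Faculty", "channel": 6,
     "manufacturer": "SonicWall", "signal_dbm": -48},
    {"bssid": "00-17-c5-aa-10-02", "ssid": "Campus_Guest", "channel": 11,
     "manufacturer": "SonicWall", "signal_dbm": -55},
    {"bssid": "02:1A:2B:3C:4D:5E", "ssid": "Campus_Faculty", "channel": 6,
     "manufacturer": "Unknown", "signal_dbm": -61},
    {"bssid": "00:25:9C:11:22:33", "ssid": "CoffeeShop", "channel": 1,
     "manufacturer": "Unknown", "signal_dbm": -80},
    {"bssid": "00:25:9C:44:55:66", "ssid": "printer-setup", "channel": 6,
     "manufacturer": "Unknown", "signal_dbm": -52},
    {"bssid": "00:17:C5:AA:10", "ssid": "", "channel": 1,
     "manufacturer": "Unknown"},  # truncated BSSID, kept to show error handling
]
# Constructed stand-in for the MAC address object group of authorized APs.
AUTHORIZED_GROUP = ["00:17:c5:aa:10:01", "0017.c5aa.1002"]
# SSIDs your own deployment advertises (constructed).
OWN_SSIDS = {"Campus_Faculty", "Campus_Guest"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-\s]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(discovered, authorized_group, own_ssids):
    """Tag each discovered row as authorized, rogue, rogue-using-own-ssid or invalid-bssid."""
    authorized = {normalize_mac(m) for m in authorized_group}
    results = []
    for row in discovered:
        try:
            bssid = normalize_mac(row["bssid"])
        except ValueError:
            results.append({**row, "status": "invalid-bssid"})
            continue
        if bssid in authorized:
            status = "authorized"
        elif row.get("ssid") in own_ssids:
            # Unauthorized radio advertising one of our network names.
            status = "rogue-using-own-ssid"
        else:
            status = "rogue"
        results.append({**row, "bssid": bssid, "status": status})
    return results


def triage(results):
    """Order unauthorized rows for review: own-SSID matches first, then strongest signal."""
    rank = {"rogue-using-own-ssid": 0, "rogue": 1, "invalid-bssid": 2}
    pending = [r for r in results if r["status"] != "authorized"]
    return sorted(pending,
                  key=lambda r: (rank[r["status"]], -r.get("signal_dbm", -100)))


if __name__ == "__main__":
    for r in triage(classify(DISCOVERED, AUTHORIZED_GROUP, OWN_SSIDS)):
        print(f'{r["status"]:22} {r["bssid"]:18} ch{r["channel"]:<3} {r["ssid"]!r}')
```

Rows that come out as rogue-using-own-ssid are the ones to investigate before anything is added to the authorized group.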

Configuring Virtual Access Points with Internal Wireless Radio

Wireless > Virtual Access Point

Wireless VAP Overview

This section provides an introduction to the Virtual Access Point feature for SonicWall network security appliances equipped with internal wireless radios.

What Is a Virtual Access Point?

A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP. Before the evolution of the Virtual AP feature support, wireless networks were relegated to a One-to-One relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. In other words, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients, and if the latter were required, they would have had to be provided by separate, distinctly configured Access Points. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This allows for segmenting wireless network services within a single radio frequency footprint of a single physical access point device.

VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on a single internal wireless radio.

For more information on SonicOS Secure Wireless features, refer to the SonicWall Secure Wireless Integrated Solutions Guide.

Benefits of Using Virtual APs

This section includes a list of benefits in using the Virtual AP feature:

Radio Channel Conservation - Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes to avoid the channel collision problem. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.
Optimize Wireless LAN Infrastructure - Share the same Wireless LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower the capital expenditure for installation and maintenance of your WLANs.

Wireless VAP Configuration Overview

The following are required areas of configuration for VAP deployment:

1. Zone - The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of Wireless Subnets.
2. Wireless Interface - The W0 interface (and its WLAN subnets) represent the physical connections between your SonicWall network security appliance and the internal wireless radio. Individual zone settings are applied to these interfaces and forwarded to the wireless radio.
3. DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most wireless deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.
4. Virtual Access Point Profile - The VAP Profile feature allows for creation of wireless configuration profiles which can be easily applied to new wireless Virtual Access Points as needed.
5. Virtual Access Point - The VAP Objects feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings.
6. Virtual Access Point Group - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to a single internal wireless radio.
7. Assign VAP Group to Internal Wireless Radio - The VAP Group is applied to the internal wireless radio and made available to users through multiple SSIDs.

Related Configuration Tasks

A Wireless VAP deployment requires several steps to configure, some of which are configured in other areas of the SonicOS management interface. See the following sections:

Network Zones

A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, you can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network zones are configured from the Network > Zones page.

For detailed information on configuring zones, see Network > Zones.

The Wireless Zone

The Wireless zone type, of which the “WLAN Zone” is the default instance, provides support to SonicWall wireless radio. When an interface or subinterface is assigned to a Wireless zone, the interface can enforce security settings above the 802.11 layer, including WiFiSec Enforcement, SSL VPN redirection, Guest Services, Lightweight Hotspot Messaging and all licensed Deep Packet Inspection security services.

Custom Wireless Zone Settings

Although SonicWall provides the pre-configured Wireless zone, you also have the ability to create your own custom wireless zones. When using VAPs, several custom zones can be applied to a single wireless radio.

General

General Configuration Options

Name: Create a name for your custom zone.
Security Type: Select Wireless to enable and access wireless security options.
Allow Interface Trust: Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Guest Services.
SonicWall Security Services: Select the security services you wish to enforce on this zone. This allows you to extend your SonicWall firewall security services to your wireless users.

Wireless

 

Wireless Configuration Options

Only allow traffic generated by a SonicPoint: Restricts traffic on this zone to internally-generated traffic only.
SSL VPN Enforcement: Redirects all traffic entering the Wireless zone to a defined SonicWall SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic. Note: Wireless traffic that is tunnelled through an SSL VPN will appear to originate from the SSL VPN rather than from the Wireless zone.
    SSL VPN Server - Select the Address Object representing the SSL VPN appliance to which you wish to redirect wireless traffic.
SonicPoint Provisioning Profile: Select a predefined SonicPoint Provisioning Profile to be applied to all current and future SonicPoints on this zone.
SonicPointN Provisioning Profile: Select a predefined SonicPointN Provisioning Profile to be applied to all current and future SonicPoints on this zone.

Guest Services

The Enable Guest Services option allows the following guest services to be applied to a zone:

 

Guest Services Configuration Options

Enable inter-guest communication: Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each other.
Bypass AV Check for Guests: Allows guest traffic to bypass Anti-Virus protection.
Enable Dynamic Address Translation (DAT): Dynamic Address Translation (DAT) allows the SonicPoint to support any IP addressing scheme for Guest Services users. If this option is disabled (unchecked), wireless guest users must either have DHCP enabled, or an IP addressing scheme compatible with the SonicPoint’s network settings.
Enable External Guest Authentication: Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
Custom Authentication Page: Redirects users to a custom authentication page when they first connect to a SonicPoint in the Wireless zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
Post Authentication Page: Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
Bypass Guest Authentication: Allows a SonicPoint running Guest Services to integrate into environments already using some form of user-level authentication. This feature automates the Guest Services authentication process, allowing wireless users to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
Redirect SMTP traffic to: Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
Deny Networks: Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from.
Pass Networks: Automatically allows traffic through the Wireless zone from the networks you select.
Max Guests: Specifies the maximum number of guest users allowed to connect to the Wireless zone. The default is 10.

Wireless LAN Subnets

A Wireless LAN (WLAN) subnet allows you to split a single wireless radio interface (W0) into many virtual network connections, each carrying its own set of configurations. The WLAN subnet solution allows each VAP to have its own virtual separate subinterface, even though there is only a single 802.11 radio.

WLAN subnets have several key capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from WLAN subnets at this time are VPN policy binding, WAN dynamic client support, and multicast support.

WLAN subnets are configured from the Network > Interfaces page.

Custom Wireless Subnet Settings

The table below lists configuration parameters and descriptions for wireless subnets:

 

Wireless Subnet Configuration Options

Zone: Select a pre-defined or custom zone. Only zones with security type of “wireless” are available for selection.
Parent Interface: The default WLAN interface, normally W0.
Subnet Name: Choose a friendly name for this interface.
IP Configuration: Create an IP address and Subnet Mask in accordance with your network configuration.
Sonic Point Limit: The number of radios supported in your deployment. The default value is 1 SonicPoint.
Management: Select the protocols you wish to use when managing this subnet.
User Login: Select the protocols you will make available to clients who access this subnet.
DHCP Server: Select the Create default DHCP Lease Scope option to enable DHCP on this subnet, along with the default number of available leases. See DHCP Server Scope for more information on DHCP lease requirements.

DHCP Server Scope

The DHCP server assigns leased IP addresses to users within specified ranges, known as Scopes. Take care in making these settings manually, as a scope of 200 addresses for multiple interfaces that will only use 30 can lead to connection issues due to lease exhaustion.

The DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. DHCP Server Scope is set from the Network > DHCP Server page.

Configuring Virtual Access Point Profiles

A Virtual Access Point Profile allows you to pre-configure and save access point settings in a profile. VAP Profiles allow settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the Wireless > Virtual Access Point page.

TIP: This feature is especially useful for quick setup in situations where multiple virtual access points will share the same authentication methods.

Virtual Access Point Profile Settings

Virtual Access Point Profile Configuration Options lists configuration parameters and descriptions for Virtual Access Point Profile Settings:

 

Virtual Access Point Profile Configuration Options

Name: Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs.
Type: Set to Wireless-Internal-Radio by default. Retain this default setting if using the internal radio for VAP access (currently the only supported radio type).
Authentication Type: Below is a list of available authentication types with descriptive features and uses for each:
    WPA
        Good security (uses TKIP)
        For use with trusted corporate wireless clients
        Transparent authentication with Windows log-in
        No client software needed in most cases
    WPA2
        Best security (uses AES)
        For use with trusted corporate wireless clients
        Transparent authentication with Windows log-in
        Client software install may be necessary in some cases
        Supports 802.11i “Fast Roaming” feature
        No backend authentication needed after first log-in (allows for faster roaming)
    WPA2-AUTO
        Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection will default to WPA.
Unicast Cipher: The unicast cipher will be automatically chosen based on the authentication type.
Multicast Cipher: The multicast cipher will be automatically chosen based on the authentication type.
Maximum Clients: Choose the maximum number of concurrent client connections permissible for this virtual access point.

WPA-PSK / WPA2-PSK Encryption Settings

Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.

 

WPA-PSK/WPA2-PSK Encryption Configuration Options

Pass Phrase: The shared passphrase users will enter when connecting with PSK-based authentication.
Group Key Interval: The time period for which a Group Key is valid. The default value is 86400 seconds. Setting too low a value can cause connection issues.

WPA-EAP / WPA2-EAP Encryption Settings

Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1x/EAP capable RADIUS server for key generation.

 

WPA-EAP / WPA2-EAP Encryption Configuration Options

RADIUS Server 1: The name/location of your RADIUS authentication server.
RADIUS Server 1 Port: The port on which your RADIUS authentication server communicates with clients and network devices.
RADIUS Server 1 Secret: The secret passcode for your RADIUS authentication server.
RADIUS Server 2: The name/location of your backup RADIUS authentication server.
RADIUS Server 2 Port: The port on which your backup RADIUS authentication server communicates with clients and network devices.
RADIUS Server 2 Secret: The secret passcode for your backup RADIUS authentication server.
Group Key Interval: The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.

Configuring Virtual Access Point Objects

Virtual Access Point objects are configured from the Wireless > Virtual Access Point page. The configuration allows for setup of general VAP settings, including SSID and wireless subnet name.

General VAP Settings

 

VAP configuration options

SSID: Create a friendly name for your VAP.
Name: Select a subnet name to associate this VAP with. Settings for this VAP will be inherited from the subnet you select from this list.
VLAN ID: Select the VLAN ID from the drop-down menu.
Enable Virtual Access Point: Enables this VAP.
Enable SSID Suppress: Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients.

Advanced VAP Settings

Advanced settings allow you to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user-created profile. See Configuring Virtual Access Point Profiles for complete authentication and encryption configuration information.

Configuring Virtual Access Point Groups

The Virtual Access Point Groups feature is available on SonicWall NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your internal wireless radio. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page.

Enabling a Virtual Access Point Group

After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Internal AP Group.

Configuring a Schedulable VAP

The Schedulable VAP feature allows each Virtual Access Point to have its own schedule settings. In previous versions, the wireless radio associated with the SonicWall appliance shared the same schedule among multiple Virtual Access Points. As a result, all virtual access points were active and/or inactive at the same time. Schedulable VAP allows each VAP to have its own setting for the schedules.

Note that if you are configuring a VAP schedule for a SonicPoint, the configured schedule is stored on the SonicWall appliance that the SonicPoint is associated with. If configuring this enhancement on a SonicWall appliance, you will have to add members to the VAP group in order to store and configure the VAP Schedule settings. When the VAP is enabled for the SonicPoint radio, the schedule settings for the radio are disabled.

To schedule and enable a Virtual Access Point:

1. Navigate to the SonicPoint > Virtual Access Point page.
2. Add or edit a Virtual Access Point by clicking the Add... button or the Edit icon of the existing Virtual Access Point you wish to edit.
3. In the configuration window, click the Advanced tab.
4. Select the desired schedule from the VAP Schedule Name drop-down menu. Click OK to save changes.

Configuring the VAP Access Control List

Each Virtual Access Point can support an individual Access Control List (ACL) to provide more effective authentication control. The Wireless ACL Enhancement feature works in tandem with the wireless MAC Filter List currently available on SonicOS. Unified ACL is supported on the internal wireless for the SonicWall TZ and NSA series appliances, and any SonicPoint appliances. Using the Wireless ACL enhancement, users are able to Enable or Disable the MAC Filter List, set the Allow List, and set the Deny list.

The Wireless ACL Enhancement allows each VAP to have its own MAC Filter List settings or use the global settings. When the global settings are enabled, the wireless appliance uses these settings by default. In Virtual Access Point (VAP) mode, each VAP of this group shares the same MAC Filter List settings.

To configure the VAP MAC Filter List:

1. On your SonicWall Network Security appliance, navigate to the Wireless > Virtual Access Points page.
2. Click the Add button under the Virtual Access Points section.
3. In the dialog that displays, click the Advanced tab.
4. Check the box to Enable MAC Filter List. To configure the Global ACL Settings, Allow List, or Deny List, you must enable the MAC Filter List.
5. Check the Use Global ACL Settings box to associate this Virtual Access Point with the already existing MAC Filter List settings for the SonicWall Network Security appliance. You will not be able to edit the Allow or Deny Lists with this option enabled.
6. Select an Address Object Group for the Allow List and Deny List.
7. You can also create a new custom MAC Address Object Group by selecting the Create New MAC Address Object Group option from the drop-down menu. The following screen displays:
8. Type the Name of the new address object group you want to create in the specified field.
9. Then, click the value(s) you want associated, followed by the Arrow button.
10. After selecting the value(s) you want associated to the MAC Address Object Group, click OK.
11. Click OK in the Add/Edit Virtual Access Point dialog.
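
One way to review the Allow List and Deny List groups chosen in the steps above, and in the global Wireless > MAC Filter List procedure, before they are applied. This is an added example, not SonicOS code: the object names, group names, MAC addresses and dictionary layout are constructed, and only the settings Enable MAC Filter List, the global ACL option, Allow List and Deny List come from the page.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}")

# Constructed address objects (name -> MAC) and address object groups.
OBJECTS = {
    "lab-laptop-1": "00:11:22:33:44:55",
    "lab-laptop-2": "00-11-22-33-44-66",
    "projector-a": "00:11:22:AA:BB:01",
    "lost-tablet": "02:00:5e:10:20:30",
    "badge-reader": "00:11:22:33:44",      # one octet short
    "kiosk-1": "00:11:22:cc:dd:01",
}
GROUPS = {  # a group may contain address objects or other groups
    "Faculty-Devices": ["lab-laptop-1", "lab-laptop-2", "Projectors"],
    "Projectors": ["projector-a"],
    "Blocked-Devices": ["lost-tablet", "lab-laptop-2"],
    "Global-Allow": ["kiosk-1", "badge-reader"],
}
# Hypothetical model of the global settings and of each VAP's Advanced tab.
GLOBAL = {"enabled": True, "allow": "Global-Allow", "deny": "Blocked-Devices"}
VAPS = [
    {"ssid": "Campus_Faculty", "mac_filter": True, "use_global": False,
     "allow": "Faculty-Devices", "deny": "Blocked-Devices"},
    {"ssid": "Campus_Guest", "mac_filter": True, "use_global": True,
     "allow": None, "deny": None},
    {"ssid": "Campus_Lab", "mac_filter": False, "use_global": False,
     "allow": None, "deny": None},
]


def canon(mac):
    """Lower-case colon form of a MAC, or None if the text is not a MAC."""
    mac = mac.strip().lower()
    return mac.replace("-", ":") if MAC_RE.fullmatch(mac) else None


def expand(group, seen=None):
    """Flatten a group to {object name: MAC or None}, visiting nested groups once."""
    seen = set() if seen is None else seen
    if group in seen:
        return {}
    seen.add(group)
    members = {}
    for name in GROUPS.get(group, []):
        if name in GROUPS:
            members.update(expand(name, seen))
        else:
            members[name] = canon(OBJECTS.get(name, ""))
    return members


def effective_lists(vap):
    """Return the (allow, deny) group names in force for a VAP, or None if filtering is off."""
    if not vap["mac_filter"]:
        return None
    if vap["use_global"]:
        return (GLOBAL["allow"], GLOBAL["deny"]) if GLOBAL["enabled"] else None
    return vap["allow"], vap["deny"]


def audit(vap):
    """List problems in the lists a VAP would enforce."""
    lists = effective_lists(vap)
    if lists is None:
        return ["MAC filter list disabled"]
    allow, deny = (expand(g) for g in lists)
    findings = []
    for label, members in (("allow", allow), ("deny", deny)):
        for obj, mac in sorted(members.items()):
            if mac is None:
                findings.append(f"{label}: {obj} is not a valid MAC")
            elif int(mac[:2], 16) & 0x02:
                # Locally administered bit set: the address is software-assigned.
                findings.append(f"{label}: {obj} uses a locally administered address")
    both = {m for m in allow.values() if m} & {m for m in deny.values() if m}
    findings += [f"conflict: {m} is in both lists" for m in sorted(both)]
    return findings


if __name__ == "__main__":
    for vap in VAPS:
        print(vap["ssid"], audit(vap))
```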

VAP Sample Configuration

This section provides configuration examples based on real-world wireless needs.

Configuring a VAP for School Faculty Access

You can use a VAP for a set of users who are commonly in the office or on campus, and who should be given full access to all network resources, provided that the connection is authenticated and secure. These users would already belong to the network’s Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS – Internet Authentication Services.

Configuring a Zone

In this section you will create and configure a new corporate wireless zone with SonicWall firewall security services and enhanced WiFiSec/WPA2 wireless security.

1. Log into the management interface of your SonicWall network security appliance.
2. In the left-hand menu, navigate to the Network > Zones page.
3. Click the Add... button to add a new zone.

General Settings Tab

4. In the General tab, enter a friendly name such as WLAN_Faculty in the Name field.
5. Select Wireless from the Security Type drop-down menu.
6. Check the Allow Interface Trust box to allow communication between faculty users.
7. Check the boxes for all of the security services you would normally apply to faculty on the wired LAN.

Wireless Settings Tab

8. In the Wireless tab, check the Only allow traffic generated by a SonicPoint / SonicPointN checkbox.
9. Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu (if applicable).
10. Click the OK button to save these changes.

Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

Creating a New Wireless Subnet

In this section you will create and configure a new wireless subnet on your current WLAN. This wireless subnet will be linked to the zone you created in Configuring a Zone.

1. In the Network > Interfaces page, click the Add WLAN Subnet button.
2. In the Zone drop-down menu, select the zone you created in Configuring a Zone. In this example, it is WLAN_Faculty.
3. Enter a Subnet Name for this interface. This name allows the internal wireless radio to identify which traffic belongs to the WLAN_Faculty subnet. In this case, we choose Faculty as our subnet name.
4. Enter the desired IP Address for this subinterface.
5. Optionally, you may add a comment about this subinterface in the Comment field.
6. If you intend to use this interface, ensure that the Create default DHCP Lease Scope option is checked. This option automatically creates a new DHCP lease scope for this subnet with 33 addresses. This setting can be adjusted later on the Network > DHCP page.
7. Click the OK button to add this subinterface.

Your WLAN Subnet interface now appears in the Interface Settings table.

Creating a Wireless VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This section is optional, but will facilitate greater ease of use when configuring multiple VAPs.

1. In the left-hand menu, navigate to the Wireless > Virtual Access Point page.
2. Click the Add... button in the Virtual Access Point Profiles section.
3. Enter a Profile Name, such as Corporate-WPA2, for this VAP Profile.
4. Select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (set in Step 6).
5. In the Maximum Clients field, enter the maximum number of concurrent connections the VAP will support.
6. In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the new subnet.
7. Click the OK button to create this VAP Profile.

Creating the Wireless VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the wireless subnet you created in Creating a New Wireless Subnet.

General Tab

1. In the left-hand menu, navigate to the Wireless > Virtual Access Point page.
2. Click the Add... button in the Virtual Access Points section.
3. Enter a default name (SSID) for the VAP. In this case we chose Campus_Faculty. This is the name users will see when choosing a wireless network to connect with.
4. Select the Subnet Name you created in Creating a New Wireless Subnet, from the drop-down list. In this case we chose Faculty, the name of our WLAN_Faculty subnet.
5. Check the Enable Virtual Access Point box to enable this access point upon creation.
6. Check the Enable SSID Suppress box to hide this SSID from users.
7. Click the OK button to add this VAP.

Your new VAP now appears in the Virtual Access Points list.

Advanced Tab (Authentication Settings)
1. Click the Advanced tab to edit encryption settings. If you:
   - Created a VAP Profile in the previous section, select that profile from the Profile Name list. We created and chose a “Corporate-WPA2” profile, which uses WPA2-AUTO-EAP as the authentication method. Continue to Create More / Deploy Current VAPs.
   - Have not set up a VAP Profile, continue with Step 2 through Step 4.
2. In the Advanced tab, select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (set below).
3. In the Maximum Clients field, enter the maximum number of concurrent connections the VAP will support.
4. In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the wireless subnet.

Create More / Deploy Current VAPs

Now that you have successfully set up a wireless subnet for faculty access, you can choose to add more custom VAPs, or to deploy this configuration to your internal wireless radio as described in Deploying VAPs to the Wireless Radio.

TIP: Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously by following the steps in Deploying VAPs to the Wireless Radio.

Deploying VAPs to the Wireless Radio

In this section you will group and deploy your new VAPs, associating them with the internal wireless radio. Users will not be able to access your VAPs until you complete this process.

Grouping Multiple VAPs

In this section, you will group multiple VAPs into a single group to be associated with your SonicPoint(s).

1. In the left-hand menu, navigate to the Wireless > Virtual Access Point page.
2. Click the Add Group... button in the Virtual Access Point Group section.
3. Enter a Virtual AP Group Name.
4. Select the desired VAPs from the list and click the -> button to add them to the group. Optionally, click the Add All button to add all VAPs to a single group.
5. Press the OK button to save changes and create the group.
6. To set up 802.11g WEP or 802.11a WEP/WPA encryption, or to enable MAC address filtering, use the 802.11g and 802.11a tabs. If any of your VAPs use encryption, you must configure these settings before your wireless VAPs will function.
7. Click the OK button to save changes and create this Wireless Provisioning Profile.

Associating a VAP Group with your Wireless Radio

After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio.

1. In the left-hand menu, navigate to the Wireless > Settings page.
2. In the Wireless Virtual Access Point section, select the VAP group you created in Grouping Multiple VAPs from the Virtual Access Point Group drop-down menu. In this case, we chose the default Internal AP Group as our Virtual AP Group.
3. Click the Accept button to continue and associate this VAP group with your internal wireless radio.

NOTE: If you are setting up guest services for the first time, be sure to make necessary configurations in Users > Guest Services.