SonicOS 6.2 Admin Guide

SonicPoint
* 
NOTE: SonicPoints are not supported on the SuperMassive 9800.

Understanding SonicPoints

About SonicPoints

SonicWall SonicPoints are wireless access points specially engineered to work with SonicWall security appliances to provide wireless access throughout your enterprise. The SonicPoint section of the Management Interface lets you manage the SonicPoints connected to your system.

In addition to describing the settings available for managing SonicPoints in SonicOS, this section contains a best practices guide for deploying SonicPoints in your network. See SonicPoint Deployment Best Practices.

About SonicPoint Wireless Features

SonicOS 6.2 includes the following wireless and SonicPoint features:

SonicPoint Capabilities

SonicPoints are wireless access points designed to work with SonicWall network security appliances to provide secure wireless access to enterprise networks. SonicPoint AC provides higher throughput in the 5GHz band by providing more antennas, wider channels, more spatial streams, and other features that boost throughput and reliability. SonicPoint AC devices support both the 5GHz and 2.4GHz radio bands. SonicPoint AC has the following key technical components:

Wider Channels—80 MHz channel bandwidths
Up to 4 Spatial Streams—Adding spatial streams increases throughput proportionally. Two streams doubles the throughput of a single stream. Four streams increases the throughput four times.

SonicPoint AC provides higher throughput, making it better for wireless displays, HDTV, downloading large files, and campus and auditorium use.

SonicPoint Layer 3 Management Phase I – Provides the DHCP and tunneling solution to support SonicPoint deployment in a Layer 3 network:
SonicWall DHCP-based Discovery Protocol (SDDP) is based on the well-known DHCP protocol and allows the SonicWall gateway and SonicPoint to discover each other automatically across Layer 3 local networks.
The remote network management protocol, SonicWall SSL VPN-based Management Protocol (SSMP), is based on SonicWall SSL VPN infrastructure to allow SonicPoints to be managed by a SonicWall SSL VPN enabled network security appliance over the Internet. Supported on SonicPoint AC/N2/N/Ni/Ne/NDR, all SuperMassive, NSA, and TZ firewalls running SonicOS 6.2 or later.
Dynamic Frequency Selection (DFS) Support – After a DFS certificate is issued, the SonicPoints support dynamic frequency selection to allow a SonicPoint to be deployed in sensitive channels of the 5GHz frequency band.

To view and select from these 5GHz channels, navigate to SonicPoint > SonicPoints and configure a SonicPoint profile or an individual SonicPoint. On the Radio tab, select any 5GHz setting in the Mode field, then select either Standard or Wide as the Radio Band. The Standard Channel or Primary Channel drop-down menus display a choice of sensitive channels.

SonicPoint Wi-Fi Multimedia – SonicPoints support Wi-Fi Multimedia (WMM) to provide a better Quality of Service experience on miscellaneous applications, including VoIP on Wi-Fi phones and multimedia traffic on wireless networks. WMM is a Wi-Fi Alliance interoperability certification based on the IEEE 802.11e standard. WMM prioritizes traffic according to four access categories: voice, video, best effort, and background.
* 
NOTE: WMM does not provide guaranteed throughput.

Each Access Category has its own transmit queue. WMM requires the SonicPoint N to implement multiple queues for multiple priority access categories. The SonicPoint N relies on either the application or the firewall to provide type of service (TOS) information in the IP data to differentiate traffic types. One way to provide TOS is through firewall services and access rules; another way is through VLAN tagging.

* 
NOTE: For more information about WMM and SonicPoints, see SonicPoint WMM Configuration.
SonicPoint Statistics - The SonicPoint > Station Status page reports the statistics of each SonicPoint. The Station Status table lists entries for each wireless client connected to each SonicPoint. The sections of the Station Status table are divided by SonicPoint.
Radio Frequency Security - SonicPoint provides protection for Radio Frequency (RF) devices. RF technology used in wireless networking devices is a target for intruders. SonicPoint uses direct RF monitoring to detect threats without interrupting the current operation of your wireless or wired network.
Radio Frequency Analysis - Radio Frequency Analysis (RFA) is a feature that enables the network administrator to understand how wireless channels are utilized by the SonicPoints and other neighboring wireless access points.
Retaining SonicPoint Customized Configuration - You can configure SonicPoint profiles so the SonicPoints retain portions of their configuration even after they are deleted or resynchronized.
SonicPoint Diagnostics - A SonicPoint can collect critical runtime data and save it into persistent storage. If the SonicPoint fails, the SonicWall managing appliance retrieves that data when the SonicPoint reboots, and incorporates it into the Tech Support Report (TSR). A subsequent SonicPoint failure overwrites the data.
Daisy Chaining – Daisy chaining allows users with a small environment (that is, a low-density switch infrastructure) to deploy several SonicPoints while using as few switch ports as possible. For example, a store might need to connect numerous devices scattered throughout the building, including multiple APs to cover the entire store, to a switch infrastructure that is small in terms of switch port density and availability. SonicPoints are daisy chained through the LAN2 interface.
* 
IMPORTANT: Daisy chaining SonicPoints affects throughput, with each addition lessening throughput. If throughput is a concern, then to keep it at an acceptable level daisy chain no more than three SonicPoints for the SonicPoint N2, and no more than two SonicPoints for the SonicPoint ACe/ACi. If throughput is not a concern, daisy chain no more than four SonicPoints.

If you have a mixture of SonicPoint AC models with SonicPoint N or N2 models, place the SonicPoint AC model at the beginning of the chain.

Wi-Fi Alliance Certification

* 
NOTE: SonicPoint Dual Radio (SonicPointNDR and SonicPointACe/ACi/N2) are Wi-Fi Certified by the Wi-Fi Alliance, designated by the Wi-Fi CERTIFIED logo.

The Wi-Fi CERTIFIED Logo is a certification mark of the Wi-Fi Alliance, and indicates that the product has undergone rigorous testing by the Wi-Fi Alliance and has demonstrated interoperability with other products, including those from other companies that bear the Wi-Fi CERTIFIED Logo.

FCC U-NII New Rule Compliance

Beginning in SonicOS 6.2.5.1, FCC U-NII (Unlicensed –National Information Infrastructure) New Rule (Report and Order ET Docket No. 13-49) is supported on SonicPointACe/ACi/N2 running firmware version 9.0.1.0-2 or higher. To comply with FCC New Rules for Dynamic Frequency Selection (DFS), a SonicPoint detects and avoids interfering with radar signals in DFS bands.

* 
NOTE: SonicPointACe/ACi/N2 wireless access points manufactured with FCC New Rule-compliant firmware are only supported with SonicOS 6.2.5.1 and higher. Older SonicPointACe/ACi/N2 access points are automatically updated to the FCC New Rule-compliant firmware when connected to a firewall running SonicOS 6.2.5.1 or higher.

VLAN Tagging

VLAN-based prioritization works across Virtual Access Points (VAPs) because the SonicPoint N and AC allow a VAP to be bound to a VLAN by giving both the same VLAN ID. You can then set the priority for that VLAN's traffic through a firewall access rule.

SonicPoint WMM Configuration

The SonicPoint > Wi-Fi Multimedia page provides a way to configure WMM profiles, including parameters and priority mappings.

You can also create a WMM profile or select an existing WMM profile when configuring a SonicPoint or a SonicPoint profile from the SonicPoint > SonicPoints page. The Add SonicPoint Profile dialog provides a WMM (Wi-Fi Multimedia) drop-down menu on the Advanced tab from which you select an existing profile or create a new one.

When configuring the WMM profile, you can configure the size of the contention window and the arbitration interframe space (AIFS) number. These values can be configured individually for each priority on the Access Point (SonicPoint) and for the Station (firewall).

You can map priority levels to DSCP values. The default DSCP values are the same as those used for QoS mapping in Firewall > Access Rules.

SonicPoint RADIUS Server Failover – Provides round-robin algorithm and more flexibility to manage primary and secondary RADIUS servers of SonicPoint.
SonicPoint WPA TKIP Countermeasures and MIC Failure Flooding Detection and Protection – Wi-Fi Protected Access (WPA) TKIP countermeasures lock down the entire Wireless LAN network in situations where an intruder launches a WPA passphrase dictionary attack to generate a Message Integrity Check (MIC) failure flood in an attempt to impact the WLAN functionality and performance. This SonicWall solution can detect a TKIP MIC failure flood and take action with TKIP countermeasures against the source to automatically block them by adding them to the runtime blacklist, protecting the overall system.
SonicPoint FairNet Support – After optimizing the system resources, SonicPoint FairNet provides you with a simple method to control the bandwidth of wireless clients and ensure the bandwidth is distributed fairly across all access points. You can configure the SonicPoint FairNet bandwidth limits for all wireless clients, specific IP address ranges, or individual clients to provide fairness and network efficiency.
SonicPoint Auto Provisioning – A SonicPoint can be re-provisioned automatically according to a wireless zone profile. This increases management efficiency and ease of use, as previously a SonicPoint had to be deleted and re-added to be re-provisioned with a modified profile.

Wireless PCI Compliance and Intrusion Detection/Prevention

Intrusion Detection Services - Intrusion Detection Services (IDS) enables the SonicWall network security appliance to recognize rogue access points, a common type of illicit wireless activity, and to take countermeasures against them. IDS reports on all access points that the firewall can find by scanning the 802.11a/b/g/n/ac radio bands on the SonicPoints.
Advanced Intrusion Detection and Prevention - Advanced Intrusion Detection and Prevention (IDP) monitors the radio spectrum for the presence of unauthorized access points (intrusion detection) and automatically takes countermeasures (intrusion prevention). When Advanced IDP is enabled on a SonicPoint, its radio functions as a dedicated IDP sensor.
Rogue Device Detection and Prevention – A SonicPoint can be configured in dedicated sensor mode to focus on rogue device detection and prevention, either passively or proactively on both the 2.4GHz and 5GHz bands. Both bands can be scanned even if only one is in use. The rogue device can be analyzed to report whether it is connected to the network and if it is blocked by a wired or wireless mechanism.
Built-in Wireless Radio Scan Schedule – SonicPoints can now be scheduled to perform Intrusion Detection/Prevention scanning with granular scheduling options to cover up to 24 hours a day, 7 days a week. The scheduling options are available on the 802.11n Radio tab (or comparable tab) when editing SonicPoint profiles for all SonicPoint models.

Virtual Access Points

A Virtual Access Point (VAP) is a multiplexed instantiation of a single physical Access Point (AP), so that a single AP appears as multiple discrete Access Points or VAPs. To wireless LAN clients, each VAP appears as an independent physical AP, when in actuality there is only one physical AP.

Virtual Access Point Schedule Support – Each Virtual Access Point schedule can be individually enabled or disabled, for ease of use.
Virtual Access Point Layer 2 Bridging – Each Virtual Access Point can be bridged to a corresponding VLAN interface on the LAN zone, providing better flexibility.
Virtual Access Point ACL Support – Each Virtual Access Point can support an individual Access Control List (ACL) to provide more effective authentication control.
Virtual Access Point Group Sharing on SonicPoint N Dual Radios – The same Virtual Access Point/VLAN settings can be applied to dual radios. This allows you to use a unified policy for both radios, and to share a VLAN trunk in the network switch.

Guest Services

Traffic Quota Based Guest Server Policy – Guest sessions can be controlled based on traffic quota policy for better usability. This allows you to configure different transmit/receive limits for different guest clients, possibly based on payment.
External Guest Service FQDN Support – Fully Qualified Domain Names (FQDN) are supported for Lightweight Hotspot Messaging (LHM) server configuration.
External Guest Service Apache Web Server / PHP Support – Apache Web server and PHP scripts are supported for Lightweight Hotspot Messaging infrastructure purposes. This allows support for Linux based Web servers that run Apache and PHP, rather than the Microsoft .Net Framework and ASP scripts.
Guest Administrator Support – A Guest Administrator privileges group is available to provide administrator access only to manage guest accounts and sessions. After logging in, the Guest Administrator can manage guest accounts and sessions, but cannot access any other resources or management interface pages.
Internal Radio IDS Scan Scheduling – Wireless Intrusion Detection and Prevention (WIDP) monitors the radio spectrum for the presence of unauthorized access points (intrusion detection) and automatically takes counter measures (intrusion prevention). SonicOS provides a solution that detects rogue access points and takes action according to the administrator settings.

SonicOS Wireless Intrusion Detection and Prevention turns SonicPoints into dedicated WIDP sensors that detect unauthorized access points connected to a network.

Japanese and International SonicPoint Support

SonicOS 6.2.2.2 and above supports both Japanese and international SonicPointACe/ACi/N2 wireless access points. An international SonicPoint is one that is deployed and operating in a country other than the United States or Japan.

When an international SonicPoint is connected to a SonicWall network security appliance, SonicOS displays a Register button on the SonicPoint > SonicPoints page. Clicking Register brings up a dialog in which you can select the appropriate Country Code.

* 
NOTE: Be sure to select the country code for the country in which the SonicPoint is deployed, even if you are not in that country while registering the SonicPoint.

For international SonicPoints registered with country codes other than Canada, the country code can be changed in the SonicPoint profile on the SonicPoint > SonicPoints page.

* 
IMPORTANT: When the SonicPoint is registered with the country code for Canada, the country code cannot be changed except by contacting SonicWall Support.

Before Managing SonicPoints

Before you can manage SonicPoints in the SonicOS management interface, you must first:

Verify that the SonicPoint image is downloaded to your SonicWall security appliance. See Updating SonicPoint Firmware.
Configure your SonicPoint Provisioning Profiles.
Configure a Wireless zone.
Assign profiles to wireless zones. This step is optional. If you do not assign a default profile for a zone, SonicPoints in that zone will use the first profile in the list.
Assign an interface to the Wireless zone.
Attach the SonicPoints to the interfaces in the Wireless zone.
Test the SonicPoints.

SonicPoint Deployment Best Practices

This section provides SonicWall recommendations and best practices regarding the design, installation, deployment, and configuration issues for SonicWall’s SonicPoint wireless access points. The information covered allows you to properly deploy SonicPoints in environments of any size. This section also covers related external issues that are required for successful operation and deployment.

* 
IMPORTANT: SonicWall cannot provide any direct technical support for any of the third-party Ethernet switches referenced in this section. The material is also subject to change without SonicWall’s knowledge when the switch manufacturer releases new models or firmware that might invalidate the information contained herein.

Further information about SonicPoint best practices can be found in the SonicWall SonicPoint Deployment Best Practices Guide.

Prerequisites

The following are required for a successful SonicPoint deployment:

SonicOS requires public Internet access for the network security appliance to download and update the SonicPoint firmware images. If the device does not have public Internet access, you will need to obtain and download the SonicPoint firmware manually.
One or more SonicWall SonicPoint wireless access points.
If you are using a PoE/PoE+ switch to power the SonicPoint, it must be one of the following:
An 802.3at-compliant Ethernet switch for SonicPointACe/ACi/N2
An 802.3af-compliant Ethernet switch for other SonicPoint models
Vendor-specific switch programming notes for HP, Cisco, Dell, and D-Link can be found towards the end of this section. If you are not using a PoE/PoE+ switch, you need to use the power adapter that ships with the SonicPoint or SonicWall's PoE Injector. See the SonicWall Power over Ethernet (PoE) Injector User's Guide.
It is strongly recommended you obtain a support contract for your SonicWall network security appliance as well as the PoE/PoE+ switch. The contract allows you to update to new versions if issues are found on the switch side, on the firewall side, or when new features are released.
Be sure to conduct a full site survey before installation (see Site Survey and Planning).
Check wiring and cable infrastructure to verify that end-to-end runs between SonicPoints and the Ethernet switches are CAT5, CAT5e, or CAT6.
Check building codes for install points, and work with the building’s facilities staff, as some desired install points may violate regulations.

Tested Switches

Cisco – Most Cisco switches work well; however, SonicWall does not recommend deploying SonicPoints using the Cisco Express switch line.
Netgear – SonicWall does not recommend deploying SonicPoints using Netgear PoE switches.
D-Link PoE switches – Shut off all their proprietary broadcast control and storm control mechanisms, as they interfere with the provisioning and acquisition mechanisms in the SonicPoint (see PoE and PoE+ regarding this).
Dell – Ensure to configure STP for fast start on SonicPoint ports.
Extreme – Ensure to configure STP for fast start on SonicPoint ports.
Foundry – Ensure to configure STP for fast start on SonicPoint ports.
HP ProCurve – Ensure to configure STP for fast start on SonicPoint ports.

Wiring Considerations

Make sure wiring is CAT5, CAT5e, or CAT6 end to end.
Due to signaling limitations in 802.3af, and 802.3at for SonicPoint AC appliances, Ethernet cable runs should not extend over 100 meters between the PoE switch and the SonicPoint.
You will need to account for PoE power loss as the cable run becomes longer; this can be up to 16 percent. For longer cable runs, the port requires more power to be supplied.

Site Survey and Planning

Conduct a full site walk of all areas where SonicPoints will be deployed with a wireless spectrum scanner. Note any existing access points (APs) and the channels they are broadcasting on. SonicWall currently recommends using Fluke or AirMagnet products to conduct full site surveys. You may also wish to try out NetStumbler/MiniStumbler, which while free does a decent job of surveying, providing it works with your wireless card.
Blueprints of floor plans are helpful; on them you can mark the position of each AP and the range of its wireless cell. Make multiple copies, as the site-survey results may show that the original design is not the best and a fresh start is needed. The plans also show where walls, halls, and elevators are located, all of which can influence the signal, and where users are and are not located. During the site survey, keep an eye open for electrical equipment that may cause interference (microwaves, CAT scan equipment, and so on). In areas with a lot of electrical equipment, also take a look at the cabling being used.
Survey three dimensionally, as wireless signals cross over to different floors.
Determine where you can locate APs based on power and cabling. Remember that you should not place APs close to metal or concrete walls, and you should put them as close to the ceiling as possible.
Use the wireless scanning tool to check signal strength and noise. The signal-to-noise ratio should be at least 10 dB (the minimum required for 11 Mbps); 20 dB is preferred. Both signal and noise influence the quality of service.
Relocate the APs and re-test, depending on the results of your survey.
Save settings, logs and note the location of the APs for future reference.
When using older SonicPoint models, if you find that certain areas, or all areas, are saturated with existing overlapping 802.11b/g channels, you may wish to deploy SonicPoints using the 802.11a radio. This provides a much larger array of channels to broadcast on, although the range of 802.11a is limited, and the SonicPoint does not allow for the addition of external antennas.
When planning, make sure you note the distance of the cable run from the switch to where the SonicPoint will be mounted; this must be no more than 100 meters, the 802.3af/802.3at limit noted under Wiring Considerations. If you are not using PoE switches, you will also need to consider a power adapter or PoE injector for the SonicPoint. Make sure you are not creating an electrical fire hazard.
Be wary of broadcasting your wireless signal into areas that you do not control; check for areas where people might be able to leach signal and tune the SonicPoints accordingly.
For light use, you can plan for 15-20 users for each SonicPoint. For business use, you should plan for 5-10 users for each SonicPoint.
Plan accordingly for roaming users—this will require tuning the power on each SonicPoint so that the signal overlap is minimal. Multiple SonicPoints broadcasting the same SSID in areas with significant overlap can cause ongoing client connectivity issues.
Use the scheduling feature in SonicOS to shut off SonicPoints when not in use—it’s recommended that you do not operate your SonicPoints during non-business-hours (off nights and weekends).

Channels

The default setting of SonicPoints is auto-channel. When this is set, at boot-up the SonicPoint does a scan to check if there are other wireless devices transmitting. Then, it tries to find an unused channel to use for transmission. Especially in larger deployments, this process can cause trouble. In large deployments, it is recommended to assign fixed channels to each SonicPoint.

* 
TIP: A diagram of the SonicPoints and their MAC Addresses helps to avoid overlaps. It is recommended to mark the location of the SonicPoints and MAC Addresses on a floor-plan.

Wireless Card Tuning

If you are experiencing connectivity issues with laptops, check to see if the laptop has an Intel embedded wireless adapter. The following Intel chip sets are publicly known and acknowledged by Intel to have disconnect issues with third-party wireless access points:

Intel PRO/Wireless 2100 Network Connection
Intel PRO/Wireless 2100A Network Connection
Intel PRO/Wireless 2200BG Network Connection
Intel PRO/Wireless 2915ABG Network Connection
Intel PRO/Wireless 3945ABG Network Connection

These wireless cards are provided to OEM laptop manufacturers and are often rebranded under the manufacturers name—for example, both Dell and IBM use the above wireless cards, but the drivers are branded under their own name.

To tune the wireless card:
1. Identify the adapter:
   a. Go to Intel's support site.
   b. Search for Intel Network Connection ID Tool.
   c. Install and run this tool on any laptop experiencing frequent wireless disconnect issues. The tool identifies which Intel adapter is installed inside the laptop.
2. After you have identified the Intel wireless adapter, go to Intel's support site and download the newest software package for that adapter.
* 
IMPORTANT: It is recommended that you download and install the full Intel PRO/Set package and allow it to manage the wireless card, instead of Windows or any OEM-provided wireless network card management program previously used. SonicWall recommends that you use version 10.5.2.0 or newer of the full Intel PRO/Set Wireless software driver/manager.
3. Be sure to use the Intel wireless management utility and disable Microsoft's Wireless Zero Config management service; the Intel utility should control the card, not the OS.
4. In the Advanced section:
   a. Disable power management by clearing the checkbox next to Use default value.
   b. Move the slider under the checkbox to Highest. This instructs the wireless card to operate at full strength and not go into sleep mode.
   c. Click OK to save and activate the change.
   d. Reboot the laptop.
5. In the Advanced section again:
   a. Adjust the roaming aggressiveness by clearing the checkbox next to Use default value.
   b. Move the slider under the checkbox to Lowest. This instructs the wireless card to stay with the AP it is associated with as long as possible, and to roam only if the signal is significantly degraded.
* 
TIP: This is extremely helpful in environments with large numbers of access points broadcasting the same SSID.
   c. Click OK to save and activate the change.
   d. Reboot the laptop.

If you continue to have issues, you may also try adjusting the Preamble Mode on the wireless card. By default the Intel wireless cards above are set to auto. All SonicWall wireless products by default are set to use a Long preamble, although this can be adjusted in the Management GUI.

To adjust the Intel wireless card's preamble setting:
1. Go to the Advanced section.
2. Clear the checkbox next to Use default value.
3. Select Long Tx Preamble from the drop-down menu below the checkbox.
4. Click OK to save and activate the change.
5. Reboot the laptop.

PoE and PoE+

Long cable runs cause loss of power; 100-meter runs between SonicPoint and PoE switch may incur up to 16 percent power/signal degradation; because of this, the PoE switch needs to supply more power to the port to keep the SonicPoint operational.

SonicPointACe/ACi/N2

Full 802.3at compliance is required on any switch supplying Power over Ethernet/Power over Ethernet plus (PoE/PoE+) to SonicPointACe/ACi/N2. Do not operate SonicPoints on non-compliant switches as SonicWall does not support it.

* 
IMPORTANT: Turn off pre-802.3at-spec detection as it may cause connectivity issues.

SonicPoint ACs (Type 1) can be set to Class 0, 1, 2, or 3 PD. SonicPoint ACs (Type 2) are set to Class 4 PD. The minimum and maximum power output values are as follows:

Type 1, Class 0 PD uses 0.5 W minimum to 15.4 W maximum
Type 1, Class 1 PD uses 0.5 W minimum to 4.0 W maximum
Type 1, Class 2 PD uses 4.0 W minimum to 7.0 W maximum
Type 1, Class 3 PD uses 7.0 W minimum to 15.4 W maximum
Type 2, Class 4 PD uses 15.4 W minimum to 30 W maximum
* 
IMPORTANT: A mismatch in Class causes confusion in the handshake and reboots the SonicPoint.

Ensure each SonicPointACe/ACi/N2 is guaranteed 25 watts.

Be particularly careful to verify that every PoE/PoE+ switch can provide a minimum of 25 watts to each PoE port that supports a SonicPointACe/ACi/N2. If a switch cannot guarantee 25 watts per port, an external redundant power supply must be added. Work closely with the manufacturer of the PoE/PoE+ switch to ensure that enough power is supplied to the switch to power all of your PoE/PoE+ devices.

Legacy and SonicPoint N/Ni/Ne/NDR

Legacy SonicPoints and SonicPoint N/Ni/Ne/NDR are set to Class 0 PD, which uses 0.44W minimum up to 12.95W maximum power.

Full 802.3af compliance is required on any switch supplying PoE to legacy SonicPoints and SonicPoint N/Ni/Ne/NDR. Do not operate SonicPoints on non-compliant switches as SonicWall does not support it.

Turn off pre-802.3af-spec detection as it may cause connectivity issues.

Ensure each port can get 10 watts guaranteed, and set the PoE priority to critical or high.

Spanning-Tree

When an Ethernet port becomes electrically active, most switches by default will activate the spanning-tree protocol on the port to determine if there are loops in the network topology. During this detection period of 50-60 seconds, the port does not pass any traffic—this feature is well-known to cause problems with SonicPoints.

If you do not need spanning-tree, disable it globally on the switch or disable it on each port connected to a SonicPoint device. If this is not possible, check with the switch manufacturer to determine if they allow for fast spanning-tree detection, which is a method that runs spanning-tree in a shortened time so as to not cause connectivity issues. Refer to Sample Dell switch configuration (per interface) for programming samples on how to do this.

VTP and GVRP

Turn these VLAN management protocols off on ports connected directly to SonicPoints, as they have been known to cause issues with SonicPoints, especially on the high-end Cisco Catalyst series switches.

Port-Aggregation

Many switches have port aggregation turned on by default, which causes a lot of issues. Port aggregation should be deactivated on ports connected directly to SonicPoints.
PAGP/Fast EtherChannel/EtherChannel should be turned off on the ports going to SonicPoints.
LACP should be turned off on the ports going to SonicPoints.

Portshielding SonicPoints

SonicPoints can be portshielded by configuring them as a member of a PortShield group. If the SonicPoints are configured to a X‑Series switch, the PortShield group to which it is a member must be configured as a port for a dedicated link. For further information, see SonicOS Support of X‑Series Switches and the SonicWall X-Series Solution Deployment Guide.

Broadcast Throttling/Broadcast Storm

This feature is an issue on some switches, especially D-Link. Disable on a per-port basis if possible, if not, disable globally.

Speed and Duplex

At present, auto-negotiation of speed and duplex is the only option for SonicPoints.
Locking speed and duplex on the switch and rebooting the SonicPoint may help with connectivity issues.
Check the port for errors, as this is the best way to determine if there is a duplex issue (the port will also experience degraded throughput).

Virtual Access Point (VAP) Issues

Only VLAN-capable SonicWall platforms can offer VAP features in existing releases. Each SSID should be associated with a unique VLAN ID to segment traffic into different broadcast domains. SonicWall Discovery Protocol (SDP) and SonicWall Simple Provisioning Protocol (SSPP) packets must be untagged when they reach the SonicWall WLAN interface or the SonicPoint.

The switch between the SonicWall network security appliance and the SonicPoint must be configured properly to allow both untagged SDP/SSPP traffic and tagged traffic with VLAN ID for each VAP SSID.

If at all possible, assign each VAP to its own VLAN/security zone. This provides maximum segmentation between SSIDs and, although not explicitly required for PCI compliance, puts you solidly in the green zone.

* 
NOTE: If you use VLANs, do not use the parent interface and do not use the default VLAN.
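
As an added worked example (not part of the SonicOS guide and not a SonicWall-supplied sample), the following Cisco IOS configuration applies the switch-side recommendations from the Spanning-Tree, VTP and GVRP, Port-Aggregation, Broadcast Throttling/Broadcast Storm, Speed and Duplex, PoE and PoE+, and Virtual Access Point (VAP) Issues sections to one port facing a SonicPointACe/ACi/N2 and to the uplink toward the firewall. The interface names, the VLAN numbers (100 untagged for the WLAN zone and SDP/SSPP, 101 and 102 tagged for two VAPs), and the descriptions are assumptions for this example; substitute your own. The BPDU guard line is hardening beyond what the guide asks for. The Dell sample the guide refers to expresses the same ideas on a different CLI.

```cisco
! Added example (not from the SonicOS guide): Cisco IOS configuration for a port facing one
! SonicPointACe/ACi/N2. Assumed layout: VLAN 100 = WLAN zone VLAN (untagged/native, carries
! SDP/SSPP discovery and provisioning); VLAN 101 and 102 = VAP VLANs (tagged).
! Interface names and VLAN numbers are assumptions.
!
! --- VTP: keep this switch out of VTP domain propagation (the guide asks for VTP off), so the
! VLANs below are defined locally and nothing rewrites them.
vtp mode transparent
!
vlan 100
 name WLAN-ZONE
vlan 101
 name VAP-CORP
vlan 102
 name VAP-GUEST
!
interface GigabitEthernet1/0/1
 description SonicPoint ACi, floor 2 east (record the AP MAC on the floor plan)
 !
 ! --- VAP VLANs: trunk, with the WLAN-zone VLAN untagged as the native VLAN so the SonicPoint
 ! is discovered and provisioned before any VAP/VLAN exists on it. The encapsulation command is
 ! only accepted on platforms that also support ISL; omit it on dot1q-only switches.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100-102
 ! No DTP trunk negotiation toward the access point.
 switchport nonegotiate
 !
 ! --- Spanning-Tree: skip the listening/learning delay on this edge port. 'portfast trunk' is
 ! the form required on a trunk port. BPDU guard (hardening beyond the guide) err-disables the
 ! port if a switch, rather than the SonicPoint, is ever plugged in here.
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 !
 ! --- Port-Aggregation: ensure no PAgP/LACP channel is bound to this port.
 no channel-group
 !
 ! --- Broadcast Throttling/Broadcast Storm: no storm control on the SonicPoint port.
 no storm-control broadcast level
 no storm-control multicast level
 !
 ! --- Speed and Duplex: SonicPoints only auto-negotiate.
 speed auto
 duplex auto
 !
 ! --- PoE+: reserve the full 802.3at Type 2 budget (30 W at the PSE) for this port up front,
 ! rather than letting the switch allocate power after PD classification.
 power inline static max 30000
!
! The uplink toward the firewall's WLAN-zone interface must carry the same VLAN set with the
! same native VLAN; otherwise SDP/SSPP arrives tagged and the SonicPoint is never acquired.
interface GigabitEthernet1/0/48
 description Uplink to SonicWall WLAN zone interface
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100-102
 switchport nonegotiate
```

After applying it, confirm the port reserved the power you expect with `show power inline GigabitEthernet1/0/1`, confirm portfast took effect with `show spanning-tree interface GigabitEthernet1/0/1 portfast`, and use `show interfaces GigabitEthernet1/0/1 counters errors` as the duplex check the Speed and Duplex section describes. On the firewall side, the WLAN zone interface must allow the number of SonicPoints you plan to attach and the VAP VLAN sub-interfaces must use IDs 101 and 102, not the parent interface and not the default VLAN.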

Troubleshooting

When creating a Wireless zone and interface, make sure to configure the interface for the number of SonicPoints you wish to support—new interfaces are set to No SonicPoints by default. If you do not do this, the network security appliance will not create the necessary DHCP scope and will not acquire any SonicPoints added to the interface.
If you added SonicPoints and only a certain number were detected and acquired, check interface settings as noted above, as it might be set for too few SonicPoints.
If throughput seems sluggish, check how many SonicPoints you have on an interface — in large deployments it’s advisable to spread them across more than one. Try to limit the interfaces to a 4-to-1 oversubscription ratio. For example, if you have a 100Mbps interface, you can safely attach up to 20 SonicPoints to it and expect reasonable performance.
The throughput speed on SonicPoints can vary and is limited by the specifications found in the IEEE 802.11 standards: 802.11a/b/g/n/ac.
Make sure your security zone (the default WLAN, or your own custom wireless zone) has the right settings—they might be blocking traffic for various reasons.
If the SonicPoints are not being acquired, check the DHCP scopes; they might be off or missing entirely.
Stuck in provisioning mode? Unplug, clear the profile configuration, reboot, and plug back in.
For a SonicPoint to be discovered and provisioned, the SonicWall network security appliance must be connected to the Internet.
On older model SonicPoints, it is NOT advisable to use the same SSID for the 802.11bg and the 802.11a radios, as clients with tri-band cards might experience disconnect issues—name them separately.
If a SonicPoint cannot find a SonicWall network security appliance, you might have issues as all of the SonicPoints revert to the same default IP address of 192.168.1.20/24.
When troubleshooting wireless issues, logging, Syslog, and SNMP are your friends—SonicWall’s Global Management System (GMS) package can centralize all of these for all of your SonicWall devices, regardless of location. A free alternative is Kiwi’s Syslog Server that can accept Syslog streams and SNMP traps from all SonicWall network security appliances. The most current version can be found here: http://www.kiwisyslog.com/
Check the network cabling: Is shielded or unshielded TP cable being used?

Troubleshooting Older SonicPoints

If you have an older SonicPoint and it is consistently port flapping, does not power up at all, is stuck reboot cycling, or reports in the GUI as stuck in provisioning, check to see if you are running a current version of the firmware and the SonicWall network appliance has public internet access. You may need a newer SonicPoint.

Resetting the SonicPoint

The SonicPoint has a reset switch inside a small hole in the back of the unit, next to the console port. You can reset the SonicPoint at any time by pressing the reset switch with a straightened paperclip, a tooth pick, or other small, straight object.

The reset button resets the configuration of the mode the SonicPoint is operating in to the factory defaults. It does not reset the configuration for the other mode. Depending on the mode the SonicPoint is operating in, and the amount of time you press the reset button, the SonicPoint behaves in one of the following ways:

Press the reset button for at least three seconds, but less than eight seconds, with the SonicPoint operating in Managed Mode to reset the Managed Mode configuration to factory defaults and reboot the SonicPoint.
Press the reset button for more than eight seconds with the SonicPoint operating in Managed Mode to reset the Managed Mode configuration to factory defaults and reboot the SonicPoint in SafeMode.
Press the reset button for at least three seconds, to reset the configuration to factory defaults and reboot the SonicPoint.

Switch Programming Tips

Sample HP ProCurve switch commands (per-interface)
name 'link to SonicPoint X'
no lacp
no cdp
power critical
no power-pre-std-detect (note: global command)
speed-duplex 100-half (note: only if you are seeing FCS errors)
spanning-tree xx admin-edge-port (note: replace xx with port number)
mdix-mode mdix
Sample Dell switch configuration (per interface)
spanning-tree portfast
no back-pressure
no channel-group
duplex half (note: only if you are seeing FCS errors)
speed 100
no flowcontrol
no gvrp enable
no lldp enable
mdix on
mdix auto
no port storm-control broadcast enable
Sample D-Link switch configuration

The D-Link PoE switches do not have a CLI, so you need to use their web GUI.

* 
NOTE: If you are using multicast in your environment, check with D-Link for the recommended firmware version.

Disable spanning-tree, broadcast storm control, LLDP, and the Safeguard Engine on the switch before adding SonicPoints to the switch, as all may impact their successful provisioning, configuration, and functionality.

SonicPoint Provisioning Profiles

For a SonicPoint overview, see About SonicPoints.

Provisioning Overview

When a SonicPoint unit is first connected and powered up, it has a factory default configuration (IP address: 192.168.1.20, username: admin, password: password). Upon initializing, the unit attempts to find a SonicOS device with which to peer.

If the SonicPoint does locate, or is located by, a peer SonicOS device, through the SonicWall Discovery Protocol, an encrypted exchange between the two units ensues wherein the profile assigned to the relevant Wireless zone is used to automatically configure (provision) the newly added SonicPoint unit.

As part of the provisioning process, SonicOS assigns the discovered SonicPoint device a unique name, and records its MAC address and the interface and zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS then uses the profile associated with the relevant zone to configure the 2.4GHz and 5GHz radio settings.

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation.

After you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless zone can be configured with one SonicPoint profile. Any profile can apply to any number of zones. Then, when a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone.

SonicOS includes default profiles for three generations of SonicPoints: SonicPointACe/ACi/N2, SonicPoint NDR/Ne/Ni and SonicPoint N. You can modify these profiles or create new ones.

Modifications to profiles do not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways:

Via manual configuration changes—Appropriate when a single change, or a small set of changes, is to be made, particularly when that individual SonicPoint requires settings that differ from the profile assigned to its zone.
Via un-provisioning—Deleting a SonicPoint unit effectively un-provisions the unit, that is, clears its configuration and places it into a state where it automatically engages the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed and the change is to be propagated. It can be used to update firmware on SonicPoints, or simply to update multiple SonicPoint units automatically in a controlled fashion, rather than changing all peered SonicPoints at the same time, which can cause service disruptions.

To configure SonicPoint profiles, see Configuring a SonicPoint Profile.

Updating SonicPoint Firmware

Not all SonicOS firmware contains an image of the SonicPoint firmware. To check, scroll to the bottom of the SonicPoint > SonicPoints page and look for the Download link.

If your SonicWall appliance has Internet connectivity, it will automatically download the correct version of the SonicPoint image from the firewall server when you connect a SonicPoint.

If your SonicWall appliance does not have Internet access, or has access only through a proxy server, you must update the SonicPoint image manually.

To manually update SonicPoint firmware:
1
Download the SonicPoint image from http://www.mysonicwall.com to a local system with Internet access.

You can download the SonicPoint image from one of the following locations:

On the same page where you can download the SonicOS firmware
On the Download Center page, by selecting SonicPoint in the Type drop-down menu
2
Load the SonicPoint image onto a local Web server that is reachable by your SonicWall appliance.

You can change the file name of the SonicPoint image, but you should keep the extension intact (for example, .bin.sig).

3
In the SonicOS user interface on your SonicWall appliance, in the navigation pane, click System > Administration.
4
In the System > Administration page, under Download URL section, select the appropriate checkbox for the SonicPoint image to download (you can download more than one image):
Manually specify SonicPoint-N image URL (http://)
Manually specify SonicPoint-Ni/Ne image URL (http://)
Manually specify SonicPoint-NDR image URL (http://)
Manually specify SonicPoint-ACe/ACi/N2 image URL (http://)
5
In the field(s), type the URL for the SonicPoint image file on your local Web server.
* 
NOTE: When typing the URL for the SonicPoint image file, do NOT include http:// in the field.
6
Click Accept.

SonicPoint N, SonicPointNDR, SonicPoint AC States

* 
NOTE: SonicPoint ACs are supported on appliances running SonicOS 6.2.2 and above.

SonicPoint N, SonicPointNDR, and SonicPoint AC devices can function in and report the following states (in all states listed as follows, SonicPoint refers to SonicPoint N, SonicPointNDR, and SonicPoint AC devices):

Initializing—The state when a SonicPoint starts up and advertises itself through SDP prior to it entering into an operational mode.
Operational—After the SonicPoint has peered with a SonicOS device and has its configuration validated, it enters an operational state and is ready for clients.
Provisioning—If the SonicPoint configuration requires an update, the SonicOS device engages an SSPP channel to update the SonicPoint. During this brief process it enters the provisioning state.
SafeMode—SafeMode can be engaged by depressing the reset button, or from the SonicOS peer device. Placing a SonicPoint into SafeMode returns its configuration to defaults, disables the radios, and disables SDP. The SonicPoint must then be rebooted to enter a functional state.
Non-Responsive—If a SonicOS device loses communications with a previously peered SonicPoint, it reports its state as non-responsive. It remains in this state until either communications are restored, or the SonicPoint is deleted from the SonicOS device’s table.
Updating Firmware—If the SonicOS device detects that it has a firmware update available for a SonicPoint, it uses SSPP to update the SonicPoint’s firmware.
Downloading Firmware—The SonicWall appliance is downloading new SonicPoint firmware from the configured URL that you can customize.
Downloading Failed—The SonicWall appliance cannot download the SonicPoint firmware from the configured URL.
Writing Firmware—While the SonicPoint is writing new firmware to its flash, the progress is displayed as a percentage in the SonicOS management interface in the SonicPoint status field.
Over-Limit—By default, up to two SonicPoint devices can be attached to the Wireless zone interface. If more than two units are detected, the over-limit devices report an over-limit state and do not enter an operational mode. The number can be reduced from two as needed.
Rebooting—After a firmware or configuration update, the SonicPoint announces that it is about to reboot, and then does so.
Firmware failed—If a firmware update fails, the SonicPoint reports the failure, and then reboots.
Provision failed—In the unlikely event that a provision attempt from a SonicOS device fails, the SonicPoint reports the failure. So as not to enter into an endless loop, it can then be manually rebooted, manually reconfigured, or deleted and re-provisioned.

SonicPoint Auto Provisioning

Automatic Provisioning (SDP & SSPP)

The SonicWall Discovery Protocol (SDP) is a layer 2 protocol employed by SonicPoints and devices running SonicOS. SDP is the foundation for the automatic provisioning of SonicPoint units via the following messages:

Advertisement – SonicPoints without a peer periodically and on startup announce or advertise themselves via a broadcast. The advertisement includes information that is used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS device then reports the state of all peered SonicPoints and takes configuration actions as needed.
Discovery – SonicOS devices periodically send discovery request broadcasts to elicit responses from L2 connected SonicPoint units.
Configure Directive – A unicast message from a SonicOS device to a specific SonicPoint to establish encryption keys for provisioning and to set the parameters for and to engage configuration mode.
Configure Acknowledgement – A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.
Keepalive – A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.

If, through the SDP exchange, the SonicOS device ascertains that the SonicPoint requires provisioning or a configuration update (for example, when it detects a checksum mismatch or when a firmware update is available), the Configure Directive engages a 3DES-encrypted, reliable TCP-based SonicWall Simple Provisioning Protocol (SSPP) channel. The SonicOS device then sends the update to the SonicPoint through this channel, and the SonicPoint restarts with the updated configuration. State information is provided by the SonicPoint and is viewable on the SonicOS device throughout the entire discovery and provisioning process.
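The exchange described above, modelled as an added example (not SonicWall code): it follows the SDP message sequence and the states the SonicOS side reports per SonicPoint (Initializing, Provisioning, Operational, Over-Limit, Non-Responsive), with a sha256 checksum and a keepalive tolerance of three standing in for details the page does not give; the real wire format and the 3DES SSPP channel are not implemented.

```python
"""Constructed model of the SDP/SSPP provisioning flow. Added example, not
SonicWall code: only the message sequence and the reported states are
modelled; wire format, the 3DES SSPP channel and key setup are not."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json


class State(Enum):
    INITIALIZING = "Initializing"
    OPERATIONAL = "Operational"
    PROVISIONING = "Provisioning"
    NON_RESPONSIVE = "Non-Responsive"
    OVER_LIMIT = "Over-Limit"


def config_checksum(config: dict) -> str:
    """Checksum over a configuration; a mismatch between the zone profile
    and what a SonicPoint advertises is one trigger for provisioning."""
    canon = json.dumps(config, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


@dataclass
class SonicPoint:
    """Access point side: holds its current (possibly stale) configuration."""
    mac: str
    config: dict = field(default_factory=dict)

    def advertisement(self) -> dict:
        # SDP Advertisement broadcast: on startup and periodically while unpeered.
        return {"type": "Advertisement", "mac": self.mac,
                "checksum": config_checksum(self.config)}

    def on_configure_directive(self, directive: dict) -> dict:
        # Configure Acknowledgement (unicast); SSPP keys would be agreed here.
        return {"type": "Configure Ack", "mac": self.mac,
                "session": directive["session"]}

    def apply_sspp_update(self, new_config: dict) -> None:
        # Update received over the (modelled) SSPP channel; the AP then restarts.
        self.config = dict(new_config)


@dataclass
class Peer:
    state: State
    missed_keepalives: int = 0


@dataclass
class Controller:
    """SonicOS side: zone profile, peer table and per-interface SonicPoint limit."""
    profile: dict
    sonicpoint_limit: int = 2       # the page's default per wireless interface
    keepalive_tolerance: int = 3    # assumed value; the page gives no number
    peers: dict = field(default_factory=dict)

    def _active(self) -> int:
        return sum(1 for p in self.peers.values() if p.state is not State.OVER_LIMIT)

    def on_advertisement(self, adv: dict):
        """Returns (reported state, unicast Configure Directive or None)."""
        mac = adv["mac"]
        peer = self.peers.get(mac)
        if peer is None:
            if self._active() >= self.sonicpoint_limit:
                self.peers[mac] = Peer(State.OVER_LIMIT)   # never goes operational
                return State.OVER_LIMIT, None
            peer = self.peers[mac] = Peer(State.INITIALIZING)
        peer.missed_keepalives = 0
        if adv["checksum"] != config_checksum(self.profile):
            peer.state = State.PROVISIONING
            session = hashlib.sha256(mac.encode()).hexdigest()[:8]  # key-setup stand-in
            return State.PROVISIONING, {"type": "Configure Directive",
                                        "mac": mac, "session": session}
        peer.state = State.OPERATIONAL
        return State.OPERATIONAL, None

    def on_configure_ack(self, ack: dict) -> dict:
        """After the ack the update goes over SSPP; here it is just the profile."""
        return dict(self.profile)

    def keepalive_tick(self, mac: str, received: bool) -> State:
        """Called once per keepalive interval; drops or restores the peer."""
        peer = self.peers[mac]
        if received:
            peer.missed_keepalives = 0
            if peer.state is State.NON_RESPONSIVE:   # communications restored
                peer.state = State.OPERATIONAL
        else:
            peer.missed_keepalives += 1
            if peer.missed_keepalives >= self.keepalive_tolerance:
                peer.state = State.NON_RESPONSIVE
        return peer.state


def provision(ctrl: Controller, ap: SonicPoint) -> list:
    """Drive one SonicPoint through discovery; returns the states reported."""
    state, directive = ctrl.on_advertisement(ap.advertisement())
    trail = [state]
    if directive is not None:
        ap.apply_sspp_update(ctrl.on_configure_ack(ap.on_configure_directive(directive)))
        # After the restart the AP advertises the checksum of its new configuration.
        trail.append(ctrl.on_advertisement(ap.advertisement())[0])
    return trail
```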

Enabling Auto Provisioning

SonicPoint Auto Provisioning can be enabled to automatically provision the following wireless SonicPoint provisioning profiles:

SonicPoint
SonicPoint N
SonicPointNDR
SonicPoint AC

Initial configuration of a wireless SonicPoint is provisioned from a SonicPoint profile that is attached to the wireless LAN managing zone. After a wireless SonicPoint is provisioned, the profile remains an offline configuration template that is not directly associated with any SonicPoint. So, modifying a profile does not automatically trigger reprovisioning of a SonicPoint.

Before SonicPoint Auto Provisioning was introduced, administrators had to manually delete all SonicPoints, and then synchronize new SonicPoints to the profile, which was time consuming. To simplify configuration and ease management overhead, SonicPoint Auto Provisioning was introduced.

Checkboxes to enable Auto Provisioning for each of the SonicPoint Provisioning Profiles are provided in the Network > Zones > Configure > Wireless configuration dialog; see Configuring the WLAN Zone. By default, the checkboxes for the SonicPoint Provisioning Profiles are not checked and Auto Provisioning is not enabled.

When the checkbox for a provisioning profile is checked and that profile is changed, all SonicPoints linked to that profile are reprovisioned and rebooted to the new operational state.

Enabling SonicPoint Auto-Provisioning for a WLAN Zone
To enable SonicPoint Auto Provisioning:
1
Navigate to Network > Zones.
2
Click the Edit icon for a WLAN (or any other wireless) SonicPoint profile. The Edit Zone dialog displays.
3
Select the Wireless tab.

4
Under SonicPoint Settings, select Auto Provisioning for each of the SonicPoint Provisioning Profiles you want to be auto provisioned.
5
Click OK.
Remote MAC Access Control for SonicPoints
* 
IMPORTANT: You cannot enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled. If you try to enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled, this error message displays:
Remote MAC address access control can not be set
when IEEE 802.11i EAP is enabled.
* 
NOTE: Remote MAC Access Control is also supported for VAPs. See Remote MAC Access Control for VAPs.

You can enforce radio wireless access control based on a MAC-based authentication policy in a remote RADIUS server. For the procedure for:

SonicPoint Diagnostics Enhancement

A SonicPoint can collect critical runtime data and save it into persistent storage in the global SonicPoint Peer List. If the SonicPoint experiences a failure, the diagnostic enhancement feature allows the managing firewall appliance to retrieve the log data when the SonicPoint reboots. This log data is then incorporated into the Tech Support Report (TSR). For more information regarding the TSR, refer to Tech Support Report.

To enable the SonicPoint-N diagnostic enhancement feature:
1
Navigate to the System > Diagnostics page.
2
Select the SonicPointN Diagnostics checkbox in the Tech Support Report section.
3
Click Accept. You can then generate a TSR with information available for the SonicPoint-N Diagnostics by clicking the Download Report button.
* 
NOTE: To retrieve the latest SonicPoint-N Diagnostics, you may need to re-synchronize your SonicPoint and SonicWall managing appliance to the latest SonicPoint Firmware.

OAuth Social Login and LHM

SonicOS 6.2.7 and later support OAuth and Social Login for social media such as Facebook, Twitter, and Google+. LHM is also supported. For more information, see Configuring Open Authentication, Social Login, and LHM.

SonicPoint Management over SSL VPN

As part of the SonicWall Advanced Management Protocol (SAMP) suite, the SonicWall SSL VPN Based Management Protocol (SSMP) uses the SonicWall SSL VPN solution to provide remote SonicPoint N management. SonicPoint N has an integrated NetExtender client and supports SSL VPN remote access, as SonicPoint N with integrated NetExtender shows.

SonicPoint N with integrated NetExtender

SonicPoint is used as a managed bridge to work with the firewall as a secure wireless solution. The SonicPoint is configured and managed centrally by the SonicWall Gateway. The SonicPoint retrieves the latest firmware and configuration information from the firewall and automatically configures itself.

SAMP manages SonicPoints at Layer 3, and SSMP provides the functionality for running the SonicPoint management protocol over SSL VPN.

Configuring SonicPoint Management over SSL VPN

Creating a WLAN Tunnel Interface

To create a WLAN Tunnel Interface:
1
Go to the Network > Interfaces page,
2
Depending on your appliance, below the Interface Settings table there is either an Add Interface drop-down menu or an Add WLAN Tunnel Interface button. Display the Add WLAN Tunnel Interface dialog by either:

Selecting WLAN Tunnel Interface from the drop-down menu.
Clicking the Add WLAN Tunnel Interface button.

3
Set the Zone field to WLAN. More options appear.

4
Specify a tunnel ID in the Tunnel Id field. The default is 0.
5
Set the Tunnel Source Interface field to the interface used for the SSL VPN tunnel (such as X2).
6
Configure the other fields and options as you wish. You must enter an IP address in the IP Address field. The default is 0.0.0.0.
7
Click OK.

Configuring the SSL VPN Settings

To configure the SSL VPN settings:
1
Go to the SSL VPN > Client Settings page.

2
Click the Configure icon for the Default Device Profile for the SonicPoint in the Default Device Profile section. The Edit Device Profile dialog displays.

* 
NOTE: The Name and Description of the Default Device Profile cannot be changed.
3
For the zone binding for this profile, from the Zone IP V4 drop-down menu, select SSLVPN.
4
In the Network Address IP V4 drop-down menu, select:
The network you want.
IPv4 NetExtender address object that you created previously.
Create new network to create a new network object, then select it.
5
Select SSLVPN or a custom zone from the Zone IP V6 drop-down menu. This is the zone binding for this profile.
6
From the Network Address IP V6 drop-down menu, select the IPv6 NetExtender address object that you created.
7
Click the Client Routes tab.

8
The Client Routes tab allows you to control the network access allowed for SSL VPN users. For configuring this feature, see Configuring the Client Routes Tab.
9
To configure NetExtender client settings, select the Client Settings tab. For the procedure, see Configuring the Client Settings tab.
10
Click OK.

Creating a User for the SSL VPN Client

* 
NOTE: For a complete description of configuring local user settings, see Configuring Local User Settings.
To create a user for an SSL VPN Client:
1
Go to the Users > Local Users page.

2
Click the Add User button or the Edit icon for the user you want to edit. The Add/Edit User dialog displays.

3
Configure the user settings as desired.
4
Click the Groups tab.

5
From the User Groups list, add SSL VPN Services to the Member Of list.
6
Click the VPN Access tab.

7
From the Networks list, add the Subnet of the Interface that WLAN Tunnel interface has been bound to into the Access List. For example, X2 Subnet.
8
Click OK.

SonicPoint Traffic Routing

In addition to the route to the subnet of the WLAN Tunnel Interface (X2 Subnet), you can also add other routes under the Client Route tab of the SSL VPN Edit Device dialog.

Adding other routes enables remote wireless clients to access internal networks through the SSL VPN tunnel between the SonicPoint and SonicOS. Traffic to other destinations is routed locally on the SonicPoint without being tunneled to the SonicOS side.

Provisioning SSL VPN Server Information to SonicPoint

You can provision SSL VPN server information to a SonicPoint on the SonicPoint > SonicPoints > Add SonicPoint … Profile dialog. For further information:

SonicPointACe/ACi/N2, see L3 SSL VPN Tunnel Settings.
SonicPoint N, see L3 SSL VPN Tunnel Settings.

Establishing an SSL VPN Tunnel to a Remote Network

If the remote network site supports DHCP, set the SonicPoint to the factory default settings and connect it to the network. The SonicPoint automatically gets the IP address and the Gateway from DHCP. The SSL VPN server information is saved when the factory default settings are in place. After the SonicPoint gets its DHCP lease, it connects to the remote SonicWall Gateway.

If the remote network site does not support DHCP, set the SonicPoint to the factory default settings and set the network parameters. Then the SonicPoint automatically connects to the remote SonicWall Gateway.

SonicPoint Layer 3 Management

This section provides an introduction to the SonicPoint Layer 3 Management feature.

What is SonicPoint Layer 3 Management?

In previous releases, the SonicWall security appliance and the SonicPoints that it manages had to be in the same Layer 2 network, which limits the scalability of networks, especially enterprise networks.

SonicPoint Layer 3 Management provides a wireless solution that can be easily scaled from small to large while maintaining the centralized SonicOS network security protection and providing flexible policy control.

Benefits

SonicPoint Layer 3 Management offers the following benefits:

Simplifies the management of multiple wireless networks. SonicPoints located at multiple locations are managed by a single SonicWall security appliance.
Reduces the number of NetExtender licenses and sessions. All remote users are tunneled over a single NetExtender session.

Supported Platforms

SonicPoint Layer 3 Management is supported on all SonicWall security appliances that can provision SonicPoints.

Layer 3 Management Protocols

CAPWAP

The Controlling and Provisioning of Wireless Access Points (CAPWAP) protocol is a standard, interoperable protocol that enables an Access Controller (in this case, the SonicWall security appliance) to manage a collection of Wireless Termination Points (SonicPoints) independent of Layer 2 technology. CAPWAP is defined in RFC 5415: http://www.ietf.org/rfc/rfc5415.txt

SonicWall CAPWAP supports both Layer 2 and Layer 3 management.

SAMP

The SonicWall Advanced Management Protocol (SAMP) suite consists of these three protocols:

SonicWall DHCP-based Discovery Protocol (SDDP) - SDDP enables the SonicWall security appliance and the SonicPoints to discover each other automatically across Layer 3 networks. The appliance acts as the DHCP server and the SonicPoint acts as the DHCP client. Any routers or other network devices between the appliance and the SonicPoint must be configured to allow DHCP relay.
SonicWall Control and Provisioning Wireless Access Point (SCAPWAP) - SCAPWAP is a SonicWall extension of CAPWAP that is customized for SonicWall products. The SonicWall network security appliance gateway manages the SonicPoints using SCAPWAP, independent of Layer 2 and Layer 3 networks. The SonicWall security appliance and the SonicPoints must be configured to perform mutual authentication using either a pre-shared key or public key-based certificates.
SonicWall SSLVPN-based Management Protocol (SSMP) - SSMP is based on the SonicWall SSL VPN infrastructure and enables the SonicPoints to be managed over the Internet by a SonicWall security appliance. In this case, a single NetExtender SSL VPN tunnel is established between the appliance and the SonicPoint. All of a user’s SonicPoint traffic to the appliance is tunneled over this single NetExtender session.

How SonicPoint Layer 3 Management Works

SonicPoint Layer 3 Management provides a broader wireless solution for both local and remote networks and for both small and large deployments—all with centralized SonicOS network security protection and flexible policy control.

The following three SonicPoint deployment scenarios are supported:

Local Layer 2 Management – When a SonicWall network security appliance and its SonicPoints are deployed in the same Layer 2 network, the existing Layer 2 discovery protocol, SDP, is used to manage the access points.
Local Layer 3 Management – When SonicPoints are deployed outside of the Layer 2 network, but within the same Intranet as the SonicWall security appliance (for example when there is a third-party router between the SonicWall security appliance and the SonicPoints), Layer 3 management protocols can be used to manage the access points.
Remote Layer 3 Management – When SonicPoints are deployed in a remote site across the Internet cloud, Layer 3 management can be used to manage the remote network access points. A single SSL VPN NetExtender tunnel is established between the SonicPoint and the remote SonicWall security appliance. Individual wireless clients do not need to install and launch NetExtender to establish an SSL VPN tunnel; all the wireless clients share the same VPN tunnel. This reduces the number of NetExtender licenses required on the SonicWall security appliance. It also eliminates the need to establish individual tunnels for each SonicPoint.

Configuring SonicPoint Layer 3 Management

Configuring Basic SonicPoint Layer 3 Management

A basic SonicPoint Layer 3 Management scenario is shown in Basic SonicPoint Layer 3 Management scenario. The SonicPoints are connected to a third-party router that is connected over the LAN zone to the SonicWall security appliance.

Basic SonicPoint Layer 3 Management scenario

Configuring SonicPoint Layer 3 Management requires configurations across several pages of the SonicOS UI. Thus, to configure this scenario, the configuration is divided into the following steps:

Configuring the Access Controller Interface

This procedure shows how to configure the access controller interface for the X4 interface.

To configure an interface on a SonicWall security appliance that is connected to a third-party router:
1
Navigate to the Network > Interfaces page.

2
Click the Configure icon for the X4 interface. The Edit Interface dialog appears.

3
Select LAN from the Zone drop-down menu. More options appear.

4
From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default value.
5
In the IP Address field, enter the IP address of the interface; for example, 10.10.10.1. A default value of 0.0.0.0 is displayed.
6
In the Subnet Mask field, enter the subnet mask for the interface; for example, 255.255.255.0 (this is the default value).
7
Optionally, enter a comment in the Comment field. This comment displays in the Comment column of the Interface Settings table of Network > Interfaces.
8
Select one or more types of web management for this interface:
HTTPS – Enables remote management of the SonicWall through the HTTPS protocol.
* 
TIP: If you select HTTPS, the Add rule to enable redirect from HTTP to HTTPS option is enabled automatically. For more information about this option, see HTTP/HTTPS Redirection.
Ping – Enables remote management of the SonicWall through the Ping protocol.
SNMP – Enables remote management of the SonicWall through the SNMP protocol.
SSH – Enables remote management of the SonicWall through the SSH protocol.
* 
IMPORTANT: If you do not enable web management here, you must enable it on another interface. A warning message appears if you leave the window without enabling at least one web management protocol.
9
Optionally, select HTTPS for User Login to enable users with management rights to log in to the SonicWall. The Add rule to enable redirect from HTTP to HTTPS is also selected automatically. For more information about this option, see HTTP/HTTPS Redirection.
* 
NOTE: If you select HTTP, the Add rule to enable redirect from HTTP to HTTPS option becomes dimmed (unavailable).
10
Click OK.
Configuring the DHCP Server
To configure a DHCP Option Object for CAPWAP and a DHCP pool of IP addresses for the SonicPoints behind a third-party router:
1
Navigate to the Network > DHCP Server page.

2
Click the Advanced button. The DHCP Advanced Settings dialog displays.

3
Click Add Option. The Add DHCP Option Object dialog displays.

4
In the Option Name field, enter a descriptive name for the DHCP option object, such as CAPWAP addr list.
5
From the Option Number drop-down menu, select 138 (CAPWAP AC IPv4 Address List). The Option Array checkbox becomes active, and the Option Type drop-down menu is set to IP Address and dimmed.
6
Select the Option Array checkbox.
7
In the Option Value field, enter the IP address for the X0 interface you configured in Configuring the Access Controller Interface. For example, 10.10.10.1.
8
Click OK. The new Option Object is displayed in the Option Objects section of the DHCP Advanced Settings dialog.

9
Click OK.
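The Option Object built above is carried to the SonicPoints as DHCP option 138 (CAPWAP AC IPv4 Address List, RFC 5417). The following added example (not SonicWall code) encodes that option, parses a DHCP options field and checks that an offer captured on the SonicPoints' subnet points at the intended access-controller address; the sample options field is constructed to match the scenario's 10.10.10.1 value.

```python
"""Added example (not SonicWall code): encode and check the DHCP option 138
value (CAPWAP AC IPv4 Address List, RFC 5417) that the Option Object above
delivers to SonicPoints behind a third-party router."""
import ipaddress

CAPWAP_AC_V4 = 138   # option number selected in step 5 above


def encode_option_138(ac_addresses):
    """Return the on-wire option: code, length, one 4-byte address per AC.
    With the Option Array setting several addresses go into one option."""
    if not ac_addresses:
        raise ValueError("option 138 needs at least one address")
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    if len(payload) > 255:
        raise ValueError("too many addresses for a single DHCP option")
    return bytes([CAPWAP_AC_V4, len(payload)]) + payload


def parse_dhcp_options(blob):
    """Walk the DHCP options field (the part after the magic cookie) into
    {code: value}. Pad (0) is skipped and End (255) stops the walk; a
    truncated option raises rather than being silently accepted."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:            # Pad option, single byte
            i += 1
            continue
        if code == 255:          # End option
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value       # repeated/long options (RFC 3396) not merged here
        i += 2 + length
    return opts


def capwap_ac_addresses(options):
    """Decode option 138; RFC 5417 requires length >= 4 and a multiple of 4."""
    raw = options.get(CAPWAP_AC_V4)
    if raw is None:
        return []
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("option 138 length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4]))
            for k in range(0, len(raw), 4)]


def offer_points_to(blob, expected_acs):
    """True when the offer's option 138 lists exactly the expected AC(s)."""
    return capwap_ac_addresses(parse_dhcp_options(blob)) == list(expected_acs)


# Constructed options field of a DHCPOFFER for the scenario above: message
# type, subnet mask, router, the CAPWAP AC list (10.10.10.1), then End.
SAMPLE_OFFER_OPTIONS = (
    bytes([53, 1, 2])                      # DHCP Message Type = Offer
    + bytes([1, 4, 255, 255, 255, 0])      # Subnet Mask
    + bytes([3, 4, 10, 10, 20, 1])         # Router (constructed value)
    + encode_option_138(["10.10.10.1"])    # option 138 from the procedure
    + b"\xff"                              # End
)
```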
Configuring a DHCP Pool of Addresses
To configure a DHCP pool of addresses for the SonicPoints behind the router:
1
Navigate to the DHCPv4 Server Lease Scopes table of the Network > DHCP Server page.

2
Click Add Dynamic. The Dynamic Range Configuration dialog displays.

3
Select the Enable this DHCP Scope checkbox. This is selected by default.
4
Enter the appropriate IP addresses or values in the Range Start and Range End fields.
5
Enter the lease time in the Lease Time (minutes) field. The default is 1440 minutes.
6
Enter the default gateway IP address in the Default Gateway field.
7
Enter the subnet mask in the Subnet Mask field.
8
Optionally, enter a comment in the Comment field.
9
Click the Advanced tab.

10
In the DHCP Generic Option Group drop-down menu, select the DHCP Option Object you created in Configuring the DHCP Server.
11
Select the Send Generic options always option.
12
Click OK. The DHCPv4 Server Lease Scopes table is updated.
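The two procedures above create a CAPWAP option object (DHCP option 138) and a dynamic scope that delivers it. The following Python script is an added example, not SonicOS code or anything taken from the guide: it shows what option 138 looks like on the wire (RFC 5417, one or more 4-byte IPv4 access-controller addresses behind a code and length byte) and performs the consistency checks that the Dynamic Range Configuration dialog leaves to the administrator: both range endpoints inside the gateway's subnet, start before end, and the gateway (plus any relay or other reserved address) kept out of the leased range. The addresses are the page's example values; the function names are this example's own.

```python
"""Encode/decode DHCP option 138 and sanity-check a dynamic scope (example code)."""
import ipaddress
import struct

CAPWAP_AC_IPV4_OPTION = 138  # RFC 5417: CAPWAP Access Controller IPv4 address list


def encode_capwap_option(controllers):
    """Encode option 138 as the on-the-wire TLV: code, length, then 4 bytes per controller.

    This is what the 'Option Array' of IP Address values becomes inside a DHCPOFFER/DHCPACK.
    """
    if not controllers:
        raise ValueError("option 138 needs at least one access-controller address")
    body = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(body) > 255:
        raise ValueError("too many controller addresses for a single DHCP option")
    return struct.pack("!BB", CAPWAP_AC_IPV4_OPTION, len(body)) + body


def decode_capwap_option(tlv):
    """Parse option 138 back into dotted addresses, rejecting malformed lengths."""
    code, length = struct.unpack("!BB", tlv[:2])
    if code != CAPWAP_AC_IPV4_OPTION:
        raise ValueError(f"not option 138: got code {code}")
    body = tlv[2:2 + length]
    if len(body) != length or length == 0 or length % 4 != 0:
        raise ValueError("option 138 length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def check_scope(range_start, range_end, default_gateway, subnet_mask, reserved=()):
    """Return the problems found in a dynamic scope; an empty list means it is consistent.

    Mirrors the checks an administrator makes by hand in the Dynamic Range Configuration
    dialog: both ends of the range must lie in the gateway's subnet, start <= end, and the
    gateway and any reserved addresses (for example a relay agent address) must not be leased.
    """
    problems = []
    gw = ipaddress.IPv4Address(default_gateway)
    net = ipaddress.IPv4Network(f"{gw}/{subnet_mask}", strict=False)
    start, end = ipaddress.IPv4Address(range_start), ipaddress.IPv4Address(range_end)
    if start > end:
        problems.append("range start is after range end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside {net}")
    for addr in (gw, *map(ipaddress.IPv4Address, reserved)):
        if start <= addr <= end:
            problems.append(f"{addr} lies inside the dynamic range and would be leased to a client")
    return problems


if __name__ == "__main__":
    # X0 address from the page's scenario as the single access controller.
    opt = encode_capwap_option(["10.10.10.1"])
    print(opt.hex(), decode_capwap_option(opt))
    # Scope from the remote-router scenario: 30.30.30.2-100 behind gateway 30.30.30.1.
    print(check_scope("30.30.30.2", "30.30.30.100", "30.30.30.1", "255.255.255.0"))
```

Run it directly to see the hex of the option and the (empty) problem list for the page's example scope; feed it a range that crosses the subnet boundary or includes the gateway and the problems are listed instead.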
Configuring the WLAN Tunnel Interface
To configure a WLAN tunnel interface and assign it to the X4 interface:
1
Navigate to the Network > Interfaces page.
2
From the Add Interface drop-down menu, select Tunnel Interface. The Add Tunnel Interface dialog appears.
3
From the Zone menu, select WLAN. The options change.
4
Enter the Tunnel ID in the Tunnel ID field. The default is 0.
5
From the Tunnel Source Interface drop-down menu, select the interface, such as X4 in this scenario.
6
From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.
7
In the IP Address field, enter the IP address for the WLAN tunnel interface. For example, 172.17.31.1.
8
In the Subnet Mask box, enter the subnet mask. The default is 255.255.255.0.
9
From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints for this interface. The defaults are dependent upon the type of SonicPoints being used.
10
(Optional) In the Comment field, enter a descriptive comment. This comment is displayed in the Comment field.
11
If you did not specify a web management protocol in Configuring the Access Controller Interface, select one or more Management options: HTTPS, Ping, SNMP, SSH.
* 
TIP: If you select HTTPS, the Add rule to enable redirect from HTTP to HTTPS option is enabled automatically. For more information about this option, see HTTP/HTTPS Redirection.
* 
IMPORTANT: If you do not enable web management here, you must enable it on another interface. A warning message appears if you leave the window without enabling at least one web management protocol.
12
If you did not specify a login protocol in Configuring the Access Controller Interface, optionally select HTTPS for User Login to enable users with management rights to log in to the SonicWall. The HTTP option is dimmed (unavailable).
13
If you did not select HTTPS for Management, but did select HTTPS for User Login, to enable users logging in from HTTP to be redirected to HTTPS, select Add rule to enable redirect from HTTP to HTTPS. For more information about this option, see HTTP/HTTPS Redirection.
14
Click OK. The Interface Settings table is updated.
* 
NOTE: A default DHCP IP address pool, such as 172.17.31.1/24, is automatically created for wireless clients.
15
To verify, navigate to the Firewall > Access Rules page. You should see a Layer 3 Management option in the Access Rules table.
Adding a Route Policy
To configure a route policy that forwards all packets intended for a Layer 3 SonicPoint network to the default gateway:
1
Navigate to the Network > Routing page.
2
In the Route Policies table, click Add…. The Add Route Policy dialog displays.
3
From the Source drop-down menu, select Any. This is the default.
4
From the Destination drop-down menu, select the address object of the default gateway. The default is Any.
5
From the Service drop-down menu, select a service object. The default is Any.
6
From the Gateway drop-down menu, select an address object. The default is 0.0.0.0.
7
From the Interface drop-down menu, select an interface. For this scenario, select X4.
8
In the Metric field, enter 1. The minimum value is 1, the maximum is 254, and the default is 1.

A metric is a weighted cost assigned to static and dynamic routes. Lower metric costs are considered better and take precedence over higher costs. SonicOS adheres to Cisco-defined metric values for directly connected interfaces, statically encoded routes, and all dynamic IP routing protocols.

9
Click OK. The Route Policies table is updated.
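To make the metric rule above concrete, here is an added Python example (not SonicOS code, and not a model of the SonicOS policy-based routing engine, which also matches on source and service) of the generic lookup that the metric feeds into: the most specific prefix wins, and among routes to the same prefix the lower metric is preferred. The route table is constructed for this example in the shape of the scenario (a policy route toward the SonicPoint network behind the third-party router via X4, a costlier backup via X1, and a default route); the 203.0.113.x address is a documentation address, not a value from the page.

```python
"""Route selection over a small policy-route table: longest prefix, then lowest metric."""
import ipaddress

METRIC_MIN, METRIC_MAX = 1, 254   # the range the Add Route Policy dialog accepts

# Constructed table (example data, not a SonicOS export).
ROUTES = [
    {"destination": "0.0.0.0/0",     "gateway": "203.0.113.1", "interface": "X1", "metric": 20},
    {"destination": "30.30.30.0/24", "gateway": "10.10.10.2",  "interface": "X4", "metric": 1},
    {"destination": "30.30.30.0/24", "gateway": "203.0.113.1", "interface": "X1", "metric": 5},
    {"destination": "10.10.10.0/24", "gateway": "0.0.0.0",     "interface": "X4", "metric": 1},
]


def validate_route(route):
    """Reject a policy whose metric or destination prefix the dialog would not accept."""
    if not METRIC_MIN <= route["metric"] <= METRIC_MAX:
        raise ValueError(f"metric {route['metric']} outside {METRIC_MIN}..{METRIC_MAX}")
    ipaddress.IPv4Network(route["destination"])   # raises on a malformed prefix
    return route


def best_route(routes, dst_ip):
    """Return the winning route for dst_ip, or None if no prefix covers it."""
    dst = ipaddress.IPv4Address(dst_ip)
    matches = [r for r in routes if dst in ipaddress.IPv4Network(r["destination"])]
    if not matches:
        return None
    # More specific prefix first; among equal prefixes the lower metric is the better route.
    return min(matches, key=lambda r: (-ipaddress.IPv4Network(r["destination"]).prefixlen,
                                       r["metric"]))


if __name__ == "__main__":
    for r in ROUTES:
        validate_route(r)
    for dst in ("30.30.30.50", "192.0.2.9", "10.10.10.2"):
        print(dst, "->", best_route(ROUTES, dst))
```

With this table a packet for a SonicPoint at 30.30.30.50 leaves via X4 with metric 1 even though a metric-5 route to the same prefix and a default route also match; removing the X4 route makes the X1 backup take over.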
Configuring a Remote Router Connected to SonicPoints
To configure a third-party router that is connected to a SonicWall security interface at one end and to SonicPoints at the other end:
1
For the interface on the remote router that is connected to the SonicWall security appliance, configure the IP address 10.10.10.2/24.
2
For the interface on the remote router that is connected to the SonicPoint, configure the IP address 30.30.30.1/24.
3
Configure a DHCP relay policy from the interface connected to the SonicPoint to the X4 interface on the SonicWall security appliance that has the IP address 10.10.10.1.
Configuring SonicPoint Virtual Access Points for Layer 3 Management

This scenario extends the previous example, Configuring Basic SonicPoint Layer 3 Management, by adding Virtual Access Points (VAPs) for the SonicPoints. See Basic SonicPoint Layer 3 Management scenario.

To configure VAPs for SonicPoint Layer 3 Management:

For more information about VAPs and configuring them, see SonicPoint > Virtual Access Point.

Configuring a WLAN Interface for VAPs
To configure a WLAN interface for the VAPs:
1
Navigate to the Network > Interfaces page.
2
From the Add Interface drop-down menu, select Virtual Interface. The Add Interface dialog appears.
3
From the Zone drop-down menu, select WLAN. More options appear.
4
In the VLAN Tag field, enter 4. The default is 0. The VLAN Tag is used to identify the new VLAN.
5
From the Parent Interface drop-down menu, select WT0.
6
From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.
7
In the IP Address field, enter the IP address for the WLAN. For example, 172.4.1.1. The default is 0.0.0.0.
8
In the Subnet Mask field, enter the subnet mask. For example, 255.255.255.0. The default is 255.255.255.0.
9
From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints for this interface. For this scenario, select 48 SonicPoints. The default is 64 SonicPoints.
10
(Optional) In the Comment field, enter a descriptive comment. This comment is displayed in the Comment field.
11
If you did not specify a web management protocol in Configuring the Access Controller Interface, select one or more Management options: HTTPS, Ping, SNMP, SSH.
* 
TIP: If you select HTTPS, the Add rule to enable redirect from HTTP to HTTPS option is enabled automatically. For more information about this option, see HTTP/HTTPS Redirection.
* 
IMPORTANT: If you do not enable web management here, you must enable it on another interface. A warning message appears if you leave the window without enabling at least one web management protocol.
12
If you did not specify a login protocol in Configuring the Access Controller Interface, optionally select HTTPS for User Login to enable users with management rights to log in to the SonicWall appliance. The HTTP option is dimmed (unavailable).
13
If you did not select HTTPS for Management, but did select HTTPS for User Login, to enable users logging in from HTTP to be redirected to HTTPS, select Add rule to enable redirect from HTTP to HTTPS. For more information about this option, see HTTP/HTTPS Redirection.
14
Click OK. The Interface Settings table is updated.
Configuring a VAP Object
To configure a VAP object on a SonicWall network security appliance:
1
Navigate to the SonicPoint > Virtual Access Point page.
2
In the Virtual Access Points table, click Add. The Add/Edit Virtual Access Point dialog displays.
3
In the Name field, enter a descriptive name for the VAP.
4
In the SSID field, enter an SSID that represents the Layer 3 management network. For example, wirelessDev_L3_vap.
5
From the VLAN ID drop-down menu, select the VLAN Tag ID that you configured in Configuring a WLAN Interface for VAPs. For example, 4.
6
Select the Enable Virtual Access Point option. By default, this option is selected.
7
Click OK. The virtual access points table is updated.
8
To add additional Virtual Access Points, repeat Step 2 through Step 7 for each additional VAP.
Configuring a VAP Group
To configure a VAP group:
1
Navigate to the SonicPoint > Virtual Access Point page.
2
In the Virtual Access Points Groups table, click Add Group. The Add Virtual Access Point Group dialog displays.
3
In the Virtual AP Group Name field, enter a name for the VAP group. For example, L3 VAP Group. The Available Virtual AP Objects box should be populated with the VAP objects you created in Configuring a VAP Object.
4
Move the VAP objects you want from the Available Virtual AP Objects list to the Member of Virtual AP Group list.
5
Click OK. The Virtual Access Point Groups table is updated.
Assigning a VAP Group to a SonicPoint
To assign a VAP group to a SonicPoint that is connected to a third-party router:
1
Navigate to the SonicPoint > SonicPoints page.
2
Scroll to the SonicPointN Provisioning Profiles section.
3
Click the Configure icon for the SonicPoint you want to configure. The Edit SonicPoint <type> Profile dialog appears.
4
Select the Enable SonicPoint option. This is selected by default.
5
From the <802.11n> Radio <0/1> Virtual AP Group drop-down menu in the Virtual Access Point Settings section, select the Virtual AP Group you created in Configuring a VAP Group. For example, L3 VAP Group.
6
Click OK.
Configuring Layer 3 Management over IPSec

In this example, the central IPSec gateway acts as the SonicPoint WLAN controller. The SonicPoint is deployed under the VPN local LAN subnet of the remote IPSec gateway. SonicPoint clients receive a DHCP client lease for the SonicPoint from the DHCP scope on the central gateway. The DHCP over VPN feature must be configured on the remote IPSec gateway. See Layer 3 Management over IPSec.

Layer 3 Management over IPSec

* 
NOTE: This example assumes that the VPN IPSec tunnel between the two SonicWall security appliances is established successfully.
To configure SonicPoint Layer 3 Management over IPSec:
Configuring the VPN Tunnel on the Central Gateway
To configure the VPN tunnel on the Central Gateway:
1
Navigate to the VPN > Settings page.
2
Under the VPN Policies table, click Add. The VPN Policy dialog displays.
3
From the Policy Type drop-down menu, select Site to Site. This is the default.
4
From the Authentication Method drop-down menu, select the method you want. For example, IKE using Preshared Secret. This is the default.
5
In the Name field, enter a descriptive name for the VPN tunnel. For example, VPN to Central Gateway.
6
In the IPSec Primary Gateway Name or Address field, enter the IP address of the remote gateway. For example, 10.03.49.77.
7
If you are using IKE, configure the IKE authentication settings.
8
Click the Network tab.
9
Under Local Networks, select the Choose local network from list option.
10
From the Choose local network from list drop-down menu, select X0 Subnet.
11
Under Remote Networks, select the option you want and, if applicable, the network you want from the associated drop-down menu.
12
Click the Advanced tab.
13
Select the Allow SonicPoint N Layer 3 Management option.
14
Click OK. The VPN Policies table is updated.
15
Navigate to the VPN > DHCP over VPN page.
16
From the DHCP over VPN drop-down menu, select Central Gateway. This is the default.
17
Click Configure. The DHCP over VPN Configuration dialog displays.
18
Select the following options:
Use Internal DHCP Server
For Global VPN Client
For Remote Firewall
19
Click OK.
Configuring the VPN Tunnel on the Remote Gateway
To configure the VPN tunnel on the remote gateway:
1
Navigate to the VPN > Settings page.
2
Under the VPN Policies table, click Add. The VPN Policy dialog displays.
3
From the Policy Type drop-down menu, select Site to Site. This is the default.
4
From the Authentication Method drop-down menu, select the appropriate method for your network. For example, IKE using Preshared Secret. This is the default.
5
In the Name field, enter a descriptive name for the VPN tunnel. For example, VPN to Remote Gateway.
6
In the IPSec Primary Gateway Name or Address field, enter the IP address of the remote gateway. For example, 10.03.49.79.
7
Click the Network tab.
8
Under Local Networks, select the Choose local network from list option. This is the default.
9
From the Choose local network from list drop-down menu, select X1 Subnet.
10
Under Remote Networks, select the option you want and, if appropriate, the network from the associated drop-down menu. This is the Choose destination network from list.
* 
TIP: If you have not created an address object for your remote gateway, you can do so by selecting Create new address object from one of the menus.
11
Under Remote Networks, select Create new address object from the appropriate menu. The Add Address Object dialog appears.
12
In the Name field, enter Remote Gateway X0 Subnet.
13
From the Zone Assignment drop-down, select LAN. This is the default.
14
From the Type drop-down menu, select Network. Another option appears.
15
In the Network field, enter the IP address of the remote gateway. For example, 192.168.168.0.
16
In the Netmask/Prefix Length field, enter the mask. For example, 255.255.255.0.
17
Click OK.
18
Click the Advanced tab.
19
Select the Allow SonicPoint N Layer 3 Management option.
20
Click OK. The VPN Policies table is updated.
21
Navigate to the VPN > DHCP over VPN page.
22
From the DHCP over VPN drop-down menu, select Remote Gateway.
23
Click Configure. The DHCP over VPN Configuration dialog appears.
24
From the DHCP lease bound to drop-down menu, select the interface that is connected to the SonicPoint. For example, Interface X4.
25
(Optional) Select the Accept DHCP Request from bridged WLAN interface option if you want it.
26
In the Relay IP Address field, enter the IP address of the interface connected to the SonicPoint. For example 30.30.30.1.
* 
NOTE: If enabled, this IP address is used as the DHCP Relay Agent IP address (giaddr) in place of the Central gateway’s address and must be reserved in the DHCP scope on the DHCP server. This address also can be used to manage this SonicWall remotely through the VPN tunnel from behind the Central Gateway.
27
In the Remote Management IP Address field, enter the IP address that is used to manage this SonicWall security appliance remotely from behind the Central Gateway.
* 
NOTE: This IP address was configured in Configuring the Access Controller Interface, and must be reserved in the DHCP scope on the DHCP server. In the example it is 10.10.10.1.
28
Select the Block traffic through tunnel when IP spoof detected option.
29
Select the Obtain temporary lease from local DHCP server if tunnel is down option.
30
In the Temporary Lease Time (minutes) field, leave the default value of 2.
31
Click OK.
Configuring the WT0 Interface on the Central Gateway
To configure the Wireless Tunnel interface (WT0) on the Central Gateway:
1
Navigate to the Network > Interfaces page.
2
From the Add Interface drop-down menu in the Interface Settings section, select Add WLAN Tunnel Interface. The Add WLAN Tunnel Interface dialog displays.
3
From the Zone drop-down menu, select WLAN. More options display.
4
In the Tunnel ID field, select 0. This is the default.
5
From the Tunnel Source Interface drop-down menu, select X0.
6
From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.
7
In the IP Address field, enter 172.17.31.1.
8
In the Subnet Mask field, enter 255.255.255.0. This is the default.
9
From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints allowed on your network. For example, 48 SonicPoints. The default is 64 SonicPoints.
10
Optionally, enter a comment in the Comment field.
11
Click OK. The Interface Settings table is updated.
Configuring the CAPWAP DHCP Option Object on the Central Gateway
To configure the CAPWAP DHCP Option Object on the Central Gateway:
1
On the Central Gateway management interface, navigate to the Network > DHCP Server page.
2
In the DHCP Server Settings section, click Advanced. The DHCP Advanced Settings dialog displays.
3
Click Add Option. The Add DHCP Option Object dialog displays.
4
In the Option Name field, enter a descriptive name, such as capwap or CAPWAP DHCP.
5
From the Option Number drop-down menu, select 138 (CAPWAP AC IPv4 Address List).
6
In the Option Value field, enter the IP address you want to use for the DHCP group. For example, 192.168.168.168.
7
Click OK to add the DHCP Option Object.
8
Click OK to close the DHCP Advanced Settings dialog and return to the Network > DHCP Server page.
Configuring the DHCP Scope on the Central Gateway
To configure the DHCP Scope on the Central Gateway:
1
Navigate to the Network > DHCP Server page.
2
Click Add Dynamic. The Dynamic Range Configuration dialog displays.
3
Select Enable this DHCP Scope.
4
In the Range Start field, enter the IP address at which to start the DHCP range; for example, 30.30.30.2. The range values must be within the same subnet as the Default Gateway; for example, 30.30.30.2 to 30.30.30.100.
5
In the Range End field, enter the IP address at which to end the DHCP range. For example, 30.30.30.100.
6
In the Lease Time (minutes) field, use the default value, 1440.
7
In the Default Gateway field, enter the IP address of the default gateway. This value is the IP address of the interface connected to the SonicPoint. For example, 30.30.30.1.
8
In the Subnet Mask field, enter the subnet mask of the default gateway. For example, 255.255.255.0.
9
Click the Advanced tab.
10
In the DHCP Generic Options section, from the DHCP Generic Option Group drop-down menu, select the CAPWAP DHCP option created in Configuring the CAPWAP DHCP Option Object on the Central Gateway.
11
Select the Send Generic options always option. This is the default.
12
Click OK. The DHCPv4 Server Lease Scopes table is updated.
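Three places in these scenarios depend on the same mechanism: the DHCP relay policy on the third-party router, the Relay IP Address that DHCP over VPN inserts as giaddr on the remote gateway, and the central gateway's scope whose Default Gateway must be the relay-side interface (30.30.30.1). The following Python script is an added example, not SonicOS code or a capture from the guide, that follows a SonicPoint's DHCPDISCOVER through a relay agent and shows how the server picks a scope by giaddr and attaches option 138 from that scope's generic option group. The DHCP header layout follows RFC 2131; the scopes, client MAC and addresses are constructed from the page's example values, and the function names are this example's own.

```python
"""Trace a relayed DHCPDISCOVER to the scope the central gateway selects for it (example code)."""
import ipaddress
import struct

HOPS_OFFSET = 3                       # 'hops' byte in the RFC 2131 fixed header
GIADDR_OFFSET = 24                    # giaddr occupies bytes 24..27 of the fixed header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_CAPWAP_AC, OPT_END = 53, 138, 255
DHCPDISCOVER, DHCPOFFER = 1, 2

# Constructed scopes. "capwap_ac" stands for the scope's DHCP Generic Option Group (option 138),
# sent with every offer when "Send Generic options always" is selected.
SCOPES = [
    {"subnet": ipaddress.IPv4Network("30.30.30.0/24"), "gateway": "30.30.30.1",
     "capwap_ac": ["192.168.168.168"]},
    {"subnet": ipaddress.IPv4Network("172.17.31.0/24"), "gateway": "172.17.31.1",
     "capwap_ac": ["172.17.31.1"]},
]


def build_discover(client_mac, xid=0x3903F326):
    """A minimal broadcast DHCPDISCOVER as a SonicPoint would send it (constructed, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,             # BOOTREQUEST, Ethernet, hlen 6, hops 0, broadcast flag
                         bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr = 0.0.0.0
                         client_mac.ljust(16, b"\0"), bytes(64), bytes(128))
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def relay(packet, relay_ip):
    """Relay agent behaviour (the third-party router, or DHCP over VPN on the remote gateway):
    stamp giaddr with the client-facing interface address unless an earlier relay already did,
    and increment hops. The server replies to giaddr, so that address must be reachable."""
    if packet[GIADDR_OFFSET:GIADDR_OFFSET + 4] != bytes(4):
        return packet
    out = bytearray(packet)
    out[HOPS_OFFSET] += 1
    out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out)


def select_scope(packet, receiving_interface_ip):
    """Server side: a relayed request is matched against giaddr; a request received directly is
    matched against the address of the interface it arrived on. This is why the scope's Default
    Gateway is the relay interface (30.30.30.1) and not an address on the central gateway."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    key = giaddr if int(giaddr) else ipaddress.IPv4Address(receiving_interface_ip)
    return next((s for s in SCOPES if key in s["subnet"]), None)


def offer_options(scope):
    """Options carried on the resulting DHCPOFFER: message type plus option 138."""
    acs = b"".join(ipaddress.IPv4Address(ip).packed for ip in scope["capwap_ac"])
    return bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_CAPWAP_AC, len(acs)]) + acs + bytes([OPT_END])


def trace(relay_ip=None, server_if_ip="172.17.31.1"):
    """Return (selected scope gateway, controller list, offer options) or None if no scope matches."""
    pkt = build_discover(b"\x02\x00\x00\x00\x00\x01")   # locally administered test MAC
    if relay_ip:
        pkt = relay(pkt, relay_ip)
    scope = select_scope(pkt, server_if_ip)
    if scope is None:
        return None
    return scope["gateway"], scope["capwap_ac"], offer_options(scope)


if __name__ == "__main__":
    print("relayed via 30.30.30.1:", trace(relay_ip="30.30.30.1"))
    print("received on WT0:      ", trace())
    print("relayed via unknown:  ", trace(relay_ip="10.10.10.2"))
```

The third call returns None: a relay whose address is not inside any scope's subnet gets no offer, which is the symptom to look for when the remote router's SonicPoint-facing address and the scope's Default Gateway disagree.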

SonicPoints and RADIUS Accounting

* 
NOTE: For using RADIUS to authenticate users, see Using RADIUS for Authentication and Configuring RADIUS Authentication.

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting. SonicOS uses RADIUS protocols to deliver account information from the NAS (Network Access Server), that is, the SonicPoint, to the RADIUS Accounting Server. You can take advantage of the account information to apply various billing rules on the RADIUS Accounting Server side. The accounting information can be based on session duration or on the traffic load transferred for each user.

The overall authentication, authorization, and accounting process works as follows:

1
A user associates to a SonicPoint which is connected to a SonicWall firewall.
2
Authentication is performed using the method designated.
3
IP subnet/VLAN assignment is enabled.
4
The SonicPoint sends the RADIUS Account Request start message to an accounting server.
5
Re-authentication is performed as necessary.
6
Based on the results of the re-authentication, the SonicPoint sends the interim account update to the accounting server.
7
The user disconnects from the SonicPoint.

The SonicPoint sends the RADIUS Account Request stop message to the accounting server.

Setting up the RADIUS Accounting Server

To set up the RADIUS Accounting Server:
1
Add the RADIUS client entry to the file /etc/freeradius/clients.conf:
client <IP address> {
     ipaddr = <IP address>      # address the accounting requests arrive from
     secret = "<password>"
}

Where <IP address> is the IP address of the RADIUS Server and <password> is the server password.

* 
NOTE: The IP address is the WAN IP of the SonicWall GW from which the RADIUS Server is reached.
2
Add the user information into the file, /etc/freeradius/users:
user_name Cleartext-Password := "<password>"

Where user_name is the user’s ID and <password> should be replaced with the user’s password.

3
To start FreeRADIUS in debug mode, run the following command from the command line:
sudo freeradius -X

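The seven-step process above and the shared secret placed in clients.conf come together in the accounting packets themselves. The following Python script is an added example, not SonicOS or FreeRADIUS code: it builds the Accounting-Request Start, Interim-Update and Stop records a NAS sends over the life of one session, computes the Request Authenticator exactly as RFC 2866 section 3 specifies (MD5 over code, identifier, length, sixteen zero octets, the attributes and the shared secret), performs the server-side verification that rejects records from a client that does not know the secret, and extracts the duration and traffic counters that billing rules act on. The user name, session id, NAS address (a documentation address) and secret are constructed for the example; the attribute numbers are the standard ones from RFC 2865/2866.

```python
"""RADIUS accounting Start / Interim-Update / Stop records and their verification (example code)."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
# Attribute types from RFC 2865 / RFC 2866.
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 44, 46, 49
START, STOP, INTERIM_UPDATE = 1, 2, 3          # Acct-Status-Type values
USER_REQUEST = 1                               # Acct-Terminate-Cause value


def attr(atype, value):
    """Encode one attribute as Type, Length, Value; integers are 32-bit big-endian."""
    data = value if isinstance(value, bytes) else struct.pack("!I", value)
    return struct.pack("!BB", atype, 2 + len(data)) + data


def build_accounting_request(secret, identifier, attributes):
    """RFC 2866 section 3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    + Attributes + Secret). The server recomputes it, so a sender without the clients.conf
    secret cannot produce a record the server accepts."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\0" * 16 + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(secret, packet):
    """Server-side check performed before the record is trusted."""
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + b"\0" * 16 + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def parse_attributes(body):
    """Walk the TLV list, rejecting a length that runs past the end of the packet."""
    attrs, i = {}, 0
    while i < len(body):
        atype, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = body[i + 2:i + length]
        i += length
    return attrs


def session_messages(secret, user, nas_ip, session_id, seconds, in_octets, out_octets):
    """Start, Interim-Update and Stop records for one session (interim snapshot taken halfway)."""
    common = [attr(USER_NAME, user.encode()),
              attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
              attr(ACCT_SESSION_ID, session_id.encode())]
    return {
        "start": build_accounting_request(secret, 1, common + [attr(ACCT_STATUS_TYPE, START)]),
        "interim": build_accounting_request(secret, 2, common + [
            attr(ACCT_STATUS_TYPE, INTERIM_UPDATE), attr(ACCT_SESSION_TIME, seconds // 2),
            attr(ACCT_INPUT_OCTETS, in_octets // 2), attr(ACCT_OUTPUT_OCTETS, out_octets // 2)]),
        "stop": build_accounting_request(secret, 3, common + [
            attr(ACCT_STATUS_TYPE, STOP), attr(ACCT_SESSION_TIME, seconds),
            attr(ACCT_INPUT_OCTETS, in_octets), attr(ACCT_OUTPUT_OCTETS, out_octets),
            attr(ACCT_TERMINATE_CAUSE, USER_REQUEST)]),
    }


def billing_record(secret, stop_packet):
    """What the accounting server extracts from a verified Stop record for duration/traffic billing."""
    if not verify_accounting_request(secret, stop_packet):
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    a = parse_attributes(stop_packet[20:])
    if struct.unpack("!I", a[ACCT_STATUS_TYPE])[0] != STOP:
        raise ValueError("not a Stop record")
    return {"user": a[USER_NAME].decode(), "session_id": a[ACCT_SESSION_ID].decode(),
            "seconds": struct.unpack("!I", a[ACCT_SESSION_TIME])[0],
            "bytes_in": struct.unpack("!I", a[ACCT_INPUT_OCTETS])[0],
            "bytes_out": struct.unpack("!I", a[ACCT_OUTPUT_OCTETS])[0]}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"     # the 'secret' value from clients.conf
    msgs = session_messages(secret, "alice", "198.51.100.1", "sp-0001", 3600, 12345, 678910)
    print(billing_record(secret, msgs["stop"]))
```

Because the authenticator covers the whole attribute list, a record whose counters were altered in transit fails verification just as one from an unknown client does; running the server with freeradius -X shows these rejections on the console.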

 

Managing SonicPoints

* 
NOTE: SonicPoints are not supported on the SuperMassive 9800.

SonicPoint > SonicPoints

This section describes how to configure and deploy SonicPoints in your network. For information about SonicPoints, see Understanding SonicPoints.

* 
NOTE: SonicPoint AC refers to SonicPoint ACe/ACi/N2; SonicPoint refers to all SonicPoints. SonicPoint ACs are supported on appliances running SonicOS 6.2.2 and above, SonicOS 6.3 and above, or SonicOS 6.4 and above.
Topics:  

SonicPointN Provisioning Profiles

The SonicPointN Provisioning Profiles table displays this information:

Name Prefix – Either the name you specified when you configured the SonicPoint or one of these:
SonicPointACe/ACi/N2
SonicPointN
SonicPointNDR
Applied Zone – The zone to which the SonicPoint applies.
Radio 0 – SSID and Mode for either the radio (SonicPoint N) or Radio 0 (SonicPoint ACe/ACi/N2 or SonicPoint NDR).
Radio 0 Channel – Band and Channel selection for either the radio (SonicPoint N) or Radio 0 (SonicPoint ACe/ACi/N2 or SonicPoint NDR).
Radio 1 – SSID and Mode for Radio 1 (SonicPoint ACe/ACi/N2 or SonicPoint NDR).
Radio 1 Channel – Band and Channel selection for Radio 1 (SonicPoint ACe/ACi/N2 or SonicPoint NDR).
Configure – Contains the Edit and Delete icons for the SonicPoint provisioning profile.
* 
NOTE: SonicPoint ACe/ACi/N2, SonicPoint N, and SonicPoint NDR provisioning profiles cannot be deleted, and the corresponding Delete icon is dimmed.

SonicPointNs

The SonicPointNs table displays this information:

Name – The name and model of the SonicPoint.
Interface – The interface of the zone to which the SonicPoint is applied.
Network Settings – The IP address, MAC address, and MGMT layer.
Status – Whether the SonicPoint is operational (green) or disabled.
Radio 0 – SSID and Mode for either the radio (SonicPoint N) or Radio 0 (SonicPoint ACe/ACi/N2 or SonicPoint NDR).
Radio 0 Channel – Band, Channel, and radio status (Enabled [Active] or Disabled [Inactive]) for either the radio (SonicPoint N) or Radio 0 (SonicPoint ACe/ACi/N2 or SonicPoint NDR).
Radio 1 – SSID and Mode for Radio 1 (SonicPoint ACe/ACi/N2 or SonicPoint NDR).
Radio 1 Channel – Band, Channel, and radio status (Enabled [Active] or Disabled [Inactive]) for Radio 1 (SonicPoint ACe/ACi/N2 or SonicPoint NDR).
Enable – A checkbox that allows easy enabling/disabling of a SonicPoint.
Configure – Contains the Edit, Delete and Reboot icons for the SonicPoint provisioning profile.

Below the SonicPointNs table is a Note that lists the current firmware version of each type of SonicPoint.

Configuring a SonicPoint Profile

* 
NOTE: You can use Auto Provisioning to automatically provision SonicPoint profiles. For information on how to enable automatic provisioning, see Enabling Auto Provisioning.

You can add any number of SonicPoint profiles. The SonicPoint profile configuration process varies slightly, depending on whether you are configuring a single-radio (SonicPoint N) or a Dual Radio (SonicPoint AC and SonicPoint NDR) SonicPoint.

The following sections describe how to configure the types of SonicPoint profiles:

Configuring a SonicPoint ACe/ACi/N2 or NDR Profile

* 
IMPORTANT: SonicPoint AC requires POE+ (802.3at Type 2) that supplies 30 watts of peak power.
* 
NOTE: SonicPoint ACs are supported on firewalls running SonicOS 6.2.2 and above, SonicOS 6.3 and above, or SonicOS 6.4 and above.
* 
TIP: The configuration dialogs for SonicPoint ACe/ACi/N2 and SonicPoint NDR profiles are quite similar. Differences are noted in the procedures. In this section, SonicPoint refers to both SonicPoint ACe/ACi/N2 and SonicPoint NDR.

For a SonicPoint overview, see About SonicPoints. For information about auto provisioning SonicPoints, see SonicPoint Auto Provisioning.

* 
VIDEO: For a detailed description of how to connect a SonicPoint access point to a TZ firewall, see the How to Manage SonicPoint ACe/ACi/N2 Access Points with SonicWall TZ Series Products video.
* 
NOTE: For a description on how to manage SonicPoint ACe/ACi/N2 access points with the SonicWall X‑Series Solution, see the Knowledge Base article, SonicWall TZ Series and SonicWall X-Series solution managing SonicPoint ACe/ACi/N2 access points (SW13970).

You can add any number of SonicPoint profiles. The specifics of the configuration vary slightly depending on which SonicPoint profile and protocols you select.

To configure a SonicPoint provisioning profile:
1
Navigate to SonicPoint > SonicPoints page.
2
Do one of the following:
To add a new:
SonicPoint AC profile, click Add SonicPoint ACe/ACi/N2 Profile.
SonicPoint NDR profile, click Add SonicPoint NDR Profile.
To edit an existing AC or NDR profile, click the Configure icon on the same row as the profile you want to edit.

The Add/Edit SonicPoint … Profile dialog appears. The Add/Edit dialogs are the same except if you are editing an existing profile, the existing settings are displayed. There is a difference in options displayed, depending on the type of SonicPoint:

Add/Edit SonicPointACe/ACi/N2 Profile

Add/Edit SonicPointNDR Profile

3
You configure the SonicPoint profile through settings on these tabs:
General Tab

In the General tab, configure the desired settings:

SonicPoint Settings

SonicPointACe/ACi/N2 Settings

SonicPoint NDR Settings

To configure SonicPoint Settings
1
Check Enable SonicPoint to enable each SonicPoint automatically when it is provisioned with this profile. This option is selected by default.
2
Optionally, check Retain Settings to have the SonicPoints provisioned by this profile retain portions of their customized settings after they are deleted and resynchronized. The settings are retained until the SonicPoint is rebooted. This option is not selected by default.

If you select this option, Edit becomes active. To specify the settings to retain:

a
If you are editing an existing SonicPoint profile, click Edit. The Retain Settings dialog displays.

b
Do one of the following:
Click Retain All Settings; all the other options become dimmed.
Click the checkboxes of the individual settings to be retained.
* 
NOTE: The settings for each radio must be selected separately.
c
Click OK.
3
Optionally, check Enable RF Monitoring to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default. For more information about RF monitoring, see SonicPoint > RF Monitoring.
4
If you are configuring a:
SonicPoint NDR profile, go to Step 5.
SonicPoint AC profile, optionally, check Enable LED to enable/disable SonicPoint AC LEDs. This option is not selected by default (LEDs are disabled).
5
Enter a prefix for the names of all SonicPoints connected to this zone in the Name Prefix field. This prefix assists in identifying SonicPoints on a zone. When each SonicPoint is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint AC 126008 or SonicPoint NDR 126009.
6
Select the country where you are operating the SonicPoints from the Country Code drop-down menu. The country code determines under which regulatory domain the radio operation falls.
7
From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v2, which provides better security.
Virtual Access Point Settings

To configure Virtual Access Point Settings:
1
Optionally, select an 802.11n Virtual Access Point (VAP) group to assign these SonicPoints to a VAP from the Radio 0 Basic Virtual AP Group and Radio 1 Basic Virtual AP Group drop-down menus. The drop-down menus allow you to create a new VAP group. For more information on VAPs, see SonicPoint > Virtual Access Point.
* 
NOTE: Selecting a VAP group for Radio 0 and/or Radio 1 affects options on the appropriate Radio 0/1 Basic tabs.
L3 SSL VPN Tunnel Settings

To configure L3 SSL VPN Tunnel Settings:
1
In the SSL VPN Server field, enter the IP address of the SSL VPN server.
2
In the User Name field, enter the User Name of the SSL VPN server.
3
In the Password field, enter the Password for the SSL VPN server.
4
In the Domain field, enter the domain that the SSL VPN server is located in.
5
Optionally, click Auto-Reconnect for the SonicPoint to auto-reconnect to the SSL VPN server. This option is not selected by default.
* 
IMPORTANT: To push the settings to the SonicPoint device, connect the SonicPoint device to the SSL VPN Server through a Layer 2 connection.
* 
NOTE: To configure L3 SSL VPN, click the link to SSL VPN > Client Settings. For information about Layer 3 SSL VPN, refer to SonicPoint Layer 3 Management and SSL VPN > Client Settings.
SonicPoint Administrator Settings

To configure SonicPoint Administrator Settings:
1
In the Name field, enter the user name for the network administrator.
2
In the Password field, enter the password for the network administrator.
Radio 0 Basic and Radio 1 Basic Tabs
* 
NOTE: The available options on these tabs depend on whether a VAP group was selected in the Virtual Access Point Settings on the General tab.

VAP group not selected on the General tab – SonicPoint ACe/ACi/N2

VAP group not selected on the General tab – SonicPointNDR

VAP group selected on the General tab – SonicPointACe/ACi/N2

VAP group selected on the General tab – SonicPointNDR

The Radio 0 Basic and Radio 1 Basic tabs are similar and have only a few differences that are noted in the steps.

* 
NOTE: The sections and options displayed on the Radio 0/1 Basic tabs change depending on whether you selected a VAP group in the Radio 0/1 Virtual AP Group drop-down menus on the General tab and the mode you select in the Mode drop-down menu. These choices apply only to the radio for which they were selected, that is, if you select a VAP for Radio 0 but not Radio 1, Radio 1 is not affected and vice versa.

If you are configuring a SonicPointACe/ACi/N2, you can also configure RADIUS Accounting for either or both radios on these tabs.

To configure Radio 0 Basic and Radio 1 Basic tabs:
1
Click the Radio 0 Basic or Radio 1 Basic tab.
2
Configure the settings for the 5GHz (Radio 0) and 2.4GHz (Radio 1) band radios:
Radio 0/Radio 1 Basic Settings
* 
NOTE: The options change depending on the mode you select.
To configure Radio 0/Radio 1 Basic Settings:
1
Check Enable Radio to enable the 802.11ac radio bands automatically on all SonicPoint ACs provisioned with this profile. This option is selected by default.
From the Enable Radio drop-down menu, select a schedule for when the 802.11n radio is on or create a new schedule; default is Always on. You can create a new schedule by selecting Create new schedule to display the Add Schedule menu.
2
Select your preferred radio mode from the Mode drop-down menu:

Radio mode choices

Radio 0 Basic | Radio 1 Basic | Definition
--- | --- | ---
5GHz 802.11n Only | 2.4GHz 802.11n Only | Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
5GHz 802.11n/a Mixed | 2.4GHz 802.11n/g/b Mixed | SonicPoint AC/NDR default. Supports 802.11a and 802.11n (Radio 0) or 802.11b, 802.11g, and 802.11n (Radio 1) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
5GHz 802.11a Only | | SonicPoint NDR default. Select this mode if only 802.11a clients access your wireless network.
 | 2.4GHz 802.11g Only | If your wireless network consists only of 802.11g clients, you might select this mode for increased 802.11g performance. You might also select this mode if you wish to prevent 802.11b clients from associating.
5GHz 802.11ac/n/a Mixed | | SonicPoint AC default. Supports 802.11ac, 802.11a, and 802.11n (Radio 0) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
5GHz 802.11ac Only | | Allows only 802.11ac clients access to your wireless network. Other clients are unable to connect under this restricted radio mode.

* 
TIP: For 802.11n clients only, for optimal throughput speed solely, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.

For optimal throughput speed solely for 802.11ac clients, SonicWall recommends the 802.11ac Only radio mode. Use the 802.11ac/n/a Mixed radio mode for multiple wireless client authentication compatibility.

* 
NOTE: The available 802.11n Radio 0/1 Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel, Enable Short Guard Interval, and Enable Aggregation.
Does not support 802.11n, only the Channel option is displayed.
3
If you are configuring a:
SonicPoint without VAP, go to Step 4.
SonicPoint with VAP selected on the General tab, optionally, select Enable DFS Channels to enable the use of Dynamic Frequency Selection (DFS) that allows wireless devices to share the same spectrum with existing radar systems within the 5GHz band.
* 
TIP: If you select this option, choose either Standard - 20MHz Channel or Wide - 40MHz Channel as the Radio Band. The Primary Channel and Standard Channel drop-down menus then display a choice of available sensitive channels.
* 
NOTE: This option only appears on the 802.11n Radio 0 tab as the 802.11n Radio 1 does not have a wireless speed connection mode of at least 5GHz.
4
If you are configuring a:
SonicPoint with VAP, go to Step 5.
SonicPoint without a VAP group, in the SSID field, enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that appears in clients’ lists of available wireless connections.
* 
TIP: If all SonicPoint ACs or NDRs in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint AC/NDR to another.
5
If the Mode you selected was:
5GHz 802.11a Only or 2.4GHz 802.11g Only, go to Step 6.
Any other mode, select a radio band from the Radio Band drop-down menu:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Both the Primary Channel and Secondary Channel are set to Auto also. This is the default setting.
Standard - 20MHz Channel—Specifies that Radio 0 uses only the standard 20MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel options.
Wide - 40MHz Channel—Available only when 5GHz 802.11ac/n/a or 5GHz 802.11ac is selected for the Radio Band, specifies that Radio 0 uses only the wide 80MHz channel. When this option is selected, only the Channel drop-down menu is active.
6
Select a channel from the Standard/Primary Channel drop-down menu. Depending on the Mode and Radio Band selections, a Secondary Channel drop-down menu displays.
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting for the Standard/Primary Channels. The Secondary Channel is set to Auto regardless of the setting of Primary Channel.
Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. The available channels depend on which Radio you are configuring; see the Specific channel choices table. If you select Wide – 40 MHz Channel for Radio Band, a Secondary Channel displays and is selected automatically by the selection of the Primary Channel.

Specific channel choices

Radio 0: Channel/Primary Channel (1) | Radio 1: Standard/Primary Channel | Radio 1: Secondary Channel is set automatically to (2)
---|---|---
Channel 36 (5180MHz) | Channel 1 (2412MHz) | Channel 5 (2432MHz)
Channel 40 (5200MHz) | Channel 2 (2417MHz) | Channel 6 (2437MHz)
Channel 44 (5220MHz) | Channel 3 (2422MHz) | Channel 7 (2442MHz)
Channel 48 (5240MHz) | Channel 4 (2427MHz) | Channel 8 (2447MHz)
Channel 149 (5745MHz) | Channel 5 (2432MHz) | Channel 1 (2412MHz)
Channel 153 (5765MHz) | Channel 6 (2437MHz) | Channel 2 (2417MHz)
Channel 157 (5785MHz) | Channel 7 (2442MHz) | Channel 3 (2422MHz)
Channel 161 (5805MHz) | Channel 8 (2447MHz) | Channel 4 (2427MHz)
Channel 165 (5825MHz) (3) | Channel 9 (2452MHz) | Channel 5 (2432MHz)
 | Channel 10 (2457MHz) | Channel 6 (2437MHz)
 | Channel 11 (2462MHz) | Channel 7 (2442MHz)

(1) The Secondary Channel is available only when 5GHz 802.11n Only or 5GHz 802.11n/a Mixed is selected for Mode and Wide – 40 MHz Channel is selected for Radio Band. The Secondary Channel is always Auto if either Auto is selected for Radio Band or a VAP group is selected on the General tab.

(2) Upon selection of a Primary Channel, the Secondary Channel is set automatically to a preset channel.

(3) This option is available only when 5GHz 802.11n Only, 5GHz 802.11n/a Mixed, or 5GHz 802.11a Only is selected for Mode and Standard – 20 MHz Channel is selected for Radio Band.

7
If, from the Radio Band drop-down menu, you selected:
5GHz 802.11a Only or 2.4GHz 802.11g Only, and are configuring:
SonicPointACe/ACi/N2:
Without VAP, go to Wireless Security.
SonicPointNDR, go to Step 10.
Any other radio band, go to Step 8
8
Enable Short Guard Interval—Specifies the short guard interval of 400ns (as opposed to the standard guard interval of 800ns).
* 
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
* 
IMPORTANT: To avoid compatibility issues, ensure the wireless client also supports a short guard interval.

A guard interval is a set amount of time between transmissions that is designed to ensure distinct transmissions do not interfere with one another. The guard interval introduces immunity to propagation delays, echoes, and reflections. An access point identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays.

The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long).

Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each access point. A short guard interval of 400 nanoseconds (ns) works in most office environments as distances between points of reflection, as well as between clients, are short. Most reflections are received quickly. The shorter the guard interval, the more efficiency there is in the channel usage, but a shorter guard interval also increases the risk of interference.

Some outdoor deployments might, however, require a longer guard interval. The need for a long guard interval of 800 ns becomes more important as areas become larger, such as in warehouses and in outdoor environments, as reflections and echoes become more likely to continue after the short guard interval would be over.

Besides preventing that loss, a shorter guard interval raises the 802.11n and 802.11ac data rate. Ensure the wireless client also supports a short guard interval to avoid compatibility issues.

* 
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, and so on), these options could introduce transmission errors that eliminate any efficiency gains in throughput.
9
Select Enable Aggregation to enable 802.11n and 802.11ac frame aggregation that combines multiple data frames in a single transmission to reduce overhead and increase throughput.
* 
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
* 
IMPORTANT: To avoid compatibility issues, ensure the wireless client also supports aggregation.

Data over wireless networks are sent as a stream of packets known as data frames. Frame aggregation takes these packets and combines them into fewer, larger packets, thereby allowing an increase in overall performance. Frame aggregation was added to the 802.11n and 802.11ac specification to allow for an additional increase in performance. Frame aggregation is a feature that only 802.11n and 802.11ac clients can take advantage of, as legacy systems are not able to understand the new format of the larger packets.

10
If you are configuring:
SonicPointACe/ACi/N2:
Without VAP, go to Wireless Security.
SonicPointNDR, optionally select Enable MIMO. This option is selected by default.

The Enable MIMO option enables/disables MIMO (multiple-input multiple output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas. This option is enabled by default for all 802.11n modes and is dimmed to ensure it is not disabled. The option is activated and selected by default if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.

* 
NOTE: Ensure the wireless client also can support these antennas to avoid compatibility issues. If the 802.11a or 802.11g client cannot support these antennas, disable the option by deselecting it.
Wireless Security
* 
NOTE: If a VAP was selected in the Virtual Access Point Settings section of the General tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed. Go to Virtual Access Point Encryption Settings.

If you are configuring a profile for a SonicPointACe/ACi/N2, you configure RADIUS Accounting in this section.

* 
NOTE: The options change depending on the authentication type you select.

The Wireless Security sections of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Wireless Security settings, see Wireless Security.

Virtual Access Point Encryption Settings
* 
NOTE: This section displays only if a VAP was selected from the Radio 0 Basic/1 Virtual AP Group drop-down menus in the Virtual Access Point Settings section of the General tab.

The Virtual Access Point Encryption Settings section of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPointN 802.11n Radio tab. For how to configure the Virtual Access Point Encryption Settings settings, see Virtual Access Point Encryption Settings.

ACL Enforcement

The ACL Enforcement section of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the ACL Enforcement settings, see ACL Enforcement.

Remote MAC Address Access Control Settings
* 
NOTE: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab, this section is not available; go to Radio 0/Radio 1 Advanced Tabs.

The Remote MAC Address Access Control Settings section of both 802.11n Radio 0 and 802.11n Radio 1 tabs are the same as for the SonicPointN 802.11n Radio tab.

* 
IMPORTANT: You cannot enable the Remote MAC address access control option at the same time that IEEE 802.11i EAP is enabled. If you try to do so, you could receive the following error message:
Remote MAC address access control can not be set when
IEEE 802.11i EAP is enabled.
To configure Remote MAC Address Access Control Settings:
1
Select Enable Remote MAC Access Control. This option enforces radio wireless access control according to the MAC-based authentication policy in the remote RADIUS server. The Configure button activates.
2
Click Configure. The SonicPoint Radius Server Global Settings dialog displays.

3
In the appropriate fields, enter the RADIUS server settings that you want. See the WPA-EAP/WPA2-EAP encryption settings table.

WPA-EAP/WPA2-EAP encryption settings

Option | Description
---|---
Radius Server Retries | The number of times SonicOS will attempt to contact the RADIUS server. If the RADIUS server does not respond within the specified number of retries, the connection is dropped.
Retry Interval (seconds) | The time, from 0 to 60 seconds, to wait between retries. The number 0 means no wait between retries.
Radius Server 1 IP | The name/location of your RADIUS authentication server.
Radius Server 1 Port | The port on which your RADIUS authentication server communicates with clients and network devices. The default port is 1812.
Radius Server 1 Secret | The secret passcode for your RADIUS authentication server.
Radius Server 2 | The name/location of your backup RADIUS authentication server.
Radius Server 2 Port | The port on which your backup RADIUS authentication server communicates with clients and network devices. The default port is 1812.
Radius Server 2 Secret | The secret passcode for your backup RADIUS authentication server.

4
Click OK.
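What the settings in the table above produce on the wire, as an added example that is not part of the SonicOS guide or of SonicWall's code: it builds the RADIUS Access-Request (RFC 2865) an access point sends for MAC-based authentication, with the station's MAC address as User-Name and, by the common convention for MAC authentication, also as User-Password, hidden with the shared secret from the Radius Server 1 Secret field and the packet's Request Authenticator. decode_user_password() reverses the hiding the way the server does, so the example checks itself and also shows that this hiding is an MD5 keystream keyed by the secret, not authenticated encryption, which is why the secret's strength and the path between the firewall and the server matter. The NAS-Port-Type attribute, the MAC address and the secret are this example's own sample values; port 1812 is the page's default. Nothing is sent; the bytes are built and parsed locally.

```python
"""RADIUS Access-Request for MAC-based access control, built and parsed locally.

Added example; it is not part of the SonicOS guide or of SonicWall's code.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1           # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_WIRELESS_80211 = 19   # "Wireless - IEEE 802.11"; included as an assumption
RADIUS_AUTH_PORT = 1812      # the page's default Radius Server 1 Port


def _attribute(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding.

    The password is null-padded to a multiple of 16 octets; each block is
    XORed with MD5(secret + previous block), seeded with the Request
    Authenticator. The secret is the only key material.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def decode_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password(), as the server performs it."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def build_mac_auth_request(mac, secret, identifier, authenticator=None):
    """Access-Request for MAC-based authentication of station `mac`."""
    authenticator = authenticator or os.urandom(16)   # fresh 16 random octets per request
    user = mac.encode("ascii")
    attrs = (_attribute(ATTR_USER_NAME, user)
             + _attribute(ATTR_USER_PASSWORD, hide_user_password(user, secret, authenticator))
             + _attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_request(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed sample value
    pkt = build_mac_auth_request("00-11-22-33-44-55", secret, identifier=7)
    code, ident, auth, attrs = parse_request(pkt)
    print(len(pkt), "octets for UDP port", RADIUS_AUTH_PORT)
    print("User-Name:", attrs[ATTR_USER_NAME])
    print("User-Password recovered with the configured secret:",
          decode_user_password(attrs[ATTR_USER_PASSWORD], secret, auth))
```

The retry count and interval from the table bound how long a station waits while the server is unreachable (retries multiplied by the interval, per server); the packet itself does not change between retries except for a fresh identifier and authenticator.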
Radio 0/Radio 1 Advanced Tabs

Radio 0 Advanced tab – SonicPoint

Radio 1 Advanced tab – SonicPointACe/ACi/N2 without VAP

Radio 1 Advanced tab – SonicPointACe/ACi/N2 with VAP

Radio 1 Advanced tab – SonicPointNDR without VAP

Radio 1 Advanced tab – SonicPointNDR with VAP

These settings affect the operation of the Radio 1 Basic radio bands. The SonicPoint has two separate radios built in. Therefore, it can send and receive on both bands at the same time.

The Radio 1 Advanced tab has the same options as the Radio 0 Advanced tab plus other options. The tabs for SonicPoint AC and SonicPoint NDR are quite similar. Differences are noted in the procedure.

To configure the Radio 0/Radio 1 Advanced setting:
1
Click the Radio 0/1 Advanced tab.
2
If you:
Selected a VAP on the Settings tab, go to Step 3.
Did not select a VAP on the Settings tab, optionally, select Hide SSID in Beacon to have the SonicPoint send null SSID beacons in place of advertising the wireless SSID name. Sending null SSID beacons forces wireless clients to know the SSID to connect. This option is unchecked by default.
3
From the Schedule IDS Scan drop-down menu, select a schedule for the IDS (Intrusion Detection Service) scan. Select a time when there are fewer demands on the wireless network to minimize the inconvenience of dropped wireless connections. You can create your own schedule by selecting Create new schedule or disable the feature by selecting Disabled, the default.
* 
NOTE: IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN Infrastructure that consists of authorized access points, the RF medium, and the wired network. An authorized or valid-AP is defined as an access point that belongs to the WLAN infrastructure. The access point is either a SonicPoint or a third-party access point.
4
From the Data Rate drop-down menu, select the speed at which the data is transmitted and received. Best (default) automatically selects the best rate available in your area given interference and other factors.
5
From the Transmit Power drop-down menu, select the transmission power. Transmission power affects the range of the SonicPoint.
Full Power (default)
Half (-3 dB)
Quarter (-6 dB)
Eighth (-9 dB)
Minimum
6
If you are configuring:
SonicPoint AC, go to Step 7.
SonicPoint NDR, from the Antenna Diversity drop-down menu, select Best, the default. The Antenna Diversity setting determines which antenna the SonicPoint uses to send and receive data. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal.
7
In the Beacon Interval (milliseconds) field, enter the number of milliseconds between sending wireless SSID beacons. The minimum interval is 100 milliseconds, the maximum is 1000 milliseconds, and the default is 100 milliseconds.
8
In the DTIM Interval field, enter the DTIM interval in milliseconds. The minimum number of frames is 1, the maximum is 255, and the default is 1.

For 802.11 power-save mode clients of incoming multicast packets, the DTIM interval specifies the number of beacon frames to wait before sending a DTIM (Delivery Traffic Indication Message).

9
If you are configuring a:
SonicPointACe/ACi/N2, go to Step 10.
SonicPointNDR, in the Fragmentation Threshold (bytes) field, enter the number of bytes of fragmented data you want the network to allow. The fragmentation threshold limits the maximum frame size. Limiting frame size reduces the time required to transmit the frame and, therefore, reduces the probability that the frame will be corrupted (at the cost of more data overhead). Fragmented wireless frames increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold numbers produce more fragments. The minimum is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
10
In the RTS Threshold (bytes) field, enter the threshold for a packet size, in bytes, at which a request to send (RTS) is sent before packet transmission. Sending an RTS ensures that wireless collisions do not take place in situations where clients are in range of the same access point, but might not be in range of each other. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
11
In the Maximum Client Associations field, enter the maximum number of clients you want each SonicPoint using this profile to support on this radio at one time. The minimum number of clients is 1, the maximum number is 128, and the default number is 32.
12
In the Station Inactivity Timeout (seconds) field, enter the maximum length of wireless client inactivity before Access Points age out the wireless client, in seconds. The minimum period is 60 seconds, the maximum is 36000 seconds, and the default is 300 seconds.
13
If you are configuring:
Radio 0 Advanced settings, go to Step 17.
Radio 1 Advanced tab settings, go to Step 14.
14
Select a preamble length from the Preamble Length drop-down menu:
Long (default)
Short
15
Select a protection mode from the Protection Mode drop-down menu:
1 Mbps (default)
2 Mbps
5 Mbps
11 Mbps
16
Select a protection type from the Protection Type drop-down menu:
CTS-only (default)
RTS-CTS
17
Optionally, to allow clients to disassociate and reassociate more quickly, select the Enable Short Slot Time checkbox. Specifying this option increases throughput on the 802.11n/g wireless band by shortening the time an access point waits before relaying packets to the LAN. This setting is not selected by default.
18
Optionally, if you are using Turbo G mode and, therefore, are not allowing 802.11b clients to connect, select the Do(es) not allow 802.11b Client to Connect checkbox. Specifying this option limits wireless connections to 802.11g and 802.11n clients only. This setting is not selected by default.
19
From the WMM (Wi-Fi Multimedia) drop-down menu, select whether a WMM profile is to be associated with this profile:
Disabled (default)
Create new WMM profile. If you select Create new WMM profile, the Add Wlan WMM Profile dialog displays. For information about configuring a WMM profile, see Configuring Wi-Fi Multimedia Parameters.
A previously configured WMM profile
20
Optionally, select Enable Green AP to allow the SonicPointACe/ACi/N2 radio to go into sleep mode. This saves power when no clients are actively connected to the SonicPoint. The SonicPoint immediately goes into full power mode when any client attempts to connect to it. Green AP can be set on each radio independently, Radio 0 (5GHz) and Radio 1 (2.4GHz).
21
If you are configuring:
Radio 0 Advanced, repeat the procedure for Radio 1 Advanced.
Radio 1 Advanced for:
SonicPointACe/ACi/N2, go to Step 22.
SonicPointNDR, go to Sensor Tab.
22
In the Green AP Timeout(s) field, enter the transition time, in seconds, that the access point waits while it has no active connections before it goes into sleep mode, that is, the time between power-save off to power-save on. The transition values can range from 20 seconds to 65535 seconds with a default value of 20 seconds.
Sensor Tab

In the Sensor tab, enable or disable Wireless Intrusion Detection and Prevention (WIDP) mode.

* 
IMPORTANT: If this option is selected, Access Point or Virtual Access Point(s) functionality is disabled automatically.
To configure the Sensor tab:
1
Select Enable WIDP sensor to have the SonicPoint operate as a dedicated WIDP sensor. This option is not selected by default.
2
From the drop-down menu, select the schedule for when the SonicPoint operates as a WIDP sensor or select Create new schedule… to specify a different time; default is Always on.

Configuring a SonicPoint N Profile

For a SonicPoint overview, see Understanding SonicPoints. For information about auto provisioning SonicPoints, see SonicPoint Auto Provisioning.

You can add any number of SonicPoint profiles. The specifics of the configuration varies slightly depending on which 802.11 protocols you select.

To configure a SonicPointN provisioning profile:
1
Navigate to SonicPoint > SonicPoints page.
2
Do one of the following:
To add a new SonicPoint N profile, click Add SonicPoint N Profile.
To edit an existing SonicPoint N profile, click the Configure icon on the same row as the profile you want to edit.

The Add/Edit SonicPointN Profile dialog appears. The two dialogs are the same except if you are editing an existing profile, the existing settings are displayed.

3
Configure the SonicPoint N through options on these tabs:
Settings Tab

The Settings tab has these sections:

SonicPoint Settings

To configure the SonicPoint Settings tab:
1
To automatically enable each SonicPoint when it is provisioned with this profile, select Enable SonicPoint. This option is selected by default.
2
Optionally, check Retain Settings to have the SonicPoint Ns provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default.

If you select this option, Edit becomes active. To specify the settings to retain:

a
Click Edit. The Retain Settings dialog displays.

b
Do one of the following:
Click Retain All Settings; all the other options are dimmed.
Click the checkboxes of the individual settings to be retained.
c
Click OK.
3
Optionally, check Enable RF Monitoring to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default.
4
Optionally, check Enable LED (Ni/Ne) to turn SonicPointN LEDs on/off.
* 
NOTE: This option applies only to the SonicPoint N model that has controllable LED hardware support.
5
Enter a prefix for the names of all SonicPointNs connected to this zone in the Name Prefix field. This prefix assists in identifying SonicPoints on a zone. When each SonicPointN is provisioned, it is given a name that consists of the name prefix and a unique number, for example: MySonicPoint 126008.
6
Select the country where you are operating the SonicPoint Ns from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.
7
From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v2, which provides better security than v1.
Virtual Access Point Settings

To configure Virtual Access Point Settings:
1
Optionally, from the 802.11n Radio Virtual AP Group drop-down menu, select an 802.11n Virtual Access Point (VAP) group to assign these SonicPoint Ns to a VAP. This drop-down menu allows you to create a new VAP group. For more information on VAPs, see SonicPoint > Virtual Access Point.
L3 SSL VPN Tunnel Settings

To configure L3 SSL VPN Tunnel Settings:
1
In the SSL VPN Server field, enter the IP address of the SSL VPN server.
2
In the User Name field, enter the user name of the SSL VPN server.
3
In the Password field, enter the password for the SSL VPN server.
4
In the Domain field, enter the domain that the SSL VPN server is located in.
5
Click Auto-Reconnect for the SonicPoint to auto-reconnect to the SSL VPN server.
* 
NOTE: To configure L3 SSL VPN, click the link to SSL VPN > Client Settings. For information about Layer 3 SSL VPN, refer to SonicPoint Layer 3 Management and SSL VPN > Client Settings.
SonicPoint Administrator Settings

To configure SonicPoint Administrator Settings:
1
In the Name field, enter the user name for the network administrator.
2
In the Password field, enter the password for the network administrator.
802.11n Radio Tab
* 
NOTE: The sections and options displayed on the 802.11n Radio tab change depending on whether you selected a VAP group in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab and the mode you selected from the Mode drop-down menu.

VAP group not selected on the Settings tab

VAP group selected on the Settings tab

To configure the 802.11n Radio tab:
1
Click the 802.11n Radio tab.
2
Configure the options on this tab:
802.11n Radio Settings
* 
NOTE: The options change depending on the mode you select.

To configure 802.11n Radio Settings:
1
Check Enable Radio to automatically enable the 802.11n radio bands on all SonicPoints provisioned with this profile. This option is selected by default.
From the Enable Radio drop-down menu, select the schedule for when the 802.11n radio is on. The default schedule is Always On. You can create a new schedule by selecting Create new schedule.
2
Select your preferred radio mode from the Mode drop-down menu. The wireless security appliance supports the modes shown in the Radio mode choices table.
* 
NOTE: The available 802.11n Radio Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel.
Does not support 802.11n, only the Channel option is displayed.
Supports 5GHz 802.11n/a, the Enable DFS Channels option is displayed.
* 
TIP: For optimal throughput speed solely for 802.11n clients, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.

Radio mode choices

2.4GHz | 5GHz | Definition
---|---|---
2.4GHz 802.11n Only | 5GHz 802.11n Only | Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
2.4GHz 802.11n/g/b Mixed (this is the default) | 5GHz 802.11n/a Mixed | Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
2.4GHz 802.11g Only | | If your wireless network consists only of 802.11g clients, you might select this mode for increased 802.11g performance. You might also select this mode if you wish to prevent 802.11b clients from associating.
2.4GHz 802.11g/b Mixed | | If your wireless network consists of both 802.11b and 802.11g clients, you might select this mode for increased performance.
 | 5GHz 802.11a Only | Select this mode if only 802.11a clients access your wireless network.
 | 5GHz 802.11n/a/ac Mixed | Supports 802.11a, 802.11ac, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
 | 5GHz 802.11ac Only | Select this mode if only 802.11ac clients access your wireless network.

3
If you chose 5GHz 802.11n Only, 5GHz 802.11a/n Mixed, or 5GHz 802.11a Only for Mode, optionally check Enable DFS Channels. Enabling Dynamic Frequency Selection (DFS) allows wireless devices to share spectrum with existing radar systems in the 5GHz band. This setting is not selected by default.
4
If you did not specify a VAP group on the Settings tab, in the SSID field, enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that appears in clients’ lists of available wireless connections.
* 
NOTE: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
5
If the mode you selected supports:
802.11g only or 802.11a only, go to Step 6
802.11n only or 802.11n mixed, go to Step 8
6
Only for 802.11a/g: Select the channel for the radio from the Channel drop-down menu:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. Use Auto unless you have a specific reason to use or avoid specific channels.
Specific channel: Select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.

802.11g/802.11a channels

802.11g Channels | 802.11a Channels
---|---
Channel 1 (2412 MHz) | Channel 36 (5180 MHz)
Channel 2 (2417 MHz) | Channel 40 (5200 MHz)
Channel 3 (2422 MHz) | Channel 44 (5220 MHz)
Channel 4 (2427 MHz) | Channel 48 (5240 MHz)
Channel 5 (2432 MHz) | Channel 149 (5745 MHz)
Channel 6 (2437 MHz) | Channel 153 (5765 MHz)
Channel 7 (2442 MHz) | Channel 157 (5785 MHz)
Channel 8 (2447 MHz) | Channel 161 (5805 MHz)
Channel 9 (2452 MHz) | 
Channel 10 (2457 MHz) | 
Channel 11 (2462 MHz) | 

7
If you selected 5GHz 802.11a Only or 2.4GHz 802.11g Only mode, go to Step 11.
8
For 802.11n only or 802.11n mixed: From the Radio Band drop-down menu, select the band for the 802.11n radio:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
The Primary Channel and Secondary Channel drop-down menus are set to Auto and cannot be changed.
Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel drop-down menus.
Channel - By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. The available channels are the same as for 802.11g in Step 6.
Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are displayed:
Primary Channel - By default, this is set to Auto. Optionally, you can specify a specific primary channel. The available channels are the same as for 802.11a in Step 6.
Secondary Channel - The configuration of this drop-down menu is set to Auto regardless of the primary channel setting.
9
Optionally, select the Enable Short Guard Interval checkbox to specify a short guard interval of 400ns as opposed to the standard guard interval of 800ns. This setting is not selected by default.
* 
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.

A guard interval is a set amount of time between transmissions that is designed to ensure distinct transmissions do not interfere with one another. The guard interval introduces immunity to propagation delays, echoes, and reflections. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays.

The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. A short guard interval of 400 nanoseconds (ns) will work in most office environments as distances between points of reflection, as well as between clients, are short. Most reflections will be received quickly. The shorter the guard interval, the more efficiency there is in the channel usage, but a shorter guard interval also increases the risk of interference.

Some outdoor deployments may, however, require a longer guard interval. The need for a long guard interval of 800 ns becomes more important as areas become larger, such as in warehouses and in outdoor environments, as reflections and echoes become more likely to continue after the short guard interval would be over.

10
Optionally, to enable 802.11ac or 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput, select the Enable Aggregation checkbox.
* 
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.

Data over wireless networks is sent as a stream of packets known as data frames. Frame aggregation takes these packets and combines them into fewer, larger packets, thereby allowing an increase in overall performance. Frame aggregation was added to the 802.11n specification to allow for an additional increase in performance. Frame aggregation is a feature that only 802.11n clients can take advantage of, as legacy systems cannot understand the new format of the larger packets.

* 
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, and so on), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
11
Select Enable MIMO to enable MIMO (multiple-input, multiple-output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas.

This option is enabled by default for all 802.11n modes and is dimmed to ensure it is not disabled. The option is activated and selected by default if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.

* 
IMPORTANT: To avoid compatibility issues, ensure the 802.11a or 802.11g wireless client also can support these antennas. If the client cannot support these antennas, disable the option by deselecting it.

Disabling MIMO may cause weaker signal strength and lower throughput for some wireless clients. If you do disable MIMO for compatibility, a confirmation message displays. Click OK to continue.

12
If you:
Did not select a VAP, go to Wireless Security.
Selected a VAP from the 802.11n Radio Virtual AP Group drop-down menu in the Virtual Access Point Settings section of the Settings tab, go to Virtual Access Point Encryption Settings.
Wireless Security
* 
NOTE: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed. Go to Virtual Access Point Encryption Settings.

If you are configuring a SonicPointACe/ACi/N2, you configure RADIUS Accounting in this section.

To configure Wireless Security:
1
In the Wireless Security section, select the method of authentication for your wireless network from the Authentication Type drop-down menu:
* 
NOTE: The options available change with the type of configuration you select.
WEP (see note 1):
WEP - Both (Open System & Shared Key) – default
WEP - Open System (see note 3)
WEP - Shared Key
WPA (see note 2):
WPA - PSK
WPA - EAP
WPA2 (see note 2):
WPA2-PSK
WPA2-EAP
WPA2-AUTO-PSK
WPA2-AUTO-EAP

1
For WEP - Both (Open System & Shared Key) and WEP - Shared Key, go to WEP Configuration.

2
For WPA and WPA2 options, go to WPA or WPA2 Configuration.

3
For WEP - Open System, all options are dimmed; go to ACL Enforcement.

WEP Configuration

WEP (Wired Equivalent Privacy) is a standard for Wi-Fi wireless network security.

A WEP key is a security code system for Wi-Fi networks. WEP keys allow a group of devices on a local network (such as a home network) to exchange encoded messages with each other while hiding the contents of the messages from easy viewing by outsiders.

You choose the WEP keys. When WEP security is enabled on a network, matching WEP keys must be set on Wi-Fi routers and each device connecting over Wi-Fi, for them all to communicate with each other.

To configure Wireless Security for WEP:
1
Select the size of the encryption key from the WEP Key Mode drop-down menu:
None – Default for WEP - Both (Open System & Shared Key). If selected, the rest of the options in this section remain dimmed; go to ACL Enforcement.
64 bit
128 bit
152 bit - default for WEP - Shared Key
2
From the Default Key drop-down menu, select which key is the default key, that is, the key that is tried first when trying to authenticate a user:
Key 1 (default)
Key 2
Key 3
Key 4
3
From the Key Entry drop-down menu, select whether the key is:
Alphanumeric (default)
Hexadecimal (0-9, A-F)
4
In the Key 1 - Key 4 fields, enter up to four possible WEP encryption keys used when transferring encrypted wireless traffic. Enter the key most likely to be used in the field you selected as the default key:
* 
NOTE: The length of each key is based on the selected key type (alphanumeric or hexadecimal) and WEP strength (WEP Key Mode): 64, 128, or 152 bits.
Key 1: First static WEP key associated with the key index.
Key 2: Second static WEP key associated with the key index.
Key 3: Third static WEP key associated with the key index.
Key 4: Fourth static WEP key associated with the key index.
5
WPA or WPA2 Configuration
* 
NOTE: The options change depending on the authentication type selected.

WPA - PSK, WPA2 - PSK, or WPA2 - AUTO - PSK

WPA2 - EAP or WPA2 - AUTO - EAP

To configure Wireless Security for WPA or WPA2
1
From the Cipher Type drop-down menu, select the cipher to encrypt your wireless data:
AES (newer, more secure; default): AES (Advanced Encryption Standard) is a block cipher used to protect traffic on wireless networks. AES supports key lengths of 128, 192, or 256 bits, depending on the hardware you intend to use with it. In the networking field, AES is considered to be among the most secure of all commonly installed encryption packages.
TKIP (older, more compatible): TKIP (Temporal Key Integrity Protocol) is not actually a cipher, but a set of security algorithms meant to improve the overall safety of WEP (Wired Equivalent Privacy) networks. WEP is widely known to have a host of serious security vulnerabilities. TKIP adds a few extra layers of protection to WEP. This is the default.
Auto: the appliance chooses the cipher type automatically.
2
In the Group Key Interval (seconds) field, enter the period for which a Group Key is valid, that is, the time interval before the encryption key is changed automatically for added security. The default value is 86400 seconds (24 hours). Setting too low a value can cause connection issues.
3
If, from the Authentication Type drop-down menu, you selected:
PSK authentication types, go to Step 4.
EAP authentication types, go to RADIUS Server Settings.
4
For PSK authentication types only, in the Passphrase field, enter the passphrase your network users must enter to gain network access.
* 
NOTE: This option displays only if you configure WPA-PSK, WPA2-PSK, or WPA2-AUTO-PSK for your authentication type.
5
RADIUS Server Settings
* 
NOTE: This option displays only if you selected WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP for your authentication type.

Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution uses an external 802.1x/EAP-capable RADIUS server for key generation. An EAP-compliant RADIUS server provides 802.1X authentication. The RADIUS server must be configured to support this authentication and all communications with the SonicWall.

If you are configuring a profile for a SonicPointACe/ACi/N2, you can configure RADIUS Accounting in this section.

To configure RADIUS Server Settings:
1
Click the Configure button. The SonicPoint Radius Server Settings dialog displays. The options displayed on this dialog depend on the type of SonicPoint.

SonicPointNDR or SonicPoint N

SonicPointACe/ACi/N2

2
In the Radius Server Retries field, enter the number of times, from 1 to 10, the firewall attempts to connect before it fails over to the other Radius server. The default number depends on the SonicPoint:
SonicPointNDR – 0
SonicPointACe/ACi/N2 – 4
3
In the Retry Interval (seconds) field, enter the time, from 0 to 60 seconds, to wait between retries. The default is 0, that is, no wait between retries.
4
To configure the Radius Server Settings, see Remote MAC Address Access Control Settings.
5
If you are configuring RADIUS for:
SonicPointACe/ACi/N2, go to Step 6.
SonicPointNDR, go to Step 8.
6
To send the NAS identifier to the RADIUS server, select the type from the NAS Identifier Type drop-down menu:
Not Included (default)
SonicPoint’s Name
SonicPoint’s MAC Address
7
To send the NAS IP address to the RADIUS Server, enter the address in the NAS IP Addr field.
8
Click OK.
Virtual Access Point Encryption Settings
* 
NOTE: This section displays only if a VAP was selected from the 802.11n Radio Virtual AP Group drop-down menu in the Virtual Access Point Settings section of the Settings tab.

1
Click Configure. The Edit 802.11n Virtual Access Point WEP Key dialog displays.

2
From the Key Entry Method radio buttons, select whether the key is:
Alphanumeric (default)
Hexadecimal (0-9, A-F)
3
From the Default Key radio buttons, select the default key that is tried first when trying to authenticate a user:
Key 1 (default)
Key 2
Key 3
Key 4
4
In the Key 1 - Key 4 fields, enter up to four possible WEP encryption keys to be used when transferring encrypted wireless traffic. Enter the key most likely to be used in the field you selected as the default key.
Key 1: First static WEP key associated with the key index.
Key 2: Second static WEP key associated with the key index.
Key 3: Third static WEP key associated with the key index.
Key 4: Fourth static WEP key associated with the key index.
5
From the Key Type drop-down menus, select the size of each key:
None (default)
64-bit
128-bit
152-bit
6
Click OK.
ACL Enforcement

1
Check the Enable MAC Filter List checkbox to enforce Access Control by allowing or denying traffic from specific devices. By default, this option is not selected, and the Allow List and Deny List options are dimmed.
2
From the Allow List drop-down menu, select a MAC address group to allow traffic automatically from all devices with a MAC address in the group:
Create new Mac Address Object Group… – The Add Address Object Group dialog displays.

a)
In the Name field, enter a friendly name for the address object group.
b)
Select one or more objects from the left column.
c)
Click the Right Arrow button to move the selection(s) to the right column.
d)
Repeat Step b and Step c until you have selected all the objects you want for the address object group.
e)
Click OK. The new group becomes the default selection in the Allow List drop-down menu.
All MAC Addresses
* 
TIP: It is recommended that the Allow List be set to All MAC Addresses.
Default SonicPoint ACL Allow Group
Custom MAC Address Object Groups
3
From the Deny List drop-down menu, select a MAC address group to automatically deny traffic from all devices with a MAC address in the group.
* 
IMPORTANT: The Deny List is enforced before the Allow List.
Create new Mac Address Object Group… – The Add Address Object Group dialog displays. For configuring the address object group, see Step a.
No MAC Addresses
Default SonicPoint ACL Deny Group
* 
TIP: It is recommended that the Deny List be set to Default SonicPoint ACL Deny Group.
Custom MAC Address Object Groups
4
Optionally, select Enable MIC Failure ACL Blacklist to detect WPA TKIP MIC failure floods and automatically place the problematic wireless station(s) into a blacklist to stop the attack. As wireless clients generate the TKIP countermeasures, they are also moved automatically into the blacklist, so the other wireless stations within the same wireless LAN network are not affected. By default, this setting is not selected.
5
Enter the maximum number of MIC failures per minute in the MIC Failure Frequency Threshold field; default is 3. After the threshold is reached, the source is blacklisted.
* 
TIP: When a source is blacklisted, it is added to the dynamically created Default SonicPoint ACL Deny Group. You can view this on the Network > Address Objects page.
6
If you:
Did not specify a VAP on the Settings tab, go to Remote MAC Address Access Control Settings.
Specified a VAP on the Settings tab, go to Advanced Tab.
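The ACL Enforcement steps above state three rules: the Deny List is enforced before the Allow List, All MAC Addresses allows any source, and a station that reaches the MIC Failure Frequency Threshold (failures per minute, default 3) is added to the dynamic Default SonicPoint ACL Deny Group. The following is an added example, not SonicOS code, that models those rules so the precedence and the one-minute threshold window can be checked against constructed events; the class and function names are assumptions for the illustration.

```python
"""Added example (not SonicOS code): a model of SonicPoint ACL Enforcement
as described in the guide: Deny List before Allow List, "All MAC Addresses"
wildcard, and MIC-failure blacklisting into the dynamic deny group."""
from collections import defaultdict, deque

ALL_MAC_ADDRESSES = "All MAC Addresses"   # wildcard Allow List choice
NO_MAC_ADDRESSES = frozenset()            # empty Deny List choice


def normalize_mac(mac):
    """Canonical lower-case colon form so '00-11-22-AA-BB-CC' matches."""
    hexdigits = mac.replace("-", "").replace(":", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class SonicPointAcl:
    """Hypothetical evaluator for the Allow List / Deny List / MIC blacklist."""

    def __init__(self, allow_list=ALL_MAC_ADDRESSES, deny_list=NO_MAC_ADDRESSES,
                 mic_failure_threshold=3, mic_blacklist_enabled=True):
        self.allow_all = allow_list == ALL_MAC_ADDRESSES
        self.allow = set() if self.allow_all else {normalize_mac(m) for m in allow_list}
        self.deny = {normalize_mac(m) for m in deny_list}
        # Dynamic group the guide calls "Default SonicPoint ACL Deny Group"
        self.default_deny_group = set()
        self.threshold = mic_failure_threshold
        self.blacklist_enabled = mic_blacklist_enabled
        self._mic_failures = defaultdict(deque)  # mac -> failure timestamps (s)

    def decision(self, mac):
        """Return 'allow' or 'deny' for a station; Deny List is checked first."""
        mac = normalize_mac(mac)
        if mac in self.deny or mac in self.default_deny_group:
            return "deny"
        if self.allow_all or mac in self.allow:
            return "allow"
        return "deny"  # MAC filtering on, station not on the Allow List

    def record_mic_failure(self, mac, ts):
        """Count one TKIP MIC failure from mac at time ts (seconds).
        Returns True if this failure pushed the station onto the blacklist."""
        if not self.blacklist_enabled:
            return False
        mac = normalize_mac(mac)
        window = self._mic_failures[mac]
        window.append(ts)
        while window and ts - window[0] >= 60:   # sliding one-minute window
            window.popleft()
        if len(window) >= self.threshold and mac not in self.default_deny_group:
            self.default_deny_group.add(mac)
            return True
        return False


# Constructed sample events, not real logs: (timestamp_s, event, mac)
SAMPLE_EVENTS = [
    (0,   "assoc",       "00:11:22:33:44:55"),
    (5,   "mic_failure", "00:11:22:33:44:55"),
    (70,  "mic_failure", "00:11:22:33:44:55"),  # failure at t=5 has aged out
    (75,  "assoc",       "00:11:22:33:44:55"),  # still allowed: 1 in window
    (80,  "mic_failure", "00:11:22:33:44:55"),
    (90,  "mic_failure", "00:11:22:33:44:55"),  # 3 within 60 s -> blacklisted
    (100, "assoc",       "00:11:22:33:44:55"),
    (100, "assoc",       "AA-BB-CC-DD-EE-FF"),  # on both lists: Deny wins
]


def replay(events, acl):
    """Replay events through the ACL; return [(ts, mac, decision), ...]."""
    out = []
    for ts, event, mac in events:
        if event == "mic_failure":
            acl.record_mic_failure(mac, ts)
        else:
            out.append((ts, normalize_mac(mac), acl.decision(mac)))
    return out


def run_sample():
    """Evaluate SAMPLE_EVENTS; returns (decisions, sorted blacklisted MACs)."""
    acl = SonicPointAcl(
        allow_list=["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"],
        deny_list=["AA-BB-CC-DD-EE-FF"],
        mic_failure_threshold=3,
    )
    return replay(SAMPLE_EVENTS, acl), sorted(acl.default_deny_group)


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(row)
```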
Remote MAC Address Access Control Settings
* 
IMPORTANT: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab, this section is not available. Go to Advanced Tab.

If an EAP authentication type was selected in the Authentication Type drop-down menu, this message is displayed:

Remote MAC address access control can not be set
when IEEE 802.11i EAP is enabled.

Click OK.

1
Check the Enable Remote MAC Access Control checkbox to enforce radio wireless access control based on MAC-based authentication policy in a remote Radius server.
2
Click Configure. The SonicPoint Radius Server Global Settings dialog displays.

3
For the procedure in configuring the settings on the SonicPoint Radius Server Global Settings dialog, see Remote MAC Address Access Control Settings.
4
Click OK.
Advanced Tab

In the Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.

* 
NOTE: Except for two settings, the advanced settings are the same for both VAP and non-VAP profiles. The differences are noted in the procedure.
1
Click the Advanced tab.
2
If you:
Selected a VAP on the Settings tab, go to Step 3.
Did not select a VAP on the Settings tab, optionally select Hide SSID in Beacon to have the SonicPoint send null SSID beacons in place of advertising the wireless SSID name. Sending null SSID beacons forces wireless clients to know the SSID to connect. This option is unchecked by default.
3
From the Schedule IDS Scan drop-down menu, select a schedule for the IDS (Intrusion Detection Service) scan. Select a time when there are fewer demands on the wireless network to schedule an IDS scan to minimize the inconvenience of dropped wireless connections. You can create your own schedule by selecting Create new schedule or disable the feature by selecting Disabled (default).
* 
NOTE: IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN Infrastructure, which consists of authorized APs, the RF medium, and the wired network. An authorized or valid-AP is defined as an AP that belongs to the WLAN infrastructure. The AP is either a SonicPoint or a third party AP.
4
From the Data Rate: drop-down menu, select the speed at which the data is transmitted and received.
Best (default)
6 Mbps
9 Mbps
12 Mbps
18 Mbps
24 Mbps
36 Mbps
48 Mbps
54 Mbps

Best automatically selects the best rate available in your area given interference and other factors. Best is the default and is the only choice if you selected a VAP on the Settings tab.

5
From the Transmit Power drop-down menu, select the transmission power, which affects the range of the SonicPoint:
Full Power (default)
Half (-3 dB)
Quarter (-6 dB)
Eighth (-9 dB)
Minimum
6
From the Antenna Diversity drop-down menu, select Best, the default. The Antenna Diversity setting determines which antenna the SonicPoint uses to send and receive data. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal.
7
In the Beacon Interval (milliseconds) field, enter the number of milliseconds between sending out wireless SSID beacons. This interval represents the amount of time between beacon transmissions. Before a station enters power-save mode, the station needs the beacon interval to know when to wake up to receive the beacon (and learn whether there are buffered frames at the access point).

The minimum interval is 20 milliseconds, the maximum is 1000 milliseconds, and the default is 100 milliseconds.

8
In the DTIM Interval field, enter the interval, in milliseconds, between the sending of Delivery Traffic Indication Messages (DTIMs) in the beacon. This interval is the maximum number of beacon cycles before unacknowledged network broadcasts are flushed. When using wireless clients that use power management features to sleep, the client must revive at least once during the DTIM period to receive broadcasts. 802.11 power-save mode clients are alerted of incoming multicast packets.

The minimum interval is 1 millisecond, the maximum is 255 milliseconds, and the default is 1 millisecond.

9
In the Fragmentation Threshold (bytes) field, enter the number of bytes of fragmented data you want the network to allow. The fragmentation threshold limits the maximum frame size. This reduces the time required to transmit the frame, and therefore reduces the probability that the frame will be corrupted (at the cost of more data overhead). Fragmented wireless frames increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold numbers produce more fragments.

The minimum is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.

10
In the RTS Threshold (bytes) field, enter the number of bytes of the Request to Send (RTS) threshold. The RTS threshold specifies the frame size the transmitter must use. Fragmented wireless frames increase reliability and throughput in areas with RF interference or poor wireless coverage. Wireless clients transmitting frames larger than this threshold must issue Request to Send (RTS) and wait for the AP to respond with Clear to Send (CTS). This option not only helps avoid hidden node problems, but also helps prevent mid-air collisions among wireless clients that are in range of the same access point but not in range of each other, and so cannot detect when the other clients are transmitting.

The minimum value is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes. The default value used by many vendors is 2346 bytes. Lower threshold numbers produce more fragments.

11
In the Maximum Client Associations field, enter the maximum number of clients you want each SonicPoint using this profile to support on this radio at one time. The minimum number is 1 client, the maximum is 128 clients, and the default is 32 clients.
12
In the Station Inactivity Timeout (seconds) field, enter the maximum length of wireless client inactivity, in seconds, before access points age out the wireless client. The minimum period is 60 seconds, the maximum is 36000 seconds, and the default number is 300 seconds.
13
If you:
Did not select a VAP on the Settings tab, go to Step 14.
Selected a VAP on the Settings tab, from the Preamble Length drop-down menu, select the length of the preamble—the initial wireless communication sent when associating with a wireless host: Long or Short.
14
From the WMM (Wi-Fi Multimedia) drop-down menu, select whether a WMM profile is associated with this profile:
Disabled (default)
Create new WMM profile. The Add Wlan WMM Profile window displays. For information about configuring a WMM profile, see Configuring Wi-Fi Multimedia Parameters.
Configured WMM profile
Sensor Tab

In the Sensor tab, you enable or disable Wireless Intrusion Detection and Prevention (WIDP) mode.

* 
IMPORTANT: If this option is selected, Access Point or Virtual Access Point(s) functionality is disabled automatically.
1
Check the Enable WIDF checkbox to have the SonicPoint N operate as a dedicated WIDP sensor.
From the drop-down menu, select the schedule for when the SonicPoint N operates as a WIDP sensor or select Create new schedule… to specify a different time; default is Always on.
2
Click OK.

Managing SonicPoints

Modify (Edit) a SonicPoint Profile

To modify (edit) a SonicPoint Profile:
1
Navigate to the SonicPoint > SonicPoints page.
2
Click the Edit icon for the SonicPoint profile you want to modify. The Edit SonicPoint <…> Profile dialog displays. The options available on this dialog depend on the type of SonicPoint you are editing.
3
Edit the profile settings as you wish. The Edit SonicPoint <…> Profile dialogs are the same as the Add SonicPoint <…> Profile dialogs described in the following sections:
4
When finished, click OK. A warning message is displayed, informing you that all SonicPoint devices in the same zone are autoprovisioned.
5
Click OK.

After you click OK, all linked SonicPoint devices are reprovisioned and rebooted.

Updating SonicPoint Settings

You can change the settings of any individual SonicPoint on the SonicPoint > SonicPoints page.

Synchronize SonicPoints

Click the Synchronize SonicPoints button at the top of the SonicPoint > SonicPoints page to issue a query directive from the SonicWall appliance to the WLAN Zone. All connected SonicPoints report their current settings and statistics to the appliance. SonicOS also attempts to locate the presence of any newly connected SonicPoints that are not yet registered with the firewall.

* 
NOTE: The button polls the SonicPoints, but does not push configuration to them.
Delete Individual SonicPoint Profiles
* 
NOTE: You cannot delete the predefined SonicPoint profiles, only those you add.

You can delete individual SonicPoint profiles from the SonicPointN Provisioning Profiles section on the SonicPoint > SonicPoints page:

Delete a SonicPoint profile by:
1)
Clicking its Delete button. A confirmation message appears.
2)
Click OK.
Delete one or more SonicPoint profiles by:
1)
Selecting the checkbox next to the name(s) of the SonicPoint profile(s) to be deleted. The Delete button becomes active.
2)
Click the Delete button. A confirmation message appears.
3)
Click OK.
Delete All SonicPoint Profiles
* 
NOTE: You cannot delete the predefined SonicPoint profiles, only those you add.

You can delete all SonicPoint profiles from the SonicPointN Provisioning Profiles section on the SonicPoint > SonicPoints page:

1
Select the checkbox next to the # in the column heading. The Delete All button becomes active.
2
Click the Delete All button. A confirmation message appears.
3
Click OK.
Delete Individual SonicPoints

You can delete individual SonicPoints from the SonicPointNs section on the SonicPoint > SonicPoints page:

Delete a SonicPoint by:
1)
Clicking its Delete button. A confirmation message appears.
2)
Click OK.
Delete one or more SonicPoints by:
1)
Selecting the checkbox next to the name(s) of the SonicPoint(s) to be deleted. The Delete button becomes active.
2)
Click the Delete button. A confirmation message appears.
3)
Click OK.
Delete All SonicPoints

You can delete all SonicPoints from the SonicPointNs section on the SonicPoint > SonicPoints page:

1
Select the checkbox next to the # in the column heading. The Delete All button becomes active.
2
Click the Delete All button. A confirmation message appears.
3
Click OK.
Reboot Individual SonicPoints

You can reboot individual SonicPoints from the SonicPointNs section on the SonicPoint > SonicPoints page:

1
Check the checkbox next to the name of the SonicPoint to be rebooted. The Reboot icon becomes active.
2
Click the Reboot button. A confirmation message displays.

3
Select the type of reboot:
reboot (default) – Reboots to the configured profile settings.
reboot to factory default – Reboots to factory default settings.
* 
CAUTION: Selecting this option overwrites the SonicPoint profiles with factory default values.
4
Click OK.
Reboot All SonicPoints

You can reboot all SonicPoints on the SonicPoint > SonicPoints page:

1
Click the Reboot All button. The Reboot all SonicPoint Confirmation dialog displays.
2
Select one of the following:
reboot (default) – Reboots to the configured profile settings.
reboot to factory default – Reboots to factory default settings.
* 
CAUTION: Selecting this option overwrites the SonicPoint profiles with factory default values.
3
Click OK to reboot the SonicPoints or Cancel to close the window without rebooting.


Viewing Station Status

* 
NOTE: SonicPoints are not supported on the SuperMassive 9800.

SonicPoint > Station Status

The SonicPoint > Station Status page reports on the statistics of each SonicPoint.

The table lists entries for each wireless client connected to each SonicPoint. The sections of the table are divided by SonicPoint. Under each SonicPoint is the list of all clients currently connected to it.

Click the Refresh button in the top left corner to refresh the list.

Viewing Statistics

Click on the Statistics icon to see a detailed report for an individual station. Each SonicPoint device reports for both radios, and for each station, the following information to its SonicOS peer:

Station/SonicPointN Information

MAC Address – The client’s (Station’s) hardware address.
Status – The state of the station:
None – No state information yet exists for the station.
Authenticated – The station has successfully authenticated.
Associated – The station is associated.
Joined – The station has joined the ESSID.
Connected – The station is connected (joined, authenticated or associated).
Up – An Access Point state, indicating that the Access Point is up and running.
Down – An Access Point state, indicating that the Access Point is not running.

Radio Statistics

Associations – Total number of Associations since power up.
Disassociations – Total number of Disassociations.
Reassociations – Total number of Reassociations.
Authentications – Number of Authentications.
Deauthentications – Number of Deauthentications.
Discards Packets - Number of discarded packets.

Traffic Statistics

Good Packets – Total number of good packets received/transmitted.
Bad Packets – Total number of bad packets received/transmitted.
Good Bytes – Total number of good bytes received/transmitted.
Management Packets – Total number of Management packets received/transmitted. Management packets include:
Authentication Frame – 802.11 authentication is the process whereby the access point either accepts or rejects the identity of a radio NIC before allocating resources to it. Authentication restricts the ability to send and receive on the network.
Deauthentication – A station sends a deauthentication frame to another station when it wishes to terminate secure communications. It is a one-way notification from the sending station.
Association request Frame – 802.11 associations enable the access point to allocate resources for and synchronize with a radio NIC. A NIC begins the association process by sending an association request to an access point. This frame carries information about the NIC (for example, supported data rates) and the SSID of the network with which it wishes to associate. After receiving the association request, the access point considers associating with the NIC, and (if accepted) reserves memory space and establishes an association ID for the NIC.
Association response Frame – An access point sends an association response frame containing an acceptance or rejection notice to the radio NIC requesting association and which will include the Association ID of the requester. If the access point accepts the radio NIC, the frame includes information regarding the association, such as association ID and supported data rates.
Reassociation request Frame – This frame is similar to an association request, but has a different purpose. This frame is mainly useful in client roaming where if a station roams away from the currently associated access point and finds another access point having a stronger beacon signal, the radio NIC will send a re-association frame to the new access point. The new access point then coordinates the forwarding of data frames that may still be in the buffer of the previous access point waiting for transmission to the radio NIC. To gain a successful association, the sender must be authenticated already.
Reassociation response Frame – An access point sends a reassociation response frame containing an acceptance or rejection notice to the radio NIC requesting re-association. As in the association process, the frame includes information regarding the association, such as association ID and supported data rates.
Probe request – When a station or client becomes active, or when the WLAN card on a PC is enabled, it sends a probe request frame to obtain needed information from another station or access point. The probe request frame is sent on every channel the client supports in an attempt to find all access points in range that match the SSID and client-requested data rates. It is up to the client to determine which access point to associate with by weighing various factors such as supported data rates.
Probe response – In response to the probe request, an AP with matching criteria responds with a probe response frame containing synchronization information and access point load, and may contain other information such as capability information and supported data rates.
Beacon Frame – The access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, to help synchronize member stations with the BSS, SSID, and other parameters regarding the access point to radio NICs that are within range.
ATIM message – The Announcement Traffic Indication Message is the traffic indication map for an IBSS (in a BSS, the TIM is included in the beacon).
Disassociation – A station sends a disassociation frame to another station if it wishes to terminate the association. Disassociation is a simple declaration from either an access point or a device.
Control Packets – Total number of Control packets received/transmitted. Control packets include:
RTS – The RTS (Request to Send) frame reduces frame collisions present when hidden stations have associations with the same access point. A station sends a RTS frame to another station as the first phase of a two-way handshake necessary before sending a data frame.
CTS – A station responds to a RTS with a CTS (Clear to Send) frame, providing clearance for the requesting station to send a data frame. The CTS includes a time value that causes all other stations (including hidden stations) to hold off transmission of frames for a time period necessary for the requesting station to send its frame. This period minimizes collisions among hidden stations, which can result in higher throughput if you implement it properly.
ACK – After receiving a data frame, the receiving station uses an error-checking process to detect the presence of errors. The receiving station sends an ACK (Positive Acknowledgement) frame to the sending station if no errors are found. If the sending station does not receive an ACK after a period of time, it retransmits the frame.
Data Packets – Total number of Data frames received/transmitted. The main purpose of having a wireless LAN is to transport data. 802.11 defines a data frame type that carries packets from higher layers, such as web pages and printer control data, within the body of the frame.
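The Management, Control and Data packet counters above are derived from the type and subtype fields of each frame's Frame Control field. The following is an added example, not SonicOS code, that decodes that field to sort constructed 802.11 frames into those three buckets and into the per-station frame names listed above; the type/subtype values are the standard IEEE 802.11 assignments (assumed known, not listed on this page), and the frames are built inline for the demonstration.

```python
"""Added example (not SonicOS code): classify 802.11 frames into the
Management / Control / Data counters of the Station Status statistics by
decoding the Frame Control field (IEEE 802.11 type/subtype values)."""
import struct
from collections import Counter

MGMT_SUBTYPES = {
    0: "Association request", 1: "Association response",
    2: "Reassociation request", 3: "Reassociation response",
    4: "Probe request", 5: "Probe response",
    8: "Beacon", 9: "ATIM", 10: "Disassociation",
    11: "Authentication", 12: "Deauthentication",
}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def parse_frame(raw):
    """Return (category, frame_name, transmitter) for one raw 802.11 frame.

    transmitter is Address 2 (TA) for management and data frames and for
    RTS; CTS and ACK carry only a receiver address, so it is None."""
    if len(raw) < 2:
        raise ValueError("frame too short for Frame Control")
    fc0 = raw[0]                       # bits 0-1 version, 2-3 type, 4-7 subtype
    if fc0 & 0x03 != 0:
        raise ValueError("unsupported 802.11 protocol version")
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if ftype == 0:
        name = MGMT_SUBTYPES.get(subtype, "Reserved management subtype %d" % subtype)
    elif ftype == 1:
        name = CTRL_SUBTYPES.get(subtype, "Other control subtype %d" % subtype)
    elif ftype == 2:
        name = "QoS Data" if subtype & 0x08 else "Data"   # bit 3 marks QoS
    else:
        raise ValueError("reserved frame type 3")
    category = TYPE_NAMES[ftype] + " Packets"
    has_ta = ftype in (0, 2) or (ftype == 1 and subtype == 11)  # RTS has TA
    transmitter = mac_str(raw[10:16]) if has_ta and len(raw) >= 16 else None
    return category, name, transmitter


def tally(frames):
    """Count frames per category and per transmitting station."""
    per_category = Counter()
    per_station = {}
    for raw in frames:
        category, name, ta = parse_frame(raw)
        per_category[category] += 1
        if ta is not None:
            per_station.setdefault(ta, Counter())[name] += 1
    return per_category, per_station


def build_frame(fc0, ra, ta=None, bssid=None, body=b""):
    """Assemble a constructed test frame: Frame Control (flags 0), Duration,
    then the addresses the frame type carries; not a real capture."""
    hdr = struct.pack("<BBH", fc0, 0x00, 0) + ra
    if ta is not None:
        hdr += ta
    if bssid is not None:
        hdr += bssid + struct.pack("<H", 0)   # Address 3 + Sequence Control
    return hdr + body


# Constructed addresses for the sample exchange (not real devices)
AP = bytes.fromhex("001122aabbcc")
STA = bytes.fromhex("aabbccddeeff")
BCAST = b"\xff" * 6

SAMPLE_FRAMES = [
    build_frame(0x80, BCAST, AP, AP),      # Beacon from AP
    build_frame(0x40, BCAST, STA, BCAST),  # Probe request from station
    build_frame(0x50, STA, AP, AP),        # Probe response from AP
    build_frame(0xB0, AP, STA, AP),        # Authentication from station
    build_frame(0x00, AP, STA, AP),        # Association request
    build_frame(0x10, STA, AP, AP),        # Association response
    build_frame(0xB4, AP, STA),            # RTS from station (RA, TA only)
    build_frame(0xC4, STA),                # CTS from AP (RA only)
    build_frame(0x08, AP, STA, AP),        # Data frame from station
    build_frame(0xD4, STA),                # ACK from AP (RA only)
    build_frame(0xC0, STA, AP, AP),        # Deauthentication from AP
]

if __name__ == "__main__":
    categories, stations = tally(SAMPLE_FRAMES)
    print(dict(categories))
    for mac, names in stations.items():
        print(mac, dict(names))
```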

Client Authentication Process

As per the 802.11 specification, the client authentication process consists of the following transactions:

1
Access points continuously send out Beacon Frames, which are picked up by nearby WLAN clients.
2
The client can also broadcast its own probe request frame on every channel.
3
Access points within range respond with a probe response frame.
4
The client decides which access point (AP) is the best for access and sends an authentication request.
5