SonicOS 6.2 Admin Guide

Wireless
(Wireless platforms only)

Wireless Overview

NOTE: For Wireless platforms only.

About Wireless

The SonicWall Wireless security appliances support wireless protocols called IEEE 802.11ac, 802.11b, 802.11g, and 802.11n commonly known as Wi-Fi, and send data via radio transmissions. The SonicWall wireless security appliance combines three networking components to offer a fully secure wireless firewall: an Access Point, a secure wireless gateway, and a stateful firewall with flexible NAT and VPN termination and initiation capabilities. With this combination, the wireless security appliance offers the flexibility of wireless without compromising network security.

Typically, the wireless security appliance is the access point for your wireless LAN and serves as the central access point for computers on your LAN. In addition, it shares a single broadband connection with the computers on your network. Since the wireless security appliance also provides firewall protection, intruders from the Internet cannot access the computers or files on your network. This is especially important for an “always-on” connection such as a DSL or T1 line that is shared by computers on a network.

However, wireless LANs are vulnerable to “eavesdropping” by other wireless networks, which means you should establish a wireless security policy for your wireless LAN. On the wireless security appliance, wireless clients connect to the Access Point layer of the firewall. Instead of bridging the connection directly to the wired network, wireless traffic is first passed to the Secure Wireless Gateway layer, where the client is required to be authenticated via User Level Authentication. Wireless access to Guest Services and MAC Filter Lists is managed by the wireless security appliance. If all of the security criteria are met, wireless network traffic can then pass via one of the following Distribution Systems (DS):

LAN
WAN
Wireless Client on the WLAN
DMZ or other zone on Opt port
VPN tunnel

Information about wireless status can be found in Wireless > Status.

FCC U-NII New Rule Compliance

Beginning in SonicOS 6.2.5.1, FCC U-NII (Unlicensed-National Information Infrastructure) New Rule (Report and Order ET Docket No. 13-49) is supported on TZ series and SOHO wireless appliances. To comply with FCC New Rules for Dynamic Frequency Selection (DFS), a TZ series or SOHO wireless appliance detects and avoids interfering with radar signals in DFS bands.

NOTE: TZ series and SOHO wireless appliances manufactured with FCC New Rule-compliant firmware are only supported with SonicOS 6.2.5.1 and higher.

NOTE: For the latest information about regulatory approvals and restrictions for SonicWall wireless devices, see the Product Documentation pages for your product under Support on www.SonicWall.com. Each device has a unique regulatory document or Getting Started Guide that provides the relevant information.

Considerations for Using Wireless Connections

Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections.
Convenience - wireless networks do not require cabling of individual computers or opening computer cases to install network cards.
Speed - if network speed is important to you, you may want to consider using Ethernet connections rather than wireless connections.
Range and Coverage - if your network environment contains numerous physical barriers or interference factors, wireless networking may not be suitable for your network.
Security - wireless networks have inherent security issues due to the unrestricted nature of wireless transmissions. However, the wireless security appliance is a firewall and has NAT capabilities, which provide security, and you can use WPA or WPA2 to secure data transmissions.

Recommendations for Optimal Wireless Performance

Place the wireless security appliance near the center of your intended network. This can also reduce the possibility of eavesdropping by neighboring wireless networks.
Minimize the number of walls or ceilings between the wireless security appliance and the receiving points such as PCs or laptops.
Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
Building construction can make a difference on wireless performance. Avoid placing the wireless security appliance near walls, fireplaces, or other large solid objects. Placing the wireless security appliance near metal objects such as computer cases, monitors, and appliances can affect performance of the unit.
Metal framing, UV window film, concrete or masonry walls, and metallic paint can reduce signal strength if the wireless security appliance is installed near these types of materials.
Installing the wireless security appliance in a high place can help avoid obstacles and improve performance for upper stories of a building.
Neighboring wireless networks and devices can affect signal strength, speed, and range of the wireless security appliance. Also, devices such as cordless phones, radios, microwave ovens, and televisions may cause interference on the wireless security appliance.

Adjusting the Antennas

The antennas on the wireless security appliance can be adjusted for the best radio reception. Begin with the antennas pointing straight up, and then adjust as necessary. Note that certain areas, such as the area directly below the wireless security appliance, get relatively poor reception. Pointing the antenna directly at another wireless device does not improve reception. Do not place the antennas next to metal doors or walls as this can cause interference.

Wireless Node Count Enforcement

Users connecting to the WLAN or connecting through the SonicWall GroupVPN are not counted towards the node enforcement on the SonicWall. Only users on the LAN and non-Wireless zones on the Opt port are counted towards the node limit.

The Station Status table lists all the wireless nodes connected.

MAC Filter List

The SonicWall wireless security appliance networking protocol provides native MAC address filtering capabilities. When MAC address filtering is enabled, filtering occurs at the 802.11 layer, and wireless clients are prevented from authenticating and associating with the wireless access point. Since data communications cannot occur without authentication and association, access to the network cannot be granted until the client has given the network administrator the MAC address of their wireless network card.

OAuth Social Login and LHM

SonicOS 6.2.7 and later support wireless OAuth and Social Login for social media such as Facebook, Twitter, and Google+. LHM is also supported. For more information, see Configuring Open Authentication, Social Login, and LHM.

 

Viewing WLAN Settings, Statistics, and Station Status

NOTE: The Wireless > Status page applies only to Wireless platforms.

Wireless > Status

The Wireless > Status page provides status information for the wireless network: WLAN Settings, WLAN Statistics, WLAN Activities, and Station Status.

The Wireless > Status page comprises these tables:

WLAN Settings

The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration. Enabled features are displayed in green, and disabled features are displayed in red. Click on a setting to go to the page in the Management Interface where you can configure that setting.

 

WLAN configurable settings (setting: value)

WLAN: Enabled (Active) or Disabled (Inactive)
SSID: Wireless network identification information
MAC Address (BSSID): Serial Number of the wireless security appliance
WLAN IP Address: IP address of the WLAN port
WLAN Subnet Mask: Subnet information
Regulatory Domain: FCC - North America for domestic appliances; ETSI - Europe for international appliances
Channel: Channel number selected for transmitting wireless signal
Radio Tx Rate: Network speed in Mbps
Radio Tx Power: Current power level of the radio signal transmission
Primary Security: Encryption settings for the radio, or Disabled; see Wireless > Security
MAC Filter List: Enabled or Disabled
Wireless Guest Services: Enabled or Disabled
Intrusion Detection: Enabled or Disabled
Wireless Firmware: Firmware version on the radio card
Associated Stations: Number of clients associated with the wireless security appliance
Radio Mode: Current power level of the radio signal transmission

WLAN Statistics

The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic.

 

WLAN statistics (each counter is shown for Rx and Tx)

Good Packets: Number of allowed packets received and transmitted.
Bad Packets: Number of received and transmitted packets that were dropped.
Good Bytes: Total number of bytes in the good packets.
Management Packets: Number of management packets received and transmitted.
Control Packets: Number of control packets received and transmitted.
Data Packets: Number of data packets received and transmitted.

WLAN Activities

The WLAN Activities table describes the history of wireless clients connecting to the SonicWall wireless security appliance.

 

WLAN activities statistics (activity: value)

Associations: Number of wireless clients that have connected to the wireless security appliance.
Disassociations: Number of wireless clients that have disconnected from the wireless security appliance.
Reassociations: Number of wireless clients that were previously connected that have re-connected.
Authentications: Number of wireless clients that have been authenticated.
Deauthentications: Number of authenticated clients that have disconnected.
Discards Packets: Number of discarded packets.

Station Status

The Station Status table displays information about wireless connections associated with the wireless security appliance.

 

Station Status information (field: value)

Station: The name of the connection used by the MAC address
MAC Address: The wireless network card MAC address
Vendor: Name of the equipment’s manufacturer
SSID: Wireless network identification information
Authenticated: Status of wireless authentication
Associated: Status of wireless association
AID: Association ID, assigned by the security appliance
Signal: Strength of the radio signal
Timeout: Number of seconds left on the session
Configure: Options for configuring the station:
- configure power management on the wireless network card of this station, if enabled.
- block the station from the security appliance and add it to the Deny MAC Filter List.
- dissociate the station from the security appliance.

Discovered Access Points

The Discovered Access Points table appears when the SonicWall appliance is in Wireless Client Bridge mode.

To create a wireless bridge with another access point:
1. Before you begin, verify that your wireless security settings match that of the access point to which you are bridging, and that you have switched your SonicWall TZ wireless appliance to Wireless Client Bridge mode in the Wireless > Settings page.
2. On the Wireless > Status page, locate the access point to which you wish to bridge.
3. Click the Connect button.
4. The configuration is set and your SSID changes to mirror that of the wireless bridge host.

IMPORTANT: For security reasons, never create a bridge over an open wireless connection.

Configuring Wireless Settings

NOTE: The Wireless > Settings page applies only to Wireless platforms.

Wireless > Settings

The Wireless > Settings page allows you to configure settings for the 802.11 wireless antenna.


Wireless Radio Mode

The Radio Role drop-down menu allows you to configure the SonicWall TZ Series or SOHO W wireless appliance for one of two modes:

NOTE: Be aware that when switching between radio roles, the SonicWall may require a restart.

IMPORTANT: Changing from one mode to the other drops clients and requires a reboot.

Access Point

Selecting Access Point configures the SonicWall as an Internet/network gateway for wireless clients. See Wireless Radio Mode: Access point.

Wireless Radio Mode: Access point

Wireless Client Bridge

The wireless appliance provides Internet/network access by bridging wirelessly to another SonicWall wireless device or SonicPoint access point, selected on the Wireless > Status page; see Wireless Radio Mode: Wireless Client Bridge. Selecting Wireless Client Bridge mode allows for the possibility of secure network communications between physically separate locations, without the need for long and costly Ethernet cabling runs.

Wireless Radio Mode: Wireless Client Bridge

NOTE: For more information on Wireless Client Bridging, refer to the SonicWall Secure Wireless Network Integrated Solutions Guide, or the SonicWall Wireless Bridging Technote, available at http://www.SonicWall.com/us/support.html.

Wireless Settings

The following options are available on the Wireless > Settings page:

Enable WLAN Radio: Check this checkbox to turn the radio on, and enable wireless networking. Click Apply in the top right corner of the management interface to have this setting take effect.
Schedule: The schedule determines when the radio is on to send and receive data. The default value is Always on. The Schedule list displays the schedule objects you create and manage in the System > Schedule page. The default choices are:
Always on
Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)
M-T-W-TH-F 00:00-08:00
After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)
Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)
Country Code: The country code determines which regulatory domain the radio operation falls under.
Radio Mode: Select your preferred radio mode from the Radio Mode menu. The wireless security appliance supports the following modes:
2.4GHz 802.11n/g/b Mixed - Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
TIP: For optimal throughput speed solely for 802.11n clients, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.
802.11n Only - Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
2.4GHz 802.11b/g Mixed - Supports 802.11b and 802.11g clients simultaneously. If your wireless network comprises both types of clients, select this mode.
802.11g Only - If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.
802.11n/a Mixed - Select this mode if 802.11a and 802.11b clients access your wireless network.
802.11n Only - Select this mode if only 802.11n clients access your wireless network.
802.11a Only - Select this mode if only 802.11a clients access your wireless network.
802.11n/a/ac Mixed - Select this mode if 802.11a, 802.11ac, and 802.11n clients access your wireless network.
802.11ac Only - Select this mode if only 802.11ac clients access your wireless network.

802.11n Wireless Settings

When the wireless radio is configured for a mode that supports 802.11n, the following options display:

NOTE: Options depend on the type of appliance, TZ Series, SOHO W, or NSA, that is being configured.
Radio Band (802.11n only and mixed): Sets the band for the 802.11n radio:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed.
Standard Channel - This drop-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.
Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are displayed:
Primary Channel - By default this is set to Auto. Optionally, you can specify a specific primary channel.
Secondary Channel - The configuration of this drop-down menu is controlled by your selection for the primary channel:
If the primary channel is set to Auto, the secondary channel is also set to Auto.
If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
Wide - 80 MHz Channel - Specifies that the 802.11n radio uses only the wide 80 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are displayed. The options are the same as for Wide - 40 MHz Channel.
Enable Short Guard Interval: Specifies the short guard interval of 400ns (as opposed to the standard guard interval of 800ns). The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays.
Enable Aggregation: Enables 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput.
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, etc.), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
SSID: The SSID can be changed to any alphanumeric value with a maximum of 32 characters. The default value is sonicwall- plus the last four characters of the BSSID; for example, sonicwall-C587.

802.11a/b/g Wireless Settings

When the wireless radio is configured for 802.11a, 802.11b, or 802.11g, the following option displays:

Channel pull-down menu – Select a channel:
Auto – Allows the wireless security appliance to automatically detect and set the optimal channel for wireless operation based upon signal strength and integrity. Auto is the default channel setting, and it displays the selected channel of operation to the right. Alternatively, an operating channel within the range of your regulatory domain can be explicitly defined.
Specific channel – For the available channels, see the Radio mode choices table in Radio 0/Radio 1 Basic Settings.

802.11ac Wireless Settings

When the wireless radio is configured for 802.11ac only, these options display:

Radio Band drop-down menu – Sets the band for the 802.11ac radio. For a description of the options, see 802.11n Wireless Settings.
Channel drop-down menu – Select a channel:
Auto – Allows the wireless security appliance to automatically detect and set the optimal channel for wireless operation based upon signal strength and integrity. Auto is the default channel setting, and it displays the selected channel of operation to the right. Alternatively, an operating channel within the range of your regulatory domain can be explicitly defined.
Specific channel – For the available channels, see the Specific channel choices table in Radio 0/Radio 1 Basic Settings.

Wireless Virtual Access Point

From the Virtual Access Point Group drop-down menu, select:

Internal AP Group – This is system configured. If this is selected, the SSID option under Wireless Settings is not displayed.
A VAP Group previously defined.

 

Configuring Wireless Security

NOTE: The Wireless > Security page applies only to Wireless platforms.

Wireless > Security

NOTE: The configuration of the Wireless > Security page changes according to the type of authentication you select.

About Authentication

Authentication types lists the authentication types with descriptive features and uses for each.

 

Authentication types (type: features and use)

WEP: Lower security. For use with older legacy devices, PDAs, wireless printers.
WPA: Good security (uses TKIP). For use with trusted corporate wireless clients. Transparent authentication with Windows log-in. No client software needed in most cases.
WPA2: Best security (uses AES). For use with trusted corporate wireless clients. Transparent authentication with Windows log-in. Client software install may be necessary in some cases. Supports 802.11i “Fast Roaming” feature. No backend authentication needed after first log-in (allows for faster roaming).
WPA2-AUTO: Tries to connect using WPA2 security. If the client is not WPA2 capable, the connection will default to WPA.

Wired Equivalent Protocol (WEP)

WEP can be used to protect data as it is transmitted over the wireless network, but it provides no protection past the SonicWall. It is designed to provide a minimal level of protection for transmitted data, and is not recommended for network deployments requiring a high degree of security.

Wi-Fi Protected Access (WPA and WPA2)

WPA and WPA2 provide much greater security than WEP, but require that a separate authentication protocol, such as RADIUS, be used to authenticate all users. WPA uses a dynamic key that constantly changes, as opposed to the static key that WEP uses.

The SonicWall security appliance provides a number of permutations of WEP and WPA encryption.

WPA/WPA2 Encryption Settings

Both WPA and WPA2 support two protocols for storing and generating keys:

Pre-Shared Key (PSK)—PSK allows WPA to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server.
Extensible Authentication Protocol (EAP)—EAP allows WPA to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.

WPA2 also supports EAP and PSK protocols, but adds an optional AUTO mode for each protocol. WPA2 EAP AUTO and WPA2 PSK AUTO try to connect using WPA2 security, but will default back to WPA if the client is not WPA2 capable.

NOTE: EAP support is only available in Access Point Mode. EAP support is not available in Bridge Mode.

Configuring WPA2 PSK and WPA PSK Settings

When you finish configuring the settings, click Accept to apply your WPA/WPA2 PSK settings.


Encryption Mode

From the Authentication Type drop-down menu, select either WPA-PSK, WPA2-PSK, or WPA2-Auto-PSK.

EAPOL Settings

From the EAPOL Version drop-down menu, select:

V1—Selects the extensible authentication protocol over LAN version 1.
V2 (default)—Selects the extensible authentication protocol over LAN version 2. This provides better security than version 1, but may not be supported by some wireless clients.

WPA2/WPA Settings

Specify these settings:

Cypher Type—Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis.
Group Key Update—Specifies when the SonicWall security appliance updates the key. Select By Timeout to generate a new group key after an interval specified in seconds; this is the default. Select Disabled to use a static key.
Interval—If you selected By Timeout, enter the number of seconds before WPA automatically generates a new group key. The default is 86400 seconds. If you selected Disabled for Group Key Update, this option is not displayed.

Preshared Key Settings (PSK)

In the Passphrase field, enter the passphrase from which the key is generated.
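How the key is generated from the passphrase, shown as an added example that is not SonicOS code: WPA and WPA2 in PSK mode map the passphrase to a 256-bit PSK with PBKDF2-HMAC-SHA1, salted with the SSID, over 4096 iterations, as IEEE 802.11i specifies, so the key is per-SSID and every station derives the same key from the same passphrase. The value checked is the standard's published test vector (passphrase "password", SSID "IEEE"); the second SSID is a constructed one.

```python
import hashlib
import re

# Passphrase-to-PSK mapping as specified in IEEE 802.11i (Annex H):
# PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32
# A passphrase is 8 to 63 characters, each printable ASCII (0x20-0x7E).
PASSPHRASE_RE = re.compile(r"^[\x20-\x7e]{8,63}$")


def validate_passphrase(passphrase: str) -> None:
    """Enforce the 802.11i passphrase rules before any key is derived."""
    if not PASSPHRASE_RE.fullmatch(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")


def validate_ssid(ssid: str) -> None:
    """An SSID is 1 to 32 octets; it is the salt, so it must match exactly."""
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1-32 bytes")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK (the PMK for WPA/WPA2-PSK) for this SSID."""
    validate_passphrase(passphrase)
    validate_ssid(ssid)
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PSK_LENGTH_BYTES,
    )


def derive_psk_hex(passphrase: str, ssid: str) -> str:
    """The same key as 64 hex characters, the raw-PSK form many clients accept."""
    return derive_psk(passphrase, ssid).hex()


def psk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when two SSIDs yield different keys for the same passphrase."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed demonstration: the published 802.11i test vector, then the
    # same passphrase under a second (constructed) SSID to show the salt effect.
    print(derive_psk_hex("password", "IEEE"))
    print(psk_depends_on_ssid("password", "IEEE", "sonicwall-C587"))
```

Because the derivation is fixed and public, the strength of a PSK deployment rests on the passphrase's length and randomness; rotating the group key does not compensate for a weak passphrase.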

WPA2 EAP and WPA EAP Settings

When you finish configuring the settings, click Accept to apply your WPA/WPA2 EAP settings.


Encryption Mode

From the Authentication Type drop-down menu, select either WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP.

EAPOL Settings

From the EAPOL Version drop-down menu, select:

V1—Selects the extensible authentication protocol over LAN version 1.
V2—Selects the extensible authentication protocol over LAN version 2. This provides better security than version 1, but may not be supported by some wireless clients.

WPA2/WPA Settings

Specify these settings:

Cypher Type—Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis.
Group Key Update—Specifies when the SonicWall security appliance updates the key. Select By Timeout to generate a new group key after an interval specified in seconds; this is the default. Select Disabled to use a static key.
Interval—If you selected By Timeout, enter the number of seconds before WPA automatically generates a new group key. The default is 86400 seconds. If you selected Disabled for Group Key Update, this option is not displayed.

Extensible Authentication Protocol Settings (EAP)

Specify these settings:

Radius Server Retries—Enter the number of authentication retries the server attempts. The default is 4.
Retry Interval (seconds)—Enter the delay the server is to wait between retries. The default is 0 (no delay).
Radius Server 1 IP and Port—Enter the IP address and port number for your primary RADIUS server.
Radius Server 1 Secret—Enter the password for access to Radius Server 1.
Radius Server 2 IP and Port—Enter the IP address and port number for your secondary RADIUS server, if you have one.
Radius Server 2 Secret—Enter the password for access to Radius Server 2.

WEP Encryption Settings

To configure wireless security on the firewall:
1. Navigate to the Wireless > Security page.
2. Select the appropriate authentication type from the Authentication Type drop-down menu:
WEP - Open system: In open-system authentication, the firewall allows the wireless client access without verifying its identity.
WEP - Shared key: Uses WEP and requires a shared key to be distributed to wireless clients before authentication is allowed. If Shared Key is selected, then the Default Key assignment is important.
Both (Open System & Shared Key) (default): The Default Key assignments are not important as long as the identical keys are used in each field.
3. From the Default Key drop-down menu, select which key will be the default key: Key 1, Key 2, Key 3, or Key 4.
4. From the Key Entry options, select whether your keys are Alphanumeric or Hexadecimal (0-9, A-F). The required key length depends on the key type and the key size:

Key types (key type: length for WEP - 64-bit, WEP - 128-bit, WEP - 152-bit)

Alphanumeric (0-9, A-Z): 5 characters, 13 characters, 16 characters
Hexadecimal (0-9, A-F): 10 characters, 26 characters, 32 characters

5. You can enter up to four keys in the designated fields. For each key, select whether it is 64-bit, 128-bit, or 152-bit. The higher the bit number, the more secure the key is.
6. Click Accept.

Configuring Advanced Wireless Settings

NOTE: The Wireless > Advanced page applies only to Wireless platforms.

Wireless > Advanced

NOTE: The Wireless > Advanced page is only available when the firewall is acting as an access point.

To apply your changes to the SonicWall security appliance, click Accept at the top of the page.

To return the radio settings to the default settings, click Restore Default at the bottom of the page.


Beaconing and SSID Controls

To configure the Beaconing and SSID Controls:
1. Select Hide SSID in Beacon, which suppresses broadcasting of the SSID name and disables responses to probe requests. Checking this option helps prevent your wireless SSID from being seen by unauthorized wireless clients. This setting is disabled by default.
2. Type a value, in milliseconds, for the Beacon Interval. Decreasing the interval time makes passive scanning more reliable and faster because Beacon frames announce the network to the wireless connection more frequently. The default interval is 200 milliseconds.

Green Access Point

To configure power efficiency:
1. To increase power efficiency, select Enable Green AP. This setting is disabled by default.
2. Specify the number of time outs in the Green AP Timeout(s) field. The default is 200.

Advanced Radio Settings

To configure advanced radio settings:
1
Select Enable Short Slot Time to increase performance if you only expect 802.11g traffic. 802.11b is not compatible with short slot time. This setting is disabled by default.
2
From the Antenna Rx Diversity drop-down menu select which antenna the wireless security appliance uses to send and receive data. For information about antenna diversity, see Configurable Antenna Diversity. The default is Best.
3
From the Transmit Power drop-down menu, select:
Full Power to send the strongest signal on the WLAN. For example, select Full Power if the signal is going from building-to-building.
Half (-3 dB) is recommended for office-to-office within a building.
Quarter (-6 dB) is recommended for shorter distance communications.
Eighth (-9 dB) is recommended for shorter distance communications.
Minimum is recommended for very short distance communications.
4
From the Preamble Length drop-down menu, select Short or Long. Short is recommended for efficiency and improved throughput on the wireless network. The default is Long.
5
Specify the fragmentation threshold in the Fragmentation Threshold (bytes) field. the minimum is 256, the maximum is 2346, and the default is 2346.

Fragment wireless frames to increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold numbers produce more fragments. Increasing the value means that frames are delivered with less overhead, but a lost or damaged frame must be discarded and retransmitted.

6
Specify the request-to-send (RTS) threshold in the RTS Threshold (bytes) field. the minimum is 1, the maximum is 2347, and the default is 2346.

This field sets the threshold for a packet size (in bytes) at which a RTS is sent before packet transmission. Sending an RTS ensures that wireless collisions do not take place in situations where clients are in range of the same access point, but may not be in range of each other. If network throughput is slow or a large number of frame retransmissions is occurring, decrease the RTS threshold to enable RTS clearing.

7
Specify the DTIM (Delivery of Traffic Indication Message) interval in the DTIM Interval field. The minimum is 1, the maximum is 256, and the default is 1.

For 802.11 power-save mode clients of incoming multicast packets, the DTIM interval specifies the number of beacon frames to wait before sending a DTIM. Increasing the DTIM Interval value allows you to conserve power more effectively.

8
Enter the number of seconds for client association in the Association Timeout (seconds) field. The default is 300 seconds, and the allowed range is from 60 to 36000 seconds. If your network is very busy, you can increase the timeout by increasing the number of seconds in this field.
9
Enter the maximum number of clients each SonicPoint using this profile can support in the Maximum Client Associations field. The minimum number is 1, the maximum is 128, and the default is 128. This setting limits the number of stations that can connect wirelessly at one time.
10
From the Data Rate drop-down menu, select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate from 1 Mbps to 54 Mbps.
11
From the Protection Mode drop-down menu, select the protection mode:
None
Always
Auto

Protection can decrease collisions, particularly where you have two overlapping SonicPoints. However, it can slow down performance. Auto is probably the best setting, as it engages only in the case of overlapping SonicPoints.

12
From the Protection Rate drop-down menu, select the protection rate: 1 Mbps, 2 Mbps, 5 Mbps, or 11 Mbps. The protection rate determines the data rate when protection mode is on. The slowest rate offers the greatest degree of protection, but also the slowest data transmission rate.
13
From the Protection Type drop-down menu, select the type of handshake used to establish a wireless connection: CTS-only (default) or RTS-CTS.
* 
NOTE: 802.11b traffic is only compatible with CTS.

Configurable Antenna Diversity

The wireless SonicWall security appliances employ dual 5 dBi antennas running in diversity mode. The default implementation of diversity mode means that one antenna acts as the transmitting antenna, and both antennas act as potential receiving antennas. As radio signals arrive at both antennas on the secure wireless appliance, the strength and integrity of the signals are evaluated, and the best received signal is used. The selection between the two antennas runs continuously during operation to always provide the best possible signal. To allow external (higher gain, uni-directional) antennas to be used, antenna diversity can be disabled.

The SonicWall NSA 220 and 250M wireless security appliances employ three antennas. On these appliances, Antenna Diversity is set to Best by default, and Best is the only setting available.

The Antenna Diversity setting determines which antenna the wireless security appliance uses to send and receive data. You can select:

Best—This is the default setting. When Best is selected, the wireless security appliance automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
1—Select 1 to restrict the wireless security appliance to use antenna 1 only. Facing the rear of the appliance, antenna 1 is on the left, closest to the console port. You can disconnect antenna 2 when using only antenna 1.
2—Select 2 to restrict the wireless security appliance to use antenna 2 only. Facing the rear of the appliance, antenna 2 is on the right, closest to the power supply. You can disconnect antenna 1 when using only antenna 2.

Deploying the TZ Wireless MAC Filter List

* 
NOTE: The Wireless > MAC Filter List page applies only to Wireless platforms.

Wireless > MAC Filter List

About MAC Filtering

Effect of MAC Filtering on Authentication

Wireless networking provides native MAC filtering capabilities that prevent wireless clients from authenticating and associating with the wireless security appliance. If you enforce MAC filtering on the WLAN, wireless clients must provide you with the MAC address of their wireless networking card. The SonicOS wireless MAC Filter List allows you to configure a list of clients that are allowed or denied access to your wireless network. Without MAC filtering, any wireless client that knows the SSID, and perhaps other security parameters, can join or “break into” your wireless network.

The Typical SonicWall MAC filter list deployment figure shows a typical MAC Filter List deployment scenario:

Typical SonicWall MAC filter list deployment

Deployment Considerations

Consider the following when deploying the MAC Filter List:

For the SonicPoint-N appliance, this feature requires the gateway to store the MAC Filter List settings.
For the SonicWall TZ series appliance’s internal wireless, some members need to be added to the VAP structure to store the MAC Filter List settings, and the complete function should be modified to set the configurations to the driver.
MAC Filter List configurations are added to the Wireless Virtual Access Point (VAP) profile settings. They can be viewed by navigating to the Wireless > Virtual Access Point page.

Using the Wireless > MAC Filter List Page

 

Enable MAC Filter List

Enables the MAC Filter List feature for the selected groups.

Allow List:

Selects the group you want the MAC Filter List to allow access to your wireless network:

All MAC Addresses (default)
Default ACL Allow Group
ACL Allow List
Legacy AntiSpyware Group

To create a new group, select Create New MAC Address Object group to display the Add Address Object Group dialog (see Add Address Object Group Dialog).

Deny List:

Selects the group you want the MAC Filter List to deny access to your wireless network:

No MAC Addresses (default)
Default ACL Deny Group
ACL Allow List
Legacy AntiSpyware Group

When clicking the Deny List drop-down and selecting Create New MAC Address Object group, the Add Address Object Group dialog displays.

Add Address Object Group Dialog

 

Name:

Enter a name for the new address object group.

Left Panel

Displays the available objects. Select the objects you want to include in your new group.

Right Panel

Displays the objects selected for your new group.

Configuring the MAC Filter List

To configure the MAC filter list to allow or deny address object groups:
1
Navigate to the Wireless > MAC Filter List page.

2
Click the Enable MAC Filter List checkbox. This setting is disabled by default.
3
From the Allow List drop-down menu, select the address group you want to allow.
4
From the Deny List drop-down menu, select the address group you want to deny.
5
To add new address objects to the allow and deny lists, from the drop-down menu select Create New MAC Address Object Group... The Add Address Object Group dialog displays.

6
In the Name: text field, enter a name for the new group.
7
In the left column, select the group(s) or individual address object(s) you want to allow or deny. You can use Ctrl-click to select more than one item at a time.
8
Click the Right Arrow -> button to add the items to the group.
9
Click OK. The new group displays in the drop-down menu for selection.

10
Select the object.
11
Click the Accept button.

Configuring Wireless IDS

* 
NOTE: The Wireless > IDS page applies only to Wireless platforms.

Wireless > IDS

About Wireless Intrusion Detection Services

Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWall wireless security appliances by enabling them to recognize and even take countermeasures against the most common types of illicit wireless activity. WIDS consists of three types of services:

Sequence Number Analysis
Association Flood Detection
Rogue Access Point Detection

Wireless IDS logging and notification can be enabled under Log > Categories by selecting the WLAN IDS checkbox under Log Categories and Alerts.

Access Point IDS

When the Radio Role of the wireless security appliance is set to Access Point mode, all three types of WIDS services are available, but Rogue Access Point detection, by default, acts in a passive mode (passively listening to other Access Point Beacon frames only on the selected channel of operation). Selecting Scan Now momentarily changes the Radio Role to allow the wireless security appliance to perform an active scan, and may cause a brief loss of connectivity for associated wireless clients. While in Access Point mode, the Scan Now function should only be used if no clients are actively associated, or if the possibility of client interruption is acceptable.

Rogue Access Points

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this doesn't represent a deficiency in the security of a specific wireless device, it is a weakness in the overall security of wireless networks.

The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It accomplishes this in two ways: active scanning for access points on all 802.11a, 802.11g, and 802.11n channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation.

Configuring IDS Settings

To apply the settings you’ve configured, click Accept. To discard the changes, click Cancel.

Wireless Intrusion Detection Settings

Select the Enable Rogue Access Point Detection checkbox to specify the rogue access point detection method. The Authorized Access Points menu allows you to specify All Authorized Access Points, Create new MAC Address Object Group, or Select an Address Object Group.

The Authorized Access Points menu allows you to specify which access points the SonicWall security appliance considers authorized when it performs a scan. You can select:

All Authorized Access Points to allow all SonicPoints.
Create new MAC Address Object Group to create an address object group containing a set of MAC addresses, limiting the authorized list to only those SonicPoints whose MAC addresses are contained in the address object group. When this option is selected, the Add Address Object Group dialog displays.

Enter a name for the new group in the Name field, and then select the address objects for the group.

IDS Settings

To schedule when to run an IDS scan, from the Schedule IDS Scan drop-down menu, select or create a schedule:

Disabled (default) – IDS scans do not take place
Create a new schedule... – The Add Schedule dialog displays
Work Hours – M-T-W-TH-F 08:00 to 17:00
After Hours – M-T-W-TH-F 00:00 to 08:00, M-T-W-TH-F 17:00 to 24:00, SU-S 00:00 to 24:00
Weekend Hours
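The predefined schedules above are written in a compact day/time notation. The following added example (not SonicOS code) parses that notation and answers whether a schedule, for an IDS scan or for a VAP, is active at a given moment; it assumes the day codes are M, T, W, TH, F, S (Saturday) and SU (Sunday), and that "24:00" means the end of the day.

```python
"""Parse SonicOS-style schedule entries such as "M-T-W-TH-F 08:00 to 17:00".

Added example, not SonicOS code. Assumptions: day codes are M, T, W, TH, F,
S (Saturday) and SU (Sunday); "24:00" denotes the end of the day; the end of
a range is exclusive.
"""
import re
from datetime import datetime

# Monday=0 ... Sunday=6, matching datetime.weekday()
DAY_CODES = {"M": 0, "T": 1, "W": 2, "TH": 3, "F": 4, "S": 5, "SU": 6}
ENTRY_RE = re.compile(r"^([A-Z]+(?:-[A-Z]+)*)\s+(\d{2}):(\d{2})\s+to\s+(\d{2}):(\d{2})$")


def parse_entry(text):
    """Turn one entry into (days, start_minute, end_minute); end is exclusive."""
    m = ENTRY_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised schedule entry: {text!r}")
    days = set()
    for code in m.group(1).split("-"):
        if code not in DAY_CODES:
            raise ValueError(f"unknown day code {code!r} in {text!r}")
        days.add(DAY_CODES[code])
    start = int(m.group(2)) * 60 + int(m.group(3))
    end = int(m.group(4)) * 60 + int(m.group(5))
    if not 0 <= start < end <= 24 * 60:
        raise ValueError(f"bad time range in {text!r}")
    return frozenset(days), start, end


def parse_schedule(entries):
    """Parse a list of entries into a schedule (a list of parsed entries)."""
    return [parse_entry(e) for e in entries]


def is_active(schedule, when: datetime) -> bool:
    """True if `when` falls inside any entry of the parsed schedule."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in schedule)


def active_at(schedule, iso_timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return is_active(schedule, datetime.fromisoformat(iso_timestamp))


# The predefined Work Hours and After Hours schedules, as entry lists
WORK_HOURS = parse_schedule(["M-T-W-TH-F 08:00 to 17:00"])
AFTER_HOURS = parse_schedule([
    "M-T-W-TH-F 00:00 to 08:00",
    "M-T-W-TH-F 17:00 to 24:00",
    "SU-S 00:00 to 24:00",
])


if __name__ == "__main__":
    now = datetime.now()
    print("Work Hours active:", is_active(WORK_HOURS, now))
    print("After Hours active:", is_active(AFTER_HOURS, now))
```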

Discovered Access Points

* 
NOTE: To refresh the entries in the Discovered Access Points table, click Refresh. To do an immediate scan, click Scan Now.
Settings

The Note above the table displays the number of Access Points found and the time, in days, hours, minutes, and seconds, since the last scan.

The Discovered Access Points table displays information on every access point that can be detected by all your SonicPoints, or on an individual SonicPoint basis:

MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
SSID: The radio SSID of the access point.
Channel: The radio channel used by the access point.
Authentication: The type of authentication.
Cipher: The cipher used.
Vendor: The manufacturer of the access point. SonicPoints show a manufacturer of either SonicWall or Senao.
Signal Strength: The strength of the detected radio signal.
Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
Authorize: Click the Edit icon in the Authorize column to add the access point to the address object group of authorized access points.
Scanning for Access Points

Active scanning occurs when the wireless security appliance starts up, and at any time Scan Now is clicked at the bottom of the Discovered Access Points table. When the wireless security appliance is operating in a Bridge Mode, the Scan Now feature does not cause any interruption to the bridged connectivity. When the wireless security appliance is operating in Access Point Mode, however, a temporary interruption of wireless clients occurs for no more than a few seconds. This interruption manifests itself as follows:

Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill effects.
Persistent connections (protocols such as FTP) are impaired or severed.
* 
CAUTION: The Scan Now feature causes a brief disruption in service. If this is a concern, wait to use the Scan Now feature at a time when no clients are active or until the potential for disruption becomes acceptable.
Authorizing Access Points on Your Network

Access Points detected by the wireless security appliance are regarded as rogues until they are identified to the wireless security appliance as authorized for operation. To authorize an access point, select it in the list of access points discovered by the wireless security appliance scanning feature, and add it by clicking the Authorize icon.
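The rule just stated, every detected AP is a rogue until its BSSID is in the authorized address object group, applied to the columns of the Discovered Access Points table. This is an added example, not SonicOS code; the scan rows, the authorized group and the list of your own SSIDs are constructed. It goes one step beyond the page by flagging two kinds of rogue that deserve immediate attention: an unauthorized BSSID beaconing one of your own SSIDs, and an unauthorized open network.

```python
"""Classify the rows of a Discovered Access Points scan as authorized or rogue.

Added example, not SonicOS code. A detected AP is a rogue until its BSSID is
in the authorized address object group. All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredAP:
    """One row of the Discovered Access Points table."""
    bssid: str            # MAC Address (BSSID) column
    ssid: str
    channel: int
    authentication: str   # e.g. "WPA2", "Open"
    cipher: str           # e.g. "AES", "None"
    vendor: str
    signal_strength: int  # constructed, in dBm
    max_rate: int         # Mbps


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB-CC-DD-EE-FF' and 'aa:bb:cc:dd:ee:ff' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(scan, authorized_group, our_ssids):
    """Split a scan into (authorized, rogues, findings).

    findings is a list of (bssid, reason) for rogues worth a closer look:
      "ssid-spoof": an unauthorized BSSID beaconing one of our own SSIDs,
                    the kind of device users may unwittingly connect to
      "open":       an unauthorized AP with no authentication at all
    """
    authorized = {normalize_mac(m) for m in authorized_group}
    ours = set(our_ssids)
    auth_rows, rogue_rows, findings = [], [], []
    for ap in scan:
        bssid = normalize_mac(ap.bssid)
        if bssid in authorized:
            auth_rows.append(ap)
            continue
        rogue_rows.append(ap)
        if ap.ssid in ours:
            findings.append((bssid, "ssid-spoof"))
        if ap.authentication.lower() == "open":
            findings.append((bssid, "open"))
    return auth_rows, rogue_rows, findings


def authorize(authorized_group, bssid):
    """Equivalent of clicking Authorize: return the group with this BSSID added."""
    return sorted({normalize_mac(m) for m in authorized_group} | {normalize_mac(bssid)})


# Constructed sample data: an authorized group written in dashed form, the
# SSIDs this site operates, and four discovered APs.
AUTHORIZED_GROUP = ["00-11-22-33-44-01", "00-11-22-33-44-02"]
OUR_SSIDS = ["CorpWLAN", "CorpGuest"]
SAMPLE_SCAN = [
    DiscoveredAP("00:11:22:33:44:01", "CorpWLAN", 6, "WPA2", "AES", "SonicWall", -45, 54),
    DiscoveredAP("00:11:22:33:44:02", "CorpGuest", 11, "WPA2", "AES", "SonicWall", -52, 54),
    DiscoveredAP("de:ad:be:ef:00:01", "CorpWLAN", 6, "Open", "None", "Unknown", -60, 54),
    DiscoveredAP("de:ad:be:ef:00:02", "NeighborNet", 1, "WPA2", "AES", "Other", -78, 54),
]


if __name__ == "__main__":
    ok, rogues, findings = classify(SAMPLE_SCAN, AUTHORIZED_GROUP, OUR_SSIDS)
    print(f"{len(ok)} authorized, {len(rogues)} rogue")
    for bssid, reason in findings:
        print(f"  {bssid}: {reason}")
```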

Configuring Virtual Access Points with Internal Wireless Radio

* 
NOTE: The Wireless > Virtual Access Point page applies only to Wireless platforms.

Wireless > Virtual Access Point

Wireless VAP Overview

This section provides an introduction to the Virtual Access Point (VAP) feature for SonicWall network security appliances equipped with internal wireless radios.

What Is a Virtual Access Point?

A Virtual Access Point (VAP) is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP. Before the evolution of the Virtual AP feature, wireless networks were relegated to a one-to-one relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. In other words, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients, and if the latter were required, they would have had to be provided by separate, distinctly configured Access Points. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual AP (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer, each with a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This allows for segmenting wireless network services within the radio frequency footprint of a single physical access point device.

VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on a single internal wireless radio.

For more information on SonicOS Secure Wireless features, refer to the SonicWall Secure Wireless Integrated Solutions Guide.

Benefits of Using Virtual APs

This section includes a list of benefits in using the Virtual AP feature:

Radio Channel Conservation—Prevents building overlapping infrastructures by allowing a single physical Access Point to be used for multiple purposes, avoiding channel collision problems. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.
Optimize Wireless LAN Infrastructure—Share the same Wireless LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower the capital expenditure for installation and maintenance of your WLANs.

Wireless Virtual AP Configuration Task List

A Wireless VAP deployment requires several steps to configure. The following section provides first a brief overview of the steps involved, and then a more in-depth examination of the parts that make up a successful VAP deployment. Subsequent sections describe VAP deployment requirements and provide a configuration task list:

Wireless VAP Configuration Overview

The following are required areas of configuration for VAP deployment:

1
Zone - The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of Wireless Subnets.
2
Wireless Interface - The W0 interface (and its WLAN subnets) represent the physical connections between your SonicWall network security appliance and the internal wireless radio. Individual zone settings are applied to these interfaces and forwarded to the wireless radio.
3
DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as Scopes. The default ranges for DHCP scopes are often excessive for the needs of most wireless deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.
4
Virtual Access Point Profile - The VAP Profile feature allows for creation of wireless configuration profiles which can be easily applied to new wireless Virtual Access Points as needed.
5
Virtual Access Point - The VAP Objects feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings.
6
Virtual Access Point Group - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to a single internal wireless radio.
7
Assign VAP Group to Internal Wireless Radio - The VAP Group is applied to the internal wireless radio and made available to users through multiple SSIDs.

Network Zones

A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With zone-based security, you can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network zones are configured from the Network > Zones page.

For detailed information on configuring zones, see Network > Zones.

The Wireless Zone

The Wireless zone type, of which the “WLAN Zone” is the default instance, provides support for the SonicWall wireless radio. When an interface or subinterface is assigned to a Wireless zone, the interface can enforce security settings above the 802.11 layer, including WiFiSec Enforcement, SSL VPN redirection, Guest Services, Lightweight Hotspot Messaging and all licensed Deep Packet Inspection security services.

Custom Wireless Zone Settings

Although SonicWall provides the pre-configured Wireless zone, you can also create your own custom wireless zones. When using VAPs, several custom zones can be applied to a single wireless radio.

General

General configuration options

Feature

Description

Name

Create a name for your custom zone

Security Type

Select Wireless to enable and access wireless security options.

Allow Interface Trust

Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Guest Services.

SonicWall Security Services

Select the security services you wish to enforce on this zone. This allows you to extend your SonicWall firewall security services to your wireless users.

Wireless

 

Wireless configuration options

Feature

Description

Only allow traffic generated by a SonicPoint

Restricts traffic on this zone to internally-generated traffic only.

SSL VPN Enforcement

Redirects all traffic entering the Wireless zone to a defined SonicWall SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic. Note: Wireless traffic that is tunnelled through an SSL VPN will appear to originate from the SSL VPN rather than from the Wireless zone.

SSL VPN Server - Select the Address Object representing the SSL VPN appliance to which you wish to redirect wireless traffic.

SonicPoint Provisioning Profile

Select a predefined SonicPoint Provisioning Profile to be applied to all current and future SonicPoints on this zone.

SonicPointN Provisioning Profile

Select a predefined SonicPointN Provisioning Profile to be applied to all current and future SonicPoints on this zone.

Guest Services

The Enable Guest Services option allows the following guest services to be applied to a zone:

 

Guest services configuration options

Feature

Description

Enable inter-guest communication

Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each other.

Bypass AV Check for Guests

Allows guest traffic to bypass Anti-Virus protection

Enable Dynamic Address Translation (DAT)

Dynamic Address Translation (DAT) allows the SonicPoint to support any IP addressing scheme for Guest Services users.

If this option is disabled (unchecked), wireless guest users must either have DHCP enabled, or an IP addressing scheme compatible with the SonicPoint’s network settings.

Enable External Guest Authentication

Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.

Optionally, allows OAuth and Social Login for users. For more information about these features, see Configuring Open Authentication, Social Login, and LHM.

Custom Authentication Page

Redirects users to a custom authentication page when they first connect to a SonicPoint in the Wireless zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.

Post Authentication Page

Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.

Bypass Guest Authentication

Allows a SonicPoint running Guest Services to integrate into environments already using some form of user-level authentication. This feature automates the Guest Services authentication process, allowing wireless users to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the SonicPoint is enforcing authentication.

Redirect SMTP traffic to

Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.

Deny Networks

Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from.

Pass Networks

Automatically allows traffic through the Wireless zone from the networks you select.

Max Guests

Specifies the maximum number of guest users allowed to connect to the Wireless zone. The default is 10.

Wireless LAN Subnets

A Wireless LAN (WLAN) subnet allows you to split a single wireless radio interface (W0) into many virtual network connections, each carrying its own set of configurations. The WLAN subnet solution allows each VAP to have its own virtual separate subinterface, even though there is only a single 802.11 radio.

WLAN subnets have several key capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from WLAN subnets at this time are VPN policy binding, WAN dynamic client support, and multicast support.

WLAN subnets are configured from the Network > Interfaces page.

Custom Wireless Subnet Settings

The Wireless subnet configuration options table lists configuration parameters and descriptions for wireless subnets:

 

Wireless subnet configuration options

Feature

Description

Zone

Select a pre-defined or custom zone. Only zones with security type of “wireless” are available for selection.

Parent Interface

The default WLAN interface, normally W0.

Subnet Name

Choose a friendly name for this interface.

IP Configuration

Create an IP address and Subnet Mask in accordance with your network configuration.

Sonic Point Limit

The number of radios supported in your deployment. The default value is 1 SonicPoint.

Management

Select the protocols you wish to use when managing this subnet.

User Login

Select the protocols you will make available to clients who access this subnet.

DHCP Server

Select the Create default DHCP Lease Scope option to enable DHCP on this subnet, along with the default number of available leases. Read DHCP Server Scope, for more information on DHCP lease requirements.

DHCP Server Scope

The DHCP server assigns leased IP addresses to users within specified ranges, known as Scopes.

* 
IMPORTANT: Take care in making these settings manually, as a scope of 200 addresses for multiple interfaces that will only use 30 can lead to connection issues due to lease exhaustion.

The DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. DHCP Server Scope is set from the Network > DHCP Server page.
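The sizing rule above, carried through for a small VAP deployment: each WLAN subnet's scope is sized from the Maximum Clients of the VAP using it, plus headroom, instead of the default whole-subnet scope, and the total is checked against a lease budget. This is an added example, not SonicOS code; the subnets, client counts, headroom fraction and budget are constructed, and the budget is a placeholder for whatever total lease limit your appliance model actually has.

```python
"""Size per-subnet DHCP scopes so the appliance's lease pool is not exhausted.

Added example, not SonicOS code. The subnets, client counts, HEADROOM and
LEASE_BUDGET are constructed; LEASE_BUDGET stands in for the appliance's
real total lease limit.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class WlanSubnet:
    name: str         # Subnet Name of the WLAN subinterface
    network: str      # its IP configuration as CIDR, e.g. "172.16.31.0/24"
    max_clients: int  # Maximum Clients configured on the VAP using it


HEADROOM = 0.25  # spare leases per scope, as a fraction of max_clients (constructed choice)


def size_scope(sub: WlanSubnet):
    """Return (first_ip, last_ip, lease_count) for a right-sized scope.

    The scope starts at the second host address: the first host address is
    assumed to be the subinterface's own IP.
    """
    net = ipaddress.ip_network(sub.network, strict=True)
    wanted = sub.max_clients + max(1, int(sub.max_clients * HEADROOM))
    usable = net.num_addresses - 3  # minus network, broadcast and interface IP
    if wanted > usable:
        raise ValueError(f"{sub.name}: needs {wanted} leases but {sub.network} has {usable}")
    first, last = net[2], net[1 + wanted]
    return str(first), str(last), wanted


def plan(subnets, lease_budget):
    """Size every scope and verify the sum fits the appliance lease budget.

    Returns {subnet_name: (first_ip, last_ip, lease_count)}; raises ValueError
    if the scopes together would exhaust the budget, which is the situation
    the guide warns about.
    """
    scopes, total = {}, 0
    for sub in subnets:
        scopes[sub.name] = size_scope(sub)
        total += scopes[sub.name][2]
    if total > lease_budget:
        raise ValueError(f"{total} leases across {len(subnets)} scopes exceed the budget of {lease_budget}")
    return scopes


def default_scope_total(subnets):
    """Leases the default whole-subnet scopes would reserve, for comparison."""
    return sum(ipaddress.ip_network(s.network).num_addresses - 3 for s in subnets)


# Constructed sample deployment: three VAP subnets on /24s, each expecting far
# fewer clients than a full /24 scope would reserve.
SAMPLE_SUBNETS = [
    WlanSubnet("Corp-VAP", "172.16.31.0/24", 30),
    WlanSubnet("Guest-VAP", "172.16.32.0/24", 50),
    WlanSubnet("IoT-VAP", "172.16.33.0/24", 10),
]
LEASE_BUDGET = 256  # placeholder for the appliance's real total lease limit


if __name__ == "__main__":
    print("default scopes would reserve", default_scope_total(SAMPLE_SUBNETS), "leases")
    for name, (first, last, n) in plan(SAMPLE_SUBNETS, LEASE_BUDGET).items():
        print(f"{name}: {first} - {last} ({n} leases)")
```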

Virtual Access Point Profiles

A Virtual Access Point Profile allows you to pre-configure and save access point settings in a profile. VAP Profiles allow settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the Wireless > Virtual Access Point page.

* 
TIP: This feature is especially useful for quick setup in situations where multiple virtual access points will share the same authentication methods.

Virtual Access Point Profile Settings

The Virtual access point profile configuration options table lists configuration parameters and descriptions for Virtual Access Point Profile Settings:

 

Virtual access point profile configuration options

Feature

Description

Name

Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs.

Type

Set to Wireless-Internal-Radio by default. Retain this default setting if using the internal radio for VAP access (currently the only supported radio type).

Authentication Type

Below is a list of available authentication types with descriptive features and uses for each:

WPA

Good security (uses TKIP)
For use with trusted corporate wireless clients
Transparent authentication with Windows log-in
No client software needed in most cases

WPA2

Best security (uses AES)
For use with trusted corporate wireless clients
Transparent authentication with Windows log-in
Client software install may be necessary in some cases
Supports 802.11i “Fast Roaming” feature
No backend authentication needed after first log-in (allows for faster roaming)

WPA2-AUTO

Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection falls back to WPA.

Unicast Cipher

The unicast cipher is automatically chosen based on the authentication type.

Multicast Cipher

The multicast cipher is automatically chosen based on the authentication type.

Maximum Clients

Choose the maximum number of concurrent client connections permissible for this virtual access point.

WPA-PSK / WPA2-PSK Encryption Settings

Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.

 

WPA-PSK/WPA2-PSK encryption configuration options

Feature

Description

Pass Phrase

The shared passphrase users will enter when connecting with PSK-based authentication.

Group Key Interval

The time period for which a Group Key is valid. The default value is 86400 seconds. Setting too low a value can cause connection issues.

WPA-EAP / WPA2-EAP Encryption Settings

Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1x/EAP capable RADIUS server for key generation.

 

WPA-EAP / WPA2-EAP encryption configuration options

Feature

Description

RADIUS Server 1

The name/location of your RADIUS authentication server

RADIUS Server 1 Port

The port on which your RADIUS authentication server communicates with clients and network devices.

RADIUS Server 1 Secret

The secret passcode for your RADIUS authentication server

RADIUS Server 2

The name/location of your backup RADIUS authentication server

RADIUS Server 2 Port

The port on which your backup RADIUS authentication server communicates with clients and network devices.

RADIUS Server 2 Secret

The secret passcode for your backup RADIUS authentication server

Group Key Interval

The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.

Virtual Access Points

The VAP Settings feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings. Virtual Access Points are configured from the Wireless > Virtual Access Point page.

General VAP Settings

 

VAP configuration options

Feature

Description

SSID

Create a friendly name for your VAP.

Name

Select a subnet name to associate this VAP with. Settings for this VAP will be inherited from the subnet you select from this list.

VLAN ID

Select the VLAN ID from the drop-down menu.

Enable Virtual Access Point

Enables this VAP.

Enable SSID Suppress

Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients.

Advanced VAP Settings

Advanced settings allow you to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user-created profile. See Virtual Access Point Profiles for complete authentication and encryption configuration information.

Virtual Access Point Groups

The Virtual Access Point Groups feature is available on SonicWall NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your internal wireless radio. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page.

Enabling the Virtual Access Point Group

After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Internal AP Group.

Schedulable VAP

Schedulable VAP allows each Virtual Access Point to have its own schedule settings. In previous versions, the wireless radio associated with the SonicWall appliance shared the same schedule among multiple Virtual Access Points. As a result, all virtual access points were active and/or inactive at the same time. Schedulable VAP allows each VAP to have its own setting for the schedules.

* 
NOTE: If you are configuring a VAP schedule for a SonicPoint, the schedule is stored on the SonicWall appliance with which the SonicPoint is associated. If configuring this enhancement on a SonicWall appliance, you will have to add members to the VAP group to store and configure the VAP Schedule settings. When the VAP is enabled for the SonicPoint radio, the schedule settings for the radio are disabled.

Configuring a Schedulable VAP

To schedule and enable a Virtual Access Point:
1
Navigate to the SonicPoint > Virtual Access Point page.
2
Add or edit a Virtual Access Point by clicking the Add... button or the Edit icon of the existing Virtual Access Point you wish to edit.
3
In the Configuration dialog, click the Advanced tab.

4
Select the desired schedule from the VAP Schedule Name drop-down menu.
5
Click OK to save changes.

VAP Access Control List

Each Virtual Access Point can support an individual Access Control List (ACL) to provide more effective authentication control. The Wireless ACL Enhancement feature works in tandem with the wireless MAC Filter List currently available on SonicOS. Unified ACL is supported on the internal wireless radio of SonicWall TZ and NSA series appliances, SonicPoint-N appliances, SonicPointNDR appliances, and SonicPoint Ni/Ne appliances. Using the Wireless ACL Enhancement, users are able to enable or disable the MAC Filter List, set the Allow List, and set the Deny List.

The Wireless ACL Enhancement allows each VAP to have its own MAC Filter List settings or to use the global settings. When the global settings are enabled, the SonicPoint-N, SonicPointNDR, or SonicPoint Ni/Ne appliance uses these settings by default. In Virtual Access Point (VAP) mode, each VAP of the group shares the same MAC Filter List settings.

Configuring the SonicPointN VAP MAC Filter List

* 
NOTE: When using the VAP ACL feature with a SonicPointN device, the MAC Filter List settings are first stored on the SonicWall Network Security appliance, then pushed to the SonicPointN device.
To configure the SonicPointN VAP MAC Filter List:
1
Navigate to the SonicPoint > Virtual Access Points page.
2
Click the Add... button under the Virtual Access Points section.
3
In the dialog that displays, click the Advanced tab.

4
Select the Enable MAC Filter List checkbox. You must enable the MAC Filter List before you can configure the Global ACL Settings, Allow List, or Deny List.
5
Select the Use Global ACL Settings checkbox to associate this Virtual Access Point with the MAC Filter List settings already defined on the SonicWall Network Security appliance. Note that you will not be able to edit the Allow or Deny Lists while this option is enabled.
6
Select an Address Object Group for the Allow List and Deny List.

7
You can also create a new custom MAC Address Object Group by selecting the option from the drop-down menu. The following dialog displays:

8
Type the Name of the new address object group you want to create in the specified field.
9
Select the value(s) you want to associate, then click the Arrow button.
10
After selecting the value(s) you want associated with the MAC Address Object Group, click OK.

VAP Sample Configuration

This section provides configuration examples based on real-world wireless needs.

Configuring a VAP for School Faculty Access

You can use a VAP for a set of users who are commonly in the office or on campus and who should be given full access to all network resources, provided that the connection is authenticated and secure. These users would already belong to the network’s Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS – Internet Authentication Services. This section contains the following subsections:

Configuring a Zone

In this section you will create and configure a new corporate wireless zone with SonicWall firewall security services and enhanced WiFiSec/WPA2 wireless security.

1
Log into the management interface of your SonicWall network security appliance.
2
In the left-hand menu, navigate to the Network > Zones page.
3
Click the Add... button to add a new zone.
General Settings Tab
1
In the General tab, enter a friendly name such as “WLAN_Faculty” in the Name field.
2
Select Wireless from the Security Type drop-down menu.
3
Select the Allow Interface Trust checkbox to allow communication between faculty users.
4
Select checkboxes for all of the security services you would normally apply to faculty on the wired LAN.

Wireless Settings Tab
1
Check the Only allow traffic generated by a SonicPoint / SonicPointN checkbox.
2
Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu (if applicable).

3
Click the OK button to save these changes.

Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

Creating a New Wireless Subnet

In this section you will create and configure a new wireless subnet on your current WLAN. This wireless subnet will be linked to the zone you created in Configuring a Zone.

To create a new wireless subnet:
1
In the Network > Interfaces page, click the Add WLAN Subnet button.
2
In the Zone drop-down menu, select the zone you created in Configuring a Zone. In this case, we have chosen WLAN_Faculty.
3
Enter a Subnet Name for this interface. This name allows the internal wireless radio to identify which traffic belongs to the “WLAN_Faculty” subnet. In this case, we choose Faculty as our subnet name.
4
Enter the desired IP Address for this subinterface.
5
Optionally, you may add a comment about this subinterface in the Comment field.
6
If you intend to use this interface, ensure that the Create default DHCP Lease Scope option is checked. This option automatically creates a new DHCP lease scope for this subnet with 33 addresses. This setting can be adjusted later on the Network > DHCP page.
7
Click the OK button to add this subinterface.

Your WLAN Subnet interface now appears in the Interface Settings list.

Creating a Wireless VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This section is optional, but will facilitate greater ease of use when configuring multiple VAPs.

To create a wireless VAP profile:
1
In the left-hand menu, navigate to the Wireless > Virtual Access Point page.
2
Click the Add... button in the Virtual Access Point Profiles section.
3
Enter a Profile Name such as “Corporate-WPA2” for this VAP Profile.
4
Select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This employs automatic user authentication based on your current RADIUS server settings (set below).
5
In the Maximum Clients field, enter the maximum number of concurrent connections the VAP will support.
6
In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the new subnet.
7
Click the OK button to create this VAP Profile.
Creating the Wireless VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the wireless subnet you created in Creating a New Wireless Subnet.

To create a wireless VAP:
General Tab
1
Navigate to the Wireless > Virtual Access Point page.
2
Click the Add... button in the Virtual Access Points section.
3
Enter a default name (SSID) for the VAP. In this case we chose Campus_Faculty. This is the name users will see when choosing a wireless network to connect with.
4
Select the Subnet Name you created in Creating a New Wireless Subnet, from the drop-down list. In this case we chose Faculty, the name of our WLAN_Faculty subnet.
5
Check the Enable Virtual Access Point checkbox to enable this access point upon creation.
6
Check the Enable SSID Suppress checkbox to hide this SSID from users.
7
Click the OK button to add this VAP.

Your new VAP now appears in the Virtual Access Points list.

Advanced Tab (Authentication Settings)
1
Click the Advanced tab to edit encryption settings. If you created a VAP Profile in the previous section, select that profile from the Profile Name drop-down menu. We created and chose a “Corporate-WPA2” profile, which uses WPA2-AUTO-EAP as the authentication method. If you have not set up a VAP Profile, continue with steps 2 through 4. Otherwise, continue to Create More / Deploy Current VAPs.
2
In the Advanced tab, select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This employs automatic user authentication based on your current RADIUS server settings (set below).
3
In the Maximum Clients field, enter the maximum number of concurrent connections the VAP will support.
4
In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the wireless subnet.
Create More / Deploy Current VAPs

Now that you have successfully set up a wireless subnet for faculty access, you can choose to add more custom VAPs, or to deploy this configuration to your internal wireless radio as described in Deploying VAPs to the Wireless Radio.

* 
TIP: Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously by following the steps in Deploying VAPs to the Wireless Radio.

Deploying VAPs to the Wireless Radio

In the following section you will group and deploy your new VAPs, associating them with the internal wireless radio. Users will not be able to access your VAPs until you complete this process.

Grouping Multiple VAPs

In this section, you will group multiple VAPs into a single group to be associated with your SonicPoint(s).

1
Navigate to the Wireless > Virtual Access Point page.
2
Click the Add Group... button in the Virtual Access Point Group section.
3
Enter a Virtual AP Group Name.
4
Select the desired VAPs from the list and click the -> button to add them to the group. Optionally, click the Add All button to add all VAPs to a single group.
5
Press the OK button to save changes and create the group.
6
To set up 802.11g WEP or 802.11a WEP/WPA encryption, or to enable MAC address filtering, use the 802.11g and 802.11a tabs. If any of your VAPs use encryption, you must configure these settings before your wireless VAPs will function.
7
Click the OK button to save changes and create this Wireless Provisioning Profile.
Associating a VAP Group with your Wireless Radio

After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio.

1
Navigate to the Wireless > Settings page.
2
In the Wireless Virtual Access Point section, select the VAP group you created in Grouping Multiple VAPs from the Virtual Access Point Group drop-down menu. In this case, we chose the default Internal AP Group as our Virtual AP Group.

3
Click the Accept button to continue and associate this VAP group with your internal wireless radio.
* 
NOTE: If you are setting up guest services for the first time, be sure to make the necessary configurations in Users > Guest Services.