How can I configure WGS (Wireless Guest Services) in SonicWall TZ devices with built-in wireless?
06/21/2023
Description
How can I configure WGS (Wireless Guest Services) in SonicWall TZ devices with built-in wireless?
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Configuring the WLAN Zone
- Log into the SonicWall Management GUI, navigate to Object | Match Objects | Zones; click the Edit icon for the WLAN zone. The Edit Zone window is displayed.
- In the General tab, uncheck Allow Interface Trust (when checked, SonicOS automatically adds access rules permitting traffic between interfaces in the same zone, which a guest zone should not have). Select any of the following settings to enable the SonicWall Security Services on the WLAN Zone.
- Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
- Enforce Client AV Enforcement Service - Enforces managed anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
- Enforce Client CF Service - Enforces Client Content Filtering on the Zone.
- Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Gateway Anti-Virus manages the anti-virus service on the SonicWall appliance.
- Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
- Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
- Enable App Control Service - Enforces Application Control on the zone.
Under the Guest Services Tab you can choose from the following configuration options for Wireless Guest Services.
- Check Enable Guest Services - enables guest services
- Enable inter-guest communication - allows guests connecting to SonicPoints in this WLAN Zone to communicate directly with each other.
- Bypass AV Check for Guests - allows guest traffic to bypass Anti-Virus protection.
- Bypass Client CF Check for Guests - allows guest traffic to bypass Client Content Filter
- Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur-of-the-moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the DHCP service, and authenticate using any web browser. Without DAT, a WGS user who is not a DHCP client but has static IP settings incompatible with the WLAN network settings gets no connectivity until those settings are changed to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that lets the firewall support any IP addressing scheme for WGS users. EXAMPLE: The WLAN interface is configured with its default address of 172.16.31.1; one WGS client has a static IP address of 192.168.0.10 with default gateway 192.168.0.1, and another has 10.1.1.10 with gateway 10.1.1.1. With DAT enabled, both clients can communicate.
- Enable External Guest Authentication - requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.
- Enable Policy Page without authentication - redirects user to a custom policy page without authentication.
- Custom Authentication Page - redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
- Post Authentication Page - directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
- Bypass Guest Authentication - allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
- Redirect SMTP traffic to - redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
- Deny Networks - blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
- Pass Networks - automatically allows traffic through the WLAN zone from the networks you select.
- Max Guests - specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.
- For this Example we just want to Enable Guest Services.
- Under the Wireless Settings heading, select the SonicPoint/Sonicwave Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint/Sonicwave Provisioning Profile, unless you have individually configured it with different settings.
Assigning an available Interface to the WLAN Zone
The WLAN interface is only available on TZ appliances with wireless features. On SonicOS 7.X the WLAN interface (W0) is already configured with a static IP address (172.16.31.1 by default), so only the comment and the management settings need to be changed here.
- Navigate to Network | System | Interfaces.
- Click Configure icon in the Configure column for the Wireless Interface W0. The Edit Interface window is displayed.
- Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table. ( default is Default WLAN )
- Uncheck all supported management protocols: HTTP, HTTPS, SSH, Ping, and SNMP. (In this scenario wireless guests must not be able to reach the firewall's management interface, so no management protocol is left enabled on W0.)
- Click OK.
Configuring Wireless
SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints/Sonicwaves across a Distributed Wireless Architecture. SonicPoint/Sonicwave Profile definitions include all of the settings that can be configured on a SonicPoint/Sonicwave, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation. Once you have defined a SonicPoint/Sonicwave profile, you can apply it to a Wireless zone.
- Navigate to Device | Internal Wireless | Settings, select Access Point from the Radio Role menu.
- Enable the WLAN port by selecting the Enable WLAN Radio checkbox.
- Country Code: Select the country where you are operating the SonicPoints/Sonicwaves. The country code determines which regulatory domain the radio operation falls under.
- Radio Mode: This lets you select whether you will use 2.4 GHz or 5 GHz and which 802.11 standards clients will be allowed to connect with.
- Radio Band: This selects the channel width used.
- Primary Channel: Set to Auto by default, or you can specify a particular primary channel.
- Secondary Channel: The configuration of this drop-down menu is controlled by your selection for the primary channel:
- If the primary channel is set to Auto, the secondary channel is also set to Auto.
- If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
- SSID: Enter a recognizable string for the SSID; the default string is SonicWall. The SSID can be changed to any alphanumeric value with a maximum of 32 characters. This is the name that will appear in clients’ lists of available wireless connections. (For example: SonicLAB).
- Navigate to Device | Internal Wireless | Security.
- Authentication Type: This lets you select the authentication used to connect to the wireless. As in the SonicOS 6.5 section below, WPA2-PSK with the AES cipher is the recommended choice for a guest network; the guest captive portal authenticates users at the web layer and does not encrypt the wireless link itself.
- Preshared Key Settings
- Passphrase: This is where you define the passphrase for the wireless. Use a long, randomly generated passphrase; it is shared with every guest, so rotate it when the guest population changes.
Configuring Guest Profiles (WGS Profiles)
You can create guest accounts manually as needed, or generate them in batches. SonicOS includes profiles you can configure in advance to automate the settings applied to guest accounts when you generate them.
- Navigate to Device | Users | Guest Services; enable Show guest login status window with logout button. (A login status window is displayed on the user's workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.)
- You can edit the Default profile or click Add next to the Show guest login status window with logout button to display the Add Guest Profile window.
- Profile Name: Enter the name of the profile.
- User Name Prefix: Enter the first part of every user account name generated from this profile.
- Auto-generate user name: Check this to allow guest accounts generated from this profile to have an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.
- Auto-generate password: Check this to allow guest accounts generated from this profile to have an automatically generated password. The generated password is an eight-character unique alphabetic string.
- Enable Account: Check this for all guest accounts generated from this profile to be enabled upon creation.
- Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires.
- Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to login with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
- Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.
- Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime.
- Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
- Comment: Any text can be entered as a comment in the Comment field
- Click OK.
Configuring Guest Accounts (WGS Users)
You can add guest accounts individually or generate multiple guest accounts automatically. To Add an Account:
- Navigate to Device | Users | Guest Accounts; click Add Guest (to create an individual account) or Generate (to create multiple accounts).
- Profile: Select the Guest Profile from which to generate this account.
- Name: Enter a name for the account or click Generate. The generated name is the prefix in the profile and a random two or three digit number.
- Comment: Enter a descriptive comment.
- Password: Enter the user account password or click Generate. The generated password is a random string of eight alphabetic characters.
- Confirm Password: If you did not generate the password, re-enter it here.
- In the Guest Services tab, configure.
- Enable Guest Services Privilege: Check this for the account to be enabled upon creation.
- Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to access this account at once.
- Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
- Activate account upon first login: Check this so that the session lifetime clock starts at the guest's first login rather than at account creation (see Session Lifetime below).
- Account Expires: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation. This setting overrides the account lifetime setting in the profile.
- Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
- Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
- Click OK.
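The profile and account settings above (Account Lifetime, Session Lifetime, Idle Timeout, login uniqueness, Auto-Prune, and the generated names and passwords) interact in ways that are easier to see in code than in the GUI. The following Python model is an added example, not SonicWall code: the class and function names are hypothetical, the policy is taken from the descriptions above, and where the article leaves a point open (a login attempted after the Session Lifetime has already elapsed) the model treats the session as spent and rejects the login, which is an assumption.

```python
"""Guest profile and guest account lifetime rules, modelled with a fixed clock.
Added example, not SonicWall code: names are hypothetical, times are plain Unix
seconds supplied by the caller, and a login attempted after the Session Lifetime
has elapsed is rejected (an assumption; the article does not say)."""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

ALPHA = string.ascii_letters  # generated passwords are "eight alphabetic characters"


@dataclass(frozen=True)
class GuestProfile:
    """Settings from Device | Users | Guest Services (Add Guest Profile)."""
    name: str
    user_name_prefix: str
    account_lifetime: int    # seconds until the account expires
    session_lifetime: int    # seconds a session stays active after activation
    idle_timeout: int        # seconds without traffic before the session expires
    enforce_login_uniqueness: bool = True
    auto_prune: bool = True
    activate_on_first_login: bool = True

    def __post_init__(self) -> None:
        # The two ordering rules stated for the profile page.
        if self.session_lifetime > self.account_lifetime:
            raise ValueError("Session Lifetime cannot exceed Account Lifetime")
        if self.idle_timeout > self.session_lifetime:
            raise ValueError("Idle Timeout cannot exceed Session Lifetime")


def generate_user_name(prefix: str) -> str:
    """Prefix plus a random two- or three-digit number (10..999)."""
    return f"{prefix}{secrets.randbelow(990) + 10}"


def generate_password() -> str:
    """Eight letters from a CSPRNG: 52**8 strings, about 45.6 bits of entropy."""
    return "".join(secrets.choice(ALPHA) for _ in range(8))


@dataclass
class GuestAccount:
    name: str
    password: str
    profile: GuestProfile
    created_at: int
    enabled: bool = True                 # "Enable Guest Services Privilege"
    activated_at: Optional[int] = None   # start of the session clock
    last_traffic_at: Optional[int] = None
    active_logins: int = 0

    def __post_init__(self) -> None:
        if not self.profile.activate_on_first_login:   # clock starts at creation
            self.activated_at = self.last_traffic_at = self.created_at

    def account_expired(self, now: int) -> bool:
        return now >= self.created_at + self.profile.account_lifetime

    def session_spent(self, now: int) -> bool:
        return self.activated_at is not None and now >= self.activated_at + self.profile.session_lifetime

    def session_active(self, now: int) -> bool:
        """Activated, inside both lifetimes, and not idle past the timeout."""
        if self.activated_at is None or self.account_expired(now) or self.session_spent(now):
            return False
        return now < self.last_traffic_at + self.profile.idle_timeout

    def login(self, now: int, password: str) -> bool:
        """Captive-portal login; idle expiry ends the session, not the account."""
        if not self.enabled or self.account_expired(now) or self.session_spent(now):
            return False
        if not secrets.compare_digest(password, self.password):
            return False
        if not self.session_active(now):
            self.active_logins = 0           # earlier logins have timed out
        if self.profile.enforce_login_uniqueness and self.active_logins > 0:
            return False                     # one instance of the account at a time
        if self.activated_at is None:
            self.activated_at = now
        self.last_traffic_at = now
        self.active_logins += 1
        return True

    def record_traffic(self, now: int) -> bool:
        """Traffic resets the idle timer only while the session is active."""
        if not self.session_active(now):
            return False
        self.last_traffic_at = now
        return True


def generate_accounts(profile: GuestProfile, count: int, now: int) -> List[GuestAccount]:
    """The Generate button: a batch of accounts with unique names from one profile."""
    assert count <= 990, "only 990 distinct two/three-digit suffixes exist"
    names = set()
    while len(names) < count:
        names.add(generate_user_name(profile.user_name_prefix))
    return [GuestAccount(n, generate_password(), profile, created_at=now) for n in sorted(names)]


def prune(accounts: List[GuestAccount], now: int) -> List[GuestAccount]:
    """Auto-Prune removes expired accounts; without it they stay listed as Expired."""
    return [a for a in accounts if not (a.account_expired(now) and a.profile.auto_prune)]
```

Two points the model makes visible: the idle timeout ends a session without ending the account, so a guest can log in again until the Session Lifetime or Account Lifetime runs out, and the generated eight-letter password is short enough that the Account Lifetime, not the password, is the real limit on how long a leaked credential is useful.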
Testing the Connection
- You should now see the SSID you configured under Configuring Wireless listed on your wireless client.
- When you connect it will prompt you for the passphrase created earlier as well.
- Once you have entered this it should be connected to the wireless.
- When you launch a web browser and try to connect it will redirect you to a log in page.
- Enter the credentials created earlier.
- You should now have access to the Internet.
- By default the WLAN zone has no access to the LAN zone. If you want the WLAN to reach LAN resources, you will need to create access rules from WLAN to LAN; scope them to the specific hosts and services guests actually need.
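The connection test can be scripted from the guest client so the result is repeatable after every change to the zone or the access rules. The script below is an added example and not part of the article or of SonicOS. It assumes the WLAN interface still has the article's default address 172.16.31.1, a hypothetical LAN host 192.168.168.168 as the isolation target, and a plain-HTTP probe URL (http://example.com/); all three are assumptions to adjust. The classification helpers are kept separate from the network probes so they can be checked against constructed responses.

```python
"""Scripted version of the "Testing the Connection" steps: confirm that an
unauthenticated guest is redirected to the firewall's login page, that the
Internet opens up after login, and that the WLAN still cannot reach the LAN.
Added example, not SonicWall code; WLAN_GATEWAY, PROBE_URL and LAN_TARGET
are assumptions."""
import socket
import urllib.error
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlsplit

WLAN_GATEWAY = "172.16.31.1"            # firewall WLAN address (article default)
PROBE_URL = "http://example.com/"        # assumption: any plain-HTTP URL
LAN_TARGET = ("192.168.168.168", 443)    # assumption: a host on the LAN zone


def classify_portal_response(status: int, headers: Dict[str, str], portal_host: str) -> str:
    """'captive-portal' for a 30x whose Location points at the firewall's login
    page, 'open' for a 200 from the real site, 'unexpected' for anything else."""
    lower = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and urlsplit(lower.get("location", "")).hostname == portal_host:
        return "captive-portal"
    if status == 200:
        return "open"
    return "unexpected"


def classify_lan_probe(error: Optional[OSError]) -> str:
    """'isolated' when the TCP connect failed (timeout, refused, unreachable),
    'reachable' when it completed."""
    return "reachable" if error is None else "isolated"


def evaluate(before_login: str, after_login: str, lan: str) -> List[str]:
    """Findings against the article's expectations; an empty list means all good."""
    findings = []
    if before_login != "captive-portal":
        findings.append("no redirect to the login page before authenticating: check "
                        "Enable Guest Services and Bypass Guest Authentication on the WLAN zone")
    if after_login != "open":
        findings.append("Internet not reachable after login: check the guest account "
                        "status and the WLAN to WAN access rules")
    if lan != "isolated":
        findings.append("WLAN reached the LAN target: review the WLAN to LAN access rules")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the 30x instead of following it


def probe_portal(url: str = PROBE_URL, portal_host: str = WLAN_GATEWAY, timeout: float = 5.0) -> str:
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_portal_response(resp.status, dict(resp.headers), portal_host)
    except urllib.error.HTTPError as err:     # an unfollowed 30x is raised here
        return classify_portal_response(err.code, dict(err.headers), portal_host)


def probe_lan(target=LAN_TARGET, timeout: float = 3.0) -> str:
    try:
        with socket.create_connection(target, timeout=timeout):
            return classify_lan_probe(None)
    except OSError as err:
        return classify_lan_probe(err)


if __name__ == "__main__":
    # Run once while associated but not logged in, then again after logging in.
    before = probe_portal()
    input(f"before login: {before}. Log in through the browser, then press Enter...")
    after = probe_portal()
    lan = probe_lan()
    for finding in evaluate(before, after, lan) or ["all checks passed"]:
        print(finding)
```

Probe with plain HTTP only: a captive portal cannot transparently redirect an HTTPS request without a certificate error, so an HTTPS probe would report "unexpected" even when the portal is working correctly.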
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Configuring the WLAN Zone
- Log into the SonicWall Management GUI, navigate to Manage | Network | Zones; click the Edit icon for the WLAN zone. The Edit Zone window is displayed.
- In the General tab, uncheck Allow Interface Trust (when checked, SonicOS automatically adds access rules permitting traffic between interfaces in the same zone, which a guest zone should not have). Select any of the following settings to enable the SonicWall Security Services on the WLAN Zone.
- Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
- Enforce Client AV Enforcement Service - Enforces managed anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
- Enforce Client CF Service - Enforces Client Content Filtering on the Zone.
- Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Gateway Anti-Virus manages the anti-virus service on the SonicWall appliance.
- Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
- Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
- Enable App Control Service - Enforces Application Control on the zone.
- Under the Guest Services Tab you can choose from the following configuration options for Wireless Guest Services.
- Check Enable Guest Services - enables guest services
- Enable inter-guest communication - allows guests connecting to SonicPoints in this WLAN Zone to communicate directly with each other.
- Bypass AV Check for Guests - allows guest traffic to bypass Anti-Virus protection.
- Bypass Client CF Check for Guests - allows guest traffic to bypass Client Content Filter
- Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur-of-the-moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the DHCP service, and authenticate using any web browser. Without DAT, a WGS user who is not a DHCP client but has static IP settings incompatible with the WLAN network settings gets no connectivity until those settings are changed to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that lets the firewall support any IP addressing scheme for WGS users. EXAMPLE: The WLAN interface is configured with its default address of 172.16.31.1; one WGS client has a static IP address of 192.168.0.10 with default gateway 192.168.0.1, and another has 10.1.1.10 with gateway 10.1.1.1. With DAT enabled, both clients can communicate.
- Enable External Guest Authentication - requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.
- Enable Policy Page without authentication - redirects user to a custom policy page without authentication.
- Custom Authentication Page - redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
- Post Authentication Page - directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
- Bypass Guest Authentication - allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
- Redirect SMTP traffic to - redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
- Deny Networks - blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
- Pass Networks - automatically allows traffic through the WLAN zone from the networks you select.
- Max Guests - specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.
- For this Example we just want to Enable Guest Services.
- Under the Wireless Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
- Click OK.
Assigning an available Interface to the WLAN Zone
The WLAN interface is only available on the TZ appliances with wireless features. You can configure the WLAN interface with a static IP address or configure L2 bridge to any LAN interface.
- Navigate to Manage | Network | Interfaces.
- Click Configure icon in the Configure column for the Wireless Interface. The Edit Interface window is displayed.
- In the Zone list, select WLAN.
- Enter the IP address (172.16.31.1) and subnet mask (255.255.255.0) of the Zone in the IP Address and Subnet Mask fields.
- In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface. (you can accept the default value).
- Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
- Uncheck all supported management protocols: HTTP, HTTPS, SSH, Ping, and SNMP. (In this scenario wireless guests must not be able to reach the firewall's management interface, so no management protocol is left enabled on the wireless interface.)
- Click OK.
Configuring Wireless
SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation. Once you have defined a SonicPoint profile, you can apply it to a Wireless zone.
- Navigate to Manage | Wireless | Basic Settings, select Access Point from the Radio Role menu.
- Enable the WLAN port by selecting the Enable WLAN checkbox.
- Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
- Radio Mode: This lets you select whether you will use 2.4 GHz or 5 GHz and which 802.11 standards clients will be allowed to connect with.
- Radio Band: This selects the size of the channel used.
- Channel: This selects the channel used.
- SSID: Enter a recognizable string for the SSID; the default string is SonicWall. The SSID can be changed to any alphanumeric value with a maximum of 32 characters. This is the name that will appear in clients’ lists of available wireless connections. (For example: SonicLAB).
- Navigate to Manage | Wireless | Security.
- Authentication Type: This lets you select the Authentication used to connect to the wireless (WPA2-PSK is recommended).
- WPA2/WPA Settings
- Cipher Type: AES is recommended.
- Preshared Key Settings
- Passphrase: This is where you define the passphrase for the wireless.
Configuring Guest Profiles (WGS Profiles)
You can create guest accounts manually as needed, or generate them in batches. SonicOS includes profiles you can configure in advance to automate the settings applied to guest accounts when you generate them.
- Navigate to Manage | Users | Guest Services; enable Show guest login status window with logout button. (A login status window is displayed on the user's workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.)
- You can edit the Default profile or click Add below the Guest Profile list to display the Add Guest Profile window.
- Profile Name: Enter the name of the profile.
- User Name Prefix: Enter the first part of every user account name generated from this profile.
- Auto-generate user name: Check this to allow guest accounts generated from this profile to have an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.
- Auto-generate password: Check this to allow guest accounts generated from this profile to have an automatically generated password. The generated password is an eight-character unique alphabetic string.
- Enable Account: Check this for all guest accounts generated from this profile to be enabled upon creation.
- Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires.
- Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to login with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
- Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.
- Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime.
- Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
- Comment: Any text can be entered as a comment in the Comment field
- Click OK.
Configuring Guest Accounts (WGS Users)
You can add guest accounts individually or generate multiple guest accounts automatically. To Add an Account:
- Navigate to Manage | Users | Guest Accounts; click Add Guest (to create an individual account) or Generate (to create multiple accounts). In the Settings tab of the Add Guest Account window, configure:
- Profile: Select the Guest Profile from which to generate this account.
- Name: Enter a name for the account or click Generate. The generated name is the prefix in the profile and a random two or three digit number.
- Comment: Enter a descriptive comment.
- Password: Enter the user account password or click Generate. The generated password is a random string of eight alphabetic characters.
- Confirm Password: If you did not generate the password, re-enter it here.
- In the Guest Services tab, configure.
- Enable Guest Services Privilege: Check this for the account to be enabled upon creation.
- Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to access this account at once.
- Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
- Account Expires: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation. This setting overrides the account lifetime setting in the profile.
- Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
- Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
- Click OK.
Testing the Connection
- You should now see the SSID you configured under Configuring Wireless listed on your wireless client.
- When you connect it will prompt you for the passphrase created earlier as well.
- Once you have entered this, the client should be connected to the wireless network.
- When you launch a web browser and try to connect it will redirect you to a log in page.
- Enter the credentials created earlier.
- You should now have access to the Internet.
- By default the WLAN zone has no access to the LAN zone. If you want the WLAN to reach LAN resources, you will need to create access rules from WLAN to LAN; scope them to the specific hosts and services guests actually need.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
Configuring the WLAN Zone
- Log into the SonicWall management GUI, navigate to Network | Zones; click the Edit icon for the WLAN zone. The Edit Zone window is displayed.
- In the General tab, uncheck Allow Interface Trust (when checked, SonicOS automatically adds access rules permitting traffic between interfaces in the same zone, which a guest zone should not have). Select any of the following settings to enable the SonicWall Security Services on the WLAN Zone.
- Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
- Enforce Client AV Enforcement Service - Enforces managed anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
- Enforce Client CF Service - Enforces Client Content Filtering on the Zone.
- Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Gateway Anti-Virus manages the anti-virus service on the SonicWall appliance.
- Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
- Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
- Enable App Control Service - Enforces Application Control on the zone.
- Under the Guest Services Tab you can choose from the following configuration options for Wireless Guest Services.
- Check Enable Guest Services - enables guest services
- Enable inter-guest communication - allows guests connecting to SonicPoints in this WLAN Zone to communicate directly with each other.
- Bypass AV Check for Guests - allows guest traffic to bypass Anti-Virus protection.
- Bypass Client CF Check for Guests - allows guest traffic to bypass Client Content Filter
- Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur-of-the-moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the DHCP service, and authenticate using any web browser. Without DAT, a WGS user who is not a DHCP client but has static IP settings incompatible with the WLAN network settings gets no connectivity until those settings are changed to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that lets the firewall support any IP addressing scheme for WGS users. EXAMPLE: The WLAN interface is configured with its default address of 172.16.31.1; one WGS client has a static IP address of 192.168.0.10 with default gateway 192.168.0.1, and another has 10.1.1.10 with gateway 10.1.1.1. With DAT enabled, both clients can communicate.
- Enable External Guest Authentication - requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.
- Enable Policy Page without authentication - redirects user to a custom policy page without authentication.
- Custom Authentication Page - redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
- Post Authentication Page - directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
- Bypass Guest Authentication - allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
- Redirect SMTP traffic to - redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
- Deny Networks - blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
- Pass Networks - automatically allows traffic through the WLAN zone from the networks you select.
- Max Guests - specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.
- For this example, we just want to enable Guest Services.
- Under the Wireless Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
- Click OK.
Assigning an available Interface to the WLAN Zone
The WLAN interface is only available on the TZ appliances with wireless features. You can configure the WLAN interface with a static IP address or configure L2 bridge to any LAN interface.
- Navigate to Network | Interfaces.
- Click Configure icon in the Configure column for the Wireless Interface. The Edit Interface window is displayed.
- In the Zone list, select WLAN.
- Enter the IP address (172.16.31.1) and subnet mask (255.255.255.0) of the Zone in the IP address and Subnet Mask fields.
- In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface. (you can accept the default value).
- Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
- Uncheck all supported management protocols: HTTP, HTTPS, SSH, Ping, and/or SNMP. (In this scenario, wireless clients are not allowed to manage the SonicWall, so the management interface is not reachable from the guest network.)
- Click OK.
Configuring Wireless
SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSID’s, and channels of operation. Once you have defined a SonicPoint profile, you can apply it to a Wireless zone.
- Navigate to Wireless | Settings, select Access Point from the Radio Role menu.
- Enable the WLAN port by selecting the Enable WLAN checkbox.
- Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
- Radio Mode: This lets you select whether you will use 2.4 GHz or 5 GHz and which 802.11 standards the wireless will allow to connect.
- Radio Band: This selects the size of the channel used.
- Channel: This selects the channel used.
- SSID: Enter a recognizable string for the SSID; the default string is SonicWall. The SSID can be changed to any alphanumeric value with a maximum of 32 characters. This is the name that will appear in clients’ lists of available wireless connections. (For example: SonicLAB).
- Navigate to Wireless | Security.
- Authentication Type: This lets you select the Authentication used to connect to the wireless (WPA2-PSK is recommended).
- WPA2/WPA Settings
- Cipher Type: AES is recommended.
- Preshared Key Settings
- Passphrase: This is where you define the passphrase for the wireless.
Configuring Guest Profiles (WGS Profiles)
You can create these accounts manually as needed, or generate them in batches. SonicOS includes profiles you can configure in advance to automate the configuration of guest accounts when you generate them.
- Navigate to Users | Guest Services; enable Show guest login status window with logout button. (A user login window is displayed on the user's workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.)
- You can edit the Default profile or click Add below the Guest Profile list to display the Add Guest Profile window.
- Profile Name: Enter the name of the profile.
- User Name Prefix: Enter the first part of every user account name generated from this profile.
- Auto-generate user name: Check this to allow guest accounts generated from this profile to have an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.
- Auto-generate password: Check this to allow guest accounts generated from this profile to have an automatically generated password. The generated password is an eight-character unique alphabetic string.
- Enable Account: Check this for all guest accounts generated from this profile to be enabled upon creation.
- Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires.
- Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to login with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
- Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.
- Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime.
- Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
- Comment: Any text can be entered as a comment in the Comment field.
- Click OK.
Configuring Guest Accounts (WGS Users)
You can add guest accounts individually or generate multiple guest accounts automatically. To add an account:
- Navigate to Users | Guest Accounts and click Add Guest (to create an individual account) or Generate (to create multiple accounts). In the Settings tab of the Add Guest Account window, configure the following.
- Profile: Select the Guest Profile from which to generate this account.
- Name: Enter a name for the account or click Generate. The generated name is the prefix from the profile followed by a random two- or three-digit number.
- Comment: Enter a descriptive comment.
- Password: Enter the user account password or click Generate. The generated password is a random string of eight alphabetic characters.
- Confirm Password: If you did not generate the password, re-enter it.
- In the Guest Services tab, configure the following.
- Enable Guest Services Privilege: Check this for the account to be enabled upon creation.
- Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to access this account at once.
- Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
- Account Expires: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation. This setting overrides the account lifetime setting in the profile.
- Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
- Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
- Click OK.
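The lifetime rules from the guest profile (Account Lifetime, Session Lifetime, Idle Timeout, activation on first login, Auto-Prune) and the per-account overrides from the Guest Services tab, modelled as an added Python example. This is not SonicWall code; the state names, the validation helper and the constructed timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class GuestProfile:
    name: str
    account_lifetime: timedelta   # "Account Lifetime"
    session_lifetime: timedelta   # "Session Lifetime" (<= account lifetime)
    idle_timeout: timedelta       # "Idle Timeout" (<= session lifetime)
    activate_on_first_login: bool = True
    auto_prune: bool = True


def validate_profile(p: GuestProfile) -> list:
    """Return the ordering violations the Add Guest Profile dialog rejects."""
    errors = []
    if p.session_lifetime > p.account_lifetime:
        errors.append("Session Lifetime exceeds Account Lifetime")
    if p.idle_timeout > p.session_lifetime:
        errors.append("Idle Timeout exceeds Session Lifetime")
    return errors


@dataclass
class GuestAccount:
    profile: GuestProfile
    created: datetime
    first_login: Optional[datetime] = None
    last_traffic: Optional[datetime] = None
    # Per-account overrides from the Guest Services tab (None = inherit).
    account_expires: Optional[timedelta] = None
    session_lifetime: Optional[timedelta] = None
    idle_timeout: Optional[timedelta] = None


def account_state(a: GuestAccount, now: datetime) -> str:
    """Constructed state names: enabled, active, idle-expired, session-expired, expired, pruned."""
    p = a.profile
    lifetime = a.account_expires if a.account_expires is not None else p.account_lifetime
    if now >= a.created + lifetime:           # Account Lifetime wins over everything
        return "pruned" if p.auto_prune else "expired"
    activated = a.first_login if p.activate_on_first_login else a.created
    if activated is None:
        return "enabled"                      # valid account, no session started yet
    session = a.session_lifetime if a.session_lifetime is not None else p.session_lifetime
    if now >= activated + session:
        return "session-expired"              # account itself stays valid
    idle = a.idle_timeout if a.idle_timeout is not None else p.idle_timeout
    if a.last_traffic is not None and now - a.last_traffic >= idle:
        return "idle-expired"                 # session dropped, account still valid
    return "active"
```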
Testing the Connection
- You should now see the SSID you created in Step 3 listed on your wireless client.
- When you connect it will prompt you for the passphrase created earlier as well.
- Once you have entered this it should be connected to the SonicPoint.
- When you launch a web browser and try to connect, it will redirect you to a login page.
- Enter the credentials created earlier.
- You should now have access to the Internet.
- By default the WLAN does not have access to the LAN. If you want the WLAN to be able to access LAN resources, you will need to create access rules from WLAN to LAN.