How to configure WiFiSec Enforcement in SonicWall TZ devices with built-in wireless (SonicOS Enhanc
03/26/2020 4 12951
How to configure WiFiSec Enforcement in SonicWall TZ devices with built-in wireless (SonicOS Enhanced)
WiFiSec Enforcement is the ability to require that all traffic that enters into the WLAN Zone interface be either IPSec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients connected to SonicPoints (SonicWall Wireless Device) attached to an interface belonging to a Zone on which WiFiSec is enforced are required to use the strong security of IPSec. The VPN connection inherent in WiFiSec terminates at the "WLAN GroupVPN", which you can configure independently of "WAN GroupVPN" or other Zone GroupVPN instances.
Enforcing WiFiSec ensures that wireless users are authenticated and that their wireless traffic is fully encrypted. This method of deployment ensures that only authorized users are attaching to the SonicWall, and that the wireless traffic of authorized users is truly secure against interception and decoding from undesired third parties. Activating this causes the SonicWall to pass only IPSec, WPA or both packets to and from its WLAN Zone.
All wireless clients must connect to the SonicWall using the SonicWall Global VPN Client if they wish to access anything (policy-allowed LAN resources, policy-allowed WAN access, and other wireless clients). The encryption and authentication run transparently over any manufacturer's wireless card no need to worry about patching or updating the card's software driver to support it.
This scenario ensures that wireless users are authenticated and that their wireless traffic is fully encrypted:
- In this scenario, wireless computers must use WPA-PSK encryption to initially associate with the wireless network. (other wireless encryptions may also be used)
- Wireless traffic passing thru the WLAN Zone is secured by IPSec.
- Managing the SonicWall Appliance via WLAN Zone is completely disabled.
- All Wireless users must authenticate and use SonicWall Global VPN Client (GVC) to access the network.
- Internet Access is allowed only via the SonicWall Appliance, this ensures that the wireless traffic is also checked by SonicWall Security Services (Intrusion Prevention Service, Gateway Anti-Virus, Content Filtering Service, etc).
The configuration procedure is divided into two parts:
PART ONE: Configuration on the SonicWall Appliance
Step 1: Configuring the WLAN Interface.
Step 2: Enabling WifiSec Enforcement on the WLAN Zone to allow only IPSEC traffic.
Step 3: Configuring Wireless settings (Enabling WPA-PSK encryption)
Step 4: Configuring WLANGroupVPN policy (IPSEC Settings)
Step 5: Configuring DHCP over VPN to lease an IP Address to Wireless clients (Connecting via GVC)
Step 6: Configuring User Authentication to allow access only to authenticated wireless users.
PART TWO: Configuration on the Wireless client computer
Step 1: Connectivity using the wireless card utility for initial association with WLAN (wireless) Zone.
Step 2: Connectivity using SonicWall Global VPN Client (GVC) to ensure that the wireless traffic is encrypted with IPSec.
Part One: Configuration on the SonicWall Appliance
Step 1: Configuring the WLAN Interface
The WLAN interface is only available on the TZ 170 Wireless and TZ 170 SP Wireless. You can only configure the WLAN interface with a static IP address.
1. Login to SonicWall Management GUI, go to Network > Interfaces.
2. Click on the Notepad icon in the Configure column for WLAN Interface. The Edit Interface window is displayed.
3. Enter the IP address (172.16.31.1) and subnet mask (255.255.255.0) of the Zone in the IP Address and Subnet Mask fields.
4. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
5. Uncheck all supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. (In this scenario we are not allowing wireless clients to manage the SonicWall to ensure complete security).
6. Click OK.
Step 2: Enabling WiFiSec Enforcement on the WLAN Zone to allow only IPSEC traffic
1. Go to Network > Zones; Click the Edit icon for the WLAN zone. The Edit Zone window is displayed.
2. In the General tab, uncheck Allow Interface Trust. Select any of the following settings to enable the SonicWall Security Services on the WLAN Zone.
Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
Enforce Client Anti-Virus Service - Enforces managed anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Gateway Anti-Virus manages the anti-virus service on the SonicWall appliance.
Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
Enforce Global Security Clients - Enforces security policies for Global Security Clients on multiple interfaces in the same Trusted, Public or WLAN zones.
3. Click the Wireless tab, Uncheck Only allow traffic generated by a SonicPoint (if enabled: allows only traffic from SonicWall SonicPoints to enter the WLAN Zone interface)
Please Note: SonicOS Enhanced firmware 220.127.116.11 onwards the WifiSec Enforcement settings are not available on the WLAN Zone > Wireless tab, these settings are hidden and have to be enabled from the diag.html page (Eg: 192.168.168.168/diag.html).
For complete instructions refer KBID 6496: UTM: Wireless WifiSec Enforcement settings not visible in the WLAN Zone > Wireless tab
4. Select WiFiSec Enforcement.
(All wireless clients must connect to the SonicWall via the SonicWall Global VPN Client if they wish to access anything (policy-allowed LAN resources, policy-allowed WAN access, and other wireless clients).
5. When WiFiSec Enforcement is enabled, you can specify services that are allowed to bypass the WiFiSec enforcement by checking WiFiSec Exception Service and then selecting the service you want to exempt from WiFiSec enforcement.
6. When WiFiSec Enforcement enabled, you can select Require WiFiSec for Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections through the WLAN zone that are part of a site-to-site VPN.
7. Uncheck Trust WPA traffic as WiFiSec. (This will ensure all wireless clients must connect to the SonicWall via the SonicWall Global VPN Client if they wish to access the resources)
8. Click the Guest Services tab. Uncheck Enable Wireless Guest Services (In this scenario we will not be enabling Wireless Guest Users)
9. Click OK to apply these settings to the WLAN zone.
Step 3: Configuring Wireless settings (Enabling WPA-PSK encryption)
1. Go to Wireless > Settings page, select Access Point from the Radio Role menu.
Note: WPA support is only available in Access Point Mode. WPA support is not available in Wireless Bridge Mode.
2. Enable WLAN port by selecting the Enable WLAN checkbox.
3. SSID: Enter a recognizable string for the SSID; the default string is SonicWall, for the SSID can be changed to any alphanumeric value with a maximum of 32 characters. This is the name that will appear in clients' lists of available wireless connections. (For example: SonicLAB)
4. Click Apply button located at the top of the page.
5. Go to Wireless > WEP/WPA Encryption page,
6. In the Authentication Type field: Select WPA PSK and enter a Passphrase (Min 8 - Max 63 characters)
7. Click Apply button.
8. If you wish to configure Mac Fitter List go to Wireless > Mac Filter List page. Click Apply button when finished.
Step 4: Configuring WLANGroupVPN Policy (IPSec Settings)
1. Go to VPN > Settings; enable WLAN GroupVPN checkbox and click the Edit icon to configure.
2. In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. A Shared Secret is automatically generated by the SonicWall security appliance in the Shared Secret field, or you can generate your own shared secret. Shared Secrets must be minimum of four characters. You cannot change the name of any GroupVPN policy.
3. Click the Proposals tab, (You can accept default settings or change the settings to suit your requirement)
Uncheck the option Perfect forward secrecy
Note: Ensure that the IPsec (Phase 1 and Phase 2) proposal values are the same; else you would not be able to establish a successful GVC connection.
4. Click the Advanced tab,
Select Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows Network
Uncheck HTTP and HTTPS checkboxes in the Management via this SA.
Select Require Authentication of VPN Clients via XAUTH - Ensures that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted users group is selected by default (Select Everyone; if you have configured Wireless Guest Services settings from the User Group for XAUTH users list.)
5. Click the Client tab,
Under Virtual Adapter Settings select DHCP Lease (The GVC Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configure in the VPN > DHCP over VPN page.)
Under Allow Connections to select All Secured Gateways (Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, then the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled).
Select Set Default Route as this Gateway - You can only configure one VPN policy to use this setting.
Select Use Default Key for Simple Client Provisioning (The GVC will fetch the Pre-shared Secret automatically; this allows administrators can change the Shared Secret key anytime without notifying the users).
6. Click OK.
Step 5: Configuring DHCP over VPN to lease an IP Address to Wireless clients connecting via GVC
1. Go to VPN > DHCP over VPN.
2. Select Central Gateway from the DHCP Relay Mode menu.
3. Click Configure button. The DHCP over VPN Configuration window is displayed
4. Select Use Internal DHCP Server to enable the SonicWall Global VPN Client or a remote firewall or both to use an internal DHCP server to obtain IP addressing
5. Check the For Global VPN Client checkbox to use the DHCP Server for Global VPN Clients.
If you want to send DHCP requests to specific servers,
Select Send DHCP requests to the server addresses listed below.
Click Add. The IP Address window is displayed.
Enter the IP addresses of DHCP servers in the IP Address field, and click OK. The SonicWall now directs DHCP requests to the specified servers.
Enter the IP address of a relay server in the Relay IP Address (Optional) field.
6. Click OK to exit the DHCP over VPN Configuration window.
Step 6: Configuring User Authentication to allow access only to authenticated wireless users
The default user Authentication method for login is Local Users; you can add local users to the internal database on the SonicWall security appliance from the Users > Local Users page. To add local users to the database:
1. Go to Users > Local Users page; Click Add User. The Add User configuration window displays.
2. Click the Settings tab, type the user name into the Name field.
3. In the Password field, type a password for the user. Passwords are case-sensitive and should consist of a combination of letters and numbers rather than names of
family, friends, or pets.
4. Confirm the password by retyping it in the Confirm Password field.
5. Optionally, select the User must change password checkbox to force users to change their passwords the first time they login.
6. Optionally enter a comment in the Comment field.
7. Click the Groups tab, (ensure Everyone and Trusted Users groups are listed under the Member of list).
8. Click the VPN Access tab, to allow authenticated wireless users to access the LAN network using a VPN tunnel, select LAN Subnets from the Networks list and click the arrow button -> to move them to the Access List.
9. Click OK to complete the user configuration settings.
Part Two: Configuration on the Wireless client computer
Step 1: Connectivity using the Wireless card utility for initial association with the WLAN Zone.
In this scenario a NetGear WG111 USB wireless adapter is used to connect to the SonicWall.
The procedure to associate with a wireless network differs for each manufacturer; refer to your Wireless card product guides for detailed information.
If you are using third party wireless card utility, it is highly recommended that you disable the "Wireless Zero Configuration" service. Click here for instructions.
1. Ensure that the Wireless card driver and utility software has been configured correctly on the wireless computer.
2. Ensure that the Wireless Network Connection is enabled under Start > Control Panel > Network Connections.
3. Launch the NetGear Smart Wizard wireless utility software.
4. Click on Networks tab and scan for "Available Wireless Networks - (SSID)" (For example: SonicLAB)
5. Double click on the SSID to associate with the wireless network.
6. The NetGear wireless utility programs will identify the encryption type automatically while associating with the Wireless network.
7. Enter the WPA-PSK passphrase (minimum of 8 max 63 characters)
8. Click on the About tab and ensure that a valid WLAN IP address