Configuring Virtual Access Points

NOTE: Virtual access points are supported when using wireless access points along with SonicWall NSA appliances.

A Virtual Access Point (VAP) is a multiplexed representation of a single physical access point: it presents itself as multiple discrete access points. To wireless LAN clients, each virtual access point appears to be an independent physical access point, when actually only one physical access point exists.

VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point and can be grouped and enforced on a single internal wireless radio, or on single or multiple physical access points simultaneously.

The SonicWall VAP feature complies with the IEEE 802.11 standard for the media access control (MAC) protocol layer, which includes a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This segments the wireless network services within a single radio frequency footprint on a single physical access point.

Topics:
• Before Configuring VAPs
• Access Point VAP Configuration Task List
• Virtual Access Points Profiles
• Virtual Access Points
• Virtual Access Point Groups

Virtual Access Point Configuration

VAPs afford the following benefits:
• Each VAP can have its own security services settings (for example, GAV, IPS, CFS, etc.).
• Traffic from each VAP can be easily controlled using access rules configured from the zone level.
• Separate Guest Services or Lightweight Hotspot Messaging (LHM) configurations can be applied to each, facilitating the presentation of multiple guest service providers with a common set of access points.
• Bandwidth management and other access rule-based controls can easily be applied.

Before Configuring VAPs

Before configuring your virtual access points, you need to have an understanding of what your options are and what you can do.

Topics:
• Determining Your VAP Needs
• Determining Security Configurations
• Sample Network Definitions
• Prerequisites
• VAP Configuration Worksheet

Determining Your VAP Needs

When deciding how to configure your VAPs, begin by considering your communication needs, particularly:
• How many different classes of wireless users do I need to support?
• How do I want to secure these different classes of wireless users?
• Do my wireless clients have the required hardware and drivers to support the chosen security settings?
• What network resources do my wireless users need to communicate with?
• Do any of these wireless users need to communicate with other wireless users?
• What security services do I wish to apply to each of these classes of wireless users?

Determining Security Configurations

After understanding your security requirements, you can then define the zones (and interfaces) and VAPs that provide the most effective wireless services to these users. The following are examples of ways you can define certain types of users.
• Corp Wireless – Highly trusted wireless zone. Employs WPA2-AUTO-EAP security. WiFiSec (WPA) Enforced.
• WEP & PSK – Moderate trust wireless zone. Comprises two virtual APs and subinterfaces, one for legacy WEP devices (for example, wireless printers, older handheld devices) and one for visiting clients who will use WPA-PSK security.
• Guest Services – Using the internal Guest Services user database.
• LHM – Lightweight Hotspot Messaging enabled zone, configured to use an external LHM authentication back-end server.

Sample Network Definitions

The following list shows one possible way you can configure your virtual access points to ensure proper access:
• VAP #1, Corporate Wireless Users – A set of users who are commonly in the office, and who should be given full access to all network resources, provided that the connection is authenticated and secure. These users already belong to the network's Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS (Internet Authentication Services).
• VAP #2, Legacy Wireless Devices – A collection of older wireless devices, such as printers, PDAs and handheld devices, that are only capable of WEP encryption.
• VAP #3, Visiting Partners – Business partners, clients, and affiliates who frequently visit the office, and who need access to a limited set of trusted network resources, as well as the Internet. These users are not located in the company's Directory Services.
• VAP #4, Guest Users – Visiting clients to whom you wish to provide access only to untrusted (for example, Internet) network resources. Some guest users will be provided a simple, temporary username and password for access.
• VAP #5, Frequent Guest Users – Same as Guest Users; however, these users will have more permanent guest accounts through a back-end database.

Prerequisites

Before configuring your virtual access points, be aware of the following:
• Each SonicWall access point must be explicitly enabled for virtual access point support. To verify, navigate to Connectivity | Access Points > Base Settings, click the Edit icon for the SonicPoint/SonicWave Provisioning Profile and, under General Settings, confirm that the Enable SonicPoint checkbox is selected and that either Radio A or Radio G is enabled.
• Access points must be linked to a WLAN zone on your SonicWall network security appliance to provision the access points.
• When using VAPs with VLANs, you must ensure that the physical access point discovery and provisioning packets remain untagged (unless being terminated natively into a VLAN subinterface on the firewall).
• You must also ensure that VAP packets that are VLAN tagged by the access point are delivered unaltered (neither un-encapsulated nor double-encapsulated) by any intermediate equipment, such as a VLAN-capable switch, on the network.
• Be aware that maximum access point restrictions apply and differ based on your SonicWall security appliance.

VAP Configuration Worksheet

The VAP Configuration Worksheet provides some common VAP setup questions and solutions along with a space for you to record your own configurations.

VAP Configuration Worksheet

| Questions | Examples | Solutions |
|---|---|---|
| How many different types of users will I need to support? | Corporate wireless, guest access, visiting partners and wireless devices are all common user types, each requiring their own VAP | Plan out the number of different VAPs needed. Configure a zone and VLAN for each VAP needed |
| Your Configurations: | | |
| How many users will each VAP need to support? | A corporate campus has 100 employees, all of whom have wireless capabilities | The DHCP scope for that zone is set to provide at least 100 addresses |
| | A corporate campus often has a few dozen wireless-capable visitors | The DHCP scope for the visitor zone is set to provide at least 25 addresses |
| Your Configurations: | | |
| How do I want to secure different wireless users? | A corporate user who has access to corporate LAN resources | Configure WPA2-EAP |
| | A guest user who is restricted to only Internet access | Enable Guest Services but configure no security settings |
| | A legacy wireless printer on the corporate LAN | Configure WEP and enable MAC address filtering |
| Your Configurations: | | |
| What network resources do my users need to communicate with? | A corporate user who needs access to the corporate LAN and all internal LAN resources, including other WLAN users | Enable Interface Trust on your corporate zone |
| | A wireless guest who needs to access the Internet and should not be allowed to communicate with other WLAN users | Disable Interface Trust on your guest zone |
| Your Configurations: | | |
| What security services do I wish to apply to my users? | Corporate users who you want protected by the full SonicWall security suite | Enable all SonicWall security services |
| | Guest users who you do not give a hoot about since they are not even on your LAN | Disable all SonicWall security services |
| Your Configurations: | | |

Access Point VAP Configuration Task List

An access point VAP deployment requires several steps to configure. The following section provides a brief overview of the steps involved.

1 Network Zone – The zone is the backbone of your VAP configuration. Each zone you create has its own security and access control settings, and you can create and apply multiple zones to a single physical interface by way of VLAN subinterfaces. For more information on network zones, refer to the section on Manage | Network > Zones in SonicWall SonicOS 6.5 System Setup.
2 Interface (or VLAN Subinterface) – The interface (X2, X3, etc.) represents the physical connection between your SonicWall network security appliance and your physical access points. Your individual zone settings are applied to these interfaces and then forwarded to your access points. For more information on wireless interfaces, refer to the section on Manage | Network > Interfaces in SonicWall SonicOS 6.5 System Setup.
3 DHCP Server – The DHCP server assigns leased IP addresses to users within specified ranges, known as scopes. The default ranges for DHCP scopes are often excessive for the needs of most access points, for instance, a scope of 200 addresses for an interface that only uses 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted. For more information on setting up the DHCP server, refer to the section on Manage | Network > DHCP Server in SonicWall SonicOS 6.5 System Setup.
4 Virtual Access Point Profiles – The Virtual Access Point Profile feature allows for creation of access point configuration profiles which can be easily applied to new virtual access points as needed. Refer to Virtual Access Points Profiles for more information.
5 Virtual Access Point Objects – The Virtual Access Point Objects feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Refer to Virtual Access Points for more information.
6 Virtual Access Point Groups – The Virtual Access Point Groups feature allows grouping of multiple virtual access point objects to be simultaneously applied to your access points.
7 Assign Virtual Access Point Group to Access Point Provisioning Profile Radio – The Provisioning Profile allows a VAP Group to be applied to new access points as they are provisioned.
8 Assign WEP Key (for WEP encryption only) – The Assign WEP Key allows for a WEP Encryption Key to be applied to new access points as they are provisioned. WEP keys are configured per access point, meaning that any WEP-enabled virtual access points assigned to a physical access point must use the same set of WEP keys. Up to 4 keys can be defined, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual physical access points or on Access Point Profiles from the Configuration | Access Points > Base Settings page.

Virtual Access Points Profiles

A Virtual Access Point Profile allows you to pre-configure and save access point settings in a profile. Virtual Access Point Profiles allow settings to be easily applied to new virtual access points. Virtual Access Point Profiles are configured from the Virtual Access Point Profiles section of the Connectivity | Access Points > Virtual Access Point page.
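Before the profile settings are described, the following Python checker (an added example, not SonicWall code; the Zone and Vap classes and their field names are this example's own) runs a planned deployment through the constraints stated in the task list and worksheet above: DHCP scopes sized for the expected users, Interface Trust disabled on guest zones, Dynamic VLAN ID Assignment only with an EAP authentication type, Remote MAC Access Control unavailable with the EAP types, and a WEP key index of 1 to 4 plus MAC filtering for legacy devices. The sample plan is constructed and modelled on the Sample Network Definitions.

```python
"""Check a planned SonicOS 6.5 VAP deployment against the constraints stated in
the task list and worksheet (added example; Zone/Vap are not SonicOS objects)."""
from dataclasses import dataclass

EAP_TYPES = {"WPA2-EAP", "WPA2-AUTO-EAP"}
WEP_TYPES = {"Shared", "Both"}   # authentication types that show WEP Encryption Settings
MAX_WEP_KEYS = 4                 # up to 4 WEP keys per physical access point

@dataclass
class Zone:
    name: str
    dhcp_scope: int          # addresses in the DHCP scope bound to this zone
    expected_clients: int    # worksheet estimate of wireless users on the zone
    interface_trust: bool    # may WLAN users on this zone reach each other?
    guest_services: bool = False

@dataclass
class Vap:
    name: str
    zone: str
    vlan_id: int
    auth_type: str           # Open, Shared, Both, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK/EAP
    wep_key_index: int = 0   # Key 1..4, only meaningful for the WEP types
    mac_filter: bool = False
    dynamic_vlan: bool = False
    remote_mac_control: bool = False

def validate_plan(zones: list[Zone], vaps: list[Vap]) -> list[str]:
    """Return one finding per violated constraint; an empty list means the plan is consistent."""
    findings: list[str] = []
    zone_names = {z.name for z in zones}
    for z in zones:
        # Worksheet: the scope must cover the users the zone is expected to serve.
        if z.dhcp_scope < z.expected_clients:
            findings.append(f"{z.name}: DHCP scope {z.dhcp_scope} is below {z.expected_clients} expected clients")
        # Worksheet: guests must not be able to reach other WLAN users.
        if z.guest_services and z.interface_trust:
            findings.append(f"{z.name}: guest zone should have Interface Trust disabled")
    for v in vaps:
        if v.zone not in zone_names:
            findings.append(f"{v.name}: zone '{v.zone}' is not defined")
        if v.dynamic_vlan and v.auth_type not in EAP_TYPES:
            findings.append(f"{v.name}: Dynamic VLAN ID Assignment requires an EAP type")
        if v.remote_mac_control and v.auth_type in EAP_TYPES:
            findings.append(f"{v.name}: Remote MAC Access Control is unavailable with EAP")
        if v.auth_type in WEP_TYPES:
            if not 1 <= v.wep_key_index <= MAX_WEP_KEYS:
                findings.append(f"{v.name}: WEP VAP must select Key 1 to {MAX_WEP_KEYS}")
            if not v.mac_filter:
                findings.append(f"{v.name}: WEP VAP should enable MAC address filtering")
    return findings

# Constructed sample plan modelled on the Sample Network Definitions above.
ZONES = [
    Zone("Corp-WLAN", dhcp_scope=100, expected_clients=100, interface_trust=True),
    Zone("Guest-WLAN", dhcp_scope=10, expected_clients=25, interface_trust=True, guest_services=True),
    Zone("Legacy-WLAN", dhcp_scope=20, expected_clients=5, interface_trust=False),
]
VAPS = [
    Vap("Corporate", "Corp-WLAN", 10, "WPA2-AUTO-EAP", dynamic_vlan=True),
    Vap("Guest", "Guest-WLAN", 20, "Open", remote_mac_control=True),
    Vap("Printers", "Legacy-WLAN", 30, "Shared", wep_key_index=5),
]

if __name__ == "__main__":
    for finding in validate_plan(ZONES, VAPS):
        print(finding)
```

On the sample plan the checker reports four findings (the undersized guest scope, Interface Trust on the guest zone, and the out-of-range key and missing MAC filter on the WEP VAP); the corporate VAP passes.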
To configure an existing VAP profile, click the Edit icon for that profile. To add a new VAP profile, click the ADD button.

NOTE: Options displayed change depending on your selection of other options.

Topics:
• Virtual Access Point Schedule Settings
• Virtual Access Point Profile Settings
• ACL Enforcement
• Remote MAC Address Access Control Settings

Virtual Access Point Schedule Settings

Each Virtual Access Point can have its own schedule associated with it and, by extension, each profile can have a set schedule defined for it as well.

To associate a schedule with a Virtual Access Point Profile:
1 Select the MANAGE view.
2 Under Connectivity, select Access Points > Virtual Access Point.
3 Select ADD if creating a new profile, or select a Virtual Access Point Profile and click the Edit icon if editing an existing profile.
4 In the VAP Schedule Name field, select the schedule you want from the options in the drop-down menu.

Virtual Access Point Profile Settings

To set the Virtual Access Point Profile settings:
1 Select the MANAGE view.
2 Under Connectivity, select Wireless > Virtual Access Point.
3 Select ADD if creating a new profile, or select a Virtual Access Point Profile and click the Edit icon if editing an existing profile.
4 Set the Radio Type. It is set to SonicPoint/SonicWave by default if using the access points as virtual access points (currently the only supported radio type).
5 In the Profile Name field, type a friendly name for this Virtual Access Point Profile. Choose something descriptive and easy to remember as you apply this profile to new VAPs.
6 Select the Authentication Type from the drop-down list. Choose from these options:

| Authentication Type | Definition |
|---|---|
| Open | No authentication is specified; unsecured access. |
| Shared | A shared key is used to authenticate and ensure basic security. |
| Both | Unsecured, shared access. |
| WPA2-PSK | Best security used with trusted corporate wireless clients. Transparent authentication with Windows login. Supports fast-roaming feature. Uses pre-shared key for authentication. |
| WPA2-EAP | Best security used with trusted corporate wireless clients. Transparent authentication with Windows login. Supports fast-roaming feature. Uses extensible authentication protocol. |
| WPA2-AUTO-PSK | Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection defaults to WPA. Uses pre-shared key for authentication. |
| WPA2-AUTO-EAP | Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection defaults to WPA. Uses extensible authentication protocol. |

The Unicast Cipher field is auto-populated based on the authentication type you selected.

NOTE: Different settings appear on the page depending upon which option you select.

Depending on the Authentication Type selected, an additional section with options is added to the Add/Edit Virtual Access Point Profile page.
• If you selected Open, refer to Radius Server and Radius Accounting for information on RADIUS settings.
• If you selected Both or Shared, refer to WEP Encryption Settings for information on the settings.
• If you selected an option requiring a pre-shared key (PSK), refer to WPA-PSK > WPA2-PSK Encryption Settings for information on the settings.
• If you selected an option using the extensible authentication protocol (EAP), refer to Radius Server and Radius Accounting for information on the settings.

WEP Encryption Settings

If you selected Both or Shared in Step 6 of the prior procedure, the section called WEP Encryption Settings appears. WEP settings are commonly shared by virtual access points within a common physical access point.

To set the encryption settings:
1 In the Encryption Key field, select Key 1, Key 2, Key 3 or Key 4 from the drop-down list.
2 Go to Radius Server and Radius Accounting to set up the RADIUS settings, if you kept Remote MAC Access Control enabled.

WPA-PSK > WPA2-PSK Encryption Settings

If you selected an option in Step 6 that requires a pre-shared key (WPA2-PSK or WPA2-AUTO-PSK), the section called WPA/WPA2-PSK Encryption Settings appears. When these settings are defined, a pre-shared key is used for authentication.

To set the encryption settings:
1 Input a password in the Pass Phrase field.
2 Go to Radius Server and Radius Accounting to set up the RADIUS settings, if you kept Remote MAC Access Control enabled.

Radius Server and Radius Accounting

You can set up a RADIUS server for any of the options selected in Step 6. When these settings are defined, an external 802.1x/EAP capable RADIUS server is used for key generation and authentication. Input values in the following fields.

To set the Radius Server Settings:

| Field Name | Description |
|---|---|
| Radius Server Retries | Enter the number of times a user can try to authenticate before access is denied. The default is 4. |
| Retry Interval (seconds) | Enter the time period during which retries are valid. The default is 0. |
| RADIUS Server 1 | Input the name/location of the RADIUS authentication server. |
| Port | Input the port on which your primary RADIUS authentication server communicates with clients and network devices. |
| RADIUS Server 1 Secret | Enter the secret passcode for your primary RADIUS authentication server. |
| RADIUS Server 2 | Input the name/location of your backup RADIUS authentication server. |
| Port | Input the port on which your backup RADIUS authentication server communicates with clients and network devices. |
| RADIUS Server 2 Secret | Enter the secret passcode for your backup RADIUS authentication server. |

To set the Radius Accounting Server Settings:

| Field Name | Description |
|---|---|
| Server 1 IP | Enter the IP address for the first RADIUS server. |
| Port | Input the port on which your primary RADIUS accounting server communicates with clients and network devices. |
| Server 1 Secret | Enter the secret passcode for your primary RADIUS accounting server. |
| Server 2 IP | Enter the IP address for the backup RADIUS server. |
| Port | Input the port on which your backup RADIUS accounting server communicates with clients and network devices. |
| Server 2 Secret | Enter the secret passcode for your backup RADIUS accounting server. |
| NAS Identifier Type | Select the NAS Identifier Type from the drop-down menu. Options include: Not Included (default), Access Point Name and Access Point MAC Address. |
| NAS IP Addr | Input the NAS system IP address. |
| Group Key Interval | The time period, in seconds, for which a group key is valid and after which the group key is forced to be updated. The default is 86400 seconds (24 hours). |

ACL Enforcement

Each virtual access point can support an individual Access Control List (ACL) to provide more effective authentication control. The wireless ACL feature works in tandem with the wireless MAC Filter List currently available on SonicOS. Using the ACL Enforcement feature, users are able to enable or disable the MAC Filter List, set the Allow List, and set the Deny List. Each VAP can have its own MAC Filter List settings or use the global settings. When the global settings are enabled, the SonicWave, SonicPoint-N/SonicPoint NDR/SonicPoint Ni/Ne, the SonicPoint, or SonicPoint-N appliance uses these settings by default. In Virtual Access Point (VAP) mode, each VAP of this group shares the same MAC Filter List settings.

ACL Enforcement settings

| Option | Description |
|---|---|
| Enable MAC Filter List | Enforces access control by allowing or denying traffic from specific devices. By default, this option is not selected and all options in this section are dimmed and unavailable. |
| Use Global ACL Settings | Uses global ACL settings. NOTE: ACL support per virtual access point is only supported by SonicPoint-N. If one virtual access point is used by SonicPoint/SonicWave, global ACL configuration is applied by default. |
| Allow List | Select a MAC address group to automatically allow traffic from all devices with the MAC addresses listed in a particular group. Options: Create new MAC Address Object Group…; All MAC Addresses (NOTE: It is recommended that the Allow List be set to All MAC Addresses); Default SonicPoint ACL Allow Group; custom MAC Address Object Groups that you developed. |
| Deny List | Select a MAC address group from the drop-down menu to automatically deny traffic from all devices with MAC addresses in the group. NOTE: The Deny List is enforced before the Allow List. Options: Create new MAC Address Object Group…; No MAC Addresses; Default SonicPoint ACL Deny Group (NOTE: It is recommended that the Deny List be set to Default SonicPoint ACL Deny Group); custom MAC Address Object Groups that you developed. |

Remote MAC Address Access Control Settings

NOTE: This section is not displayed if WPA2-EAP/WPA2-AUTO-EAP is selected for Authentication Type.

Remote MAC Address Access Control settings

| Option | Description |
|---|---|
| Enable Remote MAC Access Control | Check the box to enforce radio wireless access control based on the MAC-based authentication policy in a remote RADIUS server. By default, this option is not selected. NOTE: If you selected an Authentication Type other than WPA2-EAP/WPA2-AUTO-EAP, selecting Enable Remote MAC Access Control displays the Radius Server Settings section. |

Virtual Access Points

The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual access points are configured from the Access Points > Virtual Access Point page. To configure an existing VAP, click the Edit icon for that virtual access point. To add a new VAP, click the ADD button.

Topics:
• General Panel
• Advanced Tab

General Panel

Set the following features on the General panel.

Virtual Access Point General Settings

| Feature | Description |
|---|---|
| Name | Create a friendly name for your VAP. |
| SSID | Enter an SSID name for the SonicPoints using this VAP. This name appears in wireless client lists when searching for available access points. |
| VLAN ID | When using platforms that support VLAN, you may optionally select a VLAN ID to associate this VAP with. Settings for this VAP will be inherited from the VLAN you select. |
| Enable Virtual Access Point | Enables this VAP. This option is selected by default. |
| Enable SSID Suppress | Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients. This option is not selected by default. |
| Enable Dynamic VLAN ID Assignment | Check to enable. Dynamic VLAN can only be enabled when the authentication type is set to EAP. |

Advanced Tab

Advanced settings allow you to configure authentication and encryption settings for a specific virtual access point. Choose a Profile Name to inherit these settings from a user-created profile. As the Advanced tab of the Add/Edit Virtual Access Point window is the same as the Add/Edit Virtual Access Point Profile window, see Virtual Access Points Profiles for complete authentication and encryption configuration information.

Virtual Access Point Groups

The Virtual Access Point Groups feature is available on SonicWall NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your access points. Virtual Access Point Groups are configured from the Connectivity | Access Points > Virtual Access Point page.

To add a virtual access point group:
1 Select the MANAGE view.
2 Under Connectivity, select Wireless > Virtual Access Point.
3 Select ADD if creating a new group, or select a Virtual Access Point Group and click the Edit icon if editing an existing group.
4 Enter the Virtual AP Group Name in the field provided.
5 Select the objects you want to add from the Available Virtual AP Objects list and click the Left Arrow to move them to the Member of Virtual AP Group list. Or, click ADD ALL to add all the objects to the group.
6 Select an object and use the Right Arrow or the REMOVE ALL button to remove objects from the group.
7 Click OK to save your settings.
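The ACL Enforcement section above fixes the evaluation order (the Deny List is enforced before the Allow List) and lets each VAP in a group either carry its own MAC Filter List or fall back to the firewall-wide list through Use Global ACL Settings. The following Python model (an added example, not SonicOS code; the group names and MAC addresses are constructed, and the rule that a device in neither list is rejected by a restrictive Allow List is this example's assumption) shows the resulting decision for a VAP group provisioned to one access point.

```python
"""Model of per-VAP ACL Enforcement as described above (added example, not
SonicOS code): global-or-own MAC Filter List settings, Deny List evaluated
before Allow List, 'All MAC Addresses' and 'No MAC Addresses' as the open defaults."""
from dataclasses import dataclass, field

ALL_MAC_ADDRESSES = "All MAC Addresses"   # allow group meaning "no restriction"
NO_MAC_ADDRESSES = "No MAC Addresses"     # deny group meaning "deny nobody"

# MAC Address Object Groups keyed by group name (constructed sample data).
MAC_GROUPS: dict[str, set[str]] = {
    "Printers": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "Default SonicPoint ACL Deny Group": {"de:ad:be:ef:00:01"},
    "Lost Laptops": {"00:11:22:aa:bb:02"},
}

@dataclass
class AclSettings:
    enable_mac_filter: bool = False      # unchecked by default: nothing is enforced
    allow_list: str = ALL_MAC_ADDRESSES  # the recommended Allow List setting
    deny_list: str = NO_MAC_ADDRESSES

@dataclass
class Vap:
    name: str
    use_global: bool = True              # Use Global ACL Settings
    own_acl: AclSettings = field(default_factory=AclSettings)

def in_group(mac: str, group_name: str) -> bool:
    return mac.lower() in MAC_GROUPS.get(group_name, set())

def client_allowed(vap: Vap, global_acl: AclSettings, mac: str) -> tuple[bool, str]:
    """Decide whether a client MAC may associate with the VAP, and say why."""
    acl = global_acl if vap.use_global else vap.own_acl
    if not acl.enable_mac_filter:
        return True, "MAC Filter List disabled"
    # The Deny List is enforced first, so a denied device never reaches the Allow List.
    if acl.deny_list != NO_MAC_ADDRESSES and in_group(mac, acl.deny_list):
        return False, f"in Deny List '{acl.deny_list}'"
    if acl.allow_list == ALL_MAC_ADDRESSES or in_group(mac, acl.allow_list):
        return True, f"permitted by Allow List '{acl.allow_list}'"
    # Assumption of this example: a restrictive Allow List rejects unlisted devices.
    return False, f"not in Allow List '{acl.allow_list}'"

# Global settings with the recommended Deny List; the guest VAP inherits them,
# while the legacy printer VAP carries its own restrictive list (constructed).
GLOBAL_ACL = AclSettings(enable_mac_filter=True, deny_list="Default SonicPoint ACL Deny Group")
VAP_GROUP = [
    Vap("Guest"),
    Vap("Printers", use_global=False,
        own_acl=AclSettings(enable_mac_filter=True, allow_list="Printers",
                            deny_list="Lost Laptops")),
]

if __name__ == "__main__":
    for vap in VAP_GROUP:
        for mac in ("00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "de:ad:be:ef:00:01"):
            allowed, reason = client_allowed(vap, GLOBAL_ACL, mac)
            print(f"{vap.name:8} {mac}  {'allow' if allowed else 'deny ':5}  {reason}")
```

Note that 00:11:22:aa:bb:02 is rejected on the printer VAP even though it is in the Allow List, because the Deny List is evaluated first.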