Configuring Virtual Access Points

NOTE: Virtual access points are supported when using wireless access points along with
SonicWall NSA appliances.
A Virtual Access Point (VAP) is a multiplexed representation of a single physical access point—it presents itself as multiple discrete access points. To
wireless LAN clients, each virtual access point appears to be an independent physical access point, when actually only one physical access point exists.
VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of
these custom configurations acts as a separate (virtual) access point and can be grouped and enforced on a single internal wireless radio.
The SonicWall VAP feature is in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique
Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This segments the wireless network services within a single radio frequency
footprint on a single physical access point.
VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of
these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical access points
simultaneously.
Topics:
• Before Configuring VAPs
• Access Point VAP Configuration Task List
• Virtual Access Points Profiles
• Virtual Access Points
• Virtual Access Point Groups
Virtual Access Point Configuration
VAPs afford the following benefits:
• Each VAP can have its own security services settings (for example, GAV, IPS, CFS, etc.).
• Traffic from each VAP can be easily controlled using access rules configured from the zone level.
• Separate Guest Services or Lightweight Hotspot Messaging (LHM) configurations can be applied to each, facilitating the presentation of multiple
guest service providers with a common set of access points.
• Bandwidth management and other access rule-based controls can easily be applied.
Before Configuring VAPs
Before configuring your virtual access points, you need to have an understanding of what your options are and what you can do.
Topics:
• Determining Your VAP Needs
• Determining Security Configurations
• Sample Network Definitions
• Prerequisites
• VAP Configuration Worksheet
Determining Your VAP Needs
When deciding how to configure your VAPs, begin by considering your communication needs, particularly:
• How many different classes of wireless users do I need to support?
• How do I want to secure these different classes of wireless users?
• Do my wireless clients have the required hardware and drivers to support the chosen security settings?
• What network resources do my wireless users need to communicate with?
• Do any of these wireless users need to communicate with other wireless users?
• What security services do I wish to apply to each of these classes of wireless users?
Determining Security Configurations
After understanding your security requirements, you can then define the zones (and interfaces) and VAPs that provide the most effective wireless services
to these users. The following are examples of ways you can define certain types of users.
• Corp Wireless – Highly trusted wireless zone. Employs WPA2-AUTO-EAP security. WiFiSec (WPA) Enforced.
• WEP & PSK – Moderate trust wireless zone. Comprises two virtual APs and subinterfaces, one for legacy WEP devices (for example, wireless
printers, older handheld devices) and one for visiting clients who will use WPA-PSK security.
• Guest Services – Using the internal Guest Services user database.
• LHM – Lightweight Hotspot Messaging enabled zone, configured to use an external LHM authentication back-end server.
Sample Network Definitions
The following list shows one possible way you can configure your virtual access points to ensure proper access:
• VAP #1, Corporate Wireless Users – A set of users who are commonly in the office, and who should be given full access to all network
resources, provided that the connection is authenticated and secure. These users already belong to the network’s Directory Service, Microsoft
Active Directory, which provides an EAP interface through IAS – Internet Authentication Services.
• VAP #2, Legacy Wireless Devices – A collection of older wireless devices, such as printers, PDAs and handheld devices, that are only capable
of WEP encryption.
• VAP #3, Visiting Partners – Business partners, clients, and affiliates who frequently visit the office, and who need access to a limited set of trusted
network resources, as well as the Internet. These users are not located in the company’s Directory Services.
• VAP #4, Guest Users – Visiting clients to whom you wish to provide access only to untrusted (for example, Internet) network resources. Some
guest users will be provided a simple, temporary username and password for access.
• VAP #5, Frequent Guest Users – Same as Guest Users; however, these users will have more permanent guest accounts through a back-end
database.
Prerequisites
Before configuring your virtual access points, be aware of the following:
• Each SonicWall access point must be explicitly enabled for virtual access point support. To verify, navigate to Connectivity | Access Points > Base
Settings, click the Edit icon for the SonicPoint/SonicWave Provisioning Profile, and under General Settings select the Enable SonicPoint checkbox
and enable either Radio A or Radio G.
• Access points must be linked to a WLAN zone on your SonicWall network security appliance to provision the access points.
• When using VAPs with VLANs, you must ensure that the physical access point discovery and provisioning packets remain untagged (unless being
terminated natively into a VLAN subinterface on the firewall).
• You must also ensure that VAP packets that are VLAN tagged by the access point are delivered unaltered (neither un-encapsulated nor
double-encapsulated) by any intermediate equipment, such as a VLAN-capable switch, on the network.
• Be aware that maximum access point restrictions apply and differ based on your SonicWall security appliance.
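The two VLAN prerequisites above (discovery and provisioning frames must stay untagged; frames the access point tags for a VAP must arrive with exactly one tag) can be verified from a packet capture taken on the firewall side of the switch. The following checker is an added example, not part of the SonicWall documentation or of SonicOS; it parses the 802.1Q tag stack of a raw Ethernet frame and reports whether a tag was stripped, doubled or rewritten in transit. The MAC addresses and VLAN IDs in the sample frames are constructed.

```python
import struct
from typing import List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100    # customer 802.1Q tag
ETHERTYPE_8021AD = 0x88A8   # service tag used as the outer tag in QinQ (double encapsulation)
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD, 0x9100}  # 0x9100: legacy QinQ outer tag


def parse_vlan_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame.

    vlan_ids lists every VLAN tag after the MAC header, outermost first;
    an empty list means the frame is untagged.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12          # skip destination and source MAC addresses
    vlan_ids: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_ETHERTYPES:
            return vlan_ids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI carry the VLAN ID
        offset += 4


def check_vap_frame(frame: bytes, expected_vlan: Optional[int]) -> Tuple[bool, str]:
    """Classify a captured frame against the VAP/VLAN prerequisites.

    expected_vlan is None for access point discovery/provisioning traffic,
    which must arrive untagged; otherwise it is the VLAN ID of the VAP, and the
    frame must carry exactly one tag with that ID (not stripped, not doubled).
    """
    vlan_ids, _ = parse_vlan_tags(frame)
    if expected_vlan is None:
        if vlan_ids:
            return False, f"provisioning traffic unexpectedly tagged: {vlan_ids}"
        return True, "untagged"
    if not vlan_ids:
        return False, "tag stripped (un-encapsulated)"
    if len(vlan_ids) > 1:
        return False, f"double-encapsulated: {vlan_ids}"
    if vlan_ids[0] != expected_vlan:
        return False, f"tag rewritten to VLAN {vlan_ids[0]}"
    return True, f"single tag, VLAN {vlan_ids[0]}"


def build_frame(vlan_ids: List[int], payload_ethertype: int = 0x0800) -> bytes:
    """Build a constructed sample frame with the given tag stack (not a real capture)."""
    dst = bytes.fromhex("001122334455")   # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        # QinQ uses an 0x88A8 outer tag followed by the 0x8100 customer tag
        tpid = ETHERTYPE_8021AD if (len(vlan_ids) > 1 and i == 0) else ETHERTYPE_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return dst + src + tags + struct.pack("!H", payload_ethertype) + b"\x00" * 46
```

Feed real frames from a capture (for example, the raw bytes of each packet) to check_vap_frame with the VLAN ID configured on the VAP to confirm the switch path is transparent.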
VAP Configuration Worksheet
The VAP Configuration Worksheet provides some common VAP setup questions and solutions along with a space for you to record your own
configurations.
VAP Configuration Worksheet

Question: How many different types of users will I need to support?
Example: Corporate wireless, guest access, visiting partners, and wireless devices are all common user types, each requiring their own VAP.
Solution: Plan out the number of different VAPs needed. Configure a zone and VLAN for each VAP needed.
Your Configurations:

Question: How many users will each VAP need to support?
Example: A corporate campus has 100 employees, all of whom have wireless capabilities.
Solution: The DHCP scope for the visitor zone is set to provide at least 100 addresses.
Example: A corporate campus often has a few dozen wireless capable visitors.
Solution: The DHCP scope for the visitor zone is set to provide at least 25 addresses.
Your Configurations:

Question: How do I want to secure different wireless users?
Example: A corporate user who has access to corporate LAN resources.
Solution: Configure WPA2-EAP.
Example: A guest user who is restricted to only Internet access.
Solution: Enable Guest Services but configure no security settings.
Example: A legacy wireless printer on the corporate LAN.
Solution: Configure WEP and enable MAC address filtering.
Your Configurations:

Question: What network resources do my users need to communicate with?
Example: A corporate user who needs access to the corporate LAN and all internal LAN resources, including other WLAN users.
Solution: Enable Interface Trust on your corporate zone.
Example: A wireless guest who needs to access the Internet and should not be allowed to communicate with other WLAN users.
Solution: Disable Interface Trust on your guest zone.
Your Configurations:

Question: What security services do I wish to apply to my users?
Example: Corporate users who you want protected by the full SonicWall security suite.
Solution: Enable all SonicWall security services.
Example: Guest users who you do not give a hoot about since they are not even on your LAN.
Solution: Disable all SonicWall security services.
Your Configurations:
Access Point VAP Configuration Task List
An access point VAP deployment requires several steps to configure. The following section provides a brief overview of the steps involved.
1 Network Zone - The zone is the backbone of your VAP configuration. Each zone you create has its own security and access control settings and
you can create and apply multiple zones to a single physical interface by way of VLAN subinterfaces. For more information on network zones, refer
to the section on Manage | Network > Zones in SonicWall SonicOS 6.5 System Setup.
2 Interface (or VLAN Subinterface) - The Interface (X2, X3, etc...) represents the physical connection between your SonicWall network security
appliance and your physical access points. Your individual zone settings are applied to these interfaces and then forwarded to your access points.
For more information on wireless interfaces, refer to the section on Manage | Network > Interfaces in SonicWall SonicOS 6.5 System Setup.
3 DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as scopes. The default ranges for DHCP
scopes are often excessive for the needs of most access points, for instance, a scope of 200 addresses for an interface that only uses 30. Because
of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted. For more information on setting up the
DHCP server, refer to the section on Manage | Network > DHCP Server in SonicWall SonicOS 6.5 System Setup.
4 Virtual Access Point Profiles - The Virtual Access Point Profile feature allows for creation of access point configuration profiles which can be
easily applied to new virtual access points as needed. Refer to Virtual Access Points Profiles for more information.
5 Virtual Access Point Objects - The Virtual Access Point Objects feature allows for setup of general VAP settings. SSID and VLAN ID are
configured through VAP Settings. Refer to Virtual Access Points for more information.
6 Virtual Access Point Groups - The Virtual Access Point Groups feature allows grouping of multiple virtual access point objects to be
simultaneously applied to your access points.
7 Assign Virtual Access Point Group to Access Point Provisioning Profile Radio - The Provisioning Profile allows a VAP Group to be applied to new
access points as they are provisioned.
8 Assign WEP Key (for WEP encryption only) - The Assign WEP Key allows for a WEP Encryption Key to be applied to new access points as
they are provisioned. WEP keys are configured per-access point, meaning that any WEP-enabled virtual access points assigned to a physical access
point must use the same set of WEP keys. Up to 4 keys can be defined, and WEP-enabled VAPs can use these 4 keys independently. WEP keys
are configured on individual physical access points or on Access Point Profiles from the Configuration | Access Points > Base Settings page.
Virtual Access Points Profiles
A Virtual Access Point Profile allows you to pre-configure and save access point settings in a profile. Virtual Access Point Profiles allow settings to be
easily applied to new virtual access points. Virtual Access Point Profiles are configured from the Virtual Access Point Profiles section of the Connectivity |
Access Points > Virtual Access Point page.
To configure an existing VAP profile, click the Edit icon for that profile. To add a new VAP profile, click the ADD button.
NOTE: Options displayed change depending on your selection of other options.
Topics:
• Virtual Access Point Schedule Settings
• Virtual Access Point Profile Settings
• ACL Enforcement
• Remote MAC Address Access Control Settings
Virtual Access Point Schedule Settings
Each Virtual Access Point can have its own schedule associated with it and by extension each profile can have a set schedule defined for it as well.
To associate a schedule with a Virtual Access Point Profile:
1 Select the MANAGE view.
2 Under Connectivity, select Access Points > Virtual Access Point.
3 Select ADD if creating a new profile, or select a Virtual Access Point Profile and click on the Edit icon if editing an existing profile.
4 In the VAP Schedule Name field, select the schedule you want from the options in the drop-down menu.
Virtual Access Point Profile Settings
To set the Virtual Access Point Profile settings:
1 Select the MANAGE view.
2 Under Connectivity, select Wireless > Virtual Access Point.
3 Select ADD if creating a new profile, or select a Virtual Access Point Profile and click on the Edit icon if editing an existing profile.
4 Set the Radio Type. It is set to SonicPoint/SonicWave by default if using the access points as virtual access points (currently the only supported
radio type).
5 In the Profile Name field, type a friendly name for this Virtual Access Point Profile. Choose something descriptive and easy to remember as you
apply this profile to new VAPs.
6 Select the Authentication Type from the drop-down list. Choose from these options:
Authentication Type: Definition
Open: No authentication is specified; unsecured access.
Shared: A shared key is used to authenticate and ensure basic security.
Both: Unsecured, shared access.
WPA2-PSK: Best security used with trusted corporate wireless clients. Transparent authentication with Windows login. Supports fast-roaming feature. Uses pre-shared key for authentication.
WPA2-EAP: Best security used with trusted corporate wireless clients. Transparent authentication with Windows login. Supports fast-roaming feature. Uses extensible authentication protocol.
WPA2-AUTO-PSK: Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection defaults to WPA. Uses pre-shared key for authentication.
WPA2-AUTO-EAP: Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection defaults to WPA. Uses extensible authentication protocol.
The Unicast Cipher field is auto-populated based on what authentication type you selected.
NOTE: Different settings appear on the page depending upon which option you select.
Depending on the Authentication Type selected, an additional section with options is added to the Add/Edit Virtual Access Point Profile page.
• If you selected Open, refer to Radius Server and Radius Accounting for information on the RADIUS settings.
• If you selected Both or Shared, refer to WEP Encryption Settings for information on the settings.
• If you selected an option requiring a pre-shared key (PSK), refer to WPA-PSK > WPA2-PSK Encryption Settings for information on the settings.
• If you selected an option using the extensible authentication protocol (EAP), refer to Radius Server and Radius Accounting for information on the
settings.
WEP Encryption Settings
If you selected Both or Shared in Step 6 of the prior procedure, the section called WEP Encryption Settings appears. WEP settings are commonly shared
by virtual access points within a common physical access point.
To set the encryption settings:
1 In the Encryption Key field, select Key 1, Key 2, Key 3 or Key 4 from the drop-down list.
2 Go to Radius Server and Radius Accounting to set up the RADIUS settings, if you kept Remote MAC Access Control enabled.
WPA-PSK > WPA2-PSK Encryption Settings
If you selected an option in Step 6 that requires a pre-shared key—WPA2-PSK or WPA2-AUTO-PSK—the section called WPA/WPA2-PSK
Encryption Settings appears. When these settings are defined, a preshared key is used for authentication.
To set the encryption settings:
1 Input a password in the Pass Phrase field.
2 Go to Radius Server and Radius Accounting to set up the RADIUS settings, if you kept Remote MAC Access Control enabled.
Radius Server and Radius Accounting
You can set up a RADIUS server for any of the options selected in Step 6. When these settings are defined, an external 802.1x/EAP capable RADIUS
server is used for key generation and authentication. Input values in the following fields:
To set the Radius Server Settings:
Field Name: Description
Radius Server Retries: Enter the number of times a user can try to authenticate before access is denied. The default is 4.
Retry Interval (seconds): Enter the time period during which retries are valid. The default is 0.
RADIUS Server 1: Input the name/location of the RADIUS authentication server.
Port: Input the port on which your primary RADIUS authentication server communicates with clients and network devices.
RADIUS Server 1 Secret: Enter the secret passcode for your primary RADIUS authentication server.
RADIUS Server 2: Input the name/location of your backup RADIUS authentication server.
Port: Input the port on which your backup RADIUS authentication server communicates with clients and network devices.
RADIUS Server 2 Secret: Enter the secret passcode for your backup RADIUS authentication server.
To set the Radius Accounting Server Settings:
Field Name: Description
Server 1 IP: Enter the IP address for the first RADIUS server.
Port: Input the port on which your primary RADIUS accounting server communicates with clients and network devices.
Server 1 Secret: Enter the secret passcode for your primary RADIUS accounting server.
Server 2 IP: Enter the IP address for the backup RADIUS server.
Port: Input the port on which your backup RADIUS accounting server communicates with clients and network devices.
Server 2 Secret: Enter the secret passcode for your backup RADIUS accounting server.
NAS Identifier Type: Select the NAS Identifier Type from the drop-down menu. Options include: Not Included (default), Access Point Name and Access Point MAC Address.
NAS IP Addr: Input the NAS system IP address.
Group Key Interval: The time period, in seconds, for which a group key is valid and after which the group key is forced to be updated. The default is 86400 seconds (24 hours).
ACL Enforcement
Each virtual access point can support an individual Access Control List (ACL) to provide more effective authentication control. The wireless ACL feature
works in tandem with the wireless MAC Filter List currently available on SonicOS. Using the ACL Enforcement feature, users are able to enable or
disable the MAC Filter List, set the Allow List, and set the Deny list.
Each VAP can have its own MAC Filter List settings or use the global settings. When the global settings are enabled, the SonicWave, SonicPoint-N/
SonicPointNDR/SonicPoint Ni/Ne, SonicPoint, or SonicPoint-N appliance uses these settings by default. In Virtual Access Point (VAP) mode, each
VAP of this group shares the same MAC Filter List settings.
ACL Enforcement settings
Option: Description
Enable MAC Filter List: Enforces Access Control by allowing or denying traffic from specific devices. By default, this option is not selected and all options in this section are dimmed and unavailable.
Use Global ACL Settings: Uses global ACL settings. NOTE: ACL support per virtual access point is only supported by SonicPointN. If one virtual access point is used by SonicPoint/SonicWave, global ACL configuration is applied by default.
Allow List: Select a MAC address group to automatically allow traffic from all devices with the MAC addresses listed in a particular group:
• Create new Mac Address Object Group…
• All MAC Addresses
• Default SonicPoint ACL Allow Group
• Custom MAC Address Object Groups that you developed
NOTE: It is recommended that the Allow List be set to All MAC Addresses.
Deny List: Select a MAC address group from the drop-down menu to automatically deny traffic from all devices with MAC addresses in the group. NOTE: The Deny List is enforced before the Allow List.
• Create new Mac Address Object Group…
• No MAC Addresses
• Default SonicPoint ACL Deny Group
• Custom MAC Address Object Groups that you developed
NOTE: It is recommended that the Deny List be set to Default SonicPoint ACL Deny Group.
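The evaluation order described above (filtering disabled passes everything; the Deny List is enforced before the Allow List; a VAP either inherits the global ACL settings or carries its own, and on hardware without per-VAP ACL support the global configuration applies regardless) can be written down as a small decision routine, which is useful for predicting what a given client will experience before changing a live profile. The following is an added example and not SonicOS code; the group names mirror the drop-down choices on the page, while the MAC addresses, the sample groups and the per_vap_acl_supported flag (standing in for the SonicPointN-only support note) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Sentinel group names matching the Allow List / Deny List drop-down choices on the page
ALL_MAC_ADDRESSES = "All MAC Addresses"
NO_MAC_ADDRESSES = "No MAC Addresses"
DEFAULT_DENY_GROUP = "Default SonicPoint ACL Deny Group"


@dataclass
class AclSettings:
    """One ACL Enforcement section (either the global one or a VAP's own)."""
    enable_mac_filter_list: bool = False
    allow_list: str = ALL_MAC_ADDRESSES
    deny_list: str = NO_MAC_ADDRESSES


@dataclass
class VapAcl:
    """A VAP either uses the global ACL settings or carries its own."""
    use_global_acl_settings: bool = True
    local: Optional[AclSettings] = None


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def resolve_group(name: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Expand a MAC Address Object Group name into its member addresses."""
    return {normalize_mac(m) for m in groups.get(name, set())}


def effective_settings(vap: VapAcl, global_settings: AclSettings,
                       per_vap_acl_supported: bool = True) -> AclSettings:
    """Per-VAP ACLs only apply on hardware that supports them (assumption: a flag
    standing in for the SonicPointN note); otherwise, or when Use Global ACL
    Settings is checked, the global ACL configuration is applied."""
    if not per_vap_acl_supported or vap.use_global_acl_settings or vap.local is None:
        return global_settings
    return vap.local


def is_client_allowed(mac: str, vap: VapAcl, global_settings: AclSettings,
                      groups: Dict[str, Set[str]],
                      per_vap_acl_supported: bool = True) -> Tuple[bool, str]:
    """Evaluate the MAC Filter List for one client.

    Filtering disabled -> every client passes. Otherwise the Deny List is
    enforced before the Allow List, so a MAC present in both is rejected.
    """
    s = effective_settings(vap, global_settings, per_vap_acl_supported)
    if not s.enable_mac_filter_list:
        return True, "MAC Filter List disabled"
    mac = normalize_mac(mac)
    if s.deny_list != NO_MAC_ADDRESSES and mac in resolve_group(s.deny_list, groups):
        return False, f"denied by {s.deny_list}"
    if s.allow_list == ALL_MAC_ADDRESSES:
        return True, "allowed: Allow List is All MAC Addresses"
    if mac in resolve_group(s.allow_list, groups):
        return True, f"allowed by {s.allow_list}"
    return False, f"not in Allow List {s.allow_list}"


# Constructed sample groups (not real device addresses)
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    DEFAULT_DENY_GROUP: {"AA:BB:CC:00:00:01"},
    "Legacy Printers": {"00:11:22:33:44:55", "AA:BB:CC:00:00:01"},
}
# The page's recommended global settings: Allow List = All MAC Addresses, Deny List = default deny group
GLOBAL_ACL = AclSettings(enable_mac_filter_list=True,
                         allow_list=ALL_MAC_ADDRESSES, deny_list=DEFAULT_DENY_GROUP)
```

A VAP restricted to a custom allow group (for example, the legacy printer VAP from the worksheet) still rejects any member that also sits in the deny group, because the deny check runs first.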
Remote MAC Address Access Control Settings
NOTE: This section is not displayed if WPA2-EAP/WPA2-AUTO-EAP is selected for
Authentication Type.
Remote MAC Address Access Control settings
Option: Description
Enable Remote MAC Access Control: Check the box to enforce radio wireless access control based on a MAC-based authentication policy in a remote Radius server. By default, this option is not selected. NOTE: If you selected other than WPA2-EAP/WPA2-AUTO-EAP for Authentication Type, selecting Enable Remote MAC Access Control displays the Radius Server Settings section.
Virtual Access Points
The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual access points are
configured from the Access Point > Virtual Access Point page.
To configure an existing VAP, click the Edit icon for that virtual access point. To add a new VAP, click the ADD button.
Topics:
• General Panel
• Advanced Tab
General Panel
Set the following features on the General panel.
Virtual Access Point General Settings
Feature: Description
Name: Create a friendly name for your VAP.
SSID: Enter an SSID name for the SonicPoints using this VAP. This name appears in wireless client lists when searching for available access points.
VLAN ID: When using platforms that support VLAN, you may optionally select a VLAN ID to associate this VAP with. Settings for this VAP will be inherited from the VLAN you select.
Enable Virtual Access Point: Enables this VAP. This option is selected by default.
Enable SSID Suppress: Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients. This option is not selected by default.
Enable Dynamic VLAN ID Assignment: Check to enable. Dynamic VLAN can only be enabled when the authentication type is set to EAP.
Advanced Tab
Advanced settings allow you to configure authentication and encryption settings for a specific virtual access point. Choose a Profile Name to inherit these
settings from a user-created profile. As the Advanced tab of the Add/Edit Virtual Access Point window is the same as that of the Add/Edit Virtual Access Point
Profile window, see Virtual Access Points Profiles for complete authentication and encryption configuration information.
Virtual Access Point Groups
The Virtual Access Point Groups feature is available on SonicWall NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously
applied to your access points. Virtual Access Point Groups are configured from the Connectivity | Access Points > Virtual Access Point page.
To add a virtual access point group:
1 Select the MANAGE view.
2 Under Connectivity, select Wireless > Virtual Access Point.
3 Select ADD if creating a new profile, or select a Virtual Access Point Profile and click on the Edit icon if editing an existing profile.
4 Enter the Virtual AP Group Name in the field provided.
5 Select the objects you want to add from the Available Virtual AP Objects list and click the Left Arrow to move them to the Member of Virtual AP
Group list. Or, click ADD ALL to add all the objects to the group.
6 Select an object and use the Right Arrow or the REMOVE ALL button to remove objects from the group.
7 Click OK to save your settings.