Applies to:

Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W.

Gen4 PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4 TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless.


Firmware: SonicOS Enhanced firmware (3.5 and above)
Service: Wireless, SonicPoint, Virtual Access Point (VAP)
 


Overview / Scenario:

You can use a Guest Access VAP for visiting clients to whom you wish to provide access only to untrusted (e.g. Internet) network resources. Guest users will be provided a simple, temporary username and password for access. More advanced configurations also offer more permanent guest accounts, verified through a back-end database.

Deployment Steps:

Step 1: Configuring a Zone
Step 2: Creating a Wireless LAN (WLAN) Interface
Step 3: Creating a VLAN Sub-Interface on the WLAN
Step 4: Configuring DHCP IP Ranges
Step 5: Creating a SonicPoint VAP Profile
Step 6: Creating the SonicPoint VAP

 


Procedure:

Step 1: Configuring a Zone

In this section you will create and configure a new wireless zone with guest login capabilities.

1. Log into the management interface of your SonicWALL UTM appliance.
2. In the left-hand menu, navigate to the Network > Zones page.
3. Click the Add... button to add a new zone.

General Settings Tab

1. In the General tab, enter a friendly name such as “VAP-Guest” in the Name field.
2. Select Wireless from the Security Type drop-down menu.
3. De-select the Allow Interface Trust checkbox to disallow communication between wireless guests.

Wireless Settings Tab

1. In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox.
2. Un-check all other options in this tab.
3. Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu. The default profile is SonicPoint. In this case, we selected a pre-created custom profile, SonicPoint-VAP. For more information on creating your own custom SonicPoint Provisioning Profile, see "Creating a SonicPoint Provisioning Profile".

Guest Services Tab

1. In the Guest Services tab, check the Enable Wireless Guest Services checkbox.

Note: In the following example, steps 2 through 7 are optional; they only represent a typical guest VAP configuration using wireless guest services. Steps 2 and 7, however, are recommended.

2. Check the Enable Dynamic Address Translation (DAT) checkbox to allow guest users full communication with addresses outside the local network.
3. Check the Custom Authentication Page checkbox and click the Configure button to configure a custom header and footer for your guest login page.



4. Click the OK button to save these changes.
5. Check the Post Authentication Page checkbox and enter a URL to redirect wireless guests to after login.
6. Check the Pass Networks checkbox to configure a website (such as your corporate site) that you wish to allow users to access without being logged in to guest services.
7. Enter the maximum number of guests this VAP will support in the Max Guests field.



8. Click the OK button to save these changes.

Your new Zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.


Step 2: Creating a Wireless LAN (WLAN) Interface

In this section you will configure one of your ports to act as a WLAN. If you already have a WLAN configured, skip this section.

1. In the Network > Interfaces page, click the Configure (Edit) icon corresponding to the interface you wish to use as a WLAN. The Interface Settings screen displays.
2. Select WLAN from the Zone drop-down list.
3. Enter the desired IP Address for this interface.
4. In the SonicPoint Limit drop-down menu, select a limit for the number of SonicPoints. This defines the total number of SonicPoints your WLAN interface will support.

Note: The maximum number of SonicPoints depends on how many are attached to your platform.

5. Click the OK button to save changes to this interface. Your WLAN interface now appears in the Interface Settings list.


Step 3: Creating a VLAN Sub-Interface on the WLAN

In this section you will create and configure a new VLAN sub-interface on your current WLAN. This VLAN will be linked to the Zone you created in the “Configuring a Zone” section.

1. In the Network > Interfaces page, click the Add Interface button.
2. In the Zone drop-down menu, select the Zone you created in “Configuring a Zone”. In this case, we have chosen VAP-Guest.

3. Enter a VLAN Tag for this interface. This number allows the SonicPoint(s) to identify which traffic belongs to the “VAP-Guest” VLAN. You should choose a number based on an organized scheme. In this case, we choose 200 as our tag for the VAP-Guest VLAN.

4. In the Parent Interface drop-down menu, select the interface that your SonicPoint(s) are physically connected to. In this case, we are using X2, which is our WLAN interface.
5. Enter the desired IP Address for this sub-interface.

6. Select a limit for the number of SonicPoints from the SonicPoint Limit drop-down menu. This defines the maximum number of SonicPoints this interface will support and allows for appropriate address space allocation to the SonicPoints.

7. Optionally, you may add a comment about this sub-interface in the Comment field.

8. Click the OK button to add this Sub-Interface. Your VLAN sub-interface now appears in the Interface Settings list.


Step 4: Configuring DHCP IP Ranges

Because the number of available DHCP leases varies by platform, the DHCP scope should be resized as each interface/sub-interface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. To view the maximum number of DHCP leases for your SonicWALL PRO series UTM appliance, refer to the “SonicOS: Maximum allowed DHCP leases for SonicWALL Security Appliances” article.

1. In the left-hand menu, navigate to the Network > DHCP Server page.
2. Locate the interface you just created; in our case this is the X2:V200 interface (virtual interface 200 on the physical X2 interface). Click the Configure (Edit) icon corresponding to the desired interface.

Note:  If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL. For more information on DHCP lease exhaustion, refer to the “SonicOS: Maximum allowed DHCP leases for SonicWALL Security Appliances” article.

3. Edit the Range Start and Range End fields to meet your deployment needs.

4. Click the OK button to save these changes. Your new DHCP lease scope now appears in the DHCP Server Lease Scopes list.
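
A pre-deployment sanity check for the values chosen in Steps 1, 3 and 4, shown as an added example (not SonicWALL code and not part of the original article). It checks that the planned guest scope fits the sub-interface subnet, covers Max Guests, and stays under the platform lease limit. The addresses, lease counts and the limit of 256 are constructed placeholders; take the real limit from the article referenced above.

```python
import ipaddress

def check_guest_scope(iface_ip, range_start, range_end, max_guests,
                      vlan_tag, other_leases, platform_lease_limit):
    """Return a list of problems found in a planned guest VLAN DHCP scope."""
    problems = []
    iface = ipaddress.ip_interface(iface_ip)   # sub-interface, e.g. X2:V200
    net = iface.network
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)

    if not 1 <= vlan_tag <= 4094:              # valid 802.1Q VLAN IDs
        problems.append("VLAN tag outside 1-4094")
    if start > end:
        problems.append("Range Start is above Range End")
        return problems
    first, last = net.network_address + 1, net.broadcast_address - 1
    if start not in net or end not in net or start < first or end > last:
        problems.append("range is not inside the usable hosts of %s" % net)
    if start <= iface.ip <= end:
        problems.append("range includes the sub-interface address %s" % iface.ip)
    leases = int(end) - int(start) + 1
    if leases < max_guests:                    # Max Guests from the zone's Guest Services tab
        problems.append("scope has %d leases but Max Guests is %d"
                        % (leases, max_guests))
    if leases + other_leases > platform_lease_limit:
        problems.append("total leases %d exceed platform limit %d"
                        % (leases + other_leases, platform_lease_limit))
    return problems

# Constructed plan: VLAN tag 200 on X2, 50 guests, 100 leases already used elsewhere.
GOOD_PLAN = dict(iface_ip="10.200.0.1/24", range_start="10.200.0.10",
                 range_end="10.200.0.59", max_guests=50, vlan_tag=200,
                 other_leases=100, platform_lease_limit=256)
# Constructed faulty plan: range starts on the interface address, is too small,
# and pushes the total past the (placeholder) platform limit.
BAD_PLAN = dict(GOOD_PLAN, range_start="10.200.0.1", range_end="10.200.0.20",
                other_leases=250)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = check_guest_scope(**plan)
        print(name, "plan:", issues if issues else "no problems found")
```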


Step 5: Creating a SonicPoint VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This section is optional, but will facilitate greater ease of use when configuring multiple VAPs.

1. In the left-hand menu, navigate to the SonicPoint > Virtual Access Point page.
2. Click the Add... button in the Virtual Access Point Profiles section.
3. Enter a Profile Name such as “Guest” for this VAP Profile. This profile name does not have to be the same as your VAP name.
4. Choose an Authentication Type. For unsecured guest access, we choose “Open”.

5. Click the OK button to create this VAP Profile.


Step 6: Creating the SonicPoint VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in the “Creating a VLAN Sub-Interface on the WLAN” section.

1. In the left-hand menu, navigate to the SonicPoint > Virtual Access Point page.
2. Click the Add... button in the Virtual Access Points section.
3. Enter a default name (SSID) for the VAP. In this case we chose VAP-Guest, the same name as the Zone to which it will be associated.
4. Select the VLAN ID you created in the "VLAN Sub-Interfaces" section from the drop-down list. In this case we chose 200, the VLAN ID of our VAP-Guest VLAN.
5. Check the Enable Virtual Access Point checkbox to enable this access point upon creation.

6. Click the Advanced Tab to edit encryption settings. If you created a VAP Profile in the previous section, select that profile from the Profile Name list. We created and chose a “Guest” profile, which uses Open as the authentication method.

7. Click the OK button to add this VAP. Your new VAP now appears in the Virtual Access Points list.

Now that you have successfully set up your Guest configuration, you can choose to add more custom VAPs, or to deploy this configuration to your SonicPoint(s) in the “Deploying VAPs to a SonicPoint” section.

Timesaver:  Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously to all of your SonicPoints by following the steps in the “Deploying VAPs to a SonicPoint” section below.

 

Step 7: Deploying VAPs to a SonicPoint

In the following section you will group and deploy your new VAPs, associating them with one or more SonicPoint Radios. Users will not be able to access your VAPs until you complete this process:

• Grouping Multiple VAPs
• Creating a SonicPoint Provisioning Profile

Grouping Multiple VAPs

In this section, you will group multiple VAPs into a single group to be associated with your SonicPoint(s).

1. In the left-hand menu, navigate to the SonicPoint > Virtual Access Point page.
2. Click the Add Group... button in the Virtual Access Point Group section.
3. Enter a Virtual AP Group Name.
4. Select the desired VAPs from the list and click the -> button to add them to the group. Optionally, click the Add All button to add all VAPs to a single group.

5. Press the OK button to save changes and create the group.

Creating a SonicPoint Provisioning Profile

In this section, you will associate the group you created in the “Grouping Multiple VAPs” section with a SonicPoint by creating a provisioning profile. This profile will allow you to provision settings from a group of VAPs to all of your SonicPoints.

1. In the left-hand menu, navigate to the SonicPoint > SonicPoints page.
2. Click the Add button in the SonicPoint Provisioning Profiles section.
3. Click the Enable SonicPoint checkbox to enable this profile.
4. In the Name Prefix field, enter a name for this profile.
5. Select a Country Code from the drop-down list.
6. From the 802.11 Radio Virtual AP Group pull-down list, select the group you created in the “Grouping Multiple VAPs” section.

7. To set up 802.11g WEP or 802.11a WEP/WPA encryption, or to enable MAC address filtering, use the 802.11g and 802.11a tabs. If any of your VAPs use encryption, you must configure these settings before your SonicPoint VAPs will function.

Note: If any of the VAPs in your VAP Group use WEP, the WEP settings must be defined on the SonicPoint Profile (or the individual SonicPoint) prior to the assignment of that VAP Group to the target. For example, if you configure a VAP within the group to use WEP Key 1, you must configure WEP Key 1 on the target SonicPoint Profile or SonicPoint prior to VAP Group assignation.

8. Click the OK button to save changes and create this SonicPoint Provisioning Profile.

9. Click the Synchronize SonicPoints button at the top of the screen to apply your provisioning profile to available SonicPoints.

Your SonicPoint may take a moment to reboot before changes take place. After this process is complete, all of your VAP profiles will be available to wireless users through this SonicPoint.

Associating a VAP Group with your SonicPoint

If you did not create a SonicPoint Provisioning Profile, you can provision your SonicPoint(s) manually. You may want to use this method if you have only one SonicPoint to provision. This section is not necessary if you have created and provisioned your SonicPoints using a SonicPoint Profile.

1. In the left-hand menu, navigate to the SonicPoint > SonicPoints page.
2. Click the Configure button next to the SonicPoint you wish to associate your Virtual APs with.
3. In the Virtual Access Point Settings section, select the VAP group you created in Grouping Multiple VAPs from the 802.11g (or 802.11a) Radio Virtual AP Group drop-down list. In this case, we choose VAP as our Virtual AP Group.

4. Click the OK button to associate this VAP Group with your SonicPoint.
5. Click the Synchronize SonicPoints button at the top of the screen to apply your provisioning profile to available SonicPoints.

Your SonicPoint may take a moment to reboot before changes take place. After this process is complete, all of your VAP profiles will be available to wireless users through this SonicPoint.

Note: If you are setting up guest services for the first time, be sure to make necessary configurations in the Users > Guest Services pages. For more information on configuring guest services, refer to the SonicOS Enhanced Administrator’s Guide.

Source: SonicOS Enhanced 4.0: Virtual Access Points