Configuring a Virtual Access Point (VAP) Profile for SonicWall Access Points

Description

Configuring a Virtual Access Point (VAP) Profile for Wireless Corporate Users using SonicWall access points.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

You can use a Corporate LAN VAP for a set of users who are commonly in the office and who should be given full access to all network resources, provided that the connection is authenticated and secure. These users would already belong to the network's Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS (Internet Authentication Services).

Configuring a Zone

In this section you will create and configure a new corporate wireless zone with SonicWall UTM security services and enhanced WiFiSec/WPA2 wireless security.

  1. Log into the management interface of your SonicWall UTM appliance.
  2. In the left-hand menu, navigate to the OBJECT | Match Objects | Zones page.
  3. Click the Add Zone button to add a new zone.

General Settings Tab

  1. In the General tab, enter a friendly name such as 'VAP-Corporate' in the Name field.
  2. Select Wireless from the Security Type drop-down menu.
  3. Select the Allow Interface Trust checkbox to allow communication between wireless guests.
  4. Select checkboxes for all of the security services you would normally apply to wired corporate LAN users.
  5. Press the OK button to save changes and create the group.

Wireless Settings Tab

  1. In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox. If you are using a third-party access point, make sure to disable this option to allow the traffic flow.
  2. Select the Auto Provisioning SonicPoint N/Ni/Ne Provisioning Profile option and also select the SonicPoint N/Ni/Ne Provisioning Profile; the same can be used for all the SonicPoint and SonicWave profiles.
  3. Select the Prefer SonicPoint/SonicWave 2.4GHz Auto Channel Selection to be 1, 6 and 11 only option for the channel configuration in the 2.4 GHz radio band.
  4. We can also enforce SonicWave license activation by enabling the option Enforce SonicWave license activation from secure trusted license manager.
  5. Management over the SonicPoint/SonicWave can be enabled or disabled through the Disable SonicPoint/SonicWave management option.
  6. We can also configure the Guest Services settings and RADIUS Server settings under the same zone.
  7. Click the OK button to save these changes.
    Your new Zone now appears at the bottom of the OBJECT | Match Objects | Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

Creating a VLAN Sub-Interface on the WLAN

In this section you will create and configure a new VLAN sub-interface on your current WLAN. This VLAN will be linked to the Zone you created in the Configuring a Zone section.

  1. In the Network | System | Interfaces page, click the Add Interface button and select Virtual Interface on the firewall.
  2. In the Zone drop-down menu, select the Zone you created in Configuring a Zone. In this case, we have chosen VAP-Corporate.
  3. Enter a VLAN Tag for this interface. This number allows the SonicWall access points to identify which traffic belongs to the 'VAP-Corporate' VLAN. You should choose a number based on an organized scheme. In this case, we choose 50 as our tag for the VAP-Corporate VLAN.
  4. In the Parent Interface drop-down menu, select the interface that your SonicWall access points are physically connected to. In this case, we are using X2, which is our WLAN interface.
  5. Enter the desired IP Address for this sub-interface.
  6. Select a limit for the number of SonicWall access points from the drop-down menu. This defines the maximum number of SonicWall access points this interface will support and allows for appropriate address space allocation.
  7. Optionally, you may add a comment about this sub-interface in the Comment field.
  8. Click the OK button to add this Sub-Interface. Your VLAN sub-interface now appears in the Interface Settings list.

Configuring DHCP IP Ranges

Because the number of available DHCP leases varies based on your platform, the DHCP scope should be resized as each interface/sub-interface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces.

  1. In the left-hand menu, navigate to the Network | System | DHCP Server page.
  2. Click on DHCP Server Lease Scopes to add the DHCP server.
  3. Locate the interface you just created; in our case this is the X2:V50 interface (virtual interface 50 on the physical X2 interface). Click the Configure (Edit) icon corresponding to the desired interface.
  4. Click the OK button to save these changes. Your new DHCP lease scope now appears in the DHCP Server Lease Scopes list.

    NOTE: If the interface you created does not appear on the Network | DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWall.


Creating a SonicWall Access Point VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This section is optional, but will facilitate greater ease of use when configuring multiple VAPs.

  1. Navigate to Device | External Controllers | Access Points and click the Virtual Access Point page.
  2. Click the Add button in the Virtual Access Point Profiles section.
  3. Enter a Profile Name such as 'Corporate-WPA2' for this VAP Profile.
  4. Select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (Set below).
  5. In the Maximum Clients field, enter the maximum number of concurrent connections the VAP will support.
  6. In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. Wireless clients will communicate with this EAP-capable RADIUS server for credential-controlled access to the SonicWall access point, and for establishing shared key information for encrypted communication.
  7. Click the OK button to create this VAP Profile.


Creating the SonicWall Access Point VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in the 'Creating a VLAN Sub-Interface on the WLAN' section.

  1. In the left-hand menu, navigate to the Access Points | Virtual Access Point page.
  2. Click the Add button in the Virtual Access Points objects section.
  3. Enter a default name (SSID) for the VAP. In this case we chose VAP-Corporate, the same name as the Zone to which it will be associated.
  4. Select the VLAN ID you created in the "VLAN Sub-Interfaces" section from the drop-down list. In this case we chose 50, the VLAN ID of our VAP-Corporate VLAN.
  5. Check the Enable Virtual Access Point checkbox to enable this access point upon creation.
  6. Check the Enable SSID Suppress checkbox to hide this SSID from users.

Advanced Tab (Authentication Settings)

  1. Click the Advanced Tab to edit encryption settings. If you created a VAP Profile in the previous section, select that profile from the Profile Name list. We created and chose a 'Corporate-WPA2' profile, which uses WPA2-AUTO-EAP as the authentication method. If you have not set up a VAP Profile, continue with steps 2 through 4. Otherwise, continue to the Create More / Deploy Current VAPs section.
  2. In the Advanced tab, select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (Set below).
  3. In the Maximum Clients field, enter the maximum number of concurrent connections the VAP will support.
  4. In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the VLAN.
  5. Click the OK button to add this VAP. Your new VAP now appears in the Virtual Access Points list.

Deploying VAPs to SonicWall Access Points

In the following section you will group and deploy your new VAPs, associating them with one or more SonicWall access point radios. Users will not be able to access your VAPs until you complete this process:

Grouping Multiple VAPs

In this section, you will group multiple VAPs into a single group to be associated with your SonicWall access points.

  1. In the left-hand menu, navigate to the Access Points | Virtual Access Point page.
  2. Click the Add Group button in the Virtual Access Point Group section.
  3. Enter a Virtual AP Group Name.
  4. Select the desired VAPs from the list and add them to the group.
  5. Press the OK button to save changes and create the group.

Creating a Provisioning Profile

In this section, you will associate the group you created in the 'Grouping Multiple VAPs' section by creating a provisioning profile. This profile will allow you to provision settings from a group of VAPs to all of your SonicWall access points.

  1. In the left-hand menu, navigate to the Access Points | Settings page.
  2. Click the Add button in the Provisioning Profiles section.
  3. Click the Enable checkbox to enable this profile.
  4. In the Name Prefix field, enter a name for this profile.
  5. Select a Country Code from the drop-down list.
  6. From the 802.11 Radio Virtual AP Group pull-down list, select the group you recently created.
  7. To set up radio base settings, use the 802.11n Radio option under the Profile settings. If any of your VAPs use encryption, configure these settings before your SonicWall access point VAPs will function.

    Note: If any of the VAPs in your VAP Group use WEP, the WEP settings must be defined on the Profile (or the individual access point) prior to the assignment of that VAP Group to the target. For example, if you configure a VAP within the group to use WEP Key 1, you must configure WEP Key 1 on the target Profile or prior to VAP Group assignment.

  8. Click the OK button to save changes and create this Provisioning Profile.
  9. Click the Synchronize SonicPoints button at the top of the screen to apply your provisioning profile to available SonicWall access points.

    The SonicWall access point may take a moment to reboot before changes take place. After this process is complete, all of your VAP profiles will be available to wireless users.

    NOTE: If you are setting up guest services for the first time, be sure to make necessary configurations in the Users | Guest Services pages.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

You can use a Corporate LAN VAP for a set of users who are commonly in the office and who should be given full access to all network resources, provided that the connection is authenticated and secure. These users would already belong to the network's Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS (Internet Authentication Services).


Configuring a Zone

In this section you will create and configure a new corporate wireless zone with SonicWall UTM security services and enhanced WiFiSec/WPA2 wireless security.

1. Log into the management interface of your SonicWall UTM appliance.
2. In the left-hand menu, navigate to the Network | Zones page.
3. Click the Add... button to add a new zone.

General Settings Tab

1. In the General tab, enter a friendly name such as 'VAP-Corporate' in the Name field.
2. Select Wireless from the Security Type drop-down menu.
3. Select the Allow Interface Trust checkbox to allow communication between wireless guests.
4. Select checkboxes for all of the security services you would normally apply to wired corporate LAN users.

Wireless Settings Tab

1. In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox.
2. Select the checkbox for WiFiSec Enforcement to enable WiFiSec security on this connection.
3. Select Trust WPA/WPA2 traffic as WiFiSec to enable WPA/WPA2 users access to this connection.
4. Select a provisioning profile. You may also create and select a custom provisioning profile.

5. Click the OK button to save these changes.

Your new Zone now appears at the bottom of the Network | Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

Creating a VLAN Sub-Interface on the WLAN

In this section you will create and configure a new VLAN sub-interface on your current WLAN. This VLAN will be linked to the Zone you created in the Configuring a Zone section.

1. In the Network | Interfaces page, click the Add Interface button.
2. In the Zone drop-down menu, select the Zone you created in Configuring a Zone. In this case, we have chosen VAP-Corporate.
3. Enter a VLAN Tag for this interface. This number allows the SonicWall access points to identify which traffic belongs to the 'VAP-Corporate' VLAN. You should choose a number based on an organized scheme. In this case, we choose 50 as our tag for the VAP-Corporate VLAN.
4. In the Parent Interface drop-down menu, select the interface that your SonicWall access points are physically connected to. In this case, we are using X2, which is our WLAN interface.
5. Enter the desired IP Address for this sub-interface.
6. Select a limit for the number of SonicWall access points from the drop-down menu. This defines the maximum number of SonicWall access points this interface will support and allows for appropriate address space allocation.
7. Optionally, you may add a comment about this sub-interface in the Comment field.
8. Click the OK button to add this Sub-Interface. Your VLAN sub-interface now appears in the Interface Settings list.

Configuring DHCP IP Ranges

Because the number of available DHCP leases varies based on your platform, the DHCP scope should be resized as each interface/sub-interface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces.

1. In the left-hand menu, navigate to the Network | DHCP Server page.
2. Locate the interface you just created; in our case this is the X2:V50 interface (virtual interface 50 on the physical X2 interface). Click the Configure (Edit) icon corresponding to the desired interface.

Note: If the interface you created does not appear on the Network | DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWall.

3. Edit the Range Start and Range End fields to meet your deployment needs.
4. Click the OK button to save these changes. Your new DHCP lease scope now appears in the DHCP Server Lease Scopes list.

Creating a SonicWall Access Point VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This section is optional, but will facilitate greater ease of use when configuring multiple VAPs.

1. In the left-hand menu, navigate to the Access Points | Virtual Access Point page.
2. Click the Add... button in the Virtual Access Point Profiles section.
3. Enter a Profile Name such as 'Corporate-WPA2' for this VAP Profile.
4. Select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (Set below).
5. In the Maximum Clients field, enter the maximum number of concurrent connections VAP will support.
6. In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. Wireless clients will communicate with this EAP capable RADIUS server for credential controlled access to the SonicWall access point, and for establishing shared key information for encrypted communication.
7. Click the OK button to create this VAP Profile.


Creating the SonicWall Access Point VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in the 'Creating a VLAN Sub-Interface on the WLAN' section.

1. In the left-hand menu, navigate to the Access Points | Virtual Access Point page.
2. Click the Add... button in the Virtual Access Points section.
3. Enter a default name (SSID) for the VAP. In this case we chose VAP-Corporate, the same name as the Zone to which it will be associated.
4. Select the VLAN ID you created in the "VLAN Sub-Interfaces" section from the drop-down list. In this case we chose 50, the VLAN ID of our VAP-Corporate VLAN.
5. Check the Enable Virtual Access Point checkbox to enable this access point upon creation.
6. Check the Enable SSID Suppress checkbox to hide this SSID from users.
7. Click the OK button to add this VAP. Your new VAP now appears in the Virtual Access Points list.

Advanced Tab (Authentication Settings)

1. Click the Advanced Tab to edit encryption settings. If you created a VAP Profile in the previous section, select that profile from the Profile Name list. We created and chose a 'Corporate-WPA2' profile, which uses WPA2-AUTO-EAP as the authentication method. If you have not set up a VAP Profile, continue with steps 2 through 4. Otherwise, continue to the Create More / Deploy Current VAPs section.

2. In the Advanced tab, select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings (Set below).

3. In the Maximum Clients field, enter the maximum number of concurrent connections VAP will support.

4. In the WPA-EAP Encryption Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the VLAN.

Create More / Deploy Current VAPs

Now that you have successfully set up a VLAN for Corporate LAN access, you can choose to add more custom VAPs, or to deploy this configuration to your SonicWall access points in the 'Deploying VAPs' section.

Time saver: Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously to all of your SonicWall access points by following the steps in the 'Deploying VAPs' section.


Deploying VAPs to SonicWall Access Points

In the following section you will group and deploy your new VAPs, associating them with one or more SonicWall access point radios. Users will not be able to access your VAPs until you complete this process:

Grouping Multiple VAPs

In this section, you will group multiple VAPs into a single group to be associated with your SonicWall access points.

1. In the left-hand menu, navigate to the Access Points | Virtual Access Point page.
2. Click the Add Group... button in the Virtual Access Point Group section.
3. Enter a Virtual AP Group Name.
4. Select the desired VAPs from the list and click the -> button to add them to the group. Optionally, click the Add All button to add all VAPs to a single group.

5. Press the OK button to save changes and create the group.

Creating a Provisioning Profile

In this section, you will associate the group you created in the 'Grouping Multiple VAPs' section by creating a provisioning profile. This profile will allow you to provision settings from a group of VAPs to all of your SonicWall access points.

1. In the left-hand menu, navigate to the Access Points | Base Settings page.
2. Click the Add button in the Provisioning Profiles section.
3. Click the Enable checkbox to enable this profile.
4. In the Name Prefix field, enter a name for this profile.
5. Select a Country Code from the drop-down list.
6. From the 802.11 Radio Virtual AP Group pull-down list, select the group you recently created.

7. To set up 802.11g WEP or 802.11a WEP/WPA encryption, or to enable MAC address filtering, use the 802.11g and 802.11a tabs. If any of your VAPs use encryption, configure these settings before your SonicWall access point VAPs will function.

Note: If any of the VAPs in your VAP Group use WEP, the WEP settings must be defined on the Profile (or the individual access point) prior to the assignment of that VAP Group to the target. For example, if you configure a VAP within the group to use WEP Key 1, you must configure WEP Key 1 on the target Profile or prior to VAP Group assignment.

8. Click the OK button to save changes and create this Provisioning Profile.

9. Click the Synchronize SonicPoints button at the top of the screen to apply your provisioning profile to available SonicWall access points.

The SonicWall access point may take a moment to reboot before changes take place. After this process is complete, all of your VAP profiles will be available to wireless users.

Note: If you are setting up guest services for the first time, be sure to make necessary configurations in the Users | Guest Services pages.
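
A pre-deployment consistency check for the settings these steps tie together (VLAN tag, zone, DHCP scope, RADIUS server), as an added example that is not SonicWall code or SonicOS export format. The plan layout, the IP addresses, the lease budget and the `intended_zone` field are assumptions made for illustration; only the names VAP-Corporate, X2:V50, tag 50 and WPA2-AUTO-EAP come from the article.

```python
import ipaddress

# Constructed plan using the article's example names (VAP-Corporate, X2:V50, tag 50).
# The dict layout, IP addresses and lease budget are assumptions for illustration;
# this is not a SonicOS configuration format.
PLAN = {
    "lease_budget": 256,  # assumed DHCP lease limit for the platform
    "subinterfaces": [
        {"name": "X2:V50", "vlan": 50, "zone": "VAP-Corporate",
         "ip": "172.16.50.1/24", "dhcp": ("172.16.50.10", "172.16.50.200")},
    ],
    "vaps": [
        {"ssid": "VAP-Corporate", "vlan": 50, "intended_zone": "VAP-Corporate",
         "auth": "WPA2-AUTO-EAP", "radius_server": "10.10.10.20"},
    ],
}


def check_plan(plan):
    """Return a list of problems found in a planned VAP deployment."""
    problems, by_vlan, leases = [], {}, 0
    for sub in plan["subinterfaces"]:
        name, vlan = sub["name"], sub["vlan"]
        if not 1 <= vlan <= 4094:  # valid 802.1Q VLAN IDs
            problems.append(f"{name}: VLAN tag {vlan} is out of range")
        if vlan in by_vlan:
            problems.append(f"{name}: VLAN tag {vlan} already used by {by_vlan[vlan]['name']}")
        by_vlan.setdefault(vlan, sub)
        iface = ipaddress.ip_interface(sub["ip"])
        start, end = (ipaddress.ip_address(a) for a in sub["dhcp"])
        if start > end or start not in iface.network or end not in iface.network:
            problems.append(f"{name}: DHCP range is not inside {iface.network}")
            continue
        if start <= iface.ip <= end:
            problems.append(f"{name}: DHCP range contains the interface address {iface.ip}")
        leases += int(end) - int(start) + 1
    # Every scope draws on the same platform-wide lease pool.
    if leases > plan["lease_budget"]:
        problems.append(f"DHCP scopes need {leases} leases, budget is {plan['lease_budget']}")
    for vap in plan["vaps"]:
        sub = by_vlan.get(vap["vlan"])
        if sub is None:
            problems.append(f"{vap['ssid']}: no sub-interface carries VLAN {vap['vlan']}")
        elif sub["zone"] != vap["intended_zone"]:
            problems.append(f"{vap['ssid']}: VLAN {vap['vlan']} is in zone {sub['zone']}, "
                            f"not {vap['intended_zone']}")
        # EAP authentication types depend on the RADIUS settings being filled in.
        if vap["auth"].endswith("EAP") and not vap.get("radius_server"):
            problems.append(f"{vap['ssid']}: {vap['auth']} needs a RADIUS server")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

A VAP whose VLAN ID matches no sub-interface, or lands in a different zone than intended, is the mismatch worth catching before synchronizing, because the zone is where the security services and access rules are applied.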




