SONICWALL SonicOS 7.1 SonicOS Access Points User Guide
- June 15, 2024
- SONICWALL
SonicOS 7.1 Access Points Administration Guide

Contents

About SonicOS ... 6
  Working with SonicOS ... 6
  SonicOS Workflow ... 8
  How to Use the SonicOS Administration Guides ... 9
  Guide Conventions ... 11
About Access Points ... 12
Settings ... 14
  Synchronize Access Points ... 15
  Provisioning Overview ... 15
  Creating/Modifying Provisioning Profiles ... 16
  Adding/Editing a Provisioning Profile – Getting Started ... 17
  General Settings for Provisioning Profiles ... 18
  5GHz/2.4GHz Radio Basic Settings for Provisioning Profiles ... 21
  5GHz/2.4GHz Radio Advanced Settings for Provisioning Profiles ... 35
  Sensor Settings for WIDP in Provisioning Profiles ... 42
  Mesh Network Settings for Provisioning Profiles ... 43
  3G/4G/LTE WWAN Settings for Provisioning Profiles ... 45
  Bluetooth LE Settings for Provisioning Profiles ... 47
  Deleting Access Point Profiles ... 48
  Product Specific Configuration Notes ... 48
  Managing Access Point Objects ... 48
  Deleting Access Point Objects ... 49
  Rebooting Access Point Objects ... 49
  Modifying Access Point Objects ... 50
Firmware Management ... 51
  About Firmware Management ... 51
  Obtaining the Latest SonicWall Firmware ... 52
  Downloading Firmware from a Specific URL ... 53
  Uploading Firmware to an Access Point ... 54
Floor Plan View ... 55
  Managing the Floor Plans ... 56
  Selecting a Floor Plan ... 56
  Creating a Floor Plan ... 56
  Editing a Floor Plan ... 57
  Managing Access Points ... 58
  Available Devices ... 59
  Added Access Points ... 59
  Removing Access Points ... 60
  Export Image ... 60
  Context Menu ... 60
Station Status ... 61
Intrusion Detection Services ... 63
  Scanning Access Points ... 64
  Authorizing Access Points ... 65
Advanced IDP ... 66
  Enabling Wireless IDP on a Profile ... 67
  Configuring Wireless IDP Settings ... 68
  Viewing KRACK Sniffer Packets ... 69
Packet Capture ... 71
  SonicWave Capture Radio Settings ... 72
  SonicWave 802.11 Packet Capture Settings ... 73
  SonicWave Packet Capture Filter Settings ... 73
Virtual Access Points ... 75
  Before Configuring VAPs ... 77
  Determining Your VAP Needs ... 77
  Determining Security Configurations ... 77
  Sample Network Definitions ... 78
  Prerequisites ... 78
  VAP Configuration Worksheet ... 79
  Access Point VAP Configuration Task List ... 80
  Virtual Access Point Groups ... 81
  Virtual Access Point Objects ... 81
  General Tab ... 82
  Advanced Tab ... 83
  Virtual Access Point Profiles ... 84
  Virtual Access Point Schedule Settings ... 86
  Virtual Access Point Profile Settings ... 86
  Remote MAC Address Access Control Settings ... 87
  ACL Enforcement ... 88
  IEEE802.11R Settings ... 89
  IEEE802.11K Settings ... 89
  IEEE802.11V Settings ... 89
  Agile Multiband Settings ... 89
RF Monitoring ... 90
  Prerequisites ... 91
  RF Monitoring Summary ... 92
  802.11 General Frame Setting ... 92
  802.11 Management Frame Setting ... 93
  802.11 Data Frame Setting ... 94
  Discovered RF Threat Stations ... 95
  Adding a Threat Station to the Watch List ... 96
  Practical RF Monitoring Field Applications ... 96
  Using Sensor ID to Determine RF Threat Location ... 97
  Using RSSI to Determine RF Threat Proximity ... 98
RF Analysis ... 100
  Choosing RF Analysis ... 100
  The RF Environment ... 100
  Using RF Analysis on SonicWall Access Points ... 101
  Understanding the RF Score ... 101
  Channel Utilization Graphs and Information ... 102
  Viewing Overloaded Channels ... 103
  RFA Highly Interfered Channels ... 104
RF Spectrum ... 105
FairNet ... 107
  Supported Platforms ... 108
  FairNet Features ... 108
  Management Interface Overview ... 108
  Configuring FairNet ... 109
Wi-Fi Multimedia ... 111
  WMM Access Categories ... 111
  Assigning Traffic to Access Categories ... 113
  Specifying Firewall Services and Access Rules ... 113
  VLAN Tagging ... 114
  Configuring Wi-Fi Multimedia Parameters ... 114
  Configuring WMM ... 114
  Creating a WMM Profile for an Access Point ... 116
3G/4G/LTE WWAN ... 117
Bluetooth LE Devices ... 118
  Viewing BLE Scanned Data ... 118
Radio Management ... 120
  Configuring Radio Management ... 120
  Configuring Dynamic Channel Selection Settings ... 122
SonicWall Support ... 125
  About This Document ... 126
1 About SonicOS
This administration guide provides information about the SonicWall SonicOS 7.1
release. SonicOS provides an easy-to-use, graphical interface for configuring
your network security appliance. The following sections provide an overview of
the key management interface features:
Topics:
- Working with SonicOS
- SonicOS Workflow
- How to Use the SonicOS Administration Guides
- Guide Conventions
Working with SonicOS
SonicOS provides a web management interface for configuring, managing, and
monitoring the features, policies, security services, connected devices, and
threats to your network. SonicOS runs on top of SonicCore, SonicWall’s secure
underlying operating system. The SonicOS management interface facilitates:
- Setting up and configuring your firewall
- Configuring external devices like access points or switches
- Configuring networks and external system options that connect to your firewall
- Defining objects and policies for protection
- Monitoring the health and status of the security appliance, network, users, and connections
- Monitoring traffic, users, and threats
- Investigating events

SonicWall offers two different modes of operation in SonicOS; the modes
differ mainly in the areas of policy, object configuration and diagnostics.
- Policy Mode provides a unified policy configuration workflow. It combines Layer 3 to Layer 7 policy enforcement for security policies and optimizes the workflow for other policy types. This unified policy workflow gathers into one place many security settings that were previously configured on different pages of the management interface.
- Classic Mode is more consistent with earlier releases of SonicOS; you need to develop individual policies and actions for specific security services. Classic Mode has a redesigned interface.
This table identifies which modes can be used on the different SonicWall firewalls:

Firewall Type: TZ Series
  Classic Mode: yes
  Policy Mode: no
  Comments: The entry-level TZ Series, also known as desktop firewalls, deliver revamped features such as 5G readiness, better connectivity options, improved threat, SSL and decryption performance that address HTTPS bandwidth issues, built-in SD-WAN, and lawful TLS 1.3 decryption support.

Firewall Type: NSa Series
  Classic Mode: yes
  Policy Mode: no
  Comments: NSa firewalls provide your mid-sized network with enhanced security. They are designed specifically for businesses with 250 and up. They can provide cloud-based and on-box capabilities like TLS/SSL decryption and inspection, application intelligence and control, SD-WAN, real-time visualization, and WLAN management.

Firewall Type: NSsp 10700, NSsp 11700, NSsp 13700
  Classic Mode: yes
  Policy Mode: no
  Comments: The NSsp platforms are high-end firewalls that deliver the advanced threat protection and fast speeds that large enterprises, data centers, and service providers need.

Firewall Type: NSsp 15700
  Classic Mode: no
  Policy Mode: yes
  Comments: The NSsp 15700 is designed for large distributed enterprises, data centers, government agencies and service providers. It provides advanced threat protection like Real-Time Deep Memory Inspection, multi-instance firewall configuration, and unified policy creation and modification, with scalability and availability.

Firewall Type: NSv Series
  Classic Mode: yes
  Policy Mode: yes
  Comments: The NSv series firewalls offer all the security advantages of a physical firewall with the operational and economic benefits of virtualization. The NSv firewalls can operate in either Policy Mode or Classic Mode. You can switch between modes, but some configuration information from extra interfaces is removed.
In addition to the management interface, SonicOS also has a full-featured API
and a command-line interface (CLI) to manage the firewalls. For more
information, refer to:
- SonicOS 7.1 API Reference Guide
- SonicOS Command Line Interface Reference Guide
SonicOS Workflow
When working with SonicWall products, you can use the following workflow as a
guide for setting up your security solution.
You begin your planning as you start making your purchasing decisions. Your
sales partners can help you assess your network and make recommendations based
on the kinds of security services you need. You can learn more about SonicWall
products by reviewing product information and solutions. After selecting the
solution, you can schedule your implementation.
After planning and scheduling your solution, you begin setting up the
firewalls. The Getting Started Guides for your products can help you begin
setting up the pieces to your solution. The getting started guides are
designed to help you install the firewall to a minimal level of operation.
Before performing any detailed configuration tasks described in the SonicOS
Administration Guides, you should have your firewall set up and basic
operation validated.
The configuration block of the workflow refers to the many tasks that combine
to define how your firewall is integrated into your security solution and how
it behaves when protecting your environment. Depending on the features of your
security solution, this task can be quite complex. The System Administration
Guides are broken into the key command sets and features. Some documents may
be used for all solutions, but others are used only if you integrated
that feature into your solution. For example, High Availability or Wireless
Access Points are not necessarily used by all customers. More information
about a feature’s workflow is presented in the feature administration guide.
Refer to the specific Administration Guide for a SonicOS feature for more
information.
Configuration tends to be a one-time activity, although you might make minor
adjustments after monitoring performance or after diagnosing an issue. The
configuration activity can be broken down into the more detailed flow as the
following figure shows. This also mirrors the key functions that are listed
across the top of the management interface.
There is some flexibility in the order in which you do things, but this is the
general work-flow you would follow when configuring your firewall. Start by
defining the settings on the firewall. Next you set up the system and other
devices that your firewall is connected to, and you can choose to implement
High Availability when done. After your device, network, and system is
configured, you should define the objects that you want to monitor. Then you
use those objects to define the policies that protect your network. The final
step to preparing your setup is to validate the user authentication.
How to Use the SonicOS Administration Guides
The SonicOS Administration Guide is a collection of guides that detail the
features represented by each of the main menu items in the management
interface. Within each guide, you can find topics covering commands in that
menu group, along with procedures and in-depth information. The exceptions are
the SonicOS 7.1 Monitor Guide and the SonicOS 7.1 Objects Guide which combine
the topics for each of those functions into a single book.
To help you understand how the books align with the features and commands, the
following figure shows the books organized like the SonicWall management
interface.
The SonicOS Administration Guides, along with related documentation such as
the getting started guides, are available at
https://www.sonicwall.com/support/technical-documentation/.
Guide Conventions
These text conventions are used in this guide:

NOTE: A NOTE icon indicates supporting information.
IMPORTANT: An IMPORTANT icon indicates supporting information.
TIP: A TIP icon indicates helpful information.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

Convention: Bold text
Description: Used in procedures to identify elements in the management interface like dialog boxes, windows, screen names, messages, and buttons. Also used for file names and text or values you are being instructed to select or type into the interface.

Convention: Function | Menu group > Menu item
Description: Indicates a multiple step menu choice on the user interface. For example, NETWORK | System > Interfaces means to select the NETWORK functions at the top of the window, then click on System in the left navigation menu to open the menu group (if needed) and select Interfaces to display the page.

Convention: Code
Description: Indicates sample computer programming code. If bold, it represents text to be typed in the command line interface.

Convention: <variable name> in angle brackets
Description: Represents a variable name. The variable name and angle brackets need to be replaced with an actual value. For example, in the segment serialnumber=<your serial number>, replace the variable and brackets with the serial number from your device, such as serialnumber=2CB8ED000004.

Convention: Italics
Description: Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence, such as the first instance of a significant term or concept.
2 About Access Points
The sections that follow include configuration options and procedures for wireless access point settings, firmware management, using the floor plan view, intrusion detection (IDS), advanced intrusion detection and prevention (IDP), packet capture for wireless traffic, virtual access points, radio frequency monitoring and spectrum, FairNet, Wi-Fi multimedia, 3G/4G/LTE WWAN, Bluetooth, and radio resource management. You can also find information on viewing station status.

SonicWall SonicPoint and SonicWave wireless access points are specially engineered to work with SonicWall security appliances to provide wireless access throughout your enterprise. SonicWall access points integrate with SonicWall TZ, NSa and NSsp firewalls to create a secure wireless solution that delivers comprehensive protection for wired and wireless networks. They provide high-speed wireless access with enhanced signal quality and reliability that takes advantage of the latest capabilities to achieve gigabit wireless performance. With support for IEEE 802.11a/b/g/n/ac standards, the SonicPoint/SonicWave series enables your organization for bandwidth-intensive mobile applications in high density environments without signal degradation.

You can connect SonicPoint/SonicWave access points to your firewall or to a connected switch, and manage them from the DEVICE | Access Points pages in SonicOS.
Topics:
- Settings
- Firmware Management
- Floor Plan View
- Station Status
- Intrusion Detection Services
- Advanced IDP
- Packet Capture
- Virtual Access Points
- RF Monitoring
- RF Analysis
- RF Spectrum
- FairNet
- Wi-Fi Multimedia
- 3G/4G/LTE WWAN
- Bluetooth LE Devices
- Radio Management
3 Settings
The most effective way to provision wireless access points is to let the SonicOS firewall automatically detect the access points and use one of the default profiles. SonicOS includes five default profiles, one for each generation of SonicWall access points: SonicPointN, SonicPointNDR, SonicPointACe/ACi/N2, SonicWave, and SonicWaveAX. These can be used as is, or they can be customized to suit your configuration. You can also build new profiles based on the type of access points you manage. The DEVICE | Access Points > Settings > Access Point Objects tab displays informational messages and shows the firmware version for all operational access points on the DEVICE | Access Points > Firmware Management page.

The access point profiles are displayed in the Access Point Provisioning Profiles tab. You can edit each profile or add a new profile. The Access Point Objects tab displays the settings for connected access points, and provides Edit icons to edit them or perform other actions.

NOTE: When wireless LAN is disabled, all Access Points and Wireless related pages disappear, Wireless Zone is removed from the zone types, and any existing WLAN zones or objects are no longer editable.

Topics:
- Synchronize Access Points
- Provisioning Overview
- Creating/Modifying Provisioning Profiles
- Managing Access Point Objects
Synchronize Access Points
Click Synchronize Access Points at the top of the DEVICE | Access Points >
Settings | Access Point Objects page to issue a query from the SonicWall
appliance to the WLAN Zone. All connected access points report their current
settings and statistics to the appliance. SonicOS also attempts to locate the
presence of any newly connected access points that are not yet registered with
the firewall.
NOTE: The button polls the access points, but does not push configuration to
them.
Provisioning Overview
SonicPoint/SonicWave Provisioning Profiles provide a scalable and highly
automated method of configuring and provisioning multiple access points across
a Distributed Wireless Architecture. SonicPoint/SonicWave Profile definitions
include all of the settings that can be configured on a SonicWall access
point, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and
channels of operation.
After you have defined an access point profile, you can apply it to a Wireless
zone. Each Wireless zone can be configured with one access point profile. Any
profile can apply to any number of zones. Then when an access point is
connected to a zone, it is automatically provisioned with the profile assigned
to that zone.
When an access point is first connected and powered up, it has a factory
default configuration (IP address: 192.168.1.20, username: admin, password:
password). Upon initializing, the unit attempts to find a SonicOS device with
which to peer. When a SonicOS device starts up, it also searches for access
points through the SonicWall Discovery Protocol. If the access point and a
peer SonicOS device find each other, they communicate through an encrypted
exchange where the profile assigned to the relevant Wireless zone is used to
automatically provision the newly added access point unit.
As part of the provisioning process, SonicOS assigns the discovered access
point a unique name and records its MAC address, the interface, and zone on
which it was discovered. If part of the profile, it can also automatically
assign an IP address so that the access point can communicate with an
authentication server for WPA-EAP support. SonicOS then uses the profile
associated with the relevant zone to configure the 2.4GHz and 5GHz radio
settings.
Note that changes to profiles do not affect units that have already been provisioned and are in an operational state. Configuration changes to operational access points can occur in the following ways:

- Through manual configuration changes. This option is the best choice when a single change, or a small set of changes, is to be made, particularly when that individual access point requires settings that are different from the profile assigned to its zone.
- Through the "Auto Provisioning SonicWave Provisioning Profile" option. This option is configured on the OBJECT | Match Objects > Zones | Wireless configuration page. After this option is enabled, changes to the profile affect the unit. The following warning appears when the profile is edited: "Warning! This profile has been enabled to provision all associated SonicPoint/SonicWave devices within the same zone automatically."
- Through un-provisioning. Deleting an access point effectively un-provisions the unit. It clears its configuration and places it into a state where it automatically engages the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed, and the change is set for propagation. It can be used to update firmware on access points, or to simply and automatically update multiple access points in a controlled fashion, rather than changing all peered access points at the same time and causing service disruptions.
Creating/Modifying Provisioning Profiles
On the DEVICE | Access Points > Settings page, you can configure and manage
the provisioning profiles as well as the individual objects. You can add any
number of profiles.
NOTE: SonicPoint AC refers to SonicPoint ACe/ACi/N2/AX; SonicPoint refers to all SonicPoint devices. SonicWave refers to SonicWave 681/641/621/432e/432i/432o/224w/231c/231o.

Navigate to the DEVICE | Access Points > Settings > Access Point Provisioning Profiles page. The five default SonicOS profiles are listed along with any custom profiles you have developed under the SonicPoint/SonicWave Provisioning Profiles section. To modify any of the default provisioning profiles, hover over the profile, click the Edit icon, and make the appropriate changes.

IMPORTANT: Because creating or modifying the SonicPoint/SonicWave Provisioning Profiles is very similar across all access point types, this section reviews how to add a new profile for a SonicWave device. Significant differences in the general process are noted and described in more detail later in this section.

NOTE: The SonicWall-provided provisioning profiles cannot be deleted, so the corresponding Delete icon is grayed out and not active.

The Add New Profile option has several screens where similar settings are grouped. The procedures are grouped to match those screens.
Topics:
- Adding/Editing a Provisioning Profile – Getting Started
- General Settings for Provisioning Profiles
- 5GHz/2.4GHz Radio Basic Settings for Provisioning Profiles
- 5GHz/2.4GHz Radio Advanced Settings for Provisioning Profiles
- Sensor Settings for WIDP in Provisioning Profiles
- Mesh Network Settings for Provisioning Profiles
- Bluetooth LE Settings for Provisioning Profiles
- Deleting Access Point Profiles
- Product Specific Configuration Notes
Adding/Editing a Provisioning Profile – Getting Started
To add a new provisioning profile:
1. Navigate to the DEVICE | Access Points > Settings > Access Point Provisioning Profiles page.
2. From the Add New Profile drop-down menu, select the type of profile you want to build. As an example, SonicWave Profile was selected.
NOTE: To modify an existing profile, click the Edit icon for the profile you want to update.
General Settings for Provisioning Profiles
To configure the options on the General screen:
1. Set the SonicWave General Settings.
Option: Enable
Action: When selected, enables the SonicWave access point. By default, this option is enabled.

Option: Retain Settings
Action: When selected, retains the customized settings until the next time the unit is rebooted. The Edit Settings option is enabled and the Retain Settings dialog is displayed, where you can customize which settings need to be retained.

Option: Enable RF Monitoring
Action: When selected, enables wireless RF-threat, real-time monitoring and management.

Option: Enable LED
Action: When selected, turns on the SonicWave LEDs. If left unchecked, which is the default, the LEDs stay off.

Option: Enable Low Power Mode
Action: When selected, allows the SonicWave to operate in a low power mode when the power source is not standard 802.3at PoE.

Option: PoE Out
Action: When selected, the Power over Ethernet ports operate in strict order: resistance checks are disabled on the port, and the port is continually checked so that the overload limit is not reached and no short circuit is detected.

Option: Name Prefix
Action: Type the prefix used for the name in the field provided.

Option: Country Code
Action: From the drop-down menu, select the country code for the country in which the access point is deployed.

Option: EAPOL Version
Action: Select the EAPoL version from the drop-down menu. Note that V2 provides better security.

Option: Band Steering Mode
Action: Select the band steering mode from the drop-down menu. Options include Disable, Auto, Prefer 5GHz, or Force 5GHz.

Option: Proxy Client DNS Request
Action: When selected, a DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
2. Set the Virtual Access Point Settings:
   a. For 5GHz Radio Virtual AP Group, select a Virtual Access Point object group from the drop-down menu.
   b. For 2.4GHz Radio Virtual AP Group, select a Virtual Access Point object group from the drop-down menu.
3. Scroll down to see the other General Settings.
4. Set the Dynamic VLAN ID Assignment. To enable the options under Dynamic VLAN ID Assignment, you need to create a WLAN zone under OBJECT | Match Objects > Zones and add a VLAN interface on the NETWORK | System > Interfaces page. Click + Add Interface and choose the Virtual Interface option. The Add Virtual Interface page appears.
5. Configure the L3 SSLVPN Tunnel Settings:
   a. Type the SSLVPN Server name or IP address in the field provided.
   b. Type the User Name for the SSLVPN server in the field provided.
   c. Type the Password to authenticate on the SSLVPN server.
   d. Type the Domain name in the field provided.
   e. Select the Auto-reconnect option to enable it.
   f. If you want to configure Layer 3 SSLVPN, click NETWORK | SSL VPN > Client Settings and, on the SonicPoint / SonicWave L3 Management Default Device Profile tab, define the appropriate settings using the Edit Device Profile dialog.
6. Set the Administrator Settings:
   a. Type the user Name of the network administrator.
   b. Type the Password for the network administrator.
5GHz/2.4GHz Radio Basic Settings for Provisioning Profiles
The basic settings for 5GHz Radio and 2.4GHz Radio across the different types
of access points are similar and have only a few differences. These
differences are noted in the steps. If a VAP group was selected in General
Settings, however, different options display. The following topics describe
the settings on the 5GHz/2.4GHz Radio Basic screens:
Topics:
- Radio Settings
- Wireless Security
- Protected Management Frames (PMF Option)
- About Local Radius Servers and EAP Authentication Balancing
- Configuring Radius Server Settings
- ACL Enforcement
- Remote MAC Address Access Control Settings
Radio Settings
To configure 5GHz Radio/2.4GHz Radio Basic Settings:
1. Click 5GHz Radio Basic or 2.4GHz Radio Basic.
2. Select Enable Radio to enable the radio bands automatically on all access
points provisioned with this profile. This option is selected by default.
3. From the Enable Radio drop-down menu, select a schedule for when the radio
is on or create a new schedule. The default is Always On.
4. Select your preferred radio mode from the Mode drop-down menu:

RADIO MODE CHOICES

5GHz Radio Basic:
- 5GHz 802.11n Only: Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
- 5GHz 802.11n/a Mixed: Supports 802.11a and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
- 5GHz 802.11a Only (SonicPoint NDR default): Select this mode if only 802.11a clients access your wireless network.
- 5GHz 802.11ax/ac/n/a Mixed (SonicWave and SonicPoint AC default): Supports 802.11ax, 802.11ac, 802.11a, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
- 5GHz 802.11ac Only: Allows only 802.11ac clients access to your wireless network. Other clients are unable to connect under this restricted radio mode.
- 5GHz 802.11ax Only: Allows only 802.11ax clients access to your wireless network. Other clients are unable to connect under this restricted radio mode.

2.4GHz Radio Basic:
- 2.4GHz 802.11n Only: Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
- 2.4GHz 802.11n/g/b Mixed (SonicPoint AC/NDR default): Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
- 2.4GHz 802.11g Only: If your wireless network consists only of 802.11g clients, you might select this mode for increased 802.11g performance. You might also select this mode if you wish to prevent 802.11b clients from associating.
- 2.4GHz 802.11ax/n/g/b Mixed: Supports 802.11ax, 802.11n, 802.11g, and 802.11b clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
- 2.4GHz 802.11ax Only: Allows only 802.11ax clients access to your wireless network. Other clients are unable to connect under this restricted radio mode.

TIP: For 802.11n clients only: If you want optimal throughput, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility. For optimal throughput for 802.11ac clients, SonicWall recommends the 802.11ac Only radio mode. Use the 802.11ac/n/a Mixed radio mode for multiple wireless client authentication compatibility.

NOTE: The available 802.11n 5GHz/2.4GHz Radio Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
- Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel, Enable Short Guard Interval, and Enable Aggregation.
- Does not support 802.11n, only the Channel option is displayed.
5. In the SSID field, enter a recognizable string for the SSID of each access point using this profile. This is the name that appears in clients' lists of available wireless connections.
TIP: If all SonicPoints or SonicWaves in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one access point to another.
6. Select a radio band from the Radio Band drop-down menu:
NOTE: When Mode = 5GHz 802.11a Only, the Radio Band option is not available.
- Auto – Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. If Auto is selected, both the Primary Channel and Secondary Channel should be set to Auto. This is the default setting.
- Standard – 20MHz Channel – Specifies that the radio uses only the standard 20MHz channel.
- Wide – 40MHz Channel – Available when any Mode except 5GHz 802.11a Only is selected. It specifies that the radio uses only the wide 40MHz channel.
- Wide – 80MHz Channel – Available only when 5GHz 802.11ax/ac/n/a Mixed or 5GHz 802.11ac Only is selected as the Mode. It specifies that the 5GHz Radio uses only the wide 80MHz channel. (Not available when the Mode is 5GHz 802.11n Only, 5GHz 802.11n/a Mixed, or 5GHz 802.11a Only.)
7. For the 5GHz Radio Basic tab, select the channel or channels based on the Mode and Radio Band options chosen:
Mode: 5GHz 802.11n Only
- Radio Band Auto: The Primary Channel and Secondary Channel fields default to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Primary Channel. The Secondary Channel is automatically defined as Auto.
Mode: 5GHz 802.11n/a Mixed
- Radio Band Auto: The Primary Channel and Secondary Channel fields default to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Primary Channel. The Secondary Channel is automatically defined as Auto.
Mode: 5GHz 802.11a Only
- Radio Band (no option): Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
Mode: 5GHz 802.11ac/n/a Mixed
- Radio Band Auto: The Standard Channel field defaults to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Channel drop-down menu.
- Wide – 80 MHz Channel: Select Auto or one of the radio channels in the Channel drop-down menu.
Mode: 5GHz 802.11ac Only
- Radio Band Auto: The Standard Channel field defaults to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Standard Channel drop-down menu.
- Wide – 80 MHz Channel: Select Auto or one of the radio channels in the Standard Channel drop-down menu.
Mode: 5GHz 802.11ax Only
- Radio Band Auto: The Standard Channel field defaults to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Standard Channel drop-down menu.
- Wide – 80 MHz Channel: Select Auto or one of the radio channels in the Standard Channel drop-down menu.
8. For the 2.4GHz Radio Basic tab, select the channel or channels based on the Mode and Radio Band options chosen:
Mode: 2.4GHz 802.11n Only
- Radio Band Auto: The Primary Channel and Secondary Channel fields default to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Primary Channel. The Secondary Channel is automatically defined as Auto.
Mode: 2.4GHz 802.11g Only
- Radio Band (no option): Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
Mode: 2.4GHz 802.11n/g/b Mixed
- Radio Band Auto: The Standard Channel field defaults to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Channel drop-down menu.
Mode: 2.4GHz 802.11ax/n/g/b Mixed
- Radio Band Auto: The Standard Channel field defaults to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Channel drop-down menu.
Mode: 2.4GHz 802.11ax Only
- Radio Band Auto: The Standard Channel field defaults to Auto.
- Standard – 20 MHz Channel: Select Auto or one of the radio channels specified in the Standard Channel drop-down menu.
- Wide – 40 MHz Channel: Select Auto or one of the radio channels in the Standard Channel drop-down menu.
9. Select Enable Short Guard Interval to enable it. This allows you to
increase the radio data rate by shortening the guard interval. Be sure the
wireless client can support this to avoid compatibility issues.
10. Select Enable Aggregation to enable it. This allows you to increase the
radio throughput by sending multiple data frames in a single transmission. Be
sure the wireless client can support this to avoid compatibility issues.
Wireless Security
NOTE: The SonicOS interface is context-sensitive. If a VAP Group was selected
in the General screen, the Wireless Security section is hidden and you can
skip this section.
To set the Wireless Security options:
1. Scroll down to the Wireless Security section. The options vary depending
on the selected Authentication Type.
To configure Wireless Security:
1. In the Wireless Security section, select the Authentication Type from the drop-down menu.
NOTE: The options available change with the type of configuration you select. If a WPA2 – EAP option is selected, the Radius Server Settings section is displayed.
2. Define the remaining settings, using the following tables as a reference:
WPA2 SETTINGS FOR WIRELESS SECURITY
Description: WPA and WPA2 (Wi-Fi Protected Access) are protocols for protecting wireless devices. Selecting one of the WPA2 – AUTO options allows the WPA protocol to be used if a device is not enabled for WPA2.
Authentication Type: WPA2 – PSK
Settings:
- Select Cipher Type from the drop-down menu. Options are AES (default), TKIP, or Auto.
- Set the Group Key Interval in seconds. The default is 86400.
- For SonicWave, select the PMF Option from the drop-down menu. See Protected Management Frames (PMF Option).
- Define the Passphrase for the pre-shared key.
Authentication Type: WPA2 – EAP
Settings:
- For SonicWave, select the Authentication Balance Method from the drop-down menu. See About Local Radius Servers and EAP Authentication Balancing.
- Select Cipher Type from the drop-down menu. Options are AES (default), TKIP, or Auto.
- Set the Group Key Interval in seconds. The default is 86400.
- For SonicWave, select the PMF Option from the drop-down menu. See Protected Management Frames (PMF Option).
Authentication Type: WPA2 – AUTO – PSK
Settings:
- Select Cipher Type from the drop-down menu. Options are AES (default), TKIP, or Auto.
- Set the Group Key Interval in seconds. The default is 86400.
- For SonicWave, select the PMF Option from the drop-down menu. See Protected Management Frames (PMF Option).
- Define the Passphrase for the pre-shared key.
Authentication Type: WPA2 – AUTO – EAP
Settings:
- For SonicWave, select the Authentication Balance Method from the drop-down menu. See About Local Radius Servers and EAP Authentication Balancing.
- Select Cipher Type from the drop-down menu. Options are AES (default), TKIP, or Auto.
- Set the Group Key Interval in seconds. The default is 86400.
- For SonicWave, select the PMF Option from the drop-down menu. See Protected Management Frames (PMF Option).
WPA3 SETTINGS FOR WIRELESS SECURITY
Description: WPA3 (Wi-Fi Protected Access 3) is the latest iteration protocol for protecting wireless devices. Selecting one of the WPA3 options signs up new devices through processes that do not require the use of shared passwords.
Authentication Type: WPA3 – OWE
Settings: Opportunistic Wireless Encryption (OWE).
Authentication Type: WPA3 – PSK
Settings:
- Select Cipher Type from the drop-down menu. Options are AES (default).
- Set the Group Key Interval in seconds. The default is 86400.
- Define the Passphrase for the individual access key.
Authentication Type: WPA2 – EAP
Settings:
- For SonicWave, select the Authentication Balance Method from the drop-down menu. See About Local Radius Servers and EAP Authentication Balancing.
- Select Cipher Type from the drop-down menu. Options are AES (default).
- Set the Group Key Interval in seconds. The default is 86400.
Authentication Type: WPA3/WPA2 – PSK
Settings:
- Select Cipher Type from the drop-down menu. Options are AES (default).
- Set the Group Key Interval in seconds. The default is 86400.
- Define the Passphrase for the individual access key.
Authentication Type: WPA3/WPA2 – EAP
Settings:
- For SonicWave, select the Authentication Balance Method from the drop-down menu. See About Local Radius Servers and EAP Authentication Balancing.
- Select Cipher Type from the drop-down menu. Options are AES (default).
- Set the Group Key Interval in seconds. The default is 86400.
Authentication Type: WPA3 – EAP – 192B
Settings:
- For SonicWave, select the Authentication Balance Method from the drop-down menu. See About Local Radius Servers and EAP Authentication Balancing.
- Select Cipher Type from the drop-down menu. Options are GCMP (default).
- Set the Group Key Interval in seconds. The default is 86400.
Protected Management Frames (PMF Option)
In the Wireless Security section, when Authentication Type is set to any WPA2
option, the PMF Option setting becomes available. The PMF Option setting is
supported for SonicWave profiles. This feature supports the IEEE 802.11w-2009
amendment to the IEEE 802.11 standard for protection of wireless management
frames. It is also known as the Protected Management Frames (PMF) standard.
You can select one of the following settings from the PMF Option drop-down menu under Wireless Security:
- Disabled: The service is not enabled. Clients connect without PMF.
- Enabled: The service is optional for wireless clients. Clients can connect with or without PMF, based on client settings.
- Required: Clients must have PMF enabled to connect.
While the 802.11i amendment protects data frames, management frames such as authentication, deauthentication, association, disassociation, beacons, and probes are used by wireless clients to initiate and tear down sessions for network services. Unlike data traffic, which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted as open or unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, if an attacker obtains the MAC address of a client, it can send a disassociation request to the client in the name of an AP, or send a re-association request to an AP in the name of the client. The client is logged off in either situation.
The 802.11w amendment applies to a set of robust management frames that are
protected by the Protected Management Frames (PMF) service. These include
Disassociation, De-authentication, and Robust Action frames. 802.11w protects
only specific management frames and does not affect the communication between
access points and clients. 802.11w can only take effect when both access
points and clients have 802.11w enabled.
802.11w provides the following benefits:
- Confidentiality: Encrypts unicast management frames:
  - Uses the same PTK as for data frames
  - Protects the previously unencrypted frame header through additional authentication data (AAD)
  - Extended AES-CCM to handle unicast management frames
  - Separate Receive Sequence Counter (RSC) for replay protection
- Group addressed frame protection: Broadcast/Multicast Integrity Protocol (BIP) protects the integrity of broadcasts and multicasts, prevents replay attacks, and protects clients from spoofed broadcast/multicast attacks. For broadcast/multicast management frames:
  - Uses a new Integrity Group Temporal Key (IGTK) received during the WPA key handshake
  - New algorithm: Broadcast Integrity Protocol (BIP)
  - New information element: Management MIC IE with Sequence Number + Cryptographic Hash (AES128-CMAC-based)
- Connection protection: Security Association (SA) Query can prevent clients from going offline caused by spoofed re-association requests.
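The following Python is an added illustration, not SonicOS code: it models what each PMF Option value means for a joining client and then applies a defender's check to a constructed frame capture, flagging robust frames (deauth/disassoc/action) that arrive unprotected for a client whose session negotiated PMF, plus any source sending a burst of unprotected deauth frames. The MgmtFrame record format, the client addresses and the burst threshold are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# The three PMF Option values offered under Wireless Security.
PMF_DISABLED = "Disabled"
PMF_ENABLED = "Enabled"
PMF_REQUIRED = "Required"

# Management frame subtypes that 802.11w protects ("robust" frames). Beacons,
# probes, authentication and association frames are not in this set and stay open.
ROBUST_MGMT_SUBTYPES = frozenset({"disassoc", "deauth", "action"})


def negotiate_pmf(ap_option, client_supports_pmf):
    """Return (association_allowed, pmf_in_use) for one client joining the AP.

    Disabled: clients connect, PMF is never used.
    Enabled:  PMF is optional; it is used only when the client also has it enabled.
    Required: clients without PMF are refused.
    PMF is therefore in effect only when both sides have it enabled.
    """
    if ap_option == PMF_DISABLED:
        return True, False
    if ap_option == PMF_ENABLED:
        return True, client_supports_pmf
    if ap_option == PMF_REQUIRED:
        return client_supports_pmf, client_supports_pmf
    raise ValueError(f"unknown PMF Option: {ap_option!r}")


@dataclass(frozen=True)
class MgmtFrame:
    """One captured management frame; a constructed record format, not SonicOS output."""
    subtype: str     # "deauth", "disassoc", "action", "beacon", ...
    bssid: str       # AP address the frame claims to come from
    client: str      # destination client MAC
    protected: bool  # True when the frame carried 802.11w protection


def pmf_protected_clients(ap_option, clients):
    """Apply negotiate_pmf() to a {client_mac: supports_pmf} map; return clients whose session uses PMF."""
    return {mac for mac, supports in clients.items()
            if negotiate_pmf(ap_option, supports) == (True, True)}


def find_unprotected_robust_frames(frames, pmf_clients):
    """Robust frames that arrive without protection for a client whose session negotiated PMF.

    A genuine AP protects deauth/disassoc for such clients, so these frames are
    either forged (the spoofing case described above) or a misconfiguration.
    """
    return [f for f in frames
            if f.subtype in ROBUST_MGMT_SUBTYPES and not f.protected and f.client in pmf_clients]


def deauth_sources_over_threshold(frames, threshold=5):
    """Count unprotected deauth/disassoc frames per BSSID; return sources at or above threshold (assumed)."""
    counts = Counter(f.bssid for f in frames
                     if f.subtype in {"deauth", "disassoc"} and not f.protected)
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


# Constructed sample: one AP with PMF Option = Enabled, two clients, a short capture.
SAMPLE_AP = "00:11:22:33:44:55"
SAMPLE_CLIENTS = {"aa:aa:aa:aa:aa:01": True,   # supports 802.11w
                  "aa:aa:aa:aa:aa:02": False}  # legacy client, no PMF
SAMPLE_FRAMES = [
    MgmtFrame("beacon", SAMPLE_AP, "ff:ff:ff:ff:ff:ff", False),
    MgmtFrame("deauth", SAMPLE_AP, "aa:aa:aa:aa:aa:01", True),     # legitimate, protected
    MgmtFrame("deauth", SAMPLE_AP, "aa:aa:aa:aa:aa:01", False),    # forged: unprotected
    MgmtFrame("disassoc", SAMPLE_AP, "aa:aa:aa:aa:aa:02", False),  # legacy client, open as expected
] + [MgmtFrame("deauth", SAMPLE_AP, "aa:aa:aa:aa:aa:02", False) for _ in range(5)]


def analyse_sample(ap_option=PMF_ENABLED):
    """Run both checks over the constructed capture; returns (suspect_frames, flood_sources)."""
    protected = pmf_protected_clients(ap_option, SAMPLE_CLIENTS)
    return (find_unprotected_robust_frames(SAMPLE_FRAMES, protected),
            deauth_sources_over_threshold(SAMPLE_FRAMES))


if __name__ == "__main__":
    suspects, floods = analyse_sample()
    for f in suspects:
        print(f"unprotected {f.subtype} to PMF client {f.client} claiming BSSID {f.bssid}")
    for bssid, n in floods.items():
        print(f"{n} unprotected deauth/disassoc frames claiming BSSID {bssid}")
```

With the profile set to Disabled the first check returns nothing, which is exactly the exposure the text describes: without PMF on both sides, no unprotected deauth frame is distinguishable from a genuine one.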
About Local Radius Servers and EAP Authentication Balancing
This feature allows local SonicWave access points to provide local radius
authentication service within selected SonicWaves and integrates with
corporate directory services, including native LDAP systems and Active
Directory. In this scenario, the SonicWave provides EAP authentication for
clients and functions as both the authenticator and authentication server
simultaneously. LDAP cache and TLS cache are supported for fast performance
when reconnecting.
To configure this feature, you need:
- An interface in the WLAN zone with one or more local RADIUS servers configured in the subnet; these are the SonicWave local RADIUS servers.
- WLAN zone configured with the Enable Local Radius Server option selected on the Radius Server screen; this option controls whether this feature is enabled or not.
- SonicWave profile with the following settings on the Radio Basic screen(s):
  - One of the WPA2 – EAP types selected for Authentication Type. The Radius Server Settings section is displayed where you can configure the local RADIUS server settings. See Configuring Radius Server Settings for details.
  - One of the Local Radius Server options selected for Authentication Balance Method:
    - Only remote radius server: Only use the remote RADIUS server for authentication.
    - Local radius server first: With this option selected, when a client tries to authenticate, a local RADIUS server is used first. If the authentication fails, the authentication request is sent to the remote RADIUS server.
    - Only local radius server: Only use the local RADIUS server for authentication.
    - Local radius server As Failover Mechanism: When the remote RADIUS server is down, the local RADIUS server is used automatically.
- NAT policy, Access Rule, Address Group, RADIUS pool – automatically configured.
When you enable a local radius server on a SonicWave, a NAT policy and access
rule are automatically created. The SonicOS NAT module has failover and load
balance methods, so a Radius server pool is supported. Additional SonicWaves
with a local radius server configured can be added to this pool. More than one
local radius server provides a failover mechanism and optimizes network
performance. The Enable Local Radius Server option and other settings are
configured in the Radius Server screen available when configuring the WLAN
zone, configured from the OBJECT | Match Objects > Zones page. This screen
provides options for setting the number of RADIUS servers per interface, the
server port, the client password, the TLS cache, and LDAP or Active Directory
access settings. When you enable a local radius server on a SonicWave, the
configured RADIUS server port and client password are used on that SonicWave.
NOTE: The SonicWave DNS server must be able to resolve the name of the LDAP server or Active Directory server domain.
The Server Numbers Per Interface option controls the number of local RADIUS servers under one specific interface in this zone. Increasing this value means more SonicWaves can be added to the RADIUS pool. The minimum value is 1, and the maximum is equal to the maximum number of SonicWaves per interface in a WLAN Zone. Because the number configured for the option can be smaller than the number of connected SonicWaves, the specific SonicWaves configured as local radius servers are not fixed.
When the Enable Local Radius Server TLS Cache option is enabled, the client
and the server can cache TLS session keys and use these to reduce the delay in
time between an authentication request by a client and the response by the
RADIUS server. Clients can also perform a fast reconnect. When enabled, you
can set the Cache Lifetime option to the number of hours that cached entries
are saved. The cache lifetime can be a number between one hour and 24 hours.
When the security appliance powers up, if Enable Local Radius server is
enabled on the WLAN zone, an address object, the Radius Pool, a NAT policy,
and an access rule should be created. The Radius Pool name is a combination of
the interface name plus “Radius Pool,” for example, X2 Radius Pool. A new
address object is automatically created for the SonicWave acting as a Radius
server, which is named with the interface name and MAC address of the
SonicWave, for example, X2 18:b1:69:7b:75:2e. This address object is added to
the RADIUS Pool if seats are available.
If Enable Local Radius server is disabled, the SonicWave address object,
Radius pool, NAT policy, and access rule are removed, and a Delete command by
restApi is sent to the SonicWaves that are in the Radius pool to make the
local Radius server go down.
If the WLAN zone is edited, the NAT policy and access rule are removed and re-
created. The radius pool always exists unless Enable Local Radius server is
disabled. If the interface changes, the NAT policy, access rule, and radius
pool are removed and created again if the interface is still bound to the WLAN
Zone.
Configuring Radius Server Settings
If you selected either WPA2 – EAP or WPA2 – AUTO – EAP in the Wireless
Security section, the Radius Server Settings section appears for configuration
of a RADIUS server to generate authentication keys. The server has to be
configured for this and for communicating with the SonicWall appliance.
To configure Radius Server Settings:
1. Click Radius Server Settings. The Radius Server Settings dialog displays. The options displayed on this dialog depend on the type of SonicPoint/SonicWave.
2. In the Retries field, enter the number of times, from 1 to 10, the firewall attempts to connect before it fails over to the other Radius server.
3. In the Retry Interval field, enter the time, from 0 to 60 seconds, to wait between retries. The default is 0, or no wait between retries.
4. Define the Radius Server Settings as described in the following table:
RADIUS AUTHENTICATION SERVER SETTINGS
- Server 1 IP: The name/location of your RADIUS authentication server.
- Server 1 Port: The port on which your RADIUS authentication server communicates with clients and network devices. The default port is 1812.
- Server 1 Secret: The secret passcode for your RADIUS authentication server.
- Server 2 IP: The name/location of your backup RADIUS authentication server.
- Server 2 Port: The port on which your backup RADIUS authentication server communicates with clients and network devices. The default port is 1812.
- Server 2 Secret: The secret passcode for your backup RADIUS authentication server.
5. If you are using a Radius server to track usage for charging, set up the Radius Accounting Server:
RADIUS ACCOUNTING SERVER SETTINGS
- Server 1 IP: The name/location of your RADIUS accounting server.
- Server 1 Port: The port on which your RADIUS authentication server communicates with clients and network devices.
- Server 1 Secret: The secret passcode for your RADIUS authentication server.
- Server 2: The name/location of your backup RADIUS authentication server.
- Server 2 Port: The port on which your backup RADIUS authentication server communicates with clients and network devices.
- Server 2 Secret: The secret passcode for your backup RADIUS authentication server.
- RADIUS CoA Support: When enabled, the device acts as a RADIUS dynamic authorization server and responds to RADIUS Change-of-Authorization and Disconnect messages sent by the RADIUS server.
6. To send the NAS identifier to the RADIUS server, select the type from the NAS Identifier Type drop-down menu:
- Not Included (default)
- SonicPoint's Name
- SonicPoint's MAC Address
- SSID
When the SSID option is selected, both the RADIUS authentication message and the RADIUS accounting message carry the access point SSID.
7. To send the NAS IP address to the RADIUS Server, enter the address in the NAS IP Addr field.
8. Click OK.
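The Authentication Balance Method options described under About Local Radius Servers and EAP Authentication Balancing, together with the Retries and Server 1/Server 2 failover behaviour of the Radius Server Settings dialog, are modelled below as an added Python example (not SonicOS code). The simulated servers, credentials and the reading that a local Reject also forwards the request under "Local radius server first" are assumptions made for the example.

```python
from dataclasses import dataclass

# Authentication Balance Method values offered on the SonicWave profile.
ONLY_REMOTE = "Only remote radius server"
LOCAL_FIRST = "Local radius server first"
ONLY_LOCAL = "Only local radius server"
LOCAL_FAILOVER = "Local radius server As Failover Mechanism"

DEFAULT_RADIUS_AUTH_PORT = 1812


def validate_radius_settings(retries, retry_interval, port=DEFAULT_RADIUS_AUTH_PORT):
    """Enforce the ranges the dialog accepts: Retries 1-10, Retry Interval 0-60 seconds."""
    if not 1 <= retries <= 10:
        raise ValueError("Retries must be between 1 and 10")
    if not 0 <= retry_interval <= 60:
        raise ValueError("Retry Interval must be between 0 and 60 seconds")
    if not 1 <= port <= 65535:
        raise ValueError("server port must be between 1 and 65535")


@dataclass
class RadiusServer:
    """Simulated RADIUS server (constructed for this example; no packets are sent)."""
    name: str
    users: dict          # username -> password, the server's credential store
    up: bool = True      # False models a server that never replies
    requests: int = 0    # how many Access-Requests reached this server

    def authenticate(self, user, password):
        """True = Access-Accept, False = Access-Reject, None = no reply (timeout)."""
        self.requests += 1
        if not self.up:
            return None
        return self.users.get(user) == password


def query_with_retries(server, user, password, retries):
    """Re-send up to `retries` times while the server stays silent; any reply ends the loop."""
    for _ in range(retries):
        result = server.authenticate(user, password)
        if result is not None:
            return result
    return None


def remote_auth(primary, backup, user, password, retries):
    """Server 1 first; fail over to Server 2 only when Server 1 exhausts its retries without replying."""
    result = query_with_retries(primary, user, password, retries)
    if result is None and backup is not None:
        result = query_with_retries(backup, user, password, retries)
    return result


def authenticate(method, local, primary, backup, user, password, retries=3):
    """Route one EAP authentication according to the Authentication Balance Method.

    Assumption: under "Local radius server first" both a Reject and a timeout
    from the local server count as the failure that forwards the request.
    """
    validate_radius_settings(retries, 0)
    if method == ONLY_REMOTE:
        return remote_auth(primary, backup, user, password, retries)
    if method == ONLY_LOCAL:
        return query_with_retries(local, user, password, retries)
    if method == LOCAL_FIRST:
        if query_with_retries(local, user, password, retries) is True:
            return True
        return remote_auth(primary, backup, user, password, retries)
    if method == LOCAL_FAILOVER:
        result = remote_auth(primary, backup, user, password, retries)
        if result is None:  # remote side down: the local server takes over
            result = query_with_retries(local, user, password, retries)
        return result
    raise ValueError(f"unknown Authentication Balance Method: {method!r}")


def scenario(method, local_up=True, primary_up=True, backup_up=True,
             user="alice", password="correct horse"):
    """Run one request against freshly built servers (constructed credentials).

    Returns (outcome, {server name: requests received}) so the routing is visible.
    """
    local = RadiusServer("SonicWave local", {"alice": "correct horse"}, up=local_up)
    primary = RadiusServer("Server 1", {"alice": "correct horse", "bob": "hunter2"}, up=primary_up)
    backup = RadiusServer("Server 2", {"alice": "correct horse", "bob": "hunter2"}, up=backup_up)
    outcome = authenticate(method, local, primary, backup, user, password, retries=3)
    return outcome, {s.name: s.requests for s in (local, primary, backup)}


if __name__ == "__main__":
    for m in (ONLY_REMOTE, LOCAL_FIRST, ONLY_LOCAL, LOCAL_FAILOVER):
        print(m, "->", scenario(m, primary_up=False))
```

The request counters show the cost of each method when Server 1 is down: every remote-first method burns all three retries on Server 1 before anything else answers.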
ACL Enforcement
Each access point can support an Access Control List (ACL) to provide more
effective authentication control. The ACL feature works in tandem with the
wireless MAC Filter List currently available on SonicOS. Using the ACL
Enforcement feature, users are able to enable or disable the MAC Filter List,
set the Allow List, and set the Deny list.
To enable MAC Filter List enforcement:
1. Toggle the option to Enable MAC Filter List. When the MAC filter list is
enabled, the other settings are also enabled so you can set them.
2. In the Allow List, select an option from the drop-down menu. This identifies which MAC addresses you allow to have access. Choose Create MAC Address Object Group if you want to create a new address object group made up of those you want to have access. Refer to SonicOS Policies for information.
3. In the Deny List, select an option from the drop-down menu. This identifies which MAC addresses you deny access to. Choose Create MAC Address Object Group if you want to create a new address object group made up of those who should not have access. Refer to SonicOS Policies for information.
4. Toggle the option to Enable MIC Failure ACL Blacklist.
5. Set a MIC Failure Frequency Threshold based on the number of times per minute. The default is 3.
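As an added Python example (not SonicOS code) of the two ACL Enforcement mechanisms above: the Allow List/Deny List decision for a client MAC, and a sliding one-minute window that blacklists a client once its MIC failures reach the threshold (default 3 per minute). The guide does not state which list wins when a MAC is in both, so deny-over-allow is an assumption here, as are the event-line format and timestamps.

```python
from collections import defaultdict, deque

DEFAULT_MIC_FAILURE_THRESHOLD = 3   # MIC failures per minute; the guide's default
WINDOW_SECONDS = 60


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so list entries match however they were typed."""
    return mac.strip().lower().replace("-", ":")


def mac_filter_decision(client_mac, allow_list, deny_list, filter_enabled=True):
    """Apply the Allow List and Deny List of ACL Enforcement to one client.

    Assumption (the guide does not state precedence): a Deny List match wins,
    and an empty Allow List admits every client that is not denied.
    """
    if not filter_enabled:
        return True
    mac = normalize_mac(client_mac)
    if mac in {normalize_mac(m) for m in deny_list}:
        return False
    allowed = {normalize_mac(m) for m in allow_list}
    return not allowed or mac in allowed


class MicFailureBlacklist:
    """Sliding one-minute window of MIC failures per client; blacklist when the threshold is reached."""

    def __init__(self, threshold=DEFAULT_MIC_FAILURE_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)   # mac -> timestamps inside the window
        self.blacklisted = {}                 # mac -> timestamp of blacklisting

    def record_failure(self, client_mac, ts):
        """Register one MIC failure at time ts (seconds); return True if the client is now blacklisted."""
        mac = normalize_mac(client_mac)
        recent = self._failures[mac]
        recent.append(ts)
        while recent and ts - recent[0] >= self.window:
            recent.popleft()              # drop failures older than one minute
        if len(recent) >= self.threshold and mac not in self.blacklisted:
            self.blacklisted[mac] = ts
        return mac in self.blacklisted

    def is_blacklisted(self, client_mac):
        return normalize_mac(client_mac) in self.blacklisted


def process_mic_events(lines, threshold=DEFAULT_MIC_FAILURE_THRESHOLD):
    """Feed constructed "<seconds> <mac>" event lines through the blacklist; return blacklisted MACs in order."""
    bl = MicFailureBlacklist(threshold)
    order = []
    for line in lines:
        ts, mac = line.split()
        mac = normalize_mac(mac)
        if bl.record_failure(mac, float(ts)) and mac not in order:
            order.append(mac)
    return order


# Constructed sample event stream: client ...01 fails twice, then a third time only after
# its first failure has aged out of the window; client ...02 fails three times within 30 s.
SAMPLE_MIC_EVENTS = [
    "0 aa:bb:cc:dd:ee:01",
    "20 aa:bb:cc:dd:ee:01",
    "0 AA-BB-CC-DD-EE-02",
    "10 aa:bb:cc:dd:ee:02",
    "30 aa:bb:cc:dd:ee:02",
    "70 aa:bb:cc:dd:ee:01",
]

if __name__ == "__main__":
    print("blacklisted:", process_mic_events(SAMPLE_MIC_EVENTS))
    print("allowed:", mac_filter_decision("aa:bb:cc:dd:ee:01", ["AA-BB-CC-DD-EE-01"], []))
```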
Remote MAC Address Access Control Settings
This option allows you to enforce radio wireless access control based on the MAC-based authentication on the RADIUS Server. To allow wireless access control:
1. Toggle the Enable Remote MAC Access Control option to enable it.
2. Click Configure.
3. If not already configured, set up the RADIUS Server(s) as described in Configuring Radius Server Settings.
4. Click OK.
NOTE: Remote MAC Address Access Control cannot be set when IEEE 802.11i EAP is enabled.
5GHz/2.4GHz Radio Advanced Settings for Provisioning Profiles
These settings affect the operation of the radio bands. The
SonicPoint/SonicWave has two separate radios built in. Therefore, it can send
and receive on both bands at the same time. The 5GHz Radio Advanced screen has
the same options as the 2.4GHz Radio Advanced screen, plus other options. The
screens are similar across the different access point models. Differences are
noted in the procedure where necessary.
To configure the 5GHz Radio /2.4GHz Radio Advanced setting:
1. Click 5GHz Radio Advanced or 2.4GHz Radio Advanced as needed.
2. Toggle the option if you want to Hide SSID in Beacon. This allows the SSID to send null SSID beacons in place of advertising the wireless SSID name. Sending null SSID beacons forces wireless clients to know the SSID to connect. This option is disabled by default.
3. From the Schedule IDS Scan drop-down menu, select a schedule for the IDS (Intrusion Detection Service) scan. Select a time when there are fewer demands on the wireless network to minimize the inconvenience of dropped wireless connections. You can create your own schedule by selecting Create new schedule or disable the feature by selecting Disabled, the default.
NOTE: IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN Infrastructure that consists of authorized access points, the RF medium, and the wired network. An authorized or valid-AP is defined as an access point that belongs to the WLAN infrastructure. The access point is either a SonicPoint, a SonicWave, or a third-party access point.
4. From the Minimum Data Rate drop-down menu, select the speed at which the
data is transmitted and received. Best (default) automatically selects the
best rate available in your area, given interference and other factors.
5. If you are configuring a SonicPoint NDR: from the Minimum Data Rate drop-
down menu, select Best (default).
The Minimum Data Rate setting determines which antenna the access point uses
to send and receive data. When Best is selected, the access point
automatically selects the antenna with the strongest, clearest signal.
6. From the Transmit Power drop-down menu, select the transmission power. Transmission power affects the range of the SonicPoint.
- Full Power (default)
- Half (-3 dB)
- Quarter (-6 dB)
- Eighth (-9 dB)
- Minimum
7. In the Beacon Interval (milliseconds) field, enter the number of
milliseconds between sending wireless SSID beacons. The minimum interval is
100 milliseconds (default); the maximum is 1000 milliseconds.
8. In the DTIM Interval field, enter the DTIM interval in milliseconds. The
minimum number of frames is 1 (default); the maximum is 255. For 802.11 power-
save mode clients of incoming multicast packets, the DTIM Interval specifies
the number of beacon frames to wait before sending a DTIM (Delivery Traffic
Indication Message).
9. If you are configuring a SonicPointNDR: in the RTS Threshold (bytes)
field, enter the number of bytes of fragmented data you want the network to
allow. The fragmentation threshold limits the maximum frame size. Limiting
frame size reduces the time required to transmit the frame and, therefore,
reduces the probability that the frame is corrupted (at the cost of more data
overhead). Fragmented wireless frames increase reliability and throughput in
areas with RF interference or poor wireless coverage. Lower threshold numbers
produce more fragments. The minimum is 256 bytes, the maximum is 2346 bytes
(default).
10. In the RTS Threshold (bytes) field, enter the threshold for a packet
size, in bytes, at which a request to send (RTS) is sent before packet
transmission. Sending an RTS ensures that wireless collisions do not take
place in situations where clients are in range of the same access point, but
might not be in range of each other. The minimum threshold is 256 bytes, the
maximum is 2346 bytes (default).
11. In the Maximum Client Associations field, enter the maximum number of
clients you want each access point using this profile to support on this radio
at one time. The minimum number of clients is 1, the maximum number is 128,
and the default number is 32.
12. In the Station Inactivity Timeout (seconds) field, enter the maximum
length of wireless client inactivity before the access point ages out the
wireless client. The minimum period is 60 seconds, the maximum is 36000
seconds, and the default is 300 seconds.
13. If you are configuring the 2.4GHz Radio Advanced screen settings, define
the following settings which are specific to that window; otherwise skip to
the next step.
Options and settings:
- Preamble Length: Select from the drop-down menu: Long (default) or Short.
- Protection Mode: Select from the drop-down menu: None, Always, or Auto.
- Protection Rate: Select from the drop-down menu: 1 Mbps (default), 2 Mbps, 5 Mbps, or 11 Mbps.
- Protection Type: Select from the drop-down menu: CTS Only (default) or RTS-CTS.
- Enable Short Slot Time: Select to allow clients to disassociate and reassociate more quickly. Specifying this option increases throughput on the 802.11n/g wireless band by shortening the time an access point waits before relaying packets to the LAN.
- Do not allow 802.11b Clients to Connect: Select if you are using Turbo G mode and, therefore, are not allowing 802.11b clients to connect. Specifying this option limits wireless connections to 802.11g and 802.11n clients only.
14. From the WMM (Wi-Fi Multimedia) drop-down menu, select whether a WMM profile is to be associated with this profile:
- Disabled (default)
- Create new WMM profile
- A previously configured WMM profile
15. Toggle the option box to Enable WDS AP. It allows a wireless network to be expanded using multiple access points without the traditional requirement for a wired backbone to link them.
16. Select Enable Green AP to allow the access point radio to go into sleep
mode. This saves power when no clients are actively connected. The access
point immediately goes into full power mode when any client attempts to
connect to it. Green AP can be set on each radio independently, 5GHz Radio and
2.4GHz Radio.
17. In the Green AP Timeout(s) field, enter the transition time, in seconds,
that the access point waits while it has no active connections before it goes
into sleep mode. The transition values can range from 20 seconds to 65535
seconds with a default value of 20 seconds.
18. If configuring a SonicWave or SonicPoint ACe/ACi/N2 profile, select
Enable RSSI to enable a RSSI threshold. Clients with signal strengths below
the threshold are disassociated by the access point so that they are
associated to a closer access point. This option is not selected by default.
19. If Enable RSSI is selected, enter the threshold value as a negative
number into the RSSI Threshold (dBm) field. The default is -95 dBm. For more
information about RSSI thresholds, see Configuring the RSSI Threshold.
20. If configuring a SonicWave device, toggle the option to Enable Air Time
Fairness. This feature is disabled by default. If enabled, it steers the
traffic for devices that can use the 5GHz band to that band because it usually
has less traffic and less interference. If the signal strength or signal
conditions are better on the 2.4GHz band, traffic is steered to that band. The
intention is to use both bands in the most effective manner.
21. Under IEEE802.11r Settings, select Enable IEEE802.11r to enable secure, fast roaming. If Enable IEEE802.11r is selected, you can select the other options:
- Enable FT over DS – enables fast transition over DS
- Enable IEEE802.11r Mix Mode – enables fast transition in mixed mode
For more information about these options, see Configuring IEEE802.11r Settings for Secure Fast Roaming.
22. Under IEEE802.11k Settings, select Enable Neighbor Report to enable
collection of information about neighboring access points. This option is not
selected by default. See Configuring IEEE802.11k Settings for Dynamic Radio
Management for more information.
23. Under IEEE802.11v Settings, select Enable BSS Transition Management to
enable the access point to request a voice client to transition to a specific
access point if the client sends a query to the access point. This option is
not selected by default. See Configuring IEEE802.11v Settings for Dynamic
Environment Management for more information.
24. Under IEEE802.11v Settings, select Enable WNM Sleep Mode to enable a non-
access point station to signal to an access point that it is sleeping for a
specified time. This option is not selected by default. See Configuring
IEEE802.11v Settings for Dynamic Environment Management for more information.
Configuring the RSSI Threshold
In areas large enough to require multiple access points to provide good WiFi
coverage across the whole area, you would expect a WiFi client to detect and
move to the closest access point. Unfortunately, many WiFi clients tend to
hang on to the original access point they associated with, rather than moving
to a nearby access point that would generally be a better choice for them.
This is referred to as sticky behavior and results in a low RSSI (Received
Signal Strength Indicator) and a high SNR (Signal-to-Noise Ratio). The farther
away from the original access point the client moves, the weaker its RSSI gets
and the worse its SNR gets. Retransmissions occur, dynamic rate-shifting
happens, and the client communicates at a much lower data-rate. A lower data-
rate consumes more air-time to transfer the same information, resulting in
higher channel utilization. Ideally, the client would roam to the closest
access point, and the resulting RF space would be better for everyone.
RSSI thresholds are supported. When the client reaches a certain RSSI level
from the perspective of the access point, the access point disassociates from
the client and the client then associates to a closer access point. The RSSI
threshold is configurable.
SonicOS 7.1 Access Points Administration Guide 39 Settings
RSSI measurements represent the relative quality of a received signal on a
device after any possible loss at the antenna and cable level. The higher the
RSSI value, the stronger the signal. When measured in negative numbers, the
number that is closer to zero usually means better signal. As an example, -50
dBm is a pretty good signal, -75 dBm is fairly reasonable, and -100 dBm is no
signal at all.
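To make the RSSI Threshold behaviour concrete, here is an added Python model of the AP-side decision (example code, not part of the SonicOS guide or SonicWall's implementation): each client's RSSI as seen by the AP is averaged over a short window, and the client is disassociated only after several consecutive below-threshold averages, so a momentary fade does not drop a client that is still well served. The threshold, window, grace count, client MAC and RSSI traces are constructed assumptions.

```python
from collections import deque

NO_SIGNAL_DBM = -100   # the guide's "no signal at all" level


class StickyClientMonitor:
    """AP-side RSSI threshold check for 'sticky' clients (added example).

    threshold_dbm: RSSI (dBm, as seen by the AP) below which a client becomes
                   a disassociation candidate.
    window:        number of recent samples averaged per client, so one noisy
                   reading does not decide on its own.
    grace:         consecutive below-threshold averages required before the
                   AP disassociates (hysteresis against flapping).
    """

    def __init__(self, threshold_dbm=-80, window=4, grace=3):
        if not NO_SIGNAL_DBM <= threshold_dbm <= 0:
            raise ValueError("RSSI threshold must be a dBm value in [-100, 0]")
        self.threshold_dbm = threshold_dbm
        self.window = window
        self.grace = grace
        self._samples = {}      # mac -> deque of recent RSSI samples
        self._strikes = {}      # mac -> consecutive below-threshold averages
        self.associated = set()

    def associate(self, mac):
        self.associated.add(mac)
        self._samples[mac] = deque(maxlen=self.window)
        self._strikes[mac] = 0

    def smoothed_rssi(self, mac):
        """Average of the recent samples, or None if none seen yet."""
        s = self._samples.get(mac)
        return sum(s) / len(s) if s else None

    def observe(self, mac, rssi_dbm):
        """Feed one RSSI sample; return True if the AP disassociates the client now."""
        if mac not in self.associated:
            return False
        # Anything at or below -100 dBm is treated as no signal.
        self._samples[mac].append(max(rssi_dbm, NO_SIGNAL_DBM))
        if self.smoothed_rssi(mac) < self.threshold_dbm:
            self._strikes[mac] += 1
        else:
            self._strikes[mac] = 0           # signal recovered: start over
        if self._strikes[mac] >= self.grace:
            self.associated.discard(mac)     # client must re-associate elsewhere
            return True
        return False


def run_trace(threshold_dbm, trace, window=4, grace=3):
    """Feed a constructed RSSI trace for one client; return the index of the
    sample at which the AP disassociated it, or None if it stayed associated."""
    mon = StickyClientMonitor(threshold_dbm, window, grace)
    mon.associate("aa:bb:cc:dd:ee:01")       # constructed client MAC
    for i, rssi in enumerate(trace):
        if mon.observe("aa:bb:cc:dd:ee:01", rssi):
            return i
    return None


# Constructed traces (dBm): a client walking away from its AP, and one that
# suffers a short fade but is still well served afterwards.
WALKING_AWAY = [-55, -60, -68, -74, -79, -83, -86, -88, -90, -92]
BRIEF_FADE = [-60, -62, -85, -90, -92, -63, -61, -60]

if __name__ == "__main__":
    print("walking away ->", run_trace(-80, WALKING_AWAY))            # 8: disassociated
    print("brief fade   ->", run_trace(-80, BRIEF_FADE))              # None: kept
    print("brief fade, no grace ->", run_trace(-80, BRIEF_FADE, grace=1))  # 4
```

With grace set to 1 the same fade trace is kicked at the fourth sample, which is the flapping the averaging window and grace count are there to prevent.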
Configuring IEEE802.11r Settings for Secure Fast Roaming
Many deployed implementations of IEEE 802.11 WiFi have effective ranges of
only a few hundred meters, so, to maintain communications, devices in motion
need to hand-off from one access point to another. In an automotive
environment, this could easily result in a hand-off every five to ten seconds.
Hand-offs are already supported under the existing standard. The fundamental
architecture for hand-offs is identical for 802.11 with and without 802.11r:
the mobile device is entirely in charge of deciding when to hand-off and to
which access point it wishes to hand-off. In the early days of 802.11, hand-off was a much simpler task for the mobile device. Only four messages were
required for the device to establish a connection with a new access point
(five if you count the optional “I’m leaving” message [deauthentication and
disassociation packet] the client could send to the old access point).
However, as additional features were added to the standard, including 802.11i
with 802.1X authentication and 802.11e or WMM with admission control requests,
the number of messages required went up dramatically. During the time these
additional messages are being exchanged, the mobile device’s traffic,
including that from voice calls, cannot proceed, and the loss experienced by
the user could amount to several seconds. Generally, the highest amount of
delay or loss that the edge network should introduce into a voice call is 50
ms.
802.11r undoes the added burden that security and quality of service added to
the hand-off process and restores it to the original four-message exchange. In
this way, hand-off problems are not eliminated, but at least are returned to
the status quo.
The primary application currently envisioned for the 802.11r standard is voice
over IP (VOIP) through mobile phones designed to work with wireless Internet
networks, instead of (or in addition to) standard cellular networks.
Configuring IEEE802.11k Settings for Dynamic Radio Management
The IEEE802.11k Settings section of the 5GHz or 2.4GHz Radio Advanced screen
provides the Enable Neighbor Report option. Enabling this option makes the
access point collect radio measurements, as defined by the IEEE802.11k
amendment to the 802.11 standard.
The Neighbor Report request is sent from a client to an access point. The
access point returns a Neighbor Report containing information about
neighboring access points that are known candidates for the client to
reassociate with (should the client choose to do so). Therefore, the Neighbor
Report request/report pair enables the client to collect information about the
neighboring access points of the access point it is currently associated to,
and this information might be used as identification of potential candidates
for a new point of attachment while roaming.
The benefits of the Neighbor Report request/report pair are:
- Speeds up scanning: Instead of the client engaging in time-consuming scanning activity (either actively probing for access points or passively listening to every channel for beacons), the client can instead narrow its list to the known available neighbors. This is especially useful in high-density environments where multiple WLANs can be heard by the client.
- Reduces client power consumption: The time taken by scanning (especially active scanning) also consumes battery power for the client. As the neighbor report provides information before roaming, less power might be consumed.
- More efficient use of WLAN air time: Active scanning is not only time consuming from the perspective of client resources (such as CPU, memory, radio), it is also air-time consuming. For example, a client that is not neighbor-aware likely engages in so-called wild card probe requests (some clients burst these). In this scenario, typically every access point that hears the probe request generates a probe response. In other words, for a single client, N access points generate N probe responses. If multiple clients engage in wild card probing, then the RF environment can quickly become polluted with management traffic simply because the clients are not using neighbor requests. This has a negative impact for the entire WLAN.
Configuring IEEE802.11v Settings for Dynamic Environment Management
802.11v refers to the IEEE802.11 Wireless Network Management (Amendment 8).
This is an amendment to the IEEE 802.11 standard to allow configuration of
client devices while connected to wireless networks. Stations that support WNM (Wireless Network Management) can exchange information with each other (access points and wireless clients) to improve the performance of the wireless network. 802.11v allows client devices to exchange information about the network topology, including information about the RF environment, making each client network-aware and facilitating overall improvement of the wireless network.
Stations use WNM protocols to exchange operational data so that each station
is aware of the network conditions, allowing stations to be more cognizant of
the topology and state of the network. WNM protocols provide a means for
stations to be aware of the presence of collocated interference, and enable
stations to manage RF parameters based on network conditions.
In addition to providing information on network conditions, WNM also provides
a means to exchange location information, provide support for multiple BSSID
capability on the same wireless infrastructure, support efficient delivery of
group addressed frames, and enable a WNM-Sleep mode in which a STA can sleep
for long periods without receiving frames from the AP.
BSS Max Idle Period management has been supported by SonicWall SonicPoints. SonicWave supports two more WNM services to improve the performance of the wireless network:
- Enable BSS Transition Management: Enables an access point to request a voice client to transition to a specific access point, or suggest a set of preferred access points to a voice client, because of network load balancing or BSS termination. This helps the voice client identify the best access point to which it should transition as it roams. The BSS Transition capability can improve throughput, data rates and QoS for the voice clients in a network by shifting (through transition) the individual voice traffic loads to more appropriate points of association within the ESS. An 802.11v BSS Transition Management Request is a suggestion given to the client. The client can make its own decision whether to follow the suggestion or not.
  BSS Transition Management uses these frame types:
  - Query: A Query frame is sent by the voice client that supports BSS Transition Management, requesting a BSS transition candidate list from its associated access point, if the associated access point indicates that it supports the BSS transition capability.
  - Request: An access point that supports BSS Transition Management responds to a BSS Transition Management Query frame with a BSS Transition Management Request frame.
  - Response: A Response frame is sent by the voice client back to the access point, informing whether it accepts or denies the transition.
- WNM-Sleep Mode: An extended power-save mode for non-access point stations whereby a non-access point station need not listen for every delivery traffic indication message (DTIM) Beacon frame, and does not perform group temporal key/integrity group temporal key (GTK/IGTK) updates. WNM-Sleep mode enables a non-access point station to signal to an access point that it is sleeping for a specified time. This enables a non-access point station to reduce power consumption and remain associated while the station has no traffic to send to or receive from the access point.
  IMPORTANT: If WNM-Sleep mode is enabled and the station supports WNM-Sleep mode, update the station to avoid the Key Reinstallation Attack.
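The 802.11k Neighbor Report and the 802.11v BSS Transition Management Request described above share one wire format: the Request's candidate list is a sequence of Neighbor Report elements. The following added Python decoder (example code, not SonicWall's and not from this guide) parses such a Request and its candidates using the field layouts of IEEE 802.11-2016 (Neighbor Report element, BSS Transition Management Request frame); the frame bytes are constructed for the demonstration, and the final filtering of candidates by preference and matching security is this example's own client-side check, not a documented SonicOS behaviour.

```python
import struct

WNM_CATEGORY = 10              # Action frame category: WNM
BTM_REQUEST_ACTION = 7         # BSS Transition Management Request
NEIGHBOR_REPORT_ID = 52        # Neighbor Report element (802.11k)
CANDIDATE_PREF_SUBELEM_ID = 3  # BSS Transition Candidate Preference subelement
# Request Mode bit flags of the BTM Request
MODE_CANDIDATE_LIST = 0x01
MODE_ABRIDGED = 0x02
MODE_DISASSOC_IMMINENT = 0x04
MODE_BSS_TERMINATION = 0x08
MODE_ESS_DISASSOC_IMMINENT = 0x10
REACHABILITY = {0: "reserved", 1: "not reachable", 2: "unknown", 3: "reachable"}


def parse_neighbor_report(elem):
    """Decode one Neighbor Report element: ID, Length, BSSID(6), BSSID Info(4),
    Operating Class, Channel, PHY Type, optional subelements. BSSID Info bits
    used: 0-1 reachability, 2 Security, 3 Key Scope, 10 Mobility Domain."""
    if len(elem) < 15 or elem[0] != NEIGHBOR_REPORT_ID or elem[1] != len(elem) - 2:
        raise ValueError("malformed Neighbor Report element")
    info = struct.unpack_from("<I", elem, 8)[0]
    report = {
        "bssid": ":".join(f"{b:02x}" for b in elem[2:8]),
        "reachability": REACHABILITY[info & 0x3],
        "same_security": bool(info & (1 << 2)),      # same security provisioning
        "same_authenticator": bool(info & (1 << 3)),  # Key Scope bit
        "same_mobility_domain": bool(info & (1 << 10)),
        "operating_class": elem[12],
        "channel": elem[13],
        "phy_type": elem[14],
        "preference": None,   # candidate preference: 0 = excluded, 255 = best
    }
    pos = 15                  # optional subelements: id, length, data
    while pos + 2 <= len(elem):
        sub_id, sub_len = elem[pos], elem[pos + 1]
        if pos + 2 + sub_len > len(elem):
            raise ValueError("truncated Neighbor Report subelement")
        if sub_id == CANDIDATE_PREF_SUBELEM_ID and sub_len == 1:
            report["preference"] = elem[pos + 2]
        pos += 2 + sub_len
    return report


def parse_btm_request(body):
    """Decode a BSS Transition Management Request action frame body."""
    if len(body) < 7 or body[0] != WNM_CATEGORY or body[1] != BTM_REQUEST_ACTION:
        raise ValueError("not a BSS Transition Management Request")
    mode = body[3]
    req = {
        "dialog_token": body[2],
        "disassoc_imminent": bool(mode & MODE_DISASSOC_IMMINENT),
        "disassoc_timer_tbtt": struct.unpack_from("<H", body, 4)[0],
        "validity_interval_tbtt": body[6],
        "candidates": [],
    }
    pos = 7
    if mode & MODE_BSS_TERMINATION:        # fixed 12-byte BSS Termination Duration
        pos += 12
    if mode & MODE_ESS_DISASSOC_IMMINENT:  # Session Information URL: length + URL
        url_len = body[pos]
        req["session_url"] = body[pos + 1:pos + 1 + url_len].decode("ascii", "replace")
        pos += 1 + url_len
    if mode & MODE_CANDIDATE_LIST:         # candidate list = Neighbor Report elements
        while pos + 2 <= len(body):
            end = pos + 2 + body[pos + 1]
            if end > len(body):
                raise ValueError("truncated candidate list")
            req["candidates"].append(parse_neighbor_report(body[pos:end]))
            pos = end
    # The Request is only a suggestion; this example's client-side check skips
    # candidates marked excluded (preference 0) or not matching its security setup.
    req["usable"] = [c["bssid"] for c in req["candidates"]
                     if c["preference"] != 0 and c["same_security"]]
    return req


def build_neighbor_report(bssid_hex, info, op_class, channel, phy, pref=None):
    """Build a Neighbor Report element (used here to construct the sample frame)."""
    body = bytes.fromhex(bssid_hex) + struct.pack("<I", info) + bytes([op_class, channel, phy])
    if pref is not None:
        body += bytes([CANDIDATE_PREF_SUBELEM_ID, 1, pref])
    return bytes([NEIGHBOR_REPORT_ID, len(body)]) + body


# Constructed sample (not a capture): a load-balancing AP offers two candidates;
# only the first is reachable with the same security, authenticator and mobility domain.
SAME_SEC_AUTH_MD = 0x3 | (1 << 2) | (1 << 3) | (1 << 10)
SAMPLE_BTM_REQUEST = (
    bytes([WNM_CATEGORY, BTM_REQUEST_ACTION, 0x11, MODE_CANDIDATE_LIST | MODE_ABRIDGED])
    + struct.pack("<H", 0)   # disassociation timer 0: no forced disassociation
    + bytes([200])           # validity interval in TBTTs
    + build_neighbor_report("020000000002", SAME_SEC_AUTH_MD, 128, 36, 9, pref=255)
    + build_neighbor_report("020000000003", 0x3, 81, 6, 7, pref=0)
)

if __name__ == "__main__":
    decoded = parse_btm_request(SAMPLE_BTM_REQUEST)
    print(decoded["candidates"], "usable:", decoded["usable"])
```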
Sensor Settings for WIDP in Provisioning Profiles
In the Sensor tab, you can enable or disable the Wireless Intrusion Detection
and Prevention (WIDP) sensor. SonicWave appliances can function as both an
access point and as a sensor to detect any unauthorized access point connected
to a SonicWall network.
In earlier releases, access point or virtual access point functionality is
disabled if this option is selected.
To configure the Sensor screen options:
1. Select Enable WIDP Sensor to have the access point operate as a WIDP sensor. This option is not selected by default.
2. From the drop-down menu, select the schedule for when the access point operates as a WIDP sensor, or select Create new Schedule… to specify a different time. The default is Always on.
Mesh Network Settings for Provisioning Profiles
This feature provides a scalable, secure wireless network infrastructure across large coverage areas. You can use this feature to deploy and manage SonicWave access points.
Topics:
- Setting Up a Mesh Network
- Enabling a Multi-hop Mesh Network
- Active/Active Clustering Full Mesh
Setting Up a Mesh Network
To set up a Mesh network:
1. Enable Mesh in the SonicWave profile for your firewall as described in Enabling a Multi-hop Mesh Network.
2. Connect each SonicWave to this firewall using an Ethernet cable.
3. When a SonicWave's state becomes operational, disconnect the cable from that appliance.
4. Keep one SonicWave connected to the firewall.
5. Move the disconnected SonicWave to its designated location.
6. Power up all the SonicWaves.
7. To view the network, navigate to DEVICE | Access Points > Topology View.
Enabling a Multi-hop Mesh Network
To enable multi-hop mesh networks:
1. Navigate to the DEVICE | Access Points > Settings page.
2. Click Access Point Provisioning Profiles.
3. Click the Edit icon for the SonicWave profile. The Edit SonicWave Profile dialog displays.
4. Click the Mesh Network tab.
5. To enable the radio band Mesh on the SonicWave, select Enable MESH.
6. Choose the radio to be used for the mesh network:
   - 5GHZ Radio
   - 2.4GHZ Radio
7. Enter the SSID for the WLAN network in MESH SSID.
8. Enter the preshared key in MESH PSK.
9. Enter the threshold in MESH RSSI Threshold. The default is -80.
10. Click OK.
Active/Active Clustering Full Mesh
An Active/Active Clustering Full-Mesh configuration is an enhancement to the
Active/Active Clustering configuration option and prevents any single point of
failure in the network. All firewall and other network devices are partnered
for complete redundancy. Full-Mesh ensures that there is no single point of
failure in your deployment, whether it is a device (security
appliance/switch/router) or a link. Every device is wired twice to the
connected devices. Active/Active Clustering with Full-Mesh provides the
highest level of availability possible with high performance; see the
following table.
IMPORTANT: The routers in the security appliance’s upstream network should be
preconfigured for Virtual Router Redundancy Protocol (VRRP). Full Mesh
deployments require that Port Redundancy is enabled and implemented.
BENEFITS OF ACTIVE/ACTIVE CLUSTERING FULL MESH
- No Single Point of Failure in the Core Network: In an Active/Active Clustering Full-Mesh deployment, there is no single point of failure in the entire core network, not just for the security appliances. An alternative path for a traffic flow is always available in case there are simultaneous failures of switch, router, and security appliance on a path, thus providing the highest levels of availability.
- Port Redundancy: Active/Active Clustering Full-Mesh utilizes port redundancy in addition to HA redundancy within each Cluster Node, and node-level redundancy within the cluster. With port redundancy, a backup link takes over in a transparent manner if the primary port fails. This prevents the need for device-level failover.
3G/4G/LTE WWAN Settings for Provisioning Profiles
NOTE: If you are not configuring a USB modem, you can skip this section.
This feature provides another wireless WAN solution for firewall appliances that use wireless access points such as SonicWave devices. You can plug a USB modem device into the SonicWave; it performs the dial-up operation and connects to the Internet. Once connected, the SonicWave acts as a WWAN device for the firewall and provides WAN access. When configuring the modem for the first time, you can use the wizard to take advantage of the auto-discovery features for this option.
Topics:
- Manually Configuring the 3G/4G/LTE WWAN Profile
- Configuring Load Balancing among Multiple USB Modems
Manually Configuring the 3G/4G/LTE WWAN Profile
You can manually configure the 3G/4G/LTE WWAN profile or manually make changes
by using the following procedure.
To manually configure the modem as a WWAN:
1. Click 3G/4G/LTE WWAN.
2. Toggle the option to Enable 3G/4G/LTE modem.
3. Select a VLAN interface from the Bound to WAN VLAN Interface drop-down menu.
   If no interfaces are listed in the drop-down menu, you need to define one. Refer to NETWORK | System > Interfaces.
   NOTE: When building a VLAN interface, set the zone to WAN zone and the parent interface to the physical interface the access point is connected to. For 3G USB modems, set the IP Assignment to Static and assign a private IP address to it. Leave the Gateway and DNS server fields blank. For 4G and QMI modems, set the IP Assignment to DHCP.
4. In the Connection Profile section, toggle the option to Enable Connection Profile.
   NOTE: Some traditional 3G/4G modems need connection profiles for dial-up.
5. In the Country field, select the country where the access point is deployed.
6. Select the Service Provider from the drop-down menu.
7. Select the Plan Type from the drop-down menu. Depending on the selection, other fields are autopopulated.
8. Select a Connection Type from the drop-down menu. These selections depend on available service providers and plan types.
9. Dial Number should populate with the appropriate figure depending on the Connection Type selected.
10. If needed, add the User Name and Password to the appropriate fields.
11. Enter your APN. Each carrier has a set of APNs (Access Point Names) for their networks. An APN is considered the name of the gateway to access the WAN. This is specified by the carrier. For example, two common APNs used by AT&T:
    - broadband (no longer supports PPP)
    - 2gold (supports PPP)
12. After the screen settings are complete, click OK.
Configuring Load Balancing among Multiple USB Modems
When multiple SonicPoint/SonicWaves and multiple 3G/4G modems (at least two of
each) are available, load balancing can be performed among these multiple
pairs of SonicPoint/SonicWaves and modems. To configure load balancing using multiple 3G/4G modems:
1. Assign a unique VLAN to each pair of SonicPoint/SonicWaves and 3G/4G modems.
2. Add these VLAN interfaces to a load balancing group on the NETWORK | System > Failover & LB page.
Bluetooth LE Settings for Provisioning Profiles
SonicWave series are equipped with Bluetooth Low Energy (BLE) functionality,
which is a subset of classic Bluetooth. BLE enables smart phones, tablets,
SonicWall mobile applications, and other devices, such as other SonicWaves, to
easily connect to the SonicWave access point, especially when in close
proximity to an appliance with iBeacon enabled. BLE also provides location
estimation. iBeacon is a protocol developed by Apple. Various vendors make
iBeacon-compatible BLE devices that broadcast their identifier to nearby
portable electronic devices. The technology enables smart phones, tablets, and
other devices to perform actions when in close proximity to an iBeacon.
To enable and configure Bluetooth Low Energy settings:
1. Navigate to the DEVICE | Access Points > Settings page.
2. Click Access Point Provisioning Profiles.
3. Click the Edit icon for SonicWave. The Edit SonicWave Profile dialog displays.
4. Click Bluetooth LE.
5. To enable BLE advertisement, select Enable Advertisement. This option is not selected by default. When this option is enabled, the Enable iBeacon option becomes available.
   NOTE: Enabling BLE advertisement might affect or interfere with the 2.4G radio frequencies.
6. To enable iBeacon so that BLE devices broadcast their identifiers, select Enable iBeacon. This option is not selected by default. The subordinate fields become available.
7. Complete the fields:
   - UUID: Enter the 36-character UUID. For example: 51b9d455-6a32-426c-b5cc-524181c24df3
   - Major: Enter the significant identity in the same geographical group. The range is 0 to 65535; the default is 0.
   - Minor: Enter the secondary identity in the same geographical group. The range is 0 to 65535; the default is 0.
   TIP: Use different UUIDs to distinguish different geographical groups, and the Major and Minor options to distinguish areas within a geographical group. For example, you deploy several SonicWave appliances with BLE in one building and set the same UUID for all of them. The SonicWave appliances on the same floor have the same Major number, but different Minor numbers for different places on the same floor. In this way, your mobile device can determine which SonicWave appliance it is close to, and therefore its own location.
8. Click OK.
Deleting Access Point Profiles
NOTE: You cannot delete the predefined profiles; you can only delete those you add.
You can delete individual profiles or groups of profiles from the Access Point Provisioning Profiles section on the DEVICE | Access Points > Settings page:
- Delete a single access point profile by:
  1. Hover on the access point profile and click Delete. A confirmation message appears.
  2. Click OK.
- Delete one or more access point profiles by:
  1. Select the checkbox next to the name(s) of the access point profiles to be deleted.
  2. Click the Delete icon. A confirmation message appears.
  3. Click OK.
Product Specific Configuration Notes
The SonicPoint configuration process varies slightly depending on whether you are configuring a single-radio device (SonicPointN) or a dual-radio device (SonicWave, SonicPoint AC, and SonicPoint NDR).
Managing Access Point Objects
The SonicPoint/SonicWave Access Point Objects section displays the settings
for connected access points, and provides icons to edit them or perform other
actions. The table displays the configured values for the access points,
including:
- #: Row reference number
- Name: Name of access point
- Enable: Selected if the access point is enabled
- Interface: Firewall interface number and zone to which the access point is connected
- Network Settings: Access point IP address, MAC address, and management designation
- Status: Operational, Non-responsive, or other access point states
- 5GHz Radio: Access point SSID (MSSID) name for this radio, frequency and 802.11 protocols
- 5GHz Radio Channel: Band setting, channels, and state of radio such as enabled and active
- 2.4GHz Radio: Access point SSID (MSSID) name for this radio, frequency and 802.11 protocols
- 2.4GHz Radio Channel: Band setting, channels, and state of radio such as enabled and active
- 3G/4G/LTE: Enabled/disabled state of 3G, 4G, or LTE and binding information
Topics:
- Deleting Access Point Objects
- Rebooting Access Point Objects
- Modifying Access Point Objects
Deleting Access Point Objects
You can delete individual access points or groups of access points from the Access Point Objects tab on the DEVICE | Access Points > Settings page:
- Delete a single object by:
  1. Hover on the object and click the Delete icon. A confirmation message appears.
  2. Click OK.
- Delete one or more objects by:
  1. Select the checkbox next to the objects to be deleted.
  2. Click the Delete icon. A confirmation message appears.
  3. Click OK.
Rebooting Access Point Objects
You can reboot individual access points or groups of access points from the Access Point Objects section on the DEVICE | Access Points > Settings page:
- Reboot a single object by:
  1. Check the checkbox next to the name of the access point to be rebooted.
  2. Click Reboot. A confirmation message displays.
  3. Select the type of reboot:
     - reboot (default): Reboots to the configured profile settings.
     - reboot to factory default: Reboots to factory default settings.
       CAUTION: Selecting this option overwrites the access point profiles with factory default values.
  4. Click OK.
Modifying Access Point Objects
An access point object can be modified from the DEVICE | Access Points > Settings page.
1. Hover on the object which you want to modify and click the Edit icon.
2. Change the settings you want to modify.
3. Click OK to save the new settings.
NOTE: New SonicPoint/SonicWave access points are added automatically when the network appliance performs an auto-discovery process.
4
Firmware Management
The DEVICE | Access Points > Firmware Management page provides a way to obtain the latest SonicPoint/SonicWave firmware and update an access point with it.
Topics:
- About Firmware Management
- Obtaining the Latest SonicWall Firmware
- Downloading Firmware from a Specific URL
- Uploading Firmware to an Access Point
About Firmware Management
The Firmware Management table displays the status of the current access point firmware images, and provides buttons to obtain new firmware and upload it to the access points.
- Firmware Image: Displays the type of access point for the firmware image.
- Version: Displays the firmware version supported by the firewall that the access point needs to match. When a new version of AP firmware is available and supported by the firewall, the Version entry displays it and the access point is automatically updated to it after connecting.
- Status: Initially, all firmware status is Never Download. If a different firmware image is uploaded to the firewall buffer, it changes to a check mark indicating Ready.
- Build Date: Displays the date that the uploaded firmware was created.
- Action: Mouse-over provides two icons:
  - Upload Firmware: Click to upload the downloaded firmware to the firewall buffer. As previously described for Version, a new, supported AP firmware is automatically pushed to the access point. To push the firmware to an access point that is already in operational status, you must use an internal setting. Contact SonicWall Support for information about using internal settings.
  - Reset Firmware: Click to remove the downloaded firmware image from the buffer.
The Download URL section of the page provides a way to download access point firmware images from a specific location over HTTP. This allows you to load alternate firmware, such as a version provided by SonicWall Support that is not yet officially released.
Obtaining the Latest SonicWall Firmware
To obtain the latest firmware version from SonicWall:
1. Navigate to the DEVICE | Access Points > Firmware Management page.
2. In the Firmware Management table, hover on the desired access point and click the Upload Firmware icon.
3. In the Upload Firmware dialog box, click the software.SonicWall.com link.
4. The file, for example sw_firmware.sig, is saved to your default location, such as your Downloads folder.
Downloading Firmware from a Specific URL
You can manually specify a URL location and download a firmware image from it
for use on your access point. To specify a URL for the image:
1. Navigate to DEVICE | Access Points > Firmware Management.
2. Scroll to the Download URL section.
3. Toggle the option for the type of image to be downloaded. A field becomes available.
4. Enter the URL of the image's location in the field. Specify the server name or IP, the path, and the file name. The file name should have a .sig extension. For example: 192.168.168.10/imagepath/sonicpoint.bin.sig.
5. Click Accept. The file is saved to the firewall buffer.
Uploading Firmware to an Access Point
You can upload any locally saved firmware image file to an access point. The
saved file can be an official SonicWall firmware version, or a firmware image
downloaded from a manually specified URL. To upload a firmware image to an
access point:
1. Do one of the following to obtain the firmware image and save it on your local workstation:
   - Download an official SonicWall version as described in Obtaining the Latest SonicWall Firmware. This procedure leaves you in the Upload Firmware dialog after saving the image file to your local computer.
   - Download a firmware image from a manually specified URL as described in Downloading Firmware from a Specific URL.
2. If you want to upload a firmware image, click Upload Firmware under Action in the row for the desired access point type to open the Upload Firmware dialog box. If you downloaded the image file using the link to software.SonicWall.com, the dialog is already open.
3. In the Upload Firmware dialog, click Browse, navigate to the saved image and select it. The Upload Firmware dialog now displays the firmware image name.
4. In the Upload Firmware dialog, click Upload. The firmware image is uploaded to the buffer on your security appliance. While uploading, the Status indicates the percentage of the upload. When the upload completes, the Version column displays the new firmware version. If the access point is connected, the firmware version is automatically pushed to it and the Status changes to a check mark, indicating that the firmware image is Ready, and the Build Date shows the date that the image was created. The access point is now running the new firmware.
5. To clear the downloaded firmware from the buffer, click Reset Firmware. The Status indicator and Build Date return to the default display.
5
Floor Plan View
On the DEVICE | Access Points > Floor Plan View page, the SonicOS user
interface allows a more visual approach to managing large numbers of SonicWave
and SonicPoint devices. You can also track physical location and real-time
status. The Floor Plan View feature is an add-on to the existing wireless
access point management suite in SonicOS. It provides a real-time picture of
the actual wireless radio environment and improves your ability to estimate
the wireless coverage of new deployments. The FPMV also provides a single point console to check access point statistics, monitor access point real-time status, configure access points, remove access points and even show the access point RF coverage from the consolidated context menu. The following is a sample of a typical floor plan view.
Topics:
- Managing the Floor Plans
- Managing Access Points
Managing the Floor Plans
The Floor Plan View feature has a number of ways to view, add, and edit floor plans. The most common are described in this section.
Topics:
- Selecting a Floor Plan
- Creating a Floor Plan
- Editing a Floor Plan
- Set Measuring Scale
Selecting a Floor Plan
Navigate to DEVICE | Access Points > Floor Plan View page and click (Floorplan
List) icon in the upper left corner and select the floor plan you would like
to display.
Creating a Floor Plan
There are several ways you can create a new Floor Plan.
The first method of creating a new floor plan:
1. Navigate to the DEVICE | Access Points > Floor Plan View page.
2. Click the (Floorplan List) icon in the upper right corner. The Floorplans dialog appears.
3. Click the + icon in the right corner. Another Floorplans dialog is displayed.
4. Fill in the fields describing the plan.
5. Click OK.
A second method of adding a new Floorplan:
1. Navigate to the DEVICE | Access Points > Floor Plan View page.
2. Click + Create Floorplan in the upper right corner. The Add New Floorplan dialog appears.
3. Fill in the fields describing the plan.
4. Click OK.
The third method of creating a new Floorplan is as follows:
1. Navigate to the DEVICE | Access Points > Floor Plan View page.
2. Click +Add New in the middle area of the page. The Add New Floorplan dialog appears.
3. Fill in the fields describing the plan.
4. Click OK.
Editing a Floor Plan
To edit a floor plan:
1. Navigate to the DEVICE | Access Points > Floor Plan View page.
2. Click Edit Current Floorplan. The Edit Floor Plan dialog displays or, if you have not yet created a Floorplan, the Add New Floorplan dialog displays.
3. Change the fields as necessary.
4. Click OK.
To edit a Floor Plan in the list:
1. Navigate to the DEVICE | Access Points > Floor Plan View page.
2. Click the (Floorplan List) icon.
3. Select the check box of the Floor Plan which you want to edit and click the Edit icon. The Edit Floor Plan dialog is displayed.
4. Change the fields as needed.
5. Click OK.
To edit the current Floor Plan:
1. Navigate to the DEVICE | Access Points > Floor Plan View page.
2. Click Edit Current Floorplan at the top right of the page.
3. The Edit Floorplan dialog displays. If you have not yet created a Floorplan, the Add New Floorplan dialog displays.
4. Change the fields as needed.
5. Click OK.
Managing Access Points
The individual access points can be managed on the Floor Plan View page. Access Point status is displayed with color.
Topics:
- Available Devices
- Added Access Points
- Removing Access Points
- Export Image
Available Devices
The access points that are available for deployment are shown in the Devices
Available list. The list typically appears in the upper right corner. You can
close it by clicking on the X in the corner. To show the list, click DEVICE |
Access Points > Floor Plan View > Floor Plan Info.
You can drag-and-drop these access points to the floor plan and place them
where you want them. Be sure to SAVE PLAN when done.
NOTE: Access points that have already been added to a floor plan appear as
devices in the Floorplan List.
Added Access Points
The access points that have been deployed are shown by clicking the Floorplan
List in the top right corner of DEVICE | Access Points > Floor Plan View in
the information bar. You can close it by clicking on the X in the corner.
There are several ways you can add access points to a floor plan:
1. Drag-and-drop existing access points to various floor plans.
2. Click +Add New in the center of the Floor Plan View.
3. Click +Create Floorplan in the Information bar at the top of the page.
4. In Floorplan List, click the "+" icon on the Floorplans dialog.
You can also delete access points from the floor plan.
NOTE: Access points that have already been added to a floor plan appear as devices in the Floorplan List.
Removing Access Points
To remove all access points:
1. Navigate to DEVICE | Access Points > Floor Plan View.
2. Click More.
3. Select Remove All Added Access Points of the Current FloorPlan.
Export Image
To export the floor plan images:
1. Navigate to the DEVICE | Access Points > Floor Plan View page.
2. Click the More option.
3. Select Export As Image and choose the image format.
4. Save the file where you can access it later.
Context Menu
You can use your mouse to activate various context menus:
- When you mouse over an active access point on the floor plan, a pop-up displays access point information, including status, SSID, client number, and up time.
- When you click the access point, the context menu displays, including Edit this Access Point, Show Access Point Statistics, Monitor Access Point Status, Show/Hide RF Coverage, Remove from Plan, and Delete Access Point.
6 Station Status
The DEVICE | Access Points > Station Status page reports on the statistics of each access point.
The table lists entries for each wireless client connected to each access point. The sections of the table are divided by Access Point; under each access point is the list of all clients currently connected to it. Use the Search feature to locate specific access points.
When you mouse over any specific access point, two options appear that can be clicked for more information: Statistics of that access point, and Monitor that access point. When you mouse over a station, Statistics of that station can also be clicked for expansion. Use the View Style filtering mechanism to narrow access point types, or the default to search all access point types.
Click Access Point Bandwidth to reveal a dialog with statistical information about your access point's bandwidth usage. Click Refresh to update statistical information, or OK to close the dialog.
Click Refresh in the top right corner to refresh the list.
7 Intrusion Detection Services
Rogue devices have emerged as one of the most serious and insidious threats to wireless security. In general terms, a device is considered rogue when it has not been authorized for use on the network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue devices. The real threat emerges in a number of different ways:
- Unintentional and unwitting connections to the rogue device
- Transmission of sensitive data over non-secure channels
- Unwanted access to LAN resources
While this does not represent a deficiency in the security of a specific wireless device, it is a weakness in the overall security of wireless networks. Intrusion Detection Services (IDS) greatly increase the security capabilities of the firewall because they help the appliance recognize and take countermeasures against the most common types of illicit wireless activity.
IDS reports on all access points the firewall can find by scanning the 802.11a, 802.11g, and 802.11n radio bands on the access points. The DEVICE | Access Points > IDS page reports on all devices detected by the firewall and its associated access points, and provides the ability to authorize legitimate devices.
The following table describes the Discovered Access Point Table and the entities that are displayed on the IDS page.
| Column or Entity | Description |
| --- | --- |
| Entity | |
| Search | Use the Search feature to locate specific access points. |
| View Style: Access Point | If you have more than one access point, you can select an individual access point from the Access Point drop-down menu, or All Access Points if you want to see all of them. |
| Scan All | Initiates an operation to call all access points and identify connected devices. |
| Refresh | Refreshes the screen to display the most current list of access points in your network. |
| Discovered Access Points Table | |
| Access Point | The access point name; shown only when All SonicPoints is selected in the View Style: Access Point drop-down menu. |
| MAC Address (BSSID) | The MAC address of the radio interface of the detected access point. |
| SSID | The radio SSID of the device. |
| Type | The radio band being used by the device: 2.4 GHz or 5 GHz. |
| Channel | The radio channel used by the device. |
| Authentication | The authentication type. |
| Cipher | The cipher mode. |
| Vendor | The vendor of the access point. |
| Signal Strength | The strength of the detected radio signal. |
| Max Rate | The fastest allowable data rate for the access point radio. |
| Authorize | When the Edit icon is clicked, the device is added to the address object group of authorized devices. |

Topics:
- Scanning Access Points
- Authorizing Access Points
Scanning Access Points
Active scanning occurs when the security appliance starts up. When you request a scan after start-up, the wireless clients are interrupted for a few seconds. The scan can affect traffic in the following ways:
- Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
- Persistent connections (protocols such as FTP) are impaired or severed.
- WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client.
CAUTION: Clicking Scan All causes all active wireless clients to be disconnected while the scan is performed. If service interruption is a concern, you should not request a scan while the SonicWall security appliance is in Access Point mode. Wait until no clients are active or a short interruption in service is acceptable.
To perform a scan:
1. Navigate to the DEVICE | Access Points > IDS page.
2. In the View Style: Access Point drop-down menu (at the top of the table), select All Access Points to scan all devices, or choose a specific access point to scan only one device.
3. At the top of the table:
   - If you are scanning all access points, click Scan All.
   - If you are scanning only one access point, select the access point from the View Style: Access Point drop-down menu and then perform the scan.
4. Confirm that you want to perform the scan.
Authorizing Access Points
Access Points that the security appliance detects are regarded as rogue access points until the security appliance is configured to authorize them for operation. To authorize an access point:
1. Navigate to the DEVICE | Access Points > IDS page.
2. Click the Edit icon in the Authorize column for the access point you want to authorize. A confirmation dialog is displayed.
3. Click OK.
4. Verify that authorization was successful by checking that the access point's MAC address was added. (Refer to the SonicOS System Setup for more information.)
8 Advanced IDP
Advanced Intrusion Detection and Prevention (IDP), or Wireless Intrusion Detection and Prevention (WIDP), located at DEVICE | Access Points > Advanced IDP, monitors the radio spectrum for the presence of unauthorized devices (intrusion detection) and takes countermeasures automatically (intrusion prevention) according to administrator settings. When Advanced IDP is enabled on an access point, the radio functions as a dedicated IDP sensor.
CAUTION: When Advanced IDP is enabled on a SonicWall access point radio, its access point functions are disabled and any wireless clients are disconnected.
SonicOS Wireless Intrusion Detection and Prevention is based on SonicPoint and SonicWave access points cooperating with SonicWall gateways. This feature turns your access points into dedicated WIDP sensors that detect unauthorized access points connected to a SonicWall network. This includes detection of KRACK Man-in-the-Middle access points.
CAUTION: A SonicPoint N configured as a WIDP sensor cannot function as an access point.
When an access point is identified as a rogue access point, its MAC address is added to the All Rogue Access Points address object group.
Topics:
- Enabling Wireless IDP on a Profile
- Configuring Wireless IDP Settings
- Viewing KRACK Sniffer Packets
Enabling Wireless IDP on a Profile
You can enable wireless intrusion detection and prevention on an access point profile, including setting a schedule for scanning. For more information about access point profiles, refer to Creating/Modifying Provisioning Profiles of the Access Points > Settings page. To enable Wireless IDP scanning on an access point profile:
1. Navigate to the SonicPoint/SonicWave Provisioning Profiles section of the DEVICE | Access Points > Settings page.
2. Click the Edit icon for the appropriate profile.
3. Click Sensor.
TIP: The Sensor screen is the same for all SonicPoint or SonicWave profiles.
4. Select Enable WIDP Sensor. The drop-down menu becomes active.
5. In the drop-down menu, select the appropriate schedule for IDP scanning, or select Create new schedule to create a custom schedule.
CAUTION: When Advanced IDP scanning is enabled on a SonicPoint/SonicWave radio, its access point functions are disabled and any wireless clients are disconnected.
6. Click OK.
Configuring Wireless IDP Settings
To configure Wireless IDP settings:
1. Navigate to the DEVICE | Access Points > Advanced IDP page.
2. Select Enable Wireless Intrusion Detection and Prevention to enable the appliance to search for rogue access points, including KRACK Man-in-the-Middle access points. This option is not selected by default; when selected, the other options become active.
NOTE: All detected access points are displayed in the Discovered Access Points table on the DEVICE | Access Points > IDS page, and you can authorize any allowed access points.
3. For Authorized Access Points, select the Address Object Group to which authorized Access Points are assigned. By default, this is set to All Authorized Access Points.
NOTE: For SonicPoint Ns, no access point mode Virtual Access Point (VAP) is created. One station mode VAP is created, which is used to do IDS scans, and to connect to and send probes to unsecured access points.
4. For Rogue Access Points, select the Address Object Group to which unauthorized Access Points are assigned. By default, this is set to All Rogue Access Points.
5. Select one of the following two options to determine which access points are considered rogue (only one can be enabled at a time):
   - Add any unauthorized AP into Rogue AP list automatically assigns all detected unauthorized access points, regardless of whether they are connected to your network, to the Rogue list.
   - Add connected unauthorized AP into Rogue AP list assigns unauthorized devices to the Rogue list only if they are connected to your network. The following options determine how IDP detects connected rogue devices; both can be selected:
     - Enable ARP cache search to detect connected rogue AP: Advanced IDP searches the ARP cache for clients' MAC addresses. When one is found and the AP it is connected to is not authorized, the AP is classified as rogue.
     - Enable active probe to detect connected rogue AP: The SonicPoint/SonicWave connects to the suspect device and sends probes to all LAN, DMZ and WLAN interfaces of the firewall. If the firewall receives any of these probes, the AP is classified as rogue.
6. Select Add evil twin into Rogue AP list to add devices to the rogue list when they are not in the authorized list but have the same SSID as a managed access point.
7. Select Block traffic from rogue AP and its associated clients to drop all incoming traffic that has a source IP address that matches the rogue list. From the Rogue Device IP addresses drop-down menu, either:
   - Select All Rogue Devices (default) or an address object group you have created.
   - Create a new address object group by selecting Create New IP Address Object Group. The Add Address Object Group window displays.
8. Select Disassociate rogue AP and its clients to send de-authentication messages to clients of a rogue device to stop communication between them.
9. Select Disassociate Client from KRACK MITM AP to enable the KRACK prevention function. When enabled, the SonicWave periodically checks for KRACK Man-in-the-Middle access points and actively disassociates the client from the KRACK MITM access point when it detects a client associated to it.
10. Click Accept to save your changes.
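The classification rules in steps 5 and 6 (any unauthorized AP, only connected unauthorized APs as found by ARP cache search or active probe, and evil twins that reuse a managed SSID) can be read as a small decision procedure. The Python below is an added example written for this guide and is not SonicOS code: the record layout, the constructed scan results, the ARP cache contents and the probe outcomes are assumptions, and the active probe itself is not modelled, only its recorded result.

```python
"""Rogue access point classification modelled on the Advanced IDP options.

Added example, not SonicOS code: the record layout, the constructed scan
results, the ARP cache and the probe results are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DiscoveredAP:
    bssid: str                      # radio MAC address of the detected access point
    ssid: str
    channel: int
    clients: frozenset = field(default_factory=frozenset)  # client MACs seen associated


@dataclass
class IdpPolicy:
    # Only one of the two "Add ... into Rogue AP list" options may be active.
    add_any_unauthorized: bool = False
    add_connected_unauthorized: bool = False
    arp_cache_search: bool = True   # "Enable ARP cache search to detect connected rogue AP"
    active_probe: bool = True       # "Enable active probe to detect connected rogue AP"
    evil_twin: bool = True          # "Add evil twin into Rogue AP list"

    def __post_init__(self):
        if self.add_any_unauthorized and self.add_connected_unauthorized:
            raise ValueError("only one rogue-list policy can be enabled at a time")


def norm(mac: str) -> str:
    """Normalise a MAC written with ':' or '-' separators to lower-case colon form."""
    return mac.replace("-", ":").lower()


def is_connected(ap, arp_cache, probe_results, policy) -> bool:
    """Decide whether an unauthorized AP is attached to our own network.

    ARP cache search: a client of the AP appears in the firewall's ARP cache,
    i.e. it is reachable on one of our interfaces.
    Active probe: probes sent through the AP arrived at a firewall interface
    (probe_results maps bssid -> True/False; the probing itself is not modelled).
    """
    if policy.arp_cache_search and any(norm(c) in arp_cache for c in ap.clients):
        return True
    if policy.active_probe and probe_results.get(norm(ap.bssid), False):
        return True
    return False


def classify(discovered, authorized, managed_ssids, arp_cache, probe_results, policy):
    """Return {bssid: reason} for every AP that goes onto the rogue list."""
    authorized = {norm(m) for m in authorized}
    arp_cache = {norm(m) for m in arp_cache}
    rogue = {}
    for ap in discovered:
        bssid = norm(ap.bssid)
        if bssid in authorized:
            continue  # authorized devices are never rogue
        if policy.evil_twin and ap.ssid in managed_ssids:
            rogue[bssid] = "evil twin"
        elif policy.add_any_unauthorized:
            rogue[bssid] = "unauthorized"
        elif policy.add_connected_unauthorized and is_connected(ap, arp_cache, probe_results, policy):
            rogue[bssid] = "connected unauthorized"
    return rogue


# Constructed sample scan (no real devices).
SCAN = [
    DiscoveredAP("00-11-22-AA-BB-01", "CorpWiFi", 36),                 # managed, authorized
    DiscoveredAP("00-11-22-AA-BB-02", "CorpWiFi", 1),                  # evil twin of CorpWiFi
    DiscoveredAP("00-11-22-AA-BB-03", "CoffeeShop", 6),                # neighbour, not on our LAN
    DiscoveredAP("00-11-22-AA-BB-04", "HomeRouter", 11,
                 frozenset({"aa:bb:cc:00:00:10"})),                    # its client is in our ARP cache
]
AUTHORIZED = ["00:11:22:aa:bb:01"]
MANAGED_SSIDS = {"CorpWiFi"}
ARP_CACHE = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:99"}
PROBES = {}  # no active probe reached a firewall interface in this sample


def demo(connected_only=True):
    """Run the sample through either rogue-list policy."""
    policy = IdpPolicy(add_any_unauthorized=not connected_only,
                       add_connected_unauthorized=connected_only)
    return classify(SCAN, AUTHORIZED, MANAGED_SSIDS, ARP_CACHE, PROBES, policy)


if __name__ == "__main__":
    print("connected only:", demo(True))
    print("any unauthorized:", demo(False))
```

With the connected-only policy the neighbour on channel 6 stays off the list while the home router whose client shows up in the ARP cache is flagged; with the any-unauthorized policy both are flagged. The evil twin is caught under either policy because the SSID check runs first, which is why step 6 is worth enabling even in a busy RF neighbourhood where you do not want every foreign AP on the rogue list.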
Viewing KRACK Sniffer Packets
When the Enable Wireless Intrusion Detection and Prevention option is enabled, the SonicWave periodically scans the wireless environment looking for a KRACK Man-in-the-Middle access point and any clients interacting with it. KRACK is the acronym for Key Reinstallation Attack.
The KRACK MITM attack clones the real access point on a different channel with the same MAC address as the real access point. When a KRACK MITM access point is detected, the SonicWave opens a monitoring interface on the same channel as the KRACK MITM and sniffs the packets on the channel for a period of time. If a wireless client is associated with the MITM access point and the Disassociate Client from KRACK MITM AP option is enabled, the client is disassociated from the MITM access point. Log messages are reported in the MONITOR | Logs > System Logs page when any of the following events occur:
- KRACK MITM access point is detected
- Client is detected communicating with the MITM access point
- Client is disassociated from the MITM access point
Because the sniffing is done during the KRACK detection process, the captured packets are saved in the buffer of the SonicWave. The following image shows the KRACK sniffer results from SonicWaves.
To analyze the KRACK process, click the Download icon for a SonicWave to export the packet data to the file krackSniffer_[SonicWave name].cap, where [SonicWave name] is the name of the SonicWave. Then open the file and view it using Wireshark or another PCAP analyzer tool.
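The exported krackSniffer_[SonicWave name].cap can be checked for the signature described above (the same BSSID beaconing on more than one channel) without opening a GUI. The Python below is an added example, not SonicWall code: it parses a classic pcap with the radiotap link type, reads the BSSID and the DS Parameter Set channel from each beacon, and reports BSSIDs seen on several channels. The capture built by sample_capture() is constructed for the demonstration, and the assumption that the export uses the radiotap link type is mine, so check the link type of a real export before relying on it.

```python
"""Flag KRACK-style clone access points in an exported 802.11 capture.

Added example, not SonicWall code. It reads a classic pcap with link type
127 (IEEE 802.11 radiotap), collects the channel each BSSID beacons on, and
reports BSSIDs seen on more than one channel: the clone signature the guide
describes (same MAC address, different channel). sample_capture() builds a
constructed capture; no real devices are involved.
"""
import struct

LINKTYPE_IEEE802_11_RADIOTAP = 127


def radiotap_header() -> bytes:
    # Minimal radiotap header: version, pad, length (8), empty present bitmap.
    return struct.pack("<BBHI", 0, 0, 8, 0)


def beacon(bssid: bytes, ssid: str, channel: int) -> bytes:
    """Build one beacon frame (radiotap + 24-byte MAC header + body) for the sample."""
    fc = b"\x80\x00"                                           # management / beacon
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"  # duration, DA, SA, BSSID, seq
    body = struct.pack("<QHH", 0, 100, 0x0411)                 # timestamp, interval, capabilities
    body += bytes([0, len(ssid)]) + ssid.encode()              # SSID information element
    body += bytes([3, 1, channel])                             # DS Parameter Set: current channel
    return radiotap_header() + hdr + body


def pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap file with the radiotap link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def beacons_in(capture: bytes):
    """Yield (bssid, ssid, channel) for every beacon frame in a radiotap pcap."""
    magic, = struct.unpack_from("<I", capture, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", capture, 20)
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("expected radiotap link type 127")
    off = 24
    while off + 16 <= len(capture):
        _, _, incl, _ = struct.unpack_from("<IIII", capture, off)
        pkt = capture[off + 16: off + 16 + incl]
        off += 16 + incl
        rt_len, = struct.unpack_from("<H", pkt, 2)             # radiotap length at bytes 2..3
        f = pkt[rt_len:]
        if len(f) < 36 or (f[0] & 0xFC) != 0x80:               # skip anything but beacons
            continue
        bssid = ":".join(f"{b:02x}" for b in f[16:22])         # address 3 of a beacon
        ssid, channel, p = "", None, 36                        # IEs follow 24 header + 12 fixed bytes
        while p + 2 <= len(f):
            tag, ln = f[p], f[p + 1]
            val = f[p + 2: p + 2 + ln]
            if tag == 0:
                ssid = val.decode(errors="replace")
            elif tag == 3 and ln == 1:
                channel = val[0]
            p += 2 + ln
        if channel is not None:
            yield bssid, ssid, channel


def clone_candidates(capture: bytes):
    """Return {bssid: sorted channels} for BSSIDs that beacon on more than one channel."""
    seen = {}
    for bssid, _ssid, ch in beacons_in(capture):
        seen.setdefault(bssid, set()).add(ch)
    return {b: sorted(c) for b, c in seen.items() if len(c) > 1}


def sample_capture() -> bytes:
    """Constructed capture: a real AP on channel 36 and a clone of it on channel 1."""
    real = bytes.fromhex("001122aabb01")
    other = bytes.fromhex("001122aabb03")
    return pcap([beacon(real, "CorpWiFi", 36), beacon(other, "CoffeeShop", 6),
                 beacon(real, "CorpWiFi", 1), beacon(real, "CorpWiFi", 36)])


def scan_file(path: str):
    """Run the clone check on a capture file on disk, e.g. an exported krackSniffer .cap."""
    with open(path, "rb") as fh:
        return clone_candidates(fh.read())


if __name__ == "__main__":
    print(clone_candidates(sample_capture()))
```

A BSSID on two channels is also what a legitimate AP produces right after a channel change, so treat a hit as a prompt to compare frame timestamps with the System Logs entries rather than as proof on its own. In Wireshark the display filter wlan.fc.type_subtype == 0x08 isolates beacons, and wlan.bssid == <mac> narrows the view to the suspect BSSID so the two channels can be compared frame by frame.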
9 Packet Capture
The DEVICE | Access Points > Packet Capture feature provides an in-depth type of wireless troubleshooting that you can use to gather wireless data from a client site or network and output the data into a readable Packet Capture (PCAP) file. This feature is supported for most SonicWave access points. SonicWave radios can also be configured to capture 802.11 frames into a PCAP file for download.
NOTE: Because the antenna of the scan radio is 1×1, some data frames cannot be captured by the scan radio because of hardware restrictions.
The Packet Capture page shows the status of the SonicWave, the number of packets captured, and the size of the packet buffer. At the right, hover on the SonicWave to configure the capture settings for each SonicWave.
To capture the data for one of the configured SonicWave radios, click Download for that row on the Packet Capture page. The capture file is named with the format "wirelessCapture_[SW name].cap", where SW name is the SonicWave name. Wireshark can be used to read the file.
Using the Edit feature, you can configure the Mode, Radio Band and Standard Channel Capture Radio Settings in the Edit SonicWave Capture Settings dialog, allowing you to capture wireless packets in a specific channel. You can configure up to five source and destination MAC addresses. Click the Edit icon for the SonicWave you want to configure.
SonicWave Capture Radio Settings
1. From the Mode drop-down menu, select the capture radio channel for the appropriate SonicWave.
2. Select an appropriate radio frequency band from the Radio Band drop-down menu.
3. Indicate the standard allowable frequency channel associated with the selected radio band from the Standard Channel drop-down menu.
SonicWave 802.11 Packet Capture Settings
1. Click Enable Packet Capture to begin capturing wireless packets for this
specific SonicWave.
2. To continue capturing packets after the buffer fills up, select Wrap
Capture Buffer Once Full. Selecting this option causes packet capture to start
writing captured packets at the beginning of the buffer again after the buffer
fills.
SonicWave Packet Capture Filter Settings
1. For Source MAC Address(es), enter the MAC address(es) of your wireless adapter(s). Enter a dash between each pair of characters. You can enter up to five addresses. For example: 00-12-34-56-78-AB
2. For Destination MAC Address(es), enter the destination MAC address(es) of your wireless adapter(s). Enter a dash between each pair of characters. You can enter up to five addresses.
3. Enter the BSSID. A BSSID (Basic Service Set IDentifier) is the wireless equivalent of a MAC (Media Access Control) address, or a unique hardware address of an access point or VAP for the purposes of identification. As a client on the SonicWall ESSID moves away from AP1 and toward AP2, the strength of the signal from the former decreases while the latter increases. The client's wireless card and driver constantly monitor these levels, differentiating between the (V)APs by their BSSID. When the card/driver's criteria for roaming are met, the client detaches from the BSSID of AP1 and attaches to the BSSID of AP2, all the while remaining connected to the SonicWall ESSID.
4. Enter the ESSID. An ESSID (Extended Service Set IDentifier) is a collection of access points (or Virtual Access Points) sharing the same SSID. A typical wireless network comprises more than one access point for the purpose of covering geographic areas larger than can be serviced by a single access point. As clients move through the wireless network, the strength of their wireless connection decreases as they move away from one access point (AP1) and increases as they move toward another (AP2). Provided AP1 and AP2 are on the same ESSID (for example, SonicWall) and the (V)APs share the same SSID and security configurations, the client can roam from one to the other. This roaming process is controlled by the wireless client hardware and driver, so roaming behavior can differ from one client to the next, but it is generally dependent upon the signal strength of each access point within an ESSID.
5. Select Enable Bidirectional Address Matching to match the addresses specified in the MAC source and/or destination fields against both the source and the destination fields in each packet.
6. Your SonicWave broadcasts a beacon (an announcement of the availability of a wireless network) for every SSID configured. By default, the SSID is included within the beacon so that wireless clients can see the wireless networks. The option to suppress the SSID within the beacon is provided on a per-SSID (for example, per-VAP or per-AP) basis to help conceal the presence of a wireless network, while still allowing clients to connect by manually specifying the SSID. You can disable this feature by clicking Exclude Beacon.
7. Exclude Probe Request suppresses broadcasting of the SSID name and disables responses to probe requests. Click this option if you do not wish for your SSID to be seen by unauthorized wireless clients.
8. When a wireless client sends out a probe request, the attacker sends back a response with a Null SSID. This response causes many popular wireless cards and devices to stop responding. You can disable this by clicking Exclude Probe Response.
9. Click Exclude Control to remove general control of the wireless client.
10. Your SonicWave tracks individual data packets that traverse all your SonicWall firewall appliances. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. You can disable this tracking by enabling Exclude Data.
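The filter settings in steps 1, 2 and 5 to 10 decide which frames reach the capture buffer. The Python below is an added example, not SonicOS code, that models those settings so the effect of each switch can be checked on known input: the address validation follows the dash-separated, five-address form stated above; the frame records are constructed; and the exact way SonicOS combines the source list, the destination list and Enable Bidirectional Address Matching is an assumption (here, bidirectional means either configured list may match either address field of a frame).

```python
"""Model of the SonicWave packet capture filter settings.

Added example, not SonicOS code. Frame records are constructed, and the way
the source list, destination list and bidirectional matching combine is an
assumption made for illustration.
"""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")   # 00-12-34-56-78-AB form
MAX_ADDRESSES = 5                                                 # per list, as the guide states


def parse_mac_list(text: str):
    """Validate a comma-separated MAC list from the filter form; return normalised MACs."""
    macs = [m.strip() for m in text.split(",") if m.strip()]
    if len(macs) > MAX_ADDRESSES:
        raise ValueError(f"at most {MAX_ADDRESSES} addresses allowed")
    bad = [m for m in macs if not MAC_RE.match(m)]
    if bad:
        raise ValueError(f"not in 00-12-34-56-78-AB form: {bad}")
    return {m.lower() for m in macs}


@dataclass
class CaptureFilter:
    sources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)
    bidirectional: bool = False          # Enable Bidirectional Address Matching
    exclude_beacon: bool = False
    exclude_probe_request: bool = False
    exclude_probe_response: bool = False
    exclude_control: bool = False
    exclude_data: bool = False

    def _address_ok(self, frame) -> bool:
        src, dst = frame["src"].lower(), frame["dst"].lower()
        if not self.sources and not self.destinations:
            return True                  # no address filter configured: keep everything
        if self.bidirectional:
            # Assumption: either configured list may match either address field.
            pool = self.sources | self.destinations
            return src in pool or dst in pool
        src_ok = not self.sources or src in self.sources
        dst_ok = not self.destinations or dst in self.destinations
        return src_ok and dst_ok

    def keep(self, frame) -> bool:
        """True if the frame would be written to the capture buffer."""
        excluded = {
            "beacon": self.exclude_beacon,
            "probe_req": self.exclude_probe_request,
            "probe_resp": self.exclude_probe_response,
            "control": self.exclude_control,
            "data": self.exclude_data,
        }
        if excluded.get(frame["kind"], False):
            return False
        return self._address_ok(frame)


def apply_filter(flt: CaptureFilter, frames):
    return [f for f in frames if flt.keep(f)]


# Constructed frames (no real devices); "kind" is the 802.11 frame class.
FRAMES = [
    {"kind": "beacon",    "src": "00-11-22-aa-bb-01", "dst": "ff-ff-ff-ff-ff-ff"},
    {"kind": "probe_req", "src": "00-12-34-56-78-ab", "dst": "ff-ff-ff-ff-ff-ff"},
    {"kind": "data",      "src": "00-12-34-56-78-ab", "dst": "00-11-22-aa-bb-01"},
    {"kind": "data",      "src": "00-11-22-aa-bb-01", "dst": "00-12-34-56-78-ab"},
    {"kind": "control",   "src": "00-11-22-aa-bb-01", "dst": "00-12-34-56-78-ab"},
]


def demo(bidirectional: bool):
    """Filter on one source MAC with beacons and control frames excluded; return kept indexes."""
    flt = CaptureFilter(sources=parse_mac_list("00-12-34-56-78-AB"),
                        bidirectional=bidirectional,
                        exclude_beacon=True, exclude_control=True)
    return [FRAMES.index(f) for f in apply_filter(flt, FRAMES)]


if __name__ == "__main__":
    print("one direction:", demo(False))
    print("bidirectional:", demo(True))
```

Without bidirectional matching only frames sent by the configured adapter survive, so the AP's reply (frame 3) is lost; with it enabled the reply is kept too, which is usually what you want when troubleshooting a single client's session.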
10 Virtual Access Points
NOTE: Virtual access points are supported when using wireless access points along with SonicWall SonicPoint appliances.
A Virtual Access Point (VAP) is a multiplexed representation of a single physical access point; it presents itself as multiple discrete access points. To wireless LAN clients, each virtual access point appears to be an independent physical access point, when actually only one physical access point exists.
VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point and can be grouped and enforced on a single internal wireless radio.
The SonicWall VAP feature is in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This segments the wireless network services within a single radio frequency footprint on a single physical access point.
VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical access points simultaneously.
VIRTUAL ACCESS POINT CONFIGURATION
VAPs afford the following benefits:
- Each VAP can have its own security services settings (for example, GAV, IPS, CFS, and so on).
- Traffic from each VAP can be easily controlled using access rules configured from the zone level.
- Separate Guest Services or Lightweight Hotspot Messaging (LHM) configurations can be applied to each, facilitating the presentation of multiple guest service providers with a common set of access points.
- Bandwidth management and other access rule-based controls can easily be applied.
Topics:
- Before Configuring VAPs
- Access Point VAP Configuration Task List
- Virtual Access Point Groups
- Virtual Access Point Objects
- Virtual Access Point Profiles
Before Configuring VAPs
Before configuring your virtual access points, you need to have an understanding of what your options are and what you can do.
Topics:
- Determining Your VAP Needs
- Determining Security Configurations
- Sample Network Definitions
- Prerequisites
- VAP Configuration Worksheet
Determining Your VAP Needs
When deciding how to configure your VAPs, begin by considering your communication needs, particularly:
- How many different classes of wireless users do I need to support?
- How do I want to secure these different classes of wireless users?
- Do my wireless clients have the required hardware and drivers to support the chosen security settings?
- What network resources do my wireless users need to communicate with?
- Do any of these wireless users need to communicate with other wireless users?
- What security services do I wish to apply to each of these classes of wireless users?
Determining Security Configurations
After understanding your security requirements, you can then define the zones (and interfaces) and VAPs that provide the most effective wireless services to these users. The following are examples of ways you can define certain types of users.
- Corp Wireless: Highly trusted wireless zone. Employs WPA2-AUTO-EAP security. WiFiSec (WPA) Enforced.
- WEP & PSK: Moderate trust wireless zone. Comprises two virtual APs and subinterfaces, one for legacy WEP devices (for example, wireless printers, older hand-held devices) and one for visiting clients who use WPA-PSK security.
- Guest Services: Using the internal Guest Services user database.
- LHM: Lightweight Hotspot Messaging enabled zone, configured to use an external LHM authentication back-end server.
Sample Network Definitions
The following list shows one possible way you can configure your virtual access points to ensure proper access:
- VAP #1, Corporate Wireless Users: A set of users who are commonly in the office, and who should be given full access to all network resources, provided that the connection is authenticated and secure. These users already belong to the network's Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS Internet Authentication Services.
- VAP #2, Legacy Wireless Devices: A collection of older wireless devices, such as printers, PDAs and hand-held devices, that are only capable of WEP encryption.
- VAP #3, Visiting Partners: Business partners, clients, and affiliates who frequently visit the office, and who need access to a limited set of trusted network resources, as well as the Internet. These users are not located in the company's Directory Services.
- VAP #4, Guest Users: Visiting clients to whom you wish to provide access only to untrusted (for example, Internet) network resources. Some guest users are provided a simple, temporary username and password for access.
- VAP #5, Frequent Guest Users: Same as Guest Users; however, these users have more permanent guest accounts through a back-end database.
Prerequisites
Before configuring your virtual access points, be aware of the following:
- Each SonicWall access point must be explicitly enabled for virtual access point support. To verify, navigate to the DEVICE | Access Points > Settings page. Then click the Edit icon for the Access Point Provisioning Profiles > General Settings: Enable option to enable VAP.
- Access points must be linked to a WLAN zone on your SonicWall network security appliance to provision the access points.
- When using VAPs with VLANs, you must ensure that the physical access point discovery and provisioning packets remain untagged (unless being terminated natively into a VLAN subinterface on the firewall).
- You must also ensure that VAP packets that are VLAN tagged by the access point are delivered unaltered (neither un-encapsulated nor double-encapsulated) by any intermediate equipment, such as a VLAN capable switch, on the network.
- Be aware that maximum access point restrictions apply and differ based on your SonicWall security appliance.
VAP Configuration Worksheet
The following table provides some common VAP setup questions and solutions, along with space for you to record your own configurations.
VAP CONFIGURATION WORKSHEET

| Questions | Examples | Solutions |
| --- | --- | --- |
| How many different types of users do I need to support? | Corporate wireless, guest access, visiting partners, wireless devices are all common user types, each requiring their own VAP | Plan out the number of different VAPs needed. Configure a zone and VLAN for each VAP needed |
| How many users does each VAP need to support? | A corporate campus has 100 employees, all of whom have wireless capabilities | The DHCP scope for the visitor zone is set to provide at least 100 addresses |
| | A corporate campus often has a few dozen wireless capable visitors | The DHCP scope for the visitor zone is set to provide at least 25 addresses |
| How do I want to secure different wireless users? | A corporate user who has access to corporate LAN resources. | Configure WPA3-EAP |
| | A guest user who is restricted to only Internet access | Enable Guest Services but configure no security settings |
| | A legacy wireless printer on the corporate LAN | Configure WEP and enable MAC address filtering |
| What network resources do my users need to communicate with? | A corporate user who needs access to the corporate LAN and all internal LAN resources, including other WLAN users. | Enable Interface Trust on your corporate zone. |
| | A wireless guest who needs to access the Internet and should not be allowed to communicate with other WLAN users. | Disable Interface Trust on your guest zone. |
| What security services do I wish to apply to my users? | Corporate users who you want protected by the full SonicWall security suite. | Enable all SonicWall security services. |
| | Guest users who you do not care about because they are not even on your LAN. | Disable all SonicWall security services. |
Access Point VAP Configuration Task List
An access point VAP deployment requires several steps to configure. The following section provides a brief overview of the steps involved.
1. Network Zone: The zone is the backbone of your VAP configuration. Each zone you create has its own security and access control settings, and you can create and apply multiple zones to a single physical interface by way of VLAN subinterfaces. For more information on network zones, refer to the section on OBJECT | Match Objects > Zones in SonicOS System Setup.
2. Interface (or VLAN Subinterface): The Interface (X2, X3, and so on) represents the physical connection between your SonicWall network security appliance and your physical access points. Your individual zone settings are applied to these interfaces and then forwarded to your access points. For more information on wireless interfaces, refer to the section on NETWORK | System > Interfaces in SonicOS System Setup.
3. DHCP Server: The DHCP server assigns leased IP addresses to users within specified ranges, known as Scopes. The default ranges for DHCP scopes are often excessive for the needs of most access points, for instance, a scope of 200 addresses for an interface that only uses 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted. For more information on setting up the DHCP server, refer to the section on NETWORK | System > DHCP Server in SonicOS System Setup.
4. Virtual Access Point Profiles: The Virtual Access Point Profile feature allows for creation of access point configuration profiles which can be easily applied to new virtual access points as needed. Refer to Virtual Access Point Profiles for more information.
5. Virtual Access Point Objects: The Virtual Access Point Objects feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Refer to Virtual Access Point Objects for more information.
6. Virtual Access Point Groups: The Virtual Access Point Groups feature allows grouping of multiple virtual access point objects to be simultaneously applied to your access points.
7. Assign Virtual Access Group to Access Point Provisioning Profile Radio: The Provisioning Profile allows a VAP Group to be applied to new access points as they are provisioned.
8. Assign WEP Key (for WEP encryption only): The Assign WEP Key allows for a WEP Encryption Key to be applied to new access points as they are provisioned. WEP keys are configured per-access point, meaning that any WEP-enabled virtual access points assigned to a physical access point must use the same set of WEP keys. Up to 4 keys can be defined, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual physical access points or on Access Point Profiles from the DEVICE | Access Points > Settings page.
Virtual Access Point Groups
The Virtual Access Point Groups feature is available on SonicWall SonicPoint appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your access points. Virtual Access Point Groups are configured from the DEVICE | Access Points > Virtual Access Point page.
To add a virtual access point group:
1. Navigate to the DEVICE | Access Points > Virtual Access Point page.
2. Select +Add if creating a new profile, or select a Virtual Access Point Profile and click on the Edit icon if editing an existing profile.
3. Enter the Virtual AP Group Name in the field provided.
4. Select the objects you want to add from the Available Virtual AP Objects list and click the Right Arrow to move them to the Member of Virtual AP Group list.
5. Select an object and use the Left Arrow to remove objects from the group.
6. Click Accept to save your settings.
Virtual Access Point Objects
The Virtual Access Point Objects page allows you to add new virtual access points and set up the General VAP settings, including the Name, SSID and VLAN ID. You can also configure Advanced settings. Virtual access point objects are configured on the second tab of the DEVICE | Access Points > Virtual Access Point page.
To configure an existing virtual access point object, click the Edit icon for
that virtual access point. To add a new virtual access point object, click
+Add.
Topics:
- General Tab
- Advanced Tab
General Tab
Configure a virtual access point object's General settings on the DEVICE | Access Points > Virtual Access Point page. Click the Edit icon for a previously configured virtual access point object, or, to add a new virtual access point object, click +Add at the top right of the page. The Edit or Add Virtual Access Point screen appears. The first settings are found on the General tab.
Set the following options on the General tab.
VIRTUAL ACCESS POINT GENERAL SETTINGS
Feature - Description
- Name - Create a friendly name for your VAP.
- SSID - Enter an SSID name for the access points using this VAP. This name appears in wireless client lists when searching for available access points.
- VLAN ID - When using platforms that support VLAN, you can optionally select a VLAN ID to associate this VAP with. Settings for this VAP are inherited from the VLAN you select.
- Enable Virtual Access Point - Enables this VAP. This option is selected by default.
- Enable SSID Suppress - Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients. This option is not selected by default.
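As an added example that is not part of the SonicWall guide, the following Python models the VAP objects, VAP groups and per-AP WEP keys described in the workflow steps above and in the General settings table, and audits a constructed configuration against the constraints the guide states (group members must be defined VAP objects, at most 4 WEP keys per physical access point, each WEP-enabled VAP must use one of that access point's keys). The `encryption` and `wep_key_index` field names, the sample values, and the SonicOS-independent SSID and VLAN range checks are assumptions.

```python
# Added example, not SonicWall code: models the VAP objects, VAP groups and
# per-AP WEP keys described above and audits the constraints the guide states.
from dataclasses import dataclass, field

@dataclass
class VAP:                     # Virtual Access Point Object (General + Advanced tab)
    name: str
    ssid: str
    vlan_id: int = 0           # 0 = not associated with a VLAN
    ssid_suppress: bool = False
    encryption: str = "WPA2"   # "WEP" marks a WEP-enabled VAP (hypothetical field name)
    wep_key_index: int = 1     # which of the AP's keys (1-4) this VAP uses

@dataclass
class AccessPoint:             # physical AP; its VAP group comes from the provisioning profile
    name: str
    vap_group: str
    wep_keys: list = field(default_factory=list)  # WEP keys are configured per physical AP

def audit(vaps, groups, aps):  # groups: {group name: [member VAP object names]}
    out, by_name = [], {v.name: v for v in vaps}
    for v in vaps:
        if not 1 <= len(v.ssid.encode()) <= 32:    # 802.11 SSID length limit
            out.append(("error", f"{v.name}: SSID must be 1-32 bytes"))
        if v.vlan_id and not 1 <= v.vlan_id <= 4094:
            out.append(("error", f"{v.name}: VLAN ID {v.vlan_id} out of range"))
        if v.encryption == "WEP":
            out.append(("warn", f"{v.name}: WEP is deprecated; migrate to WPA2/WPA3"))
    for gname, members in groups.items():
        out += [("error", f"group {gname}: unknown VAP object {m!r}")
                for m in members if m not in by_name]
    for ap in aps:
        if len(ap.wep_keys) > 4:
            out.append(("error", f"{ap.name}: more than 4 WEP keys defined"))
        if ap.vap_group not in groups:
            out.append(("error", f"{ap.name}: VAP group {ap.vap_group!r} not defined"))
            continue
        # Every WEP-enabled VAP on this AP must use one of the AP's own keys.
        for v in (by_name[m] for m in groups[ap.vap_group] if m in by_name):
            if v.encryption == "WEP" and not 1 <= v.wep_key_index <= len(ap.wep_keys):
                out.append(("error", f"{ap.name}/{v.name}: WEP key {v.wep_key_index} "
                            "is not defined on this access point"))
    return out

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_VAPS = [VAP("corp", "CorpWiFi", vlan_id=10),
               VAP("guest", "Guest", vlan_id=20, ssid_suppress=True),
               VAP("legacy", "Scanners", vlan_id=30, encryption="WEP", wep_key_index=3)]
SAMPLE_GROUPS = {"floor1": ["corp", "guest", "legacy", "iot"]}
SAMPLE_APS = [AccessPoint("ap-1", "floor1", wep_keys=["k1", "k2"])]
```

Running `audit(SAMPLE_VAPS, SAMPLE_GROUPS, SAMPLE_APS)` on the constructed sample reports the undefined group member, the WEP-enabled VAP, and the VAP whose WEP key index exceeds the two keys defined on the access point.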
Advanced Tab
Configure a virtual access point object's Advanced settings on the DEVICE | Access Points > Virtual Access Point page.
Click the Edit icon for a previously configured virtual access point object, or, to add a new virtual access point object, click +Add at the top right of the page. The Edit or Add Virtual Access Point screen appears. After configuring the General settings, additional settings are found on the Advanced tab.
Advanced settings allow you to configure authentication and encryption settings for a specific virtual access point. Choose a Profile Name to inherit these settings from a user-created profile. As the Advanced tab of the Add/Edit Virtual Access Point window is the same as that of the Add/Edit Virtual Access Point Profile window, see Virtual Access Point Profiles for complete authentication and encryption configuration information.
Virtual Access Point Profiles
A Virtual Access Point Profile allows you to preconfigure and save access point settings in a profile. Virtual Access Point Profiles allow settings to be easily applied to new virtual access points. Virtual Access Point Profiles are configured from the Virtual Access Point Profiles section of the DEVICE | Access Points > Virtual Access Point page.
To configure an existing VAP profile:
1. Click the Edit icon for that profile.
To add a new VAP profile:
1. Click +Add.
NOTE: Options displayed change depending on your selection of other options.
Topics:
- Virtual Access Point Schedule Settings
- Virtual Access Point Profile Settings
- Remote MAC Address Access Control Settings
- ACL Enforcement
- IEEE802.11R Settings
- IEEE802.11K Settings
- IEEE802.11V Settings
Virtual Access Point Schedule Settings
Each Virtual Access Point can have its own schedule associated with it and by
extension each profile