sonicpoints ac 5.9.1 feature guide -...

| 1

SonicOS 5.9.1 BetaSonicPoint AC Feature Guide

2

Notes, Cautions, and Warnings

© 2014 Dell Inc.

Dell, the DELL logo, Dell SonicWALL, Reassembly-Free Deep Packet Inspection™, Dynamic Security for the Global Network™, Dell SonicWALL Clean VPN™, Dell SonicWALL Clean Wireless™, and all other Dell SonicWALL product and service names and slogans are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.

2014 – 11 P/N 232-xxxxxx-00 Rev. 00

NOTE: A NOTE indicates important information that helps you make better use of your system.

CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

Table of Contents

Chapter 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2. Managing SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

SonicPoint > SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Before Managing SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

SonicPoint Deployment Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

SonicPoint Layer 3 Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

What is SonicPoint Layer 3 Management? . . . . . . . . . . . . . . . . . . . . . . . . . 17

Configuring SonicPoint Layer 3 Management . . . . . . . . . . . . . . . . . . . . . . . 18

SonicPoint Provisioning Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Provisioning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Configuring a SonicPoint Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Managing SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

SonicPoint Auto Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Remote MAC Access Control for SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . 109

SonicPoint Management over SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Configuring SonicPoint Management over SSL VPN . . . . . . . . . . . . . . . . 112

Chapter 3. Configuring Wi-Fi MultiMedia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

SonicPoint > Wi-Fi Multimedia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

WMM Access Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Assigning Traffic to Access Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Configuring Wi-Fi Multimedia Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 124

Deleting WMM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Chapter 4. Configuring Virtual Access Points . . . . . . . . . . . . . . . . . . . . . . . . . 127

SonicPoint > Virtual Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

SonicPoint VAP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Thinking Critically About VAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

SonicPoint Virtual AP Configuration Task List . . . . . . . . . . . . . . . . . . . . . . 133

VAP Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Remote MAC Access Control for VAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

| 1

Chapter 5. Viewing Station Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

SonicPoint > Station Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Chapter 6. Configuring RF Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

SonicPoint > RF Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Understanding Radio Frequency Monitoring . . . . . . . . . . . . . . . . . . . . . . . 175

Configuring the RF Monitoring Feature. . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Practical RF Monitoring Field Applications . . . . . . . . . . . . . . . . . . . . . . . . . 184

Chapter 7. Using RF Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

SonicPoint > RF Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

RF Analysis Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Using RF Analysis on SonicPoint(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Chapter 8. SonicPoint Intrusion Detection Services . . . . . . . . . . . . . . . . . . . . 193

SonicPoint > IDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

IDS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Scanning Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Authorizing Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Logging of Intrusion Detection Services Events . . . . . . . . . . . . . . . . . . . . . 198

Chapter 9. Configuring Advanced IDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

SonicPoint > Advanced IDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Advanced IDP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Enabling Advanced IDP on a SonicPoint Profile. . . . . . . . . . . . . . . . . . . . . 201

Configuring Advanced IDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Chapter 10. SonicPoint FairNet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

SonicPoint > FairNet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Understanding SonicPoint FairNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Configuring SonicPoint FairNet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

2 | SonicOS 5.9.1 Beta SonicPoint AC Feature Guide

Chapter 1

Introduction

IntroductionThe SonicOS 5.9.1 SonicPoint AC Feature Guide provides information about configuring Dell SonicWALL SonicPoints. SonicPoints are wireless access points designed to work with Dell SonicWALL network security appliances to provide secure wireless access to enterprise networks.

SonicPoint AC provides higher throughput in the 5-GHz band by providing more antennas, wider channels, more spatial streams, and other features that boost throughput and reliability. SonicPoint supports both the 5-GHz and 2.4-GHz radio bands.

SonicPoint has the following key technical components:

• Wider Channels—80 MHz and 160 MHz channel bandwidths

• Up to 8 Spatial Streams—Adding spatial streams increases throughput proportionally. Two streams doubles the throughput of a single stream. Eight streams increases the throughput eight times.

• Multi-User MIMO—Multiple Input Multiple Output spatial division multiplexing provides transmitting and receiving of multiple independent data streams simultaneously.

This document provides the following sections that describe that various features of SonicPoints:

SonicPoint Management

The Managing SonicPoints section has the following main subsections that provide detailed instructions for managing SonicPoints.

• “SonicPoint > SonicPoints” on page 7

• “SonicPoint Layer 3 Management” on page 17

• “SonicPoint Provisioning Profiles” on page 54

• “Remote MAC Access Control for SonicPoints” on page 109

• “SonicPoint Management over SSL VPN” on page 112

The SonicPoint > SonicPoints section provides information and tips for configuring, and managing SonicPoints. Items such as wiring considerations, channels, card tuning, Power over Ethernet (PoE), and Troubleshooting, are covered.

Introduction | 3

The SonicPoint Layer 3 Management section covers the concepts, benefits, and configuration procedures of Layer 3 Management to provide easy scalability of a wireless network.

The SonicPoint Provisioning Profiles section provides the configuration procedures for

• “Configuring a SonicPoint ACe, ACi, or N2 Profile” on page 57

• “Configuring a SonicPoint NDR Profile” on page 71

• “Configuring a SonicPoint N Profile” on page 85

SonicPoint AC provides higher throughput, making it better for wireless displays, HDTV, downloading large files, and campus and auditorium use.

Wi-Fi Multimedia

SonicPoint supports Wi-Fi Multimedia (WMM) to provide a better Quality of Service experience on bandwidth-intensive applications such as VoIP and multimedia traffic on wireless networks.

Virtual Access Points

A Virtual Access Point (VAP) is a multiplexed instantiation of a single physical Access Point (AP), so that a single AP appears as multiple discrete Access Points or VAPs. To wireless LAN clients, each VAP appears as an independent physical AP, when in actuality there is only one physical AP.

SonicPoint Statistics

The SonicPoint > Station Status page reports the statistics of each SonicPoint. The Station Status table lists entries for each wireless client connected to each SonicPoint. The sections of the Station Status table are divided by SonicPoint.

Radio Frequency Security

SonicPoint provides protection for Radio Frequency (RF) devices. RF technology used in wireless networking devices is a target for intruders. SonicPoint uses direct RF monitoring to detect threats without interrupting the current operation of your wireless or wired network.

Radio Frequency Analysis

Radio Frequency Analysis (RFA) is a feature that enables the network administrator to understand how wireless channels are utilized by the SonicPoints and other neighboring wireless access points.

Intrusion Detection Services

Intrusion Detection Services (IDS) enables the Dell SonicWALL network security appliance to recognize and take countermeasures against the most common types of illicit wireless activity. IDS reports on all access points that the firewall can find by scanning the 802.11a/b/g/n/ac radio bands on the SonicPoints.

Advanced Intrusion Detection and Prevention

Advanced Intrusion Detection and Prevention (IDP) monitors the radio spectrum for the presence of unauthorized access points (intrusion detection) and automatically takes countermeasures (intrusion prevention). When Advanced IDP is enabled on a SonicPoint, the SonicPoint radio functions as a dedicated IDP sensor.


SonicPoint FairNet

SonicPoint FairNet provides network administrators with a simple method to control the bandwidth of wireless clients and ensure the bandwidth is distributed fairly across all access points. Administrators can configure the SonicPoint FairNet bandwidth limits for all wireless clients, specific IP address ranges, or individual clients to provide fairness and network efficiency.

Introduction | 5

Chapter 2

Managing SonicPoints

SonicPoint > SonicPoints

Managing SonicPoints | 7

Dell SonicWALL SonicPoints are wireless access points specially engineered to work with Dell SonicWALL security appliances to provide wireless access throughout your enterprise. The SonicPoint section of the management interface lets you manage the SonicPoints connected to your system.

Note SonicPoint-N Dual Radio is Wi-Fi Certified by the Wi-Fi Alliance and is designated by the Wi-Fi Certified logo.

The Wi-Fi CERTIFIED Logo is a certification mark of the Wi-Fi Alliance, and indicates that the product has undergone rigorous testing by the Wi-Fi Alliance and has demonstrated interoperability with other products, including those from other companies that bear the Wi-Fi CERTIFIED Logo.

In addition to describing the settings available for managing SonicPoints in SonicOS, This section contains a best practices guide for deploying SonicPoints in your network. See “SonicPoint Deployment Best Practices” on page 9.

Topics:

• “Before Managing SonicPoints” on page 8

• “SonicPoint Deployment Best Practices” on page 9

• “SonicPoint Layer 3 Management” on page 17

• “SonicPoint Provisioning Profiles” on page 54

• “Remote MAC Access Control for SonicPoints” on page 109

• “SonicPoint Management over SSL VPN” on page 112

Before Managing SonicPoints

Before you can manage SonicPoints in the Management Interface, you must first:

• Verify that the SonicPoint image is downloaded to your Dell SonicWALL security appliance. See “Updating SonicPoint Firmware” on page 103.

• Configure your SonicPoint Provisioning Profiles.

• Configure a Wireless zone.

• Assign profiles to wireless zones. This step is optional. If you do not assign a default profile for a zone, SonicPoints in that zone will use the first profile in the list.

• Assign an interface to the Wireless zone.

• Attach the SonicPoints to the interfaces in the Wireless zone.

• Test the SonicPoints.


SonicPoint Deployment Best Practices

The SonicPoint best practices includes information regarding the design, installation, deployment, and configuration issues for Dell SonicWALL’s SonicPoint wireless access points. The information covered allows you to properly deploy SonicPoints in environments of any size. This section also covers related external issues that are required for successful operation and deployment.

Note Dell SonicWALL cannot provide any direct technical support for any of the third-party Ethernet switches referenced in this section. The material is also subject to change without Dell SonicWALL’s knowledge when the switch manufacturer releases new models or firmware that may invalidate the information contained here.

Further information about SonicPoint best practices can be found in the SonicPoint Deployment Best Practices Guide at https://support.software.dell.com/.

Topics:

• “Prerequisites” on page 9

• “Wiring Considerations” on page 10

• “Site Survey and Planning” on page 10

• “Channels” on page 11

• “Wireless Card Tuning” on page 11

• “PoE” on page 12

• “Spanning-Tree” on page 13

• “VTP and GVRP” on page 13

• “Port-Aggregation” on page 13

• “Broadcast Throttling/Broadcast Storm” on page 13

• “Speed and Duplex” on page 13

• “Virtual Access Point Issues” on page 14

• “Troubleshooting” on page 14

• “Resetting the SonicPoint” on page 15

• “Switch Programming Tips” on page 15

Prerequisites

The following are required for a successful SonicPoint deployment:

• SonicOS requires public Internet access in order for the network security appliance to download and update the SonicPoint firmware images. If the device does not have public Internet access, you will need to obtain and download the SonicPoint firmware manually.

• One or more SonicWALL SonicPoint wireless access points.

• If you are using a PoE switch to power the SonicPoint, it must be one of the following:

– An 802.3at compliant Ethernet switch for SonicPoint AC/N2

– An 802.3af compliant Ethernet switch for other SonicPoint models

• Vendor-specific switch programming notes can be found towards the end of this section for HP, Cisco, Dell, and D-Link. If not, you will need to use the power adapter that ships with the SonicPoint or SonicWALL’s PoE Injector. See the SonicWALL Power over Ethernet (PoE) Injector User’s Guide:

http://www.sonicwall.com/downloads/SonicWALL_PoE_Injector_Users_Guide.pdf


https://support.software.dell.com/

http://www.sonicwall.com/downloads/SonicWALL_PoE_Injector_Users_Guide.pdf

• It is strongly recommended you obtain a support contract for your Dell SonicWALL network security appliance as well as the PoE switch. The contract will allow you to update to new versions if issues are found on the switch side or on the firewall side, or when new features are released.

• Be sure to conduct a full site survey before installation (see “Site Survey and Planning” on page 10).

• Check wiring and cable infrastructure to verify that end-to-end runs between SonicPoints and the Ethernet switches are CAT5, CAT5e, or CAT6.

• Check building codes for install points and work with building’s facilities staff, as some desired install points may violate regulations.

Tested Switches

Most Cisco switches work well; however SonicWALL does not recommend deploying SonicPoints using the “Cisco Express” switch line.

SonicWALL does not recommend deploying SonicPoints using Netgear PoE switches.

If you are using D-Link PoE switches, you will need to shut off all their proprietary broadcast control and storm control mechanisms, as they will interfere with the provisioning and acquisition mechanisms in the SonicPoint (see “PoE” on page 12 regarding this).

• Dell – make sure to configure STP for fast start on SonicPoint ports.

• Extreme – make sure to configure STP for fast start on SonicPoint ports.

• Foundry – make sure to configure STP for fast start on SonicPoint ports.

• HP ProCurve – make sure to configure STP for fast start on SonicPoint ports.

Wiring Considerations

Make sure wiring is CAT5, CAT5e, or CAT6 end to end.

Due to signaling limitations in 802.3af and 802.3at, Ethernet cable runs cannot go over 100 meters between the PoE switch and SonicPoint.

You will need to account for PoE power loss as the cable run becomes longer; this can be up to 16%. For longer cable runs, the port will require more power to be supplied.

Site Survey and Planning

Conduct a full site walk of all areas SonicPoints will be deployed in with a wireless spectrum scanner. Note any existing access points and the channels they are broadcasting on. SonicWALL currently recommends the following products to conduct full site surveys.

• Metageek inSSider (best for Android Phones due to portability)

• WiSpy

• Channelyzer

Blueprints of floor plans are helpful as you can mark the position of Access Points and the range of the wireless cell. Make multiple copies of these as the site-survey results may cause the original design not to be the best and a new start will be needed. Also, you see where walls, halls, and elevators are located, which can influence the signal. Areas in which users are located—and not located—can be seen. During the site survey, keep an eye open for electrical equipment that may cause interference (microwaves, CAT Scan equipment, etc.) In areas containing a lot of electrical equipment, also take a look at the cabling being used.

Survey three dimensionally, as wireless signals cross over to different floors.


Determine where you can locate access points based on power and cabling. Remember that you shouldn't place access points close to metal or concrete walls and you should put them as close to the ceiling as possible.

Use the wireless scanning tool to check signal strengths and noise. Signal-to-noise ratio should at least be 10dB (minimum requirements for 11 Mbps); however, 20dB is preferred. Both factors influence the quality of the service.

Relocate the access points and re-test, depending of the results of your survey.

Save settings and logs and note the location of the access point for future reference.

When using older SonicPoint models, if you find that certain areas, or all areas are saturated with existing overlapping 802.11b/g channels, you may wish to deploy SonicPoints using the 802.11a radio. This provides a much larger array of channels to broadcast on, although the range of 802.11a is limited, and the SonicPoint does not allow for the addition of external antennas.

When planning, make sure you note the distance of cable runs from where the SonicPoint will be mounted; this must be 100 meters or less. If you are not using PoE switches, you will also need to consider the power adapter or PoE injector for the SonicPoint. Make sure you are not creating an electrical or fire hazard.

Be wary of broadcasting your wireless signal into areas that you do not control; check for areas where people might be able to leach signal and tune the SonicPoints accordingly.

For light use, you can plan for 15-20 users for each SonicPoint. For business use, you should plan for 5-10 users for each SonicPoint.

Plan accordingly for roaming users – this will require tuning the power on each SonicPoint so that the signal overlap is minimal. Multiple SonicPoints broadcasting the same SSID in areas with significant overlap can cause ongoing client connectivity issues.

Use the scheduling feature in SonicOS to shut off SonicPoints when not in use – it’s recommended that you do not operate your SonicPoints during non-business-hours (off nights and weekends).

Channels

The default setting of SonicPoints is auto-channel. When this is set, at boot-up the SonicPoint will do a scan and check if there are other wireless devices transmitting. Then, it will try to find an unused channel and use this for transmission. Especially in larger deployments, this process can cause trouble. In large deployments, it is recommended to assign fixed channels to each SonicPoint. A diagram of the SonicPoints and their MAC addresses helps to avoid overlaps. It is recommended is to mark the location of the SonicPoints and MAC addresses on a floor-plan.

Wireless Card Tuning

If you are experiencing connectivity issues with laptops, check to see if the laptop has an Intel embedded wireless adapter. The following Intel chip sets are publicly known and acknowledged by Intel to have disconnect issues with third-party wireless access points:

• Intel PRO/Wireless 2100 Network Connection

• Intel PRO/Wireless 2100A Network Connection

• Intel PRO/Wireless 2200BG Network Connection

• Intel PRO/Wireless 2915ABG Network Connection

• Intel PRO/Wireless 3945ABG Network Connection


These wireless cards are provided to OEM laptop manufacturers and are often rebranded under the manufacturers name – for example, both Dell and IBM use the above wireless cards, but the drivers are branded under their own name.

To identify the adapter, go to Intel’s support site and do a search for Intel Network Connection ID Tool. Install and run this tool on any laptop experiencing frequent wireless disconnect issues. The tool will identify which Intel adapter is installed inside the laptop.

Once you have identified the Intel wireless adapter, go to Intel’s support site and download the newest software package for that adapter – it is recommended that you download and install the full Intel PRO/Set package and allow it to manage the wireless card, instead of Windows or any OEM provided wireless network card management program previously used.

Be sure to use the Intel wireless management utility and to disable Microsoft’s Wireless Zero Config management service – the Intel utility should control the card, not the OS.

In the Advanced section of the Intel wireless management utility, disable the power management by clearing the box next to Use default value, then move the slider under it to Highest. This instructs the wireless card to operate at full strength and not go into sleep mode. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

In the Advanced section of the Intel wireless management utility, adjust the roaming aggressiveness by clearing the checkbox next to Use default value, then move the slider under it to Lowest. This instructs the wireless card to stay stuck to the access point to which it’s associated as long as possible and only roam if the signal is significantly degraded. This is extremely helpful in environments with large numbers of access points broadcasting the same SSID. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

If you continue to have issues, you may also try adjusting the Preamble Mode on the wireless card. By default, the Intel wireless cards above are set to auto. All SonicWALL wireless products by default are set to use a Long preamble. To adjust the Intel wireless card’s preamble setting, go to the Advanced section and clear the checkbox next to Use default value, then select Long Tx Preamble from the drop-down menu below it. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

PoE

A SonicPoint using PoE at full power can draw up to 30 watts.

SonicPoints are set to Class 0 PD and uses from 0.44 W minimum to 12.95 W maximum power.

Note A mismatch in Class will cause confusion in the handshake and reboot the SonicPoint.

SonicPoint ACs (Type 1) can be set to Class 0, 1, 2, or 3 PD. SonicPoint ACs (Type 2) are set to Class 4 PD. The minimum and maximum power output values are as follows:

• Type 1, Class 0 PD uses 0.5 W minimum to 15.4 W maximum




• Type 2, Class 4 PD uses 15.4 W minimum to 30 W maximum

Full 802.3af and 802.3at compliance is required on any switch that supplies PoE to a SonicPoint. Do not operate SonicPoints on non-compliant switches as SonicWALL does not support them.

Turn off pre-802.3af-spec detection and pre-802.3at-spec detection as they may cause connectivity issues.


Long cable runs cause loss of power; 100 meter runs between the SonicPoint and the PoE switch may incur up to 16% power/signal degradation; because of this the PoE switch will need to supply more power to the port to keep the SonicPoint operational.

Ensure each port can get 10 Watts guaranteed if possible, and set the PoE priority to critical or high.

One thing to be particularly careful to plan for is that not all PoE switches can provide the full 15.4 watts of power to each of its PoE ports – the switch might have 24 watts, but it can’t actually have all ports with PoE devices attached without the addition of an external redundant power supply. You will need to work closely with the manufacturer of the PoE switch to ensure that enough power is supplied to the switch to power all of your PoE devices.

Spanning-Tree

When an Ethernet port becomes electrically active, most switches by default will activate the spanning-tree protocol on the port to determine if there are loops in the network topology. During this detection period of 50-60 seconds the port does not pass any traffic – this feature is well-known to cause problems with SonicPoints.

If you do not need spanning-tree, disable it globally on the switch, or disable it on each port connected to a SonicPoint device. If this is not possible, check with the switch manufacturer to determine if they allow for “fast spanning-tree detection,” which is a method that runs spanning-tree in a shortened time so as to not cause connectivity issues. Refer to “Sample Dell Switch Configuration (per interface)” on page 16 for programming samples on how to do this.

VTP and GVRP

Turn these trunking protocols off on ports connected directly to SonicPoints, as they have been known to cause issues with SonicPoints – especially the high-end Cisco Catalyst series switches.

Port-Aggregation

Many switches have port aggregation turned on by default, which causes a lot of issues. Port aggregation should be deactivated on ports connected directly to SonicPoints.

PAGP/Fast EtherChannel/EtherChannel should be turned off on ports going to SonicPoints.

LACP should be turned off on the ports going to SonicPoints.

Broadcast Throttling/Broadcast Storm

This feature is an issue on some switches, especially D-Link. Dell recommends that you disable the feature on a per-port basis if possible; if not, disable globally.

Speed and Duplex

At present, auto-negotiation of speed and duplex is the only option for SonicPoints.

Locking speed and duplex on the switch and rebooting the SonicPoint may help with connectivity issues.

Check the port for errors, as this is the best way to determine if there is a duplex issue (the port will also experience degraded throughput).


Virtual Access Point Issues

Only VLAN-supported SonicWALL platforms can offer VAP features for existing releases. Each SSID should be associated with the unique VLAN ID to segment traffic in different broadcast domains. SDP/SSPP protocol packets must be untagged before reaching a SonicWALL WLAN interface or SonicPoint.

The switch between the Dell SonicWALL network security appliance and the SonicPoint must be configured properly to allow both untagged SDP/SSPP traffic and tagged traffic with VLAN ID for each VAP SSID.

If at all possible assign each VAP to its own VLAN/Security Zone -- this will provide maximum security and although not explicitly required for PCI compliance, puts you solidly in the "green" zone.

Note If you use VLANs, do not use the parent interface and do not use the default VLAN.

Troubleshooting

When creating a Wireless zone and interface, make sure to configure the interface for the number of SonicPoints you wish to support. If you do not do this, the firewall will not create the necessary DHCP scope and will not acquire any SonicPoints added to the interface.

If you added SonicPoints and only a certain number were detected and acquired, check interface settings as noted above, as it might be set for too few SonicPoints.

If throughput seems sluggish, check to see how many SonicPoints you have on an interface – in large deployments it’s advisable to spread them across more than one. Try to limit the interfaces to a 4-to-1 oversubscription ratio. For example, if you have a 100Mbps, you can safely attach up to 20 SonicPoints to it and expect reasonable performance.

The throughput speed on SonicPoints can vary and is limited by the specifications found in the IEEE 802.11 standards: 802.11a/b/g/n/ac/af.

Make sure your security zone (the default WLAN, or your own custom wireless zone) has the right settings – they might be blocking traffic for various reasons.

If the SonicPoints are not being acquired, check the DHCP scopes; they might be off, or missing entirely.

Stuck in provisioning mode? Unplug, clear the profile configuration, reboot and plug back in.

In order for a SonicPoint to be discovered and provisioned, the Dell SonicWALL network security appliance must be connected to the Internet.

On older model SonicPoints, it is NOT advisable to use the same SSID for the 802.11bg and the 802.11a radios, as clients with tri-band cards may experience disconnect issues – name them separately.

If a SonicPoint cannot find a Dell SonicWALL network security appliance, it will automatically transition to Standalone Mode. In which case, if you have more than one SonicPoint, you may have issues as all of the SonicPoints will revert to the same default IP address of 192.168.1.20/24.

When troubleshooting wireless issues, logging, Syslog, and SNMP are your friends – SonicWALL’s Global Management System (GMS) package can centralize all of these for all of your SonicWALL devices, regardless of location. A free alternative is Kiwi’s Syslog Server, which can accept Syslog streams and SNMP traps from all Dell SonicWALL network security appliances. The most current version can be found here: http://www.kiwisyslog.com/


http://www.kiwisyslog.com/

Check the network cabling. Is shielded or unshielded cable being used?

Troubleshooting Older SonicPoints

If you have an older SonicPoint and it is consistently port flapping, or does not power up at all, or is stuck in reboot cycling, or stuck in provisioning, check to see if you are running a current version of the firmware, and that the Dell SonicWALL network security appliance has public internet access. You may need a newer SonicPoint.

Resetting the SonicPoint

The SonicPoint has a reset switch inside a small hole in the back of the unit, next to the console port. You can reset the SonicPoint at any time by pressing the reset switch with a straightened paperclip, a tooth pick, or other small, straight object.

The reset button resets the configuration of the mode the SonicPoint is operating in to the factory defaults. It does not reset the configuration for the other mode. Depending on the mode the SonicPoint is operating in, and the amount of time you press the reset button, the SonicPoint behaves in one of the following ways:

• Press the reset button for at least three seconds, and less than eight seconds with the SonicPoint operating in Managed Mode to reset the Managed Mode configuration to factory defaults and reboot the SonicPoint.

• Press the reset button for more than eight seconds with the SonicPoint operating in Managed Mode to reset the Managed Mode configuration to factory defaults and reboot the SonicPoint in SafeMode.

• Press the reset button for at least three seconds, and less than eight seconds with the SonicPoint operating in Stand-Alone Mode to reset the Stand-Alone Mode configuration to factory defaults and reboot the SonicPoint.

• Press the reset button for more than eight seconds with the SonicPoint operating in Stand-Alone Mode to reset the Stand-Alone Mode configuration to factory defaults and reboot the SonicPoint in SafeMode.

Switch Programming Tips

Topics:

• “Sample HP ProCurve Switch Commands (per-interface)” on page 15

• “Sample Dell Switch Configuration (per interface)” on page 16

• “Sample D-Link Switch Configuration” on page 16

Sample HP ProCurve Switch Commands (per-interface)

• name ‘link to SonicPoint X’

• no lacp

• no cdp

• power critical

• no power-pre-std-detect (note: global command)

• speed-duplex 100-half (note: only if you are seeing FCS errors)

• spanning-tree xx admin-edge-port (note: replace xx with port number)

• mdix-mode mdix


Sample Dell Switch Configuration (per interface)

• spanning-tree portfast

• no back-pressure

• no channel-group

• duplex half (note: only if you are seeing FCS errors)

• speed 100

• no flowcontrol

• no gvrp enable

• no lldp enable

• mdix on

• mdix auto

• no port storm-control broadcast enable

Sample D-Link Switch Configuration

The D-Link PoE switches do not have a CLI, so you will need to use their web GUI.

Note If you are using multicast in your environment, check with D-Link for the recommended firmware version.

Disable spanning-tree, broadcast storm control, LLDP and the Safeguard Engine on the switch before adding SonicPoints to the switch, as all may impact their successful provisioning, configuration, and functionality.


SonicPoint Layer 3 ManagementTopics:

• “What is SonicPoint Layer 3 Management?” on page 17

• “Configuring SonicPoint Layer 3 Management” on page 18

What is SonicPoint Layer 3 Management?

In previous releases, the Dell SonicWALL security appliance and the SonicPoints that it manages had to be in the same Layer 2 network, which limits the scalability of networks, especially enterprise networks.

SonicPoint Layer 3 Management provides a wireless solution that can be easily scaled from small to large while maintaining the centralized SonicOS network security protection and providing flexible policy control.

Note SonicPoint Layer 3 Management is not supported on the TZ series or on the NSA 240.

Topics:

• “Benefits” on page 17

• “Supported Platforms” on page 17

• “Layer 3 Management Protocols” on page 17

• “How Does SonicPoint Layer 3 Management Work?” on page 18

Benefits

SonicPoint Layer 3 Management offers the following benefits:

• Simplifies the management of multiple wireless networks. SonicPoints located at multiple locations are managed by a single Dell SonicWALL security appliance.

• Reduces the number of NetExtender licenses and sessions. All remote users are tunneled over a single NetExtender session.

Supported Platforms

SonicPoint Layer 3 Management is supported on all Dell SonicWALL security appliances that can provision SonicPoints.

Layer 3 Management Protocols

CAPWAP

The Controlling and Provisioning of Wireless Access Points (CAPWAP) protocol is a standard, interoperable protocol that enables an Access Controller (in our case, the Dell SonicWALL security appliance) to manage a collection of Wireless Termination Points (SonicPoints), independent of Layer 2 technology. CAPWAP is defined in RFC 5415:

http://www.ietf.org/rfc/rfc5415.txt

Dell SonicWALL CAPWAP supports both Layer 2 and Layer 3 management.


http://www.ietf.org/rfc/rfc5415.txt

SAMP

The SonicWALL Advanced Management Protocol (SAMP) suite consists of these three protocols:

• SonicWALL DHCP-based Discovery Protocol (SDDP) - SDDP enables the Dell SonicWALL security appliance and the SonicPoints to be discovered automatically across Layer 3 networks. The appliance acts as the DHCP sever and the SonicPoint acts as the DHCP client. Any routers or other network devices between the appliance and the SonicPoint must be configured to allow DHCP relay.

• SonicWALL Control and Provisioning Wireless Access Point (SCAPWAP) - SCAPWAP is a Dell SonicWALL extension of CAPWAP that is customized for Dell SonicWALL products. The Dell SonicWALL network security appliance gateway manages the SonicPoints using SCAPWAP, independent of Layer 2 and Layer 3 networks. The Dell SonicWALL security appliance and the SonicPoints must be configured to do mutual authentication using either a pre-shared key or a public key-based certificates.

• SonicWALL SSLVPN-based Management Protocol (SSMP) - SSMP is based on the Dell SonicWALL SSL VPN infrastructure and enables the SonicPoints to be managed over the internet by a Dell SonicWALL security appliance. In this case, a single NetExtender SSL VPN tunnel is established between the appliance and the SonicPoint. All of a user’s SonicPoint traffic to the appliance is tunneled over this single NetExtender session.

How Does SonicPoint Layer 3 Management Work?

SonicPoint Layer 3 Management provides a broader wireless solution for both local and remote networks and for both small and large deployments—all with centralized SonicOS network security protection and flexible policy control.

The following three SonicPoint deployment scenarios are supported:

• Local Layer 2 Management – When a Dell SonicWALL network security appliance and its SonicPoints are deployed in the same Layer 2 network, the existing Layer 2 discovery protocol, SDP, is used to manage the access points.

• Local Layer 3 Management – When SonicPoints are deployed outside of the Layer 2 network, but within the same Intranet as the Dell SonicWALL security appliance (for example when there is a third-party router between the Dell SonicWALL security appliance and the SonicPoints), Layer 3 management protocols can be used to manage the access points.

• Remote Layer 3 Management– When SonicPoints are deployed in a remote site across the Internet cloud, Layer 3 management can be used to manage the remote network access points. A single SSL VPN NetExtender tunnel is established between the SonicPoint and the remote the Dell SonicWALL security appliance. Each wireless client does not need to install and launch NetExtender to establish an SSL VPN tunnel. All the wireless clients share the same VPN tunnel. This reduces the number of NetExtender licenses required on the Dell SonicWALL security appliance. It also eliminates the need to establish individual tunnels for each SonicPoint.

Configuring SonicPoint Layer 3 Management

Topics:

• “Configuring Basic SonicPoint Layer 3 Management” on page 19

• “Configuring SonicPoint Virtual Access Points for Layer 3 Management” on page 32

• “Configuring Layer 3 Management over IPSec” on page 40


Configuring Basic SonicPoint Layer 3 Management

A basic SonicPoint Layer 3 Management scenario is shown in the graphic below. The SonicPoints are connected to a third-party router, which is connected over the LAN zone to the Dell SonicWALL security appliance.

Configuring SonicPoint Layer 3 Management requires configurations across several pages of the SonicOS management interface. Thus, to configure this scenario, the configuration is divided into the following steps:

1. “Configuring the Access Controller Interface” on page 20

2. “Configuring the DHCP Server” on page 22

3. “Configuring a DHCP Pool of Addresses” on page 24

4. “Configuring the WLAN Tunnel Interface” on page 26

5. “Adding a Route Policy” on page 29

6. “Configuring a Remote Router Connected to SonicPoints” on page 31


Configuring the Access Controller Interface

To configure an interface on a Dell SonicWALL security appliance that is connected to a third-party router:

Step 1 Navigate to the Network > Interfaces page.

Step 2 In the Interface Settings section, click the Configure icon for the X4 interface. The Edit Interface window appears.

Step 3 Select LAN from the Zone drop-down menu. More options appear.


Step 4 From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default value.

Step 5 In the IP Address field, enter the IP address of the interface. For example, 10.10.10.1. A default value of 0.0.0.0 is displayed.

Step 6 in the Subnet Mask field, enter the subnet mask for the interface. For example, 255.255.255.0 (this is the default value).

Step 7 Optionally, enter a comment in the Comment field. This comment will display in the Comment column of the Interface Settings table of Network > Interfaces.

Step 8 Select one or more types of web management for this interface:

• HTTPS – Enables remote management of the DELL SonicWALL through the HTTPS protocol.

Note If you select HTTPS, the Add rule to enable redirect from HTTP to HTTPS option is enabled automatically.

• Ping – Enables remote management of the DELL SonicWALL through the Ping protocol.

• SNMP – Enables remote management of the DELL SonicWALL through the SNMP protocol.

• SSH – Enables remote management of the DELL SonicWALL through the SSH protocol.

Note If you do not enable web management here, you must enable it on another interface. A warning message will appear if you leave the window without enabling at least one web management protocol.

Step 9 Optionally, select HTTPS for User Login to enable users with management rights to log in to the DELL SonicWALL.

Note The HTTP option is dimmed (unavailable).

Step 10 If you did not select HTTPS for Management, but did select HTTPS for User Login, to enable users logging in from HTTP to be redirected to HTTPS, select Add rule to enable redirect from HTTP to HTTPS.

Step 11 Click OK.

The X4 entry in the Interface Settings table is updated.


Configuring the DHCP Server

To configure a DHCP Option Object for CAPWAP and a DHCP pool of IP addresses for the SonicPoints behind a third-party router:

Step 1 Navigate to the Network > DHCP Server page.

Step 2 Click the Advanced button. The DHCP Advanced Settings window displays.

Step 3 Click the Add Option button. The Add DHCP Option Object dialog appears.

Step 4 In the Option Name field, enter a descriptive name for the DHCP option object, such as cap.

Step 5 From the Option Number drop-down menu, select 138 (CAPWAP AC IPv4 Address List). The Option Array option becomes active, and the Option Type is set to IP Address.


Step 6 Select the Option Array option.

Note The Option Type drop-down menu is dimmed but displays IP Address.

Step 7 In the Option Value field, enter the IP address for the X4 interface you configured in “Configuring the Access Controller Interface” on page 20. For example, 10.10.10.1.

Step 8 Click OK. The new Option Object is displayed in the Option Objects section of the DHCP Advanced Settings window.

Step 9 Click OK.


Configuring a DHCP Pool of Addresses

To configure a DHCP pool of addresses for the SonicPoints behind the router:


Step 2 Under the DHCPv4 Server Lease Scopes table, click the Add Dynamic button. The Dynamic Range Configuration window appears.

Step 3 Select the Enable this DHCP Scope option. This is selected by default.


Step 4 Enter the appropriate IP addresses or values in the Range Start, Range End, Lease Time (minutes) (default is 1440 minutes), Default Gateway, and Subnet Mask boxes.

Step 5 Click the Advanced tab.

Step 6 In the DHCP Generic Option Group drop-down menu, select the DHCP Option Object you created in “Configuring the DHCP Server” on page 22.

Step 7 Select the Send Generic options always option.


Step 8 Click OK. The DHCPv4 Server Lease Scopes table is updated.

Configuring the WLAN Tunnel Interface

To configure a WLAN tunnel interface and assign it to the X4 interface:


Step 2 From the Add Interface drop-down menu, select WLAN Tunnel Interface. The Add WLAN Tunnel Interface window appears.


Step 3 From the Zone menu, select WLAN. The options change.

Step 4 Enter the Tunnel ID in the Tunnel ID field. The default is 0.

Step 5 From the Tunnel Source Interface drop-down menu, select the interface, such as X4 in this scenario.

Step 6 From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.

Step 7 In the IP Address field, enter the IP address for the WLAN tunnel interface. For example, 172.17.31.1.

Step 8 In the Subnet Mask box, enter the subnet mask. The default is 255.255.255.0.

Step 9 From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints for this interface. The default is 64 SonicPoints.

Step 10 (Optional) In the Comment field, enter a descriptive comment. This comment is displayed in the Comment field.

Step 11 If you did not specify a web management protocol in “Configuring the Access Controller Interface” on page 20, select one or more Management options: HTTPS, Ping, SNMP, SSH.



Step 12 If you did not specify a login protocol in “Configuring the Access Controller Interface” on page 20, optionally select HTTPS for User Login to enable users with management rights to log in to the SonicOS.




Step 14 Click OK. The Interface Settings table is updated.

Note A default DHCP IP address pool, such as 172.17.31.1/24, is automatically created for wireless clients.

Step 15 To verify, navigate to the Firewall > Access Rules page. You should see a Layer 3 Management option in the Access Rules table.


Adding a Route Policy

To configure a route policy that forwards all packets intended for a Layer 3 SonicPoint network to the default gateway:

Step 1 Navigate to the Network > Routing page.


Step 2 In the Route Policies table, click Add…. The Add Route Policy window displays.

Step 3 From the Source drop-down menu, select Any. This is the default.

Step 4 From the Destination drop-down menu, select the address object of the default gateway. The default is Any.

Step 5 From the Service drop-down menu, select a service object. The default is Any.

Step 6 From the Gateway drop-down menu, select an address object. The default is 0.0.0.0.

Step 7 From the Interface drop-down menu, select an interface. For this scenario, select X4.

Step 8 In the Metric field, enter 1. The minimum value is 1, the maximum is 254, and the default is 1.


A metric is a weighted cost assigned to static and dynamic routes. Lower metric costs are considered better and take precedence over higher costs. SonicOS adheres to Cisco-defined metric values for directly connected interfaces, statically encoded routes, and all dynamic IP routing protocols.

Step 9 Click OK. The Route Policies table is updated.

Configuring a Remote Router Connected to SonicPoints

To configure a third-party router that is connected to a Dell SonicWALL security interface at one end and to SonicPoints at the other end:

Step 1 For the interface on the remote router that is connected to the Dell SonicWALL security appliance, configure the IP address 10.10.10.2/24.

Step 2 For the interface on the remote router that is connected to the SonicPoint, configure the IP address 30.30.30.1/24.

Step 3 Configure a DHCP relay policy from the interface connected to the SonicPoint to the X4 interface on the Dell SonicWALL security appliance, which has the IP address 10.10.10.1.


Configuring SonicPoint Virtual Access Points for Layer 3 Management

This scenario extends the previous example, “Configuring Basic SonicPoint Layer 3 Management” on page 19, by adding Virtual Access Points (VAPs) for the SonicPoints.

To configure VAPs for SonicPoint Layer 3 Management, perform the following steps:

• “Configuring a WLAN Interface for VAPs” on page 33

• “Configuring a VAP Object” on page 36

• “Configuring a VAP Group” on page 38

• “Assigning a VAP Group to a SonicPoint” on page 39

Note For more information about VAPs and configuring them, see “SonicPoint > Virtual Access Point” on page 127.


Configuring a WLAN Interface for VAPs

To configure a WLAN interface for the VAPs:


Step 2 From the Add Interface drop-down menu, select Virtual Interface. The Add Interface dialog appears.


Step 3 From the Zone drop-down menu, select WLAN. More options appear.

Step 4 In the VLAN Tag field, enter 4. The default is 0. The VLAN Tag is used to identify the new VLAN.

Step 5 From the Parent Interface drop-down menu, select WT0.

Step 6 From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.

Step 7 In the IP Address field, enter the IP address for the WLAN. For example, 172.4.1.1. The default is 0.0.0.0.

Step 8 In the Subnet Mask field, enter the subnet mask. For example, 255.255.255.0. The default is 255.255.255.0.

Step 9 From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints for this interface. For this scenario, select 48 SonicPoints. The default is 64 SonicPoints.

Step 10 (Optional) In the Comment field, enter a descriptive comment. This comment is displayed in the Comment field.

Step 11 If you did not specify a web management protocol in “Configuring the Access Controller Interface” on page 20, select one or more Management options: HTTPS, Ping, SNMP, SSH.



Step 12 If you did not specify a login protocol in “Configuring the Access Controller Interface” on page 20, optionally select HTTPS for User Login to enable users with management rights to log in to the DELL SonicWALL.


Configuring a VAP Object

To configure a VAP object on a Dell SonicWALL network security appliance:

Step 1 Navigate to the SonicPoint > Virtual Access Point page.

Step 2 In the Virtual Access Points table, click Add. The Add/Edit Virtual Access Point window displays.

Step 3 In the Name field, enter a descriptive name for the VAP.

Step 4 in the SSID field, enter a SSID that represents the Layer 3 management network. For example, wirelessDev_L3_vap.


Step 5 From the VLAN ID drop-down menu, select the VLAN Tag ID that you configured in “Configuring a WLAN Interface for VAPs” on page 33. For example, 4.

Step 6 Select the Enable Virtual Access Point option. By default, this option is selected

Step 7 Click OK. The virtual access points table is updated.

Step 8 To add additional Virtual Access Points, repeat Step 2 through Step 7 for each additional VAP.


Configuring a VAP Group

To configure a VAP group:


Step 2 In the Virtual Access Points Groups table, click Add Group. The Add Virtual Access Point Group window displays.

Step 3 In the Virtual AP Group Name field, enter a name for the VAP group. For example, L3 VAP Group.


The Available Virtual AP Objects box should be populated with the VAP objects you created in “Configuring a VAP Object” on page 36.

Step 4 Move the VAP objects you want from the Available Virtual AP Objects box to the Member of Virtual AP Group box.

Step 5 Click OK. The Virtual Access Point Groups table is updated.

Assigning a VAP Group to a SonicPoint

To assign a VAP group to a SonicPoint that is connected to a third-party router:

Step 1 Navigate to the SonicPoint > SonicPoints page and scroll to the SonicPoint N Provisioning Profiles section.

Step 2 Click the Configure icon for the SonicPoint you want to configure. The Edit SonicPoint Profile dialog appears.

Step 3 Select the Enable SonicPoint option.

Step 4 From the 802.11n Radio Virtual AP Group drop-down menu, select the Virtual AP Group you created in “Configuring a VAP Group” on page 38. For example, L3 VAP Group.

Step 5 Click OK.


Configuring Layer 3 Management over IPSec

In this example, the central IPSec gateway acts as the SonicPoint WLAN controller. The SonicPoint is deployed under the VPN local LAN subnet of the remote IPSec gateway. SonicPoint clients receive a DHCP client lease for the SonicPoint from the DHCP scope on the central gateway. The DHCP over VPN feature must be configured on the remote IPSec gateway.

Note This example assumes that the VPN IPSec tunnel between the two Dell SonicWALL security appliances is established successfully.

To configure SonicPoint Layer 3 Management over IPSec, perform the following steps:

1. “Configuring the VPN Tunnel on the Central Gateway” on page 41

2. “Configuring the VPN Tunnel on the Remote Gateway” on page 44

3. “Configuring the CAPWAP DHCP Option Object on the Central Gateway” on page 48

4. “Configuring the DHCP Scope on the Central Gateway” on page 49

5. “Configuring the WT0 Interface on the Central Gateway” on page 52


Configuring the VPN Tunnel on the Central Gateway

To configure the VPN tunnel on the Central Gateway:

Step 1 Navigate to the VPN > Settings page.

Step 2 Under the VPN Policies table, click Add. The VPN Policy window displays.

Step 3 From the Policy Type drop-down menu, select Site to Site. This is the default.

Step 4 From the Authentication Method drop-down menu, select the method you want. For example, IKE using Preshared Secret. This is the default.

Step 5 In the Name field, enter a descriptive name for the VPN tunnel. For example, VPN to Central Gateway.


Step 6 In the IPSec Primary Gateway Name or Address field, enter the IP address of the remote gateway. For example, 10.03.49.77.

Step 7 If you are using IKE, configure the IKE authentication settings.

Step 8 Click the Network tab.

Step 9 Under Local Networks, select the Choose local network from list option.

Step 10 From the Choose local network from list drop-down menu, select X0 Subnet.

Step 11 Under Remote Networks, select the option you want and, if applicable, the network you want from the associate drop-down menu.


Step 13 Select the Allow SonicPoint N Layer 3 Management option.


Step 14 Click OK. The VPN Policies table is updated.

Step 15 Navigate to the VPN > DHCP over VPN page.

Step 16 From the DHCP over VPN drop-down menu, select Central Gateway. This is the default.

Step 17 Click the Configure button. The DHCP over VPN Configuration window displays.

Step 18 Select the following options:

• User Internal DHCP Server

• For Global VPN Client

• For Remote Firewall

Step 19 Click OK.


Configuring the VPN Tunnel on the Remote Gateway

To configure the VPN tunnel on the remote gateway:

Step 1 Navigate to the VPN > Settings page.

Step 2 Under the VPN Policies table, click Add. The VPN Policy window displays.

Step 3 From the Policy Type drop-down menu, select Site to Site. This is the default.

Step 4 From the Authentication Method drop-down menu, select the appropriate method for your network. For example, IKE using Preshared Secret. This is the default.

Step 5 In the Name field, enter a descriptive name for the VPN tunnel. For example, VPN to Remote Gateway.

Step 6 In the IPSec Primary Gateway Name or Address field, enter the IP address of the remote gateway. For example, 10.03.49.79.

Step 7 Click the Network tab.


Step 8 Under Local Networks, select the Choose local network from list option. This is the default.

Step 9 From the Choose local network from list drop-down menu, select X1 Subnet.

Step 10 Under Remote Networks, select the option you want and, if appropriate, the network from the associated drop-down menu. The default is Choose destination network from list.

Note If you have not created an address object for your remote gateway, you can do so by selecting Create new address object from one of the menus.

Step 11 Under Remote Networks, select Create new address object from the appropriate menu. The Add Address Object window displays.

Step 12 In the Name field, enter Remote Gateway X0 Subnet.

Step 13 From the Zone Assignment drop-down menu, select LAN. This is the default.

Step 14 From the Type drop-down menu, select Network. Another option appears.

Step 15 In the Network field, enter the IP address of the remote gateway. For example, 192.168.168.0.

Step 16 In the Netmask/Prefix Length field, enter the mask. For example, 255.255.255.0.

Step 17 Click OK.



Step 19 Select the Allow SonicPoint N Layer 3 Management option.

Step 20 Click OK. the VPN Policies table is updated.

Step 21 Navigate to the VPN > DHCP over VPN page.

Step 22 From the DHCP over VPN drop-down menu, select Remote Gateway.


Step 23 Click the Configure button. The DHCP over VPN Configuration window displays.

Step 24 From the DHCP lease bound to drop-down menu, select the interface that is connected to the SonicPoint. For example, Interface X4.

Step 25 (Optional) Select the Accept DHCP Request from bridged WLAN interface option if you want it.

Step 26 In the Relay IP Address field, enter the IP address of the interface connected to the SonicPoint. For example 30.30.30.1.

Note If enabled, this IP address is used as the DHCP Relay Agent IP address (giaddr) in place of the Central gateway’s address and must be reserved in the DHCP scope on the HDCP server.This address also can be used to manage this Dell SonicWALL remotely through the VPN tunnel from behind the Central Gateway.

Step 27 In the Remote Management IP Address field, enter the IP address that is used to manage this Dell SonicWALL security appliance remotely from behind the Central Gateway.

Note This IP address was configured in “Configuring the Access Controller Interface” on page 20, and must be reserved in the DHCP scope on the DHCP server. In the example it is 10.10.10.1.

Step 28 Select the Block traffic through tunnel when IP spoof detected option.

Step 29 Select the Obtain temporary lease from local DHCP server if tunnel is down option.

Step 30 In the Temporary Lease Time (minutes) field, leave the default value of 2.

Step 31 Click OK.


Configuring the CAPWAP DHCP Option Object on the Central Gateway

To configure the CAPWAP DHCP Option Object on the Central Gateway:


Step 2 In the DHCP Server Settings section, click Advanced. The DCHP Advanced Settings window displays.

Step 3 Click Add Option. The Add DHCP Option Object window displays.

Step 4 In the Option Name field, enter a descriptive name, such as capwap or CAPWAP DHCP.

Step 5 From the Option Number drop-down menu, select 138 (CAPWAP AC IPv4 Address List).

Step 6 In the Option Value field, enter the IP address you want to use for the DHCP group. For example, 192.168.168.168.


Step 7 Click OK to add the DHCP Option Object.

Step 8 Click OK to close the DHCP Advanced Settings window and return to the Network > DHCP Server page.

Configuring the DHCP Scope on the Central Gateway

To configure the DHCP Scope on the Central Gateway:



Step 2 Click the Add Dynamic button. The Dynamic Range Configuration window displays.

Step 3 Select the Enable this DHCP Scope option. This is the default.

Step 4 In the Range Start field, enter the IP address at which to start the DHCP range. For example, 30.30.30.2.

Note The range values must be within the same subnet as the Default Gateway. For example, 30.30.30.2 to 30.30.30.100.

Step 5 In the Range End field, enter the IP address at which to end the DHCP range. For example, 30.30.30.100.

Step 6 In the Lease Time (minutes) field, use the default value, 1440.

Step 7 In the Default Gateway field, enter the IP address of the default gateway.

Note This value will be the IP address of the interface connected to the SonicPoint. For example, 30.30.30.1.

Step 8 In the Subnet Mask field, enter the subnet mask of the default gateway. For example, 255.255.255.0.



Step 10 In the DHCP Generic Options section, from the DHCP Generic Option Group drop-down menu, select the CAPWAP DHCP option.

Note The CAPWAP DHCP option was created in “Configuring the CAPWAP DHCP Option Object on the Central Gateway” on page 48.

Step 11 Select the Send Generic options always option. This is the default.

Step 12 Click OK. The DHCPv4 Server Lease Scopes table is updated.


Configuring the WT0 Interface on the Central Gateway

To configure the Wireless Tunnel interface (WT0) on the Central Gateway:


Step 2 From the Add Interface drop-down menu in the Interface Settings section, select Add WLAN Tunnel Interface. The Add WLAN Tunnel Interface window is displayed.


Step 3 From the Zone drop-down menu, select WLAN. More options display.

Step 4 In the Tunnel Id field, select 0. This is the default.

Step 5 From the Tunnel Source Interface drop-down menu, select X0.

Step 6 From the Mode / IP Assignment drop-down menu, Static IP Mode. This is the default.

Step 7 In the IP Address field, select 172.17.31.1.

Step 8 In the Subnet Mask field, 255.255.255.0. This is the default.

Step 9 From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints allowed on your network. For example, 48 SonicPoints. The default is 64 SonicPoints.

Step 10 Optionally, enter a comment in the Comment field.



SonicPoint Provisioning Profiles Topics:

• “Provisioning Overview” on page 54

• “Configuring a SonicPoint Profile” on page 56

• “Managing SonicPoints” on page 102

• “SonicPoint Auto Provisioning” on page 106

Provisioning Overview

When a SonicPoint unit is first connected and powered up, it will have a factory default configuration (IP address 192.168.1.20, username: admin, password: password). Upon initializing, it will attempt to find a SonicOS device with which to peer. If it is unable to find a peer SonicOS device, it will enter into a stand-alone mode of operation with a separate stand-alone configuration allowing it to operate as a standard Access Point.

If the SonicPoint does locate, or is located by a peer SonicOS device, via the Dell SonicWALL Discovery Protocol, an encrypted exchange between the two units will ensue wherein the profile assigned to the relevant Wireless zone will be used to automatically configure (provision) the newly added SonicPoint unit.

As part of the provisioning process, SonicOS will assign the discovered SonicPoint device a unique name, and it will record its MAC address and the interface and zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS will then use the profile associated with the relevant zone to configure the 2.4GHz and 5GHz radio settings.


SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation.

Once you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless zone can be configured with one SonicPoint profile. Any profile can apply to any number of zones. Then, when a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone.

SonicOS includes default SonicPoints profiles for SonicPoint N, SonicPoint NDR, and SonicPoint AC. You can modify these profiles or create new ones.

Modifications to profiles will not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways:

• Via manual configuration changes—Appropriate when a single, or a small set of changes are to be affected, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.

• Via un-provisioning—Deleting a SonicPoint unit effectively un-provisions the unit, or clears its configuration and places it into a state where it will automatically engage the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed, and the change is set for propagation. It can be used to update firmware on SonicPoints, or to simply and automatically update multiple SonicPoint units in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause service disruptions.


Configuring a SonicPoint Profile

You can add any number of SonicPoint profiles. The SonicPoint profile configuration process varies slightly, depending on whether you are configuring a single-radio (SonicPoint N) or a Dual Radio (SonicPoint NDR and SonicPoint AC).

The following sections describe how to configure SonicPoint profiles:

• “Configuring a SonicPoint ACe, ACi, or N2 Profile” on page 57

• “Configuring a SonicPoint NDR Profile” on page 71

• “Configuring a SonicPoint N Profile” on page 85

Note You can use Auto Provisioning to automatically provision SonicPoint profiles. For information on how to enable automatic provisioning, see “SonicPoint Auto Provisioning” on page 106.


Configuring a SonicPoint ACe, ACi, or N2 Profile

Note SonicPoint AC requires POE+ (802.3at Type 2) which supplies 30 watts peak power.

You can add any number of SonicPoint AC profiles. The specifics of the configuration will vary slightly depending on which protocols you select. To configure a SonicPoint AC provisioning profile, perform the following tasks:

Step 1 Navigate to SonicPoint > SonicPoints page.

Step 2 To add a new SonicPoint AC profile, click the Add SonicPoint AC Profile button.orTo edit an existing AC profile, click the Configure icon on the same row as the profile you want to edit.

The Add/Edit SonicPoint N AC Profile dialog appears.

You configure the SonicPoint AC through options on these tabs:

• “General Tab” on page 72

• “Radio 0 Basic and Radio 1 Basic Tabs” on page 74

• “Radio 0 Advanced and Radio 1 Advanced Tabs” on page 81

• “Sensor Tab” on page 84


General Tab

The Add/Edit SonicPoint Profile General tab.

In the General tab, configure the desired settings:

• “SonicPoint Settings” on page 72

• “Virtual Access Point Settings” on page 73

• “Layer 3 SSL VPN Tunnel Setting” on page 74

SonicPoint Settings

Step 1 Check Enable SonicPoint to enable each SonicPoint AC automatically when it is provisioned with this profile. This option is selected by default.

Step 2 Optionally, check Retain Settings to have the SonicPoint ACs provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default.

If you select this option, the Edit button becomes active and the Retain Settings window displays. To specify the settings to retain:


a. If you are editing an existing SonicPoint AC profile, click the Edit button. The Retain Settings window displays.

b. Do one of the following:

– Click the Retain All Settings checkbox; all the other options become dimmed.

– Click the checkboxes of the individual settings to be retained.

c. Click OK.

Step 3 Optionally, select Enable RF Monitoring to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default.

Step 4 Enter a prefix for the names of all SonicPoint ACs connected to this zone in the Name Prefix field. This prefix assists in identifying SonicPoint AC on a zone. When each SonicPoint AC is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint AC 126008.

Step 5 Select the country where you are operating the SonicPoint ACs from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.

Step 6 From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v1, but v2 provides better security.

Virtual Access Point Settings

Step 1 Optionally, select an 802.11n Virtual Access Point (VAP) group to assign these SonicPoint ACs to a VAP from the Radio 0 Basic Virtual AP Group and Radio 1 Basic Virtual AP Group drop-down menus. The drop-down menus allow you to create a new VAP group. For more information on VAPs, see “SonicPoint > Virtual Access Point” on page 127.


Layer 3 SSL VPN Tunnel Setting

Step 1 In the SSL VPN Server field, enter the IP address of the SSL VPN server.

Step 2 In the User Name field, enter the User Name of the SSL VPN server.

Step 3 In the Password field, enter the Password for the SSL VPN server.

Step 4 In the Domain field, enter the domain that the SSL VPN server is located in.

Step 5 Click the Auto-Reconnect checkbox for the SonicPoint to auto-reconnect to the SSL VPN server.

Note To configure L3 SSL VPN, refer to “SonicPoint Layer 3 Management” on page 17 and to the SonicOS Administrator’s Guide.

Radio 0 Basic and Radio 1 Basic Tabs

The Radio 0 Basic and Radio 1 Basic tabs are similar and have only a few differences, which are noted in the steps.

Note The sections and options displayed on the Radio 0 Basic/1 tabs change depending on whether you selected a VAP group in the Radio 0 Basic/1 Virtual AP Group drop-down menus on the General tab and the mode you select in the Mode drop-down menu. These choices apply only to the radio for which they were selected.


Step 1 Click the Radio 0 Basic or Radio 1 Basic tab.

Step 2 Configure the settings for the 5GHz (Radio 0) and 2.4GHz (Radio 1) band radios:

• “Radio 0 Basic Settings and Radio 1 Basic Settings” on page 76

• “Wireless Security” on page 79

• “Virtual Access Point Encryption Settings” on page 80

• “ACL Enforcement” on page 80


Radio 0 Basic Settings and Radio 1 Basic Settings

Note The options change depending on the mode you select.

Step 1 Select Enable Radio to automatically enable the 802.11ac radio bands on all SonicPoint ACs provisioned with this profile. This option is selected by default.

• From the Enable Radio drop-down menu, select a schedule for when the 802.11n radio is on or create a new schedule; default is Always on. You can create a new schedule by selecting Create new schedule.

Step 2 Select your preferred radio mode from the Mode drop-down menu. The wireless security appliance supports the following modes:

Radio 0 Basic Radio 1 Basic

5GHz 802.11n Only 2.4GHz 802.11n Only Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.

5GHz 802.11n/a Mixed 2.4GHz 802.11n/g/b Mixed

Supports 802.11a and 802.11n (Radio 0) or 802.11b, 802.11g, and 802.11n (Radio 1) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. This is the default.

5GHz 802.11a Only Select this mode if only 802.11a clients access your wireless network.

2.4GHz 802.11g Only If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.

5GHz 802.11ac Only Allows only 802.11ac clients access to your wire-less network. Other clients are unable to connect under this restricted radio mode.

5GHz 802.11ac/n/a Mixed

Supports 802.11ac, 802.11a, and 802.11n (Radio 0) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. This is the default.


Tip For 802.11n clients only, for optimal throughput speed solely, Dell SonicWALL recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.

Note The available 801.11n Radio 0/1 Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:• Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel, Enable Short Guard Interval, and Enable Aggregation.• Does not support 802.11n, only the Channel option is displayed.

Step 3 Optionally, select Enable DFS Channels to enable the use of Dynamic Frequency Selection (DFS), which allows wireless devices to share the same spectrum with existing radar systems within the 5 GHz band.

Note If you select this option, choose either Standard - 2MHz Channel or Wide - 40 MHz Channel as the Radio Band. The Primary Channel and Standard Channel drop-down menus then display a choice of available sensitive channels.

Note This option only appears on the Radio 0 Basic tab as the Radio 1 Basic does not have a wireless speed connection mode of at least 5 GHz.

Step 4 In the SSID field, enter a recognizable string for the SSID of each SonicPoint NDR using this profile. This is the name that will appear in clients’ lists of available wireless connections.

Note If all SonicPoint NDRs in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint NDR to another.

Step 5 If you selected a mode that

• Supports 802.11n, go to Step 7.

• Does not support 802.11n, select a channel from the Channel drop-down menu.

– Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. Use Auto unless you have a specific reason to use or avoid specific channels.


– Specific channel – You can select a single channel within the range of your regulatory domain. Selecting a specific channel also can help with avoiding interference with other wireless networks in the area.

Step 6 Go to Step 10.

Note When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed.

Step 7 For (802.11n only): from the Radio Band drop-down menu, select the band for the 802.11n radio:

• Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Both the Primary Channel and Secondary Channel are set to Auto also. This is the default setting.

• Standard - 20 MHz Channel—Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel options.

– Standard Channel—This drop-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity.

Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific a channel can also help with avoiding interference with other wireless networks in the area. The available channels depend on which Radio you are configuring:

• Wide - 40 MHz Channel—Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are active:

– Primary Channel—By default this is set to Auto. Optionally, you can specify a specific primary channel. The available channels are the same as for 802.11a in Step 5.

– Secondary Channel—Is set to Auto regardless of the setting of Primary Channel.

Step 8 Enable Short Guard Interval—Specifies the short guard interval of 400ns (as opposed to the standard guard interval of 800ns).

Radio 0: 802.11a Only Radio 1: 802.11g Only

Channel 36 (5180 MHz)Channel 40 (5200 MHz)Channel 44 (5220 MHz)Channel 48 (5240 MHz)Channel 149 (5745 MHz)Channel 153 (5765 MHz)Channel 157 (5785 MHz)Channel 161 (5805 MHz)

Channel 1 (2412 Mhz)Channel 2 (2417 MHz)Channel 3 (2422 MHz)Channel 4 (2427 MHz)Channel 5 (2432 MHz)Channel 6 (2437 MHz)Channel 7 (2442 MHz)Channel 8 (2447 MHz)Channel 8 (2452 MHz)Channel 10 (2457 MHz)Channel 11 (2462 MHz)

Radio 0 Same as for 802.11a in Step 5Radio 1 Same as for 802.11g in Step 5


Note This option is not available if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected.

A guard interval is a set amount of time between transmissions that is designed to ensure distinct transmissions do not interfere with one another. The guard interval introduces immunity to propagation delays, echoes, and reflections. An access point identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays.

The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long).

Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each access point. A short guard interval of 400 nanoseconds (ns) will work in most office environments as distances between points of reflection, as well as between clients, are short. Most reflections will be received quickly. The shorter the guard interval, the more efficiency there is in the channel usage, but a shorter guard interval also increases the risk of interference

Some outdoor deployments may, however, require a longer guard interval. The need for a long guard interval of 800 ns becomes more important as areas become larger, such as in warehouses and in outdoor environments, as reflections and echoes become more likely to continue after the short guard interval would be over.

The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays and increase 802.11n data rate. Ensure the wireless client also can support a short guard interval to avoid compatibility issues.

Step 9 Select Enable Aggregation to enable 802.11n frame aggregation, which combines multiple data frames in a single transmission to reduce overhead and increase throughput.


Data over wireless networks are sent as a stream of packets known as data frames. Frame aggregation takes these packets and combines them into fewer, larger packets, thereby allowing an increase in overall performance. Frame aggregation was added to the 802.11n specification to allow for an additional increase in performance. Frame aggregation is a feature that only 802.11n clients can take advantage of, as legacy systems will not be able to understand the new format of the larger packets.

Ensure the wireless client also can support aggregation to avoid compatibility issues.

Tip The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, etc.), these options may introduce transmission errors that eliminate any efficiency gains in throughput.

Step 10 The Enable MIMO option enables/disables MIMO (multiple-input multiple output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas. This option is enabled by default for all 802.11n modes and is dimmed to ensure it is not disabled. The option is activated and selected by default if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected.


Note Ensure the wireless client also can support these antennas to avoid compatibility issues. If the 802.11a or 502.11g client cannot support these antennas, disable the option by deselecting it.

Wireless Security

Note If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed. Go to “Virtual Access Point Encryption Settings” on page 97.

The options change depending on the authentication type you select.

The Wireless Security sections of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Wireless Security settings, see “Wireless Security” on page 93.

Virtual Access Point Encryption Settings

Note This section displays only if a VAP was selected from the Radio 0 Basic/1 Virtual AP Group drop-down menus in the Virtual Access Point Settings section of the General tab.

The Virtual Access Point Encryption Settings section of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Virtual Access Point Encryption Settings settings, see “Virtual Access Point Encryption Settings” on page 97.

WEP Authentication Types WPA/WPA2 Authentication Types


ACL Enforcement

The ACL Enforcement section of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the ACL Enforcement settings, see “ACL Enforcement” on page 98.


Radio 0 Advanced and Radio 1 Advanced Tabs

These settings affect the operation of the Radio 1 Basic radio bands. The SonicPoint has two separate radios built in. Therefore, it can send and receive on both bands at the same time.

The Radio 0 Advanced and Radio 1 Advanced tabs are quite similar.


The options on the Radio 0 Advanced and Radio 1 Advanced tabs are the same except that Radio 0 Advanced has the Fragmentation Threshold (bytes) field.

To configure the Radio 0 Advanced and Radio 1 Advanced setting:

Step 1 Select Hide SSID in Beacon to have the SSID send null SSID beacons in place of advertising the wireless SSID name. Sending null SSID beacons forces wireless clients to know the SSID before connecting. By default, this option is unchecked.

Step 2 From the Schedule IDS Scan drop-down menu, select a schedule for the IDS (Intrusion Detection Service) scan. Select a time when there are fewer demands on the wireless network to minimize the inconvenience of dropped wireless connections. You can create your own schedule by selecting Create new schedule or disable the feature by selecting Disabled, the default.

Note IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN Infrastructure, which consists of authorized access points, the RF medium, and the wired network. An authorized or valid-AP is defined as an access point that belongs to the WLAN infrastructure. The access point is either a Sonicpoint or a third party access point.

Step 3 From the Data Rate drop-down menu, select the speed at which the data is transmitted and received. Best (default) automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate, from a minimum of 1 Mbps to a maximum of 54 Mbps.

Step 4 From the Transmit Power drop-down menu, select the transmission power. Transmission power effects the range of the SonicPoint.

• Full Power (default)

• Half (-3 dB)

• Quarter (-6 dB)

• Eighth (-9 dB)

• Minimum

Step 5 From the Antenna Diversity drop-down menu, select the method that determines which antenna the SonicPoint uses to send and receive data.

– Best: This is the default setting. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.

– 1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply.

– 2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.

Step 6 In the Beacon Interval (milliseconds) field, enter the number of milliseconds between sending wireless SSID beacons. The minimum interval is 100 milliseconds, the maximum is 1000 milliseconds, and the default is 100 milliseconds.

Step 7 In the DTIM Interval field, enter the DTIM interval in milliseconds. The minimum number of frames is 1, the maximum is 255, and the default is 1.


For 802.11 power-save mode clients of incoming multicast packets, the Delivery Traffic Indication Message (DTIM) interval specifies the number of beacon frames to wait before sending a DTIM.

Step 8 In the Fragmentation Threshold (bytes) field, enter the number of bytes of fragmented data you want the network to allow. Fragment wireless frames to increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold numbers produce more fragments. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.

Step 9 In the RTS Threshold (bytes) field, enter the threshold for a packet size, in bytes, at which a request to send (RTS) will be sent before packet transmission. Sending an RTS ensures that wireless collisions do not take place in situations where clients are in range of the same access point, but may not be in range of each other. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 byes.

Step 10 In the Maximum Client Associations field, enter the maximum number of clients you want each SonicPoint using this profile to support on this radio at one time. The minimum number of clients is 1, the maximum number is 128, and the default number is 32.

Step 11 In the Station Inactivity Timeout (seconds) field, enter the maximum length of wireless client inactivity before Access Points age out the wireless client, in seconds. The minimum period is 60 seconds, the maximum is 36000 seconds, and the default is 300 seconds.

Step 12 From the WMM (Wi-Fi Multimedia) drop-down menu, select whether a WMM profile is to be associated with this profile:

• Disabled (default)

• Create new WMM profile. If you select Create new WMM profile, the Add Wlan WMM Profile window displays. For information about configuring a WMM profile, see “Configuring Wi-Fi Multimedia Parameters” on page 124.

• Custom WLAN WMM profile

Step 13 Select Enable Short Slot Time to allow clients to disassociate and reassociate more quickly. Specifying this option increases throughput on the 802.11n/g wireless band by shortening the time an access point waits before relaying packets to the LAN. By default, this option is not selected.

Step 14 Select Does not allow Only 802.11b Clients to Connect if you are using Turbo G mode and, therefore, are not allowing 802.11b clients to connect. Specifying this option limits wireless connections to 802.11g clients only. By default, this option is not selected.

Step 15 Select Enable Green AP to allow the SonicPoint ACe/ACi/N2 radio to go into sleep mode. This saves power when no clients are actively connected to the SonicPoint. The SonicPoint will immediately go into full power mode when any client attempts to connect to it. Green AP can be set on each radio independently, Radio 0 (5GHz) and Radio 1 (2,4GHz).

Step 16 In the Green AP Timeout(s) field, enter the timeout value in seconds that the access point will wait while it has no active connections before it goes into sleep mode. The timeout values can range from 10 seconds to 600 seconds. The default value is 20 seconds.


Sensor Tab

In the Sensor tab, you enable or disable Wireless Intrusion Detection and Prevention (WIDP) mode.

Note If this option is selected, Access Point or Virtual Access Point(s) functionality will be disabled automatically.

Step 1 Select Enable WIDF sensor to have the SonicPoint N operate as a dedicated WIDP sensor.

Step 2 From the drop-down menu, select the schedule for when the SonicPoint N operates as a WIDP sensor or select Create new schedule… to specify a different time; default is Always on.

Configuring a SonicPoint NDR Profile

You can add any number of SonicPoint NDR profiles. The specifics of the configuration will vary slightly depending on which protocols you select. To configure a SonicPoint NDR provisioning profile, perform the following tasks:

Step 1 Navigate to SonicPoint > SonicPoints page.

Step 2 To add a new SonicPoint NDR profile, click the Add SonicPoint NDR Profile button.orTo edit an existing NDR profile, click the Configure icon on the same row as the profile you want to edit.

The Add/Edit SonicPoint NDR Profile dialog appears.

You configure the SonicPoint NDR through options on these tabs:

• “General Tab” on page 72

• “Radio 0 Basic and Radio 1 Basic Tabs” on page 74

• “Radio 0 Advanced and Radio 1 Advanced Tabs” on page 81



General Tab

The Add/Edit SonicPoint Profile General tab.

In the General tab, configure the desired settings:



• “Layer 3 SSL VPN Tunnel Setting” on page 74

SonicPoint Settings

Step 1 Check Enable SonicPoint to enable each SonicPoint NDR automatically when it is provisioned with this profile. This option is selected by default.

Step 2 Optionally, check Retain Settings to have the SonicPoint NDRs provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default.

If you select this option, the Edit button becomes active and the Retain Settings window displays. To specify the settings to retain:


a. If you are editing an existing SonicPoint NDR profile, click the Edit button. The Retain Settings window displays.




c. Click OK.


Step 4 Enter a prefix for the names of all SonicPoint NDRs connected to this zone in the Name Prefix field. This prefix assists in identifying SonicPoint NDR on a zone. When each SonicPoint NDR is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint NDR 126008.

Step 5 Select the country where you are operating the SonicPoint NDRs from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.



Step 1 Optionally, select an 802.11n Virtual Access Point (VAP) group to assign these SonicPoint NDRs to a VAP from the Radio 0 Basic Virtual AP Group and Radio 1 Basic Virtual AP Group drop-down menus. The drop-down menus allow you to create a new VAP group. For more information on VAPs, see “SonicPoint > Virtual Access Point” on page 127.


Layer 3 SSL VPN Tunnel Setting






Note To configure L3 SSL VPN, refer to “SonicPoint Layer 3 Management” on page 17.

Radio 0 Basic and Radio 1 Basic Tabs

The Radio 0 Basic and Radio 1 Basic tabs are similar and have only a few differences, which are noted in the steps.

Note The sections and options displayed on the Radio 0 Basic/1 tabs change depending on whether you selected a VAP group in the Radio 0 Basic/1 Virtual AP Group drop-down menus on the General tab and the mode you select in the Mode drop-down menu. These choices apply only to the radio for which they were selected.


Step 1 Click the Radio 0 Basic or Radio 1 Basic tab.

Step 2 Configure the settings for the 5GHz (Radio 0) and 2.4GHz (Radio 1) band radios:

• “Radio 0 Basic Settings and Radio 1 Basic Settings” on page 76





Radio 0 Basic Settings and Radio 1 Basic Settings


Step 1 Select Enable Radio to automatically enable the 802.11n radio bands on all SonicPoint NDRs provisioned with this profile. This option is selected by default.




802.11a Mode802.11n Modes

Radio 0 Basic Radio 1 Basic

5GHz 802.11n Only 2.4GHz 802.11n Only Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.

5GHz 802.11n/a Mixed 2.4GHz 802.11n/g/b Mixed

Supports 802.11a and 802.11n (Radio 0) or 802.11b, 802.11g, and 802.11n (Radio 1) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. This is the default.

5GHz 802.11a Only Select this mode if only 802.11a clients access your wireless network.

2.4GHz 802.11g Only If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.


Note The available 801.11n Radio 0/1 Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:• Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel, Enable Short Guard Interval, and Enable Aggregation.• Does not support 802.11n, only the Channel option is displayed.

Step 3 Optionally, select Enable DFS Channels to enable the use of Dynamic Frequency Selection (DFS), which allows wireless devices to share the same spectrum with existing radar systems within the 5 GHz band.

Note If you select this option, choose either Standard - 2MHz Channel or Wide - 40 MHz Channel as the Radio Band. The Primary Channel and Standard Channel drop-down menus then display a choice of available sensitive channels.

Note This option only appears on the Radio 0 Basic tab as the Radio 1 Basic does not have a wireless speed connection mode of at least 5 GHz.

Step 4 In the SSID field, enter a recognizable string for the SSID of each SonicPoint NDR using this profile. This is the name that will appear in clients’ lists of available wireless connections.

Note If all SonicPoint NDRs in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint NDR to another.






Radio 0: 802.11a Only Radio 1: 802.11g Only






Step 7 For (802.11n only): from the Radio Band drop-down menu, select the band for the 802.11n radio:




Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific a channel can also help with avoiding interference with other wireless networks in the area. The available channels depend on which Radio you are configuring:



– Secondary Channel—Is set to Auto regardless of the setting of Primary Channel.






Radio 0 Same as for 802.11a in Step 5Radio 1 Same as for 802.11g in Step 5




Step 9 Select Enable Aggregation to enable 802.11n frame aggregation, which combines multiple data frames in a single transmission to reduce overhead and increase throughput.





Step 10 The Enable MIMO option enables/disables MIMO (multiple-input multiple output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas. This option is enabled by default for all 802.11n modes and is dimmed to ensure it is not disabled. The option is activated and selected by default if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected.

Note Ensure the wireless client also can support these antennas to avoid compatibility issues. If the 802.11a or 502.11g client cannot support these antennas, disable the option by deselecting it.

Wireless Security



The options change depending on the authentication type you select.

The Wireless Security sections of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Wireless Security settings, see “Wireless Security” on page 93.


Note This section displays only if a VAP was selected from the Radio 0 Basic/1 Virtual AP Group drop-down menus in the Virtual Access Point Settings section of the General tab.

The Virtual Access Point Encryption Settings section of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Virtual Access Point Encryption Settings settings, see “Virtual Access Point Encryption Settings” on page 97.

ACL Enforcement

The ACL Enforcement section of both Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the ACL Enforcement settings, see “ACL Enforcement” on page 98.



Radio 0 Advanced and Radio 1 Advanced Tabs

These settings affect the operation of the Radio 1 Basic radio bands. The SonicPoint has two separate radios built in. Therefore, it can send and receive on both bands at the same time.

The Radio 0 Advanced and Radio 1 Advanced tabs are quite similar.


The options on the Radio 0 Advanced and Radio 1 Advanced tabs are the same except that Radio 0 Advanced has the Fragmentation Threshold (bytes) field.

To configure the Radio 0 Advanced and Radio 1 Advanced setting:



Note IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN Infrastructure, which consists of authorized access points, the RF medium, and the wired network. An authorized or valid-AP is defined as an access point that belongs to the WLAN infrastructure. The access point is either a Sonicpoint or a third party access point.




• Half (-3 dB)

• Quarter (-6 dB)

• Eighth (-9 dB)

• Minimum








Sensor Tab






Configuring a SonicPoint N Profile

You can add any number of SonicPoint N profiles. The specifics of the configuration will vary slightly depending on which 802.11 protocols you select. To configure a SonicPoint N provisioning profile, perform the following tasks:

Step 1 Navigate to the SonicPoint > SonicPoints page.

Step 2 To add a new SonicPoint N profile, click the Add SonicPoint N Profile button in the SonicPoint N Provisioning Profiles table. To edit an existing profile, select the profile and click the Configure icon in the same line as the profile you want to edit. The Add/Edit SonicPoint N Profile window displays.

You configure the SonicPoint N through options on these tabs:

• “Settings Tab” on page 86

• “802.11n Radio Tab” on page 88

• “Advanced Tab” on page 99



Settings Tab

The Settings tab has these sections:



• “Layer 3 SSL VPN Tunnel Settings” on page 87

SonicPoint Settings

Step 1 Select Enable SonicPoint to enable each SonicPoint N automatically when it is provisioned with this profile. This option is selected by default.

Step 2 Optionally, select Retain Settings to have the SonicPoint Ns provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default.

If you select this option, the Edit button becomes active. To specify the settings to retain:

a. Click the Edit button. The Retain Settings window displays.




c. Click OK.


Step 4 Optionally, select Enable LED (Ni/Ne) to turn SonicPoint N LEDs on/off. This option is not selected by default.


Note This option applies only to the SonicPoint N model that has controllable LED hardware support.

Step 5 Enter a prefix for the names of all SonicPoint Ns connected to this zone in the Name Prefix field. This prefix assists in identifying SonicPoint N on a zone. When each SonicPoint N is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint N 126008.

Step 6 Select the country where you are operating the SonicPoint Ns from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.



Step 1 Optionally, select an 802.11n Virtual Access Point (VAP) group to assign these SonicPoint Ns to a VAP from the 802.11n Radio Virtual AP Group drop-down menu. This drop-down menu allows you to create a new VAP group. For more information on VAPs, see “SonicPoint > Virtual Access Point” on page 127.

Layer 3 SSL VPN Tunnel Settings






Note To configure L3 SSL VPN, click the link to SSL VPN > Client Settings. For information about Layer 3 SSL VPN, refer to the SonicOS Administrator’s Guide.


802.11n Radio Tab

Note The sections and options displayed on the 802.11n Radio tab change depending on whether you selected a VAP group in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab and the mode you select in the Mode drop-down menu.

Step 1 Click the 802.11n Radio tab.

Step 2 Configure the radio settings for the 802.11n radio:

• “802.11n Radio Settings” on page 89





802.11n Radio Settings


Step 1 Select Enable Radio option to automatically enable the 802.11n radio bands on all SonicPoints provisioned with this profile. This option is selected by default.



• 2.4GHz 802.11n Only—Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.

• 2.4GHz 802.11n/g/b Mixed—Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. This is the default.


• 2.4GHz 802.11g Only—If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.

• 5GHz 802.11n Only—Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.

• 5GHz 802.11n/a Mixed—Supports 802.11n and 802.11a clients simultaneously. If your wireless network comprises both types of clients, select this mode.

• 5GHz 802.11a Only—Select this mode if only 802.11a clients access your wireless network.

802.11a/g Modes802.11n Modes


Note The available 801.11n Radio Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:• Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel.• Does not support 802.11n, only the Channel option is displayed. • Supports 802.11a, the Enable DFS Channels option is displayed.

Step 3 If you selected a mode that supports 802.11a, optionally select Enable DFS Channels checkbox. The Enable Dynamic Frequency Selection (DFS) option allows wireless devices to share spectrum with existing radar systems in the 5 GHz band.

Step 4 In the SSID field, enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients’ lists of available wireless connections.

Note If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.








Step 7 For 802.11n only: from the Radio Band drop-down menu, select the band for the 802.11n radio:


802.11a 802.11g






Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific a channel can also help with avoiding interference with other wireless networks in the area. The available channels are the same as for 802.11g in Step 5.



– Secondary Channel—The configuration of this drop-down menu is controlled by your selection for the primary channel:

• If the primary channel is set to Auto, the secondary channel is also set to Auto.

• If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.








Step 9 Enable Aggregation—Enables 802.11n frame aggregation, which combines multiple data frames in a single transmission to reduce overhead and increase throughput.






Step 10 The Enable MIMO option enables/disables MIMO (multiple-input multiple output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas. This option is enabled by default for all 802.11n modes and is dimmed to ensure it is not disabled. The option is activated and selected by default if 5GHZ 802.11a Only or 2.4GHz 802.11g Only mode is selected. Ensure the wireless client also can support these antennas to avoid compatibility issues. If the 802.11a or 502.11g client cannot support these antennas, disable the option by deselecting it.


Wireless Security


The options change depending on the authentication type you select. Dell SonicWALL recommends using WPA2 with AES for best security.

Step 1 Select the method of authentication for your wireless network from the Authentication Type drop-down menu:

Note The options available change with the type of configuration you select.

• WEP - Both (Open System & Shared Key)

• WEP - Open System – All options are dimmed; go to “ACL Enforcement” on page 98.

• WEP - Shared Key

Note For WEP - Both (Open System & Shared Key) and WEP - Shared Key, go to “WEP Configuration” on page 93.

• WPA - PSK

• WPA - EAP

• WPA2-PSK

• WPA2-EAP

• WPA2-AUTO-PSK

• WPA2-AUTO-EAP

Note For WPA and WPA2 options, go to “WPA or WPA2 Configuration” on page 95.

WEP Configuration

WEP (Wired Equivalent Privacy) is a standard for Wi-Fi wireless network security.

A WEP key is a security code system for Wi-Fi networks. WEP keys allow a group of devices on a local network (such as a home network) to exchange encoded messages with each other while hiding the contents of the messages from easy viewing by outsiders.



WEP keys are chosen by a network administrator. When WEP security is enabled on a network, matching WEP keys must be set on Wi-Fi routers and each device connecting over Wi-Fi for them all to communicate with each other.

Step 1 Select the size of the encryption key from the WEP Key Mode drop-down menu:

• None – default for WEP - Both (Open System & Shared Key). If selected, the rest of the options in this section remain dimmed; go to “ACL Enforcement” on page 98

• 64 bit

• 128 bit

• 152 bit (default for WEP - Shared Key)

Step 2 From the Default Key drop-down menu, select the default key, which will be tried first when trying to authenticate a user:

• Key 1 (default)

• Key 2

• Key 3

• Key 4

Step 3 From the Key Entry drop-down menu, select whether the key is:

• Alphanumeric (default)

• Hexadecimal (0-9, A-F)

Step 4 In the Key 1 - Key 4 fields, enter up to four possible WEP encryptions keys to be used when transferring encrypted wireless traffic. Enter the most likely to be used in the field you selected as the default key.

Note The length of each key is based on the selected key type (alphanumeric or hexadecimal) and WEP strength (64, 128, or 152 bits)

• Key 1: First static WEP key associated with the key index.

• Key 2: Second static WEP key associated with the key index.

• Key 3: Third static WEP key associated with the key index.

• Key 4: Fourth static WEP key associated with the key index.

Step 5 Go to “ACL Enforcement” on page 98.


WPA or WPA2 Configuration

Note The options change depending on the authentication type selected.

Step 1 From the Cipher Type drop-down menu, select the cipher to encrypt your wireless data.

• AES (newer, more secure; default): AES (Advanced Encryption Standard) is a set of ciphers designed to prevent attacks on wireless networks. AES is available in block ciphers of either 128, 192 or 256 bits depending on the hardware you intend to use with it. In the networking field, AES is considered to be among the most secure of all commonly installed encryption packages.

• TKIP (older, more compatible): TKIP (Temporary Key Integrity Protocol) is not actually a cipher, but a set of security algorithms meant to improve the overall safety of WEP (wired equivalent privacy networks). WEP is widely known to have a host of serious security vulnerabilities. TKIP adds a few extra layers of protection to WEP.

• Auto: the appliance chooses the cipher type automatically.

Step 2 In the Group Key Interval field, enter the time period for which a Group Key is valid, that is, the time interval before the encryption key is changed automatically for added security. The default value is 86400 seconds (24 hours). Setting too low of a value can cause connection issues.

Step 3 For EAP authentication types, go to “RADIUS Server Settings” on page 96.

Step 4 For PSK authentication types only, enter a passphrase in the Passphrase field. This is the shared passphrase your network users must enter to gain network access when they connect with PSK-based authentication.

Note This option will be displayed only if you selected WPA-PSK, WPA2-PSK, or WPA2-AUTO-PSK for your authentication type.


PSK Authentication Type EAP Authentication Type


RADIUS Server Settings

Note This section displays only if you selected WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP for your authentication type. Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1x/EAP-capable RADIUS server for key generation. An EAP-compliant RADIUS server provides 802.1X authentication. The RADIUS server must be configured to support this authentication and all communications with the SonicWALL.

Step 1 Click the Configure button in the Radius Server Settings section. The SonicPoint Radius Server Settings window appears.

Step 2 In the Radius Server Retries field, enter the number retries allowed for the Radius server.

Step 3 In the Retry Interval (seconds) field enter the time, in seconds, between retries.

Step 4 To configure the Radius Server Settings, see “WPA-EAP / WPA2-EAP Encryption Settings” on page 138.




Note This section displays only if a VAP was selected from the 802.11n Radio Virtual AP Group drop-down menu in the Virtual Access Point Settings section of the Settings tab.

Step 1 Click the Configure button. The Edit 802.11n Virtual Access Point WEP Key window displays.

Step 2 From the Key Entry Method radio buttons, select whether the key is:

• Alphanumeric (default)

• Hexadecimal (0-9, A-F)

Step 3 From the Default Key radio buttons, select the default key, which will be tried first when trying to authenticate a user:

• Key 1 (default)

• Key 2

• Key 3

• Key 4

Step 4 In the Key 1 - Key 4 fields, enter up to four possible WEP encryptions keys to be used when transferring encrypted wireless traffic. Enter the most likely to be used in the field you selected as the default key.

• Key 1: First static WEP key associated with the key index.

• Key 2: Second static WEP key associated with the key index.

• Key 3: Third static WEP key associated with the key index.

• Key 4: Fourth static WEP key associated with the key index.

Step 5 From the Key Type drop-down menus, select the size of each key:

• None (default)

• 64 bit

• 128 bit

• 152 bit


ACL Enforcement

Step 1 Select Enable Mac Filter List to enforce Access Control by allowing or denying traffic from specific devices.

Step 2 From the Allow List drop-down menu, select a MAC address group to automatically allow traffic from all devices with a MAC address in the group.

• Create new Mac Address Object Group… – the Add Address Object Group window displays

• All MAC Addresses

• Default SonicPoint ACL Allow Group

• Custom MAC Address Object Groups

Step 3 From the Deny List drop-down menu, select a MAC address group to automatically deny traffic from all devices with a MAC address in the group.

• Create new Mac Address Object Group…

• No MAC Addresses

• Default SonicPoint ACL Deny Group

• Custom MAC Address Object Groups

Note The Deny List is enforced before the Allow List.

Step 4 Select Enable MIC Failure ACL Blacklist to detect WPA TKIP MIC failure floods and automatically place the problematic wireless station(s) into a blacklist to stop the attack. As wireless clients generate the TKIP countermeasures, they will also be automatically moved into blacklist, so the other wireless stations within the same wireless LAN network will not be affected.

Note It is recommended that the Allow List be set to All MAC Addresses and the Deny List be set to Default SonicPoint ACL Deny Group.

Step 5 Enter the maximum number of MIC failures per minute in the MIC Failure Frequency Threshold field; default is 3.


Advanced Tab

In the Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.




Note IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN Infrastructure, which consists of authorized access points, the RF medium, and the wired network. An authorized or valid-AP is defined as an access point that belongs to the WLAN infrastructure. The access point is either a SonicPoint or a third party access point.




• Half (-3 dB)

• Quarter (-6 dB)

• Eighth (-9 dB)

• Minimum



















Sensor Tab






Managing SonicPoints

This section contains the following subsections:

• “Modifying a SonicPoint Profile” on page 102

• “Updating SonicPoint Settings” on page 102

• “SonicPoint N Diagnostics Enhancement” on page 103

• “Updating SonicPoint Firmware” on page 103

• “Automatic Provisioning (SDP & SSPP)” on page 106

• “SonicPoint N and SonicPoint NDR States” on page 105

Modifying a SonicPoint Profile

To modify a SonicPoint Profile:


Step 2 Click the Edit icon for the SonicPoint N or SonicPoint NDR profile that you want to modify.

Step 3 In the SonicPoint Profile Settings dialog, edit the profile settings as you wish.

Step 4 Click OK.

Updating SonicPoint Settings

You can change the settings of any individual SonicPoint list on the Sonicpoint > SonicPoints page.

Topics:

• “Edit SonicPoint Settings” on page 102

• “Synchronize SonicPoints” on page 102

• “Enable and Disable Individual SonicPoints” on page 103

• “Disable All SonicPoints” on page 103

Edit SonicPoint Settings

To edit the settings of an individual SonicPoint:

Step 1 Under SonicPoint N, click the Edit icon in the same line as the SonicPoint you want to edit.

Step 2 In Edit SonicPoint window, make the changes you want. For instructions on configuring these settings, see “Configuring a SonicPoint N Profile” on page 85 or “Configuring a SonicPoint NDR Profile” on page 71.

Step 3 Click OK to apply these settings.

Synchronize SonicPoints

Click the Synchronize SonicPoints button at the top of the SonicPoint > SonicPoints page to issue a query directive from the firewall to the WLAN zone. All connected SonicPoints will report their current settings and statistics to SonicOS. SonicOS will also attempt to locate the presence of newly connected SonicPoints that have not yet registered with the firewall.


Enable and Disable Individual SonicPoints

You can enable or disable individual SonicPoints on the SonicPoint > SonicPoints page:

Step 1 Select the checkbox in the Enable column for the SonicPoint you want to enable or disable. Select the checkbox to enable the SonicPoint, clear the box to disable it.

Step 2 Click Accept to apply this setting to the SonicPoint.

Disable All SonicPoints

Click the Delete All button above or below the table.

SonicPoint N Diagnostics Enhancement

A SonicPoint can collect critical runtime data and save it into persistent storage in the global SonicPoint Peer List. If the SonicPoint experiences a failure, the diagnostic enhancement feature allows the Dell SonicWALL managing appliance to retrieve the log data when the SonicPoint reboots. Then, this log data is incorporated into the Tech Support Report (TSR).

To enable the SonicPoint-N diagnostic enhancement feature, follow the steps listed below:

Step 1 Navigate to the System > Diagnostics page.

Step 2 Select the SonicPoint N Diagnostics checkbox in the Tech Support Report section.

Step 3 Click Accept. You can then generate a TSR with information available for the SonicPoint-N Diagnostics by clicking the Download Report button.

Note You may need to re-synchronize your SonicPoint-N and Dell SonicWALL managing appliance to the latest SonicPoint Firmware in order to retrieve the latest SonicPoint-N Diagnostics.

Updating SonicPoint Firmware

Not all SonicOS Enhanced firmware contains an image of the SonicPoint firmware. To check, scroll to the bottom of the SonicPoint > SonicPoints page and look for the Download link.

If your Dell SonicWALL appliance has Internet connectivity, it will automatically download the correct version of the SonicPoint image from the Dell SonicWALL server when you connect a SonicPoint device.

If your Dell SonicWALL appliance does not have Internet access, or has access only through a proxy server, you must perform the following steps:

Step 1 Download the SonicPoint image from http://www.mySonicWALL.com to a local system with Internet access.

You can download the SonicPoint image from one of the following locations:

– On the same page where you can download the SonicOS firmware

– On the Download Center page, by selecting SonicPoint in the Type drop-down menu

Step 2 Load the SonicPoint image onto a local Web server that is reachable by your Dell SonicWALL appliance.


http://www.mysonicwall.com

You can change the file name of the SonicPoint image, but you should keep the extension intact (ex: .bin.sig).

Step 3 In the SonicOS user interface on your Dell SonicWALL appliance, in the navigation pane, click System and then click Administration.

Step 4 In the System > Administration screen, under Download URL, click the Manually specify SonicPoint image URL checkbox to enable it.

Step 5 In the text box, type the URL for the SonicPoint image file on your local Web server.

Note When typing the URL for the SonicPoint image file, do NOT include “http://” in the text box.

Step 6 Click Accept.


SonicPoint N and SonicPoint NDR States

SonicPoint N and SonicPoint NDR devices can function in and report the following states (in all states listed below, SonicPoint refers to both SonicPoint N and SonicPoint NDR devices):

• Initializing—The state when a SonicPoint starts up and advertises itself via SDP prior to it entering into an operational or stand-alone mode.

• Operational—Once the SonicPoint has peered with a SonicOS device and has its configuration validated, it will enter into a operational state, and will be ready for clients.

• Provisioning—If the SonicPoint configuration requires an update, the SonicOS device will engage an SSPP channel to update the SonicPoint. During this brief process it will enter the provisioning state.

• Safemode—Safemode can be engaged by depressing the reset button, or from the SonicOS peer device. Placing a SonicPoint into Safemode returns its configuration to defaults, disables the radios, and disables SDP. The SonicPoint must then be rebooted to enter either a stand-alone, or some other functional state.

• Non-Responsive—If a SonicOS device loses communications with a previously peered SonicPoint, it will report its state as non-responsive. It will remain in this state until either communications are restored, or the SonicPoint is deleted from the SonicOS device’s table.

• Updating Firmware—If the SonicOS device detects that it has a firmware update available for a SonicPoint, it will use SSPP to update the SonicPoint’s firmware.

• Downloading Firmware—The Dell SonicWALL appliance is downloading new SonicPoint firmware from the configured URL, which can be customized by the administrator.

• Downloading Failed—The Dell SonicWALL appliance cannot download the SonicPoint firmware from the configured URL.

• Writing Firmware—While the SonicPoint is writing new firmware to its flash, the progress is displayed as a percentage in the SonicOS management interface in the SonicPoint status field.

• Over-Limit—By default, up to 2 SonicPoint devices can be attached to the Wireless zone interface. If more than 2 units are detected, the over-limit devices will report an over-limit state, and will not enter an operational mode. The number can be reduced from 2 as needed.

• Rebooting—After a firmware or configuration update, the SonicPoint will announce that it is about to reboot, and will then do so.

• Firmware failed—If a firmware update fails, the SonicPoint will report the failure, and will then reboot.

• Provision failed—In the unlikely event that a provision attempt from a SonicOS device fails, the SonicPoint will report the failure. So as not to enter into an endless loop, it can then be manually rebooted, manually reconfigured, or deleted and re-provisioned.

• Stand-alone Mode (not reported)—If a SonicPoint device cannot find or be found by a SonicOS device to peer with, it will enter a stand-alone mode of operation. This will engage the SonicPoint’s internal GUI (which is otherwise disabled) and will allow it to be configured as a conventional Access Point. If at any time it is placed on the same layer 2 segment as a SonicOS device that is sending Discovery packets, it will leave stand-alone mode, and will enter into a managed mode. The stand-alone configuration will be retained.


SonicPoint Auto Provisioning

Topics:

• “Automatic Provisioning (SDP & SSPP)” on page 106

• “Enabling Auto Provisioning” on page 107

• “Enabling SonicPoint Auto Provisioning for a WLAN Zone” on page 108

Automatic Provisioning (SDP & SSPP)

The Dell SonicWALL Discovery Protocol (SDP) is a layer 2 protocol employed by SonicPoints and devices running SonicOS. SDP is the foundation for the automatic provisioning of SonicPoint units via the following messages:

• Advertisement—SonicPoint devices without a peer will periodically and on startup announce or advertise themselves via a broadcast. The advertisement will include information that will be used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS device will then report the state of all peered SonicPoints, and will take configuration actions as needed.

• Discovery—SonicOS devices will periodically send discovery request broadcasts to elicit responses from L2 connected SonicPoint units.

• Configure Directive—A unicast message from a SonicOS device to a specific SonicPoint unit to establish encryption keys for provisioning, and to set the parameters for and to engage configuration mode.

• Configure Acknowledgement—A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.

• Keepalive—A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.

If via the SDP exchange the SonicOS device ascertains that the SonicPoint requires provisioning or a configuration update (e.g. on calculating a checksum mismatch, or when a firmware update is available), the Configure directive will engage a 3DES encrypted, reliable TCP based Dell SonicWALL Simple Provisioning Protocol (SSPP) channel. The SonicOS device will then send the update to the SonicPoint via this channel, and the SonicPoint will restart with the updated configuration. State information will be provided by the SonicPoint, and will be viewable on the SonicOS device throughout the entire discovery and provisioning process.


Enabling Auto Provisioning

SonicPoint Auto Provisioning can be enabled to automatically provision the following wireless SonicPoint provisioning profiles:

• SonicPoint

• SonicPoint N

• SonicPoint NDR

Initial configuration of a wireless SonicPoint is provisioned from a SonicPoint profile, which is attached to the wireless LAN managing zone. After a wireless SonicPoint is provisioned, the profile remains an offline configuration template that is not directly associated with any SonicPoint. So, modifying a profile does not automatically trigger a SonicPoint for reprovisioning.

Before SonicPoint Auto Provisioning was introduced, administrators had to manually delete all SonicPoints, and then synchronize new SonicPoints to the profile, which was time consuming. To simplify configuration and ease management overhead, SonicPoint Auto Provisioning was introduced.

Checkboxes to enable Auto Provisioning for each of the SonicPoint Provisioning Profiles are provided in the Network > Zones > Configure > Wireless configuration window. By default, the checkboxes for the SonicPoint Provisioning Profiles are not checked and Auto Provisioning is not enabled.

When the checkbox for a provisioning profile is checked and that profile is changed, all SonicPoint devices linked to that profile are reprovisioned and rebooted to the new operational state.


Enabling SonicPoint Auto Provisioning for a WLAN Zone

To enable SonicPoint Auto Provisioning:

Step 1 On the Dell SonicWALL Security Appliance, go to Network > Zones.

Step 2 Click the Edit icon for a WLAN (or any other wireless) SonicPoint profile. The Edit Zone window displays.

Step 3 Select the Wireless tab.

Step 4 Under Sonic Point Settings, select Auto Provisioning for each of the SonicPoint Provisioning Profiles that you want to be auto provisioned.

Step 5 Click OK.

The following warning message is displayed, informing you that all Sonic Point devices in the same zone will be auto provisioned.

Step 6 Click OK.

After you click OK, all linked SonicPoint N devices are reprovisioned and rebooted.


Remote MAC Access Control for SonicPointsThe Enable Remote MAC Access Control option has been added for SonicPoints.

Note Remote MAC Access Control is also supported for VAPs. See “Remote MAC Access Control for VAPs” on page 165.

To enable Remote MAC Access Control on a SonicPoint:

Step 1 Go to the SonicPoint > SonicPoints page.

Step 2 Click one of the following buttons:

• Add SonicPoint N Profile

• Add SonicPoint NDR Profile

• Add SonicPoint ACe/ACi/N2 Profile

The Add/Edit SonicPoint Profile dialog appears. The Remote MAC Address Access Control Settings panel appears at the bottom of the dialog.

SonicPoint N Profile Dialog


SonicPoint NDR and SonicPoint ACe/ACi/N2 Radio 0 Profile Dialog

SonicPoint NDR and SonicPoint ACe/ACi/N2 Radio 1 Profile Dialog


Step 3 For SonicPoint N, click the 802.11n Radio tab. For SonicPoint NDR or SonicPoint ACe/ACi/N2, click the Radio 0 or Radio 1 tab.

Step 4 Select the Enable Remote MAC Access Control option.

Step 5 Click the Configure button. The Radius Server Settings appear.

Step 6 In the appropriate fields, enter the RADIUS server settings that you want. For information on configuring the RADIUS server settings, see the SonicOS Administrator’s Guide.

Step 7 Click OK.

Caution You cannot enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled. If you do, you will get the following error message: Remote MAC address access control can not be set whenIEEE 802.11i EAP is enabled.


SonicPoint Management over SSL VPN As a part of SonicWALL Advanced Management Protocol (SAMP) suite, SonicWALL SSL VPN Based Management Protocol (SSMP) utilizes the SonicWALL SSL VPN solution to provide remote SonicPoint N management. SonicPoint N has integrated NetExtender client and supports SSL VPN remote access in the standalone models as the following figure shows.

SonicPoint is used as a managed bridge to work with the firewall as a secure wireless solution. The SonicPoint is configured and managed centrally by the SonicWALL Gateway. The SonicPoint retrieves the latest firmware and configuration information from the firewall and automatically configures itself.

SAMP manages SonicPoints at Layer 3, and SSMP provides the functionality for running the SonicPoint management protocol over SSL VPN.

Configuring SonicPoint Management over SSL VPN

This section contains the following subsections:

• “Creating a WLAN Tunnel Interface” on page 113

• “Configuring the SSL VPN Settings” on page 115

• “Creating a User for the SSL VPN Client” on page 117

• “SonicPoint Traffic Routing” on page 118

• “Provisioning SSL VPN Server Information to SonicPoint N” on page 118

• “Establishing an SSL VPN Tunnel to a Remote Network” on page 119


Creating a WLAN Tunnel Interface

To create a WLAN Tunnel Interface :

Step 1 Go to the Network > Interfaces page,

Step 2 From the Add Interface menu, select Add WLAN Tunnel Interface.


When you select Add WLAN Tunnel Interface, the Add WLAN Tunnel Interface dialog appears.

Step 3 In the Interface Settings fields, configure the WLAN Tunnel Interface values that you want.

a. Set the Zone field to WLAN.

b. Set the Tunnel Source Interface field to the interface that is used for the SSL VPN tunnel (such as X2).

c. Configure the other fields and options as you wish.

Step 4 Click OK.


Configuring the SSL VPN Settings

To configure the SSL VPN Settings:

Step 1 Go to the SSL VPN > Client Settings page.

Step 2 Click the configure button for the Default Device Profile for SonicPointN.

Step 3 Under Basic Settings, enter the Name and Description that you want for the SonicPoint N device.

Step 4 In the Zone IP V4 menu, select SSLVPN.

Step 5 In the Network Address IP V4 menu, select the network that you want.or Select Create new network to create a new network object, then select it.


Step 6 Click the Client Routes tab.

Step 7 In the Networks menu, select the subnet interface (that the WLAN Tunnel Interface has been bound to), and (using the arrows) add it to the Client Routes box.

Step 8 Select the SP L3 Settings tab.

Step 9 Select the WLAN Tunnel Interface that you want to bind to the remote SonicPoint N device.

Step 10 Click OK.


Creating a User for the SSL VPN Client

To create a user for an SSL VPN Client:

Step 1 Go to the Users > Local Users page.

Step 2 Click the Add User button or the Edit button for the user you want to edit. The Add/Edit User dialog appears.

Step 3 Click the Groups tab.

Step 4 Add SSL VPN Services to the Member of field.

Step 5 Click the VPN Access tab.

Step 6 Add the Subnet of the Interface that WLAN Tunnel interface has been bound to into the Access List. In this case, it is X2 Subnet.

Step 7 Click OK.


SonicPoint Traffic Routing

In addition to the route to the subnet of the WLAN Tunnel Interface (X2 Subnet), users can also add other routes under the Client Route tab of the SSL VPN Edit Device dialog.

Adding other routes will enable remote wireless clients to access internal networks via the SSL VPN tunnel of the SonicPoint and the SonicOS. The traffic to other destinations will be routed locally on the SonicPoint without tunneling to the SonicOS side.

Provisioning SSL VPN Server Information to SonicPoint N

To provision SSL VPN Server information to a SonicPoint N device:


Step 2 Click one of the following buttons:

• Add SonicPoint N Profile

• Add SonicPoint NDR Profile

• Add SonicPoint ACe/ACi/N2 Profile

Step 3 Under L3 SSLVPN Tunnel Settings, enter the SSL VPH Server, User Name, Password, and Domain.

Step 4 Select the Auto Reconnect option.

To push the settings to the SonicPoint device, connect the SonicPoint device to SSL VPN Server via a Layer 2 connection.


Establishing an SSL VPN Tunnel to a Remote Network

If the remote network site supports DHCP, set the SonicPoint to the factory default settings and connect it the network. The SonicPoint will get the IP address and the Gateway automatically from DHCP. The SSL VPN server information will be saved after factory default settings are in place. After the SonicPoint gets its DHCP lease, it will connect to the remote SonicWALL Gateway.

If the remote network site does not support DHCP, set the SonicPoint to the factory default settings and set the network parameters. Then the SonicPoint will automatically connect to remote SonicWALL Gateway.


Chapter 3

Configuring Wi-Fi MultiMedia

SonicPoint > Wi-Fi MultimediaSonicPoint access points support Wi-Fi Multimedia (WMM) to provide a better Quality of Service (QoS) experience on bandwidth-intensive applications such as VoIP and multimedia traffic on wireless networks. WMM is a Wi-Fi Alliance interoperability certification based on the IEEE 802.11e standard. It prioritizes traffic according to four Access Categories:

• Voice—highest priority

• Video—second priority

• Best effort—third priority (intended for applications like email and Internet surfing)

• Background—fourth priority (intended for applications that are not latency sensitive, such as printing)

Note WMM does not provide guaranteed throughput.

Topics:

• “WMM Access Categories” on page 121

• “Assigning Traffic to Access Categories” on page 123

• “Configuring Wi-Fi Multimedia Parameters” on page 124

• “Deleting WMM Profiles” on page 125

WMM Access Categories

Each Access Category has its own transmit queue. Traffic is assigned to the appropriate Access Category based on type of service (ToS) information that is provided by either the application or the firewall. Dell SonicWALL security appliances assign ToS either through access rules or VLAN tagging.

Configuring Wi-Fi MultiMedia | 121

The following table shows how the WMM Access Categories map to 802.1D user priorities.

WMM prioritizes traffic through a process known as Enhanced distributed channel access (EDCA). EDCA is a contention-based mechanism for governing access to the transmission channel among the four WMM Access Categories. EDCA requires uses a listen-then-talk method where clients must wait for a random “backoff” period of time to observe if any other devices are transmitting before they transmit. The backoff times are randomized to reduce the likelihood of collisions and to give all devices a fair chance. WMM prioritizes traffic by defining a different range of “backoff” periods for each Access Category. The WMM backoff periods are defined by two parameters:

• Arbitration Inter-Frame Space (AIFS) – The time interval between the wireless channel becomes idle and when the AC can begin negotiating access to the channel.

• Contention Window (CW) – The range of possible values for the random backoff periods. A range of time that specifies the random backoff period. The CW is defined by a minimum and maximum value:

– Minimum contention window size (CWMin) – The initial upper limit of the length of the CW. The AC will wait for a random time between 0 and CWMin before attempting to transmit. Higher priority AC with higher priority is assigned a shorter CWMin.

– Maximum contention window size (CWMax) – The upper limit of the CW. If a collision occurs, the AC doubles the size of the CW, up to the CWMax, and attempts to transmit again. The CWMax must be larger than the CWMin.

Higher priority ACs are generally given lower values for AIFS, CWMin, CWMax.

Note The unit of measure for AIFS, CWMin, and CWMax is multiples of the slot time for the 802.11 standard that is being used. For 802.11b, one slot is 20 microseconds. For 802.11a and 802.11g, one slot is 9 microseconds. The slot time for the 802.11n and the 802.11ac is 9 microseconds.

Priority

User Priority(Same as 802.1D user priority)

802.1D designation

WMM Access Category (AC)

WMM AC Designation (informative)

Lowest

Highest

1 BK AC_BK Background

2 – AC_BK Background

0 BE AC_BE Best Effort

3 EE AC_BE Best Effort

4 CL AC_VI Video

5 VI AC_VI Video

6 VO AC_VO Voice

7 NC AC_VO Voice


Separate WMM parameters are configured for Access Points (SonicPoints) and for wireless clients (such as smart phones or laptops). The following tables show the default WMM parameters for SonicPoints and wireless clients.

Assigning Traffic to Access Categories

Dell SonicWALL security appliances assign traffic to WMM Access Categories through two methods:

• Specifying DSCP through access rules

• Specifying a VLAN tag

Default WMM Parameters for SonicPoints


WMM AC Designation (informative) CWMin CWMax AIFS

AC_BE(0) Best Effort 4 6 3

AC_BK(1) Background 4 10 7

AC_VI(2) Video 3 4 1

AC_VO(3) Voice 2 3 1

Default WMM Parameters for Wireless Clients


WMM AC Designation (informative) CWMin CWMax AIFS

AC_BE(0) Best Effort 4 10 3

AC_BK(1) Background 4 10 7

AC_VI(2) Video 3 4 2

AC_VO(3) Voice 2 3 2


Configuring Wi-Fi Multimedia Parameters

By default, a single WMM profile is configured on the Dell SonicWALL security appliance with the parameters set to the values on the 802.11e standard. To customize the WMM configuration, perform the following tasks:

Step 1 Navigate to the SonicPoint > Wi-Fi Multimedia page.

Step 2 To modify the WMM profile, click the configure icon for that profile. Or to create a new WMM profile, click the Add button. The Add Wlan WMM Profile window displays.

Step 3 For a new WMM profile, enter a Profile Name. The default name is wmmDefault.

Step 4 The default WMM parameter values are auto-populated in the window. Modify the parameters to customize the WMM profile. For information about these categories, see “WMM Access Categories” on page 121.


Step 5 Click the Mapping tab to customize how the Access Categories are mapped to DSCP values.

Step 6 Click OK. The WMM Profiles table is updated.

Deleting WMM Profiles

To delete a single WMM Profile, click the Delete icon in the profile’s Configure column.

To delete some WMM Profiles, select the checkboxes of the profiles to delete, and then click the Delete button.

To delete all WMM Profiles, click the Delete All button. A pop-up message appears to confirm that all profiles are to be deleted.


Chapter 4

Configuring Virtual Access Points

SonicPoint > Virtual Access PointTopics:

• “SonicPoint VAP Overview” on page 127

• “Thinking Critically About VAPs” on page 130

• “SonicPoint Virtual AP Configuration Task List” on page 133

• “VAP Sample Configurations” on page 141

• “Remote MAC Access Control for VAPs” on page 165

SonicPoint VAP Overview

Topics:

• “What Is a Virtual Access Point?” on page 127

• “What Is an SSID?” on page 128

• “Wireless Roaming with ESSID” on page 129

• “What Is a BSSID?” on page 129

• “Benefits of Using Virtual APs” on page 129

• “Benefits of Using Virtual APs with VLANs” on page 129

• “Prerequisites” on page 130

• “Deployment Restrictions” on page 130

What Is a Virtual Access Point?

A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP. Before the evolution of the Virtual AP feature support, wireless networks were relegated to a One-to-One relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. In other words, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients, and if the latter were required, they would had to have been provided by a separate,

Configuring Virtual Access Points | 127

distinctly configured Access Points. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identified (SSID). This allows for segmenting wireless network services within a single radio frequency footprint of a single physical access point device.

VAPs allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical SonicPoint access points simultaneously.

For more information on SonicOS Secure Wireless features, refer to the SonicWALL Secure Wireless Integrated Solutions Guide available at http://store.elsevier.com/.

What Is an SSID?

A Service Set IDentifier (SSID) is the name assigned to a wireless network. Wireless clients must use this same, case-sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up to 32 bytes long. Multiple SonicPoints on a network can use the same SSIDs. You can configure up to 8 unique SSIDs on SonicPoints and assign different configuration settings to each SSID.

SonicPoints broadcast a beacon (announcements of availability of a wireless network) for every SSID configured. By default, the SSID is included within the beacon so that wireless clients can see the wireless networks. The option to suppress the SSID within the beacon is provided on a per-SSID (e.g. per-VAP or per-AP) basis to help conceal the presence of a wireless network, while still allowing clients to connect by manually specifying the SSID.


http://store.elsevier.com/

The following settings can be assigned to each VAP:

• Authentication method

• VLAN

• Maximum number of client associations using the SSID

• SSID Suppression

Wireless Roaming with ESSID

An ESSID (Extended Service Set IDentifier) is a collection of Access Points (or Virtual Access Points) sharing the same SSID. A typical wireless network comprises more than one AP for the purpose of covering geographic areas larger than can be serviced by a single AP. As clients move through the wireless network, the strength of their wireless connection decreases as they move away from one Access Point (AP1) and increases as they move toward another (AP2). Providing AP1 and AP2 are on the same ESSID (for example, ‘Dell SonicWALL’) and that the (V)APs share the same SSID and security configurations, the client will be able to roam from one to the other. This roaming process is controlled by the wireless client hardware and driver, so roaming behavior can differ from one client to the next, but it is generally dependent upon the signal strength of each AP within an ESSID.

What Is a BSSID?

A BSSID (Basic Service Set IDentifier) is the wireless equivalent of a MAC (Media Access Control) address, or a unique hardware address of an AP or VAP for the purposes of identification. Continuing the example of the roaming wireless client from the ESSID section above, as the client on the ‘Dell SonicWALL’ ESSID moves away from AP1 and toward AP2, the strength of the signal from the former will decrease while the latter increases. The client’s wireless card and driver constantly monitors these levels, differentiating between the (V)APs by their BSSID. When the card/driver’s criteria for roaming are met, the client will detach from the BSSID of AP1 and attach to the BSSID or AP2, all the while remaining connected the ‘Dell SonicWALL’ ESSID.

Benefits of Using Virtual APs

This section includes a list of benefits in using the Virtual AP feature:

• Radio Channel Conservation—Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes to avoid channel collision problem. Channel conservation. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.

• Optimize SonicPoint LAN Infrastructure—Share the same SonicPoint LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower down the capital expenditure for installation and maintenance of your WLANs.

Benefits of Using Virtual APs with VLANs

Although the implementation of VAPs does not require the use of VLANs, VLAN use does provide practical traffic differentiation benefits. When not using VLANs, the traffic from each VAP is handled by a common interface on the Dell SonicWALL security appliance. This means


that all traffic from each VAP will belong to the same zone and same subnet (Footnote: a future version of SonicOS will allow for traffic from different VAPs to exist on different subnets within the same zone, providing a measure of traffic differentiation even without VLAN tagging). By tagging the traffic from each VAP with a unique VLAN ID, and by creating the corresponding subinterfaces on the Dell SonicWALL security appliance, it is possible to have each VAP occupy a unique subnet, and to assign each subinterface to its own zone.

This affords the following benefits:

• Each VAP can have its own security services settings (GAV, IPS, CFS, etc.).

• Traffic from each VAP can be easily controlled using Access Rules configured from the zone level.

• Separate Guest Services or Lightweight Hotspot Messaging (LHM) configurations can be applied to each, facilitating the presentation of multiple guest service providers with a common set of SonicPoint hardware.

• Bandwidth management and other Access Rule-based controls can easily be applied.

Prerequisites

• Each Dell SonicWALL SonicPoint must be explicitly enabled for Virtual Access Point support by selecting the Enable SonicPoint checkbox in one of the following dialogs on the SonicPoint > SonicPoints > page:

– Add SonicPoint N Profile

– Add SonicPoint NDR Profile

– Add SonicPoint ACe/ACi/N2 Profile

• SonicPoints must be linked to a wireless zone on your Dell SonicWALL network security appliance in order for provisioning of APs to take place.

• When using VAPs with VLANs, you must ensure that the physical SonicPoint discovery and provisioning packets remain untagged (unless being terminated natively into a VLAN subinterface on the Dell SonicWALL). You must also ensure that VAP packets that are VLAN tagged by the SonicPoint are delivered unaltered (neither un-encapsulated nor double-encapsulated) by any intermediate equipment, such as a VLAN capable switch, on the network.

Deployment Restrictions

When configuring your VAP setup, be aware the Maximum SonicPoint restrictions apply and differ based on your Dell SonicWALL security appliance. Review these restrictions in the “Custom VLAN Settings” on page 135.

Thinking Critically About VAPs

This section provides content to help determine what your VAP requirements are and how to apply these requirements to a useful VAP configuration.

Topics:

• “Determining Your VAP Needs” on page 131

• “A Sample Network” on page 131

• “Determining Security Configurations” on page 131

• “VAP Configuration Worksheet” on page 132


Determining Your VAP Needs

When deciding how to configure your VAPs, begin by considering your communication needs, particularly:

• How many different classes of wireless users do I need to support?

• How do I want to secure these different classes of wireless users?

• Does my wireless client have the required hardware and drivers to support the chosen security settings?

• What network resources do my wireless users need to communicate with?

• Do any of these wireless users need to communicate with other wireless users?

• What security services do I wish to apply to each of these classes or wireless users?

A Sample Network

The following is a sample VAP network configuration, describing separate VAPs:

• VAP #1, Corporate Wireless Users – A set of users who are commonly in the office, and to whom should be given full access to all network resources, providing that the connection is authenticated and secure. These users already belong to the network’s Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS – Internet Authentication Services.

• VAP#2, Legacy Wireless Devices – A collection of older wireless devices, such as printers, PDAs and handheld devices, that are only capable of WEP encryption.

• VAP#3, Visiting Partners – Business partners, clients, and affiliated who frequently visit the office, and who need access to a limited set of trusted network resources, as well as the Internet. These users are not located in the company’s Directory Services.

• VAP# 4, Guest Users – Visiting clients to whom you wish to provide access only to untrusted (for example, Internet) network resources. Some guest users will be provided a simple, temporary username and password for access.

• VAP#5, Frequent Guest Users – Same as Guest Users, however, these users will have more permanent guest accounts through a back-end database.

Determining Security Configurations

By understanding these requirements, you can then define the zones (and interfaces) and VAPs that will provide wireless services to these users:

• Corp Wireless – Highly trusted wireless zone. Employs WPA2-AUTO-EAP security.

• WEP & PSK – Moderate trust wireless zone. Comprises two virtual APs and subinterfaces, one for legacy WEP devices (for example, wireless printers, older handheld devices) and one for visiting clients who will use WPA-PSK security.

• Guest Services – Using the internal Guest Services user database.

• LHM – Lightweight Hotspot Messaging enabled zone, configured to use external LHM authentication-back-end server.


VAP Configuration Worksheet

The worksheet below provides some common VAP setup questions and solutions along with a space for you to record your own configurations.

For sample configurations, see “VAP Sample Configurations” on page 141.

Questions Examples Solutions

How many different types of users will I need to support?

Corporate wireless, guest access, visiting part-ners, wireless devices are all common user types, each requiring their own VAP

Plan out the number of different VAPs needed. Configure a zone and VLAN for each VAP needed

Your Configurations:

How many users will each VAP need to support?

A corporate campus has 100 employees, all of whom have wireless capabilities

The DHCP scope for the visitor zone is set to provide at least 100 addresses

A corporate campus often has a few dozen wire-less capable visitors

The DHCP scope for the visitor zone is set to provide at least 25 addresses


How do I want to secure different wire-less users?

A corporate user who has access to corporate LAN resources.

Configure WPA2-EAP

A guest user who is restricted to only Internet access

Enable Guest Services but configure no security settings

A legacy wireless printer on the corporate LAN Configure WEP and enable MAC address filtering


What network resources do my users need to communicate with?

A corporate user who needs access to the cor-porate LAN and all internal LAN resources, including other WLAN users.

Enable Interface Trust on your corporate zone.

A wireless guest who needs to access the Inter-net and should not be allowed to communicate with other WLAN users.

Disable Interface Trust on your guest zone.


What security services to I wish to apply to my users?

Corporate users who you want protected by the full Dell SonicWALL security suite.

Enable all Dell SonicWALL security ser-vices.

Guest users who you do not give a hoot about since they are not even on your LAN.

Disable all Dell SonicWALL security ser-vices.



SonicPoint Virtual AP Configuration Task List

A SonicPoint VAP deployment requires several steps to configure. The following section provides first a brief overview of the steps involved, and then a more in-depth examination of the parts that make up a successful VAP deployment. These sections describe VAP deployment requirements:

• “SonicPoint VAP Configuration Overview” on page 133

• “Network Zones” on page 134

• “VLAN Subinterfaces” on page 135

• “DHCP Server Scope” on page 135

• “Virtual Access Points Profiles” on page 136

• “Virtual Access Points” on page 139

• “Virtual Access Point Groups” on page 141

• “Sonic Point Provisioning Profiles” on page 141

Before configuring your SonicPoint VAPs, you should also consider reading:

• “VAP Sample Configurations” on page 141

SonicPoint VAP Configuration Overview


The following are required areas of configuration for VAP deployment:

1. Zone—The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of VLAN subinterfaces.

2. Interface (or VLAN Subinterface)—The Interface (X2, X3, etc...) represents the physical connection between your Dell SonicWALL network security appliance and your SonicPoint(s). Your individual zone settings are applied to these interfaces and then forwarded to your SonicPoints.

3. DHCP Server—The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully to ensure the available lease scope is not exhausted.

4. VAP Profile—The VAP Profile feature allows for creation of SonicPoint configuration profiles which can be easily applied to new SonicPoint Virtual Access Points as needed.

5. VAP Objects—The VAP Objects feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings.

6. VAP Groups—The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s).

7. Assign VAP Group to SonicPoint Provisioning Profile Radio—The Provisioning Profile allows a VAP Group to be applied to new SonicPoints as they are provisioned.

8. Assign WEP Key (for WEP encryption only)—The Assign WEP Key allows for a WEP Encryption Key to be applied to new SonicPoints as they are provisioned. WEP keys are configured per-SonicPoint, meaning that any WEP-enabled VAPs assigned to a SonicPoint must use the same set of WEP keys. Up to 4 keys can be defined per-SonicPoint, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint > SonicPoints page.

Network Zones

A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, you can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface.

Network zones are configured from the Network > Zones page; for information about zones and how to configure them, refer to the SonicOS Administrator’s Guide.

Topics:

• “The Wireless Zone” on page 134

• “Custom Wireless Zone Settings” on page 135

The Wireless Zone

The Wireless zone type, of which the “WLAN Zone” is the default instance, provides support to Dell SonicWALL SonicPoints. When an interface or subinterface is assigned to a Wireless zone, the interface can discover and provision Layer 2 connected SonicPoints, and can also enforce security settings above the 802.11 layer, including WiFiSec Enforcement, SSL VPN redirection, Guest Services, Lightweight Hotspot Messaging and all licensed Deep Packet Inspection security services.


Note SonicPoints can only be managed using untagged, non-VLAN packets. When setting up your WLAN, ensure that packets sent to the SonicPoints are non VLAN tagged.

Custom Wireless Zone Settings

Although Dell SonicWALL provides a pre-configured Wireless zone, you also have the ability to create your own custom wireless zones. When using VAPs, several custom zones can be applied to a single, or multiple SonicPoint access points. For detailed information on configuring wireless zones, see the SonicOS Administrator’s Guide.

VLAN Subinterfaces

A Virtual Local Area Network (VLAN) allows you to split your physical network connections (X2, X3, etc...) into many virtual network connection, each carrying its own set of configurations. The VLAN solution allows each VAP to have its own separate subinterface on an actual physical interface.

VLAN subinterfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN subinterfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support.

VLAN subinterfaces are configured from the Network > Interfaces page; see the SonicOS Administrator’s Guide.

Custom VLAN Settings

The table below lists configuration parameters and descriptions for VLAN subinterfaces:

DHCP Server Scope

The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

Feature Description

Zone Select a zone to inherit zone settings from a predefined or custom user-defined zone.

VLAN Tag Specify the VLAN ID for this subinterface.

Parent Interface Select a physical parent interface (X2, X3, etc...) for the VLAN.

IP Configuration Create an IP address and Subnet Mask in accordance with your network configuration.

Sonic Point Limit Select the maximum number of SonicPoints to be used on this interface.

Management Protocols Select the protocols you wish to use when managing this interface.

Login Protocols Select the protocols you will make available to clients who access this subinterface.


The DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. DHCP Server Scope is set from the Network > DHCP Server page.

The table below shows maximum allowed DHCP leases for Dell SonicWALL security appliances.

Virtual Access Points Profiles

A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the SonicPoint > Virtual Access Point page.

Topics:

• “Virtual Access Point Profile Settings” on page 137

• “WPA-PSK / WPA2-PSK Encryption Settings” on page 137

• “WPA-EAP / WPA2-EAP Encryption Settings” on page 138

• “Shared / Both (WEP) Encryption Settings” on page 138

Platform Maximum DHCP Leases

NSA 3500 1,024 leases

NSA 4500, E5500, E6500, E7500 4,096 leases


Virtual Access Point Profile Settings

The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:

WPA-PSK / WPA2-PSK Encryption Settings

Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.

Feature Description

Name Choose a friendly name for this VAP Profile. Choose something descrip-tive and easy to remember as you will later apply this profile to new VAPs.

Type Set to SonicPoint by default. Retain this default setting if using Son-icPoints as VAPs (currently the only supported radio type)

Authentication Type Below is a list of available authentication types with descriptive features and uses for each:WEP • Lower security• For use with older legacy devices, PDAs, wireless printersWPA • Good security (uses TKIP)• For use with trusted corporate wireless clients• Transparent authentication with Windows log-in• No client software needed in most casesWPA2 • Best security (uses AES)• For use with trusted corporate wireless clients• Transparent authentication with Windows log-in• Client software install may be necessary in some cases• Supports 802.11i “Fast Roaming” feature• No backend authentication needed after first log-in (allows for faster roaming)WPA2-AUTO • Tries to connect using WPA2 security, if the client is not WPA2 capa-ble, the connection will default to WPA.

Unicast Cipher The unicast cipher will be automatically chosen based on the authentica-tion type.

Multicast Cipher The multicast cipher will be automatically chosen based on the authenti-cation type.

Maximum Clients Choose the maximum number of concurrent client connections permissi-ble for this virtual access point.

Feature Description

Pass Phrase The shared passphrase users will enter when connecting with PSK-based authentication.

Group Key Interval The time period for which a Group Key is valid. The default value is 86400 sec-onds. Setting to low of a value can cause connection issues.


WPA-EAP / WPA2-EAP Encryption Settings

Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utilizes an external 802.1x/EAP-capable RADIUS server for key generation.

Shared / Both (WEP) Encryption Settings

WEP is provided for use with legacy devices that do not support the newer WPA/WPA2 encryption methods. This solution utilizes a shared key.

Feature Description

RADIUS Server 1 The IP address or fully qualified domain name (FQDN) of your RADIUS authenti-cation server.

RADIUS Server 1 Port The port on which your RADIUS authentication server communicates with clients and network devices. The default is 1812.

RADIUS Server 1 Secret The shared secret between the Dell SonicWALL and the RADIUS authentication server.

RADIUS Server 2 The IP address or fully qualified domain name (FQDN) of your backup RADIUS authentication server.

RADIUS Server 2 Port The port on which your backup RADIUS authentication server communicates with clients and network devices.. The default is 1812.

RADIUS Server 2 Secret The secret passcode for your backup RADIUS authentication server.

Group Key Interval The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.

Feature Description

Encryption Key Select the key to use for WEP connections to this VAP. WEP encryption keys are configured in the SonicPoint > SonicPoints page under SonicPoint Provision-ing Profiles.


Virtual Access Points

The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual Access Points are configured from the SonicPoint > Virtual Access Point page.

Topics:

• “General VAP Settings” on page 140

• “Advanced VAP Settings” on page 140


General VAP Settings

Advanced VAP Settings

Advanced settings allows the administrator to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user created profile. See “Virtual Access Points Profiles” on page 136, for complete authentication and encryption configuration information.

Feature Description

SSID Create a friendly name for your VAP.

VLAN ID When using platforms that support VLAN, you may optionally select a VLAN ID to associate this VAP with. Settings for this VAP will be inherited from the VLAN you select.

Enable Virtual Access Point

Enables this VAP.

Enable SSID Suppress Suppresses broadcasting of the SSID name and disables responses to probe requests. A Virtual Access Point Object can suppress SSID in beacon and Probe Response for SonicPoint or internal G radio. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients.


Virtual Access Point Groups

The Virtual Access Point Groups feature is available on Dell SonicWALL NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s). Virtual Access Point Groups are configured from the SonicPoint > Virtual Access Point page.

Sonic Point Provisioning Profiles

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation. For more information, see “SonicPoint Provisioning Profiles” on page 54.

VAP Sample Configurations

This section provides configuration examples based on real-world wireless needs.

Topics:

• “Configuring a VAP for Guest Access” on page 142

• “Configuring a VAP for Corporate LAN Access” on page 151

• “Deploying VAPs to a SonicPoint” on page 160


Configuring a VAP for Guest Access

You can use a Guest Access VAP for visiting clients to whom you wish to provide access only to untrusted (e.g. Internet) network resources. Guest users will be provided a simple, temporary username and password for access. More advanced configurations also offer more permanent guest accounts, verified through a back-end database.

Topics:

• “Configuring a Zone” on page 142

• “Creating a Wireless LAN (WLAN) Interface” on page 145

• “Creating a VLAN Subinterface on the WLAN” on page 146

• “Configuring DHCP IP Ranges” on page 147

• “Creating a SonicPoint VAP Profile” on page 148

• “Creating the SonicPoint VAP” on page 149

Configuring a Zone

In this section, you will create and configure a new wireless zone with guest login capabilities.

Step 1 Log into the management interface of your Dell SonicWALL network security appliance.

Step 2 Navigate to the Network > Zones page.

Step 3 Click the Add... button to add a new zone. The Add Zone window displays.

General Settings Tab

Step 4 In the General tab, enter a friendly name such as “VAP-Guest” in the Name field.

Step 5 Select Wireless from the Security Type drop-down menu.

Step 6 De-select the Allow Interface Trust checkbox to disallow communication between wireless guests.

Step 7 Click the Wireless tab.


Wireless Tab

Step 8 Check the Only allow traffic generated by a SonicPoint checkbox.

Step 9 Uncheck all other options in this tab.

Step 10 Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu (if applicable).

Step 11 Click on the Guest Services tab.


Guest Services Tab

Step 12 In the Guest Services tab, check the Enable Guest Services checkbox.

Note In the following example, Step 13 through Step 18 are optional, they only represent a typical guest VAP configuration using guest services. Step 13 and Step 18, however, are recommended.

Step 13 Check the Enable Dynamic Address Translation (DAT) checkbox to allow guest users full communication with addresses outside the local network.

Step 14 Check the Custom Authentication Page checkbox and click the Configure button to configure a custom header and footer for your guest login page. The Customize Login Page window displays.

Step 15 Click the OK button to save these changes.


Step 16 Check the Post Authentication Page checkbox and enter a URL to redirect wireless guests to after login.

Step 17 Check the Pass Networks checkbox to configure a website (such as your corporate site) that you wish to allow access to without logging in to guest services.

Step 18 Enter the maximum number of guests this VAP will support in the Max Guests field.


Your new zone now appears in the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

Creating a Wireless LAN (WLAN) Interface

In this section you will configure one of your ports to act as a WLAN. If you already have a WLAN configured, skip to the “Creating a Wireless LAN (WLAN) Interface” on page 145.

Step 1 In the Network > Interfaces page, click the Configure icon corresponding to the interface you wish to use as a WLAN. The Edit Interface window displays.

Step 2 Select WLAN from the Zone drop-down list. More options appear.

Step 3 Enter the desired IP Address for this interface.


Step 4 In the SonicPoint Limit drop-down menu, select a limit for the number of SonicPoints. This defines the total number of SonicPoints your WLAN interface will support.

Note The maximum number of SonicPoints depends on your platform. Refer to the “Custom VLAN Settings” on page 135 to view the maximum number of SonicPoints for your platform.

Step 5 Click the OK button to save changes to this interface.

The WLAN interface will appear in the Interface Settings list on the Network > Interfaces page.

Creating a VLAN Subinterface on the WLAN

In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the “Configuring a Zone” on page 142.

Step 1 In the Network > Interfaces page, select the interface type from the Add Interface drop-down menu. The Add Interface window displays.

Step 2 In the Zone drop-down menu, select the zone you created in ““Configuring a Zone” on page 142”. In this case, we have chosen VAP-Guest.

Step 3 Enter a VLAN Tag for this interface. This number allows the SonicPoint(s) to identify which traffic belongs to the “VAP-Guest” VLAN. You should choose a number based on an organized scheme. In this case, we choose 200 as our tag for the VAP-Guest VLAN.

Step 4 In the Parent Interface drop-down menu, select the interface that your SonicPoint(s) are physically connected to. In this case, we are using X2, which is our WLAN interface.

Step 5 Enter the desired IP Address for this subinterface.

Step 6 Select a limit for the number of SonicPoints from the SonicPoint Limit drop-down menu. This defines the total number of SonicPoints your VLAN will support.

Step 7 Optionally, you may add a comment about this subinterface in the Comment field.

Step 8 Click the OK button to add this subinterface.

The VLAN subinterface now appears in the Interface Settings list.


Configuring DHCP IP Ranges

Because the number of available DHCP leases vary based on your platform, the DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. To view the maximum number of DHCP leases for your Dell SonicWALL security appliance, refer to the “DHCP Server Scope” on page 135.


Step 2 In the DHCPv4 Server Lease Scopes section, locate the interface you just created; in this example, it is the X2:V200 (virtual interface 200 on the physical X2 interface) interface.

Step 3 Click the Configure icon corresponding to the desired interface.

Note If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your Dell SonicWALL. For more information on DHCP lease exhaustion, refer to the “DHCP Server Scope” on page 135.

The Dynamic Range Configuration window displays.


Step 4 Edit the Range Start and Range End fields to meet your deployment needs.


Your updated DHCP lease scope will appear in the DHCP Server Lease Scopes list.

Creating a SonicPoint VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs.

Note This procedure is optional, but will facilitate greater ease of use when configuring multiple VAPs.


Step 2 Click the Add... button in the Virtual Access Point Profiles section. The Add/Edit Virtual Access Point Profile window displays.

Step 3 Enter a Profile Name, such as Guest, for this VAP Profile.

Step 4 Choose an Authentication Type. For unsecured guest access, we chose Open, which is the default.

Step 5 Click the OK button to create this VAP Profile.


The SonicPoint Profile will appear in the Virtual Access Point Profiles list on the SonicPoint > Virtual Access Point page.

Creating the SonicPoint VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in “Creating a VLAN Subinterface on the WLAN” on page 146.


Step 2 Click the Add... button in the Virtual Access Points section. The Add/Edit Virtual Access Point window displays.

Step 3 In the Name field, enter a friendly name for the VAP.

Step 4 In the SSID field, enter a SSID name for the SonicPoints using this profile. This name appears in wireless client lists when searching for available access points. In this case we chose VAP-Guest, the same name as the zone to which it will be associated.

Step 5 Select the VLAN ID you created in “VLAN Subinterfaces” on page 135 from the drop-down menu. In this case, we chose 200, the VLAN ID of our VAP-Guest VLAN.

Step 6 Check the Enable Virtual Access Point checkbox to enable this VAP on groups to which it is applied.

Step 7 Optionally, check the Enable SSID Suppress checkbox if you do not wish for your SSID to be seen by unauthorized wireless clients.This option is disabled by default.

This option suppresses broadcasting of the SSID name and disables responses to probe requests. A Virtual Access Point Object can suppress SSID in beacon and Probe Response for SonicPoint or internal G radio.


Step 8 Click the Advanced Tab to edit encryption settings.

Step 9 If you created a VAP Profile in the previous section, select that profile from the Profile Name list. We created and chose a guest profile, Guest, which uses Open as the authentication method.

Step 10 Click the OK button to add this VAP.

Your new VAP now appears in the Virtual Access Points list.


Now that you have successfully set up your Guest configuration, you can choose to add more custom VAPs, or to deploy this configuration to your SonicPoint(s) in the “Deploying VAPs to a SonicPoint” on page 160.

Tip Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously to all of your SonicPoints by following the steps in the “Deploying VAPs to a SonicPoint” on page 160.

Configuring a VAP for Corporate LAN Access

You can use a Corporate LAN VAP for a set of users who are commonly in the office, and to whom should be given full access to all network resources, providing that the connection is authenticated and secure. These users would already belong to the network’s Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS – Internet Authentication Services.

Topics:

• “Configuring a Zone” on page 151

• “Creating a VLAN Subinterface on the WLAN” on page 154

• “Configuring DHCP IP Ranges” on page 155

• “Creating a SonicPoint VAP Profile” on page 156

• “Creating the SonicPoint VAP” on page 158

Configuring a Zone

In this section you will create and configure a new corporate wireless zone with Dell SonicWALL security services and enhanced WiFiSec/WPA2 wireless security.

Step 1 Log into the management interface of your Dell SonicWALL network security appliance.

Step 2 Navigate to the Network > Zones page.

Step 3 Click the Add... button to add a new zone. The Add Zone window displays.


General Settings Tab

Step 4 In the General tab, enter a friendly name such as VAP-Corporate, in the Name field.

Step 5 Select Wireless from the Security Type drop-down menu.

Step 6 Select the Allow Interface Trust checkbox to allow communication between corporate wireless users.

Step 7 Select checkboxes for all of the security services you would normally apply to wired corporate LAN users. For information about these security services.

Step 8 Click the Wireless tab.


Wireless Settings Tab

Step 9 Select the checkbox for SSL VPN Enforcement to enable WiFiSec security on this connection.

Step 10 In the SSL VPN server pull-down menu, select an address object representing the Dell SonicWALL SSL VPN appliance to which you wish to redirect wireless traffic or create a new one.

Step 11 In the SSL VPN service pull-down menu, select the service or group of services you want to allow for clients authenticated through the SSL VPN.

Step 12 Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menus (if applicable).

Step 13 Check the Only allow traffic generated by a SonicPoint checkbox.


Your new zone now appears in the Zones Settings list of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.


Creating a VLAN Subinterface on the WLAN

In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the “Configuring a Zone” on page 151.

Step 1 In the Network > Interfaces page, select an interface type from the Add Interface drop-down menu. The Add Interface window displays.

Step 2 In the Zone drop-down menu, select the zone you created in ““Configuring a Zone” on page 151”. In this case, we have chosen VAP-Corporate. The options change.

Step 3 Enter a VLAN Tag for this interface. This number allows the SonicPoint(s) to identify which traffic belongs to the VAP-Corporate VLAN. You should choose a number based on an organized scheme. In this case, we choose 50 as our tag for the VAP-Corporate VLAN.

Step 4 In the Parent Interface drop-down menu, select the interface that your SonicPoint(s) are physically connected to. In this case, we are using X2, which is our WLAN interface.

Step 5 Enter the desired IP Address for this subinterface.

Step 6 In the SonicPoint Limit drop-down menu, select a limit for the number of SonicPoints. This defines the total number of SonicPoints your WLAN interface will support.

Step 7 Optionally, you may add a comment about this subinterface in the Comment field.


Step 8 Click the OK button to add this subinterface.

Your VLAN subinterface now appears in the Interface Settings list.

Configuring DHCP IP Ranges

Because the number of available DHCP leases vary based on your platform, the DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. To view the maximum number of DHCP leases for your Dell SonicWALL security appliance, refer to the “DHCP Server Scope” on page 135.


Step 2 In the DHCPv4 Server Lease Scopes section, locate the interface you just created, in our case this is the X2:V50 (virtual interface 50 on the physical X2 interface) interface.

Step 3 Click the Configure icon corresponding to the desired interface.

Note If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your Dell SonicWALL. For more information on DHCP lease exhaustion, refer to the “DHCP Server Scope” on page 135.

The Dynamic Range Configuration window displays.

Step 4 Edit the Range Start and Range End fields to meet your deployment needs.


Your updated DHCP lease scope now appears in the DHCP Server Lease Scopes list.


Creating a SonicPoint VAP Profile

In this section, you will create and configure a new Virtual Access Point Profile. You can create VAP Profiles for each type of VAP, and use them to easily apply advanced settings to new VAPs. This procedure is optional, but will facilitate greater ease of use when configuring multiple VAPs.


Step 2 Click the Add... button in the Virtual Access Point Profiles section. The Add/Edit Virtual Access Point Profile window displays.

Step 3 Enter a Profile Name, such as Corporate-WPA2, for this VAP Profile.


Step 4 Select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings. The options change.

Step 5 In the Maximum Clients field, enter the maximum number of clients each SonicPoint using this profile will support.

Step 6 In the Radius Server Settings section, enter your current RADIUS server information. This information will be used to support authenticated login to the VLAN. You must specify at least the following for one Radius server:

• Radius Server 1 – Enter the name or location of your primary Radius authentication server.

• Radius Server 1 Secret – Enter the passcode to access your primary Radius authentication server.

Step 7 Click the OK button to create this VAP Profile.


Your newly configured VAP profile is added to the Virtual Access Point Profiles list.

Creating the SonicPoint VAP

In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in “Creating a VLAN Subinterface on the WLAN” on page 154.

General Tab


Step 2 Click the Add... button in the Virtual Access Points section.

Step 3 In the Name field, enter a friendly name for the VAP.

Step 4 In the SSID field, enter a SSID name for the SonicPoints using this profile. This name appears in wireless client lists when searching for available access points. In this case we chose VAP-Corporate, the same name as the zone to which it will be associated.

Step 5 Select the VLAN ID you created in “Creating a VLAN Subinterface on the WLAN” on page 154 from the drop-down list. In this case we chose 50, the VLAN ID of our VAP-Corporate VLAN.

Step 6 Check the Enable Virtual Access Point checkbox to enable this access point upon creation. This option is enabled by default.

Step 7 Optionally, check the Enable SSID Suppress checkbox if you do not wish for your SSID to be seen by unauthorized wireless clients. This option is disabled by default.

This option suppresses broadcasting of the SSID name and disables responses to probe requests. A Virtual Access Point Object can suppress SSID in beacon and Probe Response for SonicPoint or internal G radio.

Step 8 Click the Advanced Tab to edit encryption settings.


Advanced Tab (Authentication Settings)

Step 9 If you created a VAP Profile, select that profile from the Profile Name drop-down menu. We created and Corporate-WPA2 profile in “Creating a SonicPoint VAP Profile” on page 156, which uses WPA2-AUTO-EAP as the authentication method.

If you have not set up a VAP Profile, continue with Step 9 through Step 12. Otherwise, continue to “Create More / Deploy Current VAPs” on page 160.

Step 10 Select WPA2-AUTO-EAP from the Authentication Type drop-down menu. This will employ an automatic user authentication based on your current RADIUS server settings.

Step 11 In the Maximum Clients field, enter the maximum number of concurrent connections VAP will support.

Step 12 Click the OK button to add this VAP.

Your new VAP now appears in the Virtual Access Points list.


Create More / Deploy Current VAPs

Now that you have successfully set up a VLAN for Corporate LAN access, you can choose to add more custom VAPs, or to deploy this configuration to your SonicPoint(s) in “Deploying VAPs to a SonicPoint” on page 160.

Tip Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously to all of your SonicPoints by following the steps in “Deploying VAPs to a SonicPoint” on page 160.

Deploying VAPs to a SonicPoint

In the following section you will group and deploy your new VAPs, associating them with one or more SonicPoint Radios. Users will not be able to access your VAPs until you complete this process:

• “Grouping Multiple VAPs” on page 160

• “Creating a SonicPoint Provisioning Profile” on page 162

• “Associating a VAP Group with your SonicPoint” on page 164

Grouping Multiple VAPs

In this section, you will group multiple VAPs into a single group to be associated with your SoncPoint(s).


Step 2 In the Virtual Access Point Groups section, click the Add Group... button in the Virtual Access Point Group section. The Add Virtual Access Point Group window displays.

Step 3 Enter a friendly name in the Virtual AP Group Name field.

Step 4 Select the desired VAPs from the list and click the -> button to add them to the group. Optionally, click the Add All button to add all VAPs to a single group.

Step 5 Press the OK button to save changes and create the group.


Your newly created group is added to the Virtual Access Point Groups list.


Creating a SonicPoint Provisioning Profile

In this section, you will associate the group you created in the “Grouping Multiple VAPs” on page 160 with a SonicPoint by creating a provisioning profile. This profile will allow you to provision settings from a group of VAPs to all of your SonicPoints.

Note The SonicPoint Provisioning Profile will be used by the corresponding wireless zone.


Step 2 Click the Add SonicPoint N Profile button in the SonicPoint Provisioning Profiles section. The Add SonicPoint N Profile window displays.

Step 3 Click the Enable SonicPoint checkbox to enable this profile. This is enabled by default.

Step 4 In the Name Prefix field, enter a name to assist in identifying SonicPoints on this zone. Each provisioned SonicPoint N is named with this prefix followed by a unique number.


Step 5 Select a country from the Country Code drop-down menu.

Step 6 From the 802.11n Radio Virtual AP Group pull-down menu in the Virtual Access Point Settings section, select the group you created in the “Grouping Multiple VAPs” on page 160.

Step 7 To setup 802.11g WEP or 802.11a WEP/WPA encryption, or to enable MAC address filtering, click the 802.11n Radio tab.

Note If any of your VAPs use encryption, you must configure these settings before your SonicPoint VAPs will function.

Step 8 Click the OK button to save changes and create this SonicPoint Provisioning Profile.

Your newly created SonicPoint Provisioning Profile is added to the SonicPoint N Provisioning Profiles list.

Step 9 Click the Synchronize SonicPoints button at the top of the SonicPoint > SonicPoints page to issue a query directive from the firewall to the WLAN zone. All connected SonicPoints will report their current settings and statistics to SonicOS. SonicOS will also attempt to locate the presence of newly connected SonicPoints that have not yet registered with the firewall.

Step 10 Click OK.

After you click OK, the SonicPoint will reboot and the new settings will be pushed to the SonicPoint.


Associating a VAP Group with your SonicPoint

If you did not create a SonicPoint Provisioning Profile, you can provision your SonicPoint(s) manually. You may want to use this method if you have only one SonicPoint to provision. This section is not necessary if you have created and provisioned your SonicPoints using a SonicPoint Profile.


Step 2 In the SonicPointsNs section, click the Configure button next to the SonicPoint you wish to associate your Virtual APs with.

Step 3 In the Virtual Access Point Settings section, select the VAP group you created in “Grouping Multiple VAPs” on page 160 from the 802.11g (or 802.11a) Radio Virtual AP Group drop-down menu. In this case, we chose VAP as our Virtual AP Group.

Step 4 Click the OK button to associate this VAP Group with your SonicPoint.

Step 5 Click the Synchronize SonicPoints button at the top of the SonicPoint > SonicPoints page to issue a query directive from the firewall to the WLAN zone. All connected SonicPoints will report their current settings and statistics to SonicOS. SonicOS will also attempt to locate the presence of newly connected SonicPoints that have not yet registered with the firewall.

Your SonicPoint may take a moment to reboot before changes take place. After this process is complete, all of your VAP profiles will be available to wireless users through this SonicPoint.

Note If you are setting up guest services for the first time, be sure to make necessary configurations in the Users > Guest Services pages. For more information on configuring guest services, see the SonicOS Administrator’s Guide.


Remote MAC Access Control for VAPs

The Enable Remote MAC Access Control option has been added for VAPs.

Note Remote MAC Access Control is also supported for SonicPoints. See “Remote MAC Access Control for SonicPoints” on page 109.

To enable Remote MAC Access Control on a VAP:

Step 1 Go to the SonicPoint > Virtual Access Point page.

Step 2 In the Virtual Access Points panel, click the Add button. The Add/Edit Virtual Access Point dialog appears.


Step 4 Select the Enable Remote MAC Access Control option.


When you select the Enable Remote MAC Access Control option, the configured Radius Server Settings appear.

Step 5 In the appropriate fields, enter the RADIUS server settings that you want. For information on configuring the RADIUS server settings, see the SonicOS Administrator’s Guide.

Step 6 Click OK.

Caution You cannot enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled. If you do, you will get the following error message: Remote MAC address access control can not be set whenIEEE 802.11i EAP is enabled.


Chapter 5

Viewing Station Status

SonicPoint > Station StatusTheSonicPoint > Station Status page displays the statistics for each SonicPoint.

The table lists entries for each wireless client connected to each SonicPoint.

By default, the page displays the first 50 entries found. Clicking the arrow icons navigates you to more pages when there are more than 50 entries.

Viewing Station Status | 167

The sections of the table are divided into sections by SonicPoint. Under each SonicPoint is a list of all the clients currently connected to it.

The Refresh button refreshes and updates the list in the table.

The View Style: SonicPoint: menu lists all of the SonicPoint devices on your network. When you select one of the SonicPoints, a new screen shows just the clients for that SonicPoint device.

The Station Status column headings display the following information:

• Station—The IP address of the SonicPoint address.

• MAC Address—The hardware address of the SonicPoint.


• Status—The status of the SonicPoint, such as Connected or Unavailable.

• Type—The type of SonicPoint device identified by the radio frequency, such as 2.4GHz.

• SSID—The service set identifier that identifies the network to which packets on the wireless network belong.

• AID—The Association ID number, assigned by the security appliance.

• Connect Rate—The speed at which connections are established.

• TxRate—The speed at which transmission packets are sent.

• Signal Strength—The percentage of strength of the radio signal.

• Statistics—The Statistics icon opens the Statistics Station window.

Station Statistics Window

Clicking the Statistics icon in the Statistics column of the table, on the row for the SonicPoint station that you want, displays the Station Statistics window that displays a detailed report for the selected SonicPoint station. The Station Statistics window displays Station Information, Radio Statistics, and Traffic Statistics.

The Station Information window displays the following information:

• Name—The name of the SonicPoint station.

• MAC Address—The hardware address of the SonicPoint station.

• IP Address—The IP address of the SonicPoint station.

• SonicPoint—The SonicPoint identifier.

• AID—The Association ID number, assigned by the firewall.


• Status—The state of the SonicPoint station:

– None

– Authenticated

– Associated

– Joined

– Connected

– Up

– Down

• Connect Rate—The speed at which connections are established.

• TxRate—The speed at which transmission packets are sent.

• Signal Strength—The percentage the total strength of the radio signal that is currently transmitting.

The Radio Statistics window displays the following information:

• Radio—The type of radio signal.

• SSID—The service set identifier that identifies the network to which packets on the wireless network belong.

• Channel—The type of channel in use on the radio, such as 802.11n 5GHz Mixed - AutoBand Auto (149|153) or 802.11n 2.4GHz Mixed - Standard Band.

• Associations—The total number of associations since power up.

• Dis-Associations—The total number of dis-associations.

• Re-Associations—The total number of re-associations.

• Authentications—Number of authentications.

• De-Authentications—Number of de-authentications.

• Discarded Packets—The total number of frames discarded. Discarded frames are generally a sign of network congestion.

The Traffic Statistics window displays the following information for Radio 0 and Radio 1:

• Good Packets—The total number of good packets received and transmitted.

• Bad Packets—The total number of bad packets received and transmitted.

• Good Bytes—The total number of good bytes received and transmitted.

• Management Packets—The total number of management packets received and transmitted.

• Control Packets —The total number of control packets received and transmitted.

• Data Packets—The total number of data packets received and transmitted.


SonicPoint N Statistics Window

Clicking the Statistics button displays the SonicPoint N Statistics window that displays a detailed report for the selected SonicPoint device. The SonicPoint N Statistics window displays SonicPoint N Information, Radio Statistics, and Traffic Statistics.


The SonicPoint N Information window displays the following information:

• Name—The name of the SonicPoint device.

• MAC Address—The hardware address of the SonicPoint device.

• IP Address—The IP address of the SonicPoint device.

• Interface—The firewall interface to which the SonicPoint device is connected, such as X1, X2, etc.

• Zone—The Zone to which the SonicPoint device is configured, such as WLAN.

• Status—The state of the station:

– Unknown

– SafeMode

– Unprovisioned

– Provisioning

– Operational

– Non-responsive

– Updating Firmware

– Downloading Firmware

– Initializing

– Over-Limit

– Rebooting

– Provision Failed

– Firmware Update Failed

– Scanning

– Manufacturing

– Disabled

– WIDP

– WIDP_Timeout

– Missing Firmware Image

– Writing Firmware

– Get Crash Log Failed

– Operational(Noise SafeMode)

– Getting Firmware

• Uptime—The time that the SonicPoint device has been running in days, hours, minutes, and seconds.


The Radio Statistics window displays the following information for Radio 0 and Radio 1:

• BSSID—The basic service set identifier address for the SonicPoint device.

• SSID / MSSID—The service set identifier or multiple service set identifier that identifies the network to which packets on the wireless network belong.

• Channel—The type of channel in use on the radio, such as 802.11n 5GHz Mixed - AutoBand Auto (149|153) or 802.11n 2.4GHz Mixed - Standard Band.

• Connected Stations—The total number of SonicPoint stations connected to the firewall.

• Associations—The total number of associations since power up.

• Dis-Associations—The total number of dis-associations.

• Re-Associations—The total number of re-associations.

• Authentications—Number of authentications.

• De-Authentications—Number of de-authentications.

• Discarded Packets—The total number of packets discarded. Discarded packets are generally a sign of network congestion.

The Traffic Statistics window displays the following information for Radio 0 and Radio 1:

• Good Packets—The total number of good packets received and transmitted.

• Bad Packets—The total number of bad packets received and transmitted.

• Good Bytes—The total number of good bytes received and transmitted.

• Management Packets—The total number of management packets received and transmitted.

• Control Packets —The total number of control packets received and transmitted.

• Data Packets—The total number of data packets received and transmitted.


Chapter 6

Configuring RF Monitoring

SonicPoint > RF MonitoringThis chapter details the Dell SonicWALL Radio Frequency (RF) Monitoring feature and provides configuration examples for easy deployment.

Topics:

• “Understanding Radio Frequency Monitoring” on page 175

• “Configuring the RF Monitoring Feature” on page 181

• “Practical RF Monitoring Field Applications” on page 184

Understanding Radio Frequency Monitoring

Radio Frequency (RF) technology used in today’s 802.11-based wireless networking devices poses an attractive target for intruders. If left un-managed, RF devices can leave your wireless (and wired) network open to a variety of outside threats, from Denial of Service (DoS) to network security breaches.

In order to help secure your SonicPoint Wireless Access Point (AP) stations, Dell SonicWALL takes a closer look at these threats. By using direct RF monitoring, Dell SonicWALL helps detect threats without interrupting the current operation of your wireless or wired network.

Dell SonicWALL RF Monitoring provides real-time threat monitoring and management of SonicPoint radio frequency traffic. In addition to its real-time threat monitoring capabilities, Dell SonicWALL RF monitoring provides network administrators with a system for centralized collection of RF threats and traffic statistics; offering a way to easily manage RF capabilities directly from the Dell SonicWALL security appliance gateway.

Dell SonicWALL RF monitoring is:

• Real-Time - View logged information as it happens

• Transparent - No need to halt legitimate network traffic when managing threats

• Comprehensive - Provides detection of many types of RF threats.

For complete descriptions of the above types of RF Threat Detection, see the “Practical RF Monitoring Field Applications” on page 184.

Configuring RF Monitoring | 175

Management Interface Overview

The SonicPoint > RF Monitoring management interface provides a central location for selecting RF signature types, viewing discovered RF threat stations, and adding discovered threat stations to a watch list. This section describes the entities on the SonicPoint > RF Monitoring page.

Name Description

Action Items Provides the options to accept, cancel, refresh, and clear the RF Monitoring page. See “Action Items” on page 177.

RF Monitoring Summary Displays the SonicPoint RF Monitoring units, total RF threats, and measurement interval (using seconds as the unit of measurement). See “RF Monitoring Summary” on page 177

802.11 General Frame Setting Displays the amount of total general threats and the option to enable long duration. See “802.11 General Frame Setting” on page 177.

802.11 Management Frame Setting Configures your management frame settings and displays the number of threats for each setting. See “802.11 Manage-ment Frame Setting” on page 178.

802.11 Data Frame Setting Configures your data frame settings and displays the number of threats for each setting. See “802.11 Data Frame Set-ting” on page 179.

Discovered RF Threat Stations Lists all the discovered RF threat stations. See “Discovered RF Threat Stations” on page 180.


Action Items

RF Monitoring Summary

802.11 General Frame Setting

Name Description

Accept Button Accepts the latest configuration settings.

Cancel Button Cancels any changed RF Monitoring settings.

Refresh Button Refreshes the SonicPoint > RF Monitoring page.

Clear Button Clears all the configured settings and returns the page back to the default settings.

Name Description

SonicPoint RF Monitoring Units Displays the total number of SonicPoint appliances.

Total RF Threats Displays the total number of RF threats.

Measurement Interval (Seconds) Enter the desired measurement interval in seconds.

Name Description

Total General Threats Displays the total number of general threats.

Long Duration Wireless devices share airwaves by dividing the RF spectrum into 14 stag-gered channels. Each device reserves a channel for a specified (short) dura-tion and during the time that any one device has a channel reserved, other devices know not to broadcast on this channel. Long Duration attacks exploit this process by reserving many RF channels for very long durations, effec-tively stopping legitimate wireless traffic from finding an open broadcast chan-nel.


802.11 Management Frame Setting

Clicking the checkboxes enables/disables the following monitors, all of which are enabled by default:

Name Description

Total Management Threats Displays the total number of management threats.

Management Frame Flood This variation on the DoS attack attempts to flood wireless access points with management frames (such as association or authenti-cation requests) filling the management table with bogus requests.

Null Probe Response When a wireless client sends out a probe request, the attacker sends back a response with a Null SSID. This response causes many popular wireless cards and devices to stop responding.

Broadcasting De-authentication This DoS variation sends a flood of spoofed de-authentication frames to wireless clients, forcing them to constantly de-authenti-cate and subsequently re-authenticate with an access point.

Valid Station With Invalid SSID In this attack, a rouge access point attempts to broadcast a trusted station ID (ESSID). Although the BSSID is often invalid, the station can still appear to clients as though it is a trusted access point. The goal of this attack is often to gain authentication information from a trusted client.

Wellenreiter Detection Wellenreiter and NetStumbler are two popular software applica-tions used by attackers to retrieve information from surrounding wireless networks.

Ad-Hoc Station Detection Ad-Hoc stations are nodes which provide access to wireless cli-ents by acting as a bridge between the actual access point and the user. Wireless users are often tricked into connecting to an Ad-Hoc station instead of the actual access point, as they may have the same SSID. This allows the Ad-Hoc station to intercept any wire-less traffic that connected clients send to or receive from the access point.


802.11 Data Frame Setting

Clicking the checkboxes enables/disables the following monitors.

Name Description

Total Data Threats Displays the total number of data threats.

Unassociated Station A wireless station attempts to authenticate prior to associating with an access point, the unassociated station can create a DoS by sending a flood of authentication requests to the access point while still unassociated. This option is disabled by default.

NetStumbler Detection Typically is used to locate both free Internet access as well as interesting networks. Netstumbler interfaces with a GPS receiver and mapping soft-ware to automatically map out locations of wireless networks. This option is enabled by default.

EAPOL Packet Flood Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication mechanisms. Since these packets, like other authentication request packets, are received openly by wireless access points, a flood of these packets can result in DoS to your wireless network. This option is enabled by default.

Weak WEP IV WEP security mechanism uses your WEP key along with a randomly cho-sen 24-bit number known as an Initialization Vector (IV) to encrypt data. Network attackers often target this type of encryption because some of the random IV numbers are weaker than others, making it easier to decrypt your WEP key. This option is enabled by default.


Discovered RF Threat Stations

Tip It is possible to find approximate locations of RF Threat devices by using logged threat statistics. For more practical tips and information on using the RF Management threat statistics, see the “Practical RF Monitoring Field Applications” on page 184

Name Description

Items Displays the total number of logged threats. Use the arrow buttons to navigate through pages if applicable.

View Style: Station Selects the type of stations displayed in the list of entries:• All Discovered Stations (default) • Only Stations in Watch List Group

MAC Address Sorts the entries by MAC Address. This is the physical address of the RF threat station.

Type Sorts the entries by the type of wireless signal received from the threat station.

Vendor Sorts the entries by vendor. This is the manufacturer of the threat station (deter-mined by MAC address).

RSSI Indicates the signal strength at which a particular SonicPoint is detecting an RF threat. This entry, along with the Sensor entry, can be helpful in triangulating the actual physical position of the RF threat device.

Rate Sorts the entries by transfer rate (Mbps) of the threat station.

Encrypt Sorts the entries by wireless signal encryption on the threat station, “None” or “Encrypted”.

RF Threat Sorts the entries by RF threat (occurs in the latest time).

Update Time Sorts the entries by the time this log record was created/updated.

Sensor Sorts the entries by the ID of the SonicPoint which recorded this threat. This entry, along with the “Rssi” entry, can be helpful in triangulating the actual physical posi-tion of the RF threat device.

Comment Displays a text box to add comments about the threat.

Configure Configures a watch list for discovered stations. Refer to the for configuration details.


Configuring the RF Monitoring Feature

This section includes procedures for configuring the RF Monitoring feature.

Topics:

• “Configuring RF Monitoring on SonicPoints” on page 181

• “Selecting RF Signature Types” on page 183

• “Adding a Threat Station to the Watch List” on page 184

• “Practical RF Monitoring Field Applications” on page 184.

Configuring RF Monitoring on SonicPoints

This section describes how to configure RF Monitoring on SonicPoint Ns. To configure SonicPoint AC or SonicPoint NDR, see “Configuring a SonicPoint NDR Profile” on page 71.

For RF Monitoring to be enforced, you must enable the RF Monitoring option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Monitoring enabled.


Step 2 From the View Style menu, select SonicPoint Ns.


Step 3 In the SonicPoint N Provisioning Profiles panel, click the Configure button corresponding to the SonicPoint Provisioning Profile that you want to configure.The Edit SonicPoint N Profile dialog appears.

Step 4 In the Settings tab, click the Enable RF Monitoring checkbox. This is enabled by default.

Step 5 Click OK.

Note To ensure all SonicPoints are updated with the RF Monitoring feature enabled, it is necessary to delete all current SonicPoints from the SonicPoint table and re-synchronize these SonicPoints using the profile you just created.

Your SonicPoints will now reboot with the RF Monitoring feature enabled. Be patient as the reboot process may take several minutes.


Selecting RF Signature Types

The RF Monitoring management interface allows you to select which types of RF threats your Dell SonicWALL monitors and logs.

Step 1 Navigate to SonicPoint > RF Monitoring in the Dell SonicWALL security appliance management interface. RF threat types are displayed in the 802.11 Management Frame Setting table, with a checkbox next to each.

Step 2 Click the checkbox next to the RF threat to enable/disable management of that threat. By default, all RF threats are checked as managed.

Tip For a complete list of RF Threat types and their descriptions, see “802.11 Management Frame Setting” on page 178.

Step 3 Click the Accept button at the top of the page to update the configuration.


Adding a Threat Station to the Watch List

The RF Monitoring Discovered Threat Stations “Watch List” feature allows you to create a watch list of threats to your wireless network. The watch list is used to filter results in the Discovered RF Threat Stations list.

To add a station to the watch list:

Step 1 In the SonicPoint > RF Monitoring page, navigate to the Discovered RF threat stations section.

Step 2 Click the Configure icon that corresponds to the threat station you wish to add to the watch list. A confirmation window will appear.

Step 3 Click OK to add the station to the watch list.

Step 4 If you have accidentally added a station to the watch list, or would otherwise like a station removed from the list, click the Delete icon that corresponds to the threat station you wish to remove.

Tip Once you have added one or more stations to the watch list, you can filter results to see only these stations in the real-time log by choosing Only Stations in Watch List Group from the View Type pull-down list.

Practical RF Monitoring Field Applications

This section provides an overview of practical uses for collected RF Monitoring data in detecting Wi-Fi threat sources. Practical RF Monitoring Field Applications are provided as general common-sense suggestions for using RF Monitoring data.

Topics:

• “Before Reading this Section” on page 185

• “Using Sensor ID to Determine RF Threat Location” on page 185

• “Using RSSI to Determine RF Threat Proximity” on page 186


Before Reading this Section

When using RF data to locate threats, keep in mind that wireless signals are affected by many factors. Before continuing, take note of the following:

• Signal strength is not always a good indicator of distance - Obstructions such as walls, wireless interference, device power output, and even ambient humidity and temperature can affect the signal strength of a wireless device.

• A MAC Address is not always permanent - While a MAC address is generally a good indicator of device type and manufacturer, this address is susceptible to change and can be spoofed. Likewise, originators of RF threats may have more than one hardware device at their disposal.

Using Sensor ID to Determine RF Threat Location

In the Discovered RF Threat Stations list, the Sensor field indicates which Sonic Point is detecting the particular threat. Using the sensor ID and MAC address of the SonicPoint allows you to easily determine the location of the SonicPoint that is detecting the threat.

Tip For this section in particular (and as a good habit in general), you may find it helpful to keep a record of the locations and MAC addresses of your SonicPoint devices.

Step 1 Navigate to the SonicPoint > RF Monitoring page in the SonicOS management interface.

Step 2 In the Discovered RF threat stations table, locate the Sensor for the SonicPoint that is detecting the targeted RF threat and record the number.

Step 3 Navigate to SonicPoint > SonicPoints.

Step 4 In the SonicPoint Ns table, locate the SonicPoint that matches the Sensor number you recorded in Step 2.

Step 5 Record the MAC address for this SonicPoint and use it to find the physical location of the SonicPoint.

The RF threat is likely to be in the location that is served by this SonicPoint.


Using RSSI to Determine RF Threat Proximity

This section builds on what was learned in the “Using Sensor ID to Determine RF Threat Location” on page 185. In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which a particular Sonic Point is detecting an RF threat.

The Rssi field allows you to easily determine the proximity of an RF threat to the SonicPoint that is detecting that threat. A higher Rssi number generally means the threat is closer to the SonicPoint.

Tip It is important to remember that walls serve as barriers for wireless signals. While a very weak Rssi signal may mean the RF threat is located very far from the SonicPoint, it may also indicate a threat located near, but outside the room or building.

Step 1 Navigate to the SonicPoint > RF Monitoring page in the SonicOS management interface.

Step 2 In the Discovered RF threat stations table, locate the Sensor and Rssi for the SonicPoint that is detecting the targeted RF threat and record these numbers.


Step 4 In the SonicPoint Ns table, locate the SonicPoint that matches the Sensor number you recorded in Step 2.

Step 5 Record the MAC address for this SonicPoint and use it to find the physical location of the SonicPoint.

A high Rssi usually indicates an RF threat that is closer to the SonicPoint. A low Rssi can indicate obstructions or a more distant RF threat.


Chapter 7

Using RF Analysis

SonicPoint > RF AnalysisThis section describes how to use the RF Analysis feature in Dell SonicWALL SonicOS to help best utilize the wireless bandwidth with SonicPoint appliances.

Topics:

• “RF Analysis Overview” on page 187

• “Using RF Analysis on SonicPoint(s)” on page 188

RF Analysis Overview

RF Analysis (RFA) is a feature that helps wireless network administrator understand how wireless channels are utilized by the managed SonicPoints, SonicPoint-Ns and all other neighboring wireless access points.

Note Dell SonicWALL RFA can analyze third-party access points and include these statistics in RFA data as long as at least one SonicPoint access point is present and managed through the Dell SonicWALL appliance.

Topics:

• “Why RF Analysis?” on page 187

• “The RF Environment” on page 188

Why RF Analysis?

Deploying and maintaining wireless infrastructure can be a daunting task for the network administrator. Wireless issues, such as low performance and poor connectivity are issues that wireless network administrators often face, but ironically, these issues can usually be resolved by simply analyzing and properly tuning radio settings.

Using RF Analysis | 187

RFA is a tool that brings awareness to these potential wireless issues. The two main issues which RFA deals with are overloaded channels, and AP interference with adjacent channels. RFA calculates an RF Score for each operational SonicPoint and displays the data in a way that allows you to identify access points operating in poor RF environment.

The RF Environment

The IEEE 802.11maintains that devices use ISM 2.4 GHz and 5GHz bands, with most of the current deployed wireless devices using the 2.4 GHz band. Because each channel occupies 20MHz wide spectrum, only three channels out of the 11 available are not overlapping. In the United States, channel 1, 6, and 11 are non-overlapping. In most cases, these are the three channels used when deploying a large number of SonicPoints.

The whole 2.4GHz band is segmented into three separate channels 1, 6, and 11. To achieve this ideal scenario, two factors are necessary: channel allocation and power adjustment. In most scenarios, it’s best to assign neighboring SonicPoint appliances to different channels. SonicPoint transmit power should also be watched carefully, as it needs to be strong enough for nearby clients to connect, but not so powerful that causes interference to other SonicPoints operating within the same channel.

Using RF Analysis on SonicPoint(s)

RFA uses scores, graphs, and numbers to assist users to discover and identify potential or existing wireless problems.

Although the best case scenario is to have the smallest number of APs working in the same channel at any given time, in the real world it is difficult to maintain that especially when deploying large amount of APs. Also, since the ISM band is free to the public, there may be other devices operating that are out of immediate control of the network administrator.

SonicPoint Manual Channel Selection


Topics:

• “Channel Utilization Graphs and Information” on page 189

• “Making Sense of the RF Score” on page 190

• “Viewing Overloaded Channels” on page 191

• “RFA Highly Interfered Channels” on page 192

Channel Utilization Graphs and Information

Searching a way to show how channel is utilized for all connected SonicPoints resulted in displaying channel utilization graphs as shown below.

There are two color bars for each channel. The number on the top of each color bar indicates the number of SonicPoints that detects the particular issue in that channel. SonicPoints perform an IDS scan on all available channels upon boot-up and RFA analyzes these scan results to decide on issues for each channel.

For example: if there are 10 SonicPoints connected, and 6 of these decide that channel 11 is overloaded, the number on the top of purple color bar will be 6; if 8 SonicPoints decide that channel 6 is highly interfered, the number on the top of the cyan color bar will be 8. Zero will be shown for channels no issues.


Note Channels 12, 13, 14 are shown, but in some countries these channels are not used. These channels are still monitored however, because it is possible for a wireless cracker to set up a wireless jammer in channel 12, 13, or 14 and launch deny of service attack to lower channels.

Making Sense of the RF Score

RF Score is a calculated number on a scale of 1-10 which is used to represent the overall condition for a channel. The higher the score, the better the RF environment is. Low scores indicate that attention is needed.

Dell SonicWALL wireless driver report signal strength in RSSI, this number is used in the below equation to get a raw score on a scale of 1 to 100.

Preliminary RF Score Formula:

• rfaScore100 = 100-((rssiTotal-50)*7/10)) simplified: rfaScore100 = -0.7*rssiTotal + 135;

A final score is based on this rfaScore100:

• If the RFA score is greater than 96, it is reported as 10.

• If the RFA score is less than 15, it is reported as 1.

• All other scores are divided by 10 to fall into the 1-10 scale.

In the SonicOS interface, the RF Score is displayed for the channel that is being used by the SonicPoints.

Note This feature depends on the knowledge of what channel SonicPoint is operating in. If the channel number is unknown, RF Score is going to be not available.


Viewing Overloaded Channels

RFA will give a warning when it detects more than four active APs in the same channel. As shown below, no matter how strong their signal strength is, RFA will mark the channel as overloaded.

Information about each discovered AP includes: SSID, MAC, signal strength, and channel. Two values are shown for signal strength: dBm and percentage value.


RFA Highly Interfered Channels

Not only APs working in the same channel will create interference, APs working in adjacent channels (channel number less than 5 apart) will also interfere with each other.

RFA will give a warning when it detects that around a certain SonicPoint, there are more than five active APs in the channels that are less than five apart. No matter how strong their signal strength is, RFA will mark the channel as highly interfered.

Information about each discovered AP includes: SSID, MAC, signal strength, and channel. Two values are shown for signal strength: dBm and percentage value.


Chapter 8

SonicPoint Intrusion Detection Services

SonicPoint > IDSThe following sections describe SonicPoint Intrusion Detection Services (IDS):

• “IDS Overview” on page 193

• “Scanning Access Points” on page 196

• “Authorizing Access Points” on page 197

• “Logging of Intrusion Detection Services Events” on page 198

IDS Overview

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network creates an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this doesn't represent a deficiency in the security of a specific wireless device, it is a weakness to the overall security of wireless networks.

Intrusion Detection Services (IDS) greatly increase the security capabilities of the Dell SonicWALL security appliance because it enables the appliance to recognize and take countermeasures against the most common types of illicit wireless activity. IDS reports on all access points the Dell SonicWALL security appliance can find by scanning the 802.11a/b/g/n/ac/af radio bands on the SonicPoints.

SonicPoint Intrusion Detection Services | 193

The SonicPoint > IDS page reports on all access points detected by the Dell SonicWALL security appliance and its associated SonicPoints, and provides the ability to authorize legitimate access points.


The table below describes the entities that are displayed on the SonicPoint > IDS page.

Table Column or Entity Description

Entity

Page Navigation Allows you to quickly navigate to the next or previous page. You can enter a value to pass large entries. For example, if you have 10 pages, you can enter 7 in the Item text field to view page 7.

Refresh button Refreshes the screen to display the most current list of access points in your network.

Scan All... button Initiates a scan all operation to identify

Discovered Access Points Table

View Style: SonicPoint: Drop-down menu If you have more than one SonicPoint, you can select an indi-vidual device from the SonicPoint list to limit the Discovered Access Points table to display only scan results from that Son-icPoint. Select All SonicPoints to display scan results from all SonicPoints.

SonicPoint Available when All SonicPoints is selected in the View Style drop-down.The SonicPoint that detected the access point.

MAC Address (BSSID) The MAC address of the radio interface of the detected access point.

SSID The radio SSID of the access point

Type The range of radio bands used by the access point, 2.4 GHz or 5 GHz.

Channel The radio channel used by the access point

Authentication The authentication type.

Cipher The cipher mode.

Manufacturer The manufacturer of the access point

Signal Strength The strength of the detected radio signal

Max Rate The fastest allowable data rate for the access point radio, typi-cally 54 Mbps

Authorize When the Edit icon is clicked, the access point is added to the address object group of authorized access points.


Scanning Access Points

Topics:

• “Active Scanning and Scanning All” on page 196

• “Scanning SonicPoint by SonicPoint” on page 196

Active Scanning and Scanning All

Active scanning occurs when the security appliance starts up. You can also scan access point at any time by clicking Scan All... on the SonicPoint > IDS page. When the security appliance performs a scan, the wireless clients will be interrupted for a few seconds. The scan will effect traffic in the following ways:

• Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.

• Persistent connections (protocols such as FTP) are impaired or severed.

Caution Clicking Scan All will cause all active wireless clients to be disconnected while the scan is performed. If service interruption is a concern, it is recommended that you do not click Scan Now while the Dell SonicWALL security appliance is in Access Point mode. Wait until there are no clients active or a short interruption in service is acceptable.

Scanning SonicPoint by SonicPoint

You can also scan on a SonicPoint by SonicPoint basis, as follows:

Step 1 Select the SonicPoint to view in the SonicPoint: pull-down menu.

Step 2 Scroll to the bottom of the Discovered Access Points section.

Step 3 At the lower-right, select the type of scan from the --Perform SonicPoint Scan -- pull-down menu.

Depending on which SonicPoint model you are using, the following options can be displayed.

• Scan Both Radios

• Scan 802.11a Radio (5GHz)

• Scan 802.11g Radio (2.4GHZ)

• Scan 802.11n Radio (5GHz)

• Scan 802.11n Radio (2.4GHZ)

• Scan 802.11ac Radio (5GHz)


Authorizing Access Points

Access Points that the security appliance detects are regarded as rogue access points until the security appliance is configured to authorize them for operation. To authorize an access point, perform the following steps:

Step 1 Click the Edit icon in the Authorize column for the access point you want to authorize. A pop-up warning message is displayed.

Step 2 Click OK.

Step 3 You can verify that authorization was successful by checking that the address object was created. Navigate to the Firewall > Address Objects page.

Step 4 Click the Configure icon for All Authorized Access Points.

Step 5 Verify that the access point’s MAC address has been added.

Step 6 Click OK.


Logging of Intrusion Detection Services Events

To enable logging and notification of IDS events, perform the following steps:

Step 1 Navigate to the Log > Log Settings page.

Step 2 Click on the triangle icon in the Wireless row in the table to expand it

Step 3 Click on the triangle icon for WLAN IDS.

Step 4 Modify the alert settings for any of the following WLAN IDS log categories:

• WLAN Probe Check

• WLAN Association Flood

• Rogue AP Found


Chapter 9

Configuring Advanced IDP

SonicPoint > Advanced IDPThe following sections describe Advanced IDP:

• “Advanced IDP Overview” on page 200

• “Enabling Advanced IDP on a SonicPoint Profile” on page 201

• “Configuring Advanced IDP” on page 204

Configuring Advanced IDP | 199

Advanced IDP Overview

Advanced Intrusion Detection and Prevention (IDP) is used to monitor the radio spectrum for presence of unauthorized access points (intrusion detection) and to automatically take countermeasures (intrusion prevention). When Advanced IDP is enabled on a SonicPoint, the SonicPoint radio functions as a dedicated IDP sensor.

Advanced IDP configuration is a two-part process that consists of enabling Advanced IDP and configuring Advanced IDP.

Caution When Advanced IDP is enabled on a SonicPoint radio, its access point functions are disabled and any wireless clients are disconnected.


Enabling Advanced IDP on a SonicPoint Profile

To enable Advanced IDP scanning on a SonicPoint profile:


Step 2 From the View Style menu, select SonicPoint Ns.


Step 3 Click the Configure icon for the appropriate SonicPoint profile. The Edit SonicPoint AC Profile dialog appears with the General tab selected.


Step 4 Click on the Sensor tab.

Note The Sensor tab is the same for both SonicPoint N and SonicPoint NDR profiles.

Step 5 Select the Enable WIDP Sensor checkbox. The pull-down menu becomes active.

Step 6 From the pull-down menu, select the appropriate schedule for IDP scanning, or select Create new schedule to create a custom schedule.

Caution Remember that when Advanced IDP scanning is enabled on a SonicPoint radio, its access point functions are disabled and any wireless clients are disconnected.

Step 7 Click OK.


Configuring Advanced IDP

To configure Advanced IDP:

Step 1 Go to the SonicPoint > Advanced IDP page.

Step 2 Select the Enable Wireless Intrusion Detection and Prevention checkbox. This option is not selected by default. The other options become active.

Step 3 For Authorized Access Points, select the Address Object Group that authorized Access Points will be assigned to. By default, this is set to All Authorized Access Points.

Step 4 For Rogue Access Points, select the Address Object Group that unauthorized Access Points will be assigned to. By default, this is set to All Rogue Access Points.


Step 5 Select one of the following two options to determine which APs are considered rogue (only one can be enabled at a time):

• Add any unauthorized AP into Rogue AP list automatically assigns all detected unauthorized APs—regardless if they are connected to your network—to the Rogue list.

• Add connected unauthorized AP into Rogue AP list assigns unauthorized APs to the Rogue list only if they are connected to your network. The following options determine how IDP detects connected rogue APs; both can be selected:

– Enable ARP cache search to detect connected rogue AP – Advanced IDP searches the ARP cache for clients’ MAC addresses. When one is found and the AP it is connected to is not authorized, the AP is classified as rogue.

– Enable active probe to detect connected rogue AP – The SonicPoint will connect to the suspect AP and send probe to all LAN, DMZ and WLAN interfaces of the firewall. If the firewall receives any of these probes, the AP is classified as rogue.

Step 6 Select Add evil twin into Rogue AP list to add APs to the rogue list when they are not in the authorized list, but have the same SSID as a managed SonicPoint.

Step 7 Select Block traffic from rogue AP and its associated clients to drop all incoming traffic that has a source IP address that matches the rogue list. From the Rogue Device IP addresses pull-down menu, either:

• Select All Rogue Devices (default) or an address object group you’ve created.

• Create a new address object group by selecting Create New IP Address Object Group. The Add Address Object Group window displays.

Step 8 Select Disassociate rogue AP and its clients to send de-authentication messages to clients of a rogue AP to stop communication between them.


Chapter 10

SonicPoint FairNet

SonicPoint > FairNetThis chapter details the Dell SonicWALL FairNet feature and provides configuration examples for easy deployment.

Topics:

• “Understanding SonicPoint FairNet” on page 207

• “Configuring SonicPoint FairNet” on page 211

Understanding SonicPoint FairNet

Topics:

• “What is SonicPoint FairNet?” on page 207

• “Deployment Considerations” on page 208

• “Features in SonicPoint FairNet” on page 208

• “Management Interface Overview” on page 209

What is SonicPoint FairNet?

The SonicPoint FairNet feature provides an easy-to-use method for network administrators to control the bandwidth of associated wireless clients and make sure it is distributed fairly between them. Administrators can configure the SonicPoint FairNet bandwidth limits for all wireless clients, specific IP address ranges, or individual clients to provide fairness and network efficiency.

SonicPoint FairNet | 207

The illustration below is an example of a typical SonicPoint FairNet topology:

Deployment Considerations

Consider the following when deploying the SonicPoint FairNet feature:

• You must have a laptop or PC with a IEEE802.11a/b/g/n/ac/af wireless network interface controller.

Features in SonicPoint FairNet

The following features are included in SonicPoint FairNet:

• Distributed Coordination Function—The Distributed Coordination Function (DCF) provides timing fairness for each client to access a medium with equal opportunity. However it can not guarantee the per-station data traffic fairness among all wireless clients. The SonicPoint FairNet feature is implemented on top of the existing 802.11 DCF to guarantee fair bandwidth among wireless clients regardless of the number and direction of flows.

• Traffic Control—The traffic control feature decides if packets are queued or dropped (e.g. if the queue has reached some length limit, or if the traffic exceeds some rate limit). It can also decide in which order packets are sent (for example, to give priority to certain owns) and it can delay the sending of packets (for example, to limit the rate of outbound traffic). Once traffic control has released a packet for sending, the device driver picks it up and emits it on the network.


Management Interface Overview

This section describes the functions of the SonicPoint FairNet management interface.

Name Description

Accept Button Applies the latest configuration settings.

Cancel Button Cancels any changed configuration settings.

Enable FairNet Checkbox Enables the SonicPoint FairNet feature.

FairNet Policies Check-box

Selects or deselects all the policies in the FairNet Polices table. Individual poli-cies can also be selected in the policies list.

Direction Column Displays the direction for each policy. The directions include:• Uplink • Downlink • Both

Start IP Column Displays the start point for the IP address range.

End IP Column Displays the end point for the IP address range.

Min Rate (kbps) Column The minimum bandwidth that clients are guaranteed. Minimum rate is 1Kbps.

Max Rate (kbps) Column The maximum bandwidth that clients are allowed. Maximum rate is 54000 Kbps.

Interface Column Displays the interface that the SonicPoint FairNet policy applies to.This is the interface on the managing firewall that the SonicPoint appliance is connected to.

Enable Checkbox Enables the selected SonicPoint FairNet policy.

Configure Button Edits existing SonicPoint FairNet policies. Displays the Edit Fairnet Policy window (see “Add / Edit FairNet Policy” on page 210).

Add… Button Adds a SonicPoint FairNet policy for an IP address or range of addresses. Dis-plays the Add Fairnet Policy window (see “Add / Edit FairNet Policy” on page 210).

Delete Button Deletes the selected SonicPoint FairNet policies.


Add / Edit FairNet Policy

Name Description

Enable Policy check-box

Enables the FairNet policy. This option is checked by default.

Direction pull-down menu

Select whether the bandwidth limits for the policy apply to clients uploading content, downloading content, or in both directions.• Both Directions (this is the default) • Downlink (AP to Client) • Uplink (Client to AP)

Start IP text field Enter the starting IP address that the FairNet policy applies to. The IP address must be on a subnet that is configured for a WLAN interface.

End IP text field Enter the ending IP address that the FairNet policy applies to. The IP address must be on a subnet that is configured for a WLAN interface.

Min Rate(kbps) text field

Enter the minimum bandwidth that clients are guaranteed.

Max Rate(kbps) text field

Enter the maximum bandwidth that clients are guaranteed.

Interface pull-down menu

Selects the interface that the SonicPoint FairNet policy is applied to.Note: This is the interface on the managing firewall to which the SonicPoint

appliance is connected.

OK button Adds your policy to the FairNet Policies list and closes the Add/Edit FairNet Policy window.

Cancel button Cancels the information entered and closes the Add/Edit FairNet Policy window.


Configuring SonicPoint FairNet

This section contains an example FairNet configuration. To configure FairNet to provide more bandwidth in both directions, perform the following steps:

Step 1 Navigate to the SonicPoint > FairNet page.

Step 2 Click the Add... button.

Step 3 Make sure the Enable Policy checkbox is selected. This checkbox is enabled by default.

Step 4 From the Direction pull-down menu, select Both Directions to apply the policy to clients uploading content and downloading content. This is the default value.

Step 5 Click the Start IP text-box, then enter the starting IP address (for example, 172.16.29.100) for the FairNet policy.

Step 6 Click the End IP text-box, then enter the ending IP address (for example, 172.16.29.110) for the FairNet policy.


Tip The IP address range must be on a subnet that is configured for a WLAN interface.

Step 7 In the Min Rate(kbps) field, enter the minimum bandwidth (for example, 1000 Kbps) for the FairNet policy.

Step 8 In the Max Rate(kbps) field, enter the maximum bandwidth (for example, 2000 Kbps) for the FairNet policy.

Step 9 From the Interface pull-down menu, select the interface (for example, X2) to which the SonicPoint appliance is connected.

Step 10 Click the OK button. The policy is added to the FairNet Policies table.

Step 11 Select the Enable Fairnet checkbox.

Step 12 Click the Accept button.

Your Dell SonicWALL FairNet policy is now configured.


Index

Aaccess points

SonicPoints 7AES (Advanced Encryption Standard) 95BBSSID (Basic Service Set Identifier) 195Cchannels 195DDelivery Traffic Indication Message (DTIM) 70, 83, 100Dynamic Frequency Selection (DFS) 63, 77EEAPoL 59, 73, 87Extensible Authentication Protocol (EAP) 96, 138Fframe aggregation 65, 79, 91Gguard interval 65, 78, 91IIDS 193

rogue access points 193IDS (Intrusion Detection Service) 69, 82, 99intrusion detection system, see IDSMMAC Access Control 165MIMO 65, 79, 92Pport flapping 15Pre-Shared Key (PSK) 137Rrogue access points 193SSDP 106Short Guard Interval 64, 78, 91signals

measuring strength 195SonicPoints 7

auto provisioning 106before managing 8IDS 193Management over SSL VPN 112provisioning profiles 55, 141

Remote MAC Access Control 109SonicPoint AC, configuring 57

SonicWALL discovery protocol, see SDPSonicWALL simple provisioning protocol, see SSPPSSID (Service Set Identifier) 195SSPP 106station status 167TTKIP (Temporary Key Integrity Protocol) 95VVirtual Access Point Profile 136WWatch List 184WEP 94WEP (Wired Equivalent Privacy) 93Wi-Fi Certified 8wireless

IDS 193SonicPoints 7

wireless encryption protocol, see WEPWireless IDS (Intrusion Detection Service)

authorizing access points 197Wireless Intrusion Detection and Prevention (WIDP) 71, 84, 101wireless zones 8Zzone

SonicPoints 8wireless 8

| 1

sonicpoints ac 5.9.1 feature guide -...

Documents