Question/Topic

UTM - Wireless: Configuring a Virtual Access Point (VAP) Profile for Wireless Corporate Users on TZ Series

Answer/Article
Article Applies To:
SonicWALL Security Appliance Platforms: Gen5 TZ Series (Built-in Wireless): TZ 100 Wireless, TZ 200 W, TZ 210 Wireless. Firmware/Software version: SonicOS Enhanced 5.6.0.0 or higher Services: Virtual Access Point (VAP) Please Note: To configure VAP on TZ 100, TZ 200, TZ 210 (via SonicPoint) refer KBID 5801 (SonicOS Enhnaced 5.6.3.0 or higher)

Feature/Application:
You can use a VAP for a set of users who are commonly in the office, on campius, and to whom should be given full access to all network resources, providing that the connection is authenticated and secure. These users would already belong to the networks Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS Internet Authentication Services.

Deployment Steps:
The following are required areas of configuration for VAP deployment: Step 1: Adding a Wireless LAN (WLAN) Sub-Interface for VAP Step 2: Adding a DHCP Scope for the VAP Sub-Interface Step 3: Adding a New Virtual Access Point - Profile Step 4: Adding a New Virtual Access Point Step 5: Virtual Access Point Group Step 6: Assign VAP Group to Internal Wireless Radio

Procedure: Step 1: Adding a Wireless LAN (WLAN) Sub-Interface for VAP

A Wireless LAN (WLAN) subnet allows you to split a single wireless radio interface (W0) into many virtual network connections, each carrying its own set of configurations. The WLAN subnet solution allows each VAP to have its own virtual separate subinterface, even though there is only a single 802.11 radio.

1. WLAN subnets are configured from the Network > Interfaces page.

2. Click on Add Interface... button

Zone: Select WLAN VLAN Tag: Enter a number e.g 100 Parent Interface: Select W0 IP Assignment: Static IP Address/Subnet Mask (Enter IP subnet for VAP) Management (optional): Select a method if you wish to access SonicWALL appliance from VAP subnet.

3. Click OK

Step 2: Adding a DHCP Scope for the VAP Sub-Interface

The DHCP server assigns leased IP addresses to users within specified ranges, known as Scopes. Take care in making these settings manually, as a scope of 200 addresses for multiple interfaces that will only use 30 can lead to connection issues due to lease exhaustion. The DHCP scope should be resized as each interface/subinterface is defined to ensure that adequate DHCP space remains for all subsequently defined interfaces. Failure to do so may cause the auto-creation of subsequent DHCP scopes to fail, requiring manual creation after performing the requisite scope resizing. 1. DHCP Server Scope is set from the Network > DHCP Server page. 2. Ensure Enable DHCP Server option is Checked 3. SonicWALL appliance will automatically add a DHCP scope when an Interface/Sub-Interface is created.

Step 3: Adding a New Virtual Access Point - Profile

A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual Access Points. 1. Virtual Access Point Profiles are configured from the Wireless > Virtual Access Point page. 2. Scroll to the bottom of the page to Virutal Access Point Profiles section, click Add... button and choose an Authentication Type.

Step 4: Adding a New Virtual Access Point

The VAP Settings feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings. 1. 2. 3. 4. 5. Virtual Access Points are configured from the Wireless > Virtual Access Point page. Under Virtual Access Points section, Click Add... button Enter the SSID Under Subnet Name: choose the appropriate WLAN sub-interfaces from the drop down list. Click OK

Step 5: Virtual Access Point Group

The Virtual Access Point Groups feature allows for grouping of multiple VAP objects to be simultaneously applied to your internal wireless radio. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page.

Step 6: Assign VAP Group to Internal Wireless Radio

After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Internal AP Group (scroll to the bottom of the page).

How to Test: From you wireless client computer, scan and connect to the SSID (e.g VAP-Demo-TZs) and enter the Preshared Key (e.g. if WPA is choosen). Once connected your wireless adapter will aquire an the IP address from the appropriate WLAN sub-interface.

Related Items
UTM - Wireless: Configuring a Virtual Access Point (VAP) Profile for Wireless Corporate Users using SonicPoints UTM: Troubleshooting Wireless related issues

KBID Date Modified

8470 10/25/2010

Date Created

10/25/2010