Juniper AX411-W WLAN access point
Contents
1. address range low 192 168 2 2 address range high 192 168 2 254 router 192 168 2 1 N NN NN NY is used by the local portal so it must be excluded from set set set system services dhcp system services dhcp system services dhcp Interfaces and VLANs configuration previous examples pool 192 168 pool 192 168 pool 192 168 is 3 0 24 address range low 192 168 3 3 3 0 24 address range high 192 168 3 254 3 0 24 router 192 168 3 1 almost identical to the one shown in set interfaces set interfaces set interfaces trunk set interfaces default set interfaces interface range interface range interface range interface range interface range APs APs APs APs APs member ge 0 0 1 member range fe 0 0 2 to fe 0 0 3 unit 0 family ethernet switching port mode unit 0 family ethernet switching vlan members unit 0 family ethernet switching vlan members Copyright O 2011 Juniper Networks Inc APPLICATION NOTE Configuring and Deploying the AX411 Wireless Access Point WifiNet set interfaces interface range APs unit 0 family ethernet switching vlan members GuestNet set interfaces interface range APs unit 0 family ethernet switching native vlan id default set interfaces ge 0 0 0 unit 0 family inet address 198 0 0 1 24 set interfaces ge 0 0 7 unit 0 family inet address 192 168 254 1 24 set interfaces vlan unit 1 family inet address 192 168 2 1 24 set interfaces vlan unit 2 family inet ad
2. APs APs 1 0 24 1 0 24 1 0 24 2 0 24 2 0 24 2 0 24 services dhcp pool name server 4 2 2 2 is used by the management vlan services dhcp pool 192 168 services dhcp pool 192 168 services dhcp pool 192 168 is used by the WifiNet vlan services dhcp pool 192 168 services dhcp pool 192 168 services dhcp pool 192 168 address range low 192 168 1 2 address range high 192 168 1 254 router L922 068 Ll address range low 192 168 2 2 address range high 192 168 2 254 router 192 168 2 1 member ge 0 0 1 member range fe 0 0 2 to fe 0 0 3 unit 0 family ethernet switching port mode unit 0 family ethernet switching vlan members unit 0 family ethernet switching vlan members Copyright O 2011 Juniper Networks Inc 1 APPLICATION NOTE Configuring and Deploying the AX411 Wireless Access Point set interfaces interface range APs unit 0 family ethernet switching native vlan aiel dl set vlans WifiNet vlan id 2 set vlans WifiNet 13 interface vlan 2 set interfaces vlan unit 2 family inet address 192 168 2 1 24 set vlans default vlan id 1 set vlans default 13 interface vlan 1 set interfaces vlan unit 1 family inet address 192 168 1 1 24 Security Zones and policies configuration Please note that the vlan 0 interface MUST be assigned to a zone set security zones security zone untrust interfaces ge 0 0 0 0 set security zones security zone management interfaces vlan 1 host inbound traftic system services dhcp set secu
3. neighbors command displays information about the different neighboring access points detected.

   > show wlan access-points AP-1 neighbors
   Access point neighbors information
   Access point AP-1
   MAC                      Privacy  WPA  Band  Channel  SSID
   O02 533 C1663 b3ii8 a    On       On   2.4   2        2WIRE207
   00 17 3f e5 Cc9 43       On       Off  2.4   il       belkin54g
   00:25:bc:f5:80:7e        Off      Off  2.4   6        hpsetup
   00:0b:6b:86:d1:10        Off      Off  2.4   6        autonet CEC4
   00:0a:f4:4a:0d:08        On       Off  2.4   6        SST PR 1
   00:0b:46:bd:7f:b9        On       Off  2.4   6        SST PR 1
   00:18:f8:fd:a6:5b        On       On   2.4   6        yellow
   00:24:01:dc:a2:7b        On       On   2.4   9        Mace Net
   00:1e:52:7b:96:58        On       On   2.4   7        Zippy s Network
   00 ld 7e 6e 69 f         On       Off  2.4   7        DINEZ
   QUe rg AG                Off      Off  2.4   6        Leadermed
   003143 1792997086        Off      Off  2.4   6        linksys
   00 16 b6 db 1le 7f       On       On   2.4   6        Crown Capital Advisors

   Use the show wlan access-points AP virtual-access-points to display the list of configured VAPs and their traffic statistics.

   > show wlan access-points AP-1 virtual-access-points
   Virtual access points information
   Access point name AP-1
   Radio1
   VAP0
   SSID WifiNet
   MAC Address 00:12:CF:C5:4A:40
   VLAN ID 2
   Traffic Statistics
   Input Bytes
   Output Bytes
   Input Packets
   Output Packets
   VAP1
   SSID
   MAC Address
   VLAN ID
   Traffic Statistics
   Input Bytes
   Output Bytes
   Input Packets
   Output Packets
   Radio2
   VAP0
   SSID
   MAC Addre
4. Appendix: AX411 Wireless LAN Access Point Certification Listing

   Part Numbers Affected: AX411-US, AX411-E, AX411-W, AX411-JP, AX411-IL, AX411-SG, AX411-KR, AX411-CN, AX411-TW

   Due to the fact that certain countries have imposed restrictions on the deployment of wireless technologies, this document should be used to determine in which countries the AX411 has been certified for shipment. In the table below, select the AX411 wireless LAN access point model by SKU that needs to be ordered to support appropriate power and channel settings for a particular country listed as "Yes". Countries listed as "No" have not been certified at this time. Refer to the Juniper price list for exact model number and ordering information. For any additional questions, please contact your Juniper Channel Partner or Account Representative.

   REGION (CODE) / COUNTRY   SKU SUPPORTED   AX411 SKU
   FCC (US)
   a TE O PEE E etnies ele ter te fa on cacti ahs eens Roe P RE
   Canada                    Yes             AX411-US
   ETSI (E)
   e o VEIEN ETA E si ia aa PO E E
   Belgium                   Yes             AX411-E
   Bulgaria                  Yes             AX411-E
   Cyprus                    Yes             AX411-E
   Czech Republic            Yes             AX411-E
   Denmark                   Yes             AX411-E
   Estonia                   Yes             AX411-E
   Finland                   Yes
   France                    Yes
   Germany                   Yes
   Greece                    Yes
   Hungary                   Yes
   Iceland                   Yes
   Ireland                   Yes
   Italy                     Yes
   Latvia                    Yes
   Liechtenstein             Yes
   Lithuania                 Yes             AX411-E
   Luxembourg                Yes             AX411-E
   Malta                     Yes             AX411-E
5. (List of Tables, continued) Supported RADIUS Attributes

   Introduction
   Juniper Networks has introduced a wireless access point solution that is integrated into Juniper Networks SRX Series Services Gateways. This new product line allows for a simple deployment of Wi-Fi networks in the branch while leveraging the advanced capabilities of Juniper's services gateways for AP management. SRX Series for the branch includes the ability to provide advanced security services like unified threat management (UTM), intrusion prevention system (IPS), firewalling, unified access control, and VPNs.

   Scope
   The purpose of this application note is to provide an overview of the different deployment scenarios for Juniper's Wi-Fi solution for the branch. This application note begins by detailing the capabilities of the Juniper Networks AX411 Wireless Access Point and how it is configured. The final sections of this application note provide some typical deployment scenarios and their configurations.

   Design Considerations
   SRX Series Services Gateways are used to monitor and configure the AX411 access points. These devices support Power over Ethernet (PoE) and can be powered by SRX Series gateways that support PoE. Alternatively, an external power supply is provided with each a
6. id default
   set interfaces ge-0/0/0 unit 0 family inet address 198.0.0.1/24
   set interfaces ge-0/0/7 unit 0 family inet address 192.168.254.1/24
   set interfaces vlan unit 1 family inet address 192.168.2.1/24
   set interfaces vlan unit 2 family inet address 192.168.2.1/24
   set interfaces vlan unit 3 family inet address 192.168.3.1/24
   set vlans WifiNet vlan-id 2
   set vlans WifiNet l3-interface vlan.2
   set vlans GuestNet vlan-id 3
   set vlans GuestNet l3-interface vlan.3
   set vlans default vlan-id 1
   set vlans default l3-interface vlan.1

   Security Zones
   It is required to allow DHCP traffic into each zone and PING into the management zone.
   set security zones security-zone untrust interfaces ge-0/0/0.0
   set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services dhcp
   set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ping
   set security zones security-zone WifiNet interfaces vlan.2 host-inbound-traffic system-services dhcp
   set security zones security-zone GuestNet interfaces vlan.3 host-inbound-traffic system-services dhcp
   The radius server is attached to the trust zone.
   set security zones security-zone trust address-book address radius 192.168.254.2/32
   set security zones security-zone trust interfaces ge-0/0/7.0

   Security Policie
7. set wlan access-point AP-1 radio 2 virtual-access-point 0 security none
   All other APs are similarly configured.

   RADIUS Based MAC Authentication
   When the number of devices in the network is large, the MAC database becomes difficult to maintain. In these cases, a RADIUS server can be used to centralize the database. When using MAC-based RADIUS authentication, association requests trigger a RADIUS authentication request to be sent from the access point to the RADIUS server; these requests can be forwarded by the SRX Series, but they will neither be generated nor proxied by it.

   [Figure 6: RADIUS based MAC authentication. CorpNet SSID: a single broadcast SSID is advertised; RADIUS-based MAC auth provides access control. RADIUS server: 192.168.254.2.]

   This configuration, almost identical to the one in our previous example, specifies the MAC authentication type as RADIUS on a per-VAP basis and specifies the RADIUS parameters.
   set wlan access-point AP-1 mac-address 00:de:ad:10:75:00
   RADIUS configuration set wlan access point AP 1 set wlan access point AP 1 set wlan access point AP 1 authentication type radius set wlan access point AP 1 set wlan access point AP 1 set wlan access point AP 1 set wlan acc
8. the GuestNet WifiNet will do RADIUS based MAC authentication instead Firewall Auth The GuestNet zone will do Firewall Authentication and redirect the first HTTP requests to a local portal OFFICE gt AP 1 00 de ad 10 75 00 A A SRX ge 0 0 0 0 Series untrust 198 0 0 1 24 Tees FE CO INTERNET ge 0 0 7 0 trust a 00 de ad 10 76 00 192 198 254 1 24 Client gt j AP 3 00 de ad E m 0 77 00 nm Radius Server 192 168 254 2 CorpNet and GuestNet SSIDs Clients associated to CorpNet are tagged with VLAN tag 2 Clients associated to GuestNET are tagged with VLAN tag 3 Figure 8 Firewall authentication In this example both radios broadcast both SSIDs WifiNet and GuestNet simultaneously so clients can associate using either of the following protocols to any SSID 802 11a b g or n Enable the http connections to the vlan 3 interface where the captive portal will be used set set set set set set set set system system system system system system system system The 192 168 3 2 address DHCP pool the services web management http interface vlan 3 services dhcp name server 4 2 2 2 services dhcp pool 192 168 2 0 24 services dhcp pool 192 168 2 0 24 services dhcp pool 192 168 2 0 24 services dhcp pool 192 168 2 0 24 services dhcp pool 192 168 2 0 24 services dhcp pool 192 168 2 0 24 address range low 192 168 2 2 address range high 192 168 2 254 router 192 168 2 1
9. 40
   set wlan access-point AP-1 access-point-options country US
   set wlan access-point AP-1 radio 1 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-1 radio 1 virtual-access-point 0 security none
   set wlan access-point AP-1 radio 2 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-1 radio 2 virtual-access-point 0 security none
   set wlan access-point AP-2 mac-address 00:12:cf:c5:4b:40
   set wlan access-point AP-2 access-point-options country US
   set wlan access-point AP-2 radio 1 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-2 radio 1 virtual-access-point 0 security none
   set wlan access-point AP-2 radio 2 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-3 mac-address 00:12:cf:c5:4c:40
   set wlan access-point AP-3 access-point-options country US
   set wlan access-point AP-3 radio 1 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-3 radio 1 virtual-access-point 0 security none
   set wlan access-point AP-3 radio 2 virtual-access-point 0 ssid WifiNet

   The AX411 access points use the concept of a Virtual Access Point (VAP). A VAP appears to the wireless client as a single independent access point advertising a single service set identifier (SSID). In our first configuration, only a single SSID is advertised, which means that a single VAP on each radio is being used.

   L3 Management Mode
   In this mode, each access point is connected to a different L3 interface. Since each interface belongs to a different subnet, clients will get their addresses assigned from a pool based on the access point to whi
10. 411
   set poe interface all

   DHCP Server config
   set system services dhcp name-server 4.2.2.2
   set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2
   set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
   set system services dhcp pool 192.168.2.0/24 router 192.168.2.1

   Interface and VLAN Configuration
   Note how interface ranges can be used to simplify the configuration when a large number of APs are used.
   set interfaces interface-range APs member ge-0/0/1
   set interfaces interface-range APs member fe-0/0/2
   set interfaces interface-range APs member fe-0/0/3
   set interfaces interface-range APs unit 0 family ethernet-switching vlan members default
   set interfaces ge-0/0/0 unit 0 family inet address 198.0.0.1/24
   Untrust Static IP
   set interfaces vlan unit 2 family inet address 192.168.2.1/24
   set vlans default vlan-id 2
   set vlans default l3-interface vlan.2

   Routing is trivial, there is only a default route pointing to the Internet.
   set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1

   NAT all traffic from the WifiNet to untrust. Use the IP address of the egress interface as the new source.
   set security nat source rule-set Internet-Access from zone WiFiNet
   set security nat source rule-set Internet-Access to zone untrust
   set security nat source rule-set Internet-Access rule nat-all match source-address 0.0.0.0/0
   set security nat source rule-set Internet-Access rule nat-all then source n
11. Juniper Networks
   APPLICATION NOTE
   CONFIGURING AND DEPLOYING THE AX411 WIRELESS ACCESS POINT

   Table of Contents
   Introduction
   Scope
   Design Considerations
   Hardware Requirements
   Software Requirements
   Description and Deployment Scenario
   AX411 Features
   Operational Model
   L2 Management Mode
   L3 Management Mode
   FANT SIN
   RADIUS Support
   Description and Deployment Scenarios
   L2 Management Mode
   L3 Management Mode
   Segregating User and Management Traffic
   MAC Authentication
   RADIUS Based MAC Authentication
   Creating Multiple Wireless Networks Using VAPs
12. Monaco                    Yes             AX411-E
   Netherlands               Yes             AX411-E
   Norway                    Yes             AX411-E
   Poland                    Yes             AX411-E
   Portugal                  Yes             AX411-E
   Saudi Arabia              No              AX411-E
   Slovak Republic           Yes             AX411-E
   Slovenia                  Yes             AX411-E
   South Africa              No              AX411-E
   Spain                     Yes             AX411-E
   Sweden                    Yes             AX411-E
   Switzerland               Yes             AX411-E
   Ukraine                   No              AX411-E
   United Kingdom            Yes             AX411-E
   World (W)
   Mexico                    No              AX411-W
   Turkey                    No              AX411-W
   Australia                 Yes             AX411-W
   New Zealand               Yes             AX411-W
   Hong Kong                 Yes             AX411-W
   India                     Yes             AX411-W
   Philippines               No              AX411-W
   Malaysia                  Yes             AX411-W
   Thailand                  Yes             AX411-W
   Argentina                 No              AX411-W
   Brazil                    Yes             AX411-W
   Chile                     No              AX411-W
   Colombia                  No              AX411-W
   Panama                    No              AX411-W
   Peru                      No              AX411-W
   Venezuela                 No              AX411-W
   TELEC (JP)
   a co Ret aes os ante e E al
   Israel (IL)               No              AX411-IL
   Singapore (SG)            Yes             AX411-SG
   Korea (KR)                Yes             AX411-KR
   China (CN)                Yes             AX411-CN
   Taiwan (TW)               Yes             AX411-TW

   About Juniper Networks
   Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners w
13. Administration and Monitoring

   Monitoring
   The branch SRX Series gateways also provide monitoring commands, allowing users to obtain real-time information on the status of access points and associated clients. When an access point monitoring command is invoked, the SRX Series connects to the appropriate access point and pulls the required status information. This section shows a summary of the monitoring commands and their output.

   The show wlan access-points command shows a summary of active access points connected to the SRX Series.

   > show wlan access-points
   Active access points information
   Access-Point   Type   Interface   Radio-mode/Channel
   AP-1           Ext    vlan        an/116, bgn/2

   The show wlan access-points <ap-name> detail command shows general information about a particular access point.

   > show wlan access-points AP-1 detail
   Active access point detail information
   Access Point: AP-1
   Type: External
   Location: Default Location
   Serial Number: 849001007
   Firmware Version: O 2oS
   Access Interface: vlan
   Packet Capture: Disabled
   Ethernet Port:
     MAC Address: 00:12:CF:C5:4A:40
     IPv4 Address: 5 1S EB 253
   Radio1:
     Status: On
     MAC Address: 00:12:CF:C5:4A:40
     Mode: IEEE 802.11a/n
     Channel: 116 (5580 MHz)
   Radio2:
     Status: On
     MAC Address: SOOM ICH CSKAARS O
     Mode: IEEE 802.11b/g/n
     Channel: 2 (2417 MHz)

   The show wlan access-point <ap-name>
14. Point

   DHCP configuration
   set system services dhcp name-server 4.2.2.2
   Pool used for the management network
   set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
   set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
   set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
   Pool used for WifiNet
   set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2
   set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
   set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
   Pool used for GuestNet
   set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.2
   set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.254
   set system services dhcp pool 192.168.3.0/24 router 192.168.3.1

   Interfaces and VLANs
   set interfaces interface-range APs member ge-0/0/1
   set interfaces interface-range APs member-range fe-0/0/2 to fe-0/0/3
   set interfaces interface-range APs unit 0 family ethernet-switching port-mode trunk
   set interfaces interface-range APs unit 0 family ethernet-switching vlan members default
   set interfaces interface-range APs unit 0 family ethernet-switching vlan members WifiNet
   set interfaces interface-range APs unit 0 family ethernet-switching vlan members GuestNet
   set interfaces interface-range APs unit 0 family ethernet-switching native vlan
15. at interface

   Security Zones and policies configuration
   Please note that the vlan.0 interface MUST be assigned to a zone.
   set security zones security-zone untrust interfaces ge-0/0/0.0
   It is important to allow both DHCP and PING, otherwise the SRX will not discover the APs.
   set security zones security-zone WifiNet interfaces vlan.2 host-inbound-traffic system-services dhcp
   set security zones security-zone WifiNet interfaces vlan.2 host-inbound-traffic system-services ping
   set security policies from-zone WifiNet to-zone untrust policy allow-internet-access match source-address any
   set security policies from-zone WifiNet to-zone untrust policy allow-internet-access match destination-address any
   set security policies from-zone WifiNet to-zone untrust policy allow-internet-access match application any
   set security policies from-zone WifiNet to-zone untrust policy allow-internet-access then permit

   APs configuration
   By default, all traffic not assigned to a VLAN is sent untagged. Both radios are used (radio 1 in the 5 GHz band and radio 2 in the 2.4 GHz band) and broadcast the same SSID.
   AP 1 set wlan set wlan set wlan set wlan set wlan set wlan AP 2 set wlan set wlan set wlan set wlan set wlan AP 3 set wlan set wlan set wlan set wlan set wlan access point AP 1 mac address 00 12 cf c5 4a
16. authentication the access point uses this database to determine if a particular association request will be granted. Two mutually exclusive lists are provided: allow lists and deny lists. If the allow list is configured, any station with a MAC address not on the list will be denied access. Similarly, if the deny list is configured, all stations will be allowed, with the exception of the ones present on the list.

   AP-1 configuration
   set wlan access-point AP-1 mac-address 00:12:00:00:00:00
   set wlan access-point AP-1 mac-address 00:12:00:00:00:01
   set wlan access-point AP-1 access-point-options country US
   set wlan access-point AP-1 mac-address 00:12:cf:c5:4a:40
   set wlan access-point AP-1 access-point-options station-mac-filter allow-list mac-address 00:16:cb:05:1e:af
   set wlan access-point AP-1 radio 1 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-1 radio 1 virtual-access-point 0 vlan 2
   set wlan access-point AP-1 radio 1 virtual-access-point 0 security mac-authentication-type local
   set wlan access-point AP-1 radio 1 virtual-access-point 0 security none
   set wlan access-point AP-1 radio 2 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-1 radio 2 virtual-access-point 0 vlan 2
   set wlan access-point AP-1 radio 2 virtual-access-point 0 security mac-authentication-type local
17. ccess firewall-authentication pass-through default-profile fw-auth
   set access firewall-authentication web-authentication default-profile fw-auth
   set access firewall-authentication web-authentication banner success "Welcome to GuestNet"

   AP1 configuration
   set wlan access-point AP-1 mac-address 00:12:cf:c5:4a:40
   set wlan access-point AP-1 radio 1 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-1 radio 1 virtual-access-point 0 vlan 2
   set wlan access-point AP-1 radio 1 virtual-access-point 0 security mac-authentication-type radius
   set wlan access-point AP-1 radio 1 virtual-access-point 0 security none
   set wlan access-point AP-1 radio 1 virtual-access-point 1 ssid GuestNet
   set wlan access-point AP-1 radio 1 virtual-access-point 1 vlan 3
   set wlan access-point AP-1 radio 1 virtual-access-point 1 security none
   set wlan access-point AP-1 radio 2 virtual-access-point 0 ssid WifiNet
   set wlan access-point AP-1 radio 2 virtual-access-point 0 vlan 2
   set wlan access-point AP-1 radio 2 virtual-access-point 0 security mac-authentication-type radius
   set wlan access-point AP-1 radio 2 virtual-access-point 0 security none
   set wlan access-point AP-1 radio 2 virtual-access-point 1 vlan 3
   set wlan access-point AP-1 radio 2 virtual-access-point 1 security none

   RADIUS Based VLAN Assignment
   When using RADIUS authentication, it is possible to send a RADIUS attribute to instruct each access point to tag the traffic from the client with a VLAN ta
18. ccess point that can be used when PoE is not available.

   Hardware Requirements
   Juniper Networks SRX Series for the branch: SRX100 line and SRX200 line of services gateways and the SRX650 Services Gateway

   Software Requirements
   Juniper Networks Junos operating system release 10.0 or later

   Description and Deployment Scenario

   AX411 Features
   The AX411 access point provides support for a wide range of features and protocols targeted for small to medium-sized deployments in branch offices. For larger deployments of more than 4 access points, or where location services are desired, the Juniper Networks WLA and WLC product lines are recommended. The following table summarizes some of the most important characteristics of this product.

   Table 1: AX411 Feature Summary
   Dual radio support: Yes
   PHY protocols supported: 802.11a, 802.11b, 802.11g, and 802.11n
   802.11h spectrum and transmit power management extensions: Yes
   802.11d specification for operation in additional regulatory domains: Yes
   802.11e quality of service enhancements: Yes
   Number of virtual access points supported: Up to 16 per radio (32 total)
   Gigabit Ethernet ports: 1
   Console port: 1
   802.1q support: Yes
   Authentication: Local and RADIUS
   MAC authentication: Yes
   HTTP redirect support: Yes
   Access point clustering support: Yes (in Junos OS 10.1 and later)
19. ch they are associated DHCP Each interface handles out addresses from a different pool OFFICE l ge 0 0 0 0 trust Eo 192 168 1 1 24 AP 00 de ad 10 75 00 AR gt ae SRX ge 0 0 0 0 ge 0 0 0 0 trust Series untrust 192 168 2 1 24 o 198 0 0 1 24 APD INTERNET E A ayy 00 de ad 10 76 00 ge 0 0 0 0 192 168 3 1 24 AP 3 00 de ad 10 77 00 CorpNet SSID A single broadcast SSID is advertised Figure 4 L3 management mode example Copyright 2011 Juniper Networks Inc APPLICATION NOTE Configuring and Deploying the AX411 Wireless Access Point Enable PoE if you will be using set poe interface all DHCP Server config A different p set system services dhcp name se set system services dhcp pool 19 set system services dhcp pool 19 set system services dhcp pool 19 set system services dhcp pool 19 set system services dhcp pool 19 set system services dhcp pool 19 set system services dhcp pool 19 set system services dhcp pool 19 set system services dhcp pool 19 Interface configurations set interfaces ge 0 0 1 unit 0 f set interfaces ge 0 0 2 unit 0 f set interfaces ge 0 0 3 unit 0 f Security Zones and policies con An intra zone policy is added t different APs set security zones security zone set security zones security zone set security zones security zone system services dhcp set security zones security zone set security zones security zone system services dhcp set secu
20. dress 192 168 2 1 24 set interfaces vlan unit 3 family inet address 192 168 3 1 24 set vlans WifiNet vlan id 2 set vlans WifiNet 13 interface vl set vlans GuestNet vlan id 3 set vlans GuestNet 13 interface set vlans default vlan id 1 set vlans default 13 interface v an 2 vlan 3 Tanri The address 192 168 3 2 is where the local captive portal listens for http requests set interfaces vlan unit 3 family inet address 192 168 3 2 24 web authentication http Security Zones configuration The host inbound http must be allowed for the local captive portal set security zones security zone service set security zones security zone set security zones security zone set security zones security zone system services dhcp set security zones security zone system services dhcp set security zones security zone system services ping set security zones security zone system services dhcp set security zones security zone system services http set security zones security zone 192 168 254 2 32 set security zones security zone untrust host inbound traffic system services any untrust host inbound traffic protocols all untrust interfaces ge 0 0 0 0 WifiNet interfaces vlan 2 host inbound traffic management interfaces vlan 1 host inbound traffic management interfaces vlan 1 host inbound traffic GuestNet interfaces vlan 3 host inbound traffic GuestNet interfaces vlan 3 host inbound traffic trust address book address rad
21. Creating a Guest Network Using Firewall Authentication
   RADIUS Based VLAN Assignment
   Administration and Monitoring
   Monitoring
   Firmware Upgrade
   Summary
   Appendix: AX411 Wireless LAN Access Point Certification Listing
   Part Numbers Affected
   About Juniper Networks

   Table of Figures
   Figure ZN ae e MENO
   Figure 2: L3 Management Mode
   Figure 3: L2 management mode example
   Figure 4: L3 management mode example
   Figure 5: Segregating user and management traffic
   Figure 6: RADIUS based MAC authentication
   Figure 7: Using multiple VAPs
   Figure 8: Firewall authentication
   Figure 9: RADIUS based VLAN assignment

   List of Tables
   Table 1: AX411 Feature Summary
   Table 2: L2 vs L3 Forwarding Mode
22. Operational Model
   The AX411 access points are managed from branch SRX Series Services Gateways, allowing for a simpler, centralized provisioning model. In particular, the following operations can be performed directly from the SRX Series gateways:

   Configuration management: The entire configuration for all AX411s is performed within Junos OS at the branch gateway and pushed to the access points using a secure connection to the AX411 device. The Junos OS infrastructure is used to provide configuration backup and restore, auditing, scripting, role-based authentication, etc.

   Monitoring: Access points are monitored from the services gateway, including the ability to obtain device and wireless network information from the command-line interface (CLI), J-Web Software, or SNMP.

   Device maintenance: Device maintenance support includes firmware upgrades.

   When an access point is connected to a branch gateway for the first time, it requests an IP address using the Dynamic Host Configuration Protocol (DHCP). After obtaining an IP address, a registration protocol is used to exchange configuration and status information between the devices. The SRX Series gateway uses the media access control (MAC) address received in the registration messages to identify each access point. The advantage of using this approach is that access points can be connected to any port or given any IP address while still being correctly identified, since MAC addresses a
23. erfaces ge 0 0 1 0 WifiNet interfaces ge 0 0 1 0 host inbound traffic WifiNet interfaces fe 0 0 2 0 WifiNet interfaces fe 0 0 2 0 host inbound traffic WifiNet interfaces fe 0 0 3 0 WifiNet interfaces fe 0 0 3 0 host inbound traffic WifiNet to zone WifiNet policy permit egress traffic WifiNet to zone WifiNet policy permit egress traffic WifiNet to zone WifiNet policy permit egress traffic WifiNet to zone WifiNet policy permit egress traffic WifiNet to zone untrust policy allow internet WifiNet to zone untrust policy allow internet any WifiNet to zone untrust policy allow internet WifiNet to zone untrust policy allow internet is identical to the one in our previous example ddress 00 12 cf c5 4a 40 s point options country US 1 virtual access point 0 ssid WifiNet virtual access point security none il 0 2 virtual access point 0 ssid WifiNet 2 virtual access point 0 security none Copyright 2011 Juniper Networks Inc APPLICATION NOTE Configuring and Deploying the AX411 Wireless Access Point set wlan set wlan set wlan set wlan set wlan AP 3 set wlan set wlan set wlan set wlan set wlan access point access point access point access point access point access point access point access point access point access point Segregating User and Management Traffic mac address 00 12 cf c5 4b 40 access point options country US radio 1 virtual access point radio 1 virtual access point radio 2 virtual acce
24. erfaces interface-range APs unit 0 family ethernet-switching vlan members default
set interfaces interface-range APs unit 0 family ethernet-switching vlan members WifiNet
set interfaces interface-range APs unit 0 family ethernet-switching vlan members GuestNet
set interfaces interface-range APs unit 0 family ethernet-switching native-vlan-id default
set interfaces vlan unit 1 family inet address 192.168.2.1/24
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set interfaces vlan unit 3 family inet address 192.168.3.1/24
set wlan access-point AP-1 mac-address 00:12:cf:c5:4a:40
set wlan access-point AP-1 radio 1 virtual-access-point 0 ssid WifiNet
set wlan access-point AP-1 radio 1 virtual-access-point vlan 3
set wlan access-point AP-1 radio 1 virtual-access-point security dot1x radius-server 192.168.254.2
set wlan access-point AP-1 radio 1 virtual-access-point security dot1x radius-key juniper
set wlan access-point AP-1 radio 2 virtual-access-point ssid WifiNet
set wlan access-point AP-1 radio 2 virtual-access-point vlan 3
set wlan access-point AP-1 radio 2 virtual-access-point security dot1x radius-server 192.168.254.2
set wlan access-point AP-1 radio 2 virtual-access-point security dot1x radius-key juniper

By default, users will be placed in VLAN 3 (GuestNet) unless the RADIUS server assigns the VLAN ID 2, in which case the user will access the WifiNet
25. escription and Deployment Scenarios

We will start by configuring basic access point management access for both L2 and L3 modes. These configurations will be used as the starting point in subsequent scenarios.

L2 Management Mode

In this mode, all access points are connected to the SRX Series for the branch by means of an Ethernet switched network, either using an external switch or the ports on the SRX Series gateway configured for switching. A single L3 interface is used to provide connectivity to all of the access points. This interface also serves as the default gateway for the wireless clients.

[Figure 3: L2 management mode example. Labels: DHCP hands out addresses in 192.168.1.0/24; SRX Series, ge-0/0/0.0 untrust, Internet; vlan trust 192.168.1.1/24; access points 00:de:ad:10:75:00, 00:de:ad:10:76:00, 00:de:ad:10:77:00; CorpNet SSID, a single broadcast SSID is advertised.]

For completeness, security policies, Network Address Translation (NAT), and untrust interface configurations required to allow traffic from the access points to the Internet are included in this configuration. To avoid unnecessary repetitions, and unless explicitly noted, our next examples will omit these sections from the configuration.

Enable PoE if you will be using that to power the AX
26. ess point AP 1 authentication type radius set wlan access point AP 1 radio radio radio radio radio radio radio radio ei NN NP virtual access point virtual access point virtual access point virtual access point virtual access point virtual access point virtual access point virtual access point ssid WifiNet vlan 2 security mac security none ssid WifiNet vlan 2 security mac security none

The access request message contains the following attributes, which can be used by the RADIUS server to grant or deny access to clients (in particular, note the access point MAC, IP address, and SSID info):

User-Name: 00 12 00 00 00 00
User-Password: NOPASSWORD
NAS-IP-Address: 192.168.2.3
Called-Station-Id: 00 DE AD 10 75 00 WifiNet
Calling-Station-Id: 00 12 00 00 00 00
NAS-Port-Type: Wireless 802.11
Connect-Info: CONNECT 11Mbps 802.11b

When using RADIUS authentication, it is important to remember that the RADIUS requests originated from the management address of each access point must be permitted by the firewall policies.

Creating Multiple Wireless Networks Using VAPs

A requirement for many organizations is to segment their networks so that more granular access control can be enforced. In this example we will separate the network into two differe
27. g This allows segmentation of the network into multiple domains while still broadcasting a single SSID. Network administrators can give users access to each domain, while users do not have to choose a particular SSID.

In this example we will use 802.1X authentication with RADIUS-based VLAN assignment. The RADIUS attributes used to signal which VLAN to use for a particular client are the following:

Tunnel-Type = 13 (VLAN Tunnels)
Tunnel-Medium-Type = 6 (802 medium)
Tunnel-Private-Group-ID = <vlan id>

[Figure 9: RADIUS-based VLAN assignment. Labels: CorpNet SSID, a single SSID is transmitted by both radios; clients are assigned to a different VLAN by the RADIUS server; each VLAN is mapped to a different zone and has different access privileges; SRX Series, ge-0/0/0.0 untrust 198.0.0.1/24, ge-0/0/7.0 trust 192.198.254.1/24; AP-1 00:de:ad:10:75:00, 00:de:ad:10:76:00, AP-3 00:de:ad:10:77:00; RADIUS server 192.168.254.2, which authenticates the user and returns the VLAN tag used for that client.]

set interfaces interface-range APs member ge-0/0/1
set interfaces interface-range APs member-range fe-0/0/2 to fe-0/0/3
set interfaces interface-range APs unit 0 family ethernet-switching port-mode trunk
set int
28. ion
  L2 MODE: Not always possible (proxy-arp can be used to force all client-to-client traffic to be sent to the gateway, where security policies can be enforced).
  L3 MODE: Yes.

FEATURE: QoS
  L2 MODE: Not supported for client-to-client traffic.
  L3 MODE: Yes.

FEATURE: Configuration complexity
  L2 MODE: Simpler configuration, since a single L3 interface is shared between all access points.
  L3 MODE: Complex, as each access point is connected to a different L3 interface, with each requiring the configuration of an IP address, a DHCP server, security zones, and policies.

FEATURE: Roaming
  L2 MODE: Client roaming is supported if MAC authentication or no authorization protocol is used. If authentication is used, clients will have to log in every time they associate to a new access point.
  L3 MODE: Roaming will require clients to send a new DHCP request in order to obtain a new IP address.

Configuration

The configuration is found under the wlan hierarchy. In Junos OS release 10.0, each access point has to be configured individually. Junos OS 10.1 includes the ability to group access points into clusters, where all access points share the same configuration. Access points in a cluster exchange both configuration and operational information and do not require operators to make changes to each individual access point. The clustering feature will be discussed in a future version of this document.

wlan acces
29. is not used, VLAN ID used for management traffic, and native VLAN ID (i.e., VLAN ID used for untagged traffic).

In order to comply with the different regulatory domains, each access point must be configured with the name of the country where it is being deployed. This is done under the access point options, and it is used to determine the range of channels and maximum transmit power allowed in that domain.

Finally, all radio, client authentication, and SSID options are configured under the radio section.

The following deployment scenarios will show some typical configurations, and they will be used to introduce some of the configuration options available.

RADIUS Support

One or more (for redundancy purposes) RADIUS servers can be used to authenticate users. When a user is granted access, the RADIUS protocol provides a mechanism to pass user-specific parameters to the access point. These parameters allow passing per-user configuration options centrally managed by the RADIUS server. The following table displays the list of RADIUS attributes that can be passed to the AX411 access point, as specified in RFC 3580.

Table 3: Supported RADIUS Attributes

ATTRIBUTE NAME              VALUE   TYPE      DEFINED IN
Session-Timeout             27      integer   RFC2865
Tunnel-Type                 64      integer   RFC2868
Tunnel-Medium-Type          65      integer   RFC2868
Tunnel-Private-Group-ID     81      integer   RFC2868
WISPR-Max-Bandwidth-Down    7       integer   VSA (14122)
WISPR-Max-Bandwidth-Up      8       integer   VSA (14122)

D
30. ius trust interfaces ge-0/0/7.0

The security policies configuration is identical to the one in our previous example, with the exception of the GuestNet > Untrust policy, which has firewall auth enabled, as shown below:

set security policies from-zone GuestNet to-zone untrust policy allow-egress match source-address any
set security policies from-zone GuestNet to-zone untrust policy allow-egress match destination-address any
set security policies from-zone GuestNet to-zone untrust policy allow-egress match application junos-http
set security policies from-zone GuestNet to-zone untrust policy allow-egress match application junos-dns-udp
set security policies from-zone GuestNet to-zone untrust policy allow-egress then permit firewall-authentication pass-through access-profile fw-auth
set security policies from-zone GuestNet to-zone untrust policy allow-egress then permit firewall-authentication pass-through web-redirect

The access profile configuration specifies the address and secret of the RADIUS server:

set access profile fw-auth authentication-order radius
set access profile fw-auth radius-server 192.168.254.2 port 1812
set access profile fw-auth radius-server 192.168.254.2 secret 9 116v87wYojHm VHmfT 9evwW

FW Auth settings
set a
31. n access point AP 1 radio set wlan access point AP 1 radio set wlan access point AP 1 radio set wlan access point AP 1 radio set wlan access point AP 1 radio set wlan access point AP 1 radio radius radius server 192 168 254 set wlan access point AP 1 radio radius radius key juniper set wlan access point AP 1 radio radius session key refresh rate ddress 00 12 cf c5 4a 40 1 virtual access point 1 virtual access point 1 virtual access point 2 virtual access point 2 virtual access point 2 virtual access point AD 2 virtual access point 2 virtual access point 60 DO O OO qD policy allow http dns policy allow http dns policy allow http dns policy allow http dns policy allow radius policy allow radius policy allow radius policy allow radius then ssid GuestNet vlan 3 security none ssid WifiNet vlan 2 security wpa enterprise security wpa enterprise security wpa enterprise

Creating a Guest Network Using Firewall Authentication

In our final example we will use firewall authentication to authenticate users trying to access a guest network. New users will be redirected to a local portal running in the SRX Series, where they will be authenticated. The user database can be local or, as in the previous examples, RADIUS authentication can be used. Firewall authentication will only be used in
32. nt zones. The Corporate zone, with a WifiNet SSID, will enforce encryption using Wi-Fi Protected Access (WPA) and RADIUS authentication. The Guest zone, with a Guest SSID, will be open but will only allow HTTP and Domain Name System (DNS) traffic to the Internet.

Two VAPs will be used, each with a single SSID and each associated to a VLAN. Traffic from clients associated to the WifiNet SSID will be tagged using VLAN tag 2, while traffic for the Guest network will be tagged with VLAN tag 3.

In order to provide better channel management, each radio will be transmitting a single SSID. Radio 1 will be transmitting in the 2.4 GHz band, advertising the GuestNet SSID, while radio 2 will be transmitting in the 5 GHz band, advertising the WifiNet SSID. Please note that it is also possible to configure both radios to advertise both SSIDs simultaneously if needed (as previously noted, each radio can advertise up to 16 SSIDs simultaneously).

[Figure 7: Using multiple VAPs. Labels: SRX Series, ge-0/0/0.0 untrust, Internet; AP-1 00:de:ad:10:75:00, AP-3 00:de:ad:10:77:00; RADIUS server 192.168.254.2; CorpNet and GuestNet SSIDs; clients associated to CorpNet are tagged with VLAN tag 2; clients associated to GuestNET are tagged with VLAN tag 3.]
33. orldwide Additional information can be found at www juniper net Corporate and Sales Headquarters APAC Headquarters EMEA Headquarters To purchase Juniper Networks solutions Juniper Networks Inc Juniper Networks Hong Kong Juniper Networks Ireland please contact your Juniper Networks 1194 North Mathilda Avenue 26 F Cityplaza One Airside Business Park representative at 1 866 298 6428 or Sunnyvale CA 94089 USA 1111 King s Road Swords County Dublin Ireland A authorized reseller Phone 888 JUNIPER 888 586 4737 Taikoo Shing Hong Kong Phone 35 31 8903 600 or 408 745 2000 Phone 852 2332 3636 EMEA Sales 00800 4586 4737 Fax 408 745 2100 Fax 852 2574 7803 Fax 35 31 8903 601 www juniper net Copyright 2011 Juniper Networks Inc All rights reserved Juniper Networks the Juniper Networks logo Junos NetScreen and ScreenOS are registered trademarks of Juniper Networks Inc in the United States and other countries All other trademarks service marks registered marks or registered service marks are the property of their respective owners Juniper Networks assumes no responsibility for any inaccuracies in this document Juniper Networks reserves the right to change modify transfer or otherwise revise this publication without notice 3500173 001 EN Dec 201 Printed on recycled paper Copyright O 2011 Juniper Networks Inc 25
34. L3 Management Mode

In this mode, each access point is connected to a different subnet on the branch services gateway. Traffic between access points is routed and inspected by the branch device.

[Figure 2: L3 management mode. Labels: DHCP hands out addresses in multiple pools (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24); SRX Series, Internet; ge-0/0/3.0 192.168.3.1/24; ge-0/0/2.0; ge-0/0/1.0 192.168.1.1/24; Ports: all access point-facing ports are connected to interfaces in switching mode and associated to the default VLAN.]

Analogous to these, customer traffic can be forwarded using either one of these modes on a per-access-point basis, i.e., any given access point can be connected to the gateway either in L2 or L3 mode. With this in mind, it is important to understand the different tradeoffs between these modes.

Table 2: L2 vs. L3 Forwarding Mode

FEATURE: Access point to access point communication, and client-to-client communication when clients are in different access points
  L2 MODE: Done in hardware at line rate, but without any security inspection.
  L3 MODE: Firewall and UTM services are available, but at the expense of forwarding performance.

FEATURE: Firewall authentication
  L2 MODE: Not supported for L2 switched traffic.
  L3 MODE: Yes.

FEATURE: Client to client isolat
35. re fixed.

Internet Control Message Protocol (ICMP) is used as a keepalive protocol between each access point and the SRX Series gateway. If an access point detects a failure, it automatically stops broadcasting any service set identifier (SSID) that it has configured, thus allowing the client stations to associate to a different access point and circumvent the failure.

Access points can be managed in two different modes: Layer 2 management mode and Layer 3 management mode.

L2 Management Mode

The default and most common mode is to connect all access points to the same L2 network. A single routed VLAN interface (RVI) is configured per VLAN, which is used as the default gateway for the VLAN. This RVI is then added to a security zone. Access point to access point traffic can be forwarded at L2. The gateway can do so at line rate, without the need to inspect such traffic. Traffic from wireless nodes connected to the access point will be inspected by the SRX security gateway. In this configuration, the SRX acts as a DHCP server for the VLAN, and both APs and wireless endpoints obtain their IP address from this DHCP scope.

[Figure 1: L2 management mode. Labels: DHCP hands out addresses in 192.168.1.0/24; SRX Series, Internet; vlan interface 192.168.1.1/24; Ports: all access point-facing ports are connected to interfaces in switching mode and associated to the default VLAN.]
36. rity zones security zone set security zones security zone system services dhcp set security policies from zone match source address any set security policies from zone match destination address any set security policies from zone match application any set security policies from zone then permit set security policies from zone access match source address any set security policies from zone access match destination address set security policies from zone access match application any set security policies from zone access then permit APs configuration The APs config set wlan access point AP 1 mac a set wlan access point AP 1 acces set wlan access point AP 1 radio set wlan access point AP 1 radio set wlan access point AP 1 radio set wlan access point AP 1 radio AP 2 that to power the AX411 ool per AP interface is used rver 4 2 2 2 2 168 1 0 24 address range low 192 168 1 2 2 168 1 0 24 address range high 192 168 1 254 2m oSm IT 0 2U R router LOD Noe les 2 168 2 0 24 address range low 192 168 2 2 2 168 2 0 24 address range high 192 168 2 254 2 168 2 0 24 router 192 168 2 1 2 168 3 0 24 address range low 192 168 3 2 2 168 3 0 24 address range high 192 168 3 254 2 168 3 0 24 router 192 168 3 1 WWW NO NM NY AR amily inet address 192 168 1 1 24 amily inet address 192 168 2 1 24 amily inet address 192 168 3 1 24 figuration o allow traffic between clients connected to untrust interfaces ge 0 0 0 0 WifiNet int
37. rity zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone management interfaces vlan.1

Note that ping is not required in the WifiNet zone, as the keepalives are sent only over the management VLAN.

set security zones security-zone trust interfaces vlan.2

Note that no security policies are required for the management zone, as no through traffic should be allowed from/to this zone.

APs configuration

set wlan access-point AP-1 mac-address 00:12:cf:c5:4a:40
set wlan access-point AP-1 access-point-options country US
set wlan access-point AP-1 radio 1 virtual-access-point 0 ssid WifiNet
set wlan access-point AP-1 radio 1 virtual-access-point 0 vlan 2
set wlan access-point AP-1 radio 1 virtual-access-point 0 security none
set wlan access-point AP-1 radio 2 virtual-access-point 0 ssid WifiNet
set wlan access-point AP-1 radio 2 virtual-access-point 0 vlan 2
set wlan access-point AP-1 radio 2 virtual-access-point 0 security none

AP-2: all the other APs are configured the same way.

MAC Authentication

Building on our previous scenario, we will now assume that some basic form of authentication is required. If the number of devices in the network is small and over-the-air confidentiality is not a requirement, MAC-based authentication provides a simple access control method. A local database of allowed and denied MAC addresses is created. Whenever a VAP is configured with MAC
38. s set security policies from zone source address any set security policies from zone destination address any set security policies from zone application any set security policies from zone permit set security policies from zone count set security policies from zone match source address any set security policies from zone match destination address any set security policies from zone match application junos http set security policies from zone match application junos dns udp set security policies from zone then permit Allow radius traffic from the AP set security policies from zone match source address any set security policies from zone match destination address radius set security policies from zone match application junos radius set security policies from zone permit WifiNet to zone untrust policy permit traffic match WifiNet to zone untrust policy permit traffic match WifiNet to zone untrust policy permit traffic match WifiNet to zone untrust policy permit traffic then WifiNet to zone untrust policy permit traffic then GuestNet to zone untrust policy allow http dns GuestNet to zone untrust GuestNet to zone untrust GuestNet to zone untrust GuestNet to zone untrust s to the radius server management to zone trust management to zone trust management to zone trust management to zone trust AP 1 configuration all the APs are identically configured set wlan access point AP 1 mac a set wla
39. s point <AP name>
  mac-address <ap mac address>    This attribute is mandatory and can be found on the rear label of the AX411
  description <AP description>
  location <AP location>
  external
    system
      console baudrate <console baudrate>
      ports ethernet
        management-vlan <vlan id>
        untagged-vlan <vlan id>
        static
          address <Access Point address>
          gateway <default gateway>
    dot1x-supplicant
      username <username>
      password <password>
  access-point-options
    country <country where the AP is located>    This is used for regulatory purposes. The AP will only transmit in the bands allowed by each country
    station-mac-filter    Allow and deny list of MAC addresses used for local MAC authentication
  radio <1|2>
    quality-of-service    QoS configuration options
    radio-options    Phy layer configuration options such as transmit power, channel, mode, etc.
    virtual-access-point <0..15>    Virtual access point configuration options, including SSID, security, and http redirect options

The configuration is divided into three sections: the external, radio, and options sections. The external section is used to specify the basic access point parameters used to manage the device, including its address when DHCP
40. ss VLAN ID Traffic Statistics Input Bytes Output Bytes Input Packets Output Packets
24114 72798 87 401
GuestNet 00:12:CF:C5:4A:41 3 1113907 10631368 8805 9169
WifiNet 00:12:CF:C5:4A:50 2 12013733 1100232 10917 6138

The show wlan access points AP 1 client associations displays the list of configured VAPs and their traffic statistics.

> show wlan access-points AP-1 client-associations
Access point client associations information
Access point: AP-1
VAP           Client MAC Address   Auth  Packets Rx/Tx  Bytes Rx/Tx
Radio2:VAP1   00:16:cb:05:1e:af    Yes   176/83         22662/18684

Firmware Upgrade

The output of the show wlan access point <AP name> detail can be used to display the active firmware version running on a particular access point. To upgrade the firmware, load the new firmware image into the SRX Series gateway flash and use the request wlan access point firmware upgrade all file file <path to the firmware file> command to upgrade the firmware of a single or multiple access points.

Summary

Juniper Networks AX411 offers simplified WLAN access to branch offices, providing dual-band, dual-radio 802.11n and supporting PoE. The AX411 also provides end-to-end throughput, integrating with the branch SRX Series gateways while leveraging all their security functions
41. ss point 0 ssid WifiNet 0 security none 0 ssid WifiNet mac address 00 12 cf c5 4c 40 access point options country US radio 1 virtual access point 0 ssid WifiNet radio 1 virtual access point 0 security none radio 2 virtual access point 0 ssid WifiNet

In this example, VLAN tags are used to separate management traffic from user traffic. This configuration can be applied to both L2 and L3 deployment modes. From this example on, only the L2 mode will be shown, as it is the most popular method, but it should be apparent from our previous example how to configure each scenario in L3 mode.

[Figure 5: Segregating user and management traffic. Labels: SRX Series, ge-0/0/0.0 untrust 198.0.0.1/24, Internet; vlan 1 management 10.0.0.1/24; vlan 2 trust 192.168.1.1/24; VLAN ID 2; AP-1, AP-3; CorpNet SSID, a single broadcast SSID is advertised.]

DHCP Server config set system This pool set system set system set system This pool set system set system set system Interface Since all trunk set interfaces default set interfaces WifiNet interface range interface range interface range interface range interface range and VLAN Configuration ports connected to an AP will have identical configs we will make use of an interface ranges set interfaces set interfaces set interfaces APs APs APs