APPLICATION NOTE Configuring and Deploying the AX411 Wireless Access Point Copyright © 2011, Juniper Networks, Inc.
Table of Contents

Introduction
Scope
Introduction

Juniper Networks® has introduced a wireless access point solution that is integrated into Juniper Networks SRX Series Service Gateways. This new product line allows for a simple deployment of Wi-Fi networks in the branch while leveraging the advanced capabilities of Juniper’s services gateways for AP Management.
Operational Model

The AX411 access points are managed from branch SRX Series Services Gateways, allowing for a simpler, centralized provisioning model. In particular, the following operations can be performed directly from the SRX Series gateways.
L3 Management Mode

In this mode, each access point is connected to a different subnet on the branch services gateway. Traffic between access points is routed and inspected by the branch device.

[Figure: L3 management mode. The SRX Series DHCP server hands out addresses from multiple pools (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24). The office access points connect to ge-0/0/1.0, ge-0/0/2.0 (192.168.2.1/24) and ge-0/0/3.0 (192.168.3.1/24); the SRX Series connects clients to the Internet.]
wlan {
    access-point {
        mac-address ; #This attribute is mandatory and can be found on the rear label of the AX411
        description ;
        location ;
        external {
            system {
                console baudrate ;
                ports {
                    ethernet {
                        management-vlan ;
                        untagged-vlan ;
                        static {
                            address ;
                            g
The configuration is divided into three sections: the external, radio, and options sections. The external section is used to specify the basic access point parameters used to manage the device, including its address (when DHCP is not used), VLAN ID used for management traffic, and native VLAN ID (i.e., VLAN ID used for untagged traffic).
For completeness, the security policies, Network Address Translation (NAT), and untrust interface configurations required to allow traffic from the access points to the Internet are included in this configuration. To avoid unnecessary repetition, and unless explicitly noted, our next examples will omit these sections from the configuration.

#Enable PoE if you will be using that to power the AX411.
#APs configuration. By default all traffic not assigned to a VLAN is sent untagged.
#Both radios are used (radio 1 in the 5 GHz band and radio 2 in the 2.
#Enable PoE if you will be using that to power the AX411.
set poe interface all
#DHCP Server config. A different pool per (AP)
set system services dhcp name-server 4.2.2.2
set system services dhcp pool 192.168.1.0/24
set system services dhcp pool 192.168.1.0/24
set system services dhcp pool 192.168.1.
set wlan access-point AP-2 mac-address 00:12:cf:c5:4b:40
set wlan access-point AP-2 access-point-options country US
set wlan access-point AP-2 radio 1 virtual-access-point 0 ssid WifiNet
set wlan access-point AP-2 radio 1 virtual-access-point 0 security none
set wlan access-point AP-2 radio 2 virtual-access-point 0 ssid WifiNet
#AP-3
set wlan access-poi
set interfaces interface-range APs unit 0 family ethernet-switching native-vlanid 1
set vlans WifiNet vlan-id 2
set vlans WifiNet l3-interface vlan.2
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set vlans default vlan-id 1
set vlans default l3-interface vlan.1
set interfaces vlan unit 1 family inet address 192.168.1.1/24
#Security Zones and policies configuration. Please note that the vlan.
set wlan access-point AP-1 radio 1 virtual-access-point
set wlan access-point AP-1 radio 1 virtual-access-point authentication-type local
set wlan access-point AP-1 radio 1 virtual-access-point
set wlan access-point AP-1 radio 2 virtual-access-point
set wlan access-point AP-1 radio 2 virtual-access-point
set wlan access-point AP-1 radio 2 virtual-access-point authentication-type local
set wlan access-point AP-1 radio 2 virtual-acc
The access request message contains the following attributes, which can be used by the RADIUS server to grant or deny access to clients (in particular, note the access point MAC, IP address, and SSID info).

User-Name = "00-12-00-00-00-00"
User-Password = "NOPASSWORD"
NAS-IP-Address = 192.168.2.3
Called-Station-Id = "00-DE-AD-10-75-00:WifiNet"
Calling-Station-Id = "00-12-00-00-00-00"
NAS-Port-Type = Wireless-802.
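The attribute check described above, as an added example (not code from the application note or from Juniper): a Python policy function that a RADIUS back end could apply to these Access-Request attributes. The allowlists, the function names and the rule that User-Name must equal Calling-Station-Id are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed policy data (assumptions for this example, not a real deployment).
KNOWN_APS = {"00:de:ad:10:75:00": "192.168.2.3"}      # AP MAC -> expected NAS-IP-Address
ALLOWED_CLIENTS = {"WifiNet": {"00:12:00:00:00:00"}}  # SSID -> permitted client MACs

def norm_mac(value):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def split_called_station(value):
    """Split Called-Station-Id ('AP-MAC:SSID') into (ap_mac, ssid); SSIDs may contain ':'."""
    ap_mac = norm_mac(value[:17])
    if ap_mac is None or value[17:18] != ":" or not value[18:]:
        return None
    return ap_mac, value[18:]

def decide(request):
    """Return (verdict, reason) for one Access-Request given as a dict of attributes."""
    called = split_called_station(request.get("Called-Station-Id", ""))
    client = norm_mac(request.get("Calling-Station-Id", ""))
    if called is None or client is None:
        return "Access-Reject", "malformed station id"
    ap_mac, ssid = called
    # Assumed rule: in MAC authentication the User-Name carries the client MAC.
    if norm_mac(request.get("User-Name", "")) != client:
        return "Access-Reject", "User-Name does not match Calling-Station-Id"
    # Accept only requests relayed by a known access point from its expected address.
    try:
        nas_ip = str(ipaddress.ip_address(request.get("NAS-IP-Address", "")))
    except ValueError:
        return "Access-Reject", "bad NAS-IP-Address"
    if KNOWN_APS.get(ap_mac) != nas_ip:
        return "Access-Reject", "unknown access point"
    if client not in ALLOWED_CLIENTS.get(ssid, set()):
        return "Access-Reject", "client not allowed on this SSID"
    return "Access-Accept", "ok"

# The attribute values printed in the application note.
SAMPLE = {"User-Name": "00-12-00-00-00-00", "User-Password": "NOPASSWORD",
          "NAS-IP-Address": "192.168.2.3", "Calling-Station-Id": "00-12-00-00-00-00",
          "Called-Station-Id": "00-DE-AD-10-75-00:WifiNet"}

if __name__ == "__main__":
    print(decide(SAMPLE))
```

Keying the decision on the access point MAC and SSID as well as the client MAC lets the same client be accepted on one network and rejected on another.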
#DHCP configuration
set system services dhcp name-server 4.2.2.2
#Pool used for the management network
set system services dhcp pool 192.168.1.0/24
set system services dhcp pool 192.168.1.0/24
set system services dhcp pool 192.168.1.0/24
#Pool used for WifiNet
set system services dhcp pool 192.168.2.0/24
set system services dhcp pool 192.168.2.0/24
set system services dhcp pool 192.168.2.
#Security Policies
set security policies from-zone source-address any
set security policies from-zone destination-address any
set security policies from-zone application any
set security policies from-zone permit
set security policies from-zone count
set security policies from-zone match source-address any
set security policies from-zone match destination-address any
set security policies from-zone match application junos-http
set
Creating a Guest Network Using Firewall Authentication

In our final example, we will use firewall authentication to authenticate users trying to access a guest network. New users will be redirected to a local portal running in the SRX Series where they will be authenticated. The user database can be local or, as in the previous examples, RADIUS authentication can be used.
WifiNet
set interfaces interface-range APs unit 0 family ethernet-switching vlan members GuestNet
set interfaces interface-range APs unit 0 family ethernet-switching native-vlanid default
set interfaces ge-0/0/0 unit 0 family inet address 198.0.0.1/24
set interfaces ge-0/0/7 unit 0 family inet address 192.168.254.1/24
set interfaces vlan unit 1 family inet address 192.168.2.1/24
set interfaces vlan unit 2 family inet address 192.
permit firewall-authentication pass-through web-redirect
#The access profile configuration specifies the address and secret of the RADIUS server
set access profile fw-auth authentication-order radius
set access profile fw-auth radius-server 192.168.254.2 port 1812
set access profile fw-auth radius-server 192.168.254.
[Figure: CorpNet SSID. A single SSID is transmitted by both radios, and clients are assigned to a different VLAN by the RADIUS server. Each VLAN is mapped to a different zone and has different access privileges. Topology: office access points AP-1 (00:de:ad:10:75:00), AP-2 (00:de:ad:10:76:00) and AP-3 (00:de:ad:10:77:00) connect clients to the SRX Series; ge-0/0/0.0 (untrust) 198.0.0.1/24 faces the Internet; ge-0/0/7.0 (trust) 192.198.254.1/24 faces the RADIUS server.]
Administration and Monitoring

Monitoring

The branch SRX Series gateways also provide monitoring commands, allowing users to obtain real-time information about the status of access points and associated clients. When an access point monitoring command is invoked, the SRX Series connects to the appropriate access point and pulls the required status information. This section shows a summary of the monitoring commands and their output.
00:24:01:dc:a2:7b  On   On   2.4  7  Mace Net
00:1e:52:7b:96:58  On   On   2.4  6  Zippy’s Network
00:1d:7e:6e:69:ff  On   Off  2.4  6  blitz
00:0c:41:f6:11:28  Off  Off  2.4  9  Leadermed
00:12:17:29:70:d7  Off  Off  2.4  7  linksys
00:16:b6:db:1e:7f  On   On   2.4  6  Crown Capital Advisors

Use the “show wlan access-points AP-1 virtual-access-points” command to display the list of configured VAPs and their traffic statistics.
Firmware Upgrade

The “show wlan access-point detail” command displays the active firmware version running on a particular access point. To upgrade the firmware, load the new firmware image into the SRX Series gateway flash and use the “request wlan access-point firmware upgrade [all|file] file ” command to upgrade the firmware of one or more access points.
Monaco            Yes  AX411-E
Netherlands       Yes  AX411-E
Norway            Yes  AX411-E
Poland            Yes  AX411-E
Portugal          Yes  AX411-E
Saudi Arabia      No   AX411-E
Slovak Republic   Yes  AX411-E
Slovenia          Yes  AX411-E
South Africa      No   AX411-E
Spain             Yes  AX411-E
Sweden            Yes  AX411-E
Switzerland       Yes  AX411-E
Ukraine           No   AX411-E
United Kingdom    Yes  AX411-E
Mexico            No   AX411-W
Turkey            No   AX411-W
Australia         Yes  AX411-W
New Zealand       Yes  A