APPLICATION NOTE CONFIGURING AND DEPLOYING THE AX411 WIRELESS ACCESS POINT Copyright © 2009, Juniper Networks, Inc.
Table of Contents
Introduction
Scope
Introduction

Juniper Networks® has introduced a wireless access point solution that is integrated into Juniper Networks SRX Series Services Gateways. This new product line allows for a simple deployment of Wi-Fi networks in the branch while leveraging the advanced capabilities of Juniper’s services gateways.
Operational Model

The AX411 access points are managed from branch SRX Series Services Gateways, allowing for a simpler, centralized provisioning model. In particular, the following operations can be performed directly from the SRX Series gateways.

• Configuration management: The entire configuration is centralized at the branch gateway and pushed to the different access points.
L3 Management Mode

In this mode, each access point is connected to a different subnet on the branch services gateway. Traffic between access points is routed and inspected by the branch device.

[Figure: network topology. Annotation: DHCP hands out addresses in multiple pools (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24). Labels: OFFICE; Client; SRX Series; INTERNET; ge-0/0/3.0 192.168.3.1/24; ge-0/0/2.0 192.168.2.1/24; ge-0/0/1.0 192.168.1.]
wlan {
    access-point {
        mac-address ; #This attribute is mandatory
        description ;
        location ;
        external {
            system {
                console baudrate ;
                ports {
                    ethernet {
                        management-vlan ;
                        untagged-vlan ;
                        static {
                            address ;
                            gateway ;
                        }
The configuration is divided into three sections—the external, radio, and options sections. The external section is used to specify the basic access point parameters used to manage the device, including its address (when DHCP is not used), VLAN ID used for management traffic, and native VLAN ID (i.e., VLAN ID used for untagged traffic).
For completeness, security policies, Network Address Translation (NAT), and untrust interface configurations required to allow traffic from the access points to the Internet are included in this configuration. To avoid unnecessary repetition, and unless explicitly noted, our next examples will omit these sections from the configuration.
#APs configuration. By default all traffic not assigned to a VLAN is sent untagged.
#Both radios are used (radio 1 in the 5 GHz band and radio 2 in the 2.
#DHCP Server config. A different pool per interface is used
set system services dhcp name-server 4.2.2.2
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.
set wlan access-point AP-2 access-point-options country US
set wlan access-point AP-2 radio 1 virtual-access-point 0 ssid CorpNet
set wlan access-point AP-2 radio 1 virtual-access-point 0 security none
set wlan access-point AP-2 radio 2 virtual-access-point 0 ssid CorpNet
#AP-3
set wlan access-point AP-3 mac-address 0
id 1
set vlans CorpNet vlan-id 2
set vlans CorpNet l3-interface vlan.2
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set vlans default vlan-id 1
set vlans default l3-interface vlan.1
set interfaces vlan unit 1 family inet address 192.168.1.1/24
#Security Zones and policies configuration. Please note that the vlan.0 interface MUST be assigned to a zone
set security zones security-zone untrust interfaces ge-0/0/0.
set wlan access-point AP-1 radio 1 virtual-access-point
set wlan access-point AP-1 radio 1 virtual-access-point authentication-type local
set wlan access-point AP-1 radio 1 virtual-access-point
set wlan access-point AP-1 radio 2 virtual-access-point
set wlan access-point AP-1 radio 2 virtual-access-point
set wlan access-point AP-1 radio 2 virtual-access-point authentication-type local
set wlan access-point AP-1 radio 2 virtual-acc
The access request message contains the following attributes, which can be used by the RADIUS server to grant or deny access to clients (in particular, note the access point MAC, IP address, and SSID info).

User-Name = “00-12-00-00-00-00”
User-Password = “NOPASSWORD”
NAS-IP-Address = 192.168.1.3
Called-Station-Id = “00-DE-AD-10-75-00:CorpNet”
Calling-Station-Id = “00-12-00-00-00-00”
NAS-Port-Type = Wireless-802.
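
The attributes in the sample request are enough for a RADIUS policy to tie a client to a specific access point and SSID before granting access. The following Python example is added here and is not Juniper's or any RADIUS server's own code; the AP registry, the client allow list and all function names are assumptions made for illustration.

```python
import re
from ipaddress import ip_address

# Constructed policy data for this example (assumptions, not part of the application note).
KNOWN_APS = {"192.168.1.3": "00:de:ad:10:75:00"}      # NAS-IP-Address -> AP MAC
ALLOWED_CLIENTS = {"CorpNet": {"00:12:00:00:00:00"}}  # SSID -> permitted client MACs

# Attribute values taken from the sample request in the text above.
SAMPLE = '''
User-Name = "00-12-00-00-00-00"
User-Password = "NOPASSWORD"
NAS-IP-Address = 192.168.1.3
Called-Station-Id = "00-DE-AD-10-75-00:CorpNet"
Calling-Station-Id = "00-12-00-00-00-00"
'''

def norm_mac(value):
    """Normalize a MAC with '-', ':' or '.' separators to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[-:.]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_request(text):
    """Parse 'Name = value' lines into a dict, dropping surrounding quotes."""
    pairs = (line.partition("=") for line in text.strip().splitlines())
    return {name.strip(): value.strip().strip('"') for name, _, value in pairs}

def decide(attrs):
    """Return (accept, reason) for a MAC-authentication Access-Request."""
    try:
        client = norm_mac(attrs["Calling-Station-Id"])
        user = norm_mac(attrs["User-Name"])
        called = attrs["Called-Station-Id"]
        # Fixed-width split: 17-character AP MAC, ':', then the SSID (which may contain ':').
        if called[17:18] != ":":
            raise ValueError("Called-Station-Id is not <AP MAC>:<SSID>")
        ap_mac, ssid = norm_mac(called[:17]), called[18:]
        nas_ip = str(ip_address(attrs["NAS-IP-Address"]))
    except (KeyError, ValueError) as exc:
        return False, f"malformed request: {exc}"
    if user != client:
        return False, "User-Name does not match Calling-Station-Id"
    if KNOWN_APS.get(nas_ip) != ap_mac:
        return False, "request does not come from a registered access point"
    if client not in ALLOWED_CLIENTS.get(ssid, set()):
        return False, f"client not permitted on SSID {ssid!r}"
    return True, f"client {client} accepted on {ssid} via {ap_mac}"
```

The User-Password in the sample is the literal NOPASSWORD, so the decision here rests on the station identifiers and the NAS address rather than on the password.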
#DHCP configuration
set system services dhcp name-server 4.2.2.2
#Pool used for the management network
set system services dhcp pool 192.168.1.0/24
set system services dhcp pool 192.168.1.0/24
set system services dhcp pool 192.168.1.0/24
#Pool used for CorpNet
set system services dhcp pool 192.168.2.0/24
set system services dhcp pool 192.168.2.0/24
set system services dhcp pool 192.168.2.
#Security Policies
set security policies from-zone match source-address any
set security policies from-zone match destination-address any
set security policies from-zone match application any
set security policies from-zone permit
set security policies from-zone count
set security policies from-zone match source-address any
set security policies from-zone match destination-address any
set security policies from-zone match applicat
Creating a Guest Network Using Firewall Authentication

In our final example, we will use firewall authentication to authenticate users trying to access a guest network. New users will be redirected to a local portal running in the SRX Series where they will be authenticated. The user database can be local or, as in the previous examples, RADIUS authentication can be used.
CorpNet
set interfaces interface-range APs unit 0 family ethernet-switching vlan members GuestNet
set interfaces interface-range APs unit 0 family ethernet-switching native-vlan-id default
set interfaces ge-0/0/0 unit 0 family inet address 198.0.0.1/24
set interfaces ge-0/0/7 unit 0 family inet address 192.168.254.1/24
set interfaces vlan unit 1 family inet address 192.168.1.1/24
set interfaces vlan unit 2 family inet address 192.
permit firewall-authentication pass-through web-redirect
#The access profile configuration specifies the address and secret of the radius server
set access profile fw-auth authentication-order radius
set access profile fw-auth radius-server 192.168.254.2 port 1812
set access profile fw-auth radius-server 192.168.254.
[Figure: network topology. Annotations: "CorpNet SSID: A single SSID is transmitted by both radios. Clients are assigned to a different VLAN by the RADIUS server." "VLAN: Each VLAN is mapped to a different zone and has different access privileges." Labels: OFFICE; Client; AP-1 00:de:ad:10:75:00; AP-2 00:de:ad:10:76:00; AP-3 00:de:ad:10:77:00; SRX Series; ge-0/0/0.0 (untrust) 198.0.0.1/24; INTERNET; ge-0/0/7.0 (trust) 192.198.254.1/24; Radius Server 192.168.254.]
Administration and Monitoring

Monitoring

The branch SRX Series gateways also provide monitoring commands, allowing users to obtain real-time information about the status of access points and associated clients. When an access point monitoring command is invoked, the SRX Series connects to the appropriate access point and pulls the required status information. This section shows a summary of the monitoring commands and their output.
00:24:01:dc:a2:7b 00:1e:52:7b:96:58 00:1d:7e:6e:69:ff 00:0c:41:f6:11:28 00:12:17:29:70:d7 00:16:b6:db:1e:7f Advisors On On On Off Off On On On Off Off Off On 2.4 2.4 2.4 2.4 2.4 2.4 7 6 6 9 7 6 Mace Net Zippy’s Network blitz Leadermed linksys Crown Capital

Use the “show wlan access-points AP-1 virtual-access-points” command to display the list of configured VAPs and their traffic statistics.
Firmware Upgrade

The output of the “show wlan access-point detail” command can be used to display the active firmware version running on a particular access point. To upgrade the firmware, load the new firmware image into the SRX Series gateway flash and use the “request wlan access-point firmware upgrade [all|file] file ” command to upgrade the firmware of one or more access points.