manualshive.com logo in svg

Juniper AX411, Configuration And Deployment Manual, Page: 19 / 25

Share
Download
Juniper AX411 Configuration And Deployment Manual Download Page 19

Copyright © 2011, Juniper Networks, Inc.

 

19

APPLICATION NOTE - Configuring and deploying the AX411 Wireless Access Point 

permit firewall-authentication pass-through web-redirect

#The access profile configuration specifies the address and secret of the radius 

server

set access profile fw-auth authentication-order radius

set access profile fw-auth radius-server 192.168.254.2 port 1812

set access profile fw-auth radius-server 192.168.254.2 secret “$9$lI6v87wYojHm-

VHmfT/9evW”

#FW Auth settings

set access firewall-authentication pass-through default-profile fw-auth

set access firewall-authentication web-authentication default-profile fw-auth

set access firewall-authentication web-authentication banner success “Welcome to 

GuestNet”

#AP1 configuration

set wlan access-point AP-1 mac-address 00:12:cf:c5:4a:40

set wlan access-point AP-1 radio 1 virtual-access-point 0 ssid WifiNet

set wlan access-point AP-1 radio 1 virtual-access-point 0 vlan 2

set wlan access-point AP-1 radio 1 virtual-access-point 0 security mac-

authentication-type radius

set wlan access-point AP-1 radio 1 virtual-access-point 0 security none

set wlan access-point AP-1 radio 1 virtual-access-point 1 ssid GuestNet

set wlan access-point AP-1 radio 1 virtual-access-point 1 vlan 3

set wlan access-point AP-1 radio 1 virtual-access-point 1 security none

set wlan access-point AP-1 radio 2 virtual-access-point 0 ssid WifiNet

set wlan access-point AP-1 radio 2 virtual-access-point 0 vlan 2

set wlan access-point AP-1 radio 2 virtual-access-point 0 security mac-

authentication-type radius

set wlan access-point AP-1 radio 2 virtual-access-point 0 security none

set wlan access-point AP-1 radio 2 virtual-access-point 1 vlan 3

set wlan access-point AP-1 radio 2 virtual-access-point 1 security none

RADIuS-based VLAN Assignment

When using rAdIus authentication, it is possible to send a rAdIus attribute to instruct each access point to tag the 
traffic from the client with a VLAN tag. This allows segmentation of the network into multiple domains, while still 
broadcasting a single ssId. Network administrators can give users access to each domain, while users do not have to 
choose a particular ssId. 

In this example, we will use 802.1X authentication with rAdIus-based VLAN assignment. The rAdIus attributes used 
to signal which VLAN to use for a particular client are the following:

Tunnel-Type = 13 (VLAN Tunnels) 

Tunnel-Medium-Type = 6 (802 medium)

Tunnel-Private-Group-ID = <vlan id>

Summary of Contents for AX411

Page 1: ...APPLICATION NOTE Copyright 2011 Juniper Networks Inc 1 Configuring and Deploying the AX411 Wireless Access Point ...

Page 2: ...Networks Using VAPs 14 Creating a Guest Network Using Firewall Authentication 17 RADIUS Based VLAN Assignment 19 Administration and Monitoring 21 Monitoring 21 Firmware Upgrade 23 Summary 23 Appendix AX411 Wireless LAN Access Point Certification Listing 23 Part Numbers Affected 23 About Juniper Networks 25 Table of Figures Figure 1 L2 management mode 4 Figure 2 L3 management mode 5 Figure 3 L2 man...

Page 3: ...y SRX Series gateways that support PoE Alternatively an external power supply is provided with each access point that can be used when PoE is not available Hardware Requirements Juniper Networks SRX Series for the branch SRX100 line and SRX200 line of services gateways and the SRX650 Services Gateway Software Requirements Juniper Networks Junos operating system release 10 0 or later Description an...

Page 4: ...ach access point The advantage of using this approach is that access points can be connected to any port or given any IP address while still being correctly identified since MAC addresses are fixed Internet Control Message Protocol ICMP is used as a keepalive protocol between each access point and the SRX Series gateway If an access point detects a failure it automatically stops broadcasting any s...

Page 5: ...client to client traffic Yes Configuration complexity Simpler configuration since a single L3 interface is shared between all access points Complex as each access point is connected to a different L3 interface with each requiring the configuration of an IP address a DHCP server security zones and policies Roaming Client roaming is supported if MAC authentication or no authorization protocol is use...

Page 6: ... Access Point address gateway default gateway dot1x supplicant username username password password access point options country country where the AP is located This is used for regulatory purposes The AP will only transmit in the bands allowed by each country station mac filter Allow and deny list of mac addresses used for local mac authentication radio 1 2 quality of service QoS configuration opt...

Page 7: ...rs allow passing per user configuration options centrally managed by the RADIUS server The following table displays the list of RADIUS attributes that can be passed to the AX411 access point as specified in RFC 3580 Table 3 Supported RADIUS Attributes Attribute Name Value Type Defined In Session Timeout 27 integer RFC2865 Tunnel Type 64 integer RFC2868 Tunnel Medium Type 65 integer RFC2868 Tunnel ...

Page 8: ...68 2 1 24 set vlans default vlan id 2 set vlans default l3 interface vlan 2 Routing is trivial there is only a default route pointing to the Internet set routing options static route 0 0 0 0 0 next hop 10 0 1 1 NAT all traffic from the WifiNet to untrust Use the IP address of the egress interface as the new source set security nat source rule set Internet Access from zone WiFiNet set security nat ...

Page 9: ...ss point AP 3 mac address 00 12 cf c5 4c 40 set wlan access point AP 3 access point options country US set wlan access point AP 3 radio 1 virtual access point 0 ssid WifiNet set wlan access point AP 3 radio 1 virtual access point 0 security none set wlan access point AP 3 radio 2 virtual access point 0 ssid WifiNet The AX411 access points use the concept of a Virtual Access Point VAP A VAP appears...

Page 10: ...raffic system services dhcp set security zones security zone WifiNet interfaces fe 0 0 2 0 set security zones security zone WifiNet interfaces fe 0 0 2 0 host inbound traffic system services dhcp set security zones security zone WifiNet interfaces fe 0 0 3 0 set security zones security zone WifiNet interfaces fe 0 0 3 0 host inbound traffic system services dhcp set security policies from zone Wifi...

Page 11: ...r and management traffic INTERNET OFFICE vlan 1 management 10 0 0 1 24 vlan 2 trust 192 168 1 1 24 VLANID 2 Client AP 1 00 de ad 10 75 00 AP 2 00 de ad 10 76 00 AP 3 00 de ad 10 77 00 CorpNet SSID A single broadcast SSID is advertised SRX Series ge 0 0 0 0 untrust 198 0 0 1 24 DHCP Server config set system services dhcp pool name server 4 2 2 2 This pool is used by the management vlan set system s...

Page 12: ... point AP 1 radio 1 virtual access point 0 vlan 2 set wlan access point AP 1 radio 1 virtual access point 0 security none set wlan access point AP 1 radio 2 virtual access point 0 ssid WifiNet set wlan access point AP 1 radio 2 virtual access point 0 vlan 2 set wlan access point AP 1 radio 2 virtual access point 0 security none AP 2 All the other APs are configured the same way MAC Authentication ...

Page 13: ...warded by the SRX Series but they will neither be generated nor proxied by it Figure 6 RADIUS based MAC authentication This configuration almost identical to the one in our previous example specifies the MAC authentication type as RADIUS on a per VAP basis and specifies the RADIUS parameters INTERNET OFFICE SRX Series ge 0 0 0 0 untrust 198 0 0 1 24 ge 0 0 7 0 trust 192 198 254 1 24 Radius Server ...

Page 14: ...ption using Wi Fi Protected Access WPA and RADIUS authentication The Guest zone with a Guest SSID will be open but will only allow HTTP and Domain Name System DNS traffic to the Internet Two VAPs will be used each with a single SSID and each associated to a VLAN Traffic from clients associated to the WifiNet SSID will be tagged using VLAN tag 2 while traffic for the Guest network will be tagged wi...

Page 15: ...ing vlan members WifiNet set interfaces interface range APs unit 0 family ethernet switching vlan members GuestNet set interfaces interface range APs unit 0 family ethernet switching native vlan id default set interfaces ge 0 0 0 unit 0 family inet address 198 0 0 1 24 set interfaces ge 0 0 7 unit 0 family inet address 192 168 254 1 24 set interfaces vlan unit 1 family inet address 192 168 2 1 24 ...

Page 16: ...ntrust policy allow http dns then permit Allow radius traffic from the APs to the radius server set security policies from zone management to zone trust policy allow radius match source address any set security policies from zone management to zone trust policy allow radius match destination address radius set security policies from zone management to zone trust policy allow radius match applicati...

Page 17: ... ge 0 0 0 0 untrust 198 0 0 1 24 Enable the http connections to the vlan 3 interface where the captive portal will be used set system services web management http interface vlan 3 set system services dhcp name server 4 2 2 2 set system services dhcp pool 192 168 2 0 24 address range low 192 168 2 2 set system services dhcp pool 192 168 2 0 24 address range high 192 168 2 254 set system services dh...

Page 18: ...e 0 0 0 0 set security zones security zone WifiNet interfaces vlan 2 host inbound traffic system services dhcp set security zones security zone management interfaces vlan 1 host inbound traffic system services dhcp set security zones security zone management interfaces vlan 1 host inbound traffic system services ping set security zones security zone GuestNet interfaces vlan 3 host inbound traffic ...

Page 19: ...access point AP 1 radio 1 virtual access point 1 ssid GuestNet set wlan access point AP 1 radio 1 virtual access point 1 vlan 3 set wlan access point AP 1 radio 1 virtual access point 1 security none set wlan access point AP 1 radio 2 virtual access point 0 ssid WifiNet set wlan access point AP 1 radio 2 virtual access point 0 vlan 2 set wlan access point AP 1 radio 2 virtual access point 0 securi...

Page 20: ... interfaces interface range APs unit 0 family ethernet switching vlan members GuestNet set interfaces interface range APs unit 0 family ethernet switching native vlan id default set interfaces vlan unit 1 family inet address 192 168 2 1 24 set interfaces vlan unit 2 family inet address 192 168 2 1 24 set interfaces vlan unit 3 family inet address 192 168 3 1 24 set wlan access point AP 1 mac addre...

Page 21: ...mation about a particular access point show wlan access points AP 1 detail Active access point detail information Access Point AP 1 Type External Location Default Location Serial Number 849001007 Firmware Version 10 1 2 3 Access Interface vlan Packet Capture Disabled Ethernet Port MAC Address 00 12 CF C5 4A 40 IPv4 Address 192 168 2 3 Radio1 Status On MAC Address 00 12 CF C5 4A 40 Mode IEEE 802 11...

Page 22: ... VAP0 SSID WifiNet MAC Address 00 12 CF C5 4A 40 VLAN ID 2 Traffic Statistics Input Bytes 24114 Output Bytes 72798 Input Packets 87 Output Packets 401 VAP1 SSID GuestNet MAC Address 00 12 CF C5 4A 41 VLAN ID 3 Traffic Statistics Input Bytes 1113907 Output Bytes 10631368 Input Packets 8805 Output Packets 9169 Radio2 VAP0 SSID WifiNet MAC Address 00 12 CF C5 4A 50 VLAN ID 2 Traffic Statistics Input ...

Page 23: ...411 TW Due to the fact that certain countries have imposed restrictions on the deployment of wireless technologies this document should be used to determine in which countries the AX411 has been certified for shipment In the table below select the AX411 wireless LAN access point model by SKU that needs to be ordered to support appropriate power and channel settings for a particular country listed ...

Page 24: ...411 E Switzerland Yes AX411 E Ukraine No AX411 E United Kingdom Yes AX411 E World W Mexico No AX411 W Turkey No AX411 W Australia Yes AX411 W New Zealand Yes AX411 W Hong Kong Yes AX411 W India Yes AX411 W Philippines No AX411 W Malaysia Yes AX411 W Thailand Yes AX411 W Argentina No AX411 W Brazil Yes AX411 W Chile No AX411 W Columbia No AX411 W Panama No AX411 W Peru No AX411 W Venezuela No AX411...

Page 25: ...d Airside Business Park Swords County Dublin Ireland Phone 35 31 8903 600 EMEA Sales 00800 4586 4737 Fax 35 31 8903 601 APAC Headquarters Juniper Networks Hong Kong 26 F Cityplaza One 1111 King s Road Taikoo Shing Hong Kong Phone 852 2332 3636 Fax 852 2574 7803 Corporate and Sales Headquarters Juniper Networks Inc 1194 North Mathilda Avenue Sunnyvale CA 94089 USA Phone 888 JUNIPER 888 586 4737 or ...

Reviews:

No comments