APPLICATION NOTE
Configuring and Deploying the AX411 Wireless Access Point
Copyright © 2011, Juniper Networks, Inc. 1
APPLICATION NOTE - Configuring and Deploying the AX411 Wireless Access Point
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Description and Deployment Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
AX411 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Operational Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
L2 Management Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
L3 Management Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
RADIUS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Description and Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
L2 Management Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
L3 Management Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Segregating User and Management Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
RADIUS-Based MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Creating Multiple Wireless Networks Using VAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Creating a Guest Network Using Firewall Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
RADIUS-Based VLAN Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Administration and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Firmware Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Appendix: AX411 Wireless LAN Access Point Certification Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Part Numbers Affected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About Juniper Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Table of Figures
Figure 1: L2 management mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Figure 2: L3 management mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Figure 3: L2 management mode example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Figure 4: L3 management mode example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Figure 5: Segregating user and management traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Figure 6: RADIUS-based MAC authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Figure 7: Using multiple VAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Figure 8: Firewall authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Figure 9: RADIUS-based VLAN assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
List of Tables
Table 1: AX411 Feature Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Table 2: L2 vs. L3 Forwarding Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Table 3: Supported RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Introduction
Juniper Networks® has introduced a wireless access point solution that is integrated into Juniper Networks SRX
Series Services Gateways. This new product line allows for a simple deployment of Wi-Fi networks in the branch while
leveraging the advanced capabilities of Juniper's services gateways for AP management. SRX Series for the branch
includes the ability to provide advanced security services like unified threat management (UTM), intrusion prevention
system (IPS), firewalling, unified access control, and VPNs.
Scope
The purpose of this application note is to provide an overview of the different deployment scenarios for Juniper's
Wi-Fi solution for the branch. This application note begins by detailing the capabilities of the Juniper Networks
AX411 Wireless Access Point and how it is configured. The final sections of this application note provide some typical
deployment scenarios and their configurations.
Design Considerations
SRX Series Services Gateways are used to monitor and configure the AX411 access points. The access points support
Power over Ethernet (PoE) and can be powered by SRX Series gateways that support PoE. Alternatively, an external
power supply is provided with each access point and can be used when PoE is not available.
Hardware Requirements
• Juniper Networks SRX Series for the branch (SRX100 line and SRX200 line of services gateways, and the SRX650
Services Gateway)
Software Requirements
• Juniper Networks Junos® operating system release 10.0 or later
Description and Deployment Scenario
AX411 Features
The AX411 access point provides support for a wide range of features and protocols targeted for small to medium
sized deployments in branch offices. For larger deployments of more than 4 access points, or where location services
are desired, the Juniper Networks WLA and WLC product lines are recommended. The following table summarizes some
of the most important characteristics of this product.
Table 1: AX411 Feature Summary
FEATURE                                                              DETAILS
Dual radio support Yes
PHY protocols supported 802.11a, 802.11b, 802.11g, and 802.11n
802.11h spectrum and transmit power management extensions Yes
802.11d specification for operation in additional regulatory domains Yes
802.11e quality of service enhancements Yes
Number of virtual access points supported Up to 16 per radio (32 total)
Gigabit Ethernet ports 1
Console port 1
802.1q support Yes
Authentication Local and RADIUS
MAC authentication Yes
HTTP redirect support Yes
Access point clustering support Yes, in Junos OS 10.1 and later.
Operational Model
The AX411 access points are managed from branch SRX Series Services Gateways, allowing for a simpler, centralized
provisioning model. In particular, the following operations can be performed directly from the SRX Series gateways.
• Configuration management: The entire configuration for all AX411s is performed within Junos OS at the branch
gateway and pushed to the access points over a secure connection to the AX411 device. The Junos OS infrastructure
is used to provide configuration backup and restore, auditing, scripting, role-based authentication, etc.
• Monitoring: Access points are monitored from the services gateway, including the ability to obtain device and
wireless network information from the command-line interface (CLI), J-Web Software, or SNMP.
• Device maintenance: Device maintenance support includes firmware upgrades.
When an access point is connected to a branch gateway for the first time, it requests an IP address using the Dynamic
Host Configuration Protocol (DHCP). After obtaining an IP address, a registration protocol is used to exchange
configuration and status information between the devices.
The SRX Series gateway uses the media access control (MAC) address received in the registration messages to identify
each access point. The advantage of using this approach is that access points can be connected to any port or given
any IP address while still being correctly identified since MAC addresses are fixed.
Internet Control Message Protocol (ICMP) is used as a “keepalive” protocol between each access point and the SRX
Series gateway. If an access point detects a failure, it automatically stops broadcasting any service set identifier (SSID)
that it has configured, thus allowing the client stations to associate to a different access point and circumvent the failure.
Access points can be managed in two different modes.
• Layer 2 management mode
• Layer 3 management mode
L2 Management Mode
The default and most common mode is to connect all access points to the same L2 network. A single routed VLAN
interface (RVI) is configured per VLAN, which is used as the default gateway for the VLAN. This RVI is then added to a
security zone. Access point to access point traffic can be forwarded at L2. The gateway can do so at line rate, without
the need to inspect such traffic. Traffic from wireless nodes connected to the access point will be inspected by the
SRX security gateway. In this configuration the SRX acts as a DHCP server for the VLAN, and both APs and wireless
endpoints obtain their IP address from this DHCP scope.
Figure 1: L2 management mode. The SRX Series gateway connects the office to the Internet; its vlan.0 interface
(192.168.1.1/24) is the DHCP server handing out addresses in 192.168.1.0/24 to access points and clients. All access
point facing ports are connected to interfaces in switching mode and associated to the default VLAN.
L3 Management Mode
In this mode, each access point is connected to a different subnet on the branch services gateway. Traffic between
access points is routed and inspected by the branch device.
Figure 2: L3 management mode. The SRX Series gateway connects the office to the Internet; each access point is
attached to its own routed interface (ge-0/0/1.0 192.168.1.1/24, ge-0/0/2.0 192.168.2.1/24, ge-0/0/3.0
192.168.3.1/24), and the DHCP server hands out addresses from multiple pools (192.168.1.0/24, 192.168.2.0/24,
192.168.3.0/24).
Analogously, customer traffic can be forwarded using either one of these modes on a per access point basis, i.e.,
any given access point can be connected to the gateway either in L2 or L3 mode. With this in mind, it is important to
understand the different tradeoffs between these modes.
Table 2: L2 vs. L3 Forwarding Mode
Access point to access point communication (and client to client communication when clients are in different
access points)
  L2 mode: Done in hardware at line rate but without any security inspection.
  L3 mode: Firewall and UTM services are available, but at the expense of forwarding performance.
Firewall authentication
  L2 mode: Not supported for L2 switched traffic.
  L3 mode: Yes
Client to client isolation
  L2 mode: Not always possible (proxy-arp can be used to force all client to client traffic to be sent to the
  gateway, where security policies can be enforced).
  L3 mode: Yes
QoS
  L2 mode: Not supported for client to client traffic.
  L3 mode: Yes
Configuration complexity
  L2 mode: Simpler configuration, since a single L3 interface is shared between all access points.
  L3 mode: Complex, as each access point is connected to a different L3 interface, with each requiring the
  configuration of an IP address, a DHCP server, security zones, and policies.
Roaming
  L2 mode: Client roaming is supported if MAC authentication or no authorization protocol is used. If
  authentication is used, clients will have to log in every time they associate to a new access point.
  L3 mode: Roaming will require clients to send a new DHCP request in order to obtain a new IP address.
Configuration
The configuration is found under [wlan] hierarchy. In Junos OS release 10.0, each access point has to be configured
individually. Junos OS 10.1 includes the ability to group access points into clusters, where all access points share the
same configuration. Access points in a cluster exchange both configuration and operational information and do not
require operators to make changes to each individual access point. The clustering feature will be discussed in a future
version of this document.
wlan {
    access-point <AP name> {
        mac-address <ap mac address>;
        # This attribute is mandatory and can be found on the rear label of the AX411
        description <AP description>;
        location <AP location>;
        external {
            system {
                console baudrate <console baudrate>;
                ports {
                    ethernet {
                        management-vlan <vlan-id>;
                        untagged-vlan <vlan-id>;
                        static {
                            address <Access Point address>;
                            gateway <default gateway>;
                        }
                    }
                }
            }
            dot1x-supplicant {
                username <username>;
                password <password>;
            }
        }
        access-point-options {
            country <country where the AP is located>;
            # This is used for regulatory purposes. The AP will only transmit in the bands
            # allowed by each country.
            station-mac-filter {
                # Allow and deny lists of MAC addresses, used for local MAC authentication
            }
        }
        radio <1|2> {
            quality-of-service {
                # QoS configuration options
            }
            radio-options {
                # PHY layer configuration options, such as transmit power, channel, mode, etc.
            }
            virtual-access-point <0..15> {
                # virtual-access-point configuration options, including SSID, security,
                # and HTTP redirect options
            }
        }
    }
}
The configuration is divided into three sections—the external, radio, and options sections.
The external section is used to specify the basic access point parameters used to manage the device, including its
address (when DHCP is not used), VLAN ID used for management traffic, and native VLAN ID (i.e., VLAN ID used for
untagged traffic).
In order to comply with the different regulatory domains, each access point must be configured with the name of the
country where it is being deployed. This is done under the access point options, and it is used to determine the range of
channels and maximum transmit power allowed in that domain.
Finally, all radio, client authentication, and SSID options are configured under the radio section. The following
deployment scenarios will show some typical configurations, and they will be used to introduce some of the
configuration options available.
RADIUS Support
One or more (for redundancy purposes) RADIUS servers can be used to authenticate users. When a user is granted
access, the RADIUS protocol provides a mechanism to pass user-specific parameters to the access point. These
parameters allow passing per-user configuration options, centrally managed by the RADIUS server.
The following table displays the list of RADIUS attributes that can be passed to the AX411 access point, as specified in
RFC 3580.
Table 3: Supported RADIUS Attributes
ATTRIBUTE NAME                VALUE   TYPE      DEFINED IN
Session-Timeout 27 integer RFC2865
Tunnel-Type 64 integer RFC2868
Tunnel-Medium-Type 65 integer RFC2868
Tunnel-Private-Group-ID 81 integer RFC2868
WISPR-Max-Bandwidth-Down 7 integer VSA (14122)
WISPR-Max-Bandwidth-Up 8 integer VSA (14122)
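The attributes in Table 3 are not all encoded the same way on the wire, which matters when a deployment debugs why a RADIUS-assigned VLAN or bandwidth limit is not taking effect. The Python below is an added example, not code from this application note or from Juniper: it builds the Table 3 attributes as a RADIUS server would place them in an Access-Accept and decodes them as the access point must. The RFC 2868 tunnel attributes carry a tag octet before their value and, for Tunnel-Type and Tunnel-Medium-Type, a 3-octet integer; the WISPr limits travel inside Vendor-Specific (26) with vendor id 14122. The values Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) come from RFC 3580, not from this page; the VLAN id, timeout and bandwidth figures are constructed sample input.

```python
import struct

# RADIUS attribute type numbers from Table 3 (RFC 2865 / RFC 2868)
SESSION_TIMEOUT = 27
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580: Tunnel-Medium-Type = IEEE-802
WISPR_VENDOR_ID = 14122        # vendor id listed in Table 3
WISPR_MAX_BANDWIDTH_DOWN = 7
WISPR_MAX_BANDWIDTH_UP = 8


def avp(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_integer(attr_type, value, tag=1):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet integer."""
    return avp(attr_type, struct.pack("!B", tag) + struct.pack("!I", value)[1:])


def tagged_string(attr_type, text, tag=1):
    """RFC 2868 tagged string: one tag octet followed by the string itself."""
    return avp(attr_type, struct.pack("!B", tag) + text.encode("ascii"))


def wispr_vsa(vendor_type, value):
    """Vendor-Specific (26) carrying one WISPr integer sub-attribute."""
    inner = struct.pack("!BBI", vendor_type, 6, value)   # vendor-type, vendor-length, 4-octet value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", WISPR_VENDOR_ID) + inner)


def build_accept_attributes(vlan_id, session_timeout, bw_down_bps, bw_up_bps):
    """Attribute list a RADIUS server would put in an Access-Accept for one user."""
    return b"".join([
        tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)),   # VLAN id is sent as a string
        avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout)),
        wispr_vsa(WISPR_MAX_BANDWIDTH_DOWN, bw_down_bps),
        wispr_vsa(WISPR_MAX_BANDWIDTH_UP, bw_up_bps),
    ])


def parse_attributes(data):
    """Walk the attribute list as the access point would, rejecting malformed lengths."""
    out = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + length]
        if attr_type == SESSION_TIMEOUT and len(value) == 4:
            out["Session-Timeout"] = struct.unpack("!I", value)[0]
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            name = "Tunnel-Type" if attr_type == TUNNEL_TYPE else "Tunnel-Medium-Type"
            out[name] = (value[0], int.from_bytes(value[1:4], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first octet of 0x00-0x1F is a tag, anything else is part of the string
            if value[0] <= 0x1F:
                out["Tunnel-Private-Group-ID"] = (value[0], value[1:].decode("ascii"))
            else:
                out["Tunnel-Private-Group-ID"] = (0, value.decode("ascii"))
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 10 and \
                struct.unpack("!I", value[:4])[0] == WISPR_VENDOR_ID:
            vendor_type, vendor_len = value[4], value[5]
            number = struct.unpack("!I", value[6:4 + vendor_len])[0]
            name = {WISPR_MAX_BANDWIDTH_DOWN: "WISPr-Max-Bandwidth-Down",
                    WISPR_MAX_BANDWIDTH_UP: "WISPr-Max-Bandwidth-Up"}.get(vendor_type, f"WISPr-{vendor_type}")
            out[name] = number
        i += length
    return out


if __name__ == "__main__":
    blob = build_accept_attributes(vlan_id=100, session_timeout=3600,
                                   bw_down_bps=2_000_000, bw_up_bps=1_000_000)
    print(len(blob), "bytes:", blob.hex())
    print(parse_attributes(blob))
```

Attributes the decoder does not recognise are skipped rather than rejected, which is the RFC 2865 rule for an unknown type; a bad length field, on the other hand, aborts the walk, because every later attribute would be misread from that point on.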
Description and Deployment Scenarios
We will start by configuring basic access point management access for both L2 and L3 modes. These configurations
will be used as the starting point in subsequent scenarios.
L2 Management Mode
In this mode, all access points are connected to the SRX Series for the branch by means of an Ethernet switched
network, either using an external switch or the ports on the SRX Series gateway configured for switching. A single L3
interface is used to provide connectivity to all of the access points. This interface also serves as the default gateway for
the wireless clients.
Figure 3: L2 management mode example. Three access points (AP-1 00:de:ad:10:75:00, AP-2 00:de:ad:10:76:00,
AP-3 00:de:ad:10:77:00) and their clients share the SRX Series gateway's vlan.1 interface (Trust, 192.168.1.1/24),
which hands out DHCP addresses in 192.168.1.0/24. A single broadcast SSID, CorpNet, is advertised. The gateway
reaches the Internet through ge-0/0/0.0 (untrust, 198.0.0.1/24).
For completeness, the security policies, Network Address Translation (NAT), and untrust interface configuration
required to allow traffic from the access points to the Internet are included in this configuration. To avoid unnecessary
repetition, and unless explicitly noted, our next examples will omit these sections from the configuration.
# Enable PoE if you will be using it to power the AX411.
set poe interface all
# DHCP server configuration
set system services dhcp name-server 4.2.2.2
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
# Interface and VLAN configuration
# Note how interface-ranges can be used to simplify the configuration when a large number of APs are used
set interfaces interface-range APs member ge-0/0/1
set interfaces interface-range APs member fe-0/0/2
set interfaces interface-range APs member fe-0/0/3
set interfaces interface-range APs unit 0 family ethernet-switching vlan members default
# Untrust static IP
set interfaces ge-0/0/0 unit 0 family inet address 198.0.0.1/24
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set vlans default vlan-id 2
set vlans default l3-interface vlan.2
# Routing is trivial, there is only a default route pointing to the Internet
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
# NAT all traffic from the WiFiNet zone to untrust. Use the IP address of the egress interface as the new source.
set security nat source rule-set Internet-Access from zone WiFiNet
set security nat source rule-set Internet-Access to zone untrust
set security nat source rule-set Internet-Access rule nat-all match source-address 0.0.0.0/0
set security nat source rule-set Internet-Access rule nat-all then source-nat interface
# Security zones and policies configuration. Please note that the vlan.2 interface MUST be assigned to a zone
set security zones security-zone untrust interfaces ge-0/0/0.0
# It is important to allow both DHCP and PING, otherwise the SRX will not discover the APs
set security zones security-zone WiFiNet interfaces vlan.2 host-inbound-traffic system-services dhcp
set security zones security-zone WiFiNet interfaces vlan.2 host-inbound-traffic system-services ping
set security policies from-zone WiFiNet to-zone untrust policy allow-internet-access match source-address any
set security policies from-zone WiFiNet to-zone untrust policy allow-internet-access match destination-address any
set security policies from-zone WiFiNet to-zone untrust policy allow-internet-access match application any
set security policies from-zone WiFiNet to-zone untrust policy allow-internet-access then permit
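Several requirements scattered through this note are easy to miss in a long configuration: the mac-address under each access point is mandatory, the country must be set under access-point-options, the L3 interface serving the APs must sit in a security zone whose host-inbound-traffic permits both dhcp and ping (otherwise the SRX never discovers the APs), and the zone names used by NAT rule-sets and policies must match zones that are actually defined. The Python below is an added example, not a Juniper tool, that checks those points over a Junos set-style configuration before it is committed. The checks are my reading of the requirements stated above; the sample configuration is constructed and deliberately contains one defect of each kind.

```python
from collections import defaultdict

# Constructed sample in the style of this note, with three defects a reviewer should catch:
# AP-2 has no mac-address, vlan.2 admits dhcp but not ping, and the NAT rule-set names a
# zone ("WiNet") that is never defined.
SAMPLE_CONFIG = """
set wlan access-point AP-1 mac-address 00:de:ad:10:75:00
set wlan access-point AP-1 access-point-options country US
set wlan access-point AP-2 description Floor2
set wlan access-point AP-2 access-point-options country US
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set vlans default vlan-id 2
set vlans default l3-interface vlan.2
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone WiFiNet interfaces vlan.2 host-inbound-traffic system-services dhcp
set security nat source rule-set Internet-Access from zone WiNet
set security nat source rule-set Internet-Access to zone untrust
set security policies from-zone WiFiNet to-zone untrust policy allow-internet-access then permit
"""

# The same configuration with the three defects corrected.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("AP-2 description Floor2", "AP-2 mac-address 00:de:ad:10:76:00")
    .replace("from zone WiNet", "from zone WiFiNet")
    + "set security zones security-zone WiFiNet interfaces vlan.2 host-inbound-traffic system-services ping\n"
)


def parse_set_config(text):
    """Split a Junos 'set' configuration into token lists, skipping comments and blank lines."""
    statements = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("set "):
            raise ValueError(f"not a set statement: {line}")
        statements.append(line.split()[1:])
    return statements


def lint_ax411_config(text):
    """Return a list of findings; an empty list means every check passed."""
    stmts = parse_set_config(text)
    findings = []

    # Check 1: every access point carries the mandatory mac-address and a regulatory country.
    aps, with_mac, with_country = set(), set(), set()
    for s in stmts:
        if len(s) > 3 and s[0] == "wlan" and s[1] == "access-point":
            aps.add(s[2])
            if s[3] == "mac-address":
                with_mac.add(s[2])
            if s[3] == "access-point-options" and len(s) > 5 and s[4] == "country":
                with_country.add(s[2])
    for ap in sorted(aps - with_mac):
        findings.append(f"access-point {ap}: mac-address missing")
    for ap in sorted(aps - with_country):
        findings.append(f"access-point {ap}: country not set under access-point-options")

    # Check 2: each VLAN L3 interface is in a zone that accepts dhcp and ping from the APs.
    l3_ifaces = {s[3] for s in stmts if len(s) > 3 and s[0] == "vlans" and s[2] == "l3-interface"}
    zones, zone_of, services = set(), {}, defaultdict(set)
    for s in stmts:
        if len(s) > 3 and s[:3] == ["security", "zones", "security-zone"]:
            zones.add(s[3])
            if len(s) > 5 and s[4] == "interfaces":
                zone_of[s[5]] = s[3]
                if len(s) > 8 and s[6:8] == ["host-inbound-traffic", "system-services"]:
                    services[s[5]].add(s[8])
    for iface in sorted(l3_ifaces):
        if iface not in zone_of:
            findings.append(f"{iface}: L3 interface is not assigned to any security zone")
            continue
        for svc in ("dhcp", "ping"):
            if svc not in services[iface]:
                findings.append(f"{iface}: host-inbound-traffic system-services {svc} missing, AP discovery will fail")

    # Check 3: zones named by NAT rule-sets and security policies are actually defined.
    for s in stmts:
        if len(s) > 7 and s[:4] == ["security", "nat", "source", "rule-set"] and s[6] == "zone":
            if s[7] not in zones:
                findings.append(f"nat rule-set {s[4]}: zone {s[7]} is not defined")
        if len(s) > 5 and s[:2] == ["security", "policies"] and s[2] == "from-zone" and s[4] == "to-zone":
            for zone in (s[3], s[5]):
                if zone not in zones:
                    findings.append(f"policy from-zone {s[3]} to-zone {s[5]}: zone {zone} is not defined")
    return findings


if __name__ == "__main__":
    for finding in lint_ax411_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("fixed config findings:", lint_ax411_config(FIXED_CONFIG))
```

The checker only knows the VLAN-interface layout used in L2 management mode; an L3 deployment that puts each AP behind its own ge- interface would need the same zone and host-inbound-traffic check applied to those interfaces instead.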