Introduction to the WatchGuard AP Device WatchGuard Training.


Transcript of Introduction to the WatchGuard AP Device WatchGuard Training.


WatchGuard AP 100 and AP 200

AP Device in an XTM Network

A WatchGuard AP device adds wireless access to any XTM device network.
• Connect an AP device directly to an XTM device interface or to a switch on the trusted or optional network.
• Use the Gateway Wireless Controller on the XTM device to configure and manage connected AP devices.

Figure: Connect the AP device directly to an XTM device interface, OR connect the AP device to a switch on the trusted or optional network.

AP 100 and AP 200 Wireless Access Points

AP 100
• Single dual-band radio
• 2.4 GHz / 5 GHz switchable
• 2x2:2 MIMO 802.11 a/b/g/n
• Up to 300 Mbps
• 8 SSIDs

AP 200
• Two single-band radios
• 2.4 GHz and 5 GHz
• 2x2:2 MIMO 802.11 a/b/g/n
• Up to 600 Mbps
• 8 SSIDs per radio
• Plenum rated

Power
• AC Adapter
• 802.3af compliant PoE injector or switch

Requirements and Limitations

Requirements for an XTM device to manage an AP device:
• The XTM device must use Fireware XTM OS v11.7.2 or later.
• The XTM device must be configured in mixed routing mode.
• The AP device must connect to a trusted or optional network.

Limitations
• You cannot use the Fireware XTM command line interface to manage WatchGuard AP devices.
• You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.

AP Device Default Settings

AP device automatically uses DHCP to request a dynamic IP address.

If a DHCP server is not available, the AP device uses a default IP address.
• IP Address: 192.168.1.1
• Subnet Mask: 255.255.255.0
• Default Gateway: 192.168.1.1

The AP device has its own web UI.
• You can connect to the Access Point web UI at https://192.168.1.1, or at the DHCP IP address.
• Default password: wgwap

To deploy an AP device, you do not need to use the Access Point web UI unless you need to assign a static IP address to the AP device.

Deployment Planning

Before you add an AP device to your network, analyze your current environment and wireless requirements to determine:
• What wireless modes you need to support (802.11a/b/g/n)
• What SSIDs and networks you want to create for wireless clients to connect to
• The best physical location for the AP device

When you think about where to install your AP device, consider:
• Potential sources of wireless noise and interference
• Factors that affect wireless signals, such as building construction and materials
• Where your wireless clients are likely to be located

You can use a wireless site survey tool such as Ekahau HeatMapper to measure wireless signal strength for wireless clients at different locations.
• Measure before deployment as part of planning
• Measure after deployment to see the AP signal strength and range

Should You Enable VLAN Tagging?

When you enable VLAN tagging, you associate a VLAN ID with each SSID.

VLAN tagging is not required, but there are several reasons you could want to enable VLAN tagging:
• You want to set different firewall policies for multiple SSIDs that connect to the same network.
  – For example, you can create different SSIDs for different groups of users and then create different firewall policies for each SSID. In each policy, you use the VLAN ID associated with an SSID to make a policy apply to traffic for that SSID.
• You want to separate traffic on the same physical network to different logical networks.
  – VLAN tagging enables you to separately examine traffic for wireless clients connected to each SSID. If you use a network analyzer, you can use VLAN tags to see the traffic for the VLAN ID associated with a specific SSID.
  – If you want to set up your AP device with one SSID for the trusted network and another SSID for the optional network, you can use a trusted VLAN and an optional VLAN to separate the traffic for the trusted and optional wireless clients.

VLAN configuration is covered in detail in a later section of this training.

Deployment Steps

Deployment Overview

To deploy any AP device on your network you must:
1. Enable the Gateway Wireless Controller on the XTM device.
2. Connect the AP device to your network.
3. Pair the AP device with the XTM device.
4. Configure the SSIDs you want to use.
5. Configure the AP device settings.

If you enable VLAN tagging in the AP device SSIDs you must also:
• Create a tagged VLAN for each SSID.
• Create an untagged VLAN for management of the AP device.

This training uses WatchGuard System Manager to show how to configure and monitor your AP device. You can also do these same tasks in Fireware XTM Web UI.

Enable the Gateway Wireless Controller

To enable the Gateway Wireless Controller on the XTM device:
1. In Policy Manager, select Network > Gateway Wireless Controller.
2. Select the Enable the Gateway Wireless Controller check box.
3. Type the passphrase you want to use for all your WatchGuard AP devices after they are paired to the XTM device.

Set the AP device location:
1. Click Settings.
2. Select the location of your AP device from the list of countries. This location is used to help configure the wireless radio.

Save the configuration to the XTM device.

Connect the AP Device

Connect the AP device directly to an XTM device interface, or to a switch on the trusted or optional network.

If you want to connect the AP device directly to an XTM device interface, configure the XTM device interface:
• Set the Interface Type to Trusted or Optional.
• Enable the DHCP Server.
• Configure a pool of IP addresses the XTM device will assign to the AP device and to wireless clients.

If you connect the AP device to a switch:
• The AP device gets an IP address from a DHCP server.
• If your network does not have a DHCP server, use the Access Point web UI to configure a static IP address on the AP device.

Pair the AP Device

When you first connect the AP device, it is an unpaired Access Point.

To pair the AP device to the XTM device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
3. Click Refresh.
4. Type the XTM device IP address and configuration passphrase.

The XTM device sends a local discovery broadcast on the trusted and optional networks over UDP port 2529 every 30 seconds.

Unpaired AP devices send a response to the XTM device.

Pair the AP Device

Unpaired AP devices appear in the Unpaired Access Points list. To pair an AP device to the XTM device:
1. Select an unpaired access point and click Pair.
2. Type the Pairing Passphrase. This must match the current passphrase on the AP device. Default AP passphrase is wgwap.
   The Edit Access Point dialog box opens automatically.
3. Edit the Access Point settings. Access Point configuration is covered in the next section of this training.

Pair the AP Device

After you pair the AP device, the AP device is added to the Access Points list.

Because Policy Manager is an offline configuration tool, pairing is not complete until you save the configuration to the XTM device.

The first time you save the configuration to the XTM device after pairing:
• The XTM device uses the pairing passphrase to connect to the AP device and update the configuration.
• The AP device restarts with the updated configuration.
• The XTM device tries to activate the AP device.

The AP device is activated in the WatchGuard account where the XTM device was activated.

If automatic activation fails, the XTM device periodically tries again.

Activation status of the AP device does not affect AP device functionality.

Configuration

In the Gateway Wireless Controller, you can configure:
• AP devices
• SSIDs
• Gateway Wireless Controller settings

Configure the AP Device

To configure AP devices, in Policy Manager, select the Network > Gateway Wireless Controller > Access Points tab.

You can add, edit or remove AP devices.
• Add — manually add an AP device that has not been paired
• Edit — edit an AP device configuration
• Remove — remove the AP device
  – Removes the AP device from the XTM device configuration
  – Resets the AP device to factory default settings

Configure the AP Device

When you pair an AP device, the Edit Access Point dialog box opens automatically.

You can also select a configured AP device and click Edit.

Configure AP device settings.
• Change the AP device Name.
• Configure Network Settings (DHCP or Static IP address).
  – If you select Static, you must configure a static IP address.
• Enable logging to a syslog server.
• Configure radio settings.

Configure the AP Device Radio Settings

For an AP 100, you can configure the radio Band to use.
• AP 100 has one radio that can use either the 2.4 GHz or 5 GHz band.
• AP 200 has two radios. Radio 1 always uses the 2.4 GHz band, and Radio 2 always uses the 5 GHz band.

For each radio, configure the Wireless Mode.
• The 2.4 GHz band supports 802.11B, G, and N.
• The 5 GHz band supports 802.11 A and N.

For each radio, select the configured SSIDs to use (up to 8 per radio).
• You can also assign the AP device radio to an SSID when you create the SSID.

Figure: Radio Settings for an AP 200

Configure SSIDs

The SSID is the network name that wireless clients see when they connect.
• You can assign multiple SSIDs to a single AP device radio.
• You can assign the same SSID to multiple AP device radios.

To add an SSID, in the SSIDs tab, click Add.
• Specify the Network Name (SSID)
• Configure Settings
  – Enable or disable SSID broadcast
  – Enable MAC Access Control
  – Enable VLAN tagging
    – Specify VLAN ID
• Add configured AP device radios as members of the SSID

Configure the SSID Security Mode

To configure the SSID security mode, click the Security tab.

AP devices support these security modes:
• Disabled — no security/open system
• WPA/WPA2 (PSK) — pre-shared key
• WPA/WPA2 Enterprise — RADIUS

Configure Gateway Wireless Controller Settings

Gateway Wireless Controller has settings that apply to all paired AP devices.

Select Network > Gateway Wireless Controller, and click Settings.
• Update the WatchGuard AP Passphrase that is used by all AP devices after they are paired.
• Enable or disable automatic firmware updates when new firmware is available on the XTM device.
  – Default is enabled.
• Set the syslog server for all AP devices.
  – All AP devices send log messages to this syslog server unless you specify a different syslog server in the AP device configuration.
• Select the location of the AP devices.
  – This enables the AP device to automatically select a radio channel allowed in your region.

Configure the MAC Access Control List

In the MAC Access Control tab, add the MAC addresses of wireless clients that you want to deny access to your AP device SSIDs.

For each SSID, you can decide whether to use the MAC Access Control list.

VLAN Configuration

VLAN Configuration Overview

If you want to enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on an XTM device interface.
• Enable VLANs before you connect and pair the AP device.
• The AP device uses tagged VLANs to identify traffic for each SSID, and an untagged VLAN for AP management connections.
• VLANs must be in the trusted or optional security zone.

To configure VLANs on the XTM device:
1. Add one VLAN for each SSID.
2. Add one VLAN for management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the XTM device VLAN interface to pass tagged traffic for the VLANs for each SSID and untagged traffic for the AP management VLAN.

VLAN Configuration Options

VLAN Configuration
• Connect the AP device directly to a VLAN interface on the XTM device.
• Connect the AP device to the XTM device VLAN interface through a VLAN switch.
• Configure the same VLANs on the switch interfaces as you configured on the XTM device.

Figure: Connect the AP device directly to an XTM device VLAN interface, OR connect the AP device to a VLAN switch.

VLAN Configuration Example

Example: You want to add two SSIDs to allow wireless connections to two different networks through the same AP device.
• SSID Name: Trusted-W, for trusted wireless access
• SSID Name: Guest-W, for guest wireless access

Create three VLANs; one for each SSID and one for AP management.
• Select Network > Configuration > VLAN.
• Add three VLANs, with DHCP enabled. For example:
  – Trusted-VLAN (VLAN ID 10) — to use with SSID Trusted-W
  – Optional-VLAN (VLAN ID 20) — to use with SSID Guest-W
  – AP-Mgmt-VLAN — to use for management connections to the AP device

VLAN Configuration Example — VLAN Details

Figure: VLAN details for VLAN ID 10, VLAN ID 20, and VLAN ID 30.

VLAN Configuration Example — VLAN Interface

Configure a VLAN interface on the XTM device.
• In the Network Configuration dialog box, select the Interfaces tab.
• Select the interface you want to connect the AP device to, and click Configure.
• Set the Interface Type to VLAN, and configure it to:
  – Send and receive tagged traffic for the VLANs for each SSID (VLAN IDs 10 and 20).
  – Send and receive untagged traffic for the VLAN for AP management connections (VLAN ID 30).
• Save the configuration to the XTM device to enable the VLAN interface.
• Connect the AP device to the VLAN interface.

VLAN Configuration Example — Configure SSIDs

Enable VLAN tagging in the two SSIDs.
• For this example:
  – SSID Trusted-W uses VLAN ID 10
  – SSID Guest-W uses VLAN ID 20
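The tagging in this example as a network analyzer sees it, shown as an added Python example that is not part of the WatchGuard training: it reads the 802.1Q tag of an Ethernet frame and attributes the frame to Trusted-W (VLAN 10), Guest-W (VLAN 20) or untagged AP management (VLAN 30). The function names are hypothetical and the frames are constructed sample data.

```python
import struct
from collections import Counter

# Mapping taken from the VLAN example in this training: tagged VLAN 10 and 20
# carry the two SSIDs; AP management (VLAN ID 30) is sent untagged.
SSID_BY_VLAN = {10: "Trusted-W", 20: "Guest-W"}
MGMT_VLAN_ID = 30
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def classify_frame(frame):
    """Return (vlan_id, tagged, label) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        # No tag: on the VLAN interface in this example, untagged traffic
        # belongs to the AP management VLAN.
        return (MGMT_VLAN_ID, False, "AP management")
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vlan_id = tci & 0x0FFF  # low 12 bits of the TCI; top 3 bits are priority
    # Any other tag, including a tagged VLAN 30, does not match the plan.
    label = SSID_BY_VLAN.get(vlan_id, "unexpected tag")
    return (vlan_id, True, label)


def build_frame(vlan_id=None, priority=0, payload=b"\x00" * 46):
    """Construct a sample frame (hypothetical helper for this example)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # constructed, locally administered
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def summarize(frames):
    """Count frames per label, as a per-SSID traffic breakdown."""
    counts = Counter(classify_frame(f)[2] for f in frames)
    return dict(counts)


# Constructed capture: two Trusted-W frames, one Guest-W frame, one untagged
# management frame, and two frames whose tags the plan does not allow.
SAMPLE_FRAMES = [
    build_frame(10),
    build_frame(10, priority=5),
    build_frame(20),
    build_frame(),
    build_frame(30),
    build_frame(99),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_FRAMES).items()):
        print(f"{label}: {count}")
```

Frames reported as "unexpected tag" on the link to the AP device point to a mismatch between the SSID VLAN IDs and the VLAN interface or switch port configuration.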

VLAN Configuration Example — Finish AP Device Setup

The rest of the AP device setup steps are the same as without VLAN tagging enabled.
• Connect the AP device to the VLAN interface
• Use Policy Manager to discover and pair the AP device.
• In the AP configuration, add the SSIDs you configured.
• Save the configuration to the XTM device.

VLAN Configuration Example — Connecting to a Switch

The VLAN configuration on the XTM device is the same, whether you connect the AP device directly to the XTM device or to a VLAN switch.

To connect the AP device to a switch, configure the same VLANs on the switch ports that connect to the AP device and the XTM device.

Other VLAN Configuration Options

The flexibility of the VLAN configuration and routing on your XTM device, managed switch, and AP device enables you to deploy the AP device with VLANs in many other network configurations:
• Separate XTM interfaces for each VLAN on the switch
• VLAN segmentation with Branch Office VPN
• VLAN segmentation for separate gateways

Monitoring

Monitor AP Devices and Wireless Clients

Monitor AP devices and connected wireless clients in:
• Firebox System Manager on the Gateway Wireless Controller tab.
  – Select the Access Points tab to monitor paired AP devices.
  – Select the Wireless Clients tab to monitor connected wireless clients.
• Fireware XTM Web UI on the System Status > Gateway Wireless Controller page.
  – Select the Access Points tab to monitor paired AP devices.
  – Select the Wireless Clients tab to monitor connected wireless clients.

Monitor AP Devices

Access Points tab shows:
• AP device status
• SSIDs
• IP address
• Radio band and channel
• Uptime

Select an AP device to:
• Do a Site Survey to detect other wireless access points
• See Log Messages on the AP device
• Reboot the AP device

AP Device Status — Online

After you deploy an AP device, check the device status. If the XTM device can log in to the AP device, and the AP device is fully configured, the Access Point status is Online.

AP Device Status — Offline

If the XTM device cannot contact the AP device, the device status is Offline.

When an AP device reboots, the status is Offline during the reboot.
• The AP device reboots after each configuration change.

AP Device Status — Passphrase Mismatch

If the Pairing Passphrase on the XTM device does not match the passphrase on the AP device, AP device status is Passphrase mismatch.

To resolve this, edit the Access Point configuration in Policy Manager and change the Pairing Passphrase to match the passphrase on the AP device.

The default AP device passphrase is wgwap.

Monitoring — Connected Wireless Clients

Select the Wireless Clients tab to see a list of connected wireless clients.

Wireless Hotspot

Enable a Wireless Hotspot / Captive Portal

You can configure your WatchGuard AP device SSID as a wireless hotspot.

With hotspot functionality enabled, when wireless clients connect to your SSID and try to browse to a web site, the hotspot welcome page appears.

Users must accept the terms and conditions before they can browse the web through your AP device.

Enable a Hotspot / Captive Portal

In Policy Manager select Setup > Authentication > Hotspot.

Enable the hotspot for the VLAN or physical interface your AP device uses:
• If you use VLANs, select the VLAN interface for the SSID.
• If you do not use VLANs and the AP device is directly connected to an XTM device interface, select the XTM device interface your AP device is connected to.

Configure the settings for your hotspot welcome page.

Monitor Hotspot Connections

To see the list of connected hotspot clients in Firebox System Manager select the Authentication List tab.

Click Hotspot Clients.

The connected hotspot clients also appear in the Wireless Clients tab on the Gateway Wireless Controller tab.

Documentation and Resources

Product Documentation
• WatchGuard AP — You can view and download the most current documentation for the WatchGuard AP device on the WatchGuard AP Product Documentation page at http://www.watchguard.com/help/documentation/ap.asp
• WatchGuard XTM — For detailed information about WatchGuard AP pairing, management, and configuration with your XTM device, see the Wireless AP Device Setup section of the Fireware XTM Web UI or WSM Help at http://www.watchguard.com/help/documentation/xtm.asp

Knowledge Base
• You can view and search the knowledge base for information on specific WatchGuard product issues at http://customers.watchguard.com

WatchGuard User Forum
• An interactive online user forum moderated by senior support engineers. Go to the WatchGuard forum at http://www.watchguard.com/forum

Thank You!