12 Copyright © 2011, Juniper Networks, Inc.
APPLICATION NOTE - Configuring and Deploying the AX411 Wireless Access Point
set interfaces interface-range APs unit 0 family ethernet-switching native-vlan-id 1
set vlans WiNet vlan-id 2
set vlans WiNet l3-interface vlan.2
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set vlans default vlan-id 1
set vlans default l3-interface vlan.1
set interfaces vlan unit 1 family inet address 192.168.1.1/24
#Security zones and policies configuration. Please note that the vlan.0 interface MUST be assigned to a zone
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services dhcp
set security zones security-zone management interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone management interfaces vlan.1
#Note that ping is not required in the WiNet zone, as the keepalives are sent only over the management vlan
set security zones security-zone trust interfaces vlan.2
#Note that no security policies are required for the management zone as no through traffic should be allowed from/to this zone.
#APs configuration.
set wlan access-point AP-1 mac-address 00:12:cf:c5:4a:40
set wlan access-point AP-1 access-point-options country US
set wlan access-point AP-1 radio 1 virtual-access-point 0 ssid WiNet
set wlan access-point AP-1 radio 1 virtual-access-point 0 vlan 2
set wlan access-point AP-1 radio 1 virtual-access-point 0 security none
set wlan access-point AP-1 radio 2 virtual-access-point 0 ssid WiNet
set wlan access-point AP-1 radio 2 virtual-access-point 0 vlan 2
set wlan access-point AP-1 radio 2 virtual-access-point 0 security none
#AP-2
#... All the other APs are configured the same way
MAC Authentication
Building on our previous scenario, we will now assume that some basic form of authentication is required. If the number
of devices in the network is small, and over-the-air confidentiality is not a requirement, MAC-based authentication
provides a simple access control method.
A local database of allowed and denied MAC addresses is created. Whenever a VAP is configured with MAC
authentication, the access point uses this database to determine if a particular association request will be granted.
Two mutually exclusive lists are provided—allow lists and deny lists. If the allow list is configured, any station with a
MAC address not on the list will be denied access. Similarly, if the deny list is configured, all stations will be allowed
with the exception of the ones present on the list.
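As an added example (not Juniper's code and not part of the original note), the Python script below parses `set wlan access-point` statements in the syntax used throughout this note, applies the allow-list/deny-list decision rule just described, and flags virtual access points that still run `security none`, which MAC filtering leaves without any over-the-air confidentiality. It assumes the `deny-list` keyword mirrors the `allow-list` form shown on this page; the configuration embedded in it is a constructed sample.

```python
# Added example (not Juniper code); assumes 'deny-list' mirrors the note's 'allow-list' syntax.
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
SAMPLE_CONFIG = """\
set wlan access-point AP-1 mac-address 00:12:cf:c5:4a:40
set wlan access-point AP-1 access-point-options station-mac-filter allow-list mac-address 00:16:cb:05:1e:af
set wlan access-point AP-1 radio 1 virtual-access-point 0 security none
set wlan access-point AP-2 radio 1 virtual-access-point 0 security none
""".splitlines()  # constructed sample in the note's syntax; AP-2 is an open VAP


def parse_wlan_config(lines):
    """Collect, per AP, its allow/deny MAC sets and each VAP's security mode."""
    aps = defaultdict(lambda: {"allow": set(), "deny": set(), "vaps": {}})
    for raw in lines:
        tokens = raw.split()
        if tokens[:3] != ["set", "wlan", "access-point"] or len(tokens) < 5:
            continue  # comments, blank lines and non-WLAN statements
        ap, rest = aps[tokens[3]], tokens[4:]
        if rest[:2] == ["access-point-options", "station-mac-filter"]:
            if (len(rest) != 5 or rest[2] not in ("allow-list", "deny-list")
                    or rest[3] != "mac-address" or not MAC_RE.match(rest[4].lower())):
                raise ValueError(f"bad station-mac-filter statement: {raw.strip()}")
            ap[rest[2][:-5]].add(rest[4].lower())  # 'allow-list' -> 'allow'
        elif len(rest) == 6 and rest[0] == "radio" and rest[2] == "virtual-access-point" and rest[4] == "security":
            ap["vaps"][(rest[1], rest[3])] = rest[5]
    return dict(aps)


def station_allowed(ap, mac):
    """Allow list: only listed MACs; deny list: all but listed; neither: everyone."""
    mac = mac.lower()
    if ap["allow"]:
        return mac in ap["allow"]
    return mac not in ap["deny"]  # an empty deny set admits every station


def audit(aps):
    """Flag both lists configured together, and VAPs running 'security none'."""
    findings = []
    for name, ap in sorted(aps.items()):
        if ap["allow"] and ap["deny"]:
            findings.append(f"{name}: allow-list and deny-list both configured (mutually exclusive)")
        for (radio, vap), security in sorted(ap["vaps"].items()):
            if security == "none":  # MAC filtering adds no confidentiality either way
                detail = "MAC filter only" if ap["allow"] or ap["deny"] else "open, no access control"
                findings.append(f"{name} radio {radio} vap {vap}: security none ({detail})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_wlan_config(SAMPLE_CONFIG))))
```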
#AP-1 configuration
set wlan access-point AP-1 mac-address 00:12:00:00:00:00
set wlan access-point AP-1 mac-address 00:12:00:00:00:01
…
set wlan access-point AP-1 access-point-options country US
set wlan access-point AP-1 mac-address 00:12:cf:c5:4a:40
set wlan access-point AP-1 access-point-options station-mac-filter allow-list mac-address 00:16:cb:05:1e:af
set wlan access-point AP-1 radio 1 virtual-access-point 0 ssid WiNet