
How To define a Guest and Corporate Wireless Network on a SRX Branch Device by using a single AX-411 AP


Article ID: KB23134, KB Last Updated: 27 Feb 2020, Version: 2.0
Summary:
This article explains how to configure a Guest wireless segment and a Corporate wireless segment whose clients connect to the same AP.
Symptoms:
  • Single AX411 Access Point.

  • A Guest and a Corporate Wireless segment are being configured, both of which connect to a single AX411 Access Point.

  • The SRX Branch device is used to manage the AX411.
Solution:
To provide multiple wireless access levels on the same AP, give each level its own SSID and distinguish the SSIDs by VLAN ID. This requires a Routed VLAN Interface (RVI) per segment, which distinguishes one wireless segment from the other.

The following VLANs have to be created:
  • Guest VLAN
  • Corporate Wireless VLAN
  • Management VLAN


First, create the VLAN interfaces. Use vlan.1000 for the Guest VLAN, vlan.1001 for the Corporate Wireless VLAN, and vlan.1002 for the Management VLAN.
root@SRX240H# show interfaces vlan 
unit 1000 {
    family inet {
        address 10.252.1.10/24;
    }
}
unit 1001 {
    family inet {
        address 10.252.2.1/24;
    }
}
unit 1002 {
    family inet {
        address 10.252.3.1/24;
    }
}
Next, configure the VLANs. Each one carries its VLAN ID and the L3 interface that ties it to the corresponding VLAN interface:
 
root@SRX240H# show vlans 
Wireless-mgnt {
    description Wireless-mgnt;
    vlan-id 5;
    l3-interface vlan.1002;
}
wifi-guest-1000 {
    vlan-id 1000;
    l3-interface vlan.1000;
}
wifi-corp-1001 {
    vlan-id 1001;
    l3-interface vlan.1001;
}
Now configure the physical interface. Assume that the AX411 is connected to the ge-0/0/4 interface on an SRX-240. Configure this physical interface with family ethernet-switching as a trunk port.

Configure the wifi-guest-1000 and wifi-corp-1001 VLANs as members of this trunk. The native VLAN ID 5 is also configured on this interface, which tells the system to treat VLAN 5 as the native, untagged VLAN.
 
root@SRX240H# show interfaces 

ge-0/0/4 {
    description AX411_INT;
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ wifi-guest-1000 wifi-corp-1001 ];
            }
            native-vlan-id 5;
        }
    }
}

Note: If you place the AX-411 behind a switch, do not include the native VLAN as a VLAN member of the trunk. If you do, the return packet comes back tagged; the AX-411 will not recognize it and will drop it. For more information, refer to KB17419 - Native vlan-id and tagged behavior in EX Switches.

After configuring the VLAN interfaces, you can configure one VLAN per SSID. In this example, the Guest users are defined on the Guest SSID, which is on virtual-access-point 0, and Corporate users are defined on the Corp SSID, which is on virtual-access-point 1.
 
root@SRX240H# show wlan access-point ax411-ap
description Office-WIFI;
mac-address xx:xx:xx:xx:xx:xx;
access-point-options {
    country {
        US;
    }
}
radio 2 {
    virtual-access-point 0 {
        description Guest-Users;
        ssid Guest;
        vlan 1000;
        security {
            none;
        }
    }
    virtual-access-point 1 {
        description TestGuest;
        ssid Corp;
        vlan 1001;
        security {
            wpa-personal {
                wpa-version {
                    both;
                }
                cipher-suites {
                    tkip;
                }
                key "$ABC123"; ## SECRET-DATA
            }
        }
    }
}
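
The following check is an added example, not part of the original article or of Juniper's tooling: it parses curly-brace Junos configuration and verifies that every SSID's VLAN is defined and carried on a trunk, that the native VLAN is not also a tagged trunk member, and it reports SSIDs that are open or use TKIP (a deprecated cipher). The sample text is constructed from this article's stanzas, placed under top-level `vlans`, `interfaces` and `wlan` as an assumption; `parse` and `audit` are hypothetical names.

```python
import re

# Constructed sample: this article's stanzas, abridged to what the checks read.
SAMPLE = """
vlans { Wireless-mgnt { vlan-id 5; } wifi-guest-1000 { vlan-id 1000; }
        wifi-corp-1001 { vlan-id 1001; } }
interfaces { ge-0/0/4 { unit 0 { family ethernet-switching { port-mode trunk;
    vlan { members [ wifi-guest-1000 wifi-corp-1001 ]; } native-vlan-id 5; } } } }
wlan { access-point ax411-ap { radio 2 {
    virtual-access-point 0 { ssid Guest; vlan 1000; security { none; } }
    virtual-access-point 1 { ssid Corp; vlan 1001; security { wpa-personal {
        cipher-suites { tkip; } key "$ABC123"; } } } } } }  ## SECRET-DATA
"""

def parse(text):
    """Parse Junos curly-brace config into nested dicts (leaf statement -> value)."""
    toks = re.findall(r'"[^"]*"|\[[^\]]*\]|[{};]|[^\s{};]+', re.sub(r'##.*', '', text))
    stack, words = [{}], []
    for t in toks:
        if t == '{':      # container: key is the words seen since the last delimiter
            stack.append(stack[-1].setdefault(' '.join(words), {}))
        elif t == '}' and len(stack) > 1:
            stack.pop()
        elif t == ';' and words:   # leaf: first word is the key, the rest its value
            stack[-1][words[0]] = ' '.join(words[1:])
        words = words + [t] if t not in ('{', '}', ';') else []
    return stack[0]

def audit(cfg):
    """Cross-check SSID VLANs against the vlans and trunk stanzas; flag weak SSIDs."""
    vlans, out, tagged = cfg.get('vlans', {}), [], set()
    by_id = {v.get('vlan-id'): name for name, v in vlans.items()}
    for port, ifc in cfg.get('interfaces', {}).items():
        sw = ifc.get('unit 0', {}).get('family ethernet-switching', {})
        members = sw.get('vlan', {}).get('members', '').strip('[] ').split()
        tagged.update(members)
        if by_id.get(sw.get('native-vlan-id', '')) in members:
            out.append(f'{port}: native VLAN is also a tagged trunk member')
    for ap in cfg.get('wlan', {}).values():
        for radio in (r for k, r in ap.items() if k.startswith('radio ')):
            for vap in (v for k, v in radio.items() if k.startswith('virtual-access-point ')):
                ssid, sec = vap.get('ssid'), vap.get('security', {})
                if by_id.get(vap.get('vlan', '')) not in tagged:
                    out.append(f'{ssid}: VLAN {vap.get("vlan")} is not defined or not on a trunk')
                if 'none' in sec:
                    out.append(f'{ssid}: open SSID (security none)')
                if any(isinstance(m, dict) and 'tkip' in m.get('cipher-suites', {}) for m in sec.values()):
                    out.append(f'{ssid}: cipher-suites is tkip (deprecated cipher)')
    return out
```

To check a live device, pass the text of `show configuration` from the SRX to `parse` in place of `SAMPLE`.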


 
Modification History:
2020-02-27: minor non-technical edits.