Because we are a PCI compliant shop we have our current user-lan wifi network segment separated from the user-lan network segment, so I can limit what areas of the internal network the wifi clients can get to and maintain PCI compliance.
For our guest network, I also have a separate VLAN where we also have some other conference room devices like the smart TV, Apple TV, etc. that are plugged into physical switch ports on this VLAN. Currently we have two retail wifi routers plugged into these 2 segments to provide bridging to each of the network segments (i.e., plugged into the LAN port on the wifi routers with no routing functionality turned on the Belkin and Linksys routers). We are using Dell PowerConnect switches in our offices.
We had recently purchased a Sophos AP30 to replace these two routers. After lots of trials and tribulations trying to get the AP30 to work on our existing UTM, I finally came up with the magic sauce to make this work, and since there is a lack of detailed documentation for the UTM AP## devices, I am posting this guide for people deploying these devices into a similar infrastructure network as ours.
If I am inaccurate in any part of my understanding of how these devices work, please feel free to correct me in follow-up posts. I am guessing at the functionality based on my experience while setting this device up and due to the lack of detailed documentation.
The order in which you follow the steps below is important because of the way that the AP device gets its configuration from the UTM.
For the example provided below:
AP Control/Config Network Segment = USERLAN (10.10.1.0/24) / VLAN 100
USER-LAN Wifi network = USERWIFI (10.11.1.0/24) / VLAN 110
GUEST Wifi network segment = GUESTWIFI (172.16.1.0/24) / VLAN 200
UTM ETH0.100 = USERLAN
UTM ETH0.110 = USERWIFI
UTM ETH0.200 = GUESTWIFI
1. When the device is first un-boxed, it has no configuration. By default it is set up as a DHCP client on whatever network it is connected to. This connection is then used to establish a connection to the UTM and register itself in the Pending Access Points list in the UTM Wireless Protection section. To be able to make this happen:
a) The switch port that the AP is connected to needs to be set up so that untagged traffic on the port is assigned to the same network segment on the UTM that will be used for the management interface connection.
b) This network segment needs to be added to Global Settings/Access Control/Allowed Interfaces list
c) At this point DO NOT set up any Wireless network yet. You will need to wait to do this until after you have set up the AP to communicate via tagged VLAN.
2. Once connected, the access point will connect to the network and, using DHCP, pull an IP address on the USERLAN network using untagged network communication to the UTM via the switch port. It is very important that the switch port that the AP is connected to is set up for untagged traffic on the USERLAN network. This will then make the AP appear in the Pending Access Points list in the Wireless Protection/Access Points section. Go ahead and click the Authorize option to move the AP into the Inactive Access Points list.
3. At this point click on Wireless Protection and open the live log. The next several steps require verification in the live log before proceeding to each successive step.
4. Go to Wireless Settings/Access Points/Inactive Access Points and click on the edit button next to your inactive AP. Click on the Advanced settings and enable both STP and VLAN tagging, then enter your VLAN tag (100 in our example here). When you click save, watch the Live Log. You are looking for the new configuration to be pushed to the AP, then the AP coming back online, and then an error about the VLAN not being available. It is at this point that you will re-configure the switch port.
5. Because all three networks in our example are on VLANs on the UTM, I opted to change our Dell switch port from Access/Untagged/VLAN 100 to Trunk/VLAN 100, 110, 200. VLAN 100 is used for the UTM control channel and the other 2 VLANs will be used when you set up the Wireless networks in Bridged to VLAN mode.
6. Once you update the switch port, you should see the AP connect to the UTM in the Wireless Live Log and the AP should automatically move to the Active Access Points list. You can now set up your Wireless networks.
7. Set up your Wireless networks and select the Client Traffic Bridged to VLAN option and assign the appropriate VLAN tag for each wifi segment.
Save and you should be done. Connect to each SSID and test.
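To make the switch side of steps 1, 4 and 5 concrete, here is an added example (not from the original post) of the two port configurations in Dell PowerConnect 62xx-style CLI. The port number 1/g12 is a placeholder, and the exact command syntax varies between PowerConnect models, so verify it against your switch's CLI reference.

```text
! ---- Steps 1-4: AP is still untagged, so it needs a plain access port
! ---- whose untagged traffic lands in VLAN 100 (USERLAN, UTM ETH0.100)
interface ethernet 1/g12
 switchport mode access
 switchport access vlan 100
exit

! ---- Step 5: change the port ONLY after the Wireless Live Log shows the
! ---- "VLAN tagging, tag 100" config was pushed and the AP came back up.
! ---- From now on the AP tags its control channel with 100, and the two
! ---- SSIDs bridged to VLAN will tag 110 (USERWIFI) and 200 (GUESTWIFI).
interface ethernet 1/g12
 switchport mode trunk
 switchport trunk allowed vlan add 100,110,200
exit

! ---- Verify: the port should show mode trunk and exactly VLANs 100,110,200.
! ---- If your model allows all VLANs on a trunk by default, remove the rest
! ---- so the AP port carries only the three segments it actually needs.
show interfaces switchport ethernet 1/g12
```

Keeping the allowed-VLAN list to just the three segments is what preserves the PCI separation described at the top of the post: the AP port cannot reach any other internal VLAN even if the AP is misconfigured later.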
I mistakenly didn't wait for verification that the setting for the AP to use VLAN tagging for the control channel had actually been pushed to the AP before changing the switch port, and the setting never got pushed to the AP.
Another issue I had problems with is that for the first 7-8 times through setup, I was setting up the wireless networks before I had connected the AP and gotten it into the active list. Because the Wireless Networks Bridge to VLAN option can ONLY be used when the AP is in Enable VLAN Tagging mode, and the VLAN tagging mode could never be pushed to the AP while the switch port was in tagged-traffic-only mode, the config would never get pushed from the UTM to the AP and nothing would work.
Hope this helps others on the feature setup.
Scott