Many organisations offer access to the Internet for their staff. This may be for business reasons, allowing the user to operate and carry out company functions. There may also be a requirement to allow access to the Internet for people who visit the company. As visitors are guests to the organisation, they are usually restricted and cannot access any of the company’s resources such as printers or stored files. This keeps the organisation's internal network private from the visitor and helps to maintain security. This is achieved by creating a separate wireless network which is isolated from the main network, in effect setting up multiple SSIDs which can’t access each other.

This setup guide demonstrates how to use Central AP Management to create a wireless network for internal users that utilises 802.1X authentication. In addition, a guest wireless network will be configured with a VLAN used to separate it from the internal network.

This guide is written for firmware versions 3.8.4.x and later; the features shown may not be present or may behave differently with prior firmware versions.


Managing VigorAP Access Points with a DrayTek Vigor Router

The Central AP Management facility available on DrayTek Vigor routers allows the router to control multiple access points (number varies by model, check product specification) for configuration, monitoring and management such as firmware upgrades.

With Central AP Management, a single profile can be applied to a group of VigorAP Access Points, greatly reducing the time required to configure a number of access points on a network.


Article Sections

Before You Begin - Important details to consider before setting up this type of network configuration

    • Network Design
    • Using 802.1X Authentication
    • Moving Between VigorAP Access Points

VLAN Configuration - The changes required on the Vigor router to separate the Internal network from the new Guest network

RADIUS Server Setup - Configuring the DrayTek Vigor router to operate as a RADIUS server for use with WPA2/802.1X authentication

Central AP Management - Configure a number of VigorAP Access Points through a single profile

Before You Begin


When installing any new network configuration, planning the network design and considering the implications of those decisions will aid with support and usage after the installation. The features available on DrayTek VigorAP access points such as 802.1X authentication, while beneficial in some uses and network types, may not be ideal to use in all scenarios.


As an example, this network design will utilise 802.1X authentication, which allows wireless clients to authenticate with a username and password. This can speed up the hand-off when moving between two access points, but setting up wireless clients to access this type of network has additional steps compared to a Pre-Shared-Key (WPA2/PSK) security implementation.

When users connect to a DrayTek Vigor network with 802.1X authentication, their wireless client will need to be aware of these settings:

  • Phase 1 / EAP Method: PEAP
  • Phase 2: MS-CHAPv2
  • CA Certificate / Certificate Validation: Not enabled / Do Not Validate

Many wireless clients will be automatically aware of this, but the variation between wireless clients may have implications for supporting an 802.1X authenticated wireless network if unexpected users, such as those on a guest wireless network, will be connecting.

Because of this, this setup example utilises 802.1X authentication for the Internal wireless network, where devices are less likely to change and the configuration for each device type would be well known.

The Guest wireless network will be using a standard Pre-Shared-Key (WPA2/PSK) password implementation to simplify the connection process for guest users.


Network Design

This network design example will configure the DrayTek Vigor router and VigorAP access points to operate with two separate networks, with a Guest wireless network kept separate from the internal wired and wireless network.

The 2.4GHz and 5GHz wireless interfaces are configured with the same SSID and security settings to allow dual-band wireless clients to connect to either network.

Band Steering is enabled to guide clients which are 5GHz capable onto the 5GHz band where possible to ensure good usage of the 5GHz band.

| Network Segment | IP Range | Wireless Network Name | Wireless Security Method |
| --- | --- | --- | --- |
| Internal Network | 192.168.1.0 / 24 | Office WiFi | Username & Password (802.1X) |
| Guest Network | 192.168.2.0 / 24 | Guests | Password / Pre-Shared Key (PSK) |

Using 802.1X Authentication

The Internal wireless network will use 802.1X authentication for username and password authentication and to allow the usage of the VigorAP Access Point's Fast Mobility features. This can speed up the re-authentication process when moving from one VigorAP to another; DrayTek VigorAP access points can use Pre-Authentication and PMK Caching to share details of authenticated clients. The result is that when a wireless client moves from one access point to another, the handshake process of WPA2/802.1X security needs to perform fewer steps to authenticate this client.

Using 802.1X authentication requires a RADIUS server to perform the authentication, which is available on the DrayTek Vigor router and will be used in this setup example for the VigorAP access points to provide RADIUS / 802.1X authentication.


This guide demonstrates how to connect Windows 7's built-in wireless client to a wireless network that uses 802.1X authentication:

Connecting a Windows PC to a wireless network with 802.1X / RADIUS security

Other operating systems and wireless clients are typically easier to connect and will prompt to check the network's certificate, which is linked to the DrayTek Vigor router's certificate for SSL & HTTPS management.


Moving Between VigorAP Access Points

When a wireless client moves between two VigorAP Access Points that have the same credentials, the act of disassociating from one access point and re-associating with the next is typically called "Roaming". This is controlled by the wireless client and will depend upon the "Roaming Aggressiveness" and behaviour of the wireless client's network driver / device.

With some wireless clients, the connection may remain with the now more distant VigorAP instead of moving to the closer VigorAP.

DrayTek VigorAP Access Points can help with this situation through the use of AP-Assisted Mobility, which intelligently disassociates wireless clients that have a low signal strength to one VigorAP and better signal strength with another VigorAP.

Using 802.1X does reduce the delay in moving between access points, but it does not change the wireless client's own behaviour when moving between access points.

VLAN Configuration

The VigorAP Access Points on the network must be connected to the router with a wired network connection to use VLAN tags required for a guest wireless network; wireless links such as WDS or Universal Repeater cannot pass VLAN tags that are required for a guest wireless network to operate.

Network Configuration

| Network Segment | Network | VLAN Name | VLAN Tag | IP Range |
| --- | --- | --- | --- | --- |
| Internal Network | LAN1 | VLAN0 | Untagged | 192.168.1.0 / 24 |
| Guest Network | LAN2 | VLAN1 | 10 | 192.168.2.0 / 24 |

The wireless guest network is configured as a separate network on the DrayTek router using a VLAN tag of "10". This VLAN tag is not used by the internal network so the existing network setup will not be affected. The VigorAP Access Point's guest wireless network SSID would be configured to tag traffic on that SSID with the VLAN tag of "10", which would then be processed by the router as part of the guest network, keeping it separate from the internal network.

The VigorAP Access Point's management interface remains on the LAN1 subnet.


Configure VLANs on the DrayTek router

Access the DrayTek Vigor router's web interface and go to [LAN] > [VLAN] – on that page, tick Enable.

On the VLAN1 row, tick Enable in the VLAN Tag column and set the VID to 10. This means that any traffic received by the router with a VLAN tag of 10 will be assigned to the VLAN1 (Guest) network.

Tick the LAN Port VLAN settings as shown, with all LAN ports P1 to P6 being a member of both VLAN0 and VLAN1. This is to simplify the network configuration: any VigorAP will need to have access to the Internal (untagged) and Guest (VLAN tag 10) network segments, and making each port a member of both VLANs effectively makes it operate as a "Trunk" port. The VigorAPs can then be connected to the router directly or through a switch.

If the router is a wireless model, make sure that the SSID entries are each a member of a VLAN, as shown in the example above, otherwise the router will not be able to save the setting changes.

Note - Network Configuration

If the VigorAP access points are connected to the router through a network switch, check whether the switch is Managed or Unmanaged.
An Unmanaged switch will typically be able to pass tagged and untagged packets with no configuration required.

A Managed switch may have default VLAN configuration settings that could cause the switch to drop packets with VLAN tags. It may be necessary to reconfigure the switch to pass through untagged and VLAN tagged packets. Check the managed switch's documentation for information. There are no specific settings recommended in this guide because of variation in usage of terms between manufacturers.

You may have noticed that P1, P2, P3, P4, P5 and P6 are in both LAN1 and LAN2. The LAN that the router places traffic in depends on the tag received. If it receives a packet that has VLAN ID 10, it treats it as LAN2; if it receives a packet without a tag, it treats it as LAN1. For example, a simple PC connected to one of these ports would not send the VID 10 tag and so would be allocated a DHCP address from LAN1.

Click OK to apply the new VLAN configuration.


The router will prompt with this message if LAN2 / VLAN1 has not been configured previously:

The tickbox shown for "LAN 2" will enable the LAN2 subnet with its default IP settings of:

| Setting | Value |
| --- | --- |
| IP Address | 192.168.2.1 |
| Subnet Mask | 255.255.255.0 |
| DHCP Range | 192.168.2.10 to 192.168.2.110 |

Clicking OK on this warning page will reboot the router to apply the setting changes.

If the LAN 2 IP settings need to be changed, they can be configured in the [LAN] > [General Setup] section once the router has restarted.


When the router has restarted, access the web interface and go to [LAN] > [General Setup].

This lists the different LAN interfaces for the router, with the Inter-LAN Routing Table below it, which controls whether LAN interfaces can access each other:


In this example, the Guest network which will use the LAN 2 interface, should not have access to the Internal / LAN 1 network, therefore the tickbox for LAN 2 to access LAN 1 is not checked in the Inter-LAN Routing table.


In instances where communication should be allowed between the networks connecting through the router's multiple LAN interfaces, tick the check box in the Inter-LAN Routing table and click OK to apply the change.
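The tag-based classification and the Inter-LAN Routing decision described in this section can be modelled as follows. This is an added example, not DrayTek's code: the function names, the sample frames and the treatment of unknown tags and of VID 0 are assumptions based on standard 802.1Q, while the VLAN values come from the Network Configuration table above.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Mapping taken from this guide's Network Configuration table:
# untagged -> LAN1 (VLAN0), VLAN tag 10 -> LAN2 (VLAN1).
VID_TO_LAN = {None: "LAN1", 10: "LAN2"}

# Inter-LAN Routing as set in this guide: no box ticked, so no
# (source, destination) pair is allowed between different LANs.
INTER_LAN_ROUTING = set()


def parse_vid(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet II frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF  # low 12 bits; the top 4 are priority and DEI
    # VID 0 is a priority tag in standard 802.1Q and carries no VLAN
    # membership (assumed here; not confirmed for the Vigor router).
    return vid or None


def classify(frame: bytes):
    """LAN the frame belongs to, or None when the tag matches no VLAN."""
    return VID_TO_LAN.get(parse_vid(frame))


def may_route(src_lan: str, dst_lan: str, table=INTER_LAN_ROUTING) -> bool:
    """True if traffic from src_lan may reach dst_lan through the router."""
    return src_lan == dst_lan or (src_lan, dst_lan) in table


def build_frame(vid=None, priority=0) -> bytes:
    """Constructed sample: broadcast IPv4 frame, optionally 802.1Q tagged."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vid)
    return header + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    samples = [("wired PC, untagged", build_frame()),
               ("Guests SSID, tag 10", build_frame(10)),
               ("unexpected tag 20", build_frame(20))]
    for label, frame in samples:
        print(f"{label:22} -> {classify(frame)}")
    print("LAN2 -> LAN1 allowed:", may_route("LAN2", "LAN1"))
```

The same parser can be pointed at frames captured on a trunk port to confirm that traffic from the Guests SSID really arrives with tag 10 before relying on the separation.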

RADIUS Server Setup

1. Using the Vigor Router as a RADIUS Server

DrayTek Vigor routers that support Central AP Management each support operating as a RADIUS server, which can be used as a central point both to manage and have VigorAP Access Points authenticate users through it, instead of requiring a separate server for RADIUS authentication. The user accounts are managed through the router's User Management section, which allows up to 198 user profiles.

The router's RADIUS server allows for RADIUS user authentication, which is used for Router > AP communication of user credentials, but also allows 802.1X user authentication, which is used for the router's own wireless and wired interface's 802.1X authentication. This is explained in greater detail here.

To enable the RADIUS server on the router, go to [Applications] > [RADIUS/TACACS+] and click on the Internal RADIUS tab:

 

  • Enable the server
  • Authentication Port - 1812, which is the default port used for RADIUS authentication
  • RADIUS Client Access List - tick Enable for an index
    • Shared Secret - Enter a password which will be used by both the RADIUS server (router) and client (access points).
    • Network Address - Enter a network / IP subnet range that would be allowed to authenticate with it, for instance if the devices are all within the 192.168.1.x network, enter 192.168.1.0 with a subnet mask of 255.255.255.0. To enable client access from a single device, use a /32 subnet mask, i.e. to allow only 192.168.1.64, enter 192.168.1.64 as the IP address and 255.255.255.255 as the subnet mask.
  • Authentication
    • Method - PAP/CHAP/MS-CHAP/MS-CHAPv2
    • 802.1X Method - tick Support 802.1X Method. This particular option only needs to be enabled if the router's WiFi or wired interfaces are using 802.1X authentication
  • If there are existing User Management accounts configured on the router, they can be moved into the Authentication List to allow those users to authenticate through RADIUS.

Make a note of the 802.1X method listed, which is:

  • Phase 1: PEAP
  • Phase 2: MS-CHAPv2

Some wireless 802.1X clients such as Android devices may provide a number of different options for authenticating with an 802.1X network; select these options for phase 1 and 2 to connect successfully.

Note - Shared Secret

The password set as the Shared Secret will be required when configuring the Central AP Management profile later in this guide.

Click OK and the router will prompt to restart to apply the change and enable the RADIUS server:

Click OK again to reboot the router.
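The two controls configured above, the RADIUS Client Access List and the Shared Secret, can be illustrated with the following added example (not DrayTek's code). It assumes the reply check defined in RFC 2865, where the Response Authenticator is an MD5 digest over the reply and the shared secret; the function names, secret and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)


def client_allowed(source_ip: str, access_list) -> bool:
    """access_list holds (network address, subnet mask) pairs as entered
    in the RADIUS Client Access List."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(f"{net}/{mask}")
               for net, mask in access_list)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret) -> bytes:
    """Server side: the reply the RADIUS server returns to the access point."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(packet, ident, request_auth, secret) -> bool:
    """Client side: accept a reply only if it was made with our secret."""
    if len(packet) < 20:
        return False
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or length != len(packet):
        return False
    expected = response_authenticator(code, reply_id, packet[20:],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values, not taken from a real device.
ACL_SUBNET = [("192.168.1.0", "255.255.255.0")]      # whole LAN1 subnet
ACL_SINGLE = [("192.168.1.64", "255.255.255.255")]   # one access point only
SECRET = b"example-shared-secret"

if __name__ == "__main__":
    request_auth = os.urandom(16)              # sent by the AP in its request
    attrs = struct.pack("!BBI", 27, 6, 3600)   # Session-Timeout = 3600
    reply = build_reply(ACCESS_ACCEPT, 1, attrs, request_auth, SECRET)
    print("matching secret :", verify_reply(reply, 1, request_auth, SECRET))
    print("mistyped secret :",
          verify_reply(reply, 1, request_auth, b"mistyped-secret"))
    print("guest 192.168.2.15 allowed:",
          client_allowed("192.168.2.15", ACL_SUBNET))
```

Limiting the access list to the access points' own addresses, as in `ACL_SINGLE`, keeps other LAN devices from presenting themselves as RADIUS clients even if they learn the secret.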


Configuring User Accounts for use with RADIUS

The individual user accounts used for RADIUS authentication are configured in the [User Management] > [User Profile] section. To configure an account, go to that section and click on an unused account. The "admin" and "Dial-In User" accounts are used by the router and cannot be altered.

In this example, Profile 3 will be used; click on the 3. link to modify that profile:

In the User Profile, there are three sections:

  1. Common Settings - The username and password for the account. Tick "Enable" to use the account
  2. Web login Setting - These settings can be ignored, they are only used when the router's firewall is configured to control access with User Management, which is not covered / used in this guide
  3. Internal Services - Tick the "Internal RADIUS" and "Local 802.1X" options for the user account

Click OK to save the profile and continue.


If there are user profiles already configured on the router that need to be set to allow usage with RADIUS authentication, this can be quickly set through the [System Maintenance] > [Internal Service User List], which lists the user accounts configured on the router with check-boxes for the services that can authenticate with those credentials. In this example, the existing user accounts are configured to allow RADIUS authentication.

When making changes, click OK to save and apply the changes made.

Central AP Management

Configuring VigorAP Access Points through a DrayTek Vigor Router

DrayTek VigorAP Access Points connected to the local network of a DrayTek Vigor router will be detected automatically.

The VigorAP Access Points detected by the router are displayed in [Central Management] > [AP] > [Status]:

This displays the current settings of an access point with its primary SSID on the 2.4GHz and 5GHz interfaces, wireless channels used and the number of wireless clients connected.

Clicking on the Index number for an access point in this list will show additional details on the configuration of the access point.


To begin setting up the VigorAP Access Points, go to [Central Management] > [AP] > [WLAN Profile], which contains the profiles configured on the DrayTek Vigor router for use with VigorAP Access Points.

The "Default" profile will not be used in this example.

Click the check-box for an available profile and click Edit to continue:

Each wireless profile has three pages:

  1. Wireless Interface & Device Settings
  2. 2.4GHz SSID & Security Settings
  3. 5GHz SSID & Security Settings

On the first page of the profile, the following settings can be configured. A description of each setting is listed in the table below.

| Option | Setting | Description |
| --- | --- | --- |
| Device Settings | | |
| Profile Name | Office Wireless | An identifier for the profile. This is only used by the router and does not appear on VigorAPs |
| Administrator | admin | The username applied onto the VigorAP for management |
| Password | *set a secure password* | The password applied onto the VigorAP for management |
| 2.4GHz / 5GHz WLAN General Settings | | |
| Wireless LAN | Enable | Enable or Disable the wireless interface |
| Limit Client | Off | Limit the number of clients to the specified amount |
| Operation Mode | AP | Access Point or Universal Repeater mode |
| 2.4G / 5G Mode | Mixed | Sets the allowed 802.11 types that can connect to the AP |
| 2.4G / 5G Channel | 6 & 48 | The wireless channel that the AP will operate on |
| Airtime Fairness | Disable | Enable or Disable Airtime Fairness |
| Band Steering | Enable | 2.4GHz Only - guides dual band wireless clients to 5GHz band |
| Roaming | Enable | Requires WPA2/802.1X security, enables Fast Handoff |
| WMM | Disable | Enable or Disable Wireless Multi Media |
| Tx Power | 100% | Control TX Power of VigorAP's wireless radio |

With the settings configured, click the Next button to continue which will prompt for the 2.4GHz SSID and Security settings.


Configure SSID1, which will be using 802.1X / RADIUS authentication:

| Option | Setting |
| --- | --- |
| SSID (wireless network name that will be broadcast) | Office WiFi |
| VLAN | 0 |
| Encryption | WPA2/802.1X |
| WPA Algorithm | AES |
| WPA Pass Phrase | *unavailable with 802.1X security* |
| WPA Key Renewal Interval | 3600 |

There are additional settings further down the page for configuring Access Control Lists and Bandwidth Management settings. These are not essential for the setup of a wireless network and will not be covered in this guide.

Click on the RADIUS Server link to configure the server details that the VigorAP access points will be authenticating with. This will open a new pop-up window to configure:

| Option | Setting | Description |
| --- | --- | --- |
| Type | External Server | The External Server option refers to the access point contacting an external RADIUS server. If this option is set to "Internal Server", the VigorAP will use its own RADIUS user account list |
| IP Address | 192.168.1.1 | The IP address of the router operating as the RADIUS server |
| Port | 1812 | This is the default port used for RADIUS authentication |
| Shared Secret | *set a secure password* | The password that was configured in the RADIUS Server Setup section |
| Session Timeout | 3600 | The time in seconds that the VigorAP's connection will remain active with the RADIUS server |

Note that the Shared Secret shown is only an example; this will be the Shared Secret that is configured in the router's Internal RADIUS Server configuration.

Click OK to close that pop-up and continue.


Click on SSID2 to configure the Guest wireless network on the 2.4GHz interface. This network will be using a normal pre-shared key:

| Option | Setting |
| --- | --- |
| SSID (wireless network name that will be broadcast) | Guests |
| VLAN | 10 |
| Encryption | WPA2/PSK |
| WPA Algorithm | AES |
| WPA Pass Phrase (password) | *set a secure password* |
| WPA Key Renewal Interval | 3600 |

With the 2.4GHz settings configured, click the Next button to configure the 5GHz SSID & Security settings.


The 5GHz SSID & Security settings are configured with the same settings as the 2.4GHz interface. Check the table below for reference:

| Option | SSID 1 Setting | SSID 2 Setting |
| --- | --- | --- |
| SSID (wireless network name that will be broadcast) | Office WiFi | Guests |
| VLAN | 0 | 10 |
| Encryption | WPA2/802.1X | WPA2/PSK |
| WPA Algorithm | AES | AES |
| WPA Pass Phrase (password) | *unavailable with 802.1X security* | *set a secure password* |
| WPA Key Renewal Interval | 3600 | 3600 |

When configuring 5GHz SSID1, click the RADIUS Server link to configure the RADIUS server settings for the 5GHz wireless interface. The settings are the same as the ones configured for the 2.4GHz SSID1 RADIUS Server settings.

Note that the Shared Secret shown is only an example; this will be the Shared Secret that is configured in the router's Internal RADIUS Server configuration.

Click Finish to complete the WLAN Profile configuration, which will return to the list of profiles:

Click the check-box for the profile to apply and click Apply To Device. This will pop-up a window to select which VigorAP Access Points to apply the profile to. Select the access points from the left and click [>>] for each VigorAP that will have the profile applied, then click OK. The router will then apply the WLAN Profile to the Access Points.

Once the configuration has been applied, each VigorAP Access Point will restart with the new configuration. This should be visible after roughly a minute in the [Central Management] > [AP] > [Status] section, with the new SSID settings visible:

Click on an Index number for one of the VigorAP Access Points to view the list of settings:

The wireless network will now be ready for use, with the "Guests" network able to access the Internet without any access to internal network resources.