III. Wireless LAN
Expired: Central AP Management Setup Example - Office Wireless with 802.1X Authentication & Guest network
Many organisations provide Internet access for their staff so that users can carry out company functions, and may also need to provide it for people who visit the company. As visitors are guests of the organisation, they are usually restricted and cannot reach the company's resources such as printers or stored files; this keeps the organisation's internal network private from the visitor and helps to maintain security. It is achieved by creating a separate wireless network which is isolated from the main network, in effect setting up multiple SSIDs which cannot access each other.
This setup guide demonstrates how to use Central AP Management to create a wireless network for internal users that utilises 802.1X authentication. In addition, a guest wireless network will be configured with a VLAN that separates it from the internal network.
This guide is written for firmware version 3.8.4.x and later; the features shown may not be present or may behave differently with earlier firmware versions.
Managing VigorAP Access Points with a DrayTek Vigor Router
The Central AP Management facility available on DrayTek Vigor routers allows the router to control multiple access points (the number varies by model; check the product specification) for configuration, monitoring and management tasks such as firmware upgrades.
With Central AP Management, a single profile can be applied to a group of VigorAP Access Points, greatly reducing the time required to configure a number of access points on a network.
Article Sections
Click to jump to a specific section:
- Before You Begin - Important details to consider before setting up this type of network configuration
  - Network Design
  - Using 802.1X Authentication
  - Moving Between VigorAP Access Points
- VLAN Configuration - The changes required on the Vigor router to separate the Internal network from the new Guest network
- RADIUS Server Setup - Configuring the DrayTek Vigor router to operate as a RADIUS server for use with WPA2/802.1X authentication
- Central AP Management - Configure a number of VigorAP Access Points through a single profile
Before You Begin
When installing any new network configuration, planning the network design and considering the implications of those decisions will aid with support and usage after the installation. The features available on DrayTek VigorAP access points, such as 802.1X authentication, are beneficial in some uses and network types but may not be ideal in all scenarios.
As an example, this network design will utilise 802.1X authentication, which allows wireless clients to authenticate with a username and password. This can speed up the hand-off when moving between two access points, but setting up wireless clients to access this type of network takes additional steps compared to a Pre-Shared-Key (WPA2/PSK) security implementation.
When users connect to a DrayTek Vigor network with 802.1X authentication, their wireless client will need to be aware of these settings:
- Phase 1 / EAP Method: PEAP
- Phase 2: MS-CHAPv2
- CA Certificate / Certificate Validation: Not enabled / Do Not Validate
Many wireless clients will detect these settings automatically, but the variation between clients has support implications for an 802.1X authenticated wireless network if unexpected devices, for instance on a guest wireless network, will be connecting. One security caveat with the "Do Not Validate" setting: a client that does not check the server certificate will complete the PEAP / MS-CHAPv2 exchange with any access point broadcasting the same SSID, not only the organisation's own. Where a client supports it, installing the router's certificate on the device and enabling validation closes that gap, at the cost of one more setup step per device.
Because of this, this setup example utilises 802.1X authentication for the Internal wireless network, where devices are less likely to change and the configuration for each device type would be well known.
The Guest wireless network will be using a standard Pre-Shared-Key (WPA2/PSK) password implementation to simplify the connection process for guest users.
Network Design
This network design example will configure the DrayTek Vigor router and VigorAP access points to operate with two separate networks, with a Guest wireless network kept separate from the internal wired and wireless network.
The 2.4GHz and 5GHz wireless interfaces are configured with the same SSID and security settings to allow dual-band wireless clients to connect to either network.
Band Steering is enabled to guide clients which are 5GHz capable onto the 5GHz band where possible to ensure good usage of the 5GHz band.
Network Segment | IP Range | Wireless Network Name | Wireless Security Method |
---|---|---|---|
Internal Network | 192.168.1.0 / 24 | Office WiFi | Username & Password (802.1X) |
Guest Network | 192.168.2.0 / 24 | Guests | Password / Pre-Shared Key (PSK) |
Using 802.1X Authentication
The Internal wireless network will use 802.1X authentication for username and password authentication and to allow the usage of the VigorAP Access Point's Fast Mobility features. This can speed up the re-authentication process when moving from one VigorAP to another; DrayTek VigorAP access points can use Pre-Authentication and PMK Caching to share details of authenticated clients. The result is that when a wireless client moves from one access point to another, the WPA2/802.1X handshake needs fewer steps to authenticate that client.
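As an added illustration of the PMK caching step described above (this is example code, not DrayTek's, and does not show how VigorAP firmware implements it), the following Python computes the PMKID that IEEE 802.11 defines for a cached PMK and models the decision an access point makes when a roaming client presents it. The MAC addresses and the PMK values are constructed for the example; in a real deployment the PMK comes from the EAP session through the RADIUS server.

```python
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to its 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def derive_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID as defined by IEEE 802.11: the first 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || AA || SPA), where AA is the authenticator
    (AP) address and SPA the supplicant (client) address. Because AA is an
    input, the same PMK yields a different PMKID at each access point."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class AccessPoint:
    """Toy model of one AP's PMK (PMKSA) cache, keyed by PMKID."""

    def __init__(self, mac: str) -> None:
        self.mac = mac
        self._cache = {}  # PMKID -> (client MAC, PMK)

    def complete_full_8021x(self, client_mac: str, pmk: bytes) -> bytes:
        """Record the PMK produced by a full EAP exchange (run directly, or via
        pre-authentication through another AP) and return its PMKID so the
        client can cache the same entry."""
        pmkid = derive_pmkid(pmk, self.mac, client_mac)
        self._cache[pmkid] = (client_mac, pmk)
        return pmkid

    def handle_reassociation(self, client_mac: str, offered_pmkids) -> str:
        """The client lists the PMKIDs it holds in the RSN IE of its
        (re)association request. A match for this client lets the AP skip EAP
        and go straight to the 4-way handshake; otherwise full 802.1X runs."""
        for pmkid in offered_pmkids:
            entry = self._cache.get(pmkid)
            if entry is not None and entry[0] == client_mac:
                return "4-way handshake (PMK cached, EAP skipped)"
        return "full 802.1X/EAP authentication"


def roaming_walkthrough() -> dict:
    """Constructed scenario: one client, two APs, PMKs derived from constructed
    key material rather than from a real RADIUS/EAP run."""
    client = "00:11:22:33:44:55"
    ap1 = AccessPoint("aa:bb:cc:00:00:01")
    ap2 = AccessPoint("aa:bb:cc:00:00:02")
    pmk_at_ap1 = hashlib.sha256(b"constructed PMK for AP1 session").digest()
    pmk_at_ap2 = hashlib.sha256(b"constructed PMK for AP2 session").digest()
    client_cache = []  # the client's own PMKSA cache
    results = {}
    # First association at AP1: nothing cached, so a full EAP exchange runs.
    results["first visit AP1"] = ap1.handle_reassociation(client, client_cache)
    client_cache.append(ap1.complete_full_8021x(client, pmk_at_ap1))
    # Pre-authentication: while still on AP1 the client runs 802.1X with AP2
    # over the wired network, so AP2 holds a PMK before the client arrives.
    client_cache.append(ap2.complete_full_8021x(client, pmk_at_ap2))
    results["move to AP2 after pre-authentication"] = ap2.handle_reassociation(client, client_cache)
    # Returning to AP1 later: its cached PMKID still matches.
    results["return to AP1"] = ap1.handle_reassociation(client, client_cache)
    # A PMKID the AP has never seen forces a full authentication.
    results["unknown PMKID at AP1"] = ap1.handle_reassociation(client, [bytes(16)])
    return results


if __name__ == "__main__":
    for step, outcome in roaming_walkthrough().items():
        print(f"{step}: {outcome}")
```

The PMKID binds the cached key to one AP and one client, so a client cannot present a PMKID from another AP and expect it to match; what speeds roaming is that the AP the client arrives at already holds a PMK for it, whether from an earlier visit or from pre-authentication.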
Using 802.1X authentication requires a RADIUS server to perform the authentication. The DrayTek Vigor router includes one, and in this setup example the VigorAP access points will use it for RADIUS / 802.1X authentication.
The following guide demonstrates how to connect the built-in wireless client of Windows 7 to a wireless network that uses 802.1X authentication:
Connecting a Windows PC to a wireless network with 802.1X / RADIUS security
Other operating systems and wireless clients are typically easier to connect and will prompt to check the network's certificate, which is linked to the DrayTek Vigor router's certificate for SSL & HTTPS management.
Moving Between VigorAP Access Points
When a wireless client moves between two VigorAP Access Points that have the same credentials, the act of disassociating from one access point and re-associating with the next is typically called "Roaming". This is controlled by the wireless client and will depend upon the "Roaming Aggressiveness" and behaviour of the wireless client's network driver / device.
With some wireless clients, the connection may remain with the now more distant VigorAP instead of moving to the closer VigorAP.
DrayTek VigorAP Access Points can help with this situation through the use of AP-Assisted Mobility, which intelligently disassociates wireless clients that have a low signal strength to one VigorAP and better signal strength with another VigorAP.
Using 802.1X reduces the delay when moving between access points, but it does not change the wireless client's own decision about when to move.
VLAN Configuration
The VigorAP Access Points on the network must be connected to the router with a wired network connection to use VLAN tags required for a guest wireless network; wireless links such as WDS or Universal Repeater cannot pass VLAN tags that are required for a guest wireless network to operate.
Network Configuration
Network Segment | Network | VLAN Name | VLAN Tag | IP Range |
---|---|---|---|---|
Internal Network | LAN1 | VLAN0 | Untagged | 192.168.1.0 / 24 |
Guest Network | LAN2 | VLAN1 | 10 | 192.168.2.0 / 24 |
The wireless guest network is configured as a separate network on the DrayTek router using a VLAN tag of "10". This VLAN tag is not used by the internal network so the existing network setup will not be affected. The VigorAP Access Point's guest wireless network SSID would be configured to tag traffic on that SSID with the VLAN tag of "10", which would then be processed by the router as part of the guest network, keeping it separate from the internal network.
The VigorAP Access Point's management interface remains on the LAN1 subnet.
Configure VLANs on the DrayTek router
Access the DrayTek Vigor router's web interface and go to [LAN] > [VLAN] – on that page, tick Enable.
On the VLAN1 row, tick Enable in the VLAN Tag column and set the VID to 10. This means that any traffic received by the router with a VLAN tag of 10 will be assigned to the VLAN1 (Guest) network.
Tick the LAN Port VLAN settings as shown, with all LAN ports P1 to P6 being a member of both VLAN0 and VLAN1. This is to simplify the network configuration, any VigorAP will need to have access to the Internal (untagged) and Guest (VLAN tag 10) network segments; making each port a member of both VLANs effectively makes it operate as a "Trunk" port. The VigorAPs can then be connected to the router directly or through a switch.
If the router is a wireless model, make sure that the SSID entries are each a member of a VLAN, as shown in the example above, otherwise the router will not be able to save the setting changes.
Note - Network Configuration
If the VigorAP access points are connected to the router through a network switch, check whether the switch is Managed or Unmanaged.
An Unmanaged switch will typically be able to pass tagged and untagged packets with no configuration required.
A Managed switch may have default VLAN configuration settings that could cause the switch to drop packets with VLAN tags. It may be necessary to reconfigure the switch to pass through untagged and VLAN tagged packets. Check the managed switch's documentation for information. There are no specific settings recommended in this guide because of variation in usage of terms between manufacturers.
Note that ports P1 to P6 are members of both LAN1 and LAN2. The LAN that the router places traffic in depends on the tag received: a packet tagged with VID 10 is treated as LAN2 traffic, while a packet without a tag is treated as LAN1 traffic. For example, a PC connected directly to one of those ports sends untagged frames, so it is allocated a DHCP address from LAN1.
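The router's tag-based decision above, as an added example in Python (not DrayTek code): it builds Ethernet frames with and without an 802.1Q tag, shows the tag a VigorAP adds for each SSID in this guide, and classifies frames into LAN1 or LAN2 using the VID mapping from this section. The MAC addresses and payload are constructed. VID 0, which 802.1Q reserves for priority-tagged frames, is treated as untagged, and a VID with no configured LAN is dropped rather than guessed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Router side: untagged frames belong to LAN1, VID 10 is the Guest network on LAN2.
VID_TO_LAN = {None: "LAN1 (Internal)", 10: "LAN2 (Guest)"}
# AP side: the VLAN value set per SSID in the WLAN profile (0 means no tag).
SSID_VLAN = {"Office WiFi": 0, "Guests": 10}


def mac(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))


def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; an 802.1Q tag is inserted after the addresses when vid is set."""
    header = mac(dst) + mac(src)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def frame_from_ssid(ssid, dst, src, payload):
    """The frame a VigorAP forwards onto the trunk for a client on the given SSID."""
    vid = SSID_VLAN[ssid]
    return build_frame(dst, src, payload, vid=vid if vid else None)


def parse_frame(frame):
    """Return (vid, pcp, ethertype, payload); vid is None for untagged and
    for priority-tagged (VID 0) frames."""
    if len(frame) < 14:
        raise ValueError("short frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, 0, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    pcp = tci >> 13
    return (vid if vid != 0 else None), pcp, inner_type, frame[18:]


def classify(frame):
    """The LAN the router assigns a received frame to, or a drop verdict."""
    vid, _pcp, _ethertype, _payload = parse_frame(frame)
    return VID_TO_LAN.get(vid, "dropped (VID not configured on the router)")


if __name__ == "__main__":
    dst, src, data = "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", bytes(20)
    for name, frame in [
        ("PC on a router port", build_frame(dst, src, data)),
        ("client on Office WiFi", frame_from_ssid("Office WiFi", dst, src, data)),
        ("client on Guests", frame_from_ssid("Guests", dst, src, data)),
        ("stray VID 20", build_frame(dst, src, data, vid=20)),
    ]:
        print(f"{name}: {classify(frame)}")
```

The `dropped` verdict matters on a managed switch too: a switch whose port does not admit VID 10 will discard the Guest frames before they ever reach the router, which is the failure mode the note below this section describes.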
Click OK to apply the new VLAN configuration.
The router will prompt with this message if LAN2 / VLAN1 has not been configured previously:
The tickbox shown for "LAN 2" will enable the LAN2 subnet with its default IP settings of:
IP Address | 192.168.2.1 |
Subnet Mask | 255.255.255.0 |
DHCP Range | 192.168.2.10 to 192.168.2.110 |
Clicking OK on this warning page will reboot the router to apply the setting changes.
If the LAN 2 IP settings need to be changed, they can be configured in the [LAN] > [General Setup] section once the router has restarted.
When the router has restarted, access the web interface and go to [LAN] > [General Setup].
This lists the router's LAN interfaces, with the Inter-LAN Routing Table below them; the table controls whether LAN interfaces can access each other:
In this example, the Guest network which will use the LAN 2 interface, should not have access to the Internal / LAN 1 network, therefore the tickbox for LAN 2 to access LAN 1 is not checked in the Inter-LAN Routing table.
In instances where communication should be allowed between the networks connecting through the router's multiple LAN interfaces, tick the check box in the Inter-LAN Routing table and click OK to apply the change.
RADIUS Server Setup
1. Using the Vigor Router as a RADIUS Server
DrayTek Vigor routers that support Central AP Management also support operating as a RADIUS server, so the router can be the central point both for managing the VigorAP Access Points and for authenticating their users, instead of requiring a separate RADIUS server. The user accounts are managed through the router's User Management section, which allows up to 198 user profiles.
The router's RADIUS server provides RADIUS user authentication, which the VigorAP access points use when they pass user credentials to the router for checking, and also 802.1X user authentication, which is used for 802.1X on the router's own wireless and wired interfaces. This is explained in greater detail here.
To enable the RADIUS server on the router, go to [Applications] > [RADIUS/TACACS+] and click on the Internal RADIUS tab:
- Enable the server
- Authentication Port - 1812, which is the default port used for RADIUS authentication
- RADIUS Client Access List - tick Enable for an index
- Shared Secret - Enter a password which will be used by both the RADIUS server (router) and client (access points).
- Network Address - Enter a network / IP subnet range that would be allowed to authenticate with it, for instance if the devices are all within the 192.168.1.x network, enter 192.168.1.0 with a subnet mask of 255.255.255.0. To enable client access from a single device, use a /32 subnet mask, i.e. to allow only 192.168.1.64, enter 192.168.1.64 as the IP address and 255.255.255.255 as the subnet mask.
- Authentication
- Method - PAP/CHAP/MS-CHAP/MS-CHAPv2
- 802.1X Method - tick Support 802.1X Method. This particular option only needs to be enabled if the router's WiFi or wired interfaces are using 802.1X authentication
- If there are existing User Management accounts configured on the router, they can be moved into the Authentication List to allow those users to authenticate through RADIUS.
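What the client access list and the shared secret give the router, as an added example in Python rather than router code: a NAS such as a VigorAP sends an Access-Request carrying EAP-Message, and RFC 3579 requires it to carry a Message-Authenticator, an HMAC-MD5 over the packet keyed with the shared secret. The router can therefore reject a request from an address outside the access list, or one whose Message-Authenticator does not verify, before it consults any user account. The secret, usernames, addresses and EAP payload below are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


class RadiusClientAccessList:
    """The 'Network Address' entries of the Internal RADIUS server: each entry
    is an IP and a dotted subnet mask; a mask of 255.255.255.255 admits one host."""

    def __init__(self, entries):
        self.networks = [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                         for ip, mask in entries]

    def allows(self, client_ip) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, request_authenticator, username, nas_ip, eap_message, secret):
    """Access-Request as the AP sends it. Message-Authenticator is HMAC-MD5 over
    the packet with that attribute's value zeroed (RFC 2869 / RFC 3579)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)
             + _attr(ATTR_EAP_MESSAGE, eap_message))
    length = 20 + len(attrs) + 18  # header + attributes + Message-Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    placeholder = header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    tag = hmac.new(secret, placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, tag)


def _iter_attrs(packet):
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret) -> bool:
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, pos, value in _iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP over RADIUS without Message-Authenticator must be rejected


def server_accepts(packet, source_ip, access_list, secret):
    """The checks the router applies before looking at the user's credentials."""
    if not access_list.allows(source_ip):
        return False, "source not in RADIUS Client Access List"
    if not verify_message_authenticator(packet, secret):
        return False, "Message-Authenticator mismatch (wrong shared secret or altered packet)"
    return True, "request authenticated; proceed to EAP and user lookup"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    acl = RadiusClientAccessList([("192.168.1.0", "255.255.255.0")])
    # Constructed EAP-Response/Identity for user "alice": code 2, id 1, length 10, type 1.
    eap = bytes([2, 1, 0, 10, 1]) + b"alice"
    req = build_access_request(7, bytes(range(16)), "alice", "192.168.1.64", eap, secret)
    print(server_accepts(req, "192.168.1.64", acl, secret))
    print(server_accepts(req, "192.168.2.5", acl, secret))
    print(server_accepts(req, "192.168.1.64", acl, b"wrong-secret"))
```

A mismatch is the symptom to look for when the VigorAP profile's shared secret and the router's do not agree: the AP's request is discarded at this step and the wireless client simply fails to authenticate.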
Make a note of the 802.1X method listed, which is:
- Phase 1: PEAP
- Phase 2: MS-CHAPv2
Some wireless 802.1X clients, such as Android devices, offer a number of different options for authenticating with an 802.1X network; select these options for Phase 1 and Phase 2 to connect successfully.
Note - Shared Secret
The password set as the Shared Secret will be required when configuring the Central AP Management profile later in this guide
Click OK and the router will prompt to restart to apply the change and enable the RADIUS server:
Click OK again to reboot the router.
Configuring User Accounts for use with RADIUS
The individual user accounts used for RADIUS authentication are configured in the [User Management] > [User Profile] section. To configure an account, go to that section and click on an unused account. The "admin" and "Dial-In User" accounts are used by the router and cannot be altered.
In this example, Profile 3 will be used; click on the 3. link to modify that profile:
In the User Profile, there are three sections:
- Common Settings - The username and password for the account. Tick "Enable" to use the account
- Web login Setting - These settings can be ignored, they are only used when the router's firewall is configured to control access with User Management, which is not covered / used in this guide
- Internal Services - Tick the "Internal RADIUS" and "Local 802.1X" options for the user account
Click OK to save the profile and continue.
If there are user profiles already configured on the router that need to be set to allow usage with RADIUS authentication, this can be quickly set through the [System Maintenance] > [Internal Service User List], which lists the user accounts configured on the router with check-boxes for the services that can authenticate with those credentials. In this example, the existing user accounts are configured to allow RADIUS authentication.
When making changes, click OK to save and apply the changes made.
Central AP Management
Configuring VigorAP Access Points through a DrayTek Vigor Router
DrayTek VigorAP Access Points connected to the local network of a DrayTek Vigor router will be detected automatically.
The VigorAP Access Points detected by the router are displayed in [Central Management] > [AP] > [Status]:
This displays the current settings of an access point with its primary SSID on the 2.4GHz and 5GHz interfaces, wireless channels used and the number of wireless clients connected.
Clicking on the Index number for an access point in this list will show additional details on the configuration of the access point.
To begin setting up the VigorAP Access Points, go to [Central Management] > [AP] > [WLAN Profile], which contains the profiles configured on the DrayTek Vigor router for use with VigorAP Access Points.
The "Default" profile will not be used in this example.
Click the check-box for an available profile and click Edit to continue:
Each wireless profile has three pages:
- Wireless Interface & Device Settings
- 2.4GHz SSID & Security Settings
- 5GHz SSID & Security Settings
On the first page of the profile, the following settings can be configured. A description of each setting is listed in the table below.
Option | Setting | Description |
---|---|---|
Device Settings | ||
Profile Name | Office Wireless | An identifier for the profile. This is only used by the router and does not appear on VigorAPs |
Administrator | admin | The username applied onto the VigorAP for management |
Password | *set a secure password* | The password applied onto the VigorAP for management |
2.4GHz / 5GHz WLAN General Settings | ||
Wireless LAN | Enable | Enable or Disable the wireless interface |
Limit Client | Off | Limit the number of clients to the specified amount |
Operation Mode | AP | Access Point or Universal Repeater mode |
2.4G / 5G Mode | Mixed | Sets the allowed 802.11 types that can connect to the AP |
2.4G / 5G Channel | 6 & 48 | The wireless channel that the AP will operate on |
Airtime Fairness | Disable | Enable or Disable Airtime Fairness |
Band Steering | Enable | 2.4GHz Only - guides dual band wireless clients to 5GHz band |
Roaming | Enable | Requires WPA2/802.1X security, enables Fast Handoff |
WMM | Disable | Enable or Disable Wireless Multi Media |
Tx Power | 100% | Control TX Power of VigorAP's wireless radio |
With the settings configured, click the Next button to continue which will prompt for the 2.4GHz SSID and Security settings.
Configure SSID1, which will be using 802.1X / RADIUS authentication:
Option | Setting |
---|---|
SSID (wireless network name that will be broadcast) | Office WiFi |
VLAN | 0 |
Encryption | WPA2/802.1X |
WPA Algorithm | AES |
WPA Pass Phrase | *unavailable with 802.1X security* |
WPA Key Renewal Interval | 3600 |
There are additional settings further down the page for configuring Access Control Lists and Bandwidth Management settings, these are not essential for the setup of a wireless network and will not be covered in this guide.
Click on the RADIUS Server link to configure the server details that the VigorAP access points will be authenticating with, this will pop-up a new window to configure:
Option | Setting | Description |
---|---|---|
Type | External Server | The External Server option refers to the access point contacting an external RADIUS server. If this option is set to "Internal Server", the VigorAP will use its own RADIUS user account list |
IP Address | 192.168.1.1 | The IP address of the router operating as the RADIUS server |
Port | 1812 | This is the default port used for RADIUS authentication |
Shared Secret | *set a secure password* | The password that was configured in the RADIUS Server Setup section |
Session Timeout | 3600 | The interval in seconds after which an authenticated wireless client must re-authenticate through the RADIUS server |
Note that the Shared Secret shown is only an example, this will be the Shared Secret that is configured in the router's Internal RADIUS Server configuration.
Click OK to close that pop-up and continue.
Click on SSID2 to configure the Guest wireless network on the 2.4GHz interface, this network will be using a normal pre-shared key:
Option | Setting |
---|---|
SSID (wireless network name that will be broadcast) | Guests |
VLAN | 10 |
Encryption | WPA2/PSK |
WPA Algorithm | AES |
WPA Pass Phrase (password) | *set a secure password* |
WPA Key Renewal Interval | 3600 |
With the 2.4GHz settings configured, click the Next button to configure the 5GHz SSID & Security settings.
The 5GHz SSID & Security settings are configured with the same settings as the 2.4GHz interface, check the table below for reference:
Option | SSID 1 Setting | SSID 2 Setting |
---|---|---|
SSID (wireless network name that will be broadcast) | Office WiFi | Guests |
VLAN | 0 | 10 |
Encryption | WPA2/802.1X | WPA2/PSK |
WPA Algorithm | AES | AES |
WPA Pass Phrase (password) | *unavailable with 802.1X security* | *set a secure password* |
WPA Key Renewal Interval | 3600 | 3600 |
When configuring 5GHz SSID1, click the RADIUS Server link to configure the RADIUS server settings for the 5GHz wireless interface. The settings are the same as the ones configured for the 2.4GHz SSID1 RADIUS Server settings.
Note that the Shared Secret shown is only an example, this will be the Shared Secret that is configured in the router's Internal RADIUS Server configuration.
Click Finish to complete the WLAN Profile configuration, which will return to the list of profiles:
Click the check-box for the profile to apply and click Apply To Device. This will pop-up a window to select which VigorAP Access Points to apply the profile to. Select the access points from the left and click [>>] for each VigorAP that will have the profile applied, then click OK. The router will then apply the WLAN Profile to the Access Points.
Once the configuration has been applied, each VigorAP Access Point will restart with the new configuration. This should be visible after roughly a minute in the [Central Management] > [AP] > [Status] section, with the new SSID settings visible:
Click on an Index number for one of the VigorAP Access Points to view the list of settings:
The wireless network will now be ready for use, with the "Guests" network able to access the Internet without any access to internal network resources.
- First Published: 08/02/2017
- Last Updated: 22/04/2021