Wi-Fi Mini Physical Interface Module (MPIM)

 

The Wi-Fi Mini-Physical Interface Module (Mini-PIM) for SRX Series devices provides an integrated wireless access point (or wireless LAN) solution along with routing, switching, and security in a single device. The topics below describe the overview and configuration of the Wi-Fi Mini-PIM on SRX Series devices.

Wi-Fi Mini-Physical Interface Module Overview

The Wi-Fi Mini-Physical Interface Module (Wi-Fi Mini-PIM) for SRX320, SRX340, SRX345, SRX380, and SRX550M provides an integrated wireless access point (or wireless LAN) along with routing, switching, and security in a single device. The Mini-PIM supports the 802.11ac Wave 2 wireless standards and is backward compatible with 802.11a/b/g/n. You can use the three new models of the Wi-Fi Mini-PIM based on the regional wireless standard requirements:

  • SRX-MP-WAP-US — The model based on USA’s wireless standard.

  • SRX-MP-WAP-IL — The model based on Israel’s wireless standard.

  • SRX-MP-WAP-WW — The model for other countries.

You cannot change the country code for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models as they are fixed. The Wi-Fi Mini-PIM can coexist with other Mini-PIMs supported on the SRX Series device. Table 1 provides a summary of the features supported on Mini-PIM.

Typical deployments for Wi-Fi Mini-PIM solution include:

  • Secure wireless LAN connectivity to endpoint devices of corporate users at remote branch offices. 802.11ac, WPA2, 802.1X, and SSID-to-VLAN mapping features provide secure Wireless LAN connectivity.

  • Direct network connectivity to the enterprise Internet of Things (IoT) devices. The security features on the SRX Series devices secure the IoT devices.

See How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways for more information about how to install the Wi-Fi Mini-PIM.

Features Supported on the Wi-Fi Mini-PIM

Table 1 lists the key features supported on the Wi-Fi Mini-PIM.

Table 1: Wi-Fi Mini-PIM Features

Feature

Description

2x2 MU-MIMO

Enables transmission of data to multiple clients simultaneously.

Dual radios

Both the 2.4 GHz and 5 GHz radios are supported simultaneously. The maximum supported speed is up to 1.2 Gbps.

Virtual access points (VAPs) and VLAN features

  • Allows you to segment the WLAN into multiple broadcast domains that are the wireless equivalents of Ethernet VLANs. A single access point is segregated into multiple individual VAPs, simulating multiple access points in a single system.

  • An access point supports multiple VLANs, which can be distributed across VAPs and radios.

  • You can configure up to eight VAPs per radio. You can map up to 16 extended service set identifiers (ESSIDs) to individual VLANs.

  • The VLANs from the Mini-PIM software map to VLANs on Junos OS.

Co-existence of interfaces

The Wi-Fi Mini-PIM coexists with 4G LTE, VDSL, T1, and serial interfaces.

Client authentication methods

Client authentication methods supported are Wi-Fi Protected Access (WPA) Enterprise (WPA2 standards) and Wi-Fi Protected Access (WPA) Personal (AES-CCMP cipher suites and WPA2 standards).

Configure Wi-Fi Mini-PIM

You can configure the radios and virtual access points on the Wi-Fi Mini-PIM. This topic contains sections that describe the basic Wi-Fi Mini-PIM configuration at the wireless interface level. For more information about how to install a Wi-Fi Mini-PIM, see How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways.

The following sections describe how to configure the Wi-Fi Mini-PIM on your SRX Series device.

Configure Network Setting for the Wi-Fi Mini-PIM

Configure wl- interface

The interface name for the Mini-PIM is denoted as wl-x/0/0, where x is the slot on the SRX Series Services Gateway in which the Mini-PIM is installed. The wl- interface is created automatically when you insert the Mini-PIM into the slot on the SRX Series device. To configure the wireless LAN interface:

  1. Define an interface for the Wi-Fi Mini-PIM.
  2. Configure the DHCP address pool.
  3. Configure the wireless interface to be part of a zone, assign required security policies and commit the configuration.

Configure access point

To configure the access point associated with the wireless LAN interface wl-x/0/0:

  1. Configure the name of the wireless access point.
  2. Set the country code (applicable only for SRX-MP-WLAN-WW models of the Mini-PIM).

    Note: If you do not set the country code for the SRX-MP-WLAN-WW models, the Mini-PIM considers the country code as US. The country code for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models is set and cannot be changed.

  3. Set the physical location (location of your hardware device, example: 1st-floor).
  4. Commit the configuration.

Configure Radios

Every access point has two radios: radio 1 operates in the 5-GHz band and radio 2 operates in the 2.4-GHz band. A VAP is configured based on the radio. You can configure up to eight VAPs per radio and map up to 16 ESSIDs to individual VLANs. On the Wi-Fi Mini-PIM, both radios (2.4 GHz and 5 GHz) can work simultaneously. You can also disable a radio. Table 2 lists the modes supported on each radio.

Table 2: Supported Modes on Wi-Fi Mini-PIM Radios

Radio

Supported Modes

Radio 1 (5.0 GHz)

  • an—802.11a and 802.11n clients operating on 5 GHz frequency can connect to the access point

  • acn—802.11a, 802.11n and 802.11ac clients operating on 5 GHz frequency can connect to the access point

Radio 2 (2.4 GHz)

  • gn—802.11g, 802.11b and 802.11n clients operating in 2.4 GHz frequency can connect to the access point. This is the default mode for this radio.

To configure the radio:

  1. Configure the radio mode. Radio 1 supports acn and an modes. Radio 2 supports only gn mode. Note that radio 1 operates at 5-GHz and radio 2 operates at 2.4-GHz.

    For radio 1:

    For radio 2:

  2. Configure the channel number. If you select auto, then the Mini-PIM chooses the channel automatically. By default, channel number is set to auto.
  3. Configure the channel bandwidth. The default channel bandwidth is 20 MHz for the 2.4 GHz radio and 40 MHz for the 5 GHz radio. You can set 80 MHz as the channel bandwidth only for the 5 GHz radio, not for the 2.4 GHz radio.
  4. Configure the transmit power. You can configure the transmit power on a per-radio basis.

    Note: When you configure the transmit power, the Mini-PIM card fixes the transmit power at the specified value, and in this case the power-by-rate functionality does not work. It is therefore recommended not to set the transmit power to a specified value. When you do not configure the transmit power (do not fix the transmit power to a specified value), the power-by-rate functionality works. If you configure the transmit power percentage to 100, the Mini-PIM chooses the option "auto"; the behavior is similar to having no transmit power configured, and the power-by-rate functionality works.

  5. Commit the configuration.

Configure Virtual Access Points (VAPs)

VAPs allow segmentation of the wireless LAN into multiple broadcast domains that are the wireless equivalents of Ethernet VLANs. To configure the virtual access point:

  1. Configure the VAP settings.
  2. Configure either the WPA Enterprise or the WPA Personal authentication methods for the VAP.

    none—The data transferred between clients and the access point is not encrypted. Clients can associate with the access point without any authentication.

    wpa-enterprise—The device authenticates through an 802.1X-compliant RADIUS server.

    wpa-personal—The device uses preshared keys (PSKs) or a passphrase for authentication and encryption.

  3. Configure and specify the upload and download rate limits on the Wi-Fi Mini-PIM. The range for upload-limit and download-limit is from 256 Kbps to 1,048,576 Kbps.
  4. Specify the maximum number of clients that can be connected to the VAP.
  5. Commit the configuration.

After the configuration is successfully completed, you can view the parameters by using the show wlan access-points name detail command.

Configure VLANs

Configure VLANs based on VAP

(Optional) A single access point is segregated into multiple individual virtual access points (VAPs) simulating multiple access points in a single system. The access point supports multiple VLANs. To configure the VLAN ID based on the VAP:

  1. Configure the VLAN for the wireless LAN interface (wl- interface). Follow the steps below to configure the VLAN ID based on the VAP:
  2. Set trunk mode on the wl- interface.
  3. Set trunk mode for the native VLAN of the wl- interface.
  4. Configure the access point for the wl- interface.
  5. Configure all VAP parameters, including the radio mode, channel number, VAP SSID, and VAP VLAN ID, on the Wi-Fi Mini-PIM.
  6. Commit the configuration.

Configure Multiple VLANs and SSIDs

You can configure 8 VAPs on each radio, and each VAP is identified by its SSID. Up to 16 SSIDs can be configured on the Wi-Fi Mini-PIM. You can map a VLAN to each SSID, or you can assign a single VLAN to multiple SSIDs. The client connects to the VAP using the SSID and is associated with the VLAN that is mapped to the SSID.

You can configure multiple SSIDs to provide varied levels of access to different devices and users. Here is a sample configuration for three different types of users connecting to different VAPs. Each VAP is associated with a different VLAN.

| Interface | VLAN ID | Address pool | VAP | SSID | Address pool (network) |
|---|---|---|---|---|---|
| wl-2/0/0.0 | 100 | junosDHCPPool | | | 192.168.2.0/24 |
| wl-2/0/0.10 | 10 | junosDHCPPool1 | VAP1 | VAP-10 | 192.168.10.0/24 |
| wl-2/0/0.20 | 20 | junosDHCPPool2 | VAP2 | VAP-20 | 192.168.20.0/24 |
| wl-2/0/0.30 | 30 | junosDHCPPool3 | VAP3 | VAP-30 | 192.168.30.0/24 |

  1. Configure the interface to be part of the security zone.
    user@host# set security zones security-zone trust interfaces wl-2/0/0.0
  2. Configure a security zone.
    user@host# set security zones security-zone trust host-inbound-traffic system-services dhcp
  3. Enable the DHCP server on the interface and configure the address pool for the Wi-Fi interface:
    user@host# set system services dhcp-local-server group jdhcp-group interface wl-2/0/0.0
    user@host# set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
    user@host# set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
    user@host# set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
    user@host# set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
  4. Configure flexible VLAN tagging on the Wi-Fi interface:
    user@host# set interfaces wl-2/0/0 flexible-vlan-tagging
    user@host# set interfaces wl-2/0/0 native-vlan-id 100
  5. Configure the VLANs:
    user@host# set interfaces wl-2/0/0 unit 0 vlan-id 100
    user@host# set interfaces wl-2/0/0 unit 0 family inet address 192.168.2.1/24
  6. Repeat steps 2 through 5 for the wl-2/0/0.10, wl-2/0/0.20, and wl-2/0/0.30 interfaces.
  7. Configure the access point settings:
    user@host# set wlan access-point name interface wl-2/0/0
    user@host# set wlan access-point name access-point-options country US
    user@host# set wlan access-point name location California
  8. Configure the radio settings:

    For radio 1:

    user@host# set wlan access-point name radio 1 radio-options mode acn
    user@host# set wlan access-point name radio 1 radio-options channel number auto
    user@host# set wlan access-point name radio 1 radio-options channel bandwidth 40

    For radio 2:

    user@host# set wlan access-point name radio 2 radio-options mode gn
    user@host# set wlan access-point name radio 2 radio-options channel number auto
    user@host# set wlan access-point name radio 2 radio-options channel bandwidth 40
  9. Configure the VAPs.

    VAP1:

    user@host# set wlan access-point name radio 1 virtual-access-point 1 description VAP1
    user@host# set wlan access-point name radio 1 virtual-access-point 1 ssid VAP-10
    user@host# set wlan access-point name radio 1 virtual-access-point 1 vlan 10
    user@host# set wlan access-point name radio 1 virtual-access-point 1 security wpa-personal cipher-suites ccmp
    user@host# set wlan access-point name radio 1 virtual-access-point 1 security wpa-personal key-type ascii
    user@host# set wlan access-point name radio 1 virtual-access-point 1 security wpa-personal key ascii-string
    user@host# set wlan access-point name radio 1 virtual-access-point 1 security wpa-personal wpa-version v2
    user@host# set wlan access-point name radio 1 virtual-access-point 1 upload-limit 1000
    user@host# set wlan access-point name radio 1 virtual-access-point 1 download-limit 1000
    user@host# set wlan access-point name radio 1 virtual-access-point 1 maximum-stations 70

    VAP2:

    user@host# set wlan access-point name radio 1 virtual-access-point 2 description VAP2
    user@host# set wlan access-point name radio 1 virtual-access-point 2 ssid VAP-20
    user@host# set wlan access-point name radio 1 virtual-access-point 2 vlan 20
    user@host# set wlan access-point name radio 1 virtual-access-point 2 security wpa-personal cipher-suites ccmp
    user@host# set wlan access-point name radio 1 virtual-access-point 2 security wpa-personal key-type ascii
    user@host# set wlan access-point name radio 1 virtual-access-point 2 security wpa-personal key ascii-string
    user@host# set wlan access-point name radio 1 virtual-access-point 2 security wpa-personal wpa-version v2
    user@host# set wlan access-point name radio 1 virtual-access-point 2 upload-limit 1000
    user@host# set wlan access-point name radio 1 virtual-access-point 2 download-limit 1000
    user@host# set wlan access-point name radio 1 virtual-access-point 2 maximum-stations 80

    VAP3:

    user@host# set wlan access-point name radio 2 virtual-access-point 3 description VAP3
    user@host# set wlan access-point name radio 2 virtual-access-point 3 ssid VAP-30
    user@host# set wlan access-point name radio 2 virtual-access-point 3 vlan 30
    user@host# set wlan access-point name radio 2 virtual-access-point 3 security wpa-personal cipher-suites ccmp
    user@host# set wlan access-point name radio 2 virtual-access-point 3 security wpa-personal key-type ascii
    user@host# set wlan access-point name radio 2 virtual-access-point 3 security wpa-personal key ascii-string
    user@host# set wlan access-point name radio 2 virtual-access-point 3 security wpa-personal wpa-version v2
    user@host# set wlan access-point name radio 2 virtual-access-point 3 upload-limit 1000
    user@host# set wlan access-point name radio 2 virtual-access-point 3 download-limit 1000
    user@host# set wlan access-point name radio 2 virtual-access-point 3 maximum-stations 70
  10. Commit the configuration.
    user@host# commit
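
The limits this page gives for radios and VAPs (Table 2 modes, no 80 MHz on the 2.4 GHz radio, eight VAPs per radio, the 256 to 1,048,576 Kbps rate range, WPA2 with CCMP, and the unencrypted none option) can be checked offline before the commit. The script below is an added example, not Juniper tooling and not part of the original page; the access point name branch-ap and the sample lines are constructed, and it reads only set statements of the form shown in the steps above.

```python
import re
from collections import Counter, defaultdict

# Limits stated on this page: Table 2 modes, rate-limit range (Kbps), VAPs per radio.
RADIO_MODES = {"1": {"an", "acn"}, "2": {"gn"}}
RATE_MIN, RATE_MAX, MAX_VAPS = 256, 1_048_576, 8
LINE = re.compile(r"set wlan access-point (\S+) radio (\d+) (.+)")

def audit(config):
    """Return findings for the `set wlan access-point ... radio ...` lines."""
    findings, vaps = [], defaultdict(dict)
    for m in LINE.finditer(config):
        ap, radio, words = m.group(1), m.group(2), m.group(3).split()
        if words[:2] == ["radio-options", "mode"] and len(words) == 3:
            if words[2] not in RADIO_MODES.get(radio, ()):
                findings.append(f"{ap} radio {radio}: mode {words[2]} not supported")
        elif words[:3] == ["radio-options", "channel", "bandwidth"] and len(words) == 4:
            if radio == "2" and words[3] == "80":
                findings.append(f"{ap} radio 2: 80 MHz is 5 GHz only")
        elif words[:1] == ["virtual-access-point"] and len(words) >= 4:
            # e.g. key "security wpa-personal wpa-version" -> value "v2"
            vaps[(ap, radio, words[1])][" ".join(words[2:-1])] = words[-1]
    for (ap, radio, vap), s in sorted(vaps.items()):
        tag = f"{ap} radio {radio} vap {vap}"
        if not any(k.startswith("security wpa-") for k in s):
            findings.append(f"{tag}: open, no WPA authentication")
        for k, v in s.items():
            want = {"cipher-suites": "ccmp", "wpa-version": "v2"}.get(k.split()[-1])
            if want and v != want:
                findings.append(f"{tag}: {k.split()[-1]} {v}, expected {want}")
            if k.endswith("-limit") and not (v.isdigit() and RATE_MIN <= int(v) <= RATE_MAX):
                findings.append(f"{tag}: {k} {v} outside {RATE_MIN}-{RATE_MAX} Kbps")
    for (ap, radio), n in Counter(k[:2] for k in vaps).items():
        if n > MAX_VAPS:
            findings.append(f"{ap} radio {radio}: {n} VAPs, maximum is {MAX_VAPS}")
    return findings

# Constructed sample input; "branch-ap" is a hypothetical access point name.
SAMPLE = """\
set wlan access-point branch-ap radio 2 radio-options mode acn
set wlan access-point branch-ap radio 2 radio-options channel bandwidth 80
set wlan access-point branch-ap radio 1 virtual-access-point 1 security wpa-personal wpa-version v2
set wlan access-point branch-ap radio 2 virtual-access-point 3 security none
set wlan access-point branch-ap radio 2 virtual-access-point 3 download-limit 100
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A VAP with no wpa-personal or wpa-enterprise statement is reported as open, which covers both an explicit none and a VAP whose security stanza was never written.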

Configure WPA enterprise authentication

(Optional) Wi-Fi Protected Access (WPA) Enterprise is a Wi-Fi Alliance standard that uses RADIUS server authentication with the AES-CCMP cipher suite. With this mode, you can use high-security encryption along with centrally managed user authentication. Only the WPA2 standard is supported. To configure the WPA Enterprise authentication:

  1. Configure the address book and assign a security zone.
  2. Configure security source rule-set from trust zone to the WPA authentication.
  3. Configure the security source to match the source and destination address.
  4. Configure the UDP protocol and security source on the interface.
  5. Assign the security policies to the source and destination address.
  6. Commit the configuration.

After the configuration is successfully completed, you can view the parameters by using the show wlan access-points name virtual-access-points command.

Verification

Purpose

Display information about the parameters configured on the Wi-Fi Mini-PIM.

Action

  • To display the details of all the access points configured on the Mini-PIM:

  • To display the status of the specific access point.
