
Wi-Fi Mini Physical Interface Module (MPIM)

The Wi-Fi Mini-Physical Interface Module (Mini-PIM) for SRX Series Firewalls provides an integrated wireless access point (or wireless LAN) solution along with routing, switching, and security in a single device. The topics below describe the overview and configuration of the Wi-Fi Mini-PIM on SRX Series Firewalls.

Wi-Fi Mini-Physical Interface Module Overview

The Wi-Fi Mini-Physical Interface Module (Wi-Fi Mini-PIM) for SRX320, SRX340, SRX345, SRX380, and SRX550M provides an integrated wireless access point (or wireless LAN) along with routing, switching, and security in a single device. The Mini-PIM supports the 802.11ac Wave 2 wireless standards and is backward compatible with 802.11a/b/g/n. You can use the three new models of the Wi-Fi Mini-PIM, chosen according to the regional wireless standard requirements:

  • SRX-MP-WLAN-US — The model based on USA’s wireless standard.

  • SRX-MP-WLAN-IL — The model based on Israel’s wireless standard.

  • SRX-MP-WLAN-WW — The model for other countries.

You cannot change the country code for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models as they are fixed. The Wi-Fi Mini-PIM can coexist with other Mini-PIMs supported on the SRX Series Firewall. Table 1 provides a summary of the features supported on the Mini-PIM.

Typical deployments for Wi-Fi Mini-PIM solution include:

  • Secure wireless LAN connectivity to endpoint devices of corporate users at remote branch offices. 802.11ac, WPA2, 802.1X, and SSID-to-VLAN mapping features provide secure Wireless LAN connectivity.

  • Direct network connectivity to the enterprise Internet of Things (IoT) devices. The security features on the SRX Series Firewalls secure the IoT devices.

See How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways for more information about how to install the Wi-Fi Mini-PIM.

Wireless LAN Interface in Chassis Cluster Mode

The Mini-PIM is also supported in chassis cluster mode to provide redundancy. Wireless users are connected to the active interface in the redundancy group. To support chassis cluster mode for the wireless LAN interface Mini-PIM, configure the chassis cluster with two wireless LAN interfaces, wl-x/0/0 and wl-y/0/0, where x is the slot number in which the Mini-PIM is installed on node 0 and y is the slot number in which the Mini-PIM is installed on node 1.

In chassis cluster mode, one wireless LAN interface is active and the other is inactive. The Wi-Fi client is associated with the active wireless LAN interface.

The following events trigger wireless LAN interface failover:

  • The wireless LAN interface is abnormal.

  • The primary wireless LAN interface is down.

  • The redundancy group to which the wireless LAN interface belongs is failed over manually.

  • The primary WLAN interface node fails.

After wireless LAN interface failover, the original inactive wireless LAN interface is changed to active and the Wi-Fi client sessions are reconnected to the new primary wireless LAN interface.

In chassis cluster mode, the WLAND process runs on both nodes. The WLAND process on the primary node pushes the WLAN configuration to the PFE on both nodes, and each PFE forwards the configuration to its local wireless LAN interface card so that the two cards have the same configuration.

WLAND monitors the wireless LAN interface status. If it finds the wireless LAN interface to be abnormal, it can trigger redundancy group failover. In Layer 3 mode, by default, the wireless LAN interface activity monitor is configured for WLAN high availability using the following commands:

    set chassis cluster redundancy-group 1 interface-monitor wl-2/0/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor wl-7/0/0 weight 255

The new primary wireless LAN interface becomes active, and the abnormal wireless LAN interface card is restarted and goes to the inactive state. The Wi-Fi client is reconnected to the active wireless LAN interface automatically because the configuration (radio, channel, bandwidth, SSID, and so on) on the active WAP is the same as on the original wireless LAN interface.

Wireless LAN Interface in Layer 3 (L3) Mode

The interfaces are configured as subordinate interfaces of a RETH interface using the command set interfaces wl-x/0/0 gigether-options redundant-parent reth-interface. You can add the RETH interface to one redundancy group and set the priority for each node in the redundancy group. Only one wireless LAN interface is active in the redundancy group and the other one is inactive.

Wireless LAN Interface in Layer 2 (L2) Mode

You can build SRX Series Firewalls in chassis cluster mode with the wireless LAN interface Mini-PIM. The peer wireless LAN interfaces are configured in the same VLAN, and the wireless LAN interface on the primary node of redundancy group zero is chosen as the active interface by default. In L2 mode (family ethernet-switching), the wireless LAN interface behaves like any other L2 switching port (trunk port).

Features Supported on the Wi-Fi Mini-PIM

Table 1 lists the key features supported on the Wi-Fi Mini-PIM.

Table 1: Wi-Fi Mini-PIM Features

| Feature | Description |
|---|---|
| 2x2 MU-MIMO | Enables transmission of data to multiple clients simultaneously. |
| Dual radios | Both radios of 2.4 GHz and 5 GHz bands are simultaneously supported. The maximum supported speed is up to 1.2 Gbps. |
| Virtual access points (VAPs) and VLAN features | Allows you to segment the WLAN into multiple broadcast domains that are the wireless equivalents of Ethernet VLANs. A single access point is segregated into multiple individual VAPs, simulating multiple access points in a single system. An access point supports multiple VLANs, which can be distributed across VAPs and radios. You can configure up to eight VAPs per radio. You can map up to 16 extended service set identifiers (ESSIDs) to individual VLANs. The VLANs from the Mini-PIM software map to VLANs on Junos OS. |
| Co-existence of interfaces | The Wi-Fi Mini-PIM coexists with 4G LTE, VDSL, T1, and serial interfaces. |
| Client authentication methods | Client authentication methods supported are Wi-Fi Protected Access (WPA) Enterprise (WPA2 standards) and Wi-Fi Protected Access (WPA) Personal (AES-CCMP cipher suites and WPA2 standards). |

Configure Wi-Fi Mini-PIM

You can configure the radios and virtual access points on the Wi-Fi Mini-PIM. This topic contains sections that describe the basic Wi-Fi Mini-PIM configuration at the wireless interface level. For more information about how to install a Wi-Fi Mini-PIM, see How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways.

The following sections describe how to configure the Wi-Fi Mini-PIM on your SRX Series Firewall.

Configure Network Setting for the Wi-Fi Mini-PIM

Configure wl- interface

The interface name for the Mini-PIM is denoted as wl-x/0/0, where x is the slot on the SRX Series Services Gateway in which the Mini-PIM is installed. The wl- interface is created automatically when you insert the Mini-PIM into the slot on the SRX Series Firewall.

To configure the wireless LAN interface:

  1. Configure an IP address for the Wi-Fi interface:
  2. Configure the address pool.

    The DHCP address pool and the Wi-Fi interface must be in the same network.

  3. Enable the DHCP server on the interface.

    The eth0 interface on the Mini-PIM enables the DHCP client. If the DHCP server is enabled on the wl interface, the server assigns an IP address to the eth0 interface. You can view the binding information by issuing the show dhcp server binding command.

  4. Assign the interface to a security zone.

Configure Access Point

To configure the access point associated with the wireless LAN interface wl-x/0/0:

  1. Configure the interface.

  2. Set the country code (applicable only for SRX-MP-WLAN-WW models of the Mini-PIM).

    Note:

    If you do not set the country code for the SRX-MP-WLAN-WW models, the Mini-PIM considers the country code as US. You cannot set the country code for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models.

  3. Set the physical location (location of your hardware device, example: 1st-floor).

  4. Commit the configuration.

Configure Radios

Every access point has two radios—radio 1 operates at 5-GHz bandwidth and radio 2 operates at 2.4-GHz bandwidth. A VAP is configured based on the radio. You can configure up to eight VAPs per radio and map up to 16 ESSIDs to individual VLANs. Wi-Fi Mini-PIM supports both the radios (2.4 and 5 GHz) to work simultaneously. You can also disable a radio. Table 2 lists the modes supported on each radio.

Changing the radio settings can cause the access point to stop and restart system processes. If this occurs, wireless clients that are connected to the access point temporarily lose connectivity. We recommend that you change radio settings when WLAN traffic is low.

Table 2: Supported Modes on Wi-Fi Mini-PIM Radios

| Radio | Supported Modes |
|---|---|
| Radio 1 (5.0 GHz) | an: 802.11a and 802.11n clients operating on the 5 GHz frequency can connect to the access point. acn: 802.11a, 802.11n, and 802.11ac clients operating on the 5 GHz frequency can connect to the access point. |
| Radio 2 (2.4 GHz) | gn: 802.11g, 802.11b, and 802.11n clients operating on the 2.4 GHz frequency can connect to the access point. This is the default mode for this radio. g: 802.11g clients operating on the 2.4 GHz frequency can connect to the access point. Supported from Junos OS Release 20.4R1. |

To configure the radio:

  1. Configure the radio mode. Radio 1 supports acn and an modes. Radio 2 supports only gn mode.

  2. Configure the channel number. If you select auto, then the Mini-PIM chooses the channel automatically. By default, channel number is set to auto.

  3. Configure the channel bandwidth. The default channel bandwidth is 20 MHz for the 2.4 GHz radio and 40 MHz for the 5 GHz radio. You can set 80 MHz as the channel bandwidth only for the 5 GHz radio, not for the 2.4 GHz radio.

  4. Configure the transmit power. You can configure the transmit power on a per-radio basis.

    Note:

    When you configure the transmit power, the Mini-PIM card fixes the transmit power to the specified value, and the power by rate functionality does not work. It is therefore recommended that you do not set the transmit power to a specified value. When you do not configure the transmit power, the power by rate functionality works. If you configure the transmit power percentage to 100, the Mini-PIM chooses the option "auto"; the behavior is the same as when no transmit power is configured, and the power by rate functionality works.

  5. Commit the configuration.

    In countries where Dynamic Frequency Selection (DFS) is required, the Wi-Fi card performs appropriate checks for radar. DFS is enabled by default. If you set the channel number to auto, the access point selects the channel from the list of DFS and non-DFS channels. You can disable DFS by using the dfs-off option: set wlan access-point name radio 1 radio-options dfs-off.

    Only the 5 GHz radio (radio 1) supports DFS.

    For more information on DFS, see Channels and Frequencies Supported on the Wi-Fi Mini-PIM.

Configure Virtual Access Points (VAP)

VAPs allow segmentation of the wireless LAN into multiple broadcast domains that are the wireless equivalents of Ethernet VLANs. To configure the VAP:

  1. Enter an ID and description for the VAP.

  2. Enter the SSID value.

  3. Configure one of the following security authentication methods for the VAP.

    • none—The data transferred between clients and the access point is not encrypted. Clients can associate with the access point without any authentication.

    • wpa-enterprise—The device authenticates through an 802.1X-compliant RADIUS server.

    • wpa-personal—The device uses preshared keys (PSKs) or a passphrase for authentication and encryption. Keys are stored on the device and on all wireless clients. You do not need to configure a separate authentication server.

  4. Configure and specify the upload and download rate limits on the Wi-Fi Mini-PIM. The range for upload-limit and download-limit is from 256 Kbps to 1,048,576 Kbps.

  5. Specify the maximum number of clients that can be connected to the VAP.

  6. Commit the configuration.

After completing the configuration successfully, you can view the parameters by using the show wlan access-points name detail command.
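
Before committing, a planned radio and VAP layout can be checked against the limits stated in the radio and VAP sections above. The following is an added example, not Juniper code: the plan dictionary, its field names, and the shared-VLAN policy warning are assumptions made for illustration and are not Junos syntax.

```python
# Added example: lint a planned radio/VAP layout against the limits this page states.
# The plan dictionary and its field names are assumptions, not Junos syntax.
RADIO_MODES = {1: {"an", "acn"}, 2: {"gn", "g"}}   # Table 2 (g needs Junos OS 20.4R1)
MAX_VAPS_PER_RADIO, MAX_SSIDS = 8, 16
RATE_LIMIT_KBPS = range(256, 1_048_576 + 1)
SECURITY_METHODS = {"none", "wpa-enterprise", "wpa-personal"}

def lint_plan(plan):
    """Return (severity, location, message) findings for a {radio: config} plan."""
    findings, ssid_count, vlan_open = [], 0, {}
    for radio, cfg in plan.items():
        where = f"radio {radio}"
        if cfg["mode"] not in RADIO_MODES.get(radio, set()):
            findings.append(("error", where, f"mode {cfg['mode']} not supported on this radio"))
        if cfg.get("bandwidth_mhz") == 80 and radio != 1:
            findings.append(("error", where, "80 MHz is valid only on the 5 GHz radio"))
        if len(cfg["vaps"]) > MAX_VAPS_PER_RADIO:
            findings.append(("error", where, "more than 8 VAPs on one radio"))
        for vap in cfg["vaps"]:
            vwhere = f"{where} vap {vap['id']}"
            ssid_count += 1
            sec = vap["security"]
            if sec not in SECURITY_METHODS:
                findings.append(("error", vwhere, f"unknown security method {sec}"))
            elif sec == "none":
                findings.append(("warning", vwhere, "open SSID: no authentication or encryption"))
            if "vlan" in vap:
                vlan_open.setdefault(vap["vlan"], set()).add(sec == "none")
            for key in ("upload_limit_kbps", "download_limit_kbps"):
                if key in vap and vap[key] not in RATE_LIMIT_KBPS:
                    findings.append(("error", vwhere, f"{key} outside 256-1048576 Kbps"))
    if ssid_count > MAX_SSIDS:
        findings.append(("error", "access point", "more than 16 SSIDs"))
    # Policy check added here (not a platform limit): open and authenticated SSIDs on one VLAN.
    for vlan, kinds in sorted(vlan_open.items()):
        if kinds == {True, False}:
            findings.append(("warning", f"vlan {vlan}", "shared by open and authenticated SSIDs"))
    return findings

SAMPLE_PLAN = {  # constructed sample, not taken from a real device
    1: {"mode": "acn", "bandwidth_mhz": 80, "vaps": [
        {"id": 0, "ssid": "corp", "vlan": 10, "security": "wpa-enterprise"},
        {"id": 1, "ssid": "guest", "vlan": 10, "security": "none", "download_limit_kbps": 128}]},
    2: {"mode": "acn", "bandwidth_mhz": 80, "vaps": [
        {"id": 0, "ssid": "iot", "vlan": 30, "security": "wpa-personal"}]},
}

if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_PLAN):
        print(*finding, sep=": ")
```
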

Configure VLANs

Configure VLANs based on VAP

(Optional) A single access point is segregated into multiple individual virtual access points (VAPs) simulating multiple access points in a single system. The access point supports multiple VLANs. To configure the VLAN ID based on the VAP:

  1. Configure the VLAN for the wireless LAN interface (wl- interface).
  2. Set trunk mode on the wl- interface.
  3. Set the native VLAN of the wl- interface.

    When you configure the native VLAN, the wl- interface adds a tag when it receives an untagged packet and takes no action when it receives a packet tagged with the native VLAN ID.

  4. Configure the access point for the wl- interface.
  5. Configure all VAP parameters, including the radio mode, channel number, VAP SSID, and VAP VLAN ID, on the Wi-Fi Mini-PIM.
  6. Commit the configuration.

Configure WPA enterprise authentication

(Optional) Wi-Fi Protected Access (WPA) Enterprise is a Wi-Fi Alliance standard that uses RADIUS server authentication with the AES-CCMP cipher suite. With this mode, you can use high-security encryption along with centrally managed user authentication. Only the WPA2 standard is supported. To configure WPA Enterprise authentication:

  1. Configure the address book and assign a security zone.

  2. Configure security source rule-set from trust zone to the WPA authentication.

  3. Configure the security source to match the source and destination address.

  4. Configure the UDP protocol and security source on the interface.

  5. Assign the security policies to the source and destination address.

  6. Commit the configuration.

After completing the configuration successfully, you can view the parameters by using the show wlan access-points name virtual-access-points command.

Configure Multiple VLANs and SSIDs

You can configure 8 VAPs on each radio, and each VAP is identified by the SSID. Up to 16 SSIDs can be configured on the Wi-Fi Mini-PIM. You can map a VLAN to each SSID, or you can assign a single VLAN for multiple SSIDs. The client connects to the VAP using the SSID and is associated with the VLAN that is mapped to the SSID.

You can configure multiple SSIDs to provide varied levels of access to different devices and users. Here is a sample configuration for three different types of users connecting to different VAPs. Each VAP is associated with a different VLAN.

| Interface | VLAN ID | Address pool (name) | VAP | SSID | Address pool (network) |
|---|---|---|---|---|---|
| wl-2/0/0.0 | 100 | junosDHCPPool | - | - | 192.168.2.0/24 |
| wl-2/0/0.10 | 10 | junosDHCPPool1 | VAP1 | VAP-10 | 192.168.10.0/24 |
| wl-2/0/0.20 | 20 | junosDHCPPool2 | VAP2 | VAP-20 | 192.168.20.0/24 |
| wl-2/0/0.30 | 30 | junosDHCPPool3 | VAP3 | VAP-30 | 192.168.30.0/24 |

  1. Configure the interface to be part of the security zone.
  2. Configure a security zone.
  3. Enable the DHCP server on the interface and configure the address pool for the Wi-Fi interface:
  4. Configure flexible VLAN tagging on the Wi-Fi interface:
  5. Configure the VLANs
  6. Repeat steps 2 through 5 for the wl-2/0/0.10, wl-2/0/0.20, and wl-2/0/0.30 interfaces.
  7. Configure the access point settings:
  8. Configure the radio settings:

    For radio 1:

    For radio 2:

  9. Configure the VAPs.

    VAP1:

    VAP2:

    VAP3:

  10. Commit the configuration.

Verification

Display information about the parameters configured on the Wi-Fi Mini-PIM.

  • To display the details of all the access points configured on the Mini-PIM:

  • To display the status of the specific access point.

  • To display the details about the clients connected to the access point.

  • To display details about the virtual access points.