SRX AX411 Access Point Configuration
On the SRX CLI, you can also manage the AX411 Wireless Access Point. Configuration isn’t very difficult, but if you don’t have prior experience it may look a bit cumbersome. Below I will try to show how you can configure one of these access points if you have just got one of these devices. This post only covers Layer 2 mode setup. First of all, I assume you have a branch SRX which has PoE capabilities. I think the smallest one is SRX210 for this task. In my lab, I am connecting the AX411 device to the ge-0/0/1 interface of my SRX220 device.
First I make sure only this interface is PoE enabled, i.e. by disabling the others:
#set poe interface all disable
#set poe interface ge-0/0/1
We can see that only ge-0/0/1 is providing power after this config.
root@srx220> show poe interface
Interface    Admin status  Oper status  Max power  Priority  Power consumption  Class
ge-0/0/0     Disabled      Disabled     15.4W      Low       0.0W               0
ge-0/0/1     Enabled       Powered-up   15.4W      Low       7.1W               3
ge-0/0/2     Disabled      Disabled     15.4W      Low       0.0W               0
ge-0/0/3     Disabled      Disabled     15.4W      Low       0.0W               0
ge-0/0/4     Disabled      Disabled     15.4W      Low       0.0W               0
ge-0/0/5     Disabled      Disabled     15.4W      Low       0.0W               0
ge-0/0/6     Disabled      Disabled     15.4W      Low       0.0W               0
ge-0/0/7     Disabled      Disabled     15.4W      Low       0.0W               0
Configure ge-0/0/1 (the AX411-facing interface) with ethernet switching and assign it to vlan15.
You should create this VLAN under [vlans] and assign vlan.15 to it as the l3-interface for this task.
[edit interfaces]
root@srx220# show
ge-0/0/0 {
    description "WAN port";
    unit 0 {
        family inet {
            address 192.168.1.2/24;
        }
    }
}
ge-0/0/1 {
    description AX411;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan15;
            }
        }
    }
}
vlan {
    unit 15 {
        family inet {
            address 172.17.15.1/24;
        }
    }
}
Enable DHCP since AX411 AP will receive its IP from SRX along with the clients
[edit]
root@srx220# show system services dhcp
name-server {
    8.8.8.8;
}
pool 172.17.15.0/24 {
    address-range low 172.17.15.10 high 172.17.15.50;
    router {
        172.17.15.1;
    }
    propagate-settings vlan.15;
}
Configure security zones and make sure at least DHCP and ICMP are allowed on AX411 facing zone
[edit]
root@srx220# show security zones
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone trust {
    interfaces {
        vlan.15 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
Now, without going further, plug in your AX411 AP and wait until the status LED lights steadily green. OK, good, but which one of those 4 LEDs is the status LED? I took a photo for you and labeled them. If I am not mistaken these are the LEDs’ meanings.
Note: Only radio1 will turn to blue when it is on and broadcasting.
If you have powered up the AP and haven’t created a configuration yet, you will get something similar to this. The text ap28c0dad4b505 under the Access-Point column is actually the MAC address of your AP.
root@srx220> show wlan access-points
Active access points information
Access-Point      Type  Interface  Radio-mode/Channel
ap28c0dad4b505    Ext   vlan.15    None, None
Now let’s configure one of the radios and create one virtual access point.
[edit]
root@srx220# show wlan
access-point AX411 {
    mac-address 28:c0:da:d4:b5:05;
    access-point-options {
        country {
            NL;
        }
    }
    radio 1 {
        radio-options {
            mode an;
            channel {
                number 44;
            }
        }
        virtual-access-point 0 {
            ssid AX411_juniper;
            security {
                wpa-personal {
                    wpa-version {
                        v2;
                    }
                    cipher-suites {
                        both;
                    }
                    key "$9$3gqDnCuOBESyKu0LxdVY2QF36p0cfaSrL7-MW8xN-bw"; ## SECRA
                }
            }
        }
    }
}
Now we are broadcasting our SSID AX411_juniper
If you check the access point once again, you will see that your configured access point name AX411 is assigned to the device
root@srx220# run show wlan access-points
Active access points information
Access-Point      Type  Interface  Radio-mode/Channel
AX411             Ext   vlan.15    an/44, bgn/9
In order to provide connectivity for your clients, make sure a security policy from the trust zone to the untrust zone is created and NAT is also in place.
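The zone configuration shown earlier allows all system services on both zones, including the WAN-facing untrust zone, and the virtual access point accepts both TKIP and CCMP. The set commands below are an added example, not part of the original post: they narrow host-inbound traffic to the DHCP and ICMP minimum named above, restrict WPA2 to CCMP, and create the trust-to-untrust policy and source NAT this step calls for. The names wlan-clients, wlan-out, wlan-nat and r1 are assumptions chosen for illustration, and the ccmp keyword is assumed to be accepted by your Junos release.

```junos
# Added example, not from the original post. Paste in configuration mode.
# Object names (wlan-clients, wlan-out, wlan-nat, r1) are illustrative.

# 1. WAN-facing zone: stop answering every system service on ge-0/0/0.0.
#    If you manage the SRX over this interface, re-add only that service
#    (for example ssh) before committing.
delete security zones security-zone untrust host-inbound-traffic system-services all

# 2. AP-facing zone: keep only the minimum the post names (DHCP and ICMP).
delete security zones security-zone trust interfaces vlan.15 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.15 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces vlan.15 host-inbound-traffic system-services ping

# 3. WPA2 with CCMP (AES) only, replacing "both" (TKIP and CCMP).
set wlan access-point AX411 radio 1 virtual-access-point 0 security wpa-personal cipher-suites ccmp

# 4. Explicit policy for the wireless client subnet instead of relying
#    on the default policy. Uses a zone-attached address book entry.
set security zones security-zone trust address-book address wlan-clients 172.17.15.0/24
set security policies from-zone trust to-zone untrust policy wlan-out match source-address wlan-clients
set security policies from-zone trust to-zone untrust policy wlan-out match destination-address any
set security policies from-zone trust to-zone untrust policy wlan-out match application any
set security policies from-zone trust to-zone untrust policy wlan-out then permit

# 5. Source NAT of the client subnet to the WAN interface address.
set security nat source rule-set wlan-nat from zone trust
set security nat source rule-set wlan-nat to zone untrust
set security nat source rule-set wlan-nat rule r1 match source-address 172.17.15.0/24
set security nat source rule-set wlan-nat rule r1 then source-nat interface

# 6. Activate with automatic rollback after 5 minutes unless confirmed,
#    in case the narrower host-inbound settings cut off management access.
commit confirmed 5
```

If the AP no longer appears in show wlan access-points after the commit, let the rollback happen and re-add services on vlan.15 one at a time until it registers again.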
Now when I turned on my wireless interface on my tablet, I see that I am connected to AX411_juniper:) Here we go!
Let’s see how we check this on SRX.
root@srx220> show wlan access-points client-associations AX411
Access point client associations information
Access point: AX411, VAP Radio1:vap0
Client MAC Address  Auth  Channel/Rate/RSSI  Packets Rx/Tx  Bytes Rx/Tx
d8:50:e6:11:62:80   Yes   44/135/-67         105/4          9418/458
This MAC belongs to our client.
We can also get more details from the DHCP bindings:
root@srx220> show system services dhcp binding
IP address       Hardware address   Type     Lease expires at
172.17.15.10     28:c0:da:d4:b5:00  dynamic  2014-07-22 13:51:23 CEST <<<<<
Now, from the client tablet, I initiate a connection towards the rtoodtoo.net webserver, and we can see that a session is created from the vlan.15 interface towards the ge-0/0/0.0 WAN interface.
root@srx220> show security flow session destination-prefix 91.203.212.8 destination-port 80
Session ID: 14001, Policy name: default-policy-00/2, Timeout: 1798, Valid
  In: 172.17.15.11/55464 --> 91.203.212.8/80;tcp, If: vlan.15, Pkts: 11, Bytes:5
  Out: 91.203.212.8/80 --> 192.168.1.2/6714;tcp, If: ge-0/0/0.0, Pkts: 20, By8
Session ID: 14004, Policy name: default-policy-00/2, Timeout: 18, Valid
  In: 172.17.15.11/55465 --> 91.203.212.8/80;tcp, If: vlan.15, Pkts: 1, Bytes: 0
  Out: 91.203.212.8/80 --> 192.168.1.2/2899;tcp, If: ge-0/0/0.0, Pkts: 1, Byt0
Thank you!
Your contributions are well received and appreciated.
Thank you too Sean. I am glad to see that it is appreciated!
Good Post.
Are you enabling both radios? What I have noticed is that if you have both the 2.4GHz and 5GHz radios turned on, 2.4GHz dies after a few hours. Very annoying. Apparently only one works at a given time.
Actually I haven’t enabled both as far as I remember. I will check once I get round to it though.
I noticed the AX411 is end-of-life. Are there any APs that will be taking its place that will be manageable by the SRX?
Shane,
I don’t have any info on that.
Genco.
There is no AP that will replace AX411. What I hear is new branch SRX’s with built-in AP (similar to what other vendors have). New Branch will have faster chipset, more memory and much more.