SRX AX411 Access Point Configuration

On SRX CLI, you can also manage AX411 Wireless Access Point. Configuration isn’t very difficult but if you don’t have prior experience it may look like a bit cumbersome. Below I will try to show how you can configure one of these access points if you ave just got one of these devices. This post only covers Layer 2 mode setup. First of all I assume you have a branch SRX which has POE capabilities. I think the smallest one is SRX210 for this task. In my lab, I am connecting AX411 device to ge-0/0/1 interface of my SRX220 device.

ax411_access

First I make sure only this interface is POE enabled i.e disabling others

#set poe interface all disable
#set poe interface ge-0/0/1

We can see that only ge-0/0/1 is providing power after this config.

root@srx220> show poe interface    
Interface Admin status Oper status Max power Priority Power consumption Class
 ge-0/0/0 Disabled     Disabled    15.4W     Low      0.0W                     0
 ge-0/0/1 Enabled      Powered-up  15.4W     Low      7.1W                     3
 ge-0/0/2 Disabled     Disabled    15.4W     Low      0.0W                     0
 ge-0/0/3 Disabled     Disabled    15.4W     Low      0.0W                     0
 ge-0/0/4 Disabled     Disabled    15.4W     Low      0.0W                     0
 ge-0/0/5 Disabled     Disabled    15.4W     Low      0.0W                     0
 ge-0/0/6 Disabled     Disabled    15.4W     Low      0.0W                     0
 ge-0/0/7 Disabled     Disabled    15.4W     Low      0.0W                     0

Configure ge-0/0/1 (AX411 facing interface) with ethernet switching and assign the vlan15
You should create this vlan under [vlans] and assigned l3-interface to vlan.15 for this task

[edit interfaces]
root@srx220# show 
ge-0/0/0 {
    description "WAN port";
    unit 0 {
        family inet {
            address 192.168.1.2/24;
        }
    }
}
ge-0/0/1 {
    description AX411;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan15;
            }
        }
    }
}
vlan {
    unit 15 {
        family inet {
            address 172.17.15.1/24;
        }
    }                                   
}

Enable DHCP since AX411 AP will receive its IP from SRX along with the clients

[edit]
root@srx220# show system services dhcp   
name-server {
    8.8.8.8;
}
pool 172.17.15.0/24 {
    address-range low 172.17.15.10 high 172.17.15.50;
    router {
        172.17.15.1;
    }
    propagate-settings vlan.15;
}

Configure security zones and make sure at least DHCP and ICMP are allowed on AX411 facing zone

[edit]
root@srx220# show security zones 
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone trust {
    interfaces {
        vlan.15 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}

Now without going further, plug in your AX411 AP and wait till status led lights steadily green. Ok good but which one of those 4 LEDs is the status. I took a photo for you and labeled them. If I am not mistaken these are the leds’ meanings.

AX411_leds
Note: Only radio1 will turn to blue when it is on and broadcasting.

If you have powered up the AP and haven’t created a configuration yet this is what you will get similarly. Bold written text ap28c0dad4b505 under Access-Point column is actually MAC address of your AP.

root@srx220> show wlan access-points    

Active access points information


Access-Point        Type   Interface    Radio-mode/Channel
ap28c0dad4b505      Ext    vlan.15      None, None

Now lets configure one of the radios and create one virtual access point.

[edit]
root@srx220# show wlan 
access-point AX411 {
    mac-address 28:c0:da:d4:b5:05;
    access-point-options {
        country {
            NL;
        }
    }
    radio 1 {
        radio-options {
            mode an;
            channel {
                number 44;
            }
        }
        virtual-access-point 0 {
            ssid AX411_juniper;
            security {
                wpa-personal {
                    wpa-version {
                        v2;
                    }
                    cipher-suites {
                        both;
                    }                   
                    key "$9$3gqDnCuOBESyKu0LxdVY2QF36p0cfaSrL7-MW8xN-bw"; ## SECRA
                }
            }
        }
    }
}

Now we are broadcasting our SSID AX411_juniper

If you check the access point once again, you will see that your configured access point name AX411 is assigned to the device

root@srx220# run show wlan access-points 

Active access points information

Access-Point        Type   Interface    Radio-mode/Channel
AX411               Ext    vlan.15      an/44, bgn/9

In order to provide connectivity for your clients make sure you have security policy from trust to untrust zone is created and NAT is also in place.

Now when I turned on my wireless interface on my tablet, I see that I am connected to AX411_juniper:) Here we go!

ax411_juniper

Let’s see how we check this on SRX.

root@srx220> show wlan access-points client-associations AX411 

Access point client associations information


Access point: AX411, VAP Radio1:vap0

Client MAC Address   Auth   Channel/Rate/RSSI   Packets Rx/Tx   Bytes Rx/Tx
d8:50:e6:11:62:80    Yes    44/135/-67          105/4           9418/458 

This MAC belongs to our client.

and also we can get more details on DHCP bindings

root@srx220> show system services dhcp binding 
IP address       Hardware address   Type     Lease expires at
172.17.15.10     28:c0:da:d4:b5:00  dynamic  2014-07-22 13:51:23 CEST    <<<<<

Now from client tablet, I initiate a connection towards rtoodtoo.net webserver and we can see that session is created from vlan.15 interface towards ge-0/0/0.0 WAN interface

root@srx220>show security flow session destination-prefix 91.203.212.8 destination-port 80    
Session ID: 14001, Policy name: default-policy-00/2, Timeout: 1798, Valid
  In: 172.17.15.11/55464 --> 91.203.212.8/80;tcp, If: vlan.15, Pkts: 11, Bytes:5
  Out: 91.203.212.8/80 --> 192.168.1.2/6714;tcp, If: ge-0/0/0.0, Pkts: 20, By8

Session ID: 14004, Policy name: default-policy-00/2, Timeout: 18, Valid
  In: 172.17.15.11/55465 --> 91.203.212.8/80;tcp, If: vlan.15, Pkts: 1, Bytes: 0
  Out: 91.203.212.8/80 --> 192.168.1.2/2899;tcp, If: ge-0/0/0.0, Pkts: 1, Byt0
Tags:

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


7 thoughts on “SRX AX411 Access Point Configuration”

  1. Good Post.
    Are you enabling both Radios? What I have noticed, if you have both 2.4Ghz and 5Ghz radios turned on, 2.4Ghz dies after few hours. Very annoying. Apparently only one works at a given time.

    1. Actually I haven’t enabled both as far as I remember. I will check once I get round to it though.

  2. I noticed the AX411 is end-of-life. Are there any APs that will be taking its place that will be manageable by the SRX?

      1. There is no AP that will replace AX411. What I hear is new branch SRX’s with builtin AP ( similar to what other vendors have) . New Branch will have faster chipset, more memory and much more.

Leave a Reply to rtoodtooCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading