Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Interfaces User Guide for Security Devices Wi-Fi MPIM

Interfaces User Guide for Security Devices

keyboard_arrow_up
close
keyboard_arrow_left
Interfaces User Guide for Security Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Wi-Fi Mini Physical Interface Module (MPIM)

date_range 20-Dec-24
arrow_backward
arrow_forward

The Wi-Fi Mini-Physical Interface Module (Mini-PIM) for SRX Series Firewalls provides an integrated wireless access point (or wireless LAN) solution along with routing, switching, and security in a single device. The topics below describes the overview and configuration of Wi-Fi Mini-PIM on SRX Series Firewalls.

Wi-Fi Mini-Physical Interface Module Overview

Wi-Fi Mini-Physical Interface Module (Wi-Fi Mini-PIM) for SRX320, SRX340, SRX345, SRX380, and SRX550M provides an integrated wireless access point —or wireless LAN— along with routing, switching, and security in a single device. Mini-PIM supports the 802.11ac Wave 2 wireless standards and is backward compatible with 802.11a/b/g/n. You can use the three new models of the Wi-Fi Mini-PIM based on the regional wireless standard requirements;

  • SRX-MP-WLAN-US — The model based on USA’s wireless standard.

  • SRX-MP-WLAN-IL — The model based on Israel’s wireless standard.

  • SRX-MP-WLAN-WW — The model for other countries.

You cannot change the country code for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models as they are fixed. The Wi-Fi Mini-PIM can coexist with other Mini-PIMs supported on the SRX Series Firewall.Table 1 provides a summary of the features supported on Mini-PIM.

Typical deployments for Wi-Fi Mini-PIM solution include:

  • Secure wireless LAN connectivity to endpoint devices of corporate users at remote branch offices. 802.11ac, WPA2, 802.1X, and SSID-to-VLAN mapping features provide secure Wireless LAN connectivity.

  • Direct network connectivity to the enterprise Internet of Things (IoT) devices. The security features on the SRX Series Firewalls secure the IoT devices.

See How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways for more information about how to install the Wi-Fi Mini-PIM.

Wireless LAN Interface in Chassis Cluster Mode

The Mini-PIM is also supported in chassis cluster mode to provide redundancy. Wireless users are connected to the active interface in redundancy group. To support chassis cluster mode for wireless LAN interface Mini-PIM, you need to configure chassis cluster setup with two wireless LAN interfaces wl-x/0/0 and wl-y/0/0, where x indicates the slot number which wireless LAN interface Mini-PIM plug in on the node 0 and Y indicates the slot number which wireless LAN interface Mini-PIM plug in on the node 1.

In chassis cluster mode, there is one wireless LAN interface active, the other wireless LAN interface is inactive. Wi-Fi client is associated to active wireless LAN interface.

Below are the list of events which trigger wireless LAN interface failover when:

  • wireless LAN interface is abnormal.

  • primary wireless LAN interface is down.

  • Redundant group which wireless LAN interface belongs to failover manually.

  • primary WLAN interface node is failed.

After wireless LAN interface failover, the original inactive wireless LAN interface is changed to active and the Wi-Fi client sessions are reconnected to the new primary wireless LAN interface.

With chassis cluster mode, WLAND process runs on both nodes. The WLAND on primary node pushes the WLAN configuration to PFE on two nodes, and then PFE forwards the configuration to local wireless LAN interface card so that two wireless LAN interface cards have the same configuration.

To monitor wireless LAN interface status, WLAND finds the wireless LAN interface to be abnormal, it can trigger redundant group failover. In Layer 3 mode, by default, wireless LAN interface activity monitor is configured for WLAN high availability using the commands set chassis cluster redundancy-group 1 interface-monitor wl-2/0/0 weight 255 and set chassis cluster redundancy-group 1 interface-monitor wl-7/0/0 weight 255.

The new primary wireless LAN interface is active and the abnormal wireless LAN interface card is restarted and goes to inactive state. The Wi-Fi client is reconnected to the active wireless LAN interface automatically since the configuration (radio, channel, bandwidth, ssid, and so on) on active WAP is same as the original wireless LAN interface.

Wireless LAN Interface in Layer 3 (L3) Mode

The interfaces are configured as subordinate interface of RETH using the command set interfaces wl-x/0/0 gigether-options redundant-parent reth-interface. You can add the RETH interface to one redundant group and set the priority for each node in the redundant group. Only one wireless LAN interface is active in the redundant group and the other one is inactive.

Wireless LAN Interface in Layer 2 (L2) Mode

You can build SRX Series Firewalls in chassis cluster mode with wireless LAN interface Mini-PIM. The peer wireless LAN interfaces are configured in the same VLAN and the wireless LAN interface on the primary node of redundant group zero is chosen as active interface by default. L2 mode (family ethernet-switching) of wireless LAN interface behave like any other L2 switching port (trunk port).

Features Supported on the Wi-Fi Mini-PIM

Table 1 lists the key features supported on the Wi-Fi Mini-PIM.

Table 1: Wi-Fi Mini-PIM Features

Feature

Description

2x2 MU-MIMO

Enables transmission of data to multiple clients simultaneously.

Dual radios

Both radios of 2.4 GHz and 5 GHz bands are simultaneously supported. The maximum supported speed is upto 1.2 Gbps.

Virtual access points (VAPs) and VLAN features

  • Allows you to segment the WLAN into multiple broadcast domains that are the wireless equivalents of Ethernet VLANs. A single access point is segregated into multiple individual VAPs, simulating multiple access points in a single system.

  • An access point supports multiple VLANs, which can be distributed across VAPs and radios.

  • You can configure up to eight VAPs per radio. You can map up to 16 extended service set identifiers (ESSIDs) to individual VLANs.

  • The VLANs from the Mini-PIM software map to VLANs on Junos OS.

Co-existence of interfaces

The Wi-Fi Mini-PIM coexists with 4G LTE, VDSL, T1, and serial interfaces.

Client authentication methods

Client authentication methods supported are Wi-Fi Protected Access (WPA) Enterprise (WPA2 standards) and Wi-Fi Protected Access (WPA) Personal (AES-CCMP cipher suits and WPA2 standards).

Configure Wi-Fi Mini-PIM

You can configure the radios and virtual access points on the Wi-Fi Mini-PIM. This topic contains sections that describe the basic Wi-Fi Mini-PIM configuration at the wireless interface level. For more information about how to install a Wi-Fi Mini-PIM see How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways.

The following sections describe how to configure the Wi-Fi Mini-PIM on your SRX Series Firewall.

Configure Network Setting for the Wi-Fi Mini-PIM

Configure wl- interface

The interface name for the Mini-PIM is denoted as wl-x/0/0, where x is the slot on the SRX Series Services Gateway in which the Mini-PIM is installed. The wl- interface is created automatically when you insert the Mini-PIM into the slot on the SRX Series Firewall.

To configure the wireless LAN interface:

  1. Configure an IP address for the Wi-Fi interface:
    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces wl-x/0/0 unit unit-number family inet address address
  2. Configure the address pool.
    content_copy zoom_out_map
    [edit]
user@host# set access address-assignment pool pool-name family inet network ip-address 
user@host# set access address-assignment pool pool-name family inet range range-name low ip-address 
user@host# set access address-assignment pool pool-name family inet range range-name high ip-address 
user@host# set access address-assignment pool pool-name family inet dhcp-attributes router router ip-address

    The DHCP address pool and the Wi-FI interface must be in the same network.

  3. Enable the DHCP server on the interface.
    content_copy zoom_out_map
    [edit interfaces]
user@host# set system services dhcp-local-server group group interface wl-x/0/0

    The eth0 interface on the Mini-PIM enables the DHCP client. If the DHCP server is enabled on the wl interface, the server assigns an IP address to the eth0 interface. You can view the binding information by issuing the show dhcp server binding command.

  4. Assign the interface to a security zone.
    content_copy zoom_out_map
    [edit interfaces]
user@host# set security zones security-zone zone interface wl-x/0/0

Configure Access Point

To configure the access point associated with the wireless LAN interface wl-x/0/0:

  1. Configure the interface.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name interface wl-x/0/0

  2. Set the country code (applicable only for SRX-MP-WLAN-WW models of the Mini-PIM).

    Note:

    If you do not set the country code for the SRX-MP-WLAN-WW models, the Mini-PIM considers the country code as US. You cannot set the country code for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name access-point-options country country-code

  3. Set the physical location (location of your hardware device, example: 1st-floor).

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name location location

  4. Commit the configuration.

    content_copy zoom_out_map
    [edit]
user@host# commit

Configure Radios

Every access point has two radios—radio 1 operates at 5-GHz bandwidth and radio 2 operates at 2.4-GHz bandwidth. A VAP is configured based on the radio. You can configure up to eight VAPs per radio and map up to 16 ESSIDs to individual VLANs. Wi-Fi Mini-PIM supports both the radios (2.4 and 5 GHz) to work simultaneously. You can also disable a radio. Table 2 lists the modes supported on each radio.

Changing the radio settings can cause the access point to stop and restart system processes. If this occurs, wireless clients that are connected to the access point temporarily lose connectivity. We recommend that you change radio settings when WLAN traffic is low.

Table 2: Supported Modes on Wi-Fi Mini-PIM Radios

Radio

Supported Modes

Radio 1 (5.0 GHz)

  • an—802.11a and 802.11n clients operating on 5 GHz frequency can connect to the access point

  • acn—802.11a, 802.11n and 802.11ac clients operating on 5 GHz frequency can connect to the access point

Radio 2 (2.4 GHz)

  • gn—802.11g, 802.11b and 802.11n clients operating in 2.4 GHz frequency can connect to the access point. This is the default mode for this radio.

  • g—802.11g clients operating in 2.4 GHz frequency can connect to the access point supported from Junos OS Release 20.4R1.

To configure the radio:

  1. Configure the radio mode. Radio 1 supports acn and an modes. Radio 2 supports only gn mode.

    content_copy zoom_out_map
    For radio 1:
[edit]
user@host# set wlan access-point name radio 1 radio-options mode [an|acn]
    content_copy zoom_out_map
    For radio 2:
[edit]
user@host# set wlan access-point name radio 2 radio-options mode gn

  2. Configure the channel number. If you select auto, then the Mini-PIM chooses the channel automatically. By default, channel number is set to auto.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name radio [1|2] radio-options channel number [auto | channel-number]

  3. Configure the channel bandwidth. The default channel bandwidth is 20 MHz for the 2.4 GHz radio and 40 MHz for the 5 GHz radio. You can only set 80 MHz as the channel bandwidth for 5 GHz radio and not for 2.4GHz.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name radio [1|2] radio-options channel bandwidth [20|40|80]

  4. Configure the transmit power. You can configure the transmit power on a per-radio basis.

    Note:

    When you configure the transmit power, the Mini-PIM card will fix transmit power to the specified value set, in this case, the power by rate functionality does not work. So it is recommended not to set transmit power to a specified value. When you do not configure the transmit power (do not fix the transmit power to a specified value), the power by rate functionality works. If you configure the transmit power percentage to 100, then it chooses the option "auto", the behavior is similar to no transmit power configured and power by rate functionality will work.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name radio [1|2] radio-options transmit-power percent

  5. Commit the configuration.

    content_copy zoom_out_map
    [edit]
user@host# commit

    In countries where Dynamic Frequency Selection (DFS) is required, the Wi-Fi card performs appropriate checks for radar. DFS is enabled by default. If you set the channel number to auto, the access point selects the channel from the list of DFS and non-DFS channels. You can disable DFS by using the dfs-off option set wlan access-point name radio 1 radio-options dfs-off.

    Only the 5 GHz radio (radio 1) supports DFS.

    For more information on DFS, see Channels and Frequencies Supported on the Wi-Fi Mini-PIM.

Configure Virtual Access Points (VAP)

VAPs allow segmentation of the wireless LAN into multiple broadcast domains that are the wireless equivalents of Ethernet VLANs. To configure the VAP:

  1. Enter an ID and description for the VAP.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name radio [1|2] virtual-access-point id description description

  2. Enter the SSID value.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name radio [1|2] virtual-access-point id ssid ssid

  3. Configure one of the following security authentication methods for the VAP.

    • none—The data transferred between clients and the access point is not encrypted. Clients can associate with the access point without any authentication.

      content_copy zoom_out_map
      [edit]
user@host# set wlan access-point name radio [1|2] virtual-access-point id security none

    • wpa-enterprise—The device authenticates through an 802.1X-compliant RADIUS server.

      content_copy zoom_out_map
      [edit]
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-enterprise cipher-suites ccmp 
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-enterprise radius-server ip-address 
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-enterprise radius-port port 
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-enterprise radius-key secret-key 
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-enterprise wpa-version v2

    • wpa-personal—The device uses preshared keys (PSKs) or a passphrase for authentication and encryption. Keys are stored on the device and on all wireless clients. You do not need to configure a separate authentication server.

      content_copy zoom_out_map
      [edit]
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-personal cipher-suites ccmp 
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-personal key-type [ascii|hex] 
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-personal key password 
user@host# set wlan access-point name radio [1|2] virtual-access-point id security wpa-personal wpa-version v2

  4. Configure and specify the upload and download rate limits on the Wi-Fi Mini-PIM. The range for upload-limit and download-limit is from 256 Kbps to 1,048,576 Kbps.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name radio [1|2] virtual-access-point id upload-limit upload-limit-rate 
user@host# set wlan access-point name radio [1|2] virtual-access-point id download-limit download-limit-rate

  5. Specify the maximum number of clients that can be connected to the VAP.

    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name radio [1|2] virtual-access-point id maximum-stations number

  6. Commit the configuration.

    content_copy zoom_out_map
    [edit]
user@host# commit

After completing the configuration successfully, you can view the parameters by using the show wlan access-points name detail command.

Configure VLANS

Configure VLANs based on VAP

(Optional) A single access point is segregated into multiple individual virtual access points (VAPs) simulating multiple access points in a single system. The access point supports multiple VLANs. To configure the VLAN ID based on the VAP:

  1. Configure the VLAN for the wireless LAN interface (wl- interface). Follow the below steps to configure VLAN ID based on the VAP :
    content_copy zoom_out_map
    [edit]
user@host# set vlans vlan-name vlan-id vlan-id 
user@host# set vlans vlan-name vlan-id-list vid-list 
user@host# set interfaces wl-x/0/0 unit unit-number family ethernet-switching vlan members all
  2. Set trunk mode on the wl- interface.
    content_copy zoom_out_map
    [edit]
user@host# set interfaces wl-x/0/0 unit unit-number family ethernet-switching interface-mode trunk
  3. Set the native VLAN of the wl- interface.
    content_copy zoom_out_map
    [edit]
user@host# set interfaces wl-x/0/0 native-vlan-id vlan-id

    When you configure native vlan, the wl- interface will add a tag when it receives an untagged packet and takes no action when it receives a tagged native-vlan-id packet.

  4. Configure the access point for the wl- interface.
    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name interface wl-x/0/0​
  5. Configure all VAP parameters including the radio mode, channel number, and VAP SSID, VAP VLAN ID on the Wi-Fi Mini-PIM.
    content_copy zoom_out_map
    [edit]
user@host# set wlan access-point name radio (1| 2) radio-options mode (an| gn | acn) 
user@host# set wlan access-point name radio (1| 2) radio-options channel number  (auto | channel-number) 
user@host# set wlan access-point name radio (1| 2) virtual-access-point id ssid ssid 
user@host# set wlan access-point name radio (1| 2) virtual-access-point id vlan vlan-id
  6. Commit the configuration.

Configure WPA enterprise authentication

(Optional) Wi-Fi protected access (WPA) enterprise is Wi-Fi alliance standard that uses RADIUS server authentication with AES-CCMP cipher suite. With this mode you can use high security encryption along with a centrally managed user authentication. Only the WPA2 standard is supported. To configure the WPA enterprise authentication:

  1. Configure the address book and assign a security zone.

    content_copy zoom_out_map
    [edit]
user@host# set security address-book book-name address address-name ip-prefix 
user@host# set security address-book book-name attach zone trust  
user@host# set security address-book book-name attach zone dot1x

  2. Configure security source rule-set from trust zone to the WPA authentication.

    content_copy zoom_out_map
    [edit]
user@host# set security nat source rule-set rule-set-name from zone trust 
user@host# set security nat source rule-set   rule-set-name to zone dot1x

  3. Configure the security source to match the source and destination address.

    content_copy zoom_out_map
    [edit]
user@host# set security nat source rule-set  rule-set-name rule rule-name match source-address ip-address 
user@host# set security nat source rule-set rule-set-name rule rule-name match destination-address ip-address

  4. Configure the UDP protocol and security source on the interface.

    content_copy zoom_out_map
    [edit]
user@host# set security nat source rule-set rule-set-name rule rule-name match protocol udp 
user@host# set security nat source rule-set rule-set-name rule rule-name then source-nat interface

  5. Assign the security policies to the source and destination address.

    content_copy zoom_out_map
    [edit]
user@host# set security policies from-zone trust to-zone dot1x policy internet-access match source-address ip-address  
user@host# set security policies from-zone trust to-zone dot1x policy internet-access match destination-address ip-address  
user@host# set security policies from-zone trust to-zone dot1x policy internet-access match application any  
user@host# set security policies from-zone trust to-zone dot1x policy internet-access then permit

  6. Commit the configuration.

After completing the configuration successfully completed, you can view the parameters by using the show wlan access-points name virtual-access-points command.

Configure Multiple VLANs and SSIDs

You can configure 8 VAPs on each radio and each VAP is identified by the SSID. Up to 16 SSIDs can be configured on the Wi-Fi Mini-PIM. You can map a VLAN to each SSID or you can assign a single VLAN for multiple SSIDs The client connects to the VAP using the SSID and is associated to the VLAN that is mapped to the SSID.

You can configure multiple SSIDs to provide varied levels of access to different devices and users. Here is a sample configuration for three different types of users connecting to different VAPs. Each VAP is associated with a different VLAN.

Interface

VLAN ID

Address pool

VAP

SSID

Address pool

wl-2/0/0.0

100

junosDHCPPool

192.168.2.0/24

wl-2/0/0.10

10

junosDHCPPool1

VAP1

VAP-10

192.168.10.0/24

wl-2/0/0.20

20

junosDHCPPool2

VAP2

VAP-20

192.168.20.0/24

wl-2/0/0.30

30

junosDHCPPool3

VAP3

VAP-30

192.168.30.0/24

  1. Configure the interface to be part of the security zone.
    content_copy zoom_out_map
    user@host# set interfaces wl-2/0/0 unit 0 vlan-id 100
user@host# set interfaces wl-2/0/0 unit 0 family inet address 192.168.2.1/24
  2. Configure a security zone.
    content_copy zoom_out_map
    user@host# set wlan access-point name interface wl-2/0/0
user@host# set wlan access-point name access-point-options country US
user@host# set wlan access-point name location California
  3. Enable the DHCP server on the interface and configure the address pool for the Wi-Fi interface:
    content_copy zoom_out_map
    user@host# set wlan access-point name radio 1 radio-options mode acn
user@host# set wlan access-point name radio 1 radio-options channel number auto
user@host# set wlan access-point name radio 1 radio-options channel bandwidth 40
  4. Configure flexible VLAN tagging on the Wi-Fi interface:
    content_copy zoom_out_map
    user@host# set wlan access-point name radio 2 radio-options mode gn
user@host# set wlan access-point name radio 2 radio-options channel number auto
user@host# set wlan access-point name radio 2 radio-options channel bandwidth 40
  5. Configure the VLANs
    content_copy zoom_out_map
    user@host# set wlan access-point name radio 1 virtual-access-point 1 description VAP1
user@host# set wlan access-point name radio 1 virtual-access-point 1 ssid VAP-10
user@host# set wlan access-point name radio 1 virtual-access-point 1 vlan 10
user@host# set wlan access-point name radio 1 virtual-access-point 1 security wpa-personal cipher-suites ccmp
user@host# set wlan access-point name radio 1 virtual-access-point 1 security wpa-personal key-type ascii
user@host# set wlan access-point name radio 1 virtual-access-point 1 security wpa-personal key ascii-string
user@host# set wlan access-point name radio 1 virtual-access-point 1 security wpa-personal wpa-version v2
user@host# set wlan access-point name radio 1 virtual-access-point 1 upload-limit 1000
user@host# set wlan access-point name radio 1 virtual-access-point 1 download-limit 1000
user@host# set wlan access-point name radio 1 virtual-access-point 1 maximum-stations 70
  6. Repeat steps 2 through 5 for the wl-2/0/0.10, wl-2/0/0.20, and wl-2/0/0.30 interfaces.
  7. Configure the access point settings:
    content_copy zoom_out_map
    user@host# set wlan access-point name radio 1 virtual-access-point 2 description VAP2
user@host# set wlan access-point name radio 1 virtual-access-point 2 ssid VAP-20
user@host# set wlan access-point name radio 1 virtual-access-point 2 vlan 20
user@host# set wlan access-point name radio 1 virtual-access-point 2 security wpa-personal cipher-suites ccmp
user@host# set wlan access-point name radio 1 virtual-access-point 2 security wpa-personal key-type ascii
user@host# set wlan access-point name radio 1 virtual-access-point 2 security wpa-personal key ascii-string
user@host# set wlan access-point name radio 1 virtual-access-point 2 security wpa-personal wpa-version v2
user@host# set wlan access-point name radio 1 virtual-access-point 2 upload-limit 1000
user@host# set wlan access-point name radio 1 virtual-access-point 2 download-limit 1000
user@host# set wlan access-point name radio 1 virtual-access-point 2 maximum-stations 80
  8. Configure the radio settings:

    For radio 1:

    content_copy zoom_out_map
    user@host# set wlan access-point name radio 2 virtual-access-point 3 description VAP3
user@host# set wlan access-point name radio 2 virtual-access-point 3 ssid VAP-30
user@host# set wlan access-point name radio 2 virtual-access-point 3 vlan 30
user@host# set wlan access-point name radio 2 virtual-access-point 3 security wpa-personal cipher-suites ccmp
user@host# set wlan access-point name radio 2 virtual-access-point 3 security wpa-personal key-type ascii
user@host# set wlan access-point name radio 2 virtual-access-point 3 security wpa-personal key ascii-string
user@host# set wlan access-point name radio 2 virtual-access-point 3 security wpa-personal wpa-version v2
user@host# set wlan access-point name radio 2 virtual-access-point 3 upload-limit 1000
user@host# set wlan access-point name radio 2 virtual-access-point 3 download-limit 1000
user@host# set wlan access-point name radio 2 virtual-access-point 3 maximum-stations 70

    For radio 2:

    content_copy zoom_out_map
    user@host# commit
  9. Configure the VAPs.

    VAP1:

    content_copy zoom_out_map
    user@host>  show wlan access-points

    VAP2:

    content_copy zoom_out_map
    Active access points information

Access-Point   Type   Interface    Radio-mode/Channel
i03-22-ap      Int    wl-1/0/0     gn/2, an/157

    VAP3:

    content_copy zoom_out_map
    user@host>  show wlan access-point i03-22-ap detail
  10. Commit the configuration.
    content_copy zoom_out_map
    Active access point detail information
Access Point        : wap3
Type                : Internal
Location            : First Floor, Building 8
Serial Number       : 850001809
Firmware Version    : 10.1.3.8
Alternate Version   : 10.1.3.7
Country             : US
Access Interface    : wl-1/0/0
Packet Capture      : Disabled
Ethernet Port:
MAC Address         : 00:14:13:12:10:11
IPv4 Address        : 192.168.1.5
Radio1:
Status              : On
MAC Address         : 00:1F:12:E0:84:20
Mode                : IEEE 802.11a/n
Channel             : 124 (5620 MHz)
Radio2:
Status              : On
MAC Address         : 00:1F:12:E0:84:30
Mode                : IEEE 802.11g/n
Channel             : 3 (2422 MHz)

Verification

Display information about the parameters configured on the Wi-Fi Mini-PIM.

  • To display the details of all the access points configured on the Mini-PIM:

    content_copy zoom_out_map
    user@host# show wlan access-points
    content_copy zoom_out_map
    Active access points information
Access-Point Type Interface Radio-mode/Channel/Bandwidth
wap3 Int wl-2/0/0 acn/120/40, gn/11/20

  • To display the status of the specific access point.

    content_copy zoom_out_map
    user@host# show wlan access-points ap-name
detail
    content_copy zoom_out_map
    show wlan access-points wap3 detail
 
Active access point detail information
 
Access Point          : wap3
Description           : juniper_name:srx345-rocket_1_interface:wl-3/0/0
Type                  : Internal
Location              : Floor_srx345-rocket_1
Firmware Version      : v1.2.9
Alternate Version     : v1.5.5-1-g62e9ba0
Country               : US
Access Interface      : wl-3/0/0 
System Time           : Wed Dec 28 16:13:04 UTC 2022 
Packet Capture        : Off
Ethernet Port:
    MAC Address       : 72:19:2a:56:a2:0c
Radio1:            
    Status            : On
    MAC Address       : 94:f7:ad:2c:08:41
    Temperature       : 49
    Mode              : IEEE 802.11a/n/ac
    Channel           : 153
    Bandwidth         : 40
    Transmit Power    : 100
Radio2:            
    Status            : On
    MAC Address       : 94:f7:ad:2c:08:42
    Temperature       : 48
    Mode              : IEEE 802.11g/n
    Channel           : 6
    Bandwidth         : 40
    Transmit Power    : 100

  • To display the details about the clients connected to the access point.

    content_copy zoom_out_map
    user@host# show wlan access-points ap-name
client-associations
    content_copy zoom_out_map
    Access point client associations information
Access point: wap3
VAP Client MAC Address Auth Packets Rx/Tx
Bytes Rx/Tx
Radio1:5g_vap1 00:00:5e:00:53:a3 NO 3/0
510/0

  • To display details about the virtual access points.

    content_copy zoom_out_map
    user@host# run show wlan access-points ap-name virtual-access-points all
    content_copy zoom_out_map
    Virtual access points information

Access point name: wap3
Radio1:
VAP0:
    SSID                    : srx345-rocket_vap_5G_1
    Description             : srx345-rocket_vap_5G
    MAC Address             : 94:f7:ad:2c:08:41
    Maximum Station         : 127
    Broadcast SSID          : Enable
    Station Isolation       : Disable
    Upload Limit            : Disable
    Download Limit          : Disable
    VLAN ID                 : 100
    Station MAC Filter      : Disable
    Traffic Statistics:
      Input Bytes           : 0
      Output Bytes          : 0
      Input Packets         : 0
      Output Packets        : 0
Radio2:
  VAP0:
    SSID                    : srx345-rocket_vap_2.4G_1
    Description             : srx345-rocket_vap_2dot4G
    MAC Address             : 94:f7:ad:2c:08:42
    Maximum Station         : 127
    Broadcast SSID          : Enable
    Station Isolation       : Disable
    Upload Limit            : Disable
    Download Limit          : Disable
    VLAN ID                 : 100
    Station MAC Filter      : Disable
    Traffic Statistics:
      Input Bytes           : 0
      Output Bytes          : 0
      Input Packets         : 0
      Output Packets        : 0

See Also

  • wlan
arrow_backward PREVIOUS LTE Mini Physical Interface Modules (LTE Mini-PIM)
NEXT arrow_forward Configuring 1-Port Clear Channel DS3/E3 GPIM
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top