SMG-700 User's Guide V1.00 (Nov 2004)
Contents
1. M 43 3 1 How to Configure Multiple Wireless Networks eeeeeeeseeieenee eese nnne nnns nnne nnns 43 ZyXEL NWA 3100 User s Guide LE Table of Contents 24414 Change the Operating Mou iii ii ibsn aee pt E en EAR RECUAS E RPRO GR ERROR HE Rv LEUR CA 44 3 1 2 Gonlgure the VolP MOIIER asi ces emer tter asa rdi debe A DIn RE rCU Ceu REALI RR UD si perine EE 46 3 1 2 1 Sat Up Security for the VolP Protec tcsscccsctescccaserseiiercarieduncsaniaidotanieieereniaas 47 9 12238 PC cee Iho VOTE POIS 16 snes eter er toD rH AERE EU Cp da c rains 49 KwcamenisdPIEuresti dii den 49 3 1 3 1 Set Up Security for tho Guest FrOfIlG uiuicci iacit iacere tmeei te ento cinere 50 3 1 3 2 Set up Layer 2 lsolati n RD 51 3 1 3 3 Activate ihe Eo ele PEORES aispesezonodkchrkodN ORE NS Ee EU EQ nE 24 3 1 4 Testing the Wireless Neb 1 i icio n ie ore a nr coi per ss eda RP eines 52 3 2 How to Set Up and Use Rogue AP Detection eeeeeeeseseeissse enean itta atn 52 9441 Set Up and Saved Friendly AP ISt 1 creare orrt tarte betae eere reta eeu pL toan narinaa 54 3 2 2 Activate Periodic Rogue AP Detection eese ene nnne nan rena nnn naa 56 Gu weeny M2 E a NES Rp 57 3 24 Conngure Your Other Access POWs scicccccsssnccewesssscecssessgeesssastavecesssen na ii aaan 58 ion MOSES SED aaia a a e vbi ee edd ela en aaa has 58 Part Il The Web Configurator2. eec 223 24 2 ZyXEL Device Access and LOGIN iussis en cineri ia o iE ELE r de DLE EE ELI MEX E pud d de 223 24 9 fteinet SOGDES EEN E O en aoa i cin Log ur HER pea FIR Lacie FAR rut uds 225 Part IV Appendices and Index eeeeeeeeeeeeeee 227 Appendix J Product SpeciTicatlares ases ep a EIE CTEEK EURO I LEE EERETEE FEE ERA ERA TELLE ERAS 229 Appendix B Setting up Your Computer s IP Adaress sssssssmHRA 233 Appendix C IP Address Assignment Conflicts esssssesee ee 245 Append D Wireless LANG ucc DREW Dee T FOEDE FOL SAY bOL ad EE ER Fk OR POPE E Ce A 249 Appendix E Indoor Installation Recommendations sssssseem Re 259 Appendix F Pop up Windows JavaScripts and Java Permissions ccccccccceeeeeeeeeeees 261 Appendix G IP Addresses and Subnetting ssssessssesseeee eee 267 Appendix H Text File Based Auto Configuration ccccccccccccccecceecceeeeeeeeeeseeeeeseseeeeeneeeess 275 Appendix d Deal RIGIFBREBOD ssnstinin EE ATA Ri ae it S YT ASi 283 Appendix J Customer SUPPO srcima aa E an P OD EH Raid 287 lj a E E A A 291 ZyXEL NWA 3100 User s Guide List of Figures List of Figures Figure T Aeeess Pon ADDERE 5 iori Ea ee a o aeuo Elder v d la c eR anes 32 Figure 2 AP Bridge Application Mem 33 Figure 3 BRIGG Applian e
3. 34 Figure Repeater AUDDOABO auena EE a A Aa 34 Fone o RUIE DI gt aE 35 Figure 6 LEDS m anaia ia a 37 Figure 7 Change Password Sereen usu oda epe aod ed ianei an ER PG TIE RR PT TENANE ASEE edad aaa ER BA KE dd 40 Figur 2 Replace Ceniicate SCP as wes aciscs asics stan anaana 40 Figure 9 The MAIN MENU Screen of the Web Configurator ccccsccccceeessscccceresseececereessneceeeeesneaees 41 Figure 10 Tatoral Example MBSSIB SetiD iisndsssectnd ortae vid debe bbxxE Ra eEEX EF P Pad EXR ES Ce ETE AAAI E ONKAAN 44 Figure 11 Tutorial Wireless LAN Before ionic coercet rore vet Lr rh e ke pc t tbv it doe ap pi 45 Figure TZ Tutorial Wireless LAN Change Mode icici ses e eir eie npe vibe prr tins o pe a obe E RE FE MR NN 45 Figure T3 Taunal WIRELESS 7 SIDE 1 uiros t ipod epo v te bte ebbe Ure De rcr atop nium bos Connie vp Md gR 46 Figure 14 Tutorial VolP SSID Profile EG e 47 Figure 19 TUtorial VolP SeCUmMy ersed prt ttin t Ear Ag asir nnen ENE EAN EENE EEEN Ra na ERR UR KE PB AM RE RE 48 Figure T6 Tutorial YolP SscHpncy Profle Edil usiscapeciet cer epe Hp tete PI E ETA 48 Figure 17 Tutorial VolP Secun Updated nie rbi ds i oe inn als aaa 49 Figure 18 Tutorial Activate VolP Profile 1 22 rermirerp rea e Eph dul aaia epp pad e dasa IU Eu paa DER RR PIN Kid I 49 Figure 19 Tutorial Guest Edil m 50 Figure 20 Tutorial Guest Security Prole Edit essiri 50 Figure 21 Tutorial Guest Securit
4. eeeeeeeeeeeeeeeeeees 61 Chapter 4 yr cibi MT M 63 LUESCU IEB S 1 Pe 63 EPAeiDsnppsBe ur hir 63 4 3 Configuring 2 RET TT T 64 kc Pese AR Time SeT I Eoo o 0o 0 0E 65 Chapter 5 Wireless Conllgur GlDELa en nandi ntt ti iblandit Ra lS Ra kA UL R RB RR EN RR RAN n 67 mL JE Ee i o ert 67 BOE BOSE dete tnnt niente uitiis ER 67 wur RR 68 abroad Le ECT 68 To DN I Eo pic Meme NM 69 Ba d d moo EE Bee ee 69 ToL TWMM OOS PrENIES E T eee emery eater eters ner Cnet 69 Tee pre 69 POE psc gio ET 70 53 31 ATC PEN from LAT to WLAN uai ci sovieoasi atencoaeaaieaadagiadosatonarheneiasueaxnauoamtnaleds 70 5 5 9 2 ATUSVWMM rom WLAN fo LAN iain ace cder pecunsduteesssiandiedaxtiaieenteaachuieeenices 71 SEE Type COT Sort TOS Pe M araa EN EENE AAA EEE EA N EA AN 71 zw mM CAN O ER 71 534 2 DSOP and PerdopBelavi scie i eO iiaea AASA 71 12 ZyXEL NWA 3100 User s Guide Table of Contents 5 2 5 T09 hype of Service and WMM DOS 1uiosseassisesace te Ye beer EEYpFrLA iS Y Pr FEx SM p PyL EE Rr dS 72 94 Spanning Tree Protocol STP PN NS 72 MIC Ec e 72 hema UIT WENN eT 73 54 3 MoW STP WAKE eie sotsv o UH vo iid oru ola neta dn a a Ee EM iE 73 UT B STP POM GUNS RTT LI LIE TM 73 03 Wireless Screen Overview suissiindstniunnai indenni aadu aaoi
5. ZyXEL NWA 3100 User s Guide Chapter 7 MBSSID and SSID Table 30 Configuring SSID LABEL DESCRIPTION QoS Select the Quality of Service priority for this BSS s traffic Inthe pre configured VoIP SSID profile the QoS setting is VoIP This is not user configurable The VoIP setting is available only on the VoIP SSID profile and provides the highest level of QoS If you select WMM from the QoS list the priority of a data packet depends on the packet s VLAN or DSCP header See Section 5 3 1 on page 69 for more information on WMM and WMM priorities If a packet has no WMM value assigned to it it is assigned the default priority e Ifyou select ATC from the QoS list the ZyXEL Device automatically assigns priority based on packet size See Section 5 3 2 on page 69 for more information on ATC If you select ATC WMM from the QoS list the ZyXEL Device uses WMM on the wireless network and ATC on the wired network See Section 5 3 3 on page 70 for more information on ATC WMM If you select WMM VOICE WMM VIDEO WMM BEST EFFORT or WMM BACKGROUND the ZyXEL Device applies that QoS setting to all of that SSID s traffic Ifyou select NONE the ZyXEL Device applies no priority to traffic on this SSID Note When you configure an SSID profile s QoS settings the ZyXEL Device applies the same QoS setting to all of the profile s traffic L2 Isolation Select Enable from the drop down list box to acti
6. 123 11 4 Remote Management uar VIGW xsnusdnzximticekintoue intet qe Rad de ive iN e M RHOD ONERE AdDN d qukRUEN 123 11 1 1 Remote Management Limitations iae rtr t e a d esa da 124 Tihe or om Mei spicata pena ted ad zn cp Slates opa aai Mga todas oda 124 ufu w 124 ZyXEL NWA 3100 User s Guide Table of Contents TV TUNE ee E P NET EA E A E E MH 124 TEAG O T E E SE ALORA 125 TLS CONNGUIIIG VIG em 126 TI SMEs te a eai ce reve mat Geer re reer em err oe tree eM LO rere ree cma tque 128 TLE T Supported MIES ica sie locit atia Ur tse e eto A 129 iK III zc 129 TI ANDP NRBIS oiae a aaeeea E AN DEA aSa AR OUE E KE Hd br Lupa ELE pP Dir rbd 130 TA onm ONN atte E 130 Chapter 12 pop P ee ee Pe eee er re me nr ere sere werent 133 Teto aes TOV S f 133 12 1 1Advanages pa arci D eeuniadeenedatoeeserialaieeeaae 134 12 2 Solt signad COrtiiGalpS 112 5 reside tnddoc c endure ebd edv vibe dde vut dades kel i 134 12 3 Verifying e Oe ll algas a caspian paladar Duk Load da pa d nd add dd 134 12 3 1 Checking the Fingerprint of a Certificate on Your Computer sssss 134 124 COMIGUESNGH SUNNY es 135 AN CN MAD cs atc ca sa T 135 12 6 Certificate File FOonmmalS e 137 Tar lmporWng a SSIES enaa dila xa n o s
7. 75 ZyXEL NWA 3100 User s Guide List of Figures Figure 29 Budgng EXSRIISC 5 deret a pec SER Na peLUIS T PRULISS E RULES RP ZSES YHP TN RULES NUR A Apes pL LL a nb dRR 77 Figure 40 Bridge Loop Two Bridges Connected to Hub eeeeeee than nana ananas 77 Figure 41 Bridge Loop Bridge Connected to Wired LAN ecce ee erret ette 78 Figure 42 Wireless Bridge Ope o2 pn rrr ios br red adea da exea redo a up eR RR LU a a Re A 78 Figure 43 Wireless APTE ooicssieisdetuteleve beoe uv etr o PDPr ctio ext beo vp RARAN ENANS 80 Figure 44 EAP AUthGNNCSUGI m 82 Figure 45 WPA 2 PSK Authentication eia eias Lascia ennt ade rnb Er subiiunind EENAA KN EEANN EAREN KA 84 Figure 46 WPA 2 with RADIUS Application Example 5 terrere rer nn Pepe Eget br E mE COE FERRI IA ER Rr pR Ri dR 85 Figur CUNY deen e eel aa etnies at ennai pr lola or 87 Figure 4o Securty c AM NC 88 Figure 49 Security ISP t a a 89 Figure 50 Security 802 1x Static 64 bit 802 1x Static 128 bit 90 mo EXOGb e uv ADD 91 Figure 52 Socunty WPA2 or VEPA2 MIX 12 tecti ecnre e tuper ea rota detineri dir Eb vene pct pude 92 Figure 53 Security WPA PSK WPA2 PSK or WPA2 PSK MIX sssseeeee enne eene 94 Figuio 3 Re Luoureoue este qitnintem itp UM alto rt kei eee u i buie eo Mean EE 95 Figure 55 Multiple BSS with VLAN Example 222 torret rhet Ia EIS RR an Aa Aiaia 98 Figure 56 Wireless Multiple BSS aa ioisceotci ppt nid Eae
8. ZyXEL NWA 3100 User s Guide General Setup The chapter shows you the information on general setup 17 1 General Setup Menu 1 General Setup contains administrative and system related information shown next The System Name field is for identification purposes The Domain Name entry is what is propagated to the DHCP clients on the LAN While you must enter the host name System Name on each individual computer the domain name can be assigned from the ZyXEL Device via DHCP 17 1 1 Procedure To Configure Menu 1 Enter 1 in the Main Menu to open Menu 1 General Setup as shown next Figure 131 Menu 1 General Setup Menu 1 General Setup System Name NWA 3100 Domain Name First System DNS Server From DHCP IP Address N A Second System DNS Server None IP Address N A Third System DNS Server None IP Address N A Fill in the required fields Refer to the following table for more information about these fields Table 70 Menu 1 General Setup FIELD DESCRIPTION System Name Choose a descriptive name for identification purposes This name can be up to 30 alphanumeric characters long Spaces are not allowed but dashes and underscores are accepted Domain Name This is not a required field Leave this field blank or enter the domain name here if you know it ZyXEL NWA 3100 User s Guide Chapter 17 General Setup Table 70 Menu 1 General Setup FIELD
9. geben gt gt gt mr y i a oe N EN v 9 ett C Sd C oe a 2T V maa m m ett tall tmm a p o a p et te UAE ooo mmm 0 0L 9 LL ESS Laoreet 5 2 Wireless LAN Basics See the Wireless LANs Appendix for information on the following Wireless LAN Topologies Channel RTS CTS Fragmentation Threshold IEEE 802 1x RADIUS Types of Authentication WPA Security Parameters Summary ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration 5 3 Quality of Service This section discusses the Quality of Service QoS features available on the ZyXEL Device 5 3 1 WMM QoS WMM Wi Fi MultiMedia QoS Quality of Service ensures quality of service in wireless networks It controls WLAN transmission priority on packets to be sent over the wireless network WMM Qos prioritizes wireless traffic according to the delivery requirements of the individual and applications WMM QoS is a part of the IEEE 802 11e QoS enhancement to certified Wi Fi wireless networks On APs without WMM Qos all traffic streams are given the same access priority to the wireless network If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity then the new traffic stream reduces the throughput of the other traffic streams The ZyXEL Device uses WMM QoS to prioritize traffic streams according to the VLAN or DSCP information in each packet s header The ZyX
10. LES You must remove any spaces from the certificate s filename before you can import the certificate Figure 87 Trusted CA Import Please specify the location of the certificate file to be imported The certificate file must be in one of the following formats e Binary X 509 e PEM Base 64 encoded X 509 e Binary PKCS e PEM Base 64 encoded PKCS File Path Browse Apply Cancel The following table describes the labels in this screen Table 50 Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certificate on the ZyXEL Device Cancel Click Cancel to quit and return to the Trusted CAs screen 12 12 Trusted CA Certificate Details Click CERTIFICATES Trusted CAs to open the Trusted CAs screen Click the details icon to open the Trusted CA Details screen Use this screen to view in depth information about the certification authority s certificate change the certificate s name and set whether or not you want the ZyXEL Device to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority ZyXEL NWA 3100 User s Guide Chapter 12 Certificates Figure 88 Trusted CA Details Name Veri
11. 2 In VLAN Group ID Properties click the Members tab The IAS uses group memberships to determine which user accounts belong to which VLAN groups Click the Add button and configure the VLAN group details 3 Repeat the previous step to add each VLAN group required Figure 99 Add Group Members xi Geneial Members Member Of Managed By Members Name Active Directory Folder test 002 1x OK Cancel Apply 14 2 4 2 Configuring Remote Access Policies Once the VLAN Groups have been created the IAS Remote Access Policy needs to be defined This allows the IAS to compare the user account being authenticated against the group memberships of each VLAN Group 1 Using the Remote Access Policy option on the Internet Authentication Service management interface create a new VLAN Policy for each VLAN Group defined in the previous section The order of the remote access policies is important The most specific policies should be placed at the top of the policy list and the most general at the bottom For example if the Day And Time Restriction policy is still present it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Right click Remote Access Policy and select New Remote Access Policy Enter a Policy friendly name that describes the policy Each Remote Access Policy will be matched to one VLAN Group An example
12. Game Controllers 3 Right click Local Area Connection and then click Properties ZyXEL NWA 3100 User s Guide 237 Appendix B Setting up Your Computer s IP Address Figure 168 Windows XP Control Panel Network Connections Properties s Network Connections Edit File View Favorites Tools Advanced Help Q sak Q d Search Folders E Address Network Connections LAN or High Speed Internet Network Tasks ocal Area Connection Create a new connection Disable Set up a home or small office network Stat amp Disable this network gras Repair device EN Repair this connection Bridge Connections i Rename this connection View status of this connection Change settings of this connection Create Shortcut Rename Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and click Properties Figure 169 Windows XP Local Area Connection Properties ction Properties General Authentication Advanced Connect using Hi Accton EN1207D TX PCI Fast Ethernet Adapter This connection uses the following items r2 E Client for Microsoft Networks vi I File and Printer Sharing for Microsoft Networks v ill QoS Packet Scheduler Internet Protocol TCP IP Description Transmission Control Protocol Interet Protocol The default wide area network protocol that provides communication acro
13. eeeeeeeeceeennnnne enn n 214 22 4 8 Example Xmodem Firmware Upload Using HyperTerminal 214 22 4 9 Uploading Configuration File Via Console Port seeene 215 22 4 10 Example Xmodem Configuration Upload Using HyperTerminal 215 Chapter 23 System Maintenance and Information esses nennen nnn 217 ZyXEL NWA 3100 User s Guide Table of Contents 23 1 Command Interpreler MOSS iussis pet po ato t ERE noD EE Wert A da E SUUM 217 PR Wall Rep up ns EVEN elle cc rp DT 218 25 1 2 Command Usage 2e eie eiidd ut cnnnesductsanaedues titur dd dde eed dd dvd dd ipia 218 23 1 3 Brute Force Password Guessing Protection essct 218 23 1 3 1 Configuring Brute Force Password Guessing Protection Example 218 43 2 Hic sind Date SOUS uses secans ratem ue pepe rv SEE FX A ERE bUP ARE EE be A PAESE EEU MPRA EE EtA 219 PAAR Resomia NE TIME qr a eE EEE ANEA S SNE 220 23 3 Remote Management SUID mee 220 FATA ONMI E EE 220 CAL y MM T A Dm 220 pos pl m 220 22 24 Remote Management BOWL iuret cierta rnc a a d n SHE E da nad 220 23 3 5 setas carminis H 222 PAPE NI S M 222 Chapter 24 Troubleshooting ciii ka ce esaa kp A eau A ehe Rok ng Una Du e TALI E E RE 223 24 1 Power Hardware Connections and LEDS
14. Chapter 24 Troubleshooting cannot access the Internet anymore had access to the Internet with the ZyXEL Device but my Internet connection is not available anymore 1 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 5 on page 37 2 Rebootthe ZyXEL Device 3 Ifthe problem continues contact your ISP The Internet connection is slow or intermittent 1 There might be a lot of traffic on the network Look at the LEDs and check Section 1 5 on page 37 If the ZyXEL Device is sending or receiving a lot of information try closing some programs that use the Internet especially peer to peer applications 2 Check the signal strength If the signal is weak try moving the ZyXEL Device closer to the AP if possible and look around to see if there are any devices that might be interfering with the wireless network microwaves other wireless networks and so on 3 Reboot the ZyXEL Device 4 Ifthe problem continues contact the network administrator or vendor or try one of the advanced suggestions Advanced Suggestions e Check the settings for QoS If it is disabled you might consider activating it If it is enabled you might consider raising or lowering the priority for some applications ZyXEL NWA 3100 User s Guide PART IV Appendices and Index Product Specifications 229 Setting up Your Computer s IP Address 233 IP
15. Chapter 6 Wireless Security Configuration 6 7 Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA At the time of writing the most widely available supplicant is the WPA patch for Windows XP Funk Software s Odyssey client and Meetinghouse Data Communications AEGIS client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client However you must run Windows XP to use it The Funk Software s Odyssey client is bundled free at the time of writing with the client wireless adaptor s 6 8 Wireless Security Effectiveness The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device EAP Extensible Authentication Protocol is used for authentication and utilizes static WEP key exchange It requires interaction with a RADIUS Remote Authentication Dial In User Service server either on the WAN or your LAN to provide authentication service for wireless stations Table 19 Wireless Security Levels SECURITY LEVEL SECURITY TYPE Least Unique SSID Default Secure Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802 1x EAP with RADIUS Server Authentication Wi Fi Protected Access WPA Most Secure WPA2 If you do not enable any wireles
16. Corporate Headquarters Worldwide Support E mail support zyxel com tw Sales E mail sales zyxel com tw Telephone 886 3 578 3942 Fax 886 3 578 2439 Web Site www zyxel com www europe zyxel com FTP Site ftp zyxel com ftp europe zyxel com Regular Mail ZyXEL Communications Corp 6 Innovation Road II Science Park Hsinchu 300 Taiwan Costa Rica Support E mail soporte zyxel co cr Sales E mail sales zyxel co cr Telephone 506 2017878 Fax 506 2015098 Web Site www zyxel co cr FTP Site ftp zyxel co cr Regular Mail ZyXEL Costa Rica Plaza Roble Escaz Etapa El Patio Tercer Piso San Jos Costa Rica Czech Republic E mail info cz zyxel com Telephone 420 241 091 350 Fax 420 241 091 359 Web Site www zyxel cz Regular Mail ZyXEL Communications Czech s r o Modransk 621 143 01 Praha 4 Modrany Cesk Republika ZyXEL NWA 3100 User s Guide 287 Appendix J Customer Support Denmark Support E mail support zyxel dk Sales E mail sales zyxel dk Telephone 45 39 55 07 00 Fax 45 39 55 07 07 Web Site www zyxel dk Regular Mail ZyXEL Communications A S Columbusvej 2860 Soeborg Denmark Finland Support E mail support zyxel fi Sales E mail sales zyxel fi Telephone 358 9 4780 8411 Fax 358 9 4780 8448 Web Site www zyxel fi Regular Mail ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland France E mail info zyxel fr Telephone 33
17. The following figure shows an example IP address in which the first three octets 192 168 1 are the network number and the fourth octet 16 is the host ID ZyXEL NWA 3100 User s Guide 267 Appendix G IP Addresses and Subnetting Figure 192 Network Number and Host ID 192 168 1 16 i TERAS i at i i i M mmmh i I L I L L I L I i I L I L L 7 U anm m m m m m m m 9 How much of the IP address is the network number and how much is the host ID varies according to the subnet mask Subnet Masks A subnet mask is used to determine which bits are part of the network number and which bits are part of the host ID using a logical AND operation The term subnet is short for sub network A subnet mask has 32 bits If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID The following example shows a subnet mask identifying the network number in bold text and host ID of an IP address 192 168 1 2 in decimal Table 92 Subnet Masks Hoole es OCTET OCTET t EN 168 1 IP Address Binary 11000000 10101000 00000001 00000010 Subnet Mask Binary 11111111 11111114 11111111 00000000 Network Number 11000000 10101000 00000001 Host ID 00000010 By convention
18. Type put firmwarefilename ras where firmwarefilename is the name of your firmware upgrade file on your workstation and ras is the remote file name on th system The system reboots automatically after a successful firmware upload For details on FTP commands please consult the documentation of your FTP client program For details on uploading system firmware using TFTP note that you must remain on this menu to upload system firmware using TFTP please see your manual Press ENTER to Exit 22 4 2 Configuration File Upload You see the following screen when you telnet into menu 24 7 2 ZyXEL NWA 3100 User s Guide Chapter 22 Firmware and Configuration File Maintenance Figure 153 Menu 24 7 2 System Maintenance Upload System Configuration File Menu 24 7 2 System Maintenance Upload System Configuration File To upload the system configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your system Then type root and SMT password as requested 3 Type put configurationfilename rom 0 where configurationfilename is the name of your system configuration file on your workstation which will be transferred to the rom 0 file on the system 4 The system reboots automatically after the upload system configuration file process is complete For details on FTP commands please consult the document
19. Appendix C IP Address Assignment Conflicts ZyXEL NWA 3100 User s Guide Wireless LANs Wireless LAN Topologies This section discusses ad hoc and infrastructure wireless LAN topologies Ad hoc Wireless LAN Configuration The simplest WLAN configuration is an independent Ad hoc WLAN that connects a set of computers with wireless stations A B C Any time two or more wireless adapters are within range of each other they can set up an independent network which is commonly referred to as an Ad hoc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 180 Peer to Peer Communication in an Ad hoc Network A NC BSS A Basic Service Set BSS exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point AP Intra BSS traffic is traffic between wireless stations in the BSS When Intra BSS is enabled wireless station A and B can access the wired network and communicate with each other When Intra BSS is disabled wireless station A and B can still access the wired network but cannot communicate with each other ZyXEL NWA 3100 User s Guide Appendix D Wireless LANs ESS Figure 181 Basic Service Set ri N Bonum i i DS P Y 1 BSS 1 H N 1 5 t
20. Blocks third party cookies that use personally identifiable LC information without your implicit consent Restricts first party cookies that use personally identifiable information without implicit consent Pop up Blocker Prevent most pop up windows from appearing Block pop ups 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 4 Click Add to move the IP address to the list of Allowed sites Figure 187 Pop up Blocker Settings Pop up Blocker Settings Exceptions Pop ups are currently blocked You can allow pop ups from specific Web sites by adding the site to the list below Address of Web site to allow http 192 168 1 1 Allowed sites Notifications and Filter Level Play a sound when a pop up is blocked Show Information Bar when 4 pop up is blocked Filter Level Medium Block most automatic pop ups Pop up Blocker FAG ZyXEL NWA 3100 User s Guide Appendix F Pop up Windows JavaScripts and Java Permissions 5 Click Close to return to the Privacy screen 6 Click Apply to save this setting JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 188 Internet Options Security General Security Privacy
21. DESCRIPTION First Second Third System DNS Server Press SPACE BAR to select From DHCP User Defined or None and press ENTER These fields are not available on all models IP Address Enter the IP addresses of the DNS servers This field is available when you select User Defined in the field above When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel ZyXEL NWA 3100 User s Guide LAN Setup This chapter shows you how to configure the LAN on your ZyXEL Device 18 1 LAN Setup This section describes how to configure the Ethernet using Menu 3 LAN Setup From the main menu enter 3 to display menu 3 Figure 132 Menu 3 LAN Setup enu 3 LAN Setup 2 TCP IP Setup Enter Menu Selection Number 18 2 TCP IP Ethernet Setup Use menu 3 2 to configure your ZyXEL Device for TCP IP To edit menu 3 2 enter 3 from the main menu to display Menu 3 LAN Setup When menu 3 appears press 2 and press ENTER to display Menu 3 2 TCP IP Setup as shown next Figure 133 Menu 3 2 TCP IP Setup Menu 3 2 TCP IP Setup IP Address Assignment Static IP Address 192 168 1 2 IP Subnet Mask 255 255 255 0 Gateway IP Address 0 0 0 0 ZyXEL NWA 3100 User s Guide Chapter 18 LAN Setup Follow the instructions in the following table on how to configure the fields
22. file name extension Figure 80 Certificates on Your Computer ip VeriSign cer CA Certificates 3 Double click the certificate s icon to open the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields ZyXEL NWA 3100 User s Guide Chapter 12 Certificates Figure 81 Certificate Details General Details Certification Path Show lt All gt Y Value Secure Server Certification Au Wednesday November 09 19 Friday January 08 2010 7 59 Secure Server Certification Au RSA 1000 Bits shal 4463 C531 D7CC C100 6794 612B B656 D3BF 8257 846F Edit Properties Copy to File 4 Usea secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields The secure method may vary according to your situation Possible examples would be over the telephone or through an HTTPS connection 12 4 Configuration Summary This section summarizes how to manage certificates Use the My Certificate screens to generate and export self signed certificates or certification requests and import the ZyXEL Devices CA signed certificates Use the Trusted CA screens to save CA certificates to the ZyXEL Device 12 5 My Certificates Click CERTIFICATES gt My Certificates to open the ZyXEL Device s summary list of certificates and certification requests Ce
23. 1 NONE The Voice over IP VoIP network will use the pre configured SSID profile so select VoIP SSID s radio button and click Edit The following screen displays ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Figure 14 Tutorial VoIP SSID Profile Edit Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter SSID VoIP SSID Example Hide Name SSID Enable Security security02 RADIUS i QoS VoIP L2 Isolation Disable Intra BSS Traffic blocking Disable MAC Filtering Disable Reset e Choose a new SSID for the VoIP network In this example enter VOIP_SSID_Example Note that although the SSID changes the SSID profile name VoIP_SSID remains the same as before Select Enable from the Hide Name SSID list box You want only authorized company employees to use this network so there is no need to broadcast the SSID to wireless clients scanning the area The standard network SSID04 is currently using the security01 profile so use a different profile for the VoIP network If you used the security01 profile anyone who could access the standard network could access the VoIP wireless network Select security02 from the Security field Leave all the other fields at their defaults and click Apply 3 1 2 1 Set Up Security for the VoIP Profile Now you need to configure the security settings to use on the VoIP wireless network Click the Security ta
24. 4a Ifthe Name for example VLAN 20 is found the mapped VLAN ID is used 4b If the Name is not found in the mapping table the string in the Tunnel Private Group ID attribute is considered as a number ID format for example 2493 The range of the number ID Name string is between 1 and 4094 4c Ifa or b are not matched the ZyXEL Device uses the VLAN ID configured in the WIRELESS VLAN screen and the wireless station This VLAN ID is independent and hence different to the ID in the VLAN screen o 14 2 4 1 Configuring VLAN Groups To configure a VLAN group you must first define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group 1 Using the Active Directory Users and Computers administrative tool create the VLAN Groups that will be used for each VLAN ID One VLAN Group must be created for each VLAN defined on the ZyXEL Device The VLAN Groups must be created as Global Security groups Type a name for the VLAN Group that describes the VLAN Group s function Select the Global Group scope parameter check box Select the Security Group type parameter check box Click OK ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Figure 98 New Global Security Group New Object Group xj 6 Create in Group name vua Group 1d Group name ore Windows 2000 IVLAN Group 10 r Group scope Group type C Domainlocal Securty Global C Distribution Universal ten
25. If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity The wireless station needs to send the username and password again before it can use the wireless network again Some wireless clients may prompt users for a username and password other clients may use saved login credentials In either case there is usually a short delay while the wireless client logs in to the wireless network again This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network for example using an authentication server If the wireless network is not keeping track of this information you can usually set this value higher to reduce the number of delays caused by logging in again The default time interval is 3600 seconds or 1 hour Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients The re keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK mode The ZyXEL Device s default is 1800 seconds 30 minutes PMK Cache When a wireless client moves from o
26. SNMPv2c Power over Ethernet PoE Specifications You can use a power over Ethernet injector to power this device The injector must comply to IEEE 802 3af Table 84 Power over Ethernet Injector Specifications Power Output 15 4 Watts maximum Power Current 400 mA maximum ZyXEL NWA 3100 User s Guide Appendix A Product Specifications Table 85 Power over Ethernet Injector RJ 45 Port Pin Assignments RJ 45 SIGNAL PINNO ASSIGNMENT Output Transmit Data Output Transmit Data Receive Data Power Power Receive Data Power o NI om AJ oj N gt Power Power Adaptor Specifications Table 86 North American Plug Standards AC Power Adaptor Model MU18 2120150 A1 Input Power 100 240 Volts AC 50 60 Hz 0 6 A Output Power 12 Volts DC 1 5A Power Consumption 18 W Max Safety Standards UL CUL UL 60950 1 First Edition Table 87 European Plug Standards AC Power Adaptor Model MU18 2120150 C5 Input Power 100 240 Volts AC 50 60 Hz 0 6 A Output Power 12 Volts DC 1 5 A Power Consumption 18 W Max Safety Standards ITS GS CE EN 60950 1 Table 88 United Kingdom Plug Standards AC Power Adaptor Model MU18 2120150 B2 Input Power 100 240 Volts AC 50 60 Hz 0 6 A Output Power 12 Vo
27. See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the FTP prompt Figure 145 FTP Session Example 331 Pass 230 ftp gt 200 ftp gt 200 150 226 ftp 297 ftp gt Enter PASS command word Logged in bin Type I OK get rom 0 zyxel rom Port command okay Opening data connection for STOR ras File received OK 327680 bytes sent in 1 10Seconds 89Kbytes sec quit The following table describes some of the commands that you may see in third party FTP clients Table 77 General Commands for Third Party FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the host server Login Type Anonymous This is when a user I D and password is automatically supplied to the server for anonymous access Anonymous logins will work only if your ISP or service administrator has enabled this option Normal The server requires a unique User ID and Password to login Transfer Type Transfer files in either ASCII plain text format or in binary mode Initial Remote Specify the default remote directory path Directory Initial Local Directory Specify the default local directory path 22 2 3 Backup Configuration Using TFTP The ZyXEL Device supports the up downloading of the firmware and the configuration file using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommended ZyXEL
28. Some of the fields in the SMT will show a N A This symbol refers to an option that is Not Applicable Save your ENTER Save your configuration by pressing ENTER at the configuration message Press ENTER to confirm or ESC to cancel Saving the data on the screen will take you in most cases to the previous menu Exit the SMT Type 99 then press Type 99 at the main menu prompt and press ENTER to ENTER exit the SMT interface After you enter the password the SMT displays the main menu as shown next Figure 130 SMT Main Menu Copyright Getting Started L 33 General Setup LAN Setup c 1994 2006 ZyXEL Communications Corp NWA 3100 Main Menu Advanced Management 224 23 24 SNMP Configuration System Security System Maintenance 99 Exit Enter Menu Selection Number ZyXEL NWA 3100 User s Guide Chapter 16 Introducing the SMT 16 4 1 System Management Terminal Interface Summary Table 69 Main Menu Summary MENU TITLE DESCRIPTION 1 General Setup Use this menu to set up your general information 3 LAN Setup Use this menu to set up your LAN and WLAN connection 22 SNMP Configuration Use this menu to set up SNMP related parameters 23 System Password Use this menu to change your password 24 System Maintenance This menu provides system status diagnostics software upload etc 99 Exit Use this to exit the SMT
29. Step 1 pwTftpServer Set the IP address of the TFTP server Step 2 pwTftpFileName Set the file name for example devicecfg txt 276 ZyXEL NWA 3100 User s Guide Appendix H Text File Based Auto Configuration Table 105 Configuration via SNMP STEPS MIB VARIABLE VALUE Step 3 pwTftpFileType Set to 3 text configuration file Step 4 pwTftpOpCommand Set to 2 download Verifying Your Configuration File Upload Via SNMP You can use SNMP management software to display the configuration file version currently on the device by using the following MIB Table 106 Displaying the File Version ITEM OBJECT ID DESCRIPTION 1 3 6 1 4 1 890 1 9 1 2 This displays the current configuration file version pwCfgVersion Troubleshooting Via SNMP If you have any difficulties with the configuration file upload you can try using the following MIB 10 to 20 seconds after using SNMP to have the AP download the configuration file Table 107 Displaying the File Version ITEM OBJECT ID DESCRIPTION pwTftpOpStatus 1 3 6 1 4 1 890 1 9 1 6 This displays the current operating status of the TFTP client Configuration File Format The text based configuration file must use the following format Figure 196 Configuration File Format ZYXEL PROWLAN VERSION 12 wcfg security 1 xxx wcfg security save wcfg ssid 1 xxx wcfg ssid save The first line must be 4 ZYXEL PR
30. System Information and Diagnosis 199 Firmware and Configuration File Maintenance 205 System Maintenance and Information 217 Troubleshooting 223 Introducing the SMT This chapter describes how to access the SMT and provides an overview of its menus 16 1 Connect to your ZyXEL Device Using Telnet The following procedure details how to telnet into your ZyXEL Device 1 In Windows click Start usually in the bottom left corner Run and then type telnet 192 168 1 2 the default IP address and click OK 2 For your first login enter the default password 1234 As you type the password the screen displays an asterisk for each character you type Figure 128 Login Screen Password xxxx 3 After entering the password you will see the main menu Please note that 1f there is no activity for longer than five minutes default timeout period after you log in your ZyXEL Device will automatically log you out You will then have to telnet into the ZyXEL Device again You can use the web configurator or the CI commands to change the inactivity time out period 16 2 Changing the System Password Change the ZyXEL Device s default password by following the steps shown next 1 From the main menu enter 23 to display Menu 23 System Password as shown next 2 Type your existing system password in the Old Password field and press ENTER Figure 129 Menu 23 System Password Menu 23 System Pas
31. The following is an example TFTP command TFTP i host get rom 0 config rom where i specifies binary image transfer mode use this mode when transferring binary files host is the ZyXEL Device IP address get transfers the file source on the ZyXEL Device rom 0 name of the configuration file on the ZyXEL Device to the file destination on the computer and renames it config rom The following table describes some of the fields that you may see in third party TFTP clients Table 78 General Commands for Third Party TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the ZyXEL Device 192 168 1 2 is the ZyXEL Device s default IP address when shipped Send Fetch Use Send to upload the file to the ZyXEL Device and Fetch to back up the file on your computer Local File Enter the path and name of the firmware file bin extension or configuration file rom extension on your computer Remote File This is the filename on the ZyXEL Device The filename for the firmware is ras and for the configuration file is rom 0 Binary Transfer the file in binary mode Abort Stop transfer of the file ZyXEL NWA 3100 User s Guide Chapter 22 Firmware and Configuration File Maintenance 22 2 5 Backup Via Console Port Back up configuration via console port by following the HyperTerminal procedure shown next Procedures using other serial communications programs
32. eese sese tenente ka nanus 123 Figura 74 SSH Communication EXamplo 12 oxeddck stacy sie aon Ro Pa tc daa a oon adt qa ea 124 Figure 79 Remote Management TONO ee 125 Figure 76 Remote Management FIP 22 isesasscesuterepest eot sents ctereawoss iaee an caavenes 126 Figure 77 Remote Management WANW essi os desk tt pk asi ptio ii a Et Heu Rd Raid Ea a aiaa 127 Figure 79 SNMP Management Model 1uistesc das P pe Ebr Pret rbrPPE RAO EH ENERO FER Pret bRPCH D EH HR rb Prat nds 128 Figure 79 Remote Management SNMP 5 2 rra na asad eens a cn aux ba dea Di i M road DU 131 Figure 80 Certificates on Your Computer eel eusesse ei tna tma kiki ntn nun ERR XX EI AR A E ntt a ARE nda 134 Figure G1 Ceriicate Delais Re 135 ZyXEL NWA 3100 User s Guide List of Figures Figure o2 My COE 51cm Gara pena dae nga a I ES AR EY REA NR KE E UR SR 136 Figure G3 p p nieder 138 Figure 84 Eee 105 u 139 zou SS My Corniiedio Delale c Sraedents ssaanadenasaauatd eeu wade sstusanboudeniia saad eeansnaareaneaveduaeasnodad eens 142 Figure Ot BRUGES oraaa balade OA mex iste pitt een upbeat idea ortu bula tete ku etr tulo vum aise 144 iuf AMDUru cEe Wu T M 146 Figure bS Trusted CA WR Map NFUP T 147 FRU 1 05 qb Ro 151 Figur MU Lug SONUS i firs Darse en asc EU d aad co E RU A n ped ae uu cn Mapa e me As 152 Foure 91 WIRELESS VLAN ise css cad crate dre SHARE usen intet Manat shies 159 Figure S2 RADIUS
33. gt Security screen displays Ensure that the Profile Name for entry 3 displays Guest Security and that the Security Mode is WPA PSK Figure 21 Tutorial Guest Security Updated Wireless SSID Security RADIUS Layer Isolation MAC Filter Profile Name security01 VoIP Securi 3 1 3 2 Set up Layer 2 Isolation Configure layer 2 isolation to control the specific devices you want the users on your guest network to access Click WIRELESS gt Layer 2 Isolation The following screen appears Figure 22 Tutorial Layer 2 Isolation Wireless SSID Security RADIUS Layer Isolation MAC Filter Layer 2 Isolation Configuration Allow devices with these MAC addresses MAC Address OO AAODAAOOAA AA 00 AA 00 AA O0 Set MAC Address 00 00 00 00 00 00 00 00 00 00 00 00 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Reset Enter the MAC addresses of the two network devices you want users on the guest network to be able to access the main network router 00 AA 00 AA 00 AA and the network printer AA 00 AA 00 AA 00 Click Apply 3 1 3 3 Activate the Guest Profile You need to activate the Guest SSID profile before it can be used Click the Wireless tab In the Select SSID Profile table select the check box for the Guest SSID profile and click Apply ZyXEL NWA 3100 User s Guid
34. mm dd General Password Time Setting Time Server Address Current Time hh mm ss NN dr 1DE New Time hh mm ss p Hs 3 Current Date yyyy mm dd 2000 M NN New Date yyyy mm dd m m Time Zone GMT Greenwich Mean Time Dublin Edinburgh Lisbon London x Daylight Saving Setup Daytime RFC 867 mm fO m D me o E Reset The following table describes the labels in this screen Table 7 Time Setting LABEL DESCRIPTION Time Protocol Select the time service protocol that your time server sends when you turn on the ZyXEL Device Not all time servers support all protocols so you may have to check with your ISP network administrator or use trial and error to find a protocol that works The main difference between them is the format Daytime RFC 867 format is day month year time zone of the server Time RFC 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 The default NTP RFC 1305 is similar to Time RFC 868 Select None to enter the time and date manually Time Server Address Enter the IP address or the URL of your time server Check with your ISP network administrator if you are unsure of this information Current Time hh mm ss This field displays the time of your ZyXEL Device Each time you reload this page the ZyXEL Device synchronizes the time with the time server New Time hh mm ss This field display
35. the AP See Section 5 6 2 on page 76 for more details Unless specified the term security settings refers to the traffic between the wireless stations and the ZyXEL Device If you do not enable WDS security in AP Bridge mode traffic between APs is not encrypted 32 ZyXEL NWA 3100 User s Guide Chapter 1 Introducing the ZyXEL Device Figure 2 AP Bridge Application m O y M O ha 0 0 5 a Ig P X my oF in of sae a e gt is Y d d E x Pi E 4 s amp n A D PE i N aj Li a H 1 i f 4 i AN 1 3 f a J a A H SS 7 1 H a f o 7 A LE J k 2 v i ES lt gt e A n EN S Ki ae EN t A Pom ja ua m e t gt mm mous m 1 2 3 Bridge Repeater The ZyXEL Device can act as a wireless network bridge and establish wireless links with other APs In the figure below the two ZyXEL Devices A and B are connected to independent wired networks and have a bridge connection A can communicate with B at the same time A ZyXEL Device in repeater mode C has no Ethernet connection When the ZyXEL Device is in bridge mode you should enable STP to prevent bridge loops When the ZyXEL Device is in Bridge Repeater mode security between APs the Wireless Distribution System or WDS is independent of the security between the wireless stations and the AP When WDS security is enabled both
36. 00 a0 00 00 00 00 0 01 WPA First floor lobby D 00 00 20 00 00 00 02 2 WPA Second Floor Design DS o0 00 00 00 00 03 1201 4 WPA Coffee Shop WLAN The following table describes the labels in this screen Table 36 ROGUE AP Friendly AP LABEL DESCRIPTION Add Friendly AP Use this section to manually add a wireless access point to the list You must know the device s MAC address MAC Address Enter the MAC address of the AP you wish to add to the list Description Enter a short explanatory description identifying the AP with a maximum of 32 alphanumeric characters Spaces underscores and dashes are allowed Add Click this button to include the AP in the list Friendly AP List This is the list of safe wireless access points you have already configured This is the index number of the AP s entry in the list MAC Address This field displays the Media Access Control MAC address of the AP All wireless devices have a MAC address that uniquely identifies them SSID This field displays the Service Set IDentifier also known as the network name of the AP Channel This field displays the wireless channel the AP is currently using Security This field displays the type of wireless encryption the AP is currently using Description This is the description you entered when adding the AP to the list Delete Click this button to remove an AP s entry from the list 10 3 3
37. 1 Enter 24 to display Menu 24 System Maintenance 2 Enter 2 to display Menu 24 2 System Information and Console Port Speed 3 From this menu you have two choices as shown in the next figure Figure 138 Menu 24 2 System Information and Console Port Speed Menu 24 2 System Information and Console Port Speed 1 System Information 2 Console Port Speed Pleas nter selection The ZyXEL Device has an internal console port for support personnel only Do not open the ZyXEL Device as it will void your warranty 21 2 1 System Information Enter 1 in menu 24 2 to display the screen shown next Figure 139 Menu 24 2 1 System Information Information Menu 24 2 1 System Maintenance Information Name NWA 3100 Routing BRIDGE ZyNOS F W Version V3 60 AAI 0 b1 05 25 2005 Country Code 255 LA Ethernet Address 00 A0 C5 F5 02 02 IP Address 192 168 1 2 IP Mask 255 255 255 0 DHCP None Press ESC or RETURN to Exit The following table describes the fields in this menu Table 74 Menu 24 2 1 System Maintenance Information FIELD DESCRIPTION Name Displays the system name of your ZyXEL Device This information can be changed in Menu 1 General Setup Routing Refers to the routing protocol used ZyNOS F W Version Refers to the ZyNOS ZyXEL Network Operating System system firmware version ZyNOS is a registered trademark of ZyXEL Communications Corporation ZyXEL
38. 22 Firmware and Configuration File Maintenance The following table is a summary Please note that the internal filename refers to the filename on the ZyXEL Device and the external filename refers to the filename not on the ZyXEL Device that is on your computer local network or FTP site and so the name but not the extension will vary After uploading new firmware see the ZyNOS F W Version field in Menu 24 2 1 System Maintenance Information to confirm that you have uploaded the correct firmware version Table 76 Filename Conventions INTERNAL EXTERNAL FILE TYPE NAME NAME DESCRIPTION Configuration File Rom 0 rom This is the configuration filename on the ZyXEL Device Uploading the rom 0 file replaces the entire ROM file system including your ZyXEL Device configurations system related data including the default password the error log and the trace log Firmware Ras bin This is the generic name for the ZyNOS firmware on the ZyXEL Device 22 2 Backup Configuration Option 5 from Menu 24 System Maintenance allows you to backup the current configuration to your computer Backup is highly recommended once your ZyXEL Device is functioning properly FTP is the preferred method although TFTP can also be used Please note that the terms download and upload are relative to the computer Download means to transfer from the ZyXEL Device to the computer while upload means from your c
39. 27 1110 0000 224 255 255 255 240 28 1111 0000 240 255 255 255 248 29 1111 1000 248 255 255 255 252 30 1111 1100 252 Subnetting 270 You can use subnetting to divide one network into multiple sub networks In the following example a network administrator creates two sub networks to isolate a group of servers from the rest of the company network for security reasons In this example the company network address is 192 168 1 0 The first three octets of the address 192 168 1 are the network number and the remaining octet is the host ID allowing a maximum of 2 2 or 254 possible hosts The following figure shows the company network before subnetting Figure 193 Subnetting Example Before Subnetting qQuUB EB EM EM EN EM EM EN NEED ONE NND ONN END NN EN n i 8 I A E Uu a i 1 Internet t a H Ol I li I li I i I I I li y 192 168 1 0 24 4 r 4 LE E Amo m um um m um Um Um Em Em um um You can borrow one of the host ID bits to divide the network 192 168 1 0 into two separate sub networks The subnet mask is now 25 bits 255 255 255 128 or 25 The borrowed host ID bit can have a value of either 0 or 1 allowing two subnets 192 168 1 0 25 and 192 168 1 128 25 The following figure shows the company network after subnetting There are now two sub networks A and B ZyXEL NWA 3100 User s Guide Appendix G IP Addresses and Subnetting Figure 194
40. 4 72 52 97 97 Fax 33 4 72 52 19 20 Web Site www zyxel fr Regular Mail ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France Germany Support E mail support zyxel de Sales E mail sales zyxel de Telephone 49 2405 6909 0 Fax 49 2405 6909 99 Web Site www zyxel de Regular Mail ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany Hungary Support E mail support zyxel hu Sales E mail info zyxel hu Telephone 36 1 3361649 Fax 36 1 3259100 Web Site www zyxel hu Regular Mail ZyXEL Hungary 48 Zoldlomb Str H 1025 Budapest Hungary Kazakhstan Support http zyxel kz support Sales E mail sales zyxel kz 288 ZyXEL NWA 3100 User s Guide Appendix J Customer Support Telephone 7 3272 590 698 Fax 7 3272 590 689 Web Site www zyxel kz Regular Mail ZyXEL Kazakhstan 43 Dostyk ave Office 414 Dostyk Business Centre 050010 Almaty Republic of Kazakhstan North America Support E mail support zyxel com Sales E mail sales zyxel com Telephone 1 800 255 4101 1 714 632 0882 Fax 1 714 632 0858 Web Site www us zyxel com FTP Site ftp us zyxel com Regular Mail ZyXEL Communications Inc 1130 N Miller St Anaheim CA 92806 2001 U S A Norway e e e e Support E mail support zyxel no Sales E mail sales zyxel no Telephone 47 22 80 61 80 Fax 47 22 80 61 81 Web Site www zyxel no Regular Mail ZyXEL
41. Address Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh 11 4 Configuring FTP You can upload and download the ZyXEL Device s firmware and configuration files using FTP please see the chapter on firmware and configuration file maintenance for details To use this feature your computer must have an FTP client To change your ZyXEL Device s FTP settings click REMOTE MGMT gt FTP The screen appears as shown ZyXEL NWA 3100 User s Guide 125 Chapter 11 Remote Management Figure 76 Remote Management FTP TELNET Server Port Server Access WLAN amp LAN Secured Client IP Address AIC Selected 0 0 0 0 FTP WWW SNMP Reset The following table describes the labels in this screen Table 40 Remote Management FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP Address A secured client is a
42. Community public Destination 0 0 0 0 Service Port fi 61 Service Access WLAN amp LAN gt Secured Client IP Address AIC Selected 0 0 0 0 Reset The following table describes the labels in this screen Table 44 Remote Management SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is public and allows all requests Set Community Enter the Set community which is the password for incoming Set requests from the management station The default is public and allows all requests Community Type the trap community which is the password sent with each trap to the SNMP manager The default is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Access Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the Address ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address t
43. Configuring Microsofts IAS Server Example sse 164 14 2 4 1 Configuring VLAN GTOUPS 145 erret dd et Ert SR RE Ra redd RR CB oet S RA d e aad 164 14 2 4 2 Configuring Remote Access Policies erneut nnn here aano rea aaa Era 165 14 7 5 Second Rx VLAN ID Example sicesactccccccaiteesvsaniupeadensadssverisessiadecigannenntetianecevsannnnusun 172 14 2 5 1 Second Rx VLAN Setup Example cccccssneeccsrssncecssaveesiencdassisvencnssdeeneneneaienne 172 Chapter 15 ctl M 175 15 1 Maintetante OVEIVIEW 175 12 2 SUSIE ISIS ORBI suiusupr sesiaude S 175 pu Se etl SIS aN 176 Tid ceri Nc 177 TO Ohan Vodo srin Le tadaddd eu RM pia Bk et onde Vo dan de Cupid qd 178 T8 FAS Upload SOTBBIN ccc reote die fofi e boo E etu ease te 178 TO CODO ONT S m 180 190 1 Backup C TIC BOE usen sepa ei to HAIR eo insan KAEA Eu KARMA AEAEE REA EE CEA EAA EAE 181 15 6 2 Reslore ConiigUralon t M 181 15 5 2 Back to Factonr DeiSalts 4st e Go PERS Ra FR LG Mo a c d a t 182 jvE 10 dele Em 183 Part Ill SMT and Troubleshooting 185 Chapter 16 lintroducmg mio SMT ee 187 16 1 Connect to your ZyXEL Device Using Telnet oorr en n ironinen 187 186 2 C hanging the System Password isnseidsax ein sd Les o tona ede das ER o t ND
44. Content Connections Programs Advanced Select a Web content zone to specify its security settings e Z o e Internet Local intranet Trusted sites Restricted sites Internet 4 This zone contains all Web sites you Gites haven t placed in other zones m Security level for this zone Move the slider to set the security level for this zone z Medium Safe browsing and still functional a Prompts before downloading potentially unsafe content Unsigned Activex controls will not be downloaded Appropriate for most Internet sites C Custom Level D Default Level OK Cancel Apply Click the Custom Level button Scroll down to Scripting ou kh WN Click OK to close the window Under Active scripting make sure that Enable is selected the default Under Scripting of Java applets make sure that Enable is selected the default ZyXEL NWA 3100 User s Guide Appendix F Pop up Windows JavaScripts and Java Permissions Figure 189 Security Settings Java Scripting Security Settings Settings Scripting amp Active scripting Q Promp 3 Allow paste operations via script Q Disable 9 Enable Q Prompt amp Scripting of Java applets Q Disable OQ Prompt Lene AuhSenkie Sin E b te custom settings Reset to Medium Reset ced Java Permissions Click the Custom Level button Scroll down to Microsoft VM Under Java permissions
45. Enter a password up to 128 alphanumeric characters as the key to be shared between the external accounting server and the ZyXEL Device The key must be the same on the external accounting server and your ZyXEL Device The key is not sent over the network Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh ZyXEL NWA 3100 User s Guide MBSSID and SSID This chapter describes how to configure and use your ZyXEL Device s MBSSID mode and configure SSID profiles 7 1 Wireless LAN Infrastructures See the Wireless LAN chapter for some basic WLAN scenarios and terminology 7 1 1 MBSSID Traditionally you needed to use different APs to configure different Basic Service Sets BSSs As well as the cost of buying extra APs there was also the possibility of channel interference The ZyXEL Device s MBSSID Multiple Basic Service Set IDentifier function allows you to use one access point to provide several BSSs simultaneously You can then assign varying levels of privilege to different SSIDs Wireless stations can use different BSSIDs to associate with the same AP 7 1 2 Notes on Multiple BSS A maximum of eight BSSs are allowed on one AP simultaneously You must use different WEP keys for different BSSs If two stations have different BSSIDs they are in different BSSs but have the same WEP keys they may hear each other s communications but not communica
46. FA FA BES The ZyXEL Device can detect the MAC addresses of APs automatically However it is more secure to obtain the correct MAC addresses from another source and add them to the friendly AP list manually if possible For example an attacker s AP mimicking the correct SSID could be placed on the friendly AP list by accident if selected from the list of auto detected APs In this example you have spoken to the coffee shop s owner who has told you the correct MAC address of his AP In this example you will do the following things 1 Set up and save a friendly AP list Activate periodic Rogue AP Detection Set up e mail alerts Configure your other access points Test the setup a fh WN 3 2 1 Set Up and Save a Friendly AP list Take the following steps to set up and save a list of access points you want to allow in your network s coverage area 1 Onacomputer connected to the wired network F in the previous figure open your Internet browser and enter the URL of access point A 192 168 1 1 Login to the Web configurator and click ROGUE AP gt Friendly AP The following screen displays Figure 25 Tutorial Friendly AP Before Data Entry Configuration Friendly AP Rogue AP Add Friendly AP MAC Address Description Ln NN oso Friendly AP List MAC Address __SSID_____ Channel Security Description RENI 2 Fill in the MAC Address and Description fields as in the following ta
47. Figur 199 Iimtemet Opiions CLD A m 264 Figure 189 Security Settings Java SCMPUNG iis seiceeee inui eio trtum iio bd dieere o i dentea 265 Figure 190 Security Sellngs Java HAMM TNT 265 Poe TAa eo a aa a N NAN 266 Figure 192 Network Number and Host ID 12 cxtecsss ssced dees south told AN 268 Figure 193 Subnetting Example Before Subnetting eeeeseseseeesseeee eene nnn 270 Figure 194 Subnetting Example After Subnetting 122 uiceeciiieeee tete retta enorme nit tera secsesundcoaavsence 271 Figure 195 Text File Based Auto Configuration auus iacit tet ttt ea t E ERR E Fe ERE FEE EH E E aS Raus 275 Figure 199 Configuration File Foma 2iseaikintixd Ai Lia E innen nna TO EUR VET NE ENIM C EEPRLA MEER RUUE 277 Figure 197 WEP Configuration File EXeIfple 122 circuit conn eoe ebac iion rd oci aniden e binnan 278 Figure 198 802 1X Configuration File Example esee ieeeeeeui esee anna ennt nhanh anna nnt th a Rx nanna 279 Figure 199 WPA PSK Configuration File EXSImle 24 55 c rope n rHpUPdR t PPP HERE t pevd ec E Fete EE FREU Ceo dE teens 279 Figure 200 WPA Configuration FIG Example 1 urtica S ad etk a ERR EXER n EAs 280 Figure 201 wlan Configuration File Example MT 281 ZyXEL NWA 3100 User s Guide 23 List of Figures ZyXEL NWA 3100 User s Guide List of Tables List of Tables TOE T LEDS EET 37 Tabe 2 Tutorski Example TTT inini paden mmm 44 Table 3 Tutorial Rogue AP Example IMOrmaliON ssicriiim
48. Figure 66 Roaming Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Operating Mode Access Point E 802 11 Mode 802 11b g iv Super Mode Choose Channel ID Channel 06 2437MHz gt or RTS CTS Threshold 2346 958 2348 Fragmentation Threshold 2346 256 2348 Output Power s zl SSID Profile ssipos z Iv Roaming Active iv Enable Breathing LED e ing Tree Protocol STP Apply Reset Select the Roaming Active check box and click Apply ZyXEL NWA 3100 User s Guide IP Screen This chapter discusses how to configure IP on the ZyXEL Device 9 1 Factory Ethernet Defaults The Ethernet parameters of the ZyXEL Device are preset in the factory with the following values 1 IP address of 192 168 1 2 2 Subnet mask of 255 255 255 0 24 bits These parameters should work for the majority of installations 9 2 TCP IP Parameters 9 2 1 WAN IP Address Assignment Every computer on the Internet must have a unique IP address If your networks are isolated from the Internet only between your two branch offices for instance you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically for private networks Table 33 Private IP Address Ranges 10 0 0 0 10 255 255 255 172 16 0 0 172 31 255 255 192 168 0 0 192 168 255 255 You can obtain your IP address from
49. File received OK ftp 327680 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit ZyXEL NWA 3100 User s Guide Chapter 22 Firmware and Configuration File Maintenance More commands that you may find in third party FTP clients are listed earlier in this chapter 22 4 4 TFTP File Upload The ZyXEL Device also supports the up downloading of the firmware and the configuration file using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommended To use TFTP your computer must have both telnet and TFTP clients To transfer the firmware and the configuration file follow the procedure shown next 1 Use telnet from your computer to connect to the ZyXEL Device and log in Because TFTP does not have any security checks the ZyXEL Device records the IP address of the telnet client and accepts TFTP requests only from this address 2 Put the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance 3 Enter the command sys stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute SMT timeout default when the file transfer is complete 4 Launch the TFTP client on your computer and connect to the ZyXEL Device Set the transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below to transfer files between the ZyXEL Device an
50. Guide Wireless Configuration This chapter discusses how to configure the Wireless screens on the ZyXEL Device 5 1 Wireless LAN Overview This section introduces the wireless LAN WLAN and some basic scenarios 5 1 1 BSS A Basic Service Set BSS exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point AP Intra BSS traffic is traffic between wireless stations in the BSS When Intra BSS traffic blocking is disabled wireless station A and B can access the wired network and communicate with each other When Intra BSS traffic blocking is enabled wireless station A and B can still access the wired network but cannot communicate with each other Figure 35 Basic Service set z Se mom um am n ao A ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration 5 1 2 ESS An Extended Service Set ESS consists of a series of overlapping BSSs each containing an access point with each access point connected together by a wired network This wired connection between APs is called a Distribution System DS An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate Figure 36 Extended Service Set Ethernet om oU AIO SN Ux iG E EAI TE pet Toner cer TS E En k E gt
51. Image Resizing x b Restore Defaults Cancel Apply ZyXEL NWA 3100 User s Guide IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks IP addresses identify individual devices on a network Every networking device including computers servers routers printers etc needs an IP address to communicate across the network These networking devices are also known as hosts Subnet masks determine the maximum number of possible hosts on a network You can also use subnet masks to divide one network into multiple sub networks Introduction to IP Addresses One part of the IP address is the network number and the other part is the host ID In the same way that houses on a street share a common street name the hosts on a network share a common network number Similarly as each house has its own house number each host on the network has its own unique identifying number the host ID Routers use the network number to send packets to the correct network while the host ID determines to which host on the network the packets are delivered Structure An IP address is made up of four parts written in dotted decimal notation for example 192 168 1 1 Each of these four parts is known as an octet An octet 1s an eight digit binary number for example 11000000 which is 192 in decimal notation Therefore each octet has a possible range of 00000000 to 11111111 in binary or 0 to 255 in decimal
52. Information screen displays Select Virtual LANs VLAN from the attribute value drop down list box Click OK ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Figure 110 VLAN Attribute Setting for Tunnel Type Enumerable Attribute Information xj Attribute name Tunnel Type Attribute number g Attribute format Enumerator Attribute value Mirtual LANs VLAN Cancel 17 Return to the RADIUS Attribute Screen shown as Figure 107 on page 169 Click the Close button The completed Advanced tab configuration should resemble the following screen Figure 111 Completed Advanced Tab Allow VLAN Group 10 Prop 2 xl Setti I aix Policy name Did in Constraints IP Multilink Authentication Encryption Advanced Specty the condition Specily additional cormection attributes to be returnad to the Remote Access Server Parameters Service Type RADIUS Standard Framed Framed Protecat RADIUS Standard PPP Tunrel Medium T ype RADIUS Standard 802 includes all 802 rr Tunrel Pvl GroupiD RADIUS Standard 10 Tunrel T ype RADIUS Standard Virtual LANs VLAN Add Jn Il auser matches tt Grant remote C Dery remote e Access will be is overiidden c gt CTEEETN Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory Remember to place the most general Remote Access Policies a
53. JavaScripts and Java Permissions 2 Clear the Block pop ups check box in the Pop up Blocker section of the screen This disables any web pop up blockers you may have enabled Figure 185 Internet Options Privacy Internet Options p General Security Privacy Content Connections Programs Advanced Settings Move the slider to select a privacy setting for the Internet RE zone Medium Blocks third party cookies that do not have a compact privacy policy Blocks third party cookies that use personally identifiable LJ information without your implicit consent Restricts first party cookies that use personally identifiable information without implicit consent Pop up Blocker Prevent most pop up windows from appearing Block pop ups 3 Click Apply to save this setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 2 Select Settings to open the Pop up Blocker Settings screen 262 ZyXEL NWA 3100 User s Guide Appendix F Pop up Windows JavaScripts and Java Permissions Figure 186 Internet Options Privacy Internet Options PR Settings Move the slider to select a privacy setting for the Internet MER zone Medium Blocks third party cookies that do not have a compact privacy policy
54. LANs and disables all other ports that participate in STP Network packets are therefore only forwarded between enabled ports eliminating any possible network loops STP aware bridges exchange Bridge Protocol Data Units BPDUs periodically When the bridged LAN topology changes a new spanning tree is constructed Once a stable network topology has been established all bridges listen for Hello BPDUs Bridge Protocol Data Units transmitted from the root bridge If a bridge does not get a Hello BPDU after a predefined interval Max Age the bridge assumes that the link to the root bridge is down This bridge then initiates negotiations with other bridges to reconfigure the network to re establish a valid network topology 5 4 4 STP Port States STP assigns five port states see next table to eliminate packet looping A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops Table 15 STP Port States PORT STATES DESCRIPTIONS Disabled STP is disabled default Blocking Only configuration and management BPDUs are received and processed ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration Table 15 STP Port States PORT STATES DESCRIPTIONS Listening All BPDUs are received and processed Learning All BPDUs are received and processed Information frames are submitted to the learning process but not forwarded Forwardi
55. Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists CRL check box in the certificate s details screen to have the ZyXEL Device check the CRL before trusting any certificates issued by the certification authority Otherwise the field displays No Details Click Details to view in depth information about the certification authority s certificate change the certificate s name and set whether or not you want the ZyXEL Device to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Import Click Import to open a screen where you can save the certificate of a certification authority that you trust from your computer to the ZyXEL Device Delete Click Delete to delete an existing certificate A window display asking you to confirm that you want to delete the certificate Note that subsequent certificates move up by one when you take this action Refresh Click this button to display the current validity status of the certificates 12 11 Importing a Trusted CA s Certificate Click CERTIFICATES Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen Follow the instructions in this screen to save a trusted certification authority s certificate to the ZyXEL Device see the following figure ZyXEL NWA 3100 User s Guide Chapter 12 Certificates
56. NWA 3100 User s Guide Chapter 21 System Information and Diagnosis Table 74 Menu 24 2 1 System Maintenance Information FIELD DESCRIPTION Country Code Refers to the country code of the firmware LAN Ethernet Address Refers to the Ethernet MAC Media Access Control of your ZyXEL Device IP Address This is the IP address of the ZyXEL Device in dotted decimal notation IP Mask This shows the subnet mask of the ZyXEL Device DHCP This field shows the DHCP setting of the ZyXEL Device When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen 21 2 2 Console Port Speed You can set up different port speeds for the console port through Menu 24 2 2 System Maintenance Console Port Speed Your ZyXEL Device supports 9600 default 19200 38400 57600 and 115200 bps console port speeds Press SPACE BAR and then ENTER to select the desired speed in menu 24 2 2 as shown in the following figure Figure 140 Menu 24 2 2 System Maintenance Change Console Port Speed Menu 24 2 2 System Maintenanc Change Console Port Speed Console Port Speed 9600 Press ENTER to Confirm or ESC to Cancel After you changed your ZyXEL Device s console port speed you must also make the same change to the console port speed parameter o
57. Point and Bridge Repeater operating modes for descriptions of the fields in this screen 5 6 4 MBSSID Mode Select MBSSID as the Operating Mode to display the screen Refer to Chapter 7 on page 97 for configuration and detailed information See Chapter 6 on page 81 for details on the security settings ZyXEL NWA 3100 User s Guide Wireless Security Configuration This chapter describes how to use the Security and RADIUS screens to configure wireless security on your ZyXEL Device 6 1 Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless stations access points and the wired network Wireless security methods available on the ZyXEL Device are data encryption wireless client authentication restricting access by MAC address and hiding the ZyXEL Device s identity 6 1 1 Encryption Use WPA 2 security if you have WPA 2 aware wireless clients and a RADIUS server WPA has user authentication and improved data encryption over WEP Use WPA 2 PSK if you have WPA 2 aware wireless clients but no RADIUS server e If you don t have WPA 2 aware wireless clients then use WEP key encrypting A higher bit key offers better security at a throughput trade off You can manually enter 64 bit 128 bit or 152 bit WEP keys 6 1 2 Restricted Access The MAC Filter screen allows you to configure the AP to give exclusive access to devices Allow Association or exclude th
58. Reset Click Reset to reload the previous configuration for this screen 4 3 Configuring Password Itis strongly recommended that you change your ZyXEL Device s password Click SYSTEM 7 Password The screen appears as shown If you forget your ZyXEL Device s password or IP address you will need to reset the device See the section on resetting the ZyXEL Device for details Figure 33 Password General Password Time Setting Old Password New Password pe Retype to Confirm E Reset The following table describes the labels in this screen Table 6 Password LABEL DESCRIPTIONS Old Password Type in your existing system password 1234 is the default password New Password Type your new system password up to 31 characters Note that as you type a password the screen displays an asterisk for each character you type Retype to Confirm Retype your new system password for confirmation Apply Click Apply to save your changes Reset Click Reset to reload the previous configuration for this screen ZyXEL NWA 3100 User s Guide Chapter 4 System Screens 4 4 Configuring Time Setting To change your ZyXEL Device s time and date click SYSTEM gt Time Setting The screen appears as shown Use time zone this screen to configure the ZyXEL Device s time based on your local Figure 34 Time Setting Time Protocol Daylight Savings Start Date mm dd End Date
59. Sample Error and Information Messages seeeeeeeueseenn nere nnn tn anna enn th na na a aun 203 Figure 143 Menu 24 4 System Maintenance Diagnostic eese nennen nnne 203 Figure 144 Menu 24 5 Backup Configuration 3525 x 3 tiet rt GU eda pat e ti n ob bue ed 206 Foue TAS FIF SOS 1 0 EXIME gee eee Eee ereeer NNA 207 Figure 146 System Maintenance Backup Configuration sssesssseeeee 209 Figure 147 System Maintenance Starting Xmodem Download Screen sessessssss 209 Figure 148 Backup Configuration Example 2c oro ede PPP rO per nte o EE ri nisn Reit qoM EPOpI Uoc FER EDU a 209 Figure 149 Successful Backup Confirmation Screen nennen tena nn nnn 209 Figure 150 Menu 24 6 Restore Configuration eese seen eren nn th nana ninth a Rak RA RR Rau E44 210 Figure 151 Menu 24 7 System Maintenance Upload Firmware enn 211 Figure 152 Menu 24 7 1 System Maintenance Upload System Firmware sseeesss 211 Figure 153 Menu 24 7 2 System Maintenance Upload System Configuration File 212 Figure 154 FTP Session Example sssscicsisvancecciws vane ttd ke erbe a bett det bid a 212 Figure 155 Menu 24 7 1 as seen using the Console Port neret nna 214 Figure 156 Example modem Upload 1 pit iR pora SERE IN Ho REY RH UI a A E FR REM Rte Ives chest ape e t tpa 214 Figure 157 Menu 24 7 2 as seen using the Console Port nennen nannten
60. This field displays the MAC address of an associated wireless station Association Time This field displays the time a wireless station first associated with the ZyXEL Device Name SSID This field displays the SSID to which the wireless station is associated WDS Link This screen displays when bridge mode is activated on the ZyXEL Device Link No This field displays the index number of a bridge connection on the WDS MAC Address This field displays a remote bridge MAC address Link Time This field displays the WDS link up time Privacy This field displays whether traffic on the WDS is encrypted or not Refresh Click Refresh to reload the screen ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance 15 4 Channel Usage The Channel Usage screen shows whether a channel is used by another wireless network or not If a channel is being used you should select a channel removed from it by five channels to completely avoid overlap Click MAINTENANCE and then the Channel Usage tab to display the screen shown next Wait a moment while the ZyXEL Device compiles the information Figure 117 Channel Usage Status Association List Channel Usage FAW Upload Configuration Restart aaa NEIN MAC Address ae aca Network Mode ZyXEL_1237 00 13 49 00 00 01 23 h Infra ZyXEL 00 13 49 00 00 05 6 82 h Infra Wireless 00 A0 C5 00 07 77 6 425 Infra Wireless 00 A0 C5 5C AF 7A 11 25 h Infra A 3214 G3000 00 A0 C
61. This field is only available when you select Weekly in the Log Schedule field Use the drop down list box to select which day of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 pm to send the logs Clear log after sending mail Select the check box to clear all logs after logs and alert messages are sent via e mail Log Select the categories of logs that you want to record Send Immediate Alert Select the categories of alerts for which you want the ZyXEL Device to immediately send e mail alerts Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to reconfigure all the fields in this screen ZyXEL NWA 3100 User s Guide 155 Chapter 13 Log Screens 13 3 Example Log Messages This section provides descriptions of some example log messages Table 54 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is The router has adjusted its time based on information from the time successful server Time calibration failed The router failed to get information from the time server DHCP client gets s A DHCP client got a new IP address from the DHCP server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an
62. WWW SNMP TELNET NNMNMNMMquuacccccccccc ccc Server Port 23 Server Access WLAN amp LAN Y Secured Client IP Address AIL C Selected o 0 0 0 SSH Server Port 22 Server Access WLAN amp LAN Y Secured Client IP Address All C Selected 0 0 0 0 Apply Reset The following table describes the labels in this screen Table 39 Remote Management Telnet LABEL DESCRIPTION TELNET Server Port You can change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Select the interface s through which a computer may access the ZyXEL Device Access using Telnet Secured A secured client is a trusted computer that is allowed to communicate with the Client IP ZyXEL Device using this service Address Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service SSH Server Port You can change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Select the interface s through which a computer may access the ZyXEL Device Access using SSH Secured A secured client is a trusted computer that is allowed to communicate with the Client IP ZyXEL Device using this service
63. Wireless Distribution System WDS is a wireless connection between two or more APs If you do not select the check box traffic between APs is not encrypted When you select the check box you are prompted to type a Pre Shared Key PSK The ZyXEL Device uses TKIP to encrypt traffic on the WDS between APs Note Other APs must use the same encryption method to enable WDS This is the index number of the bridge connection Active Select the check box to enable the bridge connection Otherwise clear the check box to disable it Remote Bridge MAC Address Type the MAC address of the peer device in a valid MAC address format that is six hexadecimal character pairs for example 12 34 56 78 9a bc PSK Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols See Table 16 on page 75 for information on the other labels in this screen ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration 5 6 3 AP Bridge Mode Select AP Bridge as the Operating Mode in the WIRELESS gt Wireless screen to have the ZyXEL Device function as a bridge and access point simultaneously See the section on applications for more information Figure 43 Wireless AP Bridge SSID Security RADIUS Layer Isolation AP Bridge 802 11b g Channe 06 2437MHz mi Remote Bridge MAC Address 1 00 00 00 00 00 00 2 See the tables describing the fields in the Access
64. a anaa E RES NP DNAsa 74 55 Lommgarng Wireless Songs Aidinsisinonemaesnd meee NEAS aera 74 200 1 Access POM eo sak ats ovt p b s ioi todo a 74 5 6 2 Bridge Repeater Mode citet ppp ai e ER BI Ee RD CERE ERE RE UR d RAE E e EAR Eiai a ira 76 910 3 APT BAGS no MM 80 55 NMBESIE MOJE i otsiitiidied ee pa Che tr eat M ete a prc a ROLE an c Ua ax 80 Chapter 6 Wireless Security ConfiguratlOhi 1iiuuiiseuease sk rts hah ko uk YXRRYRERER YR EXRKR Pa JR RF JRRRKEM RR M2 iR CR rna nA eR nnna 81 Al FUSS SGU VOR Wee 81 xw ECE EO M 81 a LA SUC JOE iiien EEA ER a FIN LEPN d ai rpI EPOD EE bhdE Rudd GEEA 81 wta Hide VOY ER 81 CLI WEP ENIT I IT e Em 81 A 0a DOVERIN TN 82 6 9 EAP Authentication DOVEIMIEW T ienn 82 GA VEN PM FIA aussie ina E Pari beet cm Ye CERA E D Ae a EK EU ER 82 0A 1 Meer cce M AE 83 x Maz vindi ea Reet crete MEET vies error Peter cere re ater Pree tceel Petter ere Tere ty tT ere 83 6 4 3 WPA Z PSK Application Example ai cc cccisssnencaicataseatiansnnscedeadsneacdeciauwensnauksiiranndedbenalends 84 0 5 WPAD23 with RADIUS Application Example scsicccsrsccuscccrciwmercscscsiceeerssielisteeicectinenarecueocsargs 84 CE SOA MOTOS r 85 9 7 Wireless Client WPA Supplican i erro ter FERE ERE at a E En ERA IIR 86 6 8 Wireless Security ETTODIIVOLIBSS iui ccied cerle ce etl rra ctl d nenas ainina atl d ora a ck bbb sra iaia ais 86 DO Conigung eM esha aaa lc
65. an IP address and type your information into the IP Address and Subnet Mask fields Figure 164 Windows 95 98 Me TCP IP Properties IP Address CPAP Popewies TE Bindings Advanced Netplos DNS Configuration Gateway WINS Configuration IP Address An IP address can be automatically assigned to this computer If your network does not automatically assign IP addresses ask your network administrator for an address and then type it in the space below Specify an IP address Imo recs ue ees xr Subnet Mess IV Detect connection to network media Cancel 3 Click the DNS Configuration tab f you do not know your DNS information select Disable DNS f you know your DNS information select Enable DNS and type the information in the fields below you may not need to fill them all in ZyXEL NWA 3100 User s Guide 235 Appendix B Setting up Your Computer s IP Address Figure 165 Windows 95 98 Me TCP IP Properties DNS Configuration TCP IP Properties 21 xl Bindings Advanced Netbios DNS Configuration Gateway WINS Configuration IP Address Domain Suffix Search Order P Cancel 4 Click the Gateway tab Ifyou do not know your gateway s IP address remove previously installed gateways f you have a gateway IP address type it in the New gateway field and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click OK
66. and New Zealand Plug Standards cc ccccceesseneeceeeseeeeeceeenseeceeeeetseeeeeeeennneces 231 Table 90 Comparison of EAP Authentication Types srt ren n rtt red a d ei rbd d ea hoa d eb nde 256 Table 91 Wireless Security Relational Matrix c c ccccsseseeeceeeeseeeeeeeeteneeeceetenneeceeensnneeeneatenseesentneees 257 Table 92 Subnet MASKS x 268 WADI 92 SURI NSRS M 269 Table 4 vo nass qr s o f t eeanaientne naan 269 Table 95 Alternative Subnet Mask Notation 2c ei eee centia beta curte pdt batte adi kenkia 269 ct 255 ATP TT 271 WAI rS ni M ee eedaeeneiatel ae ae 272 TRADI PS ADETE 272 ME NS E NUR 272 Table T00 Bight SUDNEIS eem 272 Table 101 24 bit Network Number Subnet Planning eeeeeeeceseee eene ennt tnnt nnn nnns 273 Table 102 16 bit Network Number Subnet Planning 55er rrr reae e repa ri eEba an eer Ere aee nh Rees 273 Table 405 Auto Conliguration Gy DAIGR ccircasccccsvrsaserccccicecscesecicestesnnts ainra aian ee El AEE SE 276 Table 104 Manual Configuration m iaaa saaa EEEa N EE RAEE EAEE 276 Table 109 iran Va SNMP mee N E N 276 Table 106 Displaying the File Versioni auissredesitnp aiat eset ats rc n RUP Lon oo a e a t in tS dad la e 277 Table 107 Displaying the File Version uisisdeondite prune Dena adi Shp antinsapaaetiadipdan
67. and unwanted learned addresses are flushed from the filtering database In RSTP the port states are Discarding Learning and Forwarding ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration 5 4 2 STP Terminology The root bridge is the base of the spanning tree Path cost is the cost of transmitting a frame onto a LAN through that port It 1s assigned according to the speed of the link to which a port is attached The slower the media the higher the cost see the following table Table 14 STP Path Costs LINK SPEED DEHUMMENDED E ERCHNENDED eyes Path Cost 4Mbps 250 100 to 1000 1 to 65535 Path Cost 10Mbps 100 50 to 600 1 to 65535 Path Cost 16Mbps 62 40 to 400 1 to 65535 Path Cost 100Mbps 19 10 to 60 1 to 65535 Path Cost 1Gbps 4 3 to 10 1 to 65535 Path Cost 10Gbps 2 1to5 1 to 65535 On each bridge the root port is the port through which this bridge communicates with the root It is the port on this switch with the lowest path cost to the root the root path cost If there is no root port then this bridge has been accepted as the root bridge of the spanning tree network For each LAN segment a designated bridge is selected This bridge has the lowest cost to the root among the bridges connected to the LAN 5 4 3 How STP Works After a bridge determines the lowest cost spanning tree with STP it enables the root port and the ports that are the designated ports for connected
68. any SNMP get or set requirements with the wrong community password Note snmpEnableAuthenTraps OID 1 3 6 1 2 1 11 30 defined in RFC 1214 and RFC 1907 must be enabled on in order for the device to send authenticationFailure traps Use a MIB browser to enable or disable snmpEnableAuthenTraps Traps defined in the ZyXEL Private MIB whyReboot 1 3 6 1 4 1 890 1 5 13 0 1 This trap is sent with the reason for restarting before the system reboots warm start System reboot by user is added for an intentional reboot for example download new files CI command sys reboot If the system reboots because of fatal errors a code for the error is listed pwTFTPStatus 1 3 6 1 4 1 890 1 9 2 3 3 1 This trap is sent to indicate the status and result of a TFTP client session that has ended 11 7 SNMP Traps Some traps include an SNMP interface index The following table maps the SNMP interface indexes to the ZyXEL Device s physical ports Table 43 SNMP Interface Index to Physical Port Mapping INTERFACE TYPE PHYSICAL PORT enetO WLAN enet1 Ethernet port 11 7 1 Configuring SNMP To change your ZyXEL Device s SNMP settings click REMOTE MGMT gt SNMP The screen appears as shown ZyXEL NWA 3100 User s Guide Chapter 11 Remote Management Figure 79 Remote Management SNMP TELNET FTP WWW SNMP SNMP Configuration Get Community public Set Community public
69. coda Era eas XKt ER E nae ss EAEE dar CTI A E a sans 98 Foure 57 b 101 Figurg 39 LODIg d SEP sioe i tpa a n ib o cc LU non HG ba dc o a A od Rd id 102 Figure 59 Layer 2 Isolation APpICATON M 106 Figure 60 Layer 2 Isolation Configuration Sree 222oieuiau ree erts rrta reae epe tapa eph stake obe a wr ne eL e RREEEETS 107 Figura 81 Layer 2 lsolation Example 2er sages aneiei eeka rta Rd ka FERA rta apa EEN eb RE sane ears Eid 108 Figure 62 Layer2 isolation Example 1 1 ssotenpdetu d dnt rb t Ne rbR P RR PIE p a kbPE T eit bR HI C bR d rb uiis 108 Figure 63 Laysr Z Isolation EXSIDIB E uiis aped didus ea aolet Fat a dao saa eon acd een do ER 109 Figure 64 MAG Address Filter em me 110 Figure 65 Roaming Example m 111 Figure Sb ROSNO aaa S RE EPOAISITRPo OLI S LORS ope SE Rata opL PA e p DAS aan ONS aI 112 zc X r IP pcm 114 Figure 60 Rogue AP Example e 118 Figure 69 Honeypot ADBEOE oie at ere spa Ear cca Eb ules IU Ruta EA Hol dedi Cpu NUR ER pana E Ub M lade Reid 119 Figure TO ROGUE AP sr UI NY es casi pisene en ubult ee putei ed astu ee ee Pr vtpvv tei tup pi tuer v v e E EH ERE EUG 120 Figure ROGUE AP Benily AF qussiecec su rasta YR ERCO 3S ERROR IEY RUHK EK da dS disi rH d rti Saad 121 Figure 72 ROGUE AP BOB EP Lo anna eias chaque eut pedir ERR ER e reU nn ERI shaded Ea MEDIE EEA EM eraasi 122 Figure 73 Secure and Insecure Remote Management
70. connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Table 24 Security WPA LABEL DESCRIPTION Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity The wireless station needs to send the username and password again before it can use the wireless network again Some wireless clients may prompt users for a username and password other clients may use saved login credentials In either case there is usually a short delay while the wireless client logs in to the wireless network again This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network for example using an authentication server If the wireless network is not keeping track of this information you can usually set this value higher to reduce the number of delays caused by logging in again The default time interval is 3600 seconds or 1 hour Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients The re keying process is the WPA equivalent of automati
71. dBi which is how much the antenna increases the signal power compared to using an isotropic antenna An isotropic antenna 1s a theoretical perfect antenna that sends out radio signals equally well in all directions dBi represents the true gain that the antenna provides Types of Antennas For WLAN There are two types of antennas used for wireless LAN applications ZyXEL NWA 3100 User s Guide Appendix E Indoor Installation Recommendations Omni directional antennas send the RF signal out in all directions on a horizontal plane The coverage area is torus shaped like a donut which makes these antennas ideal for a room environment With a wide coverage area it is possible to make circular overlapping coverage areas with multiple access points Directional antennas concentrate the RF signal in a beam like a flashlight does with the light from its bulb The angle of the beam determines the width of the coverage pattern Angles typically range from 20 degrees very directional to 120 degrees less directional Directional antennas are ideal for hallways and outdoor point to point applications Positioning Antennas In general antennas should be mounted as high as practically possible and free of obstructions In point to point application position both antennas at the same height and in a direct line of sight to each other to attain the best performance For omni directional antennas mounted on a table desk and so on point t
72. from the Configure list ZyXEL NWA 3100 User s Guide Appendix B Setting up Your Computer s IP Address Figure 175 Macintosh OS X Network 60 Network eT E Show All Displays Network Startup Disk Location Automatic ry Show Built in Ethernet B PPPoE AppleTalk Proxies Configure Using DHCP m Domain Name Servers Optional IP Address 192 168 11 12 168 95 1 1 Provided by DHCP Server Subnet Mask 255 255 254 0 Router 192 168 10 11 Search Domains Optional DHCP Client ID Optional Ethernet Address 00 05 02 43 93 ff fa amp Click the lock to prevent further changes Example apple com earthlink net Appiy Now 4 For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window ZyXEL NWA 3100 User s Guide Appendix B Setting up Your Computer s IP Address ZyXEL NWA 3100 User s Guide IP Address Assignment Conflicts This appendix describes situations where IP address conflicts may occur Subscribers with duplicate IP addresses will not be able to acces
73. g x U gt r 5 E E Follow the instructions in the Quick Start Guide to set up your ZyXEL Device for configuration The ZyXEL Device should be connected to the VLAN aware switch In the above example the switch is using port 1 to connect to your computer and port 2 to connect to the ZyXEL Device Figure 93 on page 162 1 In the ZyXEL Device web configurator click VLAN to open the VLAN setup screen 2 Select the Enable VLAN Tagging check box and type a Management VLAN ID 10 in this example in the field provided 3 Click Apply Figure 97 VLAN Setup WIRELESS VLAN RADIUS VLAN M Enable VIRTUAL LAN Wireless VIRTUAL LAN Setup Management VLAN ID hg 1 4004 VLAN Mapping Table mm sso f VAND Second Rx VLAN ID DN ver ssi zyxeLm fi p BE Guest ssi zyxtLo2 p hp BS sspe zyxeLo3 EN h BM sso zyxeLo um b BS ssp zyxetos B NN BEND sspe zyxeLo6 Bo NN BEN ssow zyxeLo7 po NN BEND sspe zyxeLos b j N BS sso zyxeLo9 NN o BE sspe zyxeL10 fo hp BH sso zx n m NN B sso zyxel 2 E BN ssw zxun 13 NN BEN sou zen BY sss yxetts is b BEEN ssp zx fe o Reset 4 The ZyXEL Device attempts to connect with a VLAN aware device You can now access and mange the ZyXEL Device though the Ethernet switch If you do not connect the ZyXEL Device to a correctly configu
74. in this menu Table 71 Menu 3 2 TCP IP Setup FIELD DESCRIPTION IP Address Press SPACE BAR and then ENTER to select Dynamic to have the ZyXEL Assignment Device obtain an IP address from a DHCP server You must know the IP address assigned to the ZyXEL Device by the DHCP server to access the ZyXEL Device again Select Static to give the ZyXEL Device a fixed unique IP address Enter a subnet mask appropriate to your network and the gateway IP address if applicable IP Address Enter the LAN IP address of your ZyXEL Device in dotted decimal notation IP Subnet Mask Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyXEL Device Gateway IP Address Type the IP address of the gateway The gateway is an immediate neighbor of your ZyXEL Device that will forward the packet to the destination On the LAN the gateway must be a router on the same network segment as your ZyXEL Device When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel ZyXEL NWA 3100 User s Guide SNMP Configuration This chapter explains SNMP Configuration menu 22 See the web configurator chapter on SNMP for background information 19 1 SNMP Configuration To configure SNMP select option 22 fro
75. key hierarchy and management system using the pair wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Figure 46 WPA 2 with RADIUS Application Example E v 0 a y CK x m JJ za 3 J o nN E Y 6 6 Security Modes The following table describes the security modes you can configure Table 18 Security Modes SECURITY MODE DESCRIPTION None Select this to have no data encryption WEP Select this to use WEP encryption 802 1x Only Select this to use 802 1x authentication with no data encryption 802 1x Static64 Select this to use 802 1x authentication with a static 64bit WEP key and an authentication server 802 1x Static128 Select this to use 802 1x authentication with a static 128bit WEP key and an authentication server WPA Select this to use WPA WPA PSK Select this to use WPA with a pre shared key WPA2 Select this to use WPA2 WPA2 MIX Select this to use either WPA2 or WPA depending on which security mode the wireless client uses WPA2 PSK Select this to use WPA2 with a pre shared key WPA2 PSK MIX Select this to use either WPA PSK or WPA2 PSK depending on which security mode the wireless client uses ZyXEL NWA 3100 User s Guide
76. key pair What is encrypted with one key can only be decrypted using the other Tim keeps the private key and makes the public key openly available Tim uses his private key to encrypt the message and sends it to Jenny Jenny receives the message and uses Tim s public key to decrypt it a kk WS DN Additionally Jenny uses her own private key to encrypt a message and Tim uses Jenny s public key to decrypt the message The ZyXEL Device uses certificates based on public key cryptology to authenticate users attempting to establish a connection not to encrypt the data that you send after establishing a connection The method used to secure the data that you send through an established connection depends on the type of connection For example a VPN tunnel might use the triple DES encryption algorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the hierarchy of certification authority certificates that validate a certificate The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked ZyXEL NWA 3100 User s Guide pas Chapter 12 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates A directory of certificates that have been revoked before the scheduled expiration is called a CRL Cert
77. make sure that a safety level is selected 5 Click OK to close the window Figure 190 Security Settings Java A amp oxN2 Security Settings Settings Q Disable 9 Enable i Font download Q Disable 9 Enable Q Prompt 3 Microsoft VM E Java permissions Q Custom fisable Jav 9 High safety Q Low safety Reset custom settings Reset to Medium v Reset cad ZyXEL NWA 3100 User s Guide From Internet Explorer click Tools Internet Options and then the Security tab Appendix F Pop up Windows JavaScripts and Java Permissions JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window Figure 191 Java Sun General Security Privacy Content Connections Programs Advanced Settings O Use inline AutoComplete O Use Passive FTP for firewall and DSL modem compatibility Use smooth scrolling HTTP 1 1 settings Use HTTP 1 1 O Use HTTP 1 1 through proxy connections 29 Java Sun C v Use Java 2 v1 4 1 07 for applet requires restart Microsoft vv O Java console enabled requires restart O Java logging enabled JIT compiler for virtual machine enabled requires restart Multimedia O Always show Internet Explorer 5 0 or later Radio toolbar O Don t display online media content in the media bar Enable Automatic
78. nta dob 187 16 3 SMT Menu Overview Exaile uoce ke pbi ctp rae eae Re RIS MEER DE RRRERTHU d Iu atlas 188 16 4 Navigating th SMT Internat 12 crrnero trente ttr tunisie statt Epor ttn pret ta ka rt a past ta d E pup Cd 188 16 4 1 System Management Terminal Interface Summary sene 190 Chapter 17 t il e 191 AEC ILE CU OM 191 17 1 1 Precedare To Configure Menn T iuscuutassunpenea ar btc RA S SU P4 SE o S Rite 191 Chapter 18 Bol EI im 193 Te PLAN ila E 193 12 2 TCPIUP UGG SER 1 eisiecci ext ES ETRP RAN e e IR REDE Eb ep Lp bed qu E bove di Hd RR det 193 ZyXEL NWA 3100 User s Guide Table of Contents Chapter 19 SNMP CONNAN OD LL acireiie velie E ERG n AY AGRO BIER ARE LYRA RA KIC A Rn REN AAE 195 1T SNMP COnN ied edite rd ad naan a eer Xe dua ir deena ca dab isto 195 Chapter 20 Sys POSSIMUS ato nen HIM adden MU Nd MD GF nu UN MM MA MUN DUI MUR UE 197 AMEN CNET uo 197 Chapter 21 System Information and Diagnosis ccccccccceceeeeeeeeeeeeeeeeee sees sees seesseesnesseeesneesneesneeeeeeees 199 P Ec i o Ecc e CT NET 199 valvulis e 200 21 2 1 System IMOnnaton RETO 201 21 28 Condo Port GBOBI srusio aE E E meii tn du 202 eae LOA TCO r A 202 ZN Ui EN I LOO e Pr TETTE 202 2s NINOS UNG cise iiaa eei eii aa e taa 20
79. pid n E 4 Safety rl ce E S 6 CONSE COVE POW PR A 9 El 1o ptpgl cH 11 stor ROWO qc 19 Hst of Tables MT M H 25 Part l Introduction E 29 Chapter 1 Introducing the ZyXEL DEVICE ciiin iunio not eisenii sneka oaaae kaia aiaks 31 1 1 Jotroducigg he ZyXEL DOVO uino beet a LR IR Doce a T 31 1 2 Applications Tor Die ZyXEL DOVICE uoi buia Petr p Ra OIN AR ER DUC EY EE Man MERERI EEGA 31 DANT PONI eea AA A E R 31 JU up dro IE aaa ASAE AL AA ES E EEE O AEEA e OED 32 1 2 3 Bridge i i ni A a i AA AA 33 E ETE asa a ea at aaa O E E T 35 1 29 Preconigured SSID PEOR sesiiecnsinu Hann QUERI rime 36 1 3 Ways to Manage tha ZyXEL DEVICE asucscure mssssceh t eos bctit deua cett due aiiin etta dure LEE kom e 36 1 4 Good Habits for Managing the ZyXEL Device iuis escena cttna htec auth ttn khan Rh 36 QE JE d e E E NEN 37 Chapter 2 Introducing the Web Configurator LleeeeLeeeeeeLeee eee cceeeeeeeeee nennen nnne nn nnn 39 2 1 Actessing the cuins ICM 39 za Pee TG Z AEE DO WIGS seann 40 2 2 1 Methods of Restoring Factory Doefaulls cic csicsccssscccservestercsuvveniedeeraennsdeisinnsavvenaes 41 2 9 Navigating the Web Configurator ou cs ia sede kept cis paa diua ear stata npa d aad ad 41 Chapter 3 puer mr
80. pre configured Guest SSID profile has layer 2 isolation and intra BSS traffic blocking enabled by default Layer 2 isolation means that a client accessing the network via the Guest SSID profile can access only certain pre defined devices on the network see Section 8 1 on page 105 and intra BSS traffic blocking means that the client cannot access other clients on the same wireless network see Section 5 1 1 on page 67 Click WIRELESS gt SSID Select Guest SSID s entry in the list and click Edit The following screen appears ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Figure 19 Tutorial Guest Edit Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Name Guest SSID SSID Guest SSID Example Hide Name SSID Disable v Security security03 v RADIUS Jradius01 a QoS NONE L2 Isolation Enable j Intra BSS Traffic blocking Enable MAC Filtering Disable gt Reset Choose a new SSID for the guest network In this example enter Guest SSID Example Note that although the SSID changes the SSID profile name Guest SSID remains the same as before Select Disable from the Hide Name SSID list box This makes it easier for guests to configure their own computers wireless clients to your network s settings The standard network SSID04 is already using the security01 profile and the VoIP network is using the security02 profile renamed VoIP Security so sel
81. s Guide Appendix H Text File Based Auto Configuration ZyXEL NWA 3100 User s Guide Legal Information Copyright Copyright O 2006 by ZyXEL Communications Corporation The contents of this publication may not be reproduced in any part or as a whole transcribed stored in a retrieval system translated into any language or transmitted in any form or by any means electronic mechanical magnetic optical chemical photocopying manual or otherwise without the prior written permission of ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners Certifications Federal Communications Commission FCC Interference Statement The device complies with Part 15 of FCC rules Operation is subject to the following two conditions This device may not cause harmful interf
82. subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Subnet masks can be referred to by the size of the network number part the bits with a 1 value For example an 8 bit mask means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes ZyXEL NWA 3100 User s Guide Appendix G IP Addresses and Subnetting Subnet masks are expressed in dotted decimal notation just like IP addresses The following examples show the binary and decimal notation for 8 bit 16 bit 24 bit and 29 bit subnet masks Table 93 Subnet Masks BINARY DECIMAL octet OCTET OCTET SCTE 8 bit mask 11111111 00000000 00000000 00000000 255 0 0 0 16 bit mask 11111111 11111111 00000000 00000000 255 255 0 0 24 bit mask 11111111 11111111 11111111 00000000 255 255 255 0 29 bit mask 11111111 11111111 11111111 11111000 255 255 255 248 Network Size The size of the network number determines the maximum number of possible hosts you can have on your network The larger the number of network number bits the smaller the number of remaining host ID bits An IP address with host IDs of all zeros is the IP address of the network 192 168 1 0 with a 24 bit subnet mask for example An IP address with host IDs of all ones 1s the broadcast address for that network 192
83. tags all packets from an SSID with the VLAN ID you set in the Wireless VLAN screen When you use RADIUS VLAN your RADIUS server assigns VLAN IDs to a user or user group s traffic based on the configuration in the RADIUS VLAN screen When you use wireless VLAN and RADIUS VLAN together the ZyXEL Device first tries to assign VLAN IDs based on RADIUS VLAN configuration If a client s user name does not match an entry in the RADIUS VLAN screen the ZyXEL Device assigns a VLAN ID based on the settings in the Wireless VLAN screen See Section 14 2 4 on page 164 for more information ES To use RADIUS VLAN you must first select Enable VIRTUAL LAN and configure the Management VLAN ID in the VLAN gt WIRELESS VLAN screen 14 2 1 Wireless VLAN Click VLAN gt WIRELESS VLAN The following screen appears ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Figure 91 WIRELESS VLAN RADIUS VLAN VIRTUAL LAN Setup Wireless VIRTUAL LAN Setup SSID VLAN ID Second Rx VLAN ID The following table describes the labels in this screen Table 58 WIRELESS VLAN FIELD DESCRIPTION Enable VIRTUAL LAN Select this box to enable VLAN tagging Management VLAN ID Enter a number from 1 to 4094 to define this VLAN group At least one device in your network must belong to this VLAN group in order to manage the ZyXEL Device Note Mail and FTP servers must have the same management VLAN ID to communicate with the ZyXEL D
84. the output power of your rogue AP ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial ZyXEL NWA 3100 User s Guide PART II The Web Configurator System Screens 63 Wireless Configuration 67 Wireless Security Configuration 81 MBSSID and SSID 97 Other Wireless Configuration 105 IP Screen 113 Rogue AP 117 Remote Management 123 Certificates 133 Log Screens 151 VLAN 157 Maintenance 175 System Screens 4 1 System Overview This section provides information on general system setup 4 2 Configuring General Setup Click SYSTEM gt General Figure 32 System General Setup System Name Domain Name First DNS Server Third DNS Server General Password Time Setting Administrator Inactivity Timer fi 0 minutes 0 means no timeout System DNS Servers Second DNS Server NWA 31 00 From DHCP 0 0 0 0 From DHCP 0 0 0 0 From DHCP J 0 0 0 0 Reset The following table describes the labels in this screen Table 5 System General Setup LABEL DESCRIPTION General Setup System Name Type a descriptive name to identify the ZyXEL Device in the Ethernet network This name can be up to 30 alphanumeric characters long Spaces are not allowed but dashes and underscores are accepted Domain Name This is not a required field Leave this field blank or enter the domain name here if you know it Admin
85. the previous settings or replace them You can zip each configuration file You must use the store compression method and a zip file extension When zipping a configuration file you can also add password protection using the same password that you use to log into the AP wcfg Command Configuration File Examples 278 These example configuration files use the wc g command to configure security and SSID profiles Figure 197 WEP Configuration File Example ZYXEL PROWLAN VERSION 11 wcfg security 1 name Test wep wcfg security 1 security wep wcfg security 1 wep keysize 64 ascii wcfg security 1 wep keyl abcde wcfg security 1 wep key2 bcdef wcfg security 1 wep key3 cdefg wcfg security 1 wep key4 defgh wcfg security 1 wep keyindex 1 wcfg security save wcfg ssid 1 name ssid wep wcfg ssid 1 security Test wep wcfg ssid 1 12iolation disable wcfg ssid 1 macfilter disable wcfg ssid save ZyXEL NWA 3100 User s Guide Appendix H Text File Based Auto Configuration Figure 198 802 1X Configuration File Example ZYXEL PROWLAN I4 VERSION 12 wcfg security wcfg security wcfg security wcfg security wcfg security wcfg security name Test 8021x mode 8021x static128 wep keyl abcdefghijklm wep key2 bcdefghijklmn wep keyindex 1 reauthtime 1800 wcfg security 2 idletime 3600 wcfg security save wcfg radius wcfg radius wcfg radius wcfg radius wcfg ssid wcfg ssid wcfg ssid wcfg ssid wcfg ssid
86. the AP The ZyXEL Device supports EAP TLS EAP TTLS EAP MDS and PEAP with RADIUS Refer to the Types of EAP Authentication appendix for descriptions on the common types The following figure shows an overview of authentication when you specify a RADIUS server on your access point Figure 44 EAP Authentication um RADIUS Server N Wireless Station am 7 Ilill The details below provide a general description of how IEEE 802 1x EAP authentication works For an example list of EAP MDS authentication steps see the IEEE 802 1x appendix 1 The wireless station sends a start message to the ZyXEL Device 2 The ZyXEL Device sends a request identity message to the wireless station for identity information 3 The wireless station replies with identity information including username and password 4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station 6 4 Introduction to WPA Wi Fi Protected Access WPA is a subset of the IEEE 802 11i standard WPA 2 IEEE 802 111 is a wireless security standard that defines stronger encryption authentication and key management than WPA ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Key differences between WPA 2 and WEP are improved data encryption and user authentication 6 4 1 User Authentication WPA or WPA2 applies IEEE 802 1x and Extensible Authentication
87. the Media Access Control MAC address of the AP All wireless devices have a MAC address that uniquely identifies them SSID This field displays the Service Set IDentifier also known as the network name of the AP Channel This field displays the wireless channel the AP is currently using Security This field displays the type of wireless encryption the AP is currently using Description If you want to move the AP s entry to the friendly AP list enter a short explanatory description identifying the AP before you click Add to Friendly AP List A maximum of 32 alphanumeric characters are allowed in this field Spaces underscores and dashes are allowed Add to Friendly AP List If you know that the AP described in an entry is not a threat select the Active check box enter a short description in the Description field and click this button to add the entry to the friendly AP list see Section 10 3 2 on page 120 When the ZyXEL Device next scans for rogue APs the selected AP does not appear in the rogue AP list Reset Click Reset to return all fields in this screen to their default values ZyXEL NWA 3100 User s Guide Remote Management This chapter provides information on the Remote Management screens 11 1 Remote Management Overview Remote management allows you to determine which services protocols can access which of the ZyXEL Device s interfaces 1f any from which computers The followin
88. the Open field Click OK At the e V prompt enter ping 192 168 1 10 substitute the IP address of a real device on your network that is not on the layer 2 isolation list If you receive a reply check the settings in the WIRELESS gt Layer 2 Isolation screen and ensure that layer 2 isolation 1s enabled in the Guest SSID profile screen 3 2 How to Set Up and Use Rogue AP Detection This example shows you how to configure the rogue AP detection feature on the ZyXEL Device A rogue AP is a wireless access point operating in a network s coverage area that is not a sanctioned part of that network The example also shows how to set the ZyXEL Device to send out e mail alerts whenever it detects a rogue wireless access point See Chapter 10 on page 117 for background information on the rogue AP function and security considerations In this example you want to ensure that your company s data is not accessible to an attacker gaining entry to your wireless network through a rogue AP ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Your wireless network operates in an office building It consists of four access points all ZyXEL Devices and a variable number of wireless clients You also know that the coffee shop on the ground floor has a wireless network consisting of a single access point which can be detected and accessed from your floor of the building There are no other static wireless networks in your coverage area The followi
89. the ZyXEL Device if you have two or more ZyXEL Devices on the same subnet Note All APs on the same subnet and the wireless stations must have the same SSID to allow roaming Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh 5 6 2 Bridge Repeater Mode The ZyXEL Device can act as a wireless network bridge and establish wireless links with other APs You need to know the MAC address of the peer device which also must be in bridge mode The ZyXEL Device can establish up to five wireless links with other APs In the example below when both ZyXEL Devices are in Bridge Repeater mode they form a WDS Wireless Distribution System allowing the computers in LAN 1 to connect to the computers in LAN 2 ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration Figure 39 Bridging Example Be careful to avoid bridge loops when you enable bridging in the ZyXEL Device Bridge loops cause broadcast traffic to circle the network endlessly resulting in possible throughput degradation and disruption of communications The following examples show two network topologies that can lead to this problem Iftwo or more ZyXEL Devices in bridge mode are connected to the same hub Figure 40 Bridge Loop Two Bridges Connected to Hub AP Bridge f your ZyXEL Device in bridge mode is connected to a wired LAN while communicating with another wireles
90. to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyXEL Device and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 Inthe Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and default gateway Windows 2000 NT XP 1 For Windows XP click start Control Panel In Windows 2000 NT click Start Settings Control Panel ZyXEL NWA 3100 User s Guide Appendix B Setting up Your Computer s IP Address Internet Explorer 3 Outlook Express Y Paint B Command Prompt E Acrobat Reader 4 0 4 Tour Windows xP Windows Movie Maker All Programs gt Figure 166 Windows XP Start Menu Files and Settings Transfer W e My Documents fe My Recent Documents e My Pictures e My Music g My Computer g Control Panel ka Printers and Faxes Q9 Help and Support P og Off o Turn Off Computer untitled Paint 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 167 Windows XP Control Panel File Edit View Favorites amp Control Panel Tools Help Qe d JO Search Folders Ez Address J Control Panel Vg Control Panel A Windows Update B Switch to Category view See Also e x Add Hardware
91. to encrypt text Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification authority s certificate and Path Length Constraint 1 means that there can only be one certification authority in the certificate s path MD5 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using ZyXEL NWA 3100 User s Guide the MD5 algorithm Chapter 12 Certificates 12 10 Trusted CAs Table 48 My Certificate Details continued LABEL DESCRIPTION SHA Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can copy and paste a certification request into a certification authority s web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution via floppy disk for example E
92. to identify itself The ZyXEL Device is the SSL server and must always authenticate itself to the SSL client the computer which requests the HTTPS connection with the ZyXEL Device Authenticate Select Authenticate Client Certificates optional to require the SSL client to Client Certificates authenticate itself with the ZyXEL Device by sending the ZyXEL Device a certificate To do that the SSL client must have a CA signed certificate from a CA that has been imported as a trusted CA on the ZyXEL Device see the appendix on importing certificates for details Server Port The HTTPS proxy server listens on port 443 by default If you change the HTTPS proxy server port to a different number on the ZyXEL Device for example 8443 then you must notify people who need to access the ZyXEL Device web configurator to use https ZyXEL Device IP Address 8443 as the URL Server Access Select a ZyXEL Device interface from Server Access on which incoming HTTPS access is allowed You can allow only secure web configurator access by setting the HTTP Server Access field to Disable and setting the HTTPS Server Access field to an interface s Secured Client IP A secure client is a trusted computer that is allowed to communicate with the Address ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address t
93. to use in your network in the Pre Shared Key field In this example the PSK is ThisismyWPA2 PSKpre sharedkey ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Click Apply The WIRELESS gt Security screen displays Ensure that the Profile Name for entry 2 displays VoIP Security and that the Security Mode is WPA2 PSK Figure 17 Tutorial VoIP Security Updated Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Index Profile Name d 1 SP tyt None o 2 VoIP Security WPA2 PSK g 3 securityU one 3 1 2 2 Activate the VoIP Profile You need to activate the VoIP SSID profile before it can be used Click the Wireless tab In the Select SSID Profile table select the VoIP SSID profile and click Apply Figure 18 Tutorial Activate VoIP Profile ee on ld Select SSID Profile Index Profile Index Profile ssipo3 ssib03 ss D03 j ssiD03 gt Guest_SSID 551004 gt 551003 Your VoIP wireless network is now ready to use Any traffic using the VoIP_SSID profile will be given the highest priority across the wireless network 3 1 3 Configure the Guest Network When you are setting up the wireless network for guests to your office your primary concern is to keep your network secure while allowing access to certain resources such as a network printer or the Internet For this reason the
94. trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh 11 5 Configuring WWW To change your ZyXEL Device s World Wide Web settings click REMOTE MGNT gt WWW You can set the ZyXEL Device to use HTTP or HTTPS HTTPS adds security for web configurator sessions Specify which interfaces allow web configurator access and from which IP address the access can come ZyXEL NWA 3100 User s Guide Chapter 11 Remote Management Figure 77 Remote Management WWW TELNET FTP wwe SNMP Eu SS SSS SSS SSS Server Certificate auto generated self signed cert v See My Certificates I Authenticate Client Certificates See Trusted CAs Server Port 443 Server Access WLAN amp LAN Secured Client IP Address Al C Selected Server Port eo Server Access WLAN amp LAN Secured Client IP Address AIC Selected 0 0 0 0 Reset The following table describes the labels in this screen Table 41 Remote Management WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyXEL Device will use
95. wcfg ssid wcfg ssid 2 2 2 2 2 2 2 name radius rd 2 primary 172 23 3 4 1812 1234 enable 2 backup 172 23 3 5 1812 1234 enable save name ssid 8021x security Test 8021x radius radius rd qos 4 12isolation disable macfilter disable Save Figure 199 WPA PSK Configuration File Example ZYXEL PROWLAN VERSION 13 wcfg security wcfg security wcfg security wcfg security wcfg security name Test wpapsk mode wpapsk passphrase qwertyuiop reauthtime 1800 idletime 3600 CO CO CO CO CO wcfg security 3 groupkeytime 1800 wcfg security save wcfg ssid wcfg ssid wcfg ssid wcfg ssid wcfg ssid 3 3 3 3 3 name ssid wpapsk security Test wpapsk qos 4 12siolation disable macfilter disable wcfg ssid save ZyXEL NWA 3100 User s Guide 279 Appendix H Text File Based Auto Configuration Figure 200 WPA Configuration File Example ZYXEL PROWLAN 4VERSION 14 wcfg security 4 name Test wpa wcfg security 4 mode wpa wcfg security 4 reauthtime 1800 wcfg security 4 idletime 3600 wcfg security 4 groupkeytime 1800 wcfg security save wcfg radius 4 name radius rdl wcfg radius 4 primary 172 0 20 38 1812 20 enable wcfg radius 4 backup 172 0 20 39 1812 20 enable wcfg radius save wcfg ssid 4 name ssid wpa wcfg ssid 4 security Test wpa wcfg ssid 4 qos 4 wcfg ssid 4 12isolation disable wcfg ssid 4 macfilter disable wcfg ssid save wlan Command Configuration File Example T
96. 00 Down 0 00 00 00 00 00 00 Down 0 O0 No 00 00 00 00 00 00 Down 0 o0 No 00 00 00 00 00 00 Down 0 O No 00 00 00 00 00 00 Down oOo o0 System Up Time 0 35 12 Poll Interval s 5 sec Set Interval Stop The following table describes the labels in this screen Table 62 System Status Show Statistics LABEL DESCRIPTION Port This is the Ethernet or wireless port Status This shows the port speed and duplex setting if you are using Ethernet encapsulation for the Ethernet port Ethernet port connections can be in half duplex or full duplex mode Full duplex refers to a device s ability to send and receive simultaneously while half duplex indicates that traffic can flow in only one direction at a time The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect This shows the transmission speed only for the wireless port TxPkts This is the number of transmitted packets on this port RxPkts This is the number of received packets on this port Collisions This is the number of collisions on this port Tx B s This shows the transmission speed in bytes per second on this port Rx B s This shows the reception speed in bytes per second on this port Up Time This is total amount of time the line has been up Bridge Link This is the index number of the bridge connection Active This shows whether t
97. 1 VLAN A VLAN Virtual Local Area Network allows a physical network to be partitioned into multiple logical networks Stations on a logical network can belong to one or more groups Only stations within the same group can talk to each other 14 1 1 Management VLAN ID BS The Management VLAN ID identifies the management VLAN A device must be a member of this management VLAN in order to access and manage the ZyXEL Device If a device is not a member of this VLAN then that device cannot manage the ZyXEL Device If no devices are in the management VLAN then no one will be able to access the ZyXEL Device and you will have to restore the default configuration file 14 1 2 VLAN Tagging The ZyXEL Device supports IEEE 802 1q VLAN tagging Tagged VLAN uses an explicit tag VLAN ID in the MAC header ofa frame to identify VLAN membership The ZyXEL Device can identify VLAN tags for incoming Ethernet frames and add VLAN tags to outgoing Ethernet frames You must connect the ZyXEL Device to a VLAN aware device that is a member of the management VLAN in order to perform management See the Configuring Management VLAN example BEFORE you configure the VLAN screens ZyXEL NWA 3100 User s Guide Chapter 14 VLAN 14 2 Configuring VLAN The ZyXEL Device allows you to configure VLAN based on SSID profile wireless VLAN and or based on your RADIUS server RADIUS VLAN When you use wireless VLAN the ZyXEL Device
98. 157 If no devices are in the management VLAN then no one will be able to access the ZyXEL Device and you will have to restore the default configuration file 4 Select the SSID profile you want to configure SSID03 in this example and enter the VLAN ID number between 1 and 4094 ZyXEL NWA 3100 User s Guide Chapter 14 VLAN 5 Enter a Second Rx VLAN ID The following screen shows SSID03 tagged with a VLAN ID of 3 and a Second Rx VLAN ID of 4 Figure 113 Configuring SSID Second Rx VLAN ID Example RADIUS VLAN VIRTUAL LAN Setup v Wireless VIRTUAL LAN Setup 6 Click Apply to save these settings Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3 and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03 ZyXEL NWA 3100 User s Guide Chapter 14 VLAN ZyXEL NWA 3100 User s Guide Maintenance This chapter displays system information such as ZyNOS firmware port IP addresses and port traffic statistics 15 4 Maintenance Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your ZyXEL Device 15 2 System Status Screen Click MAINTENANCE to open the System Status screen where you can use to monitor your ZyXEL Device Note that these labels are READ ONLY and are meant to be used for diagnostic purposes Figure 114 System Status Status Association List Channel Usage FAW Upload Configu
99. 168 1 255 with a 24 bit subnet mask for example As these two IP addresses cannot be used for individual hosts calculate the maximum number of possible hosts in a network as follows Table 94 Maximum Host Numbers SUBNET MASK HOST ID SIZE MAXIMUM NUMBER OF HOSTS 8bits 255 0 0 0 24 bits 242 16777214 16 bits 255 255 0 0 16 bits 216_2 65534 24 bits 255 255 255 0 8 bits 28 2 254 29 bits 255 255 255 248 3 bits 0925 6 Notation Since the mask 1s always a continuous number of ones beginning from the left followed by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the number of ones instead of writing the value of each octet This is usually specified by writing a followed by the number of bits in the mask after the address For example 192 1 1 0 25 is equivalent to saying 192 1 1 0 with subnet mask 255 255 255 128 The following table shows some possible subnet masks using both notations Table 95 Alternative Subnet Mask Notation ALTERNATIVE LAST OCTET LAST OCTET SUBNET MASK NOTATION BINARY DECIMAL 255 255 255 0 24 0000 0000 0 255 255 255 128 25 1000 0000 128 ZyXEL NWA 3100 User s Guide Appendix G IP Addresses and Subnetting Table 95 Alternative Subnet Mask Notation continued sumerweek AUR T inner SERRE 255 255 255 192 26 1100 0000 192 255 255 255 224
100. 229 disclaimer 283 Distribution System 68 DS Field 71 DS field 71 DSCPs 71 dynamic WEP key exchange 255 ZyXEL NWA 3100 User s Guide Index E EAP 81 82 EAP authentication 254 EAP MD5 254 EAP TLS 255 EAP TTLS 255 e mail alerts 52 encryption 83 256 error log 202 error information messages sample 203 ESS 68 250 ESS IDentification 68 examples 43 Extended Service Set 68 250 Extended Service Set IDentification 76 99 F FCC interference statement 283 file version 277 filename conventions 205 firmware file 178 fragmentation threshold 252 friendly AP 54 55 friendly AP list 120 FTP 125 222 restrictions 222 FTP file transfer 211 G general setup 63 191 guest SSID profile 49 H hidden menus 189 hidden node 251 honeypot attack 118 host 64 humidity 229 HyperTerminal 209 IANA 274 Internet Assigned Numbers Authority see IANA IBSS 249 IEEE 802 1x 253 in band management 161 Independent Basic Service Set 178 249 Internet access 193 Internet Security Gateway 31 Internet telephony 35 IP Address 204 IP address 53 113 114 194 202 204 IPSec VPN capability 230 L LAN 177 layer 2 isolation 51 LEAP 255 LEDs 37 link type 200 log and trace 203 log descriptions 154 logs 151 MAC address 53 54 109 MAC address filter action 110 MAC filter 81 109 230 MAC service data unit 75 79 99 main menu 189 Management Information Base MIB 129 management VLAN 161
101. 23 also 3 When uploading the DEFAULT configuration file the console port speed will be reset to 9600 bps and the password to 1234 Do You Wish To Proceed Y N 2 After the Starting Xmodem upload message appears activate the Xmodem protocol on your computer Follow the procedure as shown previously for the HyperTerminal program The procedure for other serial communications programs should be similar 3 Enter atgo to restart the ZyXEL Device 22 4 10 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Figure 158 Example Xmodem Upload Send File 2 Xi Folder C Product Filename C Product config rom Type the configuration file s location or click Browse to search for it Choose the Xmodem Protocol protocol Then click Send ZyXEL NWA 3100 User s Guide Chapter 22 Firmware and Configuration File Maintenance After the configuration upload process has completed restart the ZyXEL Device by entering atgo ZyXEL NWA 3100 User s Guide System Maintenance and Information This chapter leads you through SMT menus 24 8 and 24 10 23 1 Command Interpreter Mode The Command Interpreter CI is a part of the main system firmware The CI provides much of the same functionality as the SMT while adding some low level setup and diagnostic functions Enter the CI from the SMT by selec
102. 255 192 0 18 16382 3 255 255 224 0 19 8190 4 255 255 240 0 20 16 4094 5 255 255 248 0 21 32 2046 6 255 255 252 0 22 64 1022 7 255 255 254 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 ZyXEL NWA 3100 User s Guide 273 Appendix G IP Addresses and Subnetting Table 102 16 bit Network Number Subnet Planning continued NO BORROWED NO HOSTS PER HOST BITS SUBNET MASK NO SUBNETS SUBNET 14 255 255 255 252 30 16384 2 15 255 255 255 254 31 32768 1 Configuring IP Addresses Where you obtain your network number depends on your particular situation If the ISP or your network administrator assigns you a block of registered IP addresses follow their instructions in selecting the IP addresses and the subnet mask Ifthe ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 The Internet Assigned Number Authority LANA reserved this block of addresses specifically for private use please do not use any other number unless you are told otherwise You must also enable N
103. 3 Chapter 22 Firmware and Configuration File Maintenance eesseeesee esee esee ssesseee 205 221 Pilernams ONS ii illa essen ios VE HR PERE ER po E e t I Fi Eesti beet ERR PH d Parada geb gd 205 228 2 Bap se ODIQuUE EY ssiiaee pio iQ sepu c bote PMID PIU RI bi Ide nri pq EI UN M tere reer bMS 206 222 1 Backup Comiiguration Using FTP isset rct retta ode vd o dea eaa 206 22 2 2 Using the FTP command from the DOS Prompt sess 207 22 2 3 Backup Configuradon Using TE TP iius seco ttes tenure duse ine 207 22 2A Example TET COMMA iiic potet rr Ir A rr E PH ERES R ken 208 22 2 9 Backup Via Console POM insu v d rbPRIN S E ERERIE QA EM DS SERER EI M sie 209 22 0 Restore CONNGUPATION m 210 22 1 Restore Usma FIP assassin epos Lye Sesh de ca feb idle baa ebd ab paa dA d aide 210 22 4 Uploading Firmware and Configuration Files 2c beepectti korea EFEH EX RD Er Up eR REERUR MNA RE RUHA 210 I MITT Upload e N 211 224 2 Comiguration File Upload MD PIER 211 22 4 3 Using the FTP command from the DOS Prompt Example ssuss 212 AE TFTP PREO Eos stus oett Rn Rand don id ar ela c tal ie Ae T UE 213 2245 Example TF TP GCODB TIBIE sores ptu Y E EFIe RS Ro DETeE BEER MP E 213 22 1 6 Uploading Via Console POI rasessecan e past tec beer ctae pe reta 2e rendesen isa dup abe cupi ERREUR 213 22 4 7 Uploading Firmware File Via Console Port
104. 5 F5 02 06 11 22 Infra WEP Refresh The following table describes the labels in this screen Table 64 Channel Usage LABEL DESCRIPTION SSID This is the Service Set IDentification name of the AP in an Infrastructure wireless network or wireless station in an Ad Hoc wireless network For our purposes we define an Infrastructure network as a wireless network that uses an AP and an Ad Hoc network also known as Independent Basic Service Set IBSS as one that doesn t See the Wireless Configuration and Roaming chapter for more information on basic service sets BSS and extended service sets ESS MAC Address This field displays the MAC address of the AP in an Infrastructure wireless network It is randomly generated so ignore it in an Ad Hoc wireless network Channel This is the index number of the channel currently used by the associated AP in an Infrastructure wireless network or wireless station in an Ad Hoc wireless network Signal This field displays the strength of the AP s signal If you must choose a channel that s currently in use choose one with low signal strength for minimum interference Network Mode Network mode in this screen refers to your wireless LAN infrastructure refer to the Wireless LAN chapter and security setup Refresh Click Refresh to reload the screen 15 5 F W Upload Screen Find firmware at www zyxel com in a file that usually uses the system model na
105. APs MAC addresses and descriptions as displayed in the ROGUE AP gt Friendly AP screen to your computer File Path Enter the location of a previously saved friendly AP list to upload to the ZyXEL Device Alternatively click the Browse button to locate a list Browse Click this button to locate a previously saved list of friendly APs to upload to the ZyXEL Device Import Click this button to upload the previously saved list of friendly APs displayed in the File Path field to the ZyXEL Device Apply Click Apply to save your settings Reset Click Reset to return all fields in this screen to their previously saved values 10 3 2 Rogue AP Friendly AP The friendly AP list displays details of all the access points in your area that you know are not a threat If you have more than one AP in your network you need to configure this list to include your other APs If your wireless network overlaps with that of a neighbor for example you should also add these APs to the list as they do not compromise your own network s security If you do not add them to the friendly AP list these access points will appear in the Rogue AP list each time the ZyXEL Device scans ZyXEL NWA 3100 User s Guide Chapter 10 Rogue AP Figure 71 ROGUE AP gt Friendly AP Configuration Friendly AP Rogue AP Add Friendly AP ew SS ST I as Add Friendly AP List T Crammefsecarty Desertion
106. APs must use the same pre shared key See Section 5 6 2 on page 76 for more details Once the security settings of the two APs match one another the WDS connection is made BES If you do not enable WDS security in Bridge Repeater mode traffic between APs is not encrypted ZyXEL NWA 3100 User s Guide 33 Chapter 1 Introducing the ZyXEL Device Figure 3 Bridge Application Figure 4 Repeater Application ZyXEL NWA 3100 User s Guide Chapter 1 Introducing the ZyXEL Device 1 2 4 MBSSID A BSS Basic Service Set is the set of devices forming a single wireless network usually an access point and one or more wireless clients An SSID Service Set IDentifier is the name of a BSS In MBSSID Multiple BSS mode the ZyXEL Device provides multiple virtual APs each forming its own BSS and using its own individual SSID profile You can configure up to sixteen SSID profiles and have up to eight active at any one time You can assign different wireless and security settings to each SSID profile This allows you to compartmentalize groups of users set varying access privileges and prioritize network traffic to and from certain BSSs To the wireless clients in the network each SSID appears to be a different access point As in any wireless network clients can associate only with the SSIDs for which they have the correct security settings For example you might want to set up a wireless network in your offic
107. Address Assignment Conflicts 245 Wireless LANs 249 Indoor Installation Recommendations 259 Pop up Windows JavaScripts and Java Permissions 261 IP Addresses and Subnetting 267 Text File Based Auto Configuration 275 Legal Information 283 Customer Support 287 Index 291 227 P roduct Specifications The following tables summarize the ZyXEL Device s hardware and firmware features Table 82 Hardware Specifications Power Specification 12VDC 1A Reset button Returns all settings to their factory defaults Ethernet Port Auto negotiating 10 Mbps or 100 Mbps in either half duplex or full duplex mode Auto crossover Use either crossover or straight through Ethernet cables Power over Ethernet PoE IEEE 802 3af compliant Operation Temperature 0 50 C Storage Temperature 30 60 C Operation Humidity 10 90 non condensing Storage Humidity 5 95 non condensing Dimensions W x D x H 153 mm x 92 mm x 42 mm Distance between the centers of wall mounting holes on the device s back 60 mm Screw size for wall mounting 6mm 8mm 0 24 0 31 head width Table 83 Firmware Specifications FEATURE DESCRIPTION Wireless LAN Standards IEEE 802 11a IEEE 802 11b IEEE 802 119 Wireless security WEP WPA 2 WPA 2 PSK 802 1x Layer 2 isolation Prevents wireless clients associa
108. Communications A S Nils Hansens vei 13 0667 Oslo Norway Poland e e e E mail info pl zyxel com Telephone 48 22 333 8250 Fax 48 22 333 8251 Web Site www pl zyxel com Regular Mail ZyXEL Communications ul Okrzei 1A 03 715 Warszawa Poland Russia e Support http zyxel ru support Sales E mail sales zyxel ru Telephone 7 095 542 89 29 Fax 7 095 542 89 25 Web Site www zyxel ru Regular Mail ZyXEL Russia Ostrovityanova 37a Str Moscow 117279 Russia Support E mail support zyxel es Sales E mail sales zyxel es Telephone 34 902 195 420 Fax 34 913 005 345 ZyXEL NWA 3100 User s Guide Appendix J Customer Support Web Site www zyxel es Regular Mail ZyXEL Communications Arte 21 5 planta 28033 Madrid Spain Sweden Support E mail support zyxel se Sales E mail sales zyxel se Telephone 46 31 744 7700 Fax 46 31 744 7701 Web Site www zyxel se e Regular Mail ZyXEL Communications A S Sj porten 4 41764 G teborg Sweden Ukraine Support E mail support ua zyxel com Sales E mail sales ua zyxel com Telephone 380 44 247 69 78 Fax 380 44 494 49 32 Web Site www ua zyxel com Regular Mail ZyXEL Ukraine 13 Pimonenko Str Kiev 04050 Ukraine United Kingdom Support E mail support zyxel co uk Sales E mail sales zyxel co uk Telephone 444 1344 303044 08707 555779 UK only Fax 44 1344 303034 Web Site www zyxel c
109. D 192 168 1 254 Example Eight Subnets Similarly use a 27 bit mask to create eight subnets 000 001 010 011 100 101 110 and 111 The following table shows IP address last octet values for each subnet Table 100 Eight Subnets SUBNET ADDRESS FIRST ADDRESS ADDRESS ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 272 ZyXEL NWA 3100 User s Guide Appendix G IP Addresses and Subnetting Table 100 Eight Subnets continued SUBNET ADDRESS FIRST ADDRESS ADDRESS ADDRESS 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 Subnet Planning The following table is a summary for subnet planning on a network with a 24 bit network number Table 101 24 bit Network Number Subnet Planning NO BORROWED SUBNET MASK NO SUBNETS NO HOSTS PER NET HOST BITS SUB 1 255 255 255 128 25 126 2 255 255 255 192 26 62 3 255 255 255 224 27 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252 30 64 2 7 255 255 255 254 31 128 1 The following table is a summary for subnet planning on a network with a 16 bit network number Table 102 16 bit Network Number Subnet Planning Nostre SOWED SUBNET MASK NO SUBNETS NO HOSTS PER 1 255 255 128 0 17 32766 2 255
110. EL Device automatically determines the priority to use for an individual traffic stream This prevents reductions in data transmission for applications that are sensitive to latency delay and jitter variations in delay 5 3 1 1 WMM QoS Priorities The following table describes the WMM QoS priority levels that the ZyXEL Device uses Table 8 WMM QoS Priorities PRIORITY LEVEL DESCRIPTION voice Typically used for traffic that is especially sensitive to jitter Use this priority WMM VOICE to reduce latency for improved voice quality video Typically used for traffic which has some tolerance for jitter but needs to be WMM VIDEO prioritized over other data traffic best effort Typically used for traffic from applications or devices that lack QoS WMM BEST EFFORT capabilities Use best effort priority for traffic that is less sensitive to latency g 7 but is affected by long delays such as Internet surfing background This is typically used for non critical traffic such as bulk transfers and print WMM_BACKGROUND jobs that are allowed but that should not affect other applications and users Use background priority for applications that do not have strict latency and throughput requirements 5 3 2 ATC Automatic Traffic Classifier ATC is a bandwidth management tool that prioritizes data packets sent across the network ATC assigns each packet a priority and then queues the packet accordingly Packets assig
111. ESS VLAN Gudiabetei ot oppor amas Ue Lem ta tros te alt durs 159 Table o9 RADIOS ELA cerca banana tesa etna ERRARE TOR rk ho venei b Ped se topped bbb uei r te utc ibas d ma EIU HM uS 161 Table 60 Standard eB NT Ci m 164 Table SS E duusiscdidiudetindimiec TEA abd EE ea ir EpL ERU ER MO Rl EN is CAM are bladi y ua 175 Table B2 Systemi Status Show SESUsfiCB lt ccccscsniecieucaboneeeicenasagsaeenicaeeni eicasalssieadaeuideomaibianeeieianns 176 Table 62 Association Wisk nc 177 Tohe 5 55 Di Mim P N tonal aati iets 178 Table Bo Firmware LWA E 179 Table O6 Restore C OBIIOUESUROEL seavsnirzsaanncorsssael onoxevasansnndsdegasasorsaeeaa Rp S KU LU RALFEW RRRCLAS VOLUN 181 Table 57 SMT Memis Ce ew assasubueasepeni unte pu di etos ve rd ctn NU ERA QA RAE RLUD NUMERI Ue FERA RR ER DIMERE RUN 188 Ttable 58 Main Menu Commande A 189 Table 69 Main Menu SUMME sls state reared ised cae a apa aN ASSAS aea ES EEES AEEA 190 Table 70 Menu 1 Gensral SOUP sirnani a EHI ute ni GRE ER MA IM AD EM MMME 191 Table 7 7 Menu 3 2 TOP Seu 11 cdi REED o FS aAa LEE EVER ERE Y ao FERE ER oa p EF RO ei 194 Table 72 Menu 22 SNMP CODIOUESUOTI sissies creda peRie tha a eR ee PAR iinr ERR rA a RUE REM a E ER rebua LEER pu EASE EG IIa 195 Table 73 Menu 24 1 System Maintenance Status sees enet tte kesun btt adn Eb b Ld d dub bk d dd das itd 200 Table 74 Menu 24 2 1 System Main
112. Enter the e mail address where the alert messages will be sent If this field is left blank alert messages will not be sent via e mail SMTP Authentication If you use SMTP authentication the mail receiver should be the owner of the SMTP account User NAME If your e mail account requires SMTP authentication enter the username here Password Enter the password associated with the above username Syslog Logging Syslog logging sends a log to an external syslog server used to store logs Active Click Active to enable syslog logging Syslog Server IP Address Enter the server name or IP address of the syslog server that will log the selected categories of logs Log Facility Select a location from the drop down list box The log facility allows you to log the messages to different files in the syslog server Refer to the documentation of your syslog program for more details Send Log Log Schedule This drop down menu is used to configure the frequency of log messages being sent as E mail Daily Weekly Hourly When Log is Full None If the Weekly or the Daily option is selected specify a time of day when the E mail should be sent If the Weekly option is selected then also specify which day of the week the E mail should be sent If the When Log is Full option is selected an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log
113. Figure 59 Layer 2 Isolation Application A a m m cc CN C Edi D t Internet MAC addresses that are not listed in the Allow devices with these MAC addresses table are blocked from communicating with the ZyXEL Device s wireless clients except for broadcast packets Layer 2 1solation does not check the traffic between wireless clients that are associated with the same AP Intra BSS Traffic allows wireless clients associated with the same AP to communicate with each other 8 2 Configuring Layer 2 Isolation If layer 2 isolation is enabled you need to know the MAC address of the wireless client AP computer or router that you want to allow to communicate with the ZyXEL Device s wireless clients To configure layer 2 isolation click WIRELESS Layer 2 Isolation The screen appears as shown next ZyXEL NWA 3100 User s Guide Chapter 8 Other Wireless Configuration Figure 60 Layer 2 Isolation Configuration Screen Wireless SSID Security RADIUS Layer Isolation MAC Filter Layer 2 Isolation Configuration Allow devices with these MAC addresses Set MAC Address Set MAC Address The following table describes the labels in this screen Table 31 Layer 2 Isolation Configuration LABEL DESCRIPTION Allow devices with These are the MAC address of a wireless client AP computer or router A these MAC wireless client ass
114. I EATE AEEA cid 67 Wireless Security Comi alt episi cepi d rerba Urb epa I eREEEPREU DIG EPA PITE ERN NU ERE DDTRE eo anne 81 MESSID NE army p CE es la a ela aa ees lentes ti nes 97 Other Wireless Configuration se th casustsinnccdetuatarapa dada ikine a aaia EEEa Enaaak aE EN 105 lieri 113 FRO QUE FF TF Remos Monig INSU CRITE 123 up An BG g 133 L5 SOEOSIS cha od ten apa creed ha diei oa des vnvuden ond iac eet des GEO Seb Te 151 VEAN T m 157 Ling T 175 SMT and Troubleshooting rasian 185 Mroducing ihe SMT serrian E 187 Genoa BOTE saa a ep Let FP ax PR Les eae 191 LIN T o m 193 lie cus 195 cyrccx cris M 197 System information and Diagnosis sassinoro aai 199 Firmware and Configuration File Maintenance ssesssee mmm 205 System Maintenance and InoerisWol ascen etudes ge ke pdeg ane e bu qa ar Le eaa REB PUN XR Eu LN RYE ERE T RARER EA 217 TOURIS NOON ernai ni aeaes ease iadadgaineaee 223 Appendices ANE MEEK ciscsccicasesisvctiwccciessectenecastedinenatiascecentecienuiascacisaarsuetstienustedasiertedienauranres 227 ZyXEL NWA 3100 User s Guide 9 Contents Overview ZyXEL NWA 3100 User s Guide Table of Contents Table of Contents About This Vs rs cnl toe m 3 rere dr
115. IP address of the ZyXEL Device is not known Use the web configurator to restore defaults refer to Chapter 15 on page 175 Transfer the configuration file to your ZyXEL Device using FTP See the section on SMT configuration for more information 2 3 Navigating the Web Configurator The following summarizes how to navigate the web configurator from the MAIN MENU screen Click LOGOUT at any time to exit the web configurator Check the status bar at the bottom of the screen when you click Apply or OK to verify that the configuration has been updated Figure 9 The MAIN MENU Screen of the Web Configurator ZyXEL ADVANCED SYSTEM WIRELESS IP ROGUE AP REMOTE MGNT MAIN MENU CERTIFICATES MAIN MENU LOGS VLAN MAINTENANCE Welcome to the ZyXEL embedded web configurator LOGOUT e Click Maintenance to access a range of maintenance submenus ZyXEL NWA 3100 User s Guide Chapter 2 Introducing the Web Configurator Click the links under ADVANCED to configure advanced features such as SYSTEM General Setup Password and Time Zone WIRELESS Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter IP ROGUE AP Configuration Friendly AP Rogue AP REMOTE MGNT Telnet FTP WWW and SNMP CERTIFICATES My Certificates Trusted CAs LOGS View Logs and Log Settings and VLAN Wireless VLAN and RADIUS VLAN Click MAINTENANCE to view information about your ZyXEL Device or upgrade configuration and firmware f
116. IP address of the NAS o NAS Port Type Type o physical per usi Senice Type Tyne of service user hat requested Tunnel ppe Tunneling piotacels to be used TrA Windows groups that user belongs to ignatna Ihe request aling the request l Add y the NAS onginstin 2 4 TheSelect Groups window displays Select a remote access policy and click the Add button The policy is added to the field below Only one VLAN Group should be associated with each policy 5 Click OK and Next in the next few screens to accept the group value ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Figure 102 Adding VLAN Group Select Groups ax Look ix n Folder Doman Guests Ci Greup Policy Creator Owners DnsU pdateProxy E Fcuncry VLAN Group 10 Fconcr VLAN Giop 5 VLAN Group 10 lt d Check Names NLAN Group 19 Cnel 6 When the Permissions options screen displays select Grant remote access permission Click Next to grant access based on group membership Click the Edit Profile button Figure 103 Granting Permissions and User Profile Screens Add Remote Access Policy E AX Permissions Determine whelher Io grant or deny emate access permizsior x You can use a Remote Access Policy eil Iser Frofie group o users ex 10 act as a fiter and dery Specify the user profile If a user matches the soecilied conditions Grant temple access permission You can now specify the
117. IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interface SMT Login Fail Someone has failed to log on to the router s SMT interface WEB Login Successfully Someone has logged on to the router s web configurator interface WEB Login Fail Someone has failed to log on to the router s web configurator interface TELNET Login Someone has logged on to the router via telnet Successfully TELNET Login Fail Someone has failed to log on to the router via telnet FTP Login Successfully Someone has logged on to the router via FTP FTP Login Fail Someone has failed to log on to the router via FTP Table 55 ICMP Notes TYPE CODE DESCRIPTION 0 Echo Reply Echo reply message Destination Unreachable Net unreachable Host unreachable Protocol unreachable Port unreachable STANNO A a A packet that needed fragmentation was dropped because it was set to Don t Fragment DF Source route failed Source Quench A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network Redirect Redirect datagrams for the Network Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network wN o Redirect datagrams for the Type of Service and Host ZyXEL NWA 3100 User s Gu
118. L Device Table 66 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the file you want to upload Remember that you must decompress compressed ZIP files before you can upload them Upload Click Upload to begin the upload process D gt Do not turn off the ZyXEL Device while configuration file upload is in progress ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance After you see a restore configuration successful screen you must then wait one minute before logging into the ZyXEL Device again Figure 123 Configuration Upload Successful Restore Configuration successful The Device Is Rebooting Now Please Wait After the device finishes rebooting the login screen displays The ZyXEL Device automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 124 Network Temporarily Disconnected d Local Area Connection Network cable unplugged If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address 192 168 1 2 See your Quick Start Guide for details on how to set up your computer s IP address If the upload was not
119. LANs based on SSID Configure the fields in the above screens to use the settings in an SSID profile Select an SSID profile in the WIRELESS gt SSID screen and click Edit to display the following screen Figure 58 Configuring SSID Wireless SSID Security RADIUS Layer Isolation MAC Filter Name SSID03 SSID ITA GTR Hide Name SSID Disable Security security01 v RADIUS radius01 QoS NONE L2 Isolation Disable x Intra BSS Traffic blocking Disable MAC Filtering Disable Reset The following table describes the labels in this screen Table 30 Configuring SSID LABEL DESCRIPTION Name Enter a name identifying this profile SSID When a wireless client scans for an AP to associate with this is the name that is broadcast and seen in the wireless client utility Hide Name SSID Select Disable if you want the ZyXEL Device to broadcast this SSID a wireless client scanning for an AP will find this SSID Alternatively select Enable to have the ZyXEL Device hide this SSID a wireless client scanning for an AP will not find this SSID Select a security profile to use with this SSID profile See Section 6 9 on page 86 for more information RADIUS Select a RADIUS profile from the drop down list box if you have a RADIUS server configured If you do not need to use RADIUS authentication ignore this field See Section 6 11 on page 95 for more information Security
120. MAC Filter Apply Reset The following table describes the labels in this screen Table 22 Security 802 1x Only LABEL DESCRIPTION Name Type a name to identify this security profile Security Mode Choose 802 1x Only in this field ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity The wireless station needs to send the username and password again before it can use the wireless network again Some wireless clients may prompt users for a username and password other clients may use saved login credentials In either case there is usually a short delay while the wireless client logs in to the wireless network again This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network for example using an authentication server If the wireless network is not keeping track of this information you can usually set this value higher to reduce the number of delays caused by l
121. MP is only available if TCP IP is configured SNMP is only available if TCP IP is configured Figure 78 SNMP Management Model MANAGER Managed Device Managed Device Managed Device An SNMP managed network consists of two main types of component agents and a manager ZyXEL NWA 3100 User s Guide Chapter 11 Remote Management An agent is a management software module that resides in a managed device the ZyXEL Device An agent translates the local management information from the managed device into a form compatible with SNMP The manager is the console through which network administrators perform network management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that define each piece of information to be collected about a device Examples of variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows the manager to retrieve the n
122. MT Menu Overview 188 SNMP 128 230 community 195 configuration 195 manager 129 MIBs 129 traps 130 trusted host 195 Spanning Tree Protocol 72 see STP SSID 35 hide SSID 81 SSID profile 35 45 101 pre configured 35 46 49 STP 72 73 230 path costs 73 ZyXEL NWA 3100 User s Guide Index port states 73 terminology 73 subnet 267 subnet mask 194 202 268 subnetting 270 syntax conventions 4 system console port speed 202 diagnostic 203 log and trace 202 system information 201 System status 199 time and date 219 system information 200 system information and diagnosis 199 system maintenance 199 201 206 208 210 213 214 217 219 system name 63 system timeout 124 222 T tagged VLAN example 161 TCP IP 204 Telnet 124 telnet 220 telnet configuration 220 temperature 229 testing 52 text file based auto configuration 230 275 TFTP restrictions 222 TFTP file transfer 213 time and date setting 219 time setting 65 time zone 220 ToS 71 trace records 202 trademarks 283 tutorial 43 Type of Service 71 U upload firmware 210 user authentication 83 257 V Virtual Local Area Network see VLAN VLAN 157 configuring 158 management VLAN 157 RADIUS 158 160 wireless 158 159 VLAN tagging 157 VolP 35 44 46 49 103 W warranty 285 note 285 wcfg Command 278 WDS 76 Web 126 Web Configurator 39 41 WEP 255 WEP encryption 81 88 Wi Fi Multimedia QoS 69 wireless cli
123. Mapping Table Index DO O Name i 1 4094 zyxe ao araw n MES me anm qao aao arag araw n MES me me i ana qo aeo ZyXEL NWA 3100 User s Guide Chapter 14 VLAN The following table describes the labels in this screen Table 59 RADIUS VLAN LABEL DESCRIPTION Block station if Select this to have the ZyXEL Device forbid access to wireless clients when RADIUS server assign the VLAN attributes sent from the RADIUS server do not match a configured VLAN name error Name field When you select this check box only users with names configured in this screen can access the network through the ZyXEL Device VLAN Mapping Table Use this table to map names to VLAN IDs so that the RADIUS server can assign each user or user group a mapped VLAN ID See your RADIUS server documentation for more information on configuring VLAN ID attributes See Section 14 2 4 on page 164 for more information Index Select a check box to enable the VLAN mapping profile ID Type a VLAN ID Incoming traffic from the WLAN is authorized and assigned a VLAN ID before it is sent to the LAN Name Type a name to have the ZyXEL Device check for specific VLAN attributes on incoming messages from the RADIUS server Access accept packets sent by the RADIUS server contain VLAN related at
124. NWA 3100 802 11a b g Wireless Access Point User s Guide Version 3 60 10 2006 Edition 1 ZyXEL www zyxel com About This User s Guide About This User s Guide Intended Audience This manual is intended for people who want to configure the ZyXEL Device using the web configurator You should have at least a basic knowledge of TCP IP networking concepts and topology Related Documentation Quick Start Guide The Quick Start Guide is designed to help you get up and running right away It contains information on setting up your network and configuring for Internet access Supporting Disk Refer to the included CD for support documents ZyXEL Web Site Please refer to www zyxel com for additional support documentation and product certifications User Guide Feedback Help us help you Send all User Guide related comments questions or suggestions for improvement to the following address or use e mail instead Thank you The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan E mail techwriters zyxel com tw ZyXEL NWA 3100 User s Guide 3 Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User s Guide lt gt Warnings tell you about things that could harm you or your device BES Notes tell you other important information for example other things y
125. NWA 3100 User s Guide 207 Chapter 22 Firmware and Configuration File Maintenance To use TFTP your computer must have both telnet and TFTP clients To backup the configuration file follow the procedure shown next 1 Use telnet from your computer to connect to the ZyXEL Device and log in Because TFTP does not have any security checks the ZyXEL Device records the IP address of the telnet client and accepts TFTP requests only from this address 2 Putthe SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance 3 Enter command sys stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute SMT timeout default when the file transfer is complete 4 Launch the TFTP client on your computer and connect to the ZyXEL Device Set the transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below to transfer files between the ZyXEL Device and the computer The file name for the configuration file is rom 0 rom zero not capital o Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get to transfer from the ZyXEL Device to the computer and binary to set binary transfer mode 22 2 4 Example TFTP Command
126. OWLAN The second line must specify the file version The AP compares the file version with the version of the last configuration file that it downloaded If the version of the downloaded file is the same or smaller older the AP ignores the file If the version of the downloaded file is larger newer the AP uses the file Configuration File Rules You can only use the w1an and wc g commands in the configuration file The AP ignores other ZyNOS commands but continues to check the next command The AP ignores any improperly formatted commands and continues to check the next line 277 ZyXEL NWA 3100 User s Guide Appendix H Text File Based Auto Configuration Ifthere are any errors while processing the configuration file the AP generates a message with the line number and reason for the first error subsequent errors during the processing of an individual configuration file are not recorded You can use SNMP management software to display the message by using the following MIB Table 108 Displaying the Auto Configuration Status ITEM OBJECT ID DESCRIPTION pwAutoCfgMessage 1 3 6 1 4 1 890 1 9 1 9 Auto configuration status message string The commands will be executed line by line just like if you entered them in a console or Telnet CI session Be careful to ensure the integrity of the whole AP configuration If there are existing settings in the AP the newly loaded configuration file will either coexist with
127. Once the log entries are all used the log will wrap around and the old logs will be deleted Click a column heading to sort the entries A triangle indicates the direction of the sort order Figure 89 View Log View Log Log Settings Display All Logs Email Log Now Refresh Clear Log Time A Message Source Destination Notes T WLAN STA Association MACAddr 001302171185 2 mM Successful HTTP login 172 23 37 27 earainn Table 52 View Log The following table describes the labels in this screen LABEL DESCRIPTION Display Select a log category from the drop down list box to display logs within the selected category To view all logs select All Logs The number of categories shown in the drop down list box depends on the selection in the Log Settings page Time This field displays the time the log was recorded Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet ZyXEL NWA 3100 User s Guide K Chapter 13 Log Screens Table 52 View Log LABEL DESCRIPTION Notes This field displays additional information about the log entry Email Log Now Click Email Log Now to send the log screen to the e mail address specified in the Log Settings page Refresh C
128. Only to allow only IEEE 802 11g compliant WLAN devices to associate with the ZyXEL Device Select 802 11b g to allow both IEEE802 11b and IEEE802 11g compliant WLAN devices to associate with the ZyXEL Device The transmission rate of your ZyXEL Device might be reduced Select 802 11a to allow only IEEE 802 11a compliant WLAN devices to associate with the ZyXEL Device Super Mode Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting Choose Channel ID Set the operating frequency channel depending on your particular region To manually set the ZyXEL Device to use a channel select a channel from the drop down list box Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer to peer wireless network To have the ZyXEL Device automatically select a channel click Scan instead Scan Click this button to have the ZyXEL Device automatically select the wireless channel with the lowest interference RTS CTS Threshold The threshold number of bytes for enabling RTS CTS handshake Data with a frame size larger than this value will perform the RTS CTS handshake Setting this attribute to be larger than the maximum MSDU MAC service data unit size turns off the RTS CTS handshake Setting this attribute to zero turns on the RTS CTS handshake Enter a value between 800 and 2346 Fragmentatio
129. Protocol EAP to authenticate wireless clients using an external RADIUS database If both an AP and the wireless clients support WPA2 and you have an external RADIUS server use WPA2 for stronger data encryption If you don t have an external RADIUS server you should use WPA2 PSK WPA2 Pre Shared Key which only requires a single identical password entered into each access point wireless gateway and wireless client As long as the passwords match a wireless client will be granted access to a WLAN If the AP or the wireless clients do not support WPA2 use WPA or WPA PSK depending on whether you have an external RADIUS server or not Select WEP only when the AP and or wireless clients do not support WPA or WPA2 WEP is less secure than WPA or WPA2 6 4 2 Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol TKIP Message Integrity Check MIC and IEEE 802 1x In addition to TKIP WPA2 also uses Advanced Encryption Standard AES in the Counter mode with Cipher block chaining Message authentication code Protocol CCMP to offer stronger encryption Temporal Key Integrity Protocol TKIP uses 128 bit keys that are dynamically generated and distributed by the authentication server It includes a per packet key mixing function a Message Integrity Check MIC named Michael an extended initialization vector IV with sequencing rules and a re keying mechanism TKIP regularly changes and rotates th
130. QUFAANBAEie7uwS5 yBQdGxj dqzmLoOtYrB fvOm f5o301Eq7OSMBhOfDNF6M6BYAAO05krhJquaHGQS2 ITJdVO WLf5nds The following table describes the labels in this screen Table 48 My Certificate Details Default self signed certificate which signs the imported remote host certificates LABEL DESCRIPTION Name This field displays the identifying name of this certificate If you want to change the name type up to 31 characters to identify this certificate You may use any character not including spaces Property Select this check box to have the ZyXEL Device use this certificate to sign the trusted remote host certificates that you import to the ZyXEL Device This check box is only available with self signed certificates If this check box is already selected you cannot clear it in this screen you must select this check box in another self signed certificate s details screen This automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates ZyXEL NWA 3100 User s Guide Chapter 12 Certificates Table 48 My Certificate Details continued LABEL DESCRIPTION Certificate Path Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have im
131. RIES AVAILABLE PARAMETERS error 0 1 2 3 ZyXEL NWA 3100 User s Guide E Chapter 13 Log Screens Table 57 Log Categories and Available Settings LOG CATEGORIES AVAILABLE PARAMETERS mten 0 1 Use 0 to not record logs for that category 1 to record only logs for that category 2 to record only alerts for that category and 3 to record both logs and alerts for that category Usethesys logs save command to store the settings in the ZyXEL Device you must do this in order to record logs 13 4 2 Displaying Logs 13 5 Log Command Example log categories Use the sys logs display command to show all of the logs in the ZyXEL Device s log Use the sys logs category display command to show the log settings for all of the Use the sys logs display log category command to show the logs in an individual ZyXEL Device log category Use the sys logs clear command to erase all of the ZyXEL Device s logs This example shows how to set the ZyXEL Device to record the error logs and alerts and then view the results ras ras ras ras Oo sys logs load sys logs category error 3 sys logs save sys logs display access time source destination notes message 11 11 2002 15 10 12 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK ZyXEL NWA 3100 User s Guide VLAN This chapter discusses how to configure VLAN on the ZyXEL Device 14
132. RSA public private key encryption algorithm and the MD5 hash algorithm Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyXEL Device uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate s owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field displays for what functions the certificate s key can be used For example DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification authority s certificate and Path Length Constraint 1 means that there can only be one certification authority in the certificate s path CRL Distribution Points This field displays how many directory servers with Lists of r
133. Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space ZyXEL NWA 3100 User s Guide Text File Based Auto Configuration This chapter describes how administrators can use text configuration files to configure the wireless LAN settings for multiple APs Text File Based Auto Configuration Overview You can use plain text configuration files to configure the wireless LAN settings on multiple APs The AP can automatically get a configuration file from a TFTP server at startup or after renewing DHCP client information Figure 195 Text File Based Auto Configuration TFTP o AP 1cfg txt P1 AP 2 AP2cfg txt AP3cfg txt AP 4cfg txt ii AP 3 AP 4 Use one of the following methods to give the AP the IP address of the TFTP server where you store the configuration files and the name of the configuration file that it should download You can have a different configuration file for each AP You can also have multiple APs use the same configuration file ZyXEL NWA 3100 User s Guide 275 Appendix H Text File Based Auto Configuration BS If adjacent APs use the same configuration file you should leave out the channel setting since they could interfere with each other s wireless traffic Auto Con
134. Rogue AP List This list displays details of all IEEE 802 11a b g wireless access points within the ZyXEL Device s coverage area except for the ZyXEL Device itself and the access points included in the friendly AP list see Section 10 3 2 on page 120 You can set how often you want the ZyXEL Device to scan for rogue APs in the ROGUE AP 7 Configuration screen see Section 10 3 1 on page 119 Click ROGUE AP gt Rogue AP The following screen displays ZyXEL NWA 3100 User s Guide 121 Chapter 10 Rogue AP Figure 72 ROGUE AP Rogue AP Configuration Friendly AP Rogue AP Rogue AP List m AP List Pefresh Active MAC Address __SSID___ Channell Security Description _ 00 00 08 02 00 07 3 2 WPAPSK B 00 01 00 20 90 DA 65 11 WPAPSK Add To Friendly AP List Reset The following table describes the labels in this screen Table 37 ROGUE AP gt Rogue AP LABEL DESCRIPTION Rogue AP List This displays details of access points in the ZyXEL Device s coverage area that are not listed in the friendly AP list see Section 10 3 2 on page 120 Refresh Click this button to have the ZyXEL Device scan for rogue APs This is the index number of the AP s entry in the list Active Use this check box to select the APs you want to move to the friendly AP list see Section 10 3 2 on page 120 MAC Address This field displays
135. S EE RH TREE EIN UNE R M TAS REM 106 0 2 1 Layer 2 Isolation Examples P M 107 8 2 1 1 Layer 2 Isolation Example T iuuat nda tak nd ld t aa 108 elg Layer Boan EXIIDBIECE cuustetimeteteien teni enr vant PRU UOI n EePF den RE rriv nRE E HMS 108 compren MAC FINOT o 109 Dar T ODDO TRINNY aasar asiera een it nidis ERR d nac bna Rat ARRA CL du n ded 111 58 4 1 Requirement for ROOF iiccccceeekeceixsksescecectekvbez ive E pouce diee bia ei E Reve ed dE EpL TED pea dad 112 Chapter 9 lucri 113 9 1 Factory Ethemet DOIUITS uud orbe uid sake A Oda EE EEAF hue tb A MR ae tal Ria E EEEE EKA EN AR HETE ERA du 113 o2 OPT PaE inn cascsiadiecn cam icelan ease ae inet 113 9 2 1 WAN IF Address AsSIIHIO SEIL 5 nied dera sna rra Lr pad dei ont do ed YR nr x na 113 Eben pan agentes evene Mr EU UNE ERN 114 Chapter 10 PRS e E 117 10 1 Rogue AP iiM 117 10 2 Rogue Mmi eee bai a R lash ee 117 TOL T HODBUPOL tor acabo pat bebo ID Po RR E RUNDE at e vina a miM obe tun ERE Cetus aequ 118 10 3 Gonmigunng Regue AP DETSOEDE stia Pret ddr bt ates tra mad ear odas ates ad 119 T0551 Rogue AF COnTIDBEBEIDE 2 cca ees ai pad ei rh ba dax pEb ba dca Ereann Ernani ENEN Chido Kia 119 10 3 2 Rogue AP Engndly AP 12 ertet tort dd het tdv cxt didt ola d dedita 120 TOS 2 ORNS FP ASE e 121 Chapter 11 Remote rp A T
136. S Layer 2 Isolation MAC Filter 802 11 Mode iv Super Mode Choose Channel ID Channel 06 2437MHz gt or RTS CTS Threshold 4b 256 2346 Fragmentation Threshold JG 256 2345 Outnut Powe mM SSID Profile 551004 j Iv Enable Breathing LED Iv Enable Spanning Tree Protocol STP lv Roaming Active Apply Reset Select MBSSID from the Operating Mode drop down list box The screen displays as follows Figure 12 Tutorial Wireless LAN Change Mode Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Operating Mode MBSSID gt GU V M Super Mode e D j Choose Channel ID Channel 06 2437MHz v or RTS CTS Threshold 2345 256 2348 Fragmentation Threshold 346 256 2348 Output Power io Select SSID Profile Index Profile EIE VoIP SSID ssibo3 v 2g Guest_SSID SsiD03 gt T 7 ssipo3 ssiD03 ss D03 om 7 m Iv Enable Breathing LED Iv Enable Spanning Tree Protocol STP Roaming Active Apply Reset This Select SSID Profile table allows you to activate or deactivate SSID profiles Your wireless network was previously using the SSID04 profile so select SSID04 in one of the Profile list boxes number 3 in this example ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Select the Index box for the entry and click Apply to activate the profile Your standard w
137. SK susceptible to brute force password guessing attacks but it s still an improvement over WEP as it employs an easier to use consistent single alphanumeric password 6 4 3 WPA 2 PSK Application Example A WPA 2 PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and 63 ASCII characters including spaces and symbols 2 The AP checks each wireless client s password and only allows it to join the network if the password matches 3 The AP derives and distributes keys to the wireless clients 4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them Figure 45 WPA 2 PSK Authentication PSK v e y AC DA H li is Ed J C Y A B 8 f 6 5 WPA 2 with RADIUS Application Example You need the IP address of the RADIUS server its port number default is 1812 and the RADIUS shared secret A WPA 2 application example with an external RADIUS server looks as follows A is the RADIUS server DS is the distribution system 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a
138. Sign cer Property Check incoming certificates issued by this CA against a CRL Certificate Path Refresh Certificate Information Type Selfsigned X 509 Certificate Version V1 Serial Number 355880216084885406223240701 1527417280 Subject OU Secure Server Certification Authority O RSA Data Security Inc C US Issuer OU Secure Server Certification Authority O RSA Data Security Inc C US Signature Algorithm rsa pkcs1 md2 Valid From 1994 Nov 9th 00 00 00 GMT Valid To 2010 Jan 7th 23 59 59 GMT Key Algorithm rsaEncryption 1000 bits MD5 Fingerprint 74 7b 82 03 43 10 00 9e bb b3 ec 47 bf 85 a5 93 SHA1 Fingerprint 44 B3 c5 31 d7 cc c1 00 57 94 51 2b b6 56 d3 bf 82 57 84 6f Certificate in PEM Base 64 Encoded Format MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBOQA wXZzELMAKG A1UEBhMCVVMxIDAeBgNVBAOTF1JTOSBEYXRhIFNl1Y3VyaXRSLCBJbmMuMS4wLAYD VOOLEyVTZWNi1cmUgU2ZVydmVyIENlcnRpZmljYXRpb2 4gQOXVOaG9yaXR5MBAXDTKO MTEwOTAwMDAwMFOXDTEwMDEwNzIzNTkiOVowXzELMAKGA1UEBhMCVVMxIDAeBgNV BAoTF1JTQSBEYXRhIFNl1Y3VyaXRSLCBJbmMuMS4uyLAYDVQQOLEyVTZWNi1cmUgU2Vy diVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGbMAOGCSqGSIDb3DQEBAQUAA4GJ ADCBhQJ cAJLOesGugz5aqomDV6wlAXYMra6OLDfO6zV4AZFQDSYRAUCIT jwjiioII DhaGN1XpsSECrXZogZoFokvJSyVmIlZsi ePO4FZbYOHZXATCXY m3dM41CJVphI uR2nKRoTLkoRWZweFdVJVCxzOmmCsZc5nGiwZz0j1333WyB57AgMBAAEwDOYJKOZI xl Export Apply Cancel The following table describes the labels in this screen Table 51
139. Subnetting Example After Subnetting 1 A LE I B D P E3 mo SN i I LE CS hs 5 H P T Internet a n B TM P i P i i i 9 192 168 1 0 25 4 W192 168 1 128 ue a mumumumumum um eom um um um um um um In a 25 bit subnet the host ID has 7 bits so each sub network has a maximum of 27 2 or 126 possible hosts a host ID of all zeroes is the subnet s address itself all ones is the subnet s broadcast address 192 168 1 0 with mask 255 255 255 128 is subnet A itself and 192 168 1 127 with mask 255 255 255 128 is its broadcast address Therefore the lowest IP address that can be assigned to an actual host for subnet A is 192 168 1 1 and the highest is 192 168 1 126 Similarly the host ID range for subnet B is 192 168 1 129 to 192 168 1 254 Example Four Subnets The previous example illustrated using a 25 bit subnet mask to divide a 24 bit address into two subnets Similarly to divide a 24 bit address into four subnets you need to borrow two host ID bits to give four possible combinations 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 26 2 or 62 hosts for each subnet a host ID of all zeroes is the subnet itself all ones is the subnet s broadcast address Table 96 Subnet 1 LAST OCTET BIT IP SUBNET MASK NETWORK NUMBER VALUE IP Address Decimal 192 168 1 0 IP A
140. TER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen ZyXEL NWA 3100 User s Guide System Password This chapter describes how to configure the ZyXEL Device s system password 20 1 System Password You can configure the system password in this menu Figure 135 Menu 23 System Password Menu 23 System Password Old Password New Password Retype to confirm Enter here to CONFIRM or ESC to CANCEL You should change the default password If you forget your password you have to restore the default configuration file Refer to Section 16 2 on page 187 and Section 2 2 on page 40 ZyXEL NWA 3100 User s Guide Chapter 20 System Password ZyXEL NWA 3100 User s Guide System Information and Diagnosis This chapter covers the information and diagnostic tools in SMT menus 24 1 to 24 4 These tools include updates on system status port status log and trace capabilities and upgrades for the system software This chapter describes how to use these tools in detail Type 24 in the main menu and press ENTER to open Menu 24 System Maintenance as shown in the following figure Figure 136 Menu 24 System Maintenance Menu 24 System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpret
141. Trusted CA Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate If you want to change the name type up to 31 characters to identify this key certificate You may use any character not including spaces Property Select this check box to have the ZyXEL Device check incoming certificates that Check incoming are issued by this certification authority against a Certificate Revocation List certificates issued CRL by this CA against a Clear this check box to have the ZyXEL Device not check incoming certificates CRL that are issued by this certification authority against a Certificate Revocation List CRL Certificate Path Click the Refresh button to have this read only text box display the end entity s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity s certificate If the issuing certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the end entity s own certificate The ZyXEL Device does not trust the end entity s certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked Refresh Click Refresh to display the certification path ZyXEL NWA 3100 User s Guide 147 Chapter 12 Certificates Table 51 Trus
142. Types EAP MD5 EAP TLS EAP TTLS PEAP LEAP Mutual Authentication No Yes Yes Yes Yes Certificate Client No Yes Optional Optional No Certificate Server No Yes Yes Yes No Dynamic Key Exchange No Yes Yes Yes Yes Credential Integrity None Strong Strong Strong Moderate Deployment Difficulty Easy Hard Moderate Moderate Moderate Client Identity Protection No No Yes Yes No WPA 2 Wi Fi Protected Access WPA is a subset of the IEEE 802 11i standard WPA 2 IEEE 802 111 is a wireless security standard that defines stronger encryption authentication and key management than WPA Key differences between WPA 2 and WEP are improved data encryption and user authentication Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol TKIP Message Integrity Check MIC and IEEE 802 1x In addition to TKIP WPA2 also uses Advanced Encryption Standard AES in the Counter mode with Cipher block chaining Message authentication code Protocol CCMP to offer stronger encryption Temporal Key Integrity Protocol TKIP uses 128 bit keys that are dynamically generated and distributed by the authentication server It includes a per packet key mixing function a Message Integrity Check MIC named Michael an extended initialization vector IV with sequencing rules and a re keying mechanism TKIP regularly changes and rotates the encryption keys so that the same encryp
143. VLAN M 160 Figure 93 Management VLAN Configuration Example eeeeeeeeeeeeeeee enne nennen nnne nnnnns 162 Figure 94 VLAN Aware Sui Statice VLAN xsainieudnsxbemeteseberenstecitibe deep bean d Sq Eb d qas Eben d dat aieiaa ERES 162 Figure 99 VLAN Aware SIGN e 162 Figure 96 VLAN Aware Switch VLAN Status sssssessssseeeeeneeeeeennen nennen nennen enne 163 Figur Sr LAM SQUE etsi feine Iu e obti eu Fata ste tuletesn teu te enc anaes aa eee REUS 163 Figure 98 New Global Security GOUD dicssa akt ti addi 3 rante Ht a EUR ES KERN tg Hn ds 165 Figure 99 Add Group Members eT 165 Figure 100 New Remote Access Policy for VLAN Group eeseeseceeseeeece nensi tna 166 Figure 101 Specifying Windows Group Conditori usce poor ze od tici Ka Lo a aa Md eu Ebr de es 166 Figure T02 Adding VLAN SEGUE sscciedacapsenciduan saei e Ure mE ul M set tul Na 167 Figure 103 Granting Permissions and User Profile Screens eeeesssceesieeeeeesee enne tht nnttuae 167 Figure 104 Authentication Tab Settings sissseieisoius sseacacwss sameravisdsanatoun kennad kankre Ee aieia AANS Ni 168 Figure TOS Encrypton Tab Senge secre N qr tEP ITI e bn ae xi ee bes 168 Figure 106 Connection Attributos OOPBBEN uisa iure pa i ea Fa Fe DS aa nC acti M Fa aa a n 169 Figure 107 RADIUS Attribute Screen 22e ie e nn pcena dtd Epi bak Ex Rn n ERA RR emma vend 169 Figure 108 802 Attribute Sett
144. VLAN under Advanced Application 2 Click Static VLAN 3 Select the ACTIVE check box 4 Type a Name for the VLAN ID 5 Type a VLAN Group ID This should be the same as the management VLAN ID on the ZyXEL Device 6 Enable Tx Tagging on the port which you want to connect to the ZyXEL Device Disable Tx Tagging on the port you are using to connect to your computer 7 Under Control select Fixed to set the port as a member of the VLAN Figure 94 VLAN Aware Switch Static VLAN Static VLA VLAN Status ACTIVE iv Name MDI VLAN Group ID 10 Port Control Tagging 1 C Normal Fixed C Forbidden TxTagging 2 C Normal Fixed C Forbidden M TxTagging 8 Click Apply The following screen displays Figure 95 VLAN Aware Switch VID i e Jem qe de dr Active Name VID1 2 3 VLAN4 cth test Delete LEEEERLEEI 9 Click VLAN Status to display the following screen ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Figure 96 VLAN Aware Switch VLAN Status OX AN SaN S VLAN Port Setting Static VLAN The Number Of VLAN 5 Port Number Index VID 2 6 8 10 12 14 16 18 20 22 24 26 82 ElapsedTime Status 1 s 7 9 1 12 15 17 19 21 23 25 8 TIA u flies 1 10 0 08 28 Static Uu TU 2 2 0 08 28 Static x drug gd VC RR P DR en Te LIPPE EE FELIPE 3 3 0 08 28 Static 4 4 Tp a T E E E 0 08 27 Static 213 3 z E u 7 E r 7 z 5 5 LE B ELLEAECL 0 08 27 Static zE
145. WEP Key Yes No Shared WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes No WPA TKIP No Yes WPA PSK TKIP Yes No WPA2 AES No Yes WPA2 PSK AES Yes No ZyXEL NWA 3100 User s Guide 257 Appendix D Wireless LANs ZyXEL NWA 3100 User s Guide Indoor Installation Recommendations An antenna couples RF signals onto air A transmitter within a wireless device sends an RF signal to the antenna which propagates the signal through the air The antenna also operates in reverse by capturing RF signals from the air Positioning the antennas properly increases the range and coverage area of a wireless LAN Antenna Characteristics Frequency An antenna in the frequency of 2 4GHz IEEE 802 11b or SGHz IEEE 802 11a is needed to communicate efficiently in a wireless LAN Radiation Pattern A radiation pattern is a diagram that allows you to visualize the shape of the antenna s coverage area Antenna Gain Antenna gain measured in dB decibel is the increase in coverage within the RF beam width Higher antenna gain improves the range of the signal for better communications For an indoor site each 1 dB increase in antenna gain results in a range increase of approximately 2 5 For an unobstructed outdoor site each 1dB increase in gain results in a range increase of approximately 5 Actual results may vary depending on the network environment Antenna gain is sometimes specified in
146. XEL Device If the problem continues contact the vendor cO WN 24 2 ZyXEL Device Access and Login e forgot the IP address for the ZyXEL Device ZyXEL NWA 3100 User s Guide 223 Chapter 24 Troubleshooting 1 The default IP address is 192 168 1 2 2 Ifyou changed the IP address and have forgotten it you might get the IP address of the ZyXEL Device by looking up the IP address of the default gateway for your computer To do this in most Windows computers click Start gt Run enter cmd and then enter ipconfig The IP address of the Default Gateway might be the IP address of the ZyXEL Device it depends on the network so enter this IP address in your Internet browser 3 Ifthis does not work you have to reset the device to its factory defaults See Section 2 2 on page 40 d forgot the password 1 The default password is 1234 2 Ifthis does not work you have to reset the device to its factory defaults See Section 2 2 on page 40 e cannot see or access the Login screen in the web configurator 1 Make sure you are using the correct IP address The default IP address is 192 168 1 2 f you changed the IP address Section 9 3 on page 114 use the new IP address f you changed the IP address and have forgotten it see the troubleshooting suggestions for I forgot the IP address for the ZyXEL Device 2 Check the hardware connections and make sure the LEDs are behaving as exp
147. a Y s Msc xr o eo iil halle LH a a a The steps below describe the roaming process 1 Wireless station Y moves from the coverage area of access point AP 1 to that of access point AP 2 2 Wireless station Y scans and detects the signal of access point AP 2 3 Wireless station Y sends an association request to access point AP 2 ZyXEL NWA 3100 User s Guide Chapter 8 Other Wireless Configuration 4 5 Access point AP 2 acknowledges the presence of wireless station Y and relays this information to access point AP 1 through the wired LAN Access point AP 1 updates the new position of wireless station Y 8 4 1 Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas 1 2 3 4 5 All the access points must be on the same subnet and configured with the same ESSID If IEEE 802 1x user authentication is enabled and to be done locally on the access point the new access point must have the user profile for the wireless station The adjacent access points should use different radio channels when their coverage areas overlap All access points must use the same port number to relay roaming information The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment To enable roaming on your ZyXEL Device click WIRELESS gt Wireless The screen appears as shown
148. a a aa Rte xpi rU eR Ua SU HUC de aM abla leita 86 es MRAM iix ae erc Pme 87 cx Rab cT um lU AED 88 6 9 3 Security 802 1x Static 64 bit 802 1x Static 128 bit sesssssssseeesee 89 0 9 4 lg e 91 6 9 5 secun WPAZ or VIPAGC IUS cues dea beet oi er abs rti re S pr ipe daa 92 6 9 6 Security WPA PSK WPA2 PSK WPA2 PSK MIX sesseeneeeeeeenn enne 93 6 10 introduction t0 e EIE c M 95 DTI SONNEN RADIIS eibi exitu dun wie sed buona Win sw atid inde vn si FUCO EA pA HIDE AS DI OI Saad cans 95 Chapter 7 iei ED and SSID qm a a 97 7 1 Wireless LAN Uu 97 ZyXEL NWA 3100 User s Guide 13 Table of Contents Bee SID e P 97 zz Mots om TITS BOS sirus itv Ep EE na Ainiai POI SUE KL ERA CERRAR SUE UR MAN Pone p QUAS 97 FEET s BSS EXPE m 97 FTA Maltiple Bos witht VLAN Example 5o ete ata ra Ret a HE d n Exe cr i ood E ordei 97 1 1 0 Coniguring Multiple ee MER TU 98 Te UD e queued hiadaeteenss 100 Esse UM SID SOE TT RU TURN 100 per ap Gre Le PG as rere Bement re T 101 Chapter 8 Other Wireless ConhiguratioD me P 105 8 1 Layer Iaolaubn Intro IDE Laco kuppr dS bre o bL ER CH d RE E eg Ub do a ut SOR 105 ma Cong Layer Iob s ixpessmbeleissspixbeti
149. a common name organizational unit or department organization or company and country With self signed certificates this is the same information as in the Subject field ZyXEL NWA 3100 User s Guide Chapter 12 Certificates Table 45 My Certificates continued LABEL DESCRIPTION Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Details Click the details icon to open a screen with an in depth list of information about the certificate Click the delete icon to remove the certificate A window displays asking you to confirm that you want to delete the certificate You cannot delete a certificate that one or more features is configured to use Do the following to delete a certificate that shows SELF in the Type field 1 Make sure that no other features such as HTTPS VPN SSH are configured to use the SELF certificate 2 Click the details icon next to another self signed certificate see the description on the Create button if you need to create a self signed certificate 3 Select the Default self signed certificate which signs the imported remote host certificates c
150. a threat those from neighboring networks for example It is recommended that you export save your list of friendly APs often especially if you have a network with a large number of access points You can choose to scan for rogue APs manually or to have the ZyXEL Device scan automatically at pre defined intervals You can also set the ZyXEL Device to email you immediately when a rogue AP is detected see Chapter 13 on page 151 for information on how to set up email logs 10 3 1 Rogue AP Configuration Click ROGUE AP gt Configuration The following screen appears ZyXEL NWA 3100 User s Guide Chapter 10 Rogue AP Figure 70 ROGUE AP gt Configuration Configuration Friendly AP Rogue AP Active Rogue AP Period Detection No Period 0 min Friendly AP List Export File Path Browse Apply Reset The following table describes the labels in this screen Table 35 ROGUE AP gt Configuration LABEL DESCRIPTION Active Rogue AP Period Select Yes to turn rogue AP detection on You must also enter a time value Detection in the Period field Select No to turn rogue AP detection off Period min Enter the period you want the ZyXEL Device to wait between scanning for rogue APs between 10 and 60 minutes You must also select Yes in the Active Rogue AP Period Detection field Friendly AP List Export Click this button to save the current list of friendly
151. ached to the ZyXEL Device Figure 178 IP Address Conflicts Case C B IP 192 168 1 10 WAN IP 192 168 1 1 A IP 192 168 1 10 2 ru e E gt C e Creer CN Roue J Router You must set the ZyXEL Device to use different LAN and WAN IP addresses on different subnets if you enable DHCP server on the ZyXEL Device For example you set the WAN IP address to 192 59 1 1 and the LAN IP address to 10 59 1 1 Otherwise It is recommended the ZyXEL Device uses a public WAN IP address Case D Two or more subscribers have the same IP address By converting all private IP addresses to the WAN IP address the ZyXEL Device allows subscribers with different network configurations to access the Internet However there are situations where two or more subscribers are using the same private IP address This may happen when a subscriber is configured to use a static or fixed IP address that is the same as the IP address the ZyXEL Device DHCP server assigns to another subscriber acting as a DHCP client In this case the subscribers are not able to access the Internet ZyXEL NWA 3100 User s Guide Appendix C IP Address Assignment Conflicts Figure 179 IP Address Conflicts Case D B IP 192 168 1 10 A IP 192 168 1 10 ee EN N Internet Router Jj This problem can be solved by adding a VLAN enabled switch or set the computers to obtain IP addresses dynamically ZyXEL NWA 3100 User s Guide 247
152. addresses not listed will be allowed to access the router Select Allow Association to permit access to the router MAC addresses not listed will be denied access to the router MAC Address Enter the MAC addresses in XX XX XX XX XX XX format of the wireless station to be allowed or denied access to the ZyXEL Device Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh AS To activate MAC filtering on a profile select Enable from the Enable MAC Filtering drop down list box in the WIRELESS gt SSID gt Edit screen and click Apply 110 ZyXEL NWA 3100 User s Guide Chapter 8 Other Wireless Configuration 8 4 Configuring Roaming A wireless station is a device with an IEEE 802 11a b g compliant wireless interface An access point AP acts as a bridge between the wireless and wired networks An AP creates its own wireless coverage area A wireless station can associate with a particular access point only if it is within the access point s coverage area Ina network environment with multiple access points wireless stations are able to switch from one access point to another as they move between the coverage areas This is known as roaming As the wireless station moves from place to place it is responsible for choosing the most appropriate access point depending on the signal strength network utilization or other factors The roaming feature on the a
153. ancel 23 2 1 Resetting the Time The ZyXEL Device resets the time in three instances 1 Onleaving menu 24 10 after making changes 2 When the ZyXEL Device starts up if there is a timeserver configured in menu 24 10 3 24 hour intervals after starting 23 3 Remote Management Setup 23 3 1 Telnet You can configure your ZyXEL Device for remote Telnet access to the SMT or command line interface 23 3 2 FTP You can upload and download ZyXEL Device firmware and configuration files using FTP To use this feature your computer must have an FTP client 23 3 3 Web You can use the ZyXEL Device s embedded web configurator for configuration and file management See the online help for details 23 3 4 Remote Management Setup Remote management setup is for managing Telnet FTP and Web services You can customize the service port access interface and the secured client IP address to enhance security and flexibility You can manage your ZyXEL Device from a remote location via Internet WLAN only the LAN only All LAN and WLAN or Disable neither ZyXEL NWA 3100 User s Guide Chapter 23 System Maintenance and Information LES If you enable remote management of a service but have applied a filter to block the service then you will not be able to remotely manage the service Enter 11 from menu 24 to display Menu 24 11 Remote Management Control shown next Figure 162 Menu 24 11 Remote Management Cont
154. any 5 characters ASCII string or 10 hexadecimal characters 0 9 A F preceded by Ox for each key If you chose 802 1x Static 128 bit then enter 13 characters ASCII string or 26 hexadecimal characters 0 9 A F preceded by Ox for each key There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users The values for the keys must be set up exactly the same on the access points as they are on the wireless stations The preceding Ox is entered automatically You must configure all four keys but only one key can be activated at any one time The default key is key 1 ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Table 23 Security 802 1x Static 64 bit 802 1x Static 128 bit LABEL DESCRIPTION Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity The wireless station needs to send the username and password again before it can use the wireless network again Some wireless clients may
155. ar the Automatic metric check box and type a metric in Metric Click Add Repeat the previous three steps for each default gateway you want to add Click OK when finished 7 Inthe Internet Protocol TCP IP Properties window the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es Ifyou know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them ZyXEL NWA 3100 User s Guide Appendix B Setting up Your Computer s IP Address Figure 171 Windows XP Internet Protocol TCP IP Properties Internet Protocol TCP IP Properties General Alternate Configuration You can get IP settings assigned automatically if pour network supports this capability Otherwise you need to ask your network administrator for the appropriate IP settings btain an IP address automatically Use the following IP address Obtain DNS server address automatically C Use the following DNS server addresses 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties window 10 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings 1 Click Star
156. ation of your FTP client program For details on uploading system firmware using TFTP note that you must remain on this menu to upload system firmware using TFTP please see your manual Press ENTER to Exit To transfer the firmware and the configuration file follow these examples 22 4 3 Using the FTP command from the DOS Prompt Example Launch the FTP client on your computer Enter open and the IP address of your ZyXEL Device Press ENTER when prompted for a username Enter root and your SMT password as requested The default is 1234 Enter bin to set transfer mode to binary o0 wh Use put to transfer files from the computer to the ZyXEL Device for example put firmware bin ras transfers the firmware on your computer firmware bin to the ZyXEL Device and renames it ras Similarly put config rom rom 0 transfers the configuration file on your computer config rom to the ZyXEL Device and renames it rom 0 Likewise get rom 0 config rom transfers the configuration file on the ZyXEL Device to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the FTP prompt Figure 154 FTP Session Example 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp put firmware bin ras 200 Port command okay 150 Opening data connection for STOR ras 226
157. b ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Figure 15 Tutorial VoIP Security Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter a index Profile Name Security Mode a 1 p itv MPA PSH security02 security04 fo 5 security05 None 6 security06 None fo 7 security07 None fo 8 security08 None fT 39 security09 None wo security10 None feo n security11 None fe 2 security12 None fe 2B security13 None sj u security14 None fo 5 security15 None 6 security16 None You already chose to use the security02 profile for this network so select the radio button for security02 and click Edit The following screen appears Figure 16 Tutorial VoIP Security Profile Edit Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Name VolP_Security Security Mode WPA2 PSK Pre Shared Key ThisismyWPA2 PSKpre sharedkey Idle Timeout 3600 in seconds Group Key Update Timer fi 800 in seconds Reset Change the Name field to VoIP Security to make it easier to remember and identify n this example you do not have a RADIUS server for authentication so select WPA2 PSK in the Security Mode field WPA2 PSK provides strong security that anyone with a compatible wireless client can use once they know the pre shared key PSK Enter the PSK you want
158. ble Click Add after you enter the details of each AP to include it in the list Table 4 Tutorial Friendly AP Information MAC ADDRESS DESCRIPTION 00 AA 00 AA 00 AA My Access Point A AA 00 AA 00 AA 00 My Access Point B ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Table 4 Tutorial Friendly AP Information MAC ADDRESS DESCRIPTION A0 0A A0 0A A0 0A My Access Point C 0A A0 0A A0 0A A0 AF AF AF FA FA FA My Access Point _D_ Coffee Shop Access Point _1_ You can add APs that are not part of your network to the friendly AP list as long as you know that they do not pose a threat to your network s security The Friendly AP screen now appears as follows Figure 26 Tutorial Friendly AP After Data Entry Configuration Friendly AP Rogue AP MAC Address Description S Ad Friendly AP List MAC Address __SSID___ ChannellSecurity _Description h oo aa 00 aa 00 aa N A N A N A My Access Point A_ A aa 00 aa 00 aa 00 N A N A N A My Access Point B G ES a0 0a a0 0a a0 0a N A N A N A My Access Point C_ D oa o0 02 20 02 a0 N A N A N A My Access Point D E af af af fa fa fa N A MA wa Coffee Shop Access Point Gy 3 Next you will save the list of friendly APs in order to provide a backup and upload it to your other access points Click the Configuration tab The fo
159. cally changing the group key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK mode The ZyXEL Device default is 1800 seconds 30 minutes Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh 6 9 5 Security WPA2 or WPA2 MIX Select WPA2 or WPA2 MIX in the Security Mode field to display the following screen Figure 52 Security WPA2 or WPA2 MIX Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Name security02 Security Mode WPA2 MIX ReAuthentication Timer 1800 inseconds Idle Timeout 3600 in seconds Group Key Update Timer 1800 in seconds PMK Cache Enable Pre Authentication Disable v Apply Reset The following table describes the labels not previously discussed Table 25 Security WPA2 or WPA2 MIX LABEL DESCRIPTIONS Name Type a name to identify this security profile Security Mode Choose WPA2 or WPA2 MIX in this field ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Table 25 Security WPA2 or WPA2 MIX LABEL DESCRIPTIONS ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note
160. cate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution via floppy disk for example Export Click this button and then Save in the File Download screen The Save As Screen opens browse to the location that you want to use and click Save Apply Click Apply to save your changes You can only change the name and or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority Cancel Click Cancel to quit and return to the Trusted CAs screen ZyXEL NWA 3100 User s Guide Chapter 12 Certificates ZyXEL NWA 3100 User s Guide Log Screens This chapter contains information about configuring general log settings and viewing the ZyXEL Device s logs Refer to the appendix for example log message explanations 13 1 Configuring View Log The web configurator allows you to look at all of the ZyXEL Device s logs in one location Click LOGS gt View Log Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Figure 90 on page 152 Options include logs about system maintenance system errors and access control You can view logs and alert messages in this page
161. ccess points allows the access points to relay information about the wireless stations to each other When a wireless station moves from a coverage area to another it scans and uses the channel of a new access point which then informs the other access points on the LAN about the change An example is shown in Figure 65 on page 111 With roaming a wireless LAN mobile user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN Enable roaming to exchange the latest bridge information of all wireless stations between APs when a wireless station moves between coverage areas Wireless stations can still associate with other APs even if you disable roaming Enabling roaming ensures correct traffic forwarding bridge tables are updated and maximum AP efficiency The AP deletes records of wireless stations that associate with other APs Non ZyXEL APs may not be able to perform this 802 1x authentication information is not exchanged at the time of writing Figure 65 Roaming Example NS one pae nann M ae rre s fN 2 s A S j CO 2 i H 2 t H i 1 1 H t i i i 1 1 LH 1 i AP 1 H AP 2 i E 1 H H 1 H x 1 Li r 4 i 4d 1 Jp rT i m x p T e i ES pU C ha d s N 2 EN x E lt Ne Y e E Na en a
162. certificate authentication is used to establish a secure connection then use simple username and password methods through the secured connection to authenticate the clients thus hiding client identity However PEAP only supports EAP methods such as EAP MD5 EAP MSCHAPv2 and EAP GTC EAP Generic Token Card for client authentication EAP GTC is implemented only by Cisco LEAP LEAP Lightweight Extensible Authentication Protocol is a Cisco implementation of IEEE 802 1x Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server This key expires when the wireless connection times out disconnects or reauthentication times out A new WEP key is generated each time reauthentication is performed If this feature is enabled it 1s not necessary to configure a default encryption key in the Wireless screen You may still configure and store keys here but they will not be used while Dynamic WEP is enabled BES EAP MD5 cannot be used with dynamic WEP key exchange For added security certificate based authentications EAP TLS EAP TTLS and PEAP use dynamic keys for data encryption They are often deployed in corporate environments but for public deployment a simple user name and password pair is more practical ZyXEL NWA 3100 User s Guide 255 Appendix D Wireless LANs The following table is a comparison of the features of authentication types Table 90 Comparison of EAP Authentication
163. cing the SMT Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below Table 68 Main Menu Commands OPERATION KEYSTROKE DESCRIPTION Move down to ENTER To move forward to a submenu type in the number of the another menu desired submenu and press ENTER Move up to a ESC Press ESC to move back to the previous menu previous menu Move to a hidden menu Press SPACE BAR to change No to Yes then press ENTER Fields beginning with Edit lead to hidden menus and have a default setting of No Press SPACE BAR once to change No to Yes then press ENTER to go to the hidden menu Move the cursor ENTER or UP DOWN arrow keys Within a menu press ENTER to move to the next field You can also use the UP DOWN arrow keys to move to the previous and the next field respectively Entering information Type in or press SPACE BAR then press ENTER You need to fill in two types of fields The first requires you to type in the appropriate information The second allows you to cycle through the available choices by pressing SPACE BAR Required fields or ChangeMe All fields with the symbol lt gt must be filled in order to be able to save the new configuration All fields with ChangeMe must not be left blank in order to be able to save the new configuration N A fields N A
164. config type lt on off gt means that you must specify the type of netbios filter and whether to turn it on or off 23 1 2 Command Usage A list of valid commands can be found by typing help or at the command prompt Always type the full command Type exit to return to the SMT main menu when finished 23 1 3 Brute Force Password Guessing Protection The following describes the commands for enabling disabling and configuring the brute force password guessing protection mechanism for the password Table 79 Brute Force Password Guessing Protection Commands COMMAND DESCRIPTION Sys pwderrtm This command displays the brute force guessing password protection settings Sys pwderrtm 0 This command turns off the password s protection from brute force guessing The brute force password guessing protection is turned off by default Sys pwderrtm N This command sets the password protection to block all access attempts for N a number from 1 to 60 minutes after the third time an incorrect password is entered 23 1 3 1 Configuring Brute Force Password Guessing Protection Example Sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered ZyXEL NWA 3100 User s Guide Chapter 23 System Maintenance and Information 23 2 Time and Date Setting The ZyXEL Device keeps track of the time and date There is also a softwar
165. configure up to four RADIUS server profiles Each profile also has one backup authentication server and a backup accounting server These profiles can be assigned to an SSID profile in the SSID configuration screen To set up your ZyXEL Device s RADIUS server settings click WIRELESS gt RADIUS The screen appears as shown Figure 54 RADIUS Wireless SSID Security RADIUS Layer2 Isolation MAC Filter Index E Profile Name rediust Active Active RADIUS Server IP Address o 0 0 0 0 0 0 0 RADIUS Server Port fieie fie m m Hem SE Active Active p pe The following table describes the labels in this screen Table 27 RADIUS LABEL DESCRIPTION Index Select the RADIUS profile you want to configure from the drop down list box Profile Name Type a name for the RADIUS profile associated with the Index number above Primary Configure the fields below to have user authentication and accounting through external servers ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Table 27 RADIUS LABEL DESCRIPTION Backup If the ZyXEL Device cannot communicate with the Primary accounting server you can have the ZyXEL Device use a Backup RADIUS server Make sure the Active check boxes are selected if you want to use backup servers The ZyXEL Device will attempt to communicate three times before usi
166. ct the attribute and clic Add RADIUS attributes Login T CP Port RADIUS Standard TCP pott to which user should be connected Reply Message RADIUS Standard Message to be displayed lo user when authentica Service Type RADIUS Standard Type of service user has requested Tunnel Assignment ID RADIUS Standard Tunnel to which a session is to be assigned Tunnel ClentAuthtD RADIUS Standard Name used by the tunnel initiator during the authen Tunnel ClentEndpt RADIUS Standard IP address of the initiator end of the tunnel Tunnel Modium T ype RADIUS Standard Trareport medium lo use when crealing a tunnel fo Tunnel Password RADIUS Standard Password for authenticating to a remote server Tunnel Prefeience RADIUS Standard Relative preference assigned to each tunnel when Tunnel Pvt Group I1D RADIUS Standard Group ID fer a partcular tunneled session Tunnel Gerver amp uth ID RADIUS Standard Name used by the tumel terminator during the auth Tunnel Server F ndp RADIUS Standard IP address of the server end of the tunnel Tunnel Type RADIUS Standard Tunneling protocols to be used Vendor Spectic RADIUS Standard Used to support proprietary NAS features CiscoAY Pair Cisco Cisco AY Pair VSA Ignore Liser Dialin Properties Micrsoft Ignere the users dial in properties USR ACCM Type U S Robotics l Description not available USR AT Callnput Filter U S Reboties Description not available USR AT Call Output Filter U S Rebotics Description
167. ctory default certificate The factory default certificate is common to all ZyXEL Devices that use certificates ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyXEL Device s MAC address This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate It is recommended that you give each certificate a unique name Type This field displays what kind of certificate this is REQ represents a certification request and is not yet a valid certificate Send a certification request to a certification authority which then issues a certificate Use the My Certificate Import screen to import the certificate and replace the request SELF represents a self signed certificate SELF represents the default self signed certificate which the ZyXEL Device uses to sign imported trusted remote host certificates CERT represents a certificate issued by a certification authority Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as
168. d File to display the following screen Figure 156 Example Xmodem Upload Send File L2 Xj Folder C Product Filename C Product firmware birl Type the firmware file s location or click Browse to look for it Browse Choose the Xmodem protocol Protocol Then click Send After the firmware upload process has completed the ZyXEL Device will automatically restart ZyXEL NWA 3100 User s Guide Chapter 22 Firmware and Configuration File Maintenance 22 4 9 Uploading Configuration File Via Console Port 1 Select 2 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 2 System Maintenance Upload System Configuration File Follow the instructions shown in the next screen Figure 157 Menu 24 7 2 as seen using the Console Port Menu 24 7 2 System Maintenance Upload System Configuration File To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restart the system Warning 1 Proceeding with the upload will erase the current configuration file 2 The system s console port speed Menu 24 2 2 may change when it is restarted please adjust your terminal s speed accordingly The password may change menu
169. d the computer The file name for the firmware is ras and the configuration file is rom 0 rom zero not capital o Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get to transfer from the ZyXEL Device to the computer put the other way around and binary to set binary transfer mode 22 4 5 Example TFTP Command The following is an example TFTP command TFTP i host put firmware bin ras where i specifies binary image transfer mode use this mode when transferring binary files host is the ZyXEL Device s IP address put transfers the file source on the computer firmware bin name of the firmware on the computer to the file destination on the remote host ras name of the firmware on the ZyXEL Device Commands that you may see in third party TFTP clients are listed earlier in this chapter 22 4 6 Uploading Via Console Port FTP or TFTP are the preferred methods for uploading firmware to your ZyXEL Device However in the event of your network being down uploading files is only possible with a direct connection to your ZyXEL Device via the console port Uploading files via the console port under normal conditions is not recommended since FTP or TFTP is faster Any serial communications program should w
170. ddress Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address Lowest Host ID 192 168 1 1 192 168 1 0 Broadcast Address Highest Host ID 192 168 1 62 192 168 1 63 ZyXEL NWA 3100 User s Guide 271 Appendix G IP Addresses and Subnetting Table 97 Subnet 2 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address Binary 11000000 10101000 00000001 01000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 64 Lowest Host ID 192 168 1 65 Broadcast Address 192 168 1 127 Highest Host ID 192 168 1 126 Table 98 Subnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 99 Subnet 4 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 192 IP Address Binary 11000000 10101000 00000001 11000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host I
171. ddress When you select this option fill in the fields below IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation Note If you change the ZyXEL Device s IP address you must use the new IP address if you want to access the web configurator again IP Subnet Mask Type the subnet mask Gateway IP Address Type the IP address of the gateway The gateway is an immediate neighbor of your ZyXEL Device that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your ZyXEL Device over the WAN the gateway must be the IP address of one of the remote nodes ZyXEL NWA 3100 User s Guide Chapter 9 IP Screen Table 34 IP Setup LABEL DESCRIPTION Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh ZyXEL NWA 3100 User s Guide 115 Chapter 9 IP Screen ZyXEL NWA 3100 User s Guide Rogue AP This chapter discusses rogue wireless access points APs and how to configure the ZyXEL Device s rogue AP detection feature 10 1 Rogue AP Introduction A rogue AP is a wireless access point operating in a network s coverage area that is not a sanctioned part of that network Rogue APs are not under the control of the network s administrators and can open up holes in a network s security Attackers can take advantage of arogue AP s weaker or non existen
172. der to control which priority level is given to traffic the device sending the traffic must set the DSCP value in the header If the DSCP value is not specified then the traffic is treated as best effort This means the wireless clients and the devices with which they are communicating must both set the DSCP value in order to make the best use of WMM QoS A Voice over IP VoIP device for example may allow you to define the DSCP value The following table lists which WMM QoS priority level the ZyXEL Device uses for specific DSCP values Table 13 ToS and IEEE 802 1d to WMM QoS Priority Level Mapping DSCP VALUE WMM QOS PRIORITY LEVEL 224 192 voice 160 128 video 96 04 besteffort 64 32 background A The ZyXEL Device also uses best effort for any DSCP value for which another WMM QoS priority is not specified 255 158 or 37 for example 5 4 Spanning Tree Protocol STP STP detects and breaks network loops and provides backup links between switches bridges or routers It allows a bridge to interact with other STP compliant bridges in your network to ensure that only one route exists between any two stations on the network 5 4 1 Rapid STP The ZyXEL Device uses IEEE 802 1 w RSTP Rapid Spanning Tree Protocol that allow faster convergence of the spanning tree while also being backwards compatible with STP only aware bridges Using RSTP topology change information does not have to propagate to the root bridge
173. displays a name given to a security profile in the Security configuration screen Security Mode This field displays the security mode this security profile uses Edit ae an entry from the list and click Edit to configure security settings for that profile The next screen varies according to the Security Mode you select 6 9 1 Security WEP Select WEP in the Security Mode field to display the following screen ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Figure 48 Security WEP Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Name fsecurity02 Security Mode WEP M WEP Encryption 64 bit WEP v Authentication Method Auto hed 64 bit WEP Enter 5 ASCII characters or 10 hexadecimal characters 0 9 A F for each Key 1 4 128 bit WEP Enter 13 ASCII characters or 26 hexadecimal characters 0 9 A F for each Key 1 4 152 bit WEP Enter 16 ASCII characters or 32 hexadecimal characters 0 9 A F for each Key 1 4 ASCII C Hex Key1 C Key2 C Key3 C Key4 Apply Reset The following table describes the labels in this screen Table 21 Security WEP LABEL DESCRIPTION Name Type a name to identify this security profile Security Mode Choose WEP in this field WEP Encryption Select Disable to allow wireless stations to communicate with the access points without any data encryption Select 64 bit WEP 128 bit WEP or 152 bi
174. ds are all user configurable 1 3 Ways to Manage the ZyXEL Device Use any of the following methods to manage the ZyXEL Device Web Configurator This is recommended for everyday management of the ZyXEL Device using a supported web browser Command Line Interface Line commands are mostly used for troubleshooting by service engineers SMT System Management Terminal is a text based configuration menu that you can use to configure your device Use Telnet to access the SMT FTP for firmware upgrades and configuration backup and restore SNMP The device can be monitored by an SNMP manager See the SNMP chapter in this User s Guide 1 4 Good Habits for Managing the ZyXEL Device Do the following things regularly to make the ZyXEL Device more secure and to manage it more effectively e Change the password often Use a password that s not easy to guess and that consists of different types of characters such as numbers and letters Write down the password and put it in a safe place Back up the configuration and make sure you know how to restore it Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes If you forget your password you will have to reset the ZyXEL Device to its factory default settings If you backed up an earlier configuration file you won t have to totally re configure the ZyXEL Device you can simply restore your last configuration ZyXEL NWA 3100 User
175. dt tio udo dl ur nit 138 prr e ei ee dl Lec M 139 120 My Cermicate etal e 141 A T E E ae DUM TRUE NUR 144 12 11 importing a Trusted CAs COOPHTIGRIUS a icsecsisinasepaiendeatenieretamiecemsnaneentuaecnte 145 12 12 Trusted CA Cerise Detalls reti eto PR ERU A FQ Data pd d d aac annie 146 Chapter 13 LOD SEEE Ae M M OT M 151 jEWESCUIUHUDEI dt oper UT 151 13 2 Configuring LOG us de a 152 1523 Example Log NIBSSOUDE riii aean E oodd ia E ako es can op a c 154 Qr dope ik Le e nr pn ree ce erneet re tretnee tert terre erent rer eer ret pretrre cert eee rr Tree 155 13 4 1 Configuring What You Want the ZyXEL Device to Log eese 155 TALDI LODE caste su cls mastic soa c NUR 156 13 5 Log Command EXAMPlE serrio etd ubt It cube dde Lk td dub tid dv Vbi d ddr uud 156 Chapter 14 Lig e E 157 po EUN em UIN NT NIENTE 157 143 1 Mansgsrmega VLAN ID 2ductssnie de EE PEN dk EP NI gaR KR oq Gg d E EHE D a EE FU ONDE RERO PY ERR da SERI 157 LaMAUE C TOT aua A eno noi 157 Ph C OBHCRUBBGE VLAN Laid nian xii teodadastenpadadd blat ced oneal pd aln bd bdd eia padedi ay 158 14 21 VARGAS VLAN 158 ZyXEL NWA 3100 User s Guide 15 Table of Contents psa rep c3 P dainean 160 14 2 3 Configuring Management VLAN Example eieeeeeeeeee esses entente itn hnnaa 161 14 2 4
176. e 51 Chapter 3 Tutorial Figure 23 Tutorial Activate Guest Profile Output Power 100 Select SSID Profile Index Profile Index Profile VoIP SSID ssipos gt 6 m 551003 ssiD04 ssipo3 Your Guest wireless network is now ready to use 3 1 4 Testing the Wireless Networks To make sure that the three networks are correctly configured do the following On a computer with a wireless client scan for access points You should see the Guest SSID network but not the VoIP SSID network If you can see the VoIP SSID network go to its SSID Edit screen and make sure Hide Name SSID is set to Enable Whether or not you see the standard network s SSID SSID04 depends on whether hide SSID is enabled Try to access each network using the correct security settings and then using incorrect security settings such as the WPA PSK for another active network If the behavior is different from expected for example if you can access the VoIP wireless network using the security settings for the Guest SSID wireless network check that the SSID profile is set to use the correct security profile and that the settings of the security profile are correct Access the Guest SSID network and try to access other resources than those specified in the Layer 2 Isolation screen You can use the ping utility to do this Click Start gt Run and enter cmd in
177. e This field displays the name used to identify this certificate The ZyXEL Device has an automatically generated self signed certificate by default The factory default certificate is common to all ZyXEL Device s that use certificates You can replace the certificate when you log into the ZyXEL Device see Chapter 4 on page 49 or you can use the Certificates configuration screen see Chapter 12 on page 133 ZyXEL NWA 3100 User s Guide 221 Chapter 23 System Maintenance and Information Table 81 Menu 24 11 Remote Management Control FIELD DESCRIPTION Authenticate Client Select Yes by pressing SPACE BAR The internal RADIUS server uses one Certificates of the certificates listed in the My Certificates screen to authenticate each wireless client The exact certificate used depends on the certificate information configured on the wireless client Once you have filled in this menu press ENTER to save your configuration or press ESC to cancel 23 3 5 Remote Management Limitations Remote management over LAN or WAN will not work when 1 You have disabled that service in menu 24 11 2 TheIP address in the Secured Client IP field menu 24 11 does not match the client IP address If it does not match the ZyXEL Device will disconnect the session immediately 3 There is already another remote management session with an equal or higher priority running You may only have one remote managemen
178. e automatically select a channel click Scan instead Scan Click this button to have the ZyXEL Device automatically scan for and select the channel with the least interference RTS CTS Request To Send The threshold number of bytes for enabling RTS CTS Threshold handshake Data with its frame size larger than this value will perform the RTS CTS handshake Setting this attribute to be larger than the maximum MSDU MAC service data unit size turns off the RTS CTS handshake Setting this attribute to zero turns on the RTS CTS handshake Enter a value between 256 and 2346 Fragmentation The threshold number of bytes for the fragmentation boundary for directed Threshold messages It is the maximum data fragment size that can be sent Enter a value between 256 and 2346 Output Power Set the output power of the ZyXEL Device in this field If there is a high density of APs in an area decrease the output power of the ZyXEL Device to reduce interference with other APs Select one of the following 100 Full Power 50 25 12 5 or Minimum See the product specifications for more information on your ZyXEL Device s output power ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration Table 16 Wireless Access Point LABEL DESCRIPTION SSID Profile The SSID Service Set IDentifier identifies the Service Set with which a wireless station is associated Wireless stations associating to the acce
179. e encryption keys so that the same encryption key is never used twice The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the pair wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients This all happens in the background automatically WPA2 AES Advanced Encryption Standard is a block cipher that uses a 256 bit mathematical algorithm called Rijndael The Message Integrity Check MIC is designed to prevent an attacker from capturing data packets altering them and resending them The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC If they do not match it is assumed that the data has been tampered with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC TKIP makes it much more difficult to decode data on a Wi Fi network than WEP making it difficult for an intruder to break into the network ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration The encryption mechanisms used for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials The common password approach makes WPA P
180. e mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyXEL Device Menu 24 10 allows you to update the time and date settings of your ZyXEL Device The updated time is then displayed in the ZyXEL Device error logs 1 Select menu 24 in the main menu to open Menu 24 System Maintenance 2 Then enter 10 to go to Menu 24 10 System Maintenance Time and Date Setting to update the time and date settings of your ZyXEL Device as shown in the following screen Figure 161 Menu 24 10 System Maintenance Time and Date Setting Menu 24 10 System Maintenance Time and Date Setting Time Protocol NTP RFC 1305 Time Server Address 128 105 39 21 Current Time 05 47 19 New Time hh mm ss 05s 47 sl Current Date 2000 01 01 New Date yyyy mm dd 2000 01 01 Time Zone GMT Daylight Saving No Start Date mm dd Qd 0I End Date mm dd 01 O1 Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle The following table describes the fields in this menu Table 80 System Maintenance Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your time server sends when you turn on the ZyXEL Device Not all time servers support all protocols so you may have to check with your ISP network administrator or use trial and error to find a protocol that works The main differences betwe
181. e where Internet telephony Voice over IP or VoIP users have priority You also want a regular wireless network for standard users as well as a guest wireless network for visitors In the following figure VoIP SSID users have Quality of Service QoS priority SSID03 is the wireless network for standard users and Guest SSID is the wireless network for guest users In this example the guest user is forbidden access to the wired LAN behind the AP and can access only the Internet Figure 5 Multiple BSSs LAN Internet 50 m m m t ZyXEL NWA 3100 User s Guide 35 Chapter 1 Introducing the ZyXEL Device 1 2 5 Pre Configured SSID Profiles The ZyXEL Device has two pre configured SSID profiles 1 VoIP SSID This profile is intended for use by wireless clients requiring the highest QoS Quality of Service level for VoIP Voice over IP telephony and other applications requiring low latency The QoS level of this profile is not user configurable See Section 5 3 1 on page 69 for more information on QoS 2 Guest_SSID This profile is intended for use by visitors and others who require access to certain resources on the network an Internet gateway or a network printer for example but must not have access to the rest of the network Layer 2 isolation is enabled see Section 8 1 on page 105 and QoS is set to NONE Intra BSS traffic blocking is also enabled see Section 5 1 1 on page 67 These fiel
182. ect the security03 profile from the Security field Leave all the other fields at their defaults and click Apply 3 1 3 1 Set Up Security for the Guest Profile Now you need to configure the security settings to use on the guest wireless network Click the Security tab You already chose to use the security03 profile for this network so select security03 s entry in the list and click Edit The following screen appears Figure 20 Tutorial Guest Security Profile Edit Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Name Guest_Security Security Mode WPA PSK Pre Shared Key hisismyGuestWPApre shared key ReAuthentication Timer 1800 inseconds Idle Timeout 3600 in seconds Group Key Update Timer 1800 in seconds Reset e Change the Name field to Guest_Security to make it easier to remember and identify ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Select WPA PSK in the Security Mode field WPA PSK provides strong security that is supported by most wireless clients Even though your Guest SSID clients do not have access to sensitive information on the network you should not leave the network without security An attacker could still cause damage to the network or intercept unsecured communications Enter the PSK you want to use in your network in the Pre Shared Key field In this example the PSK is ThisismyGuestWPApre sharedkey Click Apply The WIRELESS
183. ected See the Quick Start Guide and Section 1 5 on page 37 3 Make sure your Internet browser does not block pop up windows and has JavaScripts and Java enabled See Section 24 1 on page 223 4 Make sure your computer is in the same subnet as the ZyXEL Device If you know that there are routers between your computer and the ZyXEL Device skip this step Ifthere is no DHCP server on your network make sure your computer s IP address is in the same subnet as the ZyXEL Device 5 Reset the device to its factory defaults and try to access the ZyXEL Device with the default IP address See your Quick Start Guide 6 Ifthe problem continues contact the network administrator or vendor or try one of the advanced suggestions Advanced Suggestions Try to access the ZyXEL Device using another service such as Telnet If you can access the ZyXEL Device check the remote management settings to find out why the ZyXEL Device does not respond to HTTP f your computer is connected to the WAN port or is connected wirelessly use a computer that is connected to a LAN ETHERNET port ZyXEL NWA 3100 User s Guide Chapter 24 Troubleshooting e can see the Login screen but cannot log in to the ZyXEL Device 1 Make sure you have entered the user name and password correctly The default password is 1234 This fields are case sensitive so make sure Caps Lock is not on 2 Youcannot log in to the web configurator while someone
184. edium 1100 ATC_Low You should activate ATC on the ZyXEL Device if your wireless network includes networking devices that do not support WMM QoS or if you want to prioritize traffic but do not want to configure WMM QoS settings 5 3 3 ATC WMM The ZyXEL Device can use a mapping mechanism to use both ATC and WMM QoS The ATC WMM function prioritizes all packets transmitted onto the wireless network using WMM Qos and prioritizes all packets transmitted onto the wired network using ATC See Section 7 2 2 on page 101 for details of how to configure ATC WMM Use the ATC WMM function if you want to do the following enable WMM QoS on your wireless network and automatically assign a WMM priority to packets that do not already have one see Section 5 3 3 1 on page 70 automatically prioritize all packets going from your wireless network to the wired network see Section 5 3 3 2 on page 71 5 3 3 1 ATC WMM from LAN to WLAN ATC WMM from LAN the wired Local Area Network to WLAN the Wireless Local Area Network allows WMM prioritization of packets that do not already have WMM QoS priorities assigned The ZyXEL Device automatically classifies data packets using ATC and then assigns WMM priorities based on that ATC classification ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration The following table shows how priorities are assigned for packets coming from the LAN to the WLAN Table 11 ATC WMM Priorit
185. een Table 47 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters not including spaces to identify this certificate Subject Information Use these fields to record information that identifies the owner of the certificate You do not have to fill in every field although the Common Name number to the subject information when it issues a certificate It is recommended that each certificate have unique subject information ZyXEL NWA 3100 User s Guide is mandatory The certification authority may add fields such as a serial Chapter 12 Certificates Table 47 My Certificate Create continued LABEL DESCRIPTION Common Name Select a radio button to identify the certificate s owner by IP address domain name or e mail address Type the IP address in dotted decimal notation domain name or e mail address in the field provided The domain name or e mail address can be up to 31 ASCII characters The domain name or e mail address is for identification purposes only and can be any string Organizational Unit Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs You may use any character including spaces but the ZyXEL Device drops trailing spaces Organization Type up to 127 characters to identify the company or group to which the certificate owner belongs You may use any characte
186. el 06 2437MHz gt or RTS CTS Threshold 256 2346 Fragmentation Threshold 256 2348 Output Power 100 SSID Profile 55ID03 Y Iv Enable Breathing LED Iv Enable Spanning Tree Protocol STP Roaming Active Apply Reset The following table describes the general wireless LAN labels in this screen Table 16 Wireless Access Point LABEL DESCRIPTION Operating Mode Select Access Point from the drop down list 802 11 Mode Select 802 11b Only to allow only IEEE 802 11b compliant WLAN devices to associate with the ZyXEL Device Select 802 11g Only to allow only IEEE 802 11g compliant WLAN devices to associate with the ZyXEL Device Select 802 11b g to allow both IEEE802 11b and IEEE802 11g compliant WLAN devices to associate with the ZyXEL Device The transmission rate of your ZyXEL Device might be reduced Select 802 11a to allow only IEEE 802 11a compliant WLAN devices to associate with the ZyXEL Device Super Mode Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting Choose Set the operating frequency channel depending on your particular region Channel ID To manually set the ZyXEL Device to use a channel select a channel from the drop down list box Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer to peer wireless network To have the ZyXEL Devic
187. em from accessing the AP Deny Association 6 1 3 Hide Identity If you hide the SSID then the ZyXEL Device cannot be seen when a wireless client scans for local APs The trade off for the extra security of hiding the ZyXEL Device may be inconvenience for some valid WLAN clients 6 1 4 WEP Encryption WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private It encrypts unicast and multicast communications in a network Both the wireless stations and the access points must use the same WEP key ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Your ZyXEL Device allows you to configure up to four 64 bit 128 bit or 152 bit WEP keys but only one key can be enabled at any one time 6 2 802 1x Overview The IEEE 802 1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management Authentication can be done using an external RADIUS server 6 3 EAP Authentication Overview EAP Extensible Authentication Protocol is an authentication protocol that runs on top of the IEEES802 1x transport mechanism in order to support multiple types of user authentication By using EAP to interact with an EAP compatible RADIUS server the access point helps a wireless station and a RADIUS server perform authentication The type of authentication you use depends on the RADIUS server or
188. en them are the format Daytime RFC 867 format is day month year time zone of the server Time RFC 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 NTP RFC 1305 is similar to Time RFC 868 None The default enter the time manually Time Server Address Enter the IP address or domain name of your time server Check with your ISP network administrator if you are unsure of this information Current Time This field displays an updated time only when you reenter this menu New Time Enter the new time in hour minute and second format Current Date This field displays an updated date only when you re enter this menu ZyXEL NWA 3100 User s Guide Chapter 23 System Maintenance and Information Table 80 System Maintenance Time and Date Setting FIELD DESCRIPTION New Date Enter the new date in year month and day format Time Zone Press SPACE BAR and then ENTER to set the time difference between your time zone and Greenwich Mean Time GMT Daylight Saving If you use daylight savings time then choose Yes Start Date If using daylight savings time enter the month and day that it starts on End Date If using daylight savings time enter the month and day that it ends on Once you have filled in this menu press ENTER at the message Press ENTER to Confirm or ESC to Cancel to save your configuration or press ESC to c
189. ency channel depending on your particular region To manually set the ZyXEL Device to use a channel select a channel from the drop down list box Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer to peer wireless network To have the ZyXEL Device automatically select a channel click Scan instead RTS CTS Threshold Request To Send The threshold number of bytes for enabling RTS CTS handshake Data with its frame size larger than this value will perform the RTS CTS handshake Setting this attribute to be larger than the maximum MSDU MAC service data unit size turns off the RTS CTS handshake Setting this attribute to zero turns on the RTS CTS handshake Enter a value between 256 and 2346 Fragmentation Threshold The threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Enter a value between 256 and 2346 Output Power Set the output power of the ZyXEL Device in this field If there is a high density of APs in an area decrease the output power of the ZyXEL Device to reduce interference with other APs Select from 100 Full Power 50 25 12 5 and Minimum See the product specifications for more information on your ZyXEL Device s output power Enable WDS Security Select the check box to enable WDS on your ZyXEL Device A
190. ent WPA supplicants 86 wireless LAN topologies 249 wireless security 35 81 WLAN interference 251 security parameters 257 wlan command 280 WMM 103 WPA 82 WPA with RADIUS Application 84 WPA WPA2 256 WPA2 PSK 48 WPA PSK 51 Z ZyNOS 206 ZyNOS F W Version 206 ZyXEL NWA 3100 User s Guide
191. er Mode cO 10 014 CO F2 ES 10 Time and Date Setting 11 Remote Management Setup Enter Menu Selection Number 21 1 System Status The first selection System Status gives you information on the status and statistics of the ports as shown next System Status is a tool that can be used to monitor your ZyXEL Device Specifically it gives you information on your Ethernet and Wireless LAN status and the number of packets sent and received To get to System Status type 24 to go to Menu 24 System Maintenance From this menu type 1 System Status There are two commands in Menu 24 1 System Maintenance Status Entering 9 resets the counters pressing ESC takes you back to the previous screen The following table describes the fields present in Menu 24 1 System Maintenance Status which are read only and meant for diagnostic purposes ZyXEL NWA 3100 User s Guide Chapter 21 System Information and Diagnosis Figure 137 Menu 24 1 System Maintenance Status System up Time Menu 24 1 System Maintenance Status OL 55 55 Sat Jan 01 200 Port Status TxPkts RxPkts Cols Tx B s Rx B s Up Tim Ethernet 100M Full 5802 2001 0 303 128 1 54 WLAN 54M 3811 74 0 64 0 15554 Port Ethernet Address IP Address IP Mask DHCP Ethernet 00 13 49 2A 2A F5 192 168 1 2 25542554 255 0 None WLAN 00 13 49 2A 2A F5 12552537 ZyNOS F W Ver
192. erence This device must accept any interference received including interference that may cause undesired operations This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This device generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation ZyXEL NWA 3100 User s Guide Appendix Legal Information If this device does cause harmful interference to radio television reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected 4 Consult the dealer or an experienced radio TV technician for help fa FCC Radiation Exposure Statement This transmitter must not be co located or operating in conjunction with any other antenna or transmitter e For operation within 5 15 5 25 GHz frequency range it is restr
193. es are exchanged between the access point and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the access point and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypted to protect the network from unauthorized access Types of Authentication This appendix discusses some popular authentication types EAP MD5 EAP TLS EAP TTLS PEAP and LEAP The type of authentication you use depends on the RADIUS server or the AP Consult your network administrator for more information EAP MD5 Message Digest Algorithm 5 MDS authentication is the simplest one way authentication method The authentication server sends a challenge to the wireless station The wireless station proves that it knows the password by encrypting the password with the challenge and sends back the information Password is not sent in plain text However MD5 authentication has some weaknesses Since the authentication server needs to get the plaintext passwords the passwords must be stored Thus someone other than the authentication server may access the password file In addition it is possible to impersonate an authentication ser
194. ess If you typed 1 to Ping Host now type the address of the computer you want to ping ZyXEL NWA 3100 User s Guide Firmware and Configuration File Maintenance This chapter tells you how to backup and restore your configuration file as well as upload new firmware and configuration files using the SMT screens 22 1 Filename Conventions The configuration file often called the romfile or rom 0 contains the factory default settings in the menus such as password and TCP IP Setup etc It arrives from ZyXEL with a rom filename extension Once you have customized the ZyXEL Device s settings they can be saved back to your computer under a filename of your choosing ZyNOS ZyXEL Network Operating System sometimes referred to as the ras file is the system firmware and has a bin filename extension With many FTP and TFTP clients the filenames are similar to those seen next ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the ZyXEL Device ftp gt get rom 0 config cfg This is a sample FTP session saving the current configuration to the computer file config cfg If your T FTP client does not allow you to have a destination filename different than the source you will need to rename them as the ZyXEL Device only recognizes rom 0 and ras Be sure you keep unaltered copies of both files for later use ZyXEL NWA 3100 User s Guide Chapter
195. et connection Blinking The ZyXEL Device has a 100 Mbps Ethernet connection and is sending receiving data Off The ZyXEL Device does not have an Ethernet connection 4 POWER Green On The ZyXEL Device is receiving power via the POWER Socket Red On The ZyXEL Device is receiving power via the ETHERNET port using Power over Ethernet PoE Off The ZyXEL Device is not receiving power ZyXEL NWA 3100 User s Guide Introducing the Web Configurator This chapter describes how to access the ZyXEL Device s web configurator and provides an overview of its screens 2 1 Accessing the Web Configurator 1 C Make sure your hardware is properly connected and prepare your computer or computer network to connect to the ZyXEL Device refer to the Quick Start Guide Launch your web browser Type 192 168 1 2 as the URL default Type 1234 default as the password and click Login In some versions the default password appears automatically if this 1s the case click Login You should see a screen asking you to change your password highly recommended as shown next Type a new password and retype it to confirm then click Apply Alternatively click Ignore LES If you do not change the password the following screen appears every time you login ZyXEL NWA 3100 User s Guide Chapter 2 Introducing the Web Configurator Figure 7 Change Password Screen Use this scree
196. ets of data arrive at the AP at the same time resulting in a loss of messages for both stations RTS CTS is designed to prevent collisions due to hidden nodes An RTS CTS defines the biggest size data frame you can send before an RTS Request To Send CTS Clear to Send handshake is invoked When a data frame exceeds the RTS CTS value you set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS Request To Send message to the AP for permission to send it The AP then responds with a CTS Clear to Send message to all other stations within its range to notify them to defer their transmission It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the extra network overhead involved in the RTS Request To Send CTS Clear to Send handshake If the RTS CTS value is greater than the Fragmentation Threshold value see next then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS CTS size Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughpu
197. etwork Address Translation NAT on the ZyXEL Device Once you have decided on the network number pick an IP address for your ZyXEL Device that is easy to remember for instance 192 168 1 1 but make sure that no other device on your network is using that IP address The subnet mask specifies the network number portion of an IP address Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise Private IP Addresses 274 Every machine on the Internet must have a unique address If your networks are isolated from the Internet running only between two branch offices for example you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically for private networks e 10 0 0 0 10 255 255 255 e 172 16 0 0 172 31 255 255 192 168 0 0 192 168 255 255 You can obtain your IP address from the IANA from an ISP or it can be assigned from a private network If you belong to a small organization and your Internet access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses
198. evice See Section 14 2 3 on page 161 for more information VLAN Mapping Table Use this table to have the ZyXEL Device assign VLAN tags to packets from wireless clients based on the SSID they use to connect to the ZyXEL Device Index This is the index number of the SSID profile Name This is the name of the SSID profile SSID This is the SSID the profile uses ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Table 58 WIRELESS VLAN FIELD DESCRIPTION VLAN ID Enter a VLAN ID number from 1 to 4094 Packets coming from the WLAN using this SSID profile are tagged with the VLAN ID number by the ZyXEL Device Different SSID profiles can use the same or different VLAN IDs This allows you to split wireless stations into groups using similar VLAN IDs Second Rx VLAN ID Enter a number from 1 to 4094 but different from the VLAN ID Traffic received from the LAN that is tagged with this VLAN ID is sent to all SSIDs with this VLAN ID configured in the VLAN ID or Second Rx VLAN ID fields See Section 14 2 5 on page 172 for more information Apply Click this to save your changes to the ZyXEL Device Reset Click this to return this screen to its last saved settings 14 2 2 RADIUS VLAN Click VLAN gt RADIUS VLAN The following screen appears Figure 92 RADIUS VLAN Wireless VLAN RADIUS VLAN RADIUS VIRTUAL LAN Setup Block station if RADIUS server assign VLAN name error VLAN
199. evoked certificates the issuing certification authority of this certificate makes available This field also displays the domain names or IP addresses of the servers MD5 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm You cannot use this value to verify that this is the remote host s actual certificate because the ZyXEL Device has signed the certificate thus causing this value to be different from that of the remote host s actual certificate See Section 12 3 on page 134 for how to verify a remote host s certificate before you import it into the ZyXEL Device ZyXEL NWA 3100 User s Guide Chapter 12 Certificates Table 51 Trusted CA Details continued LABEL DESCRIPTION SHA Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm You cannot use this value to verify that this is the remote host s actual certificate because the ZyXEL Device has signed the certificate thus causing this value to be different from that of the remote host s actual certificate See Section 12 3 on page 134 for how to verify a remote host s certificate before you import it into the ZyXEL Device Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certifi
200. ext object variable from a table or list within an agent In SNMPv1 when a manager wants to retrieve all elements of a table from an agent it initiates a Get operation followed by a series of GetNext operations Set Allows the manager to set values for object variables within an agent Trap Used by the agent to inform the manager of some events 11 6 1 Supported MIBs The ZyXEL Device supports MIB II that is defined in RFC 1213 and RFC 1215 as well as the proprietary ZyXEL private MIB The purpose of the MIBs is to let administrators collect statistical data and monitor status and performance 11 6 2 SNMP Traps The ZyXEL Device can send the following traps to the SNMP manager Table 42 SNMP Traps TRAP NAME QEJECEIBENTIEIER S DESCRIPTION OID Generic Traps coldStart 1 3 6 1 6 3 1 1 5 1 This trap is sent after booting power on This trap is defined in RFC 1215 warmsStart 1 3 6 1 6 3 1 1 5 2 This trap is sent after booting software reboot This trap is defined in RFC 1215 linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link is down linkUp 1 3 6 1 6 3 1 1 5 4 This trap is sent when the Ethernet link is up ZyXEL NWA 3100 User s Guide Chapter 11 Remote Management Table 42 SNMP Traps TRAP NAME OBJECT IDENTIFIER OID DESCRIPTION authenticationFailure defined in RFC 1215 1 3 6 1 6 3 1 1 5 5 The device sends this trap when it receives
201. f your communication software 21 3 Log and Trace Your ZyXEL Device provides error logs and trace records that are stored locally 21 3 1 Viewing Error Log The first place you should look for clues when something goes wrong is the error log Follow the procedures to view the local error trace log 1 Type 24 in the main menu to display Menu 24 System Maintenance 2 From menu 24 type 3 to display Menu 24 3 System Maintenance Log and Trace ZyXEL NWA 3100 User s Guide Chapter 21 System Information and Diagnosis Figure 141 Menu 24 3 System Maintenance Log and Trace Menu 24 3 System Maintenance Log and Trace 1 View Error Log Pleas nter selection 3 Enter 1 from Menu 24 3 System Maintenance Log and Trace and press ENTER twice to display the error log in the system After the ZyXEL Device finishes displaying the error log you will have the option to clear it Samples of typical error and information messages are presented in the next figure Figure 142 Sample Error and Information Messages 56 Sat Jan 00 00 00 2000 PP05 ERROR Wireless LAN init fail code 1 57 Sat Jan 00 00 01 2000 PINI INFO Last errorlog repeat 1 Times 58 Sat Jan 00 00 01 2000 PINI INFO main init completed 59 Sat Jan 1 00 00 02 2000 PPO05 WARN SNMP TRAP 3 link up 60 Sat Jan 1 00 00 30 2000 PSSV WARN SNMP TRAP 0 cold start 61 Sat Jan 00 01 38 2000 PINI INFO SMT Session Be
202. figuration by DHCP BS A DHCP response can use options 66 and 67 to assign a TFTP server IP address and a filename If the AP is configured as a DHCP client these settings can be used to perform auto configuration Table 103 Auto Configuration by DHCP COMMAND DESCRIPTION wcfg autocfg dhcp enable Turn configuration of TFTP server IP address and disable filename through DHCP on or off If this feature is enabled and the DHCP response provides a TFTP server IP address and a filename the AP will try to download the file from the specified TFTP server The AP then uses the file to configure wireless LAN settings Not all DHCP servers allow you to specify options 66 and 67 Manual Configuration Use the following command to manually configure a TFTP server IP address and a file name for the AP to use for auto provisioning whenever the AP starts up See Section 23 1 on page 217 for how to access the Command Interpreter CT Table 104 Manual Configuration COMMAND DESCRIPTION wcfg autocfg server IP Specify the TFTP server IP address and file name from filename which the AP is to download a configuration file whenever the AP starts up Configuration Via SNMP You can configure and trigger the auto configuration remotely via SNMP Use the following procedure to have the AP download the configuration file Table 105 Configuration via SNMP STEPS MIB VARIABLE VALUE
203. g figure shows secure and insecure management of the ZyXEL Device HTTPS and SSH access are secure HTTP and Telnet access are not secure Figure 73 Secure and Insecure Remote Management Telnet You may manage your ZyXEL Device from a remote location via Table 38 Remote Management Overview e WLAN ALL LAN and WLAN LAN only Neither Disable To disable remote management of a service select Disable in the corresponding Server Access field You may only have one remote management session running at a time The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts The priorities for the different types of remote management sessions are as follows 1 Console port 2 SSH 3 Telnet 4 HTTPS and HTTP ZyXEL NWA 3100 User s Guide 123 Chapter 11 Remote Management 11 1 1 Remote Management Limitations Remote management does not work when 1 You have not enabled that service on the interface in the corresponding remote management screen 2 TheIP address in the Secured Client IP field does not match the client IP address If it does not match the ZyXEL Device will disconnect the session immediately 3 There is already another remote management session with an equal or higher priority running You may only have one remote management session running at one time 4 A filter is applied through the SMT or the commands to b
204. ght cause electrocution If the power adaptor or cord is damaged remove it from the power outlet Do NOT attempt to repair the power adaptor or cord Contact your local vendor to order a new one Do not use the device outside and make sure all the connections are indoors There is a remote risk of electric shock from lightning Antenna Warning This device meets ETSI and FCC certification requirements when using the included antenna s Only use the included antenna s If you wall mount your device make sure that no electrical lines gas or water pipes will be damaged The PoE Power over Ethernet devices that supply or receive power and their connected Ethernet cables must all be completely indoors Fuse Warning Replace a fuse only with a fuse of the same type and rating This product is recyclable Dispose of it properly ZyXEL NWA 3100 User s Guide Safety Warnings ZyXEL NWA 3100 User s Guide Safety Warnings ZyXEL NWA 3100 User s Guide Contents Overview Contents Overview cits Un 102 Mee crm 29 Iritrogdueing ihe ZyXEL ee cuisson lex EGORROOL RU VWROULEQURRH OU ERUODENUARORU RI ARRA Ha GG CN AGAR E 31 introducing the Web Configurator er 39 ee E E E E 43 The Web Configurator KA aeiia 61 ecco ansni E 63 CES C ODROUEGBOL udi eai sa enera ai n ru e rri Da EQU
205. gin 62 Sat Jan 00 06 44 2000 PINI INFO SMT Session End 63 Sat Jan 1 00 11 13 2000 PINI INFO SMT Session Begin Clear Error Log y n 21 4 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyXEL Device to determine if it is working properly Menu 24 4 allows you to choose among various types of diagnostic tests to evaluate your system as shown in the following figure Figure 143 Menu 24 4 System Maintenance Diagnostic Menu 24 4 System Maintenance Diagnostic TGCRZTP 1 Ping Host 2 DHCP Release 3 DHCP Renewal System 11 Reboot System Enter Menu Selection Number Host IP Address N A Follow the procedure next to get to display this menu 1 From the main menu type 24 to open Menu 24 System Maintenance ZyXEL NWA 3100 User s Guide 203 Chapter 21 System Information and Diagnosis 2 From this menu type 4 Diagnostic to open Menu 24 4 System Maintenance Diagnostic The following table describes the diagnostic tests available in menu 24 4 for your ZyXEL Device and the connections Table 75 Menu 24 4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working DHCP Release Release the IP address assigned by the DHCP server DHCP Renewal Get a new IP address from the DHCP server Reboot System Reboot the ZyXEL Device Host IP Addr
206. hat you specify to access the ZyXEL Device using this service Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh ZyXEL NWA 3100 User s Guide 131 Chapter 11 Remote Management 132 ZyXEL NWA 3100 User s Guide Certificates This chapter gives background information about public key certificates and explains how to use them 12 1 Certificates Overview The ZyXEL Device can use certificates also called digital IDs to authenticate users Certificates are based on public private key pairs A certificate contains the certificate owner s identity and public key Certificates provide a way to exchange public keys for use in authentication A Certification Authority CA issues certificates and guarantees the identity of each certificate owner There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities You can use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority In public key encryption and decryption each host has two keys One key is public and can be made openly available the other key is private and must be kept secure Public key encryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public
207. hat you specify to access the ZyXEL Device using this service WWW Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management ZyXEL NWA 3100 User s Guide Chapter 11 Remote Management Table 41 Remote Management WWW LABEL DESCRIPTION Server Access Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the Address ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh 11 6 SNMP Simple Network Management Protocol SNMP is a protocol used for exchanging management information between network devices SNMP is a member of the TCP IP protocol suite Your ZyXEL Device supports SNMP agent functionality which allows a manager station to manage and monitor the ZyXEL Device through the network The ZyXEL Device supports SNMP version one SNMPv1 and version two SNMPv2c The next figure illustrates an SNMP management operation SN
208. he antenna up For omni directional antennas mounted on a wall or ceiling point the antenna down For a single AP application place omni directional antennas as close to the center of the coverage area as possible For directional antennas point the antenna in the direction of the desired coverage area ZyXEL NWA 3100 User s Guide Pop up Windows JavaScripts and Java Permissions In order to use the web configurator you need to allow Web browser pop up windows from your device JavaScripts enabled by default Java permissions enabled by default LES Internet Explorer 6 screens are used here Screens for other Internet Explorer versions may vary Internet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 184 Pop up Blocker Mail and News Pop up Blocker Manage Add ons Synchronize Windows Update Windows Messenger Internet Options You can also check if pop up blocking is disabled in the Pop up Blocker section in the Privacy tab 1 In Internet Explorer select Tools Internet Options Privacy ZyXEL NWA 3100 User s Guide Appendix F Pop up Windows
209. he bridge connection is activated or not Remote Bridge MAC This is the MAC address of the peer device in bridge mode Address ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance Table 62 System Status Show Statistics LABEL DESCRIPTION Status This shows the current status of the bridge connection which can be Up or Down TxPkts This is the number of transmitted packets on the wireless bridge RxPkts This is the number of received packets on the wireless bridge System Up Time This is the total time the ZyXEL Device has been on Poll Interval s Enter the time interval for refreshing statistics Set Interval Click this button to apply the new poll interval you entered above Stop Click this button to stop refreshing statistics 15 3 Association List View the wireless stations that are currently associated with the ZyXEL Device in the Association List screen Click MAINTENANCE and then the Association List tab to display the screen as shown next Figure 116 Association List Status Association List Channel Usage F W Upload Configuration Restart EE MAC Address Association Time__ __ Name SSiD _ Singal Lv Refresh The following table describes the labels in this screen Table 63 Association List LABEL DESCRIPTION Stations This is the index number of an associated wireless station MAC Address
210. heck box 4 Click Apply to save the changes and return to the My Certificates screen 5 The certificate that originally showed SELF displays SELF and you can delete it now Note that subsequent certificates move up by one when you take this action Create Click Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request Import Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyXEL Device Delete Click Delete to delete an existing certificate A window display asking you to confirm that you want to delete the certificate Note that subsequent certificates move up by one when you take this action Refresh Click Refresh to display the current validity status of the certificates 12 6 Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats Binary X 509 This is an ITU T recommendation that defines the formats for X 509 certificates PEM Base 64 encoded X 509 This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X 509 certificate into a printable form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted The ZyXEL Device currently allows the importation of a PKS 7 file that contains a
211. his example configuration file uses the wlan command to configure the AP to use the security and SSID profiles from the wc g command configuration file examples and general wireless settings You could actually combine all of this chapter s example configuration files into a single configuration file Remember that the commands are applied in order So for example you would place the commands that create security and SSID profiles before the commands that tell the AP to use those profiles ZyXEL NWA 3100 User s Guide Appendix H Text File Based Auto Configuration Figure 201 wlan Configuration File Example ZYXEL PROWLAN fVERSION 15 wcfg ssid 1 name ssid wep wcfg ssid 1 wcfg ssid 2 wcfg ssid 2 wcfg ssid 2 wcfg ssid 3 name ssid wpapsk wcfg ssid 3 wcfg ssid 4 4 Ww wW wW wW Ww w security name ssid 8021x security Test 8021x radius radius rd lest wep security Test wpapsk name ssid wpa2psk cfg ssid security cfg ssid save Test wpa2psk line starting with is comment change to channel 8 lan chid 8 change operating mode gt AP mode then select ssid wep as running WLAN profile lan opmode 0 lan ssidprofile ssid wep change operating mode gt MBSSID mode then select ssid wpapsk ssid wpa2psk as running WLAN profiles lan opmode 3 lan ssidprofile ssid wpapsk ssid wpa2psk set output power level to 50 lan output power 2 ZyXEL NWA 3100 User
212. ht BSSs running on the ZyXEL Device simultaneously one of which is always the pre configured VoIP SSID profile and another of which is always the pre configured Guest SSID profile Configure SSID profiles in the SSID screen Enable Breathing LED Select this check box to enable the Breathing LED also known as the ZyAIR LED The blue ZyAIR LED is on when the ZyXEL Device is on and blinks or breathes when data is being transmitted to from its wireless stations Clear the check box to turn this LED off even when the ZyXEL Device is on and data is being transmitted received Enable Spanning Tree R STP detects and breaks network loops and provides backup links between Control STP Switches bridges or routers It allows a bridge to interact with other R STP compliant bridges in your network to ensure that only one path exists between any two stations on the network Select the check box to activate STP on the ZyXEL Device Roaming Active Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another Select this checkbox to enable roaming on the ZyXEL Device if you have two or more ZyXEL Devices on the same subnet Note All APs on the same subnet and the wireless stations must have the same SSID to allow roaming Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh 7 2 SSID When the Z
213. ice s list of certificates of trusted certification authorities ZyXEL NWA 3100 User s Guide Chapter 12 Certificates Table 47 My Certificate Create continued LABEL DESCRIPTION Request When you select Create a certification request and enroll for a certificate Authentication immediately online the certification authority may want you to include a reference number and key to identify you when you send a certification request Fill in both the Reference Number and the Key fields if your certification authority uses CMP enrollment protocol Just fill in the Key field if your certification authority uses the SECP enrollment protocol Key Type the key that the certification authority gave you Apply Click Apply to begin certificate or certification request generation Cancel Click Cancel to quit and return to the My Certificates screen After you click Apply in the My Certificate Create screen you see a screen that tells you the ZyXEL Device is generating the self signed certificate or certification request After the ZyXEL Device successfully enrolls a certificate or generates a certification request or a self signed certificate you see a screen with a Return button that takes you back to the My Certificates screen If you configured the My Certificate Create screen to have the ZyXEL Device enroll a certificate and the certificate enrollment is not successful you see a screen with a Return button
214. ices with these MAC addresses Set MAC Address MAC Address Ea 00 00 c5 00 00 66 7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 T 2 6 NS Set EN EN E 9 00 00 00 00 00 00 jo0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Apply Reset 8 2 1 2 Layer 2 Isolation Example 2 In the following example wireless clients 1 and 2 can communicate with B and C but not 3 Configure more than one MAC address Enter the server s and your ZyXEL Device s MAC addresses in the Allow devices with these MAC addresses fields ZyXEL NWA 3100 User s Guide Chapter 8 Other Wireless Configuration Figure 63 Layer 2 Isolation Example 2 Wireless SSID Security RADIUS Isolati MAC Filter Roaming Local User Database Layer 2 Isolation Configuration 00 00 00 00 00 00 00 00 00 00 00 00 ESN 00 00 00 00 00 00 00 00 00 00 00 00 8 3 Configuring MAC Filter The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to up to 32 devices Allow Association or exclude up to 32 devices from accessing the ZyXEL Device Deny Association Every Ethernet device has a unique MAC Media Access Control address The MAC address Is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 You need to know the MAC address of each device to co
215. icted to indoor environment JEEE 802 11b or 802 11g operation of this product in the U S A is firmware limited to channels 1 through 11 To comply with FCC RF exposure compliance requirements a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons TEX AKT BDR FE IBC PETERET EE PTR TN AS ZEA RS JEET vu ERRE EAEE ER St BS gt EACUS CS E aa TPE AE JF EEBURERE IERUSA WUE ERTER AERE e MAMAE EEREN EL UR BIRR ERA 22 BTR BARAER BUB TS Re I HEU TS EL fil Ei SE pA HER LS EUR SUSPECTED E a TE ur T TE 5250MHz 5350MHz JEU PTS E ACER Vitr fd URS ABE 7 ARREN TEN UE FS BS SRE RF ENEH e Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment This device has been designed for the WLAN 2 4 GHz and 5 GHz networks throughout the EC region and Switzerland with restrictions in Fra
216. ide Chapter 13 Log Screens Table 55 ICMP Notes continued TYPE CODE DESCRIPTION 8 Echo 0 Echo message 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Information request message 16 Information Reply 0 Information reply message Table 56 Sys log LOG MESSAGE DESCRIPTION Mon dd hr mm ss hostname This message is sent by the RAS when this syslog is src srclP srcPort generated The messages and notes are defined in this dst dstIP dstPort appendix s other charts msg msg note lt note gt 13 4 Log Commands This section provides some general examples of how to use the log commands The items that display with your device may vary but the basic function should be the same Go to the command interpreter interface Section 23 1 on page 217 explains how to access and use the commands 13 4 1 Configuring What You Want the ZyXEL Device to Log Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyXEL Device is to record Use sys logs category followed by a log category and a parameter to decide what to record Table 57 Log Categories and Available Settings LOG CATEGO
217. ificate Revocation List The ZyXEL Device can check a peer s certificate against a directory server s list of revoked certificates The framework of servers software procedures and policies that handles keys is called PKI public key infrastructure 12 1 1 Advantages of Certificates Certificates offer the following benefits The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust no matter how many devices you need to authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys 12 2 Self signed Certificates You can have the ZyXEL Device act as a certification authority and sign its own certificates 12 3 Verifying a Certificate Before you import a trusted CA certificate into the ZyXEL Device you should verify that you have the actual certificate This is especially important since the ZyXEL Device also trusts any valid certificate signed by any of the imported trusted CA certificates 12 3 1 Checking the Fingerprint of a Certificate on Your Computer A certificate s fingerprints are message digests calculated using the MD5 or SHA algorithms The following procedure describes how to check a certificate s fingerprint to verify that you have the actual certificate 1 Browse to where you have the certificate saved on your computer 2 Make sure that the certificate has a cer or crt
218. iles gt Menu 24 7 System Maintenance Upload Firmware allows you to upgrade the firmware and the configuration file WARNING PLEASE WAIT A FEW MINUTES FOR RESTART AFTER FIRMWARE OR CONFIGURATION FILE UPLOAD INTERRUPTING THE UPLOAD PROCESS MAY PERMANENTLY DAMAGE YOUR DEVICE ZyXEL NWA 3100 User s Guide Chapter 22 Firmware and Configuration File Maintenance Figure 151 Menu 24 7 System Maintenance Upload Firmware Menu 24 7 System Maintenance Upload Firmware 1 Upload System Firmware 2 Upload System Configuration File Enter Menu Selection Number The configuration data system related data the error log and the trace log are all stored in the configuration file Please be aware that uploading the configuration file replaces everything contained within 22 4 1 Firmware Upload FTP is the preferred method for uploading the firmware and configuration To use this feature your computer must have an FTP client When you telnet into the ZyXEL Device you will see the following screens for uploading firmware and the configuration file using FTP Figure 152 Menu 24 7 1 System Maintenance Upload System Firmware Menu 24 7 1 System Maintenance Upload System Firmware To upload the system firmware follow the procedure below 1 2a Launch the FTP client on your workstation Type open and the IP address of your system Then type root and SMT password as requested
219. iles Maintenance features include Status Statistics Association List Channel Usage F W firmware Upload Configuration Backup Restore and Default and Restart ZyXEL NWA 3100 User s Guide Tutorial This chapter provides step by step guidelines showing how to configure your ZyXEL Device for some example scenarios The first example shows how to create multiple wireless networks and the second example shows how to use the rogue AP detection feature 3 1 How to Configure Multiple Wireless Networks In this example you have been using your ZyXEL Device as an access point for your office network See your Quick Start Guide for information on how to set up your ZyXEL Device in Access Point mode Now your network is expanding and you want to make use of the MBSSID feature see Section 7 1 on page 97 to provide multiple wireless networks Each wireless network will cater for a different type of user You want to make three wireless networks one standard office wireless network with all the same settings you already have another wireless network with high Quality of Service QoS settings for Voice over IP users and a guest network that allows visitors to your office to access only the Internet and the network printer To do this you will take the following steps 1 Change the operating mode from Access Point to MBSSID and reactivate the standard network 2 Configure a wireless network for Voice over IP users 3 Configure a
220. in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload ZyXEL NWA 3100 User s Guide Chapter 12 Certificates Table 46 My Certificate Import LABEL DESCRIPTION Apply Click Apply to save the certificate on the ZyXEL Device Cancel Click Cancel to quit and return to the My Certificates screen 12 8 Creating a Certificate Click CERTIFICATES gt My Certificates and then Create to open the My Certificate Create screen Use this screen to have the ZyXEL Device create a self signed certificate enroll a certificate with a certification authority or generate a certification request see the following figure Figure 84 My Certificate Create Common Name C E Mail Organization Country Key Length CA Certificate Key Certificate Name Subject Information Host IP Address C Host Domain Name IJ Organizational Unit Create a self signed certificate C Create a certification request and save it locally for later manual enrollment C Create a certification request and enroll for a certificate immediately online Enrollment Protocol CA Server Address Request Authentication 0 0 0 0 m n 1024 v bits See Trusted CAs Reference Number m Cancel The following table describes the labels in this scr
221. ing for Tunnel Medium Type eeeeeeessceeessseseeene eee enne 170 Figure 109 VLAN ID Attribute Setting for Tunnel Pvt Group ID ssssm 170 Figure 110 VLAN Attribute Setting for Tunnel Type iced kir tendaekben prone oet tente FEpEE tre ip ppPEPr PE pEM INE QR ERMER 171 Figure 111 Completed Advanced Tab iussi reverti ttd ko osiadania espe ese Ri E bL d di DE ae 171 Figure 112 Second Rx VLAN ID Example 1 nde assets ell dedicat x naa ak Ed ic nl us dk Ea ids 172 Figure 113 Configuring SSID Second Rx VLAN ID Example 1255 eorr rere rrr nera ra nnne akt an 173 gs TTA ay Sti UNS MM 175 Figure 115 Systemi Status Show Statistics Lu aooxcen ett kin tk a tt FERRE tun RR RR LI E Hl ad 176 Figure 116 ASSOCIATION LIST c R 177 Fe TI C WU ccs el uo A 178 FONS TO FNNO UDOT raan NNR ARa 179 Figure 1T19 Firmware Upload In PrOGGSS cccctasccsccc es iesuzuuuuc citta susc cese tuwuee ete pou ate p inie aie a den ER 179 Figure 120 Network Temporarily Disconnected uuu cerent rien nata cic ida E Rb a ERR ri RR 180 Faure ck Ui 28s cRal c A TREO IL m 180 Figuie T22 LOBO BUDE 5 5 0x90 RU L eR DU Rt UG Gite Ut ree A ER DD c d Lon uda t t 181 Figure 123 Configuration Upload Successful cccccccccceeeeecccceeeeeeeceeeeneeeceneeeneeeaacaeeneeeaceaeneeeaeeeaeneees 182 Figure 124 Network Temporarily DISCOlImgOEOd 1 eere ie rra ui tror ttu eorr taa pe
222. ion before restoring the previous backup configuration please do not attempt to restore unless you have a backup configuration stored on disk To restore configuration using FTP or TFTP is the same as uploading the configuration file please refer to the following sections on FTP and TFTP file transfer for more details The ZyXEL Device restarts automatically after the file transfer is complete 22 3 1 Restore Using FTP For details about backup using T FTP please refer to earlier sections on FTP and TFTP file upload in this chapter Figure 150 Menu 24 6 Restore Configuration Menu 24 6 Restore Configuration To transfer the firmware and the configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as requested 3 Type put backupfilename rom 0 where backupfilename is the name of your backup configuration file on your workstation and rom spt is the Remote file name on the router This restores the configuration to your router 4 The system reboots automatically after a successful file transfer For details on FTP commands please consult the documentation of your FTP client program For details on restoring using TFTP note that you must remain in the menu to back up using TFTP please see your router manual Press ENTER to Exit 22 4 Uploading Firmware and Configuration F
223. ireless network SSID04 is now accessible to your wireless clients as before You do not need to configure anything else for your standard network 3 1 2 Configure the VoIP Network Next click WIRELESS gt SSID The following screen displays Note that the SSID04 SSID profile the standard network is using the security01 security profile You cannot change this security profile without changing the standard network s parameters so when you set up security for the VoIP SSID and Guest SSID profiles you will need to set different security profiles Figure 13 Tutorial WIRELESS SSID Wireless SSID Security RADIUS Layer2 Isolation MAC Filter Name SSID _ _ Security RADIUS QoS VolP_SSID ZyXELO1 security01 radius 1 VoIP Guest_SSID ZyXELO2 security01 radius 1 NONE SSID03 XELO3 security01 radius 1 NONE SSIDUA ZyXELO4 security01 radiust 1 WPA2 PSK SSID0S ZyXELO5 security01 radius01 NONE SSIDO6 ZyXELOG security01 radius 1 NONE SSID07 ZyXELO7 security01 radius 1 NONE SSID08 ZyXEL0S security01 radius01 NONE SSID0S ZyXELOS security01 radius 1 NONE SSID10 ZyXEL 10 security01 radius 1 NONE SSID11 ZyXEL 11 security01 radius 1 NONE SSID12 ZyXEL12 security01 radius 1 NONE SSID13 ZyXEL 13 security01 radius 1 NONE SSID14 ZyXEL14 security 1 radius01 NONE SSID15 ZyXEL 15 security01 radius 1 NONE SSID16 ZyXEL 16 security01 radius
224. irisrisaieunnnnianinin 53 Table 4 Tutorial Friend AP INOrmatiOn uiisscieesi tir prt t t ERRAT ro REL I ERXERPyIT ER SUMER aAA 54 Table 3 avelem Gonadal SED 1 5 e scie EE LO RETI QU emcee c beD e oA Pu REM MEE peewee 63 Table G PASS WON e 64 Toe TESTON crease acta oto des Gan piden certe ledtendida bte iab tis pads Api i nd eR Mepono uabua tines 65 Tate XD EEsEI 1 Ae c nna oe i es 69 Table 9 Typical Packet SIZES A 70 Table 10 Automatic Traffic Classifier Priorities uius escena cona hr dota koh ka khi dI Ea kh hh Cea inniinn 70 Table 11 ATC WMM Priority Assignment LAN to WLAN seem 1 Table 12 ATC WMM Priority Assignment WLAN to LAN eseem meme 71 Table 13 ToS and IEEE 802 1d to WMM QoS Priority Level Mapping ccsssccceeeesecnceeeeecneneeeeeeee 72 Table 14 SIP Path COSE A 73 TUGT SIF POr OE Dor 73 Table 1a Wireless Acess PONU srania A T9 Table 17 Wireless Bdgo Repeler uucikecoeuerdeidkdiridten i d p REP Rte Ead od a dde o d edad 79 Table TO Secunty DICIS arcsec aaa oia gna R indu BUR I TORTE Da BO ERROR RED 85 Table 19 Wireless Security EOVOlS sseccccsssenc reseau cce esee bct sabes coc Puer ee Ur detur s bcr das rre cui EE 86 Wa ZU CORTES We 87 Table 4E e npud et 88 D 22 Socunty BOL AK OMY ciscencstccseantasvtedvetetsteedueesnirnivaveenieitaedicresiutsiarediuermnadaietar
225. is using the SMT or Telnet to access the ZyXEL Device Log out of the ZyXEL Device in the other session or ask the person who is logged in to log out o Disconnect and re connect the power adaptor or cord to the ZyXEL Device 4 If this does not work you have to reset the device to its factory defaults See Section 2 2 on page 40 d cannot access the SMT See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator Ignore the suggestions about your browser e cannot use FTP to upload download the configuration file cannot use FTP to upload new firmware See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator Ignore the suggestions about your browser 24 3 Internet Access e cannot access the Internet 1 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 24 1 on page 223 2 Make sure you entered your ISP account information correctly These fields are case sensitive so make sure Caps Lock is not on 3 If you are trying to access the Internet wirelessly make sure the wireless settings on the wireless client are the same as the settings on the AP 4 Disconnect all the cables from your device and follow the directions in the Quick Start Guide again 5 Ifthe problem continues contact your ISP ZyXEL NWA 3100 User s Guide 225
226. istrator Inactivity Timer Type how many minutes a management session either via the web configurator or SMT can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your password again Very long idle timeouts may have security risks A value of 0 means a management session never times out no matter how System DNS Servers ZyXEL NWA 3100 User s Guide long it has been left idle not recommended Chapter 4 System Screens Table 5 System General Setup LABEL DESCRIPTION First DNS Server Select From DHCP if your DHCP server dynamically assigns DNS server Second DNS Server information and the ZyXEL Device s Ethernet IP address The field to the Third DNS Server right displays the read only DNS server IP address that the DHCP assigns Select User Defined if you have the IP address of a DNS server Enter the DNS server s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined changes to None after you click Apply If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you click Apply Select None if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it The default setting is None Apply Click Apply to save your changes
227. lick Refresh to renew the log screen Clear Log Click Clear Log to clear all the logs 13 2 Configuring Log Settings To change your ZyXEL Device s log settings click LOGS gt Log Settings The screen appears as shown Use the Log Settings screen to configure to where and when the ZyXEL Device is to send the logs and which logs and or immediate alerts it is to send An alert is a type of log that warrants more serious attention Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts are displayed in red and logs are displayed in black Figure 90 Log Settings Address Info Syslog Logging a Send Log None hd Sunday hdl m EXE XE SE SEE 4 152 ZyXEL NWA 3100 User s Guide Chapter 13 Log Screens The following table describes the labels in this screen Table 53 Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via e mail Mail Subject Type a title that you want to be in the subject line of the log e mail message that the ZyXEL Device sends Send Log to Logs are sent to the e mail address specified in this field If this field is left blank logs will not be sent via e mail Send Alerts to
228. llowing screen appears Figure 27 Tutorial Configuration Configuration Friendly AP Configuration Yes fi min Rogue AP Active Rogue AP Period Detection Period Friendly AP List Export i Browse Import Apply Reset 4 Click Export If a window similar to the following appears click Save ZyXEL NWA 3100 User s Guide Ea Chapter 3 Tutorial Figure 28 Tutorial Warning File Download xj 3 Some files can harm your computer If the file information below looks suspicious or you do not fully trust the source do not open or save this file File name Flist doc File type Microsoft Word Document From 192 168 1 1 Would you like to open the file or save it to your computer More Info Cancel IV Always ask before opening this type of file 5 Save the friendly AP list somewhere it can be accessed by all the other access points on the network In this example save it on the network file server E in Figure 24 on page 53 The default filename is Flist Figure 29 Tutorial Save Friendly AP list Save in B My Computer e E3 Im Floppy A E Win2K HD C History Bi camp Desktop My Documents File name Fist m My Network P Save as type Microsoft Word Document Cancel 3 2 2 Activate Periodic Rogue AP Detection Take
229. lock a Telnet FTP or Web service 11 1 2 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling You can change the timeout period in the System screen 11 2 SSH You can use SSH Secure SHell to securely access the ZyXEL Device s SMT or command line interface Specify which interfaces allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the following figure computer A on the Internet uses SSH to securely connect to the ZyXEL Device for a management session Figure 74 SSH Communication Example LAN WAN om I SC intone j lt gt 2 j va A Configure SSH in the REMOTE MGNT gt TELNET screen see Section 11 3 on page 124 11 3 Telnet You can use Telnet to access the ZyXEL Device s SMT or command line interface Specify which interfaces allow Telnet access and from which IP address the access can come Click REMOTE MGNT gt TELNET to display the screen as shown ZyXEL NWA 3100 User s Guide Chapter 11 Remote Management Figure 75 Remote Management Telnet TELNET FTP
230. lts DC 1 5 A Power Consumption 18 W Max Safety Standards ITS GS BS EN 60950 1 Table 89 Australia and New Zealand Plug Standards AC Power Adaptor Model MU18 2120150 A3 Input Power 100 240 Volts AC 50 60 Hz 0 6 A Output Power 12 Volts DC 1 5 A Power Consumption 18 W Max Safety Standards EN 60950 2000 ZyXEL NWA 3100 User s Guide Appendix A Product Specifications 232 ZyXEL NWA 3100 User s Guide Setting up Your Computer s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP IP installed Windows 95 98 Me NT 2000 XP Macintosh OS 7 and later operating systems and all versions of UNIX LINUX include the software components you need to install and use TCP IP on your computer Windows 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device s LAN port Windows 95 98 Me Click Start Settings Control Panel and double click the Network icon to open the Network window ZyXEL NWA 3100 U
231. m the main menu to open Menu 22 SNMP Configuration as shown next The community for Get Set and Trap fields is SNMP terminology for password Figure 134 Menu 22 SNMP Configuration Menu 22 SNMP Configuration SNMP Get Community public Set Community public Trusted Host 0 0 0 0 Trap Community public Destination 0 0 0 0 Press ENTER to Confirm or ESC to Cancel The following table describes the SNMP configuration parameters Table 72 Menu 22 SNMP Configuration FIELD DESCRIPTION SNMP Get Community Type the Get Community which is the password for the incoming Get and GetNext requests from the management station Set Community Type the Set Community which is the password for incoming Set requests from the management station Trusted Host If you enter a trusted host your ZyXEL Device will only respond to SNMP messages from this address A blank default field means your ZyXEL Device will respond to all SNMP messages it receives regardless of source Trap Community Type the trap community which is the password sent with each trap to the SNMP manager ZyXEL NWA 3100 User s Guide Chapter 19 SNMP Configuration Table 72 Menu 22 SNMP Configuration FIELD DESCRIPTION Destination Type the IP address of the station to send your SNMP traps to When you have completed this menu press ENTER at the prompt Press EN
232. managing the device good habits 36 using FTP See FTP using Telnet See command interface using the command interface See command interface max age 73 MBSSID 35 43 45 MSDU 75 79 99 multiple wireless networks 43 ZyXEL NWA 3100 User s Guide Index N NAT 274 Network Address Translation see NAT O operating mode 44 P packets 200 password 64 187 195 path cost 73 PEAP 255 per hop behavior 71 72 ping 204 PoE 230 power output 230 PoE specifications 230 Power over Ethernet see PoE power specification 229 Pre Shared Key see PSK priorities 69 private IP address 113 product registration 285 PSK 48 Q QoS 44 103 Quick Start Guide 39 R RADIUS 48 253 shared secret key 254 RADIUS message types 253 RADIUS messages 253 Rapid STP 72 ras 201 rate receiving 200 transmitting 200 ReAuthentication Time 89 90 91 93 94 registration product 285 related documentation 3 remote management Telnet 124 remote management limitations 124 222 remote management setup 220 remote node 200 required fields 189 RESET button 229 restore 181 restore configuration 210 roaming 111 requirements 112 rogue AP 43 52 117 118 119 120 121 rogue AP list 121 root bridge 73 RTS Request To Send 252 RTS threshold 251 252 RTS CTS handshake 75 79 99 S safety warnings 6 security 47 50 security parameters 257 Service Set 76 99 Service Set Identifier see SSID S
233. may be Allow VLAN 10 Policy Click Next Figure 100 New Remote Access Policy for VLAN Group x Policy Name Specify a friendly name tor the pelicy A Remote Access Poicy iz a set of actions which can he apnled to a group of users meeting ceitain condilions Analogous te es you can apply to ncoming mail in an a mail application you can spacty a cet cf condiliore that must be matched for the Remote Access Policy to apply You can then specify actions to be taken when the condtions are met Policy Iriendly name Alow WLAN 10 Pelicy cres 2 The Conditions window displays Select Add to add a condition for this policy to act on 3 In the Select Attribute screen click Windows Groups and the Add button Figure 101 Specifying Windows Group Condition Add Remote Access Policy d x Conditions Determine t e conditions io match Sect te condire toma dd Condkens Select the type cf alinbute to add ard then click the Add bulton Atinbuts tyoss Descrption Caled Stationl d Phone number died by user Laling S taioe Id Phone umber trom which call orignsted Chent Fiiendly N ame Friendy name for the RADIUS cient 145 only ChentIPAddess P addrase of RADIUS chert IAS only ClentN endor Manufacturer of RADIUS pice or N amp S NAS onl DayAnd TimeReene Tims penod ard days of weak dunng which usi Framed Frolacol The piotocel to be used NAS Icenther Stnng idenlihang the MAS NAS IF Ackiresz
234. me with a bin extension for example NWA 3100 bin The upload process uses HTTP Hypertext Transfer Protocol and may take up to two minutes After a successful upload the system will reboot See the Firmware and Configuration File Maintenance chapter for upgrading firmware using FTP TFTP commands ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance Click MAINTENANCE gt F W Upload Follow the instructions in this screen to upload firmware to your ZyXEL Device Figure 118 Firmware Upload Status Association List Channel Usage FAW Upload Configuration Restart To upgrade the internal device firmware browse to the location of the binary BIN upgrade file and click Upload Upgrade files can be downloaded from website If the upgrade file is compressed ZIP file you must first extract the binary BIN file In some cases you may need to reconfigure File Path Browse Upload The following table describes the labels in this screen Table 65 Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the bin file you want to upload Remember that you must decompress compressed zip files before you can upload them Upload Click Upload to begin the upload process This process may take up to two minutes lt gt Do not turn off the ZyXEL Device while firmwa
235. n Threshold The threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Enter a value between 256 and 2346 Output Power Set the output power of the ZyXEL Device in this field If there is a high density of APs in an area decrease the output power to reduce interference with other APs Select one of the following 100 Full Power 50 25 12 5 or Minimum See the product specifications for more information on your ZyXEL Device s output power Select SSID Profile An SSID profile is the set of parameters relating to one of the ZyXEL Device s BSSs The SSID Service Set IDentifier identifies the Service Set with which a wireless station is associated Wireless stations associating with the access point AP must have the same SSID Note If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or security settings you will lose your wireless connection when you press Apply to confirm You must then change the wireless settings of your computer to match the ZyXEL Device s new settings Index Select the check box to activate an SSID profile ZyXEL NWA 3100 User s Guide Chapter 7 MBSSID and SSID Table 28 Wireless Multiple BSS LABEL DESCRIPTION Profile Select the profile s of the SSIDs you want to use in your wireless network You can have up to eig
236. n the wireless network is keeping track of how much time each wireless station is connected to the wireless network for example using an authentication server If the wireless network is not keeping track of this information you can usually set this value higher to reduce the number of delays caused by logging in again The default time interval is 3600 seconds or 1 hour Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients The re keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK mode The ZyXEL Device s default is 1800 seconds 30 minutes Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration 6 10 Introduction to RADIUS RADIUS is based on a client sever model that supports authentication and accounting where the access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks among others Authentication Determines the identity of the users Accounting Keeps track of the client s network activity 6 11 Configuring RADIUS Use RADIUS if you want to authenticate wireless users using an external server You can
237. n to change the password New Password __ Retype to pr aX Confirm 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyXEL Device s MAC address that will be specific to this device Figure 8 Replace Certificate Screen Replace Factory Default Certificate The factory default certificate is common to all NWA models Click Apply to create a certificate using your NWA s MAC address that will be specific to this device You should now see the MAIN MENU screen LES The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into the ZyXEL Device if this happens 2 2 Resetting the ZyXEL Device If you forget your password or cannot access the web configurator you will need to use the RESET button This replaces the current configuration file with the factory default configuration file This means that you will lose all the settings you previously configured The password will be reset to 1234 ZyXEL NWA 3100 User s Guide Chapter 2 Introducing the Web Configurator 2 2 1 Methods of Restoring Factory Defaults You can erase the current configuration and restore factory defaults in three ways Use the RESET button to upload the default configuration file Hold this button in for about 10 seconds the lights will begin to blink Use this method for cases when the password or
238. nce This Class B digital apparatus complies with Canadian ICES 003 Cet appareil num rique de la classe B est conforme a la norme NMB 003 du Canada ZyXEL NWA 3100 User s Guide Appendix Legal Information Viewing Certifications 1 Go to http www zyxel com 2 Select your product on the ZyXEL home page to go to that product s page 3 Select the certification you wish to view from this page ZyXEL Limited Warranty ZyXEL warrants to the original end user purchaser that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyXEL will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operating condition Any replacement will consist of a new or re manufactured functionally equivalent product of equal or higher value and will be solely at the discretion of ZyXEL This warranty shall not apply if the product has been modified misused tampered with damaged by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all
239. ne AP s coverage area to another it performs an authentication procedure exchanging security information with the new AP Instead of re authenticating a client each time it returns to the AP s coverage area which can cause delays to time sensitive applications the AP and the client can store or cache and use information about their previous authentication Select Enable to allow PMK caching or Disable to switch this feature off Pre Authentication Pre authentication allows a wireless client to perform authentication with a different AP from the one to which it is currently connected before moving into the new AP s coverage area This speeds up roaming Select Enable to allow pre authentication or Disable to switch it off Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh 6 9 6 Security WPA PSK WPA2 PSK WPA2 PSK MIX Select WPA PSK WPA2 PSK or WPA2 PSK MIX in the Security Mode field to display the following screen ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Figure 53 Security WPA PSK WPA2 PSK or WPA2 PSK MIX Wireless SSID Name Security Mode Pre Shared Key Idle Timeout ReAuthentication Timer Group Key Update Timer Security RADIUS Layer Isolation MAC Filter security02 WPA2 PSK MIX 1800 in seconds 3500 in seconds 1800 in seconds Apply Reset The foll
240. ned a high priority are processed more quickly than those with low priority if there is congestion allowing time sensitive applications to flow more smoothly Time sensitive applications include both those that require a low level of latency and a low level of jitter such as Voice over IP or Internet gaming and those for which jitter alone is a problem such as Internet radio or streaming video ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration ATC assigns priority based on packet size since time sensitive applications such as Internet telephony Voice over IP or VoIP tend to have smaller packet sizes than non time sensitive applications such as FTP File Transfer Protocol The following table shows some common applications their time sensitivity and their typical data packet sizes Note that the figures given are merely examples sizes may differ according to application and circumstances Table 9 Typical Packet Sizes AERC AMEN SENSITIVITY BYTES a Voice over IP SIP High lt 250 Online Gaming High 60 90 Web browsing http Medium 300 600 FTP Low 1500 When ATC is activated the device sends traffic with smaller packets before traffic with larger packets if the network is congested ATC assigns priority to packets as shown in the following table Table 10 Automatic Traffic Classifier Priorities PACKET SIZE BYTES ATC PRIORITY 1 250 ATC_High 250 1100 ATC_M
241. network RADIUS server Support for EAP Extensible Authentication Protocol RFC 2486 that allows additional authentication methods to be deployed with no changes to the access point or the wireless stations RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to the network Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless station and the network RADIUS server Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication Access Request Sent by an access point requesting authentication ZyXEL NWA 3100 User s Guide 253 Appendix D Wireless LANs Access Reject Sent by a RADIUS server rejecting access Access Accept Sent by a RADIUS server allowing access Access Challenge Sent by a RADIUS server requesting more information in order to allow access The access point sends a proper response from the user and then sends another Access Request message The following types of RADIUS messag
242. nfigure this screen To change your ZyXEL Device s MAC filter settings click WIRELESS gt MAC Filter The screen appears as shown ZyXEL NWA 3100 User s Guide Chapter 8 Other Wireless Configuration Figure 64 MAC Address Filter Wireless SSID Security RADIUS Layer Isolation MAC Filter Filter Action Allow Association Set MACAddress Set MAC Address ES 00 00 00 00 00 00 EB 00 00 00 00 00 00 EM 00 00 00 00 00 00 EN o0 00 00 00 00 00 EN 00 00 00 00 00 00 EB o0 00 00 00 00 00 EN 00 00 00 00 00 00 EB 00 00 00 00 00 00 nM 00 00 00 00 00 00 EN 00 00 00 00 00 00 00 00 00 00 00 00 ES o0 00 00 00 00 00 EN 00 00 00 00 00 00 EB 00 00 00 00 00 00 EN 00 00 00 00 00 00 EB o0 00 00 00 00 00 EN 00 00 00 00 00 00 ESB 00 00 00 00 00 00 EN 00 00 00 00 00 00 o0 00 00 00 00 00 ESN 00 00 00 00 00 00 ES o0 00 00 00 00 00 EB 00 00 00 00 00 00 EB o0 00 00 00 00 00 EN 00 00 00 00 00 00 o0 00 00 00 00 00 EN 00 00 00 00 00 00 at o0 00 00 00 00 00 Apply Reset The following table describes the labels in this screen Table 32 MAC Address Filter LABEL DESCRIPTION Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table Select Deny Association to block access to the router MAC
243. ng All BPDUs are received and processed All information frames are received and forwarded 5 5 Wireless Screen Overview The following is a list of the screens you can configure on the ZyXEL Device Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter 1 a kh WS ND Configure the ZyXEL Device to operate in AP AP Bridge Bridge Repeater or MBSSID mode in the Wireless screen You can also select an SSID Profile in the Wireless screen Use the SSID screens to view and edit SSID profiles Use the Security screen to configure wireless profiles Use the RADIUS screen to configure RADIUS authentication and accounting settings Use the Layer 2 Isolation screen to prevent wireless clients associated with your ZyXEL Device from communicating with other wireless clients APs computers or routers in a network Use the MAC Filter screen to allow or restrict access to your wireless network based on a client s MAC address 5 6 Configuring Wireless Settings Click WIRELESS gt Wireless The screen varies depending upon the operating mode you select 5 6 1 Access Point Mode Select Access Point as the Operating Mode to display the screen as shown next ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration Figure 38 Wireless Access Point Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Operating Mode Access Point bd 802 11 Mode 80211b g Super Mode Choose Channel ID Chann
244. ng diagram shows the wireless networks in your area Your access points are marked A B C and D You also have a network mail file server marked E and a computer marked F connected to the wired network The coffee shop s access point is marked 1 Figure 24 Tutorial Wireless Network Example mmm In the figure the solid circle represents the range of your wireless network and the dashed circle represents the extent of the coffee shop s wireless network Note that the two networks overlap This means that one or more of your APs can detect the AP 1 in the other wireless network When configuring the rogue AP feature on your ZyXEL Devices in this example you will need to use the information in the following table You need the IP addresses of your APs to access their Web configurators and you need the MAC address of each AP to configure the friendly AP list You need the IP address of the mail server to set up e mail alerts Table 3 Tutorial Rogue AP Example Information DEVICE IP ADDRESS MAC ADDRESS Access Point A 192 168 1 1 00 AA 00 AA 00 AA Access Point B 192 168 1 2 AA 00 AA 00 AA 00 Access Point C 192 168 1 3 A0 0A A0 0A A0 0A Access Point D 192 168 1 4 0A A0 0A A0 0A A0 ZyXEL NWA 3100 User s Guide 53 Chapter 3 Tutorial Table 3 Tutorial Rogue AP Example Information DEVICE IP ADDRESS MAC ADDRESS File Mail Server E 192 168 1 25 N A Access Point 1 UNKNOWN AF AF AF FA
245. ng the Backup servers Requests can be issued from the client interface to use the backup server The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field in the Security screen Active Select the check box to enable user authentication through an external authentication server RADIUS Server IP Address Enter the IP address of the external authentication server in dotted decimal notation RADIUS Server Port Enter the port number of the external authentication server The default port number is 1812 You need not change this value unless your network administrator instructs you to do so Share Secret Enter a password up to 128 alphanumeric characters as the key to be shared between the external authentication server and the ZyXEL Device The key must be the same on the external authentication server and your ZyXEL Device The key is not sent over the network Active Select the check box to enable user accounting through an external authentication server Accounting Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Accounting Server Port Enter the port number of the external accounting server The default port number is 1813 You need not change this value unless your network administrator instructs you to do so with additional information Share Secret
246. not available USR AT Input Fiker U S Robotics Description not available sl Add Clese 12 The Enumerable Attribute Information screen displays Select the 802 value from the Attribute value drop down list box Click OK ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Figure 108 802 Attribute Setting for Tunnel Medium Type ax Attribute name Tunnel Medium Type Altribute number 65 Attribute Format Enumerator Attribute value 802 includes all 802 media plus Ethemet canonical format Cancel 13 Return to the RADIUS Attribute Screen shown as Figure 107 on page 169 Select Tunnel Pvt Group ID Click Add 14 The Attribute Information screen displays Inthe Enter the attribute value in field select String and type a number in the range 1 to 4094 or a Name for this policy This Name should match a name in the VLAN mapping table on the ZyXEL Device Wireless stations belonging to the VLAN Group specified in this policy will be given a VLAN ID specified in the ZyXEL Device VLAN table Click OK Figure 109 VLAN ID Attribute Setting for Tunnel Pvt Group ID FES Attribute name Tunnel Pyt Group ID Attribute number 81 Attribute format OctetStiing Enter the attribute valuein Sting C Hexadecimal fi 0 Cancel 15 Return to the RADIUS Attribute Screen shown as Figure 107 on page 169 Select Tunnel Type Click Add 16 The Enumerable Attribute
247. ntn 215 Figure 158 Example Xmodem Upload Lisci icscsbns eerte iark EPI FEE bossa aun niad CREE Cela AA iA MEA SEA MARG AME teats 215 Figure 158 Menu 24 System Moalronariee 1 ctevevavecdvervaascesdvisevcederevenecadervuanedduvuauncede ERU pide ruga 217 EUER Lebeeugruo D eet Creme 218 Figure 161 Menu 24 10 System Maintenance Time and Date Setting ssssssess 219 Figure 162 Menu 24 11 Remote Management Control L 2ieeeesisceiessieeese enne ette mn tinte tuat a4 221 Figure 163 Windows 95 98 Me Network Configuration ssssseeeeeenemnn 234 Figure 164 Windows 95 S8 Me TGPHP Properties IP Address 1 eerte bites 235 Figure 165 Windows 95 98 Me TCP IP Properties DNS Configuration eeeeeeees 236 Figure 166 Windows XP Start Men 222 xe pati edet et ke pina aad dc ERA dic na RR V baa 237 Figure 167 Windows XP Control Patel 2 roo potett epe r tuia terr utae ioo bo arinena Epor diu Ero ed dau Era p rco n YU MGE 237 22 ZyXEL NWA 3100 User s Guide List of Figures Figure 168 Windows XP Control Panel Network Connections Properties ussuess 238 Figure 169 Windows XP Local Area Connection Properties sssssse nme 238 Figure 170 Windows XP Advanced TCP IP Settings uses erret that Eh ta deerat dia ba sdxS ER tpa ad des Eb uie 239 Figure 171 Windows XP Internet Protocol TCP IP Properties ccccssscceeeessssceeeest
248. o uk FTP Site ftp zyxel co uk Regular Mail ZyXEL Communications UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK is the prefix number you dial to make an international telephone call ZyXEL NWA 3100 User s Guide Index A Access Point see AP access privileges 35 address assignment 113 alerts 52 alternative subnet mask notation 269 antenna directional 260 omni directional 260 antenna gain 259 AP 117 251 AP detection 43 52 applications 31 ATC 69 103 ATC WMM 103 auto configuration 275 auto configuration status 278 Automatic Traffic Classifier see ATC B backup 181 206 Basic Service Set 67 see BSS Bridge Protocol Data Units BPDUs 73 BSS 35 67 249 C CA 255 Certificate Authority see CA certificates thumbprint algorithms 134 thumbprints 134 verifying fingerprints 134 certifications 283 notices 284 viewing 285 Index channel 251 interference 251 Cl commands valid 218 Class of Service see CoS collision 200 command interpreter 217 community 195 configuration file examples 278 format 277 rules 277 contact information 287 copyright 283 CoS 71 CPU load 200 CTS Clear to Send 252 customer support 287 D defaults 182 DHCP 202 diagnostic 203 diagnostic tools 199 differentiated services 71 DiffServ 71 DiffServ Code Point DSCP 71 DiffServ Code Points 71 DiffServ marking rule 72 dimensions
249. ociated with the ZyXEL Device can communicate with another addresses wireless client AP computer or router only if the MAC addresses of those devices are listed in this table Set This is the index number of the MAC address MAC Address Type the MAC addresses of the wireless client AP computer or router that you want to allow the associated wireless clients to have access to in these address fields Type the MAC address in a valid MAC address format that is six hexadecimal character pairs for example 12 34 56 78 9a bc Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh 8 2 1 Layer 2 Isolation Examples The following section shows you example layer 2 isolation configurations on the ZyXEL Device A BS When configuring remember to enable layer 2 isolation in the WIRELESS gt SSID gt Edit screen of the relevant SSID profile ZyXEL NWA 3100 User s Guide Chapter 8 Other Wireless Configuration Figure 61 Layer 2 Isolation Example 00 00 c5 00 00 66 00 00 c5 00 00 cc B H 7 8 2 1 1 Layer 2 Isolation Example 1 In the following example wireless clients 1 and 2 can communicate with C but not B or 3 Enter C s MAC address in the Allow devices with these MAC addresses field Figure 62 Layer 2 Isolation Example 1 Wireless SSID Security RADIUS Layer2 Isolation MAC Filter Layer 2 Isolation Configuration Allow dev
250. ogging in again The default time interval is 3600 seconds or 1 hour Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh 6 9 3 Security 802 1 x Static 64 bit 802 1x Static 128 bit Select 802 1x Static 64 or 802 1x Static 128 in the Security Mode field to display the following screen ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Figure 50 Security 802 1x Static 64 bit 802 1x Static 128 bit Key1 C Key2 C Key3 C Key4 Idle Timeout Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Name security02 Security Mode 8021x Staticl28 v Enter 13 ASCII characters or 26 hexadecimal characters 0 9 A F for each Key 1 4 ReAuthentication Timer 1800 in seconds ASCII C Hex AAN p e 3500 in seconds Apply Reset The following table describes the labels in this screen Table 23 Security 802 1x Static 64 bit 802 1x Static 128 bit LABEL DESCRIPTION Name Type a name to identify this security profile Security Mode Choose 802 1x Static 64 or 802 1x Static 128 in this field ASCII Select this option to enter ASCII characters as the WEP keys Hex Select this option to enter hexadecimal characters as the WEP keys The preceding 0x is entered automatically Key 1 to Key 4 If you chose 802 1x Static 64 then enter
251. omputer to the ZyXEL Device 22 2 1 Backup Configuration Using FTP Enter 5 in Menu 24 System Maintenance to get the following screen Figure 144 Menu 24 5 Backup Configuration Menu 24 5 Backup Configuration To transfer the configuration file to your workstation follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as requested 3 Locate the rom 0 file 4 Type get rom 0 to back up the current router configuration to your workstation For details on FTP commands please consult the documentation of your FTP client program For details on backup using TFTP note that you must remain in the menu to back up using TFTP please see your router manual Press ENTER to Exit ZyXEL NWA 3100 User s Guide Chapter 22 Firmware and Configuration File Maintenance 22 2 2 Using the FTP command from the DOS Prompt o0 0 Nx Launch the FTP client on your computer Enter open and the IP address of your ZyXEL Device Press ENTER when prompted for a username Enter root and your SMT password as requested The default is 1234 Enter bin to set transfer mode to binary Use get to transfer files from the ZyXEL Device to the computer for example get rom 0 config rom transfers the configuration file on the ZyXEL Device to your computer and renames it config rom
252. on Name Organizational Unit Organization and Country With self signed certificates this is the same as the Subject Name field Signature Algorithm This field displays the type of algorithm that was used to sign the certificate The ZyXEL Device uses rsa pkcs1 sha1 RSA public private key encryption algorithm and the SHA1 hash algorithm Some certification authorities may use ras pkcs1 md5 RSA public private key encryption algorithm and the MD5 hash algorithm Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyXEL Device uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field displays for what functions the certificate s key can be used For example DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used
253. ons on how to make hardware connections 1 2 Applications for the ZyXEL Device The ZyXEL Device can be configured to use the following WLAN operating modes 1 AP 2 AP Bridge 3 Bridge Repeater 4 MBSSID Applications for each operating mode are shown below 1 2 1 Access Point The ZyXEL Device is an ideal access solution for wireless Internet connection A typical Internet access application for your ZyXEL Device is shown as follows Stations A B and C can access the wired network through the ZyXEL Devices ZyXEL NWA 3100 User s Guide 31 Chapter 1 Introducing the ZyXEL Device Figure 1 Access Point Application UE E EX nm gay ame mea E sni M wan m i NEL XQ ul AP 1 er EN Pad S FN AP 2 v N r s t r L IEEE 1 1 i i NE i s BSS2 D D 1 1 i 1 X A KS i ua r d EN B J P tu ss a ost N P d BSS 1 X d x T B eu Cc Pg int Ul Oe Ww LOU ee ee ae io eed MAN Seven um t hw mmm mmm 1 2 2 AP Bridge In AP Bridge mode the ZyXEL Device supports both AP and bridge connection at the same time In the figure below A and B use X as an AP to access the wired network while X and Y communicate in bridge mode When the ZyXEL Device is in AP Bridge mode security between APs the Wireless Distribution System or WDS is independent of the security between the wireless stations and
254. ork fine however you must use the Xmodem protocol to perform the download upload ZyXEL NWA 3100 User s Guide 213 Chapter 22 Firmware and Configuration File Maintenance LES The ZyXEL Device has an internal console port for support personnel only Do not open the ZyXEL Device as it will void your warranty 22 4 7 Uploading Firmware File Via Console Port Select 1 from Menu 24 7 System Maintenance Upload Firmware to display Menu 24 7 1 System Maintenance Upload System Firmware then follow the instructions as shown in the following screen Figure 155 Menu 24 7 1 as seen using the Console Port Menu 24 7 1 System Maintenance Upload System Firmware To upload system firmware 1 Enter y at the prompt below to go into debug mode 2 Enter atur after Enter Debug Mode message 3 Wait for Starting XMODEM upload message before activating Xmodem upload on your terminal 4 After successful firmware upload enter atgo to restart the router Warning Proceeding with the upload will erase the current system firmware Do You Wish To Proceed Y N After the Starting Xmodem upload message appears activate the Xmodem protocol on your computer Follow the procedure as shown previously for the HyperTerminal program The procedure for other serial communications programs should be similar 22 4 8 Example Xmodem Firmware Upload Using HyperTerminal Click Transfer then Sen
255. other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact ZyXEL s Service Center for your Return Material Authorization number RMA Products must be returned Postage Prepaid It is recommended that the unit be insured when shipped Any returned products without proof of purchase or those with an out dated warranty will be repaired or replaced at the discretion of ZyXEL and the customer will be billed for parts and labor All repaired or replaced products will be shipped by ZyXEL to the corresponding return address Postage Paid This warranty gives you specific legal rights and you may also have other rights that vary from country to country Registration Register your product online to receive e mail notices of firmware upgrades and information at www zyxel com for global products or at www us zyxel com for North American products ZyXEL NWA 3100 User s Guide Appendix Legal Information ZyXEL NWA 3100 User s Guide Customer Support Please have the following information ready when you contact customer support Required Information Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it
256. ou may need to configure or helpful tips or recommendations Syntax Conventions The NWA 3100 may be referred to as the ZyXEL Device the device the product or the system in this User s Guide Product labels screen names field labels and field choices are all in bold font A key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket gt within a screen name denotes a mouse click For example Maintenance gt Log gt Log Setting means you first click Maintenance in the navigation panel then the Log sub menu and finally the Log Setting tab to get to that screen Units of measurement may denote the metric value or the scientific value For example k for kilo may denote 1000 or 1024 M for mega may denote 1000000 or 1048576 and so on e g is a Shorthand for for instance and i e means that is or in other words ZyXEL NWA 3100 User s Guide Document Conventions Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyXEL Device icon is not an exact representation of your device ZyXEL Device Computer No
257. ou want alerts to be sent myname g myfirm com in this example ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial n the Send Immediate Alert section select the events you want to trigger immediate e mails Ensure that Rogue AP is selected Click Apply 3 2 4 Configure Your Other Access Points Access point A is now configured to do the following Scan for access points in its coverage area every ten minutes Recognize friendly access points from a list Send immediate alerts to your email account if it detects an access point not on the list Now you need to configure the other wireless access points on your network to do the same things For each access point take the following steps 1 From a computer on the wired network enter the access point s IP address and login to its Web configurator See Table 3 on page 53 for the example IP addresses 2 Import the friendly AP list Click ROGUE AP gt Configuration gt Browse Find the Flist file where you previously saved it on the network and click Open 3 Click Import Check the ROGUE AP gt Friendly AP screen to ensure that the friendly AP list has been correctly uploaded 4 Activate periodic rogue AP detection See Section 3 2 2 on page 56 5 Setup e mail logs as in Section 3 2 3 on page 57 but change the Mail Subject field so you can tell which AP the alerts come from ALERT Access Point B etc 3 2 5 Test the Setup Next test your setup
258. owing table describes the labels not previously discussed Table 26 Security WPA PSK WPA2 PSK or WPA2 PSK MIX LABEL DESCRIPTION Name Type a name to identify this security profile Security Mode Choose WPA PSK WPA2 PSK or WPA2 PSK MIX in this field Pre Shared Key The encryption mechanisms used for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity The wireless station needs to send the username and password again before it can use the wireless network again Some wireless clients may prompt users for a username and password other clients may use saved login credentials In either case there is usually a short delay while the wireless client logs in to the wireless network again This value is usually smaller whe
259. ported as a trusted certification authority it may be the only certification authority in the list along with the certificate itself If the certificate is a self signed certificate the certificate itself is the only one in the list The ZyXEL Device does not trust the certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked Refresh Click Refresh to display the certification path Certificate These read only fields display detailed information about the certificate Information Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority or generated by the ZyXEL Device Subject This field displays information that identifies the owner of the certificate such as Common Name CN Organizational Unit OU Organization O and Country C Issuer This field displays identifying information about the certificate s issuing certification authority such as Comm
260. prolila for users who matched the condkions you have Dery remota access permission ae Note Even though pou may have specified thet users should be denied access he profile can still be used if this poicy s conditions ars ovairidden on a per user basie lt Back Finish Cancel 7 The Edit Dial in Profile screen displays Click the Authentication tab and select the Extensible Authentication Protocol check box Select an EAP type depending on your authentication needs from the drop down list box Clear the check boxes for all other authentication types listed below the drop down list box ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Figure 104 Authentication Tab Settings Dial in Constraints IP Multilink Authentication Encryption Advanced Check the authentication methods which are allowed for this connection v Extensible Authentization Protocol Select the EAP type which is acceptable for this policy MD5 Challenge z Microsoft Encrypted Authentication version 2 MS CHAP v2 Microsoft Encrypted Authentication MS CHAP Encrypted Authentization CHAP Unenerypted Authentication PAP SPAP Unauthenticated Access Allow remote PPP clients to connect without negotiating any authentication method Cancel Apply 8 Click the Encryption tab Select the Strongest encryption option This step is not
261. prompt users for a username and password other clients may use saved login credentials In either case there is usually a short delay while the wireless client logs in to the wireless network again This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network for example using an authentication server If the wireless network is not keeping track of this information you can usually set this value higher to reduce the number of delays caused by logging in again The default time interval is 3600 seconds or 1 hour Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh 6 9 4 Security WPA Select WPA in the Security Mode field to display the following screen Figure 51 Security WPA Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Name security02 Security Mode WPA gt ReAuthentication Timer i800 in seconds Idle Timeout 3600 in seconds Group Key Update Timer i900 in seconds Apply Reset The following table describes the labels in this screen Table 24 Security WPA LABEL DESCRIPTION Name Type a name to identify this security profile Security Mode Choose WPA in this field ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay
262. r including spaces but the ZyXEL Device drops trailing spaces Country Type up to 127 characters to identify the nation where the certificate owner is located You may use any character including spaces but the ZyXEL Device drops trailing spaces Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be generated Create a self signed certificate Select Create a self signed certificate to have the ZyXEL Device generate the certificate and act as the Certification Authority CA itself This way you do not need to apply to a certification authority for certificates Create a certification request and save it locally for later manual enrollment Select Create a certification request and save it locally for later manual enrollment to have the ZyXEL Device generate and store a request for a certificate Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority Copy the certification request from the My Certificate Details screen Section 12 9 on page 141 and then send it to the certification authority Create a certification request and enroll for a certificate immediately online Select Create a certification req
263. ration Restart System Name NWA 3100 ZyNOS Firmware Version V3 60 08 18 2006 IP Address 172 23 37 252 DHCP None IP Subnet Mask 255 255 255 0 Show Statistics The following table describes the labels in this screen Table 61 System Status LABEL DESCRIPTION System Name This is the System Name you can configure in the SYSTEM gt General screen It is for identification purposes ZyNOS Firmware This is the ZyNOS Firmware version and date created ZyNOS is ZyXEL s Version proprietary Network Operating System design IP Address This is the Ethernet port IP address IP Subnet Mask This is the Ethernet port subnet mask DHCP This is the Ethernet port DHCP role Client or None Show Statistics Click Show Statistics to see router performance statistics such as number of packets sent and number of packets received for each port ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance 15 2 1 System Statistics Read only information here includes port status packet specific statistics and bridge link status Also provided are system up time and poll interval s The Poll Interval field is configurable Figure 115 System Status Show Statistics Rx Up Los Ss Ss eS ENEUTEN 100wFUul 1963 1251 1226 838 0 33 35 WLAN EZ 0 35 07 ice o o vals Link active Remote Bridge MAC TxPkts Address 00 00 00 00 00
264. re upload is in progress After you see the Firmware Upload in Process screen wait two minutes before logging into the ZyXEL Device again Figure 119 Firmware Upload In Process Firmware Upload In Process Warning Please wait for the device to finish restarting SYS LED is on steady This should take about two minutes To access the device after a successful firmware upload you need to log in again Check you new firmware version in the system status menu The ZyXEL Device automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance Figure 120 Network Temporarily Disconnected d Local Area Connection Network cable unplugged After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click Return to go back to the F W Upload screen Figure 121 Firmware Upload Error Firmware upload error The uploaded file was not accepted by the router Please teturn to the previous page and select a valid upgrade file Click Help for more information Return 15 6 Configuration Screen See Chapter 22 on page 205 for information on how to transfer configuration files using FTP TFTP commands Click MAINTENANCE gt Configuration Information
265. red VLAN aware device you will lock yourself out of the ZyXEL Device If this happens you must reset the ZyXEL Device to access it again ZyXEL NWA 3100 User s Guide Chapter 14 VLAN 14 2 4 Configuring Microsoft s IAS Server Example Dynamic VLAN assignment can be used with the ZyXEL Device Dynamic VLAN assignment allows network administrators to assign a specific VLAN configured on the ZyXEL Device to an individual s Windows User Account When a wireless station is successfully authenticated to the network it is automatically placed into it s respective VLAN ZyXEL uses the following standard RADIUS attributes returned from Microsoft s IAS RADIUS service to place the wireless station into the correct VLAN Table 60 Standard RADIUS Attributes ATTRIBUTE NAME TYPE VALUE Tunnel Type 064 13 decimal VLAN Tunnel Medium Type 065 6 decimal 802 Tunnel Private Group ID 081 vlan name string either the Name you enter in the ZyXEL Device s VLAN gt RADIUS VLAN screen or the number See Figure 109 on page 170 The following occurs under Dynamic VLAN Assignment 1 When you configure your wireless credentials the ZyXEL Device sends the information to the IAS server using RADIUS protocol 2 Authentication by the RADIUS server is successful The RADIUS server sends three attributes related to this feature 4 The ZyXEL Device compares these attributes with the VLAN screen mapping table
266. related to factory defaults backup configuration and restoring configuration appears as shown next ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance Figure 122 Configuration Status Association List Channel Usage FAW Upload Configuration Restart Backup Configuration Click Backup to save the current configuration of your system to your computer Backup Restore Configuration To restore a previously saved configuration file to your system browse to the location of the configuration file and click Upload File Path Browse Upload Back to Factory Defaults Click Reset to clear all user entered configuration information and return to factory defaults After resetting the Password will be 1234 This device can be reached by IP address 192 168 1 2 Reset 15 6 1 Backup Configuration Backup configuration allows you to back up save the ZyXEL Device s current configuration to a file on your computer Once your ZyXEL Device is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previous settings Click Backup to save the ZyXEL Device s current configuration to your computer 15 6 2 Restore Configuration Restore configuration allows you to upload a new or previously saved configuration file from your computer to your ZyXE
267. required for EAP MDS but is performed as a safeguard Figure 105 Encryption Tab Settings Diakin Constraints IP Multilink Authentication Encryption Advanced NOTE These ericiypliuri sellirius apply uri lu the Wirduws 2000 Ruutiniy and Remote Access Service Select the level s of encryption that should be allowed by this profile No Encryption Basic Strong I Strongest Cancel Apply 9 Click the IP tab and select the Client may request an IP address check box for DHCP support 10 Click the Advanced tab The current default parameters returned to the ZyXEL Device should be Service Type and Framed Protocol Click the Add button to add an additional three RADIUS VLAN attributes required for 802 1X Dynamic VLAN Assignment ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Edit Dial in Profile Diakin Constraints IP Multilink Authentication Encryption Advanced Specify additional connection attributes to be returned to the Remote Access Server Parameters Service T ype RADIUS Standard Framed Framed Protocol RADIUS Standard PPP te te 11 The RADIUS Attribute screen displays From the list three RADIUS attributes will be added Tunnel Medium Type Tunnel Pvt Group ID Tunnel Type Click the Add button Select Tunnel Medium Type Click the Add button Figure 107 RADIUS Attribute Screen Mii 9 To add an attrbute to the Profile sele
268. ribes the labels in this screen Table 29 SSID LABEL DESCRIPTION Index This field displays the index number of each SSID profile Name This field displays the identification name of each SSID profile on the ZyXEL Device SSID This field displays the name of the wireless profile on the network When a wireless client scans for an AP to associate with this is the name that is broadcast and seen in the wireless client utility Security This field indicates which security profile is currently associated with each SSID profile See Section 6 9 on page 86 for more information RADIUS This field displays which RADIUS profile is currently associated with each SSID profile if you have a RADIUS server configured QoS This field displays the Quality of Service setting for this profile Edit Click the radio button next to the profile you want to configure and click Edit to go to the SSID configuration screen 7 2 2 Configuring SSID Each SSID profile references the settings configured in the following screens WIRELESS gt Security one of the security profiles WIRELESS gt RADIUS one of the RADIUS profiles WIRELESS gt MAC Filter the MAC filter list if activated in the SSID profile WIRELESS gt Layer 2 Isolation the layer 2 isolation list if activated in the SSID profile ZyXEL NWA 3100 User s Guide Chapter 7 MBSSID and SSID Also use the VLAN screen to set up wireless V
269. rol Menu 24 11 Remote Management Control TELNET Server Port 23 Access ALL Secure Client IP 0 0 0 0 FTP Server Port 21 Access ALL Secure Client IP 0 0 0 0 HTTPS Server Certificate auto generated self signed cert Authenticate Client Certificates No Port 443 Access ALL Secure Client IP 0 0 0 0 HTTP Server Port 80 Access ALL Secure Client IP 0 0 0 0 SNMP Service Port 161 Access ALL Secure Client IP 0 0 0 0 Press ENTER to Confirm or ESC to Cancel The following table describes the fields in this menu Table 81 Menu 24 11 Remote Management Control FIELD DESCRIPTION TELNET Server Each of these read only labels denotes a server or service that you may use to FTP Server remotely manage the ZyXEL Device HTTPS Server HTTP Server SNMP Service Port This field shows the port number for the remote management service You can change the port number for a service if needed but you must use the same port number to use that service for remote management Access Select the access interface if any by pressing the SPACE BAR Choices are LAN only WAN only All or Disable The default is LAN only Secured Client IP The default 0 0 0 0 allows any client to use this service to remotely manage the ZyXEL Device Enter an IP address to restrict access to a client with a matching IP address Certificat
270. rs when radio signals from different access points overlap causing interference and degrading performance Adjacent channels partially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and an adjacent AP is using channel 1 then you need to select a channel between 6 or 11 RTS CTS A hidden node occurs when two stations are within range of the same access point but are not within range of each other The following figure illustrates a hidden node Both stations STA are within range of the access point AP or wireless gateway but out of range of each other so they cannot hear each other that is they do not know if the channel is currently being used Therefore they are considered hidden from each other ZyXEL NWA 3100 User s Guide 251 Appendix D Wireless LANs BS Figure 183 RTS CTS liebe d CTS Range it ath O nn om pent RR ARI ER RR je ma aene P mra Station AP E oss iia k i H Data E Mcr Pi Ce r m DC Ke HN Stations A and B do not N 7 pee Station A gt hear each other They Station B m t m can hear the AP When station sends data to the AP it might not know that the station B is already using the channel If these two stations send data at the same time collisions may occur when both s
271. rtificates display in black and certification requests display in gray See the following figure ZyXEL NWA 3100 User s Guide 135 Chapter 12 Certificates Figure 82 My Certificates My Certificates Trusted CAs PKI Storage Space in Use ox 100 Replace Factory Default Certificate Factory Default Certificate Name auto_generated_self_signed_cert The factory default certificate is common to all NWA models Click Replace to create a certificate using your NWA s MAC address that will be specific to this device Certificates Setting Type __Subject___ Issuer__ Valid From Valid To auto_generated_self_signed_cert CN NWA3100 CN NWA 3100 2000 Jan 1st 2030 Jan 1st SELF Factory Default Factory Default n cene Certificate Certificate 00 00 00 GMT 00 00 00 GMT Details Create Import Delete Refresh The following table describes the labels in this screen Table 45 My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyXEL Device s PKI storage space that is currently in use When you are using 80 or less of the storage space the bar is green When the amount of space used is over 80 the bar is red When the bar is red you should consider deleting expired or unnecessary certificates before adding more certificates Replace This button displays when the ZyXEL Device has the fa
272. s Guide Chapter 1 Introducing the ZyXEL Device 1 5 LEDs Figure 6 LEDs ZyXEL Table 1 LEDs LABEL LED COLOR STATUS DESCRIPTION 1 SYS Green On The ZyXEL Device is in AP Bridge or Bridge Repeater mode and has successfully established a Wireless Distribution System WDS connection Red Flashing The ZyXEL Device is starting up Off Either The ZyXEL Device is in Access Point or MBSSID mode and is functioning normally The ZyXEL Device is in AP Bridge or Bridge Repeater mode and has not established a Wireless Distribution System WDS connection or The ZyXEL Device is not receiving power ZyXEL NWA 3100 User s Guide Chapter 1 Introducing the ZyXEL Device Table 14 LEDs continued LABEL LED COLOR STATUS DESCRIPTION 2 ZyAIR Blue On The ZyXEL Device is receiving power You can turn the ZyAIR LED off and on using the Web configurator See Section 5 6 1 on page 74 Blinking The ZyXEL Device is receiving power and transmitting data to or receiving data from its wireless stations Off Either The ZyXEL Device is not receiving power or The ZyAIR LED has been disabled See Section 5 6 1 on page 74 for how to enable the ZyAIR LED 3 ETHN Green On The ZyXEL Device has a 10 Mbps Ethernet connection Blinking The ZyXEL Device has a 10 Mbps Ethernet connection and is sending or receiving data Yellow On The ZyXEL Device has a 100 Mbps Ethern
273. s bridge that is also connected to the same wired LAN ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration Figure 41 Bridge Loop Bridge Connected to Wired LAN Ethernet To prevent bridge loops ensure that you enable STP in the Wireless screen or your ZyXEL Device is not set to bridge mode while connected to both wired and wireless segments of the same LAN To have the ZyXEL Device act as a wireless bridge only click WIRELESS gt Wireless and select Bridge Repeater as the Operating Mode Figure 42 Wireless Bridge Repeater Bridge Repeater 802 11b g Channel 06 2437MHz Li Remote Bridge MAC Address ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration The following table describes the bridge labels in this screen Table 17 Wireless Bridge Repeater LABEL DESCRIPTIONS Operating Mode Select Bridge Repeater in this field 802 11 mode Select 802 11b Only to allow only IEEE 802 11b compliant WLAN devices to associate with the ZyXEL Device Select 802 11g Only to allow only IEEE 802 11g compliant WLAN devices to associate with the ZyXEL Device Select 802 11b g to allow both IEEE802 11b and IEEE802 11g compliant WLAN devices to associate with the ZyXEL Device The transmission rate of your ZyXEL Device might be reduced Select 802 11a to allow only IEEE 802 11a compliant WLAN devices to associate with the ZyXEL Device Choose Channel ID Set the operating frequ
274. s of the storage space the bar is green When the amount of space used is over 80 the bar is red When the bar is red you should consider deleting expired or unnecessary certificates before adding more certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates this is the same information as in the Subject field Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired CRL Issuer This field displays Yes if the certification authority issues Certificate Revocation
275. s security on your ZyXEL Device your network is accessible to any wireless networking device within range 6 9 Configuring Security BS The following screens are configurable only in Access Point AP Bridge and MBSSID operating modes only Use the Security screen to create secure profiles A security profile is a group of configuration settings which can be assigned to an SSID profile in the SSID configuration screen You can configure up to 16 security profiles ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration To change your ZyXEL Device s wireless security settings click WIRELESS gt Security Figure 47 Security Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter index ETT NN Security Mode EHNEN security01 None fof 2 security02 WPA 3 security03 None e a4 security04 None e 5 security05 None 6 security06 None oj 7 security07 None EHEren security08 None 9 security09 None w security10 None o mn security11 None o 2 security12 None n security13 None o u security14 None To 6 security15 None w security16 None Edit The following table describes the labels in this screen Table 20 Security LABEL DESCRIPTION Index This is the index number of the security profile address Profile Name This field
276. s the Internet Case A The ZyXEL Device is using the same LAN and WAN IP addresses The following figure shows an example where the ZyXEL Device is using a WAN IP address that is the same as the IP address of a computer on the LAN Figure 176 IP Address Conflicts Case A IP 10 50 1 1 WAN IP 10 59 1 1 d y o JJ You must set the ZyXEL Device to use different LAN and WAN IP addresses on different subnets if you enable DHCP server on the ZyXEL Device For example you set the WAN IP address to 192 59 1 1 and the LAN IP address to 10 59 1 1 Otherwise It is recommended the ZyXEL Device use a public WAN IP address Case B The ZyXEL Device LAN IP address conflicts with the DHCP client IP address In the following figure the ZyXEL Device is acting as a DHCP server The ZyXEL Device assigns an IP address which is the same as its LAN port IP address to a DHCP client attached to the LAN ZyXEL NWA 3100 User s Guide Appendix C IP Address Assignment Conflicts Figure 177 P Address Conflicts Case B IP 10 59 1 1 LAN IP 10 59 1 1 f A Gene T j _ e To solve this problem make sure the ZyXEL Device LAN IP address is not in the DHCP IP address pool Case C The Subscriber IP address is the same as the IP address of a network device The following figure depicts an example where the subscriber IP address is the same as the IP address of a network device not att
277. s the last updated time from the time server When you select None in the Time Protocol field enter the new time in this field and then click Apply Current Date yyyy mm dd This field displays the date of your ZyXEL Device Each time you reload this page the ZyXEL Device synchronizes the date with ZyXEL NWA 3100 User s Guide the time server Chapter 4 System Screens Table 7 Time Setting LABEL DESCRIPTION New Date yyyy mm dd This field displays the last updated date from the time server When you select None in the Time Protocol field enter the new date in this field and then click Apply Time Zone Choose the time zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Daylight Savings Select this option if you use daylight savings time Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening Start Date mm dd Enter the month and day that your daylight savings time starts on if you selected Daylight Savings End Date mm dd Enter the month and day that your daylight savings time ends on if you selected Daylight Savings Apply Click Apply to save your changes Reset Click Reset to reload the previous configuration for this screen ZyXEL NWA 3100 User s
278. s use the protocol to obtain confidential user information such as credit card numbers By convention URLs that require an SSL connection start with https instead of http The ZyXEL Device allows SSL connections to take place through the ZyXEL Device MAC Address Filter Your ZyXEL Device checks the MAC address of the wireless station against a list of allowed or denied MAC addresses Wireless Association List With the wireless association list you can see the list of the wireless stations that are currently using the ZyXEL Device to access your wired network Logging and Tracing Built in message logging and packet tracing Embedded FTP and TFTP Servers The embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration Auto Configuration Administrators can use text configuration files to configure the wireless LAN settings for multiple APs The AP can automatically get a configuration file from a TFTP server at start up or after renewing DHCP client information SNMP SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of the TCP IP protocol suite Your ZyXEL Device supports SNMP agent functionality which allows a manger station to manage and monitor the ZyXEL Device through the network The ZyXEL Device supports SNMP version one SNMPv1 and version two c
279. ser s Guide 233 Appendix B Setting up Your Computer s IP Address 3Com EtherLink 10 100 PCI TX NIC 3C905B TX Dial Up Adapter USB Fast Ethernet Adapter Y TCP IP gt 3Com EtherLink 10 100 PCI T NIC 3C9 Installing Components The Network window Configuration tab displays a list of installed components You need a network adapter the TCP IP protocol and Client for Microsoft Networks If you need the adapter 1 Inthe Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 Inthe Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks 1 Click Add 2 Select Client and then click Add 3 Select Microsoft from the list of manufacturers 4 Select Client for Microsoft Networks from the list of network clients and then click OK 5 Restart your computer so the changes you made take effect ZyXEL NWA 3100 User s Guide Appendix B Setting up Your Computer s IP Address Configuring 1 Inthe Network window Configuration tab select your network adapter s TCP IP entry and click Properties 2 Click the IP Address tab f your IP address is dynamic select Obtain an IP address automatically Ifyou have a static IP address select Specify
280. should be similar 1 Display menu 24 5 and enter y at the following screen Figure 146 System Maintenance Backup Configuration Ready to backup Configuration via Xmodem Do you want to continue y n 2 The following screen indicates that the Xmodem download has started Figure 147 System Maintenance Starting Xmodem Download Screen You can enter ctrl x to terminate operation any time Starting XMODEM download 3 Run the HyperTerminal program by clicking Transfer then Receive File as shown in the following screen Figure 148 Backup Configuration Example Receive File 21x Place received file in the following folder c Product Type a location for storing the configuration file or click Browse Use receiving protocol to look for one modem Choose the Xmodem protocol Cancel Then click Receive 4 After a successful backup you will see the following screen Press any key to return to the SMT menu Figure 149 Successful Backup Confirmation Screen Backup Configuration completed OK Hit any key to continue ZyXEL NWA 3100 User s Guide Chapter 22 Firmware and Configuration File Maintenance 22 3 Restore Configuration Menu 24 6 System Maintenance Restore Configuration allows you to restore the configuration via FTP or TFTP to your ZyXEL Device The preferred method is FTP Note that this function erases the current configurat
281. single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses 64 ASCII characters to convert a binary PKCS 7 certificate into a printable form ZyXEL NWA 3100 User s Guide Chapter 12 Certificates 12 7 Importing a Certificate BS Click CERTIFICATES gt My Certificates and then Import to open the My Certificate Import screen Follow the instructions in this screen to save an existing certificate to the ZyXEL Device You can import only a certificate that matches a corresponding certification request that was generated by the ZyXEL Device The certificate you import replaces the corresponding request in the My Certificates screen You must remove any spaces from the certificate s filename before you can import it Figure 83 My Certificate Import Please specify the location of the certificate file to be imported The certificate file must be in one of the following formats e Binary X 509 e PEM Base 64 encoded X 509 e Binary PKCS 7 e PEM Base 64 encoded PKCS 7 For my certificate importation to be successful a certification request corresponding to the imported certificate must already exist on NWA After the importation the certification request will automatically be deleted File Path Browse Apply Cancel The following table describes the labels in this screen Table 46 My Certificate Import LABEL DESCRIPTION File Path Type
282. sion V3 60 AAI 1 09 05 2006 Name NWA 3100 Press Command COMMANDS 9 Reset Counters ESC Exit The following table describes the fields present in this menu Table 73 Menu 24 1 System Maintenance Status FIELD DESCRIPTION Port This is the port type Port types are Ethernet and WLAN Status This shows the status of the remote node TxPkts This is the number of transmitted packets to this remote node RxPkts This is the number of received packets from this remote node Cols This is the number of collisions on this connection Tx B s This shows the transmission rate in bytes per second Rx B s This shows the receiving rate in bytes per second Up Time This is the time this channel has been connected to the current remote node Ethernet Address This shows the MAC address of the port IP Address This shows the IP address of the network device connected to the port IP Mask This shows the subnet mask of the network device connected to the port DHCP This shows the DHCP setting None or Client for the port System Up Time This is the time the ZyXEL Device is up and running from the last reboot ZyNOS F W Version Refers to the ZyNOS ZyXEL Network Operating System system firmware version ZyNOS is a registered trademark of ZyXEL Communications Corporation Name This displays the device name 21 2 System Information To get to the System Information ZyXEL NWA 3100 User s Guide Chapter 21 System Information and Diagnosis
283. snneeeeeetsnaeees 240 Figure 172 Macintosh OS 8 9 Apple MODI ue erret tor ER EVEN E RE FR DEPr tt Febr en io lu eet pe ERE ER A DPI aR 241 Figure 173 Maciriosh OS 8 9 TUBIS iscccecedecsecee eunacauuur nni tnu a EEEa 241 Figure 174 Macintosh Os X Apple Menu 1iiisseese sito nina Etre lk EHE ERR EXE NR rii RUE tinaa R ERR ES RF a a keR ERE EK EVER Led nA 242 gi mde EST Mn m a 243 Figure T7919 Address Conflicie Case A od eei odore laden Moi ete dod cn nud dod et uitio d Gd ER ae 245 Figure 177 IP Address Conflicts Case Basses sais e err e khoa kso ra eda E i Kd a E an a cd 246 Figure 178 IP Address Conflicts Casp C iiussscnsiseseecenisusecensi ster rd ntur dorina iena Ford peo pL HP EEEE 246 Figure T7919 Address Cones Case D 1 eceesiiusut co IS nu ESUARRO ESTAS ROLRESM RUM GL ESVER NE ERUVE HR HER a R2 SA d 247 Figure 180 Peer to Peer Communication in an Ad hoc Network eeeeseeesennnne 249 Figure 191 Basie Service Sel inssin 250 Figure 182 Infrastructure WLAN cass apa pocta rri e pane Rd b s c Ep ER e RE sb sei a d ad 251 gs TORDO GT eer m cT 252 Figure T84 Popup BIOCNBE 3c ren IER HERR LEE ERA EE Sex ERE SERRA ER eH ER EAE FEE eI HM SR do Rd rada 261 Figure 185 Intemet Options PS Lees intente bud ctc Lada gei edt n Rd t a M CIR ER HK RU C AR KE 262 Figure 186 Internet Options ede 263 Figure Tey Popup Blocker Sonne jen ium naka na dado e apta p aw a td e a D dad 263
284. ss diverse interconnected networks C Show icon in notification area when connected 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP f you have a dynamic IP address click Obtain an IP address automatically f you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields Click Advanced ZyXEL NWA 3100 User s Guide Appendix B Setting up Your Computer s IP Address Figure 170 Windows XP Advanced TCP IP Settings Advanced TCP IP Settings PR IP Settings DNS WINS Options IP addresses IP address Subnet mask DHCP Enabled Default gateways Gateway Metric Add Automatic metric 6 Ifyou do not know your gateway s IP address remove any previously installed gateways in the IP Settings tab and click OK Do one or more of the following if you want to configure additional IP addresses n the IP Settings tab in IP addresses click Add n TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of transmission hops cle
285. ss point AP must have the same SSID Select an SSID Profile from the drop down list box Configure SSID profiles in the SSID screen see Section 7 2 on page 100 for information on configuring SSID Note If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or security settings you will lose your wireless connection when you press Apply to confirm You must then change the wireless settings of your computer to match the ZyXEL Device s new settings Enable Breathing LED Select this check box to enable the breathing LED also known as the ZyAIR LED The blue ZyAIR LED is on when the ZyXEL Device is receiving power and blinks or breathes when data is being transmitted to and from its wireless stations Clear the check box to turn this LED off even when the ZyXEL Device is on and data is being transmitted and received Enable Spanning Tree Control STP R STP detects and breaks network loops and provides backup links between switches bridges or routers It allows a bridge to interact with other R STP compliant bridges in your network to ensure that only one path exists between any two stations on the network Select the check box to activate STP on the ZyXEL Device Roaming Active Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another Select this checkbox to enable roaming on
286. successful the following screen will appear Click Return to go back to the Configuration screen Figure 125 Configuration Upload Error Restore configuration error The configuration flle was not accepted by the router Please return to the previous page and seloct a valid confiquration file Click Help for more information Return 15 6 3 Back to Factory Defaults Pressing the Reset button in this section clears all user entered configuration information and returns the ZyXEL Device to its factory defaults as shown on the screen The following warning screen will appear ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance Figure 126 Reset Warning Message You can also press the RESET button to reset your ZyXEL Device to its factory default settings Refer to Section 2 2 on page 40 for more information 15 7 Restart Screen System restart allows you to reboot the ZyXEL Device without turning the power off Click MAINTENANCE Restart Click Restart to have the ZyXEL Device reboot This does not affect the ZyXEL Device s configuration Figure 127 Restart Screen Status Association List Channel Usage FAW Upload Configuration System Restart ZyXEL NWA 3100 User s Guide Chapter 15 Maintenance ZyXEL NWA 3100 User s Guide PART III SMT and Troubleshooting Introducing the SMT 187 General Setup 191 LAN Setup 193 SNMP Configuration 195 System Password 197
287. sword Old Password New Password Retype to confirm Enter here to CONFIRM or ESC to CANCEL ZyXEL NWA 3100 User s Guide Chapter 16 Introducing the SMT 3 Type your new system password in the New Password field up to 30 characters and press ENTER 4 Re type your new system password in the Retype to confirm field for confirmation and press ENTER Note that as you type a password the screen displays an asterisk for each character you type 16 3 SMT Menu Overview Example The following table gives you an overview of your ZyXEL Device s various SMT menus Table 67 SMT Menus Overview MENUS SUB MENUS 1 General Setup 3 LAN Setup 3 2 TCP IP Setup 22 SNMP Configuration 23 System Password 24 System Maintenance 24 1 System Status 24 2 System Information and 24 2 1 System Information Console Port Speed 24 2 2 Console Port Speed 24 3 Log and Trace 24 3 1 View Error Log 24 4 Diagnostic 24 5 Backup Configuration 24 6 Restore Configuration 24 7 Upload Firmware 24 7 1 Upload System Firmware 24 7 2 Upload System Configuration File 24 8 Command Interpreter Mode 24 10 Time and Date Setting 24 11 Remote Management Setup 16 4 Navigating the SMT Interface The SMT System Management Terminal is the interface that you use to configure your ZyXEL Device ZyXEL NWA 3100 User s Guide Chapter 16 Introdu
288. t All Programs Accessories and then Command Prompt 2 Inthe Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel ZyXEL NWA 3100 User s Guide Appendix B Setting up Your Computer s IP Address Figure 172 Macintosh OS 8 9 Apple Menu About This Computer File Edit View Window Special D Apple System Profiler E Calculator Chooser Control Panels i Favorites Key Caps GR Network Browser G Recent Applications ij Recent Documents cif Remote Access Status Scrapbook 49 Sherlock 2 3 Speakable Items Stickies Text Help ADSL Control and Status Appearance Apple Menu Options AppleTalk ColorSync Control Strip Date amp Time DialAssist Energy Saver Extensions Manager File Exchange File Sharing General Controls Internet Keyboard Keychain Access Launcher Location Manager Memory Modem Monitors Mouse Multiple Users Numbers QuickTime Settings Remote Access Software Update Sound Speech Startup Disk USB Printer Sharing 2 Select Ethernet built in from the Connect via list Figure 173 Macintosh OS 8 9 TCP IP Ei TCP IP Comect via Ethernet Setup Config
289. t security to gain access to the network or set up their own rogue APs in order to capture information from wireless clients If a scan reveals a rogue AP you can use commercially available software to physically locate it Note that it is not necessary for a network to have a legitimate wireless LAN component for rogue APs to open the network to an attacker In this case any AP detected can be classified as rogue 10 2 Rogue AP Examples In the following example a corporate network s security is compromised by a rogue AP R set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly A The company s legitimate wireless network the dashed ellipse B is well secured but the rogue AP uses inferior security that is easily broken by an attacker X running readily available encryption cracking software In this example the attacker now has access to the company network including sensitive data stored on the file server C ZyXEL NWA 3100 User s Guide Chapter 10 Rogue AP Figure 68 Rogue AP Example a Internet B ER E s 7 10 2 1 Honeypot Attack Rogue APs need not be connected to the legitimate network to pose a severe security threat In the following example an attacker X is stationed in a vehicle outside a company building using a rogue access point equipped with a powerful antenna By mimicking a legitimate company network AP the attacker tries to capt
290. t WEP to enable data encryption Authentication Select Auto Open System or Shared Key from the drop down list box Method The default setting is Auto ASCII Select this option to enter ASCII characters as the WEP keys Hex Select this option to enter hexadecimal characters as the WEP keys The preceding Ox is entered automatically Key 1 to The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless Key 4 stations must use the same WEP key for data transmission If you chose 64 bit WEP then enter any 5 ASCII characters or 10 hexadecimal characters 0 9 A F If you chose 128 bit WEP then enter 13 ASCII characters or 26 hexadecimal characters 0 9 A F If you chose 152 bit WEP then enter 16 ASCII characters or 32 hexadecimal characters 0 9 A F You must configure all four keys but only one key can be activated at any one time The default key is key 1 Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh 6 9 2 Security 802 1x Only Select 802 1x Only in the Security Mode field to display the following screen ZyXEL NWA 3100 User s Guide Chapter 6 Wireless Security Configuration Figure 49 Security 802 1x Only Wireless SSID Name security02 Security Mode 8021x Only gt ReAuthentication Timer i900 in seconds Idle Timeout 3600 in seconds Security RADIUS Layer 2 Isolation
291. t of Tables Table 39 Remote Management TOI 2uscessecsvrinpeci itr p tes ro tio oda ss oa t i en d ada da sla da dtd 125 Table 40 Remote Management P TE 25 5 taaecks chute dk ko pad eei a secancecanccpnadeddssepadanaesennddecanenimalecdssagediuadendas 126 Table 41 Remote Management VV aucune receta curte bac anaien aani naaa Ea dq dde aba le 127 TM eae SNMP TES Los od od Ed ede Lat e OP EE e redet oo ea d eae aa a bl a ub i e t a 129 Table 43 SNMP Interface Index to Physical Port Mapping eene nnne nnn nnn nnns 130 Table 44 Remote Management SNMP 1er niat uaa stt taro tE etra ui nEEp gau a SERE purae aaa seniors 131 IESU T Pt npe c ur 136 Table dB My Coriicate IR secede hurd ee rM FS DEAN UD AN EEMdE 138 Tabor My rT Liu eto o Rp aa to ed d en o ped rds 139 Table 48 My Certificate Detalls soieisinismainii ierann UU anda ia iaaa beh sudan leprae Tied 142 Table 49 THISIGA CAS 145 Table SU Triste Emi rc 146 Table So md CA Dale eec I 147 WABI SZ VION LG sroin i concadeiis ta oti shes EALE aa a S a ai 151 TS o Esp ip ri E mmm ter 153 Table 54 System Maintenance LOS e t 154 i us fM ds c qe 154 TN O5 SIS pis ea cea aes ets tina D b rep hae Oda wip Meer IE LOpC FIR E NM boc RENE AF I UR Eb E tt 155 Table 57 Log Categories and Available Settings ieeeseseiieeeen esent tnnt nana a a dans 155 Table Se WIREL
292. t performance instead of providing a remedy Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size between 256 and 2432 bytes that can be sent in the wireless network before the AP will fragment the packet into smaller data frames A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference 282 ZyXEL NWA 3100 User s Guide Appendix D Wireless LANs If the Fragmentation Threshold value is smaller than the RTS CTS value see previously you set then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS CTS size LES The ZyXEL Device may be prone to RF Radio Frequency interference from other 2 4 GHz devices such as microwave ovens wireless phones Bluetooth enabled devices and other wireless LANs IEEE 802 1x In June 2001 the IEEE 802 1x standard was designed to extend the features of IEEE 802 11 to support extended authentication as well as providing additional accounting and control features It is supported by Windows XP and a number of network devices Some advantages of IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting management on a
293. t session running at one time 23 4 System Timeout There is a system timeout of five minutes 300 seconds for Telnet web FTP connections Your ZyXEL Device will automatically log you out if you do nothing in this timeout period except when it is continuously updating the status in menu 24 1 or when sys stdio has been changed on the command line ZyXEL NWA 3100 User s Guide Troubleshooting This chapter offers some suggestions to solve problems you might encounter The potential problems are divided into the following categories Power Hardware Connections and LEDs ZyXEL Device Access and Login Internet Access 24 1 Power Hardware Connections and LEDs P The ZyXEL Device does not turn on None of the LEDs turn on Make sure you are using the power adaptor or cord included with the ZyXEL Device Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source Make sure the power source is turned on Disconnect and re connect the power adaptor or cord to the ZyXEL Device If the problem continues contact the vendor Ma AO e One of the LEDs does not behave as expected Make sure you understand the normal behavior of the LED See Section 1 5 on page 37 Check the hardware connections See the Quick Start Guide Inspect your cables for damage Contact the vendor to replace any damaged cables Disconnect and re connect the power adaptor to the Zy
294. t the bottom of the list and the most specific at the top of the list ZyXEL NWA 3100 User s Guide Chapter 14 VLAN 14 2 5 Second Rx VLAN ID Example In this example the ZyXEL Device is configured to tag packets from SSID01 with VLAN ID 1 and tag packets from SSID02 with VLAN ID 2 VLAN 1 and VLAN 2 have access to a server S and the Internet as shown in the following figure Figure 112 Second Rx VLAN ID Example SSID01 A VLAN ID 1 Second Rx VLAN ID 2 s bs N N UN Internet ss SSIDO2 i 1 VLAN ID 2 a Second Rx VLAN ID 0 Packets sent from the server S back to the switch are tagged with a VLAN ID incoming VLAN ID These incoming VLAN packets are forwarded to the ZyXEL Device The ZyXEL Device compares the VLAN ID in the packet header with each SSID s configured VLAN ID and second Rx VLAN ID settings In this example SSID01 s second Rx VLAN ID is set to 2 All incoming packets tagged with VLAN ID 2 are forwarded to SSID02 and also to SSID01 However SSID02 has no second Rx VLAN ID configured and the ZyXEL Device forwards only packets tagged with VLAN ID 2 to it 14 2 5 1 Second Rx VLAN Setup Example The following steps show you how to setup a second Rx VLAN ID on the ZyXEL Device 1 Log into the Web Configurator 2 Click VLAN gt Wireless VLAN 3 If VLAN is not already enabled click Enable Virtual LAN and set up the Management VLAN ID see Section 14 1 1 on page
295. te with each other MBSSID should not replace but rather be used in conjunction with 802 1x security 7 1 3 Multiple BSS Example Refer to the applications section for more information 7 1 4 Multiple BSS with VLAN Example In this example VLAN 2 includes the computers in BSS1 and LAN 1 Computers in BSS2 and LAN 2 belong to VLAN 2 Users in BSSI are limited to accessing the resources on LAN 1 and similarly users in BSS2 may only access resources on LAN 2 VLAN 2 is the management VLAN The switch adds PVID Port VLAN IDentity tags to incoming frames that don t already have tags on switch ports where PVID is enabled ZyXEL NWA 3100 User s Guide Chapter 7 MBSSID and SSID Figure 55 Multiple BSS with VLAN Example SU BSS4 7 BSS2 7 1 5 Configuring Multiple BSSs Click WIRELESS gt Wireless and select MBSSID in the Operating Mode drop down list box to display the screen as shown Figure 56 Wireless Multiple BSS SSID Security RADIUS Layer 2 Isolation MBSSID z B02 11b g x Channel 06 2437MHz 2346 2346 ZyXEL NWA 3100 User s Guide Chapter 7 MBSSID and SSID The following table describes the labels in this screen Table 28 Wireless Multiple BSS LABEL DESCRIPTION Operating Mode Select MBSSID in this field to display the screen as shown 802 11 Mode Select 802 11b Only to allow only IEEE 802 11b compliant WLAN devices to associate with the ZyXEL Device Select 802 11g
296. tebook computer 1 m Server DSLAM Firewall NC CN N mmn N SS T N zs zo ens o Ne tux ea E SS I Telephone Switch Router NEN Se gt SE ZyXEL NWA 3100 User s Guide a Safety Warnings Safety Warnings D gt For your safety be sure to read and follow all warning notices and instructions e e e e e e e e e e Do NOT use this device near water for example in a wet basement or near a swimming pool Do NOT expose your device to dampness dust or corrosive liquids Do NOT store things on the device Do NOT install use or service this device during a thunderstorm There is a remote risk of electric shock from lightning Connect ONLY suitable accessories to the device ONLY qualified service personnel should service or disassemble this device Make sure to connect the cables to the correct ports Place connecting cables carefully so that no one will step on them or stumble over them Always disconnect all cables from this device before servicing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the device where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it mi
297. ted CA Details continued LABEL DESCRIPTION Certificate These read only fields display detailed information about the certificate Information Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority Subject This field displays information that identifies the owner of the certificate such as Common Name CN Organizational Unit OU Organization O and Country C Issuer This field displays identifying information about the certificate s issuing certification authority such as Common Name Organizational Unit Organization and Country With self signed certificates this is the same information as in the Subject Name field Signature Algorithm This field displays the type of algorithm that was used to sign the certificate Some certification authorities use rsa pkcs1 sha1 RSA public private key encryption algorithm and the SHA1 hash algorithm Other certification authorities may use ras pkcs1 md5
298. ted with your ZyXEL Device from communicating with other wireless clients APs computers or routers in a network Multiple BSSID MBSSID MBSSID mode allows the ZyXEL Device to operate up to 8 different wireless networks BSSs simultaneously each with independently configurable wireless and security settings Rogue AP detection Rogue AP detection detects and logs unknown access points APs operating in the area VLAN 802 1Q VLAN tagging ZyXEL NWA 3100 User s Guide Appendix A Product Specifications Table 83 Firmware Specifications FEATURE DESCRIPTION STP Spanning Tree Protocol RSTP Rapid STP R STP detects and breaks network loops and provides backup links between switches bridges or routers It allows a bridge to interact with other R STP compliant bridges in your network to ensure that only one path exists between any two stations on the network WMM QoS WMM Wi Fi MultiMedia QoS Quality of Service allows you to prioritize wireless traffic Certificates The ZyXEL Device can use certificates also called digital IDs to authenticate users Certificates are based on public private key pairs Certificates provide a way to exchange public keys for use in authentication SSL Passthrough SSL Secure Sockets Layer uses a public key to encrypt data that s transmitted over an SSL connection Both Netscape Navigator and Internet Explorer support SSL and many Web site
299. tehioaaaeian Hp did RR batted 277 Table 108 Displaying the Auto Configuration Status snccccscccsscccscicsisecsqavinetasndesnestertiaussssuw aeontentdeensreaden 278 ZyXEL NWA 3100 User s Guide List of Tables ZyXEL NWA 3100 User s Guide PART I Introduction Introducing the ZyXEL Device 31 Introducing the Web Configurator 39 Tutorial 43 Introducing the ZyXEL Device This chapter introduces the main applications and features of the ZyXEL Device It also introduces the ways you can manage the ZyXEL Device 1 1 Introducing the ZyXEL Device Your ZyXEL Device extends the range of your existing wired network without additional wiring providing easy network access to mobile users Itis highly versatile supporting up to eight BSSIDs simultaneously The Quality of Service QoS features allow you to prioritize time sensitive or highly important applications such as VoIP Multiple security profiles allow you to easily assign different types of security to groups of users The ZyXEL Device controls network access with MAC address filtering rogue AP detection and layer 2 isolation It also provides a high level of network traffic security supporting IEEE 802 1x Wi Fi Protected Access WPA WPA2 and WEP data encryption Your ZyXEL Device is easy to install configure and use The embedded Web based configurator enables simple straightforward management and maintenance See the Quick Start Guide for instructi
300. tenance Information ssssssssssssssemem 201 Table 75 Menu 24 4 System Maintenance Menu Diagnostic eese 204 Table 79 Filename Conventions MMR 206 Table 77 General Commands for Third Party FTP Clients eeeseeeisieseeeeeae ernannt han tha 207 Table 78 General Commands for Third Party TFTP Clients 2 cccssencccseeseneeceeessnnceceeessnceseeanneneee 208 Table 79 Brute Force Password Guessing Protection Commands see 218 Table 80 System Maintenance Time and Date Setting ssssseeeeenn 219 Table 81 Menu 24 11 Remote Management Control eeeescceseee eren t annt n te aa datae d Yann nude 221 ZyXEL NWA 3100 User s Guide List of Tables Tabte Hardware SEC ANOS 4c irpo tt Repeat a PE ot o o Ra bod 229 Tabe O3 FICA DOCUIT GNE cicceeerxed eek QU FEIER AIME rU PEN FAM OB CES PAZ ERU ARE Ue UaE EN HAV ETUR REESE TASA EAA 229 Table 84 Power over Ethernet Injector Specifications ccccccseessenecesesseneeceeussnnneceserseneeceuussenneceeensennees 230 Table 85 Power over Ethernet Injector RJ 45 Port Pin Assignments sss 231 Table 86 North American Flug Standards aer dacciieveenerideacstlseenhadeaes a 231 Ttable Sf European Plug Slandarde d 231 Table 88 United Kingdom Plug Standards 12s esie rabia tk aea RS RR pax R9 khen REA eai ERN Men EE ERRARE RUE Sad 231 Table 89 Australia
301. tet Eee td edu eoa prre du pud 182 ZyXEL NWA 3100 User s Guide 21 List of Figures Figure T25 Coniigurakon Upload EPIO ciii dac ni rate adt M Eabb a da t Rt da t 182 Figure 126 Reset Warning Message m 183 Figure 127 Restan o e s s nini a ar EEN A A EN S A vencenernadeleyi sens 183 mS To LOG TO e 187 Figure 129 Men 23 System Fass Word casiGentemvend nap ESNS NAU ANNAR 187 Figure 130 SMT Main II 189 Figure 131 LM EC EV je 191 i A4 QU ERN Ei eT 193 Figuie 129 Manu de TOPP SEUD uu eiesditeo gd e dile o Pee err c a o un Le Moe e DR toc 193 Figure 134 Menu 22 SNMP Configuration eeieseeeee cenare thnnnar needed enna Rau ee ARA EX arn A Rua nee 195 Figure 135 Menu 23 System Password 12 ease o rettet prenne tior od utut tope db sceau prenne surdi peo pL LER SA PULL MM edd 197 Figure 136 Menu 24 System MIFIEODIBFIQU uxiacsssseic ptt y nO EEEERN IL A FORE SEV NE MEL EX KGI d EA RR 199 Figure 137 Menu 24 1 System Maintenance Status 1 uceekeemasexbetticankkkt tia dek het o nU ben p ede FERE eR ORKREER 200 Figure 138 Menu 24 2 System Information and Console Port Speed uu eee eee eee etree eee 201 Figure 139 Menu 24 2 1 System Information Information sssssseeeen 201 Figure 140 Menu 24 2 2 System Maintenance Change Console Port Speed siseses 202 Figure 141 Menu 24 3 System Maintenance Log and Trace eese nennen nnne 203 Figure 142
302. that takes you back to the My Certificate Create screen Click Return and check your information in the My Certificate Create screen Make sure that the certification authority information 1s correct and that your Internet connection is working properly if you want the ZyXEL Device to enroll a certificate online 12 9 My Certificate Details Click CERTIFICATES gt My Certificates to open the My Certificates screen Figure 82 on page 136 Click the details button to open the My Certificate Details screen You can use this screen to view in depth certificate information and change the certificate s name In the case of a self signed certificate you can set it to be the one that the ZyXEL Device uses to sign the trusted remote host certificates that you import to the ZyXEL Device ZyXEL NWA 3100 User s Guide Chapter 12 Certificates Figure 85 My Certificate Details auto generated self signed cert Certificate Path Certificate Information Certificate in PEM Base 64 Encoded Format MIIBgTCCASugAwIBAgIEOGi1ICcDANBgkqhkiGSwOBAQUFADAgMRAwHAYDVQODExVO lVOECMzEwMCAwMDEZzNDK3Nzg4NTUVvHhcNMD AwMTAXxMDAwMDAwWhcNMzAwMTAxMDAw MDA wWjAgMR4uHAYDVQODExVOVOECtMzEvuMCAwMDEZNDKk3Nzg4NTUwXDANBgkqhkiG SwOBAQEFAANLADBIAKEA nXIildYrRZ6JHhz2AZUi1mAdu2dwgHceLIE3frtglcEH 19QUvt5pWODqXcQmWUTSO0EsApPJpy3jrgQMDlTd206wIDAQABoO00wSz AOBgNVHOSB QAEBAMCAqQwJOYDVRORBBAwHIEaMDAxMzQSNzc4ODUi1QGFi1dG8uZ2VuLmNlcnQw EgYDVROTAQEABAgwBgEB wIBATANBgkghkiG9wOBA
303. the IANA from an ISP or have it assigned by a private network If you belong to a small organization and your Internet access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses ZyXEL NWA 3100 User s Guide 113 Chapter 9 IP Screen BS Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 9 3 Configuring IP Click IP to display the screen shown next Figure 67 IP Setup IP C Get automatically from DHCP Use fixed IP address IP Address 192 168 1 2 IP Subnet Mask 255 255 255 0 Gateway IP Address 0 0 0 0 Apply Reset The following table describes the labels in this screen Table 34 IP Setup LABEL DESCRIPTION IP Address Assignment Get automatically from DHCP Select this option if your ZyXEL Device is using a dynamically assigned IP address from a DHCP server each time Note You must know the IP address assigned to the ZyXEL Device by the DHCP server to access the ZyXEL Device again Use fixed IP address Select this option if your ZyXEL Device is using a static IP a
304. the following steps to activate rogue AP detection on the first of your ZyXEL Devices 1 Inthe ROGUE AP gt Configuration screen select Yes from the Activate Rogue AP Period Detection field Figure 30 Tutorial Periodic Rogue AP Detection Configuration Friendly AP Rogue AP Active Rogue AP Period Detection Period Friendly AP List Export File Path Browse Import Apply Reset ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial 2 Inthe Period min field enter how often you want the ZyXEL Device to scan for rogue APs You can have the ZyXEL Device scan anywhere from once every ten minutes to once every hour In this example enter 10 3 Click Apply 3 2 3 Set Up E mail Logs In this section you will configure the first of your four APs to send a log message to your e mail inbox whenever a rogue AP is discovered in your wireless network s coverage area 1 Click LOGS gt Log Settings The following screen appears Figure 31 Tutorial Log Settings 192 168 1 25 ALERT_Access_Point_A Syslog Logging L Send Log im m m m m mm In this example your mail server s IP address is 192 168 1 25 Enter this IP address in the Mail Server field Enter a subject line for the alert e mails in the Mail Subject field Choose a subject that 1s eye catching and identifies the access point in this example ALERT Access Point A Enter the email address to which y
305. tieduudteasdueteeeneds 89 Table 23 Security 802 1x Static 64 bit 802 1x Static 128 bit eee eee eecceeccece cece eee eeeeeeeeencnaeeeeeeeeeenees 90 Table 24 SOC VERI Suessattetulsiitte bn dieta n am each a aeehamehads 91 Table 25 Security WPAZ OF WPAZMIX snccssccsusnsiseduconordaadaneniveadionrssigessnmndyssuetonnsitasuaresiagebneasiacunnaess 92 Table 26 Security WPA PSK WPA2 PSK or WPA2 PSK MIX sssesseeeeenm eene ennemis 94 teble 27 cis M 95 Table 28 Vlrelpss Rowe BSS pod otro e t E bm de don o b ole boda i ad 99 Tbe 29 SIDE cationis p RR ani eka dn AS 101 Table 30 Comigunng SSID 102 Table 31 Layer 2 Isolation Configurator ci cecctasdcnndesusecinacduasconasdunasstinastadesiandacaescasadudancannadeadasianatuaccaana 107 Table 32 MAC Address FRISE snickeri tnu N RAT EQ ML Ur eae 110 Table 33 Frivate IF Address Rangos quesiti bre rti dic Pet REFER Gd RR a ed prd CO 113 THE ONR SENP sieaa a r a TIR 114 Table 35 ROGUE AP ded cic e 120 Table 30 ROGUE AF gt FIORI AP Hm 121 Table Sr ROGUE AF gt Rogue AP cuooaa se REFER ERROR AT CENSERE FERES Ser Red UpPe pP IN Sei Y PPpH Iq urn Ide E RUN 122 Table 38 Remote Management OVerview isseseseiiseseseii dnte etta d inh nta ha dnb sk ha dette kh dress hd dE ud 123 ZyXEL NWA 3100 User s Guide 25 Lis
306. ting menu 24 8 See the included disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the command prompt Type exit to return to the SMT main menu when finished Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable Figure 159 Menu 24 System Maintenance Menu 24 System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode co 10 015 CQ Pho ES 10 Time and Date Setting 11 Remote Management Setup Enter Menu Selection Number ZyXEL NWA 3100 User s Guide 217 Chapter 23 System Maintenance and Information Figure 160 Valid Cl Commands Copyright c 1994 2005 ZyXEL Communications Corp NWA 3100 Valid commands are Sys exit device ether config wlan ip ppp bridge hdap bm certificates radius 8021x wcfg rogueAP NWA 3100 23 1 1 Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle brackets lt gt The optional fields in a command are enclosed in square brackets e The symbol means or For example sys filter netbios
307. tion key is never used twice The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the pair wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients This all happens in the background automatically WPA2 AES Advanced Encryption Standard is a block cipher that uses a 256 bit mathematical algorithm called Rijndael The Message Integrity Check MIC is designed to prevent an attacker from capturing data packets altering them and resending them The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC If they do not match it is assumed that the data has been tampered with and the packet 1s dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC TKIP makes it much more difficult to decode data on a Wi Fi network than WEP making it difficult for an intruder to break into the network ZyXEL NWA 3100 User s Guide Appendix D Wireless LANs The encryption mechanisms used for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials The common password approach makes WPA PSK susceptible to brute force password guessing attacks b
308. to ensure it is correctly configured Log into each AP s Web configurator and click ROGUE AP gt Rogue AP Click Refresh If any of the MAC addresses from Table 4 on page 54 appear in the list the friendly AP function may be incorrectly configured check the ROGUE AP gt Friendly AP screen If any entries appear in the rogue AP list that are not in Table 4 on page 54 write down the AP s MAC address for future reference and check your e mail inbox If you have received arogue AP alert email alerts are correctly configured on that ZyXEL Device e f you have another access point that is not used in your network make a note of its MAC address and set it up next to each of your ZyXEL Devices in turn while the network is running Either wait for at least ten minutes to ensure the ZyXEL Device performs a scan in that time or login to the ZyXEL Device s Web configurator and click ROGUE AP gt Rogue AP gt Refresh to have the ZyXEL Device perform a scan immediately Check the ROGUE AP gt Rogue AP screen You should see an entry in the list with the same MAC address as your rogue AP Check the LOGS gt View Logs screen You should see a Rogue AP Detection entry in red text including the MAC address of your rogue AP ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Check your e mail You should have received at least one e mail alert your other ZyXEL Devices may also have sent alerts depending on their proximity and
309. tributes The configured Name fields are checked against these attributes If a configured Name field matches these attributes the corresponding VLAN ID is added to packets sent from this user to the LAN If the VLAN related attributes sent by the RADIUS server do not match a configured Name field a wireless station is assigned the wireless VLAN ID associated with its SSID unless the Block station if RADIUS server assign VLAN error check box is selected Apply Click Apply to save your changes to the ZyXEL Device Reset Click Reset to begin configuring this screen afresh 14 2 3 Configuring Management VLAN Example This section shows you how to create a VLAN on an Ethernet switch By default the port on the ZyXEL Device is a member of the management VLAN VLAN ID 1 The following procedure shows you how to configure a tagged VLAN LES If you misconfigure the management VLAN and lock yourself out from performing in band management you will need to reset the ZyXEL Device On an Ethernet switch create a VLAN that has the same management VLAN ID as the ZyXEL Device The following figure has the ZyXEL Device connected to port 2 of the switch and your computer connected to port 1 The management VLAN ID is ten ZyXEL NWA 3100 User s Guide Chapter 14 VLAN Figure 93 Management VLAN Configuration Example MVD 10 Por 1 Perform the following steps in the switch web configurator 1 Click
310. ts differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going 5 3 4 2 DSCP and Per Hop Behavior DiffServ defines a new DS Differentiated Services field to replace the Type of Service TOS field in the IP header The DS field contains a 2 bit unused field and a 6 bit DSCP field which can define up to 64 service levels The following figure illustrates the DS field DSCP is backward compatible with the three precedence bits in the ToS octet so that non DiffServ compliant ToS enabled network device will not conflict with the DSCP mapping ZyXEL NWA 3100 User s Guide Chapter 5 Wireless Configuration Figure 37 DiffServ Differentiated Service Field DSCP Unused 6 bit 2 bit The DSCP value determines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds of traffic can be marked for different priorities of forwarding Resources can then be allocated according to the DSCP values and the configured policies 5 3 5 ToS Type of Service and WMM QoS The DSCP value of outgoing packets is between 0 and 255 0 is the default priority WMM QoS checks the DSCP value in the header of data packets It gives the traffic a priority according to this number In or
311. u 1 ri 1 1 A H 2 2 Fr 4 C s o TR EN E B E i aan dann mmm An Extended Service Set ESS consists of a series of overlapping BSSs each containing an access point with each access point connected together by a wired network This wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate ZyXEL NWA 3100 User s Guide Appendix D Wireless LANs Figure 182 Infrastructure WLAN Ji S XX AP 1 Fy AP2 Ae 2 X i i P i f jT 7 a D BSS2 E o opasteaen b d se Wireless Station B PH Station C E Mean wee PI sean mem um e ar arn 1 e mmus m scar e v n ae gt ays pS re 2 UIN WEE oe A C NO co 2322555 iud WA 2 7 77 Channel A channel is the radio frequency ies used by IEEE 802 11a b g wireless devices Channels available depend on your geographical area You may have a choice of channels for your region so you should use a different channel than an adjacent AP access point to reduce interference Interference occu
312. uest and enroll for a certificate immediately online to have the ZyXEL Device generate a request for a certificate and apply to a certification authority for a certificate You must have the certification authority s certificate already imported in the Trusted CAs screen When you select this option you must select the certification authority s enrollment protocol and the certification authority s certificate from the drop down list boxes and enter the certification authority s server address You also need to fill in the Reference Number and Key if the certification authority requires them Enrollment Protocol Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineering Task Force IETF and is specified in RFC 2510 CA Server Address Enter the IP address or URL of the certification authority server CA Certificate Select the certification authority s certificate from the CA Certificate drop down list box You must have the certification authority s certificate already imported in the Trusted CAs screen Click Trusted CAs to go to the Trusted CAs screen where you can view and manage the ZyXEL Dev
313. ure Using DHCP Server 3 For dynamically assigned settings select Using DHCP Server from the Configure list DHCP Client ID IP Address s will be supplied by server 7 Subnet mask lt will be supplied by server gt Router address lt will be supplied by server gt Name server addr lt will be supplied by server gt Search comans 4 For statically assigned settings do the following From the Configure box select Manually ZyXEL NWA 3100 User s Guide Appendix B Setting up Your Computer s IP Address Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save changes to your configuration 7 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 174 Macintosh OS X Apple Menu CE Grab File Edit Capt About This Mac Get Mac OS X Software System Preferences Dock gt Location gt 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet from the Show list Click the TCP IP tab 3 For dynamically assigned settings select Using DHCP
314. ure usernames passwords and other sensitive information from unsuspecting clients A and B who attempt to connect This is known as a honeypot attack If a rogue AP in this scenario has sufficient power and is broadcasting the correct SSID Service Set IDentifier clients have no way of knowing that they are not associating with a legitimate company AP The attacker can forward network traffic from associated clients to a legitimate AP creating the impression of normal service This is a variety of man in the middle attack This scenario can also be part of a wireless denial of service DoS attack in which associated wireless clients are deprived of network access Other opportunities for the attacker include the introduction of malware malicious software into the network ZyXEL NWA 3100 User s Guide Chapter 10 Rogue AP Figure 69 Honeypot Attack E m ww X rem E B SU lt gt lt UR NU e 4 x 8 Py x At T e 2 M se j 4 b M e US 2 E L on Nus 2 Internet a ry Q SZ wn d P SSB a 4 10 3 Configuring Rogue AP Detection You can configure the ZyXEL Device to detect rogue IEEE 802 11a 5 GHz and IEEE 802 11b g 2 4 GHz APs If you have more than one AP in your wireless network you must also configure the list of friendly APs Friendly APs are the other wireless access points in your network as well as any others that you know are not
315. ut it s still an improvement over WEP as it employs an easier to use consistent single alphanumeric password User Authentication WPA or WPA2 applies IEEE 802 1x and Extensible Authentication Protocol EAP to authenticate wireless clients using an external RADIUS database If both an AP and the wireless clients support WPA2 and you have an external RADIUS server use WPA2 for stronger data encryption If you don t have an external RADIUS server you should use WPA2 PSK WPA2 Pre Shared Key that only requires a single identical password entered into each access point wireless gateway and wireless client As long as the passwords match a wireless client will be granted access to a WLAN If the AP or the wireless clients do not support WPA2 just use WPA or WPA PSK depending on whether you have an external RADIUS server or not Select WEP only when the AP and or wireless clients do not support WPA or WPA2 WEP is less secure than WPA or WPA2 Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method key management protocol type MAC address filters are not dependent on how you configure these security features Table 91 Wireless Security Relational Matrix METHOD KEY OE ROD ON MANUAL KEY ENABLE IEEE 802 1X MANAGEMENT PROTOCOL Open None No No Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic
316. vate layer 2 isolation Enable MAC Filtering Select Enable from the drop down list box to activate MAC address filtering Intra BSS Traffic Select Enable from the drop down list box to prevent wireless clients in this blocking profile s BSS from communicating with one another Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh ZyXEL NWA 3100 User s Guide Chapter 7 MBSSID and SSID ZyXEL NWA 3100 User s Guide Other Wireless Configuration This chapter describes how to configure the Layer 2 Isolation and MAC Filter screens on your ZyXEL Device 8 1 Layer 2 Isolation Introduction Layer 2 isolation is used to prevent wireless clients associated with your ZyXEL Device from communicating with other wireless clients APs computers or routers in a network In the following example layer 2 isolation is enabled on the ZyXEL Device Z in the figure to allow a guest wireless client A to access the main network router B the router providing Internet access C and the network printer D while preventing the client from accessing other computers and servers on the network The client can communicate with other wireless clients only if Intra BSS Traffic blocking is disabled In the Wireless configuration screen Intra BSS Traffic Blocking is activated when you enable layer 2 isolation ZyXEL NWA 3100 User s Guide Chapter 8 Other Wireless Configuration
317. ver as MDS authentication method does not perform mutual authentication Finally MD5 authentication method does not support data encryption with dynamic session key You must configure WEP encryption keys for data encryption ZyXEL NWA 3100 User s Guide Appendix D Wireless LANs EAP TLS Transport Layer Security With EAP TLS digital certifications are needed by both the server and the wireless stations for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exchange of certificates is done in the open before a secured tunnel is created This makes user identity vulnerable to passive attacks A digital certificate is an electronic ID card that authenticates the sender s identity However to implement EAP TLS you need a Certificate Authority CA to handle certificates which imposes a management overhead EAP TTLS Tunneled Transport Layer Service EAP TTLS is an extension of the EAP TLS authentication that uses certificates for only the server side authentications to establish a secure connection Client authentication is then done by sending username and password through the secure connection thus client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 PEAP Protected EAP Like EAP TTLS server side
318. wireless network for guests to your office The following figure shows the multiple networks you want to set up Your ZyXEL Device is marked Z the main network router is marked A and your network printer is marked B ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Figure 10 Tutorial Example MBSSID Setup m Internet gt i w ll VolP SSID The standard network SSID04 has access to all resources The VoIP network VoIP SSID has access to all resources and a high Quality of Service QoS setting see Section 5 3 on page 69 for information on QoS The guest network Guest SSID has access to the Internet and the network printer only and a low QoS setting To configure these settings you need to know the MAC Media Access Control addresses of the devices you want to allow users of the guest network to access The following table shows the addresses used in this example Table 2 Tutorial Example Information Network router A MAC address 00 AA 00 AA 00 AA Network printer B MAC address AA 00 AA 00 AA 00 3 1 1 Change the Operating Mode Log in to the ZyXEL Device see Section 2 1 on page 39 Click WIRELESS gt Wireless The Wireless screen appears In this example the ZyXEL Device is set to Access Point operating mode and is currently using the SSID04 profile ZyXEL NWA 3100 User s Guide Chapter 3 Tutorial Figure 11 Tutorial Wireless LAN Before Wireless SSID Security RADIU
319. xport Click this button and then Save in the File Download screen The Save As screen opens browse to the location that you want to use and click Save Apply Click Apply to save your changes You can only change the name except in the case of a self signed certificate which you can also set to be the default self signed certificate that signs the imported trusted remote host certificates Cancel Click Cancel to quit and return to the My Certificates screen Click CERTIFICATES Trusted CAs to open the Trusted CAs screen This screen displays a summary list of certificates of the certification authorities that you have set the ZyXEL Device to accept as trusted The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy thus you do not need to import any certificate that is signed by one of these certification authorities See the following figure Figure 86 Trusted CAs My Certificates Trusted CAs PKI Storage Space in Use on 100 Trusted CA Certificates EUNTCHETTNUUETTTERTT Issuer Details Import Delete Refresh ZyXEL NWA 3100 User s Guide Chapter 12 Certificates The following table describes the labels in this screen Table 49 Trusted CAs LABEL DESCRIPTION PKI Storage This bar displays the percentage of the ZyXEL Device s PKI storage space that is Space in Use currently in use When you are using 80 or les
320. y Updated sencsnnenienenisne AnA E 51 Figure 22 Tutorial Layer 2 ISolallalt uiuere rear eive i dare nai Eee dioe Ur LL Vix E c td 51 Figure 23 Tutorial Activate Guest Profile eiie erorhrode e Eapa d i Ka ma bee Era e n npa d RU ERR MI aana aa 52 Figure 24 Tutorial Wireless Network Example ica ccen epe tob e tope cn SEPT e t Hb aun YE PERPE ERR ERUUEA 53 Figure 25 Tutorial Friendly AP Before Data Entry 15 tte eerte anpra hr tb erp ad appo LESER xs 54 Figure 26 Tutorial Friendly AP After Data Entry eese eese thanh nata nuni th an kd haha 55 Figure 27 Tutorial Configuration sssrini sosisini ainidi naei a ia ARAR N R 55 zc 9 Toona N cR ET 56 Figure 29 Tutorial Save Friendly AF IS Lucie emere n ctt te P e tbt Ea oE c Oo br Foi tov duct Fo DP ER RP PEURRR MR DREA 56 Figure 30 Tutorial Periodic Rogue AP Detection iui isceec ceceseee ertet euer eevr o iinan pO Ede 56 Figure 31 Tutorial Log SOUCIS sssrinin epe i ERR PARARE C casa eda Rete nu RRERE CEU turp t aS E Re D E REX CER CO Ev 57 Figure 22 Sysiem Sonera so 63 aliro da SONG E tsi EA E ay as es ales dis asa en oe as E 64 Figure d4 Time SUNG ee IT 65 Figure 39 Basie Seice SEU sicciccausateisrcincessntiecndccenens canst eE N E E R E EE 67 Figure 3b Extended Service SEE aisesscini ebasci vi He eet WISH E SRS 68 Figure 37 DiffServ Differentiated Service Field 2e reri trer e pc rente Hb ER EPI s r EP RU ER PEPN ERREA T2 Figure 36 Wireless Access Lr eM
321. y Assignment LAN to WLAN PACKET SIZE BYTES 3 ATC VALUE M WMM VALUE 1 250 ATC_High WMM_VIDEO 250 1100 ATC_Medium WMM_BEST_EFFORT 1100 ATC_Low WMM_BACKGROUND 5 3 3 2 ATC WMM from WLAN to LAN ATC WMM from WLAN to LAN automatically prioritizes assigns an ATC value to all packets coming from the WLAN Packets are assigned an ATC value based on their WMM value not their size The following table shows how priorities are assigned for packets coming from the WLAN to the LAN when using ATC WMM Table 12 ATC WMM Priority Assignment WLAN to LAN WMM VALUE gt ATC VALUE WMM_VOICE ATC_High WMM_VIDEO ATC High WMM BEST EFFORT ATC Medium WMM BACKGROUND ATC Low NONE ATC Medium 5 3 4 Type Of Service ToS Network traffic can be classified by setting the ToS Type Of Service values at the data source for example at the ZyXEL Device so a server can decide the best method of delivery that is the least cost fastest route and so on 5 3 4 1 DiffServ DiffServ is a class of service CoS model that marks packets so that they receive specific per hop treatment at DiffServ compliant network devices along the route based on the application types and traffic flow Packets are marked with DiffServ Code Points DSCPs indicating the level of service desired This allows the intermediary DiffServ compliant network devices to handle the packe
322. yXEL Device is set to Access Point AP Bridge or MBSSID mode you need to choose the SSID profile s you want to use in your wireless network see Section 5 5 on page 74 for more information on operating modes Use the WIRELESS gt SSID screen to see information about the SSID profiles on the ZyXEL Device and use the WIRELESS gt SSID gt Edit screen to configure the SSID profiles 7 2 1 The SSID Screen Click WIRELESS gt SSID to display the screen as shown ZyXEL NWA 3100 User s Guide Chapter 7 MBSSID and SSID Figure 57 SSID Wireless SSID Security RADIUS Layer 2 Isolation MAC Filter Index Name SSID___ Security RADIUS QoS PEI ver ssp ZyXELO1 security01 radius01 VoIP EJEB ces ssi ZyXEL02 security01 radius01 NONE EE sso ZyXELO3 security01 radius 1 NONE KEEN ssp ZyXELO4 security01 radius01 NONE EN sso ZyXELOS security01 radius 1 NONE PIEJ sspe ZyxELO6 security 1 radius01 NONE EM ss ZyXELO7 security01 radius01 NONE PEJ sso ZyXELOB security01 radius01 NONE KEEN ssp ZyXELOS security01 radius01 NONE BEI sso ZyXEL10 security01 radius 1 NONE GEA sson ZyXEL11 security01 radius01 NONE ER sspe ZyXEL12 security01 radius 1 NONE BGEA ssm ZyXEL13 security01 radius01 NONE EOE ssp ZyXEL14 security01 radius 1 NONE WE ssi zyxEk5 securityo radius01 NONE EJEJ sspe ZyXEL16 security01 radius01 NONE 3 The following table desc
Download Pdf Manuals
Related Search