ZyXEL NWA-3500 User's Manual

Contents

1. NWA-3500/NWA-3550 User's Guide, Appendix G: Legal Information
   Notices
   Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France. This Class B digital apparatus complies with Canadian ICES-003. This Class B digital apparatus complies with the Canadian standard NMB-003.
   Viewing Certifications
   1. Go to http://www.zyxel.com.
   2. Select your product on the ZyXEL home page to go to that product's page.
   3. Select the certification you wish to view from this page.
   ZyXEL Limited Warranty
   ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proo
2. [Figure: VLAN mapping table listing each SSID profile's Name, SSID, VLAN ID and Second Rx VLAN ID.]
   6. Click Apply to save these settings. Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3, and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03.
   21.1 21.1.1 Load Balancing Overview
   Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point, or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP's wireless bandwidth, this can be a crucial function in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load-balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.
   What You Need to Know About Load Balancing
   There are two kinds of load balancing available on the NWA: Load bala
3. DHCP client gets %s: A DHCP client got a new IP address from the DHCP server.
   DHCP client IP expired: A DHCP client's IP address has expired.
   DHCP server assigns %s: The DHCP server assigned an IP address to a client.
   SMT Login Successfully: Someone has logged on to the NWA's SMT interface.
   SMT Login Fail: Someone has failed to log on to the NWA's SMT interface.
   WEB Login Successfully: Someone has logged on to the NWA's web configurator interface.
   WEB Login Fail: Someone has failed to log on to the NWA's web configurator interface.
   TELNET Login Successfully: Someone has logged on to the NWA via telnet.
   TELNET Login Fail: Someone has failed to log on to the NWA via telnet.
   FTP Login Successfully: Someone has logged on to the NWA via FTP.
   FTP Login Fail: Someone has failed to log on to the NWA via FTP.
   Table 76: ICMP Notes
   TYPE | CODE | DESCRIPTION
   0 (Echo Reply) | 0 | Echo reply message
   3 (Destination Unreachable) | 0 | Net unreachable
   3 (Destination Unreachable) | 1 | Host unreachable
   3 (Destination Unreachable) | 2 | Protocol unreachable
   3 (Destination Unreachable) | 3 | Port unreachable
   3 (Destination Unreachable) | 4 | A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
   3 (Destination Unreachable) | 5 | Source route failed
   4 (Source Quench) | 0 | A gateway may discard interne
4. [Figure: configuration flowchart. Recoverable steps: Configure internal AUTH SERVER (optional); Configure Layer 2 Isolation (optional); Configure MAC Filter (optional); Check your settings and test.]
   6.1.3 Further Reading
   Use these links to find more information on the steps:
   - Choosing 802.11 Mode: see Section 8.4.1 on page 123.
   - Choosing a wireless Channel ID: see Section 8.4.1 on page 123.
   - Selecting and configuring SSID profile(s): see Section 8.4.1 on page 123 and Section 9.4 on page 143.
   - Configuring and activating WDS Security: see Section 8.4.2 on page 126.
   - Editing Security Profile(s): see Section 10.4 on page 150.
   - Configuring an external RADIUS server: see Section 11.4 on page 163.
   - Configuring and activating the internal AUTH SERVER: see Section 11.4 on page 163 and Chapter 17 on page 199.
   - Configuring Layer 2 Isolation: see Section 12.4.1 on page 167.
   - Configuring MAC Filtering: see Section Note on page 174.
   6.2 How to Configure Multiple Wireless Networks
   In this example, you have been using your NWA as an access point for your office network. See your Quick Star
5. Subnet Planning
   The following table is a summary for subnet planning on a network with a 24-bit network number.
   Table 111: 24-bit Network Number Subnet Planning
   NO. "BORROWED" HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
   1 | 255.255.255.128 (/25) | 2 | 126
   2 | 255.255.255.192 (/26) | 4 | 62
   3 | 255.255.255.224 (/27) | 8 | 30
   4 | 255.255.255.240 (/28) | 16 | 14
   5 | 255.255.255.248 (/29) | 32 | 6
   6 | 255.255.255.252 (/30) | 64 | 2
   7 | 255.255.255.254 (/31) | 128 | 1
   The following table is a summary for subnet planning on a network with a 16-bit network number.
   Table 112: 16-bit Network Number Subnet Planning
   NO. "BORROWED" HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
   1 | 255.255.128.0 (/17) | 2 | 32766
   2 | 255.255.192.0 (/18) | 4 | 16382
   3 | 255.255.224.0 (/19) | 8 | 8190
   4 | 255.255.240.0 (/20) | 16 | 4094
   5 | 255.255.248.0 (/21) | 32 | 2046
   6 | 255.255.252.0 (/22) | 64 | 1022
   7 | 255.255.254.0 (/23) | 128 | 510
   8 | 255.255.255.0 (/24) | 256 | 254
   9 | 255.255.255.128 (/25) | 512 | 126
   10 | 255.255.255.192 (/26) | 1024 | 62
   11 | 255.255.255.224 (/27) | 2048 | 30
   12 | 255.255.255.240 (/28) | 4096 | 14
   13 | 255.255.255.248 (/29) | 8192 | 6
   14 | 255.255.255.252 (/30) | 16384 | 2
   15 | 255.255.255.254 (/31) | 32768 | 1
   Configuring IP Addresses
   Where you obtain your network number depends on your particular situation. If the ISP or your network administr
6. Registration Type: This field displays how the managed APs are registered with the NWA.
   - Manual displays if you add unmanaged APs to the NWA's list of managed APs manually.
   - Always Accept displays if the NWA automatically manages any CAPWAP-enabled AP that transmits a management request over the network.
   Management Mode: When the NWA is in AP controller mode, this displays Controller.
   On-line: This field displays the number of access points managed by the NWA that are currently active.
   Off-line: This field displays the number of access points managed by the NWA that are not currently active (turned off or otherwise unreachable on the network).
   Un-managed: This field displays the number of access points on the network that are not managed by the NWA but are transmitting CAPWAP management requests.
   802.11a: This field displays the number of wireless clients associated with APs managed by the NWA (including the NWA itself) using IEEE 802.11a.
   802.11b/g: This field displays the number of wireless clients associated with APs managed by the NWA (including the NWA itself) using IEEE 802.11b or IEEE 802.11g.
   AP List: Click this to see a list of the APs managed by the NWA.
   AP Statistics: Click this to see packet statistics related to each of the APs managed by the NWA.
   Association List: Click this to see information about each of the wireless clients connected to APs managed by the NWA.
   SSID Information: Click thi
7. [Figure residue: Internet Options, Privacy tab, with the privacy slider at Medium and the Pop-up Blocker option "Block pop-ups".]
   3. Click Apply to save this setting.
   Enable Pop-up Blockers with Exceptions
   Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
   1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
   2. Select Settings to open the Pop-up Blocker Settings screen.
   [Figure 232: Internet Options: Privacy. Screenshot of the Privacy tab showing the Pop-up Blocker section and its Settings button.]
   3. Type
8. Use new setting: Select this if you want to change the local management password.
   Old Password: Type in your existing system password (1234 is the default password).
   New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays an asterisk for each character you type.
   Retype to Confirm: Retype your new system password for confirmation.
   Enable Admin on RADIUS: Select this (and configure the other fields in this section) to have a RADIUS server authenticate management logins to the NWA.
   Use old setting: Select this to have a RADIUS server authenticate management logins to the NWA using the RADIUS username and password already configured on the device.
   Use new setting: Select this if you want to change the RADIUS username and password the NWA uses to authenticate management logon.
   User Name: Enter the username for this user account. This name can be up to 31 ASCII characters long, including spaces.
   Table 24: System > Password (LABEL: DESCRIPTION)
   Password: Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type. Spaces are allowed. Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in lengt
9. WPA2-PSK: This adds a pre-shared key on top of WPA2 standard.
   WPA2-PSK-MIX: This commands the NWA to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses.
   Passphrase: A passphrase functions like a password. In WEP security mode, it is further converted by the NWA into a complicated string that is referred to as the "key". This key is requested from all devices wishing to connect to a wireless network.
   PSK: The Pre-Shared Key (PSK) is a password shared by a wireless access point and a client during a previous secure connection. The key can then be used to establish a connection between the two parties.
   Encryption: Encryption is the process of converting data into unreadable text. This secures information in network communications. The intended recipient of the data can "unlock" it with a pre-assigned key, making the information readable only to him. The NWA, when used as a wireless client, employs Temporal Key Integrity Protocol (TKIP) data encryption.
   EAP: Extensible Authentication Protocol (EAP) is a protocol used by a wireless client, an access point and an authentication server to negotiate a connection. The EAP methods employed by the NWA, when in Wireless Client operating mode, are Transport Layer Security (TLS), Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP) and Tunneled Transport Layer Security (TTLS). The authentication proto
10. 1.2.2 Bridge/Repeater
    The NWA can act as a wireless network bridge and establish wireless links with other APs. In the figure below, the two NWAs (A and B) are connected to independent wired networks and have a bridge connection (A can communicate with B) at the same time. A NWA in repeater mode (C) has no Ethernet connection. When the NWA is in bridge mode, you should enable STP to prevent bridge loops.
    When the NWA is in Bridge/Repeater mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP. If you do not enable WDS security, traffic between APs is not encrypted. When WDS security is enabled, both APs must use the same pre-shared key. See Section 8.4.2 on page 126 for more details.
    Once the security settings of peer sides match one another, the connection between devices is made. At the time of writing, WDS security is compatible with other ZyXEL access points only. Refer to your other access point's documentation for details.
    [Figure 2: Bridge Application]
    [Figure 3: Repeater Application]
    1.2.3 AP+Bridge
    In AP+Bridge mode, the NWA supports both AP and bridge connection at the same time.
11. 4. Click Apply.
    6.3.3 Set Up E-mail Logs
    In this section, you will configure the first of your four APs to send a log message to your e-mail inbox whenever a rogue AP is discovered in your wireless network's coverage area.
    1. Click LOGS > Log Settings. The following screen appears.
    [Figure 54: Tutorial: Log Settings]
    - In this example, your mail server's IP address is 192.168.1.25. Enter this IP address in the Mail Server field.
    - Enter a subject line for the alert e-mails in the Mail Subject field. Choose a subject that is eye-catching and identifies the access point (in this example, ALERT_Access_Point_A).
    - Enter the email address to which you want alerts to be sent (myname@myfirm.com in this example).
    - In the Send Immediate Alert section, select the events you want to trigger immediate e-mails. Ensure that Rogue AP Detection is selected.
    Click Apply.
    6.3.4 Configure Your Other Access Points
    Access point A is now configured to do the following:
    - Scan for access points in its coverage area every ten minutes.
    - Recognize friendly access points from a list.
    - Send immediate alerts to your email account if it detects an access
12. Interface: This column displays each interface of the NWA.
    Status: This field indicates whether or not the NWA is using the interface. For each interface, this field displays Up when the NWA is using the interface and Down when the NWA is not using the interface.
    Rate: For the LAN port, this displays the port speed and duplex setting. For the WLAN1 and WLAN2 interfaces, it displays the downstream and upstream transmission rate, or N/A if the interface is not in use.
    SSID Status: This section is not available when the NWA is in AP controller management mode.
    Interface: This column displays each of the NWA's wireless interfaces, WLAN1 and WLAN2.
    Table 4: The Status Screen (LABEL: DESCRIPTION)
    SSID: This field displays the SSID(s) currently used by each wireless module.
    BSSID: This field displays the MAC address of the wireless adaptor.
    Security: This field displays the type of wireless security used by each SSID.
    VLAN: This field displays the VLAN ID of each SSID in use, or Disabled if the SSID does not use VLAN.
    AP status: This section is available only when the NWA is in AP controller management mode.
    On-line: This field displays how many APs (including the NWA) in the managed AP list are active.
    Off-line: This field displays how many APs (including the NWA) in the managed AP list are inactive.
    Un-Managed: This field displays how many
13. Select this check box to use an external authentication server. The NWA does not use the internal authentication server when this check box is enabled.
    Active: Select the check box to enable user authentication through an external authentication server. This check box is not available when you select Internal.
    RADIUS Server IP Address: Enter the IP address of the external authentication server in dotted decimal notation. This field is not available when you select Internal.
    RADIUS Server Port: Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so. This field is not available when you select Internal.
    Share Secret: Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external authentication server and the NWA. The key must be the same on the external authentication server and your NWA. The key is not sent over the network. This field is not available when you select Internal.
    Active: Select the check box to enable user accounting through an external authentication server.
    Accounting Server IP Address: Enter the IP address of the external accounting server in dotted decimal notation.
    Accounting Server Port: Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your
14. - Enter C's MAC address in the MAC Address field, and enter "File Server C" in the Description field.
    [Figure 106: Layer 2 Isolation Example 1. The screenshot shows MAC address 00:00:c5:00:00:66 with the description File Server C.]
    Example 2: Restricting Access to Client
    In the following example, wireless clients 1 and 2 can communicate with access point B and file server C, but not wireless client 3.
    - Enter the server's and your NWA's MAC addresses in the MAC Address fields. Enter "File Server C" in C's Description field, and enter "Access Point B" in B's Description field.
    [Figure 107: Layer 2 Isolation Example 2. The screenshot shows MAC address 00:00:c5:00:00:66 with the description File Server C and 00:00:c5:00:00:cc with the description Access Point B.]
    MAC Filter Screen 13.1
15. L2 Isolation: L2Isolation04
    MAC Filtering: macfilter04
    Layer 2 Isolation (L2Isolation04) Screen
    Profile Name: L 2 ISO_SERVER 2
    Set 1: MAC Address 77:66:55:44:33:22, Description NET_SWITCH
    Set 2: MAC Address 99:88:77:66:55:44, Description SERVER_2
    Set 3: MAC Address 66:55:44:33:22:11, Description GATEWAY
    MAC Filter (macfilter04) Edit Screen
    Profile Name: MacFilter_SERVER_2
    Set 1: MAC Address 22:33:44:55:66:77, Description Bob
    6.4.6 Checking your Settings and Testing the Configuration
    Use the following sections to ensure that your wireless networks are set up correctly.
    6.4.6.1 Checking Settings
    Take the following steps to check that the NWA is using the correct SSIDs, MAC filters and layer-2 isolation profiles.
    1. Click WIRELESS > Wireless. Check that the Operating Mode is MBSSID and that the correct SSID profiles are selected and activated, as shown in the following figure.
    [Figure 60: Tutorial: SSID Profiles Activated. Screenshot of the Wireless screen with WLAN Interface WLAN1, Operating Mode MBSSID and 802.11 Mode 802.11b/g.]
16. LOAD BALANCING and DCS. Click MAINTENANCE to view information about your NWA or upgrade configuration and firmware files. Maintenance features include Status, Statistics, Association List, Channel Usage, F/W (firmware) Upload, Configuration (Backup, Restore and Default) and Restart.
    Status Screens
    The Status screen displays when you log into the NWA, or click STATUS in the navigation menu. Use the Status screens to look at the current status of the device, system resources, interfaces and SSID status. The Status screen also provides detailed information about associated wireless clients, channel usage, logs and detected rogue APs.
    3.1 The Status Screen
    Click Status. The following screen displays. The Status screen varies slightly depending on the NWA's management mode you configured in the MGMT MODE screen. The NWA works as a standalone AP by default.
    [Figure 12: The Status Screen (Standalone AP). Screenshot showing the System Information, System Status and SSID Status sections.]
17. [Figure residue: VLAN screen with the Management VLAN ID field and the VLAN Mapping Table (Index, Name, SSID, VLAN ID, Second Rx VLAN ID).]
    4. The NWA attempts to connect with a VLAN-aware device. You can now access and manage the NWA through the Ethernet switch.
    Note: If you do not connect the NWA to a correctly configured VLAN-aware device, you will lock yourself out of the NWA. If this happens, you must reset the NWA to access it again.
    20.5.3 Configuring Microsoft's IAS Server Example
    Dynamic VLAN assignment can be used with the NWA. Dynamic VLAN assignment allows network administrators to assign a specific VLAN (configured on the NWA) to an individual's Windows User Account. When a wireless station is successfully authenticated to the network, it is automatically placed into its respective VLAN.
    ZyXEL uses the following standard RADIUS attributes ret
18. When you enable WDS security, also do the following:
    - Select the type of security you want to use (TKIP or AES) to secure traffic on your WDS.
    - Enter a pre-shared key in the PSK field for each access point in your WDS. Each access point can use a different pre-shared key.
    - Configure WDS security and the relevant PSK in each of your other access point(s).
    Note: Other APs must use the same encryption method to enable WDS security.
    TKIP (ZyAIR Series Compatible): Select this to enable Temporal Key Integrity Protocol (TKIP) security on your WDS. This option is compatible with other ZyXEL access points including that support WDS security. Use this if the other access points on your network support WDS security but do not have an AES option.
    Note: Check your other AP's documentation to make sure it supports WDS security.
    Note: At the time of writing, this option is compatible with other ZyXEL NWA Series and G-3000/G-3000H access points only.
    AES: Select this to enable Advanced Encryption System (AES) security on your WDS. AES provides superior security to TKIP. Use AES if the other access points on your network support it for the WDS.
    Note: At the time of writing, this option is compatible with other ZyXEL NWA Series access points only.
    Index: This is the index number of the bridge connection.
    Active: Select the check box to enable the bridge connection. Otherwise, clear the check box to disable it.
    Re
19. Wireless Association List: With the wireless association list, you can see the list of the wireless stations that are currently using the NWA to access your wired network.
    Logging and Tracing: Built-in message logging and packet tracing.
    Embedded FTP and TFTP Servers: The embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.
    Auto Configuration: Administrators can use text configuration files to configure the wireless LAN settings for multiple APs. The AP can automatically get a configuration file from a TFTP server at start-up or after renewing DHCP client information.
    SNMP: SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your NWA supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA through the network. The NWA supports SNMP version one (SNMPv1) and version two c (SNMPv2c). The NWA-3165 also supports version 3 (SNMPv3).
    DFS: DFS (Dynamic Frequency Selection) allows a wider choice of 802.11a wireless channels.
    CAPWAP (Control and Provisioning of Wireless Access Points): The NWA can be managed via CAPWAP, which allows multiple APs to be configured and managed by a single AP controller.
20. - Also use the VLAN screen to set up wireless VLANs based on SSID.
    Configure the fields in the above screens to use the settings in an SSID profile. Refer to Section 8.3 on page 120 for pertinent information related to the screens in this chapter.
    9.4 The SSID Screen
    Use this screen to select the SSID profile you want to configure. Click Wireless > SSID to display the screen as shown.
    [Figure 89: Wireless > SSID]
21. [Figure residue: ESS diagram with labels AP2 and BSS1.]
    8.3.1 Operating Mode
    The NWA can run in four operating modes as follows:
    - AP (Access Point): The NWA is a wireless access point that allows wireless communication to other devices in the network.
    - Bridge/Repeater: The NWA acts as a wireless network bridge and establishes wireless links with other APs. You need to know the MAC address of the peer device, which also must be in bridge mode. The NWA can establish up to five wireless links with other APs.
    - AP+Bridge Mode: The NWA functions as a bridge and access point simultaneously.
    - MBSSID Mode: The Multiple Basic Service Set Identifier (MBSSID) mode allows you to use one access point to provide several BSSs simultaneously.
    Refer to Chapter 1 on page 31 for illustrations of these wireless applications.
    The following are terms used for the wireless screens.
    SSID: The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Normally, the ZyXEL Device acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the ZyXEL Device does not broadcast the SSID. In addition, you should change the defaul
22. - Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut), which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
    - Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.
    Positioning Antennas
    In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.
    For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible.
    For directional antennas, point the antenna in the direction of the desired coverage area.
    Pop-up Windows, JavaScripts and Java Permissions
    In
23. It is recommended that each certificate have unique subject information.
    Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
    Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable.
    Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired.
    Apply: Click Apply to have the NWA use certificates to authenticate wireless clients.
    Reset: Click Reset to start configuring this screen afresh.
    17.5 The Trusted AP Screen
    Use this screen to specify APs as trusted. Click AUTH SERVER > Trusted AP. The following screen displays.
    [Figure 126: Trusted AP Screen, with columns Active, IP Address and Shared Secret.]
    The following table describes the labels in this screen.
    Table 64 Trusted AP
24. [Figure residue: browser certificate dialog.]
    4. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
    Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
    IP Addresses and Subnetting
    This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.
    Introduction to IP Addresses
    One part of the IP address is the network number, and the
25. You need to activate the VoIP_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the VoIP_SSID profile's Active checkbox and click Apply.
    [Figure 40: Tutorial: Activate VoIP Profile]
    Your VoIP wireless network is now ready to use. Any traffic using the VoIP_SSID profile will be given the highest priority across the wireless network.
    6.2.3 Configure the Guest Network
    When you are setting up the wireless network for guests to your office, your primary concern is to keep your network secure while allowing access to certain resources (such as a network printer, or the Internet). For this reason, the pre-configured Guest_SSID profile has layer-2 isolation and intra-BSS traffic blocking enabled by default. Layer-2 isolation means that a client accessing the network via the Guest_SSID profile can access only certain pre-defined devices on the network (see Section on page 166), and intra-BSS traffic blocking means that the client cannot access other clients on the same wireless network (see Section 8.4 on page 123).
    Click WIRELESS > SSID. Sele
26. but should not access server 2, and wireless user Bob (B) needs to access server 2 but should not access server 1. Your NWA is marked Z, C is a workstation on your wired network, D is your main network switch and E is the security gateway you use to connect to the Internet.

Chapter 6 Tutorial

Figure 55 Tutorial: Example Network

6.4.2 Your Requirements

1 You want to set up a wireless network to allow only Alice to access Server 1 and the Internet.
2 You want to set up a second wireless network to allow only Bob to access Server 2 and the Internet.

6.4.3 Setup

In this example, you have already set up the NWA in MBSSID mode (see Chapter 12 on page 165). It uses two SSID profiles simultaneously. You have configured each SSID profile as shown in the following table.

Table 18 Tutorial: SSID Profile Security Settings
SSID Profile Name            SERVER_1                                  SERVER_2
SSID                         SSID_S1                                   SSID_S2
Security                     Security Profile security03:              Security Profile security04:
                             WPA2-PSK, Hide SSID                       WPA2-PSK, Hide SSID
Intra-BSS traffic blocking   Enabled                                   Enabled

Each SSID profile already uses a different pre-shared key. In this example, you will configure access limitations for each SSID profile. To do this, you will take the following steps.

1 Configure the SERVER_1 network's SSID profile to use s
27.
• The Profile Edit > Security screen (see Section 10.2 on page 136).
• The Profile Edit > RADIUS screen (see Section 11.2 on page 149).
• The Profile Edit > Layer 2 Isolation screen (see Section 12.2 on page 153).
• The Profile Edit > MAC Filter screen (see Section 13.2 on page 158).

5.7.1 The Radio Profile Screen

Use this screen to configure radio profiles. Radio profiles contain information about an AP's wireless settings, and can be applied to APs managed by the NWA. In AP Controller mode, click Profile Edit > Radio. The following screen displays.

Figure 29 The Profile Edit > Radio Screen

Chapter 5 Controller AP Mode

The following table describes the labels in this screen.

Table 13 The Profile Edit > Radio Screen
LABEL: DESCRIPTION
Index: This field displays the index number of each rad
28. > Edit
LABEL: DESCRIPTION
Index: This is the index number of the MAC address.
MAC Address: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless station to be allowed or denied access to the NWA.
Description: Type a name to identify this wireless station.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

Note: To activate MAC filtering on an SSID profile, select the correct filter from the Enable MAC Filtering drop-down list box in the Wireless > SSID > Edit screen and click Apply.

IP Screen

14.1 Overview

This chapter describes how you can configure the IP address of your NWA. The Internet Protocol (IP) address identifies a device on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Figure 111 IP Setup

The figure above illustrates one possible setup of your NWA. The gateway IP address is 192.168.1.1 and the IP address of the NWA is 192.168.1.2 (default). The gateway and the device must belong in the same subnet mask to be able to communicate with each other.

14.2 What You Can Do in the IP Screen

Use the IP Screen (see Section 14.4 on page
29. or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.

Appendix G Legal Information

This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a partic
30. Chapter 25 Product Specifications

Antenna Specifications: SMA antenna connectors, equipped by default with 2dBi omni antenna 60. When facing the front of the NWA, the antenna on the right is used by wireless LAN adaptor WLAN1 and the antenna on the left is used by wireless LAN adaptor WLAN2.
Output Power: IEEE 802.11b/g: 17 dBm; IEEE 802.11a: 14 dBm
Operating Environment: Temperature 09 C 5 C; Humidity 20 95 RH
Storage Environment: Temperature 40 C 609 C; Humidity 5 95 RH
Distance between the centers of wall-mounting holes on the device's back: 80 mm
Screw size for wall-mounting: 6mm 8mm (0 24 0 31) head width

Table 92 Firmware Specifications
Default IP Address: 192.168.1.2
Default Subnet Mask: 255.255.255.0 (24 bits)
Default Password: 1234
Wireless LAN Standards: IEEE 802.11a, IEEE 802.11b, IEEE 802.11g
Wireless security: WEP, WPA 2, WPA 2 PSK, IEEE 802.1x
Layer 2 isolation: Prevents wireless clients associated with your NWA from communicating with other wireless clients, APs, computers or routers in a network.
Multiple BSSID (MBSSID): MBSSID mode allows the NWA to operate up to 8 different wireless networks (BSSs) simultaneously, each with independently configurable wireless and security settings.
Rogue AP detection: Rogue AP detection detects and logs unknown access points (APs) operating
31. This Select SSID Profile table allows you to activate or deactivate SSID profiles. Your wireless network was previously using the SSID04 profile, so select SSID04 in one of the Profile list boxes (number 3 in this example). Select the Active box for the entry and click Apply to activate the profile. Your standard wireless network (SSID04) is now accessible to your wireless clients as before. You do not need to configure anything else for your standard network.

6.2.2 Configure the VoIP Network

Next, click WIRELESS > SSID. The following screen displays. Note that the SSID04 SSID profile (the standard network) is using the security01 security profile. You cannot change this security profile without changing the standard network's parameters, so when you set up security for the VoIP_SSID and Guest_SSID profiles you will need to set different security profiles.

Chapter 6 Tutorial

Figure 35 Tutorial: WIRELESS > SSID
32. t possibly know how many connections his NWA will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows. This means anyone can connect to his wireless network as long as the NWA has the bandwidth to spare. If too many people connect and the NWA hits its bandwidth cap, then all new connections must basically wait for their turn or get shunted to the nearest identical AP.

The following figure depicts an NWA with a hard bandwidth limit of 6 Megabits per second (Mbps). Bandwidth up to 6 Mbps is considered balanced. More than that and it becomes overloaded; the AP must then work harder to serve each client.

Figure 166 Load Balancing by Traffic Level Example

The yellow (Y), green (G), and blue (B) laptops are each using approximately 2 Mbps. Altogether they consume the AP's entire balanced bandwidth allotment. When the red (R) laptop tries to make a connection, the AP, which does not want to overload itself, denies it if an identical AP is in range that can take on the burden of the new connection.

Note: If no other APs with matching settings are in range of the NWA, then it will still accept the connection despite becoming overloaded.

NWA-3160 Series User's Guide, Chapter 21 Load Balancing

The requirements for load balancing are fairly straightforward and should be met in ord
33. 1 Overview

This chapter describes how your NWA can use certificates as a means of authenticating wireless clients. It gives background information about public-key certificates and explains how to use them. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

Figure 129 Certificates Example

In the figure above, the NWA (Z) checks the identity of the notebook (A) using a certificate before granting it access to the network.

18.2 What You Can Do in the Certificates Screen

• Use the Certificates > My Certificate (see Chapter 18 on page 214) screens to view details of certificates, storage space and settings. This screen also allows you to import or create a new certificate.
• Use the Certificates > Trusted CAs (see Chapter 18 on page 219) screens to save CA certificates to the NWA. This screen displays a summary list of certificates of the certification authorities that you have set the NWA to accept as trusted.

Chapter 18 Certificates

18.3 What You Need To Know

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. Note that the NWA also trusts any valid certificate sig
35. 10 Wireless Security Screen

The following table describes the labels in this screen.

Table 41 Wireless > Security: WEP
LABEL: DESCRIPTION
Profile Name: Type a name to identify this security profile.
Security Mode: Choose WEP in this field.
WEP Encryption: Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP, 128-bit WEP or 152-bit WEP to enable data encryption.
Authentication Method: Select Auto, Open System or Shared Key from the drop-down list box. The default setting is Auto.
ASCII: Select this option to enter ASCII characters as the WEP keys.
Hex: Select this option to enter hexadecimal characters as the WEP keys. The preceding 0x is entered automatically.
Key 1 to Key 4: The WEP keys are used to encrypt data. Both the NWA and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). If you chose 152-bit WEP, then enter 16 ASCII characters or 32 hexadecimal characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Apply: Click Apply to save your changes.
Reset: Click Reset
37. 16 MAC Filter profiles, each of which can hold up to 32 MAC addresses. Click Wireless > MAC Filter. The screen displays as shown.

Figure 109 Wireless > MAC Filter

Chapter 13 MAC Filter Screen

The following table describes the labels in this screen.

Table 50 Wireless > MAC Filter
LABEL: DESCRIPTION
Index: This is the index number of the profile.
Profile Name: This field displays the name given to a MAC filter profile in the MAC Filter Configuration screen.
Edit: Select an entry from the list and click Edit to configure settings for that profile.

13.4.1 Configuring the MAC F
38. 2000 on page 293
• Windows Vista on page 297
• Mac OS X: 10.3 and 10.4 on page 301
• Mac OS X: 10.5 on page 304
• Linux: Ubuntu 8 (GNOME) on page 308
• Linux: openSUSE 10.3 (KDE) on page 313

Windows XP/NT/2000

The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT.

Appendix A Setting Up Your Computer's IP Address

1 Click Start > Control Panel.

Figure 186 Windows XP: Start Menu

2 In the Control Panel, click the Network Connections icon.

Figure 187 Windows XP: Control Panel

3 Right-click Local Area Connection and then select Properties.

Figure 188 Windows XP: Control Panel > Network Conne
41. The following table describes the labels in this screen.

Table 8 The Management Mode Screen
LABEL: DESCRIPTION
AP Controller: Select this to manage other APs (in Managed AP mode) via this NWA. As of writing, the NWA can manage other ZyXEL APs only. When you select this and click Apply, you are logged out of the Web Configurator and have to log in again. The screens vary from the default (standalone) mode to include the controller AP menus.
Standalone AP: Select this to manage the NWA using its own web configurator, neither managing nor managed by other devices.
Managed AP: Select this to have the NWA managed by another NWA on your network. When you do this, the NWA can be configured ONLY by the management AP. If you do not have an AP controller on your network and want to return the NWA to standalone mode, you must use its physical RESET button (NWA-3500 only). All settings are returned to their default values.
Note: When you set the NWA to Managed AP mode, it becomes a DHCP client. To discover its new IP address, check the DHCP server on your network. If your network has no DHCP server, the NWA's IP address remains the same. You can also check the Controller > AP Lists screen of the AP controller on your network.
Auto AP Controller IP (DHCP Server Option 43 setting required): Check this if you want to send a request to be managed to any AP controller within bro
42. APs in managed AP mode are detected but in the un-managed AP list.
WLAN Association: This section is available only when the NWA is in AP controller management mode.
802.11a: This field displays how many IEEE 802.11a wireless clients connect to the NWA.
802.11b/g: This field displays how many IEEE 802.11b/g wireless clients connect to the NWA.
Redundancy: This section is available only when the NWA is in AP controller management mode. The redundancy feature should be also enabled and the NWA acts as the regular AP controller.
Redundancy Device: This field displays the IP address of the backup AP controller.
Last Synchronization Result: This field displays whether the last synchronization with the backup AP controller is successful (ENABLED) or failed (DISABLED).
Last Synchronization: This field displays the last date and time when the NWA synchronized with the backup AP controller.
Alive Status: This field displays the result (NO RESPONSE or ) when querying for the backup AP controller status.
System Status
AP List: This link is available only when the NWA is in AP controller management mode. Click this link to view the MAC address, wireless settings and the number of the connected wireless clients for each wireless module on the AP(s) managed by the NWA.
AP Statistics: This link is available only when the NWA is in AP controller management mode. Click this link to view wireless
43. ASCII characters as the WEP keys.
Hex: Select this option to enter hexadecimal characters as the WEP keys. The preceding 0x is entered automatically.
Key 1 to Key 4: If you chose 802.1x Static 64, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 802.1x Static 128-bit, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations. The preceding 0x is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.

Chapter 10 Wireless Security Screen

Table 43 Wireless > Security: 802.1x Static 64-bit, 802.1x Static 128-bit
LABEL: DESCRIPTION
ReAuthentication Timer: Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off.
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIU
44. Appendix A Setting Up Your Computer's IP Address

5 When the Network Card Setup window opens, click the Address tab.

Figure 220 openSUSE 10.3: Network Card Setup
45. Aware: Select Enable to have the NWA wait until all connected clients have disconnected before switching channels. If you select Disable, then the NWA switches channels immediately regardless of any client connections. In this instance, clients that are connected to the AP when it switches channels are dropped.
DCS Allow Channel List (for 2.4G only): Select the range of non-overlapping channel numbers which you want the NWA to scan and subsequently use, if available.
DCS DFS Channel Aware (5G only): Select Enable to allow the NWA to broadcast on unused radar channels. Select Disable to turn the feature off. See Section 8.4 on page 123 for more information on dynamic frequency.
Apply: Click this to save your changes to the NWA.
Reset: Click this to return this screen to its last-saved settings.

Chapter 22 Dynamic Channel Selection

Maintenance

23.1 Overview

This chapter describes the maintenance screens. It discusses how you can view the association list and channel usage, upload new firmware, manage configuration and restart your NWA without turning it off and on.

23.2 What You Can Do in the Maintenance Screens

The following is a list of the maintenance screens you can configure on the NWA. Use the Status screen (Section 23.4 on page 266) to monitor your NWA. Note that these labels are READ-ONLY and are meant to be us
46. Chapter 23 Maintenance

The following table describes the labels in this screen.

Table 87 Maintenance > Channel Usage
LABEL: DESCRIPTION
SSID: This is the Service Set IDentification name of the AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network. For our purposes, we define an Infrastructure network as a wireless network that uses an AP and an Ad-Hoc network (also known as Independent Basic Service Set (IBSS)) as one that doesn't. See the chapter on wireless configuration for more information on basic service sets (BSS) and extended service sets (ESS).
MAC Address: This field displays the MAC address of the AP in an Infrastructure wireless network. It is randomly generated (so ignore it) in an Ad-Hoc wireless network.
Channel: This is the index number of the channel currently used by the associated AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network.
Signal: This field displays the strength of the AP's signal. If you must choose a channel tha
47. 6 Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields.

7 Click Next to save the changes and close the Network Card Setup window.

Appendix A Setting Up Your Computer's IP Address

8 If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided.

Figure 221 openSUSE 10.3: Network Settings
48. 6 When the Permissions options screen displays, select Grant remote access permission.
6a Click Next to grant access based on group membership.
6b Click the Edit Profile button.

Figure 155 Granting Permissions and User Profile Screens

7 The Edit Dial-in Profile screen displays. Click the Authentication tab and select the Extensible Authentication Protocol check box.
7a Select an EAP type depending on your authentication needs from the drop-down list box.

Chapter 20 VLAN

7b Clear the check boxes for all other authentication types listed below the drop-down list box.

Figure 156 Authentication Tab
49. Chapter 16 Remote Management Screens

16.2 What You Can Do in the Remote Management Screens

• Use the Telnet screen (see Section 16.4 on page 190) to configure through which interface(s) and from which IP address(es) you can use Telnet to manage the ZyXEL Device. A Telnet connection is prioritized by the NWA over other remote management sessions.
• Use the FTP screen (see Section 16.5 on page 191) to configure through which interface(s) and from which IP address(es) you can use File Transfer Protocol (FTP) to manage the ZyXEL Device. You can use FTP to upload the latest firmware, for example.
• Use the WWW screen (see Section 16.6 on page 192) to configure through which interface(s) and from which IP address(es) you can use the Web Browser to manage the ZyXEL Device.
• Use the SNMP screen (see Section 16.7 on page 194) to configure through which interface(s) and from which IP address(es) a network systems manager can access the ZyXEL Device.

16.3 What You Need To Know

Telnet
Telnet is short for Telecommunications Network, which is a client-side protocol that enables you to access a device over the network.

FTP
File Transfer Protocol (FTP) allows you to upload or download a file or several files to and from a remote location using a client or the command console.

WWW
The World Wide Web allows you to access files hosted in a remote server. For example, you
50. MAC addresses you entered.

4 Click the MAC Filter tab. When the MAC Filter screen appears, select macfilter03's entry and click Edit. Enter the MAC address of the device Alice uses to connect to the network in Index 1's MAC Address field and enter her name in the Description field, as shown in the following figure. Change the Profile Name to MacFilter_SERVER_1. Select Allow Association from the Filter Action field and click Apply.

Figure 59 Tutorial: MAC Filter Edit (SERVER_1)

You have restricted access to the SERVER_1 network to only the networking device whose MAC address you entered. The SERVER_1 network is now configured.

Chapter 6 Tutorial

6.4.5 Configure the SERVER_2 Network

Next, you will configure the SERVER_2 network that allows Bob to access secure server 2 and the Internet. To do this, repeat the procedure in Section 6.4.4 on page 93, substituting the following information.

Table 21 Tutorial: SERVER_2 Network Information
SSID Screen
Index: 4
Profile Name: SERVER_2
SSID Edit (SERVER_2) Screen
51. N type N type N type N type RP SMA N type N type female female female female plug female female Survival 216 216 216 180 216 216 Wind Speed km hr Temperatu 40 C 40 C 40 C 40 C 10 C 40 C 40 C re 80 C 80 C 80 C 80 C 55 C 80 C 80 C Humidity 95 at 95 at 95 at 95 at 95 at 95 at 95 at 25 C 55 C 55 C 55 C 55 C 55 C 55 C Weight 337 gw 107 gw 407g 1 6 kg 110g 206 g 640 gw NWA 3500 NWA 3550 User s Guide Chapter 25 Product Specifications Compatible ZyXEL Antenna Cables The following table shows you the cables you can use in the NWA to extend your connection to antennas at the time of writing Table 95 NWA Compatible Antenna Cables MODEL NAME PART NUMBER P N LENGTH LMR 400 91 005 075001G N PLUG to N PLUG for 6M 91 005 075002G N PLUG to N PLUG for 9M 91 005 075003G N PLUG to N PLUG for 12M 91 005 075004G N PLUG to N PLUG for 1M LMR 200 91 005 074001G N PLUG to RP SMA PLUG for 3M 91 005 074002G N PLUG to RP SMA PLUG for 6M 91 005 074003G N PLUG to RP SMA PLUG for 9M EXT 300 91 005 082001B Jumper Cable Surge Arrstor Power over Ethernet PoE Specifications You can use a power over Ethernet injector to power this device The injector must comply to IEEE 802 3af Table 96 Power over Ethernet Injector Specifications Power Output 15 4 Watts maximum Power Current 400 mA maximum
52. You already chose to use the security02 profile for this network, so select the radio button for security02 and click Edit. The following screen appears.

Figure 38 Tutorial: VoIP Security Profile Edit

• Change the Name field to VoIP_Security to make it easier to remember and identify.
• In this example, you do not have a RADIUS server for authentication, so select WPA2-PSK in the Security Mode field. WPA2-PSK provides strong security that anyone with a compatible wireless client can use, once they know the pre-shared key (PSK). Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is ThisismyWPA2-PSKpre-sharedkey.
• Click Apply. The WIRELESS > Security screen displays. Ensure that the Profile Name for entry 2 displays VoIP_Security and that the Security Mode is WPA2-PSK.

Figure 39 Tutorial: VoIP Security Updated

6.2.2.2 Activate the VoIP Profile
53. [Figure: Layer 2 Isolation Configuration screen, with the "Allow devices with these MAC addresses" entry list]

The following table describes the labels in this screen.

Table 49 Wireless > Layer 2 Isolation > Edit
LABEL: DESCRIPTION
Profile Name: Type a name to identify this layer 2 isolation profile.
Allow devices with these MAC addresses: These are the MAC addresses of a wireless client, AP, computer or router. A wireless client associated with
54. [Figure: Network Tools, Devices tab]

Linux: openSUSE 10.3 (KDE)

This section shows you how to configure your computer's TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in the KDE:

1 Click K Menu > Computer > Administrator Settings (YaST).

Figure 216 openSUSE 10.3: K Menu > Computer Menu
55. In the Completing the Certificate Import Wizard screen, click Finish.

Figure 246 Internet Explorer 7: Certificate Import Wizard

10 If you are presented with another Security Warning, click Yes.

Figure 247 Internet Explorer 7: Security Warning

Text of the Security Warning dialog: You are about to install a certificate from a certification authority (CA) claiming to represent nsa2401. Windows cannot validate that the certificate is actually from nsa2401. You should confirm its origin by contacting nsa2401. The following number will assist you in this process: Thumbprint (sha1): 35D 1C9AC DBCOE654 FE327C71 464D 1548 242E5B93. Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click Yes you acknowledge this risk. Do you want to install this certificate?

11 Finally, click OK when presented with the successful certificate installation message.

Figure 248 Internet Explorer 7 Certificate Impor
56. RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

• Authentication: Determines the identity of the users.
• Authorization: Determines the network services available to authenticated users once they are connected to the network.
• Accounting: Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

• Access-Request: Sent by an access point requesting authentication.
• Access-Reject: Sent by a RADIUS server rejecting access.
• Access-Accept: Sent by a RADIUS server allowing access.
• Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS m
58. Screen
LABEL: DESCRIPTION
This field displays the trusted AP index number.
Active: Select this check box to have the NWA use the IP Address and Shared Secret to authenticate a trusted AP.
IP Address: Type the IP address of the trusted AP in dotted decimal notation.
Shared Secret: Enter a password (up to 31 alphanumeric characters, no spaces) as the key for encrypting communications between the AP and the NWA. The key is not sent over the network. This key must be the same on the AP and the NWA. Both the NWA's IP address and this shared secret must also be configured in the external RADIUS server fields of the trusted AP.
Note: The first trusted AP fields are for the NWA itself.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

17.6 The Trusted Users Screen

Use this screen to configure trusted user entries. Click AUTH SERVER > Trusted Users. The following screen displays.

Figure 127 Trusted Users Screen

The following table describes the labels in this screen.

Table 65
59. [Figure: Edit Dial-in Profile, Authentication tab settings]

8 Click the Encryption tab. Select the Strongest encryption option. This step is not required for EAP-MD5, but is performed as a safeguard.

Figure 157 Encryption Tab Settings

9 Click the IP tab and select the Client may request an IP address check box for DHCP support.

10 Click the Advanced tab. The current default parameters returned to the NWA should be Service-Type and Framed-Protocol.

• Click the Add button to ad
60. Table 97 Power over Ethernet Injector RJ-45 Port Pin Assignments
RJ-45 SIGNAL ASSIGNMENT
PIN NO    ASSIGNMENT
1         Output Transmit Data
2         Output Transmit Data
3         Receive Data
4         Power
5         Power
6         Receive Data
7         Power
8         Power

Appendices and Index

Setting Up Your Computer's IP Address
Wireless LANs
Pop-up Windows, JavaScripts and Java Permissions
Importing Certificates
IP Addresses and Subnetting
Text File Based Auto Configuration
Legal Information
Index

Setting Up Your Computer's IP Address

Note: Your specific ZyXEL device may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported.

This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer.

If you manually assign IP information instead of using a dynamic IP, make sure that your network's computers have IP addresses that place them in the same subnet.

In this appendix, you can set up an IP address for:
• Windows XP NT
61. Up to 20 Mbps before it becomes overloaded.

Table 82 Load Balancing
FIELD: DESCRIPTION
Dissociate station when overloaded: Select this to "kick" connections to the AP when it becomes overloaded. If you leave this unchecked, then the AP simply delays the connection until it can afford the bandwidth it requires, or it shunts the connection to another AP within its broadcast radius. The kick priority is as follows:
• Idle Timeout: Devices that have been idle the longest will be kicked first. If none of the connected devices are idle, then the priority shifts to signal strength.
• Signal Strength: Devices with the weakest signal strength will be kicked first.
Note: If you enable this function, you should ensure that there are multiple APs within the broadcast radius that can accept any rejected or kicked wireless clients; otherwise, a wireless client attempting to connect to an overloaded NWA will be kicked continuously and never be allowed to connect.
Apply: Click this to save your changes to the NWA.
Reset: Click this to return this screen to its last saved settings.

21.2.1 Disassociating and Delaying Connections

When your AP becomes overloaded, there are two basic responses it can take. The first one is to "delay" a client connection. This means that the AP withholds the connection until the data transfer
62. To the wireless clients in the network, each SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings.

For example, you might want to set up a wireless network in your office where Internet telephony (Voice over IP, or VoIP) users have priority. You also want a regular wireless network for standard users, as well as a "guest" wireless network for visitors. In the following figure, VoIP_SSID users have Quality of Service (QoS) priority, SSID03 is the wireless network for standard users, and Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired LAN behind the AP and can access only the Internet.

Figure 5 Multiple BSSs

1.2.5 Pre-Configured SSID Profiles

The NWA has two pre-configured SSID profiles.

1 VoIP_SSID: This profile is intended for use by wireless clients requiring the highest QoS (Quality of Service) level for VoIP (Voice over IP) telephony and other applications requiring low latency. The QoS level of this profile is not user-configurable. See Chapter 8 on page 119 for more information on QoS.

2 Guest_SSID: This profile is intended for use by visitors and others who require access to certain resources on the
63. Table 52 IP Setup
LABEL: DESCRIPTION
IP Subnet Mask: Type the subnet mask.
Gateway IP Address: Type the IP address of the gateway. The gateway is an immediate neighbor of your NWA that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your NWA; over the WAN, the gateway must be the IP address of one of the remote nodes.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

14.5 Technical Reference

This section provides technical background information about the topics covered in this chapter.

14.5.1 WAN IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet (only between your two branch offices, for instance), you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.

Table 53 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for you
64. WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The NWA's default is 1800 seconds (30 minutes).
PMK Cache: When a wireless client moves from one AP's coverage area to another, it performs an authentication procedure (exchanging security information) with the new AP. Instead of re-authenticating a client each time it returns to the AP's coverage area, which can cause delays to time-sensitive applications, the AP and the client can store (or "cache") and use information about their previous authentication. Select Enable to allow PMK caching, or Disable to switch this feature off.
Pre-Authentication: Pre-authentication allows a wireless client to perform authentication with a different AP from the one to which it is currently connected, before moving into the new AP's coverage area. This speeds up roaming. Select Enable to allow pre-authentication, or Disable to switch it off.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

10.4.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX

Use this screen to set the selected profile to WPA-PSK, WPA2-PSK or WPA2-PSK-MIX security mode. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display t
65. all be completely indoors.
• Please select an antenna that conforms with your local radio regulations. ZyXEL bears no responsibility whatsoever for cases of illegal installation.

Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.
66. applications.

Make sure the NWA is installed in a position free of obstructions. Check the signal strength. If the signal is weak, try moving your computer closer to the NWA if possible, and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on). Reboot the NWA. If the problem continues, contact the network administrator or vendor, or try the advanced suggestions.

Advanced Suggestions
• Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications.

24.4 Wireless Router/AP Troubleshooting

Cannot access the NWA or ping any computer from the WLAN.

1 Make sure the wireless LAN is enabled on the NWA.
2 Make sure the wireless adapter on the wireless client is working properly.
3 Make sure the wireless adapter installed on your computer is IEEE 802.11 compatible and supports the same wireless standard as the NWA.
4 Make sure your computer (with a wireless adapter installed) is within the transmission range of the NWA.
5 Check that both the NWA and your wireless client are using the same wireless and wireless security settings.
6 Make sure you allow the NWA to be remotely accessed through the WLAN interface. Check your remote management settings.
67. assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.

8.5.1.4 STP Port States

STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops.

Table 31 STP Port States
PORT STATES: DESCRIPTIONS
Disabled: STP is disabled (default).
Blocking: Only configuration and management BPDUs are received and processed.
Listening: All BPDUs are received and processed.
Learning: All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded.
Forwarding: All BPDUs are received and processed. All information frames are received and forwarded.

When you choose 802.11a in Access Point mode, the NWA uses DFS (Dynamic Frequency Selection) to give you a wider choice of wireless channels. DFS allows you to use channels in the frequency range normally reserved for radar systems. Radar uses radio signals to detect the location of objects for military, meteorological or air traffic control purposes. As long as your NWA detects no radar activity on the channel you select, you can use the channel to communicate. However, a wireless LAN operating on the same frequ
68. at www.us.zyxel.com for North American products.
69. be trusted.

3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.

Figure 268 Opera 9: Security information

Installing a Stand-Alone Certificate File in Opera

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Opera and click Tools > Preferences.

Figure 269 Opera 9: Tools Menu

2 In Preferences, click Advanced > Security > Manage certificates.

Figure 270 Opera 9: Preferences
70. button to upload the previously saved list of friendly APs displayed in the File Path field to the NWA.
Apply: Click Apply to save your settings.
Reset: Click Reset to return all fields in this screen to their previously saved values.

15.3.2 Friendly AP Screen

Use this screen to specify APs as trusted. Click Rogue AP > Friendly AP. The following screen appears.

Figure 116 Rogue AP > Friendly AP

The following table describes the labels in this screen.

Table 55 Rogue AP > Friendly AP
LABEL: DESCRIPTION
Add Friendly AP: Use this section to manually add a wireless access point to the list. You must know the device's MAC address.
MAC Address: Enter the MAC address of the AP you wish to add to the list.
Description: Enter a short explanatory description identifying the AP, with a maximum of 32 alphanumeric characters. Spaces, underscores (_) and dashes are allowed.
Add: Click this button to include the AP in the list.
Friendly AP List: This is the list of safe wireless access points you have already configured.
Index: This is the index number of the AP's entry in the list.
MAC Address: This field displays the Media Access Control (MAC) addre
71. can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to "borrow" two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.

Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet's broadcast address).

Table 106 Subnet 1
IP/SUBNET MASK          NETWORK NUMBER                 LAST OCTET BIT VALUE
IP Address (Decimal)    192.168.1.                     0
IP Address (Binary)     11000000.10101000.00000001.    00000000
Subnet Mask (Binary)    11111111.11111111.11111111.    11000000
Subnet Address: 192.168.1.0      Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63  Highest Host ID: 192.168.1.62

Table 107 Subnet 2
IP/SUBNET MASK          NETWORK NUMBER                 LAST OCTET BIT VALUE
IP Address              192.168.1.                     64
IP Address (Binary)     11000000.10101000.00000001.    01000000
Subnet Mask (Binary)    11111111.11111111.11111111.    11
72. certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen (Section 18.4.3 on page 214) and then send it to the certification authority.

Create a certification request and enroll for a certificate immediately online: Select Create a certification request and enroll for a certificate immediately online to have the NWA generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-down list boxes and enter the certification authority's server address. You also need to fill in the Reference Number and Key if the certification authority requires them.

Enrollment Protocol: Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.

CA Server Address: Enter the IP address or UR
73. fills up. If you select None, no log messages are sent.
Day for Sending Log: This field is only available when you select Weekly in the Log Schedule field. Use the drop-down list box to select which day of the week to send the logs.
Time for Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
Clear log after sending mail: Select the check box to clear all logs after logs and alert messages are sent via e-mail.
Log: Select the categories of logs that you want to record.
Send Immediate Alert: Select the categories of alerts for which you want the NWA to immediately send e-mail alerts.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to reconfigure all the fields in this screen.

19.6 Technical Reference

This section provides some technical background information about the topics covered in this chapter.

19.6.1 Example Log Messages

This section provides descriptions of some example log messages.

Table 75 System Maintenance Logs
LOG MESSAGE: DESCRIPTION
Time calibration is successful: The NWA has adjusted its time based on information from the time server.
Time calibration failed: The NWA failed to get information from the time server.
74. following:
• From the Configure IPv4 list, select Manually.
• In the IP Address field, type your IP address.
• In the Subnet Mask field, type your subnet mask.
• In the Router field, type the IP address of your device.

Figure 202 Mac OS X 10.4: Network Preferences > Ethernet

Click Apply Now and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab.

Figure 203 Mac OS X 10.4: Network Utility

Mac OS X: 10.5

The screens in this section are from Mac OS X 10.5.

Click Apple > System Preferences.
75. if it is not active. You can enable or disable VLAN or change the management VLAN ID in the VLAN > Wireless VLAN screen. Rogue AP Detection: This field is available only when the NWA is in AP controller management mode. This field displays whether rogue AP detection is turned on (Enable) or not (Disable). IP: This field displays the current IP address of the NWA on the network. LAN MAC: This displays the MAC (Media Access Control) address of the NWA on the LAN. Every network device has a unique MAC address which identifies it across the network. Your NWA features dual wireless modules and has two MAC addresses. The MAC address of the first wireless module (WLAN1) is used on the LAN. WLAN1 MAC: This field is not available when the NWA is in AP controller management mode. This displays the MAC address of the first wireless module. WLAN2 MAC: This field is not available when the NWA is in AP controller management mode. This displays the MAC address of the second wireless module. Table 4 The Status Screen. Registration Type: This field is available only when the NWA is in AP controller management mode. This displays Manual when an access point in managed AP mode needs to register to the NWA manually, or Always Accept when the NWA automatically adds any detected access point in managed AP mod
76. if this happens. 2.2 Resetting the NWA: This replaces the current configuration file with the factory default configuration file. This means that you will lose all the settings you previously configured. The password will be reset to "1234". 2.2.1 Methods of Restoring Factory Defaults: You can erase the current configuration and restore factory defaults in the following ways: • Use the RESET button to upload the default configuration file. Hold this button in for about 10 seconds (the lights will begin to blink). Use this method for cases when the password or IP address of the NWA is not known. This applies to the NWA-3500 only. • Use the web configurator to restore defaults (refer to Section 23.8.3 on page 274). • Transfer the configuration file to your NWA using FTP. See the section on SMT configuration for more information. 2.3 Navigating the Web Configurator: The following summarizes how to navigate the web configurator from the Status screen. Note: The Status screen shown in this section applies to the Standalone AP management mode only. • Click LOGOUT at any time to exit the web configurator. • Check the status bar at the bottom of the screen when you click Apply or OK to verify that the configuration has been updated. Figure 11 The Status Screen of th
77. in the area. Internal RADIUS server: PEAP, 32-entry Trusted AP list, 128-entry Trusted Users list. VLAN: 802.1Q VLAN tagging. STP (Spanning Tree Protocol) / RSTP (Rapid STP): (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. WMM QoS: WMM (Wi-Fi MultiMedia) QoS (Quality of Service) allows you to prioritize wireless traffic. Certificates: The NWA can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication. SSL Passthrough: SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with "https" instead of "http". The NWA allows SSL connections to take place through the NWA. MAC Address Filter: Your NWA checks the MAC address of the wireless station against a list of allowed or denied MAC addresses
78. mode, channel ID number and packet-specific statistics on the AP(s) managed by the NWA. Table 4 The Status Screen. Show Statistics: This link is not available when the NWA is in AP controller management mode. Click this link to view port status and packet-specific statistics. See Section 23.4.1 on page 266. Association List: Click this to see a list of wireless clients currently associated to each of the NWA's wireless modules. See Section 23.5 on page 268. Channel Usage: This link is not available when the NWA is in AP controller management mode. Click this to see which wireless channels are currently in use in the local area. See Section 23.6 on page 269. SSID Information: This link is available only when the NWA is in AP controller management mode. Click this link to view the security mode and the number of the connected wireless clients for the active SSID(s) on the NWA. Logs: Click this to see a list of logs produced by the NWA. See Section 19.6 on page 232. Rogue AP List: Click this to see a list of unauthorized access points in the local area. See Section 15.3.3 on page 184. 3.1.1 AP List: Click the AP List link in the Status screen when the NWA is in AP controller management mode. Figure 14: Status > AP List
79. network (an Internet gateway or a network printer, for example) but must not have access to the rest of the network. Layer 2 isolation is enabled (see Section on page 166), and QoS is set to NONE. Intra-BSS traffic blocking is also enabled (see Section 9.4.1 on page 144). These fields are all user-configurable. 1.2.6 Configuring Dual WLAN Adaptors: The NWA is equipped with dual wireless adaptors. This means you can configure two different wireless networks to operate simultaneously. In the following example, the NWA (Z) uses WLAN1 in Access Point mode to allow IEEE 802.11b and IEEE 802.11g clients to access the wired network, and WLAN2 in AP+Bridge mode to allow an IEEE 802.11a AP to communicate with the wired network. Figure 6: Dual WLAN Adaptors Example. 1.3 CAPWAP: The NWA supports CAPWAP (Control And Provisioning of Wireless Access Points). This is ZyXEL's implementation of the IETF's (Internet Engineering Task Force) CAPWAP protocol. ZyXEL's CAPWAP allows a single access point to manage up to eight other access points. The managed APs receive all their configuration information from the controller AP. The CAPWAP dataflow is protected by D
80. of security to groups of users. The NWA controls network access with MAC address filtering, rogue AP detection, layer 2 isolation and an internal authentication server. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-Fi Protected Access (WPA), WPA2 and WEP data encryption. At the time of writing, this guide covers the following models. Table 2 Models Covered: NWA-3500, NWA-3550. Your NWA is easy to install, configure and use. The embedded Web-based configurator enables simple, straightforward management and maintenance. See the Quick Start Guide for instructions on how to make hardware connections. 1.2 Applications for the NWA: The NWA can be configured to use the following WLAN operating modes: • Access Point (AP) • Bridge / Repeater • AP+Bridge • MBSSID. Applications for each operating mode are shown below. Note: A different channel should be configured for each WLAN interface to reduce the effects of radio interference. 1.2.1 Access Point: The NWA is an ideal access solution for wireless Internet connection. A typical Internet access application for your NWA is shown as follows. Clients A, B and C can access the wired network through the NWAs. Figure 1: Access Point Application
81. of the incoming packet. Destination: This field lists the destination IP address and the port number of the incoming packet. Notes: This field displays additional information about the log entry. Email Log Now: Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page. Refresh: Click Refresh to renew the log screen. Clear Log: Click Clear Log to clear all the logs. 19.5 The Log Settings Screen: Use this screen to configure where and when the NWA will send the logs, and which logs and/or immediate alerts to send. Click Logs > Log Settings. The following screen displays. Figure 141: Logs > Log Settings. The following table describes the labels in this screen. Table 74 Logs > Log Settings. Address Info. Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail. Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the NWA sends. Send Log to: Logs are sent to the e-mail address specified in this field. If this field is left blank, logs will not be sent via e-mail.
82. order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary. Internet Explorer Pop-up Blockers: You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address. Disable Pop-up Blockers: 1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 230: Pop-up Blocker. You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1. In Internet Explorer, select Tools, Internet Options, Privacy. 2. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 231: Internet Options Privacy
83. other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number, the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered. Structure: An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. Figure 286: Network Number and Host ID (192.168.1.16). How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks: A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID us
84. point not on the list. Now you need to configure the other wireless access points on your network to do the same things. For each access point, take the following steps. 1. From a computer on the wired network, enter the access point's IP address and login to its Web configurator. See Table 16 on page 84 for the example IP addresses. 2. Import the friendly AP list. Click ROGUE AP > Configuration > Browse. Find the Flist file where you previously saved it on the network and click Open. 3. Click Import. Check the ROGUE AP > Friendly AP screen to ensure that the friendly AP list has been correctly uploaded. 4. Activate periodic rogue AP detection. See Section 6.3.2 on page 88. 5. Set up e-mail logs as in Section 6.3.3 on page 89, but change the Mail Subject field so you can tell which AP the alerts come from (ALERT_Access_Point_B, etc.). 6.3.5 Test the Setup: Next, test your setup to ensure it is correctly configured. • Log into each AP's Web configurator and click ROGUE AP > Rogue AP. Click Refresh. If any of the MAC addresses from Table 17 on page 86 appear in the list, the friendly AP function may be incorrectly configured; check the ROGUE AP > Friendly AP screen. If any entries appear in the rogue AP list that are not in Table 17 on page 86, write down the AP's MAC address for future reference and check your e-mail inbox. If you have rec
85. purpose of the MIBs is to let administrators collect statistical data and monitor status and performance. SNMP Traps: SNMP traps are messages sent by the agents of each managed device to the SNMP manager. These messages inform the administrator of events in data networks handled by the device. The NWA can send the following traps to the SNMP manager. Table 61 SNMP Traps (TRAP NAME, OBJECT IDENTIFIER (OID): DESCRIPTION). Generic Traps. coldStart, 1.3.6.1.6.3.1.1.5.1: This trap is sent after booting (power on). This trap is defined in RFC 1215. warmStart, 1.3.6.1.6.3.1.1.5.2: This trap is sent after booting (software reboot). This trap is defined in RFC 1215. linkDown, 1.3.6.1.6.3.1.1.5.3: This trap is sent when the Ethernet link is down. linkUp, 1.3.6.1.6.3.1.1.5.4: This trap is sent when the Ethernet link is up. authenticationFailure (defined in RFC 1215), 1.3.6.1.6.3.1.1.5.5: The device sends this trap when it receives any SNMP get or set requirements with the wrong community (password). Note: snmpEnableAuthenTraps, OID 1.3.6.1.2.1.11.30 (defined in RFC 1214 and RFC 1907), must be enabled in order for the device to send authenticationFailure traps. Use a MIB browser to enable or disable snmpEnableAuthenTraps. Traps defined in the ZyXEL Private MI
86. subnet, as shown in the following figure. Figure 18: CAPWAP and DHCP Option 43. 4.1.4 Notes on CAPWAP: This section lists some additional features of ZyXEL's implementation of the CAPWAP protocol. • When the AP controller uses its internal RADIUS server, managed APs also use the AP controller's authentication server to authenticate wireless clients. • Only one AP controller can exist in any single broadcast domain. • If a managed AP's link to the AP controller is broken, the managed AP continues to use the wireless settings with which it was last provided. 4.2 The Management Mode Screen: Use this screen to configure the NWA as a CAPWAP controller AP or CAPWAP managed AP, or to use it in its default standalone mode. Click MGNT MODE in the NWA's navigation menu. The following screen displays. Figure 19: The Management Mode Screen
87. that they do not pose a threat to your network's security. Table 17 Tutorial Friendly AP Information (MAC ADDRESS, DESCRIPTION): 00:AA:00:AA:00:AA (My Access Point _A_); AA:00:AA:00:AA:00 (My Access Point _B_); A0:0A:A0:0A:A0:0A (My Access Point _C_); 0A:A0:0A:A0:0A:A0 (My Access Point _D_); AF:AF:AF:FA:FA:FA (Coffee Shop Access Point _1_). The Friendly AP screen now appears as follows. Figure 49: Tutorial Friendly AP After Data Entry. 3. Next, you will save the list of friendly APs in order to provide a backup and upload it to your other access points. Click the Configuration tab. The following screen appears. Figure 50: Tutorial Configuration. 4. Click Export. If a window similar to the following appears, click Save. Figure 51: Tutorial Warning File Download
88. the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.167.1. 4. Click Add to move the IP address to the list of Allowed sites. Figure 233: Pop-up Blocker Settings. 5. Click Close to return to the Privacy screen. 6. Click Apply to save this setting. JavaScripts: If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. 1. In Internet Explorer, click Tools, Internet Options and then the Security tab. Figure 234: Internet Options Security
89. the MAC address of the unmanaged AP. Model: This displays the model name and 802.11 mode of the unmanaged AP. Description: This displays the description of the unmanaged AP. Add: Select the unmanaged AP from the list and click this to include the unmanaged AP in the NWA's managed AP list. Automatic Refresh Interval: Enter how often you want the NWA to update this screen. Refresh: Click this to update this screen immediately. 5.4.1 The AP Lists Edit Screen: Use this screen to change the description or radio profile of an AP managed by the NWA. Click Edit in the CONTROLLER > AP Lists screen. The following screen displays. Figure 25: The Controller > AP Configuration Screen. The following table describes the labels in this screen. Figure 26: The Controller > AP Configuration Screen. Model: This is the model number of the managed AP. MAC Address: This is the MAC address of the managed AP. Description: Enter a short description of this access point, up to 32 English keyboard characters. Enable Breathing LED: This field displays only if the managed AP supports this feature. Select
90. the NWA uses RSA encryption and the length of the key set in bits (1024 bits, for example). Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This field displays for what functions the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign certificates and "KeyEncipherment" means that the key can be used to encrypt text. Basic Constraint: This field displays general information about the certificate. For example, "Subject Type=CA" means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path. MD5 Fingerprint: This is the certificate's message digest that the NWA calculated using the MD5 algorithm. SHA1 Fingerprint: This is the certificate's message digest that the NWA calculated using the SHA1 algorithm. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification authority or a text editor and save the file on a management compu
91. then set your device to use one of them. But with Dynamic Channel Selection, the NWA does this automatically. 22.2 The DCS Screen: Use this screen to configure your Dynamic Channel Selection options. Click DCS in the navigation menu. The following screen appears. Figure 171: Load Balancing. The following table describes the labels in this screen. Table 83 Load Balancing (FIELD: DESCRIPTION). Dynamic Channel Selection: Select this to either Enable or Disable dynamic channel selection. DCS Time Interval: Enter a number of minutes. This regulates how often the NWA surveys the other APs within its broadcast radius. If the channel on which it is currently broadcasting suddenly comes into use by another AP, the NWA will then dynamically select the next available empty channel. DCS Sensitivity Level: Select the NWA's sensitivity level toward other channels. Options are High, Medium and Low. DCS Client
92. this website (not recommended). 3. In the Address Bar, click Certificate Error > View certificates. Figure 240: Internet Explorer 7 Certificate Error. 4. In the Certificate dialog box, click Install Certificate. Figure 241: Internet Explorer 7 Certificate. 5. In the Certificate Import Wizard, click Next. Figure 242: Internet Explorer 7 Certificate Import Wizard
93. to begin configuring this screen afresh. 10.4.2 Security: 802.1x Only. Use this screen to set the selected profile to 802.1x Only security mode. Select 802.1x Only in the Security Mode field to display the following screen. Figure 95: Wireless > Security: 802.1x Only. The following table describes the labels in this screen. Table 42 Wireless > Security: 802.1x Only. Profile Name: Type a name to identify this security profile. Security Mode: Choose 802.1x Only in this field. ReAuthentication Timer: Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Idle Timeout: The NWA automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the
94. transmission rate of your NWA might be reduced. Select 802.11a (NWA-3160 only) to allow only IEEE 802.11a compliant WLAN devices to associate with the NWA. Super Mode: Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting. Choose Channel ID: Set the operating frequency channel depending on your particular region. To manually set the NWA to use a channel, select a channel from the drop-down list box. RTS/CTS Threshold: (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (256) turns on the RTS/CTS handshake. Enter a value between 256 and 2346. Fragmentation Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter an even number between 256 and 2346. Beacon Interval: When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. This value can be set from 30ms to 1000ms. A high value helps sa
95. 3.1.3 SSID Information: Click the SSID Information link in the Status screen when the NWA is in AP controller management mode. Figure 16: Status > SSID Information. The following table describes the labels in this screen. Table 7 Status > SSID Information. SSID Security Mode: This is the wireless security mode used by each SSID. Stations: This is the number of the wireless clients currently associated to each SSID. Management Mode: This chapter discusses the MGNT MODE (Management Mode) screen. This screen determines whether the NWA is used in its default standalone AP mode, or as part of a CAPWAP (Control And Provisioning of Wireless Access Points) network. 4.1 About CAPWAP: The NWA supports CAPWAP (Control And Provisioning of Wireless Access Points). This is ZyXEL's implementation of the IETF's (Internet Engineering Task Force) CAPWAP protocol (RFC 4118). The CAPWAP dataflow is protected by DTLS (Datagram Transport Layer Security). The following figure illustrates a CAPWAP wireless network. You (U) configure the AP controller (C), which then automatically updates the configurations of the managed APs (M1 to M4). Figure 17: CAPWAP Network Example
96. 000000 Subnet Address: 192.168.1.64; Lowest Host ID: 192.168.1.65; Broadcast Address: 192.168.1.127; Highest Host ID: 192.168.1.126. Table 108 Subnet 3 (IP/SUBNET MASK, NETWORK NUMBER, LAST OCTET BIT VALUE). IP Address: 192.168.1.128; IP Address (Binary): 11000000.10101000.00000001.10000000; Subnet Mask (Binary): 11111111.11111111.11111111.11000000; Subnet Address: 192.168.1.128; Lowest Host ID: 192.168.1.129; Broadcast Address: 192.168.1.191; Highest Host ID: 192.168.1.190. Table 109 Subnet 4 (IP/SUBNET MASK, NETWORK NUMBER, LAST OCTET BIT VALUE). IP Address: 192.168.1.192; IP Address (Binary): 11000000.10101000.00000001.11000000; Subnet Mask (Binary): 11111111.11111111.11111111.11000000; Subnet Address: 192.168.1.192; Lowest Host ID: 192.168.1.193; Broadcast Address: 192.168.1.255; Highest Host ID: 192.168.1.254. Example: Eight Subnets. Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 110 Eight Subnets
SUBNET   SUBNET ADDRESS   FIRST ADDRESS   LAST ADDRESS   BROADCAST ADDRESS
1        0                1               30             31
2        32               33              62             63
3        64               65              94             95
4        96               97              126            127
5        128              129             158            159
6        160              161             190            191
7        192              193             222            223
8        224              225             254            255
97. Note: Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list. 20.5.4 Second Rx VLAN ID Example: In this example, the NWA is configured to tag packets from SSID01 with VLAN ID 1 and tag packets from SSID02 with VLAN ID 2. VLAN 1 and VLAN 2 have access to a server (S) and the Internet, as shown in the following figure. Figure 164: Second Rx VLAN ID Example (SSID01: VLAN ID 1, Second Rx VLAN ID 2; SSID02: VLAN ID 2, Second Rx VLAN ID 0). Packets sent from the server (S) back to the switch are
98. 176 to configure the IP address of your NWA. 14.3 What You Need To Know About IP: The Ethernet parameters of the NWA are preset in the factory with the following values: IP address of 192.168.1.2; Subnet mask of 255.255.255.0 (24 bits). These parameters should work for the majority of installations. 14.4 The IP Screen: Use this screen to configure the IP address for your NWA. Click IP to display the following screen. Figure 112: IP Setup. The following table describes the labels in this screen. Table 52 IP Setup. IP Address Assignment. Get automatically from DHCP: Select this option if your NWA is using a dynamically assigned IP address from a DHCP server each time. Note: You must know the IP address assigned to the NWA by the DHCP server to access the NWA again. Use fixed IP address: Select this option if your NWA is using a static IP address. When you select this option, fill in the fields below. IP Address: Enter the IP address of your NWA in dotted decimal notation. Note: If you change the NWA's IP address, you must use the new IP address if you want to access the web configurator again.
99. 2 Select Managed AP and enter the IP addresses of the NWA primary and secondary controller AP (recommended). Click Apply.
Note: DHCP Server Option 43 enables your managed AP to send a request to be managed to controller APs that are within range, even if the controller AP belongs to another network.
3 You are logged out of the Web Configurator and the screen shows a message that the device is rebooting. You lose access to the Web Configurator. You must now add the NWA managed APs to the controller's managed AP list.
Chapter 6 Tutorial
6.5.6 Configuring the Managed Access Points List
At this point you have 3 NWA managed APs (B, C and D) that can now be managed by the primary controller AP. First, in the Web Configurator of your primary controller AP (A), go to Controller > Configuration.
Figure 67 Tutorial: Registration Type (Controller Setting fields: Pre-Shared Key, 8 to 32 characters; Registration Type: Manual or Always Accept)
If the Registration Type is set to Manual, the controller AP adds managed APs to a queue in the Un-Managed Access Points List in the Controller > AP Lists screen. If the Registration Type is set to Always Accept, the controller AP immediately adds the AP to the Managed Access Points List in the Controller > AP Lists scr
100. The following table describes the labels in this screen.
Table 47 Wireless > RADIUS
LABEL: DESCRIPTION
Index: Select the RADIUS profile you want to configure from the drop-down list box.
Profile Name: Type a name for the RADIUS profile associated with the Index number above.
Primary: Configure the fields below to set up user authentication and accounting.
Backup: If the NWA cannot communicate with the Primary accounting server, you can have the NWA use a Backup RADIUS server. Make sure the Active check boxes are selected if you want to use backup servers. The NWA will attempt to communicate three times before using the Backup servers. Requests can be issued from the client interface to use the backup server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field in the Security screen.
RADIUS Option
Chapter 11 RADIUS Screen
Table 47 Wireless > RADIUS (continued)
Internal: Select this check box to use the NWA's internal authentication server. The Active, RADIUS Server IP Address, RADIUS Server Port and Share Secret fields are not available when you use the internal authentication server.
External
101. Table of Contents (fragment)
Channel Usage
Configuration Screen
Back to Factory Defaults
Part III Troubleshooting and Specifications
Chapter 24 Troubleshooting
24.1 Power and Hardware Connections
24.2 NWA Access and Login
24.4 Wireless Router/AP Troubleshooting
Chapter 25 Product Specifications
Part IV Appendices and Index
Appendix A Setting Up Your Computer's IP Address
Appendix B Wireless LANs
102. [Table fragment]
255.0: 8 bits, 2^8 - 2, 254
29 bits: 255.255.255.248, 3 bits, 2^3 - 2, 6
Notation
Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" followed by the number of bits in the mask after the address.
For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128.
The following table shows some possible subnet masks using both notations.
Table 105 Alternative Subnet Mask Notation
SUBNET MASK        ALTERNATIVE NOTATION   LAST OCTET (BINARY)   LAST OCTET (DECIMAL)
255.255.255.0      /24                    0000 0000             0
255.255.255.128    /25                    1000 0000             128
255.255.255.192    /26                    1100 0000             192
255.255.255.224    /27                    1110 0000             224
255.255.255.240    /28                    1111 0000             240
255.255.255.248    /29                    1111 1000             248
255.255.255.252    /30                    1111 1100             252
Appendix E IP Addresses and Subnetting
Subnetting
You can use subnetting to divide one network into multiple sub-networks. In the following example, a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.
In this example, the company network address is 192.168.1.0. The first thre
103. The following table describes the labels in this screen.
Table 56 Rogue AP > Rogue AP
LABEL: DESCRIPTION
Rogue AP List: This displays details of access points in the NWA's coverage area that are not listed in the friendly AP list (see Section 15.3.2 on page 183).
Refresh: Click this button to have the NWA scan for rogue APs.
Index: This is the index number of the AP's entry in the list.
Select: Use this check box to select the APs you want to move to the friendly AP list (see Section 15.3.2 on page 183).
MAC Address: This field displays the Media Access Control (MAC) address of the AP. All wireless devices have a MAC address that uniquely identifies them.
SSID: This field displays the Service Set IDentifier (also known as the network name) of the AP.
Channel: This field displays the wireless channel the AP is currently using.
Radio Mode: This is the 802.11 mode of the AP.
Security: This field displays the type of wireless encryption the AP is currently using.
Last Seen: This field displays the last time the NWA scanned for the AP.
Chapter 15 Rogue AP Detection
Table 56 Rogue AP > Rogue AP (continued)
Description: If you want to move the AP's entry to the friendly AP list, enter a short explanatory description i
104. [Screenshot residue: Status screen showing WLAN1 and WLAN2 associations, interface status for LAN, WLAN1 and WLAN2, and links including Show Statistics, Association List, Channel Usage and Rogue AP List]
Figure 13 The Status Screen (AP Controller)
[Screenshot residue: Status screen in controller management mode showing system information and links including AP List, AP Statistics, Association List, SSID Information and Rogue AP List]
The following table describes the labels in this screen.
Table 4 The Status Screen
LABEL: DESCRIPTION
Automatic Refresh Interval: Enter how often you want the NWA to update this screen.
Refresh: Click this to update this screen immediately.
Chapter 3 Status Screens
Table 4 The Status Screen L
105. Chapter 24 Troubleshooting
Product Specifications
The following tables summarize the NWA's hardware and firmware features.
Table 90 NWA-3550 Hardware Specifications
SPECIFICATION: DESCRIPTION
Dimensions: 256 (W) x 246 (D) x 82 (H) mm
Weight: 2000 g
Power: PoE draw 48V 20W at least
Ethernet Port: Auto-negotiating: 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode. Auto-crossover: Use either crossover or straight-through Ethernet cables.
Power over Ethernet (PoE): IEEE 802.3af compliant
Antenna Specifications: Two external antenna connectors (N-Type)
Output Power: IEEE 802.11b/g: 17 dBm; IEEE 802.11a: 14 dBm
Operating Environment: Temperature 309 C 550 C; Humidity 20 95 RH
Storage Environment: Temperature 400 C 609 C; Humidity 5 95 RH
Table 91 NWA-3500 Hardware Specifications
Dimensions: 212.5 (W) x 138.5 (D) x 52 (H) mm
Power Specification: 12 VDC 1A
Reset button: Returns all settings to their factory defaults
Ethernet Port: Auto-negotiating: 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode. Auto-crossover: Use either crossover or straight-through Ethernet cables.
Power over Ethernet (PoE): IEEE 802.3af compliant
Console Port: One MIL-C-5015 style RS-232 console port
106. LABEL: DESCRIPTION
System Information
System Name: This field displays the NWA system name. It is used for identification. You can change this in the System > General screen's System Name field.
Model: This field displays the NWA's exact model name.
Firmware Version: This field displays the current version of the firmware inside the device. It also shows the date the firmware version was created. You can change the firmware version by uploading new firmware in Maintenance > F/W Upload.
System Up Time: This field displays the elapsed time since the NWA was turned on.
Current Date Time: This field displays the date and time configured on the NWA. You can change this in the System > Time Setting screen.
WLAN1 Operating Mode: This field is not available when the NWA is in AP controller management mode. This field displays the current operating mode of the first wireless module (AP, Bridge/Repeater, AP+Bridge or MBSSID). You can change the operating mode in the Wireless > Wireless screen.
WLAN2 Operating Mode: This field is not available when the NWA is in AP controller management mode. This field displays the current operating mode of the second wireless module (AP, Bridge/Repeater, AP+Bridge or MBSSID). You can change the operating mode in the Wireless > Wireless screen.
Management VLAN: This field displays the management VLAN ID if VLAN is active, or Disabled
107. AN on an Ethernet switch
By default, the port on the NWA is a member of the management VLAN (VLAN ID 1). The following procedure shows you how to configure a tagged VLAN.
Note: Use the out-of-band management port or console port to configure the switch if you misconfigure the management VLAN and lock yourself out from performing in-band management.
Chapter 20 VLAN
On an Ethernet switch, create a VLAN that has the same management VLAN ID as the NWA. The following figure has the NWA connected to port 2 of the switch and your computer connected to port 1. The management VLAN ID is ten.
Figure 145 Management VLAN Configuration Example
Perform the following steps in the switch web configurator:
1 Click VLAN under Advanced Application.
2 Click Static VLAN.
3 Select the ACTIVE check box.
4 Type a Name for the VLAN ID.
5 Type a VLAN Group ID. This should be the same as the management VLAN ID on the NWA.
6 Enable Transmitted Packets (Tx Tagging) on the port which you want to connect to the NWA.
7 Disable Tx Tagging on the port you are using to connect to your computer.
8 Under Control, select Fixed to set the port as a member of the VLAN.
Figure 146 VLAN-Aware Switch: Static VLAN
108. [Screenshot residue: certificate details dialog showing the Thumbprint Algorithm and Thumbprint fields]
Chapter 18 Certificates
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary according to your situation. Possible examples would be over the telephone or through an HTTPS connection.
Log Screens
19.1 Overview
This chapter provides information on viewing and generating logs on your NWA.
Logs are files that contain recorded network activity over a set period. They are used by administrators to monitor the health of the computer system(s) they are managing. Logs enable administrators to effectively monitor events, errors, progress, etc. so that when network problems or system failures occur, the cause or origin can be traced. Logs are also essential for auditing and keeping track of changes made by users.
Figure 139 Accessing Logs in the Network
The figure above illustrates three ways to access logs. The user (U) can access logs directly from the NWA (A) via the Web configurator. Logs can also be lo
109. B
whyReboot (1.3.6.1.4.1.890.1.5.1.3.0.1): This trap is sent with the reason for restarting before the system reboots (warm start). "System reboot by user" is added for an intentional reboot (for example, download new files, CI command "sys reboot"). If the system reboots because of fatal errors, a code for the error is listed.
pwTFTPStatus (1.3.6.1.4.1.890.1.9.2.3.3.1): This trap is sent to indicate the status and result of a TFTP client session that has ended.
Some traps include an SNMP interface index. The following table maps the SNMP interface indexes to the NWA's physical and virtual ports.
Table 62 SNMP Interface Index to Physical and Virtual Port Mapping
TYPE       INTERFACE          PORT
Physical   enet0              Wireless LAN adaptor WLAN1
Physical   enet1              Ethernet port (LAN)
Physical   enet2              Wireless LAN adaptor WLAN2
Virtual    enet3 to enet9     WLAN1 in MBSSID mode
Virtual    enet10 to enet16   WLAN2 in MBSSID mode
Virtual    enet17 to enet21   WLAN1 in WDS mode
Virtual    enet22 to enet26   WLAN2 in WDS mode
Chapter 16 Remote Management Screens
Internal RADIUS Server
17.1 Overview
This chapter describes how the NWA can use its internal RADIUS server to authenticate wireless clients.
Remote Authentication Dial In User Service (RADIUS) is a protocol that enables you to control access to a network by authenticating user credentials. The followi
110. [Screenshot residue: openSUSE network settings dialog with hostname, name server and domain search fields]
9 Click Finish to save your settings and close the window.
Appendix A Setting Up Your Computer's IP Address
Verifying Settings
Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information.
Figure 222 openSUSE 10.3: KNetwork Manager
When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly.
Figure 223 openSUSE: Connection Status - KNetwork Manager
Wireless LANs
Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.
Ad-hoc Wireless LAN Configuration
The simplest WLAN configurati
111. LABEL: DESCRIPTION
Security Mode: This field displays the security mode this security profile uses.
Edit: Select an entry from the list and click Edit to configure security settings for that profile.
After selecting the security profile you want to edit, the following screen appears. Enter the name you want to call this security profile in the Profile Name field.
Figure 93 Security: Profile Name
The next screen varies according to the Security Mode you select.
10.4.1 Security: WEP
Use this screen to set the selected profile to Wired Equivalent Privacy (WEP) security mode. Select WEP in the Security Mode field to display the following screen.
Figure 94 Wireless > Security: WEP
[Text shown in the screen:]
64-bit WEP: Enter 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F") for each Key (1-4).
128-bit WEP: Enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F") for each Key (1-4).
152-bit WEP: Enter 16 ASCII characters or 32 hexadecimal characters ("0-9", "A-F") for each Key (1-4).
112. [Screenshot residue: Wireless screen in MBSSID operating mode with the SSID profile Index, Active and Profile columns]
Chapter 8 Wireless Configuration
The following table describes the labels in this screen.
Table 29 Wireless: MBSSID
LABEL: DESCRIPTION
Operating Mode: Select MBSSID in this field to display the screen as shown.
Select SSID Profile: An SSID profile is the set of parameters relating to one of the NWA's BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating with the access point (AP) must have the same SSID. Note: If you are configuring the NWA from a computer connected to the wireless LAN and you change the NWA's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA's new settings.
Index: This is the index number of the SSID profile.
Active: Select the check box to enable an SSID profile.
Profile: Select the profile(s) of the SSIDs you want to use in your wireless network. You can have up to eight BSSs running on the NWA simultaneously, one of which is always the pre-configured VoIP_SSID profile and another of which is always the pre-configured Guest_SSID profile. Configure SSID profiles in the SSID screen. See Table 27 on
113. Chapter 18 Certificates
The following table describes the labels in this screen.
Table 69 Certificates > My Certificate Details
LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Property, Default self-signed certificate which signs the imported remote host certificates: Select this check box to have the NWA use this certificate to sign the trusted remote host certificates that you import to the NWA. This check box is only available with self-signed certificates. If this check box is already selected, you cannot clear it in this screen; you must select this check box in another self-signed certificate's details screen. This automatically clears the check box in the details screen of the certificate that was previo
114. Contents Overview (fragment)
Rogue AP Detection
Remote Management Screens
Internal RADIUS Server
Certificates
Log Screens
VLAN
Load Balancing
Dynamic Channel Selection
Maintenance
Troubleshooting and Specifications
Troubleshooting
Product Specifications
Appendices and Index
Table of Contents
About This User's Guide
Document Conventions
Safety Warnings
Contents Overview
Table of Contents
Part I
Chapter 1 Introducing the NWA
1.2 Applications for the NWA
115. Appendix C Pop-up Windows, JavaScripts and Java Permissions
5 Click OK to close the window.
Figure 236 Security Settings: Java
JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.
Figure 237 Java (Sun)
116. Chapter 6 Tutorial
5 Save the friendly AP list somewhere it can be accessed by all the other access points on the network. In this example, save it on the network file server (E in Figure 47 on page 84). The default filename is Flist.
Figure 52 Tutorial: Save Friendly AP list
6.3.2 Activate Periodic Rogue AP Detection
Take the following steps to activate rogue AP detection on the first of your NWAs.
1 In the ROGUE AP > Configuration screen, select Enable from the Rogue AP Period Detection field.
Figure 53 Tutorial: Periodic Rogue AP Detection
2 In the Period field, enter how often you want the NWA to scan for rogue APs. You can have the NWA scan anywhere from once every ten minutes to once every hour. In this example, enter 10.
3 In the Expiration Time field, enter how long an AP's entry can remain in the list before the NWA discards it from the list when the AP is no longer active. In this example enter
117. [Screenshot residue: Windows Vista Network and Sharing Center with the Manage network connections task]
5 Right-click Local Area Connection and then select Properties.
Figure 195 Windows Vista: Network and Sharing Center
Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
Appendix A Setting Up Your Computer's IP Address
6 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.
Figure 196 Windows Vista: Local Area Connection Properties
118. Appendix D Importing Certificates
3 In the Certificates Manager, click Authorities > Import.
Figure 271 Opera 9: Certificate manager
4 Use the Import certificate dialog box to locate the certificate and then click Open.
Figure 272 Opera 9: Import certificate
5 In the Install authority certificate dialog box, click Install.
Figure 273 Opera 9: Install authority certificate
6
119. [Screenshot residue: SSID profile list showing each profile's SSID, security profile, RADIUS profile, QoS, Layer-2 isolation and MAC filter settings]
The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID's radio button and click Edit. The following screen displays.
Figure 36 Tutorial: VoIP SSID Profile Edit
Chapter 6 Tutorial
Choose a new SSID for the VoI
120. ID identifies the management VLAN. A device must be a member of this management VLAN in order to access and manage the NWA. If a device is not a member of this VLAN, then that device cannot manage the NWA.
Note: If no devices are in the management VLAN, then you will be able to access the NWA only through the console port (not through the network).
Chapter 20 VLAN
20.4 Wireless VLAN Screen
Use this screen to enable and configure your Wireless Virtual LAN setup. Click VLAN > Wireless VLAN. The following screen appears.
Figure 143 VLAN > Wireless VLAN
The following table describes the labels in this screen.
Table 79 VLAN > Wireless VLAN
FIELD: DESCRIPTION
Enable VIRTUAL LAN: Select this box to enable VLAN tagging.
Management VLAN ID: Enter a number from 1 to 4094 to define this VLAN group. At least one device in your network must belong to this VLAN group in order to manage the NWA. Note: Mail and FTP servers must have the same management VLAN ID to communicate with the NWA. See Section 20.5.2 on page 240 for more in
121. L of the certification authority server
Chapter 18 Certificates
18.4.3
Table 68 Certificates > My Certificate Create (continued)
LABEL: DESCRIPTION
CA Certificate: Select the certification authority's certificate from the CA Certificate drop-down list box. You must have the certification authority's certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen, where you can view (and manage) the NWA's list of certificates of trusted certification authorities.
Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses CMP enrollment protocol. Just fill in the Key field if your certification authority uses the SCEP enrollment protocol.
Key: Type the key that the certification authority gave you.
Apply: Click Apply to begin certificate or certification request generation.
Cancel: Click Cancel to quit and return to the My Certificates screen.
After you click Apply in the My Certificate Create screen, you see a screen that tells you the NWA is generating the self-signed certificate or certification request.
After the NWA successfull
122. NWA-3500/NWA-3550
802.11a/g Dual Radio Wireless Business AP
802.11a/g Dual Radio Outdoor WLAN Business AP
Default Login Details
IP Address: http://192.168.1.2
Password: 1234
Firmware Version 3.7
Edition 1, 1/2009
www.zyxel.com
Copyright 2009 ZyXEL Communications Corporation
About This User's Guide
Intended Audience
This manual is intended for people who want to configure the NWA using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
Note: It is recommended you use the web configurator to configure the NWA.
Support Disc: Refer to the included CD for support documents.
ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.
User's Guide Feedback
Help us help you. Send all User's Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you.
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw
123. Next, click OK.
Figure 274 Opera 9: Install authority certificate
7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.
Removing a Certificate in Opera
This section shows you how to remove a public key certificate in Opera 9.
Appendix D Importing Certificates
1 Open Opera and click Tools > Preferences.
Figure 275 Opera 9: Tools Menu
2 In Preferences, Advanced > Security > Manage certificates.
Figure 276 Opera 9: Preferences
3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.
Figure 277 Opera 9: Certificate manager
124. Overview
This chapter discusses how you can use the Wireless > MAC Filter screen. The MAC filter function allows you to configure the NWA to grant access to devices (Allow Association) or exclude devices from accessing the NWA (Deny Association).
Figure 108: MAC Filtering
In the figure above, wireless client U is able to connect to the Internet because its MAC address is in the allowed association list specified in the NWA. The MAC address of client A is either denied association or is not in the list of allowed wireless clients specified in the NWA.

13.2 What You Can Do in the MAC Filter Screen
Use the Wireless > MAC Filter screen (see Section 13.4 on page 172) to specify which wireless station is allowed or denied access to the ZyXEL Device.

13.3 What You Should Know About MAC Filter
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of each device to configure MAC filtering on the NWA.

13.4 The MAC Filter Screen
The MAC filter profile is a user-configured list of MAC addresses. Each SSID profile can reference one MAC filter profile. The NWA provides
125. 3. The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page's security details.

Removing a Certificate in Konqueror
This section shows you how to remove a public key certificate in Konqueror 3.5.
1. Open Konqueror and click Settings > Configure Konqueror.
Figure 284: Konqueror 3.5: Settings Menu
2. In the Configure dialog box, select Crypto.
3. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove.
Figure 285: Konqueror 3.5: Configure
126. P network. In this example, enter VOIP_SSID_Example. Note that although the SSID changes, the SSID profile name (VoIP_SSID) remains the same as before.
- Select Enable from the Hide Name (SSID) list box. You want only authorized company employees to use this network, so there is no need to broadcast the SSID to wireless clients scanning the area.
- The standard network (SSID04) is currently using the security01 profile, so use a different profile for the VoIP network. If you used the security01 profile, anyone who could access the standard network could access the VoIP wireless network. Select security02 from the Security field.
Leave all the other fields at their defaults and click Apply.

6.2.2.1 Set Up Security for the VoIP Profile
Now you need to configure the security settings to use on the VoIP wireless network. Click the Security tab.
Figure 37: Tutorial: VoIP Security
127. 4. From the Configure list, select Using DHCP for dynamically assigned settings.
5. For statically assigned settings, do the following:
- From the Configure list, select Manually.
- In the IP Address field, enter your IP address.
- In the Subnet Mask field, enter your subnet mask.
- In the Router field, enter the IP address of your NWA.
Figure 207: Mac OS X 10.5: Network Preferences > Ethernet
6. Click Apply and close the window.

Verifying Settings
Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab.
Figure 208: Mac OS X 10.5: Network Utility
128. Path Costs
Columns: LINK SPEED, RECOMMENDED VALUE, RECOMMENDED RANGE, ALLOWED RANGE
Path Cost, 4Mbps: recommended value 250; recommended range 100 to 1000; allowed range 1 to 65535
Path Cost, 10Mbps: recommended value 100; recommended range 50 to 600; allowed range 1 to 65535
Path Cost, 16Mbps: recommended value 62; recommended range 40 to 400; allowed range 1 to 65535
Path Cost, 100Mbps: recommended value 19; recommended range 10 to 60; allowed range 1 to 65535
Path Cost, 1Gbps: recommended range 3 to 10; allowed range 1 to 65535
Path Cost, 10Gbps: recommended value 2; recommended range 1 to 5; allowed range 1 to 65535

On each bridge, the root port is the port through which this bridge communicates with the root. It is the port on this switch with the lowest path cost to the root (the root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network.
For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN.

8.5.1.3 How STP Works
After a bridge determines the lowest cost spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops.
STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge
129. Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
Figure 226: Infrastructure WLAN

Channel
A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, causing interference and degrading performance.
Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.

RTS/CTS
A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or
130. Ps
Note: A managed AP may potentially be turned off if it is within range of its controller AP while the controller AP updates its settings. The managed AP retains the last settings acquired from the controller AP and is automatically updated once it is detected again by the controller AP.

5.3 Controller AP Status Screen
When the NWA is in AP controller mode, the Status screen displays some unique fields in the System Information, AP Status, WLAN Association and System Status sections. The System Status links take you to screens that provide information on the access points managed by the NWA. Click Status. The following screen displays.
Figure 23: AP Controller: the Status Screen
The following table describes the new labels in this screen.
Table 9: AP Controller: the Status Screen
LABEL / DESCRIPTION
131. The following table describes the labels in this screen.
Table 70: Trusted CAs
LABEL / DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the NWA's PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Trusted CA Certificates
#: This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
132. The following table describes the labels in this screen.
Table 11: The Controller > Configuration Screen
LABEL / DESCRIPTION
Pre-Shared Key: This is the security key used to encrypt communications between the NWA and its managed APs. This key is used to encrypt DTLS (Datagram Transport Layer Security) transmissions. Enter 8-32 English keyboard characters. The proprietary AutoPSK protocol transfers the DTLS key from the NWA to the managed APs automatically.
Registration Type: This controls whether the NWA manages all CAPWAP-enabled APs that transmit management request packets, or requires the user to select which such APs to manage.
- Select Manual to choose which APs to manage (select the APs you want to manage in the Controller > AP Lists screen).
- Select Always Accept to manage any AP on your network that transmits a CAPWAP request for management.
Apply: Click this to save the changes in this screen.
Reset: Click this to return the fields in this screen to their previously saved values.

5.6 Redundancy Screen
Use this screen to set the controller AP as a primary or secondary controller. If you set your NWA as a primary controller AP, you can have a secondary controller AP to serve as a backup. All configurations are synchronized between the NWA and the secondary controller AP. When
133. S profile from the drop-down list box, if you have a RADIUS server configured. If you do not need to use RADIUS authentication, ignore this field. See Section 11.4 on page 163 for more information.

Table 38: Wireless > SSID > Edit
LABEL / DESCRIPTION
QoS: Select the Quality of Service priority for this BSS's traffic.
- In the pre-configured VoIP_SSID profile, the QoS setting is VoIP. This is not user-configurable. The VoIP setting is available only on the VoIP_SSID profile, and provides the highest level of QoS.
- If you select WMM from the QoS list, the priority of a data packet depends on the packet's IEEE 802.1q or DSCP header. See Section 8.5.6 on page 137 for more information on WMM and WMM priorities. If a packet has no WMM value assigned to it, it is assigned the default priority.
- If you select ATC from the QoS list, the NWA automatically assigns priority based on packet size. See Section 8.5.7 on page 138 for more information on ATC.
- If you select ATC+WMM from the QoS list, the NWA uses WMM on the wireless network and ATC on the wired network. See Section 8.5.8 on page 139 for more information on ATC+WMM.
- If you select WMM_VOICE, WMM_VIDEO, WMM_BEST_EFFORT or WMM_BACKGROUND, the NWA applies that QoS setting to all of that SSID's traffic.
- If you select NONE, the NWA applies no priority to traffic on this SSID.
Note: When you conf
134. S server has priority.
Idle Timeout: The NWA automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

10.4.4 Security: WPA
Use this screen to set the selected profile to Wi-Fi Protected Access (WPA) security mode. Select WPA in the Security Mode field to display the following screen.
Figure 97: Wireless > Security: WPA
The following table describes the labels in this screen.
Table 44: Wireless > Security: WPA
LABEL / DESCRIPTION
Profile Name: Type a name to identify this security profile.
Security Mode: Choose WPA in this field.
ReAuthentication Timer: Specify how often wireless stations have to resend user names and passwords in order to st
135. Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the NWA using this service. Select All to allow any computer to access the NWA using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.

16.6 The WWW Screen
You can choose to configure your NWA via the World Wide Web (WWW) using a Web browser. This lets you specify which IP addresses or computers are able to communicate with and access the NWA. To change your NWA's WWW settings, click REMOTE MGNT > WWW. The following screen shows.
Figure 122: Remote MGNT > WWW
The following table describes the labels in this screen.
Table 59: Remote MGNT > WWW
LABEL / DESCRIPTION
WWW
Server Port: You may cha
136. TLS (Datagram Transport Layer Security).
At the time of writing, the following ZyXEL AP models can be CAPWAP managed APs:
- NWA-3160
- NWA-3163
- NWA-3500
- NWA-3550
- NWA-8500
The following figure illustrates a CAPWAP wireless network. The user (U) configures the controller AP (C), which then automatically updates the configurations of the managed APs (M1 ~ M4).
Figure 7: CAPWAP Network Example

1.4 Ways to Manage the NWA
Use any of the following methods to manage the NWA.
- Web Configurator. This is recommended for everyday management of the NWA using a (supported) web browser.
- Command Line Interface. Line commands are mostly used for troubleshooting by service engineers.
- SMT. System Management Terminal is a text-based configuration menu that you can use to configure your device. Use Telnet to access the SMT.
- FTP (File Transfer Protocol) for firmware upgrades and configuration backup and restore.
- SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter (Section 16.7 on page 194) in this User's Guide.

1.5 Configuring Your NWA's Security Features
Your NWA comes with a variety of security features. This section summarizes these features and provides links to sections in the User's Guide to configure security settings on your NWA. Follow the suggestions below to improve security on you
138. Trusted Users
LABEL / DESCRIPTION
#: This field displays the trusted user index number.
Active: Select this to have the NWA authenticate wireless clients with the same user name and password activated on their wireless utilities.
User Name: Enter the user name for this user account. This name can be up to 31 alphanumeric characters long, including spaces. The wireless client's utility must use this name as its login name.
Password: Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a for each character you type. The password on the wireless client's utility must be the same as this password.
Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

17.7 Technical Reference
This section provides some technical background information about the topics covered in this chapter.
A trusted AP is an AP that uses the NWA's internal RADIUS server to authenticate its wireless clients. Each wireless client must have a user name and password configured in the AUTH. SERVER > Trusted Users screen.
The following figure shows how this is done. Wireless clients make access requests to trusted
139. The following table describes the labels in this screen.
Table 72: Certificates > Trusted CAs Details
LABEL / DESCRIPTION
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Property: Check incoming certificates issued by this CA against a CRL: Select this check box to have the NWA check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the NWA not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL).

Table 72: Certificates > Trusted CAs Details (continued)
LABEL / DESCRIPTION
Certificate Path: Click the Refresh button to have this read-only text box display the end entity's certificate and a list of certification auth
140. Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.

Table 70: Trusted CAs (continued)
LABEL / DESCRIPTION
CRL Issuer: This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate's details screen to have the NWA check the CRL before trusting any certificates issued by the certification authority. Otherwise, the field displays No.
Details: Click Details to view in-depth information about the certification authority's certificate, change the certificate's name and set whether or not you want the NWA to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.
Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the NWA.
Delete: Click Delete to delete an existing certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
Refresh: Click this b
141. WA
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The NWA uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).

Table 69: Certificates > My Certificate Details (continued)
LABEL / DESCRIPTION
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair
142. WEP key encrypting. A higher bit key offers better security. You can manually enter 64-bit, 128-bit or 152-bit WEP keys.
More information on Wireless Security can be found in Appendix B on page 233.

RADIUS Screen

11.1 Overview
This chapter describes how you can use the Wireless > RADIUS screen.
Remote Authentication Dial In User Service (RADIUS) is a protocol that can be used to manage user access to large networks. It is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server.
Figure 100: RADIUS Server Setup
In the figure above, wireless clients A and B are trying to access the Internet via the NWA. The NWA in turn queries the RADIUS server if the identity of clients A and U are allowed access to the Internet. In this scenario, only client U's identity is verified by the RADIUS server and allowed access to the Internet.

11.2 What You Can Do in the RADIUS Screen
Use the Security > RADIUS screen (see Section 11.4 on page 163) if you want to authenticate wireless users using a RADIUS Server and/or Accounting Server.

11.3 What You Need To Know
The RADIUS se
143. You also have a network mail/file server, marked E, and a computer, marked F, connected to the wired network. The coffee shop's access point is marked 1.
Figure 47: Tutorial: Wireless Network Example
In the figure, the solid circle represents the range of your wireless network, and the dashed circle represents the extent of the coffee shop's wireless network. Note that the two networks overlap. This means that one or more of your APs can detect the AP (1) in the other wireless network.
When configuring the rogue AP feature on your NWAs in this example, you will need to use the information in the following table. You need the IP addresses of your APs to access their Web configurators, and you need the MAC address of each AP to configure the friendly AP list. You need the IP address of the mail server to set up e-mail alerts.

Table 16: Tutorial: Rogue AP Example Information
DEVICE / IP ADDRESS / MAC ADDRESS
Access Point A / 192.168.1.1 / 00:AA:00:AA:00:AA
Access Point B / 192.168.1.2 / AA:00:AA:00:AA:00
Access Point C / 192.168.1.3 / A0:0A:A0:0A:A0:0A
Access Point D / 192.168.1.4 / 0A:A0:0A:A0:0A:A0
File/Mail Server E / 192.168.1.25 / N/A
Access Point 1 / UNKNOWN / AF:AF:AF:FA:FA:FA

Note: The NWA can detect the MAC addresses of APs automatically. However, it is more secure to obtain the correct MAC ad
144. 3. When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure.
Figure 200: Mac OS X 10.4: Network Preferences
4. For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab.
Figure 201: Mac OS X 10.4: Network Preferences > TCP/IP Tab
5. For statically assigned settings, do the
145. Table 93: Other Specifications
Approvals
Radio:
- USA: FCC Part 15C 15.247, FCC Part 15E 15.407, FCC OET65
- EU: ETSI EN 300 328 V1.7.1, ETSI EN 301 893 V1.2.3
- Taiwan: DGT LP0002
- Canada: Industry Canada RSS-210
- Australia: AS/NZS 4268
EMC (EMI):
- USA: FCC Part 15 Subpart B
- EU: EN 301 489-17 V1.2.1 (08-2002), EN 55022:2006
- Canada: ICES-003
- Australia: AS/NZS CISPR22
EMC (EMS):
- EU: EN 301 489-1 V1.5.1 (11-2004)
Environmental:
- 2002/95/EC (RoHS: Restriction of Hazardous Substances Directive)
- 2002/96/EC (WEEE: Waste Electrical and Electronic Equipment Directive)
- European Parliament and Council Directive 94/62/EC of 20 December 1994 on packaging and packaging waste

Compatible ZyXEL Antennas
At the time of writing, you can use the following antennas in your NWA.
Table 94: NWA Compatible Antennas
MODEL: EXT-108, EXT-109, EXT-114, EXT-118, ANT2206, ANT3108, ANT3218
FEATURES
Frequency Band (MHz): 2400 2400 2400 2400 240 490 5150 4900 2500 2500 2500 2500 O O 5875 5875 250 587 0 5
Gain (dBi): 8 9 14 18 6 8 8 18
Max VSWR: 2 0 1 1 5 1 1 5 1 1 5 1 2 0 2 0 2 0 1 2 0 1 1 1
HPBW Horizontal: 360 650 30 15 65 50 360 18
HPBW Vertical: 15 60 30 5 750 500 20 18
Impedance (Ohm): 50 50 50 50 50 50 50
Connector
146. about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the NWA uses RSA encryption) and the length of the key set in bits (1024 bits, for example).
Subject Alternative Name: This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).

Table 72: Certificates > Trusted CAs Details
147. access priority to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams.
The NWA uses WMM QoS to prioritize traffic streams according to the IEEE 802.1q tag or DSCP information in each packet's header. The NWA automatically determines the priority to use for an individual traffic stream. This prevents reductions in data transmission for applications that are sensitive to latency (delay) and jitter (variations in delay).

8.5.6.1 WMM QoS Priorities
The following table describes the WMM QoS priority levels that the NWA uses.
Table 32: WMM QoS Priorities
PRIORITY LEVEL / DESCRIPTION
voice (WMM_VOICE): Typically used for traffic that is especially sensitive to jitter. Use this priority to reduce latency for improved voice quality.
video (WMM_VIDEO): Typically used for traffic which has some tolerance for jitter but needs to be prioritized over other data traffic.
best effort (WMM_BEST_EFFORT): Typically used for traffic from applications or devices that lack QoS capabilities. Use best effort priority for traffic that is less sensitive to latency, but is affected by long delays, such as Internet surfing.
background: This is typically used for non-critical traffic
148. accounts to each VLAN Group.
1 Using the Active Directory Users and Computers administrative tool, create the VLAN Groups that will be used for each VLAN ID. One VLAN Group must be created for each VLAN defined on the NWA. The VLAN Groups must be created as Global Security groups.
1a Type a name for the VLAN Group that describes the VLAN Group's function.
1b Select the Global Group scope parameter check box.
1c Select the Security Group type parameter check box.
1d Click OK.
Figure 150 New Global Security Group
2 In VLAN Group ID Properties, click the Members tab. The IAS uses group memberships to determine which user accounts belong to which VLAN groups. Click the Add button and configure the VLAN group details.
3 Repeat the previous step to add each VLAN group required.
Figure 151 Add Group Members
20.5.3.2 Configuring Remote Access Policies
Once the VLAN Groups have been created, the IAS Remote Access Policy needs to be defined. This allows the IAS to compare the user account being authenticated against the group m
149. adcast range.
Table 8 The Management Mode Screen
LABEL | DESCRIPTION
Manual AP Controller IP | Check this if you know the IP address of the controller AP that you want to manage this AP.
Primary AP Controller IP | Enter the IP address of the primary controller AP.
Secondary AP Controller IP | Enter the IP address of the secondary controller AP.
Apply | Click this to save your changes. Note: If you change the mode in this screen, the NWA restarts. Wait a short while before you attempt to log in again. If you changed the mode to Managed AP, you cannot log in as the web configurator is disabled; you must manage the NWA through the management AP on your network.
Reset | Click this to return this screen to its previously saved settings.
Controller AP Mode
5.1 Overview
This chapter discusses the Controller AP management mode. When the NWA is used as a CAPWAP (Control And Provisioning of Wireless Access Points) controller AP, the Web Configurator changes to reflect this by including the Controller and Profile Edit screens. Refer to Section 4.1 on page 47 for more information on CAPWAP.
5.1.1 What You Can Do in AP Controller Mode
• Use the Navigation Menu (Section 5.2 on page 54) to manage settings across al
150. The following table describes the labels in this screen.
Table 5 Status > AP List
LABEL | DESCRIPTION
AP Description | This is the descriptive name configured for this AP in the Controller > AP List.
Model | This is the model name of the AP.
Radio MAC | This is the MAC address of each wireless module.
802.11 Mode | This is the wireless standard supported by each wireless module on the AP.
Channel ID | This is the channel ID number used by each wireless module on the AP.
SSID List | This is the SSID(s) currently used by each wireless module.
VLAN | This is the VLAN ID of each SSID in use. It shows if the SSID does not use VLAN.
Stations | This is the number of the wireless clients currently associated to each wireless module.
Refresh | Click this button to update the screen statistics immediately.
3.1.2 AP Statistics
Click the AP Statistics link in the Status screen when the NWA is in AP controller managemen
151. Appendix C Pop-up Windows, JavaScripts and Java Permissions
Appendix D Importing Certificates
Appendix E IP Addresses and Subnetting
Appendix F Text File Based Auto Configuration
Appendix G Legal Information
PART Introduction
Introducing the NWA
Introducing the Web Configurator
Status Screens
Management Mode
Tutorial
Introducing the NWA
This chapter introduces the main applications and features of the NWA. It also introduces the ways you can manage the NWA.
1.1 Introducing the NWA
Your NWA extends the range of your existing wired network without additional wiring, providing easy network access to mobile users. It is highly versatile, supporting multiple BSSIDs simultaneously. The Quality of Service (QoS) features allow you to prioritize time-sensitive or highly important applications such as VoIP. Multiple security profiles allow you to easily assign different types
152. ages sent independently by the SNMP agent, the agent must authenticate the SNMP manager. If the SNMP manager does not provide the correct security details, the agent does not send the traps. The NWA has two SNMP version 3 login accounts, User and Admin. Each account has different security settings. You can use either account's security settings for authenticating SNMP traps. Select User to have the NWA use the User account's security settings, or select Admin to have the NWA use the Admin account's security settings. Use the Configure SNMPv3 User Profile link to set up each account's security settings.
Configure SNMPv3 User Profile | Click this to go to the SNMPv3 User Profile screen, where you can configure administration and user login details.
SNMP Service Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Service Access | Select the interface(s) through which a computer may access the NWA using this service.
Secured Client IP Address | A secured client is a "trusted" computer that is allowed to communicate with the NWA using this service. Select All to allow any computer to access the NWA using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service.
Apply | Click Apply to save your customized settings a
153. agging
8 Click Apply. The following screen displays.
Figure 147 VLAN-Aware Switch
9 Click VLAN Status to display the following screen.
Figure 148 VLAN-Aware Switch: VLAN Status
Follow the instructions in the Quick Start Guide to set up your NWA for configuration. The NWA should be connected to the VLAN-aware switch. In the above example, the switch is using port 1 to connect to your computer and port 2 to connect to the NWA (Figure 145 on page 241).
1 In the NWA web configurator, click VLAN to open the VLAN setup screen.
2 Select the Enable VLAN Tagging check box and type a Management VLAN ID (10 in this example) in the field provided.
3 Click Apply.
Figure 149 VLAN Setup
154. al field is configurable. The fields in this screen vary according to the current wireless mode of each WLAN adaptor.
Figure 173 Maintenance > System Status: Show Statistics
The following table describes the labels in this screen.
Table 85 Maintenance > System Status: Show Statistics
LABEL | DESCRIPTION
Port | This is the Ethernet port (LAN) or wireless LAN adaptor (WLAN1 or WLAN2).
Status | This shows the port speed and duplex setting if you are using Ethernet encapsulation for the Ethernet port. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, wh
155. Click the Network and Sharing Center icon.
Figure 193 Windows Vista: Network And Internet
Appendix A Setting Up Your Computer's IP Address
4 Click Manage network connections.
Figure 194 Windows Vista: Network and Sharing Center
156. ally configure a TFTP server IP address and a file name for the AP to use for auto provisioning whenever the AP starts up. See Section 25.1 on page 257 for how to access the Command Interpreter (CI).
Table 114 Manual Configuration
COMMAND | DESCRIPTION
wcfg autocfg server IP filename | Specify the TFTP server IP address and file name from which the AP is to download a configuration file whenever the AP starts up.
Configuration Via SNMP
You can configure and trigger the auto configuration remotely via SNMP. Use the following procedure to have the AP download the configuration file.
Table 115 Configuration via SNMP
STEPS | MIB VARIABLE | VALUE
Step 1 | pwTftpServer | Set the IP address of the TFTP server.
Step 2 | pwTftpFileName | Set the file name, for example, g3000hcfg.txt.
Step 3 | pwTftpFileType | Set to 3 (text configuration file).
Step 4 | pwTftpOpCommand | Set to 2 (download).
Verifying Your Configuration File Upload Via SNMP
You can use SNMP management software to display the configuration file version currently on the device by using the following MIB.
Table 116 Displaying the File Version
ITEM | OBJECT ID | DESCRIPTION
pwCfgVersion | 1.3.6.1.4.1.890.1.9.1.2 | This displays the current configuration file version.
Troubleshooting Via SNMP
If you have any difficulties with the c
157. an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.
Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keyi
158. an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A n
159. and set whether or not you want the NWA to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority. Click Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CAs Details screen.
Figure 136 Certificates > Trusted CAs Details
160. apter describes how you can configure Service Set Identifier (SSID) profiles in your NWA.
Figure 88 Sample SSID Profiles
In the figure above, the NWA has three SSID profiles configured: a standard profile (SSID04), a profile with high QoS settings for Voice over IP (VoIP) users (VoIP_SSID), and a guest profile that allows visitors access only to the Internet and the network printer (Guest_SSID).
9.2 What You Can Do in the SSID Screen
Use the Wireless > SSID screen (see Section 9.4 on page 143) to configure up to 16 SSID profiles for your NWA.
9.3 What You Need To Know
When the NWA is set to Access Point, AP + Bridge or MBSSID mode, you need to choose the SSID profile(s) you want to use in your wireless network (see Chapter 1 on page 31 for more information on operating modes). To configure the settings of your SSID profile, you need to know the Media Access Control (MAC) addresses of the devices you want to allow access to it. Each SSID profile references the settings configured in the following screens:
• Wireless > Security (one of the security profiles).
• Wireless > RADIUS (one of the RADIUS profiles).
• Wireless > MAC Filter (the MAC filter list, if activated in the SSID profile).
• Wireless > Layer 2 Isolation (the layer 2 isolation list, if activated in the SSID profile).
161. are using FTP/TFTP commands.
23.4 System Status Screen
Use this screen to get a quick summary of the status of your NWA. Click Maintenance > System Status. The following screen displays.
Figure 172 Maintenance > System Status
The following table describes the labels in this screen.
Table 84 Maintenance > System Status
LABEL | DESCRIPTION
System Name | This is the System Name you can configure in the SYSTEM > General screen. It is for identification purposes.
ZyNOS Firmware Version | This is the ZyNOS Firmware version and date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
IP Address | This is the Ethernet port IP address.
IP Subnet Mask | This is the Ethernet port subnet mask.
DHCP | This is the Ethernet port DHCP role (Client or None).
Show Statistics | Click Show Statistics to see the NWA performance statistics, such as number of packets sent and number of packets received for each port.
23.4.1 System Statistics Screen
Use this screen to view diagnostic information about the NWA. Click Maintenance > Show Statistics. The following screen pops up.
Note: The Poll Interv
162. ategory and a parameter to decide what to record.
Table 78 Log Categories and Available Settings
LOG CATEGORIES | AVAILABLE PARAMETERS
error | 0, 1, 2, 3
mten | 0, 1
Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category. Use the sys logs save command to store the settings in the NWA (you must do this in order to record logs).
Displaying Logs
• Use the sys logs display command to show all of the logs in the NWA's log.
• Use the sys logs category display command to show the log settings for all of the log categories.
• Use the sys logs display [log category] command to show the logs in an individual NWA log category.
• Use the sys logs clear command to erase all of the NWA's logs.
Log Command Example
This example shows how to set the NWA to record the error logs and alerts and then view the results.
ras> sys logs load
ras> sys logs category error 3
ras> sys logs save
ras> sys logs display access
time source destination notes message
O 11 11 2002 15 10 12 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK
VLAN
20.1 Overview
This chapter discusses how to configure VLAN on the NWA. A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple l
163. ator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the NWA. Once you have decided on the network number, pick an IP address for your NWA that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your NWA will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the NWA unless you are instructed to do otherwise.
Private IP Addresses
Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hos
164. ay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout | The NWA automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer | The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The NWA default is 1800 seconds (30 minutes).
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
10.4.5 Security: WPA2 or WPA2-MIX
Use this screen to set the selected profile to WPA2 or WPA2-MIX security mode. Select WPA2 or WPA2-MIX in the Security Mode field to display the following screen.
Figure 98 Wireless > Security: WPA2 or WPA2-MIX
165. bes the labels in this screen.
Table 60 Remote MGNT > SNMP
LABEL | DESCRIPTION
SNMP Configuration
Get Community | Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community | Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.
Community | Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Trap Destination | Type the IP address of the station to send your SNMP traps to.
SNMP Version | Select the SNMP version for the NWA. The SNMP version on the NWA must match the version on the SNMP manager. Choose SNMP version 1 (SNMPv1), SNMP version 2 (SNMPv2) or SNMP version 3 (SNMPv3).
Trap Community | Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests. This field is available only when SNMPv1 or SNMPv2 is selected in the SNMP Version field.
User Profile | This field is available only when you select SNMPv3 in the SNMP Version field. When sending SNMP v3 traps mess
166. between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
Installing a Stand-Alone Certificate File in Firefox
Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
1 Open Firefox and click Tools > Options.
Figure 259 Firefox 2: Tools Menu
2 In the Options dialog box, click Advanced > Encryption > View Certificates.
Figure 260 Firefox 2: Options
3 In the Certificate Manager dialog box, click Web Sites > Import.
Figure 261 Firefox 2: Certificate Manager
4 Use the Select File dialo
167. bout This User's Guide
Customer Support
In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User's Guide.
Warnings tell you about things that could harm you or your NWA.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• The NWA-3500 or the NWA-3550 may be referred to as the "NWA", the "device", the "system" or the "product" in this User's Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
• "Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or
168. by the device unless you are instructed to do otherwise.
7.3.1 Administrator Authentication on RADIUS
The administrator authentication on RADIUS feature lets an external or internal RADIUS server authenticate management logins to the NWA. This is useful if you need to regularly change a password that you use to manage several NWAs. Activate administrator authentication on RADIUS in the SYSTEM > Password screen and configure the same user name, password and RADIUS server information on each NWA. Then, whenever you want to change the password, just change it on the RADIUS server.
7.4 General Setup Screen
Use the General screen to identify your NWA over the network. Click System > General. The following screen displays.
Figure 73 System > General
The following table describes the labels in this screen.
Table 23 System > General
LABEL | DESCRIPTION
General Setup
System Name | Type a descriptive name to identify the NWA in the Ethernet network. This name can be up to 30 alphanumeric characters long. Spaces are no
169. Figure labels: Managed APs (2nd, 3rd and 4th floors); Secondary and Primary Controller APs (1st floor)
6.5.2 Your Requirements
1 You want to manage the APs in your company using one controller AP's Web Configurator. That is, you only need to know one IP address to edit the settings of the NWAs in your wireless network.
2 You want to have a backup of the NWA (controller AP) configuration.
6.5.3 Setup
In this example, your NWAs (standalone APs) mirror each other. They all have the same SSID profiles stored. First, you need to download the configuration file from one of your NWAs for backup purposes. Refer to Section 23.8.1 on page 272 for information on how to download the configuration file from your NWA. In case there are various SSID profiles stored in each NWA (standalone AP), the administrator will have to copy each SSID profile to just one NWA, which will serve as the NWA (controller AP).
Note: This tutorial covers only the MGNT MODE and Controller screens.
You will need to do the following steps to configure the management modes of your NWAs.
1 Assign one NWA AP (A) as the controller AP for your wireless NWA AP network. This will be your primary controller AP. Acquire another NWA with the same model and firmware version as A to serve as the secondary controller AP (E). Both controller APs (A and E) are
170. can view text files (usually referred to as "pages") using your web browser via HyperText Transfer Protocol (HTTP).
SNMP
Simple Network Management Protocol (SNMP) is a member of the TCP/IP protocol suite used for exchanging management information between network devices. Your NWA supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA through the network. The NWA supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation.
Note: SNMP is only available if TCP/IP is configured.
Figure 119 SNMP Management Mode
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the NWA). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices. SNMP allows a manager and agents to communicate for the purpose of accessing information such as packets received, node port status, etc.
Remote Management Limitations
Remote management over LAN or WLAN will not
171. cated in an external log server (B). An email server (C) can also send harvested logs to the user's email account.
19.2 What You Can Do in the Log Screens
• Use the View Log screen (Section 19.4 on page 228) to display all logs or logs for a certain category. You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted.
• Use the Log Settings screen (Section 19.5 on page 229) to configure where and when the NWA will send the logs, and which logs and/or immediate alerts it will send.
19.3 What You Need To Know
Alerts and Logs
An alert is a type of log that warrants more serious attention. Some categories, such as System Errors, consist of both logs and alerts. You can differentiate them by their color in the View Log screen. Alerts are displayed in red and logs are displayed in black.
Receiving Logs via Email
If you want to receive logs in your email account, you need to have the necessary details ready, such as the Server Name or SMTP Address of your email account. Ensure that you have a valid email address.
Enabling Syslog Logging
To enable Syslog Logging, obtain your Syslog server's IP address or server name.
19.4 The View Log Screen
Use this screen to see the logs for the categories that you selected in the Log Settings screen (see Figure 141 on page 230). Options inc
172. [Table of contents, continued; only the legible entries are kept]
Chapter 21 Load Balancing
21.1.1 What You Need to Know About Load Balancing
21.2.1 Disassociating and Delaying Connections
Chapter 22 Dynamic Channel Selection
Chapter 23 Maintenance
23.2 What You Can Do in the Maintenance Screens
23.3 What You Need To Know About the Maintenance Screens
23.4 System Status Screen
23.4.1 System Statistics Screen
173. [Table of contents, continued; only the legible entries are kept]
19.6.3 Configuring What You Want the NWA to Log
19.6.5 Log Command Example
Chapter 20 VLAN
20.2 What You Can Do in the VLAN Screen
20.3 What You Need To Know About VLAN
20.4 Wireless VLAN Screen
20.4.1 RADIUS VLAN Screen
20.5 Technical Reference
20.5.2 Configuring Management VLAN Example
20.5.3 Configuring Microsoft's IAS Server Example
20.5.3.1 Configuring VLAN Groups
20.5.3.2 Configuring Remote Access Policies
20.5.4 Second Rx VLAN ID Example
20.5.4.1 Second Rx VLAN Setup Example
174. certificate.

[Figure 279: Konqueror 3.5: Server Authentication. The dialog asks "Would you like to accept this certificate forever without being prompted?"]

4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page's security details.

[Figure 280: Konqueror 3.5: KDE SSL Information. The example window reports that the current connection is secured with SSL. Peer certificate and issuer show the same fields: Organization ZyXEL, Organizational unit XYZ200, Country us, Common name 172.23.37.202. IP address: 172.23.37.202. URL: https://172.23.37.202/loginwrap.html. Certificate state: "Certificate is self signed and thus may not be trustworthy." Valid from Wednesday 21 May 2008 06:42:35 am GMT until Saturday 21 May 2011 06:42:35 am GMT. Serial number: 11139321193569894228. MD5 digest: 3F:9A:76:6E:A9:F5:07:41:BE:4C:8B:8B:A2:D3:F0:2F. Cipher in use: DHE-RSA-AES256-SHA (SSLv3, Kx=DH, Au=RSA, Enc=AES(256), Mac=SHA1). SSL version: TLSv1/SSLv3. Cipher strength: 256 bits used of a 256 bit cipher.]

Installing a Stand-Alone Certificate File in Konqueror
Rather than browsing to a ZyXEL web configurator and instal
175. choose means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
• Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
• "e.g." is a shorthand for "for instance", and "i.e." means "that is" or "in other words".

Icons Used in Figures
Figures in this User's Guide may use the following generic icons. The NWA icon is not an exact representation of your NWA.

Table 1 Common Icons: NWA, Computer, Notebook, Server, Printer, Telephone, Switch, Router, Internet Cloud, Firewall, DSLAM, Wireless Signal

Safety Warnings
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from li
176. ciate with the NWA. Select 802.11b+g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA. The transmission rate of your NWA might be reduced. Select 802.11a to allow only IEEE 802.11a compliant WLAN devices to associate with the NWA.

Super Mode: Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting.

Disable channel switching for DFS: This field displays only when you select 802.11a in the 802.11 Mode field. Select this if you do not want to use DFS (Dynamic Frequency Selection).

Choose Channel ID: Set the operating frequency/channel depending on your particular region. To manually set the NWA to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the NWA automatically select a channel, click Scan instead.

Scan: Click this button to have the NWA automatically scan for and select the channel with the least interference.

Disable channel switching for DFS: This field is available when you select 802.11a in the 802.11 Mode field. DFS (dynamic frequency selection) allows an AP to detect other devices in the same channel. If there is another device using the same channel, the AP changes to a different channel, so that it can avoid interference with radar systems or other wirel
177. ckup Configuration, Restore Configuration, Back to Factory Defaults

23.8.1 Backup Configuration
Backup configuration allows you to back up (save) the NWA's current configuration to a file on your computer. Once your NWA is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the NWA's current configuration to your computer.

23.8.2 Restore Configuration
Restore configuration allows you to upload a new or previously saved configuration file from your computer to your NWA.

Table 89 Restore Configuration
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
Upload: Click Upload to begin the upload process.

Do not turn off the NWA while configuration file upload is in progress. After you see a "restore configuration successful" screen, you must then wait one minute before logging into the NWA again.

[Figure 181: Configuration Upload Successful]
Restore Configuration successful The D
178. col may either be Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2) or Generic Token Card (GTC). Further information on these terms can be found in Appendix B on page 233.

10.4 The Security Screen
Note: The following screens are configurable only in Access Point, AP+Bridge and MBSSID operating modes.

Use this screen to choose and edit a security profile. Click Wireless > Security. The following screen displays.

[Figure 92: Wireless > Security. The screen lists security profiles security01 to security16 with their index numbers; every profile shows Security Mode None.]

The following table describes the labels in this screen.

Table 40 Wireless > Security
Index: This is the index number of the security profile.
Profile Name: This field displays a name given to a security profile in the Security configuration screen.
179. (continued)
Key Usage: This field displays for what functions the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign certificates and "KeyEncipherment" means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path.
CRL Distribution Points: This field displays how many directory servers with Lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
MD5 Fingerprint: This is the certificate's message digest that the NWA calculated using the MD5 algorithm. You cannot use this value to verify that this is the remote host's actual certificate because the NWA has signed the certificate, thus causing this value to be different from that of the remote host's actual certificate. See Section 18.3 on page 208 for how to verify a remote host's certificate before you import it into the NWA.
SHA1 Fingerprint: This is the certificate's message digest that the NWA calculated using the SHA1 algorithm. You cannot use this value to verify that this is the r
180. creens

Table 74 Logs > Log Settings
Send Alerts to: Enter the e-mail address where the alert messages will be sent. If this field is left blank, alert messages will not be sent via e-mail.
SMTP Authentication: If you use SMTP authentication, the mail receiver should be the owner of the SMTP account.
User Name: If your e-mail account requires SMTP authentication, enter the username here.
Password: Enter the password associated with the above username.
Syslog Logging: Syslog logging sends a log to an external syslog server used to store logs.
Active: Click Active to enable syslog logging.
Syslog IP Address: Enter the server name or IP address of the syslog server that will log the selected categories of logs.
Log Facility: Select a location from the drop-down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.
Send Log
Log Schedule: This drop-down menu is used to configure the frequency of log messages being sent as E-mail:
• Daily
• Weekly
• Hourly
• When Log is Full
• None
If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log
181. ct Guest_SSID's entry in the list and click Edit. The following screen appears.

[Figure 41: Tutorial: Guest Edit]

Choose a new SSID for the guest network. In this example, enter Guest_SSID_Example. Note that although the SSID changes, the SSID profile name (Guest_SSID) remains the same as before.

Select Disable from the Hide Name (SSID) list box. This makes it easier for guests to configure their own computers' wireless clients to your network's settings.

The standard network (SSID04) is already using the security01 profile, and the VoIP network is using the security02 profile (renamed VoIP_Security), so select the security03 profile from the Security field.

Leave all the other fields at their defaults and click Apply.

6.2.3.1 Set Up Security for the Guest Profile
Now you need to configure the security settings to use on the guest wireless network. Click the Security tab.

You already chose to use the security03 profile for this network, so select security03's entry in the list and click Edit. The following screen ap
182. [Figure residue: network interface information for en1 (an Apple wireless network adapter, 802.11), listing hardware address, IP address, link speed, link status, vendor and model, with transfer statistics for sent and received packets, errors and collisions]

Linux: Ubuntu 8 (GNOME)
This section shows you how to configure your computer's TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default Ubuntu 8 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in GNOME:

1 Click System > Administration > Network.

[Figure 209: Ubuntu 8: System > Administration Menu]

2 When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make c
183. ctions > Properties

[Figure residue: Windows XP right-click menu for Local Area Connection, with the entries Disable, Status, Repair, Bridge Connections, Create Shortcut and Rename]

4 On the General tab, select Internet Protocol (TCP/IP) and then click Properties.

[Figure 189: Windows XP: Local Area Connection Properties]

5 The Internet Protocol TCP/IP Properties window opens.

[Figure 190: Windows XP: Internet Protocol (TCP/IP) Properties. The General tab explains that you can get IP settings assigned automatically if your network supports this capability, and that otherwise you need to ask your network administrator for the appropriate IP settings. Its options include "Obtain an IP address automatically", "Use the following IP address" and "Obtain DNS server address automatically".]
184. curity
• Enable wireless security on your NWA. Choose the most secure encryption method that all devices on your network support. See Section 10.4 on page 150 for directions on configuring encryption. If you have a RADIUS server, enable IEEE 802.1x or WPA(2) user identification on your network so users must log in. This method is more common in business environments.
• Hide your wireless network name (SSID). The SSID can be regularly broadcast and unauthorized users may use this information to access your network. See Section 9.4.1 on page 144 for directions on using the web configurator to hide the SSID.
• Enable the MAC filter to allow only trusted users to access your wireless network or deny unwanted users access based on their MAC address. See Section Note on page 174 for directions on configuring the MAC filter.

1.6 Maintaining Your NWA
Do the following things regularly to keep your NWA running.
• Check the ZyXEL website (www.zyxel.com.tw) regularly for new firmware for your NWA. Ensure you download the correct firmware for your model.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the NWA to its factory default settings. If you backed up an earlier configuration file, you would not
185. curity Overview
Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the NWA are data encryption, wireless client authentication, restricting access by device MAC address and hiding the NWA identity.

The following figure shows the relative effectiveness of these wireless security methods available on your NWA.

Table 99 Wireless Security Levels (security types listed from least secure to most secure)
1. Unique SSID (Default) [least secure]
2. Unique SSID with Hide SSID Enabled
3. MAC Address Filtering
4. WEP Encryption
5. IEEE802.1x EAP with RADIUS Server Authentication
6. Wi-Fi Protected Access (WPA)
7. WPA2 [most secure]

Note: You must enable the same wireless security settings on the NWA and on all wireless clients that you want to associate with it.

IEEE 802.1x
In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
• User based identification that allows for roaming.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network
186. [Figure residue: security profile edit screen for profile security01 with Security Mode WPA2-MIX. Fields shown: ReAuthentication Timer (0 means no reauthentication), Idle Timeout (3600 seconds), Group Key Update Timer, PMK Cache (Enable), Pre-Authentication (Disable), and the Apply and Reset buttons.]

The following table describes the labels not previously discussed.

Table 45 Wireless > Security: WPA2 or WPA2-MIX
Profile Name: Type a name to identify this security profile.
Security Mode: Choose WPA2 or WPA2-MIX in this field.
ReAuthentication Timer: Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off.
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The NWA automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the
187. d APs, which relay the requests to the NWA.

[Figure 128: Trusted APs Overview, showing the ZyXEL RADIUS server, the trusted APs and the wireless clients]

Take the following steps to set up trusted APs and trusted users.

1 Configure an IP address and shared secret in the Trusted AP database to specify an AP as trusted.
2 Configure wireless client user names and passwords in the Trusted Users database to use a trusted AP as a relay between the NWA's internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the NWA's internal RADIUS server.

PEAP (Protected EAP) and MD5 authentication is implemented on the internal RADIUS server using simple username and password methods over a secure TLS connection. See Appendix B on page 319 for more information on the types of EAP authentication and the internal RADIUS authentication method used in your NWA.

Note: The internal RADIUS server does not support domain accounts (DOMAIN/user). When you configure your Windows XP SP2 Wireless Zero Configuration PEAP/MS-CHAPv2 settings, deselect the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server. Specify a name and password only, do not specify a domain.

Certificates 18
188. [Figure 159 residue: the list of RADIUS attributes that can be added to the profile, including Tunnel-Password, Tunnel-Preference, Tunnel-Pvt-Group-ID, Tunnel-Server-Auth-ID, Tunnel-Server-Endpt, Tunnel-Type and Vendor-Specific (all RADIUS Standard), followed by vendor attributes from Cisco, Microsoft and U.S. Robotics, with the Add and Close buttons]

12 The Enumerable Attribute Information screen displays. Select the 802 value from the Attribute value drop-down list box.
• Click OK.

[Figure 160: 802 Attribute Setting for Tunnel-Medium-Type. Attribute name: Tunnel-Medium-Type. Attribute format: Enumerator. Attribute value: 802 (includes all 802 media plus Ethernet canonical format).]

13 Return to the RADIUS Attribute Screen shown as Figure 159 on page 250.
13a Select Tunnel-Pvt-Group-ID.
13b Click Add.

14 The Attribute Information scr
189. d an additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.

[Figure 158: Connection Attributes Screen. The Advanced tab lists the connection attributes returned to the Remote Access Server: Service-Type (RADIUS Standard, Framed) and Framed-Protocol (RADIUS Standard, PPP).]

11 The RADIUS Attribute screen displays. From the list, three RADIUS attributes will be added:
• Tunnel-Medium-Type
• Tunnel-Pvt-Group-ID
• Tunnel-Type
11a Click the Add button.
11b Select Tunnel-Medium-Type.
11c Click the Add button.

[Figure 159: RADIUS Attribute Screen. To add an attribute to the profile, select the attribute and click Add. The list shows each attribute's name, vendor and description, for example Login-TCP-Port, Reply-Message, Service-Type, Tunnel-Assignment-ID, Tunnel-Client-Auth-ID, Tunnel-Client-Endpt and Tunnel-Medium-Type.]
190. d the correct security settings, do the following.
   Attempt to access Server 1. You should be able to do so.
   Attempt to access the Internet. You should be able to do so.
   Attempt to access Server 2. You should be unable to do so. If you can do so, layer-2 isolation is misconfigured.
• Using Alice's computer and wireless client, and incorrect security settings, attempt to associate with the SERVER_1 network. You should be unable to do so. If you can do so, security is misconfigured.
• Using another computer and wireless client, but with the correct security settings, attempt to associate with the SERVER_1 network. You should be unable to do so. If you can do so, MAC filtering is misconfigured.

2 Test the SERVER_2 network.
• Using Bob's computer and wireless client, and the correct security settings, do the following.
   Attempt to access Server 2. You should be able to do so.
   Attempt to access the Internet. You should be able to do so.
   Attempt to access Server 1. You should be unable to do so. If you can do so, layer-2 isolation is misconfigured.
• Using Bob's computer and wireless client, and incorrect security settings, attempt to associate with the SERVER_2 network. You should be unable to do so. If you can do so, security is misconfigured.
• Using another computer and wireless client, but with the correct security settings, attempt to associate with the SERVER_2 network. You should be unable to do so. If you can do so, MAC filtering i
191. dd to add a condition for this policy to act on.

3 In the Select Attribute screen, click Windows-Groups and the Add button.

[Figure 153: Specifying Windows-Group Condition. The Select Attribute screen lists the attribute types that can be used as conditions, such as Called-Station-Id, Calling-Station-Id, Client-Friendly-Name, Client-IP-Address, Client-Vendor, Day-And-Time-Restrictions, Framed-Protocol, NAS-Identifier, NAS-IP-Address, NAS-Port-Type, Service-Type, Tunnel-Type and Windows-Groups.]

4 The Select Groups window displays. Select a remote access policy and click the Add button. The policy is added to the field below. Only one VLAN Group should be associated with each policy.

5 Click OK and Next in the next few screens to accept the group value.

[Figure 154: Adding VLAN Group]
192. dentifying the AP before you click Add to Friendly AP List. A maximum of 32 alphanumeric characters are allowed in this field. Spaces, underscores (_) and dashes (-) are allowed.
Add to Friendly AP List: If you know that the AP described in an entry is not a threat, select the Active check box, enter a short description in the Description field and click this button to add the entry to the friendly AP list (see Section 15.3.2 on page 183). When the NWA next scans for rogue APs, the selected AP does not appear in the rogue AP list.
Reset: Click Reset to return all fields in this screen to their default values.

Remote Management Screens

16.1 Overview
This chapter shows you how to enable remote management of your NWA. It provides information on determining which services or protocols can access which of the NWA's interfaces.

Remote Management allows a user to administrate the device over the network. You can manage your NWA from a remote location via the following interfaces:
• WLAN
• LAN
• Both WLAN and LAN
• Neither (Disable)

[Figure 118: Remote Management Example]

In the figure above, the NWA (A) is being managed by a desktop computer (B) connected via LAN (Local Area Network). It is also being accessed by a notebook (C) connected via WLAN (Wireless
193. device on your network that is not on the layer 2 isolation list. If you receive a reply, check the settings in the WIRELESS > Layer 2 Isolation > Edit screen, and ensure that the correct layer 2 isolation profile is enabled in the Guest_SSID profile screen.

6.3 How to Set Up and Use Rogue AP Detection
This example shows you how to configure the rogue AP detection feature on the NWA. A rogue AP is a wireless access point operating in a network's coverage area that is not a sanctioned part of that network. The example also shows how to set the NWA to send out e-mail alerts whenever it detects a rogue wireless access point. See Chapter 15 on page 179 for background information on the rogue AP function and security considerations.

In this example, you want to ensure that your company's data is not accessible to an attacker gaining entry to your wireless network through a rogue AP.

Your wireless network operates in an office building. It consists of four access points (all NWAs) and a variable number of wireless clients. You also know that the coffee shop on the ground floor has a wireless network consisting of a single access point, which can be detected and accessed from your floor of the building. There are no other static wireless networks in your coverage area.

The following diagram shows the wireless networks in your area. Your access points are marked A, B, C and D.
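The check this tutorial sets up, sketched as an added example that is not part of the manual or of the NWA's firmware: scan results are compared with a friendly AP list keyed by MAC address, and an unlisted AP that advertises one of your own SSIDs is reported separately from other unlisted APs. The SSID names and the MAC addresses (taken from the documentation range 00:00:5E:00:53:xx) are constructed for the example.

```python
import re
from dataclasses import dataclass


def normalize_mac(mac):
    """Return a MAC address as 12 lowercase hex digits, whatever separators were typed."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Beacon:
    """One access point seen during a scan."""
    bssid: str    # MAC address of the AP's radio
    ssid: str     # network name it advertises
    channel: int


def classify(scan, friendly, protected_ssids):
    """Return {normalized bssid: verdict} for every beacon in the scan.

    friendly        -- {MAC: description}, typed in from a trusted source
    protected_ssids -- SSIDs that only APs on the friendly list may advertise
    """
    allow = {normalize_mac(mac): note for mac, note in friendly.items()}
    verdicts = {}
    for beacon in scan:
        mac = normalize_mac(beacon.bssid)
        if mac in allow:
            # Matches the list. A MAC can be cloned, so this is not proof of identity.
            verdicts[mac] = "friendly"
        elif beacon.ssid in protected_ssids:
            # Unlisted radio using one of our names: the case the SSID alone cannot catch.
            verdicts[mac] = "rogue-ssid-mimic"
        else:
            verdicts[mac] = "rogue"
    return verdicts


def alerts(scan, friendly, protected_ssids):
    """Return alert lines for every non-friendly AP, SSID mimics first."""
    verdicts = classify(scan, friendly, protected_ssids)
    rank = {"rogue-ssid-mimic": 0, "rogue": 1}
    hits = []
    for beacon in scan:
        mac = normalize_mac(beacon.bssid)
        if verdicts[mac] != "friendly":
            hits.append((rank[verdicts[mac]], mac, beacon))
    hits.sort(key=lambda hit: (hit[0], hit[1]))
    return [
        f"{verdicts[mac]}: bssid={mac} ssid={beacon.ssid!r} channel={beacon.channel}"
        for _, mac, beacon in hits
    ]


# Constructed friendly list: the four NWAs (A to D) and the coffee shop's AP.
FRIENDLY = {
    "00:00:5E:00:53:0A": "NWA A",
    "00:00:5E:00:53:0B": "NWA B",
    "00:00:5E:00:53:0C": "NWA C",
    "00:00:5E:00:53:0D": "NWA D",
    "00-00-5E-00-53-E0": "Coffee shop AP (MAC address given by the owner)",
}
PROTECTED_SSIDS = {"Office_WLAN"}

# Constructed scan result.
SCAN = [
    Beacon("00:00:5e:00:53:0a", "Office_WLAN", 1),
    Beacon("00:00:5e:00:53:0b", "Office_WLAN", 6),
    Beacon("0000.5e00.53e0", "CoffeeShop", 11),
    Beacon("00:00:5e:00:53:f1", "Office_WLAN", 6),   # unlisted, advertises our SSID
    Beacon("00:00:5e:00:53:f2", "FreeWiFi", 3),      # unlisted, unrelated name
]

if __name__ == "__main__":
    for line in alerts(SCAN, FRIENDLY, PROTECTED_SSIDS):
        print(line)
```
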
194. dress:8443 as the URL.
Server Access: Select a NWA interface from Server Access on which incoming HTTPS access is allowed. You can allow only secure web configurator access by setting the HTTP Server Access field to Disable and setting the HTTPS Server Access field to an interface(s).
Secured Client IP Address: A secure client is a "trusted" computer that is allowed to communicate with the NWA using this service. Select All to allow any computer to access the NWA using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.

16.7 The SNMP Screen
Use this screen to have a manager station administrate your NWA over the network. To change your NWA's SNMP settings, click REMOTE MGMT > SNMP. The following screen displays.

[Figure 123: Remote MGMT > SNMP. Fields shown: Get Community, Set Community, Trap Community, Trap Destination, SNMP Version, User Profile, Configure SNMPv3 User Profile, Service Port, Service Access and Secured Client IP Address.]

The following table descri
195. dresses from another source and add them to the friendly AP list manually. For example, an attacker's AP mimicking the correct SSID could be placed on the friendly AP list by accident, if selected from the list of auto-detected APs. In this example you have spoken to the coffee shop's owner, who has told you the correct MAC address of his AP.

In this example you will do the following things.
1 Set up and save a friendly AP list.
2 Activate periodic Rogue AP Detection.
3 Set up e-mail alerts.
4 Configure your other access points.
5 Test the setup.

6.3.1 Set Up and Save a Friendly AP list
Take the following steps to set up and save a list of access points you want to allow in your network's coverage area.

1 On a computer connected to the wired network (F in the previous figure), open your Internet browser and enter the URL of access point A (192.168.1.1). Login to the Web configurator and click ROGUE AP > Friendly AP. The following screen displays.

[Figure 48: Tutorial: Friendly AP (Before Data Entry)]

2 Fill in the MAC Address and Description fields as in the following table. Click Add after you enter the details of each AP to include it in the list.

Note: You can add APs that are not part of your network to the friendly AP list, as long as you know
196. The following table describes the labels in this screen.

Table 80 VLAN > RADIUS VLAN

LABEL: DESCRIPTION

Block station if RADIUS server assign VLAN name error: Select this to have the NWA forbid access to wireless clients when the VLAN attributes sent from the RADIUS server do not match a configured Name field. When you select this check box, only users with names configured in this screen can access the network through the NWA.

VLAN Mapping Table: Use this table to map names to VLAN IDs so that the RADIUS server can assign each user or user group a mapped VLAN ID. See your RADIUS server documentation for more information on configuring VLAN ID attributes. See Section 20.5.3 on page 243 for more information.

Select a check box to enable the VLAN mapping profile.

Type a VLAN ID. Incoming traffic from the WLAN is authorized and assigned a VLAN ID before it is sent to the LAN.

Chapter 20 VLAN

Name: Type a name to have the NWA check
197. e octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 2^8 - 2 or 254 possible hosts.

The following figure shows the company network before subnetting.

Figure 287 Subnetting Example: Before Subnetting

You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The borrowed host ID bit can have a value of either 0 or 1, allowing two subnets: 192.168.1.0 /25 and 192.168.1.128 /25.

Appendix E IP Addresses and Subnetting

The following figure shows the company network after subnetting. There are now two sub-networks, A and B.

Figure 288 Subnetting Example: After Subnetting

In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 - 2 or 126 possible hosts (a host ID of all zeroes is the subnet's address itself, all ones is the subnet's broadcast address). 192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that
198. e 103 Wireless > Layer 2 Isolation

The following table describes the labels in this screen.

Table 48 Wireless > Layer 2 Isolation

LABEL: DESCRIPTION

Index: This is the index number of the profile.

Profile Name: This field displays the name given to a layer-2 isolation profile in the Layer-2 Isolation Configuration screen.

Edit: Select an entry from the list and click Edit to configure settings for that profile.

12.4.1 Configuring Layer-2 Isolation

Use this screen to specify the configuration for your layer-2 isolation profile. Select a layer-2 isolation profile in Wireless > Layer-2 Isolation and click Edit to display the following screen.

Chapter 12 Layer-2 Isolation Screen

Note: When configuring this screen, remember to select the correct layer-2 isolation profile in the Wireless > SSID > Edit screen of the relevant SSID profile.

Figure 104 Wireless > Layer 2 Isolation > Edit
199. e Web Configurator

• Click the links on the left of the screen to configure advanced features such as MGNT MODE: AP Controller, Standalone AP or Managed AP; SYSTEM: General, Password and Time Setting; WIRELESS: Wireless, SSID, Security, RADIUS, Layer-2 Isolation, MAC Filter; IP; ROGUE AP: Configuration, Friendly AP, Rogue AP; REMOTE MGNT: Telnet, FTP, WWW and SNMP; AUTH SERVER: Setting, Trusted AP, Trusted Users; CERTIFICATES: My Certificates, Trusted CAs; LOGS: View Log and Log Settings; VLAN: Wireless VLAN and RADIUS VLAN
200. e due to a server misconfiguration. You are connected to a site pretending to be 172.20.37.202, possibly to obtain your confidential information. Please notify the site's webmaster about this problem. Before accepting this certificate, you should examine this site's certificate carefully. Are you willing to to accept this certificate for the purpose of identifying the Web site 172.20.37.202?

Appendix D Importing Certificates

3. The certificate is stored and you can now connect securely to the web configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

Figure 258 Firefox 2: Page Info

Page Info. Web Site Identity Verified. The web site 172.20.37.202 supports authentication for the page you are viewing. The identity of this web site has been verified by ZyXEL, a certificate authority you trust for this purpose. View the security certificate that verifies this web site's identity. Connection Encrypted: High-grade Encryption (AES-256 256 bit). The page you are viewing was encrypted before being transmitted over the Internet. Encryption makes it very difficult for unauthorized people to view information traveling
201. e in AP (Access Point), AP+Bridge, Bridge/Repeater or MBSSID mode.

Chapter 8 Wireless Configuration

8.3 What You Need To Know

The following are wireless network terminologies that are relevant to this chapter.

BSS

A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS traffic blocking is disabled, wireless station A and B can access the wired network and communicate with each other. When Intra-BSS traffic blocking is enabled, wireless station A and B can still access the wired network but cannot communicate with each other.

Figure 77 Basic Service set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate.

Figure 78 Extended Service Set
202. e sure your computer's IP address is in the same subnet as the NWA.

5. Reset the device to its factory defaults, and try to access the NWA with the default IP address. Contact your vendor.
6. If the problem continues, contact the network administrator or vendor, or try the advanced suggestions.

Chapter 24 Troubleshooting

Advanced Suggestions

• Try to access the NWA using another service, such as Telnet. If you can access the NWA, check the remote management settings to find out why the NWA does not respond to HTTP.

I can see the Login screen, but cannot log in to the NWA.

1. Make sure you have entered the user name and password correctly. The default password is 1234. These fields are case-sensitive, so make sure Caps Lock is not on.
2. You cannot log in to the web configurator while someone is using the SMT or Telnet to access the NWA. Log out of the NWA in the other session, or ask the person who is logged in to log out.
3. Disconnect and re-connect the power adaptor or cord to the NWA.
4. If this does not work, you have to reset the device to its factory defaults. Contact your vendor.

I cannot access the SMT.

See the troubleshooting suggestions for "I cannot see or access the Login screen in the web configurator". Ignore the suggestions about your browser.

I cannot use FTP to upload / download the configuration file.
I cannot use FTP to upload new firmware.

See
203. e to the managed AP list.

Management Mode: This field is available only when the NWA is in AP controller management mode. This displays Controller when the NWA is in AP controller management mode.

System Resources

Flash: This field displays the amount of the NWA's flash memory currently in use. The flash memory is used to store firmware and SSID profiles.

Memory: This field displays what percentage of the NWA's volatile memory is currently in use. The higher the memory usage, the more likely the NWA is to slow down. Some memory is required just to start the NWA and to run the web configurator.

CPU: This field displays what percentage of the NWA's processing ability is currently being used. The higher the CPU usage, the more likely the NWA is to slow down.

WLAN1 Associations: This field is not available when the NWA is in AP controller management mode. This field displays the number of wireless clients currently associated with the first wireless module. Each wireless module supports up to 128 concurrent associations.

WLAN2 Associations: This field is not available when the NWA is in AP controller management mode. This field displays the number of wireless clients currently associated with the second wireless module. Each wireless module supports up to 128 concurrent associations.

Interface Status: This section is not available when the NWA is in AP controller management mode
204. e your NWA's time and date. This screen allows you to configure the NWA's time based on your local time zone.

7.3 What You Need To Know

IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.

Table 22 Private IP Address Ranges

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.

IP Address and Subnet Mask

Similar to the way houses on a street share a common st
205. ecurity threat.

In the following example, an attacker (X) is stationed in a vehicle outside a company building, using a rogue access point equipped with a powerful antenna. By mimicking a legitimate (company network) AP, the attacker tries to capture usernames, passwords, and other sensitive information from unsuspecting clients (A and B) who attempt to connect. This is known as a honeypot attack.

Figure 114 Honeypot Attack

If a rogue AP in this scenario has sufficient power and is broadcasting the correct SSID (Service Set IDentifier), clients have no way of knowing that they are not associating with a legitimate company AP. The attacker can forward network traffic from associated clients to a legitimate AP, creating the impression of normal service. This is a variety of man-in-the-middle attack.

This scenario can also be part of a wireless denial of service (DoS) attack, in which associated wireless clients are deprived of network access. Other opportunities for the attacker include the introduction of malware (malicious software) into the network.

Chapter 15 Rogue AP Detection

15.3.1 Configuration Screen

Use this screen to enable your NWA's Rogue AP detection settings. Click Rogue AP > Conf
206. ed with each SSID profile, or Disable if MAC filtering is not configured on an SSID profile.

Edit: Click the radio button next to the profile you want to configure and click Edit to go to the SSID configuration screen.

9.4.1 Configuring SSID

Use this screen to configure an SSID profile. Select an SSID profile in Wireless > SSID and click Edit to display the following screen.

Figure 90 Wireless > SSID > Edit

The following table describes the labels in this screen.

Table 38 Wireless > SSID > Edit

LABEL: DESCRIPTION

Profile Name: Enter a name identifying this profile.

SSID: When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.

Hide Name (SSID): Select Disable if you want the NWA to broadcast this SSID (a wireless client scanning for an AP will find this SSID). Alternatively, select Enable to have the NWA hide this SSID (a wireless client scanning for an AP will not find this SSID).

Security: Select a security profile to use with this SSID profile. See Section 10.4 on page 150 for more information.

RADIUS: Select a RADIU
207. ed for diagnostic purposes.

• Use the Show Statistics screen (Section 23.4.1 on page 266) to access read-only information such as port status, packet specific statistics and bridge link status. Also provided are system up time and poll interval(s).
• Use the Association List screen (Section 23.5 on page 268) to view the wireless stations that are currently associated with the NWA.
• Use the Channel Usage screen (Section 23.6 on page 269) to view whether a channel is used by another wireless network or not. If a channel is being used, you should select a channel removed from it by five channels to completely avoid overlap.
• Use the F/W Upload screen (Section 23.7 on page 270) to upload the latest firmware for your NWA.
• Use the Configuration screen (Section 23.8 on page 272) to view information related to factory defaults, backup configuration, and restoring configuration.
• Use the Restart screen (Section 23.9 on page 274) to reboot the NWA without turning the power off.

Chapter 23 Maintenance

23.3 What You Need To Know About the Maintenance Screens

Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example Model.bin. The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See the Firmware and Configuration File Maintenance chapter for upgrading firmw
208. een. For this example, we set the Registration Type to Manual.

To add a managed AP to the controller AP's coverage, go to Controller > AP Lists.

Figure 68 Tutorial: AP List

Chapter 6 Tutorial

2. Select the NWA managed APs from the Un-Managed Access Points List, as shown in the screen above. You can also identify these managed APs by filling in the Description field. Click Add.

3. The 2nd, 3rd and 4th floor NWA managed APs (B, C and D) should now be in the Managed Access Points List. By default, newly added managed APs in the list have their WLAN Radio Profile set to disabled. This means that their wireless functions are turned off.

Note: The NWA controller AP uses WLAN Radio Profile to categorize different wireless settings present in a managed AP. Each profile contains the SSID, security mode, RADIUS, Layer-2 Isolation and MAC filter configurations.

Turn on a WLAN Radio Profile by selecting the
209. een displays.

14a. In the Enter the attribute value in: field, select String and type a number in the range 1 to 4094 or a Name for this policy. This Name should match a name in the VLAN mapping table on the NWA. Wireless stations belonging to the VLAN Group specified in this policy will be given a VLAN ID specified in the NWA VLAN table.
14b. Click OK.

Figure 161 VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID

15. Return to the RADIUS Attribute Screen shown as Figure 159 on page 250.
15a. Select Tunnel-Type.
15b. Click Add.

16. The Enumerable Attribute Information screen displays.
16a. Select Virtual LANs (VLAN) from the attribute value drop-down list box.
16b. Click OK.

Figure 162 VLAN Attribute Setting for Tunnel-Type

17. Return to the RADIUS Attribute Screen shown as Figure 159 on page 250.
17a. Click the Close button.

Chapter 20 VLAN

17b. The completed Advanced tab configuration should resemble the following screen.

Figure 163 Completed Advanced Tab
210. efined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.

Table 26 Default Time Servers

ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw

When the NWA uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the NWA goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.

Wireless Configuration

8.1 Overview

This chapter discusses the steps to configure the Wireless Settings screen on the NWA. It also introduces the Wireless LAN (WLAN) and some basic scenarios.

Figure 76 Wireless Mode

In the figure above, the NWA allows access to another bridge device (A) and a notebook computer (B) upon verifying their settings and credentials. It denies access to other devices (C and D) with configurations that do not match those specified in your NWA.

8.2 What You Can Do in the Wireless Screen

Use the Wireless > Wireless screen (see Section 8.4 on page 123) to configure the NWA to use a WLAN interface and operat
211. eived a rogue AP alert, email alerts are correctly configured on that NWA.

• If you have another access point that is not used in your network, make a note of its MAC address and set it up next to each of your NWAs in turn while the network is running. Either wait for at least ten minutes (to ensure the NWA performs a scan in that time) or log in to the NWA's Web configurator and click ROGUE AP > Rogue AP > Refresh to have the NWA perform a scan immediately.
• Check the ROGUE AP > Rogue AP screen. You should see an entry in the list with the same MAC address as your rogue AP.
• Check the LOGS > View Logs screen. You should see a Rogue AP Detection entry in red text, including the MAC address of your rogue AP.
• Check your e-mail. You should have received at least one e-mail alert (your other NWAs may also have sent alerts, depending on their proximity and the output power of your rogue AP).

6.4 How to Use Multiple MAC Filters and L-2 Isolation Profiles

This example shows you how to allow certain users to access only specific parts of your network. You can do this by using multiple MAC filters and layer-2 isolation profiles.

6.4.1 Scenario

In this example, you run a company network in which certain employees must wirelessly access secure file servers containing valuable proprietary data.

You have two secure servers (1 and 2 in the following figure). Wireless user Alice (A) needs to access server 1
212. emberships of each VLAN Group.

Chapter 20 VLAN

1. Using the Remote Access Policy option on the Internet Authentication Service management interface, create a new VLAN Policy for each VLAN Group defined in the previous section. The order of the remote access policies is important. The most specific policies should be placed at the top of the policy list and the most general at the bottom. For example, if the Day-And-Time-Restriction policy is still present, it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence.
1a. Right click Remote Access Policy and select New Remote Access Policy.
1b. Enter a Policy friendly name that describes the policy. Each Remote Access Policy will be matched to one VLAN Group. An example may be, Allow - VLAN 10 Policy.
1c. Click Next.

Figure 152 New Remote Access Policy for VLAN Group

2. The Conditions window displays. Select A
213. emote host's actual certificate because the NWA has signed the certificate, thus causing this value to be different from that of the remote host's actual certificate. See Section 18.3 on page 208 for how to verify a remote host's certificate before you import it into the NWA.

Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk, for example).

Export: Click this button and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save.

Apply: Click Apply to save your changes. You can only change the name and/or set whether or not you want the NWA to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.

Cancel: Click Cancel to quit and return to the Trusted CAs screen.

18.6 Technical Reference

This section provides technical background information about the topics covered in this chapter.

Chapter 18 Certificate
214. ency as an active radar system could disrupt the radar system. Therefore, if the NWA detects radar activity on the channel you select, it automatically instructs the wireless clients to move to another channel, then resumes communications on the new channel.

8.5.3 Roaming

A wireless station is a device with an IEEE 802.11a/b/g compliant wireless interface. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point's coverage area.

In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is known as roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.

Chapter 8 Wireless Configuration

The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the channel of a new access point, which then informs the other access points on the LAN about the change. An example is shown in Figure 83 on page 134.

With roaming, a wireless LAN mobile
215. epends on the certificate information configured on the wireless client.

Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. auto_generated_self_signed_cert is the factory default certificate common to all NWAs that use certificates.

Note: It is recommended that you replace the factory default certificate with one that uses your NWA's MAC address. Do this when you first log in to the NWA or in the CERTIFICATES > My Certificates screen.

Type: This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
*SELF represents the default self-signed certificate, which the NWA uses to sign imported trusted remote host certificates.
CERT represents a certificate issued by a certification authority.

Chapter 17 Internal RADIUS Server

Table 63 Internal RADIUS Server Setting Screen (continued)

LABEL: DESCRIPTION

Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country)
216.

2. Next, click the SSID tab. Check that each configured SSID profile uses the correct Security, Layer-2 Isolation and MAC Filter profiles, as shown in the following figure.

Figure 61 Tutorial: SSID Tab Correct Settings

If the settings are not as shown, follow the steps in the relevant section of this tutorial again.

Chapter 6 Tutorial

6.4.6.2 Testing the Configuration

Before you allow employees to use the network, you need to thoroughly test whether the setup behaves as it should. Take the following steps to do this.

1. Test the SERVER_1 network.
• Using Alice's computer and wireless client an
217. er for a group of similar NWAs to take advantage of the feature:

• They should all be within the same subnet.
• They should all have the same SSID, radio mode, and security mode.
• There should be a minimum of 2 NWAs within the same broadcast radius, or at the very least within an overlapping broadcast radius.

21.2 The Load Balancing Screen

Use this screen to configure the load balancing feature on the NWA. Click Load Balancing in the navigation menu. The following screen appears.

Figure 167 Load Balancing

The following table describes the labels in this screen.

Table 82 Load Balancing

FIELD: DESCRIPTION

Enable Load Balancing: Select this option to turn on wireless load balancing.

Mode: Use the option to choose the specific method by which you want to enable load balancing on your NWA.

By station number: Enter the maximum number of stations the AP allows to connect to it. You can enter a value from 1 - 127.

By traffic level: Choose a load balancing traffic level. The traffic level you select here determines how much bandwidth the AP allows to pass through it before it becomes overloaded and starts delaying or rejecting connections.
• Low: Up to 6 Mbps before it becomes overloaded.
• Medium: Up to 13 Mbps before it becomes overloaded.
• High
218. er or computer network to connect to the NWA (refer to the Quick Start Guide).

Launch your web browser.

Type 192.168.1.2 as the URL (default).

Type 1234 (default) as the password and click Login. In some versions, the default password appears automatically; if this is the case, click Login.

You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) then click Apply. Alternatively, click Ignore.

Chapter 2 Introducing the Web Configurator

Note: If you do not change the password, the following screen appears every time you login.

Figure 9 Change Password Screen

6. Click Apply in the Replace Certificate screen to create a certificate using your NWA's MAC address that will be specific to this device.

Figure 10 Replace Certificate Screen

You should now see the Status screen. See Chapter 2 on page 35 for details about the Status screen.

Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the NWA
219. erent WEP keys for different BSSs. If two stations have different BSSIDs (they are in different BSSs), but have the same WEP keys, they may hear each other's communications (but not communicate with each other).

Chapter 8 Wireless Configuration

MBSSID should not replace, but rather be used in conjunction with, 802.1x security.

8.4 Configuring Wireless Settings

Click WIRELESS > Wireless. The screen varies depending upon the operating mode you select.

8.4.1 Access Point Mode

Select Access Point as the Operating Mode to display the screen shown next.

Figure 79 Wireless: Access Point

The following table describes the general wireless LAN labels in this screen.

Table 27 Wireless: Access Point

LABEL: DESCRIPTION

WLAN Interface: Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.

Operating Mode: Select Access Point from the drop-down list.

802.11 Mode: Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the NWA. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to asso
220. ess networks. Select this option to disable DFS on the NWA when 802.11 Mode is set to 802.11a.

Table 27 Wireless Access Point
RTS/CTS Threshold: The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (256) turns on the RTS/CTS handshake. Enter a value between 256 and 2346. This field is not available when Super Mode is selected.
Beacon Interval: When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. This value can be set from 20ms to 1000ms. A high value helps save current consumption of the access point.
DTIM: Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 100.
Fragmentation The threshold number of byte
221. ess of the managed AP.
Model: This displays the model name and 802.11 mode of the managed AP.
Description: This displays the description of the managed AP.

Table 10 The Controller > AP Lists Screen
Status: This displays whether the managed AP is active, not active, or upgrading its firmware.
- Red: the AP is not active.
- Green: the AP is active.
- Yellow: the AP is upgrading its firmware.
Note: You can still edit a managed AP's settings even if it is offline. However, the changes only take effect when the NWA detects that the managed AP is online again.
Edit: Select the managed AP from the list and click this to edit the managed AP's settings.
Delete: Select the managed AP from the list and click this to delete the managed AP from the list. When you do this, the managed AP is no longer handled by the NWA until you add it back to the list.
Un-Managed Access Points List: This section lists the CAPWAP-enabled access points in the area that are in managed AP mode but which are not currently controlled by the NWA.
Index: This is the index number of an unmanaged AP that is requesting to be managed by the NWA.
Select: Click this, then select Add to include the unmanaged AP in the NWA's managed AP list.
IP: This displays the IP address of the unmanaged AP.
MAC Address This displays
222. essages are exchanged between the access point and the RADIUS server for user accounting:
- Accounting-Request: Sent by the access point requesting accounting.
- Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues ce
223. evice Is Rebooting Now. Please Wait. After the device finishes rebooting, the login screen displays.

The NWA automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 182 Network Temporarily Disconnected

If you uploaded the default configuration file, you may need to change the IP address of your computer to be in the same subnet as that of the default NWA IP address (192.168.1.2). See your Quick Start Guide for details on how to set up your computer's IP address.

If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen.

Figure 183 Configuration Upload Error: Restore configuration error. The configuration file was not accepted by the router. Please return to the previous page and select a valid configuration file. Click Help for more information.

23.8.3 Back to Factory Defaults

Pressing the Reset button in this section clears all user-entered configuration information and returns the NWA to its factory defaults, as shown on the screen. The following warning screen will appear.

Figure 184 Reset Warning Message: AP back to factory defaults. The device will now reboot. As there will be no indication of w
224. ew WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 100 Comparison of EAP Authentication Types
Feature | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP | LEAP
Mutual Authentication | No | Yes | Yes | Yes | Yes
Certificate (Client) | No | Yes | Optional | Optional | No
Certificate (Server) | No | Yes | Yes | Yes | No
Dynamic Key Exchange | No | Yes | Yes | Yes | Yes
Credential Integrity | None | Strong | Strong | Strong | Moderate
Deployment Difficulty | Easy | Hard | Moderate | Moderate | Moderate
Client Identity Protection | No | No | Yes | Yes | No

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both
225. f of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note: Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or
226. fect. They are overridden by the configurations of the primary controller AP.

The Web Configurator: System Screens, Wireless Configuration, SSID Screen, Wireless Security Screen, RADIUS Screen, Layer 2 Isolation Screen, MAC Filter Screen, IP Screen, Rogue AP Detection, Remote Management Screens, Internal RADIUS Server, Certificates, Log Screens, VLAN, Maintenance.

System Screens

7.1 Overview

This chapter provides information and instructions on how to identify and manage your NWA over the network.

Figure 72 NWA Setup

In the figure above, the NWA connects to a Domain Name Server (DNS server) to avail of a domain name. It also connects to a Network Time Protocol (NTP) server to set the time on the device.

7.2 What You Can Do in the System Screens

- Use the General screen (see Section 7.4 on page 112) to specify the System name, Domain name and Web Configurator timeout limit. You can also configure your System DNS Servers in this screen.
- Use the Password screen (see Section 7.5 on page 113) to manage the password for your ZyXEL Device and have a RADIUS server authenticate management logins to the ZyXEL Device.
- Use the Time Setting screen (see Section 7.6 on page 116) to chang
227. ficates Screen

Use this screen to view the NWA's summary of certificates and certification requests. Click Certificates > My Certificates. The following screen displays.

Note: Certificates display in black and certification requests display in gray.

Figure 130 Certificates > My Certificates

The following table describes the labels in this screen.

Table 66 Certificates > My Certificates
PKI Storage Space in Use: This bar displays the percentage of the NWA's PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
My Certificates Setting This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate. It i
228. for specific VLAN attributes on incoming messages from the RADIUS server. Access-accept packets sent by the RADIUS server contain VLAN-related attributes. The configured Name fields are checked against these attributes. If a configured Name field matches these attributes, the corresponding VLAN ID is added to packets sent from this user to the LAN. If the VLAN-related attributes sent by the RADIUS server do not match a configured Name field, a wireless station is assigned the wireless VLAN ID associated with its SSID (unless the Block station if RADIUS server assign VLAN error check box is selected).
Apply: Click Apply to save your changes to the NWA.
Reset: Click Reset to begin configuring this screen afresh.

20.5 Technical Reference

This section provides some technical background information and configuration examples about the topics covered in this chapter.

20.5.1 VLAN Tagging

The NWA supports IEEE 802.1q VLAN tagging. Tagged VLAN uses an explicit tag (VLAN ID) in the MAC header of a frame to identify VLAN membership. The NWA can identify VLAN tags for incoming Ethernet frames and add VLAN tags to outgoing Ethernet frames.

Note: You must connect the NWA to a VLAN-aware device that is a member of the management VLAN in order to perform management. See the Configuring Management VLAN example BEFORE you configure the VLAN screens.

20.5.2 Configuring Management VLAN Example

This section shows you how to create a VL
229. formation
VLAN Mapping Table: Use this table to have the NWA assign VLAN tags to packets from wireless clients based on the SSID they use to connect to the NWA.
Index: This is the index number of the SSID profile.
Name: This is the name of the SSID profile.
SSID: This is the SSID the profile uses.
VLAN ID: Enter a VLAN ID number from 1 to 4094. Packets coming from the WLAN using this SSID profile are tagged with the VLAN ID number by the NWA. Different SSID profiles can use the same or different VLAN IDs. This allows you to split wireless stations into groups using similar VLAN IDs.
Second Rx VLAN ID: Enter a number from 1 to 4094, but different from the VLAN ID. Traffic received from the LAN that is tagged with this VLAN ID is sent to all SSIDs with this VLAN ID configured in the VLAN ID or Second Rx VLAN ID fields. See Section 20.5.4 on page 253 for more information.
Apply: Click this to save your changes to the NWA.
Reset: Click this to return this screen to its last saved settings.

20.4.1 RADIUS VLAN Screen

Use this screen to configure your RADIUS Virtual LAN setup. Click VLAN > RADIUS VLAN. The following screen appears.

Figure 144 VLAN > RADIUS VLAN
230. g box to locate the certificate and then click Open.

Figure 262 Firefox 2 Select File

5. The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.

Removing a Certificate in Firefox

This section shows you how to remove a public key certificate in Firefox 2.

1. Open Firefox and click Tools > Options.

Figure 263 Firefox 2 Tools Menu

2. In the Options dialog box, click Advanced > Encryption > View Certificates.

Figure 264 Firefox 2 Options

3. In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click De
231. gh which a computer may access the NWA using SSH.
Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the NWA using this service. Select All to allow any computer to access the NWA using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.

16.5 The FTP Screen

You can upload and download the NWA's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. To change your NWA's FTP settings, click REMOTE MGMT > FTP. The following screen displays.

Figure 121 Remote MGNT > FTP

The following table describes the labels in this screen.

Table 58 Remote MGNT > FTP
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the NWA using this service
232. ghtning.
- Connect ONLY suitable accessories to the device.
- ONLY qualified service personnel should service or disassemble this device.
- Make sure to connect the cables to the correct ports.
- Place connecting cables carefully so that no one will step on them or stumble over them.
- Always disconnect all cables from this device before servicing or disassembling.
- Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
- Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
- Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
- If the power adaptor or cord is damaged, remove it from the device and the power source.
- Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
- Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
- Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
- If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
- The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must
233. ginning on page 343 to complete the installation process.

Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7.

1. Open Internet Explorer and click Tools > Internet Options.

Figure 252 Internet Explorer 7 Tools Menu

2. In the Internet Options dialog box, click Content > Certificates.

Figure 253 Internet Explorer 7 Internet Options

3. In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, se
234. gure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. The default setting is None.
Apply: Click Apply to save your changes.
Reset: Click Reset to reload the previous configuration for this screen.

7.5 Configuring the Password

It is strongly recommended that you change your NWA's password. Click SYSTEM > Password. The screen appears as shown. If you forget your NWA's password (or IP address), you will need to reset the device. See the section on resetting the NWA for details.

Note: Regardless of how you configure this screen, you still use the local system password to log in via the console port (for internal use only).

Figure 74 System > Password

The following table describes the labels in this screen.

Table 24 System > Password
Enable Admin at Local: Select this check box to have the device authenticate management logins to the device.
Use old setting: Select this to have the NWA use the local management password already configured on the device (1234 is the default
235. h RADIUS Select the RADIUS server profile of the RADIUS server that is to authenticate management logins to the NWA. The NWA tests the user name and password against the RADIUS server when you apply your settings.
- The user name and password must already be configured in the RADIUS server.
- You must already have a RADIUS profile configured for the RADIUS server (see Section 11.4 on page 163).
- The server must be set to Active in the profile.
Apply: Click Apply to save your changes.
Reset: Click Reset to reload the previous configuration for this screen.

7.6 Configuring Time Setting

To change your NWA's time and date, click SYSTEM > Time Setting. The screen appears as shown. Use this screen to configure the NWA's time based on your local time zone.

Figure 75 System > Time Setting

The following table describes the labels in this scree
236. hanges to your configuration unless you first enter your admin password.

Figure 210 Ubuntu 8 Network Settings > Connections

3. In the Authenticate window, enter your admin account name and password, then click the Authenticate button.

Figure 211 Ubuntu 8 Administrator Account Authentication

4. In the Network Settings window, select the connection that you want to configure, then click Properties.

Figure 212 Ubuntu 8 Network Settings > Connections

5. The Properties dialog box opens.

Figure 213 Ubuntu 8 Network Settings > Properties
237. have to totally re-configure the NWA. You could simply restore your last configuration.

1.7 Hardware Connections

See your Quick Start Guide for information on making hardware connections.

Note: Your NWA has two wireless LAN adaptors, WLAN1 and WLAN2. WLAN1 uses the RF1 antenna (or the antenna on the right when facing the device) and WLAN2 uses the RF2 antenna (or the antenna on the left). If you connect only one antenna, you can use only the associated wireless LAN adaptor.

1.8 LEDs

This section applies to the NWA 3500 only.

Figure 8 LEDs

Table 3 LEDs
LABEL | LED | COLOR | STATUS | DESCRIPTION
1 | WL1 | Green | On | The wireless adaptor WLAN1 is active.
1 | WL1 | Green | Blinking | The wireless adaptor WLAN1 is active, and transmitting or receiving data.
1 | WL1 | | Off | The wireless adaptor WLAN1 is not active.
2 | WDS SYS | Green | On | The NWA is in AP Bridge or Bridge Repeater mode, and has successfully established a Wireless Distribution System (WDS) connection.
2 | WDS SYS | Red | Flashing | The NWA is starting up.
2 | WDS SYS | | Off | Either: The NWA is in Access Point or MBSSID mode and is functioning normally. The NWA is in AP Bridge or Bridge Repeater mode and has not e
238. he network while computer B is granted connectivity. The NWA secures communications via data encryption, wireless client authentication and MAC address filtering. It can also hide its identity in the network.

10.2 What You Can Do in the Security Screen

Use the Wireless > Security screen (see Section 10.4 on page 150) to choose the security mode for your NWA.

10.3 What You Need To Know

User Authentication

Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it. However, every device in the wireless network has to support IEEE 802.1x to do this. For wireless networks, you can store the user names and passwords for each user in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users.

Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.

You can configure up to 16 security profiles in your NWA. The following table shows the relative effectiveness of wi
239. he following screen.

Figure 99 Wireless > Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX

The following table describes the labels not previously discussed.

Table 46 Wireless > Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
Profile Name: Type a name to identify this security profile.
Security Mode: Choose WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in this field.
Pre-Shared Key: The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
ReAuthentication Timer: Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off.
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The NWA automatical
240. he main browser window; not all browsers show the padlock in the same location. In this appendix, you can import a public key certificate for:
- Internet Explorer on page 343
- Firefox on page 352
- Opera on page 357
- Konqueror on page 364

Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista.

1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

Figure 238 Internet Explorer 7 Certification Error

2. Click Continue to this website (not recommended).

Figure 239 Internet Explorer 7 Certification Error Continue to
241. hen the process is complete, please wait for one minute before attempting to access the device again.

You can also press the RESET button to reset your NWA to its factory default settings. Refer to Section 2.2 on page 37 for more information.

23.9 Restart Screen

Use this screen to restart the NWA without turning it off and on. Click Maintenance > Restart. The following screen displays. Click Restart to have the NWA reboot. This does not affect the NWA's configuration.

Figure 185 Restart Screen

Troubleshooting

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories:
- Power and Hardware Connections
- NWA Access and Login
- Internet Access
- Wireless Router/AP Troubleshooting

24.1 Power and Hardware Connections

The NWA does not turn on.

1. Make sure you are using the PoE power injector included with the NWA.
2. Make sure the PoE power injector is connected to the NWA and plugged in to an appropriate power source. Make sure the power source is turned on.
3. Disconnect and re-connect the PoE power injector to the NWA.
4. If the
242. his zone contains all Web sites you haven't placed in other zones.

2. Click the Custom Level button.
3. Scroll down to Scripting.
4. Under Active scripting, make sure that Enable is selected (the default).
5. Under Scripting of Java applets, make sure that Enable is selected (the default).
6. Click OK to close the window.

Figure 235 Security Settings Java Scripting

Java Permissions

1. From Internet Explorer, click Tools, Internet Options and then the Security tab.
2. Click the Custom Level button.
3. Scroll down to Microsoft VM.
4. Under Java permissions, make sure that a safety level is selected.
243. ial Log into the NWA's Web Configurator and click WIRELESS > SSID. The following screen displays, showing the SSID profiles you already configured.

Figure 56 Tutorial SSID Profile

2. Select SERVER_1's entry and click Edit. The following screen displays.

Figure 57 Tutorial SSID Edit
244. icate authorities
4. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
Konqueror
The following example uses Konqueror 3.5 on openSUSE 10.3, however the screens apply to Konqueror 3.5 on all Linux KDE distributions.
1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2. Click Continue.
Figure 278 Konqueror 3.5: Server Authentication
3. Click Forever when prompted to accept the
245. The following table describes the labels in this screen.
Table 57 Remote MGNT > Telnet
LABEL: DESCRIPTION
TELNET
Server Port: You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the NWA using Telnet.
Secured Client IP Address: A secured client is a "trusted" computer that is allowed to communicate with the NWA using this service. Select All to allow any computer to access the NWA using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service.
SSH
Server Certificate: Select the certificate whose corresponding private key is to be used to identify the NWA for SSH connections. You must have certificates already configured in the Certificates > My Certificates screen.
Server Port: You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) throu
246. ication request corresponding to the imported certificate must already exist on NWA. After the importation, the certification request will automatically be deleted.
The following table describes the labels in this screen.
Table 67 Certificates > My Certificate Import
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the NWA.
Cancel: Click Cancel to quit and return to the My Certificates screen.
18.4.2 My Certificates Create Screen
Use this screen if you do not have an existing or issued certificate and want to have the NWA create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
Click Certificates > My Certificates and then Create to open the My Certificate Create screen. The following figure displays.
Figure 132 Certificates > My Certificate Create
247. wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
Figure 227 RTS/CTS
When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.
When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.
Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.
You should only configure RTS/CTS if the possibility of hidden nodes e
248. iguration The following screen appears.
Figure 115 Rogue AP > Configuration
The following table describes the labels in this screen.
Table 54 Rogue AP > Configuration
LABEL: DESCRIPTION
Rogue AP Period Detection: Select Enable to turn rogue AP detection on. You must also enter a time value in the Period field. Select No to turn rogue AP detection off.
Period (minutes): Enter the period you want the NWA to wait between scanning for rogue APs (between 10 and 60 minutes). You must also select Enable in the Active Rogue AP Period Detection field.
Expiration Time (minutes): Specify how long (between 30 and 180 minutes) an AP's entry can remain in the Rogue AP List before the NWA removes it from the list if the AP is no longer active.
Friendly AP List Export: Click this button to save the current list of friendly APs' MAC addresses and descriptions (as displayed in the ROGUE AP > Friendly AP screen) to your computer.
File Path: Enter the location of a previously saved friendly AP list to upload to the NWA. Alternatively, click the Browse button to locate a list.
Browse: Click this button to locate a previously saved list of friendly APs to upload to the NWA.
Import: Click this
249. igure 204 Mac OS X 10.5: Apple Menu
2. In System Preferences, click the Network icon.
Figure 205 Mac OS X 10.5: System Preferences
3. When the Network preferences pane opens, select Ethernet from the list of available connection types.
Figure 206 Mac OS X 10.5: Network Preferences > Ethernet
250. igure an SSID profile's QoS settings, the NWA applies the same QoS setting to all of the profile's traffic.
L2 Isolation: Select a layer 2 isolation profile from the drop-down list box. If you do not want to use layer 2 isolation on this profile, select Disable. See Section on page 166 for more information.
Intra-BSS Traffic blocking: Select Enable from the drop-down list box to prevent wireless clients in this profile's BSS from communicating with one another.
MAC Filtering: Select a MAC filter profile from the drop-down list box. If you do not want to use MAC filtering on this profile, select Disable. See Section Note on page 174 for more information.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
Wireless Security Screen
10.1 Overview
This chapter describes how to use the Wireless Security screen. This screen allows you to configure the security mode for your NWA. Wireless security is vital to your network. It protects communications between wireless stations, access points and the wired network.
Figure 91 Securing the Wireless Network
In the figure above, the NWA checks the identity of devices before giving them access to the network. In this scenario, computer A is denied access to t
251. ile half duplex indicates that traffic can flow in only one direction at a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect. This shows the transmission speed only for the wireless adaptors.
TxPkts: This is the number of transmitted packets on this port.
RxPkts: This is the number of received packets on this port.
Collisions: This is the number of collisions on this port.
Tx B/s: This shows the transmission speed in bytes per second on this port.
Rx B/s: This shows the reception speed in bytes per second on this port.
Up Time: This is total amount of time the line has been up.
Table 85 Maintenance > System Status: Show Statistics
LABEL: DESCRIPTION
WLAN1: This section displays only when wireless LAN adaptor WLAN1 is in AP+Bridge or Bridge/Repeater mode.
WLAN2: This section displays only when wireless LAN adaptor WLAN2 is in AP+Bridge or Bridge/Repeater mode.
Bridge Link #: This is the index number of the bridge connection.
Active: This shows whether the bridge connection is activated or not.
Remote Bridge MAC: This is the MAC address of the peer device in bridge mode.
Status: This shows the current status of the bridge connection, which can be Up or Down.
TxPkts: This is the number of transmitted packets on the wireless bridge.
RxPkts: This is the number of received packet
252. Select l2Isolation03 in the L2 Isolation field and select macfilter03 in the MAC Filtering field. Click Apply.
3. Click the Layer 2 Isolation tab. When the Layer 2 Isolation screen appears, select L2Isolation03's entry and click Edit. The following screen displays.
Figure 58 Tutorial: Layer 2 Isolation Edit
Enter the network switch's MAC Address and add a Description (NET_SWITCH in this case) in Set 1's entry.
Enter server 1's MAC Address and add a Description (SERVER_1 in this case) in Set 2's entry.
Change the Profile Name to L 2 ISO_SERVER_1 and click Apply. You have restricted users on the SERVER_1 network to access only the devices with the
253. ilter To change your NWA's MAC filter settings, click WIRELESS > MAC Filter > Edit. The screen appears as shown.
Figure 110 Wireless > MAC Filter > Edit
The following table describes the labels in this screen.
Table 51 Wireless > MAC Filter > Edit
LABEL: DESCRIPTION
Profile Name: Type a name to identify this profile.
Filter Action: Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow Association to permit access to the router; MAC addresses not listed will be denied access to the router.
254. in the 1st floor of the building (recommended). The NWA APs B, C and D from the 2nd, 3rd and 4th floors are going to be your managed APs.
Note: The controllers need to have static IP addresses in the same network. Make sure you set the IP addresses in the IP screen (see Section 14.4 on page 176).
• Configure the newly added NWA (E) in Secondary Controller AP mode.
• Configure the 1st floor NWA in Primary Controller AP (A) mode and enter the IP address of your Secondary Controller AP (E) for synchronization.
2. Change the management mode of your 2nd, 3rd and 4th floor NWAs (B, C and D), originally in default standalone mode, to Managed AP mode. You can also manually enter the IP addresses of your primary and secondary NWA controller APs.
3. Add the newly converted managed APs (B, C and D) from step 4 to the Managed Access Points List of the NWA primary controller AP.
4. Check your settings and test the configuration. This example uses screens from G-302 v3, a wireless client that will try to access one of the managed APs for this section.
6.5.4 Configure Your NWA in Controller AP Mode
The NWA is set to Standalone AP mode by default. After you have made sure you have the correct configuration (see Section 23.8 on page 272) in the NWAs (A and E) of the 1st floor, you need to set both of them to controller AP mode; one will serve as your main controller while the other works as
255. ing a logical AND operation. The term "subnet" is short for "sub-network".
A subnet mask has 32 bits. If a bit in the subnet mask is a "1" then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0" then the corresponding bit in the IP address is part of the host ID.
The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).
Table 102 Subnet Masks
                        1ST OCTET   2ND OCTET   3RD OCTET   4TH OCTET
                        (192)       (168)       (1)         (2)
IP Address (Binary)     11000000    10101000    00000001    00000010
Subnet Mask (Binary)    11111111    11111111    11111111    00000000
Network Number          11000000    10101000    00000001
Host ID                                                     00000010
By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.
Subnet masks can be referred to by the size of the network number part (the bits with a "1" value). For example, an "8-bit mask" means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.
Subnet masks are expressed in dotted decimal n
256. io profile.
Profile Name: This field displays the identification name of each radio profile on the NWA.
802.11 Mode: This field displays the IEEE 802.11 wireless mode the radio profile uses.
Channel ID: This field displays the wireless channel the radio profile uses.
Edit: Click the radio button next to the profile you want to configure and click Edit to go to the radio profile configuration screen.
5.8 The Radio Profile Edit Screen
Use this screen to configure a specific radio profile. In the Profile Edit > Radio screen, select a profile and click Edit. The following screen displays.
Figure 30 The Profile Edit > Radio > Edit Screen
The following table describes the labels in this screen.
Table 14 The Profile Edit > Radio > Edit Screen
LABEL: DESCRIPTION
Profile Name: Enter a name identifying this profile.
802.11 Mode: Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the NWA. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the NWA. Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA. The
257. ircle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem:
• If two or more NWAs (in bridge mode) are connected to the same hub.
Figure 86 Bridge Loop: Two Bridges Connected to Hub
• If your NWA (in bridge mode) is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN.
Figure 87 Bridge Loop: Bridge Connected to Wired LAN
To prevent bridge loops, ensure that you enable STP in the Wireless screen or your NWA is not set to bridge mode while connected to both wired and wireless segments of the same LAN.
8.5.5 Quality of Service
This section discusses the Quality of Service (QoS) features available on the NWA.
8.5.6 WMM QoS
WMM (Wi-Fi MultiMedia) QoS (Quality of Service) ensures quality of service in wireless networks. It controls WLAN transmission priority on packets to be transmitted over the wireless network.
WMM QoS prioritizes wireless traffic according to delivery requirements. WMM QoS is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks.
On APs without WMM QoS, all traffic streams are given the same
258. ireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.
Positioning the antennas properly increases the range and coverage area of a wireless LAN.
Antenna Characteristics
Frequency: An antenna in the frequency of 2.4GHz (IEEE 802.11b) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.
Radiation Pattern: A radiation pattern is a diagram that allows you to visualize the shape of the antenna's coverage area.
Antenna Gain: Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications.
For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1 dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment.
Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.
Types of Antennas for WLAN
There are two types of antennas used for wireless LAN applications.
259. 8.5.5 Quality of Service
8.5.6 WMM QoS
8.5.6.1 WMM QoS Priorities
8.5.8 ATC+WMM
8.5.8.1 ATC+WMM from LAN to WLAN
8.5.8.2 ATC+WMM from WLAN to LAN
Chapter 9 SSID Screen
9.1 Overview
9.2 What You Can Do in the SSID Screen
9.3 What You Need To Know
9.4 The SSID Screen
Chapter 10 Wireless Security Screen
10.1 Overview
10.2 What You Can Do in the Security Screen
10.3 What You Need To Know
260. l connected APs.
• Use the Status screen (Section 5.3 on page 55) to view information about your managed wireless network.
• Use the AP Lists screen (Section 5.4 on page 57) to manage connected APs.
• Use the Configuration screen (Section 5.5 on page 60) to control the way in which the NWA accepts new APs to manage.
• Use the Redundancy screen (Section 5.6 on page 61) to set the controller AP as a primary or secondary controller.
• Use the Profile Edit screens (Section 5.7 on page 62) to edit an individual AP's Radio, SSID, Security, RADIUS, Layer-2 Isolation and MAC Address settings.
5.1.2 What You Need to Know
The following terms and concepts may help as you read through this chapter.
Controller AP Mode
Your NWA can be a CAPWAP controller AP. In this setup, the NWA can manage the wireless configurations and device settings of several APs at the same time.
In the figure below, an administrator is able to manage the security settings of 5 APs (1 controller AP and 4 managed APs). He changes the security mode to WPA-PSK just by accessing the Web Configurator of the controller AP (C).
Figure 20 CAPWAP Controller: Managed APs
Note: Be careful when configuring the controller AP, as its managed APs automatically inherit some of its settings. Moreover, some of these changes will automa
261. The following table describes the labels in this screen.
Table 37 Wireless > SSID
LABEL: DESCRIPTION
Index: This field displays the index number of each SSID profile.
Profile Name: This field displays the identification name of each SSID profile on the NWA.
SSID: This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.
Security: This field indicates which security profile is currently associated with each SSID profile. See Section 10.4 on page 150 for more information.
RADIUS: This field displays which RADIUS profile is currently associated with each SSID profile, if you have a RADIUS server configured.
QoS: This field displays the Quality of Service setting for this profile or NONE if QoS is not configured on a profile.
Layer 2 Isolation: This field displays which layer 2 isolation profile is currently associated with each SSID profile, or Disable if Layer 2 Isolation is not configured on an SSID profile.
MAC Filter: This field displays which MAC filter profile is currently associat
262. lect the certificate that you want to delete and then click Remove.
Figure 254 Internet Explorer 7: Certificates
4. In the Certificates confirmation, click Yes.
Figure 255 Internet Explorer 7: Certificates
Deleting system root certificates might prevent some Windows components from working properly. If Update Root Certificates is installed, any deleted third-party root certificates will be restored automatically, but the system root certificates will not. Do you wan
263. lete
Figure 265 Firefox 2: Certificate Manager
4. In the Delete Web Site Certificates dialog box, click OK.
Figure 266 Firefox 2: Delete Web Site Certificates
5. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Opera
The following example uses Opera 9 on Windows XP Professional, however the screens can apply to Opera 9 on all platforms.
If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
Click Install to accept the certificate.
Figure 267 Opera 9: Certificate signer not found
264. light Savings. The o'clock field uses the 24 hour format. Here are a couple of examples:
Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, November and type 2 in the o'clock field.
Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Oct, Last, Sun. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Apply: Click Apply to save your changes.
Reset: Click Reset to reload the previous configuration for this screen.
7.7 Technical Reference
This section provides technical background information about the topics covered in this chapter.
Pre-defined NTP Time Servers List
When you turn on the NWA for the first time, the date and time start at 2000-01-01 00:00:00. When you select Auto in the SYSTEM > Time Setting screen, the NWA then attempts to synchronize with one of the following pre-defined list of NTP time servers.
The NWA continues to use the following pre d
265. Table 33 Typical Packet Sizes
APPLICATION             TIME SENSITIVITY    TYPICAL PACKET SIZE (BYTES)
line Gaming             High                60 - 90
Web browsing (http)     Medium              300 - 600
FTP                     Low                 1500
When ATC is activated, the device sends traffic with smaller packets before traffic with larger packets if the network is congested. ATC assigns priority to packets as shown in the following table.
Table 34 Automatic Traffic Classifier Priorities
BYTES           ATC PRIORITY
1 - 250         ATC_High
250 - 1100      ATC_Medium
1100            ATC_Low
You should activate ATC on the NWA if your wireless network includes networking devices that do not support WMM QoS, or if you want to prioritize traffic but do not want to configure WMM QoS settings.
8.5.8 ATC+WMM
The NWA can use a mapping mechanism to use both ATC and WMM QoS. The ATC+WMM function prioritizes all packets transmitted onto the wireless network using WMM QoS, and prioritizes all packets transmitted onto the wired network using ATC. See Section 9.4.1 on page 144 for details of how to configure ATC+WMM.
Use the ATC+WMM function if you want to do the following:
• enable WMM QoS on your wireless network and automatically assign a WMM priority to packets that do not already have one (see Section 8.5.8.1 on page 139).
• automatically prioritize all packets going from your wireless network to the wi
266. ling a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
1. Double-click the public key certificate file.
Figure 281 Konqueror 3.5: Public Key Certificate File
2. In the Certificate Import Result - Kleopatra dialog box, click OK.
Figure 282 Konqueror 3.5: Certificate Import Result
The public key certificate appears in the KDE certificate manager, Kleopatra.
Figure 283 Konqueror 3.5: Kleopatra
267. The following table describes the labels in this screen.
Table 68 Certificates > My Certificate Create
LABEL: DESCRIPTION
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
Common Name: Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string.
Organizational Unit: Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs. You may use a
268. lude logs about system maintenance, system errors and access control. You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order.

Click Logs > View Log. The following screen displays.

Figure 140 Logs > View Log (screenshot; the log table has the columns Index, Time, Message, Source, Destination and Notes)

The following table describes the labels in this screen.

Table 73 Logs > View Log

LABEL: DESCRIPTION

Display: Select a log category from the drop-down list box to display logs within the selected category. To view all logs, select All Logs. The number of categories shown in the drop-down list box depends on the selection in the Log Settings page.

Time: This field displays the time the log was recorded.

Message: This field states the reason for the log.

Source: This field lists the source IP address and the port number
269. ludes a Not Yet Valid message if the certificate has not yet become applicable.

Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired.

Details: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features is configured to use. Do the following to delete a certificate that shows SELF in the Type field:

1. Make sure that no other features, such as HTTPS, VPN, SSH, are configured to use the SELF certificate.
2. Click the details icon next to another self-signed certificate (see the description on the Create button if you need to create a self-signed certificate).
3. Select the Default self-signed certificate which signs the imported remote host certificates check box.
4. Click Apply to save the changes and return to the My Certificates screen.
5. The certificate that originally showed SELF displays SELF and you can delete it now.

Note that subsequent certificates move up by one when you take this action.

Create: Click Create to go to the screen where you can have the NWA generate a certificate or a certification request.

Import: Click Import to o
270. ly disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).

Table 46 Wireless > Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX

LABEL: DESCRIPTION

Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The NWA's default is 1800 seconds (30 minutes).

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

10.5 Technical Reference

This section provides technical background information on the topics discussed in this chapter.

The following is a general guideline in choosing the security mode for your NWA.

• Use WPA(2) security if you have WPA(2)-aware wireless clients and a RADIUS server. WPA has user authentication and improved data encryption over WEP.
• Use WPA(2)-PSK if you have WPA(2)-aware wireless clients but no RADIUS server.
• If you don't have WPA(2)-aware wireless clients, then use
271. managed AP from the list and clicking Edit.

Figure 69 Tutorial: AP List (screenshot of the Managed Access Points List and the Un-Managed Access Points List)

4. In the screen that opens, choose the radio profile for each WLAN radio and click Apply.

Figure 70 Tutorial: AP WLAN Radio Profile (screenshot of the AP Configuration screen)

In this example, the 1st floor NWA managed AP uses radio06 for its WLAN1 Radio Profile. The WLAN2 radio is disabled. Refer to Section 5.7.1 on page 62 for instructions on how to set up WLAN radio profiles in the NWA controller APs.

6.5.7 Checking your Settings and Testing the Configuration

The NWAs should be working at this point. You can configure the settings of each NWA unit by just opening the Web Configurator of the primary c
272. (screenshot of the openSUSE 10.3 K Menu, Computer tab)

2. When the Run as Root - KDE su dialog opens, enter the admin password and click OK.

Figure 217 openSUSE 10.3: K Menu > Computer Menu

3. When the YaST Control Center window opens, select Network Devices and then click the Network Card icon.

Figure 218 openSUSE 10.3: YaST Control Center

4. When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button.

Figure 219 openSUSE 10.3: Network Settings
273. mote Bridge MAC: Type the MAC address of the peer device in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.

PSK: Type a pre-shared key (PSK) from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). You must also set the peer device to use the same pre-shared key. Each peer device can use a different pre-shared key.

See Table 27 on page 124 for information on the other labels in this screen.

8.4.3 AP Bridge Mode

Select AP Bridge as the Operating Mode in the WIRELESS > Wireless screen to have the NWA function as a bridge and access point simultaneously. See the section on applications for more information.

Figure 81 Wireless: AP Bridge (screenshot; the table of peers has the columns Index, Active and Remote Bridge MAC)

See the tables describing the fields in the Access Point and Bridge Repeater operating modes for descriptions of the fields in this screen.

8.4.4 MBSSID Mode

Use this screen to have the NWA function in MBSSID mode. Select MBSSID as the Operating Mode. The following screen displays.

Figure 82 Wireless: MBSSID
274. multiple SSID profiles simultaneously. Configure SSID profiles in the Profile Edit > SSID screens.

Index: This is the SSID profile's index number.

Active: Select this to use the SSID profile selected in the Profile field.

Profile: Select the profile you want to use. Ensure that you also select the Active box.

Enable Antenna Diversity: Select this to have access points using this radio profile use antenna diversity, where available. Antenna diversity uses multiple antennas to reduce signal interference.

Apply: Click this to save your changes.

Reset: Click this to reload the previous configuration for this screen.

Tutorial

This chapter first provides an overview of how to configure the wireless LAN on your NWA, and then gives step-by-step guidelines showing how to configure your NWA for some example scenarios.

6.1 How to Configure the Wireless LAN

This section shows how to choose which wireless operating mode you should use on the NWA, and the steps you should take to set up the wireless LAN in each wireless mode. See Section 6.1.3 on page 70 for links to more information on each step.

Note: This section describes how to use the NWA in standalone mode. For information on using the NWA in a CAPWAP network, see Chapter 4 on page 47.

6.1.1 Choosing the Wireless Mode

• Use Access Point operating mode if you want to allow wireless clients to access your wired ne
275. n

Table 25 System > Time Setting

LABEL: DESCRIPTION

Current Time: This field displays the time of your NWA. Each time you reload this page, the NWA synchronizes the time with the time server (if configured).

Current Date: This field displays the last updated date from the time server.

Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.

New Time (hh mm ss): This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.

New Date (yyyy mm dd): This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.

Get from Time Server: Select this radio button to have the NWA get the time and date from the time server you specify below.

Auto: Select this to have the NWA use the predefined list of time servers.

User Defined Time Server Address: Enter the IP address or URL of your time server. Check with yo
276. n File Example name Test wep security wep wep keysize 64 ascii wep keyl abcde wep key2 bcdef wep key3 cdefg wep key4 defgh wep keyindex 1 ve ssid wep rity Test wep lation disable ilter disable Figure 292 802 1X Configuration File Example ZYXEL PROWLAN VERSION 12 wefg wefg wefg wefg wefg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg security 2 security 2 security 2 security 2 security 2 security 2 security 2 security sa radius 2 na radius 2 pr radius 2 ba radius save ssid 2 name ssid 2 secu ssid 2 radi ssid 2 qos ssid 2 12is ssid 2 macf ssid save name Test 8021x mode 8021x staticl28 wep keyl abcdefghijklm wep key2 bcdefghijklmn wep keyindex 1 reauthtime 1800 idletime 3600 ve me radius rd imary 172 23 3 4 1812 1234 enable ckup 172 23 3 5 1812 1234 enable ssid 8021x rity Test 8021x us radius rd 4 olation disable ilter disable NWA 3500 NWA 3550 User s Guide Appendix F Text File Based Auto Configuration Figure 293 WPA PSK Configuration File Example ZYXI EL PROWLAN VERSION 13 wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg wcfg security 3 name Test wpapsk security 3 mode wpapsk security 3 passphrase qwertyuiop security 3 reauthtime 1800 security 3 idletime 3600 security 3 groupkeytime 1800 security save ssid ssid ssid ssid ssid ssid 3 name ssid wpapsk 3 security Test
277. ncing by station number limits the number of devices allowed to connect to your AP. If you know exactly how many stations you want to let connect, choose this option.

For example, if your company's graphic design team has their own NWA and they have 10 computers, you can load balance for 10. Later, if someone from the sales department visits the graphic design team's offices for a meeting and he tries to access the network, he won't be able to because his laptop is device number 11, which is one more than 10 and thus exceeds the load balance. If one of the graphic design team's computers disconnects from the network, then the sales computer can join.

Load balancing by traffic level limits the number of connections to the NWA based on maximum bandwidth available. If you are uncertain as to the exact number of wireless connections you will have, then choose this option. By setting a maximum bandwidth cap, you allow any number of devices to connect as long as their total bandwidth usage does not exceed the bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed, provided that there are other APs in range that have the same settings as the NWA, such as SSID, security mode, radio mode and so on.

Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can
278. nd exit this screen.

Reset: Click Reset to begin configuring this screen afresh.

16.8 Technical Reference

This section provides some technical background information about the topics covered in this chapter.

16.8.1 MIB

Managed devices in an SNMP-managed network contain object variables or managed objects that define each piece of information to be collected about a device. Examples of variables include number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

• Get: Allows the manager to retrieve an object variable from the agent.
• GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set: Allows the manager to set values for object variables within an agent.
• Trap: Used by the agent to inform the manager of some events.

16.8.2 Supported MIBs

The NWA supports MIB II that is defined in RFC 1213 and RFC 1215 as well as the proprietary ZyXEL private MIB. The
280. ned by any of the imported trusted CA certificates.

You can use the NWA to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

The NWA only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.

Certificates are based on public-private key pairs. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

The certification authority certificate that you want to import has to be in one of these file formats:

• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The NWA currently allows the importation of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.

You can have the NWA act as a certification authority and sign its own certificates. See Section 18.4.2 on page 211 for details on how to apply this.

My Certi
281. network administrator instructs you to do so with additional information.

Share Secret: Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the NWA. The key must be the same on the external accounting server and your NWA. The key is not sent over the network.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

Layer 2 Isolation Screen

12.1 Overview

This chapter describes how you can configure the Layer 2 Isolation screen on your NWA.

Layer 2 isolation is used to prevent wireless clients associated with your NWA from communicating with other wireless clients, APs, computers or routers in a network.

In the following figure, layer 2 isolation is enabled on the NWA (Z) to allow a guest wireless client (A) to access the main network router (B). The router provides access to the Internet (C) and the network printer (D) while preventing the client from accessing other computers and servers on the network. The client can communicate with other wireless clients only if Intra-BSS Traffic blocking is disabled.

Note: Intra-BSS Traffic Blocking is activated when you enable layer 2 isolation.

Figure 102 Layer 2 Isolation Application

MAC addresses that are no
282. ng mechanism WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it's still an improvement over WEP as it employs a consistent single al
283. ng DNS server addresses

Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.

Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.

Click OK to close the Internet Protocol (TCP/IP) Properties window.

Click OK to close the Local Area Connection Properties window.

Verifying Settings

Click Start > All Programs > Accessories > Command Prompt.

In the Command Prompt window, type ipconfig and then press ENTER.

You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.

Windows Vista

This section shows screens from Windows Vista Professional.

1. Click Start > Control Panel.

Figure 191 Windows Vista: Start Menu

2. In the Control Panel, click the Network and Internet icon.

Figure 192 Windows Vista: Control Panel
284. ng figure shows the NWA (Z) using its internal RADIUS server to control access to a wired network. A wireless notebook (A) requests access by sending its credentials. The NWA consults its internal RADIUS server's list of user names and passwords. If the credentials of the wireless notebook match an entry, the NWA allows the client to access the network.

Figure 124 RADIUS Server (diagram: notebook A sends an Access Request to NWA Z, which returns an Allow or Deny Response)

The NWA can also serve as a RADIUS server to authenticate other APs and their wireless clients. For more background information on RADIUS, see Section 11.3 on page 162.

17.2 What You Can Do in the Internal Radius Server Screens

• Use the AUTH. SERVER > Setting screen (see Section 17.4 on page 200) to turn the NWA's internal RADIUS server off or on and to view information about the NWA's certificates.
• Use the AUTH. SERVER > Trusted AP screen (see Section 17.5 on page 202) to specify APs as trusted. Trusted APs can use the NWA's internal RADIUS server to authenticate wireless clients.
• Use the AUTH. SERVER > Trusted Users screen (see Section 17.6 on page 204) to configure a list of wireless client user names and passwords.

17.3 What You Need To Know

The NWA has a built-in RADIUS server that can authenticate wireless clients or other trusted APs.

Certificates are used by wireles
285. nge the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.

Server Access: Select the interface(s) through which a computer may access the NWA using this service.

Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the NWA using this service. Select All to allow any computer to access the NWA using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service.

HTTPS

Server Certificate: Select the Server Certificate that the NWA will use to identify itself. The NWA is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the NWA).

Authenticate Client Certificates: Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself with the NWA by sending the NWA a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the NWA (see the appendix on importing certificates for details).

Server Port: The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the NWA, for example 8443, then you must notify people who need to access the NWA web configurator to use https NWA IP Ad
287. nt mode.

Figure 15 Status > AP Statistics (screenshot; the statistics table has the columns AP Description, 802.11 Mode, Channel ID, Rx PKT, Tx PKT, Rx FCS Error Count and Tx Retry Count)

The following table describes the labels in this screen.

Table 6 Status > AP Statistics

LABEL: DESCRIPTION

AP Description: This is the descriptive name configured for this AP in the Controller > AP Lists.

802.11 Mode: This is the wireless standard supported by each wireless module on the AP.

Channel ID: This is the channel ID number used by each wireless module on the AP.

Rx PKT: This is the number of received packets on this AP.

Tx PKT: This is the number of transmitted packets on this port.

Rx FCS Error Count: This is the number of received packets with the Frame Check Sequence (FCS) error(s).

Tx Retry Count: This is the number of times for the NWA to resend the packets.

Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.

Refresh: Click this button to update the screen statistics immediately.

Reset
288. (screenshot of the Redundancy configuration, showing the Secondary AP Controller IP field)

2. Enable Redundancy. Then select Primary AP Controller and enter the IP address of the secondary controller AP (required). Click Apply.

Note: Only NWAs in managed AP mode are visible to the controller AP.

6.5.5 Setting Your NWA in Managed AP Mode

After setting the NWAs A and E to controller AP modes, you can now transform the NWAs B, C and D in the 2nd, 3rd and 4th floors of your company building to managed APs.

It is very important to note that once an NWA is in managed AP mode, its web configurator cannot be viewed anymore. It cannot be accessed any other way other than through its controller AP's Web Configurator. The same rule applies to its TELNET, FTP and SNMP features. To put it simply, the managed NWA is not directly configurable. This is because its controller AP is continuously managing it.

You can switch the NWA to standalone AP mode by pressing the reset button on the casing (NWA-3500 only). Previous configurations are lost.

1. To set your NWA in managed AP mode, open the MGNT screen in the Web Configurator of the NWA that you want to serve as a managed AP.

Figure 66 Tutorial: Managed AP (screenshot of the MGNT Mode screen with the AP Controller, Standalone AP and Managed AP options)
289. ny character, including spaces, but the NWA drops trailing spaces.

Organization: Type up to 127 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the NWA drops trailing spaces.

Country: Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the NWA drops trailing spaces.

Key Length: Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.

Enrollment Options: These radio buttons deal with how and when the certificate is to be generated.

Create a self-signed certificate: Select Create a self-signed certificate to have the NWA generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.

Create a certification request and save it locally for later manual enrollment: Select Create a certification request and save it locally for later manual enrollment to have the NWA generate and store a request for a certificate. Use the My Certificate Details screen to view the
290. ogical networks. Stations on a logical network can belong to one or more groups. Only stations within the same group can talk to each other.

Figure 142 VLAN Example

In the figure above, the NWA allows station A to connect to the Internet but not to the server. It allows station B to connect to the server but not to the Internet.

20.2 What You Can Do in the VLAN Screen

• Use the Wireless VLAN screen (Section 20.4 on page 237) to enable and configure your Wireless Virtual LAN setup. The NWA tags all packets from an SSID with the VLAN ID you set in this screen.
• Use the Radius VLAN screen (Section 20.4.1 on page 239) to configure your RADIUS Virtual LAN setup. Your RADIUS server assigns VLAN IDs to a user or user group's traffic based on what you set in this screen.

20.3 What You Need To Know About VLAN

When you use wireless VLAN and RADIUS VLAN together, the NWA first tries to assign VLAN IDs based on RADIUS VLAN configuration. If a client's user name does not match an entry in the RADIUS VLAN screen, the NWA assigns a VLAN ID based on the settings in the Wireless VLAN screen. See Section 20.5.3 on page 243 for more information.

Note: To use RADIUS VLAN, you must first select Enable VIRTUAL LAN and configure the Management VLAN ID in the VLAN > Wireless VLAN screen.

The Management VLAN
291. Importing Certificates

This appendix shows you how to import public key certificates into your web browser.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.

Many ZyXEL products, such as the NSA-2401, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority.

Note: You can see if you are browsing on a secure website if the URL in your web browser's address bar begins with https or there is a sealed padlock icon somewhere in t
292. on is an independent Ad-hoc WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.

Figure 224 Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP).

Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.

Figure 225 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN. The Access
293. onfiguration file upload, you can try using the following MIB 10 to 20 seconds after using SNMP to have the AP download the configuration file.

Table 117 Displaying the File Version
ITEM | OBJECT ID | DESCRIPTION
pwTftpOpStatus | 1.3.6.1.4.1.890.1.9.1.6 | This displays the current operating status of the TFTP client.

Configuration File Format

The text-based configuration file must use the following format.

Figure 290 Configuration File Format

    ZYXEL PROWLAN
    VERSION 12
    wcfg security 1 xxx
    wcfg security save
    wcfg ssid 1 xxx
    wcfg ssid save

The first line must be ZYXEL PROWLAN.

The second line must specify the file version. The AP compares the file version with the version of the last configuration file that it downloaded. If the version of the downloaded file is the same or smaller (older), the AP ignores the file. If the version of the downloaded file is larger (newer), the AP uses the file.

Configuration File Rules

You can only use the wlan and wcfg commands in the configuration file. The AP ignores other ZyNOS commands but continues to check the next command.

The AP ignores any improperly formatted commands and continues to check the next line.

If there are any errors while processing the configuration file, the AP generates a message with the line number and reason for the first error. Subsequent err
294. ontroller AP.

One way to test if the setup is working is to use a wireless client to check if all the profiles you have set up in the managed APs and the controller APs are available for wireless connection. For this example, we use the G-302 v3 wireless client utility screen to check if radio6 SSID Mktg Grp 6 is in the list of wireless networks available.

Figure 71 Tutorial: Checking your Setup

Open the wireless client's screen that lists the available networks within range. In the image above, we can see Mktg Grp 6, which is the SSID in the WLAN1 radio profile enabled for the 1st floor NWA managed AP.

Do the same for the other WLAN radio profiles of the remaining NWA APs (both controller and managed APs) and check if all the security configurations and device settings are in place. Do the proper modifications in the primary controller AP's Web Configurator if necessary.

Note: Be sure you update the primary controller AP and not the secondary controller AP when setting the configuration for the managed APs. If you accidentally set up the secondary controller AP instead, the changes you made will not take ef
295. or information on how to set up e-mail logs.

You can set how often you want the NWA to scan for rogue APs in the Rogue AP > Configuration screen (see Section 15.3.1 on page 182).

Friendly APs

If you have more than one AP in your wireless network, you must also configure the list of friendly APs. Friendly APs are other wireless access points (aside from the NWA) that are detected in your network, as well as any others that you know are not a threat (those from neighboring networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points. If you do not add them to the friendly AP list, these access points will appear in the Rogue AP list each time the NWA scans.

The friendly AP list displays details of all the access points in your area that you know are not a threat. If you have more than one AP in your network, you need to configure this list to include your other APs. If your wireless network overlaps with that of a neighbor (for example), you should also add these APs to the list, as they do not compromise your own network's security. If you do not add them to the friendly AP list, these access points will appear in the Rogue AP list each time the NWA scans.

Honeypot Attack

Rogue APs need not be connected to the legitimate network to pose a severe s
296. ority certificates that shows the hierarchy of certification authorities that validate the end entity's certificate. If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the end entity's own certificate). The NWA does not trust the end entity's certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked.

Refresh: Click Refresh to display the certification path.

Certificate Information: These read-only fields display detailed information about the certificate.

Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public key certificates.

Version: This field displays the X.509 version number.

Serial Number: This field displays the certificate's identification number given by the certification authority.

Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).

Issuer: This field displays identifying information
297. ors during the processing of an individual configuration file are not recorded. You can use SNMP management software to display the message by using the following MIB.

Table 118 Displaying the Auto Configuration Status
ITEM | OBJECT ID | DESCRIPTION
pwAutoCfgMessage | 1.3.6.1.4.1.890.1.9.1.9 | Auto configuration status message string

The commands will be executed line by line, just as if you entered them in a console or Telnet CI session. Be careful to ensure the integrity of the whole AP configuration. If there are existing settings in the AP, the newly loaded configuration file will either coexist with the previous settings or replace them.

You can zip each configuration file. You must use the "store" compression method and a ".zip" file extension. When zipping a configuration file, you can also add password protection using the same password that you use to log into the AP.

Wcfg Command Configuration File Examples

These example configuration files use the wcfg command to configure security and SSID profiles.

Figure 291

    ZYXEL PROWLAN
    VERSION 11
    wcfg security 1
    wcfg security 1
    wcfg security 1
    wcfg security 1
    wcfg security 1
    wcfg security 1
    wcfg security 1
    wcfg security 1
    wcfg security sa
    wcfg ssid 1 name
    wcfg ssid 1 secu
    wcfg ssid 1 1l2io
    wcfg ssid 1 macf
    wcfg ssid save

WEP Configuratio
298. otation, just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.

Table 103 Subnet Masks
SUBNET MASK | BINARY 1ST OCTET | BINARY 2ND OCTET | BINARY 3RD OCTET | BINARY 4TH OCTET | DECIMAL
8-bit mask | 11111111 | 00000000 | 00000000 | 00000000 | 255.0.0.0
16-bit mask | 11111111 | 11111111 | 00000000 | 00000000 | 255.255.0.0
24-bit mask | 11111111 | 11111111 | 11111111 | 00000000 | 255.255.255.0
29-bit mask | 11111111 | 11111111 | 11111111 | 11111000 | 255.255.255.248

Network Size

The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits.

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example).

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:

Table 104 Maximum Host Numbers
SUBNET MASK | | HOST ID SIZE | | MAXIMUM NUMBER OF HOSTS
8 bits | 255.0.0.0 | 24 bits | 2^24 - 2 | 16777214
16 bits | 255.255.0.0 | 16 bits | 2^16 - 2 | 65534
24 bits | 255.255
299. page 124 for information on the other labels in this screen.

8.5 Technical Reference

This section provides technical background information about the topics covered in this chapter. Refer to Appendix B on page 319 for further readings on Wireless LAN.

8.5.1 Spanning Tree Protocol (STP)

STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.

8.5.1.1 Rapid STP

The NWA uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP, topology change information does not have to propagate to the root bridge, and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding.

8.5.1.2 STP Terminology

The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value (MAC address).

Path cost is the cost of transmitting a frame onto a LAN through that port. It is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost (see the following table).

Table 30 STP
300. pears.

Figure 42 Tutorial: Guest Security Profile Edit

Change the Name field to "Guest_Security" to make it easier to remember and identify.

Select WPA-PSK in the Security Mode field. WPA-PSK provides strong security that is supported by most wireless clients. Even though your Guest_SSID clients do not have access to sensitive information on the network, you should not leave the network without security. An attacker could still cause damage to the network or intercept unsecured communications.

Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is "ThisismyGuestWPApre sharedkey".

Click Apply. The WIRELESS > Security screen displays. Ensure that the Profile Name for entry 3 displays "Guest_Security" and that the Security Mode is WPA-PSK.

Figure 43 Tutorial: Guest Security Updated
301. pecific MAC filter and layer 2 isolation profiles.
2 Configure the SERVER_1 network's MAC filter profile.
3 Configure the SERVER_1 network's layer 2 isolation profile.
4 Repeat steps 1 to 3 for the SERVER_2 network.
5 Check your settings and test the configuration.

To configure layer 2 isolation, you need to know the MAC addresses of the devices on your network, which are as follows.

Table 19 Tutorial: Example Network MAC Addresses
DEVICE | LABEL | MAC ADDRESS
NWA | Z | BB:AA:99:88:77:66
Secure Server 1 | 1 | AA:99:88:77:66:55
Secure Server 2 | 2 | 99:88:77:66:55:44
Workstation | C | 88:77:66:55:44:33
Switch | D | 77:66:55:44:33:22
Security gateway | E | 66:55:44:33:22:11

To configure MAC filtering, you need to know the MAC addresses of the devices Alice and Bob use to connect to the network, which are as follows.

Table 20 Tutorial: Example User MAC Addresses
USER | MAC ADDRESS
Alice | 11:22:33:44:55:66
Bob | 22:33:44:55:66:77

6.4.4 Configure the SERVER_1 Network

First, you will set up the SERVER_1 network, which allows Alice to access secure server 1 via the network switch.

You will configure the MAC filter to restrict access to Alice alone, and then configure layer 2 isolation to allow her to access only the network switch, the file server and the Internet security gateway.

Take the following steps to configure the SERVER_1 network.
302. pen a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the NWA.

Delete: Click Delete to delete an existing certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.

Refresh: Click Refresh to display the current validity status of the certificates.

18.4.1 My Certificates Import Screen

Use this screen if you have an existing CA-issued certificate you want to use for authentication. Follow the instructions in this screen to save it to the NWA. Click Certificates > My Certificates and then Import to open the My Certificate Import screen.

Note: You can import only a certificate that matches a corresponding certification request that was generated by the NWA.

Note: The certificate you import replaces the corresponding request in the My Certificates screen.

Note: You must remove any spaces from the certificate's filename before you can import it.

Figure 131 Certificates > My Certificates Import

Please specify the location of the certificate file to be imported. The certificate file must be in one of the following formats.

• Binary X.509
• PEM (Base-64) encoded X.509
• Binary PKCS#7
• PEM (Base-64) encoded PKCS#7

For my certificate importation to be successful, a certif
303. performance, as less time sending preamble means more time for sending data. All IEEE 802.11b/g compliant wireless adapters support long preamble, but not all support short preamble.

Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.

Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications.

Select Dynamic to have the AP automatically use short preamble when wireless adapters support it; otherwise the AP uses long preamble.

Note: The AP and the wireless adapters MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:

Table 98 IEEE 802.11g
MBPS | MODULATION
1 | DBPSK (Differential Binary Phase Shift Keyed)
2 | DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11 | CCK (Complementary Code Keying)
6 / 9 / 12 / 18 / 24 / 36 / 48 / 54 | OFDM (Orthogonal Frequency Division Multiplexing)

Wireless Se
304. phanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices sharing the same encryption keys (a weakness of WEP).

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go through the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey clien
305. problem continues, contact the vendor.

24.2 NWA Access and Login

I forgot the IP address for the NWA.

1 The default IP address is 192.168.1.2.
2 If you changed the static IP address and have forgotten it, you have to reset the device to its factory defaults. Contact your vendor. If you set the NWA to get a dynamically assigned IP address from a DHCP server, check your DHCP server for the IP address assigned to the ZyXEL Device.

I forgot the password.

1 The default password is 1234.
2 If this does not work, you have to reset the device to its factory defaults. Contact your vendor.

I cannot see or access the Login screen in the web configurator.

1 Make sure you are using the correct IP address.
  • The default IP address is 192.168.1.2.
  • If you changed the IP address (Section 14.4 on page 176), use the new IP address.
  • If you changed the IP address and have forgotten it, see the troubleshooting suggestions for "I forgot the IP address for the NWA".
2 Check the hardware connections. See the Quick Start Guide.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Section 24.1 on page 279.
4 Make sure your computer is in the same subnet as the NWA. (If you know that there are routers between your computer and the NWA, skip this step.)
  • If there is no DHCP server on your network, mak
306. r local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.

Rogue AP Detection

15.1 Overview

This chapter discusses rogue wireless access points and how to configure the NWA's rogue AP detection feature.

Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. Attackers can take advantage of a rogue AP's weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially available software to physically locate it.

Note that it is not necessary for a network to have a legitimate wireless LAN component for rogue APs to open the network to an attacker. In this case, any AP detected can be classified as rogue.

Figure 113 Rogue AP Example

In the example above, a corporate ne
307. 6.2.3.2 Set up Layer 2 Isolation

Configure layer 2 isolation to control the specific devices you want the users on your guest network to access. Click WIRELESS > Layer 2 Isolation. The following screen appears.

Figure 44 Tutorial: Layer 2 Isolation

The Guest_SSID network uses the l2isolation01 profile by default, so select its entry and click Edit. The following screen displays.

Figure 45 Tutorial: Layer 2 Isolation Profile

Enter the MAC addresses and descriptions of the two network devices you want users on the guest network to be able to access: the main network router (00:AA:00:AA:00:AA) and the network printer (AA:00:AA:00:AA:00). Click Apply.

6.2.3.3 Activate the Guest Profile

You need to activate the Guest_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the check box for the Guest_SSID profile and click Apply.

Figure 46 Tutorial: Activate Guest Profile
308. r NWA and network.

1.5.1 Control Access to Your Device

Ensure only people with permission can access your NWA.

• Control physical access by locating devices in secure areas, such as locked rooms. Most NWAs have a reset button. If an unauthorized person has access to the reset button, they can then reset the device's password to its default password, log in and reconfigure its settings.
• Change any default passwords on the NWA, such as the password used for accessing the NWA's web configurator (if it has a web configurator). Use a password with a combination of letters and numbers and change your password regularly. Write down the password and put it in a safe place. Avoid setting a long timeout period before the NWA's web configurator automatically times out. A short timeout reduces the risk of an unauthorized person accessing the web configurator while it is left idle. See Chapter 7 on page 109 for instructions on changing your password and setting the timeout period.
• Configure remote management to control who can manage your NWA. See Chapter 16 on page 187 for more information. If you enable remote management, ensure you have enabled remote management only on the IP addresses, services or interfaces you intended and that other remote management settings are disabled.

1.5.2 Wireless Security

Wireless devices are especially vulnerable to attack. If your NWA has a wireless function, take the following measures to improve wireless se
310. 6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.

Figure 243 Internet Explorer 7: Certificate Import Wizard

7 Otherwise, select Place all certificates in the following store and then click Browse.

Figure 244 Internet Explorer 7: Certificate Import Wizard

8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.

Figure 245 Internet Explorer 7: Select Certificate Store
311. rea around and determining what channels are currently being used by other devices.

When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. This can make accessing the network potentially rather difficult for the stations connected to them. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using in order to give the connected stations a minimum degree of cross-channel interference.

Figure 170 An example of cross-channel interference

NWA 3160 Series User's Guide, Chapter 22 Dynamic Channel Selection

In this example, if the NWA attempts to broadcast on channels 1, 2, or 3, it is met with cross-channel interference from the other AP that shares the channel. This can result in noticeably slower data transfer rates, the dropping of the connection altogether, or even lost data packets.

However, if the NWA broadcasts on the otherwise empty channel 4, then there will be minimal interference and a clearer connection to the network.

To alleviate this problem of having to manually change channels every time interference crops up, you would normally need to scan the area quite often to see which channels are currently unused
312. red network (see Section 8.5.8.2 on page 140).

8.5.8.1 ATC+WMM from LAN to WLAN

ATC+WMM from LAN (the wired Local Area Network) to WLAN (the Wireless Local Area Network) allows WMM prioritization of packets that do not already have WMM QoS priorities assigned. The NWA automatically classifies data packets using ATC and then assigns WMM priorities based on that ATC classification.

The following table shows how priorities are assigned for packets coming from the LAN to the WLAN.

Table 35 ATC+WMM Priority Assignment (LAN to WLAN)
PACKET SIZE (BYTES) | ATC VALUE | WMM VALUE
1 to 250 | ATC_High | WMM_VIDEO
250 to 1100 | ATC_Medium | WMM_BEST_EFFORT
1100 | ATC_Low | WMM_BACKGROUND

8.5.8.2 ATC+WMM from WLAN to LAN

ATC+WMM from WLAN to LAN automatically prioritizes (assigns an ATC value to) all packets coming from the WLAN. Packets are assigned an ATC value based on their WMM value, not their size.

The following table shows how priorities are assigned for packets coming from the WLAN to the LAN when using ATC+WMM.

Table 36 ATC+WMM Priority Assignment (WLAN to LAN)
WMM VALUE | ATC VALUE
WMM_VOICE | ATC_High
WMM_VIDEO | ATC_High
WMM_BEST_EFFORT | ATC_Medium
WMM_BACKGROUND | ATC_Low
NONE | ATC_Medium

SSID Screen

9.1 Overview

This ch
313. reet name, computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance 192.168.1.2, for your device, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed
314. reless security methods.

Table 39 Wireless Security Levels
SECURITY LEVEL | SECURITY TYPE
Least Secure | Unique SSID (Default)
 | Unique SSID with Hide SSID Enabled
 | MAC Address Filtering
 | WEP Encryption
 | IEEE802.1x EAP with RADIUS Server Authentication
 | Wi-Fi Protected Access (WPA)
Most Secure | WPA2

The available security modes in your NWA are as follows:

• None. No data encryption.
• WEP. Wired Equivalent Privacy (WEP) encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private.
• 802.1x-Only. This is a standard that extends the features of IEEE 802.11 to support extended authentication. It provides additional accounting and control features. This option does not support data encryption.
• 802.1x-Static64. This provides 802.1x-Only authentication with a static 64bit WEP key and an authentication server.
• 802.1x-Static128. This provides 802.1x-Only authentication with a static 128bit WEP key and an authentication server.
• WPA. Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard.
• WPA2. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.
• WPA2-MIX. This commands the NWA to use either WPA2 or WPA depending on which security mode the wireless client uses.
315. rifying Settings

Click Start > All Programs > Accessories > Command Prompt.

In the Command Prompt window, type "ipconfig" and then press [ENTER].

You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.

Mac OS X: 10.3 and 10.4

The screens in this section are from Mac OS X 10.4 but can also apply to 10.3.

1 Click Apple > System Preferences.

Figure 198 Mac OS X 10.4: Apple Menu

2 In the System Preferences window, click the Network icon.

Figure 199 Mac OS X 10.4: System Preferences
317. rtificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the information. The password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is
318. rver handles the following tasks:
• Authentication, which determines the identity of the users.
• Authorization, which determines the network services available to authenticated users once they are connected to the network.
• Accounting, which keeps track of the client's network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. You should know the IP addresses, ports and shared secrets of the external RADIUS server and/or the external RADIUS accounting server you want to use with your NWA. You can configure a primary and backup RADIUS and RADIUS accounting server for your NWA.

You can configure up to four RADIUS server profiles. Each profile also has one backup authentication server and a backup accounting server. These profiles can be assigned to an SSID profile in the Wireless > SSID configuration screen.

11.4 The RADIUS Screen
Use this screen to set up your NWA's RADIUS server settings. Click Wireless > RADIUS. The screen appears as shown.

Figure 101 Wireless > RADIUS
319. s 18.6.1 18.6.2

Private-Public Certificates
When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.

These keys work like a handwritten signature (in fact, certificates are often referred to as "digital signatures"). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you or by someone else. In the same way, your private key "writes" your digital signature, and your public key allows people to verify whether data was signed by you or by someone else.

This process works as follows. Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. Tim uses his private key to sign the message and sends it to Jenny. Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no one can have altered it because they canno
320. Threshold: s for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter an even number between 256 and 2346. This field is not available when Super Mode is selected.
Output Power: Set the output power of the NWA in this field. If there is a high density of APs in an area, decrease the output power of the NWA to reduce interference with other APs. Select one of the following: 100%, 50%, 25%, 12.5% or Minimum. See the product specifications for more information on your NWA's output power. This field is not available when you select 802.11a in the 802.11 Mode field.
SSID Profile: The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Select an SSID Profile from the drop-down list box. Configure SSID profiles in the SSID screen (see Section 9.4 on page 143 for information on configuring SSID).
Note: If you are configuring the NWA from a computer connected to the wireless LAN and you change the NWA's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA's new settings.

Table 27 Wireless: Access Point
LABEL: DESCRIPTION
Rates: Thi
321. s recommended that you give each certificate a unique name.
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. *SELF represents the default self-signed certificate, which the NWA uses to sign imported trusted remote host certificates. CERT represents a certificate issued by a certification authority.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.

Table 66 Certificates > My Certificates (continued)
LABEL: DESCRIPTION
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and inc
323. s clients to authenticate the RADIUS server. These are "digital signatures" that identify network devices. Certificates ensure that the clients supply their login details to the correct device. Information matching the certificate is held on the wireless client's utility. A password and user name on the utility must match the Trusted Users list so that the RADIUS server can be authenticated.
Note: The NWA can function as an AP and as a RADIUS server at the same time.

17.4 Internal RADIUS Server Setting Screen
Use this screen to turn the NWA's internal RADIUS server off or on and to view information about the NWA's certificates. Click AUTH. SERVER > Setting. The following screen displays.

Figure 125 Setting Screen

The following table describes the labels in this screen.

Table 63 Internal RADIUS Server Setting Screen
LABEL: DESCRIPTION
Active: Select the Active check box to have the NWA use its internal RADIUS server to authenticate wireless clients or other APs.
This field displays the certificate index number. The certificates are listed in alphabetical order. Use the CERTIFICATES screens to manage certificates. The internal RADIUS server uses one of the certificates listed in this screen for authentication with each wireless client. The exact certificate used d
324. s misconfigured. If you cannot do something that you should be able to do, check the settings as described in Section 6.4.6.1 on page 96, and in the individual Security, layer-2 isolation and MAC filter profiles for the relevant network. If this does not help, see the Troubleshooting chapter in this User's Guide.

6.5 How to Configure Management Modes
This example shows you how to configure the NWA's controller AP and managed AP modes.

6.5.1 Scenario
In this example, you are the administrator of a company network wherein a group of users need a stable wireless connection. These users are employees who move around the company building a lot, yet need to connect to network resources at various times of the day.

Currently, you have 4 NWA standalone APs (A, B, C and D), one on each floor of the 4-storey company building. Though the current setup works, it takes a lot of your time to edit profiles in the APs because of their location. You want to convert one of your NWAs to a controller AP (A), which will allow you to manage all 4 NWA APs using the Web Configurator of this newly transformed NWA controller AP.

Additionally, you want a backup for this controller AP. You add another NWA (E) on the first floor of the building, which you will then set as a secondary controller AP.

Figure 62 Tutorial: Controller AP with Backup and Managed APs Example
325. s on the wireless bridge.
Poll Interval(s): Enter the time interval for refreshing statistics.
Set Interval: Click this button to apply the new poll interval you entered above.
Stop: Click this button to stop refreshing statistics.

23.5 Association List Screen
Use this screen to know which wireless clients are associated with the NWA. Click Maintenance > Association List. The following screen displays.

Figure 174 Maintenance > Association List

The following table describes the labels in this screen.

Table 86 Maintenance > Association List
LABEL: DESCRIPTION
Stations: This is the index number of an associated wireless station.
MAC Address: This field displays the MAC address of an associated wireless station.
Association Time: This field displays the time a wireless station first associated with the NWA.
SSID: This field displays the SSID to which the wireless station is as
326. s section controls the data rates permitted for clients.
Configuration: For each Rate, select an option from the Configuration list. The options are:
• Basic (1-11 Mbps only): Clients can always connect to the access point at this speed.
• Optional: Clients can connect to the access point at this speed, when permitted to do so by the AP.
• Disabled: Clients cannot connect to the access point at this speed.
Enable Antenna Diversity: Select this to use antenna diversity. Antenna diversity uses multiple antennas to reduce signal interference.
Enable Breathing LED: Select this check box to enable the blue breathing LED, also known as the NWA LED. Clear the check box to turn this LED off even when the NWA is on and data is being transmitted and received.
Enable Spanning Tree Control (STP): (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select this to activate STP on the NWA.
Enable Roaming: Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this to enable roaming on the NWA if you have two or more NWAs on the same subnet.
Note: All APs on the same subnet and the wireless stations must have the same SSID
327. s to see details of the security settings used by each SSID, and the number of wireless clients associated with each SSID.

5.4 AP List Screen
Use this screen to view and add managed APs. By default, the NWA is always included in this table. Although you cannot remove it, you can edit its settings. Click Controller > AP Lists. The following screen displays.

Figure 24 The Controller > AP Lists Screen

The following table describes the labels in this screen.

Table 10 The Controller > AP Lists Screen
LABEL: DESCRIPTION
Managed Access Points List: This section lists the access points currently controlled by the NWA. This always includes the NWA itself.
Index: This is the index number of the managed AP.
Select: Click this, then select Edit to configure the managed AP's settings. Click Delete to remove it from the NWA's managed AP list.
IP: This displays the IP address of the managed AP.
MAC Address: This displays the MAC addr
328. sed Auto Configuration

Use one of the following methods to give the AP the IP address of the TFTP server where you store the configuration files and the name of the configuration file that it should download.

You can have a different configuration file for each AP. You can also have multiple APs use the same configuration file.
Note: If adjacent APs use the same configuration file, you should leave out the channel setting since they could interfere with each other's wireless traffic.

Auto-Configuration by DHCP
A DHCP response can use options 66 and 67 to assign a TFTP server IP address and a filename. If the AP is configured as a DHCP client, these settings can be used to perform auto-configuration.

Table 113 Auto-Configuration by DHCP
COMMAND: DESCRIPTION
wcfg autocfg dhcp enable|disable: Turn configuration of TFTP server IP address and filename through DHCP on or off. If this feature is enabled and the DHCP response provides a TFTP server IP address and a filename, the AP will try to download the file from the specified TFTP server. The AP then uses the file to configure wireless LAN settings.
Note: Not all DHCP servers allow you to specify options 66 and 67.

Manual Configuration
Use the following command to manu
329. sid ssid ssid ssid ssid ssid ssid ssid ssid ssid EL PROWLAN 15 1 name s 1 securi 2 name s 2 securi 2 radius 3 name s 3 securi 4 name s 4 securi save line starting wit change to channel 8 lan chid 8 change operating mode gt AP mode then select ssid wep as running WLAN profile lan opmode 0 lan ssidprofile ssid wep change operating mode gt MBSSID mode then select ssid wpapsk ssid wpa2Zpsk as running WLAN profiles lan opmode 3 lan ssidprofile ssid wpapsk ssid wpa2psk set output power level to 50 sid wep ty Test wep sid 8021x ty Test 8021x radius rd sid wpapsk ty Test wpapsk sid wpa2psk ty Test wpa2psk h is comment wlan output power 2

Legal Information

Copyright
Copyright © 2009 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products
330. sociated.
Signal: This field displays the RSSI (Received Signal Strength Indicator) of the wireless connection.
WDS Link: This section displays only when bridge mode is activated on one of the NWA's WLAN adaptors. This field displays the index number of a bridge connection on the WDS.
Remote Bridge MAC: This field displays a remote bridge MAC address.
Link Time: This field displays the WDS link up-time.
Security: This field displays whether traffic on the WDS is encrypted (TKIP or AES) or not (None).
Signal: This field displays the RSSI (Received Signal Strength Indicator) of the wireless connection.
Refresh: Click Refresh to reload the screen.

23.6 Channel Usage Screen
Use this screen to see what channel the wireless clients are using to associate with the NWA, as well as the signal strength and network mode. Click Maintenance > Channel Usage. The following figure displays. Wait a moment while the NWA compiles the information.

Figure 175 Maintenance > Channel Usage
331. spaces and symbols.
2. The AP checks each wireless client's password and only allows it to join the network if the password matches.
3. The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key).
4. The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.

Figure 229 WPA(2)-PSK Authentication

Security Parameters Summary
Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 101 Wireless Security Relational Matrix
AUTHENTICATION METHOD/KEY MANAGEMENT PROTOCOL | ENCRYPTION METHOD | ENTER MANUAL KEY | IEEE 802.1X
Open | None | No | Disable; Enable without Dynamic WEP Key
Open | WEP | No | Enable with Dynamic WEP Key
Open | WEP | Yes | Enable without Dynamic WEP Key
Open | WEP | Yes | Disable
Shared | WEP | No | Enable with Dynamic WEP Key
Shared | WEP | Yes | Enable without Dynamic WEP Key
Shared | WEP | Yes | Disable
WPA | TKIP/AES | No | Enable
WPA-PSK | TKIP/AES | Yes | Disable
WPA2 | TKIP/AES | No | Enable
WPA2-PSK | TKIP/AES | Yes | Disable

Antenna Overview
An antenna couples RF signals onto air. A transmitter within a w
332. ss of the AP. All wireless devices have a MAC address that uniquely identifies them.
SSID: This field displays the Service Set IDentifier (also known as the network name) of the AP.
Channel: This field displays the wireless channel the AP is currently using.
Radio Mode: This is the 802.11 Mode of the AP.
Security: This field displays the type of wireless encryption the AP is currently using.
Last Seen: This field displays the last time the NWA scanned for the AP.
Description: This is the description you entered when adding the AP to the list.
Delete: Click this button to remove an AP's entry from the list.

15.3.3 Rogue AP Screen
Use this screen to display details of all wireless access points within the NWA's coverage area. Click Rogue AP > Rogue AP. The following screen displays.

Figure 117 Rogue AP > Rogue AP
334. stablished a Wireless Distribution System (WDS) connection, or the NWA is not receiving power.
3 WL2 (Green)
  On: The wireless adaptor WLAN2 is active.
  Blinking: The wireless adaptor WLAN2 is active, and transmitting or receiving data.
  Off: The wireless adaptor WLAN2 is not active.
4 ZyAIR (Blue)
  On: The NWA is receiving power. You can turn the ZyAIR LED off and on using the Web configurator. See Section 8.4 on page 123.
  Blinking: The NWA is receiving power and transmitting data to or receiving data from its wireless stations.
  Off: Either the NWA is not receiving power, or the ZyAIR LED has been disabled. See Section 8.4 on page 123 for how to enable the ZyAIR LED.
5 ETHERNET
  Green, On: The NWA has a 10 Mbps Ethernet connection.
  Green, Blinking: The NWA has a 10 Mbps Ethernet connection and is sending or receiving data.
  Yellow, On: The NWA has a 100 Mbps Ethernet connection.
  Yellow, Blinking: The NWA has a 100 Mbps Ethernet connection and is sending/receiving data.
  Off: The NWA does not have an Ethernet connection.

Introducing the Web Configurator
This chapter describes how to access the NWA's web configurator and provides an overview of its screens.

2.1 Accessing the Web Configurator
1. Make sure your hardware is properly connected and prepare your comput
336. WMM_BACKGROUND: such as bulk transfers and print jobs that are allowed but that should not affect other applications and users. Use background priority for applications that do not have strict latency and throughput requirements.

8.5.7 ATC
Automatic Traffic Classifier (ATC) is a bandwidth management tool that prioritizes data packets sent across the network. ATC assigns each packet a priority and then queues the packet accordingly. Packets assigned a high priority are processed more quickly than those with low priority if there is congestion, allowing time-sensitive applications to flow more smoothly. Time-sensitive applications include both those that require a low level of latency and a low level of jitter, such as Voice over IP or Internet gaming, and those for which jitter alone is a problem, such as Internet radio or streaming video.

ATC assigns priority based on packet size, since time-sensitive applications such as Internet telephony (Voice over IP or VoIP) tend to have smaller packet sizes than non-time-sensitive applications such as FTP (File Transfer Protocol). The following table shows some common applications, their time sensitivity, and their typical data packet sizes. Note that the figures given are merely examples; sizes may differ according to application and circumstances.

Table 33 Typical Packet Sizes
APPLICATION | TIME SENSITIVITY | TYPICAL PACKET SIZE (BYTES)
Voice over IP (SIP) | High | < 250
On
337. t The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example
You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. A is the RADIUS server. DS is the distribution system.
1. The AP passes the wireless client's authentication request to the RADIUS server.
2. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP, which then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 228 WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example
A WPA(2)-PSK application looks as follows.
1. First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters including
338. t's currently in use, choose one with low signal strength for minimum interference.
Network Mode: "Network mode" in this screen refers to your wireless LAN infrastructure (refer to the Wireless LAN chapter) and security setup.
Refresh: Click Refresh to reload the screen.

23.7 F/W Upload Screen
Use this screen to upload firmware to your NWA. Click MAINTENANCE > F/W Upload. The following screen displays.

Figure 176 Maintenance > F/W Upload

The following table describes the labels in this screen.

Table 88 Maintenance > F/W Upload
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process. This process may take up to two minu
339. Note: The NWA can be a standalone AP (default), or a CAPWAP controller AP, or a CAPWAP managed AP.

4.1.1 CAPWAP Discovery and Management
The link between CAPWAP-enabled access points proceeds as follows. An AP in managed AP mode joins a wired network (receives a dynamic IP address). The AP sends out a management request, looking for an AP in CAPWAP AP controller mode. If there is an AP controller on the network, it receives the management request.

4.1.2 CAPWAP and DHCP
CAPWAP managed APs must be DHCP clients, supplied with an IP address by a DHCP server on your network. Furthermore, the AP controller must have a static IP address; it cannot be a DHCP client.

4.1.3 CAPWAP and IP Subnets
By default, CAPWAP works only between devices with IP addresses in the same subnet (see the appendices for information on IP addresses and subnetting). However, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following:
• Activate DHCP option 43 on your network's DHCP server.
• Configure DHCP option 43 with the IP address of the CAPWAP AP controller on your network.

DHCP Option 43 allows the CAPWAP management request (from the AP in managed AP mode) to reach the AP controller in a different
340. t Guide for information on how to set up your NWA in Access Point mode. Now your network is expanding and you want to make use of the MBSSID feature (see Section 8.3.2 on page 122) to provide multiple wireless networks. Each wireless network will cater for a different type of user. You want to make three wireless networks: one standard office wireless network with all the same settings you already have, another wireless network with high Quality of Service (QoS) settings for Voice over IP users, and a guest network that allows visitors to your office to access only the Internet and the network printer. To do this, you will take the following steps.
1 Change the operating mode from Access Point to MBSSID and reactivate the standard network.
2 Configure a wireless network for Voice over IP users.
3 Configure a wireless network for guests to your office.
The following figure shows the multiple networks you want to set up. Your NWA is marked Z, the main network router is marked A, and your network printer is marked B.
Figure 32 Tutorial Example: MBSSID Setup
The standard network (SSID04) has access to all resources. The VoIP network (VoIP_SSID) has access to all resources and a high Quality of Service (QoS) setting (see Chapter 8 on page 119 for information on QoS). The guest network (Guest_SSID) has access to the Internet and the network prin
341. t SSID to something that is difficult to guess. This type of security is fairly weak, however, because there are ways for unauthorized wireless devices to get the SSID. In addition, unauthorized wireless devices can still see the information that is sent in the wireless network.
Channel: A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference.
Wireless Mode: The IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. Your NWA can support 802.11a, 802.11b Only, 802.11g Only, and 802.11b/g.
8.3.2 MBSSID
Traditionally, you needed to use different APs to configure different Basic Service Sets (BSSs). As well as the cost of buying extra APs, there was also the possibility of channel interference. The NWA's MBSSID (Multiple Basic Service Set IDentifier) function allows you to use one access point to provide several BSSs simultaneously. You can then assign varying levels of privilege to different SSIDs. Wireless stations can use different BSSIDs to associate with the same AP. The following are some notes on multiple BSS.
• A maximum of eight BSSs are allowed on one AP simultaneously.
• You must use diff
342. t Wizard
12 The next time you start Internet Explorer and go to a ZyXEL web configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.
Figure 249 Internet Explorer 7: Website Identification
Installing a Stand-Alone Certificate File in Internet Explorer
Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
1 Double-click the public key certificate file.
Figure 250 Internet Explorer 7: Public Key Certificate File
2 In the security warning dialog box, click Open.
Figure 251 Internet Explorer 7: Open File - Security Warning
3 Refer to steps 4-12 in the Internet Explorer procedure be
343. t allowed, but dashes "-" and underscores "_" are accepted.
Domain Name: This is not a required field. Leave this field blank or enter the domain name here if you know it.
Administrator Inactivity Timer: Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
System DNS Servers
Table 23 System > General
First DNS Server, Second DNS Server, Third DNS Server: Select From DHCP if your DHCP server dynamically assigns DNS server information (and the NWA's Ethernet IP address). The field to the right displays the (read-only) DNS server IP address that the DHCP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply. Select None if you do not want to confi
344. t datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
5 Redirect
  0 Redirect datagrams for the Network
  1 Redirect datagrams for the Host
  2 Redirect datagrams for the Type of Service and Network
  3 Redirect datagrams for the Type of Service and Host
8 Echo
  0 Echo message
11 Time Exceeded
  0 Time to live exceeded in transit
  1 Fragment reassembly time exceeded
12 Parameter Problem
  0 Pointer indicates the error
13 Timestamp
  0 Timestamp request message
14 Timestamp Reply
  0 Timestamp reply message
15 Information Request
  0 Information request message
16 Information Reply
  0 Information reply message
Table 77 Syslog
LOG MESSAGE: Mon dd hr:mm:ss hostname src <srcIP:srcPort> dst <dstIP:dstPort> msg <msg> note <note>
DESCRIPTION: This message is sent by the RAS when this syslog is generated. The messages and notes are defined in this appendix's other charts.
19.6.2 Log Commands
Go to the command interpreter interface (refer to Appendix F on page 379 for a discussion on how to access and use the commands).
19.6.3 Configuring What You Want the NWA to Log
Use the sys logs load command to load the log setting buffer that allows you to configure which logs the NWA is to record. Use sys logs category followed by a log c
345. t listed in the "Allow devices with these MAC addresses" table of the Wireless > Layer 2 Isolation screen are blocked from communicating with the NWA's wireless clients, except for broadcast packets. Layer 2 isolation does not check the traffic between wireless clients that are associated with the same AP. Intra-BSS Traffic allows wireless clients associated with the same AP to communicate with each other.
12.2 What You Can Do in the Layer 2 Isolation Screen
Use the Wireless > Layer 2 Isolation screen (see Section 12.4 on page 167) to configure the MAC addresses of the wireless client, AP, computer or router that you want to allow the associated wireless clients to have access to.
12.3 What You Need To Know
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of each device to configure MAC filtering on the NWA. If layer 2 isolation is enabled, you need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the ZyXEL Device's wireless clients.
12.4 The Layer 2 Isolation Screen
Use this screen to select and configure a layer 2 isolation profile. Click Wireless > Layer 2 Isolation. The screen appears as shown next. Figur
346. t re-sign the message with Tim's private key. Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.
Certification Authorities
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the NWA to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.
18.6.3 Checking the Fingerprint of a Certificate on Your Computer
A certificate's fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a ".cer" or ".crt" file name extension.
Figure 137 Certificates on Your Computer
3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 138 Certificate Details
347. 5 In the Root Certificate Store dialog box, click Yes.
Figure 256 Internet Explorer 7: Root Certificate Store
6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Firefox
The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.
1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2 Select Accept this certificate permanently and click OK.
Figure 257 Firefox 2: Website Certified by an Unknown Authority
348. tagged with a VLAN ID (incoming VLAN ID). These incoming VLAN packets are forwarded to the NWA. The NWA compares the VLAN ID in the packet header with each SSID's configured VLAN ID and second Rx VLAN ID settings. In this example, SSID01's second Rx VLAN ID is set to 2. All incoming packets tagged with VLAN ID 2 are forwarded to SSID02, and also to SSID01. However, SSID02 has no second Rx VLAN ID configured, and the NWA forwards only packets tagged with VLAN ID 2 to it.
20.5.4.1 Second Rx VLAN Setup Example
The following steps show you how to set up a second Rx VLAN ID on the NWA.
1 Log into the Web Configurator.
Click VLAN > Wireless VLAN.
If VLAN is not already enabled, click Enable Virtual LAN and set up the Management VLAN ID see
Note: If no devices are in the management VLAN, then no one will be able to access the NWA and you will have to restore the default configuration file.
Select the SSID profile you want to configure (SSID03 in this example), and enter the VLAN ID number (between 1 and 4094).
Enter a Second Rx VLAN ID. The following screen shows SSID03 tagged with a VLAN ID of 3 and a Second Rx VLAN ID of 4.
Figure 165 Configuring SSID: Second Rx VLAN ID Example
349. te While the primary controller AP is online, the secondary controller AP cannot configure any of the managed APs. However, it still has to be turned on to synchronize with the primary controller AP's latest settings.
1 To set your NWA in secondary controller AP mode, open the Controller > Redundancy screen (this screen only appears when the NWA is in Controller AP mode) in the Web Configurator of the NWA that you want to serve as backup.
Figure 64 Tutorial: Secondary Controller AP
2 Enable Redundancy. Then select Secondary AP Controller and click Apply.
6.5.4.2 Primary AP Controller
The primary controller AP manages the NWA APs in managed AP mode in your network. Changes made in the Web Configurator of the NWA primary AP controller are synchronized automatically with the secondary controller AP (if there is one) and the members of the managed AP list.
1 To set your NWA in primary controller AP mode, open the Controller > Redundancy screen (this screen only appears when the NWA is in Controller AP mode) in the Web Configurator of the NWA that you want to serve as the main controller.
Figure 65 Tutorial: Primary Controller AP
350. In the figure below, A and B use X as an AP to access the wired network, while X and Y communicate in bridge mode. When the NWA is in AP+Bridge mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP. If you do not enable WDS security, traffic between APs is not encrypted. When WDS security is enabled, both APs must use the same pre-shared key. See Section 8.4.3 on page 129 for more details. Unless specified, the term "security settings" refers to the traffic between the wireless stations and the NWA.
Figure 4 AP+Bridge Application
1.2.4 MBSSID
A BSS (Basic Service Set) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). An SSID (Service Set IDentifier) is the name of a BSS. In MBSSID (Multiple BSS) mode, the NWA provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile. You can configure up to sixteen SSID profiles, and have up to eight active at any one time. You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs.
351. ter for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Export: Click this button and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save.
Apply: Click Apply to save your changes. You can only change the name, except in the case of a self-signed certificate, which you can also set to be the default self-signed certificate that signs the imported trusted remote host certificates.
Cancel: Click Cancel to quit and return to the My Certificates screen.
18.5 Trusted CAs Screen
Use this screen to view the list of trusted certificates. The NWA accepts any valid certificate signed by a certification authority on this list as being trustworthy. You do not need to import any certificate that is signed by any certification authority on this list. Click Certificates > Trusted CAs to open the Trusted CAs screen. The following figure displays.
Figure 134 Certificates > Trusted CAs
352. ter only and a low QoS setting. To configure these settings, you need to know the MAC (Media Access Control) addresses of the devices you want to allow users of the guest network to access. The following table shows the addresses used in this example.
Table 15 Tutorial: Example Information
Network router (A) MAC address: 00:AA:00:AA:00:AA
Network printer (B) MAC address: AA:00:AA:00:AA:00
6.2.1 Change the Operating Mode
Log in to the NWA (see Section 2.1 on page 35). Click WIRELESS > Wireless. The Wireless screen appears. In this example, the NWA is using WLAN Interface 1 in Access Point operating mode, and is currently set to use the SSID04 profile.
Figure 33 Tutorial: Wireless LAN: Before
Select MBSSID from the Operating Mode drop-down list box. The screen displays as follows.
Figure 34 Tutorial: Wireless LAN: Change Mode
353. tes. Do not turn off the NWA while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the NWA again.
Figure 177 Firmware Upload In Process
The NWA automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 178 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
Figure 179 Firmware Upload Error
23.8 Configuration Screen
Use this screen to back up or upload your NWA's configuration file. You can also reset the configuration of your device in this screen. Click Maintenance > Configuration. The following figure displays.
Figure 180 Maintenance > Configuration
354. the NWA can communicate with another wireless client, AP, computer or router only if the MAC addresses of those devices are listed in this table.
Index: This is the index number of the MAC address.
MAC Address: Type the MAC addresses of the wireless client, AP, computer or router that you want to allow the associated wireless clients to have access to in these address fields. Type the MAC address in a valid MAC address format, six hexadecimal character pairs, for example 12:34:56:78:9a:bc.
Description: Type a name to identify this device.
Table 49 Wireless > Layer 2 Isolation > Edit
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
12.5 Technical Reference
This section provides technical background information on the topics discussed in this chapter. The figure that follows illustrates two example layer 2 isolation configurations on your NWA (A).
Figure 105 Layer 2 Isolation Example Configuration (figure labels: C 00:00:c5:00:00:66, B 00:00:c5:00:00:cc)
Example 1: Restricting Access to Server
In the following example, wireless clients 1 and 2 can communicate with file server C, but not access point B or wireless client 3.
355. the NWA is in AP controller mode, click CONTROLLER > Redundancy. The following screen displays.
Figure 28 The Controller > Configuration Screen
The following table describes the labels in this screen.
Table 12 The Controller > Redundancy Screen
Redundancy: Select Enable to set the NWA either as a Primary AP Controller or as a Secondary Controller AP. Select Disable when the NWA acts as a primary AP controller without a backup.
Primary AP Controller: Select this if the NWA has a secondary controller AP. You must give the IP address of this backup in the field below.
Secondary IP: Enter the IP address of the secondary controller AP.
Secondary AP Controller: Select this if the NWA is the secondary controller AP.
Apply: Click this to save the changes in this screen.
Reset: Click this to return the fields in this screen to their previously saved values.
5.7 The Profile Edit Screens
This section describes the Profile Edit screens, which are available only in AP controller mode. The following Profile Edit screens are identical to those in regular mode.
• The Profile Edit > SSID screen (see Section 9.2 on page 129)
356. the same subnet and configured with the same ESSID. If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station.
• The adjacent access points should use different radio channels when their coverage areas overlap. All access points must use the same port number to relay roaming information.
• The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment.
To enable roaming on your NWA, click WIRELESS > Wireless. The screen appears as shown.
Figure 84 Enabling Roaming
Select the Enable Roaming check box and click Apply.
Note: Roaming cannot be enabled in Bridge/Repeater mode.
8.5.4 Bridge/Repeater Example
This section shows an example of two NWAs in Bridge/Repeater mode forming a WDS (Wireless Distribution System) and allowing the computers in LAN 1 to connect to the computers in LAN 2. This is shown in the following figure.
Figure 85 Bridging Example
Be careful to avoid bridge loops when you enable bridging in the NWA. Bridge loops cause broadcast traffic to c
357. the second network.
6.1.2 Wireless LAN Configuration Overview
The following figure shows the steps you should take to configure the wireless settings according to the operating mode you select. Use the Web Configurator to set up your NWA's wireless network (see your Quick Start Guide for information on setting up your NWA and accessing the Web Configurator).
Figure 31 Configuring Wireless LAN (flowchart: select the WLAN interface you want to configure, select the operating mode, then follow the branch for Access Point, Bridge/Repeater, AP+Bridge or MBSSID mode)
358. the troubleshooting suggestions for "I cannot see or access the Login screen in the web configurator". Ignore the suggestions about your browser.
24.3 Internet Access
I cannot access the Internet.
Check the hardware connections, and make sure the NWA is connected to a broadband modem or router that provides Internet access. See the Quick Start Guide.
Make sure your Internet account is activated and you entered your ISP account information correctly in the broadband modem or router to which the NWA is connected. These fields are case-sensitive, so make sure [Caps Lock] is not on.
If you are trying to access the Internet wirelessly, make sure the wireless settings on the wireless client are the same as the settings on the AP.
Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
If the problem continues, contact your ISP.
I cannot access the Internet anymore. I had access to the Internet (with the NWA), but my Internet connection is not available anymore.
1 Check the hardware connections. See the Quick Start Guide.
2 Reboot the NWA.
If the problem continues, contact your ISP.
The Internet connection is slow or intermittent.
There might be a lot of traffic on the network. If the NWA is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer
359. this box to disable the WLAN LED light. Clear this box to enable the WLAN LED.
WLAN1 Radio Profile: Select the radio profile you want to use for this AP. Configure radio profiles in the Profile Edit > Radio screen. Select Disable if you do not want to use a radio profile. The AP's radio is not active when you select Disable.
WLAN2 Radio Profile: This field displays only if the managed AP has dual radios. Select the second radio profile you want to use for this AP. Configure radio profiles in the Profile Edit > Radio screen. Select Disable if you do not want to use a second radio profile. The AP's radio is not active when you select Disable.
Apply: Click this to save the changes in this screen.
Reset: Click this to return the fields in this screen to their previously saved values.
5.5 Configuration Screen
Use this screen to control the way in which the NWA accepts new APs to manage. You can also configure the pre-shared key (PSK) that is used to secure the data transmitted between the NWA and the APs it manages. When the NWA is in AP controller mode, click CONTROLLER > Configuration. The following screen displays.
Figure 27 The Controller > Configuration Screen
360. • In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address.
• In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields.
6 Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen.
7 If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided.
Figure 214 Ubuntu 8: Network Settings > DNS
8 Click the Close button to apply the changes.
Verifying Settings
Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices tab. The Interface Statistics column shows data if your connection is working properly.
Figure 215 Ubuntu 8
361. throughput either is lowered or the client connection is picked up by another AP. For example, here the AP has a balanced bandwidth allotment of 6 Mbps. If the red laptop (R) attempts to connect and it could potentially push the AP over its allotment, say to 7 Mbps, then the AP delays the red laptop's connection until it can afford the bandwidth for it or the red laptop is picked up by a different AP that has bandwidth to spare.
Figure 168 Delaying a Connection
The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotment.
Figure 169 Kicking a Connection
Connections are kicked based on either idle timeout or signal strength. The NWA first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle time. If no connections are idle, the next criterion the NWA analyzes is signal strength. Devices with the weakest signal strength are kicked first.
22.1 Dynamic Channel Selection Overview
This chapter discusses how to configure dynamic channel selection on the NWA. Dynamic channel selection is a feature that allows your NWA to automatically select the radio channel upon which it broadcasts by scanning the a
362. tically disconnect the wireless clients of the managed APs.
5.1.3 Before You Begin
Note: The Controller AP options are only available when the NWA is set to function in this mode. Therefore, ensure that you have switched modes first, as described in Section 4.2 on page 49, before continuing.
5.2 Controller AP Navigation Menu
When you choose Controller AP mode in the MGNT MODE screen and click Apply, you are automatically logged off from the Web Configurator. The NWA reboots and shows the following message.
Figure 21 System Restart (message: The device is rebooting. Please wait at least 35 seconds before attempting to access the device again.)
Note: The NWA reboots every time you change mode in the MGNT MODE screen. You can switch from Standalone AP to Controller AP and vice versa using the Web Configurator.
After logging in again, the navigation menu changes to include links for the Controller and Profile Edit screens. The items marked below are screens that can be configured for all APs managed by the NWA.
Figure 22 Controller AP Navigation Links
In the figure above, changes made in the highlighted screens of the Controller AP (A) are automatically applied to all the Managed A
363. 7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens.
Figure 197 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties
8 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click Advanced.
9 Click OK to close the Internet Protocol (TCP/IP) Properties window. Click OK to close the Local Area Connection Properties window.
Ve
364. to allow roaming.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
8.4.2 Bridge/Repeater Mode
The NWA can act as a wireless network bridge and establish wireless links with other APs. You need to know the MAC address of the peer device, which also must be in bridge mode. The NWA can establish up to five wireless links with other APs.
To have the NWA act as a wireless bridge only, click WIRELESS > Wireless and select Bridge/Repeater as the Operating Mode.
Figure 80 Wireless: Bridge/Repeater (screen fields include Index, Active, Channel, Configuration and Remote Bridge MAC)
The following table describes the bridge labels in this screen.
Table 28 Wireless: Bridge/Repeater
LABEL: DESCRIPTIONS
Operating Mode: Select Bridge/Repeater in this field.
Enable WDS Security: Select this to turn on security for the NWA's Wireless Distribution System (WDS). A Wireless Distribution System is a wireless connection between two or more APs. If you do not select the check box, traffic between APs is not encrypted. Note: WDS security is independent of the security settings between the NWA and any wireless clients
365. tr reer nt re recen Cerne tr eter 60 o6 Redundancy SOPEGN sic scaciecisssesinveccsdeatiucdtesasisviwed ian E SEE EA E A 61 5 7 The Prolil Edit SNS esinaine aan aai iaa E Ea aN a Ea a 62 Dek cl me Rado PONG OTG ennaa a 62 50 The Radio Prolo EJI SUGOD assssseasvessisenscteassesivanedas A 64 Chapter 6 HaC reli AN EE T T A A E E A E E 67 6 1 How to Configure the Wireless LAN Lesarsenunitnnn t nanninannan 67 6 1 1 Choosing the Wireless MOOG sccicccacciscsecassisaesisesssaniencessdierectiacennecssaetenceesdaemnceaveennees 67 6 1 1 1 Configuring Dual WLAN Adaptors sseesssesseeeeeessseerresererressrrrrnssrens 68 6 1 2 Wireless LAN Configuration OY rvieW ssssirisssiirnsriirsrsna ninnan naa 68 ARa e aae T E IA I E A A E A P E E E 70 6 2 How to Configure Multiple Wireless Networks sssssseissseseiresessrrrsserrrssrirrrnssterrnssenrnssrennnne 70 6 241 Change tie Operating Mode scccccsisesncassstaseccassissssrecaaesessecasaventneed arvusineesarvausbecnaveenees 72 6 2 2 Congue the Vol NOIWOIK 5 siscscesrssadazassisnnsazatiansnncsaevnasacesanernosasderannanaseenannansiaeundoandee 73 6 2 2 1 Set Up Security for the VolP Profile srsessssssrsssrrsesrsnsniirsssrneissensasa 75 12 NWA 3500 NWA 3550 User s Guide Table of Contents 6 2 2 2 Activate tie VolP Pre scccecisssnxaserswnistexwseaxcsasevnemssasrianmnaseiawnress 77 6 2 3 Configure the Guest TUNE ta dices sa seccnesssnanduties seaariqucenadaciudas seatedunduaaticntuscatidon n n E 77 6 2 3
366. ts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically for private networks e 10 0 0 0 10 255 255 255 e 172 16 0 0 172 31 255 255 e 192 168 0 0 192 168 255 255 You can obtain your IP address from the IANA from an ISP or it can be assigned from a private network If you belong to a small organization and your Internet access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space NWA 3500 NWA 3550 User s Guide Text File Based Auto Configuration This chapter describes how administrators can use text configuration files to configure the wireless LAN settings for multiple APs Text File Based Auto Configuration Overview You can use plain text configuration files to configure the wireless LAN settings on multiple APs The AP can automatically get a configuration file from a TFTP server at startup or after renewing DHCP client information Figure 289 Text File Ba
367. twork all using the same security and Quality of Service QoS settings See Section 1 2 1 on page 24 for details Use Bridge Repeater operating mode if you want to use the NWA to communicate with other access points See Section 1 2 2 on page 24 for details The NWA is a bridge when other APs access your wired Ethernet network through the NWA The NWA is a repeater when it has no Ethernet connection and allows other APs to communicate with one another through the NWA e Use AP Bridge operating mode if you want to use the NWA as an access point see above while also communicating with other access points See Section 1 2 3 on page 25 for details e Use MBSSID operating mode if you want to use the NWA as an access point with some groups of users having different security or QoS settings from other groups of users See Section 1 2 4 on page 26 for details NWA 3500 NWA 3550 User s Guide Chapter 6 Tutorial 6 1 1 1 Configuring Dual WLAN Adaptors The NWA is equipped with dual wireless adaptors This means you can configure two different wireless networks to operate simultaneously See Section 1 2 6 on page 28 for details You can configure each wireless adaptor separately in the WIRELESS gt Wireless screen To configure the first wireless network select WLAN1 in the WLAN Interface field and follow the steps in Section 6 1 2 on page 68 Then select WLAN2 in the WLAN Interface field and follow the same procedure to configure
368. twork's security is compromised by a rogue AP (R) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company's legitimate wireless network (the dashed ellipse B) is well secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C).
15.2 What You Can Do in the Rogue AP Screen
- Use the Rogue AP > Configuration screen (see Section 15.3.1 on page 182) to enable your NWA's Rogue AP detection settings. You can choose to scan for rogue APs manually or to have the NWA scan automatically at pre-defined intervals.
- Use the Rogue AP > Friendly AP screen (see Section 15.3.2 on page 183) to specify APs as trusted.
- Use the Rogue AP > Rogue AP screen (see Section 15.3.3 on page 184) to display details of all IEEE 802.11a/b/g wireless access points within the NWA's coverage area, except for the NWA itself and the access points included in the friendly AP list.
15.3 What You Need To Know
You can configure the NWA to detect rogue IEEE 802.11a (5 GHz) and IEEE 802.11b/g (2.4 GHz) APs. You can also set the NWA to e-mail you immediately when a rogue AP is detected (see Chapter 19 on page 229 f
369. ular installation. If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and the receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.
FCC Radiation Exposure Statement
- This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
- For operation within the 5.15-5.25 GHz frequency range, it is restricted to indoor environment.
- IEEE 802.11b or 802.11g operation of this product in the U.S.A. is firmware-limited to channels 1 through 11.
- To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.
370. ur ISP network administrator if you are unsure of this information Time Zone Choose the time zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Daylight Savings Select this option if you use daylight savings time Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening Start Date Configure the day and time when Daylight Saving Time starts if you selected Daylight Savings The o clock field uses the 24 hour format Here are a couple of examples Daylight Saving Time starts in most parts of the United States on the second Sunday of March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in the United States you would select Second Sunday March and type 2 in the o clock field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Mar Last Sun The time you type in the o clock field depends on your time zone In Germany for instance you would type 02 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Day
371. urned from Microsoft's IAS RADIUS service to place the wireless station into the correct VLAN.
Table 81 Standard RADIUS Attributes
ATTRIBUTE NAME            TYPE   VALUE
Tunnel-Type               064    13 (decimal): VLAN
Tunnel-Medium-Type        065    6 (decimal): 802
Tunnel-Private-Group-ID   081    <vlan-name> (string): either the Name you enter in the NWA's VLAN > RADIUS VLAN screen or the number. See Figure 161 on page 251.
The following occurs under Dynamic VLAN Assignment:
1 When you configure your wireless credentials, the NWA sends the information to the IAS server using RADIUS protocol.
2 Authentication by the RADIUS server is successful.
3 The RADIUS server sends three attributes related to this feature.
4 The NWA compares these attributes with the VLAN screen mapping table.
4a If the Name (for example, VLAN 20) is found, the mapped VLAN ID is used.
4b If the Name is not found in the mapping table, the string in the Tunnel-Private-Group-ID attribute is considered as a number ID format, for example 2493. The range of the number ID (Name string) is between 1 and 4094.
4c If a or b are not matched, the NWA uses the VLAN ID configured in the WIRELESS VLAN screen and the wireless station. This VLAN ID is independent and hence different to the ID in the VLAN screen.
20.5.3.1 Configuring VLAN Groups
To configure a VLAN group you must first define the VLAN Groups on the Active Directory server and assign the user
372. user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN Enable roaming to exchange the latest bridge information of all wireless stations between APs when a wireless station moves between coverage areas Wireless stations can still associate with other APs even if you disable roaming Enabling roaming ensures correct traffic forwarding bridge tables are updated and maximum AP efficiency The AP deletes records of wireless stations that associate with other APs Non ZyXEL APs may not be able to perform this 802 1x authentication information is not exchanged at the time of writing Figure 83 Roaming Example a ay Ethernet The steps below describe the roaming process Wireless station Y moves from the coverage area of access point AP 1 to that of access point AP 2 Wireless station Y scans and detects the signal of access point AP 2 Wireless station Y sends an association request to access point AP 2 Access point AP 2 acknowledges the presence of wireless station Y and relays this information to access point AP 1 through the wired LAN NWA 3500 NWA 3550 User s Guide Chapter 8 Wireless Configuration 5 Access point AP 1 updates the new position of wireless station Y 8 5 3 1 Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas e All the access points must be on
373. user name and password again before access to the wired network is allowed The default time interval is 3600 seconds or 1 hour Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh NWA 3500 NWA 3550 User s Guide Chapter 10 Wireless Security Screen 10 4 3 Security 802 1x Static 64 bit 802 1x Static 128 bit Use this screen to set the selected profile to 802 1x Static 64 or 802 1x Static 128 security mode Select 802 1x Static 64 or 802 1x Static 128 in the Security Mode field to display the following screen Figure 96 Wireless gt Security 802 1x Static 64 bit 802 1x Static 128 bit Wireless SSID Profile Name Security Mode Enter 13 ASCII characters or 26 hexadecimal characters 0 9 A F for each Key 1 4 Key1 C Key2 C Key3 C Key4 ReAuthentication Timer 1500 in seconds 0 mean no ReAuthentication Idle Timeout Security RADIUS Layer 2 Isolation MAC Filter security04 8021x Staticl26 v ASCII C Hex oe ee n a 3600 in seconds Apply Reset The following table describes the labels in this screen Table 43 Wireless gt Security 802 1x Static 64 bit 802 1x Static 128 bit LABEL DESCRIPTION Profile Name Type a name to identify this security profile Security Mode Choose 802 1x Static 64 or 802 1x Static 128 in this field ASCII Select this option to enter
374. usly set to sign the imported trusted remote host certificates Certificate Path Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the certificate itself If the certificate is a self signed certificate the certificate itself is the only one in the list The NWA does not trust the certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked Refresh Click Refresh to display the certification path Certificate These read only fields display detailed information about the Information certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority or generated by the N
375. utton to display the current validity status of the certificates 18 5 1 Trusted CAs Import Screen Use this screen to save a trusted certification authority s certificate to the NWA Click Certificates gt Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CAs Import screen The following figure displays Note You must remove any spaces from the certificate s filename before you can import the certificate Figure 135 Certificates gt Trusted CAs Import Please specify the location of the certificate file to be imported The certificate file must be in one of the following formats e Binary X 509 e PEM Base 64 encoded X 509 e Binary PKCS e PEM Base64 encoded PKCS File Path Browse Apply Cancel NWA 3500 NWA 3550 User s Guide Chapter 18 Certificates The following table describes the labels in this screen Table 71 Certificates gt Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certificate on the NWA Cancel Click Cancel to quit and return to the Trusted CAs screen 18 5 2 Trusted CAs Details Screen Use this screen to view in depth information about the certification authority s certificate change the certificate s name
376. ve current consumption of the access point DTIM Delivery Traffic Indication Message DTIM is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode A high DTIM value can cause clients to lose connectivity with the network This value can be set from 1 to 100 Output Power Set the output power of the NWA in this field If there is a high density of APs in an area decrease the output power of the NWA to reduce interference with other APs Select one of the following 100 Full Power 50 25 12 5 or Minimum See the product specifications for more information on your NWA s output power NWA 3500 NWA 3550 User s Guide Chapter 5 Controller AP Mode Table 14 The Profile Edit gt Radio gt Edit Screen LABEL DESCRIPTION Rates Configuration This section controls the data rates permitted for clients of an AP using this radio profile For each Rate select an option from the Configuration list The options are Basic 1 11 Mbps only Clients can always connect to the access point at this speed Optional Clients can connect to the access point at this speed when permitted to do so by the AP Disabled Clients cannot connect to the access point at this speed Select SSID Profile Use this section to choose the SSID profile or profiles you want access points using this radio profile to use Each AP can use
377. work when:
- You have disabled that service in one of the remote management screens.
- The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the NWA will disconnect the session immediately.
- You may only have one remote management session running at one time. The NWA automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows:
1 Telnet
2 HTTP
System Timeout
There is a default system management idle timeout of five minutes (three hundred seconds). The NWA automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the SYSTEM screen.
16.4 The Telnet Screen
Use this screen to configure your NWA for remote Telnet access. You can use Telnet to access the NWA's Command Line Interface (CLI). Click REMOTE MGNT > TELNET. The following screen displays.
Figure 120 Remote MGNT > Telnet. Tabs: TELNET, FTP, WWW, SNMP. TELNET Server Port: 23. Server Access: WLAN & LAN. Secured Client IP Address: Selected 0.0.0.0. Server Certificate: auto_generated_self_signed_cert. See My Certif
378. wpapsk 3 qos 4 3 12siolation disable 3 macfilter disable save Figure 294 WPA Configuration File Example ZYX EL PROWLAN VERSION 14 wefg wefg wefg wefg wefg wefg wefg wefg wefg wefg wefg wefg wefg wefg wefg wefg security 4 name Test wpa security 4 mode wpa security 4 reauthtime 1800 security 4 idletime 3600 security 4 groupkeytime 1800 security save radius 4 name radius rdl radius 4 primary 172 0 20 38 1812 20 enable radius 4 backup 172 0 20 39 1812 20 enable radius save ssid ssid ssid ssid ssid ssid 4 name ssid wpa 4 security Test wpa 4 gos 4 4 12isolation disable 4 macfilter disable Save Wlan Command Configuration File Example This example configuration file uses the wlan command to configure the AP to use the security and SSID profiles from the wcfg command configuration file examples and general wireless settings You could actually combine all of this chapter s example configuration files into a single configuration file Remember that the commands are applied in order So for example you would place the NWA 3500 NWA 3550 User s Guide Appendix F Text File Based Auto Configuration commands that create security and SSID profiles before the commands that tell the AP to use those profiles Figure 295 Wlan Configuration File Example ZYX VERSION wefg wefg wefg wefg wefg wefg wefg wefg wefg wefg Ss zz E 2 es s
379. x Active __ Profile___ i VoIP_SSID m 551003 z SSIDOS E ss1003 E SSIDO3 gt Your guest wireless network is now ready to use 6 2 4 Testing the Wireless Networks To make sure that the three networks are correctly configured do the following e On a computer with a wireless client scan for access points You should see the Guest_SSID network but not the VoIP_SSID network If you can see the VoIP_SSID network go to its SSID Edit screen and make sure Hide Name SSID is set to Enable Whether or not you see the standard network s SSID SSIDO4 depends on whether hide SSID is enabled e Try to access each network using the correct security settings and then using incorrect security settings such as the WPA PSK for another active network If the behavior is different from expected for example if you can access the VoIP wireless network using the security settings for the Guest_SSID wireless network check that the SSID profile is set to use the correct security profile and that the settings of the security profile are correct e Access the Guest_SSID network and try to access other resources than those specified in the Layer 2 Isolation I2isolationO1 profile screen You can use the ping utility to do this Click Start gt Run and enter cmd in the Open field Click OK At the c gt prompt enter ping 192 168 1 10 substitute the IP address of a real
380. xists on your network and the cost of resending large frames is more than the extra network overhead involved in the RTS Request To Send CTS Clear to Send handshake If the RTS CTS value is greater than the Fragmentation Threshold value see next then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS CTS size Note Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy 322 NWA 3500 NWA 3550 User s Guide Appendix B Wireless LANs Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size between 256 and 2432 bytes that can be sent in the wireless network before the AP will fragment the packet into smaller data frames A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference If the Fragmentation Threshold value is smaller than the RTS CTS value see previously you set then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS CTS size Preamble Type Preamble is used to signal that data is coming to the receiver Short and Long refer to the length of the synchronization field in a packet Short preamble increases
381. y enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen. If you configured the My Certificate Create screen to have the NWA enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the NWA to enroll a certificate online.
My Certificates Details Screen
Use this screen to view in-depth certificate information and change the certificate's name. In the case of a self-signed certificate, you can set it to be the one that the NWA uses to sign the trusted remote host certificates that you import to the NWA.
Click Certificates > My Certificates to open the My Certificates screen (Figure 130 on page 209). Click the details button to open the My Certificate Details screen.
Figure 133 Certificates > My Certificate Details (screen sections: Certificate Path, Certificate Information, Certificate in PEM (Base-64) Encoded Format)
382. your backup Note If your NWA is in controller AP mode it serves as an access point for other APs in managed mode as well as for wireless clients in the network That is it still functions like a regular access point on top of being a controller AP If you enable a SSID profile for it the controller AP can still appear in the list of available wireless networks for wireless clients However in case you have both primary and secondary controller APs in the network the secondary controller AP s WLAN radio is turned off as long as the primary controller AP is turned on 1 Access the Web Configurator of the NWA Go to MGNT MODE to open the following screen Figure 63 Tutorial MGNT Mode AP Controller MGNT Mode AP Controller Standalone AP Managed AP Auto AP Controller IP DCHP Server Option 43 setting required C Manual AP Controller IP Primary AP Controller IP fo 0 0 0 Secondary AP Controller booo IP Apply Reset 2 Select AP Controller and click Apply 3 The device reboots You need to log in again to the Web Configurator 6 5 4 1 Secondary AP Controller The secondary AP controller is simply a backup of the primary AP controller It takes over the management of APs covered by the primary controller AP as soon as the secondary controller AP fails to detect the primary AP controller s presence This happens when the primary controller AP is disconnected from the network rebooting or turned off No
