Netgear WNDAP620 Reference Manual
Contents
1. Setting Description Time Zone Select the time zone to match your location Current Time This is a nonconfigurable field that displays the current date and time Installation and Basic Configuration 24 3 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 3 Time system settings continued Setting Description NTP Client Enable the Network Time Protocol NTP client to synchronize the time of the wireless access point with an NTP server By default the Enable radio button is selected Use Custom NTP Server Select this check box if you want to use a custom NTP server Note You need to have an Internet connection to use an NTP server that is not on your local network Hostname IP Address Enter the host name or IP address of the custom NTP server The default is time b netgear com Note If you use a host name make sure that you have configured a DNS server For more information see the next section Click Apply to save your settings Configure the IPv4 Settings Note For information about how to configure the IPv6 settings see Configure the IPv6 Settings on page 99 A WARNING If you enable the DHCP client the IP address of the wireless access point changes when you click Apply causing you to lose your connection to the wireless access point You then need to use the new IP address to reconnect to the wireless access point2. 0055 19 Requirements for Entering IP Addresses 0000 e uae 19 Install and Configure the Wireless Access Point 000 20 Connect the Wireless Access Point to a Computer 20 Log In to the Wireless Access Point 0 0000 cece enue 22 Configure Basic General System Settings and Time Settings 23 Configure the IPW4 Settings 2 ses seesessaauce edi aveda diacees 25 Configure the Optional DHCPv4 Server 0 0c eee ae eee 27 Configure the Basic Wireless Settings 200000000 28 Test Basic Wireless Connectivity 000 0c cee eee eee 34 Mount the Wireless Access Point 0 0 0 0 ccc eee nee e eens 35 Gelling Installation ciccc cae ide mens ic gee trett adidas see nnce cas 35 Wal PSAAION occ cee kecd eee eect bed eee eRe a aay 38 Deck Moratti ea aaa ch Rha wick ds nee cag esd decd mani a eae a A Baca ne dale 41 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Chapter 3 Wireless Configuration and Security Wireless Data Security Options 0 0000 cece eee eee 42 Cocu PMG icck sna pehener dade as Paw ReRd Bae Raw rE 44 Before You Change the SSID WEP and WPA Settings 46 Configure and Enable Security Profiles 00055 48 Configure RADIUS Server Settings 000 ccc eee eee 57 Restrict Wireless Access by MAC Address 0000 0 eeu 60 Schedule the Wireless Radio to Be Turned
3. Setting Description Client MAC Address The MAC address of the client that is connected to the ad hoc network BSSID The BSSID of the ad hoc network Note A wireless access point that is connected to a wired network and a set of wireless stations is called a basic service set BSS The basic service set identifier BSSID differentiates one WLAN from another Wired Connectivity If the ad hoc network has wired connectivity the field displays YES If the ad hoc network does not have wired connectivity the field displays NO Management and Monitoring 98 Advanced Contiguration This chapter describes how to configure the advanced features of the wireless access point The chapter includes the following sections Configure IPv6 Settings and Optional DHCPV6 Server Settings Configure Spanning Tree Protocol 802 1Q VLAN and Link Layer Discovery Protocol Configure Hotspot Settings Configure Advanced Wireless Settings Configure Advanced Quality of Service Settings Configure Quality of Service Policies Configure Wireless Bridging Configure IPv6 Settings and Optional DHCPv6 Server Settings The wireless access point supports IPv6 You can manage the wireless access point from an IPv6 address The wireless access point can function as an IPv6 DHCP client The DHCPV6 server of the wireless access point can allocate IPv6 addresses to its wireless clients either through stateless or stateful allo
4. authentication failure attack Authentication failure attack status authentication flood Authentication flood attack status cts flood CTS flood attack status rts flood RTS flood attack status deauthentication broadcast attack Deauthentication broadcast attack status device probing for AP Device probing for AP attack status disassociation flood Disassociation flood attack status known client association Adhoc nw Known client association ADHOC network attack status mac spoofing MAC spoofing attack status malformed 802 11 packet detection Malformed IEEE802 11 packet detection attack status premature EAP failure attack Premature EAP failure attack status premature EAP success attack Premature EAP success attack status ps poll flood attack PS POLL flood attack status rf jamming attack RF jamming attack status rogue ap detection Rogue AP detection attack status unauthenticated association Unauthenticated association attack status virtual carrier attack Virtual carrier attack status wireless bridge gt Wireless bridge setting security profile gt Create security profile 1 gt 1st security profile authentication Authentication type encryption Data encryption name Profile name presharedkey Preshared key remote mac Remote MAC status Profile status wep pass phrase Wireless wep passphrase key wepkey Wireless wep key wepk
5. DHCP server IPv4 DHCPVv4 server Disabled DHCPv4 server VLAN ID 1 DHCPv4 server IP range start address 192 168 0 2 DHCPv4 server IP range start address 192 168 0 50 DHCPv4 server subnet mask 255 255 255 0 DHCPVv4 server gateway IPv4 address 192 168 0 1 DHCPv4 server IP address lease for clients 1 day IPv6 DHCPV6 server Disabled DHCPV6 server state Stateful DHCPV6 server VLAN ID 1 DHCPV6 server IP range start address 2001 05c0 9168 10 DHCPV6 server IP range start address 2001 05c0 9168 50 DHCPV6 server prefix length 64 DHCPV6 server gateway IPv4 address 2001 05c0 9168 1 DHCPV6 server IP address lease for clients 1 day Radio and wireless settings Operating mode Access point infrastructure mode Wireless access point name netgearxxxxxx where xxxxxx are the last 6 digits of the wireless access point MAC address Country and region Varies by region Wireless communication 2 4 GHz radio enabled 5 GHz radio disabled Supplemental Information 143 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 40 Default configuration settings continued Feature Description Wireless mode ding Wireless network name SSID NETGEAR_11ng Broadcast network name SSID Enabled 802 11ng radio frequency channel Auto MCS index data rate transmission speed Best Note Maximum wireless signal rate derived from IEEE Standard 802 11 specificati
6. NETGEAR ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Reference Manual ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Support Thank you for choosing NETGEAR After installing your device locate the serial number on the label of your product and use it to register your product at httos my netgear com You must register your product before you can use NETGEAR telephone support NETGEAR recommends registering your product through the NETGEAR website For product updates and web support visit http support netgear com Phone US amp Canada only 1 888 NETGEAR Phone Other Countries Check the list of phone numbers at http support netgear com general contact default aspx NETGEAR recommends that you use only the official NETGEAR support resources Trademarks NETGEAR the NETGEAR logo and Connect with Innovation are trademarks and or registered trademarks of NETGEAR Inc and or its subsidiaries in the United States and or other countries Information is subject to change without notice Other brand and product names are registered trademarks or trademarks of their respective holders NETGEAR Inc All rights reserved Revision History Publication Version Publish Date Comments Part Number 202 10983 02 2 0 October 2012 Minor nontechnical revisions 202 10983 02 1 0 September 2012 Added and refined information no new features added e Added Appendix B Command
7. Note It should not be necessary to change the wireless channel unless you experience interference indicated by lost connections or slow data transfers If this happens you might want to experiment with different channels to see which is the best For more information see the guidelines following this table Note For more information about available channels and frequencies see Technical Specifications on page 139 11na mode only MCS Index Data From the drop down list select a Modulation and Coding Rate Scheme MCS index and transmit data rate for the wireless Note For most network The default setting is Best For a list of all options networks the default that you can select from in 11na mode see Factory Default settings work fine Settings on page 142 Channel Width From the drop down list select a channel width The options are Dynamic 20 40 MHz 20 MHz and 40 MHz The default is Dynamic 20 40 MHz A wider channel improves the performance but some legacy devices can operate only in either 20 MHz or 40 MHz Guard Interval From the drop down list select the guard interval to protect transmissions from interference The default is Auto or you can select Long 800 ns Some legacy devices can operate only with a long guard interval Installation and Basic Configuration 33 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 7 Basic 5 GHz band wireless settings continue
8. ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration System IP Basic Advanced Wireless Settings QoS Settings QoS Policies Monitoring Maintenance Support Security Wireless Bridge Wireless Settings Wireless Settings 802 11b ba ng 862 11ia na RTS Threshold 0 2347 Fragmentation Length 256 2346 Beacon Interval 100 1000 Aggregation Length 1024 65535 AMPDU RIFS Transmission DTIM Interval 1 255 Preamble Type Antenna 802 11d Client Isolation Max Wireless Clients IDS IPS 2347 2346 100 65535 Enable O Enable 3 auto internal B Disable 128 O Disable Disable O tong External CANCEL Figure 64 2 Optional To configure advanced wireless settings for the 802 11a na modes click the 802 11a na tab 3 Specify the settings as explained in the following table Table 31 Advanced wireless settings Setting Description RTS Threshold 0 2347 Enter the Request to Send RTS threshold The default setting is 2347 If the packet size is equal to or less than the RTS threshold the wireless access point uses the Carrier Sense Multiple Access with Collision Detection CSMA CD mechanism and the data frame is transmitted immediately after the silence period If the packet size is larger than the RTS threshold the wireless access point uses the CSMA with Collision Avoidance CSMA CA mechanism In this si
9. TKIP AES TKIP AES supports both WPA and WPA2 Broadcast packets use TKIP For unicast point to point transmissions WPA clients use TKIP and WPA2 clients use AES For the WPA amp WPA2 mixed mode TKIP AES is the only supported data encryption method Passphrase Enter a passphrase The passphrase length needs to be between 8 and 63 characters inclusive The default passphrase is sharedsecret You can display the actual passphrase by selecting the Show Passphrase in Clear Text Yes radio button Show Passphrase Select the Yes radio button to display the actual passphrase in the Passphrase field The in Clear Text default setting is No Configure RADIUS Server Settings For authentication accounting or both authentication and accounting using RADIUS you need to configure primary servers and optional secondary servers These RADIUS server settings can apply to all devices that are connected to the wireless access point You can configure both IPv4 and IPv6 servers In the IPv4 Radius Server Settings section enter IPv4 addresses only in the IPv6 Radius Server Settings section enter IPv6 addresses only Wireless Configuration and Security 57 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 gt To configure the RADIUS server settings 1 Select Configuration gt Security gt Advanced gt Radius Server Settings The Radius Server Settings screen displays Configuration M
10. WEP key size and authentication Choose the key size by circling one 64 128 or 152 bits Choose the authentication type by circling one open system or shared key Passphrase Note If you select shared key the other devices in the network cannot connect unless they are set to shared key and have the same keys in the same positions as those in the wireless access point WPA PSK pre shared key and WPA2 PSK Record the WPA PSK passphrase WPA PSK passphrase Record the WPA2 PSK passphrase WPA2 PSK passphrase WPA RADIUS settings For WPA record the following settings for the primary and secondary RADIUS servers Server name IP address Primary Secondary Port Shared secret WPA2 RADIUS settings For WPA2 record the following settings for the primary and secondary RADIUS servers Server name IP address Primary Secondary Port Shared secret Wireless Configuration and Security 47 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configure and Enable Security Profiles To configure and enable a security profile you need to enable the associated radio e For 802 11b bg ng modes the 2 4 GHz radio needs to be enabled see Configure 802 11b bg ng Wireless Settings on page 28 e For 802 11a na modes the 5 GHz radio needs to be enabled see Configure 802 11a na Wireless Settings on page 31 gt To configure and enable a security profile 1 Select Conf
11. 131 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Basic Functioning Verify the Correct Sequence of Events at Startup No LEDs Are Lit on the Wireless Access Point The Active LED or the LAN LED Is Not Lit The WLAN LED Does Not Light Up Note For descriptions of the LEDs see Top Panel on page 11 Verify the Correct Sequence of Events at Startup After you turn on power to the wireless access point check that the following sequence of events occurs The Power Test LED is first steady amber then goes off and then blinks green before turning steady green after about 45 seconds The Active LED is lit or blinks green when there is Ethernet traffic The LAN LED indicates the LAN speed green for 1000 Mbps amber for 100 Mbps and no light for 10 Mbps The WLAN LED is lit or blinks green when the wireless LAN WLAN is ready If any of these conditions does not occur see to the appropriate following section No LEDs Are Lit on the Wireless Access Point It takes a few seconds for the Power LED to light up Wait a minute and check the Power LED status on the wireless access point If the wireless access point has no power If you use a PoE switch to provide power to the wireless access point check these items Make sure that the Ethernet cable between the wireless access point and the PoE switch is correctly connected at both ends Make sure that the power cord of the PoE switch is plugged into a wor
12. 3 Click Save to export the list of known access points to a file A window opens so you can browse to the location where you want to save the file The default file name is macList txt You can now import the saved list into the Known AP List on the Rogue AP screen see Enable and Configure Rogue AP Detection on page 85 Management and Monitoring 88 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configure Wireless Intrusion Detection and Prevention e Configure Wireless Intrusion Detection and Prevention Policy Settings e Configure Wireless Intrusion Detection and Prevention Mail Settings e Monitor Traps Counters and Ad Hoc Networks Configure Wireless Intrusion Detection and Prevention Policy Settings The wireless access point provides a wireless intrusion detection system WIDS and wireless intrusion prevention system WIPS to detect and mitigate wireless attacks These intrusion systems are referred to as IDS IPS If enabled the IDS recognizes multiple types of wireless attacks and the IPS automatically neutralizes many attacks Attacks are covered by preconfigured policy rules When an attack occurs the wireless access point can notify a network administrator though an email The following table lists all IDS IPS policies with their policy rules Most of these policies provide protection against denial of service DoS attacks You can enable or disable IDS IPS policies but both the policies and th
13. key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 4 gt 4th security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name key1 Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name Command Line Reference 148 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incomin
14. 5 52 Mbps 6 58 5 Mbps 7 65 Mbps 8 13 Mbps 9 26 Mbps 10 39 Mbps 11 52 Mbps 12 78 Mbps 13 104 Mbps 14 117 Mbps 15 130 Mbps 16 19 5 Mbps 17 39 Mbps 18 58 5 Mbps 19 78 Mbps 20 117 Mbps 21 156 Mbps 22 175 5 Mbps 23 195 Mbps and auto rate capable Data rates for a 40 MHz channel width and an automatic guard interval 0 15 Mbps 1 30 Mbps 2 45 Mbps 3 60 Mbps 4 90 Mbps 5 120 Mbps 6 135 Mbps 7 150 Mbps 8 30 Mbps 9 60 Mbps 10 90 Mbps 11 120 Mbps 12 180 Mbps 13 240 Mbps 14 270 Mbps 15 300 Mbps 16 45 Mbps 17 90 Mbps 18 135 Mbps 19 180 Mbps 20 270 Mbps 21 360 Mbps 22 405 Mbps 23 450 Mbps and auto rate capable 139 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 39 Technical specifications continued Feature Description 802 11ng MCS index and data rates continued Data rates for a 40 MHz channel width and a long guard interval 800 ms 0 13 5 Mbps 1 27 Mbps 2 40 5 Mbps 3 54 Mbps 4 81 Mbps 5 108 Mbps 6 121 5 Mbps 7 135 Mbps 8 27 Mbps 9 54 Mbps 10 81 Mbps 11 108 Mbps 12 162 Mbps 13 216 Mbps 14 243 Mbps 15 270 Mbps 16 40 5 Mbps 17 81 Mbps 18 121 5 Mbps 19 162 Mbps 20 243 Mbps 21 324 Mbps 22 364 5 Mbps 23 405 Mbps and auto rate capable 802 11b bg ng operating frequencies e 2 412 2 462 GHz US e 2 457 2 462 GH
15. 63 Management and Monitoring This chapter describes how to use the management and monitoring features of the wireless access point The chapter includes the following sections Enable Remote Management Upgrade the Wireless Access Point Software Manage the Configuration File or Reset to Factory Defaults Change the Administrator Password Manage User Accounts Enable the Syslog Server Monitor the Wireless Access Point Enable Rogue AP Detection and Monitor Access Points Configure Wireless Intrusion Detection and Prevention Enable Remote Management SNMP Management Secure Shell and Telnet Management Both Simple Network Management Protocol SNMP and the remote console Secure Shell SSH are enabled by default which allows for remote management of the wireless access point from a client running SNMP management software as well as from an SSH client The Telnet console is disabled by default SNMP Management gt To set up an SNMP management interface 1 Select Maintenance gt Remote Management gt SNMP The SNMP screen displays 64 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Password Reset i Upgrade SNMP SNMP Remote Console SNMP Settings SNMP Enable Disable Read Only Community Name public Read Write Community Name private Trap Community Name trap IP Address to Receive Traps Trap Port 162_ CANCEL
16. IDS wireless intrusion prevention system IPS and configurable wireless QoS policies You can manage the wireless access point from either an IPv4 or IPv6 address and the wireless access point can allocate either IPv4 or IPv6 DHCP addresses to its wireless clients What Is in the Box The product package contains the following items e ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 e Power adapter and cord 12 VCD 1 5A e Straight through Category 5 Ethernet cable e Installation guide e Resource CD which includes this manual e Wall mount kit made up of brackets and hardware Contact your reseller or customer support in your area if there are any missing or damaged parts See the NETGEAR website at http support netgear com general contact default aspx for the telephone number of customer support in your area Keep the installation guide along with the original packing materials If you need to return the wireless access point for repair use the packing materials to repack the wireless access point Introduction 7 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 System Requirements Before installing the wireless access point make sure that your system meets these requirements A 10 100 1000 Mbps local area network device such as a hub or switch The Category 5 UTP straight through Ethernet cable with RJ 45 connector included in the package or one like it A 100 120V 50 6
17. QoS policies 113 SNMP communities 65 users 75 wireless access point 24 wireless network SSID for 802 11a na modes 33 wireless network SSID for 802 11b bg ng modes 30 NetBIOS name 24 network ad hoc 97 authentication 45 configuration troubleshooting 136 integrity check 26 101 Network Time Protocol NTP client and server 25 O open system no security 51 53 operating frequencies 140 operating modes 9 order of installation and configuration 20 output power 2 4 GHz transmission 31 5 4 GHz transmission 34 P package contents 7 packets capturing 138 received and transmitted 84 passphrase WEP 54 WPA WPA2 and mixed mode 44 57 password changing or restoring 74 default 22 login 142 physical connections troubleshooting 136 physical specifications 141 pinging wireless access point 134 135 placement wireless equipment 17 PoE Power over Ethernet 10 21 point to multipoint bridge regular mode 122 repeating wireless signal 126 point to point bridge 118 port and connectors rear panel 13 ports QoS policy classification 116 169 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 RADIUS servers 58 SNMP manager traps 65 syslog server 77 power adapter specifications 141 power socket 13 Power Test LED behavior 21 described 12 troubleshooting 132 powersaving WMM 63 preamble type 109 prefix length default 142 DHCPV 6 clients 103 wireless access point 79 100 pre
18. points by selecting the check box in the column heading 7 Click Move to transfer the access points from the Unknown AP List to the Known AP List 8 Click Apply to save your settings gt To remove APs from the Known AP List and return them to the Unknown AP List 1 In the Known AP List select individual check boxes for access points or select all access points by selecting the check box in the column heading 2 Click Delete gt To importa file with a precompiled list of access points into the Known AP List 1 Take one of the following actions e Select the Replace radio button to let the imported list of access points replace the existing Known AP List Management and Monitoring 86 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 e Select the Merge radio button to add the imported list of access points to the existing Known AP List 2 Click Browse and locate the file that contains the list of access points This file needs to be a simple text file with one MAC address per line 3 Select the file and click Open 4 Click Apply to upload the list of access points to the Known AP List View and Save Access Point Lists The wireless access point detects nearby APs and wireless stations and maintains them ina list You can use this list to prevent them from connecting to the wireless access point gt To view the Unknown AP List and save it to a file 1 Select Monitoring gt Rogue AP gt
19. 7 channel width 802 11na 33 channel width and offset 802 11ng 30 channels and frequencies defaults 140 selecting for 802 11a na modes 33 selecting for 802 11b bg ng modes 30 channels wireless spacing 18 classifications QoS policies 114 117 Clear to Send CTS packets 108 CLI command line interface commands 146 clients associated number of 85 DHCPv4 enabling 26 DHCPv6 enabling 100 isolation enabling 109 maximum number 109 monitoring 80 NTP enabling 25 trusted 61 wireless separation enabling 45 52 collision detection and collision avoidance CSMA 108 command line interface CLI commands 146 community names and traps SNMP 65 compliance 161 electromagnetic 141 notification of 161 configuration file backing up or restoring 70 connectors and ports rear panel 13 console port 13 country wireless location 24 CSMA Carrier Sense Multiple Access 108 CTS Clear to Send packets 108 CTS flood 91 cwMin minimum contention window and cwMax maximum contention window values 111 D data encryption WEP 54 WPA and WPA2 57 data rates 802 11a mode 34 802 11b bg modes 31 specifications for all modes 139 140 date and time troubleshooting 137 deauthentication broadcast attack 90 defaults channels and frequencies 140 DHCPVv4 gateway 28 DHCPv6 gateway 103 factory settings list of 142 145 factory settings restoring 71 IPv4 address 22 142 IPv6 address 142 ISP gateway 26 101 login
20. Band Wireless N Access Point WNDAP620 If you want to enable wireless client association while the wireless access point functions as a point to point bridge select the Enable Wireless Client Association check box Click Edit to configure the security profile settings The Edit Security Profile screen displays Configuration Monitoring Maintenance System IP Wireless Security IDS IPS gt Bridging Edit Security Profile Profile Definition Profile Name NETGEAR WDS 1 Remote MAC Address Authentication Settings Network Authentication Open System v Data Encryption None v CANCEL APPLY Figure 69 Specify the settings as explained in the following table Table 36 Point to point bridge profile and authentication settings Setting Description Profile Definition Profile Name Enter a profile name that is easy to remember The default name is NETGEAR WDS 1 Remote MAC Address Enter the MAC address of the remote wireless access point the MAC address of AP2 on LAN Segment 1 in Figure 67 on page 119 Authentication Settings Network From the Network Authentication drop down list select Open System Authentication and WPA PSK or WPA2 PSK Your selection determines the options that the Data Data Encryption Encryption drop down list provides and whether the WPA Passphrase Network Key field displays Advanced Configuration 120 ProSafe Premium 3 x 3 Dual Band Wirele
21. Bridge Wireless Point to Multi Point Bridge Enable Wireless Client Association m Profile Name Security 1 NETGEAR WDS 1 Open System 2 NETGEAR WDS 2 Open System 3 NETGEAR WDS 3 Open System 4 NETGEAR WDS 4 Open System CANCEL APPLY Figure 71 Optional To display the Bridging screen for the 802 11a na modes click the 802 11a na tab Select the Enable Wireless Bridging check box The Local MAC Address field is a nonconfigurable field that shows the MAC address of the wireless access point Select the Wireless Point to Multi Point Bridge radio button The screen adjusts The profile table shows four security profiles Choose a security profile to edit by selecting the corresponding radio button to the left of the profile Click Edit to configure the selected security profile settings The Edit Security Profile screen displays for the selected security profile The following figure contains an example Configuration Monitoring Maintenance Support System IP Wireless Security IDS IPS gt Bridging Edit Security Profile Profile Definition Profile Name NETGEAR WDS 1 Remote MAC Address 1a b2 3e d4 33 36 Authentication Settings Network Authentication WPA2 PSK Data Encryption AES v WPA Passphrase Network Key ewne BACK CANCEL APPLY Figure 72 Advanced Configuration 123 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 g Specify the settings as explained in th
22. Data 1 Background Lowest priority queue high throughput Bulk data that requires maximum throughput and is not time sensitive is sent to this queue FTP data for example e Data 2 Video Highest priority queue minimum delay Time sensitive video data is automatically sent to this queue e Data 3 Voice Highest priority queue minimum delay Time sensitive data such as VoIP and streaming media are automatically sent to this queue gt To configure advanced QoS 1 Select Configuration gt Wireless gt Advanced gt QoS Settings The advanced QoS Settings screen displays Advanced Configuration 110 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Manitoring Maintenance Support System IP Security Wireless Bridge IDS IPS QoS Settings Basic Y Advanced Wireless Settings QoS Sethigs QoS Policies Qos Settings 802 11b bg ng 802 ila na AP EDCA parameters Queue AIFS cwMin cwMax Max Burst Data 0 Best Effort Data 1 Background Data 2 Video Data 3 Voice Station EDCA parameters Queue cwMax Data 0 Best Effort Data 1 Background Data 2 Video Data 3 Voice CANCEL APPLY Figure 65 Optional To configure advanced QoS for the 802 11a na modes click the 802 11a na tab Specify the settings as explained in the following table Table 32 EDCA settings Setting Description AP EDCA parameters AIFS Enter the Arbitration Inter F
23. IPS Mail Settings gt IDS IPS Mail Settings IDS IPS Mail Settings Show as Mail Sender SMTP Server Port Number 25 This server requires authentication p User Name Password Send Notifications to Admin Ex admin yourdomain com Figure 55 2 Configure the settings as explained in the following table Table 25 IDS IPS mail settings Setting Description A descriptive name of the sender for email identification purposes For example enter WNAP620 IDS IPS company com Show as Mail Sender SMTP Server The IP address or Internet name of the outgoing email SMTP server of your ISP The port number of the outgoing email SMTP server of your ISP The default port number is 25 Port Number This server requires If the SMTP server requires authentication select the This server requires authentication authentication check box and enter the user name and password User Name The user name for SMTP server authentication Password The password for SMTP server authentication Send Notifications to Admin The email address to which the notifications should be sent Typically this is the email address of the administrator 3 Click Apply to save your settings Management and Monitoring 95 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Monitor Traps Counters and Ad Hoc Networks The IDS IPS monitoring screens provide information about the most recent
24. Management ari Restore Settings Upgrade TE Restore Settings Upgrade TFTP Restore saved settings from a file gt Backup Settings Restore Settings CANCEL APPLY Figure 40 2 Click Browse and locate the backup configuration file the file name is config 3 Click Apply to initiate the restoration process During the restoration process the wireless access point automatically restarts The restoration process typically takes about 1 minute When the Test LED turns off wait a few more seconds before doing anything with the wireless access point Restore the Wireless Access Point to the Factory Default Settings You can restore the wireless access point to the factory default settings by two methods that are described in the following sections e Use the Web Management Interface to Restore Factory Default Settings e Use the Reset Button to Restore Factory Default Settings Management and Monitoring 71 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note After you have restored the factory default settings on the wireless access point All custom configurations are lost The login password is password The default LAN IP address is 192 168 0 100 The DHCP client is disabled The Access Point Name field is reset to the name printed on the label on the bottom of the unit Use the Web Management Interface to Restore Factory Default Settings IMPORTANT During the res
25. Off 61 Configure Basic Wireless Quality of Service 00005 62 Chapter 4 Management and Monitoring Enable Remote Management 2200 eee eee 64 SNMP Management rererere cant sawkeoteeemtneeeaeiod eae tan 64 Secure Shell and Telnet Management 22 00 000005 66 Upgrade the Wireless Access Point Software 0000 00a 67 Web Browser Upgrade Procedure 000 02 eee eeee 68 TFTP Server Upgrade Procedure 00 cece eee n eee 69 Manage the Configuration File or Reset to Factory Defaults 70 Save ihe Comores ee cade te theactekaiedeeageecwndee gs 70 Restore the Configuration 242 204 4024 s0Sasereede bees sada ds 71 Restore the Wireless Access Point to the Factory Default Settings 71 Reboot the Wireless Access Point without Restoring the Default Configuration secsi ede Gk Eee Bleed oda OE aS 73 Change the Administrator Password naaa naaa aaeeea 74 Manage User ACCOUNIS seske sene oe ee ee ei tanisa vrsni 75 Enable the Syslog SNE o csreiirrurcsreiroridssreds iti dibred 76 Monitor the Wireless Access Point 2000 eee ee eee 77 View System Information sees ces eee ee ceew beew eee e eee e es Tr Monitor Wireless Stations a na ke ee kk 80 Wie bie Poy LOO einir ar 83 Trame SISUSHGS 43 Seta Sets a sede PRG edd deo ete da 83 Enable Rogue AP Detection and Monitor Access Points 85 Enable and Configure Rog
26. Off gt QoS Settings gt Advanced Wireless Settings 802 11b bg ng 802 11a na Wireless Mode 2 4GHz Band 11b O 11bg 11ng Turn Radio On B Wireless Network Name SSID NETGEAR_1ling Wireless On Off Status OFF Broadcast Wireless Network Name SSID Yes O No Channel Frequency Auto v MCS Index Data Rate Best v Channel Width 20 MHz v Guard Interval Auto Output Power Full v CANCEL APPLY Figure 15 Specify the wireless mode in the 2 4 GHz band by selecting one of the following radio buttons e 11b Both 802 11n and 802 11g compliant devices can connect to the access point because they are backward compatible e 11bg 802 11n compliant devices can connect to the access point because they are backward compatible e 11ng This is the default setting 802 11b compliant devices cannot connect to the access point If you keep the default setting go to Step 5 When you change the wireless mode the Turn Radio On check box is automatically cleared and all fields buttons and drop down lists onscreen are masked out Turn on the radio by selecting the Turn Radio On check box A pop up screen displays Note Under normal conditions you want the radio to be turned on Turning off the radio disables access through the wireless access point which can be helpful for configuration network tuning or troubleshooting activities Click OK to confirm the change of wireless mode The change does not take effect until y
27. ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 AP2 ya Wireless PC card yo in a notebook computer Wireless PC card in a notebook computer Point to point bridge mode Point to point bridge mode gt gt Router N INTERNET Hub or switch 192 168 0 1 s y J J Segment 1 Segment 2 Figure 67 gt To configure a point to point wireless network 1 Configure the wireless access point AP1 on LAN Segment 1 in the previous figure as a point to point bridge a Select Configuration gt Wireless Bridge The Bridging screen displays see the following figure b Optional To display the Bridging screen for the 802 11a na modes click the 802 11a na tab c Select the Enable Wireless Bridging check box The Local MAC Address field is a nonconfigurable field that shows the MAC address of the wireless access point d Select the Wireless Point to Point Bridge radio button The screen adjusts Configuration Monitoring Maintenance Support System IP Wireless Security IDS IPS gt Bridging Bridging Bridging 802 11b bg ng 802 11a na Enable Wireless Bridging M Local MAC Address 90 44 DE 44 F4 40 Wireless Point to Point Bridge O Wireless Point to Multi Point Bridge Enable Wireless Client Association M Profile Name Security Enable 1 NETGEAR WDS 1 Open System CANCEL APPLY Figure 68 Advanced Configuration 119 ProSafe Premium 3 x 3 Dual
28. VLAN ID for the DHCP server The VLAN ID range is from 1 to 4094 The default VLAN is 1 Starting IPv6 Address Enter the first address in the range of IPv6 addresses to be assigned to DHCP clients The default address is 2001 05c0 9168 10 Ending IPv6 Address Enter the last address in the range of IPv6 addresses to be assigned to DHCP clients The default address is 2001 05c0 9168 50 Advanced Configuration 102 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 29 DHCP server settings for IPv6 continued Setting Description Prefix Length Enter the prefix length to be used by DHCP clients The default length is 64 Gateway IPv6 Address Enter the IPv6 address of the default routing gateway to be used by DHCP clients The default address is 2001 05c0 9168 1 Primary DNS Address Enter the IP address of the primary Domain Name System DNS server available to DHCP clients Secondary DNS Address Enter the IP address of the secondary DNS server available to DHCP clients Primary WINS Server Enter the IP address of the primary WINS server for the network if there is any Secondary WINS Server Enter the IP address of the secondary WINS server for the network if there is any Lease Enter the period that the DHCP server grants to DHCP clients to use the assigned IP addresses The default time is one day 3 Click Apply to save you
29. Web Browser Upgrade Procedure e TFTP Server Upgrade Procedure Note The web browser that you use to upload new firmware into the wireless access point needs to support HTTP uploads Use a browser such as Microsoft Internet Explorer 6 0 or later or Mozilla 1 5 or later Management and Monitoring 67 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note You cannot perform the software upgrade from a computer that is connected to the wireless access point over a wireless link You need to use a computer that is connected to the wireless access point over an Ethernet cable A WARNING When uploading software to the wireless access point do not interrupt the web browser by closing the window clicking a link or loading a new page If the browser is interrupted the upload might fail corrupt the software and render the wireless access point inoperable IMPORTANT In some cases such as a major upgrade you might need to erase the configuration and manually reconfigure your wireless access point after upgrading it See the release notes included with the software to find out if you need to reconfigure the wireless access point Web Browser Upgrade Procedure To use a web browser to upgrade the wireless access point firmware 1 Download the new software file from the NETGEAR website and save it to your hard disk If necessary unzip the new software file If available read the release notes before upgrad
30. access the secondary RADIUS server for accounting The default port number is 1813 Shared Secret Enter the shared key that is used between the wireless access point and the secondary RADIUS server during the accounting process Authentication Settin gs Reauthentication Time Seconds The interval in seconds after which the supplicant is reauthenticated with the RADIUS server The default interval is 3600 seconds 1 hour Enter 0 to disable reauthentication Update Global Key Every Seconds Select the check box to allow the global key update and enter the interval in seconds The check box is selected by default and the default interval is 1800 seconds 30 minutes Clear the check box to prevent the global key update Click Apply to save your settings Wireless Configuration and Security 59 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Restrict Wireless Access by MAC Address For increased security you can restrict access to an SSID by allowing access to only specific computers or wireless stations based on their MAC addresses You can restrict access to only trusted computers so that unknown computers cannot connect wirelessly to the wireless access point MAC address filtering adds an obstacle against unwanted access to your network but the data broadcast over the wireless link is fully exposed Note For wireless adapters you can usually find the MAC add
31. achieve higher throughput Enabling the aggregated MAC protocol data unit A MPDU could lead to better network performance By default the Enable radio button is selected RIFS Transmission Note This setting does not apply to the 802 11b bg modes and the 802 11a mode Select the Enable radio button to allow transmission of successive frames at different transmit powers Enabling reduced interframe space RIFS could lead to better network performance By default the Disable radio button is selected DTIM Interval 1 255 Enter the delivery traffic indication message DTIM interval also referred to as the data beacon rate which indicates the beacon delivery traffic indication message period in multiples of beacon intervals This value needs to be between 1 and 255 The default setting is 3 Preamble Type Note This setting does not apply to the 802 11a na modes Select one of the following radio buttons to specify the preamble type Long A long transmit preamble might provide a more reliable connection or a slightly longer range A short transmit preamble gives better performance Auto The Auto setting enables the wireless access point to handle both long and short preambles The default setting is Auto Antenna Note This setting does not apply to the 802 11a na modes Select one of the following radio buttons to specify the antenna Internal Enables the internal antenna This is the default
32. at least 5 minutes and check the date and time again The day is correct or one day ahead or behind and the hours are ahead or behind Cause You have selected an incorrect time zone for your area Specify the correct time zone in the basic General system settings screen see Configure Basic General System Settings and Time Settings on page 23 Troubleshooting 137 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Use the Packet Capture Tool You can capture wireless packets to analyze traffic patterns with a network traffic analyzer tool The captured packet flow can show if traffic is flowing correctly to its destinations or if packets are dropped There is a limit to the size of the packet flow that you can capture ina file gt To capture packets 1 Select Monitoring gt Packet Capture The Packet Capture screen displays Configuration Monitoring Maintenance Support tocout System Wireless Stations Rogue AP Logs Statistics e IDS IPS Packet Capture Packet Capture Packet Capture Figure 76 2 Click Start to start capturing wireless packets leaving or entering the wireless access point on the active operating channel Depending on which interface is enabled packets on the 2 4 GHz interface or 5 GHz interface are captured Normal functioning of the wireless access point is not affected during the packet capture process If any previously captured packets exist you are prompted
33. can allow all HTTP TCP port 80 requests to be captured and redirected to the URL you specify Rogue AP and ad hoc network detection Rogue AP filtering and ad hoc network detection ensure that unknown APs and networks are not given access to any part of the secured wireless and wired LAN Access control MAC address filtering can ensure that only trusted wireless stations can use the wireless access point to gain access to the wireless and wired LAN Security profiles When using multiple BSSIDs you can configure unique security settings encryption SSID and so on for each BSSID Hidden mode The SSID is not broadcast assuring that only clients configured with the correct SSID can connect Secure Telnet command line interface The secure Telnet command line interface CLI enables direct secure access over the serial port and easy scripting of configuration of multiple wireless access points across an extensive network through the Ethernet interface A Secure Shell SSH client is required Upgradeable firmware Firmware is stored in a flash memory You can upgrade it easily using only your web browser and you can upgrade it remotely You can also use the command line interface Configuration backup Configuration settings can be backed up to a file and restored Secure and economical operation Adjustable power output allows more secure or economical operation PoE support Using Power over Ethernet PoE any 802 3af complian
34. connections Make sure that the Active LED and LAN LED are on If one or both of these LEDs are off follow the instructions in The Active LED or the LAN LED Is Not Lit on page 133 Check that the corresponding link LEDs are on for your network interface card and for the hub ports if any that are connected to your workstation and wireless access point e Wrong network configuration Verify that the Ethernet card driver software and TCP IP software are both installed and configured on your computer Verify that the IP address for your wireless access point and your workstation are correct and that the addresses are on the same subnet Troubleshooting 136 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Test the Path from Your Computer to a Remote Device After verifying that the LAN path works correctly test the path from your computer to a remote device 1 2i From the Windows toolbar click the Start button and select Run In the Windows Run window type ping n 10 lt P address gt where lt P address gt is the IP address of a remote device such as the DNS server of your ISP If the path is functioning correctly replies as in the previous section display If you do not receive replies Check that your computer has the IP address of your router listed as the default wireless access point If the IP configuration of your computer is assigned by DHCP this information is not visible in yo
35. disabled If you have a DHCPV6 server on your LAN and you select the Enable radio button the wireless access point receives its dynamic IPv6 address prefix length and default gateway settings automatically from the DHCPV6 server on your network when you connect the wireless access point to your LAN IPv6 Address Enter the IP address of your wireless access point The default IP address is 2001 21c cOff fe69 To change the address enter an unused IPv6 address from the address range used on your LAN Prefix Length Enter the prefix length for the IPv6 address The default prefix length us 64 Advanced Configuration 100 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 28 IPv6 settings continued Setting Description Default Gateway Enter the IPv6 address of the ISP gateway to which the wireless access point connects Dynamic IPv6 Address The dynamic IPv6 address that is assigned by the DHCPV6 server on your network This address does not overwrite the address in the IPv6 Address field Primary DNS Server Secondary DNS Server Enter the IP address of the primary and secondary DNS servers A DNS server is a host on the Internet that translates Internet names such as www netgear com to numeric IP addresses Typically your ISP transfers the IP address of one or two DNS servers to your wireless access point during login If the ISP does not transfer an address
36. indicator 82 RTS Request to Send threshold 108 RTS flood 91 Rx sequence 82 S Secure Shell SSH enabling 66 security lock 13 security profiles creating and configuring 48 52 described 44 security wireless options 42 separating wireless clients 45 52 serial number 79 servers configuring DHCPv4 27 DHCPv6 102 DNS 26 28 101 103 hotspot 106 NTP 25 RADIUS 57 syslog 76 service set identifiers See SSIDs settings 117 shared key WEP 51 53 shared secrets RADIUS servers 59 signal to noise ratio SNR 82 SMA connectors external antennas 13 SNMP Simple Network Management Protocol configuring 64 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 software backing up 70 factory defaults 71 restoring from backup file 71 upgrading 68 version viewing 79 source port QoS policies 116 Spanning Tree Protocol STP enabling 105 specifications technical 139 SSH Secure Shell enabling 66 SSIDs service set identifiers broadcasting 50 broadcasting and security 43 broadcasting for 802 11a na modes 33 broadcasting for 802 11b bg ng modes 30 matching 19 stateless and stateful DHCPv6 server 102 station EDCA parameters 112 statistics traffic 83 STP Spanning Tree Protocol enabling 105 streaming media advanced QoS 110 WMM QoS 62 subnet mask default 142 DHCPvV4 clients 28 wireless access point 26 supported standards 8 syslog 76 system monitoring 77 system requiremen
37. link is detected baad On or blinking green Ethernet traffic is detected 3 t LAN Off 10 Mbps or no link is detected Amber 10 100 Mbps link is detected Green 1000 Mbps link is detected 4 2 4 WLAN Off Wireless 802 11b g n 2 4 GHz LAN is not ready or Ghz no wireless activity is detected On or blinking green Wireless 802 11b g n 2 4 GHz LAN is ready or wireless activity is detected 5 5 WLAN Off Wireless 802 11n a 5 GHz LAN is not ready or no Ghz wireless activity is detected On or blinking green Wireless 802 11n a 5 GHz LAN is ready or wireless activity is detected Introduction 12 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Rear Panel Figure 2 The rear panel components of the wireless access point from left to right are described in the following list 1 2 N First reverse SMA connector for an optional 2 4 GHz antenna Factory default Reset button Using a sharp object press and hold this button for about 5 seconds to reset the wireless access point to factory defaults settings All configuration settings are lost and the default password is restored For more information see Restore the Wireless Access Point to the Factory Default Settings on page 71 10 100 1000BASE T Gigabit Ethernet RJ 45 port with Auto Uplink Auto MDI X with IEEE 802 3af Power over Ethernet PoE support for connection to a switch or router Second reverse SMA con
38. management bandwidth allocation and resource optimization Key Features The wireless access point provides solid functionality including the following features Dual band The wireless access point can operate either in the 2 4 GHz band or the 5 GHz band The choice of band is reflected in the wireless modes that you can select and the administration screens that are displayed in the web management interface e IPv4 and IPv6 The wireless access point is manageable from either an IPv4 or IPv6 address it can function as an IPv4 or IPv6 DHCP client and its DHCP server can allocate either IPv4 or IPv6 addresses Multiple operating modes Wireless access point Operates as a standard 802 11b g n or 802 11a n wireless access point Point to point bridge In this mode the wireless access point communicates only with another bridge mode wireless station or wireless access point Network authentication should be used to protect this communication Point to multipoint bridge Select this option only if this wireless access point is the master for a group of bridge mode wireless stations The other bridge mode wireless stations send all traffic to this master and do not communicate directly with each other Network authentication should be used to protect this traffic Repeater In this mode the wireless access point does not function as an access point for clients but functions only in point to multipoint bridge mode to repe
39. point at its permanent position Note The figures in the procedures in this section do not show the WNDAP620 wireless access point However the procedures are generic and do apply to the WNDAP620 wireless access point Ceiling Installation The best location for ceiling installation is at the center of your wireless coverage area and within line of sight of all mobile devices Make sure the top the dome side of the wireless access point is directed toward the users and not the ceiling Installation and Basic Configuration 35 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note Do not place the wireless access point in a false ceiling space facing up gt To install the wireless access point using the ceiling installation kit 1 Verify the package contents of the ceiling installation kit Mounting plate A gt Clamp with screws e Installation and Basic Configuration 36 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 4 Attach the mounting plate to the clamp Installation and Basic Configuration 37 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 7 Attach the cover to the wireless access point Wall Installation The best location for wall installation is at the center of your wireless coverage area and within line of sight of all mobile devices Make sure the top the dome side of the wireless access point is directed toward the
40. power preamble radio rate rifs transmission rogue ap detection rts threshold 11dSupport client isolation create qos policy create qos classification delete qos policy delete qos classification Data encryption Profile name Preshared key Remote MAC Profile status Wireless wep passphrase key Wireless wep key Wireless wep key type WMM settings Access Access Access Access point best effort voice data point low priority data point video data point voice data Station best effort voice data Station low priority data Station video data Station voice data Support 5 0 GHz wireless LAN interface setting Aggregated packet size Aggregated MAC Protocol Data Unit Wireless beacon period in TU 1024 us Wireless channel depends on country and wireless mode Wireless channel width Wireless DTIM period in beacon interval Wireless fragmentation threshold even only Interval from interference from other transmissions Add known access point Delete known access point Add wireless access control ACL Delete Delete wireless access control ACL database wireless access control ACL Transmit data rate Enable wireless access control ACL Wireless operation mode Wireless transmit power Wireless preamble only effect on 802
41. setting e External Enables an optional external antenna or antennas 802 11d Note This setting does not apply to the 802 11a na modes Select this check box to enable support for additional regulatory domains that are not in the current standard support includes the addition of a country information element to beacons probe requests and probe responses This check box is selected by default Client Isolation From the drop down list select one of the following options e Enable Communication between wireless clients that are associated to different virtual access points VAPs is blocked e Disable Communication between wireless clients that are associated to different VAPs is allowed This is the default setting Max Wireless Clients Enter the maximum number of wireless clients that can simultaneously connect to the wireless access point at one time The default setting is 128 clients Advanced Configuration 109 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 4 Click Apply to save your settings Configure Advanced Quality of Service Settings For most networks the default Quality of Service QoS queue settings work well For information about how to configure basic QoS see Configure Basic Wireless Quality of Service on page 62 You can specify the settings on multiple queues for increased throughput and better performance of differentiated wireless traffic such as Vo
42. source MAC address in Ethernet ll frame header e Destination MAC Indicates the destination MAC address in Ethernet ll frame header e Source IP Indicates the source IP address in the IP header e Destination IP Indicates the destination IP address in the IP header e Source port Indicates the source port number in the port header e Destination port Indicates the destination port number in the port header For each classification in a QoS policy you can configure rate limiting by specifying the maximum bit rate and maximum burst rate Packets that exceed the maximum bit rate are retained in the traffic queue and are processed when transmission falls below the maximum bit rate again You can also configure the overall maximum bit rate and maximum burst rate for the entire wireless interface You can configure up to eight QoS policies To configure a new QoS policy 1 Select Configuration gt Wireless gt Advanced gt QoS Policies The advanced QoS Policies screen displays T Configuration Monitoring Maintenance Support tocour J System IP Security Wireless Bridge 1DS IPS gt Basic QoS Policies Advanced gt Wireless Settings gt QoS Settings QoS Policies Qos Policies 802 11b bg ng 802 1lla na Create Policy NEW Policy Name NEW Classifications DELETE POLICY DELETE CLASSIFICATION Match Frame Fields Match Classifications Apply Classification IP Precedence Routine 0 v Best Effort 0 v Classifica
43. that are shown in the following table Note Pressing the Reset button for a shorter period of time simply causes the wireless access point to reboot Table 40 Default configuration settings Feature Description Login for management and configuration LAN IPv4 management address 192 168 0 100 Subnet mask for IPv4 management address 255 255 255 0 LAN IPv6 management address 2001 21c cOff fe69 Prefix length for IPv6 management address 64 Required static IPv4 address for management 192 168 0 210 and 255 255 255 0 computer User name case sensitive for login admin Login password case sensitive for login password LAN and management features DHCPv4 client Disabled DHCPV 6 client Disabled Untagged VLAN Enabled VLAN ID 1 Management VLAN VLAN ID 1 SNMP Disabled Syslog Disabled Spanning Tree Protocol STP Disabled Link Layer Discovery Protocol LLDP Enabled Secure Shell SSH Enabled Supplemental Information 142 Table 40 Default configuration settings continued ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Feature Description Hotspot Disabled Secure Telnet Disabled Time zone USA Pacific NTP client Enabled Custom NTP server Disabled Port speed 10 100 1000 Ethernet MAC address See bottom label
44. the VLAN ID for the DHCP server The VLAN ID range is from 1 to 4094 The default VLAN is 1 Starting IPv4 Address Enter the first address in the range of IPv4 addresses to be assigned to DHCP clients The default address is 192 168 1 02 Installation and Basic Configuration 27 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 5 DHCP server settings for IPv4 continued Setting Description Ending IPv4 Address Enter the last address in the range of IPv4 addresses to be assigned to DHCP clients The default address is 192 168 1 50 Subnet Mask Enter the subnet mask to be used by DHCP clients The default mask is 255 255 255 0 Gateway IPv4 Address Enter the IPv4 address of the default routing gateway to be used by DHCP clients The default address is 192 168 0 1 Primary DNS Address Enter the IP address of the primary Domain Name System DNS server available to DHCP clients Secondary DNS Address Enter the IP address of the secondary DNS server available to DHCP clients Primary WINS Server Enter the IP address of the primary WINS server for the network if there is any Secondary WINS Server Enter the IP address of the secondary WINS server for the network if there is any Lease Enter the period that the DHCP server grants to DHCP clients to use the assigned IP addresses The default time is one day 3 Click Apply to s
45. the name for a user account 1 On the User Accounts screen in the lower part of the screen select the user from the Existing Users drop down list 2 Inthe User Name field modify the name 3 Click Modify Click Apply to save your settings e gt To change the privilege for a user account 1 On the User Accounts screen in the lower part of the screen select the user from the Existing Users drop down list 2 From the Privilege drop down list select another privilege 3 Click Reset Password The password is reset to the default password which is password Click Apply to save your settings e gt To reset the password for a user account 1 On the User Accounts screen in the lower part of the screen select the user from the Existing Users drop down list 2 Click Reset Password The password is reset to the default password which is password 3 Click Apply to save your settings Note If you want to modify a password delete the user account and then recreate the user account with the password of your choice gt To delete a user account 1 On the User Accounts screen in the lower part of the screen select the user from the Existing Users drop down list 2 Click Delete 3 Click Apply to save your settings Enable the Syslog Server The Syslog screen allows you to enable the syslog option if you have a syslog server on your LAN If syslog is enabled the wireless access point sends its syslog fil
46. to be turned back on Use 24 hour time format Radio OFF Time Enter the time that you want the radio to be turned off Use 24 hour time format 3 Click Apply to save your settings Configure Basic Wireless Quality of Service Wi Fi Multimedia WMM is a subset of the 802 11e standard WMM allows wireless traffic to have a range of priorities depending on the type of data Time dependent information such as video or audio has a higher priority than normal traffic For WMM to function correctly wireless clients also need to support WMM By enabling WMM you allow Quality of Service QoS control for upstream traffic flowing from a wireless station to the wireless access point and for downstream traffic flowing from the wireless access point to a wireless station WMM defines the following four queues in decreasing order of priority e Voice The highest priority queue with minimum delay which makes it ideal for applications like VoIP and streaming media Wireless Configuration and Security 62 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 e Video The second highest priority queue with low delay is given to this queue Video applications are routed to this queue e Best Effort The medium priority queue with medium delay is given to this queue Most standard IP applications use this queue e Background Low priority queue with high throughput Applications such as FTP that are not time sensitive but req
47. to delete them and only then can you capture new packets 3 Click Stop to stop capturing packets 4 Click Save as to save the pacture pcap file on your computer or to a disk drive Troubleshooting 138 Supplemental Information This appendix provides factory default settings and technical specifications for the ProSafe Premium 3 x 3 Dual Band following sections Wireless N Access Point WNDAP620 The appendix includes the e Technical Specifications e Factory Default Settings Technical Specifications Table 39 Technical specifications Feature Description 802 11b bg ng wireless s pecifications 802 11b data rates 1 2 5 5 and 11 Mbps and auto rate capable 802 11bg data rates 1 2 5 5 6 9 11 12 18 24 36 48 54 Mbps and auto rate capable 802 11ng MCS index and data rates Data rates for a 20 MHz channel width and an automatic guard interval 0 7 2 Mbps 1 14 4 Mbps 2 21 7 Mbps 3 28 9 Mbps 4 43 3 Mbps 5 57 8 Mbps 6 65 Mbps 7 72 2 Mbps 8 14 44 Mbps 9 28 88 Mbps 10 43 33 Mbps 11 57 77 Mbps 12 86 66 Mbps 13 115 56 Mbps 14 130 Mbps 15 144 44 Mbps 16 21 7 Mbps 17 43 3 Mbps 18 65 Mbps 19 86 7 Mbps 20 130 7 Mbps 21 173 3 Mbps 22 195 Mbps 23 216 7 Mbps and auto rate capable Data rates for a 20 MHz channel width and a long guard interval 800 ms 0 6 5 Mbps 1 13 Mbps 2 19 5 Mbps 3 26 Mbps 4 39 Mbps
48. 0 Troubleshooting This chapter provides information about troubleshooting the wireless access point After each problem description instructions are given to help you diagnose and solve the problem For the common problems listed go to the section indicated Is the wireless access point on Go to Basic Functioning on page 132 Have connected the wireless access point correctly Go to Basic Functioning on page 132 cannot access the Internet or the LAN Go to You Cannot Access the Internet or the LAN from a Wireless Capable Computer on page 134 cannot access the wireless access point from a browser Go to You Cannot Configure the Wireless Access Point from a Browser on page 134 A time out occurs Go to When You Enter a URL or IP Address a Time Out Error Occurs on page 135 have problems with the LAN connection Go to Troubleshoot a TCP IP Network Using the Ping Utility on page 135 cannot remember the wireless access point s configuration password Go to Change the Administrator Password on page 74 want to clear the configuration and start over again Go to Restore the Wireless Access Point to the Factory Default Settings on page 71 The date or time is not correct Go to Problems with Date and Time on page 137 The wireless access point provides a packet capture tool that enables you to perform problem diagnoses For information about how to use this tool see Use the Packet Capture Tool on page 138
49. 0 1023 Data 1 1023 Data 2 15 Data 3 7 TXOP Limit Enter the transmission opportunity TXOP value that specifies the time interval in microseconds in which a client station can initiate transmissions on the wireless medium WM Decreasing this value increases the priority of the queue Valid values for TXOP Limit are all multiples of 32 between 0 and 8192 inclusive of 0 and 8192 The default values are Data 0 0 Data 1 0 Data 2 3008 Data 3 1504 4 Click Apply to save your settings Configure Quality of Service Policies The wireless access point lets you configure and apply QoS policies to wireless clients In each QoS policy you can specify multiple classifications match clauses and apply traffic to eight priority queues based on the following information in the Layer 2 Layer 3 Layer 3 IP headers and Layer 4 IP precedence Indicates the IP Type of Service ToS or precedence in the IP headers IP DSCP Indicates the Differentiated Services Code Point DSCP marking in the IP header IP protocol 119 Indicates the IP protocol field in the IP header with value 119 802 1P Indicates the 3 bit Class of Service CoS field in the class header IP protocol Indicates the protocol field in the IP header Advanced Configuration 112 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 e EtherType Indicates the EtherType field in Ethernet ll frame header e Source MAC Indicates the
50. 0 Hz AC power source A computer with the TCP IP protocol installed and a web browser for configuration such as Microsoft Internet Explorer 6 0 or later or Mozilla 1 5 or later An 802 11a n or 802 11b g n compliant device such as the NETGEAR N600 Wireless N Dual Band USB Adapter WNDA3100 Key Features and Standards Supported Standards and Conventions Key Features 802 11b g n and 802 11a n Standards Based Wireless Networking Autosensing Ethernet Connections with Auto Uplink The wireless access point is easy to use and provides solid wireless and networking support It also offers a wide range of security options Supported Standards and Conventions The wireless access point supports the following standards and conventions Standards compliance The wireless access point complies with the IEEE 802 11a b g standards for wireless LANs and is Wi Fi certified for 802 11n standard WPA and WPA2 The wireless access point provides WPA and WPA2 enterprise class strong security with RADIUS and certificate authentication as well as dynamic encryption key generation The WPA PSK and WPA2 PSK pre shared key authentication does not have the overhead of RADIUS servers but provides the strong security of WPA Multiple BSSIDs The wireless access point supports multiple BSSIDs When a wireless access point is connected to a wired network and a set of wireless stations it is called a basic service set BSS The basic service set identifier BS
51. 11b rates Enable wireless radio Wireless transmission date rate Enable successive frame transmission at different transmit powers Enable rogue access point detection Wireless RTS CTS threshold IEEE802 11d status Client Create Create Delete Delete isolation status QoS Quality of service policy Qos Quality of service classification QoS Quality of service policy Qos Quality of service classification Command Line Reference 152 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 security profile gt Create security profile 1 gt 1st security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgo
52. 6 5 Complete the registration form 6 Click submit Introduction 16 Installation and Basic Configuration This chapter describes how to install and configure the wireless access point for wireless connectivity to your LAN This basic configuration enables computers with either 2 4 GHz 802 11b g n or 5 GHz 802 11a n wireless adapters to connect to the Internet or access printers and files on your LAN In planning your wireless network consider the level of security required Chapter 3 Wireless Configuration and Security describes how to set up wireless security for your network This chapter includes the following sections What You Need Before You Begin Install and Configure the Wireless Access Point Test Basic Wireless Connectivity Mount the Wireless Access Point What You Need Before You Begin Wireless Equipment Placement and Range Guidelines Ethernet Cabling Requirements LAN Configuration Requirements Hardware Requirements for Computers on Your LAN Operating Frequency Channel Guidelines Requirements for Entering IP Addresses You need to consider the following guidelines and requirements before you can set up your wireless access point See also System Requirements on page 8 Wireless Equipment Placement and Range Guidelines The range of your wireless connection can vary significantly based on the location of the wireless access point The latency data throughput performance and power consumption of wireless
53. 68 10 Ending IPv6 Address 2001 05c0 9168 50 Prefix Length 64 Gateway IPv6 Address 2001 05c0 9168 1 Primary ONS Server Secondary DNS Server Primary WINS Server Secondary WINS Server Lease 1 days 0 hours 0 minutes CANCEL Figure 60 2 Configure the settings as explained in the following table Table 29 DHCP server settings for IPv6 Setting Description Select the DHCPv6 Server Enable radio button to enable the DHCP server Use the default settings or specify the pool of IPv6 addresses to be assigned by setting the starting IPv6 address and ending IPv6 address These addresses should be part of the same IP address subnet as the wireless access point s LAN IPv6 address State From the State drop down list select the DHCPv6 server option Stateless The IPv6 clients in the LAN generate their own IP address by using a combination of locally available information and router advertisements but receive DNS server information from the DHCPv6 server Note When you select the Stateless option you do not need to configure any other DHCPV6 server settings fields e Stateful The IPv6 clients in the LAN obtain an interface IP address configuration information such as DNS server information and other parameters from the DHCPV6 server The IP address is a dynamic address Note When you select the Stateful option you need to configure all other DHCPV6 server settings fields DHCP Server VLAN ID Enter the
54. D NETGEAR_1ing Channel 1 Rate 0 00 State QOS ERP HT Type open AID 1 Mode iing Status Associated RSSI 65 Idle Time 0 Tx Sequence 0 Rx Sequence Capability Cipher SNR 0 Recy Bytes 1681 Trans bytes 3347 Assoc Time Stamp 00 02 22 IP Address NONE Channel Width Static20 Figure 48 Management and Monitoring 81 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 The following table explains the fields of the Wireless Stations Details screen Table 20 Wireless stations details fields Setting Description MAC Address The MAC address of the wireless station BSSID The BSSID that the wireless station is using SSID The SSID that the wireless station is using Channel The channel that the wireless station is using Rate The transmit data rate in Mbps of the wireless station State The features that are enabled on the wireless station Type The authentication and encryption type that the wireless station is using AID The associated identifier AID of the wireless station Mode The wireless mode in which the wireless station is operating Status The wireless status of the wireless station Associated RSSI The received signal strength indicator RSSI of the wireless station Idle Time The time since the last frame was received from the wireless station Tx Sequence The sequence number of the last frame that was transmitted to the wireless station Rx
55. DAP620 T Configuration Monitoring Maintenance Support koGourt System IP Wi Security Wireless Bridge IDS IPS Basic Wireless Settings Wireless Settings Wireless On Off QoS Settings Sadconcod 802 11b bg ng 602 1l1a na Wireless Settings Wireless Mode 5GHz Band 11a tina Turn Radio On 2 Wireless Network Name SSID NETGEAR_1lina Wireless On Off Status OFF Broadcast Wireless Network Name SSID Yes No Channel Frequency Auto x MCS Index Data Rate Best v Channel Width Dynamic 20 40 MHz Guard Interval Auto v Output Power Full v Figure 16 Specify the wireless mode in the 5 GHz band by selecting one of the following radio buttons e 11a 802 11n compliant devices can connect to the access point because they are backward compatible e ina This is the default setting If you keep the default setting go to Step 5 When you change the wireless mode the Turn Radio On check box is automatically cleared and all fields buttons and drop down lists onscreen are masked out Turn on the radio by selecting the Turn Radio On check box A pop up screen displays Note Under normal conditions you want the radio to be turned on Turning off the radio disables access through the wireless access point which can be helpful for configuration network tuning or troubleshooting activities Click OK to confirm the change of wireless mode The change does not take effect until you click the Appl
56. EP encryption using 40 64 bit encryption 128 bit WEP Standard WEP encryption using 104 128 bit encryption e 152 bit WEP Proprietary WEP encryption mode using 128 24 bit encryption This mode functions only with other wireless stations that support this mode Passphrase Enter a passphrase The passphrase length needs to be between 8 and 63 characters inclusive The secret passphrase allows you to generate the keys automatically by clicking Generate Keys The default passphrase is sharedsecret You can display the actual passphrase by selecting the Show Passphrase in Clear Text Yes radio button Encryption Key Key1i Key4 Either enter a key manually or allow the key to be automatically generated by clicking Generate Keys e For ASCII format depending on the key size selected the manually entered encryption key needs to have a length of 5 64 bit WEP 13 128 bit WEP or 16 characters 152 bit WEP For HEX format depending on the key size selected the manually entered or automatically generated encryption key needs to have a length of 10 64 bit WEP 26 128 bit WEP or 32 152 bit WEP characters Note Wireless stations need to use the key to access the wireless access point Show Passphrase in Clear Text Select the Yes radio button to display the actual passphrase in the Passphrase field The default setting is No Configure Legacy 802 1X To use legacy 802 1X security you need to d
57. ETGEAR_11na 7 for the eighth profile Wireless Configuration and Security 50 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 9 Profile definition settings continued Setting Description Broadcast Wireless Network Name SSID Select the Yes radio button to enable the wireless access point to broadcast its SSID allowing wireless stations that have a null blank SSID to adopt the wireless access point s SSID Yes is the default setting To prevent the SSID from being broadcast select the No radio button Specify the settings of the Authentication Settings section of the Edit Security Profile screen as explained in the following table The wireless access point is set by default as an open system with no authentication When you configure network authentication bear in mind the following e Ifyou are using access point mode which is the default mode if you did not enable wireless bridging then all options are available In other modes such as bridge mode some options might be unavailable e Not all wireless adapters support WPA or WPA2 Windows XP Windows 2000 with Service Pack 3 and Windows Vista do include the client software that supports WPA However client software is required on the client Consult the product documentation for your wireless adapter and WPA or WPA2 client software for instructions about how to configure WPA2 settings Table 10 Profile
58. Figure 34 2 Specify the settings as explained in the following table Table 16 SNMP settings Setting Description SNMP Select the Enable radio button to allow the SNMP network management software such as HP OpenView to manage the wireless access point through SNMPv1 v2 protocol By default the Disable radio button is selected Read Only Community Name Enter the community string to allow the SNMP manager to read the wireless access point s Management Information Base MIB objects The default is public Read Write Community Name Enter the community string to allow the SNMP manager to read and write the wireless access point s MIB objects The default is private Trap Community Name Enter the community string to allow the SNMP manager to send traps The default is trap IP Address to Receive Traps Enter the IP address of the SNMP manager to receive traps sent from the wireless access point Trap Port Enter the number of the SNMP manager port to receive traps sent from the wireless access point The default is 162 3 Click Apply to save your settings Management and Monitoring 65 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Secure Shell and Telnet Management gt To configure remote console features gt 1 3 Select Maintenance gt Remote Management gt Remote Console The Remote Console screen displays Configuration Monitoring Mainte
59. From the Network Authentication drop down list select Open System and WPA PSK or WPA2 PSK Your selection determines the options that the Data Encryption Data Encryption drop down list provides and whether the WPA Passphrase Network Key field displays Open System Although you can use the bridge communication without any authentication and encryption NETGEAR recommends that you use WEP if you do select an open system From the Data Encryption drop down list select one of the following None No authentication and encryption 64 bit WEP Standard WEP encryption using 40 64 bit encryption e 128 bit WEP Standard WEP encryption using 104 128 bit encryption e 152 bit WEP Proprietary WEP encryption mode using 128 24 bit encryption This mode functions only with other wireless stations that support this mode Advanced Configuration 128 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 38 Wireless signal repeating profile and authentication settings continued Setting Description Network Authentication WPA PSK TKIP Temporal Key Integrity Protocol is the standard and encryption method used with WPA PSK and the only Data Encryption selection possible from the Data Encryption drop down list continued In the WPA Passphrase Network Key field enter a passphrase The passphrase length needs to be between 8 and 63 characters inclusive WPA2 PSK AES Adva
60. Line Reference e Added Index 202 10983 01 1 0 August 2012 First publication Contents Chapter 1 Introduction About the ProSafe Premium 3 x 3 Dual Band Wireless N Access Point PIPES a a ere aan aera nk Ghote ah ek nano 6 Wheat Ie Withe Bae 4 jis s9844 dee i Cehe seed deeds peRweR Rede e ee 7 System Requirements cos cicke ca cee code eaRRA eH DR RO HARE CERO ORE 8 Key Features and Standards 0 0 0 cece cece eens 8 Supported Standards and Conventions 00 cece eee 8 Key Features 22ccccceercc ev tee ew ee eee tee ww incest hee wt hea a ae 9 802 11b g n and 802 11a n Standards Based Wireless Networking 11 Autosensing Ethernet Connections with Auto Uplink 11 Hardware DSSCION iii eee eee eee a ee i ee 11 TOO PONG 2s seach he Peeks eOhe GES es CREE RSER See OE eS ee TS 11 Ron PAO ecard acd aire ae diag A ara ge ROM a det eh acd ane ekg 13 Bottom Panel with Product Label 220000000 ees 13 Register the Wireless Access Point 20000e eee eeeeee 14 Chapter 2 Installation and Basic Configuration What You Need Before You Begin 0 cece eee eee 17 Wireless Equipment Placement and Range Guidelines 17 Ethernet Cabling Requirements 0 00 cece eee e eee 18 LAN Configuration Requirements 0000 cece eee eee 18 Hardware Requirements for Computers on Your LAN 19 Operating Frequency Channel Guidelines
61. MIMO can increase wireless throughput considerably The wireless access point provides wireless connectivity to multiple wireless network devices within a fixed range or area of coverage interacting with a wireless network interface card NIC through an antenna Typically an individual in building wireless access point provides a maximum connectivity area with about a 500 foot radius The wireless access point can support a maximum of 128 clients in a range of several hundred feet The throughput is shared between all clients Make sure that you install a sufficient number of wireless access points to meet the required coverage throughput and quality of your wireless network The wireless access point acts as a bridge between the wired LAN and wireless clients Connecting multiple wireless access points through a wired Ethernet backbone can further increase the wireless network coverage As a mobile computing device moves out of the range of one wireless access point it moves into the range of another As a result wireless clients can freely roam from one wireless access point to another and still maintain a seamless connection to the network The autosensing capability of the wireless access point allows packet transmission at up to 450 Mbps or at reduced speeds to compensate for distance or electromagnetic interference Advanced wireless features that are supported on the wireless access point include a wireless intrusion detection system
62. R _1ina Open System NETGEAR 1 NETGEAR_1ina 1 Open System NETGEAR 2 NETGEAR_lina 2 Open System NETGEAR 3 NETGEAR_iina 3 Open System NETGEAR 4 NETGEAR_iina 4 Open System NETGEAR S NETGEAR_iina S Open System NETGEAR 6 NETGEAR_lina 6 Open System NETGEAR 7 NETGEAR_lina 7 Open System a a o FJ a m O CANCEL APPLY Figure 19 The following table explains the fields of the Profile Settings screen Table 8 Profile settings Setting Description Profile Name The unique name of the wireless security profile that makes it easy to recognize the profile SSID The wireless network name SSID for the wireless security profile Security The configured wireless authentication method for the wireless security profile VLAN The default VLAN ID that is associated with the wireless security profile Enable The check box that lets you select the wireless security profile so you can enable it by clicking Apply To configure a wireless security profile select the corresponding radio button to the left of the wireless security profile The Edit Security Profile screen opens for the selected wireless security profile see the following figure The screen has three sections e Profile Definition see Step 4 e Authentication Settings see Step 5 e QoS Policies see Step 6 Wireless Configuration and Security 49 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monit
63. S 3 Open System 4 NETGEAR WDS 4 Open System CANCEL Figure 74 e The profile table shows four security profiles Choose a security profile to edit by selecting the corresponding radio button to the left of the profile f Click Edit to configure the selected security profile settings The Edit Security Profile screen displays for the selected security profile The following figure contains an example Advanced Configuration 127 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Support System IP Wireless Security IDS IPS gt Bridging Edit Security Profile Profile Definition Profile Name NETGEAR WDS 1 Remote MAC Address La b2 3e d4 33 36 Authentication Settings Network Authentication WPA2 PSK Data Encryption AES WPA Passphrase Network Key hHHhe CANCEL APPLY Figure 75 Specify the settings as explained in the following table Table 38 Wireless signal repeating profile and authentication settings Setting Description Profile Definition Profile Name Enter a profile name that is easy to remember The default names for the four security profiles are NETGEAR WDS 1 NETGEAR WDS 2 NETGEAR WDS 3 and NETGEAR WDS 4 Remote MAC Address Enter the MAC address of the remote wireless access point the MAC address of AP1 or AP3 in Figure 73 on page 126 Authentication Settings Network Authentication
64. SID is a unique identifier attached to the header of packets sent over a WLAN that differentiates one WLAN from another when a mobile device tries to connect to the network The multiple BSSID feature allows you to configure up to 16 SSIDs 8 per radio but only one radio can be active at a time on your wireless access point and assign different configuration settings to each SSID All the configured SSIDs are active and the network devices can connect to the wireless access point by using any of these SSIDs Introduction 8 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 DHCP server and client The DHCP server of the wireless access point can provide a dynamic IPv4 or IPv6 address to wireless clients The wireless access point can also act as a client and obtain an IPv4 or IPv6 address from a DHCP server on the LAN e SNMP The wireless access point supports Simple Network Management Protocol SNMP for Management Information Base MIB management e STP and LLDP The wireless access point supports Spanning Tree Protocol STP and Ethernet Link Layer Discovery Protocol LLDP LLDP is enabled by default e 802 1Q VLAN A network of computers can behave as if they are connected to the same network even though they might actually be physically on different segments of a LAN Virtual LANs VLANs are configured through software rather than hardware which makes them very flexible VLANs are very useful for user and host
65. Select Maintenance gt Upgrade gt Firmware Upgrade TFTP The Firmware Upgrade TFTP screen displays Configuration Monitoring Maintenance Support Password Reset Remote Management rinn are Firmware Upgrade TFTP Upgrade gt Firmware Firmware Upgrade TFTP Upgrade TFTP Firmware File Name Backup Settings TFTP Server IP gt Restore Settings CANCEL APPLY Figure 38 5 Specify the following information Firmware File Name The name of the unzipped software file TFTP Server IP The IP address of your TFTP server 6 Click Apply to initiate the upgrade process During the upgrade process the wireless access point automatically restarts The upgrade process typically takes several minutes When the Test LED turns off wait a few more seconds before doing anything with the wireless access point Management and Monitoring 69 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 7 Verify that the new software file has been installed by selecting Monitoring gt System The System screen displays see Figure 46 on page 78 The firmware version is shown in the Access Point Information section of the screen Manage the Configuration File or Reset to Factory Defaults Save the Configuration Restore the Configuration Restore the Wireless Access Point to the Factory Default Settings Reboot the Wireless Access Point without Restoring the Default Configuration The wireless access point settings ar
66. Sequence The sequence number of the last frame that was received from the wireless station Capability The summary of the capability of the wireless station that was detected during association Cipher The cipher that the wireless station is using and that defines the type of encryption SNR The signal to noise ratio SNR that indicates how much the signal of the wireless station has been corrupted by noise Recv Bytes The number of bytes received on the wireless station since it last started up Trans bytes The number of bytes transmitted by the wireless station since it last started up Assoc Time Stamp The time when these details of the wireless station were retrieved IP Address The IP address of the wireless station Channel Width The channel width at which the wireless station operates Management and Monitoring 82 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 View the Activity Log You can view the wireless access point s activity logs onscreen and save the logs gt To display the activity log and save it 1 Select Monitoring gt Logs The Logs screen displays Configuration Monitoring Maintenance Support System Wireless Stations Rogue AP Statistics Packet Capture IDS IPS kernel kernel Operating Mode linght20 kernel brtrunk port 13 wifiOwds3 entering list kernel brtrunk port 2 wifiOvap0 entering forwa kernel 8021q ad
67. Statistics fields Setting Description Wired Ethernet Packets The number of packets received and transmitted over the Ethernet connection since the wireless access point was restarted Bytes The number of bytes received and transmitted over the Ethernet connection since the wireless access point was restarted Wireless 802 11b Wireless 802 11bg Wireless 801 11ng Wireless 802 11a or Wireless 802 11na Note The section heading depends on the configured wireless mode Unicast Packets The number of unicast packets received and transmitted over the wireless connection since the wireless access point was restarted Management and Monitoring 84 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 21 Statistics fields continued Setting Description Broadcast Packets The number of broadcast packets received and transmitted over the wireless connection since the wireless access point was restarted Multicast Packets The number of multicast packets received and transmitted over the wireless connection since the wireless access point was restarted Total Packets The total number of packets received and transmitted over the wireless connection since the wireless access point was restarted Total Bytes The total number of bytes received and transmitted over the wireless connection since the wireless access point was restarted Client Asso
68. Tip If you enable the DHCP client on the wireless access point you can discover the new IP address of the wireless access point by accessing the DHCP server on your LAN or by using a network IP address scanner application gt To configure the IPv4 settings 1 Select Configuration gt IP gt IP Settings The IP Settings screen displays Installation and Basic Configuration 25 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 T Configuration Monitoring Maintenance Support System gt Wireless Security Wireless Bridge IDS IPS gt IP Settings IP Settings IPv6 Settings IP Settings DHCP Server Settings DHCP Client O Enable Disable IP Address 192 168 0 100 IP Subnet Mask 255 255 255 0 Default Gateway Primary DNS Server Secondary DNS Server Network Integrity Check Figure 13 2 Configure the IPv4 settings as explained in the following table Table 4 IPv4 settings Setting Description DHCP Client By default the Dynamic Host Configuration Protocol DHCP client is disabled If you have a DHCP server on your LAN and you select the Enable check box the wireless access point receives its IP address subnet mask and default gateway settings automatically from the DHCP server on your network when you connect the wireless access point to your LAN IP Address Enter the IP address of your wireless access point The default IP address is 192 168 0 100 To change the ad
69. Unknown AP List The Unknown AP List screen displays configuration E Monitoring Maintenance Support System Wireless Stations ue Logs Statistics Packet Capture IDS IPS Unknown AP List Unknown AP List phoma OF ree Unknown AP List 802 11ng MAC Address Privacy Channel Rate Beacon Int of Beacons Last Beacon 00 1F123 C4 F7 F EVA2000_WEP64 3 749115 COMSFIOE BOIB7 A2 FULLRATEB7A2 744907 30 46r9A 85 A9 3E XCES3700 730218 CO SF OE 85 C5 02 ngguest 727936 00 24 82 SA 4F 27 CES3703 745097 REFRESH Figure 52 2 Click Refresh to let the wireless access point discover the access points and populate the Unknown AP List for the configured wireless mode The following table explains the fields of the Unknown AP List screen Table 22 Unknown AP List fields Setting Description MAC Address The MAC address of the unknown AP SSID The SSID that the unknown AP is using Privacy Indicates whether security is enabled 1 means enabled 0 means disabled Channel The channel that the unknown AP is using Rate The transmit data rate in Mbps of the unknown the AP Beacon Int The interval for each beacon transmission in ms Management and Monitoring 87 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 22 Unknown AP List fields continued Setting Description of Beacons The number of beacons transmitted by the unknown AP that the wireless access
70. Wireless wep passphrase key Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy Command Line Reference 147 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 delete outgoing QoSpolicy Delete outgoing QoS policy 2 gt 2nd security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 3 gt 3rd security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3
71. a H r me l sir NETGEAR Inc yfir v ad Radiolan er samr mi vid grunnkr fur og a rar Icelandic kr fur sem ger ar eru tilskipun 1999 5 EC Norsk NETGEAR Inc erkl rer herved at utstyret Radiolan er i samsvar med de grunnleggende Norwegian krav og vrige relevante krav i direktiv 1999 5 EF This device is a 2 4 GHz wideband transmission system transceiver intended for use in all EU member states and EFTA countries except in France and Italy where restrictive use applies In Italy the end user should apply for a license at the national spectrum authorities in order to obtain authorization to use the device for setting up outdoor radio links and or for supplying public access to telecommunications and or network services This device may not be used for setting up outdoor radio links in France and in some areas the RF output power may be limited to 10 mW EIRP in the frequency range of 2454 2483 5 MHz For detailed information the end user should contact the national spectrum authority in France FCC Requirements for Operation in the United States FCC Information to User This product does not contain any user serviceable components and is to be used with approved antennas only Any product changes or modifications will invalidate all applicable regulatory certifications and approvals FCC Guidelines for Human Exposure Radiation Exposure Statement This equipment complies with FCC radiation exposure limi
72. adapters also vary depending on your configuration choices 17 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note Failure to follow these guidelines can result in significant performance degradation or inability to connect wirelessly to the wireless access point For complete performance specifications see Appendix A Supplemental Information Note Before you position and mount the wireless access point at its permanent position first configure the wireless access point and test the computers on your LAN for wireless connectivity as explained in this chapter For best results place your wireless access point according to the following general guidelines Near the center of the area in which the wireless devices will operate In an elevated location such as a high shelf where the wirelessly connected devices have line of sight access even if through walls Away from sources of interference such as computers microwaves ovens and 2 4 GHz cordless phones Away from large metal surfaces or water Placing an external antenna in a vertical position provides best side to side coverage Placing an external antenna in a horizontal position provides best up and down coverage An external antenna does not come standard with the wireless access point If you are using multiple wireless access points it is better if adjacent wireless access points use different radio frequency channels to reduce interference T
73. and product warranty NETGEAR encourages you to register your product The first time that you connect to the wireless access point while it is connected to the Internet you have the option to register your product At any time you can register your product from the web management interface or you can go to the NETGEAR website for registration at https my netgear com registration login aspx gt To register the wireless access point with NETGEAR 1 Select Support gt Registration The Product Registration screen displays Documentation gt Product Product Registration Registration n Registration We are delighted to have you as a customer Registration confirms your email alerts will work lowers technical support resolution time and ensures your shipping address accuracy We d also like to incorporate your feedback into future product development NETGEAR will never sell or rent your email address and you may opt out of communications at any time REGISTER J Figure 4 2 Click Register A new screen displays in your browser Introduction 14 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Please complete the form below to register your product Serial Number 1234567891232 Model No WNDAP629 Date Purchased 8 22 2012 Country Email First name Last name Telephone Fields are mandatory you enter a valid email address you will be sent a username and password giving yo
74. at the Available Wireless Stations table includes only the stations associated with this wireless access point gt To view the attached wireless stations and to view details for a wireless station 1 Select Monitoring gt Wireless Stations The Wireless Stations screen displays Management and Monitoring 80 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Support System Rogue AP Logs Statistics Packet Capture 1DS IPS vies sranane Wireless Stations Available Wireless Stations 802 11ng MAC Address BSSID Channel Rate State AID Mode Status 10 C3 05 3C 60 68 90 ad de 4a f4 40 NETGEAR 11n QOS ERP HT open ting Assodated REFRESH DETAILS Figure 47 To update the list click Refresh If the wireless access point is rebooted the wireless station data is lost until the wireless access point rediscovers the devices To force the wireless access point to look for associated devices click Refresh The Available Wireless Stations table shows the MAC address BSSID SSID channel rate state type AID mode and status for each device For information about these and more fields see the table that follows the next figure To view details of a wireless station select the corresponding radio button and then click Details The Wireless Stations Details screen displays Wireless Stations Details MAC Address 10 C3 05 3C 60 6B BSSID 90 a4 de 4a f4 40 SSI
75. at the wireless signal and send all traffic to a remote access point Network authentication should be used to protect this communication e WMM Wi Fi Multimedia WMM is a subset of the 802 11e standard WMM allows wireless traffic to have a range of priorities depending on the kind of data Time dependent information like video or audio has a higher priority than normal traffic For WMM to function correctly wireless clients also need to support WMM Introduction 9 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 QoS Quality of Service QoS support lets you configure parameters that affect traffic flowing from the wireless access point to the client station and traffic flowing from the client station to the wireless access point The QoS settings let you prioritize traffic such as voice and video traffic so that packets do not get dropped The QoS policies let you configure classifications match clauses and apply traffic to eight priority queues based on IP precedence DSCP MAC address IP address and other information that might be present in Layer 2 and Layer 3 packet headers Wireless IDS IPS The wireless intrusion detection system IDS and intrusion prevention system IPS can detect and prevent a variety of wireless attacks Attacks are covered by preconfigured policy rules When an attack occurs the wireless access point can notify a network administrator though an email Hotspot support You
76. attacks the number of occurrences per attack and ad hoc networks This information is read only Most Recent Attacks gt To display the last 50 attacks against the wireless access point and its clients Select Monitoring gt IPS IDS gt Traps The Traps screen displays Configuration Monitoring Maintenance Support System Wireless Stations Rogue AP Logs Statistics Packet Capture gt Traps Traps gt Counters Traps 802 11ng gt Adhoc Networks j Attack Name Time Stamp IPS RF Jamming Attack Wed Aug 22 17 16 21 2012 No RF Jamming Attack Wed Aug 22 17 16 22 2012 No REFRESH Figure 56 To update the information onscreen click Refresh The following table explains the fields of the Traps screen Table 26 Traps fields Setting Description Attack Name The name of the attack that corresponds to a policy in Table 24 on page 89 Time Stamp The time that the attack occurred IPS If the IPS has prevented the attack the field displays Yes If the IPS did not prevent the attack or the IPS is not applicable to the attack the field displays No Attack Counter gt To display the number of occurrences per attacks Select Monitoring gt IPS IDS gt Counters The Counters screen displays Management and Monitoring 96 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Support System Wireless Stations Rogue AP Logs Statist
77. authentication settings Setting Description Network Authentication and Data Encryption Note The data encryption fields that display onscreen depend on your selection from the Network Authentication drop down list Open System This is the default setting Use an open system without any encryption or with WEP encryption See Configure an Open System with WEP or Shared Key with WEP on page 53 Shared Key Use WEP encryption and enter at least one shared key See Configure an Open System with WEP or Shared Key with WEP on page 53 Legacy 802 1X Configure the RADIUS server settings Encryption is not supported See Configure Legacy 802 1X on page 54 WPA with Radius Configure the RADIUS server settings and select TKIP or TKIP AES encryption See Configure WPA with RADIUS WPA2 with RADIUS and WPA amp WPA2 with RADIUS on page 55 WPA2 with Radius Configure the RADIUS server settings and select AES or TKIP AES encryption See Configure WPA with RADIUS WPA2 with RADIUS and WPA amp WPA2 with RADIUS on page 55 Note Select this setting only if all clients support WPA2 Wireless Configuration and Security 51 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 10 Profile authentication settings continued Setting Description Network Authentication and Data Encryption continued WPA amp WPA2 with Radius Con
78. ave your settings Configure the Basic Wireless Settings For proper compliance and compatibility between similar products in your coverage area you need to configure the 802 11b g n or 802 11a n wireless adapter settings correctly including the operating channel and country You also need to configure the basic wireless network settings for wireless devices to connect to your network For other wireless features including wireless security see Chapter 3 Wireless Configuration and Security A WARNING If you configure the wireless access point from a wireless computer and you change the wireless access point s SSID channel or wireless security settings you lose your wireless connection when you click Apply You then need to change the wireless settings of your computer to match the wireless access point s new settings Configure 802 11b bg ng Wireless Settings gt To configure the 802 11b g n wireless settings 1 Select Configuration gt Wireless gt Basic gt Wireless Settings The basic Wireless Settings screen displays The following figure shows the 11ng settings Installation and Basic Configuration 28 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note The radio wave icon displays next to the enabled wireless mode Configuration Monitoring Maintenance Support System IP Security Wireless Bridge IDS IPS Basic Wireless Settings gt Wireless Settings gt Wireless On
79. ble HTTP redirection http redirect url HTTP redirection URL ids ips mail gt IDS IPS mail settings mail sender Administrator superuser mail address smtp server SMTP server address amp port smtp server authentication SMTP server status username Username of the Administrator superuser password Password of the Administrator superuser 146 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 send notifications interface gt wlan gt Administrator superuser mail address Select wireless lan interface 2 4GHz gt aggregation length ampdu beacon interval channel channelwidth dtim interval fragmentation length guardinterval knownap add knownap del macacl add macacl database macacl del mcsrate mode operation mode power preamble radio fate rifs transmission rogue ap detection rts threshold lldSupport client isolation create qos policy create gos classification delete qgos policy delete gos classification security profile gt 1 gt authentication encryption hide network name keyl key2 key3 key4 keyno name presharedkey security separation ssid status vlan id wep pass phrase wepkeytype Wireless LAN interface setting 2 4 GHz wireless LAN interface setting Aggregated packet size Aggregated MAC Protocol Data Unit Wireles
80. can specify for each classification rate limiting for the wireless interface needs to be specified only once gt To specify rate limiting for the wireless interface 1 Specify rate limiting for the entire wireless interface as explained in the following table Table 35 Wireless interface rate limiting settings Setting Description Interface Rate Limiting Bits Per Sec Enter a value between 0 and 300 000 000 bps to specify the maximum data rate up to which packets are queued for transmission and sent immediately over the wireless interface This value applies to all traffic on the wireless interface Note When the maximum rate is exceeded packets are retained in the queue and sent when the transmission falls below the maximum rate again Burst Rate Bytes Enter a value between 0 and 37 500 000 bytes to specify the maximum amount of data that can be transmitted in a burst over the wireless interface This value applies to all traffic on the wireless interface 2 Click Apply to save your settings gt To modify a QoS policy 1 2 3 4 From the Create Policy drop down list select the policy that you want to modify To delete a classification select it in the Classification field and click Delete Classification To add a classification follow Step 5 through Step 7 in the procedure to configure a new QoS policy You can also change the name of the policy Click Apply to sav
81. cation Configure the IPv6 Settings Note For information about how to configure the IPv4 settings see Configure the IPv4 Settings on page 25 99 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 WARNING If you enable the DHCP client the IP address of the wireless access point changes when you click Apply causing you to lose your connection to the wireless access point You then need to use the new IP address to reconnect to the wireless access point Tip If you enable the DHCP client on the wireless access point you can discover the new IP address of the wireless access point by accessing the DHCP server on your LAN or by using a network IP address scanner application gt To configure the IPv6 settings 1 Select Configuration gt IP gt IPv6 Settings The IP Settings screen displays Configuration Monitoring Maintenance Support LOGOUT System Wireless Security Wireless Bridge IDS IPS gt IP Settings IPv6 Settings IP v6 Settings IPv6 Settings gt DHCP Server Settings DHCP Client O Enable Disable IPv6 Address 2001 21c cOff fe69 Prefix Length 64 Default Gateway Dynamic IPv6 Address Primary DNS Server Secondary DNS Server Network Integrity Check CANCEL Figure 59 2 Configure the IPv6 settings as explained in the following table Table 28 IPv6 settings Setting Description DHCP Client By default the Dynamic Host Configuration Protocol DHCP client is
82. ccess point sends a channel change frame to the legitimate clients and uses automatic channel selection to switch to a new clear channel 60 Trap Management and Monitoring 91 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 24 IDS IPS policies and policy rules continued Policy Description Policy Rule Threshold Notification RF jamming attack Attack Multiple RF transmissions 100 or more are sent to the 100 Trap wireless access point jamming the radio frequency e Result Wireless service is disrupted Note The IDS detects this attack but the IPS does not take action against this attack Virtual carrier attack Attack Multiple frames 60 or more with a large duration value 60 Trap are sent to the wireless access point e Result Wireless service is disrupted e Solution The wireless access point sends a channel change frame to the legitimate clients and uses automatic channel selection to switch to a new clear channel MAC spoofing Attack Several frames 3 or more that contain the spoofed 3 Trap MAC address of the wireless access point itself or the spoofed MAC address of a legitimate client are sent to the wireless access point e Result Wireless security might be compromised Note The IDS detects MAC spoofing but the IPS does not take action against MAC spoofing Rogue AP detection Detection A wireless access point is not in the ma
83. cept any interference received including interference that may cause undesired operation For products available in the USA market only channel 1 11 can be operated Selection of other channels is not possible Radiation Exposure Statement This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment This equipment should be installed and operated with minimum distance 23 cm between the radiator amp your body Industry Canada This device complies with RSS 210 of the Industry Canada Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference that may cause undesired operation This device has been designed to operate with an antenna having a maximum gain of 6 29dB Antenna having a higher gain is strictly prohibited per regulations of Industry Canada The required antenna impedance is 50 ohms Under Industry Canada regulations this radio transmitter may only operate using an antenna of a type and maximum or lesser gain approved for the transmitter by Industry Canada To reduce potential radio interference to other users the antenna type and its gain should be so chosen that the equivalent isotropically radiated power e i r p is not more than that necessary for successful communication IMPORTANT NOTE Radiation Exposure Statement This equipment complies
84. cess Point Informatio n Access Point Name The NetBIOS name For information about how to change the default name see Configure Basic General System Settings and Time Settings on page 23 Ethernet MAC Address The MAC address of the wireless access point s Ethernet port Wireless MAC Address The MAC address of the wireless access point s wireless card Ethernet LLDP Enabled indicates that LLDP is enabled Disabled indicates that it is not Country Region The country or region for which the wireless access point is licensed for use For information about how to change the country or region see Configure Basic General System Settings and Time Settings on page 23 Note It might not be legal to operate this wireless access point in a country or region other than one of those identified in this field Firmware Version The version of the firmware that is currently installed Serial Number The serial number of the wireless access point Current Time The current time For information about how to change the time settings see Configure Basic General System Settings and Time Settings on page 23 Current IPv4 Settings For information about how to change any of these IP settings see Configure the IPv4 Settings on page 25 IP Address The IPv4 address of the wireless access point Subnet Mask The subnet mask for the address of the wireless access point Default Gate
85. cess point list unknownaplist Unknown access point list ids ips statistics IDS IPS statistics ids ips thresholds IDS IPS thresholds ids ips traps IDS IPS trap list qos policies Q0S policy list 5GHz gt 5GHz wlan interface settings configuration Interface configuration statistics Interface statistics stationlist Station list trusted stationlist Trusted station list knownaplist Known access point list unknownaplist Unknown access point list ids ips statistics IDS IPS statistics ids ips thresholds IDS IPS thresholds ids ips traps IDS IPS trap list qos policies 00S policy list Command Line Reference 159 log gt system time ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 System log System setting System time settings Command Line Reference 160 Notification of Compliance NETGEAR Dual Band Wireless Regulatory Compliance Information This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices Failure of the end user to comply with the applicable requirements may result in unlawful operation and adverse action against the end user by the applicable National regulatory authority Note This product s firmware limits operation to only the channels allowed in a particular Region or Country Therefore all op
86. ciation 802 11b Radio 802 11bg Radio or 802 11ng Radio 802 11na Radio or 802 11a Radio The number of associated clients connected to the radio in the configured wireless modes Enable Rogue AP Detection and Monitor Access Points Enable and Configure Rogue AP Detection e View and Save Access Point Lists Enable and Configure Rogue AP Detection The wireless access point can detect rogue access points and prevent them from connecting to the wireless access point The wireless access point maintains a list of access points it detects in the area Initially all detected access points are displayed in the Unknown AP List You restrict communication to approved access points by adding them to the Known AP List and enabling the rogue AP detection feature If you enable rogue AP detection the wireless access point continuously scans the wireless network and collects information about all access points on its channel gt To enable and configure rogue AP detection 1 Select Configuration gt Security gt Advanced gt Rogue AP The Rogue AP screen displays The following figure shows examples in the Known AP List and Unknown AP List Management and Monitoring 85 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 T Configuration Monitoring Maintenance Support System IP Wireless Wireless Bridge IDS IPS gt Profile Settings Rogue AP Y Advanced Rogue AP 3 Rogue AP gt MAC Authent
87. computers have a wireless link to the wireless access point If you have enabled the DHCP server on the wireless access point verify that your computers are able to obtain an IP address through DHCP from the wireless access point 3 Verify network connectivity by using a browser such as Internet Explorer 6 0 or later or Mozilla Firefox 1 5 or later to browse the Internet or check for file and printer access on your network Note If you have trouble connecting to the wireless access point see Chapter 6 Troubleshooting Installation and Basic Configuration 34 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 NETGEAR recommends that you complete the following tasks before you deploy the wireless access point in your network e Configure wireless security and other wireless features as described in Chapter 3 Wireless Configuration and Security e Configure any additional features that you might need as described in Chapter 4 Management and Monitoring and Chapter 5 Advanced Configuration After you have completed the configuration of the wireless access point you can reconfigure the computer that you used for this process back to its original TCP IP settings Mount the Wireless Access Point e Ceiling Installation e Wall Installation e Desk Installation Note NETGEAR recommends that you review the information in Wireless Equipment Placement and Range Guidelines on page 17 before you mount the wireless access
88. configure the RADIUS server settings see Configure RADIUS Server Settings on page 57 Wireless Configuration and Security 60 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 5 Click Refresh to refresh the Available Wireless Stations table The wireless access point places the MAC addresses of the attached wireless stations in this table 6 Populate the Trusted Wireless Stations table by one of the following methods e Select MAC addresses from the Available Wireless Stations table a Select individual check boxes for MAC addresses or select all MAC addresses by selecting the check box in the heading b Click Move to transfer the MAC addresses from the Available Wireless Stations table to the Trusted Wireless Stations table e Enter MAC addresses manually a Enter a MAC address directly in the Trusted Wireless Stations table b Click Add To delete a MAC address from the Trusted Wireless Stations table select individual check boxes for MAC addresses or select all MAC addresses by selecting the check box in the heading and then click Delete 7 Click Apply to save your settings Now only devices in the Trusted Wireless Stations table are allowed to connect to the wireless access point over a wireless connection A WARNING When configuring the wireless access point from a wireless computer whose MAC address is not on the access control list you lose your wireless connection when you click Apply Y
89. cribes some of the key features The chapter includes the following sections About the ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 What Is in the Box System Requirements Key Features and Standards Hardware Description Register the Wireless Access Point Note For more information about the topics covered in this manual visit the Support website at http support netgear com Note Firmware updates with new features and bug fixes are made available from time to time at downloadcenter netgear com Some products can regularly check the site and download new firmware or you can check for and download new firmware manually If the features or behavior of your product do not match what is described in this guide you might need to update your firmware About the ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 The ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 going forward in this manual referred to as the wireless access point is a powerful building block of a wireless LAN infrastructure It provides either 2 4 GHz 802 11b g n or 5 GHz 802 11a n connectivity between wired Ethernet networks and radio equipped wireless notebook systems desktop systems print servers and other devices Support for three transmit radio ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 chains and three receive radio chains also referred to as 3x3 multiple input multiple output
90. ct press and hold the Reset button for about 5 seconds until the Test LED blinks rapidly to reset the wireless access point to factory defaults settings Note Pressing the Reset button for a shorter time simply causes the wireless access point to reboot 2 Release the Reset button During the restoration process the wireless access point automatically restarts The restoration process typically takes about 1 minute When the Test LED turns off wait a few more seconds before doing anything with the wireless access point Reboot the Wireless Access Point without Restoring the Default Configuration If you do not have physical access to the wireless access point to switch it off and on again you can use the software to reboot the wireless access point gt To reboot the wireless access point 1 Select Maintenance gt Reset gt Reboot AP The Reboot AP screen displays Configuration Monitoring Maintenance Support Password i Remote Management Upgrade Reboot AP Reboot AP gt Restore Defaults Reboot AP Reboot Ores No CANCEL APPLY Figure 42 2 Select the Yes radio button By default the No radio button is selected 3 Click Apply to reboot the wireless access point Management and Monitoring 73 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 The reboot process typically takes about 1 minute When the Test LED turns off wait a few more seconds before doing anything with the wi
91. ct from the Network Authentication drop down list and are shown in the table that follows the figures e WPA PSK Authentication Settings Network Authentication WPA PSK Data Encryption TKIP v WPA Passphrase Network Key inlet Show Passphrase in Clear Text No O Yes Figure 27 e WPA2 PSK Authentication Settings Network Authentication WPA2 PSK Data Encryption AES v WPA Passphrase Network Key OONO GRN Show Passphrase in Clear Text No O Yes Figure 28 Wireless Configuration and Security 56 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 e WPA PSK amp WPA2 PSK Authentication Settings Network Authentication WPA PSK amp WPA2 PSK Data Encryption TKIP AES WPA Passphrase Network Key GO MSS I Show Passphrase in Clear Text No O Yes Figure 29 Table 13 Settings for WPA PSK WPA2 PSK and WPA PSK amp WPA2 PSK Setting Descriptions Data Encryption TKIP Temporal Key Integrity Protocol TKIP is the standard encryption method used with WPA You can also use TKIP with WPA2 Note TKIP provides only legacy slower rates of operation NETGEAR recommends WPA2 authentication with AES encryption if you want to use the 11n rates and speed AES Advanced Encryption Standard AES is the standard encryption method used with WPA2 Note Although some wireless clients might support AES with WPA the WNDAP620 wireless access point does not support WPA with AES
92. d Setting Descriptions 11a mode only Data Rate From the drop down list select the transmit data rate of the wireless network The default setting is Best For a list of all options that you can select from in 11a mode see Factory Default Settings on page 142 Output Power From the drop down list select the transmission power of the wireless access point Full Half Quarter Eighth Minimum The default is Full Note Increasing the power improves performance but if two or more wireless access points are operating in the same area and on the same channel interference can occur Note Make sure that you comply with the regulatory requirements for total radio frequency RF output power in your country 6 Click Apply to save your settings and enable the selected wireless mode Note For information about how to configure advanced wireless settings see Configure Advanced Wireless Settings on page 107 Test Basic Wireless Connectivity After you have configured the wireless access point as explained in the previous sections test the computers on your LAN for wireless connectivity before you position and mount the wireless access point at its permanent position gt To test for wireless connectivity 1 Configure the 802 11b g n or 802 11a n wireless adapters of your computers so that they all have the same SSID and channel that you have configured on the wireless access point 2 Verify that your
93. d Best Effort Assured Forwarding Class 1 Low Assured Forwarding Class 1 Medium Assured Forwarding Class 1 High Assured Forwarding Class 2 Low Assured Forwarding Class 2 Medium Assured Forwarding Class 2 High Assured Forwarding Class 3 Low Assured Forwarding Class 3 Medium Assured Forwarding Class 3 High Assured Forwarding Class 4 Low Assured Forwarding Class 4 Medium Assured Forwarding Class 4 High Class Selector 1 e Class Selector 2 e Class Selector 3 e Class Selector 4 e Class Selector 5 e Class Selector 6 e Class Selector 7 Expedited Forwarding IP Protocol119 Traffic is matched against value 119 in the IP protocol field in the IP header Advanced Configuration 114 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 33 QoS classification settings continued Setting Description Match Frame Fields and Match Classifications continued 802 1P From the Match Classifications drop down list select the CoS priority value against which the information in the IP header needs to be matched Routine 0 e Priority 1 Immediate 2 e Flash 3 Flash Override 4 e Critic CCP 5 Inter Control 6 e Network Control 7 IP Protocol In the Match Classifications field enter the IP protocol value against which the information in the IP header needs to be matched A list of pro
94. d 802 11 packets detected EAPOL Start Attack EAPOL Logoff Attack Premature EAP Failure Attack Figure 54 2 Select the Enable radio button By default the IDS IPS is disabled 3 Specify the detection policy by making a selection from the IDS IPS Detection Policy drop down list e Mild The wireless access point scans for attacks every 10 seconds e Moderate The wireless access point scans for attacks every 5 seconds This is the default setting e Aggressive The wireless access point scans for attacks every second 4 Optional Click a policy name to display the policy rules that are stated next to the policy in the table IDS IPS policy rules are not configurable 5 Optional Clear check boxes for policies that you want to disable By default the check box next to Select Policy in the table heading is selected and all IDS IPS policies are enabled 6 Click Apply to save your settings Management and Monitoring 94 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configure Wireless Intrusion Detection and Prevention Mail Settings For the IDS IPS to send a notification according to the policy rule you need to configure the email settings To configure IDS IPS email settings 1 Select Configuration gt IDS IPS Mail Settings The IDS IPS Mail Settings screen displays T Configuration Monitoring Maintenance Support tocour System IP Wireless Security Wireless Bridge gt IDS IPS IDS
95. d Configure WPA PSK WPA2 PSK and WPA PSK amp WPA2 PSK on page 56 Security Profiles e Before You Change the SSID WEP and WPA Settings e Configure and Enable Security Profiles Security profiles let you configure unique security settings for each SSID on each radio of the wireless access point For each radio the wireless access point supports up to eight security profiles BSSIDs that you can configure on the individual Edit Wireless Network screens that are accessible from the Edit Security Profile screen see Configure and Enable Security Profiles on page 48 Wireless Configuration and Security 44 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 To set up a security profile select its network authentication type data encryption wireless client security separation and VLAN ID Network authentication The wireless access point is set by default as an open system with no authentication When you configure network authentication bear in mind that not all wireless adapters support WPA or WPA2 Windows XP Windows 2000 with Service Pack 3 and Windows Vista do include the client software that supports WPA However client software is required on the client Consult the product documentation for your wireless adapter and WPA or WPA2 client software for instructions about how to configure WPA2 settings For information about the types of network authentication that the wireless access point supports see Configu
96. d authentication Choose the key size by circling one 64 128 or 152 bits Choose the authentication type by circling one open system or shared key Passphrase Note If you select shared key the other devices in the network cannot connect unless they are set to shared key and have the same keys in the same positions as those in the wireless access point WPA PSK pre shared key and WPA2 PSK Record the WPA PSK passphrase WPA PSK passphrase Record the WPA2 PSK passphrase WPA2 PSK passphrase WPA RADIUS settings For WPA record the following settings for the primary and secondary RADIUS servers Server name IP address Primary Secondary Port Shared secret WPA2 RADIUS settings For WPA2 record the following settings for the primary and secondary RADIUS servers Server name IP address Primary Secondary Port Shared secret Wireless Configuration and Security 46 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Form for 802 11a an Modes Print this page and store the security information in a safe place SSID The service set identifier SSID identifies the wireless local area network You can customize it by using up to 32 alphanumeric characters Write your SSID on the line SSID The SSID in the wireless access point is the SSID you configure on the wireless adapter card All wireless nodes in the same network need to be configured with the same SSID
97. ddikjara li dan Radiolan jikkonforma mal htigijiet essenzjali u ma provvedimenti ohrajn relevanti li hemm fid Dirrettiva 1999 5 EC Magyar Hungarian Alul rott NETGEAR Inc nyilatkozom hogy a Radiolan megfelel a vonatkoz alapvet6 k vetelm nyeknek s az 1999 5 EC ir nyelv egy b eldirasainak Polski Polish Niniejszym NETGEAR Inc o wiadcza e Radiolan jest zgodny z zasadniczymi wymogami oraz pozosta ymi stosownymi postanowieniami Dyrektywy 1999 5 EC Portugu s NETGEAR Inc declara que este Radiolan est conforme com os requisitos essenciais e Portuguese outras disposi es da Directiva 1999 5 CE Slovensko NETGEAR Inc izjavlja da je ta Radiolan v skladu z bistvenimi zahtevami in ostalimi Slovenian relevantnimi dolo ili direktive 1999 5 ES Slovensky NETGEAR Inc t mto vyhlasuje e Radiolan spliia z kladn po iadavky a v etky Slovak pr slu n ustanovenia Smernice 1999 5 ES Suomi Finnish NETGEAR Inc vakuuttaa t ten ett Radiolan tyyppinen laite on direktiivin 1999 5 EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen Svenska Swedish H rmed intygar NETGEAR Inc att denna Radiolan st r verensst mmelse med de v sentliga egenskapskrav och vriga relevanta best mmelser som framg r av direktiv 1999 5 EG Notification of Compliance 162 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 islensk
98. ding VLAN 0 to HW filter on devi kernel brtrunk port 2 wifiOvapO entering liste kernel brtrunk port 2 wifiOvapO entering learn kernel brtrunk topology change detected propag kernel brtrunk port 2 wifiOvapO entering forwa kernel wifiOvapO no IPv6 routers present 6 6 6 6 6 6 6 6 6 6 REFRESH CLEAR SAVE AS Figure 49 2 Click Save As to save the log contents to a file on your computer or to a disk drive To update the display onscreen click Refresh to clear the log content click Clear Traffic Statistics The Statistics screen displays information for both wired LAN and wireless WLAN network traffic gt To display the Statistics screen Select Monitoring gt Statistics Management and Monitoring 83 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Support System Wireless Stations Rogue AP Logs Packet Capture IDS IPS Statistics Statistics Wired Ethernet Received Transmitted aE 10006 5735 Bytes 1460918 15678585 Wireless 802 11ng eal Received Transmitted Unicast Packets o 699 Broadcast Packets o Multicast Packets o Total Packets 699 Total Bytes 156576 Client Association pire a ee Number of Associated Clients 802 11ng Radio o REFRESH Figure 50 To update the statistics information click Refresh The following table explains the fields of the Statistics screen Table 21
99. dress enter an unused IP address from the address range used on your LAN or enable DHCP the server IP Subnet Mask Enter the network number portion of an IP address Unless you are implementing subnetting enter 255 255 0 0 as the subnet mask Default Gateway Enter the IP address of the ISP gateway to which the wireless access point connects Primary DNS Server Enter the IP address of the primary and secondary DNS servers A DNS server is a host on the Internet that translates Internet names such as www netgear com to numeric IP addresses Typically your ISP transfers the IP address of one or two DNS servers to your wireless access point during login If Secondary DNS Server the ISP does not transfer an address you need to obtain it from the ISP and enter it manually in this field Network Integrity Check Select this check box to validate that the upstream link is active before allowing wireless associations Ensure that the default gateway is configured 3 Click Apply to save your settings Installation and Basic Configuration 26 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configure the Optional DHCPv4 Server The wireless access point provides a built in DHCPv4 server for wireless clients only which can be especially useful in small networks When the DHCP server is enabled the wireless access point provides preconfigured TCP IP configurations to all connected wireless stati
100. e authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 8 gt 8th security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id Command Line Reference 155 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 wep pass phras Wireless wep passphrase key wepkeyt
101. e SNMP management supports SNMP MIB I MIB II 802 11 MIB and proprietary configuration MIB Maximum clients Limited by the amount of wireless network traffic generated by each node a maximum of 128 clients is supported Status LEDs e Power Test LED e Link speed LED e Ethernet LAN e Wireless LAN 2 4 GHz and 5 GHz Electrical and Physical Specifications Power adapter 12 VDC 1A plug is localized to country of sale Physical specifications e Dimensions h x w x d 253 75 x 253 75 x 54 76 mm 10 0 x 10 0 x 2 16 in e Weight 1 5 kg 3 31 Ib Environmental specifications Operating temperature 0 to 55 C 32 to 131 F Operating humidity 10 9 noncondensing Compliance Note For more information about compliance see Appendix C Notification of Compliance Electromagnetic compliance e FCC Part 15 SubPart B e FCC Part 15 SubPart C e FCC Part 15 SubPart E e CE e C TICK Supplemental Information 141 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Factory Default Settings You can use the Reset button located on the rear of the wireless access point to reset all settings to their factory defaults This is called a hard reset To perform a hard reset use a sharp object to press and hold the Reset button for approximately 5 seconds until the Test LED blinks rapidly This returns the wireless access point to the factory configuration settings
102. e following table Table 37 Point to multipoint bridge profile and authentication settings Setting Description Profile Definition Profile Name Enter a profile name that is easy to remember The default names for the four security profiles are NETGEAR WDS 1 NETGEAR WDS 2 NETGEAR WDS 3 and NETGEAR WDS 4 Remote MAC Address Enter the MAC address of the remote wireless access point the MAC address of AP2 or AP 3 on LAN Segment 1 in Figure 70 on page 122 Authentication Setting sS Network Authentication and Data Encryption From the Network Authentication drop down list select Open System WPA PSK or WPA2 PSK Your selection determines the options that the Data Encryption drop down list provides and whether the WPA Passphrase Network Key field displays Open System Although you can use the bridge communication without any authentication and encryption NETGEAR recommends that you use WEP if you do select an open system From the Data Encryption drop down list select one of the following None No authentication and encryption e 64 bit WEP Standard WEP encryption using 40 64 bit encryption e 128 bit WEP Standard WEP encryption using 104 128 bit encryption e 152 bit WEP Proprietary WEP encryption mode using 128424 bit encryption This mode functions only with other wireless stations that support this mode WPA PSK TKIP Temporal Key Integrity Protocol is the
103. e policy rules are not configurable All thresholds are measured over a short period For the IDS IPS to send a notification according to the policy rule you first need to configure the email settings see Configure Wireless Intrusion Detection and Prevention Mail Settings on page 95 Table 24 IDS IPS policies and policy rules Policy Description Policy Rule Threshold Notification Authentication flood Attack Multiple authentication requests 5 or more that use spoofed MAC addresses of legitimate clients are sent to the wireless access point Result The client association table overflows causing authentication requests from legitimate clients to be denied Solution The oldest clients that are stuck in the authentication phase are removed from the table 5 Trap Association flood Attack Multiple association requests 5 or more that use spoofed MAC addresses of legitimate clients are sent to the wireless access point Result The client association table overflows causing association requests from legitimate clients to be denied Solution The oldest associations are removed from the table Trap Management and Monitoring 89 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 24 IDS IPS policies and policy rules continued Policy Description Policy Rule Threshold Notification Unauthenticated association Attack Mu
104. e radio lectriquea l intention des autres utilisateurs il faut choisir le type d antenne et son gain de sorte que lapuissance isotrope rayonn e quivalente p i r e ne d passe pas l intensit n cessaire al tablissement d une communication satisfaisante NOTE IMPORTANTE D claration d exposition aux radiations Cet quipement est conforme aux limites d exposition aux rayonnements IC tablies pour un environnement non contr l Cet quipement doit tre install et utilis avec un minimum de 23 cm de distance entre la source de rayonnement et votre corps Notification of Compliance 164 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Avertissement Les dispositifs fonctionnant dans la bande 5150 5250 MHz sont r serv s uniquement pour une utilisation a l int rieur afin de r duire les risques de brouillage pr judiciable aux syst mes de satellites mobiles utilisant les m mes canaux De plus les utilisateurs devraient aussi tre avis s que les utilisateurs de radars de haute puissance sont d sign s utilisateurs principaux c a d qu ils ont la priorit pour les bandes 5250 5350 MHz et 5650 5850 MHz et que ces radars pourraient causer du brouillage et ou des dommages aux dispositifs LAN EL Detachable Antenna Usage This device has been designed to operate with a Dipole antenna with a maximum gain of 5dBi An antenna having a higher gain is strictly prohibited per regulations of Industry Ca
105. e radio button c Select the Enable Wireless Client Association check box to enable wireless client association Note If you do not select the Enable Wireless Client Association check box the wireless access point does not function in point to multipoint bridge but in repeater mode d If the correct profile names and security options are displayed in the table select the check boxes in the Enable column for all security profiles that you want to enable e Click Apply on the Bridging screen to activate your point to multipoint bridge settings Configure AP2 on LAN Segment 2 see Figure 70 on page 122 in point to point bridge mode with the remote MAC address of AP1 Configure AP3 on LAN Segment 3 see Figure 70 on page 122 in point to point bridge mode with the remote MAC address of AP1 Verify the following for all wireless access points e Only AP1 on LAN Segment 1 is configured in point to multipoint bridge mode and all others APs are configured in point to point bridge mode e AP2 and AP3 the point to point APs have AP1 s MAC address in their Remote MAC Address field All APs are on the same LAN that is the LAN IP addresses of all APs are in the same network as the LAN devices e If you use DHCP all wireless access points can obtain IP addresses automatically as DHCP clients For more information see Configure the Optional DHCPv4 Server on page 27 or Configure the Optional DHCPv6 Server on page 101 e All wirel
106. e stored in the configuration file You can save this file back it up to a computer restore it from a computer or reset it to factory default settings Save the Configuration gt To save your settings 1 Select Maintenance gt Upgrade gt Backup Settings The Backup Settings screen displays see the following figure 2 Click Backup Your browser extracts the configuration file the file name is config from the wireless access point and prompts you for a location on your computer to store the file 3 Follow the instructions of your browser to save the file Configuration Monitoring Maintenance Support Password Reset Remote Management Seneare Backup Settings Upgrade cinneware Backup Settings Upgrade TFTP gt Backup Settings Restore Settings CANCEL APPLY Figure 39 Backup a copy of the current settings to a file BACKUP Management and Monitoring 70 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Restore the Configuration IMPORTANT During the restoration process do not try to go online turn off the wireless access point shut down the computer or do anything else to the wireless access point until it finishes restarting gt To restore your settings from a saved configuration file 1 Select Maintenance gt Upgrade gt Restore Settings The Restore Settings screen displays Configuration Monitoring Maintenance Support Password Reset Remote
107. e the 802 11b 11bg or 11ng wireless settings and the 802 11a or 11na wireless settings as described in Chapter 2 Installation and Basic Configuration The wireless access point functions with an Ethernet LAN connection Make sure that you have verified wireless connectivity before you set up wireless security and additional wireless features A WARNING If you are configuring the wireless access point from a wireless computer and you change the wireless access point s SSID channel or wireless security settings you lose your wireless connection when you click Apply You then need to change the wireless settings of your computer to match the wireless access point s new settings Wireless Data Security Options Indoors computers can connect over 802 11n wireless networks at a maximum range of 300 feet Typically a wireless access point inside a building works best with devices within a 100 foot radius Such distances can allow for others outside your immediate area to access your network 42 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Unlike wired network data your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter For this reason use the security features of your wireless equipment The wireless access point provides highly effective security features that are covered in detail in this chapter Deploy the security features appropriate to your n
108. e your settings gt To delete a QoS policy 1 From the Create Policy drop down list select the policy that you want to delete 2 Click Delete Policy 3 Click Apply to save your settings Advanced Configuration 117 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configure Wireless Bridging Configure a Point to Point Wireless Network Configure a Point to Multipoint Wireless Network Configure the Wireless Access Point to Repeat the Wireless Signal Using Point to Multipoint Bridge Mode The wireless access point supports a wireless distributing system WDS that lets you build large bridged wireless networks You can select from the following wireless access point modes Wireless point to point bridge In this mode the wireless access point can communicate with another bridge mode wireless station and as an option also with wireless clients Use WEP WPA PSK or WPA2 PSK to secure the communication For information about how to configure this mode see Configure a Point to Point Wireless Network on page 118 Wireless point to multipoint bridge In this mode the wireless access point is the master for a group of bridge mode wireless stations As an option the wireless access point can also communicate with wireless clients You can configure up to four profiles The other bridge mode wireless stations need to be set to point to point bridge mode using the MAC address of the master wireless access p
109. eed to be made on other screens Management and Monitoring 77 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 gt To view the System screen Select Monitoring gt System Configuration Monitoring Maintenance Wireless Stations Rogue AP Logs gt System System Access Point Information Statistics Support Packet Capture IDS IPS Access Point Name Ethernet MAC Address Wireless MAC Address Ethernet LLDP Country Region Firmware Yersion Serial Number Current Time Current IPv4 Settings netgear44F448 90 44 DE 4A F4 48 90 44 DE 48 F4 40 Enabled United States WNDAP660_BETA_v2 9 4 1234567891236 Wed Aug 8 14 02 54 PDT 2012 IPv4 Address Subnet Mask Default Gateway DHCP Client Current IPv6 Settings 192 168 100 69 255 255 255 0 192 168 100 1 Enabled IPv6 Address Prefix Length Dynamic IPv6 Address Default Gateway LAN IPv6 Link Local Address DHCP Client 2001 21c cOff fe69 64 64 2001 21c cOff fe69 64 2001 21c cOff fe69 64 fe80 92a4 deff fe4s f448 64 Disabled Current Wireless Settings for 802 11ng Access Point Mode Channel Frequency Rogue AP Detection Figure 46 Access Point Auto 1 Enabled Management and Monitoring ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 The following table ex plains the fields of the System screen Table 19 System screen fields Setting Description Ac
110. eeds Wireless Data Security Options RS Range Up to 500 feet RADIUS i e Iit 4 s laid gA 1 No security Easy but no security 2 MAC Access List No data security 3 WEP Secure but vulnerable 4 WPA or WPA PSK Strong security 5 WPA2 or WPA2 PSK Very strong security Figure 17 There are several ways you can enhance the security of your wireless network e Use multiple BSSIDs combined with VLANs You can configure combinations of VLANS and BSSIDs security profiles with stronger or less restrictive access security according to your requirements For example visitors could be given wireless Internet access but be excluded from any access to your internal network For information about how to configure BSSIDs see Configure and Enable Security Profiles on page 48 e Restrict access based by MAC address You can allow only trusted devices to connect so that unknown devices cannot wirelessly connect to the wireless access point Restricting access by MAC address adds an obstacle against unwanted access to your network but the data broadcast over the wireless link is fully exposed For information about how to restrict access by MAC address see Restrict Wireless Access by MAC Address on page 60 Turn off the broadcast of the wireless network name SSID If you disable broadcast of the SSID only devices that have the correct SSID can connect This nullifies the wireless network discovery feature of some prod
111. efine RADIUS server settings For information about RADIUS servers see Configure RADIUS Server Settings on page 57 When you select Legacy 802 1X from the Network Authentication drop down list the Data Encryption drop down list is automatically set to None To use legacy 802 1X security you need to define the RADIUS servers only Wireless Configuration and Security 54 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Authentication Settings Network Authentication Legacy 802 1x Data Encryption None v Figure 23 Configure WPA with RADIUS WPA2 with RADIUS and WPA amp WPA2 with RADIUS WPA WPA2 and WPA amp WPA2 security requires RADIUS based 802 1x authentication so you also need to define RADIUS server settings For information about RADIUS servers see Configure RADIUS Server Settings on page 57 The selections that are available from the Data Encryption drop down list depend on the type of WPA authentication that you select from the Network Authentication drop down list and are shown in the table that follows the figures e WPA with RADIUS Authentication Settings Network Authentication WPA with Radius Data Encryption TKIP v Figure 24 e WPA2 with RADIUS Authentication Settings Network Authentication WPA2 with Radius Data Encryption AES v Figure 25 WPA amp WPA2 with RADIUS Authentication Settings Network Authentication WPA amp WPA2 with Radius Data Encrypti
112. entication with AES encryption if you want to use the 11n rates and speed h Click Apply to save your security profile settings The Bridging screen displays again i If the correct profile name and security option are displayed in the table select the check box in the Enable column j Click Apply on the Bridging screen to save your point to point bridge settings Configure a second wireless access point AP2 on LAN Segment 2 see Figure 67 on page 119 in point to point bridge mode AP1 needs to have AP2 s MAC address in its Remote MAC Address field and AP2 needs to have AP1 s MAC address in its Remote MAC Address field Verify the following settings for both wireless access points e Both wireless access points are configured to operate in the same LAN network address range as the LAN devices e Both wireless access points use the same channel authentication mode and security settings Verify connectivity across the LAN 1 and LAN 2 Advanced Configuration 121 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 A computer on either LAN segment should be able to connect to the Internet or share files and printers of any other computers or servers connected to LAN Segment 1 or LAN Segment 2 Configure a Point to Multipoint Wireless Network In a point to multipoint bridge the wireless access point is the master for a group of bridge mode wireless access points All traffic is sent to
113. er source and then plug it in again Make sure that optional external antennas are tightly connected to the wireless access point Contact NETGEAR technical support if the WLAN LED remains off Troubleshooting 133 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 You Cannot Access the Internet or the LAN from a Wireless Capable Computer There is a configuration problem gt Check these items You might not have restarted the computer with the wireless adapter to allow TCP IP changes take effect Restart the computer The computer with the wireless adapter might not have the correct TCP IP settings to communicate with the network Restart the computer and check that TCP IP is set up correctly for that network In Windows the usual setting for Network Properties is to obtain an IP address automatically The wireless access point s default values might not work with your network Check the wireless access point s default configuration against the configuration of other devices in your network Make sure that the SSID network authentication and data encryption settings of the computer with the wireless adapter are the same as those of the wireless access point Ping the IP address of the wireless access point to verify that there is a wireless connection between the computer with the wireless adapter and the wireless access point If the ping fails check the network configuration for the wireless access p
114. erver secondary sharedsecret Secondary authentication server shared secret reauthentication time update global key update global key interval radiusv6 gt Radiusv4 settings accounting server primary Primary accounting server accounting server primary port Primary accounting server port accounting server primary sharedsecret Primary accounting server shared secret accounting server secondary Secondary accounting server accounting server secondary port Secondary accounting server port accounting server secondary sharedsecret Secondary accounting server shared secret authentication server primary Primary authentication server authentication server primary port Primary system accounting server shared secret authentication server primary sharedsecret Primary authentication server shared secret authentication server secondary Secondary authentication server authentication server secondary port Secondary authentication server port authentication server secondary sharedsecret Secondary authentication server shared secret reauthentication time update global key update global key interval remote gt Remote access settings ssh Enable remote access via SSH telnet Enable remote access via Telnet snmp gt SNMP settings description SNMP system description read community SNMP ReadCommunity snmp status SNMP status trap community SNMP ReadComm
115. es to the syslog server gt To enable a syslog server 1 Select Configuration gt System gt Advanced gt Syslog The Syslog screen displays Management and Monitoring 76 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 T Configuration Monitoring Maintenance Support IP Wireless Security Wireless Bridge IDS IPS Basic Syslog Advanced gt General Hotspot Enable Syslog gt Syslog Syslog Server IP Address gt Ethernet LLDP Port Number User Accounts CANCEL APPLY Figure 45 Syslog Settings Specify the settings as explained in the following table Table 18 Syslog settings Setting Description Enable Syslog Select the check box to enable the syslog option By default the syslog option is disabled Syslog Server IP Address Enter the IP address of the syslog server to which the wireless access point sends the syslog files Port Number Enter the port number that is configured on the syslog server The default port number is 514 2 Click Apply to save your settings Monitor the Wireless Access Point e View System Information e Monitor Wireless Stations e View the Activity Log e Traffic Statistics View System Information The System screen provides a summary of the current wireless access point configuration settings including current IP settings and current wireless settings This information is read only so any changes n
116. ess access points use the same channel authentication mode and security settings Verify connectivity across the LANs A computer on any LAN segment should be able to connect to the Internet or share files and printers with any other devices or servers connected to any of the three LAN segments Advanced Configuration 125 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note You can extend this multipoint bridging configuration by adding additional wireless access points that are configured in point to point mode for each additional LAN segment Furthermore you can extend the range of the wireless network with NETGEAR wireless antenna accessories Configure the Wireless Access Point to Repeat the Wireless Signal Using Point to Multipoint Bridge Mode You can configure the wireless access point to repeat the wireless signal without communication with other wireless clients All traffic is sent to the remote or downstream wireless access point You can configure up to four security profiles to enable the wireless access point to repeat the wireless signal for four remote wireless access points Each security profile requires a unique name and needs to include the MAC address of the remote wireless access point You can configure up to four such security profiles NETGEAR WDS 1 NETGEAR WDS 2 and so on The following figure shows an example in which AP1 AP2 and AP3 repeat the wireless signal in point to multipoin
117. et cable from the wireless access point to the computer point A in the following figure Securely insert the other end of the cable into the wireless access point s Ethernet port point B in the following figure Installation and Basic Configuration 20 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Ethernet cable Figure 7 5 Turn on your computer 6 Connect the power adapter to the wireless access point Tip The wireless access point supports Power over Ethernet PoE If you have a switch that provides PoE you do not need to use the power adapter to power the wireless access point Using PoE can be especially convenient when the wireless access point is installed in a high location far away from a power outlet 7 Verify the following O 2 4 Ghz 5 Ghz Power Test LED The Power Test LED blinks when the wireless access point is first turned on To be exact during startup the LED is first steady amber then goes off and then blinks green After about 45 seconds the LED should stay lit steady green If after 1 minute the Power Test LED is not lit or is still blinking check the connections and see if the power outlet is controlled by a wall switch that is turned off Active LED The Active LED is lit or blinks green when there is Ethernet traffic LAN LED The LAN LED indicates the LAN speed green for 1000 Mbps amber for 100 Mbps and no light for 10 Mbps If the LAN LED is
118. ey security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 6 gt 6th security profile authentication Wireless authentication type Command Line Reference 154 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 7 gt 7th security profil
119. eytype Wireless wep key type 2 gt 2nd security profile authentication Authentication type encryption Data encryption name Profile name presharedkey Preshared key remote mac Remote MAC status Profile status wep pass phrase Wireless wep passphrase key wepkey Wireless wep key wepkeytype Wireless wep key type 3 gt 3rd security profile authentication Authentication type encryption Data encryption name Profile name presharedkey Preshared key remote ma Remote MAC status Profile status wep pass phrase Wireless wep passphrase key wepkey Wireless wep key wepkeytype Wireless wep key type 4 gt 4th security profile authentication Authentication type Command Line Reference 151 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 encryption name presharedkey remote mac status wep pass phrase wepkey wepkeytype wmm gt ap data0 best effort ap datal background ap data2 video ap data3 voice powersave station data0 best effort station datal background station data2 video station data3 voice support 5GHz gt aggregation length ampdu beacon interval channel channelwidth dtim interval fragmentation length guardinterval knownap add knownap del macacl adqd macacl database macacl del mcsrate mode operation mode
120. f default gateway Enable dhcpv4 client IPv4 address Set host IPv6 of DNS server Host IPv6 address Command Line Reference 157 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 default gateway IPv6 address of default gateway Enable dhcpv6 client IPv6 address of DNS server dhcep client dns server network integrity check log gt Syslog Enable Syslog setting syslog status syslog client syslog server ip server IP address syslog server port Syslog server port number lldp status Enable Disable LLDP radiusv4 gt Radiusv4 settings accounting server primary Primary accounting server accounting server primary port Primary accounting server port accounting server primary sharedsecret Primary accounting server shared secret accounting server secondary Secondary accounting server accounting server secondary port Secondary accounting server port accounting server secondary sharedsecret Secondary accounting server shared secret authentication server primary Primary authentication server authentication server primary port Primary system accounting server shared secret authentication server primary sharedsecret Primary authentication server shared secret authentication server secondary Secondary authentication server authentication server secondary port Secondary authentication server port authentication s
121. fe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Install and Configure the Wireless Access Point Install and configure your wireless access point in the order of the following sections oe ee 6 Connect the Wireless Access Point to a Computer Log In to the Wireless Access Point Configure Basic General System Settings and Time Settings Configure the IPv4 Settings Configure the Optional DHCPv4 Server Configure the Basic Wireless Settings Before installing the wireless access point make sure that your Ethernet network functions After you have connected the wireless access point to the Ethernet network computers with either 802 11b g n or 802 11a n wireless adapters are able to communicate with the Ethernet network For this to work correctly verify that you have met all the system requirements shown in System Requirements on page 8 Connect the Wireless Access Point to a Computer Tip Before you place the wireless access point in an elevated position that is difficult to reach first set up and test the wireless access point to verify wireless network connectivity gt To set up the wireless access point f 2 Unpack the box and verify the contents Prepare a computer with an Ethernet adapter If this computer is already part of your network record its TCP IP configuration settings Configure the computer with a static IP address of 192 168 0 210 and 255 255 255 0 as the subnet mask Connect an Ethern
122. fferent SSID from same MAC address e Result An attack might occur or wireless security might become compromised Solution The wireless access point does not respond to probe requests that do not contain its SSID 30 Trap PS poll flood attack Attack Multiple power save PS Poll frames 50 or more are sent to the wireless access point from an address that has a spoofed MAC address of a legitimate client Result Traffic that is intended for the legitimate client is sent to the attacking address and is lost Solution PS Poll frames without a corresponding traffic indication map TIM are rejected 50 Trap Management and Monitoring 93 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 gt To enable and configure the IDS IPS 1 Select Configuration gt IDS IPS The IDS IPS screen displays T Configuration Monitoring Maintenance Support tocout System IP Wireless Security Wireless Bridge gt IDS IPS IDS IPS gt IDS IPS Mail Settings IDS IPS Policy settings 802 11b bg ng 802 1 1la na 105 1P Enable O Disable 105 1PS Detection Policy Moderate w Policy Policy Rules Authentication Flood Select Policy Threshold Noticification s p Authentication Flood Trap Association Flood Unauthenticated Assocation Assocation Table Overflow Authentication Failure Attack Deauthentication Broadcast Attack Disassociation Flood Malforrne
123. field to the right of the radio button enter a MAC address Advanced Configuration 115 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 33 QoS classification settings continued Setting Description Match Frame Source IP In the Match Classifications field enter the source IP address against Fields and Match which the information in the IP header needs to be matched Classifications continued Destination IP_ In the Match Classifications field enter the destination IP address against which the information in the IP header needs to be matched Source Port The Match Classifications field is separated into two sections In the left section enter the source port number and optionally in the right section enter the associated IP address against which the information in the IP header needs to be matched Destination The Match Classifications field is separated into two sections In the left Port section enter the destination port number and optionally in the right section enter the associated IP address against which the information in the IP header needs to be matched Apply From the Apply Classification drop down list select the traffic class that needs to be Classification applied to the packets that match the selection in the Match Classifications field Best Effort 0 e Background 1 Spare 2 Excellent 3 Control Load 4 Video lt 100 ms La
124. figure the RADIUS server setting TKIP AES encryption is the default encryption See Configure WPA with RADIUS WPA2 with RADIUS and WPA amp WPA2 with RADIUS on page 55 Note This setting allows clients to connect through either WPA with TKIP or WPA2 with AES WPA PSK Enter a WPA passphrase and select TKIP or TKIP AES encryption See Configure WPA PSK WPA2 PSK and WPA PSK amp WPA2 PSK on page 56 WPA2 PSK Enter a WPA passphrase and select AES or TKIP AES encryption See Configure WPA PSK WPA2 PSK and WPA PSK amp WPA2 PSK on page 56 Note Select this setting only if all clients support WPA2 WPA PSK amp WPA2 PSK Enter a WPA passphrase TKIP AES encryption is the default encryption See Configure WPA PSK WPA2 PSK and WPA PSK amp WPA2 PSK on page 56 Note This setting allows clients to connect through either WPA with TKIP or WPA2 with AES Wireless Client Security If you enable wireless client security separation by selecting Enable from the Separation drop down list the associated wireless clients cannot communicate with each other By default Disable is selected from the drop down list This feature is intended for hotspots and other public access situations VLAN ID Enter the VLAN ID to be associated with this wireless security profile The default VLAN ID is 1 The VLAN ID needs to match the VLAN ID that is used by the other devices in your network 6 O
125. g QoS policy delete outgoing QoSpolicyv Delete outgoing QoS policy 3 gt 5th security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 6 gt 6th security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeyty
126. haredkey remote mac status wep pass phrase wepkey wepkeytype wmm gt ap data0 best effort ap datal background ap data2 video ap data3 voice powersave station data0 best effort station datal background station data2 video station data3 voice support ipv4 gt address default gateway dhcp client dns server network integrity check ipv6 gt address Data encryption Profile name Preshared key Remote MAC Profile status Wireless wep Wireless wep Wireless wep 3rd security passphrase key key key type profile Authentication type Data encryption Profile name Preshared key Remote MAC Profile status Wireless wep Wireless wep Wireless wep 4th security passphrase key key key type profile Authentication type Data encryption Profile name Preshared key Remote MAC Profile status Wireless wep Wireless wep Wireless wep WMM settings Access point Access point Access point Access point Station best passphrase key key key type best effort voice data low priority data video data voice data effort voice data Station low priority data Station video data Station voice data 22 Set host IPv4 Host IPv4 address IPv4 address o
127. he recommended channel spacing between adjacent wireless access points is five channels for example use Channels 1 and 6 or 6 and 11 or 1 and 11 The time it takes to establish a wireless connection can vary depending on both your security settings and placement WEP connections can take slightly longer to establish Also WEP encryption can consume more battery power on a notebook computer Ethernet Cabling Requirements The wireless access point connects to your LAN using twisted pair Category 5 Ethernet cable with RJ 45 connectors LAN Configuration Requirements For the initial configuration of your wireless access point you need to connect a computer to the wireless access point Installation and Basic Configuration 18 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Hardware Requirements for Computers on Your LAN To connect to the wireless access point on your network each computer needs to have an 802 11b g n or 802 11a n wireless adapter installed NETGEAR recommends using the wireless access point with computers that have the NETGEAR N600 Wireless Dual Band USB Adapter WNDA3100 installed Operating Frequency Channel Guidelines You do not need to change the operating frequency channel unless you notice interference problems or you place the wireless access point near another wireless access point If you do change the operating frequency observe the following guidelines e Wireless access p
128. he wireless access point and remain constant The menu items in the blue bar change according to the navigation tab that is selected Configuration Monitoring Maintenance Support IP Wireless Security Wireless Bridge IDS IPS Figure 9 The bottom right corner of all screens that allow you to make configuration changes show the Apply and Cancel buttons and on several screens the Edit button Installation and Basic Configuration 22 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 EDIT CANCEL APPLY Figure 10 These buttons have the following functions Edit Allows you to edit the existing configuration e Cancel Cancels all configuration changes that you made on the screen e Apply Saves and applies all configuration changes that you made on the screen Configure Basic General System Settings and Time Settings Note After you have successfully logged in to the wireless access point the basic General system settings screen displays gt To configure basic system settings 1 Select Configuration gt System gt Basic gt General The basic General system settings screen displays f Configuration Monitoring Maintenance Support IP Wireless Security Wireless Bridge IDS IPS Basic General Genera Time gt Advanced Access Point Name netgearsAras6 General Country Region United States Figure 11 Installation and Basic Configuration 23 ProSafe Premium 3 x 3 D
129. ication 802 11b bg ng 802 1 1a na Radius Server Settings Turn Rogue AP Detection On yy Rogue AP Detection Policy Moderate v Import AP List from a file O Replace merge Known AP List DELETE Unknown AP List E MAC Address SSID Channel E MAC Address SSID Channel o 00 24 82 61 94 21 NG 119 1 00 26 F2 F8 14 00 NG_lig CO 00 17 31 23 09 0A Wireless OO 1F 33 C4 F7 FB EVA2000_WEP64 00 1F 33 02 AD 82 EVAZ000_mixed 1 CO 3F OE BO B7 A2 FULLRATEB7A2 o CO 3F 0E 85 CB 00 ngwlan 1 00 22 3F C3 6A CB8 NETGEAR C _ 00 18 F3 EF DB 84 Customer ID 11 00 27 31 23 08 DE Wireless 00 18 F3 EF DB 8C Wireless REFRESH CANCEL Figure 51 2 Optional To enable and configure rogue AP detection for the 802 11a na modes click the 802 11a na tab 3 Select the Turn Rogue AP Detection On check box to enable rogue AP detection 4 Specify the detection policy by making a selection from the Rogue AP Detection Policy drop down list e Mild The wireless access point scans for rogue access points every 10 seconds e Moderate The wireless access point scans for rogue access points every 5 seconds This is the default setting e Aggressive The wireless access point scans for rogue access points every second 5 Click Refresh to let the wireless access point discover the access points and populate the Unknown AP List 6 In the Unknown AP List select individual check boxes for access points or select all access
130. ice over IP VoIP other types of audio video and streaming media as well as traditional IP data The advanced QoS options on the wireless access point are as follows e AP EDCA parameters Specify the access point AP Enhanced Distributed Channel Access EDCA settings for different types of data transmitted from the wireless access point to wireless clients Station EDCA parameters Specify the station EDCA parameters for different types of data transmitted from the wireless clients to the wireless access point If WMM is disabled you cannot configure the Station EDCA parameters For information about how to enable WMM see Configure Basic Wireless Quality of Service on page 62 When you configure the EDCA settings the wireless access point can leverage existing information in the IP packet header that is related to the Type of Service ToS The wireless access point examines the ToS field in the headers of all packets that it processes Based on the value in a packet s ToS field the wireless access point prioritizes the packet for transmission by assigning it to one of the queues A different type of data is associated with each queue You can configure how the wireless access point treats each queue The queues defined for different types of data transmitted from AP to station and station to AP are e Data 0 Best Effort Medium priority queue medium throughput and delay Most traditional IP data is sent to this queue e
131. ics Packet Capture gt Traps Counters Counters Counters 802 11ng gt Adhoc Networks M Authentication Flood Association Flood Unauthenticated Association Association Table Overflow Authentication Failure Attack Deauthentication Broadcast Attack Disassociation Flood Malformed 802 11 packets detected EAPOL Start Attack EAPOL Logoff Attack Premature EAP Failure Attack Premature EAP Success Attack CTS Flood RTS Flood RF Jamming Attack Virtual carrier Attack MAC Spoofing Device probing for Access Points PS Poll Flood Attack AP Property changed Rogue AP detection REFRESH Figure 57 oe oooeoooeoeooeoeceegeoegeoo To update the information onscreen click Refresh Ad Hoc Networks gt To display the ad hoc networks and their associated clients Select Monitoring gt IPS IDS gt Adhoc Networks The Adhoc Network screen displays Management and Monitoring 97 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Support System Wireless Stations Rogue AP Logs Statistics Packet Capture Traps Adhoc Networks gt Counters Adhoc Networks 802 11ng gt Adhoc Networks Client MAC Address BSSID Wired Connectivity fS db 7f 22 29 09 de 00 e0 07 00 3F N REFRESH Figure 58 To update the information onscreen click Refresh The following table explains the fields of the Adhoc Networks screen Table 27 Ad hoc network fields
132. iguration gt Security gt Profile Settings The Profile Settings screen for the 802 11b bg ng modes displays showing eight wireless security profiles If the 2 4 GHz radio is disabled the Enable column is masked out Configuration Monitoring Maintenance Support System IP Wireless Wireless Bridge IDS IPS gt Profile Settings Profile Settings gt Advanced Profile Settings 802 11b bg ng 802 11la na Profile Name SSID Security VLAN Enable 1 NETGEAR NETGEAR_lLing Open System 2 NETGEAR 1 NETGEAR_ling 1 Open System 3 NETGEAR 2 NETGEAR_ling 2 Open System 4 NETGEAR 3 NETGEAR_ling 3 Open System 5 NETGEAR 4 NETGEAR_ling 4 Open System 6 NETGEAR S NETGEAR_ling S Open System NETGEAR 6 NETGEAR_ling 6 Open System 8 NETGEAR 7 NETGEAR_ling 7 Open System m O m o a O m O oogoogogo mome Figure 18 2 Optional To display the Profile Settings screen for the 802 11a na modes click the 802 11a na tab This screen also shows eight wireless security profiles If the 5 GHz radio is disabled the Enable column is masked out Wireless Configuration and Security 48 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Support System IP Wireless Wireless Bridge IDS IPS gt Profile Settings Profile Settings pocuanced Profile Settings 802 11b bg ng 802 11a na Profile Name SSID Security VLAN Enable 1 1 NETGEAR NETGEA
133. iguration requirements 18 IPv4 and IPv6 addresses 142 troubleshooting 134 LAN LED behavior 21 described 12 troubleshooting 133 LAN path troubleshooting 136 168 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 lease DHCP v4 28 DHCPv6 103 LEDs behavior 21 described 12 troubleshooting 132 legacy 802 1X wireless security 51 54 LLDP Link Layer Discovery Protocol 105 local MAC addresses 60 location country and region 24 logging activities 83 logging in 22 login URL name and password 142 losing wireless connection 61 MAC addresses ad hoc network clients 98 default wireless access point 24 Ethernet port 79 known access points 88 QoS policies 115 restricting access by 43 60 unknown access points 87 wireless card 79 MAC spoofing 92 malformed 802 11 packets 90 management VLAN 104 management remote options 64 match clauses QoS policies 114 117 maximum burst value 112 maximum contention window cwMax value 111 maximum number of clients 109 MCS Modulation and Coding Scheme index and data rate 802 11na 33 index and data rate 802 11ng 30 mild detection policy 86 94 minimum contention window cwMin value 111 moderate detection policy 86 94 Modulation and Coding Scheme MCS 30 33 mounting plate ceiling 36 wall 38 multicast packets transmitted and received 85 N names attacks and IDS IPS policies 89 firmware file 69 mail sender 95 NTP server 25 profiles 50
134. ing gt System gt Advanced gt Ethernet LLDP The Ethernet LLDP screen displays Advanced Configuration 105 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 toGourt Configuration Monitoring Maintenance Support IP Wireless Security Wireless Bridge IDS IPS Ethernet LLDP Basic Advanced Ethernet LLDP General Hotspot Syslog gt Ethernet LLDP User Accounts Ethernet LLDP O Enable Disable CANCEL APPLY Figure 62 2 Select the Disable radio button By default the Enable radio button is selected 3 Click Apply to save your settings Configure Hotspot Settings If the wireless access point functions as a public access point and you want it to capture and redirect all HTTP requests over TCP port 80 set up a hotspot server to redirect the requests to the specified URL and manage the clients For example you can redirect HTTP requests to a web server for authentication timing control or advertising A hotel might want all wireless connections to go to its server to start a billing transaction Note The redirection occurs only the first time that a wireless client opens a web browser gt To set up a hotspot server 1 Select Configuration gt System gt Advanced gt Hotspot The Hotspot screen displays Advanced Configuration 106 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance S
135. ing QoS policy 2 gt 2nd security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 3 gt 3rd security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication Command Line Reference 153 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pa
136. ing attack status malformed 802 11 packet detection Malformed IEEE802 11 packet detection attack status premature EAP failure attack Premature EAP failure attack status Premature EAP success attack status PS POLL flood attack status RF jamming attack status premature EAP success attack ps poll flood attack rf jamming attack rogue ap detection Rogue AP detection attack status unauthenticated association Unauthenticated association attack status virtual carrier attack Virtual carrier attack status wireless bridge gt security profile gt Wireless bridge setting Create security profile 1 gt lst security profile authentication Authentication type encryption Data encryption name Profile name presharedkey Preshared key remote mac status wep pass phrase Remote MAC Profile status Wireless wep passphrase key wepkey Wireless wep key wepkeytype Wireless wep key type 2 gt 2nd security profile authentication Authentication type Command Line Reference 156 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 encryption name presharedkey remote mac status wep pass phrase wepkey wepkeytype 235 authentication encryption name presharedkey remote mac status wep pass phrase wepkey wepkeytype A authentication encryption name pres
137. ing the cache deleting the cookies and launching the browser again e Make sure that you are using the correct login information The factory default login name is admin and the password is password Make sure that Caps Lock is off when entering this information gt Ifthe wireless access point does not save changes you have made in the web management interface check the following e When entering configuration settings be sure to click the Apply button before moving to another screen or tab or your changes are lost e Click the Refresh or Reload button in the web browser The changes might have occurred but the web browser might be caching the old configuration When You Enter a URL or IP Address a Time Out Error Occurs A number of things could be causing this gt Try the following troubleshooting steps e Check whether other computers on the LAN work correctly If they do ensure that your computer s TCP IP settings are correct If you use a fixed static IP address check the subnet mask default gateway DNS and IP addresses of the wireless access point see Configure the IPv4 Settings on page 25 e If the computer is configured correctly but still not working ensure that the wireless access point is connected and turned on Access it and check its settings If you cannot connect to the wireless access point check the LAN and power connections e Ifthe wireless access point is configured correctly check your Inte
138. ing the software Select Maintenance gt Upgrade gt Firmware Upgrade The Firmware Upgrade screen displays Configuration Monitoring Maintenance Support Password Reset Remote Management Prlawers Firmware Upgrade Upgrade Eiman Firmware Upgrade Upgrade TFTP Select file Browse Backup Settings Restore Settings CANCEL Figure 37 Management and Monitoring 68 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 5 Click Browse and locate the image zip upgrade file 6 Click Apply to initiate the upgrade process During the upgrade process the wireless access point automatically restarts The upgrade process typically takes several minutes When the Test LED turns off wait a few more seconds before doing anything with the wireless access point 7 Verify that the new software file has been installed by selecting Monitoring gt System The System screen displays see Figure 46 on page 78 The firmware version is shown in the Access Point Information section of the screen TFTP Server Upgrade Procedure To use this method you need to have a TFTP server set up To use a TFTP server to upgrade the wireless access point firmware 1 Download the new software file from the NETGEAR website and save it to your hard disk 2 Place the software file in your TFTP server location You do not need to unzip the file 3 If available read the release notes before upgrading the software 4
139. is the default user account which you cannot delete However you can add other user accounts modify them and delete them Users for whom you set up an account can access the web management interface with read only or read write privileges Note Only the administrator can create change and delete user accounts gt To add anew user account 1 Select Configuration gt System gt Advanced gt User Accounts The User Accounts screen displays f Configuration Monitoring Maintenance Support IP Wireless Security Wireless Bridge IDS IPS S Dasit User Accounts Advanced General Hotspot Syslog Password _ eeeecece gt Ethernet LLDP Privilege Select Privilege Y User Accounts ADD User Accounts User Name admin User Accounts Existing Users Select User v User Name Password Privilege Select Privilege v MODIFY _ DELETE RESET PASSWORD CANCEL APPLY Figure 44 2 Configure the settings in the upper part of the screen as explained in the following table Table 17 Add user account settings Setting Description User Name Enter a new user name Password Enter a password between 4 and 12 characters in length Privilege From the Privilege drop down list select Read Write or Read Only 3 Click Add 4 Click Apply to save your settings Management and Monitoring 75 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 gt To change
140. isotrope rayonnee equivalente p i r e ne depasse pas l intensite necessaire al etablissement d une communication satisfaisante Le present emetteur radio IC 4054A 12200202 Model WNDAP620 a ete approuve par Industrie Canada pour fonctionner avec les types d antenne enumeres ci dessous et ayant un gain admissible maximal et I impedance requise pour chaque type d antenne Les types d antenne non inclus dans cette liste ou dont le gain est superieur au gain maximal indique sont strictement interdits pour l exploitation de l emetteur Notification of Compliance 165 Index Numerics 11a and 11na wireless modes 32 11b 11bg and 11ng wireless modes 29 2 4 GHz antenna connectors for 13 2 4 GHz or 5 GHz operation 9 64 bit 128 bit and 152 bit WEP 54 802 11b g n and 802 11a n wireless adapters 19 wireless settings 28 34 802 11d support 109 802 1P QoS policies 115 802 1Q VLAN 9 105 A access restricting by MAC address 43 60 accounting RADIUS servers 57 59 accounts users 75 Active LED behavior 21 described 12 troubleshooting 133 ActiveX 135 activity log 83 ad hoc networks detecting 92 monitoring 97 admin password changing or restoring 74 default 142 AES Advanced Encryption Standard 44 56 57 Aggregated MAC Protocol Data Unit A MPDU frames 109 aggregation length 109 aggressive detection policy 86 94 AID associated identifier 82 AIFS Arbitration Inter Frame Spacing interval 111 A MPDU Aggrega
141. king power outlet or power strip Make sure that your PoE switch is functioning normally Troubleshooting 132 gt ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 If you use a power cord to provide power to the wireless access point check these items Make sure that the power cord is connected to the wireless access point Make sure that the power adapter is connected to a functioning power outlet If itis ina power strip make sure that the power strip is turned on If it is plugged directly into the wall verify that it is not a switched outlet Make sure that you are using the correct NETGEAR power adapter that is supplied with your wireless access point The Active LED or the LAN LED Is Not Lit There is a hardware connection problem Check these items Make sure that the cable connectors are securely plugged in at the wireless access point and the network device hub PoE switch or router Make sure that the connected device is turned on Make sure that the correct cable is used Use a standard Category 5 Ethernet patch cable If the network device has Auto Uplink MDI MDIX ports you can use either a crossover cable or a normal patch cable The WLAN LED Does Not Light Up The wireless access point s antenna is not working Check these items If the WLAN LED remains off either disconnect the cable to the PoE switch and then reconnect it again or disconnect the adapter from its pow
142. less Access Point to Repeat the Wireless Signal Using Point to Multipoint Bridge Mode 126 Chapter 6 Troubleshooting Basie PUNCHING 535 chee er epik noe eded ad ede erga dbade i 132 Verify the Correct Sequence of Events at Startup 132 No LEDs Are Lit on the Wireless Access Point 132 The Active LED or the LAN LED Is Not Lit 133 The WLAN LED Does Not Light Up 20 00 00 133 You Cannot Access the Internet or the LAN from a Wireless Capable Computer 00000 cece eee eens 134 You Cannot Configure the Wireless Access Point from a Browser 134 When You Enter a URL or IP Address a Time Out Error Occurs 135 Troubleshoot a TCP IP Network Using the Ping Utility 135 Test the LAN Path to Your Wireless Access Point 136 Test the Path from Your Computer to a Remote Device T37 Problems with Date and Time nnana aana eee ee eee 137 Use the Packet Capture Tool 0 0 cece eee eee 138 Appendix A Supplemental Information Technical SpScnealons vsageuedaveede vende deeeeyeds supe den 139 Factory Default Seling 4 ccc cc ceec er deenweeeadeio cere daeea es 142 Appendix B Command Line Reference Appendix C Notification of Compliance Index Introduction This chapter introduces the NETGEAR ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 and des
143. ltiple unauthenticated association requests 5 or more that use spoofed MAC addresses of legitimate clients are sent to the wireless access point Result The client association table overflows causing authentication requests from legitimate clients to be denied Solution The oldest clients that are stuck in the authentication phase are removed from the table 5 Trap Association table overflow Attack Multiple clients 5 or more that use spoofed MAC addresses of legitimate clients attempt to connect to the wireless access point Result The client association table overflows causing association requests from legitimate clients to be denied Solution The oldest associations are removed from the table Trap Authentication failure attack Attack Multiple invalid authentication requests 5 or more that use the spoofed MAC address of a legitimate client are sent to the wireless access point Result The client is disconnected from the wireless access point Solution The wireless access point determines if the legitimate client is already connected before processing an authentication request Trap Deauthentication broadcast attack Attack Multiple deauthentication frames 5 or more that use the spoofed MAC address of the wireless access point are sent to legitimate clients Result Clients are disconnected from the wireless access point Note The IDS detects this attack but the IPS does not take ac
144. mature EAP attacks 91 pre shared key PSK WPA WPA2 and mixed mode 44 57 priority queues advanced QoS 110 WMM QoS 62 privileges user accounts 75 product registration 14 profiles security creating and configuring 48 52 described 44 PS poll flood attack 93 PSK pre shared key WPA WPA2 and mixed mode 44 57 Q QoS Quality of Service advanced settings 110 112 basic settings WMM 62 63 policies 112 117 rate limiting and burst rate 116 117 R radio scheduling to turn off 61 turning off 2 4 GHz 29 turning off 5 GHz 32 RADIUS servers configuring 57 range guidelines wireless equipment 17 rate limiting QoS policies 116 117 read only name read write name SNMP 65 rear panel 13 reauthentication time RADIUS servers 59 rebooting from web management interface 73 received signal strength indicator RSSI 82 redirecting HTTP requests 106 Reduced Interframe Space RIFS transmission 109 region wireless location 24 registering product 14 remote devices troubleshooting 137 remote MAC addresses 60 remote management options 64 repeating wireless signal 126 Request to Send RTS threshold 108 Reset button 13 73 142 restoring factory defaults 71 password 74 settings from backup file 71 restricting access by MAC address 43 60 RF jamming attack 92 RIFS Reduced Interframe Space transmission 109 roaming 45 rogue access point detection 85 88 RSSI received signal strength
145. n function without any encryption or with pre shared WEP key encryption without RADIUS authentication The security level of static WEP is not very strong When you select Open System from the Network Authentication drop down list and any selection other than None from the Data Encryption drop down list the screen expands to display the WEP fields Authentication Settings Network Authentication Open System v Data Encryption 64 bit WEP v Passphrase HOR Oh Hm a h e Generate Keys Key1 B6E6806317 key2 O 8E6076FDBE Key 3 6ACEE0SE76 Key 4 O 617B53CB2 Show Passphrase in Clear Text No O Yes Figure 21 Shared key with WEP Shared key provides pre shared WEP key encryption without RADIUS authentication The security level of static WEP is not very strong When you select Shared Key from the Network Authentication drop down list the screen expands to display the WEP fields Wireless Configuration and Security 53 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Authentication Settings Network Authentication Shared Key Data Encryption Passphrase Key1 Key 2 O Key 3 Key 4 O Show Passphrase in Clear Text No Figure 22 64 bit WEP v eee Generate Keys B6E6806317 SE6076FDBE 6ACEEOSE76 E617B53CB2 Table 11 WEP encryption settings Setting Descriptions Data Encryption Select the encryption key size from the drop down list e 64 bit WEP Standard W
146. nada The required antenna impedance is 50 ohms Under Industry Canada regulations this radio transmitter may only operate using an antenna of a type and maximum or lesser gain approved for the transmitter by Industry Canada To reduce potential radio interference to other users the antenna type and its gain should be so chosen that the equivalent isotropically radiated power e i r p is not more than that necessary for successful communication This radio transmitter IC 4054A 12200202 Model WNDAP620 has been approved by Industry Canada to operate with the antenna type maximum permissible gain and required antenna impedance for each antenna type indicated Antenna types not included in this user s manual having a gain greater than the maximum gain indicated for that type are strictly prohibited for use with this device Ce dispositif a ete concu pour fonctionner avec une antenne ayant un gain maximal de Dipole antenna avec 5aBi Une antenne a gain plus eleve est strictement interdite par les reglements d Industrie Canada L impedance d antenne requise est de 50 ohms Conformement a la reglementation d Industrie Canada le present emetteur radio peutfonctionner avec une antenne d un type et d un gain maximal ou inferieur approuve pourl emetteur par Industrie Canada Dans le but de reduire les risques de brouillage radioelectriquea l intention des autres utilisateurs il faut choisir le type d antenne et son gain de sorte que lapuissance
147. naged AP 0 Trap list see View and Save Access Point Lists on page 87 and is not connected to the secured wireless or wired network e Result Wireless security might be compromised Note The IDS detects rogue APs but the IPS does not take action against rogue APs For information about how to exclude rogue APs from your network see Enable Rogue AP Detection and Monitor Access Points on page 85 Ad hoc network Detection A group of wireless access points are part of an O Trap detected ad hoc network that might broadcast the same SSID as the secured wireless network e Result Wireless security might be compromised Note The IDS detects ad hoc networks but the IPS does not take action against ad hoc networks Ad hoc network with e Detection A group of wireless access points are part of an O Trap wired connectivity ad hoc network that has a wired connection and that might broadcast the same SSID as the secured wireless network e Result Wireless security might be compromised Note The IDS detects ad hoc networks but the IPS does not take action against ad hoc networks Management and Monitoring 92 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 24 IDS IPS policies and policy rules continued Policy Description Policy Rule Threshold Notification Known client associating with ad hoc network e Detection Clients that should be connected t
148. nance Support Password Reset Upgrade gt SNMP Remote Console Remote Console Remote Console Secure Shell SSH Enable Disable Telnet O Enable Disable CANCEL Figure 35 Enable or disable the remote console features e Secure Shell SSH To enable this feature select the Enable radio button which is the default setting Select the Disable button to disable the feature e Telnet To enable this feature select the Enable radio button Select the Disable button to disable the feature which is the default setting Click Apply to save your settings To manage the wireless access point over a Telnet connection 1 2 Connect an Ethernet cable to the console port of the wireless access point Connect the other end of the cable to a VT100 ANSI terminal or a workstation If you attach a PC Apple Macintosh or UNIX workstation start a secure terminal emulation program and configure the terminal emulation program to use the following settings e Baud rate 9600 bps e Data bits 8 e Parity none e Stop bit 1 e Flow control none Start a secure Telnet session from the terminal or workstation to the wireless access point A screen similar to the following displays Management and Monitoring 66 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 of Telnet 192 168 0 236 Telnet gt ap information apname netgear334408 macaddress 66 22 3F 8B 1B 96 firmvwa
149. nced Encryption Standard is the standard encryption method used with WPA2 PSK and the only selection possible from the Data Encryption drop down list In the WPA Passphrase Network Key field enter a passphrase The passphrase length needs to be between 8 and 63 characters inclusive Note NETGEAR recommends WPA2 PSK authentication with AES encryption if you want to use the 11n rates and speed h Click Apply to save your security profile settings The Bridging screen displays again i Repeat Step e through Step h for any other security profile that you want to edit For example first configure security profile NETGEAR WDS 1 with the MAC address of AP1 and then configure security profile NETGEAR WDS 2 with the MAC address of AP3 see Figure 73 on page 126 Activate repeater mode on the wireless access point AP2 in Figure 73 on page 126 a On the Bridging screen select the Enable Wireless Bridging check box b Select the Wireless Point to Multi Point Bridge radio button c Clear the Enable Wireless Client Association check box to disable wireless client association see the red circle in Figure 74 on page 127 Note If you do not clear the Enable Wireless Client Association check box the wireless access point functions in regular point to multipoint bridge mode d If the correct profile names and security options are displayed in the table select the check boxes in the Enable column for all security pr
150. nector for an optional 2 4 GHz antenna Console port for connecting to an optional console terminal The port has an RJ 45 connector and supports the following settings 9600 K default baud rate 8 data bits no N parity bit and one 1 stop bit Cable security lock receptacle for an optional lock Power socket for a 12 VDC 1 5A power adapter Third reverse SMA connector for an optional 2 4 GHz antenna Note The wireless access point can support up to three optional 2 4 GHz antennas Bottom Panel with Product Label The product label on the bottom of the wireless access point s enclosure displays factory default settings regulatory compliance and other information Introduction 13 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 N E T G E A R fnar LAN Prosafe 3x3 Dual Radio 2 4GHz or 5GHz oe Py 2 4GHz 5GHz S Wireless Access Point WNDAP620 CEO FE E aa DC Input DC 12 V 1 5A FCC ip PY312200202 IC 4054A 12200202 DEFAULT ACCESS This device complies with Part 15 of the FCC Rules Operation SERIAL OOo is subject to the MAC two conditions 1 this device may not IP http 192 1 68 0 100 cause harmful interference ste 2 this device must accept any MAC User Name admin interference received including interference that may cause 3 password password undesired operation Made in China 272 11419 01 Figure 3 Register the Wireless Access Point To qualify for product updates
151. not lit make sure that the Ethernet cable is securely attached at both ends WLAN LED The 2 4 GHz WLAN LED is lit or blinks green when the wireless LAN WLAN is ready WLAN LED The 5 GHz WLAN LED is lit or blinks green when the wireless LAN WLAN is ready Installation and Basic Configuration 21 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Log In to the Wireless Access Point The default IP address of your wireless access point is 192 168 0 100 By default the DHCP client on the wireless access point is disabled so you can log in using the default IP address gt To log in to the wireless access point 1 Open a web browser such as Microsoft Internet Explorer 6 0 or later or Mozilla Firefox 1 5 or later 2 Connect to the wireless access point by entering its default address of 192 168 0 100 into your browser use http and not https The Login screen displays NETGEAR WNDAP620 Connect with Innovation ProSafe Dual Band Wireless N Access Point Login Login Username admin Password essseses Figure 8 3 Enter the default user name of admin and the default password of password 4 Click Login The web browser displays the basic General system settings screen under the Configuration tab of the main menu as shown in Figure 11 on page 23 Web Management Interface The navigation tabs across the top of the web management interface provide access to all the configuration functions of t
152. nts and other relevant provisions of Directive 1999 5 EC 161 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Espa ol Spanish Por medio de la presente NETGEAR Inc declara que el Radiolan cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999 5 CE EAAnvikn Greek ME THN MAPOY2A NETGEAR Inc AHAQNEI OTI Radiolan 2YMMOP ONETAI NPOZ TI OYZIOAEIZ ANAITHZEIZ KAI TIZ AOINES ZXETIKEZ AIATA EIZ TH OAHMAZ 1999 5 EK Fran ais French Par la pr sente NETGEAR Inc d clare que l appareil Radiolan est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999 5 CE Italiano Italian Con la presente NETGEAR Inc dichiara che questo Radiolan conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999 5 CE Latviski Latvian Ar o NETGEAR Inc deklar ka Radiolan atbilst Direkt vas 1999 5 EK b tiskaj m prasibam un citiem ar to saistitajiem noteikumiem Lietuvi Lithuanian iuo NETGEAR Inc deklaruoja kad is Radiolan atitinka esminius reikalavimus ir kitas 1999 5 EB Direktyvos nuostatas Nederlands Dutch Hierbij verklaart NETGEAR Inc dat het toestel Radiolan in overeenstemming is met de essenti le eisen en de andere relevante bepalingen van richtlijn 1999 5 EG Malti Maltese Hawnhekk NETGEAR Inc ji
153. o the secured wireless network are instead connected to wireless access points that are part of an ad hoc network e Result Wireless security might be compromised e Solution The clients are disconnected from the ad hoc network 0 Trap AP property changed e Detection Unauthorized changes such as a change of SSID security settings or channel are made on a known wireless access point in the network Result Wireless security is compromised and clients cannot connect to the wireless access point Note The IDS detects that the properties of a known wireless access point in the network are changed but the IPS does not take action The changes that the IDS detects are listed in a table The affected wireless access point is identified by its MAC address To correct the situation access the web management interface of the affected wireless access point and reverse the changes DELETE Beacon Interval E MAC Address SSID Security Channel To remove the detected changes from the table 1 Select the check box to the left of the wireless access point for which you want to remove the changes from the table 2 Above the table click Delete Trap Device probing for access points Detection Multiple probe requests 30 or more are sent to collect information about the wireless access point for possible future attacks For example it is suspect when there are too many probe requests with a di
154. ofiles that you want to enable e Click Apply on the Bridging screen to activate your repeater settings Configure AP1 on LAN Segment 1 see Figure 73 on page 126 in repeater mode with the remote MAC address of AP2 Configure AP3 on LAN Segment 3 see Figure 73 on page 126 in repeater mode with the remote MAC address of AP2 Advanced Configuration 129 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 5 Verify the following for all wireless access points e All APs are on the same LAN that is the LAN IP addresses of all APs are in the same network as the LAN devices e lf you use DHCP all wireless access points can obtain IP addresses automatically as DHCP clients For more information see Configure the Optional DHCPv4 Server on page 27 or Configure the Optional DHCPv6 Server on page 101 e All wireless access points use the same channel authentication mode and security settings 6 Verify connectivity across the LANs A computer on any LAN segment should be able to connect to the Internet or share files and printers with any other devices or servers connected to any of the two LAN segments Note You can extend repetition of the wireless signal by adding up to two more wireless access points that are configured in point to multipoint bridge mode without client association Also you can extend the range of the wireless network with NETGEAR wireless antenna accessories Advanced Configuration 13
155. oint Rather than communicating directly with each other all other bridge mode wireless stations send their traffic to the master wireless access point Use WEP WPA PSK or WPA2 PSK to secure the communication For information about how to configure this mode see Configure a Point to Multipoint Wireless Network on page 122 Repeating the wireless signal In this mode this wireless access point repeats the wireless signal does not support communication with wireless clients and sends all traffic to a remote access point In this mode wireless clients cannot associate with the wireless access point Use WEP WPA PSK or WPA2 PSK to secure the communication For information about how to configure this mode see Configure the Wireless Access Point to Repeat the Wireless Signal Using Point to Multipoint Bridge Mode on page 126 Note You cannot configure wireless bridging when automatic channel selection is enabled On the basic Wireless Settings screen make sure that Auto is not selected from the Channel Frequency drop down list see Configure the Basic Wireless Settings on page 28 Configure a Point to Point Wireless Network In point to point bridge mode the wireless access point communicates with another bridge mode wireless station Use wireless security to protect this communication The following figure shows an example in which two wireless access points APs function in point to point bridge mode Advanced Configuration 118
156. oint see Configure the IPv4 Settings on page 25 Ping the default gateway to verify that there is a path from the computer with the wireless adapter to the default gateway If the ping fails check the network configuration or call the Internet service provider ISP You Cannot Configure the Wireless Access Point from a Browser gt Check these items The wireless access point is correctly installed it is powered on and LAN connections are okay Check that the Active LED and LAN LED are on to verify that the Ethernet connection is okay If your computer uses a fixed static IP address ensure that it is using an IP address in the range of the wireless access point The wireless access point s default IP address is 192 168 0 100 and its subnet mask is 255 255 255 0 with DHCP disabled Make sure that your network configuration settings are correct If you are using the NetBIOS name of the wireless access point to connect ensure that your computer and the wireless access point are on the same network segment or that there is a WINS server on your network If your computer is set to obtain an IP address automatically DHCP client restart it Troubleshooting 134 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 e Make sure that your browser has Java JavaScript or ActiveX enabled If you are using Internet Explorer click Refresh to be sure that the Java applet is loaded e Try quitting the browser clear
157. oints use a fixed channel You can select a channel that provides the least interference and best performance In the United States and Canada 11 channels are available e If you use multiple wireless access points it is better if adjacent wireless access points use different channels to reduce interference The recommended channel spacing between adjacent wireless access points is 5 channels for example use channels 1 and 6 or 6 and 11 e In infrastructure mode which is the default mode for the wireless access point wireless stations normally scan all channels looking for a wireless access point If more than one wireless access point can be used the one with the strongest signal is used This is possible only if the wireless access points use the same SSID Requirements for Entering IP Addresses IPv4 The fourth octet of an IP address needs to be between 0 and 255 both inclusive This requirement applies to any IP address that you enter on a screen of the web management interface IPv6 IPv6 addresses are denoted by eight groups of hexadecimal quartets that are separated by colons Any four digit group of zeroes within an IPv6 address can be reduced to a single zero or altogether omitted The following errors invalidate an IPv6 address e More than eight groups of hexadecimal quartets e More than four hexadecimal characters in a quartet e More than two colons in a row Installation and Basic Configuration 19 ProSa
158. on e Result The client is disconnected from the wireless access point e Solution The wireless access point determines if it still receives traffic from the client before disconnecting the client Trap Premature EAP failure attack Attack Several premature EAP failure frames 2 or more are sent to a legitimate client to suggest RADIUS authentication failure Result The client cannot be authenticated and cannot connect to the wireless access point Note The IDS detects this attack but the IPS does not take action against this attack Trap Premature EAP success attack Attack Several premature EAP success frames 2 or more are sent to a legitimate client to suggest RADIUS authentication SUCCESS e Result The client cannot be authenticated and cannot connect to the wireless access point Note The IDS detects this attack but the IPS does not take action against this attack Trap CTS flood Attack Multiple clear to send CTS frames 60 or more are sent to the wireless access point e Result Wireless service is disrupted Solution The wireless access point sends a channel change frame to the legitimate clients and uses automatic channel selection to switch to a new clear channel 60 Trap RTS flood Attack Multiple request to send RTS frames 60 or more are sent to the wireless access point e Result Wireless service is disrupted e Solution The wireless a
159. on TKIP AES Y Figure 26 Wireless Configuration and Security 55 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 12 Settings for WPA with RADIUS WPA2 with RADIUS and WPA amp WPA2 with RADIUS Setting Descriptions TKIP Temporal Key Integrity Protocol TKIP is the standard encryption method used with WPA You can also use TKIP with WPA2 Note TKIP provides only legacy slower rates of operation NETGEAR recommends WPA2 authentication with AES encryption if you want to use the 11n rates and speed AES Advanced Encryption Standard AES is the standard encryption method used with WPA2 Note Although some wireless clients might support AES with WPA the WNDAP620 wireless access point does not support WPA with AES TKIP AES The TKIP AES encryption method is supported both for WPA and WPA2 Broadcast packets use TKIP For unicast point to point transmissions WPA clients use TKIP and WPA2 clients use AES For the WPA amp WPA2 mixed mode TKIP AES is the only supported data encryption method Configure WPA PSK WPA2 PSK and WPA PSK amp WPA2 PSK WPA PSK WPA PSK and WPA PSK amp WPA2 PSK authentication use a pre shared key PSK also called a passphrase or a network key and do not require authentication from a RADIUS server The selections that are available from the Data Encryption drop down list depend on the type of WPA PSK authentication that you sele
160. onfigured wireless mode Access Point Mode The operating mode of the wireless access point One of the following modes is indicated e Access Point e Point to Point Bridge e Point to Point Bridge with Access Point e Multi Point Bridge with without client association For information about how to change the mode see Configure Wireless Bridging on page 118 Channel Frequency The channel that the wireless port is using For information about how to change the channel and frequency see Configure 802 11b bg ng Wireless Settings on page 28 and Configure 802 11a na Wireless Settings on page 31 Rogue AP Detection Enabled indicates that rogue AP detection is enabled Disabled indicates that it is not Monitor Wireless Stations The Wireless Stations screen contains the Available Wireless Stations table This table shows all IP devices that are associated with the wireless access point in the wireless network that is defined by the wireless network name SSID The table heading indicates the wireless mode 802 11b 802 11bg or 802 11ng for the 2 4 GHz band or 802 11a or 802 11na for the 5 GHz band Note A wireless network can include multiple wireless access points all using the same network name SSID This uniformity extends the reach of the wireless network and allows users to roam from one wireless access point to another providing seamless network connectivity Under these circumstances be aware th
161. onitoring Maintenance Support System IP Wireless Wireless Bridge IDS IPS Profile Settings Radius Server Settings Advanced IPv4 Radius Server Settings Rogue AP gt MAC een IPv4 Address Shared Secret Authentication Primary Authentication Server secccccccces gai Secondary Authentication Server adusaaeneies 2 erimary accounting Server eeeecccccece Secondary Accounting Server ETITI IPv6 Radius Server Settings po tv Address Port _ Shared Secret Primary Authentication Server eooooooooooo Secondary Authentication Server Primary Accounting Server eeeccccecces Secondary Accounting Server See eeeseeee Authentication Settings Reauthentication Time Seconds vy Update Global Key Every Seconds Figure 30 2 Specify the settings as explained in the following table Table 14 RADIUS server settings for IPv4 and IPv6 Setting Descriptions Radius Server Settings Primary IPv4 Address or Enter the IP address of the primary RADIUS server for Authentication Server IPv6 Address authentication Port Enter the number of the UDP port on the wireless access point that is used to access the primary RADIUS server for authentication The default port number is 1812 Shared Secret Enter the shared key that is used between the wireless access point and the primary RADIUS server during authentication Wireless Configuration and Security 58 ProSafe P
162. ons Note For information about how to configure the DHCPV6 server see Configure the Optional DHCPv6 Server on page 101 gt To configure DHCPV4 server settings 1 Select Configuration gt IP gt DHCP Server Settings The DHCP Server Settings screen displays The following figure displays the DHCPv4 server settings only For information about the DHCPV6 server settings see Configure the Optional DHCPv6 Server on page 101 T Configuration Monitoring Maintenance Support toGourt System IP Wireless Security Wireless Bridge IDS IPS gt IP Settings DHCP Server Settings IPv6 Settings DHCPv4 Server Settings DHCP Server Settings DHCPv4 Server Enable Disable DHCP Server VLAN ID 1 Starting IPv4 Address 192 168 0 2 Ending IPv4 Address 192 168 0 50 Subnet Mask 255 255 255 0 Gateway IPv4 Address 192 168 0 1 Primary DNS Server Secondary DNS Server Primary WINS Server Secondary WINS Server Lease 1 days 0 hours 0 minutes Figure 14 2 Configure the settings as explained in the following table Table 5 DHCP server settings for IPv4 Setting Description Select the DHCPv4 Server check box to enable the DHCP server Use the default settings or specify the pool of IPv4 addresses to be assigned by setting the starting IPv4 address and ending IPv4 address These addresses should be part of the same IPv4 address subnet as the wireless access point s LAN IPv4 address DHCP Server VLAN ID Enter
163. ons Actual throughput will vary Network conditions and environmental factors including volume of network traffic building materials and construction and network overhead lower actual data throughput rate Channel width 20 MHz Guard interval Auto Output power Full Wireless on off radio scheduling Disabled RTS threshold 2347 Fragmentation length 2346 Beacon interval 100 Aggregation length 65535 AMPDU Enabled RIFS transmission Disabled DTIM interval 3 Preamble type Auto Antenna Internal 802 11d Enabled Client isolation Disabled Maximum wireless clients 128 Wi Fi Multimedia WMM Enabled WMM powersave Enabled AP EDCA parameters QoS settings Station EDCA parameters QoS settings See Table 32 on page 111 Supplemental Information ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 40 Default configuration settings continued Feature Description QoS policies None Wireless bridging Disabled Default wireless profile and profile security Profile name NETGEAR Profile state Enabled Wireless network name SSID NETGEAR_11ng Broadcast wireless network name SSID Enabled Network authentication Open system no authentication Data encryption None Wireless client security separation Disabled VLAN ID 1 Wireless security features Rogue AP detection Di
164. oring Maintenance Support System IP gt Wireless Wireless Bridge IDS IPS Profile Settings Edit Security Profile Advanced Profile Definition Profile Name NETGEAR Wireless Network Name SSID NETGEAR_1lina Broadcast Wireless Network Name SSID Yes no Authentication Settings Network Authentication WPA PSK Data Encryption TKIP AES Y WPA Passphrase Network Key PRETSTE RCO Show Passphrase in Clear Text no O Yes Wireless Client Security Separation Disable LAN ID 1 QoS Policies Incoming Outgoing Apply Policy None None Policy Details CANCEL APPLY Figure 20 Specify the settings of the Profile Definition section of the Edit Security Profile screen as explained in the following table Table 9 Profile definition settings Setting Description Profile Name Enter a unique name of the wireless security profile that makes it easy to recognize the profile The default names are NETGEAR NETGEAR 1 NETGEAR 2 and so on through NETGEAR 7 You can enter a value of up to 32 alphanumeric characters Wireless Network Name The wireless network name SSID for the wireless security profile The default SSID names depend on the selected radio band e 802 11b bg ng The default names are NETGEAR_1ing NETGEAR_11ng 1 NETGEAR_11ng 2 and so on through NETGEAR_11ng 7 for the eighth profile e 802 11a na The default names are NETGEAR_11na NETGEAR_11na 1 NETGEAR_11na 2 and so on through N
165. ory 67 fragmentation length 108 frequencies and channels defaults 140 selecting for 802 11a na modes 33 selecting for 802 11b bg ng modes 30 FTP traffic advanced QoS 110 WMM QoS 63 G gateways ISP and DHCPv4 26 28 ISP and DHCPv6 101 103 generating keys WEP 54 Gigabit Ethernet RJ 45 port 13 graphical user interface GUI described 22 troubleshooting 134 guard interval 802 11na 33 802 11ng 30 H hotspot server 106 idle time 82 IDS intrusion detection system 10 89 importing known access points 86 infrastructure mode 19 installation kits 35 installation order 20 interface rate limiting and burst rate 117 interference 18 internal antenna disabling 109 Internet browsing troubleshooting 134 intrusion detection system IDS and intrusion prevention system IPS 10 89 IP addresses NTP servers 25 QoS policies 116 SNMP manager 65 syslog server 77 TFTP server 69 IP DCSP and IP precedence QoS policies 114 IPS intrusion prevention system 10 89 IPv4 addresses default 22 26 79 142 DHCPv4 and DNS servers 26 28 DHCPv4 WINS servers 28 errors 19 RADIUS servers 58 requirements 19 static for management computer 142 IPv6 addresses default 79 100 142 DHCPv6 and DNS servers 100 103 DHCPv6 WINS servers 103 dynamic 79 101 errors 19 RADIUS servers 58 requirements 19 isolating clients 109 J Java and Javascript 135 K key generation WEP 54 key update RADIUS servers 59 L LAN conf
166. ou click the Apply button after you have completed the wireless configuration Installation and Basic Configuration 29 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Specify the remaining wireless settings as explained the following table Table 6 Basic 2 4 GHz band wireless settings Setting Descriptions Wireless Network Name Enter a 32 character maximum service set identifier SSID the characters are SSID case sensitive The default is NETGEAR_11ng The SSID assigned to a wireless device needs to match the wireless access point s SSID for the wireless device to communicate with the wireless access point If the SSIDs do not match you do not get a wireless connection to the wireless access point Wireless On Off Status This field is not configurable It shows the status of the wireless scheduler For more information see Schedule the Wireless Radio to Be Turned Off on page 61 Broadcast Wireless Select the Yes radio button to enable the wireless access point to broadcast its Network Name SSID SSID allowing wireless stations that have a null blank SSID to adopt the wireless access point s SSID Yes is the default setting To prevent the SSID from being broadcast select the No radio button Channel Frequency From the drop down list select the channel you wish to use for your wireless LAN The wireless channels and frequencies depend on the country and wireless mode The defa
167. ou then need to access the wireless access point from a wired computer or from a wireless computer that is on the access control list to make any further changes Schedule the Wireless Radio to Be Turned Off Scheduling the wireless radio to be turned off is a green feature that allows you to turn off the wireless radio during scheduled vacations office shutdowns on evenings or on weekends gt To schedule the radio to be turned on and off 1 Select Configuration gt Wireless gt Basic gt Wireless On Off The Wireless On Off screen displays Wireless Configuration and Security 61 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Support System IP Security Wireless Bridge IDS IPS v Basic Wireless On Off gt Wireless Settings gt Wireless On Off gt QoS Settings Wireless On Off gt Advanced Wireless On Off Radio off schedule Radio ON Time Radio OFF Time Figure 32 2 Specify the settings as explained in the following table Table 15 Wireless radio on off settings Setting Description Wireless On Off Select the On radio button to enable the timer By default the Off radio button is selected Radio off schedule Select check boxes to specify the days when you want to schedule the radio to be turned off By default Saturday and Sunday are selected Radio ON Time Enter the time that you want the radio
168. p key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 8th security profile Wireless authentication type Data encryption Hide network name key 1 key 2 key 3 key 4 Wireless wep Wireless wep Wireless wep Wireless wep Key number Profile name Pre shared key Disable Network associated wireless client communication 1 32 chars status name Profile VLAN id Wireless wep passphrase key Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy IDS IPS Intrusion detection amp prevention system status IDS IPS Intrusion detection amp prevention system policies IDS IPS attack configurations EAPOL logoff attack status EAPOL start attack status ADHOC ADHOC AP property change attack status network detected attack status network wired connectivity attack status Association flood attack status Association table overflow attack status Command Line Reference 150 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620
169. password 22 142 prefix length 142 SNMP 65 subnet mask 26 142 user name 22 142 delivery traffic indication message DTIM interval 109 destination port QoS policies 116 detection policies IDS IPS 94 rogue access points 86 device probing 93 DHCP Dynamic Host Configuration Protocol DHCPv4 client and server 26 28 DHCPV6 client and server 100 103 disassociation flood 90 DNS Domain Name System servers IPv4 26 28 IPv6 100 103 DTIM delivery traffic indication message interval 109 dual band support nonconcurrent 9 Dynamic Host Configuration Protocol DHCP DHCPv4 client and server 26 28 DHCPV6 client and server 100 103 E EAPOL Extensible Authentication Protocol attacks 91 EDCA Enhanced Distributed Channel Access parameters 110 112 electromagnetic compliance 141 email settings IDS IPS 95 encryption WEP 54 WPA and WPA2 57 environmental specifications 141 ESS extended service set 45 Ether type QoS policies 115 Ethernet cabling requirements 18 167 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Ethernet packets and bytes received and transmitted 84 extended service set ESS 45 Extensible Authentication Protocol EAPOL attacks 91 external antennas connecting 13 enabling 109 F factory default settings list of 142 145 restoring 71 firmware backing up 70 factory defaults 71 restoring from backup file 71 upgrading 68 version viewing 79 flash mem
170. pe Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 7 gt 7th security profile Command Line Reference 149 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 authentication encryption hide network name keyl key2 key3 key4 keyno name presharedkey security separation ssid status vlan id wep pass phrase wepkeytype 8 gt authentication encryption hide network name key1 key2 key3 key4 keyno name presharedkey security separation ssid status vlan id wep pass phrase wepkeytype ids ips profile gt ips status ips detection policy attack status gt EAPOL logoff attack EAPOL start attack adhoc network detected ap property change association flood adhoc nw wired connectivity association table overflow Wireless authentication type Data encryption Hide network name Wireless wep key 1 Wireless wep key 2 Wireless wep key 3 Wireless wep key 4 Key number Profile name Pre shared key Disable Network associated wireless client communication 1 32 chars status name Profile VLAN id Wireless wep passphrase key Wireless we
171. point has detected Last Beacon The time stamp that indicates the time when the most recent beacon was detected 3 Click Save to export the list of unknown or known APs to a file A window opens so you can browse to the location where you want to save the file The default file name is macList txt If you wish you can now import the saved list into the Known AP List on the Rogue AP screen see Enable and Configure Rogue AP Detection on page 85 gt To view the Known AP Lists and save it to a file 1 Select Monitoring gt Rogue AP gt Known AP List The Known AP List screen displays Configuration Monitoring Maintenance Support System Wireless Stations Logs Statistics Packet Capture IDS IPS Unknown AP List Known AP List SLi ee Known AP List 802 11ng MAC Address SSID Channel 00 24 82 61 94 21 NG_1ig 1 00 17 31 23 09 0A Wireless C0 3F 0E 85 CB 00 ngwlan 2 3 OO 1F 33 D02 AD 82 EVA2000_mixed 1 4 s 00 18 F3 EF DB 84 Customer ID REFRESH Figure 53 2 Click Refresh to let the wireless access point discover the access points and populate the Known AP List for the configured wireless mode The following table explains the fields of the Known AP List screen Table 23 Known AP List fields Setting Description MAC Address The MAC address of the known AP SSID The SSID that the known AP is using Channel The channel that the known AP is using
172. ps 8 30 Mbps 9 60 Mbps 10 90 Mbps 11 120 Mbps 12 180 Mbps 13 240 Mbps 14 270 Mbps 15 300 Mbps 16 45 Mbps 17 90 Mbps 18 135 Mbps 19 180 Mbps 20 270 Mbps 21 360 Mbps 22 405 Mbps 23 450 Mbps and auto rate capable Data rates for a 40 MHz channel width and a long guard interval 800 ms 0 13 5 Mbps 1 27 Mbps 2 40 5 Mbps 3 54 Mbps 4 81 Mbps 5 108 Mbps 6 121 5 Mbps 7 135 Mbps 8 27 Mbps 9 54 Mbps 10 81 Mbps 11 108 Mbps 12 162 Mbps 13 216 Mbps 14 243 Mbps 15 270 Mbps 16 40 5 Mbps 17 81 Mbps 18 121 5 Mbps 19 162 Mbps 20 243 Mbps 21 324 Mbps 22 364 5 Mbps 23 405 Mbps and auto rate capable Supplemental Information 140 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 39 Technical specifications continued Feature Description 802 11a na operating frequencies e 5 180 5 240 GHz US lower frequencies e 5 260 5 320 GHz US middle frequencies e 5 180 5240 GHz CE EU lower frequencies e 5 260 5 320 GHz CE EU middle frequencies e 5 500 5 680 GHz CE EU upper frequencies 802 11 a na encryption e 64 bit 128 bit and 52 bit WEP e AES e TKIP Management and Other Specifications Network management e Remote configuration and management through the web management interface through SNMP or through Telnet or SSH with the command line interface CLI
173. ptional In the QoS Policies section of the screen select a QoS policy from the Incoming drop down list Outgoing drop down list or both Depending on your selection the policy is applied to incoming packets outgoing packets or both incoming and outgoing packets and is displayed in the Policy Details fields Note To be able to select a QoS policy you first need to have configured one or more policies see Configure Quality of Service Policies on page 112 7 Click Apply to save your settings Wireless Configuration and Security 52 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 A WARNING If you use a wireless computer to configure wireless security settings you are disconnected when you click Apply Reconfigure your wireless computer to match the new settings or access the wireless access point from a wired computer to make further changes gt To change the QoS policy selection on the Edit Security Profile screen 1 2 3 4 From the drop down list from which you want select another QoS policy select None Click Apply to remove the old policy from the security profile Select the new QoS policy from the same drop down list Click Apply to save your settings Configure an Open System with WEP or Shared Key with WEP Whether you use an open system with WEP or shared key with WEP configure the settings that are explained in the following table Open system with WEP An open system ca
174. r settings Configure Spanning Tree Protocol 802 1Q VLAN and Link Layer Discovery Protocol e Configure STP and VLANs e Configure Ethernet LLDP As part of the advanced system configuration you can enable the Spanning Tree Protocol STP configure the VLANs and enable Ethernet Link Layer Discovery Protocol LLDP Configure STP and VLANs STP provides network traffic optimization in locations where multiple wireless access points are active by preventing path redundancy NETGEAR recommends that you enable STP if you have more than one active wireless access point at your location The 802 1Q VLAN protocol on the wireless access point logically separates traffic on the same physical network Untagged VLAN When the wireless access point sends frames that are associated with the untagged VLAN from its Ethernet interface those frames are untagged When the wireless access point receives untagged frames over its Ethernet interface those frames are assigned to the untagged VLAN Advanced Configuration 103 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note Select the Untagged VLAN check box only if the hubs and switches on your LAN support the 802 1Q VLAN protocol Likewise change the untagged VLAN value only if the hubs and switches on your LAN support the 802 1Q VLAN protocol e Tagged VLAN When you clear the Untagged VLAN check box the wireless access point tags all frames that are sent from it
175. rame Spacing AIFS interval that specifies the wait time in milliseconds between data frames A higher AIFS value means a higher priority for a queue Valid values for AIFS are 0 through 8 The default values are Data 0 3 Data 1 7 Data 2 1 Data 3 1 cwMin Enter the minimum contention window cwMin value that specifies the upper limit in milliseconds of a range from which the initial random back off wait time is determined Decreasing this value increases the priority of the queue The value for cwMin needs to be lower than the value for cwMax Valid values are 0 1 3 7 15 31 63 127 255 511 and 1023 The default values are Data 0 15 Data 1 15 Data 2 7 Data 3 3 cwMax Enter the maximum contention window cwMax value that specifies the upper limit in milliseconds for the doubling of the random back off value Decreasing this value increases the priority of the queue The value for cwMax needs to be higher than the value for cwMin Valid values are 0 1 3 7 15 31 63 127 255 511 and 1023 The default values are Data 0 63 Data 1 1023 Data 2 15 Data 3 7 Advanced Configuration 111 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 32 EDCA settings continued Setting Description Max Burst Enter the maximum burst value that specifies the maximum burst length in microseconds allowed for packet bursts on the wireless network A packet bur
176. re and Enable Security Profiles on page 48 Data encryption Select the data encryption that you want to use The available options depend on the network authentication setting described earlier otherwise the default is None The data encryption settings are explained in Configure and Enable Security Profiles on page 48 Wireless client security separation If this feature is enabled the associated wireless clients using the same SSID are not able to communicate with each other This feature is useful for hotspots and other public access situations By default wireless client separation is disabled For more information see Configure and Enable Security Profiles on page 48 VLAN ID If this feature is enabled and if the network devices hubs and switches on your LAN support the VLAN 802 1Q standard the default VLAN ID for the wireless access point is associated with each profile The default VLAN ID needs to match the IDs that are used by the other network devices For more information see Configure and Enable Security Profiles on page 48 Some concepts and guidelines regarding the SSID are explained in the following list A basic service set BSS is a group of wireless stations and a single wireless access point all using the same security profile or service set identifier BSSID The actual identifier in the BSSID is the MAC address of the wireless radio A wireless radio can have multiple MAC addresses one for each security p
177. re version WNAP216_1 6 BETA2 6 country region unitedstates http redirect disable http redirect url http www netgear com spanning tree disable time zone usa pacif ic ssh disable telnet enable syslog disable Figure 36 Enter the login name and password admin and password are the defaults After successful login the gt prompt appears preceded by the name of the wireless access point In this example the prompt is netgear334408 Enter the CLI commands that you want to use You can enter show configuration to display the available CLI commands The CLI commands are also listed in Appendix B Command Line Reference Note You can also access the wireless access point remotely over a Telnet or SSH session using an application such as PuTTY if such an encryption application is allowed by law in your country After you have connected to the wireless access point enter the login name and password to access the CLI Upgrade the Wireless Access Point Software The software of the wireless access point is stored in flash memory and can be upgraded as NETGEAR releases new software You can download upgrade files from the NETGEAR website If the upgrade file is compressed zip file you first need to extract the image rmt file before sending it to the wireless access point You can send the upgrade file using your browser There are two methods to perform a software upgrade that are described in the following sections e
178. reless access point Change the Administrator Password The default password is password NETGEAR recommends that you change this password to a more secure password You cannot change the administrator login name admin The ideal password contains no dictionary words from any language and is a mixture of letters both uppercase and lowercase numbers and symbols Your password can be up to 30 characters gt To change the administrator password 1 Select Maintenance gt Password gt Change Password The Change Password screen displays Configuration Monitoring Maintenance i Reset Remote Management Upgrade Change Password Change Password Change Password Current Password eeccccce New Password Repeat New Password Restore Default Password O Yes No CANCEL APPLY Figure 43 2 Take one of the following actions e Enter a new password twice once in the New Password field and again in the Repeat New Password field e Next to Restore Default Password select the Yes radio button to restore the default password By default the No radio button is selected 3 Click Apply to save your settings If you have restored the default password the login password is password If you have configured a new password write it down in a secure place Management and Monitoring 74 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Manage User Accounts The admin user account
179. remium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 14 RADIUS server settings for IPv4 and IPv6 continued Setting Descriptions Secondary Authentication Server IPv4 Address or Enter the IP address of the secondary RADIUS server for IPv6 Address authentication The secondary RADIUS server is used when the primary RADIUS server is not available Port Enter the number of the UDP port on the wireless access point that is used to access the secondary RADIUS server for authentication The default port number is 1812 Shared Secret Enter the shared key that is used between the wireless access point and the secondary RADIUS server during authentication Primary Accounting Server IPv4 Address or IPv6 Address Enter the IP address of the primary RADIUS server for accounting Port Enter the number of the UDP port on the wireless access point that is used to access the primary RADIUS server for accounting The default port number is 1813 Shared Secret Enter the shared key that is used between the wireless access point and the primary RADIUS server during the accounting process Secondary Accounting Server IPv4 Address or IPv6 Address Enter the IP address of the secondary RADIUS server for accounting The secondary RADIUS server is used when the primary RADIUS server is not available Port Enter the number of the UDP port on the wireless access point that is used to
180. ress printed on the wireless adapter gt To restrict access based on MAC addresses 1 Select Configuration gt Security gt Advanced gt MAC Authentication The MAC Authentication screen displays The following figure shows some examples T Configuration Monitoring Maintenance Support System IP Wireless cur Wireless Bridge IDS IPS gt Profile Settings MAC Authentication Advanced Rogue AP MAL Authenticahur 802 11b ba ng 802 lia na MAC Authentication gt Radius Server Settings Turn Access Control On a Select Access Control Database Local MAC Address Database v Trusted Wireless Stations ADD DELETE Available Wireless Stations E MAC Address StationID MAC Address aa fe ja 10 C3 05 3C 60 68 MOYE C A1 82 C3 11 22 33 C A1 A2 A3 11 22 33 REFRESH CANCEL APPLY Figure 31 2 Optional To display the MAC Authentication screen for the 802 11a na modes click the 802 11a na tab 3 Select the Turn Access Control On check box to enable the access control feature 4 From the Select Access Control Database drop down list select one of the following database options e Local MAC Address Database The wireless access point uses the local MAC address database for access control This is the default setting e Remote MAC Address Database The wireless access point uses the MAC address database on an external RADIUS server on the LAN for access control If you select this database you first need to
181. rnet connection for example your cable modem to make sure that it is working correctly Troubleshoot a TCP IP Network Using the Ping Utility e Test the LAN Path to Your Wireless Access Point e Test the Path from Your Computer to a Remote Device Most TCP IP terminal devices and routers contain a ping utility that sends an echo request packet to the designated device The device then responds with an echo reply You can easily troubleshoot a TCP IP network by using the ping utility in your computer Troubleshooting 135 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Test the LAN Path to Your Wireless Access Point You can ping the wireless access point from your computer to verify that the LAN path to your wireless access point is set up correctly gt To ping the wireless access point from a computer running Windows 95 or later 1 From the Windows toolbar click the Start button and select Run 2 Inthe field provided type ping followed by the IP address of the wireless access point as in this example ping 192 168 0 100 3 Click OK You should see a message like this one Pinging lt IP address gt with 32 bytes of data If the path is working you see this message Reply from lt IP address gt bytes 32 time NN ms TTL xxx If the path is not working you see this message Request timed out If the path is not functioning correctly you could have one of the following problems e Wrong physical
182. rofile An extended service set ESS is a group of wireless stations and multiple wireless access points all using the same identifier ESSID Different wireless access points within an ESS can use different channels To reduce interference adjacent wireless access points should use different channels Roaming is the ability of wireless stations to connect wirelessly when they physically move from one BSS to another one within the same ESS The wireless station automatically changes to the wireless access point with the least interference or best performance Wireless Configuration and Security 45 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Before You Change the SSID WEP and WPA Settings For a new wireless network print or copy one of the following forms and fill in the settings For an existing wireless network the network administrator can provide this information Be sure to set the country or region correctly as the first step Form for 802 11b bg ng Modes Print this page and store the security information in a safe place SSID The service set identifier SSID identifies the wireless local area network You can customize it by using up to 32 alphanumeric characters Write your SSID on the line SSID The SSID in the wireless access point is the SSID you configure on the wireless adapter card All wireless nodes in the same network need to be configured with the same SSID WEP key size an
183. rtual access points 109 version software 79 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 video traffic advanced QoS 110 WMM QoS 63 virtual access points VAPs 109 virtual carrier attack 92 VLANs DHCPv4 server VLAN ID 27 DHCPV6 server VLAN ID 102 identifiers IDs 45 52 tagged untagged and management enabling 103 VoIP voice over IP traffic advanced QoS 110 WMM QoS 62 W web browsers recommended 22 web management interface described 22 troubleshooting 134 WEP wired equivalent privacy configuring 51 53 types of encryption 43 WEP legacy 802 1X configuring 51 54 WIDS wireless intrusion detection system 10 89 Wi Fi Multimedia WMM 9 62 63 Wi Fi Protected Access WPA WPA2 and mixed mode adapter restrictions 51 PSK pre shared key configuring with 52 56 RADIUS configuring with 51 55 types of encryption 44 WINS servers 28 103 WIPS wireless intrusion prevention system 10 89 wired equivalent privacy WEP configuring 51 53 types of encryption 43 wireless adapters 802 11b g n and 802 11a n 19 wireless bridging modes 118 wireless clients associated number of 85 monitoring 80 separating 45 52 trusted 61 wireless connection losing 61 wireless equipment placement and range 17 wireless IDS IPS 10 89 wireless interface rate limiting and burst rate 117 wireless intrusion detection system WIDS and wireless intrusion prevention system WIPS 10 89 wireless location 24 wirele
184. s Ethernet interface Only incoming frames that are tagged with known VLAN IDs are accepted e Management VLAN The management VLAN can be active only when the wireless access point functions as a point to point or point to multipoint bridge see Configure Wireless Bridging on page 118 The management VLAN is used for managing traffic Telnet SNMP and HTTP to and from the wireless access point Frames belonging to the management VLAN are not given any 802 1Q header when they are sent over the trunk If a port is in a single VLAN it can be untagged However if the port is a member of multiple VLANs it needs to be tagged gt To configure STP and VLANs 1 Select Configuring gt System gt Advanced gt General The advanced General system settings screen displays Configuration Monitoring Maintenance Support IP Wireless Security Wireless Bridge IDS IPS Basic General Advanced General Hotspot Spanning Tree Protocol O Enable Disable Spanning Tree Protocol Syslog Ethernet LLDP 802 10 VLAN User Accounts Untagged LAN Management LAN CANCEL APPLY Figure 61 Advanced Configuration 104 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 2 Specify the settings as explained in the following table Table 30 STP and VLAN settings Setting Description Spanning Tree Protoco Spanning Tree Protocol Select the Enable radio bu
185. s beacon period in TU 1024 us Wireless channel depends on country and wireless mode Wireless channel width Wireless DTIM period in beacon interval Wireless fragmentation threshold even only Interval from interference from other transmissions Add known access point Delete known access point Add wireless access control ACL Delete wireless access control ACL database Delete wireless access control ACL Transmit data rate Enable wireless access control ACL Wireless operation mode Wireless transmit power Wireless preamble only effect on 802 11b rates Enable wireless radio Wireless transmission date rate Enable successive frame transmission at different transmit powers Enable rogue access point detection Wireless RTIS CTS threshold IEEE802 11d status Client isolation status Create QoS Quality of service policy Create Qos Quality of service classification Delete QoS Quality of service policy Delete Qos Quality of service classification Create security profile lst security profile Wireless authentication type Data encryption Hide network name Wireless wep key 1 Wireless wep key 2 Wireless wep key 3 Wireless wep key 4 Key number Profile name Pre shared key Disable associated wireless client communication Network name 1 32 chars Profile status VLAN id
186. sabled Rogue AP detection policy Moderate MAC authentication Disabled RADIUS servers None RADIUS authentication port number 1812 RADIUS shared secret sharedsecret RADIUS accounting port number 1813 RADIUS reauthentication time 3600 seconds RADIUS update of the global key 1800 seconds IDS IPS Disabled IDS IPS policies Preconfigured policies see Table 24 on page 89 all disabled IDS IPS detection policy Moderate IDS IPS mail settings Blank Supplemental Information Command Line Reference The wireless access point can be configured through either the command line interface CLI a web browser or a MIB browser The CLI allows viewing and modification of the configuration from a terminal or computer through a Telnet or SSH connection Keyword Description backup configuration Backup configuration config gt Configuration setting apname Access point name country Country region dhcpv4 gt DHCPv4 server dns server DNS server gateway Default gateway ip address IP range lease time Lease time status Status vlan id Vlan id subnet mask Subnet mask wins server WINS server dhcpv6 gt DHCPv6 server dns server DNS server gateway Default gateway ip address IP range prefixlen Prefixlen of IP status Status vlan id Vlan id state State wins server WINS server http redirect Ena
187. ss N Access Point WNDAP620 Table 36 Point to point bridge profile and authentication settings continued Setting Description Network Authentication and Data Encryption continued Open System Although you can use the bridge communication without any authentication and encryption NETGEAR recommends that you use WEP if you do select an open system From the Data Encryption drop down list select one of the following e None No authentication and encryption e 64 bit WEP Standard WEP encryption using 40 64 bit encryption e 128 bit WEP Standard WEP encryption using 104 128 bit encryption e 152 bit WEP Proprietary WEP encryption mode using 128424 bit encryption This mode functions only with other wireless stations that support this mode WPA PSK TKIP Temporal Key Integrity Protocol is the standard encryption method used with WPA PSK and the only selection possible from the Data Encryption drop down list In the WPA Passphrase Network Key field enter a passphrase The passphrase length needs to be between 8 and 63 characters inclusive WPA2 PSK AES Advanced Encryption Standard is the standard encryption method used with WPA2 PSK and the only selection possible from the Data Encryption drop down list In the WPA Passphrase Network Key field enter a passphrase The passphrase length needs to be between 8 and 63 characters inclusive Note NETGEAR recommends WPA2 PSK auth
188. ss modes 2 4 GHz band 29 5 GHz band 32 monitoring 80 wireless network name SSID broadcasting 50 broadcasting and security 43 broadcasting for 802 11a na modes 33 broadcasting for 802 11b bg ng modes 30 matching 19 wireless packets and bytes transmitted and received 84 wireless radio turning off 2 4 GHz radio 29 5 GHz radio 32 scheduling 61 wireless security options 42 wireless specifications 139 wireless stations associated number of 85 monitoring 80 separating 45 52 trusted 61 WLAN LED behavior 21 described 12 troubleshooting 133 WMM Wi Fi Multimedia 9 62 63 WPA Wi Fi Protected Access WPA2 and mixed mode adapter restrictions 51 PSK pre shared key configuring with 52 56 RADIUS configuring with 51 55 types of encryption 44 172
189. ss phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 4 gt 4th security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared key security separation Disable associated wireless client communication ssid Network name 1 32 chars status Profile status vlan id VLAN id wep pass phrase Wireless wep passphrase key wepkeytype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy 9 gt 5th security profile authentication Wireless authentication type encryption Data encryption hide network name Hide network name keyl Wireless wep key 1 key2 Wireless wep key 2 key3 Wireless wep key 3 key4 Wireless wep key 4 keyno Key number name Profile name presharedkey Pre shared k
190. st is a collection of multiple frames transmitted without header information Decreasing this value increases the priority of the queue Valid values for maximum burst length are all multiples of 32 between 0 and 8192 inclusive of 0 and 8192 The default values are Data 0 0 Data 1 0 Data 2 3008 Data 3 1504 Station EDCA parameters AIFS Enter the Arbitration Inter Frame Spacing AIFS interval that specifies the wait time in milliseconds between data frames A higher AIFS value means a higher priority for a queue Valid values for AIFS are 0 through 8 The default values are Data 0 3 Data 1 7 Data 2 2 Data 3 2 cwMin Enter the minimum contention window cwMin value that specifies the upper limit in milliseconds of a range from which the initial random back off wait time is determined Decreasing this value increases the priority of the queue The value for cwMin needs to be lower than the value for cwMax Valid values are 0 1 3 7 15 31 63 127 255 511 and 1023 The default values are Data 0 15 Data 1 15 Data 2 7 Data 3 3 cwMax Enter the maximum contention window cwMax value that specifies the upper limit in milliseconds for the doubling of the random back off value Decreasing this value increases the priority of the queue The value for cwMax needs to be higher than the value for cwMin Valid values are 0 1 3 7 15 31 63 127 255 511 and 1023 The default values are Data
191. standard encryption method used with WPA PSK and the only selection possible from the Data Encryption drop down list In the WPA Passphrase Network Key field enter a passphrase The passphrase length needs to be between 8 and 63 characters inclusive WPA2 PSK AES Advanced Encryption Standard is the standard encryption method used with WPA2 PSK and the only selection possible from the Data Encryption drop down list In the WPA Passphrase Network Key field enter a passphrase The passphrase length needs to be between 8 and 63 characters inclusive Note NETGEAR recommends WPA2 PSK authentication with AES encryption if you want to use the 11n rates and speed h Click Apply to save your security profile settings The Bridging screen displays again Repeat Step c through Step h for any other security profile that you want to edit Advanced Configuration 124 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 For example first configure security profile NETGEAR WDS 1 with the MAC address of AP2 and then configure security profile NETGEAR WDS 2 with the MAC address of AP3 see Figure 70 on page 122 Activate the wireless access point AP1 on LAN Segment 1 in Figure 70 on page 122 as a point to multipoint bridge that is it is the master in the wireless network a On the Bridging screen select the Enable Wireless Bridging check box b Select the Wireless Point to Multi Point Bridg
192. t bridge mode AP2 requires a security profile for AP1 and another one for AP3 AP1 a AP2 Multipoint AP3 bridge mode repeating only Multipoint bridge mode Router repeating only PP an Multipoint 192 168 0 1 bridge mode ICI repeating only LAN PCs Segment 1 Hub or switch LAN JII Segment 3 rcs Figure 73 Advanced Configuration 126 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 gt To configure the wireless access point to repeat the wireless signal 1 Configure the security profiles on the wireless access point AP2 in the previous figure a Select Configuration gt Wireless Bridge The Bridging screen displays see the following figure b Optional To display the Bridging screen for the 802 11a na modes click the 802 11a na tab c Select the Enable Wireless Bridging check box The Local MAC Address field is a nonconfigurable field that shows the MAC address of the wireless access point d Select the Wireless Point to Multi Point Bridge radio button The screen adjusts T Configuration Monitoring Maintenance Support System IP Wireless Security I id IDS IPS Bridging Bridging 802 11b bg ng 802 11a na Enable Wireless Bridging Local MAC Address 90 44 DE 44 F4 40 Wireless Point to Point Bridge wireless Point to Multi Point Bridge Enable Wireless Client Association CH Profile Name Security Enable 1 NETGEAR WDS 1 Open System 2 NETGEAR WDS 2 Open System 3 NETGEAR WD
193. t midspan or end span source can supply power to the wireless access point over its Ethernet port Autosensing Ethernet connection with Auto Uplink interface Connects to 10 100 1000 Mbps IEEE 802 3 Ethernet networks LED indicators Power Test Active LAN and WLAN for each radio mode are easily identified VLAN security profiles Each security profile is automatically allocated a VLAN ID when the security profile is modified Introduction 10 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 802 11b g n and 802 11a n Standards Based Wireless Networking The wireless access point provides a bridge between wired Ethernet LANs and 802 11b g n and 802 11a n compatible wireless LAN networks It provides connectivity between wired Ethernet networks and radio equipped wireless notebook systems desktop systems print servers and other devices In addition the wireless access point supports the following wireless features e Aggregation support e Reduced InterFrame spacing support e 3x3 multiple input multiple output MIMO support e Distributed coordinated function CSMA CA back off procedure ACK procedure retransmission of unacknowledged frames e RTS CTS handshake e Beacon generation e Packet fragmentation and reassembly e Auto or long preamble e Roaming among wireless access points on the same subnet Autosensing Ethernet Connections with Auto Uplink The wireless access point can connect to a s
194. tandard Ethernet network The LAN interface is autosensing and capable of full duplex or half duplex operation The wireless access point incorporates Auto Uplink technology The Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub That port then configures itself correctly This feature also eliminates any concerns about crossover cables as Auto Uplink accommodates either type of cable to make the right connection Hardware Description This section describes the top and rear hardware functions of the wireless access point e Top Panel e Rear Panel e Bottom Panel with Product Label Top Panel The LEDs of the wireless access point are described in the following figure and table Introduction 11 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Figure 1 Table 1 Top panel LEDs Item LED Description 1 1 Power Test Off Power is off On green Power is on Amber then blinking A self test is running or software is being loaded green During startup the LED is first steady amber then goes off and then blinks green before turning steady green after about 45 seconds If after 1 minute the LED remains amber or continues to blink green it indicates a system fault 2 4 Active Off No Ethernet traffic is detected or no
195. ted MAC Protocol Data Unit frames 109 antennas connecting external 13 enabling internal or external 109 external orientation 18 Arbitration Inter Frame Spacing AIFS interval 111 associated identifier AID 82 association flood and table overflow 89 90 associations wireless clients 85 attacks detecting and preventing 89 monitoring 96 authentication network 45 RADIUS servers 57 58 authentication flood and failure attack 89 90 autosensing over Ethernet 10 background traffic advanced QoS 110 WMM QoS 63 backing up 70 basic service set BSS 45 basic service set identifier BSSID ad hoc networks 98 configuring 48 57 described 8 43 44 monitoring 81 beacon interval 109 beacons unknown access points 87 best effort traffic advanced QoS 110 WMM QoS 63 bits per second QoS policies 116 117 bridging modes wireless 118 broadcast packets transmitted and received 85 broadcasting wireless network names SSIDs 802 11a na modes 33 802 11b bg ng modes 30 security 43 browsers recommended 22 BSS basic service set 45 BSSID basic service set identifier ad hoc networks 98 configuring 48 57 described 8 43 44 monitoring 81 166 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 burst rate QoS policies 116 117 bytes received and transmitted Ethernet connection 84 wireless connection 82 C capturing packets 138 Carrier Sense Multiple Access CSMA 108 Category 5 Ethernet cable
196. tency 5 Voice lt 10 ms Latency 6 Network Conirol 7 6 Optional Specify rate limiting for the classification as explained in the following table Table 34 Classification rate limiting settings Setting Description Bits Per Sec Enter a value between 0 and 300 000 000 bps to specify the maximum data rate up to which packets that match the classification are queued for transmission and sent immediately over the wireless interface This value applies only to traffic that matches the classification Classification Note When the maximum rate is exceeded packets are retained in Rate Limiting the queue and sent when the transmission falls below the maximum rate again Burst Rate Enter a value between 0 and 37 500 000 bytes to specify the maximum Bytes amount of data that can be transmitted in a burst for packets that match the classification This value applies only to traffic that matches the classification 7 Click Add to add the classification to the Classifications field 8 To add another classification to the QoS policy repeat Step 5 Step 6 and Step 7 9 Click Apply to save your settings The QoS policy is saved Advanced Configuration 116 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note Rate limiting for the wireless interface is an optional setting that applies to all traffic on the wireless interface Unlike classification rate limiting which you
197. the master rather than to the other wireless access points Use wireless security to protect this communication For each wireless access point that you want the master to be able to connect to you need to configure a security profile with a unique name and the MAC address of the wireless access point You can configure up to four such security profiles NETGEAR WDS 1 NETGEAR WDS 2 and so on The following figure shows an example in which AP1 functions in point to multipoint bridge mode and AP2 and AP3 function in point to point bridge mode AP2 o AP3 Wireless PC card Point to point Point to point in a notebook computer bridge mode bridge mode f Router Hub or switch INTERNET 192 168 0 1 jm LAN a J Segment 2 LAN PCs Segment 3 LAN Segment 1 Figure 70 gt To configure a point to multipoint wireless network 1 Configure the security profiles on the wireless access point AP1 on LAN Segment 1 in the previous figure a Select Configuration gt Wireless Bridge The Bridging screen displays The following figure shows the screen after you have completed Step d Advanced Configuration 122 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Configuration Monitoring Maintenance Support System IP Wireless Security rid IDS IPS Bridging Bridging 802 11b bg ng 802 11a na Enable Wireless Bridging K Local MAC Address 90 A4 DE 4A F4 40 Wireless Point to Point
198. tion against this attack Trap Disassociation flood Attack Multiple disassociation frames 5 or more that use the spoofed MAC address of the wireless access point are sent to a legitimate client Result The client is disconnected from the wireless access point Note The IDS detects this attack but the IPS does not take action against this attack Trap Malformed 802 11 packets detected Detection Multiple malformed packets 5 or more are sent to the wireless access point Result Clients behave unexpectedly or crash Solution The wireless access point drops the malformed packets Trap Management and Monitoring 90 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 24 IDS IPS policies and policy rules continued Policy Description Policy Rule Threshold Notification EAPOL start attack Attack Multiple EAPOL start frames 5 or more are sent to the wireless access point to initiate the RADIUS authentication process for clients e Result Wireless service is disrupted Solution The wireless access point determines if the legitimate clients have already been authenticated before processing EAPOL start frames 5 Trap EAPOL logoff attack Attack Several EAPOL logoff frames 2 or more that use the spoofed MAC address of a legitimate client are sent to the wireless access point to terminate a RADIUS authenticated sessi
199. tion Rate Limiting Bits Per Sec 0 300000000 Burst Rate Bytes 0 37500000 Interface Rate Limiting Bits Per Sec 0 300000000 Burst Rate Bytes 0 37500000 Figure 66 2 Optional To configure the QoS Policies screen for the 802 11a na modes click the 802 11a na tab 3 From the Create Policy drop down list select NEW If you have not created any QoS policies NEW is the only selection possible 4 Inthe Policy Name field enter a name for the new QoS policy 5 Specify a classification for the QoS policy as explained in the following table Advanced Configuration 113 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Note Depending on your selection from the Match Frame Fields drop down list Match Classifications appears either as a drop down list from which you need to make a selection or a field in which you need to enter information Table 33 QoS classification settings Setting Description Match Frame IP DCSP From the Match Classifications drop down list select the DSCP traffic Fields and Match class against which the information in the IP header needs to be Classifications matched Routine 0 e Priority 1 Immediate 2 Flash 3 Flash Override 4 e Critic CCP 5 Inter Control 6 e Network Control 7 IP Precedence From the Match Classifications drop down list select the DSCP marking against which the information in the IP header needs to be matche
200. tions described in this user s guide may not be available in your version of the product Europe EU Declaration of Conformity CEO Marking by the above symbol indicates compliance with the Essential Requirements of the R amp TTE Directive of the European Union 1999 5 EC This equipment meets the following conformance standards EN300 328 2 4 GHz EN301 489 17 EN301 893 5 GHz EN60950 1 For complete DoC please visit the NETGEAR EU Declarations of Conformity website at http support netgear com app answers detail a_id 11621 EDOC in Languages of the European Community Language Statement Cesky Czech NETGEAR Inc t mto prohla uje ze tento Radiolan je ve shode se z kladn mi po adavky a dal mi pr slu n mi ustanoven mi smernice 1999 5 ES Dansk Danish Undertegnede NETGEAR Inc erkl rer herved at f lgende udstyr Radiolan overholder de v sentlige krav og vrige relevante krav i direktiv 1999 5 EF Deutsch Hiermit erkl rt NETGEAR Inc dass sich das Ger t Radiolan in bereinstimmung mit den German grundlegenden Anforderungen und den brigen einschl gigen Bestimmungen der Richtlinie 1999 5 EG befindet Eesti Estonian K esolevaga kinnitab NETGEAR Inc seadme Radiolan vastavust direktiivi 1999 5 EU p hin uetele ja nimetatud direktiivist tulenevatele teistele asjakohastele s tetele English Hereby NETGEAR Inc declares that this Radiolan is in compliance with the essential requireme
201. tocol values is available at http www iana org assignments protocol numbers protocol numbers xml Ether Type In the Match Classifications field enter the Ether type value against which the information in the IP header needs to be matched A list of Ether type values is available at http standards ieee org develop regauth ethertype eth txt Source MAC In the Match Classifications field select or enter the source MAC address against which the information in the IP header needs to be matched To select the MAC address of a wireless client that is connected to the wireless access point 1 Select the radio button to the left of the Match Classifications drop down list 2 From the drop down list select a MAC address To enter a MAC address 1 Select the radio button to the right of the Match Classifications drop down list 2 Inthe field to the right of the radio button enter a MAC address Destination MAC In the Match Classifications field select or enter the destination MAC address against which the information in the IP header needs to be matched To select the MAC address of a wireless client that is connected to the wireless access point 1 Select the radio button to the left of the Match Classifications drop down list 2 From the drop down list select a MAC address To enter a MAC address 1 Select the radio button to the right of the Match Classifications drop down list 2 Inthe
202. toration process do not try to go online turn off the wireless access point shut down the computer or do anything else to the wireless access point until it finishes restarting To restore the factory default settings using the web management interface 1 Select Maintenance gt Reset gt Restore Defaults The Restore Defaults screen displays Configuration Monitoring Maintenance Password Remote Management Upgrade Reboot AP Restore Defaults Restore Defaults Restore Defaults Restore to factory default settings O Yes No CANCEL APPLY Figure 41 2 Select the Yes radio button By default the No radio button is selected 3 Click Apply to reset the wireless access point to the factory default settings During the restoration process the wireless access point automatically restarts The restoration process typically takes about 1 minute When the Test LED turns off wait a few more seconds before doing anything with the wireless access point Management and Monitoring 72 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Use the Reset Button to Restore Factory Default Settings To restore the factory default settings when you do not know the login user name login password or IP address you need to use the Reset button on the rear panel of the wireless access point see Figure 2 on page 13 gt To restore the factory default settings using the Reset button 1 Using a sharp obje
203. ts 8 T tagged VLAN 104 TCP IP network troubleshooting 135 technical specifications 139 technical support 2 Telnet enabling 66 Temporal Key Integrity Protocol TKIP 44 56 57 TFTP server upgrade procedure 69 time and time zone configuring 24 troubleshooting 137 time out error 135 TKIP Temporal Key Integrity Protocol 44 56 57 TKIP AES WPA amp WPA2 mixed mode 56 57 top panel 11 trademarks 2 traffic advanced QoS 110 patterns analyzing 138 statistics 83 WMM QoS 62 traffic classes QoS policies 116 transmission opportunity TXOP limit 112 transmission output power 2 4 GHz radio 31 5 4 GHz radio 34 traps IDS IPS 89 SNMP 65 troubleshooting basic functioning 132 browser configuration 134 capturing packets 138 date 137 Internet and LAN connection 134 IP addresses requirements 19 LAN path 136 LEDs 132 network configuration 136 path to remote device 137 physical connections 136 pinging 134 135 PoE connection 132 power cord 133 TCP IP settings 134 time and time zone 137 time out error 135 trusted wireless stations 61 turning off 2 4 GHz radio 29 5 GHz radio 32 scheduling wireless radio 61 Tx sequence 82 TXOP transmission opportunity limit 112 U unauthenticated association 90 unauthorized changes 93 unicast packets encryption methods 56 transmitted and received 84 untagged VLAN 103 upgrading software 68 URLs redirecting 106 user accounts 75 user name default 22 142 V VAPs vi
204. ts set forth for an uncontrolled environment This equipment should be installed and operated with minimum distance of 23 cm between the radiator and your body This device and its antenna s must not be co located or operation in conjunction with any other antenna or transmitter FCC Declaration of Conformity We NETGEAR Inc 350 East Plumeria Drive San Jose CA 95134 declare under our sole responsibility that the ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 complies with Part 15 Subpart B of FCC CFR47 Rules Operation is subject to the following two conditions e This device may not cause harmful interference and e This device must accept any interference received including interference that may cause undesired operation FCC Radio Frequency Interference Warnings amp Instructions This device complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference that may cause undesired operation This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This equipment uses and can radiate radio frequency energy and if not installed and used in accordance with the instr
205. tton to enable STP to prevent path redundancy By default the Disable radio button is selected 802 1Q VLAN Untagged VLAN Select the Untagged VLAN check box to configure one VLAN as an untagged VLAN By default the Untagged VLAN check box is selected Specify a VLAN ID The default VLAN ID is 1 Management VLAN Specify an ID for the VLAN from which the wireless access point can be managed The default VLAN ID is 1 Note If you configure the management VLAN ID as 0 zero the wireless access point can be managed over any VLAN and frames that belong to the management VLAN are not tagged with an 802 1Q header when sent over the trunk A WARNING Selecting the Untagged VLAN check box or changing the untagged VLAN value causes loss of IP connectivity if the hubs and switches on your LAN have not yet been configured with the corresponding VLAN 3 Click Apply to save your settings Configure Ethernet LLDP Link Layer Discovery Protocol LLDP IEEE 802 1ab is a management tool that delivers link layer messages to adjacent network devices For example LLDP messages enable networking devices such as switches and management tools to discover the wireless access point in the network and might indicate whether the wireless access point receives power through a PoE connection LLDP is intervendor compatible By default LLDP is enabled on the wireless access point gt To turn off LLDP 1 Select Configur
206. tuation the transmitting station sends an RTS packet to the receiving station and waits for the receiving station to return a Clear to Send CTS packet before sending the actual packet data Fragmentation Length 256 2346 Enter the maximum packet size that is used for the fragmentation of data packets Packets that are larger than the specified fragmentation length are broken up into smaller packets before being transmitted The fragmentation length needs to be an even number The default setting is 2346 Advanced Configuration 108 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 31 Advanced wireless settings continued Setting Description Beacon Interval 100 1000 Enter the interval between 100 ms and 1000 ms for each beacon transmission which allows the wireless access point to synchronize the wireless network The default setting is 100 Aggregation Length 1024 65535 Note This setting does not apply to the 802 11a mode Enter the maximum length of aggregated MAC protocol data unit A MPDU packets Larger aggregation lengths could lead to better network performance Aggregation is a mechanism used to achieve higher throughput The default setting is 65535 AMPDU Note This setting does not apply to the 802 11b bg modes and the 802 11a mode Select the Enable radio button to allow the aggregation of several MAC frames into a single large frame to
207. u access to the NETGEAR customer support site which will bilow you to view your support history and purchase extended warrany options Figure 5 Enter the information in the blank fields The serial number model number and date of purchase are entered automatically Click Register The registration web page displays Introduction 15 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 NETGEAR Change Language Products Registration Customer Service Service Offerings Discussion Forums Support Home NETGEAR com Home gt Service Portal Search KB for Answers Register your product and be eligible for offers and other exclusive Ask any question or about a upgrades from Netgear model or feature ie Please complete the form below to register your product Last name Telephone Country Email Product Serial number Date purchased 1 _ vjan v 2012 s e Where do you generally purchase your products Store vendor name 1 wish to receive email communication from NETGEAR I wish to be a part of 7 w the NETGEAR beta program Yes M Yes If you enter valid email address you will be sent a username and password giving you access to the NETGEAR customer support site which will allow you to view your support history and purchase extended warranty options sht 1996 112 NETGEAR Contact Us Home Privacy Policy ental Factor Figure
208. ual Band Wireless N Access Point WNDAP620 2 Configure the settings as explained in the following table Table 2 Basic general system settings Setting Description Access Point Name _ This unique name is the wireless access point NetBIOS name The name is printed on the rear label of the wireless access point The default is netgearxxxxxx in which XXXXXX represents the last 6 digits of the wireless access point MAC address You can replace the default name with a unique name up to 15 characters long The access point name can be retrieved through SNMP Country Region From the Country Region drop down list select the country where the wireless access point is installed Note It might not be legal to operate this wireless access point in a region other than one of those identified in this field 3 Click Apply to save your settings gt To configure time settings 1 Select Configuration gt System gt Basic gt Time The Time screen displays f Configuration Monitoring Maintenance Support IP Wireless Security Wireless Bridge IDS IPS Basit Time General gt Timo Advanced Time Zone USA Pacific Current Time Mon Aug 6 13 26 13 PDT 2012 NTP Client Enable Disable Use Custom NTP Server o Hostname IP Address time b netgear corm Time Settings CANCEL Figure 12 2 Configure the settings as explained in the following table Table 3 Time system settings
209. uctions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following methods e Reorient or relocate the receiving antenna e Increase the separation between the equipment and the receiver e Connect the equipment into an electrical outlet on a circuit different from that which the radio receiver is connected e Consult the dealer or an experienced radio TV technician for help FCC Caution Any changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate this equipment Notification of Compliance 163 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 e This transmitter must not be co located or operating in conjunction with any other antenna or transmitter For operation within 5 15 5 25GHz frequency range it is restricted to indoor environment This device meets all the other requirements specified in Part 15E Section 15 407 of the FCC Rules e This device complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must ac
210. ucts such as Windows XP but the data is still exposed For information about how to turn off broadcast of the SSID see Configure and Enable Security Profiles on page 48 e WEP Wired Equivalent Privacy WEP data encryption provides data security WEP shared key authentication and WEP data encryption block all but the most determined eavesdropper This data encryption mode has been superseded by WPA PSK and WPA2 PSK For information about how to configure WEP see Configure and Enable Security Profiles on page 48 and Configure an Open System with WEP or Shared Key with WEP on page 53 e Legacy 802 1X Legacy 802 1X uses RADIUS based 802 1x authentication but no data encryption For information about how to configure Legacy 802 1X see Configure and Enable Security Profiles on page 48 and Configure Legacy 802 1X on page 54 Wireless Configuration and Security 43 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 e WPA and WPA PSK TKIP Wi Fi Protected Access WPA data encryption provides strong data security with Temporal Key Integrity Protocol TKIP encryption The very strong authentication along with dynamic per frame rekeying of WPA makes it virtually impossible to compromise WPA uses RADIUS based 802 1x authentication for more information see Configure and Enable Security Profiles on page 48 and Configure WPA with RADIUS WPA2 with RADIUS and WPA amp WPA2 with RADIUS on page 55 WPA PSK uses a pre shared ke
211. ue AP Detection 065 85 View and Save Access Point Lists 0 00 000 e ee eaeee 87 Configure Wireless Intrusion Detection and Prevention 89 Configure Wireless Intrusion Detection and Prevention Policy Settings 89 Configure Wireless Intrusion Detection and Prevention Mail Settings 95 Monitor Traps Counters and Ad Hoc Networks 200 96 Chapter 5 Advanced Configuration Configure IPv6 Settings and Optional DHCPv6 Server Settings 99 Configure the IPv6 Settings 000 cece eee eee 99 Configure the Optional DHCPv6 Server 00e eee eee 101 Configure Spanning Tree Protocol 802 1Q VLAN and Link Layer Discovery Protocol ccisccsd see eias ieee ed easdened eas 103 Configure STP and VLANS j cccn an cda ke ean en ec caw cana we acaad 103 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Wonnigure Ethene LLDP ys 234 say dow edhe eeidysedes ede quad ies 105 Configure Hotspot Settings 0 0 cece eee eee 106 Configure Advanced Wireless Settings 0 0 00 cece eee 107 Configure Advanced Quality of Service Settings 110 Configure Quality of Service Policies 20 0 0 cee ene 112 Configure Wireless Bridging 0 000 cece cece e eee 118 Configure a Point to Point Wireless Network 118 Configure a Point to Multipoint Wireless Network 122 Configure the Wire
212. uire high throughput can use this queue The WMM Powersave feature saves power for battery powered equipment by increasing the efficiency and flexibility of data transmission Note For information about how to configure advanced wireless QoS that is to configure specific Enhanced Distributed Channel Access EDCA settings see Configure Advanced Quality of Service Settings on page 110 gt To configure basic wireless QoS 1 Select Configuration gt Wireless gt Basic gt QoS Settings The basic QoS Settings screen displays Configuration Monitoring Maintenance Support System IP Security Wireless Bridge IDS IPS v Basic QoS Settings Wireless Settings Wireless On Off QoS Settings gt Advanced Qos Settings 802 11b bg ng 802 11a na Enable Wi Fi Multimedia WMM Enable Disable WMM Powersave Enable Disable CANCEL APPLY Figure 33 2 Optional To display the basic QoS Settings screen for the 802 11a na modes click the 802 11a na tab 3 Enable or disable the WMM features e Enable Wi Fi Multimedia WMM To enable this feature select the Enable radio button which is the default setting Select the Disable radio button to disable the feature WMM Powersave To enable this feature select the Enable radio button which is the default setting Select the Disable radio button to disable the feature 4 Click Apply to save your settings Wireless Configuration and Security
213. ult setting is Auto Note It should not be necessary to change the wireless channel unless you experience interference indicated by lost connections or slow data transfers If this happens you might want to experiment with different channels to see which is the best For more information see Operating Frequency Channel Guidelines on page 19 Note For more information about available channels and frequencies see Technical Specifications on page 139 11ng mode only MCS Index Data From the drop down list select a Modulation and Coding Rate Scheme MCS index and transmit data rate for the wireless Note For most network The default setting is Best For a list of all options networks the default that you can select from in 11ng mode see Factory Default settings work fine Settings on page 142 Channel Width From the drop down list select a channel width The options are Dynamic 20 40 MHz 20 MHz and 40 MHz The default is 20 MHZ A wider channel improves the performance but some legacy devices can operate only in either 20 MHz or 40 MHz Guard Interval From the drop down list select the guard interval to protect transmissions from interference The default is Auto or you can select Long 800 ns Some legacy devices can operate only with a long guard interval Installation and Basic Configuration 30 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 6 Basic 2 4 GHz band
214. unity trap server SNMP TrapServer IP address Command Line Reference 158 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 write community SNMP WriteCommunity spanning tree Enable spanning tree protocol time gt Time Setting custom ntp server Custom NTP server host name ntp client NTP client host name ntp server NTP server host name time zone Time zone vlan gt VLAN settings management vlan VLAN management id untagged vlan Untagged VLAN id untagged vlan status Untagged vlan status exit Logout from CLI file firmware upgrade Upload new system firmware file from httpd server firmware upgrade tftp Upload new system firmware file from tftpd server password System password reboot System reboot restore configuration Restore system configuration restore default password Restore default system password restore factory default Restore default system configurations show gt Show system settings configuration Show system configuration interface gt Show wireless lan interface eth gt Ethernet interface statistics Show ethernet statistics wlan gt Wlan interface settings 2 4GHz gt 2 4GHz wlan interface settings configuration Interface configuration statistics Interface statistics stationlist Stabion List trusted stationlist Trusted station list knownaplist Known ac
215. upport m IP Wireless Security Wireless Bridge IDS IPS gt Basic Hotspot Advanced Hotspot Settings General gt Hotspot HTTP Redirect O Enable Disable Syslog Redirect URL http www netgear com Ethernet LLDP User Accounts CANCEL APPLY Figure 63 2 To enable HTTP redirection select the Enable radio button By default the Disable radio button is selected 3 In the Redirect URL field enter the URL of the web server to which you wish to redirect HTTP requests 4 Click Apply to save your settings All HTTP requests are now redirected to the specified URL Configure Advanced Wireless Settings Use the advanced Wireless Settings screen to configure and enable various WLAN settings for the 802 11b bg ng or 802 11a na modes You can configure the settings only for the active mode For information about how to change the wireless mode see Configure the Basic Wireless Settings on page 28 The default WLAN settings normally work well However you can use the advanced settings to fine tune the overall performance of the wireless access point for your specific environment gt To configure advanced wireless settings 1 Select Configuration gt Wireless gt Advanced gt Wireless Settings The advanced Wireless Settings screen displays The following figure shows the 11ng settings as indicated by the radio wave icon that is displayed next to ng Advanced Configuration 107
216. ur computer s Network Control Panel Verify that the IP address of the router is listed as the default wireless access point Check to see that the network address of your computer the portion of the IP address specified by the netmask is different from the network address of the remote device Check that your cable or DSL modem is connected and functioning If your ISP assigned a host name to your computer enter that host name as the account name in the basis General system settings screen see Configure Basic General System Settings and Time Settings on page 23 Problems with Date and Time The Time Settings screen that is accessible through the Configuration gt System gt Basic gt Time menu choices displays the current date and time of day The wireless access point uses the Network Time Protocol NTP to obtain the current time from a network time server on the Internet that you specify in the Time Settings screen see Configure Basic General System Settings and Time Settings on page 23 Each entry on the Logs screen is stamped with the date and time of day Problems with the date and time function can include the following Date and time shown is Fri Dec 31 00 00 00 1999 or a similar incorrect date and time Cause The wireless access point has not yet successfully reached the network time server Check that your Internet access settings are configured correctly If you have just completed configuring the wireless access point wait
217. users and not the wall gt To install the wireless access point using the wall installation kit 1 Verify the package contents of the wall installation kit Installation and Basic Configuration 38 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Screws and wall supports 4 Connect the cables to the wireless access point Installation and Basic Configuration 39 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 6 Attach the cover to the wireless access point Installation and Basic Configuration 40 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Desk Installation gt To install the wireless access point on a desk Attach the rubber feet to the holes in the bottom of the wireless access point Rubber feet Installation and Basic Configuration 41 Wireless Configuration and Security This chapter describes how to configure the wireless features of the wireless access point The chapter includes the following sections e Wireless Data Security Options e Security Profiles e Configure RADIUS Server Settings e Restrict Wireless Access by MAC Address e Schedule the Wireless Radio to Be Turned Off e Configure Basic Wireless Quality of Service Before you set up wireless security and additional wireless features that are described in this chapter connect the wireless access point get the Internet connection working and configur
218. way The default IPv4 gateway for the wireless access point communication DHCP Client Enabled indicates that the current IP address was obtained from a DHCPv4 server on your LAN network Disabled indicates a static IP configuration Current IPv6 Settings For information about how to change any of these IP settings see Configure IPv6 Settings and Optional DHCPVv6 Server Settings on page 99 IPv6 Address The default IPv6 address of the wireless access point Prefix Length The prefix length for the address of the wireless access point Dynamic IPv6 Address The dynamically assigned IPbv6 address if the DHCPv6 server has the stateful option enabled Default Gateway The default IPv6 gateway for the wireless access point communication LAN IPv6 Link Local This is an automatically generated IPv6 address that uses the IPv4 address in the Address interface portion of its address Management and Monitoring 79 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Table 19 System screen fields continued Setting Description DHCP Client Enabled indicates that the current IP address was obtained from a DHCPV6 server on your LAN network Disabled indicates a static IP configuration or Current Wireless Settings for 802 11b 802 11g or 802 11ng Current Wireless Settings for 802 11a or 802 11na Note The section heading depends on the c
219. wireless settings continued Setting Descriptions 11b and 11bg modes only Data Rate From the drop down list select the transmit data rate of the wireless network The default setting is Best For a list of all options that you can select from in 11b mode and 11bg mode see Factory Default Settings on page 142 Output Power From the drop down list select the transmission power of the wireless access point Full Half Quarter Eighth Minimum The default is Full Note Increasing the power improves performance but if two or more wireless access points are operating in the same area and on the same channel interference can occur Note Make sure that you comply with the regulatory requirements for total radio frequency RF output power in your country 6 Click Apply to save your settings and enable the selected wireless mode Note For information about how to configure advanced wireless settings see Configure Advanced Wireless Settings on page 107 Configure 802 11a na Wireless Settings gt To configure the 802 11a na wireless settings 1 Select Configuration gt Wireless gt Basic gt Wireless Settings The basic Wireless Settings screen displays The following figure shows the 802 11na settings Note The radio wave icon displays next to the selected radio mode Installation and Basic Configuration 31 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WN
220. with IC radiation exposure limits set forth for an uncontrolled environment This equipment should be installed and operated with minimum distance 23 cm between the radiator and your body Caution The device for operation in the band 5150 5250 MHz is only for indoor usage to reduce the potential for harmful interference to co channel mobile satellite systems High power radars are allocated as primary users that is priority users of the bands 5250 5350 MHz and 5650 5850 MHz and these radars could cause interference and or damage to LE LAN devices Industrie Canada Ce dispositif est conforme a la norme CNR 210 d Industrie Canada applicable aux appareils radio exempts de licence Son fonctionnement est sujet aux deux conditions suivantes 1 le dispositif ne doit pas produire de brouillage pr judiciable et 2 ce dispositif doit accepter tout brouillage regu y compris un brouillage susceptible de provoquer un fonctionnement ind sirable Ce dispositif a t con u pour fonctionner avec une antenne ayant un gain maximal de dB 6 29 Une antenne a gain plus lev est strictement interdite par les r glements d Industrie Canada L imp dance d antenne requise est de 50 ohms Conform ment a la r glementation d Industrie Canada le pr sent metteur radio peutfonctionner avec une antenne d un type et d un gain maximal ou inf rieur approuv pourl metteur par Industrie Canada Dans le but de r duire les risques de brouillag
221. y PSK for authentication for more information see Configure and Enable Security Profiles on page 48 and Configure WPA PSK WPA2 PSK and WPA PSK amp WPA2 PSK on page 56 e WPA2 and WPA2 PSK AES Wi Fi Protected Access version 2 WPA2 data encryption provides strong data security with Advanced Encryption Standard AES encryption The very strong authentication along with dynamic per frame rekeying of WPA2 makes it virtually impossible to compromise WPA2 uses RADIUS based 802 1x authentication for more information see Configure and Enable Security Profiles on page 48 and Configure WPA with RADIUS WPA2 with RADIUS and WPA amp WPA2 with RADIUS on page 55 WPA2 PSK uses a pre shared key PSK for authentication for more information see Configure and Enable Security Profiles on page 48 and Configure WPA PSK WPA2 PSK and WPA PSK amp WPA2 PSK on page 56 e WPA amp WPA2 and WPA PSK amp WPA2 PSK mixed modes These modes support data encryption either with both WPA and WPA2 clients or with both WPA PSK and WPA2 PSK clients and provide the most reliable security WPA amp WPA2 uses RADIUS based 802 1x authentication for more information see Configure and Enable Security Profiles on page 48 and Configure WPA with RADIUS WPA2 with RADIUS and WPA amp WPA2 with RADIUS on page 55 WPA PSK amp WPA2 PSK uses a pre shared key PSK for authentication for more information see Configure and Enable Security Profiles on page 48 an
222. y button after you have completed the wireless configuration Installation and Basic Configuration 32 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 Specify the remaining wireless settings as explained the following table Table 7 Basic 5 GHz band wireless settings Setting Descriptions Wireless Network Name Enter a 32 character maximum service set identifier SSID the characters are SSID case sensitive The default is NETGEAR_11na The SSID assigned to a wireless device needs to match the wireless access point s SSID for the wireless device to communicate with the wireless access point If the SSIDs do not match you do not get a wireless connection to the wireless access point Wireless On Off Status This is a nonconfigurable field that shows the status of the wireless scheduler For more information see Schedule the Wireless Radio to Be Turned Off on page 61 Broadcast Wireless Select the Yes radio button to enable the wireless access point to broadcast its Network Name SSID SSID allowing wireless stations that have a null blank SSID to adopt the wireless access point s SSID Yes is the default setting To prevent the SSID from being broadcast select the No radio button Channel Frequency From the drop down list select the channel you wish to use on your wireless LAN The wireless channels and frequencies depend on the country and wireless mode The default setting is Auto
223. you need to obtain it from the ISP and enter it manually in this field Network Integrity Check Select this check box to validate that the upstream link is active before allowing wireless associations Ensure that the default gateway is configured 3 Click Apply to save your settings Configure the Optional DHCPv6 Server The wireless access point provides a built in DHCPv6 server for wireless clients only which can be especially useful in small networks When the DHCP server is enabled the wireless access point provides preconfigured TCP IP configurations to all connected wireless stations Note For information about how to configure the DHCPv4 server see Configure the Optional DHCPv4 Server on page 27 gt To configure DHCPV6 server settings 1 Select Configuration gt IP gt DHCP Server Settings The DHCP Server Settings screen displays The following figure displays the DHCPV6 server settings only For information about the DHCPV6 server settings see Configure the Optional DHCPv4 Server on page 27 Advanced Configuration 101 ProSafe Premium 3 x 3 Dual Band Wireless N Access Point WNDAP620 J configuration Monitoring Maintenance Support LOGOUT System Wireless Security Wireless Bridge IDS IPS IP Settings DHCPv6 Server Settings gt IPv6 Settings DHCPv6 Server Enable Disable DHCP Server Settings State State Full DHCP Server VLAN ID 1 Starting IPv Address 2001 05c0 91
224. ype Wireless wep key type apply incoming QoSpolicy Apply QoS policy as a incoming apply outgoing QoSpolicy Apply QoS policy as a outgoing delete incoming QoSpolicy Delete incoming QoS policy delete outgoing QoSpolicy Delete outgoing QoS policy ids ips profile gt ips status IDS IPS Intrusion detection amp prevention system status ips detection policy IDS IPS Intrusion detection amp prevention system policies IDS IPS attack configurations EAPOL logoff attack status EAPOL start attack status ADHOC network detected attack status ADHOC network wired connectivity attack status attack status gt EAPOL logoff attack EAPOL start attack adhoc network detected adhoc nw wired connectivity ap property change AP property change attack status association flood Association flood attack status association table overflow Association table overflow attack status authentication failure attack Authentication failure attack status authentication flood Authentication flood attack status cts flood CTS flood attack status rts flood RTS flood attack status deauthentication broadcast attack Deauthentication broadcast attack status device probing for AP Device probing for AP attack status disassociation flood Disassociation flood attack status known client association Adhoc nw Known client association ADHOC network attack status mac spoofing MAC spoof
225. z Spain e 2 410 2 484 GHz Japan 11b e 2 410 2 472 GHz Japan 11Nng e 2 457 2 472 GHz France e 2 412 2 472 GHz Europe ETSI e 2 412 2 472 GHz China 802 11 b bg ng encryption e 64 bit 128 bit and 52 bit WEP e AES e TKIP 802 11a na wireless specifications 802 11a data rates 6 9 12 18 24 36 48 54 Mbps and auto rate capable 802 11na data rates Data rates for a 20 MHz channel width and an automatic guard interval 0 7 2 Mbps 1 14 4 Mbps 2 21 7 Mbps 3 28 9 Mbps 4 43 3 Mbps 5 57 8 Mbps 6 65 Mbps 7 72 2 Mbps 8 14 44 Mbps 9 28 88 Mbps 10 43 33 Mbps 11 57 77 Mbps 12 86 66 Mbps 13 115 56 Mbps 14 130 Mbps 15 144 44 Mbps 16 21 7 Mbps 17 43 3 Mbps 18 65 Mbps 19 86 7 Mbps 20 130 7 Mbps 21 173 3 Mbps 22 195 Mbps 23 216 7 Mbps and auto rate capable Data rates for a 20 MHz channel width and a long guard interval 800 ms 0 6 5 Mbps 1 13 Mbps 2 19 5 Mbps 3 26 Mbps 4 39 Mbps 5 52 Mbps 6 58 5 Mbps 7 65 Mbps 8 13 Mbps 9 26 Mbps 10 39 Mbps 11 52 Mbps 12 78 Mbps 13 104 Mbps 14 117 Mbps 15 130 Mbps 16 19 5 Mbps 17 39 Mbps 18 58 5 Mbps 19 78 Mbps 20 117 Mbps 21 156 Mbps 22 175 5 Mbps 23 195 Mbps and auto rate capable Data rates for a 40 MHz channel width and an automatic guard interval 0 15 Mbps 1 30 Mbps 2 45 Mbps 3 60 Mbps 4 90 Mbps 5 120 Mbps 6 135 Mbps 7 150 Mb
Download Pdf Manuals
Related Search