
Chapter 18 Certificates

NWA-3166 User’s Guide


18.1.2  What You Need To Know About Certificates

The following terms and concepts may help as you read through this chapter.

The NWA also trusts any valid certificate signed by any of the imported trusted CA 
certificates. The certification authority certificate that you want to import has to 
be in one of these file formats:

• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.

• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.

• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The NWA currently allows the importation of a PKCS#7 file that contains a single certificate.

• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
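The following is an added example, not part of the ZyXEL guide: a pre-import check that tells the four formats above apart and counts the certificates in a PKCS#7 file, since the NWA accepts only a single one. The function names (`classify`, `meets_import_rule`) are hypothetical, and the sample inputs are constructed DER skeletons with the right outer shape, not valid certificates.

```python
import base64
import re

# PKCS#7 content-type OIDs, DER content bytes.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def classify(data):
    """Return (format name as listed above, number of certificates)."""
    encoding = "Binary"
    match = PEM_RE.search(data)
    if match:
        encoding = "PEM (Base-64) encoded"
        data = base64.b64decode(match.group(2))  # newlines are skipped
    tag, body, end = read_tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    kids = children(body)
    if kids and kids[0][0] == 0x30:
        # An X.509 Certificate begins with the tbsCertificate SEQUENCE.
        return f"{encoding} X.509", 1
    if len(kids) >= 2 and kids[0] == (0x06, OID_SIGNED_DATA) and kids[1][0] == 0xA0:
        # PKCS#7 ContentInfo: content-type OID, then [0] EXPLICIT SignedData.
        sd_tag, signed_data, _ = read_tlv(kids[1][1])
        if sd_tag != 0x30:
            raise ValueError("malformed SignedData")
        # Inside SignedData the certificate set is the [0] IMPLICIT element.
        cert_sets = [v for t, v in children(signed_data) if t == 0xA0]
        count = len(children(cert_sets[0])) if cert_sets else 0
        return f"{encoding} PKCS#7", count
    raise ValueError("neither X.509 nor PKCS#7 signedData")


def meets_import_rule(data):
    """True if the file is a recognised format holding exactly one certificate."""
    try:
        _, count = classify(data)
    except ValueError:
        return False
    return count == 1


# --- Constructed sample inputs (skeletons, not valid certificates) ---
def der(tag, content=b""):
    n = len(content)
    if n < 0x80:
        header = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + header + content


FAKE_CERT = der(0x30, der(0x30, der(0x02, b"\x01")) + der(0x30) + der(0x03, b"\x00"))


def fake_p7(cert_count):
    signed = der(0x30, der(0x02, b"\x01") + der(0x31) + der(0x30, der(0x06, OID_DATA))
                 + der(0xA0, FAKE_CERT * cert_count) + der(0x31))
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))


def to_pem(label, raw):
    body = base64.encodebytes(raw).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()


if __name__ == "__main__":
    for name, blob in [("cert.der", FAKE_CERT), ("cert.pem", to_pem("CERTIFICATE", FAKE_CERT)),
                       ("one.p7b", fake_p7(1)), ("chain.p7b", to_pem("PKCS7", fake_p7(2)))]:
        print(name, classify(blob), "ok" if meets_import_rule(blob) else "rejected")
```

The check inspects structure only; it does not verify signatures or validity dates.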

18.2  My Certificates Screen

Use this screen to view the NWA’s summary of certificates and certification 
requests. Click Certificates > My Certificates. The following screen displays. 

Figure 114   Certificates > My Certificates


Page 89: ...s Your device will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the device unless you are instructed to do otherwise 7 2 General Screen Use the General screen to identify your NWA over the network Click System General The following screen displays Figure 59 System General The following table describes the labels...

Page 90: ...s. The field to the right displays the (read-only) DNS server IP address that the DHCP assigns. Select User Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User Defined but leave the IP address set to 0.0.0.0, User Defined changes to None after you click Apply. If you set a second choice to User Defined and enter the same IP add...

Page 91: ...this to have the NWA use the local management password already configured on the device ("1234" is the default). Use new setting: Select this if you want to change the local management password. Old Password: Type in your existing system password ("1234" is the default password). New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays an asterisk for ...

Page 92: ... are using PEAP authentication, this password field is limited to 14 ASCII characters in length. RADIUS: Select the RADIUS server profile of the RADIUS server that is to authenticate management logins to the NWA. The NWA tests the user name and password against the RADIUS server when you apply your settings. The user name and password must already be configured in the RADIUS server. You must already hav...

Page 93: ...s page the NWA synchronizes the time with the time server if configured Current Date This field displays the last updated date from the time server Manual Select this radio button to enter the time and date manually If you configure a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered New Time hh mm ss Th...

Page 94: ... March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in the United States you would select Second Sunday March and 2 00 Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select ...

Page 95: ...ge the password, just change it on the RADIUS server. 7.5.2 Pre-defined NTP Time Servers List. When you turn on the NWA for the first time, the date and time start at 2000-01-01 00:00:00. When you select Auto in the System Time Setting screen, the NWA then attempts to synchronize with one of the following pre-defined list of NTP time servers. The NWA continues to use the following pre-defined list of NTP...

Page 96: ...server and tries to synchronize with it. If the synchronization fails, then the NWA goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. Table 19 Default Time Servers (continued): tick.stdtime.gov.tw, tock.stdtime.gov.tw, time.stdtime.gov.tw ...

Page 97: ...bove the NWA allows access to another bridge device A and a notebook computer B upon verifying their settings and credentials It denies access to other devices C and D with configurations that do not match those specified in your NWA 8 1 1 What You Can Do in the Wireless Screen Use the Wireless Wireless screen see Section 8 2 on page 101 to configure the NWA to use a WLAN interface and operate in ...

Page 98: ...affic between wireless stations in the BSS When Intra BSS traffic blocking is disabled wireless station A and B can access the wired network and communicate with each other When Intra BSS traffic blocking is enabled wireless station A and B can still access the wired network but cannot communicate with each other Figure 63 Basic Service set ESS An Extended Service Set ESS consists of a series of o...

Page 99: ...ess communication to other devices in the network Bridge Repeater The NWA acts as a wireless network bridge and establishes wireless links with other APs You need to know the MAC address of the peer device which also must be in bridge mode The NWA can establish up to five wireless links with other APs AP Bridge Mode The NWA functions as a bridge and access point simultaneously MBSSID Mode The Mult...

Page 100: ...d use a different channel than an adjacent AP (access point) to reduce interference. Wireless Mode: The IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. Wireless Mode supports 802.11b/g, 802.11a, 802.11n/g and 802.11n/a. MBSSID: Traditionally, you needed to use different APs to configur...

Page 101: ...e Wireless Screen Use this screen to choose the operating mode for your NWA Click Wireless Wireless The screen varies depending upon the operating mode you select 8 2 1 Access Point Mode Use this screen to use your NWA as an access point Select Access Point as the Operating Mode The following screen displays Figure 65 Wireless Access Point ...

Page 102: ...ireless network if you have wireless clients that are associated with the same AP but out of range of one another When enabled a wireless client sends an RTS Request To Send and then waits for a CTS Clear To Send before it transmits This stops wireless clients from transmitting packets at the same time and causing data collisions A wireless client sends an RTS for all packets larger than the numbe...

Page 103: ...tch the NWA s new settings Rates Configuration This section controls the data rates permitted for clients For each Rate select an option from the Configuration list The options are Basic 1 11 Mbps only Clients can always connect to the access point at this speed Optional Clients can connect to the access point at this speed when permitted to do so by the AP Disabled Clients cannot connect to the a...

Page 104: ...have the NWA act as a wireless network bridge repeater and establish wireless links with other APs You need to know the MAC address of the peer device which also must be in bridge repeater mode Note You can view an example of this setup in Section 8 3 7 on page 118 Figure 66 Wireless Bridge Repeater ...

Page 105: ...less network To have the NWA automatically select a channel click Scan instead RTS CTS Threshold Use RTS CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another When enabled a wireless client sends an RTS Request To Send and then waits for a CTS Clear To Send before it transmits This stops wireless clie...

Page 106: ...point can use a different pre-shared key. Configure WDS security and the relevant PSK in each of your other access point(s). Note: Other APs must use the same encryption method to enable WDS security. TKIP (ZyAir Series Compatible): Select this to enable Temporal Key Integrity Protocol (TKIP) security on your WDS. This option is compatible with other ZyXEL access points that support WDS security. Use this if ...

Page 107: ... Control STP R STP Section 8 3 5 on page 116 detects and breaks network loops and provides backup links between switches bridges or routers It allows a bridge to interact with other R STP compliant bridges in your network to ensure that only one path exists between any two stations on the network Select the check box to activate STP on the NWA Apply Click Apply to save your changes Reset Click Res...

Page 108: ... have the NWA function as a bridge and access point simultaneously. Select AP Bridge as the Operating Mode. The following screen displays. Figure 67 AP Bridge. See the tables describing the fields in the Access Point and Bridge Repeater operating modes for descriptions of the fields in this screen ...

Page 109: ...8.2.4 MBSSID Mode. Use this screen to have the NWA function in MBSSID mode. Select MBSSID as the Operating Mode. The following screen displays. Figure 68 Multiple BSS ...

Page 110: ...S CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another When enabled a wireless client sends an RTS Request To Send and then waits for a CTS Clear To Send before it transmits This stops wireless clients from transmitting packets at the same time and causing data collisions A wireless client sends an R...

Page 111: ... NWA from a computer connected to the wireless LAN and you change the NWA s SSID or security settings you will lose your wireless connection when you press Apply to confirm You must then change the wireless settings of your computer to match the NWA s new settings Index Select the check box to activate an SSID profile Profile Select the profile s of the SSIDs you want to use in your wireless netwo...

Page 112: ...apacity then the new traffic stream reduces the throughput of the other traffic streams The NWA uses WMM QoS to prioritize traffic streams according to the IEEE 802 1q or DSCP information in each packet s header The NWA automatically determines the priority to use for an individual traffic stream This prevents reductions in data transmission for applications that are sensitive to latency and jitte...

Page 113: ...lowing table shows some common applications their time sensitivity and their typical data packet sizes Note that the figures given are merely examples sizes may differ according to application and circumstances When ATC is activated the device sends traffic with smaller packets before traffic with larger packets if the network is congested best effort WMM_BEST_EFFORT Typically used for traffic fro...

Page 114: ...assign a WMM priority to packets that do not already have one see Section 8 3 3 1 on page 114 automatically prioritize all packets going from your wireless network to the wired network see Section 8 3 3 2 on page 115 8 3 3 1 ATC WMM from LAN to WLAN ATC WMM from LAN the wired Local Area Network to WLAN the Wireless Local Area Network allows WMM prioritization of packets that do not already have WM...

Page 115: ... on the application types and traffic flow Packets are marked with DiffServ Code Points DSCPs indicating the level of service desired This allows the intermediary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particul...

Page 116: ... is not specified then the traffic is treated as best effort This means the wireless clients and the devices with which they are communicating must both set the DSCP value in order to make the best use of WMM QoS A Voice over IP VoIP device for example may allow you to define the DSCP value The following table lists which WMM QoS priority level the NWA uses for specific DSCP values 8 3 5 Spanning ...

Page 117: ... bridge has the lowest cost to the root among the bridges connected to the LAN 8 3 5 3 How STP Works After a bridge determines the lowest cost spanning tree with STP it enables the root port and the ports that are the designated ports for connected LANs and disables all other ports that participate in STP Network packets are therefore only forwarded between enabled ports eliminating any possible n...

Page 118: ... the radar system Therefore if the NWA detects radar activity on the channel you select it automatically instructs the wireless clients to move to another channel then resumes communications on the new channel 8 3 7 Roaming A wireless station is a device with an IEEE 802 11a b g n compliant wireless interface An access point AP acts as a bridge between the wireless and wired networks An AP creates...

Page 119: ...ng a wireless LAN mobile user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN Enable roaming to exchange the latest bridge information of all wireless stations between APs when a wireless station moves between coverage areas Wireless stations can still associate with other APs even if you disable roaming Enabling roaming ensures corr...

Page 120: ...ts must be on the same subnet and configured with the same ESSID. If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station. The adjacent access points should use different radio channels when their coverage areas overlap. All access points must use the same port number to relay roaming information...

Page 121: ...e see below then wireless devices never have to get permission to send information to the NWA Preamble A preamble affects the timing in your wireless network There are two preamble modes long and short If a device uses a different preamble mode than the NWA does it cannot communicate with the NWA Fragmentation Threshold A small fragmentation threshold is recommended for busy networks while a large...

Page 123: ...ure above the NWA has three SSID profiles configured a standard profile SSID04 a profile with high QoS settings for Voice over IP VoIP users VoIP_SSID and a guest profile that allows visitors access only the Internet and the network printer Guest_SSID 9 1 1 What You Can Do in the SSID Screen Use the Wireless SSID screen see Section 9 2 on page 125 to configure up to 16 SSID profiles for your NWA ...

Page 124: ... SSID profile you need to know the Media Access Control MAC addresses of the devices you want to allow access to it Each SSID profile references the settings configured in the following screens Wireless Security one of the security profiles Wireless RADIUS one of the RADIUS profiles Wireless MAC Filter the MAC filter list if activated in the SSID profile Wireless Layer 2 Isolation the layer 2 isol...

Page 125: ...rofile on the NWA SSID This field displays the name of the wireless profile on the network When a wireless client scans for an AP to associate with this is the name that is broadcast and seen in the wireless client utility Security This field indicates which security profile is currently associated with each SSID profile See Section 10 2 on page 132 for more information RADIUS This field displays ...

Page 126: ...nfigure and click Edit to go to the SSID configuration screen Table 32 SSID LABEL DESCRIPTION Table 33 Configuring SSID LABEL DESCRIPTION Profile Name Enter a name to identify this profile SSID When a wireless client scans for an AP to associate with this is the name that is broadcast and seen in the wireless client utility Hide Name SSID Select Disable if you want the NWA to broadcast this SSID a...

Page 127: ...If you select WMM_VOICE WMM_VIDEO WMM_BEST_EFFORT or WMM_BACKGROUND the NWA applies that QoS setting to all of that SSID s traffic If you select NONE the NWA applies no priority to traffic on this SSID Note When you configure an SSID profile s QoS settings the NWA applies the same QoS setting to all of the profile s traffic L2 Isolation Select a layer 2 isolation profile from the drop down list bo...

Page 129: ...igure 75 Securing the Wireless Network. In the figure above, the NWA checks the identity of devices before giving them access to the network. In this scenario, Computer A is denied access to the network, while Computer B is granted connectivity. The NWA secures communications via data encryption, wireless client authentication and MAC address filtering. It can also hide its identity in the network. 10.1.1 W...

Page 130: ...eless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network. You can configure up to 16 security profiles in your NWA. The following table shows the relative effecti...

Page 131: ...ssphrase functions like a password. In WEP security mode, it is further converted by the NWA into a complicated string that is referred to as the "key". This key is requested from all devices wishing to connect to a wireless network. PSK: The Pre-Shared Key (PSK) is a password shared by a wireless access point and a client during a previous secure connection. The key can then be used to establish a connecti...

Page 132: ... screens are configurable only in Access Point AP Bridge and MBSSID operating modes Use this screen to choose and edit a security profile Click Wireless Security The following screen displays Figure 76 Wireless Security The following table describes the labels in this screen Table 35 Wireless Security LABEL DESCRIPTION Index This is the index number of the security profile Profile Name This field ...

Page 133: ...ries according to the Security Mode you select 10 2 1 Security WEP Use this screen to set the selected profile to Wired Equivalent Privacy WEP security mode Select WEP in the Security Mode field to display the following screen Figure 78 Security WEP Security Mode This field displays the security mode this security profile uses Edit Select an entry from the list and click Edit to configure security...

Page 134: ... data encryption. Authentication Method: Select Auto or Shared Key from the drop-down list box. The default setting is Auto. ASCII: Select this option to enter ASCII characters as the WEP keys. Hex: Select this option to enter hexadecimal characters as the WEP keys. The preceding "0x" is entered automatically. Key 1 to Key 4: The WEP keys are used to encrypt data. Both the NWA and the wireless stations must us...

Page 135: ...d ReAuthentication Timer: Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server...

Page 136: ...uthorized wireless users The values for the keys must be set up exactly the same on the access points as they are on the wireless stations The preceding 0x is entered automatically You must configure all four keys but only one key can be activated at any one time The default key is key 1 ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to ...

Page 137: ...turn reauthentication off Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The NWA automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the user name and password again before access to the wired network is allowed The defaul...

Page 138: ...s The default time interval is 1800 seconds 30 minutes Alternatively enter 0 to turn reauthentication off Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The NWA automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the usern...

Page 139: ...ea which can cause delays to time sensitive applications the AP and the client can store or cache and use information about their previous authentication Select Enable to allow PMK caching or Disable to switch this feature off Pre Authentication Pre authentication allows a wireless client to perform authentication with a different AP from the one to which it is currently connected before moving in...

Page 140: ... Specify how often wireless stations have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Alternatively enter 0 to turn reauthentication off Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout...

Page 141: ...del that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. Figure 84 RADIUS Server Setup. In the figure above, wireless clients A and B are trying to access the Internet via the NWA. The NWA in turn queries the RADIUS server if the identity of clients A and U are allowed access to the Internet. In this scenario, only client U's ident...

Page 142: ... connected to the network. Accounting, which keeps track of the client's network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. You should know the IP addresses, ports and share secrets of the external RADIUS server and/or the external RADIUS accounting server you want to use with your NWA. You can configu...

Page 143: ...ated with the Index number above Primary Configure the fields below to set up user authentication and accounting Backup If the NWA cannot communicate with the Primary accounting server you can have the NWA use a Backup RADIUS server Make sure the Active check boxes are selected if you want to use backup servers The NWA will attempt to communicate three times before using the Backup servers Request...

Page 144: ...not available when you select Internal. Share Secret: Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external authentication server and the NWA. The key must be the same on the external authentication server and your NWA. The key is not sent over the network. This field is not available when you select Internal. Active: Select the check box to enable user accountin...

Page 145: ...ss the main network router (B). The router provides access to the Internet (C) and the network printer (D) while preventing the client from accessing other computers and servers on the network. The client can communicate with other wireless clients only if Intra-BSS Traffic blocking is disabled. Note: Intra-BSS Traffic Blocking is activated when you enable layer 2 isolation. Figure 86 Layer 2 Isolation Appli...

Page 146: ...147) to configure the MAC addresses of the wireless client, AP, computer or router that you want to allow the associated wireless clients to have access to. 12.1.2 What You Need To Know About This Chapter. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You ne...

Page 147: ...s shown next Figure 87 Wireless Layer 2 Isolation The following table describes the labels in this screen Table 43 WIRELESS Layer 2 Isolation LABEL DESCRIPTION Index This is the index number of the profile Profile Name This field displays the name given to a layer 2 isolation profile in the Layer 2 Isolation Configuration screen Edit Select an entry from the list and click Edit to configure settin...

Page 148: ... Wireless SSID Edit screen of the relevant SSID profile Figure 88 Wireless Layer 2 Isolation Configuration Screen The following table describes the labels in this screen Table 44 Wireless Layer 2 Isolation Configuration LABEL DESCRIPTION Profile Name Type a name to identify this layer 2 isolation profile Allow devices with these MAC addresses These are the MAC address of a wireless client AP compu...

Page 149: ...of the MAC address. MAC Address: Type the MAC addresses of the wireless client, AP, computer or router that you want to allow the associated wireless clients to have access to in these address fields. Type the MAC address in a valid MAC address format, six hexadecimal character pairs, for example 12:34:56:78:9a:bc. Description: Type a name to identify this device. Apply: Click Apply to save your changes. Rese...

Page 150: ...s field and enter File Server C in the Description field Figure 90 Layer 2 Isolation Example 1 Example 2 Restricting Access to Client In the following example wireless clients 1 and 2 can communicate with access point B and file server C but not wireless client 3 Enter the server s and your NWA s MAC addresses in the MAC Address fields Enter File Server C in C s Description field and enter Access ...

Page 151: ...because its MAC address is in the allowed association list specified in the NWA The MAC address of client A is either denied association or is not in the list of allowed wireless clients specified in the NWA 13 1 1 What You Can Do in the MAC Filter Screen Use the Wireless MAC Filter screen see Section 13 2 on page 152 to specify which wireless station is allowed or denied access to the ZyXEL Devic...

Page 152: ...ofile The NWA provides 16 MAC Filter profiles each of which can hold up to 32 MAC addresses Click Wireless MAC Filter The screen displays as shown Figure 93 WIRELESS MAC Filter The following table describes the labels in this screen Table 45 WIRELESS MAC Filter LABEL DESCRIPTION Index This is the index number of the profile Profile Name This field displays the name given to a MAC filter profile in...

Page 153: ...13.2.1 Configuring the MAC Filter. To change your NWA's MAC filter settings, click WIRELESS > MAC Filter > Edit. The screen appears as shown. Figure 94 MAC Address Filter ...

Page 154: ...ne the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow Association to permit access to the router; MAC addresses not listed will be denied access to the router. MAC Address: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stat...

Page 155: ... of your NWA. The gateway IP address is 192.168.1.1 and the IP address of the NWA is 192.168.1.2 (default). The gateway and the device must belong to the same subnet to be able to communicate with each other. 14.1.1 What You Can Do in the IP Screen. Use the IP Screen (see Section 14.2 on page 156) to configure the IP address of your NWA. 14.1.2 What You Need To Know About IP. The Ethernet parameters of...

Page 156: ...dress Select this option if your NWA is using a static IP address When you select this option fill in the fields below IP Address Enter the IP address of your NWA in dotted decimal notation Note If you change the NWA s IP address you must use the new IP address if you want to access the web configurator again IP Subnet Mask Type the subnet mask Gateway IP Address Type the IP address of the gateway...

Page 157: ...our IP address from the IANA from an ISP or have it assigned by a private network If you belong to a small organization and your Internet access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses Note Regardless of...

Page 159: ...Note that it is not necessary for a network to have a legitimate wireless LAN component for rogue APs to open the network to an attacker. In this case, any AP detected can be classified as rogue. Figure 97 Rogue AP Example. In the example above, a corporate network's security is compromised by a rogue AP (R) set up by an employee at his workstation in order to allow him to connect his notebook computer w...

Page 160: ...e-mail logs. You can set how often you want the NWA to scan for rogue APs in the ROGUE AP Configuration screen (see Section 15.2 on page 162). Friendly APs: If you have more than one AP in your wireless network, you must also configure the list of "friendly" APs. Friendly APs are other wireless access points (aside from the NWA) that are detected in your network, as well as any others that you know are not a ...

Page 161: ...connect. This is known as a "honeypot" attack. Figure 98 Honeypot Attack. If a rogue AP in this scenario has sufficient power and is broadcasting the correct SSID (Service Set IDentifier), clients have no way of knowing that they are not associating with a legitimate company AP. The attacker can forward network traffic from associated clients to a legitimate AP, creating the impression of normal service. Thi...

Page 162: ... Period Detection field Expiration Time minutes Specify how long between 30 and 180 minutes an AP s entry can remain in the Rogue AP List before the NWA removes it from the list if the AP is no longer active Friendly AP List Export Click this button to save the current list of friendly APs MAC addresses and descriptions as displayed in the ROGUE AP Friendly AP screen to your computer File Path Ent...

Page 163: ...his button to include the AP in the list Friendly AP List This is the list of safe wireless access points you have already configured Index This is the index number of the AP s entry in the list MAC Address This field displays the Media Access Control MAC address of the AP All wireless devices have a MAC address that uniquely identifies them SSID This field displays the Service Set IDentifier also...

Page 164: ... to move to the friendly AP list see Section 15 2 1 on page 163 MAC Address This field displays the Media Access Control MAC address of the AP All wireless devices have a MAC address that uniquely identifies them SSID This field displays the Service Set IDentifier also known as the network name of the AP Channel This field displays the wireless channel the AP is currently using Radio Mode The fiel...

Page 165: ...ck box enter a short description in the Description field and click this button to add the entry to the friendly AP list see Section 15 2 1 on page 163 When the NWA next scans for rogue APs the selected AP does not appear in the rogue AP list Reset Click Reset to return all fields in this screen to their default values Table 51 Rogue AP Rogue AP LABEL DESCRIPTION ...

Page 166: ...Chapter 15 Rogue AP Detection NWA 3166 User s Guide 166 ...

Page 167: ...the NWA s interfaces Remote Management allows a user to administrate the device over the network You can manage your NWA from a remote location via the following interfaces WLAN LAN Both WLAN and LAN Neither Disable Figure 102 Remote Management Example In the figure above the NWA A is being managed by a desktop computer B connected via LAN Local Area Network It is also being accessed by a notebook ...

Page 168: ...a network systems manager can access the ZyXEL Device 16 1 2 What You Need To Know About Remote Management The following terms and concepts may help as you read through this chapter Telnet Telnet is short for Telecommunications Network which is a client side protocol that enables you to access a device over the network FTP File Transfer Protocol FTP allows you to upload or download a file or sever...

Page 169: ...or managed devices SNMP allows a manager and agents to communicate for the purpose of accessing information such as packets received node port status etc Remote Management Limitations Remote management over LAN or WLAN will not work when You have disabled that service in one of the remote management screens The IP address in the Secured Client IP field does not match the client IP address If it do...

Page 170: ... The Telnet Screen Use this screen to configure your NWA for remote Telnet access You can use Telnet to access the NWA s Command Line Interface CLI Click REMOTE MGNT TELNET The following screen displays Figure 104 Remote Management Telnet The following table describes the labels in this screen Table 52 Remote Management Telnet LABEL DESCRIPTION TELNET Server Port You can change the server port num...

Page 171: ...onding private key is to be used to identify the NWA for SSH connections You must have certificates already configured in the Certificates My Certificates screen Server Port You can change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may acces...

Page 172: ...t You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the NWA using this service Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA using this service Select All to a...

Page 173: ...cates optional to require the SSL client to authenticate itself with the NWA by sending the NWA a certificate To do that the SSL client must have a CA signed certificate from a CA that has been imported as a trusted CA on the NWA see the appendix on importing certificates for details Server Port The HTTPS proxy server listens on port 443 by default If you change the HTTPS proxy server port to a di...

Page 174: ...ncoming Get and GetNext requests from the management station The default is public and allows all requests Set Community Enter the Set community which is the password for incoming Set requests from the management station The default is public and allows all requests Community Type the trap community which is the password sent with each trap to the SNMP manager The default is public and allows all ...

Page 175: ...lect Admin to have the NWA use the Admin account s security settings Use the Configure SNMPv3 User Profile link to set up each account s security settings Configure SNMPv3 User Profile Click this to go to the SNMPv3 User Profile screen where you can configure administration and user login details SNMP Service Port You may change the server port number for a service if needed however you must use ...

Page 176: ... object variable from a table or list within an agent In SNMPv1 when a manager wants to retrieve all elements of a table from an agent it initiates a Get operation followed by a series of GetNext operations Set Allows the manager to set values for object variables within an agent Trap Used by the agent to inform the manager of some events 16 6 2 Supported MIBs The NWA supports MIB II that is defin...

Page 177: ... RFC 1214 and RFC 1907 must be enabled in order for the device to send authenticationFailure traps Use a MIB browser to enable or disable snmpEnableAuthenTraps Traps defined in the ZyXEL Private MIB whyReboot 1 3 6 1 4 1 890 1 5 1 3 0 1 This trap is sent with the reason for restarting before the system reboots warm start System reboot by user is added for an intentional reboot for example downl...

Page 178: ...6 User s Guide 178 Virtual enet3 enet9 WLAN1 in MBSSID mode enet10 enet16 WLAN2 in MBSSID mode enet17 enet21 WLAN1 in WDS mode enet22 enet26 WLAN2 in WDS mode Table 57 SNMP Interface Index to Physical and Virtual Port Mapping TYPE INTERFACE PORT ...

Page 179: ... Z using its internal RADIUS server to control access to a wired network A wireless notebook A requests access by sending its credentials The NWA consults its internal RADIUS server s list of user names and passwords If the credentials of the wireless notebook match an entry the NWA allows the client to access the network Figure 108 RADIUS Server The NWA can also serve as a RADIUS server to authen...

Page 180: ...ead through this chapter The NWA has a built in RADIUS server that can authenticate wireless clients or other trusted APs Certificates are used by wireless clients to authenticate the RADIUS server These are digital signatures that identify network devices Certificates ensure that the clients supply their login details to the correct device Information matching the certificate is held on the wirel...

Page 181: ...certification request to a certification authority which then issues a certificate Use the My Certificate Import screen to import the certificate and replace the request SELF represents a self signed certificate SELF represents the default self signed certificate which the NWA uses to sign imported trusted remote host certificates CERT represents a certificate issued by a certification authority S...

Page 182: ... and Shared Secret to authenticate a trusted AP IP Address Type the IP address of the trusted AP in dotted decimal notation Shared Secret Enter a password up to 31 alphanumeric characters no spaces as the key for encrypting communications between the AP and the NWA The key is not sent over the network This key must be the same on the AP and the NWA Both the NWA s IP address and this shared secret ...

Page 183: ...password activated on their wireless utilities User Name Enter the user name for this user account This name can be up to 31 alphanumeric characters long including spaces The wireless client s utility must use this name as its login name Password Type a password up to 31 ASCII characters for this user profile Note that as you type a password the screen displays a for each character you type The pa...

Page 184: ...hows how this is done Wireless clients make access requests to trusted APs which relay the requests to the NWA Figure 112 Trusted APs Overview Take the following steps to set up trusted APs and trusted users 1 Configure an IP address and shared secret in the Trusted AP database to specify an AP as trusted 2 Configure wireless client user names and passwords in the Trusted Users database to use a t...

Page 185: ...f EAP authentication and the internal RADIUS authentication method used in your NWA Note The internal RADIUS server does not support domain accounts DOMAIN user When you configure your Windows XP SP2 Wireless Zero Configuration PEAP MS CHAPv2 settings deselect the Use Windows logon name and password check box When authentication begins a pop up dialog box requests you to type a Name Password and D...

Page 186: ...Chapter 17 Internal RADIUS Server NWA 3166 User s Guide 186 ...

Page 187: ... exchange public keys for use in authentication Figure 113 Certificates Example 18 1 1 What You Can Do in the Certificates Screen Use the Certificates My Certificate see Chapter 18 on page 195 screens to view details of certificates storage space and settings This screen also allows you to import or create a new certificate Use the Certificates Trusted CAs see Chapter 18 on page 199 screens to sav...

Page 188: ...rivacy Enhanced Mail format uses 64 ASCII characters to convert a binary X 509 certificate into a printable form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted The NWA currently allows the importation of a PKCS 7 file that contains a single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses ...

Page 189: ... valid certificate Send a certification request to a certification authority which then issues a certificate Use the My Certificate Import screen to import the certificate and replace the request SELF represents a self signed certificate SELF represents the default self signed certificate which the NWA uses to sign imported trusted remote host certificates CERT represents a certificate issued by a...

Page 190: ...e details icon next to another self signed certificate see the description on the Create button if you need to create a self signed certificate 3 Select the Default self signed certificate which signs the imported remote host certificates check box 4 Click Apply to save the changes and return to the My Certificates screen 5 The certificate that originally showed SELF displays SELF and you can dele...

Page 191: ...ng table describes the labels in this screen Table 62 Certificates My Certificate Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certificate on the NWA Cancel Click Cancel to quit and return to the My Certificates screen ...

Page 192: ...e Create The following table describes the labels in this screen Table 63 Certificates My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters not including spaces to identify this certificate Subject Information Use these fields to record information that identifies the owner of the certificate You do not have to fill in every field although the Common Name is mand...

Page 193: ...a self signed certificate Select Create a self signed certificate to have the NWA generate the certificate and act as the Certification Authority CA itself This way you do not need to apply to a certification authority for certificates Create a certification request and save it locally for later manual enrollment Select Create a certification request and save it locally for later manual enrollment...

Page 194: ...CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineering Task Force IETF and is specified in RFC 2510 CA Server Address Enter the IP address or URL of the certification authority server CA Certificate Select the certification authority s certificate from the CA Certificate drop down list box You must have the certifi...

Page 195: ...s name In the case of a self signed certificate you can set it to be the one that the NWA uses to sign the trusted remote host certificates that you import to the NWA Click Certificates My Certificates to open the My Certificates screen Figure 114 on page 188 Click the details button to open the My Certificate Details screen Figure 117 Certificates My Certificate Details ...

Page 196: ...e only one in the list The NWA does not trust the certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked Refresh Click Refresh to display the certification path Certificate Information These read only fields display detailed information about the certificate Type This field displays general information about the certificate CA signed means tha...

Page 197: ...te s path MD5 Fingerprint This is the certificate s message digest that the NWA calculated using the MD5 algorithm SHA1 Fingerprint This is the certificate s message digest that the NWA calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characte...

Page 198: ... field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique sub...

Page 199: ... have the NWA check the CRL before trusting any certificates issued by the certification authority Otherwise the field displays No Details Click Details to view in depth information about the certification authority s certificate change the certificate s name and set whether or not you want the NWA to check a certification authority s list of revoked certificates before trusting a certificate issu...

Page 200: ... trusting a certificate issued by the certification authority Click Certificates Trusted CAs to open the Trusted CAs screen Click the details icon to open the Trusted CAs Details screen Figure 120 Certificates Trusted CAs Details Table 66 Certificates Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Cl...

Page 201: ...n path Certificate Information These read only fields display detailed information about the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed a...

Page 202: ... actual certificate because the NWA has signed the certificate thus causing this value to be different from that of the remote host s actual certificate See Section 18 1 2 on page 188 for how to verify a remote host s certificate before you import it into the NWA SHA1 Fingerprint This is the certificate s message digest that the NWA calculated using the SHA1 algorithm You cannot use this value to ...

Page 203: ...tered by anyone else along the way Tim generates a public key pair one public key and one private key 2 Tim keeps the private key and makes the public key openly available This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not 3 Tim uses his private key to sign the message and sends it to Jenny 4 Jenny receives the message...

Page 204: ...computer 2 Make sure that the certificate has a cer or crt file name extension Figure 121 Certificates on Your Computer 3 Double click the certificate s icon to open the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields Figure 122 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the T...

Page 205: ...traced Logs are also essential for auditing and keeping track of changes made by users Figure 123 Accessing Logs in the Network The figure above illustrates three ways to access logs The user U can access logs directly from the NWA A via the Web configurator Logs can also be located in an external log server B An email server C can also send harvested logs to the user s email account 19 1 1 What Y...

Page 206: ...k Receiving Logs via Email If you want to receive logs in your email account you need to have the necessary details ready such as the Server Name or SMTP Address of your email account Ensure that you have a valid email address Enabling Syslog Logging To enable Syslog Logging obtain your Syslog server s IP address or server name 19 2 The View Log Screen Use this screen to see the logs for the categ...

Page 207: ...age Index This field displays the log index number The logs are listed in chronological order Time This field displays the time the log was recorded Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Notes This fie...

Page 208: ... Guide 208 19 3 The Log Settings Screen Use this screen to configure where and when the NWA will send the logs and which logs and or immediate alerts to send Click Logs Log Settings The following screen displays Figure 125 Logs Log Settings ...

Page 209: ...yslog logging sends a log to an external syslog server used to store logs Active Click Active to enable syslog logging Syslog IP Address Enter the server name or IP address of the syslog server that will log the selected categories of logs Log Facility Select a location from the drop down list box The log facility allows you to log the messages to different files in the syslog server Refer to the ...

Page 210: ... DESCRIPTION Time calibration is successful The NWA has adjusted its time based on information from the time server Time calibration failed The NWA failed to get information from the time server DHCP client gets s A DHCP client got a new IP address from the DHCP server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a cl...

Page 211: ...agrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service and Network 3 Redirect datagrams for the Type of Service and Host 8 Echo 0 Echo message 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp...

Page 212: ...e sys logs category display command to show the log settings for all of the log categories Use the sys logs display log category command to show the logs in an individual NWA log category Use the sys logs clear command to erase all of the NWA s logs 19 4 5 Log Command Example This example shows how to set the NWA to record the error logs and alerts and then view the results Table 73 Log Categories...

Page 213: ...Chapter 19 Log Screens NWA 3166 User s Guide 213 ...

Page 215: ...NWA allows station A to connect to the internet but not to the server It allows station B to connect to the server but not to the Internet 20 1 1 What You Can Do in the VLAN Screen Use the Wireless VLAN screen Section 20 2 on page 217 to enable and configure your Wireless Virtual LAN setup The NWA tags all packets from an SSID with the VLAN ID you set in this screen Use the Radius VLAN screen Sect...

Page 216: ...n the settings in the Wireless VLAN screen See Section 20 3 3 on page 223 for more information Note To use RADIUS VLAN you must first select Enable VIRTUAL LAN and configure the Management VLAN ID in the VLAN Wireless VLAN screen The Management VLAN ID identifies the management VLAN A device must be a member of this management VLAN in order to access and manage the NWA If a device is not a member ...

Page 217: ...VLAN NWA 3166 User s Guide 217 20 2 Wireless VLAN Screen Use this screen to enable and configure your Wireless Virtual LAN setup Click VLAN Wireless VLAN The following screen appears Figure 127 VLAN Wireless VLAN ...

Page 218: ... to connect to the NWA Index This is the index number of the SSID profile Name This is the name of the SSID profile SSID This is the SSID the profile uses VLAN ID Enter a VLAN ID number from 1 to 4094 Packets coming from the WLAN using this SSID profile are tagged with the VLAN ID number by the NWA Different SSID profiles can use the same or different VLAN IDs This allows you to split wireless sta...

Page 219: ...he NWA forbid access to wireless clients when the VLAN attributes sent from the RADIUS server do not match a configured Name field When you select this check box only users with names configured in this screen can access the network through the NWA VLAN Mapping Table Use this table to map names to VLAN IDs so that the RADIUS server can assign each user or user group a mapped VLAN ID See your RADIU...

Page 220: ...N VLAN ID 1 The following procedure shows you how to configure a tagged VLAN Active Select a check box to enable the VLAN mapping profile ID Type a VLAN ID Incoming traffic from the WLAN is authorized and assigned a VLAN ID before it is sent to the LAN Name Type a name to have the NWA check for specific VLAN attributes on incoming messages from the RADIUS server Access accept packets sent by the R...

Page 221: ...o port 2 and your computer connected to port 1 The management VLAN ID is 10 Figure 129 Management VLAN Configuration Example Perform the following steps in the switch web configurator 1 Click VLAN under Advanced Application 2 Click Static VLAN 3 Select the ACTIVE check box 4 Type a Name for the VLAN ID 5 Type a VLAN Group ID This should be the same as the management VLAN ID on the NWA 6 Enable Tra...

Page 222: ...2 VLAN Aware Switch VLAN Status Follow the instructions in the Quick Start Guide to set up your NWA for configuration The NWA should be connected to the VLAN aware switch In the above example the switch is using port 1 to connect to your computer and port 2 to connect to the NWA Figure 129 on page 221 1 In the NWA web configurator click VLAN to open the VLAN setup screen 2 Select the Enable VLAN T...

Page 223: ...re device you will lock yourself out of the NWA If this happens you must reset the NWA to access it again 20 3 3 Configuring Microsoft s IAS Server Example Dynamic VLAN assignment can be used with the NWA Dynamic VLAN assignment allows network administrators to assign a specific VLAN configured on the NWA to an individual s Windows User Account When a wireless station is successfully authenticated...

Page 224: ...4094 4c If a or b are not matched the NWA uses the VLAN ID configured in the WIRELESS VLAN screen and the wireless station This VLAN ID is independent and hence different to the ID in the VLAN screen 20 3 3 1 Configuring VLAN Groups To configure a VLAN group you must first define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group 1 Using the Active Direc...

Page 225: ...which user accounts belong to which VLAN groups Click the Add button and configure the VLAN group details 3 Repeat the previous step to add each VLAN group required Figure 135 Add Group Members 20 3 3 2 Configuring Remote Access Policies Once the VLAN Groups have been created the IAS Remote Access Policy needs to be defined This allows the IAS to compare the user account being authenticated agains...

Page 226: ...al at the bottom For example if the Day And Time Restriction policy is still present it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence 1a 1 Right click Remote Access Policy and select New Remote Access Policy 1b Enter a Policy friendly name that describes the policy Each Remote Access Policy will be matched to one VLAN Group An example may be Allow VLA...

Page 227: ...ays Select a remote access policy and click the Add button The policy is added to the field below Only one VLAN Group should be associated with each policy 5 Click OK and Next in the next few screens to accept the group value Figure 138 Adding VLAN Group 6 When the Permissions options screen displays select Grant remote access permission 6a Click Next to grant access based on group membership ...

Page 228: ...Dial in Profile screen displays Click the Authentication tab and select the Extensible Authentication Protocol check box 7a Select an EAP type depending on your authentication needs from the drop down list box 7b Clear the check boxes for all other authentication types listed below the drop down list box Figure 140 Authentication Tab Settings ...

Page 229: ...ncryption Tab Settings 9 Click the IP tab and select the Client may request an IP address check box for DHCP support 10 Click the Advanced tab The current default parameters returned to the NWA should be Service Type and Framed Protocol Click the Add button to add an additional three RADIUS VLAN attributes required for 802 1X Dynamic VLAN Assignment Figure 142 Connection Attributes Screen ...

Page 230: ...edium Type Tunnel Pvt Group ID Tunnel Type 11a Click the Add button 11b Select Tunnel Medium Type 11c Click the Add button Figure 143 RADIUS Attribute Screen 12 The Enumerable Attribute Information screen displays Select the 802 value from the Attribute value drop down list box Click OK Figure 144 802 Attribute Setting for Tunnel Medium Type ...

Page 231: ...r this policy This Name should match a name in the VLAN mapping table on the NWA Wireless stations belonging to the VLAN Group specified in this policy will be given a VLAN ID specified in the NWA VLAN table 14b Click OK Figure 145 VLAN ID Attribute Setting for Tunnel Pvt Group ID 15 Return to the RADIUS Attribute Screen shown as Figure 143 on page 230 15a Select Tunnel Type 15b Click Add 16 The E...

Page 232: ...a Click the Close button 17b The completed Advanced tab configuration should resemble the following screen Figure 147 Completed Advanced Tab Note Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list ...

Page 233: ...h a VLAN ID incoming VLAN ID These incoming VLAN packets are forwarded to the NWA The NWA compares the VLAN ID in the packet header with each SSID s configured VLAN ID and second Rx VLAN ID settings In this example SSID01 s second Rx VLAN ID is set to 2 All incoming packets tagged with VLAN ID 2 are forwarded to SSID02 and also to SSID01 However SSID02 has no second Rx VLAN ID configured and the N...

Page 234: ...store the default configuration file 4 Select the SSID profile you want to configure SSID03 in this example and enter the VLAN ID number between 1 and 4094 5 Enter a Second Rx VLAN ID The following screen shows SSID03 tagged with a VLAN ID of 3 and a Second Rx VLAN ID of 4 Figure 149 Configuring SSID Second Rx VLAN ID Example 6 Click Apply to save these settings Outgoing packets from clients in SS...

Page 235: ...Chapter 20 VLAN NWA 3166 User s Guide 235 ...

Page 237: ...uld select a channel removed from it by five channels to completely avoid overlap Use the F W Upload screen Section 21 4 on page 240 to upload the latest firmware for your NWA Use the Configuration screen Section 21 5 on page 242 to view information related to factory defaults backup configuration and restoring configuration Use Restart screen Section 21 6 on page 244 to reboot the NWA without tur...

Page 238: ... 77 Maintenance Association List LABEL DESCRIPTION Stations Index This is the index number of an associated wireless station MAC Address This field displays the MAC address of an associated wireless station Association Time This field displays the time a wireless station first associated with the NWA SSID This field displays the SSID to which the wireless station is associated Signal This field di...

Page 239: ...es an AP and an Ad Hoc network also known as Independent Basic Service Set IBSS as one that doesn t See the chapter on wireless configuration for more information on basic service sets BSS and extended service sets ESS MAC Address This field displays the MAC address of the AP in an Infrastructure wireless network It is randomly generated so ignore it in an Ad Hoc wireless network Channel This is t...

Page 240: ...ess After you see the Firmware Upload in Process screen wait two minutes before logging into the NWA again Figure 153 Firmware Upload In Process Table 79 Maintenance F W Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the bin file you want to upload Remember that you must decompress compress...

Page 241: ...ting systems you may see the following icon on your desktop Figure 154 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click Return to go back to the F W Upload screen Figure 155 Firmware Upload Error ...

Page 242: ...intenance Configuration 21 5 1 Backup Configuration Backup configuration allows you to back up save the NWA s current configuration to a file on your computer Once your NWA is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previo...

Page 243: ... In some operating systems you may see the following icon on your desktop Figure 158 Network Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default NWA IP address 192 168 1 2 See your Quick Start Guide for details on how to set up your computer s IP address Table 80 Restore Confi...

Page 244: ... and returns the NWA to its factory defaults as shown on the screen The following warning screen will appear Figure 160 Reset Warning Message You can also press the RESET button to reset your NWA to its factory default settings Refer to Section 2 3 on page 30 for more information 21 6 Restart Screen Use this screen to restart the NWA without turning it off and on Click Maintenance Restart The foll...

Page 245: ... None of the LEDs turn on 1 Make sure you are using the power adaptor or cord included with the NWA 2 Make sure the power adaptor or cord is connected to the NWA and plugged in to an appropriate power source Make sure the power source is turned on 3 Disconnect and re connect the power adaptor or cord to the NWA 4 If the problem continues contact the vendor One of the LEDs does not behave as expect...

Page 246: ...r browser s URL bar The default System Name is NWA Series See Section 7 2 on page 89 for information on locating and changing the NWA s System Name Note If you changed the System Name and the new name is over 15 characters long you must enter NWA Series instead If you know your NWA s MAC Media Access Control address enter its last six characters in your browser s URL bar in the format zyxelXXXXXX ...

Page 247: ...Internet browser does not block pop up windows and has JavaScripts and Java enabled 4 Make sure your computer is in the same subnet as the NWA If you know that there are routers between your computer and the NWA skip this step If there is no DHCP server on your network make sure your computer s IP address is in the same subnet as the NWA 5 Reset the device to its factory defaults and try to access...

Page 248: ...to reset the device to its factory defaults See Section 2 3 1 on page 30 I cannot access the NWA via the console port 1 Check to see if the NWA is connected to your computer s console port 2 Check to see if the communications program is configured correctly The communications software should be configured as follows VT100 terminal emulation 9 600 bps is the default speed on leaving the factory Try...

Page 249: ...SP I cannot access the Internet anymore I had access to the Internet with the NWA but my Internet connection is not available anymore 1 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 7 on page 27 2 Reboot the NWA 3 If the problem continues contact your ISP The Internet connection is slow or intermittent 1 There might be a lot ...

Page 250: ...re the wireless LAN is enabled on the NWA 2 Make sure the wireless adapter on the wireless station is working properly 3 Make sure the wireless adapter installed on your computer is IEEE 802 11 compatible and supports the same wireless standard as the NWA 4 Make sure your computer with a wireless adapter installed is within the transmission range of the NWA 5 Check that both the NWA and your wirel...

Page 251: ...U FL R SMT connectors 2T 3R Output Power IEEE 802 11a 5150 5250 Using single antenna 12dBm IEEE 802 11a 5250 5850 Using single antenna 18dbm IEEE 802 11b Using single antenna 17dBm IEEE 802 11g Using single antenna 14dBm IEEE 802 11gn HT20 Using single antenna 12 5dBm Using three antennas 17dBm IEEE 802 11gn HT40 Using single antenna 8 5 dBm Using three antennas 13 dBm IEEE 802 11an HT20 HT40 5150...

Page 252: ...and logs unknown access points APs operating in the area Internal RADIUS server PEAP 32 entry Trusted AP list 128 entry Trusted Users list VLAN 802 1Q VLAN tagging STP Spanning Tree Protocol RSTP Rapid STP R STP detects and breaks network loops and provides backup links between switches bridges or routers It allows a bridge to interact with other R STP compliant bridges in your network to ensure t...

Page 253: ...ogging and packet tracing Embedded FTP and TFTP Servers The embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration Auto Configuration Administrators can use text configuration files to configure the wireless LAN settings for multiple APs The AP can automatically get a configuration file from a TFTP server at start up or after renewing DHCP...

Page 254: ... on the back of the NWA with the screws on the wall Hang the NWA on the screws Figure 162 Wall mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting All measurements are in millimeters mm Figure 163 Masonry Plug and M4 Tap Screw ...

Page 255: ...nt network which is commonly referred to as an ad hoc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 164 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and a wired ...

Page 256: ...ded Service Set ESS consists of a series of overlapping BSSs each containing an access point with each access point connected together by a wired network This wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network tra...

Page 257: ...aphical area You may have a choice of channels for your region so you should use a different channel than an adjacent AP access point to reduce interference Interference occurs when radio signals from different access points overlap causing interference and degrading performance Adjacent channels partially overlap however To avoid interference due to overlap your AP should be on a channel at least...

Page 258: ...messages for both stations RTS CTS is designed to prevent collisions due to hidden nodes An RTS CTS defines the biggest size data frame you can send before an RTS Request To Send CTS Clear to Send handshake is invoked When a data frame exceeds the RTS CTS value you set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS Request To Send message to the AP for...

Page 259: ...usy networks or networks that are prone to interference If the Fragmentation Threshold value is smaller than the RTS CTS value see previously you set then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS CTS size Preamble Type Preamble is used to signal that data is coming to the receiver Short and Long refer to the length...

Page 260: ...nimum data rates The IEEE 802 11g data rate and modulation are as follows Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients access points and the wired network Wireless security methods available on the NWA are data encryption wireless client authentication restricting access by device MAC address and hiding the NWA ide...

Page 261: ...DIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting management on a network RADIUS server Support for EAP Extensible Authentication Protocol RFC 2486 that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients RADIUS RADIUS is based on a client server model that supports authenticatio...

Page 262: ...equesting more information in order to allow access The access point sends a proper response from the user and then sends another Access Request message The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate tha...

Page 263: ... the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys f...

Page 264: ... WEP key is generated each time reauthentication is performed If this feature is enabled it is not necessary to configure a default encryption key in the Wireless screen You may still configure and store keys here but they will not be used while Dynamic WEP is enabled Note EAP MD5 cannot be used with Dynamic WEP Key Exchange For added security certificate based authentications EAP TLS EAP TTLS and...

Page 265: ...s less secure than WPA or WPA2. Encryption: Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically gene...

Page 266: ...al encryption keys. This prevents all wireless devices sharing the same encryption keys (a weakness of WEP). User Authentication: WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a n...

Page 267: ...DS is the distribution system 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the pair wise key to dynami...

Page 268: ...s use the TKIP or AES encryption process to encrypt data WPA 2 PSK Authentication 4 Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method key management protocol type MAC address filters are not dependent on how you configure these security features Table 86 Wireless Security Relational Matrix AUTHENTICATION METHOD...

Page 269: ...PA TKIP AES No Enable WPA PSK TKIP AES Yes Disable WPA2 TKIP AES No Enable WPA2 PSK TKIP AES Yes Disable Table 86 Wireless Security Relational Matrix continued AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802 1X ...

Page 270: ...Appendix B Wireless LANs NWA 3166 User s Guide 270 ...

Page 271: ... Explorer versions may vary Internet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker...

Page 272: ...n the Pop up Blocker section of the screen This disables any web pop up blockers you may have enabled Figure 171 Internet Options Privacy 3 Click Apply to save this setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab ...

Page 273: ...NWA 3166 User s Guide 273 2 Select Settings to open the Pop up Blocker Settings screen Figure 172 Internet Options Privacy 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 ...

Page 274: ...dd to move the IP address to the list of Allowed sites Figure 173 Pop up Blocker Settings 5 Click Close to return to the Privacy screen 6 Click Apply to save this setting JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts are allowed ...

Page 275: ...rer click Tools Internet Options and then the Security tab Figure 174 Internet Options Security 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default ...

Page 276: ... OK to close the window Figure 175 Security Settings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected ...

Page 277: ...issions NWA 3166 User s Guide 277 5 Click OK to close the window Figure 176 Security Settings Java JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected ...

Page 278: ...Appendix C Pop up Windows JavaScripts and Java Permissions NWA 3166 User s Guide 278 3 Click OK to close the window Figure 177 Java Sun ...

Page 279: ... and the other part is the host ID In the same way that houses on a street share a common street name the hosts on a network share a common network number Similarly as each house has its own house number each host on the network has its own unique identifying number the host ID Routers use the network number to send packets to the correct network while the host ID determines to which host on the n...

Page 280: ... which bits are part of the host ID using a logical AND operation The term subnet is short for sub network A subnet mask has 32 bits If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID The following example shows a subnet mask identifying th...

Page 281: ...umber determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits. An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 wit...

Page 282: ... For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations.
Table 89 Maximum Host Numbers
SUBNET MASK | HOST ID SIZE | MAXIMUM NUMBER OF HOSTS
8 bits, 255.0.0.0 | 24 bits | 2^24 - 2 = 16777214
16 bits, 255.255.0.0 | 16 bits | 2^16 - 2 = 65534
24 bits, 255.255.255.0 | 8 bits | 2^8 - 2 = 254
29 bits, 255.255.255.248 | 3 bits | 2^3 - 2...

Page 283: ... 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 2^8 - 2 or 254 possible hosts. The following figure shows the company network before subnetting. Figure 179 Subnetting Example: Before Subnetting. You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet ...

Page 284: ...255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254. Example: Four Subnets. The previous example illustrated using a 25-bit subnet mask to divide a 24 b...

Page 285: ...R LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address Binary 11000000 10101000 00000001 01000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 64 Lowest Host ID 192 168 1 65 Broadcast Address 192 168 1 127 Highest Host ID 192 168 1 126 Table 93 Subnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101...

Page 286: ...92 168 1 255 Highest Host ID 192 168 1 254 Table 94 Subnet 4 continued IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE Table 95 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 Table 96 24 bit Network Number Subnet Planning NO BORROWED H...

Page 287: ...e use please do not use any other number unless you are told otherwise You must also enable Network Address Translation NAT on the NWA Once you have decided on the network number pick an IP address for your NWA that is easy to remember for instance 192 168 1 1 but make sure that no other device on your network is using that IP address The subnet mask specifies the network number portion of an IP a...

Page 288: ... you should consult your network administrator for the appropriate IP addresses Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space Setting up Your Computer s IP Address A...

Page 289: ...ling Components The Network window Configuration tab displays a list of installed components You need a network adapter the TCP IP protocol and Client for Microsoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2...

Page 290: ...t for Microsoft Networks from the list of network clients and then click OK 5 Restart your computer so the changes you made take effect Configuring 1 In the Network window Configuration tab select your network adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify ...

Page 291: ...rties DNS Configuration 4 Click the Gateway tab If you do not know your gateway s IP address remove previously installed gateways If you have a gateway IP address type it in the New gateway field and click Add 5 Click OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your NWA and restart your computer when prompted ...

Page 292: ...IP address subnet mask and default gateway Windows 2000 NT XP 1 For Windows XP click start Control Panel In Windows 2000 NT click Start Settings Control Panel Figure 184 Windows XP Start Menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 185 Windows XP Control Panel ...

Page 293: ...XP Control Panel Network Connections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and click Properties Figure 187 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically ...

Page 294: ...nal IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in...

Page 295: ...If you have previously configured DNS servers click Advanced and then the DNS tab to order them Figure 189 Windows XP Internet Protocol TCP IP Properties 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties window 10 Turn on your NWA and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories...

Page 296: ...ix D IP Addresses and Subnetting NWA 3166 User s Guide 296 Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel Figure 190 Macintosh OS 8 9 Apple Menu ...

Page 297: ... assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your NWA in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save changes to your configuration 7 Turn on your NWA and restart your computer if prompted Verifying Settings Check y...

Page 298: ...eferences window Figure 192 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet from the Show list Click the TCP IP tab 3 For dynamically assigned settings select Using DHCP from the Configure list Figure 193 Macintosh OS X Network 4 For statically assigned settings do the following ...

Page 299: ...e your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your NWA in the Router address box 5 Click Apply Now and close the window 6 Turn on your NWA and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window ...

Page 301: ...ou can use plain text configuration files to configure the wireless LAN settings on multiple APs The AP can automatically get a configuration file from a TFTP server at startup or after renewing DHCP client information Figure 194 Text File Based Auto Configuration Use one of the following methods to give the AP the IP address of the TFTP server where you store the configuration files and the name ...

Page 302: ... IP address and a filename the AP will try to download the file from the specified TFTP server The AP then uses the file to configure wireless LAN settings Note Not all DHCP servers allow you to specify options 66 and 67 Configuration Via SNMP You can configure and trigger the auto configuration remotely via SNMP Use the following procedure to have the AP download the configuration file Table 98 A...

Page 303: ...version. The AP compares the file version with the version of the last configuration file that it downloaded. If the version of the downloaded file is the same or smaller (older), the AP ignores the file. If the version of the downloaded file is larger (newer), the AP uses the file. Configuration File Rules: You can only use the wlan and wcfg commands in the configuration file. The AP ignores other ZyNOS comm...

Page 304: ...You can zip each configuration file. You must use the store compression method and a zip file extension. When zipping a configuration file, you can also add password protection using the same password that you use to log into the AP. Wcfg Command Configuration File Examples: These example configuration files use the wcfg command to configure security and SSID profiles. Figure 196 WEP Configuration File ...

Page 305: ...us 2 primary 172 23 3 4 1812 1234 enable wcfg radius 2 backup 172 23 3 5 1812 1234 enable wcfg radius save wcfg ssid 2 name ssid 8021x wcfg ssid 2 security Test 8021x wcfg ssid 2 radius radius rd wcfg ssid 2 qos 4 wcfg ssid 2 l2isolation disable wcfg ssid 2 macfilter disable wcfg ssid save ZYXEL PROWLAN VERSION 13 wcfg security 3 name Test wpapsk wcfg security 3 mode wpapsk wcfg security 3 passphr...

Page 306: ...ion files into a single configuration file Remember that the commands are applied in order So for example you would place the ZYXEL PROWLAN VERSION 14 wcfg security 4 name Test wpa wcfg security 4 mode wpa wcfg security 4 reauthtime 1800 wcfg security 4 idletime 3600 wcfg security 4 groupkeytime 1800 wcfg security save wcfg radius 4 name radius rd1 wcfg radius 4 primary 172 0 20 38 1812 20 enable ...

Page 307: ...st 8021x wcfg ssid 2 radius radius rd wcfg ssid 3 name ssid wpapsk wcfg ssid 3 security Test wpapsk wcfg ssid 4 name ssid wpa2psk wcfg ssid 4 security Test wpa2psk wcfg ssid save line starting with is comment change to channel 8 wlan chid 8 change operating mode AP mode then select ssid wep as running WLAN profile wlan opmode 0 wlan ssidprofile ssid wep change operating mode MBSSID mode then selec...

Page 308: ...Appendix E Text File Based Auto Configuration NWA 3166 User s Guide 308 ...

Page 309: ...a console port 1 Connect your computer to the console port on the NWA using the appropriate cable 2 Use terminal emulation software with the following settings 3 Press ENTER to open the login screen Telnet 1 Connect your computer to one of the Ethernet ports Table 103 Default Settings for the Console Port SETTING DEFAULT VALUE Terminal Emulation VT100 Baud Rate 9600 bps Parity None Number of Data ...

Page 310: ... accessing the NWA through one or more routers Logging in Use the administrator username and password If this is your first login use the default values in some NWA models you may not need to enter the user name The NWA automatically logs you out of the management interface after five minutes of inactivity If this happens simply log back in again Use the sys stdio set command to extend the idle ti...

Page 311: ...r Return key on your keyboard cr means press the ENTER key An arrow indicates that this line is a continuation of the previous line A long list of pre defined values may be replaced by a command input value variable so as to avoid a very long command in the description table Refer to the command input values table if you are unsure of what to enter Note Commands are case sensitive Enter commands e...

Page 312: ...lp command to view the executable commands on the NWA Follow these steps to create a list of supported commands 1 Log into the CLI 2 Type help and press ENTER A list comes up which shows all the commands available for this device Table 107 CLI Shortcuts and Help COMMAND KEY S DESCRIPTION yz up down arrow keys Scrolls through the list of recently used commands You can edit any command or press ENTE...

Page 313: ...In the NWA some commands are saved as you run them and others require you to run a save command See the related section of this guide to see if a save command is required Note Unsaved configuration changes are lost once you restart the NWA Logging Out Use the exit command to log out of the CLI ...

Page 314: ...Appendix F How to Access and Use the CLI NWA 3166 User s Guide 314 ...

Page 315: ...sing out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of Zy...

Page 316: ...e user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected 4 Consult the dealer or an experienced radio TV technician for help FCC Radiation Expo...

Page 317: ...t the certification you wish to view from this page ZyXEL Limited Warranty ZyXEL warrants to the original end user purchaser that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials Zy...

Page 318: ...y or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact your vendor You may also refer to the warranty policy for the region in which you bought the device at http www zyxel com web support_warranty_info php Registration Register your product online to rece...

Page 319: ...mation Date that you received your device Brief description of the problem and the steps you took to solve it is the prefix number you dial to make an international telephone call Corporate Headquarters Worldwide Support E mail support zyxel com tw Sales E mail sales zyxel com tw Telephone 886 3 578 3942 Fax 886 3 578 2439 Web www zyxel com Regular Mail ZyXEL Communications Corp 6 Innovation Road ...

Page 320: ...Web www zyxel co cr Regular Mail ZyXEL Costa Rica Plaza Roble Escazú Etapa El Patio Tercer Piso San José Costa Rica Czech Republic E mail info cz zyxel com Telephone 420 241 091 350 Fax 420 241 091 359 Web www zyxel cz Regular Mail ZyXEL Communications Czech s r o Modranská 621 143 01 Praha 4 Modrany Ceská Republika Denmark Support E mail support zyxel dk Sales E mail sales zyxel dk Telephone 45 3...

Page 321: ...e Telephone 49 2405 6909 69 Fax 49 2405 6909 99 Web www zyxel de Regular Mail ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany Hungary Support E mail support zyxel hu Sales E mail info zyxel hu Telephone 36 1 3361649 Fax 36 1 3259100 Web www zyxel hu Regular Mail ZyXEL Hungary 48 Zoldlomb Str H 1025 Budapest Hungary India Support E mail support zyxel in Sales E mail sales zyxel i...

Page 322: ...ostyk Ave Office 414 Dostyk Business Centre 050010 Almaty Republic of Kazakhstan Malaysia Support E mail support zyxel com my Sales E mail sales zyxel com my Telephone 603 8076 9933 Fax 603 8076 9833 Web http www zyxel com my Regular Mail ZyXEL Malaysia Sdn Bhd 1 02 1 03 Jalan Kenari 17F Bandar Puchong Jaya 47100 Puchong Selangor Darul Ehsan Malaysia North America Support E mail support zyxel com ...

Page 323: ...support Sales E mail sales zyxel ru Telephone 7 095 542 89 29 Fax 7 095 542 89 25 Web www zyxel ru Regular Mail ZyXEL Russia Ostrovityanova 37a Str Moscow 117279 Russia Singapore Support E mail support zyxel com sg Sales E mail sales zyxel com sg Telephone 65 6899 6678 Fax 65 6899 8887 Web http www zyxel com sg Regular Mail ZyXEL Singapore Pte Ltd No 2 International Business Park The Strategy 03 2...

Page 324: ...1F No 333 Sec 2 Dunhua S Rd Da an District Taipei Thailand Support E mail support zyxel co th Sales E mail sales zyxel co th Telephone 662 831 5315 Fax 662 831 5395 Web http www zyxel co th Regular Mail ZyXEL Thailand Co Ltd 1 1 Moo 2 Ratchaphruk Road Bangrak Noi Muang Nonthaburi 11000 Thailand Turkey Support E mail cso zyxel com tr Telephone 90 212 222 55 22 Fax 90 212 220 2526 Web http www zyxel...

Page 325: ...e 13 Pimonenko Str Kiev 04050 Ukraine United Kingdom Support E mail support zyxel co uk Sales E mail sales zyxel co uk Telephone 44 1344 303044 0845 122 0301 UK only Fax 44 1344 303034 Web www zyxel co uk Regular Mail ZyXEL Communications UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK ...

Page 326: ...Appendix H Customer Support NWA 3166 User s Guide 326 ...

Page 327: ...ration status 304 B backup 242 Basic Service Set 98 see BSS bridge 19 22 Bridge Protocol Data Units BPDUs 117 Bridge Repeater 18 19 BSS 22 23 255 BSSID 17 C CA 203 263 CAPWAP 71 73 75 Certificate Authority See CA certificates 181 CA 203 thumbprint algorithms 204 thumbprints 204 verifying fingerprints 204 Certification Authority See CA certifications 315 notices 317 viewing 317 channel 18 100 257 i...

Page 328: ...ence statement 315 file version 303 filtering 17 firmware file maintenance 237 fragmentation threshold 259 friendly AP list 160 163 FTP 26 169 restrictions 169 G general setup 89 guest SSID 24 H help in the CLI 312 hidden node 258 honeypot attack 161 host 91 host ID 88 humidity 251 I IANA 88 288 IBSS 255 IEEE 802 11g 260 IEEE 802 1x 17 in band management 221 Independent Basic Service Set 239 see I...

Page 329: ...ssage Integrity Check MIC 265 mobile access 17 mode 18 MSDU 85 N NAT 287 network 17 network access 17 network bridge 19 network number 88 network traffic 17 O operating mode 18 out of band management 221 P Pairwise Master Key PMK 265 268 password 252 path cost 117 Per Hop Behavior 115 PHB Per Hop Behavior 116 power specifications 251 preamble mode 259 pre configured profiles 24 priorities 112 prio...

Page 330: ...STP how it works 117 STP Spanning Tree Protocol 252 STP path costs 117 STP port states 118 STP terminology 117 subnet 279 subnet mask 88 252 280 subnetting 283 syntax conventions 4 system name 89 system timeout 170 T tagged VLAN example 221 telnet 170 Telnet accessing the CLI 309 temperature 251 Temporal Key Integrity Protocol TKIP 265 text file based auto configuration 253 301 TFTP restrictions 1...

Page 331: ...60 WLAN interference 257 security parameters 268 WLAN interface 18 WMM 127 WPA 17 265 key caching 266 pre authentication 266 user authentication 266 vs WPA PSK 266 wireless client supplicant 266 with RADIUS application example 267 WPA2 17 265 user authentication 266 vs WPA2 PSK 266 wireless client supplicant 266 with RADIUS application example 267 WPA2 Pre Shared Key 265 WPA2 PSK 265 266 applicati...

Page 332: ...Index NWA 3166 User s Guide 332 ...
