Vantage RADIUS User’s Guide

Appendix F

Wireless LAN With IEEE 802.1x

As wireless networks become popular for both portable computing and corporate networks, security is now 
a priority.  

Security Flaws with IEEE 802.11 

Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. Access control in the
IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address. As the MAC
address is sent across the wireless link in clear text, it is easy to spoof. Even the WEP (Wired Equivalent
Privacy) data encryption is unreliable, as it can be easily decrypted with current computing power.

Deployment Issues with IEEE 802.11 

User account management has become a network administrator’s nightmare in a corporate environment, as 
the IEEE 802.11b standard does not provide any central user account management. User access control is 
done through manual modification of the MAC address table on the access point. Although WEP data 
encryption offers a form of data security, you have to reset the WEP key on the clients each time you 
change your WEP key on the access point.  

IEEE 802.1x 

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support 
extended authentication as well as providing additional accounting and control features. It is supported by 
Windows XP and a number of network devices.  

Advantages of the IEEE 802.1x 

 

- User based identification that allows for roaming.

- Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for
  centralized user profile and accounting management on a network RADIUS server.

- Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional
  authentication methods to be deployed with no changes to the access point or the wireless stations.

RADIUS Server Authentication Sequence  

The following figure depicts a typical wireless network with a remote RADIUS server for user 
authentication using EAPOL (EAP Over LAN). 
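
The access point can stay unchanged when new EAP methods are deployed because it only relays the station's EAP packet to the RADIUS server inside EAP-Message attributes, protected by a Message-Authenticator keyed with the shared secret. The sketch below is an added example, not code from this guide or from ZyXEL; it follows the standard RADIUS attribute layout (EAP-Message 79, Message-Authenticator 80), and the shared secret, user name and IP address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                       # RADIUS packet code
USER_NAME, NAS_IP_ADDRESS = 1, 4         # RADIUS attribute types
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1   # EAP code and type
HEADER_LEN = 20                          # code, id, length, 16-byte authenticator


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity as the wireless station sends it over EAPOL."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def _attr(attr_type, value):
    """Encode one type-length-value attribute (value is at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, user, nas_ip, eap_packet,
                         authenticator=None):
    """What the access point sends: the EAP packet is relayed unmodified."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    for i in range(0, len(eap_packet), 253):      # split long EAP packets
        attrs += _attr(EAP_MESSAGE, eap_packet[i:i + 253])
    mac_at = HEADER_LEN + len(attrs) + 2          # offset of the MAC value
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(attrs))
    packet = bytearray(header + authenticator + attrs)
    # HMAC-MD5 over the whole packet with the MAC field still zeroed.
    packet[mac_at:mac_at + 16] = hmac.new(secret, packet, hashlib.md5).digest()
    return bytes(packet)


def verify_access_request(secret, packet):
    """Server side: parse attributes, reassemble EAP, check the MAC."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]                      # ignore trailing padding
    user, eap, mac_at, pos = None, b"", None, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == USER_NAME:
            user = value.decode(errors="replace")
        elif attr_type == EAP_MESSAGE:
            eap += value                          # concatenate fragments in order
        elif attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac_at = pos + 2
        pos += attr_len
    valid = False
    if mac_at is not None:                        # a missing MAC counts as invalid
        zeroed = bytearray(packet)
        zeroed[mac_at:mac_at + 16] = bytes(16)
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        valid = hmac.compare_digest(expected, packet[mac_at:mac_at + 16])
    return {"code": code, "id": identifier, "user": user, "eap": eap,
            "valid": valid}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"         # sample value, not a default
    eap = eap_identity_response(1, "alice")
    pkt = build_access_request(secret, 42, "alice", "192.0.2.10", eap)
    print(verify_access_request(secret, pkt))
    print(verify_access_request(b"wrong-secret", pkt)["valid"])
```

A request whose Message-Authenticator does not verify, for example one sent by a device that does not hold the shared secret or one altered in transit, comes back with `valid` set to `False` and should be dropped by the server.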

Содержание VANTAGE RADIUS 50

Страница 1: ...Vantage RADIUS 50 User s Guide Version 1 0 8 2005 ...

Страница 2: ...of ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described he...

Страница 3: ...uctions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and the r...

Страница 4: ...ompliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier Any repairs or alterations made by the user to this equipment or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equipment For ...

Страница 5: ...ions NOTE Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser To obtain the s...

Страница 6: ...l cz CZECH REPUBLIC info cz zyxel com 420 241 091 359 ZyXEL Communications Czech s r o Modranská 621 143 01 Praha 4 Modrany Ceská Republika support zyxel dk 45 39 55 07 00 www zyxel dk DENMARK sales zyxel dk 45 39 55 07 07 ZyXEL Communications A S Columbusvej 5 2860 Soeborg Denmark support zyxel fi 358 9 4780 8411 FINLAND sales zyxel fi 358 9 4780 8448 www zyxel fi ZyXEL Communications Oy Malminka...

Страница 7: ... 195 420 www zyxel es SPAIN sales zyxel es 34 913 005 345 ZyXEL Communications Alejandro Villegas 33 1º 28043 Madrid Spain support zyxel se 46 31 744 7700 www zyxel se SWEDEN sales zyxel se 46 31 744 7701 ZyXEL Communications A S Sjöporten 4 41764 Göteborg Sweden support zyxel co uk 44 0 1344 303044 08707 555779 UK only www zyxel co uk UNITED KINGDOM sales zyxel co uk 44 0 1344 303034 ftp zyxel co...

Страница 8: ...r 2 1 2 1 Web Configurator Overview 2 1 2 2 Resetting Vantage RADIUS 2 3 2 3 Navigating the Web Configurator 2 3 Chapter 3 Advanced Settings 3 1 3 1 Advanced Settings Overview 3 1 3 2 IP Address and Subnet Mask 3 1 3 3 DNS Server Address Assignment 3 2 3 4 MAC Address 3 2 3 5 DHCP Setup 3 2 3 6 IP Pool Setup 3 3 3 7 Domain Name 3 3 3 8 Basic Network Configuration 3 3 3 9 DHCP Server Setup 3 5 3 10...

Страница 9: ...ting A Certificate 5 43 5 10 Setting Up Your Access Point AP 5 46 Maintenance and Management 6 1 Chapter 6 Maintenance 6 1 6 1 Overview 6 1 6 2 System Status 6 1 6 3 Firmware Upload 6 2 6 4 Configuration 6 4 Chapter 7 Management 7 1 7 1 Remote Management Overview 7 1 7 2 Introduction to HTTPS 7 2 7 3 SSH 7 3 7 4 Secure Telnet Using SSH Examples 7 4 7 5 Telnet 7 6 7 6 Remote Access 7 7 7 7 SNMP 7 1...

Страница 10: ...Computer s IPAddress D 1 Appendix E Wireless LAN and IEEE 802 11 E 1 Appendix F Wireless LAN With IEEE 802 1x F 1 Appendix G Types of EAPAuthentication G 1 Appendix H IP Subnetting H 1 Appendix I Command Interpreter I 1 Appendix J Power Adaptor Specifications J 1 Appendix K Open Software Announcements K 1 Appendix L Index L 1 ...

Страница 11: ... Trusted Root Certificate 5 4 Figure 5 3 Server Certificate 5 6 Figure 5 4 RADIUS Server Settings 5 8 Figure 5 5 RADIUS Server Add Remote RADIUS Server 5 12 Figure 5 6 RADIUS Server Add Allowed IP Address 5 13 Figure 5 7 RADIUS Server Add Allowed Network Address 5 14 Figure 5 8 Example 1 Vantage RADIUS Local and Remote Server Setup 5 16 Figure 5 9 Example 1 Vantage RADIUS Local Server Setup 5 17 F...

Страница 12: ...ent Computer A 5 39 Figure 5 35 User Account 5 40 Figure 5 36 CSV File Example 5 42 Figure 5 37 User Account Add New User 5 42 Figure 5 38 ZyAIR RADIUS Settings Example 5 47 Figure 5 39 ZyAIR Wireless Settings Example 5 48 Figure 6 1 System Status 6 1 Figure 6 2 F W Upload 6 3 Figure 6 3 F W Upload 6 3 Figure 6 4 Network Temporarily Disconnected 6 4 Figure 6 5 Configuration Backup 6 5 Figure 6 6 N...

Страница 13: ... Internet Options Privacy A 5 Figure A 3 Internet Options Privacy A 6 Figure A 4 Pop up Blocker Settings A 7 Figure A 5 Internet Options Security A 8 Figure A 6 Security Settings Java Scripting A 9 Figure A 7 Security Settings Java A 10 Figure A 8 Java Sun A 11 ...

Страница 14: ...able 5 1 Trusted Root Certificate 5 5 Table 5 2 Server Certificate 5 6 Table 5 3 RADIUS Server Settings 5 9 Table 5 4 RADIUS Server Add Remote RADIUS Server 5 12 Table 5 5 RADIUS Server Add Allowed IP Address 5 13 Table 5 6 RADIUS Server Add Allowed Network Address 5 14 Table 5 7 Example 1 RADIUS Server User Accounts 5 16 Table 5 8 Example 2 RADIUS Server User Accounts 5 23 Table 5 9 Example 3 RAD...

Страница 15: ...1 Chart C 1 Power over Ethernet Injector Specifications C 1 Chart C 2 Power over Ethernet Injector RJ 45 Port Pin Assignments C 1 Chart H 1 Classes of IP Addresses H 1 Chart H 2 Allowed IP Address Range By Class H 2 Chart H 3 Natural Masks H 2 Chart H 4 Alternative Subnet Mask Notation H 3 Chart H 5 Subnet 1 H 4 Chart H 6 Subnet 2 H 4 Chart H 7 Subnet 1 H 5 Chart H 8 Subnet 2 H 5 Chart H 9 Subnet ...

Страница 16: ......

Страница 17: ...Embedded web help for descriptions of individual screens and supplementary information Packing List Card The Packing List Card lists all items that should have come in the package Certifications Refer to the product page at www zyxel com for information on product certifications ZyXEL Glossary and Web Site Please refer to www zyxel com for an online glossary of networking terms and additional supp...

Страница 18: ...ontrol Panel means first click the Start button then point your mouse pointer to Settings and then click Control Panel e g is a shorthand for for instance and i e means that is or in other words Graphics Icons Key Vantage RADIUS Computer Notebook Computer Server Wireless Access Point Wireless Signal Internet Internet Firewall Router Switch Modem ...

Страница 19: ...Getting Started I Part I Getting Started This part helps you get to know your Vantage RADIUS introduces the web configurator and how to configure for first use ...

Страница 20: ......

Страница 21: ... single point of authentication that is particularly useful when applied to wireless networks where a mobile device could potentially access many servers Vantage RADIUS can be set up as a local or remote server Multiple Vantage RADIUS devices can be set up as remote servers with different user accounts for decentralization and network flexibility The device s web configurator allows easy managemen...

Страница 22: ... A Authentication Authorization Accounting network management Authentication Clients that require access to the wireless network must first be authenticated before they can be authorized Vantage RADIUS identifies valid clients using certificates and shared keys Each new connection is monitored and information is sent to the wireless client such as what IP address to use session time limit informat...

Страница 23: ...gainst wireless eavesdropping and other attacks with the supported IEEE 802 1x security standard including the WLAN security protocols EAP MD5 and PEAP SNMP Support SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of the TCP IP protocol suite Your Vantage RADIUS supports SNMP agent functionality which allows a...

Страница 24: ...he records via a syslog or e mail server System and RADIUS Logs Vantage RADIUS provides real time system logs and RADIUS logs to perform real time transactions of the RADIUS server such as administrator login the RADIUS server authenticate request the RADIUS accounting request authenticate reply and accounting reply The last seven days log files are kept in Vantage RADIUS export them with TFTP or ...

Страница 25: ...for authentication A replies with identity information including username and password C communicates with Vantage RADIUS which checks the user information against its list of valid accounts and determines whether or not to authenticate A A is authenticated and can communicate with B over the wireless network 1 3 2 Remote RADIUS Authentication Vantage RADIUS can forward authentication for user acc...

Страница 26: ...igure 1 2 Remote RADIUS Authentication The following gives an overview of how remote RADIUS authentication operates in a network Wireless station A attempts to communicate with D over the wireless network via C C sends a request identity message to A for authentication A replies with identity information including username and password C communicates with Vantage RADIUS local RADIUS server 1 which...

Страница 27: ...ge RADIUS forwards the authentication to a remote RADIUS server 2 The remote RADIUS server checks the password and username against its list of valid accounts and determines whether or not to authenticate A A is authenticated and can communicate with D over the wireless network Wireless client B is authenticated by either the local or remote RADIUS server depending on whether B has a user account ...

Страница 28: ......

Страница 29: ...The recommended screen resolution is 1024 by 768 pixels In order to use the web configurator you need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the Troubleshooting appendix if you want to make sure these functions are allowed in Internet Explor...

Страница 30: ...k a link under MAINTENANCE to see system status user information upload firmware and back up or restore or upload a configuration file Click a link under MANAGEMENT to set up your Vantage RADIUS for remote access and monitoring connections Click LOGOUT in the navigation panel when you have finished managing your device The device automatically logs you out if it is left idle for five minutes If th...

Страница 31: ... sure the PWR LED is on not blinking before you begin Press the RESET button for five seconds or until the SYS LED begins to blink and then release it When the SYS LED begins to blink the defaults have been restored and Vantage RADIUS restarts 2 3 Navigating the Web Configurator The following summarizes how to navigate the web configurator from the MAIN MENU screen Figure 2 2 Admin Account MAIN ME...

Страница 32: ...stem related events and download log files RADIUS LOG Use these screens to monitor RADIUS related events and download log files LOG SETTINGS Use this screen to configure the syslog TFTP and Mail servers to specify when and where log files are generated and sent RADIUS ROOT CA Use this screen to configure and download a certificate used to authenticate wireless clients SERVER CERTIFICATE Use this s...

Страница 33: ...figure which IP address es can access Vantage RADIUS SNMP AGENT Use this screen to configure which IP address es can access Vantage RADIUS using SNMP and the access level USER TRACE Use these screens to monitor client access and generate log files LOGOUT Click this label to exit the web configurator RESTART RESET You only need to use this button if you ve forgotten the device s password It returns...

Страница 34: ......

Страница 35: ... your particular situation If the ISP or your network administrator assigns you a block of registered IP addresses follow their instructions in selecting the IP addresses and the subnet mask The Internet Assigned Number Authority IANA reserves blocks of addresses specifically for private use please do not use any other numbers unless you are told otherwise Let s say you select 192 168 1 0 as the n...

Страница 36: ...hen you sign up If you are using a ZyXEL gateway router you can use it s DNS proxy feature by entering the LAN IP address of the gateway router in the DNS field 3 4 MAC Address Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 Table 3 1 Example of Network P...

Страница 37: ...her server computers for instance servers for mail FTP TFTP web etc that you may have 3 7 Domain Name The Domain Name entry is what is propagated to the DHCP clients on the wireless network While you must enter the host name System Name on each individual computer the domain name can be assigned from Vantage RADIUS via DHCP This domain name is for administrators to identify which DHCP server assig...

Страница 38: ...address of the gateway device used to connect your RADIUS to the Internet Primary DNS DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it The RADIUS uses a system DNS server in the order you specify here to resolve domain names T...

Страница 39: ... RADIUS server on the network Apply Click Apply to save your changes back to the RADIUS 3 9 DHCP Server Setup Vantage RADIUS dynamically assigns IP addresses to clients Click ADVANCED and then DHCP SERVER in the main menu to configure your Vantage RADIUS as a DHCP server Figure 3 2 DHCP Server Setup The following table describes the labels in this screen ...

Страница 40: ...1 100 DHCP Pool Size This field specifies the size or count of the IP address pool The default is 10 Lease Time Type a time between 1 and 65535 minutes Domain This field identifies your Vantage RADIUS DHCP server on the network and informs administrators which DHCP server you are using The following fields are taken from the IP screen and are not configurable See Figure 3 1 for details on how to c...

Страница 41: ...owing table describes the labels in this screen Table 3 4 DHCP Server Client List LABEL DESCRIPTION DHCP Client List Refresh Click this button to update the DHCP Client List No This is the index number of the host computer IP Address This field displays the IP address relative to the No field listed above MAC Address This field shows the MAC address of the computer with the IP address in the IP Ad...

Страница 42: ... following table describes the labels in this screen Table 3 5 Administrator Account LABEL DESCRIPTION Administrator Account Username Type up to 20 alphanumeric characters to associate a name with administrator access to the RADIUS Password Type the default password or the existing password you use to access the system in this field New Password Type the new password in this field Confirm Password...

Страница 43: ...ronize time across the network and generates accurate log files Time can be obtained from the connecting computer or an NTP Network Time Protocol Server To change your time settings click ADVANCED in the main menu and then click TIME Figure 3 5 Time Settings The following table describes the labels in this screen ...

Страница 44: ...C Click this button to have the RADIUS obtain the current time and date from your computer NTP Setup Use NTP Network Time Protocol Time Server Enable the network time server to have the RADIUS automatically synchronize the current rime and date with a time server Server IP Domain Name Type the address of your time server Check with your ISP network administrator if you are unsure of this informati...

Страница 45: ...to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening From Date Enter the month and day that your daylight savings time starts on if you selected Daylight Saving Time End Date Enter the month and day that your daylight savings time ends on if you selected Daylight Saving Time Apply Click Apply to save your changes back t...

Страница 46: ......

Страница 47: ...e RADIUS generates three different types of logs System Logs record internal events see Section 4 4 RADIUS Logs records communication between the wireless AP and Vantage RADIUS see section 4 5 Refer to your wireless AP User s Guide for details of log messages User Trace records client interaction with Vantage RADIUS see section 4 6 The table below describes the maximum file size for each log befor...

Страница 48: ...er to perform real time logging 4 3 Syslog server Syslog servers listen for incoming syslog messages and decodes them for logging purposes All log files are sent to a syslog server specified in the Send Every Real Time Event to Syslog Server fields in the Log Settings screen see section 4 13 Vantage RADIUS allows you to choose seven different locations to save your log files on the syslog server T...

Страница 49: ...which Vantage RADIUS you should configure each Vantage RADIUS on the network to send its log files to different log stores inside the syslog server 4 4 System Log Messages There are nine cases when a system log message is generated The table below outlines the messages logged by Vantage RADIUS and the meaning of the log ...

Страница 50: ...l OK Fail user admin source console Someone has logged to the command interface using the administrator account via the console NTP Time synchronize destination IP An NTP server address was entered into the NTP Server IP Domain field on the TIME settings screen see section 3 12 NTP Time synchronize OK Fail destination IP Vantage RADIUS has synchronized its time settings with the NTP server TFTP Sy...

Страница 51: ...IUS Messages The following types of RADIUS messages are exchanged between the access point and Vantage RADIUS for user authentication Access Request Sent by an access point requesting authentication Access Reject Sent by Vantage RADIUS rejecting access Access Accept Sent by Vantage RADIUS allowing access ...

Страница 52: ... accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by Vantage RADIUS to indicate that it has started or stopped accounting 4 6 User Trace Records Every time a wireless client is authenticated the details of the connection are recorded in the User Trace Records table Vantage RADIUS tracks recent event logs including username MAC address client IP ...

Страница 53: ...oting see section 4 4 for details of system log messages To view logs of system events click ADVANCED in the main menu then click SYSTEM LOG This field displays the account name of the wireless client connected to the network This field displays the name of the wireless AP used by the wireless client to connect to the network These fields refer to the total number of packets transmitted Output Pac...

Страница 54: ...m Log List Clear Log Click this button to remove all log entries from the System Log List Refresh Click this button to update the System Log List with the most recent record able events Email Log Now Click Email Log Now to send logs to the e mail address specified in the Log Settings screen Make sure that you have first filled in the Send log file to mail server fields in Log Settings screen see s...

Страница 55: ... was logged Message This field displays the logged packets details see section 4 4 for details of system log messages Source This field displays the IP address where the packet originated Destination This field displays the destination IP address for the incoming packet 4 8 System Log Files Recorded system events see section 4 4 are sent to the syslog server see section 4 3 and are available for d...

Страница 56: ...load Click this link to download the txt log file from the TFTP server The file is in ASCII format and can be read by any text editor 4 9 Real Time RADIUS Logs Click ADVANCED in the main menu and then RADIUS LOG to view messages passed between your wireless AP and Vantage RADIUS For details of log messages please refer to your wireless AP s user guide Figure 4 6 RADIUS LOG Real Time RADIUS Logs Th...

Страница 57: ...he Log Settings screen Make sure that you have first filled in the Send log file to TFTP server fields in the Log Settings screen see section 4 13 No This field displays the index number in the order of arrival Time This field displays the time and date the log was created Message This field displays the log entry details see section 4 4 for details of system log messages Source This field display...

Страница 58: ...s in ASCII format and can be read by any text editor 4 11 User Trace Vantage RADIUS monitors and records network sessions initiated by wireless clients These screens display events triggered by a wireless client so you can see details about the network session including the time of connection and from which AP the connection came from For a detailed description of user trace records please refer t...

Страница 59: ...ame of the account authenticated by Vantage RADIUS MAC Address This is the MAC address of the wireless AP used by the wireless client to connect to the network NAS ID Network Access Server NAS ID displays the ID of the wireless AP that the wireless client uses to access the network NAS IP Address This field displays the IP address of the wireless AP that the wireless client is uses to access the n...

Страница 60: ...one log file per day If a new log file is generated it appends the old one and changes the time to reflect the time updated File Name View and Download Click this link to download the txt log file from the TFTP server The file is in ASCII format and can be read by any text editor 4 13 Log Settings Screen This screen allows you to specify where you want your log files sent see section 4 1 what type...

Страница 61: ...S User s Guide System Logs 4 15 Figure 4 10 RADIUS Logs Log Files The following table describes the labels in this screen Table 4 9 RADIUS Logs Log Files LABEL DESCRIPTION Send every real time event to syslog server ...

Страница 62: ...end log file to TFTP Server Enable this field to have Vantage RADIUS transmit log files location to the specified TFTP server Type the TFTP server IP address System Log Enable this field to record system events for logging to the TFTP server see section 4 4 Radius Log Enable this field to record messages passed between your Vantage RADIUS and the wireless AP s accessing it to the TFTP server see s...

Страница 63: ...ail Address2 Type a second e mail address if you want your log files to be sent to a second destination Mail Address3 Type a third e mail address if you want your log files to be sent to a third destination System Log Enable this field to record system events for logging to the above e mail addresses see section 4 4 Radius Log Enable this field to record messages passed between your Vantage RADIUS...

Страница 64: ......

Страница 65: ...RADIUS Server II Part II RADIUS Server This part introduces the RADIUS Server screens ...

Страница 66: ......

Страница 67: ...based on a client sever model that supports authentication and accounting where access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks among others Authentication Determines the identity of the users Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your AP acts as a message relay between the w...

Страница 68: ...ation By using EAP to interact with an EAP compatible RADIUS server the access point helps a wireless station and the RADIUS server perform authentication Vantage RADIUS supports PEAP and EAP MD5 Message Digest Algorithm 5 Refer to the Types of EAP Authentication appendix for descriptions on common types The following figure shows an overview of authentication when you specify a RADIUS server on y...

Страница 69: ...horities In public key encryption and decryption each host has two keys One key is public and can be made openly available the other key is private and must be kept secure Public key encryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the private key an...

Страница 70: ...ts use MD5 authentication protocol you do not need to configure any certificates Otherwise click RADIUS in the main menu and then click ROOT CA to set up a certificate for use with PEAP authentication Figure 5 2 Trusted Root Certificate Each time you change this screen a new certificate is required for successful wireless client authentication The following table describes the labels in this scree...

Страница 71: ...your organizations name Department Type up to 50 ASCII characters to detail the department that is issuing the certificate Contact E mail Type a valid e mail to contact your Certificate Authority Valid Days Type a period in days that the certificate is valid for Download Root CA Certificate Click this hyperlink to create and download the Root CA certificate to your computer Apply Click this button...

Страница 72: ...o identify your state district or region Locality Type up to 50 ASCII characters to identify the city or town where your organization s office is located Organization Type up to 50 ASCII characters to identify your organizations name Department Type up to 50 ASCII characters to detail the department that is issuing the certificate Contact E mail Type a valid e mail to contact your Certificate Auth...

Страница 73: ...ple RADIUS servers can be used by forwarding authentication requests from wireless clients Forwarding authentication to different RADIUS servers allows wireless clients to be authenticated by a user account specific to each RADIUS server Click RADIUS and then RADIUS SERVER in the main menu to set up your Vantage RADIUS to manage connections with wireless APs ...

Страница 74: ...d secret used to connect to your wireless AP The wireless APs use the same shared secret Select Active Directory Account to allow one administrator to manage Vantage RADIUS servers using the same administrator login as a remote RADIUS server computer The Local Account Remote account is set by default Type the name of your local RADIUS server Multiple remote RADIUS servers can be added ...

Страница 75: ...uter Local Account Remote Account Select the Local Account Remote Account radio button to have the local RADIUS server or remote RADIUS server authenticate wireless clients via the AP s Local Realm Name Type a Local Realm Name to identify the local RADIUS server name Apply Click this button to save the changes back to Vantage RADIUS Remote RADIUS Click the Add button to create a remote RADIUS serv...

Страница 76: ...ey to be shared The key must be the same on Vantage RADIUS and your AP The key is not sent over the network Allowed Specified IP Address Network Address Enable this field to allow specified IP addresses of AP s or network addresses in this list to access Vantage RADIUS Apply Click this button to save your configurations back to Vantage RADIUS Allowed IP Address max 20 Add Click this button to add ...

Страница 77: ...ddress of a wireless AP to the Allowed IP Address list Description This field displays the description entered in the Allowed IP Address screen to identify your AP Action Click the button in this field to edit the information required to access your wireless AP Delete Select the check box next to the AP s description in this list that you want to delete then click Delete to remove this entry 5 6 1...

Страница 78: ...ort Type the port number of a remote RADIUS authentication server The default port number is 1812 Make sure your AP uses the same port number Accounting Port Type the port number of a remote RADIUS accounting server The default port number is 1813 Make sure your AP uses the same port number Apply Click this button to save changes back to Vantage RADIUS and return to the RADIUS SERVER screen 5 6 2 ...

Страница 79: ...rver Add Allowed IP Address Table 5 5 RADIUS Server Add Allowed IP Address LABEL DESCRIPTION Allowed IP Address IP Address Type the IP address in dotted decimal notation of an AP Shared Secret Type a password as the key to be used The shared secret is the WEP Key used to access an AP on the network The key must be the same on Vantage RADIUS and your AP The key is not sent over the network Descript...

Страница 80: ... allowed IP addresses Click RADIUS and then RADIUS SERVER in the main menu Now click the Add button in the Allowed Network IP Address section or click Modify next to an entry you want to change The following screen displays Figure 5 7 RADIUS Server Add Allowed Network Address Table 5 6 RADIUS Server Add Allowed Network Address LABEL DESCRIPTION Allowed Network Address Network Address Type the firs...

Страница 81: ...os for your Vantage RADIUS See Section 5 8 for information on wireless client computer account user names Unless otherwise specified a wireless client computer will be referred to as computer in these examples The RADIUS server domain name will be referred to as realm name 5 7 1 Example 1 Vantage RADIUS Local and Remote Server Setup In the following example A B and C request access to E The wirele...

Страница 82: ...ser Accounts RADIUS1 RADIUS2 RADIUS3 ComputerA ComputerB ComputerC RADIUS1 and Computer A Configuration 1 In the RADIUS SERVER screen type the name of your local RADIUS server in the Local Realm Name field 2 Click the Apply button The local RADIUS server is connected to the AP If you have any Remote RADIUS servers they exist behind the local RADIUS server ...

Page 83: ...unt Password. See the section on User Account for more information. Type RADIUS1 in the Logon domain field. You can leave the Logon domain field blank if you do not know the realm of your local RADIUS server. You must enter this field for remote RADIUS servers. If computer A uses Odyssey Client utility, then type the Login name in computer realm format. You can type the Login name as a user account name ...

Page 84: ...nfiguration 1. In the RADIUS SERVER screen, click the Add button under Remote RADIUS. 2. The Add Remote RADIUS Server screen displays. 3. Type the name of a remote RADIUS server in the Realm Name field. 4. Type the IP Address of the remote RADIUS server. 5. Type a Shared Secret that matches the shared secret in D. 6. The Authentication Port and Accounting Port must match those in D. RADIUS1 ComputerA ComputerA...

Page 85: ...n 5-19 7. Click Apply to save the settings and return to the RADIUS SERVER screen. Figure 5-11 Example 1 Add Remote RADIUS Server. The Vantage RADIUS now has a remote RADIUS server named RADIUS2. Figure 5-12 Example 1 Vantage RADIUS Remote Server Setup ...

Page 86: ...ion on User Account for more information. Type RADIUS2 in the Login domain field. If computer B uses Odyssey Client utility, then type the Login name in computer realm format. If the remote server is a computer with Windows 2003 IAS, the Odyssey Client Login name must be typed in realm computer format, for example RADIUS2 ComputerB. Figure 5-13 Example 1 Using WZC or Odyssey Client Computer B. RADIUS2 Com...

Page 87: ...server named RADIUS2. Computer B is listed as a user account. If successfully authenticated, B can communicate with E. RADIUS3 and Computer C Configuration: 1. In the RADIUS SERVER screen, click the Add button and create a remote RADIUS server named RADIUS3 in the same manner that you configured RADIUS2. Figure 5-14 Example 1 Vantage RADIUS Remote Servers. Set up the wireless client computer as displayed i...

Page 88: ...US3. Computer C is listed as a user account. If successfully authenticated, C can communicate with E. 5.7.2 Example 2 Vantage RADIUS Local and Remote Server Setup. In the following example, computers A and B request access to E. Computer A is authenticated by C using RADIUS server 1. Computer B is authenticated by D using RADIUS server 1. The following table displays an example list of user accounts see th...

Page 89: ...Example 2 Vantage RADIUS Local and Remote Server Setup. Table 5-8 Example 2 RADIUS Server User Accounts: RADIUS1 ComputerA ComputerB. RADIUS1 and Computer A Configuration: In the RADIUS SERVER screen, type the name of your local RADIUS server in the Local Realm Name field. ...

Page 90: ...A uses Wireless Zero Configuration utility, then type the User name ComputerA and the user account Password. See the section on User Account for more information. Type RADIUS1 in the Login domain field. If computer A uses Odyssey Client utility, then type the Login name in computer realm format. Set up the wireless client computer as displayed in the following screen. ...

Page 91: ...omputer B Configuration: The local RADIUS server is in the same subnet as B. The RADIUS server 2 must be set as the local RADIUS server and the RADIUS server 1 must be set as a remote RADIUS server. 1. In the web configurator of Vantage RADIUS 2, go to the RADIUS SERVER screen and type the name of your local RADIUS server in the Local Realm Name field. RADIUS1 ComputerA ComputerA RADIUS1 ...

Page 92: ...te RADIUS. 3. The Add Remote RADIUS Server screen displays. 4. Type the name of the remote RADIUS server in the Realm Name field. 5. Type the IP Address of the remote RADIUS server. 6. Type a Shared Secret that matches the shared secret in C. 7. The Authentication Port and Accounting Port must match those in C. 8. Click Apply to save the settings and return to the RADIUS SERVER screen. ...

Page 93: ...ADIUS User's Guide RADIUS Configuration 5-27 Figure 5-20 Example 2 Add Remote RADIUS Server. RADIUS server 2 now has a remote RADIUS server named RADIUS1. Figure 5-21 Example 2 Vantage RADIUS Remote Server 2 Setup ...

Page 94: ...n field. If your wireless client computer B uses Odyssey Client utility, then type the Login name in computer realm format. Figure 5-22 Example 2 Using WZC or Odyssey Client Computer B. AP D forwards an authentication request to Vantage RADIUS server 2. Computer B has a realm RADIUS1. The authentication request is then forwarded to the remote RADIUS server named RADIUS1. Computer B is listed as a user ac...

Page 95: ...emote Computer Server Setup. In the following example, the computer A requests access to B. Computer A is authenticated by C via a remote RADIUS server computer 2. Figure 5-23 Example 3 Vantage RADIUS and Remote Computer Server. Table 5-9 Example 3 RADIUS Server User Accounts: COMSERVER2 ComputerA ...

Page 96: ...US Local Server Setup: 1. In the RADIUS SERVER screen, click the Add button and create a remote RADIUS server. 2. The Add Remote RADIUS Server screen displays. 3. Type the name of the remote RADIUS server in the Realm Name field. 4. Type the IP Address of the remote RADIUS server. 5. Type a Shared Secret that matches the shared secret in C. 6. The Authentication Port and Accounting Port must match those in C. 7...

Page 97: ...Vantage RADIUS User's Guide RADIUS Configuration 5-31 Figure 5-25 Example 3 Add Remote RADIUS Server. Figure 5-26 Example 3 Vantage RADIUS Remote Server Setup. Follow the steps to set up computer A. ...

Page 98: ...n domain field. If computer A uses Odyssey Client utility, then type the Login name in computer realm format. If the remote server is a computer with Windows 2003 IAS, the Odyssey Client Login name must be typed in realm computer format, for example ComServer2 ComputerA. Figure 5-27 Example 3 Using WZC or Odyssey Client Computer A. 1. In the remote RADIUS server computer, open the Internet Authentication S...

Page 99: ...equests from a local RADIUS server such as a Vantage RADIUS device. 3. To create a new server group: 4. Right-click the Remote RADIUS Server Group and create a New Remote RADIUS Server Group. Figure 5-28 New Remote RADIUS Server Group. 5. The New Remote RADIUS Server Group Wizard opens. Type the IP address of the Vantage RADIUS server in the Primary server field. ...

Page 100: ...he Server group shared secret section. This should match the shared secret in the AP that you want to use to authenticate a wireless client. 7. Click Next to continue. Figure 5-29 New Remote RADIUS Server Group Wizard. 8. The New Connection Request Policy Wizard opens. Click Next to continue. ...

Page 101: ...ser's Guide RADIUS Configuration 5-35 Figure 5-30 New Connection Request Policy Wizard. 9. Enter the name of the Windows 2003 IAS computer RADIUS server in the Realm name field. 10. Click Next to complete the wizard setup. ...

Page 102: ...RADIUS server using the same administrator login and domain name as a remote RADIUS server computer. The remote server computer must exist behind a local Vantage RADIUS server. Authentication requests are sent to a local Vantage RADIUS server. The Vantage RADIUS server searches for a server computer with the same Domain Administrator Username, Domain Administrator Password and computer Domain Name. 1. A...

Page 103: ...r server is found matching the same fields in the Vantage RADIUS, the wireless client is authenticated by the AP. Figure 5-32 Example 4 Vantage RADIUS and Windows Active Directory. Table 5-10 Example 4 RADIUS Server User Accounts: RADIUS1 ComputerA. 1. In the RADIUS SERVER screen, select the Active Directory Account radio button. ...

Page 104: ... server computer. This is usually displayed in the NetBIOS setup of the Windows server computer, for example ComServer2. 5. Click the Apply button. Figure 5-33 Example 4 Vantage RADIUS Active Directory Account Setup. Follow the steps to set up computer A. If computer A uses Wireless Zero Configuration utility, then type the User name ComputerA and the user account Password. See the section on User Account ...

Page 105: ...server computer is found with an administrator username, password and domain name that match the active directory fields configured in Vantage RADIUS, and Computer A is listed as a user account with Vantage RADIUS, then computer A is authenticated by C and can successfully communicate with B. ComServer2 ComputerA ComServer2 ComputerA ...

Page 106: ...PTION Import Export User Account. Import User Account: You can import user names and passwords of up to 200 user accounts. Type the name of a CSV file or click the browse button to search for a CSV file on your computer. Click Import User Account to import the CSV file. Export User Account: You can save a list of user names and passwords to your computer in CSV file format. When typing the name of the CS...

Page 107: ...s the account user name. Action Change Password: Click this button to modify user's password. Select All: Click this button to select all user accounts. Delete: Select a check box next to the user(s) you want to remove and click Delete. 5.8.1 CSV File. The CSV (Comma Separated Value) file format is often used to exchange data between disparate applications. Microsoft Excel is an application that produces and ...

Page 108: ...e Example. 5.8.2 Adding a New Client. Click Add New User in the USER ACCOUNT screen to add a new client account to your Vantage RADIUS. Figure 5-37 User Account Add New User. The following table describes the labels in this screen. Usernames Save the file in CSV format Passwords ...

Page 109: ... for confirmation. Apply: Click this button to save your change back to Vantage RADIUS and return to the USER ACCOUNT screen. In order to authenticate your wireless client, a username and password for your RADIUS account is required. If your AP uses PEAP authentication, you are required to have a CA Root Certificate as well (see the Trusted Root CA section). 5.9 Importing A Certificate. If you download a ce...

Page 110: ...Vantage RADIUS User's Guide 5-44 RADIUS Configuration. Step 2. Click Install Certificate to open the Certificate Import Wizard as shown below. Then click Next. ...

Page 111: ...atically select the certificate store based on the type of certificate or, if you prefer, specify the location for the certificate to be stored, then click Next. Step 4. Click Yes to add this certificate to your computer. The Certificate Import Wizard dialog box appears as below. ...

Page 112: ...le describes how to configure your AP's RADIUS server settings for use with Vantage RADIUS. To set up your ZyAIR's RADIUS server settings, click the WIRELESS link under ADVANCED and then the RADIUS tab. The screen appears as shown. 1. Make sure your RADIUS servers are activated. 2. Type the IP address of your Vantage RADIUS in the Server IP Address field. 3. Type the port numbers of the external authentica...

Page 113: ... to enable authentication through an external authentication server (Vantage RADIUS). If your wireless client uses MD5 authentication, either choose static key exchange or disable dynamic key exchange. 1. Enable these fields to activate authentication and accounting services. 4. Type a shared secret password to secure communication between the AP and Vantage RADIUS. 3. Type the port number of the RADIUS ser...

Page 114: ...es to authenticate a wireless station. Figure 5-39 ZyAIR Wireless Settings Example 2 If your AP uses MD5 authentication, then Dynamic WEP Key Exchange must be disabled as MD5 uses static keys. PEAP can use both dynamic and static keys. 1. Select Authentication Required so that all wireless stations have to enter usernames and passwords before access to the wired network is allowed. 3. Select the order of...

Page 115: ...Maintenance and Management III Part III Maintenance and Management. This part explains how to maintain and manage your Vantage RADIUS. ...

Page 116: ......

Page 117: ...figuration 6.2 System Status. This screen displays details about the Vantage RADIUS firmware, time running since last startup and a list of wireless clients authenticated and currently connected to the network. Click MAINTENANCE in the main menu of the web configurator and then click SYSTEM STATUS to display the following screen. Note that these fields are READ-ONLY and only used for diagnostic purpos...

Page 118: ...s username. MAC Address: This field displays the MAC address. NAS ID: This field displays the wireless client's IP address. NAS IP Address: This field displays the IP address of the wireless AP that the wireless client uses to access the network. Login Time: This field displays the length of time the wireless client is connected for. 6.3 Firmware Upload. Find the latest firmware at www.ZyXEL.com in a file t...

Page 119: ...e bin file you want to upload. Remember that you must decompress compressed zip files before you can upload them. Apply: Click this button to begin the upload process. This process may take up to two minutes. Update firmware from TFTP server: Use this feature to have Vantage RADIUS automatically update the firmware. Remote TFTP Server: Type the IP address of your TFTP server. File Name: Type the filename of...

Page 120: ... following messages display at the bottom of the screen. Wait for about two minutes, log in again and check your new firmware version in the SYSTEM STATUS screen. 6.4 Configuration. Click MAINTENANCE and then the Configuration tab. Use this screen to back up or restore Vantage RADIUS configuration. ...

Page 121: ...commended once your Vantage RADIUS is functioning properly. Table 6-2 Configuration Backup. LABEL DESCRIPTION Configuration Backup. Backup the system configuration to a local file. Apply: Click this button to begin the backup process to your computer. Backup the system configuration to TFTP server. Remote TFTP Server: Type the IP address of the TFTP server. File Name: Type the filename of the file to backup...

Page 122: ...the file you want to upload. Remember that you must decompress compressed ZIP files before you can upload them. Apply: Click this button to begin the upload process. Restore the system configuration from TFTP server. Remote TFTP Server: Type the IP address of the TFTP server. TFTP File Path: Type the path and filename of the file to restore. Apply: Click this button to begin the restore process. Do not turn ...

Page 123: ...he default configuration file, you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.3). See your Quick Start Guide or the Appendices for details on how to set up your computer's IP address. ...

Page 124: ......

Page 125: ... management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows: 1. Console port 2. SSH 3. Telnet 4. HTTPS and HTTP. 7.1.1 Remote Management Limitations. Remote management will not work when: 1. You have disabled that service in the remote management screen. 2. The client IP address does...

Page 126: ...encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). HTTPS on Vantage RADIUS is used so that you may securely access Vantage RADIUS u...

Page 127: ...hen Vantage RADIUS blocks all HTTP connection attempts. 7.3 SSH. Unlike Telnet, which transmits data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. Figure 7-2 SSH Communication Example ...

Page 128: ... and server must agree on the type of encryption method to use. Figure 7-3 How SSH Works. 3. Authentication and Data Transmission: After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 7.3.2 Requirements for Usin...

Page 129: ...puter. Click Yes to continue. Figure 7-4 SSH Example 1 Store Host Key. 4. Enter the password to log in to Vantage RADIUS. The command prompt Vantage displays next. 7.4.2 Example 2 Linux. This section describes how to access Vantage RADIUS using the OpenSSH client program that comes with most Linux distributions. 1. Test whether the SSH service is available on Vantage RADIUS. 2. Enter telnet 192.168.1.1 22 at...

Page 130: ...assword to log in to Vantage RADIUS. Figure 7-6 SSH Example 2 Log in. 7.5 Telnet. You can configure your Vantage RADIUS for remote Telnet access as shown next. ssh -1 192.168.1.3 The authenticity of host '192.168.1.3 (192.168.1.3)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '19...

Page 131: ...US User's Guide Management 7-7 Figure 7-7 Telnet Configuration on a TCP/IP Network. 7.6 Remote Access. To configure your Vantage RADIUS for remote access, click MANAGEMENT in the main menu and then click REMOTE ACCESS. ...

Page 132: ...icts access to the list of network addresses and IP addresses in the Allow IP Address and Allowed Network Address lists. Idle Time Out: The default timeout is five minutes for either the console port or telnet web FTP connections. Type the length of time a connection can idle before Vantage RADIUS disconnects. Telnet: Enable this field to allow telnet access to the Vantage RADIUS. You may change the ser...

Page 133: ... HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number, for example 8443, then you must notify people who need to access the web configurator to use https://Vantage RADIUS IP Address:8443 as the URL. Allowed IP Address: This list displays IP addresses of clients that are allowed to use the enabled (see above) remote services to access Vantage RAD...

Page 134: ...check box(es) next to the IP address(es) you want removed and then click Delete. Delete: Click this button to delete the IP address(es) you selected in the Allowed IP Address list. 7.6.1 Insert Modify Allowed IP Address. In the REMOTE ACCESS screen, click Add to insert a new entry in the Allowed IP Address list. To edit an existing entry, click the Modify button next to a Network IP address you want to chan...

Page 135: ... to a Network IP address you want to change. Figure 7-10 Remote Access Add Modify Network IP Address. The following table describes the fields in this screen. Table 7-3 Remote Access Add Modify Network IP Address. LABEL DESCRIPTION Allowed Network Address Network Address: Type the first address in your network. This is the start address from which Vantage RADIUS uses the Netmask to allow access from man...

Page 136: ... supports SNMP agent functionality, which allows a manager station to manage and monitor Vantage RADIUS through the network. Vantage RADIUS supports SNMP version one (SNMPv1). The next figure illustrates an SNMP management operation. SNMP is only available if TCP/IP is configured. Figure 7-11 SNMP Management Model. An SNMP managed network consists of two main...

Page 137: ...t response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: Get: Allows the manager to retrieve an object variable from the agent. GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an a...

Page 138: ...nagement 7.8 Configuring SNMP [1]. To configure your SNMP settings, click MAINTENANCE in the main menu and then click SNMP AGENT. Figure 7-12 SNMP Agent. [1] At the time of writing, SNMP only has write access to the IP screen in the ADVANCED menu. ...

Page 139: ...S only responds to SNMP messages from the address displayed in this field. Privileges: This field displays whether or not this entry has read or write SNMP access. Action: Click the Modify button next to an entry in this list to edit that entry. Delete: Click this button to remove a trusted network IP address from the list. Allowed Community Network IP Address. Add: Click this button to insert a new truste...

Page 140: ...with each request to the SNMP manager. The default is public and allows all requests. IP Address: Type the IP address in dotted decimal notation of an allowed computer. Privileges: Select Write, Read, Trap Recipients or All from the drop-down list box to allow reading and writing via SNMP. Apply: Click this button to save changes back to Vantage RADIUS and return to the SNMP AGENT screen. 7.8.2 Insert Modif...

Page 141: ...irst address in your network. This is the start address from which Vantage RADIUS uses the Netmask to allow access to many clients. Netmask: Type the subnet mask used to specify the network range limits for accepted IP addresses. Privileges: Select Write or Read from the drop-down list box to allow reading and writing via SNMP. Apply: Click this button to save changes back to Vantage RADIUS and return to...

Page 142: ......

Page 143: ...d will be reset to 1234. 8.2 Procedure To Use The Reset Button. Make sure the SYS LED is on (not blinking) before you begin this procedure. 1. Press the RESET button for ten seconds or until the SYS LED and PWR LED turn red, and then release it. If the SYS LED begins to blink, the defaults have been restored and the Vantage RADIUS restarts. Otherwise, go to step 2. 2. Turn the Vantage RADIUS off, disconnect th...

Page 144: ...y Defaults. The following screen allows you to reset Vantage RADIUS back to the default configuration file without turning the power off or using the RESET button. 1. Click RESTART RESET in the main menu. 2. Select the check box and then click Apply. Figure 8-1 RESTART RESET ...

Page 145: ... I IV V APPENDICES. This part provides troubleshooting and background information about setting up your computer's IP address, wireless LAN, 802.1x and IP subnetting. It also provides information on the command interpreter interface. ...

Page 146: ......

Page 147: ...this case you should contact your local vendor. Vantage RADIUS reboots automatically sometimes: The supplied power to Vantage RADIUS is too low. Check that Vantage RADIUS is receiving enough power. Make sure the power source is working properly. Problems with the Ethernet Interface. Chart A-2 Troubleshooting the Ethernet Interface. PROBLEM CORRECTIVE ACTION Cannot access Vantage RADIUS from the LAN: If th...

Page 148: ...addresses must be on the same subnet for LAN access. If you changed the Vantage RADIUS's IP address, then enter the new one as the URL. See the following section to check that pop-up windows, JavaScripts and Java permissions are allowed. You may also need to clear your Internet browser's cache. In Internet Explorer, click Tools and then Internet Options to open the Internet Options screen. In the General ...

Page 149: ...t the computer IP address is allowed to access Vantage RADIUS. For HTTPS, check the port number has not changed in the REMOTE MANAGEMENT screen. Problems with Telnet. Chart A-4 Troubleshooting Telnet. PROBLEM CORRECTIVE ACTION I cannot access Vantage RADIUS through Telnet: Refer to the Problems with the Ethernet Interface section for instructions on checking your Ethernet connection. Check that telnet is...

Page 150: ...s Step 1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure A-1 Pop-up Blocker. You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. Step 1. In Internet Explorer, select Tools, Internet Options, Privacy. Step 2. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop ...

Page 151: ...to save this setting. Enable pop-up Blockers with Exceptions. Alternatively, if you only want to allow pop-up windows from your device, see the following steps. Step 1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab. Step 2. Select Settings to open the Pop-up Blocker Settings screen. ...

Page 152: ...g Figure A-3 Internet Options Privacy. Step 3. Type the IP address of your device (the web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1. Step 4. Click Add to move the IP address to the list of Allowed sites. ...

Page 153: ...ck Close to return to the Privacy screen. Step 6. Click Apply to save this setting. JavaScripts. Step 1. If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. Step 2. In Internet Explorer, click Tools, Internet Options and then the Security tab. ...

Page 154: ...s Security. Step 3. Click the Custom Level button. Step 4. Scroll down to Scripting. Step 5. Under Active scripting, make sure that Enable is selected (the default). Step 6. Under Scripting of Java applets, make sure that Enable is selected (the default). Step 7. Click OK to close the window. ...

Page 155: ...pting. Java Permissions. Step 1. From Internet Explorer, click Tools, Internet Options and then the Security tab. Step 2. Click the Custom Level button. Step 3. Scroll down to Microsoft VM. Step 4. Under Java permissions, make sure that a safety level is selected. Step 5. Click OK to close the window. ...

Page 156: ...hooting Figure A-7 Security Settings Java. JAVA (Sun). Step 1. From Internet Explorer, click Tools, Internet Options and then the Advanced tab. Step 2. Make sure that Use Java 2 for applet under Java (Sun) is selected. Step 3. Click OK to close the window. ...

Page 157: ...Vantage RADIUS User's Guide Troubleshooting A-11 Figure A-8 Java (Sun) ...

Page 158: ......

Page 159: ...dity 10 to 90 Non-condensing Storage Humidity 5 to 95 Non-condensing Firmware CHART B-2 FIRMWARE SPECIFICATIONS Standards IEEE802.3u 100BASE-TX IEEE 802.3 and 802.3u 10Base-T and 100Base-TX IEEE 802.1x security standard IEEE 802.3af draft Spanning Tree Protocol IEEE 802.1d Security IEEE 802.1x security MD5 and PEAP included WPA support Dynamic WEP key exchange Built-in RADIUS server MD5 security a...

Page 160: ...FLASH memory DRAM Dual Ethernet port Syslog RADIUS log User Trace log Management Embedded Web Configurator management Command line interface Telnet support Password-protected telnet access to internal configuration manager TFTP Web for firmware downloading configuration backup and restoration Telnet remote access support Built-in Diagnostic Tool SNMP Management RADIUS client Secure connections usi...

Page 161: ... The injector must comply with IEEE 802.3af. Chart C-1 Power over Ethernet Injector Specifications: Power Output 15.4 Watts maximum; Power Current 400 mA maximum. Chart C-2 Power over Ethernet Injector RJ-45 Port Pin Assignments (PIN NO: RJ-45 SIGNAL ASSIGNMENT): 1: Output Transmit Data; 2: Output Transmit Data; 3: Receive Data; 4: Power; 5: Power; 6: Receive Data; 7: Power; 8: Power ...

Page 162: ......

Page 163: ...clude the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package. TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems. After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to communicate with your networ...

Page 164: ...If you need TCP/IP: a. In the Network window, click Add. b. Select Protocol and then click Add. c. Select Microsoft from the list of manufacturers. d. Select TCP/IP from the list of network protocols and then click OK. If you need Client for Microsoft Networks: a. Click Add. b. Select Client and then click Add. c. Select Microsoft from the list of manufacturers. d. Select Client for Microsoft Networks from the list...

Page 165: ...tically. If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. 2. Click the DNS Configuration tab. If you do not know your DNS information, select Disable DNS. If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in). ...

Page 166: ...K to save and close the TCP/IP Properties window. 5. Click OK to close the Network window. Insert the Windows CD if prompted. 6. Turn on your Vantage RADIUS and restart your computer when prompted. Verifying Your Computer's IP Address. 1. Click Start and then Run. 2. In the Run window, type winipcfg and then click OK to open the IP Configuration window. 3. Select your network adapter. You should see your comput...

Page 167: ...s D-5 1. For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. 2. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. 3. Right-click Local Area Connection and then click Properties. ...

Page 168: ...n XP and click Properties. 5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). If you have a dynamic IP address, click Obtain an IP address automatically. If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask and Default gateway fields. Click Advanced. ...

Page 169: ...Default gateways. In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. Click Add. Repeat the previous three steps for each default gateway you want to add. Click OK when finished. 7. In the Internet Protocol TCP/IP Properties window (the Gener...

Page 170: ...S and restart your computer if prompted. Verifying Your Computer's IP Address. 1. Click Start, All Programs, Accessories and then Command Prompt. 2. In the Command Prompt window, type ipconfig and then press ENTER. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Macintosh OS 8/9. 1. Click the Apple menu, Control Panel and double-click TCP/IP t...

Page 171: ...e Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your Vantage RADIUS in the Router address box. 5. Close the TCP/IP Control Panel. 6. Click Save if prompted to save changes to your configuration. 7. Turn on your Vantage RADIUS and restart your computer if prompted. Verifying Your Computer's IP Address. Check your...

Page 172: ...mically assigned settings, select Using DHCP from the Configure list. 4. For statically assigned settings, do the following: From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your Vantage RADIUS in the Router address box. 5. Click Apply Now and close the window. 6. Turn on your Vantage RADIUS and restart you...

Page 173: ... to set up easy-to-use wireless networks that cover the entire campus transparently. IEEE 802.11. The 1997 completion of the IEEE 802.11 standard for wireless LANs (WLANs) was a first important step in the evolutionary development of wireless networking technologies. The standard was developed to maximize interoperability between differing brands of wireless LANs as well as to introduce a variety of pe...

Page 174: ...s network traffic in the immediate neighborhood. Multiple access points can provide wireless coverage for an entire building or campus. All communications between stations or between a station and a wired network client go through the access point. The Extended Service Set (ESS) shown in the next figure consists of a series of overlapping BSSs (each containing an Access Point) connected together by means...

Page 175: ...Vantage RADIUS User's Guide, Wireless LAN and IEEE 802.11, E-3. Diagram E-2: ESS Provides Campus-Wide Coverage ...

Page 177: ...done through manual modification of the MAC address table on the access point. Although WEP data encryption offers a form of data security, you have to reset the WEP key on the clients each time you change your WEP key on the access point. IEEE 802.1x: In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additi...

Page 178: ...Vantage RADIUS User's Guide, F-2, Wireless LAN With IEEE 802.1x. Diagram F-1: Sequences for EAP MD5 Challenge Authentication (Client computer access authorized; Client computer access not authorized) ...

Page 179: ...needed by both the server and the wireless stations for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electron...

Page 180: ...ion Protocol is a Cisco implementation of IEEE 802.1x. For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment a simple user name and password pair is more practical. ...

Page 181: ...ss, the first two octets make up the network number and the two remaining octets make up the host ID. Class C addresses begin (starting from the left) with 1 1 0. In a class C address, the first three octets make up the network number and the last octet is the host ID. Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting. There is also a class E address. It is reserved for futur...

Page 182: ...t ID using a logical AND operation. A subnet mask has 32 bits; each bit of the mask corresponds to a bit of the IP address. If a bit in the subnet mask is a 1, then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is 0, then the corresponding bit in the IP address is part of the host ID. Subnet masks are expressed in dotted decimal notation just as IP add...

Page 183: ...1100 0000; 255.255.255.224, 27, 1110 0000; 255.255.255.240, 28, 1111 0000; 255.255.255.248, 29, 1111 1000; 255.255.255.252, 30, 1111 1100. The first mask shown is the class C natural mask. Normally, if no mask is specified, it is understood that the natural mask is being used. Example: Two Subnets. As an example, you have a class C address 192.168.1.0 with subnet mask of 255.255.255.0. NETWORK NUMBER, HOST ID; IP Addres...

Page 184: ...28; IP Address (Binary): 11000000 10101000 00000001 10000000; Subnet Mask: 255.255.255.128; Subnet Mask (Binary): 11111111 11111111 11111111 10000000; Subnet Address: 192.168.1.128; Lowest Host ID: 192.168.1.129; Broadcast Address: 192.168.1.255; Highest Host ID: 192.168.1.254. The remaining 7 bits determine the number of hosts each subnet can have. Host IDs of all zeros represent the subnet itself and host IDs of al...

Page 185: ...inary: 11000000 10101000 00000001 00000000; Subnet Mask (Binary): 11111111 11111111 11111111 11000000; Subnet Address: 192.168.1.0; Lowest Host ID: 192.168.1.1; Broadcast Address: 192.168.1.63; Highest Host ID: 192.168.1.62. Chart H-8 Subnet 2: NETWORK NUMBER, LAST OCTET BIT VALUE; IP Address: 192.168.1.64; IP Address (Binary): 11000000 10101000 00000001 01000000; Subnet Mask (Binary): 11111111 11111111 11111111 11000000; S...

Page 186: ...o create 8 subnets 001, 010, 011, 100, 101, 110. The following table shows class C IP address last octet values for each subnet. Chart H-11 Eight Subnets (SUBNET: SUBNET ADDRESS, FIRST ADDRESS, LAST ADDRESS, BROADCAST ADDRESS): 1: 0, 1, 30, 31; 2: 32, 33, 62, 63; 3: 64, 65, 94, 95; 4: 96, 97, 126, 127; 5: 128, 129, 158, 159; 6: 160, 161, 190, 191; 7: 192, 193, 222, 223; 8: 224, 223, 254, 255. The following table is a summary for class C subnet planni...

Page 187: ...A address has three host ID octets (see Chart J-1) available for subnetting. The following table is a summary for class B subnet planning. Chart H-13 Class B Subnet Planning (NO. BORROWED HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET): 1, 255.255.128.0 17, 2, 32766; 2, 255.255.192.0 18, 4, 16382; 3, 255.255.224.0 19, 8, 8190; 4, 255.255.240.0 20, 16, 4094; 5, 255.255.248.0 21, 32, 2046; 6, 255.255.252.0 22, 64, 1022; 7, 25...

Page 189: ... in a command are enclosed in angle brackets. The optional fields in a command are enclosed in square brackets. The symbol means or. For example, netconf type on off means that you must specify the type of netbios filter and whether to turn it on or off. Command Usage: A list of valid commands can be found by typing help or at the command prompt. Always type the full command. Type exit to close the sessio...

Page 190: ...168.1.3 to 192.168.1.40 because another device has the same IP address, and also the gateway address has changed to 192.168.1.154, type the following: netconf IP 192.168.1.40 gateway 192.168.1.154 IP Address 192.168.1.3 Netmask 255.255.255.0 Gateway 192.168.1.254 Primary DNS 168.95.1.1 Secondary DNS 168.95.192.1 MAC 00 00 84 40 50 05 Vantage help netconf netconf netconf ip IP address netmask netmask ...

Page 191: ...pe http enable to allow remote HTTP access to Vantage RADIUS. Type http disable to have Vantage RADIUS block remote HTTP access. https: Type https to show the current status of your HTTPS settings. Vantage http REMOTE ACCESS HTTP yes Port 80 IP Address 192.168.1.40 Netmask 255.255.255.0 Gateway 192.168.1.154 Primary DNS 168.95.1.1 Secondary DNS 168.95.192.1 MAC 00 00 84 40 50 05 Vantage http REMOTE AC...

Page 192: ...Vantage RADIUS User's Guide, I-4, Command Interpreter. Type https enable to allow remote HTTPS access to Vantage RADIUS. Type https disable to have Vantage RADIUS block remote HTTPS access. ...

Page 193: ...UL C UL EUROPEAN PLUG STANDARDS AC Power Adaptor Model HPW 1005U Input Power AC220V 50HZ Output Power DC 5V Power Consumption 5 8W Safety Standards CB TUV UNITED KINGDOM PLUG STANDARDS AC Power Adaptor Model HPW 1005U Input Power AC240V 50HZ Output Power DC 5V Power Consumption 6 5W Safety Standards CB TUV JAPAN PLUG STANDARDS AC Power Adaptor Model HPW 1005U Input Power AC100V 50HZ Output Power D...

Page 194: ...DIUS User's Guide, J-2, Power Adaptor Specifications. AUSTRALIA AND NEW ZEALAND PLUG STANDARDS AC Power Adaptor Model HPW 1005U Input Power AC240V 50HZ Output Power DC 5V Power Consumption 6 5W Safety Standards DFT ...

Page 195: ...any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgme...

Page 196: ...and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly, Mark Adler (jloup@gzip.org, madler@alumni.caltech.edu). The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952 ...

Page 197: ...ducts derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)". THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ...

Page 198: ... the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes cryptographic software written by ...

Page 199: ...opyright (c) dates as appropriate to package The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary ...

Page 200: ...copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS ...

Page 201: ...e Software to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of t...

Page 202: ... you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, a...

Page 203: ...y part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty, or else saying...

Page 204: ...rogram except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to acce...

Page 205: ...to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this Licens...

Page 206: ...INDICATE YOUR ASSENT TO THEM. IF YOU DO NOT AGREE TO THESE TERMS, THEN ZyXEL, INC. IS UNWILLING TO LICENSE THE SOFTWARE TO YOU, IN WHICH EVENT YOU SHOULD RETURN THE UNINSTALLED SOFTWARE AND PACKAGING TO THE PLACE FROM WHICH IT WAS ACQUIRED, AND YOUR MONEY WILL BE REFUNDED. 1. Grant of License for Personal Use: ZyXEL Communications Corp. ("ZyXEL") grants you a non-exclusive, non-sublicense, non-transferable licens...

Page 207: ...at the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain the confidentiality of the Software using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential information. You agree to reasonably communicate the terms and conditions of this License Agreement to those persons employed by you who come into contact wit...

Page 208: ...O ANY APPLICABLE LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME. YOU SHALL NOT EXPORT THE SOFTWARE, DOCUMENTATION OR INFORMATION ABOUT THE SOFTWARE AND DOCUMENTATION WITHOUT COMPLYING WITH SUCH LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS. YOU AGREE TO INDEMNIFY ZyXEL AGAINST ALL CLAIMS, LOSSES, DAMA...

Page 209: ...of or relating to this License Agreement shall be an appropriate court or Commercial Arbitration Association sitting in ROC, Taiwan. This License Agreement shall constitute the entire Agreement between the parties hereto. This License Agreement, the rights granted hereunder, the Software and Documentation shall not be assigned by you without the prior written consent of ZyXEL. Any waiver or modification...

Page 211: ...Set E 2 BSS See Basic Service Set C CA G 1 Canada iv Caution iv Certificate Authority See CA Certificates 1 5 5 3 Importing 5 43 Certifications iii Classes of IP Addresses H 1 Command Interpreter I 1 exit I 3 h or help I 1 http I 3 https I 3 netconf I 2 Command List I 1 Command Syntax I 1 Command Usage I 1 Computer's IP Address D 1 Configuration 3 2 Copyright ii Customer Support vi CyberTrust 5 3 ...

Page 212: ...EE 802.11 E 1 Deployment Issues F 1 Security Flaws F 1 IEEE 802.1x F 1 Advantages F 1 Independent Basic Service Set E 2 Industry Canada iv Infrastructure Configuration E 2 Internet Security Gateway xvii IP Address 3 1 3 7 IP Addressing H 1 IP Classes H 1 IP Configuration 3 3 3 4 IP Pool Setup 3 3 L Logs 1 6 4 1 RADIUS Events 4 4 RADIUS Log Files 4 11 RADIUS Logs 4 10 Real Time System 4 7 Settings ...

Page 213: ... 5 Server Certificate 5 5 Service v SNMP 7 12 Get 7 13 Manager 7 13 MIBs 7 13 Screens 7 14 Trap 7 13 Traps 7 13 SNMP Simple Network Management Protocol 1 5 SNMP Support 1 5 SSH 1 6 7 3 7 4 Subnet Mask 3 1 Subnet Masks H 2 Subnetting H 2 Support Disk xvii Syntax Conventions xvii Syslog 4 2 System Status 6 1 System Timeout 7 2 T TCP/IP 7 7 Telnet 7 6 Telnet Configuration 7 7 TFTP 4 2 TFTP and FTP Ov...

Page 214: ... Web Configurator 2 3 Summary 2 4 Web Configurator Overview 2 1 Wireless Access Point Example 5 46 Wireless Accounts 1 6 Wireless Authentication Setup Example 5 47 Wireless LAN E 1 Benefits E 1 Wireless LAN and IEEE 802.11 E 1 Wireless Network Authentication 1 6 WLAN See Wireless LAN www.zyxel.com v Z ZyAIR G 3000 RADIUS Setup Example 5 46 ZyXEL Limited Warranty Note v ZyXEL website v ...
