NXC Series User's Guide

Contents

1. [Figure: Captive Portal Login Page screen, with Customized Login Page, Customized Access Page and Customized User Logout Page settings (title, message color, note message, background picture in gif, png or jpg format, maximum size 100K, or background color as a CSS color code)] Chapter 14 Captive Portal. The following table describes the labels in this screen. Table 87 Configuration > Captive Portal > Login Page. Select Type. Use Default Login Page: Select this to use the default login page built into the device. If you later create a custom login page, you can still return to the NXC's default page as it is saved indefinitely. Use Customized Login Page: Sele
4. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. 28.10 FTP: You can upload and download the NXC's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. See Chapter 30 on page 341 for more information about firmware and configuration files. To change your NXC's FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can be used to access the NXC. You can also specify from which IP addresses the access can come. Figure 191 Configuration > System > FTP. The following table describes the labels in this screen. Table 165 Configuration > System > FTP. Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the NXC using this service. TLS required: Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication. This implements TLS as a security mechanism to secure FTP clients and/or servers.
5. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. This field displays the index number. Name: This is the name of the RADIUS server entry. Server Address: This is the address of the AD or LDAP server. Chapter 24 AAA Server, 24.3.1 Add/Edit RADIUS: Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new entry or edit an existing one. Figure 156 Configuration > Object > AAA Server > RADIUS > Add/Edit.
6. customized zip. Background: Set how the window's background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. You can use the following image file formats: GIF, PNG, or JPG. To use a color, select Color and specify the color. Upload File: This section appears when you select Use uploaded file. It allows you to choose and upload a zipped web portal file to the NXC. Download: Click this to download an example web portal file for your reference. File Path / Browse / Upload: Browse for the web portal file or enter the file path in the available input box, then click the Upload button to put it on the NXC. Download: Click Download to download the web portal file from the NXC to your computer. This button is clickable only after you upload a zipped web portal file to the NXC. customization file to default. Preview: Click a button to display the corresponding portal page you uploaded to the NXC. The buttons are clickable only after you upload the corresponding portal pages to the NXC. Restore: Click Restore to set the NXC back to use the default built-in login page. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. Chapter 14 Captive Portal, 14.3.1 Custom Login and Access Pages: The following i
7. Table 35 Monitor > Wireless > AP Information > AP List Icons. [icon] This AP is not on the management list. [icon] This AP is on the management list and online. [icon] This AP is in the process of having its firmware updated. [icon] This AP is on the management list but offline. [icon] This indicates one of the following cases: this AP has a runtime management VLAN ID setting that conflicts with the VLAN ID setting on the Access Controller (the NXC); a setting the NXC assigns to this AP does not match the AP's capability; packets sent out on a LAN port of this AP loop back to the AP. Chapter 5 Monitor, 5.11.1 Station Count of AP: Use this screen to look at configuration information, port status and station statistics for the connected AP. To access this screen, select an entry and click the More Information button in the AP List screen. Figure 34 Monitor > Wireless > AP Information > AP List > AP Information.
8. Appendix A Log Descriptions. Table 210 E-mail Daily Report Logs. "Email Daily Report has been activated": The daily e-mail report function has been turned on. The NXC will e-mail a daily report about the selected items at the scheduled time if the required settings are configured correctly. "Email Daily Report has been deactivated": The daily e-mail report function has been turned off. The NXC will not e-mail daily reports. "Email daily report has been sent successfully": The NXC sent a daily e-mail report mail successfully. "Cannot resolve mail server address SS": The listed SMTP address configured for the daily e-mail report function is incorrect. "Mail server authentication failed": The user name or password configured for authenticating with the e-mail server is incorrect. "Failed to send report Mail From address s1 is inconsistent with SMTP account s2": The user name and password configured for authenticating with the e-mail server are correct, but the listed sender e-mail address does not match the listed SMTP e-mail account. "Failed to connect to mail server %s": The NXC could not connect to the SMTP e-mail server (%s). The address configured for the server may be incorrect or there may be a problem with the NXC's or the server's network connection. Table 211 IP MAC Binding Logs LOG MESSAGE
10. Chapter 28 System, 28.6.6 Domain Zone Forwarder: A domain zone forwarder contains a DNS server's IP address. The NXC can query the DNS server to resolve domain zones for features like the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com is the domain zone for the www.zyxel.com fully qualified domain name. 28.6.7 Add Domain Zone Forwarder: Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 174 Configuration > System > DNS > Add Domain Zone Forwarder. The following table describes the labels in this screen. Table 158 Configuration > System > DNS > Add Domain Zone Forwarder. Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the NXC needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Enter if all domain zones are served by the specified DNS server(s). DNS Server: Select DNS Server(s) from ISP if your ISP dynamically
11. Chapter 4 Dashboard, 4.2.3 Session Usage: Use this screen to look at a chart of the NXC's recent traffic session usage. To access this screen, click Show Active Sessions in the dashboard. Figure 21 Dashboard > Session Usage. The following table describes the labels in this screen. Table 21 Dashboard > Session Usage. Sessions: The y-axis represents the number of sessions. The x-axis shows the time period over which the session usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away. 4.2.4 DHCP Table: Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard. Figure 22 Dashboard > DHCP Table.
12. Chapter 30 File Manager, 30.4 Shell Script: Use shell script files to have the NXC use commands that you specify. Use a text editor to create the shell script files. They must use a .zysh filename extension. Click Maintenance > File Manager > Shell Script to open this screen. Use the Shell Script screen to store, name, download, upload, and run shell script files. You can store multiple shell script files on the NXC at the same time. Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the NXC restarts. You could use multiple write commands in a long script. Figure 211 Maintenance > File Manager > Shell Script. Upload Shell Script: To upload a shell script, browse to the location of the file (.zysh) and then click Upload. Each field is described in the following table. Table 182 Maintenance > File Manager > Shell Script. Rename: Use this button to change the label of a shell script file on the NXC. You cannot rename a shell script to the name of another shell script in the NXC. Click a shell script's row to select it and click Rename to open the Rename File screen.
14. Cancel: Click Cancel to quit and return to the My Certificates screen. Chapter 26 Certificates, 26.3 Trusted Certificates: Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the NXC to accept as trusted. The NXC also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates. Figure 162 Configuration > Object > Certificate > Trusted Certificates. The following table describes the labels in this screen. Table 146 Configuration > Object > Certificate > Trusted Certificates. PKI Storage Space in Use: This bar displays the percentage of the NXC's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. Edit: Double-click an entry or select it and click Edit to open a scre
15. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. Chapter 29 Log and Report. 29.1 Overview: Use the system screens to configure daily reporting and log settings. 29.1.1 What You Can Do In this Chapter: The Email Daily Report screen (Section 29.2 on page 326) configures how and where to send daily reports and what reports to send. The Log Settings screens (Section 29.3 on page 328) specify which logs are e-mailed, where they are e-mailed, and how often they are e-mailed. 29.2 Email Daily Report: Use this screen to start or stop data collection and view various statistics about traffic passing through your NXC. Note: Data collection may decrease the NXC's traffic throughput rate. Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the NXC e-mail you system statistics every day. Figure 199 Configuration > Log & Report > Email Daily Report.
16. The following table describes the labels in this screen. Table 22 Dashboard > DHCP Table. This field is a sequential value and it is not associated with a specific entry. Interface: This field identifies the interface that assigned an IP address to a DHCP client. IP Address: This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address. Click the column's heading cell to sort the table entries by IP address. Click the heading cell again to reverse the sort order. Host Name: This field displays the name used to identify this device on the network (the computer name). The NXC learns these from the DHCP client requests. None shows here for a static DHCP entry. MAC Address: This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved. Click the column's heading cell to sort the table entries by MAC address. Click the heading cell again to reverse the sort order. Description: For a static DHCP entry, the host name or the description you configured shows here. This field is blank for dynamic DHCP entries. Reserve: If this field is selected, this entry is a static DHCP entry. The IP address is reserved for the MAC address. If this field is clear, this entry is a dynamic DHCP entry. The IP address is assigned to a DHCP client. To create a static DHCP entry using an existing dynamic DHCP e
17. Appendix C Importing Certificates. (2) In the Options dialog box, click Advanced > Encryption > View Certificates. (3) In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete. (4) In the Delete Web Site Certificates dialog box, click OK. (5) The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Wireless LANs. Wireless LAN Topologies: This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration: The simplest WLAN configuration is an independent (Ad-hoc) WLAN that c
18. Cancel: Click Cancel to exit this screen without saving. Chapter 16 Firewall, 16.3 Session Control: Click Configuration > Firewall > Session Control to display the Firewall Session Control screen. Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 108 Configuration > Firewall > Session Control. The following table describes the labels in this screen. Table 95 Configuration > Firewall > Session Control. General Settings. UDP Session Time Out: Set how many seconds (from 1 to 300) the NXC will allow a UDP session to remain idle (without UDP traffic) before closing it. Session Limit Settings. Enable Session limit: Select this check box to control the number of concurrent sessions hosts can have. IPv4 Rule Summary: This table lists the rules for limiting the number of concurrent sessions hosts
19. Chapter 7 Wireless. Table 57 Configuration > Wireless > DCS (continued). 2.4 GHz Channel Selection Method: Select auto to have the AP search for available channels automatically in the 2.4 GHz band. The available channels vary depending on what you select in the 2.4 GHz Channel Deployment field. Select manual and specify the channels the AP uses in the 2.4 GHz band. Available channels: This text box lists the channels that are available in the 2.4 GHz band. Select the channels that you want the AP to use and click the right arrow button to add them. Channels selected: This text box lists the channels that you allow the AP to use. Select any channels that you want to prevent the AP from using and click the left arrow button to remove them. 2.4 GHz Channel Deployment: This field is available only when you set 2.4 GHz Channel Selection Method to auto. Select Three-Channel Deployment to limit channel switching to channels 1, 6, and 11, the three channels that are sufficiently attenuated to have almost no impact on one another. In other words, this allows you to minimize channel interference by limiting channel hopping to these three "safe" channels. Select Four-Channel Deployment to limit channel switching to four channels. Depending on the country domain, if the only allowable channels are 1-11 then the NXC uses channels 1, 4, 7, 11 in this configuration; otherwise the NXC uses channels 1, 5
20. Appendix F Customer Support. In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional websites are listed below (see also http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml). Please have the following information ready when you contact an office. Required Information: product model and serial number; warranty information; date that you received your device; brief description of the problem and the steps you took to solve it. Corporate Headquarters (Worldwide). Taiwan: ZyXEL Communications Corporation, http://www.zyxel.com. Asia. China: ZyXEL Communications Shanghai Corp, ZyXEL Communications Beijing Corp, ZyXEL Communications Tianjin Corp, http://www.zyxel.cn. India: ZyXEL Technology India Pvt Ltd, http://www.zyxel.in. Kazakhstan: ZyXEL Kazakhstan, http://www.zyxel.kz. Korea: ZyXEL Korea Corp, http://www.zyxel.kr. Malaysia: ZyXEL Malaysia Sdn Bhd, http://www.zyxel.com.my. Pakistan: ZyXEL Pakistan Pvt Ltd, http://www.zyxel.com.pk. Philippines: ZyXEL Philippines, http://www.zyxel.com.ph. Singapore: ZyXEL Singapore Pte Ltd, http://www.zyxel.com.sg. Taiwan: ZyXEL Communications Corporation, http://www.zyxel.com. Thailand: ZyXEL Tha
21. Expiration Date: This field displays the date your service expires. Count: This field displays how many managed APs the NXC can support with your current license. This field does not apply to the other services. License Activation. License Key: Enter your iCard's PIN number and click Activation to activate or extend a standard service subscription. If a standard service subscription runs out, you need to buy a new iCard (specific to your NXC) and enter the new PIN number to extend the service. Service License Refresh: Click this button to renew service license information (such as the registration status and expiration day). 6.3.2 NXC5500: Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard's PIN number (license key) in this screen. Click Configuration > Licensing > Registration > Service to open the screen as shown next. Figure 46 Configuration > Licensing > Registration > Service. Note: Update device license information from myZyXEL.com server. If you want to activate lic
22. The following table describes the labels in this screen. Table 181 Maintenance > File Manager > Firmware Package. Version. Boot Module: This is the version of the boot module that is currently on the NXC. Current Version: This is the version of the firmware that is currently installed on the NXC. The firmware version consists of the trunk version number, model code, and release number. For example, V4.10(AAOS.1) means V4.10 is the trunk number, AAOS represents NXC5500, and 1 means the first release. Released Date: This is the date that the firmware was created. Upload File. File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload: Click Upload to begin the upload process. This process may take up to two minutes. Upload Firmware Status. Version: This is the version of the firmware that you uploaded. Chapter 30 File Manager. Table 181 Maintenance > File Manager > Firmware Package (continued). Released Date: This is the date that the firmware was created. Firmware Update The NXC can be scheduled to install the firmware you uploaded at the specified date and Schedu
23. Enable IP/MAC Binding: Select this option to have the NXC enforce links between specific IP addresses and specific MAC addresses for this VLAN. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses. Enable Logs for IP/MAC Binding Violation: Select this option to have the NXC generate a log if a device connected to this VLAN attempts to use an IP address that is bound to another device's MAC address. Static DHCP Table: Configure a list of static IP addresses the NXC assigns to computers connected to the interface. Otherwise, the NXC assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size. Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. This field is a sequential value and it is not associated with a specific entry. IP Address: Enter the IP address to assign to a device with this entry's MAC address. MAC Address: Enter the MAC address to which to assign this entry's IP address. Description: Enter a description to help identify this static DHCP entry. You can use alphanumeric and _ characters, and it can be up to 60 characters long. Connectivity Check: The NXC can regularly check the connection to the gateway
24. "Standard service activation has succeeded": Standard service activation has succeeded. "Standard service activation has failed Because of lack must fields": The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. "Service expiration check has failed %s": The service expiration day check failed; this log will append an error message returned by the MyZyXEL.com server. %s: error message returned by myZyXEL.com server. "Service expiration check has succeeded": The service expiration day check was successful. "Service expiration check has failed Because of lack must fields": The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. "Server setting error": The device could not retrieve the myZyXEL.com server's IP address or FQDN from local. "Resolve server IP has failed": The device could not resolve the myZyXEL.com server's FQDN to an IP address through gethostbyname. "Verify server's certificate has failed": The device could not process an HTTPS connection because it could not verify the myZyXEL.com server's certificate. "Connect to MyZyXEL.com server has failed": The device could not connect to the MyZyXEL.com server. "Do account check": The device started to check whether or not the user name in MyZyXEL.com's database. "Do device register": The d
25. Table 3 Default Interfaces Configuration. Columns: PORT; INTERFACE; ZONE; IP ADDRESS AND DHCP SETTINGS; SUGGESTED USE WITH DEFAULT SETTINGS. Row: P1-P6; ge1-ge6 (vlan0); LAN; 192.168.1.1, DHCP server disabled; Dedicated LAN connections. Row: CONSOLE; N/A; None; None; Local management. The LAN zone contains the ge1-ge6 interfaces (physical ports P1-P6). By default, all LAN interfaces are put in vlan0. The console port is not in a zone and can be directly accessed by a computer attached to it using a special console-to-Ethernet adapter. Chapter 1 Introduction, 1.3 Applications: These are some example applications for your NXC. 1.3.1 AP Management: Manage multiple separate Access Points (APs) from a single, persistent location. APs can also be configured to monitor for rogue APs. Figure 2 AP Management Example. Here, the NXC (A) connects to a number of Power over Ethernet (PoE) devices (B). They connect to the managed Access Points (C), such as NWA5123-NI, which in turn provide access to the network for the wireless clients (D) within their broadcast radius. 1.3.2 Wireless Security: Keep the connections between wireless clients and your APs secure with the NXC's comprehensive wireless security tools. APs can be configured to require WEP and WPA encryption from all wireless clients attempting to associate with them. Furthermore, you can protect your network by monitoring for rogue APs. Rogue APs
26. but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names.
Description | Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Member List | The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list.
OK | Click OK to save your changes back to the NXC.
Cancel | Click Cancel to exit this screen without saving your changes.
17.4 Setting
This screen controls default settings, login settings, lockout settings, and other user settings for the NXC. You can also use this screen to specify when users must log in to the NXC before it routes traffic for them. To access this screen, log in to the Web Configurator and click Configuration > Object > User/Group > Setting.
Figure 114 Configuration > Object > User/Group > Setting
27. Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can't possibly know how many connections his AP will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows. This means anyone can connect to his wireless network as long as the AP has the bandwidth to spare. If too many people connect and the AP hits its bandwidth cap, then all new connections must basically wait for their turn or get shunted to the nearest identical AP.
Interfaces
8.1 Interface Overview
Use these screens to configure the NXC's interfaces.
Ports are the physical ports to which you connect cables.
Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the NXC. For example, you connect the LAN network to the interface.
Zones are groups of interfaces used to ease security policy configuration.
8.1.1 What You Can Do in this Chapter
The Ethernet screens (Section 8.2 on page 111) configure the Ethernet interfaces. Ethernet interfaces are the foundation for defining other interfaces and network policies.
The VLAN screens (Section 8.3 on page 122) divide the physical network into multiple logical networks. VLAN interfaces recei
28. Table 194 ZySH Logs (continued)
LOG MESSAGE | DESCRIPTION
can't get reference count %s | 1st: zysh list name
can't print entry name %s | 1st: zysh entry name
Can't append entry %s | 1st: zysh entry name
Can't set entry %s | 1st: zysh entry name
Can't define entry %s | 1st: zysh entry name
%s list is full | 1st: zysh list name
Can't undefine %s | 1st: zysh list name
Can't remove %s | 1st: zysh list name
Table OPS
%s cannot retrieve entries from table | 1st: zysh table name
%s index is out of range | 1st: zysh table name
%s cannot set entry %d | 1st: zysh table name, 2nd: zysh entry num
%s table is full | 1st: zysh table name
%s invalid old/new index | 1st: zysh table name
Unable to move entry %d | 1st: zysh entry num
%s invalid index | 1st: zysh table name
Unable to delete entry %d | 1st: zysh entry num
Unable to change entry %d | 1st: zysh entry num
%s cannot retrieve entries from table | 1st: zysh table name
%s invalid old/new index | 1st: zysh table name
Unable to move entry %d | 1st: zysh entry num
%s apply failed at initial stage | 1st: zysh table name
%s apply failed at main stage | 1st: zysh table name
%s apply failed at closing stage | 1st: zysh table name
29. [Screenshot: certificate details dialog with the Install Certificate button]
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
28.7.6.6 Installing a Personal Certificate
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.
1 Click Next to begin the wizard.
[Screenshot: Certificate Import Wizard welcome screen]
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you w
30. Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Certificate | Select the certificate whose corresponding private key is to be used to identify the NXC for FTP connections. You must have certificates already configured in the My Certificates screen.
Service Control | This specifies from which computers you can access which NXC zones.
Table 165 Configuration > System > FTP (continued)
LABEL | DESCRIPTION
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move | To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
# | This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the NXC's (non-configurable) default policy. The NXC applies this to traff
31. [Screenshot: certificate store list]
9 In the Completing the Certificate Import Wizard screen, click Finish.
[Screenshot: Completing the Certificate Import Wizard screen]
10 If you are presented with another Security Warning, click Yes.
Security Warning dialog text: "You are about to install a certificate from a certification authority (CA) claiming to represent: nsa2401. Windows cannot validate that the certificate is actually from "nsa2401". You should confirm its origin by contacting "nsa2401". The following number will assist you in this process: Thumbprint (sha1): 35D1C9AC DBC0E654 FE327C71 464D1548 242E5893. Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk. Do you want to install this certificate?"
11 Finally, click OK when presented with the successful certificate installation message.
[Screenshot: Certificate Import Wizard confirmation message]
32. he policy route %d uses empty destination address group | Use an empty object group. %d: the policy route rule number
he policy route %d ... group | Use an empty object group. %d: the policy route rule number
Policy route rule %d ... | Rules is inserted into system. %d: the policy route rule number
Policy route rule %d was appended | Rules is appended into system. %d: the policy route rule number
Policy route rule %d ... | Rule is modified. %d: the policy route rule number
Policy route rule %d ... | Rule is moved. 1st %d: the original policy route rule number, 2nd %d: the new policy route rule number
Policy route rule %d was deleted | Rule is deleted. %d: the policy route rule number
Policy route rules were flushed | Policy routing rules are cleared.
BWM has been activated | The global setting for bandwidth management on the NXC has been turned on.
BWM has been deactivated | The global setting for bandwidth management on the NXC has been turned off.
Table 199 Built-in Services Logs
LOG MESSAGE | DESCRIPTION
User on %u.%u.%u.%u has been denied access from %s | HTTP/HTTPS/TELNET/SSH/FTP/SNMP access to the device was denied. %u.%u.%u.%u is IP address. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
HTTPS certificate %s does not exist. HTTPS service will not work | An administrator assigned a nonexistent cert
33. 12.1 Overview
Application Layer Gateway (ALG) allows the following application to operate properly through the NXC's NAT.
FTP: File Transfer Protocol, an Internet file transfer service.
The ALG feature is only needed for traffic that goes through the NXC's NAT.
12.1.1 What You Can Do in this Chapter
The ALG screen (Section 12.2 on page 155) configures the FTP ALG settings.
12.1.2 What You Need to Know
The following terms and concepts may help as you read this chapter.
Application Layer Gateway (ALG) and NAT
The NXC can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications to operate properly through the NXC's NAT. The NXC dynamically creates an implicit NAT session for the application's traffic from the WAN to the LAN. The ALG on the NXC supports all of the NXC's NAT mapping types.
FTP ALG
The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) rules if you want to allow access to the server from the WAN.
12.1.3 Before You Begin
You must also enable NAT in the NXC to allow sessions initiated from the WAN.
12.2 ALG
Click Configuration > Network > ALG to open this screen. Use this screen to turn the ALG off or on and configure the port numbers to which it applies.
Figure 84 Configuration > Network > ALG
34. 18.3.4.1 Add/Edit Layer-2 Isolation Profile
This screen allows you to create a new layer-2 isolation profile or edit an existing one. To access this screen, click the Add button or select a layer-2 isolation profile from the list and click the Edit button.
Note: You need to know the MAC address of each device that you want to allow to be accessed by other devices in the SSID to which the layer-2 isolation profile is applied.
Figure 132 SSID > MAC Filter List > Add/Edit Layer-2 Isolation Profile
The following table describes the labels in this screen.
Table 119 SSID > MAC Filter List > Add/Edit Layer-2 Isolation Profile
LABEL | DESCRIPTION
Profile Name | Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Underscores are allowed.
Add | Click this to add a MAC address to the profile's list.
Edit | Click this to edit the selected MAC address in the profile's list.
Remove | Click this to remove the selected MAC address from the profile's list.
# | This field is a sequential value, and it is not associated with a speci
35. DESCRIPTION
Drop packet %s %u.%u.%u.%u %02X:%02X:%02X:%02X:%02X:%02X | The IP/MAC binding feature dropped an Ethernet packet. The interface the packet came in through and the sender's IP address and MAC address are also shown.
Cannot bind ip mac from dhcpd %s %u.%u.%u.%u %02X:%02X:%02X:%02X:%02X:%02X | The IP/MAC binding feature could not create an IP/MAC binding hash table entry. The interface the packet came in through, the sender's IP address and MAC address are also shown, along with the binding type (s for static or d for dynamic).
Cannot remove ip mac binding from dhcpd %s %u.%u.%u.%u %02X:%02X:%02X:%02X:%02X:%02X | The IP/MAC binding feature could not delete an IP/MAC binding hash table entry. The interface the packet came in through, the sender's IP address and MAC address are also shown, along with the binding type (s for static or d for dynamic).
Table 212 CAPWAP Server Logs
LOG MESSAGE | DESCRIPTION
WLAN Controller Start. Registration Type %s | Start the AP management service. 1st %s: Registration Type (Always Accept/Manual)
WLAN Controller Reset. Registration Type %s | Reset the AP management service. 1st %s: Registration Type (Always Accept/Manual)
WLAN Controller End | Stop/End the AP management service.
AP Connect. MAC %02x:%02x:%02x:%02x:%02x
36. The following table describes the labels in this screen.
Table 117 SSID > MAC Filter List > Add/Edit MAC Filter Profile
LABEL | DESCRIPTION
Profile Name | Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.
Filter Action | Select allow to permit the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID; select deny to block the wireless clients with the specified MAC addresses.
Add | Click this to add a MAC address to the profile's list.
Edit | Click this to edit the selected MAC address in the profile's list.
Remove | Click this to remove the selected MAC address from the profile's list.
# | This field is a sequential value, and it is not associated with a specific profile.
MAC | This field specifies a MAC address associated with this profile.
Description | This field displays a description for the MAC address associated with this profile. You can click the description to make it editable. Enter up to 60 characters, spaces and underscores allowed.
OK | Click OK to save your changes back to the NXC.
Cancel | Click Cancel to exit this screen without saving your changes.
18
37. Device can't parse the HTTP header in a response returned by a server. Maybe some HTTP headers are missing.
Table 197 Sessions Limit Logs
LOG MESSAGE | DESCRIPTION
Maximum sessions per host %d was exceeded | %d is maximum sessions per host.
Table 198 Policy Route Logs
LOG MESSAGE | DESCRIPTION
Can't open bwm_entries | Policy routing can't activate BWM feature.
Can't open link down | Policy routing can't detect link up/down status.
Cannot get handle from UAM, user-aware PR is disabled | User-aware policy routing is disabled due to some reason.
mblock: allocate memory failed | Allocating policy routing rule fails: insufficient memory.
pt: allocate memory failed | Allocating policy routing rule fails: insufficient memory.
To send message to policy route daemon failed | Failed to send control message to policy routing manager.
The policy route %d allocates memory fail | Allocating policy routing rule fails: insufficient memory. %d: the policy route rule number
The policy route %d uses empty user group | Use an empty object group. %d: the policy route rule number
Table 198 Policy Route Logs (continued)
LOG MESSAGE | DESCRIPTION
The policy route %d uses empty source address group | Use an empty object group. %d: the policy route rule number
38. The following table describes the labels in this screen.
Table 139 Configuration > Object > AAA Server > RADIUS > Add/Edit
LABEL | DESCRIPTION
General Settings
Name | Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description | Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Authentication Server Settings
Server Address | Enter the address of the RADIUS authentication server.
Authentication Port | Specify the port number on the RADIUS server to which the NXC sends authentication requests. Enter a number between 1 and 65535.
Backup Server Address | If the RADIUS server has a backup authentication server, enter its address here.
Backup Authentication Port | Specify the port n
39. The following table describes the labels in this screen.
Table 84 Configuration > Captive Portal
LABEL | DESCRIPTION
Enable Captive Portal | Select this to turn on the captive portal feature. Once enabled, all network traffic is blocked until a client authenticates with the NXC through the specifically designated captive portal page.
Internal Web Portal | Select this to use the login page built into the NXC. The login page appears whenever the web portal intercepts network traffic, preventing unauthorized users from gaining access to the network.
External Web Portal | Select this to use a custom login page from an external web portal instead of the one built into the NXC. You can configure the look and feel of the web portal page. Note: It is recommended to have the external web server on the same subnet as the login users.
Login URL | Specify the login page's URL; for example, http://IIS server IP Address/login.asp. You must configure this field if you select External Web Portal. The Internet Information Server (IIS) is the web server on which the web portal f
40. The following table describes the labels in this screen.
Table 43 Monitor > View Log
LABEL | DESCRIPTION
Show Filter / Hide Filter | Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available. If the filter settings are shown, the Display, Priority, Source Address, Destination Address, Source Interface, Destination Interface, Service, Keyword, Protocol and Search fields are available.
Display | Select the category of log message(s) you want to view. You can also view All Logs at one time, or you can view the Debug Log.
Priority | This displays when you show the filter. Select the priority of log messages to display. The log displays the log messages with this priority or higher. Choices are: any, emerg, alert, crit, error, warn, notice, and info, from highest priority to lowest priority. This field is read-only if the category is Debug Log.
Source Address | This displays when you show the filter. Type the source IP address of the incoming packet that generated the log message. Do not include the port in this filter.
Destination Address | This displays when you show the filter. Type the IP address of the destination of the incoming packet when the log message was generated. Do not include the port in this filter.
Source Interface | This displa
41. The following table describes the labels in this screen.
Table 77 Configuration > Network > NAT > Add/Edit
LABEL | DESCRIPTION
Create new Object | Use to configure any new settings objects that you need to use in this screen.
Enable Rule | Use this option to turn the NAT rule on or off.
Rule Name | Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 77 Configuration > Network > NAT > Add/Edit (continued)
LABEL | DESCRIPTION
Classification | Select what kind of NAT this rule is to perform.
Virtual Server: This makes computers on a private network behind the NXC available to a public network outside the NXC (like the Internet).
1:1 NAT: If the private network server will initiate sessions to the outside clients, select this to have the NXC translate the source IP address of the server's outgoing traffic to the same public IP address that the outside clients use to access the server.
Many 1:1 NAT: If you have a range of private network servers that will initiate sessions to the outside clients and a range of public IP addresses, select this to have the NXC translate the source IP address of each server's outgoing traffic to the same one of the public IP addresses tha
42. This field displays the type of algorithm that was used to generate the certificate's key pair (the NXC uses RSA encryption) and the length of the key set in bits (1024 bits, for example).
Subject Alternative Name | This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage | This field displays for what functions the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign certificates and "KeyEncipherment" means that the key can be used to encrypt text.
Basic Constraint | This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path.
MD5 Fingerprint | This is the certificate's message digest that the NXC calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone, for example) that this is actually their certificate.
SHA1 Fingerprint | This is the certificate's message digest that the NXC calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone, for example) that this is actually their certificate.
Certificate in PEM (Base-64) Encoded Format | This read-only text box displays
43. Add | Click this to go to the screen where you can have the NXC generate a certificate or a certification request.
Edit | Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.
Remove | The NXC keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.
Object Reference | You cannot delete certificates that any of the NXC's features are configured to use. Select an entry and click Object Reference to open a screen that shows which settings use the entry.
# | This field displays the certificate index number. The certificates are listed in alphabetical order.
Name | This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type | This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. CERT represents a certificate issued by a certification
44. [Screenshot: Import Trusted Certificates screen listing the accepted formats (Binary X.509, PEM (Base-64) encoded X.509, Binary PKCS#7, PEM (Base-64) encoded PKCS#7) and the File Path field]
The following table describes the labels in this screen.
Table 148 Configuration > Object > Certificate > Trusted Certificates > Import
LABEL | DESCRIPTION
File Path | Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the NXC.
Browse | Click Browse to find the certificate file you want to upload.
OK | Click OK to save the certificate on the NXC.
Cancel | Click Cancel to quit and return to the previous screen.
26.4 Technical Reference
The following section contains additional technical information about the features described in this chapter.
OCSP
OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP, the NXC checks the status of individual certificates instead of downloading a Certificate Revocation List (CRL). OCSP has two main advantages over a CRL. The first is real-time status information. The second is a reduction in network traffic, since the NXC only gets information on the certificates that it needs to verify, not a huge list. When the NXC requests certificate status information, the OCSP server returns an "expired", "current" or "unknown" re
45. Can not initial monitor mode signal handler\n | While an AP is in Monitor mode, the handler functions as a daemon; if it fails to initialize the handler, then this message is returned.
Table 217 DCS Logs
LOG MESSAGE | DESCRIPTION
dcs init failed\n | Indicates that the NXC failed to initialize the dcs daemon.
init zylog fail\n | Indicates that the NXC failed to initialize zylog.
channel changed %s %d > %d\n | DCS has changed the wireless interface %s channel from %d to channel %d. 1st %s: interface name, 1st %d: current channel, 2nd %d: new channel
dcs is terminated | DCS was terminated for an unknown reason.
Table 218 WLAN Station Info
LOG MESSAGE | DESCRIPTION
STA Association. Addr %02x:%02x:%02x:%02x:%02x:%02x AP %s | A wireless client is connected to the AP. 1st %02x to 6th %02x: Managed AP MAC Address, 7th %s: Managed AP's description
STA Disassociation. Addr %02x:%02x:%02x:%02x:%02x:%02x AP %s | A wireless client is disconnected from the AP. 1st %02x to 6th %02x: Managed AP MAC Address, 7th %s: Managed AP's description
STA Roaming. MAC %02x:%02x:%02x:%02x:%02x:%02x From %s To %s | A wireless client roams from one AP to another. 1st %02x to 6th %02x: Station MAC Address, 7th %s: Source WTP's description, 8th
46. DESCRIPTION
IPv4/IPv6 View / IPv4 View / IPv6 View | Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
Show/Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields.
Create New Object | Click this button to create a DHCPv6 request object that you may use for the DHCPv6 settings in this screen.
General Settings
Enable Interface | Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Type | Select to which type of network you will connect this interface. When you select internal or external, the rest of the screen's options automatically adjust to correspond. The NXC automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example, LAN to WAN traffic.
Select internal to connect to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The NXC automatically adds default SNAT settings for traffic flowing from this interface to an external interface.
Select external to connect to an external network (like the Internet).
If you select general, the rest of the screen's options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface.
Interface Name | Specify a name for the interface. It can use al
47. The following table describes the labels in this screen.
Table 177 Configuration > Log & Report > Log Settings > Edit (Remote Server)
LABEL | DESCRIPTION
Log Settings for Remote Server
Active | Select this check box to send log information according to the information in this section. You specify what kinds of messages are included in log information in the Active Log section.
Log Format | This field displays the format of the log information. It is read-only. VRPT/Syslog: ZyXEL's Vantage Report, syslog-compatible format. CEF/Syslog: Common Event Format, syslog-compatible format.
Server Address | Type the server name or the IP address of the syslog server to which to send log information.
Log Facility | Select a log facility. The log facility allows you to log the messages to different files in the syslog server. Please see the documentation for your syslog program for more information.
Active Log
Selection | Use the Selection drop-down list to change the log settings for all of the log categori
48. The Address screen provides a summary of all addresses in the NXC. To access this screen, click Configuration > Object > Address > Address. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 138 Configuration > Object > Address > Address Summary
The following table describes the labels in this screen.
Table 124 Configuration > Object > Address > Address Summary
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
Object Reference | Select an entry and click Object Reference to open a screen that shows which settings use the entry.
# | This field is a sequential value, and it is not associated with a specific address.
Name | This field displays the configured name of each address object.
Type | This field displays the type of each address object. "INTERFACE" means the object uses the settings of one of the NXC's interfaces.
IPv4 Address | This field displays the IP add
49. The Schedule screen (Section 23.2 on page 247) displays a list of all schedules in the NXC.
The One-Time Schedule Add/Edit screen (Section 23.2.1 on page 248) creates or edits a one-time schedule.
The Recurring Schedule Add/Edit screen (Section 23.2.2 on page 249) creates or edits a recurring schedule.
23.1.2 What You Need to Know
The following terms and concepts may help as you read this chapter.
One-time Schedules
One-time schedules begin on a specific start date and time and end on a specific stop date and time. One-time schedules are useful for long holidays and vacation periods.
Recurring Schedules
Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours.
23.2 Schedule Summary
The Schedule summary screen provides a summary of all schedules in the NXC. To access this screen, click Configuration > Object > Schedule.
Figure 146 Configuration > Object > Schedule
The following table describes t
50. The actions that can be taken include:
    Routing the packet to a different gateway or outgoing interface.
    Limiting the amount of bandwidth available and setting a priority for traffic.
    IPPR follows the existing packet filtering facility of RAS in style and in implementation.
    Figure 72 Configuration > Network > Routing > Policy Route [screenshot: empty policy route table]
    The following table describes the labels in this screen.
    Table 68 Configuration > Network > Routing > Policy Route
    LABEL: DESCRIPTION
    Show/Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
    Use Policy Route to Override Direct Route: Select this to have the NXC forward packets that match a policy route according to the policy route instead of sending the packets directly to a connected network.
    Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
    Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
    Remo
51. This field is a sequential value, and it is not associated with a specific object.
    Name: This field displays the name of each request object.
    Type: This field displays the request type of each request object.
    Interface: This field displays the interface used for each request object.
    Value: This field displays the value for each request object.
    27.2.1 Add/Edit DHCPv6 Request Object
    The Request Add/Edit screen allows you to create a new request object or edit an existing one. To access this screen, go to the Request screen and click either the Add icon or an Edit icon.
    Figure 166 Configuration > Object > DHCPv6 > Request > Add [screenshot: Add Request Object dialog with Name, Request Type and Interface fields]
    The following table describes the labels in this screen.
    Table 150 Configuration > Object > DHCPv6 > Request > Add/Edit
    LABEL: DESCRIPTION
    Name: Type the name for this request object. You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.
    Request Type: Select the request type for this request object. You can choose from DNS Server or NTP Server.
    Interface: Select the interface for this request object.
    OK: Click OK to save your changes back to the NXC.
    Cancel: Click Cancel to exit this screen without saving your changes.
52. Address: This is the object name of the IP address(es) with which the computer is allowed or denied access.
    Action: This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny).
    Apply: Click Apply to save your changes back to the NXC.
    Reset: Click Reset to return the screen to its last saved settings.
    28.8.5 Examples of Secure Telnet Using SSH
    This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the NXC. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user's guide.
    28.8.5.1 Example 1: Microsoft Windows
    This section describes how to access the NXC using the Secure Shell Client program.
    1. Launch the SSH client and specify the connection information (IP address, port number) for the NXC.
    2. Configure the SSH client to accept connections using SSH version 1.
    3. A window displays prompting you to store the host key in your computer. Click Yes to continue.
    Figure 187 SSH Example 1: Store Host Key
    [Dialog text] Host Identification. The host has provided you its identification, a host public key. The fingerprint of the host public key is: gevac bycor kubyz dipah ravut fyduz kazuk goler cavom hifot sexox. You can save the host key to the local database by clicking Yes
53. Figure 141 Configuration > Object > Address > Address Group > Add/Edit [screenshot: Add Address Group Rule dialog with Name, Description and Member List fields]
    The following table describes the labels in this screen.
    Table 127 Configuration > Object > Address > Address Group > Add/Edit
    LABEL: DESCRIPTION
    Name: Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.
    Description: This field displays the description of each address group, if any. You can use up to 60 characters, punctuation marks, and spaces.
    Member List: The Member list displays the names of the address and address group objects that have been added to the address group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the Shift or Ctrl key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Avail
54. HTTP | TCP | 80 | Hyper Text Transfer Protocol, a client/server protocol for the world wide web.
    Table 219 Commonly Used Services (continued)
    NAME | PROTOCOL | PORT(S) | DESCRIPTION
    HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce.
    ICMP | User Defined | 1 | Internet Control Message Protocol is often used for diagnostic or routing purposes.
    ICQ | UDP | 4000 | This is a popular Internet chat program.
    IGMP (MULTICAST) | User Defined | 2 | Internet Group Management Protocol is used when sending packets to a specific group of hosts.
    IKE | UDP | 500 | The Internet Key Exchange algorithm is used for key distribution and management.
    IRC | TCP/UDP | 6667 | This is another popular Internet chat program.
    MSN Messenger | TCP | 1863 | Microsoft Networks' messenger service uses this protocol.
    NEW ICQ | TCP | 5190 | An Internet chat program.
    NEWS | TCP | 144 | A protocol for news groups.
    NFS | UDP | 2049 | Network File System (NFS) is a client/server distributed file service that provides transparent file sharing for network environments.
    NNTP | TCP | 119 | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
    PING | User Defined | 1 | Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
    POP3 | TCP | 110 | Post Office Pro
55. [Screenshot residue: Add/Edit Security Profile screen with Idle timeout, Group Key Update Timer and Pre-Authentication fields]
    The following table describes the labels in this screen.
    Table 115 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile
    LABEL: DESCRIPTION
    Profile Name: Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.
    Security Mode: Select a security mode from the list: wep, wpa, wpa2, or wpa2-mix.
    Radius Server Type: Select Internal to use the NXC's internal authentication database, or External to use an external RADIUS server for authentication.
    Primary / Secondary Radius Server Activate: Select this to have the NXC use the specified RADIUS server.
    Radius Server IP Address: Enter the IP address of the RADIUS server to be used for authentication.
    Radius Server Port: Enter the port number of the RADIUS server to be used for authentication.
    Radius Server Secret: Enter the shared secret password of the RADIUS server to be used for authentication.
    MAC Authentication: Select this to use an e
56. Note that subsequent entries move up by one when you take this action.
    This is the index number of the MX record.
    Domain Name: This is the domain name where the mail is destined for.
    IP/FQDN: This is the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.
    Table 156 Configuration > System > DNS (continued)
    LABEL: DESCRIPTION
    Service Control: This specifies from which computers and zones you can send DNS queries to the NXC.
    Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
    Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings.
    Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
    Move: To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed.
    This is the index number of the service control rule. The ordering of your rules is important as rules are applied in sequence. The entry with a hyphen instead of a number is the NXC's non-configurable defaul
57. You can continue without saving the host key by clicking No. You can also cancel the connection by clicking Cancel. Do you want to save the new host key to the local database?
    Enter the password to log in to the NXC. The CLI screen displays next.
    28.8.5.2 Example 2: Linux
    This section describes how to access the NXC using the OpenSSH client program that comes with most Linux distributions.
    1. Test whether the SSH service is available on the NXC. Enter telnet 192.168.1.1 22 at a terminal prompt and press ENTER. The computer attempts to connect to port 22 on the NXC (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the NXC.
    Figure 188 SSH Example 2: Test
        telnet 192.168.1.1 22
        Trying 192.168.1.1...
        Connected to 192.168.1.1.
        Escape character is '^]'.
        SSH-1.5-1.0.0
    2. Enter ssh -1 192.168.1.1. This command forces your computer to connect to the NXC using SSH version 1. If this is the first time you are connecting to the NXC using SSH, a message displays prompting you to save the host information of the NXC. Type yes and press ENTER. Then enter the password to log in to the NXC.
    Figure 189 SSH Example 2: Log in
        ssh -1 192.168.1.1
        The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
        RSA1 key fingerprint is 21 6 07 25 7e f 4 75 80 ec af bd d4 3d 80 53 dl
        Are you sure you want to continue connecting
58. > AP Profile > SSID > MAC Filter List [screenshot: MAC Filter List Summary with one profile, example, filter action deny]
    The following table describes the labels in this screen.
    Table 116 Configuration > Object > AP Profile > SSID > MAC Filter List
    LABEL: DESCRIPTION
    Add: Click this to add a new MAC filtering profile.
    Edit: Click this to edit the selected MAC filtering profile.
    Remove: Click this to remove the selected MAC filtering profile.
    Object Reference: Click this to view which other objects are linked to the selected MAC filtering profile (for example, SSID profile).
    This field is a sequential value, and it is not associated with a specific profile.
    Profile Name: This field indicates the name assigned to the MAC filtering profile.
    Filter Action: This field indicates this profile's filter action (if any).
    18.3.3.1 Add/Edit MAC Filter Profile
    This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filtering profile from the list and click the Edit button.
    Figure 130 SSID > MAC Filter List > Add/Edit MAC Filter Profile [screenshot: Add MAC Filter Profile dialog with Profile Name and Filter Action fields]
59. server 2
    This field is a sequential value, and it is not associated with a specific address.
    Log Category: This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.
    System log: Select which events you want to log by Log Category. There are three choices:
        disable all logs (red X): do not log any information from this category.
        enable normal logs (green check mark): create log messages and alerts from this category.
        enable normal logs and debug logs (yellow check mark): create log messages, alerts, and debugging information from this category; the NXC does not e-mail debugging information, however, even if this setting is selected.
    E-mail Server 1: Select whether each category of events should be included in the log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 1. The NXC does not e-mail debugging information, even if it is recorded in the System log.
    E-mail Server 2: Select whether each category of events should be included in log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The NXC does not e-mail debugging information, even if it is recorded in the System log.
    Lo
60. statistics daily e mail report 327 traffic 62 status 47 status bar 40 warning message popup 40 stopping the device 21 subscription services status 90 91 upgrading 90 supported browsers 28 syslog 329 337 syslog servers see also logs system log 359 downloading files 359 system log see logs system name 48 286 system reports see reports system uptime 48 system default conf 346 T target market 16 TCP 241 connections 241 port numbers 241 Telnet 314 and address groups 314 and address objects 314 and zones 314 with SSH 312 Temporal Key Integrity Protocol TKIP 432 time 287 time servers default 290 trademarks 451 traffic statistics 62 Transmission Control Protocol see TCP Transport Layer Security TLS 315 NXC Series User s Guide Index triangle routes 182 allowing through the firewall 184 troubleshooting 352 357 372 Trusted Certificates see also certificates 277 U UDP 241 messages 241 port numbers 241 upgrading firmware 347 uploading configuration files 347 firmware 347 shell scripts 350 usage CPU 49 51 flash 50 memory 50 52 onboard flash 50 sessions 50 53 user authentication 190 external 191 local user database 252 user awareness 192 User Datagram Protocol see UDP user group objects 190 user groups 190 192 and firewall 186 189 and policy routes 138 139 user name rules 194 user objects 190 user sessions see sessions users 190 access see also access
61. such as the system name. The interface ID option provides slot number, port information and the VLAN ID to the DHCPv6 server. The remote ID option (if any) is stripped from the Relay Reply messages before the relay agent sends the packets to the clients. The DHCP server copies the interface ID option from the Relay Forward message into the Relay Reply message and sends it to the relay agent. The interface ID should not change even after the relay agent restarts.
    Prefix Delegation
    Prefix delegation enables an IPv6 router to use the IPv6 prefix (network address) received from the ISP (or a connected uplink router) for its LAN. The NXC uses the received IPv6 prefix (for example, 2001:db2::/48) to generate its LAN IP address. Through sending Router Advertisements (RAs) regularly by multicast, the NXC passes the IPv6 prefix information to its LAN hosts. The hosts then can use the prefix to generate their IPv6 addresses.
    ICMPv6
    Internet Control Message Protocol for IPv6 (ICMPv6 or ICMP for IPv6) is defined in RFC 4443. ICMPv6 has a preceding Next Header value of 58, which is different from the value used to identify ICMP for IPv4. ICMPv6 is an integral part of IPv6. IPv6 nodes use ICMPv6 to report errors encountered in packet processing and perform other diagnostic functions, such as "ping".
    Neighbor Discovery Protocol (NDP)
    The Neighbor Discovery Protocol (NDP) is a protocol used to discover other IPv6 devices and track neighbor's reachability in a
62. [Chart residue: CPU usage percentage over time, with a Refresh Now button]
    The following table describes the labels in this screen.
    Table 19 Dashboard > CPU Usage
    LABEL: DESCRIPTION
    The y-axis represents the percentage of CPU usage.
    The x-axis shows the time period over which the CPU usage occurred.
    Refresh Interval: Enter how often you want this window to be automatically updated.
    Refresh Now: Click this to update the information in the window right away.
    4.2.2 Memory Usage
    Use this screen to look at a chart of the NXC's recent memory (RAM) usage. To access this screen, click Show Memory Usage in the dashboard.
    Figure 20 Dashboard Memory Usage [chart: memory usage percentage over time, with a Refresh Interval setting]
    The following table describes the labels in this screen.
    Table 20 Dashboard > Memory Usage
    LABEL: DESCRIPTION
    The y-axis represents the percentage of RAM usage.
    The x-axis shows the time period over which the RAM usage occurred.
    Refresh Interval: Enter how often you want this window to be automatically updated.
    Refresh Now: Click this to update the information in the window right away.
63. [Screenshot residue: VLAN interface list showing vlan0 with a static IPv4 address, a link-local IPv6 address and member ports ge1 to ge6]
    Each field is explained in the following table.
    Table 64 Configuration > Network > Interface > VLAN
    LABEL: DESCRIPTION
    Configuration / IPv6 Configuration: Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your NXC to an IPv6 network. Both sections have similar fields as described below.
    Add: Click this to create a new VLAN.
    Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
    Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
    Activate: To turn on an entry, select it and click Activate.
    Inactivate: To turn off an entry, select it and click Inactivate.
    Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry.
    This field is a sequential value, and it is not associated with any interface.
    Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
    Name: This field displays the name of the interface
64. [Screenshot residue: Add/Edit Radio Profile screen with Beacon Interval, DTIM, Output Power, Signal Threshold, Rate Configuration, Multicast Settings and MBSSID Settings fields]
    The following table describes the labels in this screen.
    Table 111 Configuration > Object > AP Profile > Add/Edit Radio Profile
    LABEL: DESCRIPTION
    Hide / Show Advanced Settings: Click this to hide or show the Advanced Settings in this window.
    Create New Object: Select an item from this menu to create a new object of that type. Any objects created in this way are automatically linked to this radio profile.
    General Settings
    Activate: Select this option to make this profile a
65. Table 144 Configuration > Object > Certificate > My Certificates > Edit
    LABEL: DESCRIPTION
    MD5 Fingerprint: This is the certificate's message digest that the NXC calculated using the MD5 algorithm.
    SHA1 Fingerprint: This is the certificate's message digest that the NXC calculated using the SHA1 algorithm.
    Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification authority, or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues, or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk, for example).
    Export: This button displays for a certification request. Use this button to save a copy of the request without its private key. Click this button and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save.
    Export Certificate: Use this button to save a copy of the certific
66. 4 0x20 VI 5 0x28 VO 6 0x30 Highest VO 7 0x38
    The WMM ACs, as implemented on the NXC, have the following functions:
    VOICE: All wireless traffic to the SSID is tagged as voice data. This is recommended if an SSID is used for activities like placing and receiving VoIP phone calls.
    VIDEO: All wireless traffic to the SSID is tagged as video data. This is recommended for activities like video conferencing.
    BEST EFFORT: All wireless traffic to the SSID is tagged as "best effort", meaning the data travels the best route it can without displacing higher priority traffic. This is good for activities that do not require the best bandwidth throughput, such as surfing the Internet.
    BACKGROUND: All wireless traffic to the SSID is tagged as low priority or "background traffic", meaning all other access categories take precedence over this one. If traffic from an SSID does not have strict throughput requirements, then this access category is recommended. For example, an SSID that only has network printers connected to it.
    Zones
    10.1 Overview
    Set up zones to configure network security and network policies in the NXC. A zone is a group of interfaces. The NXC uses zones instead of interfaces in many security and policy settings, such as firewall rules. Zones cannot overlap. Each interface can be assigned to just one zone.
    10.1.1 What You Can Do in this Chapter
    The Zone screens (see Section 10.2
67. 58 09 58 Q Note The diagram is updated in 5 10 minutes periodically it may not up to date NXC Series User s Guide 73 Chapter 5 Monitor 74 The following table describes the labels in this screen Table 36 Monitor gt Wireless gt AP Information gt AP List gt AP Information LABEL DESCRIPTION Configuration Status This displays whether or not any of the AP s configuration is in conflict with the NXC s settings for the AP Non Support If any of the AP s configuration conflicts with the NXC s settings for the AP this field displays which configuration conflicts It displays n a if none of the AP s configuration conflicts with the NXC s settings for the AP Port Status Configuration Port This shows the name of the physical Ethernet port on the NXC Status This field displays the current status of each physical port on the AP Down The port is not connected Speed Duplex The port is connected This field displays the port speed and duplex setting Full or Half PVID This shows the port s PVID A PVID Port VLAN ID is a tag that adds to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines Up Time This field displays how long the physical port has been connected VLAN Name This shows the name of the VLAN Status This displays whether or not the VLAN is activated VID This shows the
68. Address 7th s Managed AP Model Name NXC Series User s Guide 403 Appendix A Log Descriptions Table 212 CAPWAP Server Logs LOG MESSAGE DESCRIPTION AP Reboot MAC 02x 02x 02x 02x 02x S02x Name s Model s Reboot the specified AP in the managed list 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Description 8th s Managed AP Model Name Upgrade AP Firmware MAC 02x 02x 02x 02x 02x 02x Name s Model s Update AP Firmware in the managed list 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Description 8th s Managed AP Model Name Start Send Configuration to AP MAC 02x 02x 02x 02x 02x S02x Name s Model s Start Send Configuration to an AP in the Managed List 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Description 8th s Managed AP Model Name Sucess Send Configuration to AP MAC 02x 02x 02x 02x 02x 02x Name s Model s Receiving Send Configuration Respons from an AP in the Managed List 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Description 8th s Managed AP Model Name Start Send Updating Configuration to AP MAC 02x 02x 02x 02x 02x 02x Name s Model s Start Send Updating Configuration to an AP in the Managed List 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Description 8th s Managed AP Model Name Sucess Send Updating Configur
69. [Screenshot residue: MAC Address list with columns MAC Address/OUI, MAC Type, MAC Role and Description; entry 1 is 00 A0 C5 B1 23 45, int mac address, role mac users, description test; entry 2 is 00 A0 D4, ext oui, role MACexample, description Oultest]
    The following table describes the labels in this screen.
    Table 108 Configuration > Object > User Group > MAC Address
    LABEL: DESCRIPTION
    Add: Click this to create a new entry.
    Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
    Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
    This field is a sequential value, and it is not associated with a specific entry.
    MAC Address/OUI: The wireless client MAC address or OUI (Organizationally Unique Identifier). The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.
    MAC Type: This displays whether the entry is for a MAC address or an OUI.
        ext mac address is a MAC address authenticated by an external server.
        int mac address is a MAC address authenticated by the NXC's local user database.
        ext oui is an OUI authenticated by an external server.
        int oui is an OUI authenticated by the N
70. [Screenshot residue: certificate details showing SHA1 and MD5 thumbprints]
    6. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
    Firefox
    The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.
    1. If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
    2. Select Accept this certificate permanently and click OK.
    [Dialog text] Website Certified by an Unknown Authority. Unable to verify the identity of 172.20.37.202 as a trusted site. Possible reasons for this error:
        Your browser does not recognize the Certificate Authority that issued the site's certificate.
        The site's certificate is incomplete due to a server misconfiguration.
        You are connected to a site pretending to be 172.20.37.202, possibly to obtain your confidential information.
    Please notify the site's webmaster about this problem. Before accepting this certificate, you should examine this site's certificate carefully. Are you willing to to accept this certificate for the purpose of identifying the Web site 172.20.37.202? Options: Examine Certificate; Accept this certificate permanently
71. [Screenshot residue: Maintenance > Diagnostics > Wireless Frame Capture > Capture screen with MON Mode APs lists and Misc Setting fields File Size and File Prefix]
    The following table describes the labels in this screen.
    Table 190 Maintenance > Diagnostics > Wireless Frame Capture > Capture
    LABEL: DESCRIPTION
    MON Mode APs
    Configure AP to MON Mode: Click this to go to the Configuration > Wireless > AP Management screen, where you can set one or more APs to monitor mode.
    Available MON Mode APs: This column displays which APs on your wireless network are currently configured for monitor mode. Use the arrow buttons to move APs off this list and onto the Captured MON Mode APs list.
    Capture MON Mode APs: This column displays the monitor-mode configured APs selected for wireless frame capture.
    Misc Setting
    File Size: Specify a maximum size limit in kilobytes for the total combined size of all the capture files on the NXC, including any existing capture files and any new capture files you generate.
    Note: If you have existing capture files, you may need to set this size larger or delete existing capture files.
    The valid range
72. Configuration > Object > AP Profile > SSID > Security List > Add/Edit Security Profile and configure an SSID security profile's MAC authentication settings to have the AP use the external server to authenticate wireless clients by MAC address (see Section 18.3.2.1 on page 220).
    Click Configuration > Object > User/Group > User > Add and create a MAC address user account (see Section 17.2.1 on page 194).
    Click Configuration > Object > User/Group > MAC Address > Add and map the notebook's MAC address to the MAC address user account (also called a MAC role). See Section 17.5 on page 206.
    User Groups
    User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.
    Note: You cannot put access users and admin users in the same user group.
    Note: You cannot put the default admin account into any user group.
    User Awareness
    By default, users do not have to log into the NXC to use the network services it provides. The NXC automatically routes packets for everyone. If you want to restrict network services that certain users can use via the NXC, you can require them to log in to the NXC first. The NXC is then 'aware' of the user who is logged in, and you can create 'user-aware policies' that define what services they can use.
    User Role Priority
    The NXC checks the foll
73. EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
    RADIUS
    RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
        Authentication: Determines the identity of the users.
        Authorization: Determines the network services available to authenticated users once they are connected to the network.
        Accounting: Keeps track of the client's network activity.
    RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
    Types of RADIUS Messages
    The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:
        Access-Request: Sent by an access point requesting authentication.
        Access-Reject: Sent by a RADIUS server rejecting access.
        Access-Accept: Sent by a RADIUS server allowing access.
        Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
    The following types of RADIUS messages are exchanged between the access point and the RADIU
74. You must remove any spaces in the certificate's filename before you can import it. Figure 161 Configuration > Object > Certificate > My Certificates > Import. Import Certificates: Please specify the location of the certificate file to be imported. The certificate file must be in one of the following formats:
    Binary X.509
    PEM (Base-64) encoded X.509
    Binary PKCS#7
    PEM (Base-64) encoded PKCS#7
    Binary PKCS#12
    For my certificate importation to be successful, a certification request corresponding to the imported certificate must already exist on ZyWALL. After the importation, the certification request will automatically be deleted. The following table describes the labels in this screen. Table 145 Configuration > Object > Certificate > My Certificates > Import (LABEL: DESCRIPTION)
    File Path: Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the NXC.
    Browse: Click Browse to find the certificate file you want to upload.
    Password: This field only applies when you import a binary PKCS#12 format file. Type the file's password that was created when the PKCS#12 file was exported.
    OK: Click OK to save the certificate on the NXC
75. H.323 ALG signal port %d failed: H323 ALG apply signal port failed. %d: Port number.
    Table 202 NAT Logs, continued (LOG MESSAGE: DESCRIPTION)
    Register FTP ALG extra port %d failed: FTP ALG apply additional signal port failed. %d: Port number.
    Register FTP ALG signal port %d failed: FTP ALG apply signal port failed. %d: Port number.
    Table 203 Certificate Path Verification Failure Reason Codes (CODE: DESCRIPTION)
    1: Algorithm mismatch between the certificate and the search constraints.
    2: Key usage mismatch between the certificate and the search constraints.
    3: Certificate was not valid in the time interval.
    4: (Not used)
    5: Certificate is not valid.
    6: Certificate signature was not verified correctly.
    7: Certificate was revoked by a CRL.
    8: Certificate was not added to the cache.
    9: Certificate decoding failed.
    10: Certificate was not found (anywhere).
    11: Certificate chain looped (did not find trusted root).
    12: Certificate contains critical extension that was not handled.
    13: Certificate issuer was not valid (CA specific information missing).
    14: (Not used)
    15: CRL is too old.
    16: CRL is not valid.
    17: CRL signature was not verified correctly.
    18: CRL was not found (anywhere).
    19: CRL was not added to the cache.
    20: CRL decoding failed.
    21: CR
76. IP address settings change For example if you change an Ethernet interface s IP address the NXC automatically updates the rules or settings that use the interface based LAN subnet address object You can use the Configuration gt Object screens to create objects before you configure features that use them If you are in a screen that uses objects you can also usually select Create new Object to be able to configure a new object Use the Object Reference screen to see what objects are configured and which configuration settings reference specific objects NXC Series User s Guide Chapter 1 Introduction 1 6 Starting and Stopping the NXC Here are some of the ways to start and stop the NXC Always use Maintenance Shutdown or the shutdown command before you turn off the NXC or remove the power Not doing so can cause the firmware to become corrupt Table 5 Starting and Stopping the NXC METHOD DESCRIPTION Turning on the power A cold start occurs when you turn on the power to the NXC The NXC powers up checks the hardware and starts the system processes Rebooting the NXC A warm start without powering down and powering up again occurs when you use the Reboot button in the Reboot screen or when you use the reboot command The NXC writes all cached data to the local storage stops the system processes and then does a warm start Using the RESET button If you press the RESET button the NXC set
77. IP Assignment This field displays how the interface gets its IP address Static This interface has a static IP address DHCP Client This interface gets its IP address from a DHCP server Action Use this field to get or to update the IP address for the interface Click Renew to send a new DHCP request to a DHCP server The Latest Alert Logs This section of the screen displays recent logs generated by the NXC This is the entry s rank in the list of alert logs Time This field displays the date and time the log was created Priority This field displays the severity of the log Category This field displays the type of log generated Message This field displays the actual log message Source This field displays the source address if any in the packet that generated the log Destination This field displays the destination address if any in the packet that generated the log AP Information This shows a summary of connected wireless Access Points APs All AP This section displays a summary for all connected wireless APs Click the link to go to the AP information gt AP List screen Management AP Online This displays the number of currently connected management APs Management AP Offline This displays the number of currently offline managed APs NXC Series User s Guide Chapter 4 Dashboard Table 18 Dashboard continued LABEL DESCRIPTI
78. If you fill in both fields the Ending Port service uses the range of ports ICMP Type This field appears if the IP Protocol is ICMP Type Select the ICMP message used by this service This field displays the message text not the message number IP Protocol This field appears if the IP Protocol is User Defined Bod Enter the number of the next level protocol IP protocol Allowed values are 0 255 OK Click OK to save your changes back to the NXC Cancel Click Cancel to exit this screen without saving your changes NXC Series User s Guide 243 Chapter 22 Services 22 3 Service Group Summary The Service Group summary screen provides a summary of all service groups In addition this screen allows you to add edit and remove service groups To access this screen log in to the Web Configurator and click Configuration gt Object gt Service gt Service Group Figure 144 Configuration gt Object gt Service gt Service Group Configuration QAdd Family Name Description Allow_DMZ_To_EnterpriseWL System Default Allow From DMZ To Enterprise WLAN Allow_WAN_To_EnterpriseWL System Default Allow From WAN To EnterpriseWLAN Allow WLAN To EnterpriseW System Default Allow From WLAN To EnterpriseWLAN CU SEEME DNS IRC NetBIOS ROADRUNNER RTSP SNMP SNMP TRAPS SSH e e 9 e e 9 e 9 Y 9 9 9 Show 50 v items Displaying 1 12 of 12 The following table describes the labe
79. Monday of January Hours The following table describes the labels in this screen Table 153 Configuration gt System gt Date Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your NXC Current Date This field displays the present date of your NXC Time and Date yyyy mm dd Setup Manual Select this radio button to enter the time and date manually If you configure a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the NXC uses the new setting once you click Apply New Time This field displays the last updated time from the time server or the last time configured hh mm ss manually When you set Time and Date Setup to Manual enter the new time in this field and then click Apply New Date This field displays the last updated date from the time server or the last date configured manually When you set Time and Date Setup to Manual enter the new date in this field and then click Apply 288 NXC Series User s Guide Chapter 28 System Table 153 Configuration gt System gt Date Time continued LABEL DESCRIPTION Get from Time Server Select this radio button to have the NXC get the time and date from the time server you specify below The NXC requests t
80. My Certificates Certificate screen Authentication Method Select an authentication method if you have created any in the Configuration gt Object gt Auth Method screen Service Control This specifies from which computers you can access which NXC zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The NXC confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This is the index number of the entry Status This icon is lit when the entry is active and dimmed when the entry is inactive Profile Name This field indicates the name assigned to the profile IP Address This is the IP address of the RADIUS client that is allowed to exchange messages with the NXC Mask This is the subnet mask of the RADIUS client Description This is the description of the RADIUS client Apply Click Apply to save your changes back to the NXC Reset Click Reset to return the screen to its last saved settings NXC Series User s Guide Chapter 28 System 28 12 1 Add Edit
81. NXC Series User s Guide Chapter 8 Interfaces Table 64 Configuration gt Network gt Interface gt VLAN continued LABEL DESCRIPTION IP Address This field displays the current IP address of the interface If the IP address is 0 0 0 0 in the IPv4 network or in the IPv6 network the interface does not have an IP address yet In the IPv4 network this screen also shows whether the IP address is a static IP address STATI C or dynamically assigned DHCP In the IPv6 network this screen also shows whether the IP address is a static IP address STATIC link local IP address LINK LOCAL dynamically assigned DHCP or an IPv6 StateLess Address AutoConfiguration IP address SLAAC See Appendix E on page 436 for more information about IPv6 VID This field displays the VLAN ID number Member This field displays the Ethernet interface s that is a member of this VLAN Apply Click Apply to save your changes back to the NXC Reset Click Reset to return the screen to its last saved settings 8 3 2 Add Edit VLAN This screen lets you configure IP address assignment interface bandwidth parameters DHCP settings and connectivity check for each VLAN interface To access this screen click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen The following screen appears NXC Series User s Guide Chapter 8 Int
82. Policy Routes Versus Static Routes: Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules and NAT. Policy routes are only used within the NXC itself. Static routes can be propagated to other routers. Policy routes take priority over static routes. If you need to use a routing policy on the NXC and propagate it to other routers, you could configure a policy route and an equivalent static route. DiffServ: QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types. DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route, based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points, without the need to negotiate paths or remember state information for every flow. In addition applicatio
83. Portal 3 Authentication Server oeoo0 4 Built in Service 6 Connectivity Check T Daily Report 8 Default 9 DHCP 10 Dynamic Guest Account 2 Force Authentication 4 IP MAC Binding Selection Show 50 items Displaying 1 30 of 30 The following table describes the labels in this screen Table 176 Configuration gt Log amp Report gt Log Settings gt Edit USB Storage LABEL DESCRIPTION Duplicate logs to USB storage if ready Select this to have the NXC save a copy of its system logs to a connected USB storage device Use the Active Log section to specify what kinds of messages to include Active Log Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is not associated with a specific entry Log Category This field displays each category of messages The Default category includes debugging messages generated by open source software NXC Series User s Guide Chapter 29 Log and Report Table 176 Configuration gt L
84. Protocol Please refer to RFC 1700 for further information about port numbers f the Protocol is TCP UDP or TCP UDP this is the IP port number f the Protocol is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 219 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH User Defined 51 The IPSEC AH Authentication Header tunneling IPSEC TUNNEL protocol uses this service AIM New ICQ TCP 5190 AOL s Internet Messenger service It is also used as a listening port by ICQ AUTH TCP 113 Authentication protocol used by some servers BGP TCP 179 Border Gateway Protocol BOOTP CLIENT UDP 68 DHCP Client BOOTP SERVER UDP 67 DHCP Server CU SEEME TCP 7648 A popular videoconferencing solution from White Pines Software UDP 24032 DNS TCP UDP 53 Domain Name Server a service that matches web names for example www zyxel com to IP numbers ESP User Defined 50 The IPSEC ESP Encapsulation Security Protocol IPSEC TUNNEL tunneling protocol uses this service FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on FTP TCP 20 File Transfer Program a program to enable fast transfer of files including large files that may not TCP 21 be possible by e mail H 323 TCP 1720 NetMeeting uses this protocol
85. R this is a dynamic route learned through RIP e G the route is to a gateway router in the same network e this is a route which forces a route lookup to fail B this is a route which discards packets L this is a recursive route Persist This is the remaining time of a dynamically learned route The NXC removes the route after this time period is counted down to zero The following fields are available if you click Policy Route in the Routing Flow section This field is a sequential value and it is not associated with any entry PR This is the number of an activated policy route If you have configured a schedule for the route this screen only displays the route at the scheduled time Incoming This is the interface on which the packets are received NXC Series User s Guide Chapter 32 Packet Flow Explore Table 192 Maintenance gt Packet Flow Explore gt Routing Status continued LABEL DESCRIPTION Source This is the source IP address es from which the packets are sent Destination This is the destination IP address es to which the packets are transmitted Service This is the name of the service object any means all services Source Port This is the name of a service object The NXC applies the policy route to the packets sent from the corresponding service port any means all service ports DSCP Code This is the DSCP value of incoming packets to which th
86. S02x Name s Model s A Managed AP connected to the CAPWAP Server 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Description 8th s Managed AP Model Name Model of AP is fake MAC 02x 02x 02x 02x 02x S02x Model ID x A Managed AP s model is not support by CAPWAP Server 1st 02x 6th 02x Managed AP MAC Address 7th x Managed AP s Model ID S AP Disconnect MAC 02x 02x 02x 02x 02x S02x Name s Reason s in s tate Model s A Managed AP disconnected from the CAPWAP Server 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Description 8th s Managed AP Disconnect Reason 9th 96s Managed AP Model Name AP Add AC 02x 02x 02x 02x 02x 02x odel s Add an AP from un managed list to managed list 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Model Name AP Delete AC 02x 02x 02x 02x 02x 02x odel s Delete an AP from managed list 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Model Name pdate AP Configure AC 02x 02x 02x 02x 02x 02x odel s Send configuration to an AP in the managed list 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Model Name pdate AP Configure Fail Wrong Configure Apply MAC 02x 02x 02x 02x 02x 02x Model s Send configuration to an AP in the managed list but AP sent back an apply fail response 1st 02x 6th 02x Managed AP MAC
87. Screens Summary continued FOLDER OR LINK TAB FUNCTION SNMP Configure SNMP communities and services Auth Server Configure the NXC to act as a RADIUS server Language Select the Web Configurator language IPv6 Enables or disables IPv6 support on the NXC Log amp Report Email Daily Report Configure where and how to send daily reports and what reports to send Log Settings Configure the system log e mail logs and remote syslog servers 3 3 2 4 Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files run diagnostics and reboot or shut down the NXC Table 15 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the NXC Firmware Package View the current firmware version and to upload firmware Shell Script Manage and run shell script files for the NXC Diagnostics Diagnostic Collect diagnostic information Packet Capture Capture packets for analysis Core Dump Connect a USB device to the NXC and save the NXC operating system kernel to it here System Log Connect a USB device to the NXC and archive the NXC system logs to it here Wireless Frame Capture wireless frames from APs for analysis Capture Packet Flow Routing Status Check how the NXC determines where to route a packet Expl
88. Send back DHCP NAK Clear ARP cache done Clear ARP cache done Set manual time has succeeded Current time is s The device date and time was changed manually 96s is the date and time NTP update successful current time is s The device successfully synchronized with a NTP time server 96s is the date and time NTP update failed The device was not able to synchronize with the NTP time server successfully Device is rebooted by administrator An administrator restarted the device Insufficient memory Cannot allocate system memory Update the profile s has failed because of strange server response Update profile failed because the response was strange s is the profile name Update the profile s has succeeded because the IP address of FQDN s was not changed Update profile succeeded because the IP address of profile is unchanged s is the profile name Update the profile s has succeeded Update profile succeeded 96s is the profile name Collect Diagnostic Information has failed Server did not respond There was an error and the diagnostics were not completed Collect Diagnostic Infomation has succeeded The diagnostics scripts were executed successfully Port d is up The specified port has it s link up Port d is down The specified port has it s link down NXC Series User s Guide Appendix A
89. Series User s Guide Appendix A Log Descriptions Table 195 User Logs LOG MESSAGE DESCRIPTION s s from s has A user logged into the NXC i iae ae 1st s The type of user account EnterpriseWLAN 2nd 96s The user s user name 3rd 96s The name of the service the user is using HTTP HTTPS FTP Telnet SSH or console s s from s has A user logged out of the NXC lodgeo out 1st s The type of user account EnterpriseWLAN 2nd 96s The user s user name 3rd 96s The name of the service the user is using HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out EnterpriseWLAN re auth timeout The NXC is signing the specified user out due to a re authentication timeout 1st 96s The type of user account 2nd 96s The user s user name 3rd 96s The name of the service the user is using HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out EnterpriseWLAN timeout lease The NXC is signing the specified user out due to a lease timeout 1st 96s The type of user account 2nd 96s The user s user name 3rd 96s The name of the service the user is using HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out EnterpriseWLAN timeout idle The NXC is signing the specified user out due to an idle timeout 1st 96s The type of user account 2nd 96s The user s user name 3rd 96s Th
90. Series User s Guide 127 Chapter 8 Interfaces Table 65 Configuration gt Network gt Interface gt VLAN gt Add Edit continued LABEL DESCRIPTION Metric Enter the priority of the gateway if any on this interface The NXC decides which gateway to use based on this priority The lower the number the higher the priority If two or more gateways have the same priority the NXC uses the one that was configured first IPv6 Address Assignment These IP address fields configure an IPv6 address on the interface itself Enable Stateless Address Auto configuration Select this to enable IPv6 stateless auto configuration on this interface The interface will generate an I Pv6 address itself from a prefix obtained from an IPv6 router in the network SLAAC Link Local This displays the IPv6 link local address and the network prefix that the NXC generates Address itself for the interface IPv6 Address Prefix Length Enter the I Pv6 address and the prefix length for this interface if you want to use a static IP address This field is optional The prefix length indicates what the left most part of the IP address is the same for all computers in the network that is the network address Gateway Enter the IPv6 address of the default outgoing gateway using colon hexadecimal notation Metric Enter the priority of the gateway if any on this interface The NXC decides which gateway to us
91. The NXC does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures. The following screen gives you options for what the NXC is to do if it encounters an error in the configuration file. (Screenshot: Apply Configuration File dialog, File Name system-default.conf, offering the four options described here.)
    Immediately stop applying the configuration file: this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device.
    Immediately stop applying the configuration file and roll back to the previous configuration: this gets the NXC started with a fully valid configuration file as quickly as possible.
    Ignore errors and finish applying the configuration file: this applies the valid parts of the configuration file and generates error logs for all of the configuration file's errors. This lets the NXC apply most of your configuration and you can refer to the
92. This field is a sequential value, and it is not associated with a specific profile. Profile Name: This field indicates the name assigned to the profile. ZyMesh SSID: This field shows the SSID specified in this ZyMesh profile. 20.2.1 Add/Edit ZyMesh Profile: This screen allows you to create a new ZyMesh profile or edit an existing one. To access this screen, click the Add button or select an existing profile and click the Edit button. Figure 137 Configuration > Object > ZyMesh Profile > Add/Edit ZyMesh Profile. The following table describes the labels in this screen. Table 123 Configuration > Object > ZyMesh Profile > Add/Edit ZyMesh Profile (LABEL: DESCRIPTION)
    Profile Name: Enter up to 31 alphanumeric characters for the profile name.
    ZyMesh SSID: Enter the SSID with which you want the managed AP to connect to a root AP or repeater to build a ZyMesh link. Note: The ZyMesh SSID is hidden in the outgoing beacon frame so a wireless device cannot obtain the SSID through scanning using a site survey tool.
    Pre-Shared Key: Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. The key is used to encrypt the wireless traff
93. Trusted RADIUS Client: Click Configuration > System > Auth. Server to display the Auth. Server screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new entry or edit an existing one. Figure 196 Configuration > System > Auth. Server > Add/Edit. The following table describes the labels in this screen. Table 170 Configuration > System > Auth. Server > Add/Edit (LABEL: DESCRIPTION)
    Activate: Select this check box to make this profile active.
    Profile Name: Enter a descriptive name (up to 31 alphanumerical characters) for identification purposes.
    IP Address: Enter the IP address of the RADIUS client that is allowed to exchange messages with the NXC.
    Netmask: Enter the subnet mask of the RADIUS client.
    Secret: Enter a password (up to 64 alphanumeric characters) as the key to be shared between the NXC and the RADIUS client. The key is not sent over the network. This key must be the same on the external authentication server and the NXC.
    Description: Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
    OK: Click OK to save the changes.
    Cancel: Click Cancel to discard the changes.
    28.13 Language: Click C
94. VLAN ID number Member This field displays the Ethernet port s that is a member of this VLAN Station Count The y axis represents the number of connected stations Time The x axis shows the time over which a station was connected Last Update This field displays the date and time the information in the window was last updated NXC Series User s Guide Chapter 5 Monitor 5 12 Radio List Use this screen to view statistics about the wireless radio transmitters in each of the APs connected to the NXC To access this screen click Monitor gt Wireless gt AP Information gt Radio List Figure 35 AP List Radio List k Page 1 Radio List AP D of1 Show 50 Monitor gt Wireless gt AP Information gt Radio List Model MAC Reo Onc APLZyM Freq Cha TP Sn PREPS REPKT RxF TR v items No data to display The following table describes the labels in this screen Table 37 Monitor gt Wireless gt AP Information gt Radio List LABEL DESCRIPTION More Click this to view additional information about the selected radio s SSID s wireless traffic Information and wireless clients Information spans a 24 hour period This is the radio s index number in this list Loading This indicates the AP s load balance status UnderLoad or OverLoad when load balancing is enabled on the AP Otherwise it shows when load balancing is disab
95. View is set to all sessions Select the service or service group whose sessions you want to view The NXC identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each services that is defined See Chapter 22 on page 241 for more information about services Source This field displays when View is set to all sessions Type the source IP address whose sessions you want to view You cannot include the source port Destination This field displays when View is set to all sessions Type the destination IP address whose sessions you want to view You cannot include the destination port Search This button displays when View is set to all sessions Click this button to update the information on the screen using the filter criteria in the User Service Source Address and Destination Address fields This field displays the index number of each active session User This field displays the user in each active session If you are looking at the sessions by users or all sessions report click or to display or hide details about a user s sessions Service This field displays the protocol used in each active session If you are looking at the sessions by services report click or to display or hide details about a protocol s sessions Source This field displays the source IP address and port in each active session If you are looking at the sessions by source IP report click or to display
96. XP to use it. WPA(2) with RADIUS Application Example: To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system. The AP passes the wireless client's authentication request to the RADIUS server. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client. The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. Figure 236 WPA(2) with RADIUS Application Example. WPA(2)-PSK Application Example: A WPA(2)-PSK application looks as follows. First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols). The AP checks each wireless client's password and allows it to join the network only if the pass
97. a remote host due to network error NXC Series User s Guide Appendix A Log Descriptions Table 200 System Logs LOG MESSAGE DESCRIPTION Port d is up When LI NK is up d is the port number Port d is down When LINK is down d is the port number s Ss is dead at A daemon process is gone was killed by the operating system lst 96s Daemon Name 2nd 96s date and time s process count is incorrect at SS The count of the listed process is incorrect 1st 96s Daemon Name 2nd 96s date and time s becomes Zombie at SS A process is present but not functioning lst s Daemon Name 2nd s date and time When memory usage exceed threshold max memory usage reaches d mem threshold max When local storage usage exceeds threshold max 96s Partition name file system usage reaches d disk threshold max When memory usage drops below threshold min System Memory usage drops below the threshold of 96 d9696 mem threshold min When local storage usage drops below threshold min 96s partition name file system drops below the threshold of d disk threshold min DHCP Server executed with cautious mode enabled DHCP Server executed with cautious mode enabled DHCP Server executed with cautious mode disabled DHCP Server executed with cautious mode disabled Received packet is not an ARP response packet A packet was received but it is
98. a shell script file's row to select it and click Apply to have the NXC use that shell script file. You may need to wait awhile for the NXC to finish applying the commands.
# | This column displays the number for each shell script file entry.
File Name | This column displays the label that identifies a shell script file.
Size | This column displays the size (in KB) of a shell script file.
Last Modified | This column displays the date and time that the individual shell script files were last changed or saved.
Upload Shell Script | The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your NXC.
File Path | Type in the location of the file you want to upload in this field or click Browse to find it.
Browse | Click Browse to find the .zysh file you want to upload.
Upload | Click Upload to begin the upload process. This process may take up to several minutes.

Diagnostics

31.1 Overview

Use the diagnostics screens for troubleshooting.

31.1.1 What You Can Do in this Chapter

The Diagnostics screen (Section 31.2 on page 352) generates a file containing the NXC's configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
The Packet Capture screen (Section 31.3 on page 354) captures data packets going through the NXC.
The Core Dump screens (Section 3
99. access control configuration. %s: service name
User %s has been denied access from %s | The NXC blocked a login attempt by the specified user name because of an invalid user name or password. 2nd %s: service name
LDAP/AD Wrong IP or Port IP %s Port %d | LDAP/AD Wrong IP or Port. Please check the AAA server setting.
Domain auth fail | Domain auth fail. Please check the domain auth related setting.
Failed to join domain Access denied | Failed to join domain Access denied. Please check the AD server.

Table 196 Registration Logs
LOG MESSAGE | DESCRIPTION
Send registration message to MyZyXEL.com server has failed | The device was not able to send a registration message to MyZyXEL.com.
Get server respons has failed | The device sent packets to the MyZyXEL.com server but did not receive a response. The root cause may be that the connection is abnormal.
Timeout for get server response | zysh need to catch MyZyXEL.com agent's return code, this log will be shown when timeout.
User has existed | The user name already exists in MyZyXEL.com's database. So the user can't use it for device registration and needs to specify another one.
User does not exist | The user name does not yet exist in MyZyXEL.com's database. So the user can use it for device registration.
Internal server error | MyZyXEL.com's database had an error when checking the user name
100. access the NXC CLI using this service.
Version 1 | Select the check box to have the NXC use both SSH version 1 and version 2 protocols. If you clear the check box, the NXC uses only SSH version 2 protocol.
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Certificate | Select the certificate whose corresponding private key is to be used to identify the NXC for SSH connections. You must have certificates already configured in the My Certificates screen.
Service Control | This specifies from which computers you can access which NXC zones.
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move | To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed.
# | This is the index number of the service control rule.
Zone | This is the zone on the NXC the user is allowed or denied to access.
101. address is used in replies.
Send Log To | Type the e-mail address to which the outgoing e-mail is delivered.
Send Alerts To | Type the e-mail address to which alerts are delivered.
Sending Log | Select how often log information is e-mailed. Choices are: When Full, Hourly and When Full, Daily and When Full, and Weekly and When Full.
Day for Sending Log | This field is available if the log is e-mailed weekly. Select the day of the week the log is e-mailed.
Time for Sending Log | This field is available if the log is e-mailed weekly or daily. Select the time of day (hours and minutes) when the log is e-mailed. Use 24-hour notation.
SMTP Authentication | Select this check box if it is necessary to provide a user name and password to the SMTP server.
User Name | This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is e-mailed.
Password | This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-mailed.
Retype to Confirm | Retype your new password for confirmation.
Active Log and Alert
System log | Use the System Log drop-down list to change the log settings for all of the log categories.
disable all logs (red X): do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.
enable normal logs
102. any computer to send DNS queries to the NXC. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the NXC.
Zone | Select ALL to allow or prevent DNS queries through any zones. Select a predefined zone on which a DNS query to the NXC is allowed or denied.
Action | Select Accept to have the NXC allow the DNS queries from the specified computer. Select Deny to have the NXC reject the DNS queries from the specified computer.
OK | Click OK to save your customized settings and exit this screen.
Cancel | Click Cancel to exit this screen without saving.

28.7 WWW Overview

The following figure shows secure and insecure management of the NXC coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet management access are not secure.

Figure 177 Secure and Insecure Service Access From the WAN

28.7.1 Service Access Limitations

A service cannot be used to access the NXC when:
1 You have disabled that service in the corresponding screen.
2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the NXC disallows the session).
3 The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny.
103. are:
None: the NXC does not provide any DHCP services. There is already a DHCP server on the network.
DHCP Relay: the NXC routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.
DHCP Server: the NXC assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The NXC is the DHCP server for the network.

These fields appear if the NXC is a DHCP Relay.
Relay Server 1 | Enter the IP address of a DHCP server for the network.
Relay Server 2 | This field is optional. Enter the IP address of another DHCP server for the network.

These fields appear if the NXC is a DHCP Server.
IP Pool Start Address | Enter the IP address from which the NXC begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP. If this field is blank, the Pool Size must also be blank. In this case, the NXC can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface's IP address.
Pool Size | Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the NXC can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses. If t
104. are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can potentially open up critical holes in a network's security policy.

1.3.3 Captive Portal

The NXC can be configured with a captive portal, which intercepts all network traffic, regardless of address or port, until a connecting user authenticates his or her session through a designated login Web page.

Figure 3 Applications: Captive Portal

The captive portal page only appears once per authentication session. Unless a session times out or a user closes the connection, he or she generally will not see it again during the same session.

1.3.4 Load Balancing

With load balancing you can easily distribute wireless traffic across multiple APs to relieve strain on your network. When a station becomes overloaded, it can automatically delay a connection until the client associates with another network, or it can alternatively disassociate idle clients or those clients with weak connections from the network.

1.3.5 Dynamic Channel Selection

The NXC can automatically select the radio channel upon which its APs broadcast by scanning the area around those APs and determining what channels are currently being used by other devices not connected to the network.

1.3.6 User-Aware Access Control

Set up secu
105. authority.

Table 142 Configuration > Object > Certificate > My Certificates (continued)
LABEL | DESCRIPTION
Subject | This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer | This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From | This field displays the date that the certificate becomes applicable.
Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expired message if the certificate has expired.
Import | Click Import to open a screen where you can save a certificate to the NXC.
Refresh | Click Refresh to display the current validity status of the certificates.

26.2.1 Add My Certificates

Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the NXC create a self-signed certificate, enrol
106. automatically updates address objects based on an interface's IP address, subnet, or gateway if the interface's IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.

I cannot get the RADIUS server to authenticate the NXC's default admin account.
The default admin account is always authenticated locally, regardless of the authentication method setting.

The NXC fails to authenticate the ext-user user accounts I configured.
An external server such as AD, LDAP or RADIUS must authenticate the ext-user accounts. If the NXC tries to use the local database to authenticate an ext-user, the authentication attempt will always fail.

I cannot add the admin users to a user group with access users.
You cannot put access users and admin users in the same user group.

I cannot add the default admin account to a user group.
You cannot put the default admin account into any user group.

The schedule I configured is not being applied at the configured times.
Make sure the NXC's current date and time are correct.

I cannot get a certificate to import into the NXC.
1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the NXC. You can also import a certificate in PKCS#12 format, including the certificate's pu
107. be 10 Mbps, 100 Mbps or 1000 Mbps. The duplex mode can be both half or full duplex at 10/100 Mbps and full duplex only at 1000 Mbps. An auto-negotiating port can detect and adjust to the optimum Ethernet speed and duplex mode of the connected device. An auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable.

Default Ethernet Settings

The factory default negotiation settings for the Ethernet ports on the NXC are:
Speed: Auto
Duplex: Auto
Flow control: On (you cannot configure the flow control setting, but the NXC can negotiate with the peer and turn it off if needed)

Console Port (NXC5500 Only)

Connect this port to your computer (using an RJ-45-to-DB-9 console cable) if you want to configure the NXC using the command line interface (CLI) via the console port.

For local management, you can use a computer with terminal emulation software configured to the following parameters:
VT100 terminal emulation
115200 bps
No parity, 8 data bits, 1 stop bit
No flow control

Connect the RJ-45 connector of the console cable to the console port of the NXC. Connect the female 9-pin end of the console cable to a serial port (COM1, COM2 or other COM port) of your computer. The following table shows you the wire color codes and pin assignment for the console cable.

Table 6 RJ-45-to-DB-9 Console Cable Color Codes
DB 9 SIGNAL DB 9 PINZ WIRE CO
108. bit enterprise number in these fields. An enterprise number is a unique number that identifies a company.
First Class, Second Class | If you selected VIVC (124), enter the details of the hardware configuration of the host on which the client is running, or of industry consortium compliance.
First Information, Second Information | If you selected VIVS (125), enter additional information for the corresponding enterprise number in these fields.
OK | Click this to close this screen and update the settings to the previous Edit screen.
Cancel | Click Cancel to close the screen.

The following table lists the available DHCP extended options (defined in RFCs) on the NXC. See RFCs for more information.

Table 63 DHCP Extended Options
OPTION NAME | CODE | DESCRIPTION
Time Offset | 2 | This option specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC).
Time Server | 4 | This option specifies a list of Time servers available to the client.
NTP Server | 42 | This option specifies a list of the NTP servers available to the client by IP address.
TFTP Server Name | 66 | This option is used to identify a TFTP server when the "sname" field in the DHCP header has been used for DHCP options. The minimum length of the value is 1.
Bootfile | 67 | This option is used to identify a bootfile when the "file" field in the DHCP header has been used for DHCP options. The minimum length of the value
109. cause clients to lose connectivity with the network This value can be set from 1 to 255 Output Power Set the output power of the AP in this field If there is a high density of APs in an area decrease the output power of the managed AP to reduce interference with other APs Select one of the following Max 3db 50 6db 2596 9dB 12 5 or Min See the product specifications for more information on your NXC s output power Note Reducing the output power also reduces the NXC s effective broadcast radius Enable Signal Threshold Select the check box to use the signal threshold to ensure wireless clients receive good throughput This allows only wireless clients with a strong signal to connect to the AP Clear the check box to not require wireless clients to have a minimum signal strength to connect to the AP Station Signal Threshold Set a minimum client signal strength A wireless client is allowed to connect to the AP only when its signal strength is stronger than the specified threshold 20 dBm is the strongest signal you can require and 76 is the weakest Disassociate Station Threshold Set a minimum kick off signal strength When a wireless client s signal strength is lower than the specified threshold the NXC disconnects the wireless client from the AP 20 dBm is the strongest signal you can require and 90 is the weakest Allow Station Connection after Multiple Retries Select this
110. The following table describes the labels in this screen.

Table 144 Configuration > Object > Certificate > My Certificates > Edit
LABEL | DESCRIPTION
Name | This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and amp characters.
Certification Path | This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The NXC does not trust the certificate and displays "Not trusted" in this field if any certificate on the path has expired or been re
111. display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed.
# | This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the NXC's (non-configurable) default policy. The NXC applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the NXC will not have to use the default policy.
Zone | This is the zone on the NXC the user is allowed or denied to access.
Address | This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action | This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny).
HTTP
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the NXC Web Configurator using HTTP connections.
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service to access the NXC.

Table 161 Configuration > System > WWW > Service Control (continued)
LABEL | DESCRIPTION
Admin User Service Admi
112. each log.

Table 174 Configuration > Log & Report > Log Settings (continued)
LABEL | DESCRIPTION
Log Category Settings | Click this button to open the Log Category Settings screen.
Apply | Click this button to save your changes (activate and deactivate logs) and make them take effect.

29.3.2 Edit System Log Settings

This screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen and click the system log Edit icon.

Figure 201 Configuration > Log & Report > Log Settings > Edit System Log
113. example, if the Ekahau RTLS Controller is behind a firewall, open ports 8550, 8553, and 8569 to allow traffic the APs send to reach the Ekahau RTLS Controller.

The following table lists default port numbers and types of packets RTLS uses.

Table 90 RTLS Traffic Port Numbers
PORT NUMBER | TYPE | DESCRIPTION
8548 | TCP | Ekahau T201 location update
8549 | UDP | Ekahau T201 location update
8550 | TCP | Ekahau T201 tag maintenance protocol and Ekahau RTLS Controller user interface
8552 | UDP | Ekahau Location Protocol
8553 | UDP | Ekahau Maintenance Protocol
8554 | UDP | Ekahau T301 firmware update
8560 | TCP | Ekahau Vision web interface
8562 | UDP | Ekahau T301W firmware update
8569 | UDP | Ekahau TZSP Listener Port

15.3 Configuring RTLS

Click Configuration > RTLS to open this screen. Use this screen to turn RTLS (Real Time Location System) on or off and specify the IP address and server port of the Ekahau RTLS Controller.

Figure 105 Configuration > RTLS

The following table describes the labels in this screen.

Table 91 Configuration > RTLS
LABEL | DESCRIPTION
Enable | Select this to use Wi-Fi to track the location of Ekahau Wi-Fi tags.
IP Address | Specify the IP address of the Ekahau RTLS Controller.
Server Port | Specify the server port nu
114. existent security to gain access to the network or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially available software to physically locate it.

Figure 135 Rogue AP Example

In the example above, a corporate network's security is compromised by a rogue AP (RG) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company's legitimate wireless network (the dashed ellipse B) is well secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C).

Friendly APs

If you have more than one AP in your wireless network, you should also configure a list of "friendly" APs. Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from recognized networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points.

ZyMesh Profile

20.1 Overview

This chapter shows you how to configure ZyMesh profiles for the NXC to apply to the ma
115. (green check mark): create log messages and alerts for all categories for the system log. If e-mail server 1 or 2 also has normal logs enabled, the NXC will e-mail logs to them.
enable normal logs and debug logs (yellow check mark): create log messages, alerts, and debugging information for all categories. The NXC does not e-mail debugging information, even if this setting is selected.
E-mail Server 1 | Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.
enable normal logs (green check mark): e-mail log messages for all categories to e-mail server 1.
enable alert logs (red exclamation point): e-mail alerts for all categories to e-mail server 1.

Table 175 Configuration > Log & Report > Log Settings > Edit System Log (continued)
LABEL | DESCRIPTION
E-mail Server 2 | Use the E-Mail Server 2 drop-down list to change the settings for e-mailing logs to e-mail server 2 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 2 settings.
enable normal logs (green check mark): e-mail log messages for all categories to e-mail server 2.
enable alert logs (red exclamation point): e-mail alerts for all categories to e-mail
116. > Log > View AP Log
LABEL | DESCRIPTION
Priority | Select a priority level to use for filtering displayed log messages. Note: This criterion only appears when you Show Filter.
Source Address | Enter a source IP address to display only the log messages that include it. Note: This criterion only appears when you Show Filter.
Destination Address | Enter a destination IP address to display only the log messages that include it. Note: This criterion only appears when you Show Filter.
Source Interface | Enter a source interface to display only the log messages that include it. Note: This criterion only appears when you Show Filter.
Destination Interface | Enter a destination interface to display only the log messages that include it. Note: This criterion only appears when you Show Filter.
Service | Select a service type to display only the log messages related to it. Note: This criterion only appears when you Show Filter.
Keyword | Enter a keyword to display only the log messages that include it. Note: This criterion only appears when you Show Filter.
Protocol | Select a protocol to display only the log messages that include it. Note: This criterion only appears when you Show Filter.
Search | Click this to start the log query based on the selected criteria. If no criteria have been selected, then this displays all log messages for the specified AP regardless.
Email Log Now | Click this to open a new e-mai
117. intended users get to use specific IP addresses.
Enable Logs for IP/MAC Binding Violation | Select this option to have the NXC generate a log if a device connected to this interface attempts to use an IP address not assigned by the NXC.
Static DHCP Bindings | This table lists the bound IP and MAC addresses. The NXC checks this table when it assigns IP addresses. If the computer's MAC address is in the table, the NXC assigns the corresponding IP address. You can also access this table from the interface's edit screen.
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
# | This is the index number of the static DHCP entry.

Table 80 Configuration > Network > IP/MAC Binding > Edit (continued)
LABEL | DESCRIPTION
IP Address | This is the IP address that the NXC assigns to a device with the entry's MAC address.
MAC Address | This is the MAC address of the device to which the NXC assigns the entry's IP address.
Description | This helps identify the entry.
OK | Click OK to save your changes back to the NXC.
Cancel | Click Cancel to exit this screen without saving.

13.2.2 Add/Edit Static DHCP Rule

Click Configurati
118. is 1.
SIP Server | 120 | This option carries either an IPv4 address or a DNS domain name to be used by the SIP client to locate a SIP server.
VIVC | 124 | Vendor-Identifying Vendor Class option. A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs.
VIVS | 125 | Vendor-Identifying Vendor-Specific option. DHCP clients and servers may use this option to exchange vendor-specific information.

Table 63 DHCP Extended Options (continued)
OPTION NAME | CODE | DESCRIPTION
CAPWAP AC | 138 | CAPWAP Access Controller addresses option. The Control And Provisioning of Wireless Access Points Protocol allows a Wireless Termination Point (WTP) to use DHCP to discover the Access Controllers to which it is to connect. This option carries a list of IPv4 addresses indicating one or more CAPWAP ACs available to the WTP.
TFTP Server | 150 | The option contains one or more IPv4 addresses that the client may use. The current use of this option is for downloading configuration from a VoIP server via TFTP; however, the option may be used for purposes other than contacting a VoIP configuration server.

8.3 VLAN Interfaces

A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard
119. is recommended.

The wireless security is not following the re-authentication timer setting I specified.
If a RADIUS server authenticates wireless stations, the re-authentication timer on the RADIUS server has priority. Change the RADIUS server's configuration if you need to use a different re-authentication timer setting.

The NXC is not applying an interface's configured ingress bandwidth limit.
At the time of writing, the NXC does not support ingress bandwidth management.

The NXC routes and applies SNAT for traffic from some interfaces but not from others.
The NXC automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, for example LAN to WAN traffic. You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General. You can also configure a policy route to override the default routing and SNAT behavior for an interface with the Interface Type set to Internal or External.

The NXC keeps resetting the connection.
If an alternate gateway on the LAN has an IP address in the same subnet as the NXC's LAN IP address, return traffic may not go through the NXC. This is called an asymmetrical or "triangle" route. This causes the NXC to reset the connection, as the connection has not been acknowledged.

I changed the LAN IP address and can no longer access the Internet.
The NXC
120. is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements. Use the NXC with the Ekahau RTLS system to take signal strength measurements at the APs (Integrated Approach / Blink Mode).

The following example shows the Ekahau RTLS Integrated Approach (Blink Mode).
1 The Wi-Fi tag sends blink packets at specified intervals or triggered by something like motion or button presses.
2 The APs pick up the blink packets, measure the signal strength, and send it to the NXC.
3 The NXC forwards the signal measurements to the Ekahau RTLS Controller.
4 The Ekahau RTLS Controller calculates the tag positions.

Figure 104 RTLS Example

15.1.1 What You Can Do in this Chapter

Use the RTLS screen (Section 15.3 on page 179) to use the managed APs as part of an Ekahau RTLS to track the location of Ekahau Wi-Fi tags.

15.2 Before You Begin

You need:
At least three APs managed by the NXC (the more APs the better, since it increases the amount of information the Ekahau RTLS Controller has for calculating the location of the tags).
IP addresses for the Ekahau Wi-Fi tags.
A dedicated RTLS SSID is recommended.
Ekahau RTLS Controller in blink mode with TZSP Updater enabled.
Firewall rules to allow RTLS traffic if the NXC firewall is enabled or the Ekahau RTLS Controller is behind a firewall. For
121. log occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M.
Apply | Click Apply to save your changes back to the NXC.
Reset | Click Reset to return the screen to its last-saved settings.

28.4.1 Pre-defined NTP Time Servers List

When you turn on the NXC for the first time, the date and time start at 2003-01-01 00:00:00. The NXC then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers. The NXC continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.

Table 154 Default Time Servers
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org

When the NXC uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the NXC goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.

28.4.2 Time Server Synchronization

Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field. When the Loading message appears, you may have to wait up to one minute.

Figure 170 Loading
122. managed AP. PVID: This shows the port's PVID. A PVID (Port VLAN ID) is a tag that adds to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines. VLAN Configuration. This is the VLAN's index number in this list. Status: This displays whether or not the VLAN is activated. Name: This shows the name of the VLAN. VID: This shows the VLAN ID number. Member: This field displays the Ethernet port(s) that is a member of this VLAN. Table 50: Configuration > Wireless > AP Management > Edit AP List (continued). OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to close the window with changes unsaved. 7.3.2 Port Setting Edit: Use this screen to enable or disable a port on the managed AP and configure the port's PVID. To access this screen, select a port and click the Edit button in the Port Setting table of the Configuration > Wireless > AP Management > Edit AP List screen. Figure 50: Configuration > Wireless > AP Management > Edit AP List > Edit Port [Screenshot: Edit Port, with General Settings (Enable) and Port Properties (Name, Native VID (PVID)), OK, Cancel]. Each field is described in the following table. Table 51: Configuration > Wireless > AP Management > Edit AP L
123. matches the criteria of a routing rule, the NXC takes the corresponding action and does not perform any further flow checking. Figure 222: Maintenance > Packet Flow Explore > Routing Status (Direct Route) [Screenshot: Routing Table with columns Destination, Gateway, Interface, Metric, Flags, Persist. Note on flags: A - Activated route, S - Static route, C - directly Connected, G - selected Gateway, reject, B - Black hole, L - Loop]. Figure 223: Maintenance > Packet Flow Explore > Routing Status (Policy Route) [Screenshot: Routing Table with columns Incoming, Source, Destination, Service, Source Port, DSCP Code, Next Hop. Note: If you want to configure Policy Route, please go to Policy Route]. [Screenshot: Routing Table with columns NAT Rule, Source, Outgoing, Gateway. Note: If you want to configure NAT, please go to NAT]. Figure 225: Maintenance > Packet Flow Explore > Routing Status (Main Route)
124. may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics > Core Dump to open the following screen. Figure 217: Maintenance > Diagnostics > Core Dump. The following table describes the labels in this screen. Table 187: Maintenance > Diagnostics > Core Dump (LABEL / DESCRIPTION). Save core dump to USB storage if ready: Select this to have the NXC save a process's core dump to an attached USB storage device if the process terminates abnormally (crashes). If you clear this option the NXC only saves Apply: Click Apply to save the changes. Reset: Click Reset to return the screen to its last saved settings. 31.4.1 Core Dump Files: Click Maintenance > Diagnostics > Core Dump > Files to open the core dump files screen. This screen lists the core dump files stored on the NXC or a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 218: Maintenance > Diagnostics > Core Dump > Files
125. memberOf. Domain Authentication for MSChap: Enable, User Password, Retype to Confirm, Realm, NetBIOS Name, Optional. Configuration Validation: Please enter an existing user account in this server to validate the above settings. Username. User Name: Must be a user who has rights to add a machine to the domain. Figure 154: Configuration > Object > AAA Server > LDAP > Add/Edit [Screenshot: Add LDAP, with General Settings (Name, Description); Server Settings (Server Address, Backup Server Address, Port 389 (1-65535), Base DN, Use SSL, Search time limit 5 (1-300 seconds), Case-sensitive User Names); Server Authentication (Bind DN, Password, Retype to Confirm); User Login Settings (Login Name Attribute uid, Alternative Login Name Attribute, Group Membership Attribute uniquemember); Configuration Validation (Username)]. The following table describes the labels in these screens. Table 137: Configuration > Object > AAA Server > Active Directory (or LDAP) > Add/Edit (LABEL / DESCRIPTION). Name: Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description: Enter the description of e
126. neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 234: Infrastructure WLAN. Channel: A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, causing interference and degrading performance. Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11. RTS/CTS: A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but
127. none if the NXC does not perform NAT for this route. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. 9.2.1 Add/Edit Policy Route: Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route. Figure 73: Configuration > Network > Routing > Policy Route > Add/Edit [Screenshot: Add Policy Route, with fields Configuration, Enable, Description, Criteria, User, Incoming, Source Address, Destination Address, DSCP Code, Schedule, Service, Source Port, Next Hop, Type, Interface, Auto Disable, DSCP Marking, Address Translation, Source Network Address Translation]. The following table describes the labels in this screen. Table 69: Configuration > Network > Routing > Policy Route > Add/Edit (LABEL / DESCRIPTION). Show/Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields. Create new Object: Use this to configure any new settings objects that you need to use in this screen. Confi
128. on page 227 for details. 5.3 Port Statistics: Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics. Figure 24: Monitor > System Status > Port Statistics [Screenshot: General Settings with Poll Interval (1-60 seconds), Set Interval and Stop; Statistics Table with Switch To Graphic View; System Up Time]. The following table describes the labels in this screen. Table 24: Monitor > System Status > Port Statistics (LABEL / DESCRIPTION). Poll Interval: Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval: Click this to set the Poll Interval the screen uses. Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval. Switch to Graphic View: Click this to display the port statistics as a line graph. Table 24: Monitor > System Status > Port Statistics (continued). This field displays the port's number in the
129. option to allow a wireless client to try to associate with the AP again after it is disconnected due to weak signal strength. Station Retry Count: Set the maximum number of times a wireless client can attempt to re-connect to the AP. Table 111: Configuration > Object > AP Profile > Add/Edit Radio Profile (continued). Rate Configuration: This section controls the data rates permitted for clients. For each Rate, select a rate option from its list. The rates are: Basic Rate (Mbps): Set the basic rate configuration in Mbps. Support Rate (Mbps): Set the support rate configuration in Mbps. MCS Rate: Set the MCS rate configuration. IEEE 802.11n supports many different data rates, which are called MCS rates. MCS stands for Modulation and Coding Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput. Multicast Settings: Use this section to set a transmission mode and maximum rate for multicast traffic. Transmission Mode: Set how the AP handles multicast traffic. Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast traffic. Unicast traffic dynamically changes the data rate based on the application's bandwidth requirements. The retransmit mechanism of unicast traffic provides more reliable transmission of t
130. out of range of each other, so they cannot hear each other, that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 235: RTS/CTS [Figure labels: RTS Range, CTS Range, Station A, Station B, AP. Stations A and B do not hear each other. They can hear the AP]. When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked. When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission. Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if
131. physical port. Interface Status: Display general interface information and packet statistics. Traffic Statistics: Collect and display traffic statistics. Session Monitor: Display the status of all current sessions. IP/MAC Binding: List the devices that have received an IP address from NXC interfaces using IP/MAC binding. Login Users: List the users currently logged into the NXC. Dynamic Guest: List the dynamic guest accounts in the NXC's local database. USB Storage: Display details about a USB device connected to the NXC. Wireless > AP Information > AP List: Display information about the connected APs. Table 13: Monitor Menu Screens Summary (continued) (FOLDER OR LINK / TAB / FUNCTION). Radio List: Display information about the radios of the connected APs. All ZyMesh AP / ZyMesh Link Info: Display statistics about the ZyMesh WDS connections between the managed APs. Station Info > Station List: Display information about the connected stations. Detected Device: Display information about suspected rogue APs. Log > View Log: List log entries for the NXC. View AP Log: Allow you to query connected APs and view log entries for them. 3.3.2.3 Configuration Menu: Use the configuration menu screens to configure the NXC's features. Table 14: Configuration Menu Screens Summary (FOLDER OR LINK / TAB / FUNCTION). Licensing > Registration > Registration: Regist
132. portal functionality. This means all web page requests can initially be redirected to a special web page that requires you to authenticate your session. Once authentication is successful, you can then connect to the rest of the network or Internet. Typically, you often find captive portal pages in public hotspots such as bookstores, coffee shops, and hotel rooms, to name a few; as soon as you attempt to open a web page, the hotspot's AP reroutes your browser to a captive portal page that prompts you to log in. Figure 90: Captive Portal Example. The captive portal page only appears once per authentication session. Unless a user idles out or closes the connection, he or she generally will not see it again during the same session. 14.1.1 Captive Portal Type: The NXC allows you to use either an internal captive web portal (built into the NXC) or external captive web portal (on an external web server). You can even customize the portal page(s). See Section 14.3.1 on page 172 and Section 14.3.2 on page 174 for portal pages details. The following table shows you the differences between available web portal options. Table 83: Captive Portal Options (OPTION / PORTAL TYPE / USER-DEFINED PORTAL PAGES / WHERE TO CONFIGURE). External Web Portal External Login Logout Welcome Session Captive Po
133. products, such as the NXC, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority. Note: You can see if you are browsing on a secure website if the URL in your web browser's address bar begins with https or there is a sealed padlock icon somewhere in the main browser window (not all browsers show the padlock in the same location). Internet Explorer: The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista. 1. If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
134. security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the NXC are data encryption, wireless client authentication, restricting access by device MAC address and hiding the NXC identity. The following figure shows the relative effectiveness of these wireless security methods available on your NXC. Table 221: Wireless Security Levels (SECURITY LEVEL / SECURITY TYPE), from Least Secure to Most Secure: Unique SSID (Default); Unique SSID with Hide SSID Enabled; MAC Address Filtering; WEP Encryption; IEEE802.1x EAP with RADIUS Server Authentication; Wi-Fi Protected Access (WPA); WPA2. Note: You must enable the same wireless security settings on the NXC and on all wireless clients that you want to associate with it. IEEE 802.1x: In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: User based identification that allows for roaming. Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. Support for
135. service. This field is read-only and displays any for Many 1:1 NAT. Original Service: This field is available if Port Mapping Type is Service. Select the original service whose destination port(s) is supported by this NAT rule. Mapped Service: This field is available if Port Mapping Type is Service. Select the translated service whose destination port(s) is supported if this NAT rule forwards the packet. Protocol Type: This field is available if Port Mapping Type is Port or Ports. Select the protocol (TCP, UDP, or Any) used by the service requesting the connection. Original Port: This field is available if Port Mapping Type is Port. Enter the original destination port this NAT rule supports. Mapped Port: This field is available if Port Mapping Type is Port. Enter the translated destination port if this NAT rule forwards the packet. Original Start Port: This field is available if Port Mapping Type is Ports. Enter the beginning of the range of original destination ports this NAT rule supports. Original End Port: This field is available if Port Mapping Type is Ports. Enter the end of the range of original destination ports this NAT rule supports. Mapped Start Port: This field is available if Port Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet. Mapped End Port: This field is available if Port Mapping Type is Ports. Ent
136. single NXC can support is 512. Maximum Number of ZyMesh Root APs: The NXC by default allows up to one ZyMesh root AP, which means only one radio of the managed AP can be set to root AP mode. You can remove the limit by subscribing to the ZyMesh license. 6.2 Registration: This screen varies depending on your NXC model. 6.2.1 NXC2500: Use this screen to register your NXC with myZyXEL.com. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Figure 42: Configuration > Licensing > Registration [Screenshot: General Settings registration form with new myZyXEL.com account and existing myZyXEL.com account options, User Name, Password, Confirm Password, E-Mail Address, Country, Seller Details (Seller's Name, Seller's E-mail, Seller's Contact Number, VAT Number) and the Privacy Policy text]
137. successfully downloaded the system protect signature file. System protect signature update has succeeded: The device successfully downloaded and applied a system protect signature file. System protect signature download has failed: The device still cannot download the system protect signature file after 3 retries. Resolve server IP has failed: The device could not resolve the myZyXEL.com server's FQDN to an IP address through gethostbyname. Connect to MyZyXEL.com server has failed: The device could not connect to the MyZyXEL.com server. Build query message has failed: Some information was missing in the packets that the device sent to the server. Table 196: Registration Logs (continued) (LOG MESSAGE / DESCRIPTION). Verify server's certificate has failed: The device could not process an HTTPS connection because it could not verify the server's certificate. Get server respons has failed: The device sent packets to the server, but did not receive a response. The root cause may be that the connection is abnormal. Expiration daily check has failed %s: The daily check for service expiration failed; an error message returned by the MyZyXEL.com server will be appended to this log. %s: error message returned by myZyXEL.com server. Do expiration daily check has failed Because of lack m
138. table describes the labels in this screen. Table 141: Configuration > Object > Auth. Method > Add (LABEL / DESCRIPTION). Name: Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, My_Device. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Move: To change a method's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed. The ordering of your methods is important as NXC authenticates the users using the authentication methods in the order they appear in this screen. This field displays the index number. Method List: Select a server object from the drop-down list box. You can create a server object in the AAA Server screen. The NXC authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen. If two accounts with the same username exist on two authentic
139. the IP addresses reserved for specific MAC addresses. The Number of Login Users screen (Section 4.2.5 on page 55) displays the users currently logged into the NXC. 4.2 Dashboard: This screen is the first thing you see when you log into the NXC. It also appears every time you click the Dashboard icon in the navigation panel. The Dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Figure 18: Dashboard [Screenshot: widgets Virtual Device, Device Information, System Status, Licensed Service Status, Extension Slot, Interface Status Summary]
140. the NXC. The available storage size is displayed as well. Note: The NXC reserves some onboard storage space as a buffer. Save data to USB storage: Select this to have the NXC store packet capture entries only on a USB storage device connected to the NXC. Status: Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the NXC cannot mount it. none - no USB storage device is connected. available - you can have the NXC use the USB storage device. The available storage capacity also displays. service deactivated - the USB storage feature is disabled and the NXC cannot use a connected USB device to store the system log and other diagnostic information. Note: The NXC reserves some USB storage space as a buffer. Captured Packet Files: When saving packet captures only to the NXC's onboard storage, specify a maximum limit in megabytes for the total combined size of all the capture files on the NXC. When saving packet captures to a connected USB storage device, specify a maximum limit in megabytes for each capture file. Note: If you have existing capture files and have not selected the Continuously capture and overwrite old ones option, you may need to set this size larger or delete existing capture files. The valid range depends on the available onboard/USB storage size. The NXC stops the capture and generates the capture file when either the file reaches this size or
141. the NXC regularly ping the gateway you specify to make sure it is still available. Select tcp to have the NXC regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period: Enter the number of seconds between connection check attempts. Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure. Check Fail Tolerance: Enter the number of consecutive failures before the NXC stops routing through the gateway. Check Default Gateway: Select this to use the default gateway for the connectivity check. Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it. Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. DHCP Setting: These fields appear when you set the Interface Type to Internal or General. Table 60: Configuration > Network > Interface > Ethernet > Edit (continued) (LABEL / DESCRIPTION). DHCP: Select what type of DHCP service the NXC provides to the network. Choices are: None - the NXC does not provide any DHCP services. There is already a DHCP server on the network. DHCP Relay - the NXC routes DHCP requests to one or more DHCP servers you specify. T
142. the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example). Export Certificate: Click this button and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. OK: Click OK to save your changes back to the NXC. You can only change the name. Cancel: Click Cancel to quit and return to the Trusted Certificates screen. 26.3.2 Import Trusted Certificates: Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the NXC. Note: You must remove any spaces from the certificate's filename before you can import the certificate. Figure 164: Configuration > Object > Certificate > Trusted Certificates > Import [Screenshot text: Import Trusted Certificates. Please specify the location of the certificate file to be imported. The certificate file must be in one of the following formats]
143. the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size. Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. Fragmentation Threshold: A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size. Preamble Type: Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet. Sho
144. the time period specified in the Duration field expires. Split threshold: Specify a maximum size limit in megabytes for individual packet capture files. After a packet capture file reaches this size, the NXC starts another packet capture file. Duration: Set a time limit in seconds for the capture. The NXC stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified in the Captured Packet Files field. 0 means there is no time limit. File Suffix: Specify text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name. The file name format is "interface name-file suffix.cap", for example "vlan2-packet-capture.cap". Number Of Bytes To Capture (Per Packet): Specify the maximum number of bytes to capture per packet. The NXC automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets. Table 185: Maintenance > Diagnostics > Packet Capture (continued) (LABEL / DESCRIPTION). Capture: Click this button to have the NXC capture packets according to the settings con
145. these settings to assign interfaces to this VLAN as members. Configuration. Edit: Click this to edit the selected interface's membership values. This is a sequential indicator of the interface number. Port Name: This indicates the interface name. Member: This indicates whether the selected interface is a member or not of the VLAN which is currently being edited. Click this field to edit the value. Tx Tagging: This indicates whether the selected interface tags outbound traffic with this VLAN's ID. Click this field to edit the value. IP Address Assignment. Get: Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address, subnet mask, and gateway automatically. Use Fixed IP Address: Select this if you want to specify the IP address, subnet mask, and gateway manually. IP Address: This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. Subnet Mask: This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The NXC sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. NXC
146. this to allow SNMP managers using SNMPv2c to access the NXC.
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set community, which is the password for incoming Set requests from the management station. The default is private and allows all requests.
SNMPv3: Select this to allow SNMP managers using SNMPv3 to access the NXC.
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
This is the index number of an SNMPv3 user profile.
User: This is the name of the user for which this SNMPv3 user profile is configured.
Authentication: This field displays the type of authentication the SNMPv3 user must use to connect to the NXC using this SNMPv3 user profile.
Privacy: This field displays the type of encryption the SNMPv3 user must use to connect to the NXC using this SNMPv3 user profile.
Privilege: This field displays whether the SNMPv3 user can have read-only or read and write access to the NXC using this SNMPv3 user profile.
Service Control: This specifies from which computers you can access whic
147. to provide the Network Access Server identifier attribute with a specific value, enter it here.
Case-sensitive User Names: Select this if the server checks the case of the usernames.
User Login Settings
Group Membership Attribute: A RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the NXC is to check to determine to which group a user belongs. If it does not display, select User Defined and specify the attribute's number. This attribute's value is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named "memberOf" with values like "sales", "RD", and "management". Then you could also create an ext-group-user user object for each group: one with "sales" as the group identifier, another for "RD" and a third for "management".
OK: Click OK to save the changes.
Cancel: Click Cancel to discard the changes.

Authentication Method
25.1 Overview
Authentication method objects set how the NXC authenticates wireless, HTTP/HTTPS clients, and captive portal clients. Configure authentication method objects to have the NXC use the local user database and/or the authentication servers and authentication server groups specified by AAA server objects. By default user accounts cr
148. to view which other objects are linked to the selected radio profile.
This field is a sequential value, and it is not associated with a specific profile.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name: This field indicates the name assigned to the radio profile.
Frequency Band: This field indicates the frequency band which this radio profile is configured to use.
Channel ID: This field indicates the broadcast channel which this radio profile is configured to use.
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last saved settings.

18.2.1 Add/Edit Radio Profile
This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button.
Figure 124 Configuration > Object > AP Profile > Add/Edit Radio Profile
149. The following table describes the labels in this screen.
Table 75 Network > Zone > Add/Edit
Name: Type the name used to refer to the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Block Intra-zone Traffic: Select this check box to block network traffic between members in the zone.
Member List: Available lists the interfaces that do not belong to any zone. Select the interfaces that you want to add to the zone you are editing, and click the right arrow button to add them. Member lists the interfaces that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

NAT
11.1 Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the NXC available outside the private network. If the NXC has only one public IP address, you can make the computer
150. when the entry is active and dimmed when the entry is inactive.
Priority: This is the position of your firewall rule in the global rule list (including all through-NXC and to-NXC rules). The ordering of your rules is important as rules are applied in sequence. Default displays for the default firewall behavior that the NXC performs on traffic that does not match any other firewall rule.
From / To: This is the direction of travel of packets to which the firewall rule applies.
Schedule: This field tells you the schedule object that the rule uses. none means the rule is active at all times if enabled.
User: This is the user name or user group name to which this firewall rule applies.
IPv4 Source: This displays the source address object to which this firewall rule applies.
IPv4 Destination: This displays the destination address object to which this firewall rule applies.
Service: This displays the service object to which this firewall rule applies.
Table 93 Configuration > Firewall (continued)
Access: This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).
Log: This field shows you whether a log (and alert) is created when packets match this rule or not.
Apply: Click Apply to save your changes back to the
151. which matches the security settings in use by the NXC. For example, if the security mode on the AP is set to WPA/WPA2, then make sure the authentication server is running and able to complete the 802.1x authentication sequence. See Chapter 18 on page 208 and Chapter 7 on page 92 for more.
If the AP profile uses an SSID security profile that has the AP use an external server to authenticate wireless clients by MAC address, check the SSID security profile's MAC authentication settings (see Section 18.3.2.1 on page 220).
Enable the AP Wireless LAN logs (see Section 29.3.2 on page 331). Check the AP log Wireless LAN logs (Section 5.17 on page 84) for WTP logs. WTP stands for Wireless Terminal Point and is equivalent to an AP.
If you cannot solve the problem on your own, before contacting Customer Support use the built-in wireless frame capture tools (Chapter 31 on page 352) to capture data that can be used for more granular troubleshooting procedures. To use the built-in wireless frame capture tool, first set up a second AP nearby to act as a Monitor AP (Chapter 7 on page 92).

The AP status is registered as offline even though it is on.
Check the network connections between the NXC and the AP to ensure they are still intact.
The AP may be suffering from instability. Disconnect it to turn its power off, wait some time, then reconnect it and see if that resolves the issue.
The CAPWAP daemon may be down. You can use the NXC s
152. 0 200 100 you can create a gateway at 200.200.200.100 on ge2. In this case, the NXC creates the following entry in the routing table.
Table 66 Example: Routing Table Entry for a Gateway
IP ADDRESS(ES): 0.0.0.0/0
DESTINATION: 200.200.200.100
The gateway is an optional setting for each interface. If there is more than one gateway, the NXC uses the gateway with the lowest metric, or cost. If two or more gateways have the same metric, the NXC uses the one that was set up first (the first entry in the routing table). If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any.

Interface Parameters
The NXC restricts the amount of traffic into and out of the NXC through each interface.
Egress bandwidth sets the amount of traffic the NXC sends out through the interface to the network.
Ingress bandwidth sets the amount of traffic the NXC allows in through the interface from the network.
If you set the bandwidth restrictions very high, you effectively remove the restrictions.
The NXC also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the NXC divides it into smaller fragments. Each fragment is sent separately, and the original packet is re-assembled later. The smaller the MTU, the more f
153. 0 minutes periodically it may not up to date
The following table describes the labels in this screen.
Table 39 Monitor > Wireless > AP Info > Radio List > AP Mode Radio Information
MBSSID Detail: This list shows information about the SSID(s) that is associated with the radio over the preceding 24 hours.
This is the item's sequential number in the list. It has no bearing on the actual data in this list.
SSID Name: This displays an SSID associated with this radio. There can be up to eight maximum.
BSSID: This displays the MAC address associated with the SSID.
This displays the security mode in which the SSID is operating.
Forwarding Mode: This field indicates the forwarding mode (Local Bridge or Tunnel) associated with the SSID profile.
VLAN: This displays the VLAN ID associated with the SSID.
Traffic Statistics: This graph displays the overall traffic information about the radio over the preceding 24 hours.
y-axis: This axis represents the amount of data moved across this radio in megabytes per second.
x-axis: This axis represents the amount of time over which the data moved across this radio.
Station Count: This graph displays information about all the wireless clients that have connected to the radio over the preceding 24 hours.
y-axis: The y axis repres
154. This screen provides a different view and a different way of indicating which messages are included in each log and each alert. The Default category includes debugging messages generated by open source software.
The following table describes the fields in this screen.
Table 178 Configuration > Log & Report > Log Settings > Log Category Settings
System log: Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X): do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2. enable norm
155. 1 4 on page 357 save a process's core dump to an attached USB storage device if the process terminates abnormally (crashes) so you can send the file to customer support for troubleshooting.
The System Log screens (Section 31.5 on page 359) download files of system logs from a connected USB storage device to your computer.
The Wireless Frame Capture screens (Section 31.6 on page 360) capture network traffic going through the AP interfaces connected to your NXC.

31.2 Diagnostics
This screen provides an easy way for you to generate a file containing the NXC's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen.
Figure 212 Maintenance > Diagnostics
The following table describes the labels in this screen.
Table 183 Maintenance > Diagnostics
Filename: This is the name of the most recently created diagnostic file.
Last modified: This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss.
S
156. The following table describes the labels in this screen.
Table 74 Configuration > Network > Zone
Add: Click this to create a new, user-configured zone.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove a user-configured zone, select it and click Remove. The NXC confirms you want to remove it before doing so.
Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry.
This field is a sequential value, and it is not associated with any interface.
Name: This field displays the name of the zone.
Block Intra-zone: This field indicates whether or not the NXC blocks network traffic between members in the zone.
Member: This field displays the names of the interfaces that belong to each zone.

10.2.1 Add/Edit Zone
This screen allows you to add or edit a zone. To access this screen, go to the Zone screen and click the Add icon or an Edit icon.
Figure 77 Network > Zone > Add/Edit
157. 2 Turn off Popup Window Blocking in your web browser.
3 Turn on Java Runtime Environment (JRE) in your web browser.

28.7.6.4 Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the NXC. You must have imported at least one trusted CA to the NXC in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
Apply for a certificate from a Certification Authority (CA) that is trusted by the NXC (see the NXC's Trusted Certificates Web Configurator screen).
Figure 183 Trusted Certificates
The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

28.7.6.5 Installing the CA's Certificate
1 Double-click the CA's trusted certificate to produce a screen similar to the one shown next.
158. 2 1x or WPA is not enabled Error configuring WPA state System internal error o 802 1X or WPA enabled System internal error The NXC was not able to configure the wireless device to use WPA Remove the wireless device and reinstall it System internal error Error enabling WPA 802 1X The NXC was not able to enable WPA IEEE 802 1X Station has associated MAC Interface SS Ss A wireless client with the specified MAC address second s associated with the specified WLAN interface first s WPA or WPA2 enterprise EAP timeout Interface Ss MAC Ss There was an EAP timeout for a wireless client connected to the specified WLAN interface first s The MAC address of the wireless client is listed second s Station association has failed Maximum associations have reached the maximum number Interface MAC S s s A wireless client with the specified MAC address second 96s failed to connect to the specified WLAN interface first 96s because the WLAN interface already has its maximum number of wireless clients WPA authentication has failed Interface MAC 7 s s A wireless client used an incorrect WPA key and thus failed to connect to the specified WLAN interface first 96s The MAC address of the wireless client is listed second 96s Incorrect password for WPA or WPA2 enterprise internal authentication Inter
159. 2 Secure Shell Remote Login Program
STRM WORKS, UDP, 1558: Stream Works Protocol.
SYSLOG, UDP, 514: Syslog allows you to send system logs to a UNIX server.
TACACS, UDP, 49: Login Host Protocol used for (Terminal Access Controller Access Control System).
TELNET, TCP, 23: Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
TFTP, UDP, 69: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE, TCP, 7000: Another videoconferencing solution.

Importing Certificates
This appendix shows you how to import public key certificates into your web browser.
Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.
Many ZyXEL
160. 28 System
28.7.2 System Timeout
There is a lease timeout for administrators. The NXC automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
Each user is also forced to log in the NXC for authentication again when the reauthentication time expires.
You can change the timeout settings in the User/Group screens.

28.7.3 HTTPS
You can set the NXC to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come.
HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).
It relies upon certificates, public keys, and private keys (see Chapter 26 on page 266 for more information).
HTTPS on the NXC is used so that you can securely access the NXC using the Web Configurator. The SSL protocol specifies that the HTTPS server (the NXC) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the NXC), wher
161. 3.4 Layer 2 Isolation List
This screen allows you to create and manage layer-2 isolation profiles that can be used by your SSIDs. To access this screen, click Configuration > Object > AP Profile > SSID > Layer-2 Isolation List.
If a device's MAC address is NOT listed in a layer-2 isolation profile, it is blocked from communicating with other devices in an SSID on which layer-2 isolation is enabled.
Note: You can have a maximum of 32 layer-2 isolation profiles on the NXC.
Figure 131 Configuration > Object > AP Profile > SSID > Layer-2 Isolation List
The following table describes the labels in this screen.
Table 118 Configuration > Object > AP Profile > SSID > Layer-2 Isolation List
Add: Click this to add a new layer-2 isolation profile.
Edit: Click this to edit the selected layer-2 isolation profile.
Remove: Click this to remove the selected layer-2 isolation profile.
Object Reference: Click this to view which other objects are linked to the selected layer-2 isolation profile (for example, SSID profile).
This field is a sequential value, and it is not associated with a specific profile.
Profile Name: This field indicates the name assigned to the layer-2 isolation profile.
162. Subnet mask: The interface provides the same subnet mask you specify for the interface.
Gateway: The interface provides the same gateway you specify for the interface.
DNS servers: The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients. You can specify each IP address manually (for example, a company's own DNS server), or you can refer to DNS servers that other interfaces received from DHCP servers (for example, a DNS server at an ISP). These other interfaces have to be DHCP clients.
It is not possible for an interface to be the DHCP server and a DHCP client simultaneously.

WINS
WINS (Windows Internet Naming Service) is a Windows implementation of NetBIOS Name Server (NBNS) on Windows. It keeps track of NetBIOS computer names. It stores a mapping table of your network's computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast traffic since computers can query the server instead of broadcasting a request for a computer name's IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.

Policy and Static Routes
9.1 Overview
Use policy routes and static routes to override the NXC's default routing be
164. The following table describes the labels in this screen.
Table 167 Configuration > System > SNMP
Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the NXC using this service.
Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Trap
Table 167 Configuration > System > SNMP (continued)
Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Destination: Type the IP address of the SNMP manager to which your SNMP traps are sent.
Trap CAPWAP Event: Select this option to have the NXC send a trap to the SNMP manager when a managed AP is connected to or disconnected from the NXC.
SNMPv2c: Select
165. 9 13 in this configuration. Four channel deployment expands your pool of possible channels while keeping the channel interference to a minimum.
5 GHz Settings
Enable 5 GHz DFS Aware: Select this if your APs are operating in an area known to have RADAR devices. This allows the device to downgrade its frequency to below 5 GHz in the event a RADAR signal is detected, thus preventing it from interfering with that signal. Enabling this forces the AP to select a non-DFS channel.
5 GHz Channel Selection Method: Select auto to have the AP search for available channels automatically in the 5 GHz band. Select manual and specify the channels the AP uses in the 5 GHz band.
Available channels: This text box lists the channels that are available in the 5 GHz band. Select the channels that you want the AP to use, and click the right arrow button to add them.
Channels selected: This text box lists the channels that you allow the AP to use. Select any channels that you want to prevent the AP from using, and click the left arrow button to remove them.
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last saved settings.

7.7 Auto Healing
Use this screen to enable auto healing, which allows you to extend the wireless service coverage area of the managed APs when one of the APs fails. Click Configuration > Wireles
167. 9 for more information.
Remove: Select an entry and click this to delete it from this table.
Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 8.2.2 on page 119 for an example.
This field is a sequential value, and it is not associated with any entry.
Name: This field displays the name of the DHCPv6 request object.
Type: This field displays the type of the object.
Value: This field displays the IPv6 address that the NXC obtained from an uplink router.
Table 65 Configuration > Network > Interface > VLAN > Add/Edit (continued)
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the NXC can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the NXC can receive from the network through the interface. Allowed values are 0 - 1048576.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the NXC divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
DHCP Setting
DHCP: Select what type of DHCP service the NXC provides to the network. Choices
168. 96s Destination WTP s description Disassociation s MAC 1 02x 5 02x 2 02x 5 02x 02x 02x AP s STA List Full STA The number of wireless clients connected to the AP has reached the List of AP s is maximium limit Pons 1st 90s Managed AP s description STA Indicates the reason why a wireless client is disassociated from an AP 1st s Disassociation reason 2nd 02x 7th 02x Wireless client s MAC Address 8th 96s Managed AP Description AP Radio MAC 02x 2 02x 2 02x 202 x 02x 02x Reject Station MAC 02x 2 02x 2 02x 02x 02x 5 02x RSSI d dBm An AP rejected a wireless client s association request 1st 02x 6th 02x AP s MAC Address 7th 02x 12th 02x Wireless client s MAC Address 13th 96d RSSI value NXC Series User s Guide 407 Common Services The following table lists some commonly used services and their associated protocols and port numbers For a comprehensive list of port numbers ICMP type code numbers and services visit the IANA Internet Assigned Number Authority web site Name This is a short descriptive name for the service You can use this one or create a different one if you like Protocol This is the type of IP protocol used by the service If this is TCP UDP then the service uses the same port number with TCP and UDP If this is USER DEFINED the Port s is the IP protocol number not the port number Port s This value depends on the
169. AC address user account MAC role User aware features control MAC address user access to specific resources. You do not need to set the lease time and reauthentication time for this type of user account.
Lease Time: This is the default lease time in minutes for each type of user account. It defines the number of minutes the user has to renew the current session before the user is logged out. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time: This is the default reauthentication time in minutes for each type of user account. It defines the number of minutes the user can be logged into the NXC in one session before having to log in again. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
Miscellaneous Settings
Allow renewing lease time automatically: Select this check box if access users can renew lease time automatically, as well as manually, simply by selecting the Updating lease time automatically check box on their screen.
Enable user idle detection: This is applicable for access users. Select this check box if you want the NXC to mo
170. Address Auto-configuration (SLAAC): Select this to enable IPv6 stateless auto-configuration on this interface. The interface will generate an IPv6 address itself from a prefix obtained from an IPv6 router in the network. Link-Local Address: This displays the IPv6 link-local address and the network prefix that the NXC generates itself for the interface. IPv6 Address/Prefix Length: Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address. This field is optional. The prefix length indicates which left-most part of the IP address is the same for all computers in the network, that is, the network address. Gateway: Enter the IPv6 address of the default outgoing gateway using colon (:) hexadecimal notation. Metric: Enter the priority of the gateway (if any) on this interface. The NXC decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the NXC uses the one that was configured first. DHCPv6 Setting. DHCPv6: Select N/A to not use DHCPv6. Select Client to set this interface to act as a DHCPv6 client. DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See Appendix E on page 436 for more information. DUID as MAC: Select this if you wan
171. Alternative Name [Figure: Trusted Certificates Edit screen, showing the details of the self-signed X.509 certificate MyCertificate and the Enable X.509v3 CRL Distribution Points and OCSP checking option] The following table describes the labels in this screen. Table 147 Configuration > Object > Certificate > Trusted Certificates > Edit. LABEL: DESCRIPTION. Name: This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and & _ characters. Certification Path: Click the Refresh button to have this read-only text box display the end ent
172. Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. 7.8 Technical Reference. The following section contains additional technical information about the features described in this chapter. 7.8.4 Dynamic Channel Selection. When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of interference. Dynamic channel selection frees the network administrator from this task by letting the AP do it automatically. The AP can scan the area around it looking for the channel with the least amount of interference. In the 2.4 GHz spectrum, each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart. Channel 1 is centered on 2.412 GHz while channel 13 is centered on 2.472 GHz. [Figure 60]
173. The following table describes the labels in this screen. Table 29 Monitor > System Status > Session Monitor. LABEL: DESCRIPTION. View: Select how you want the information to be displayed. Choices are: sessions by users (display all active sessions grouped by user); sessions by services (display all active sessions grouped by service or protocol); sessions by source IP (display all active sessions grouped by source IP address); sessions by destination IP (display all active sessions grouped by destination IP address); all sessions (filter the active sessions by the User, Service, Source Address, and Destination Address, and display each session individually, sorted by user). Refresh: Click this button to update the information on the screen. The screen also refreshes automatically when you open and close the screen. The User, Service, Source Address, and Destination Address fields display if you view all sessions. Select your desired filter criteria and click the Search button to filter the list of sessions. User: This field displays when View is set to all sessions. Type the user whose sessions you want to view. It is not possible to type part of the user name or use wildcards in this field; you must enter the whole user name. Service: This field displays when
174. Category There are three choices: disable all logs (red X), do not log any information from this category; enable normal logs (green check mark), create log messages and alerts from this category; enable normal logs and debug logs (yellow check mark), create log messages, alerts, and debugging information from this category. The NXC does not e-mail debugging information, however, even if this setting is selected. USB Storage: Select which event log categories to save to a connected USB storage device. There are three choices: disable all logs (red X), do not log any information from this category; enable normal logs (green check mark), save log messages and alerts from this category; enable normal logs and debug logs (yellow check mark), save log messages, alerts, and debugging information from this category. E-mail Server 1 E-mail: Select whether each category of events should be included in the log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 1. The NXC does not e-mail debugging information, even if it is recorded in the System log. E-mail Server 2 E-mail: Select whether each category of events should be included in log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The NXC does not e-mail debugging information, even if it is rec
175. Click this button to mark the selected AP as a friendly AP. For more on managing friendly APs, see the Configuration > Wireless > MON Mode screen (Chapter 7 on page 92). This is the station's index number in this list. Status: This indicates the detected device's status. Device: This indicates the detected device's network type (such as infrastructure or ad-hoc). Role: This indicates the detected device's role (such as friendly or rogue). MAC Address: This indicates the detected device's MAC address. SSID Name: This indicates the detected device's SSID. Channel ID: This indicates the detected device's channel ID. 802.11 Mode: This indicates the 802.11 mode (a/b/g/n) transmitted by the detected device. Security: This indicates the encryption method (if any) used by the detected device. Description: This displays the detected device's description. For more on managing friendly and rogue APs, see the Configuration > Wireless > MON Mode screen (Chapter 7 on page 92). Last Seen: This indicates the last time the device was detected by the NXC. Refresh: Click this to refresh the items displayed on this page. 5.16 View Log. Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, user). You can also look at the debugging log by selecting
176. Debug Log. All debugging messages have the same priority. To access this screen, click Monitor > Log. The log is displayed in the following screen. Note: When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. For individual log descriptions, see Appendix A on page 381. For the maximum number of log messages in the NXC, see the datasheet. Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. [Figure 40 Monitor > View Log]
177. "Device registration has failed %s": Device registration failed; an error message returned by the MyZyXEL.com server will be appended to this log. %s: error message returned by the myZyXEL.com server. "Device registration has succeeded": The device registered successfully with the myZyXEL.com server. "Registration has failed Because of lack must fields": The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. "%s Trial service activation has failed %s": Trial service activation failed for the specified service; an error message returned by the MyZyXEL.com server will be appended to this log. 1st %s: service name. 2nd %s: error message returned by the myZyXEL.com server. "%s Trial service activation has succeeded": Trial service was activated successfully for the specified service. %s: service name. "Trial service activation has failed Because of lack must fields": The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. Table 196 Registration Logs (continued). LOG MESSAGE: DESCRIPTION. "Standard service activation has failed %s": Standard service activation failed; this log will append an error message returned by the MyZyXEL.com server. %s: error message returned by the myZyXEL.com server.
178. Table of Contents (continued). Appendix A Log Descriptions 381. Appendix B 408. Appendix C Importing Certificates 411. Appendix D Wireless LANs 424. Appendix E 436. Appendix F Customer Support 445. Appendix G Legal Information
182. Enter the password again for confirmation. E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. Country: Select your country from the drop-down box list. Seller Details: Use this section to enter your seller information. Seller's Name: Enter your seller's name. Seller's E-mail: Enter your seller's e-mail address. Seller's Contact Number: Enter your seller's phone number. VAT Number: Enter your seller's Value-Added Tax number, if you bought your NXC from Europe. I accept the terms in the Privacy Policy: If you accept the privacy policy statement shown above this field, select this check box. Apply: Click Apply to save your changes back to the NXC. Note: If the NXC is registered already, this screen is read-only. Use the Service screen to update your service subscription status. [Figure 43 Configuration > Licensing > Registration: Registered Device] 6.2.2 NXC5500. Click the link in this screen to register your NXC with myZyXEL.com. The NXC should already have Internet access before you can register it. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. [Figure 44 Configuration > Licensing > Registration] Note: If you want to reg
183. The following table describes the labels in this screen. Table 186 Maintenance > Diagnostics > Packet Capture > Files. LABEL: DESCRIPTION. Remove: Select files and click Remove to delete them from the NXC. Use the Shift and/or Ctrl key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download: Click a file to select it and click Download to save it to your computer. This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. File Name: This column displays the label that identifies the file. The file name format is interface name-file suffix.cap. Size: This column displays the size (in bytes) of a configuration file. Last Modified: This column displays the date and time that the individual files were saved. 31.3.2 Example of Viewing a Packet Capture File. Here is an example of a packet capture file viewed in the Wireshark packet analyzer. Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The NXC truncated the frame becaus
184. GET packets. Most-used protocols or service ports and the amount of traffic on each one. LAN IP with heaviest traffic and how much traffic has been sent to and from each one. You use the Traffic Statistics screen to tell the NXC when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen. [Figure 27 Monitor > System Status > Traffic Statistics] There is a limit on the number of records shown in the report. See Table 28 on page 64 for more information. The following table describes the labels in this screen. Table 27 Monitor > System Status > Traffic Statistics. LABEL: DESCRIPTION. Data Collection. Collect Statistics: Select this to have the NXC collect data for the report. If the NXC has already been collectin
185. I Perform basic diagnostics (CLI); WWW, TELNET, SSH, Console. Access Users. Table 97 Types of User Accounts (continued). TYPE: ABILITIES; LOGIN METHOD(S). user: Access network services, browse user-mode commands (CLI); Captive Portal, TELNET, SSH. guest: Access network services; Captive Portal. ext-user: External user account; Captive Portal. ext-group-user: External group user account; Captive Portal. guest-manager: Create dynamic guest accounts; WWW. dynamic-guest: Access network services; Captive Portal. mac-address: As permitted by the user-aware feature configuration; MAC Authentication. Note: The default admin account is always authenticated locally, regardless of the authentication method setting. Ext-User Accounts. Set up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the NXC. If you do not want to set up policies for this user, you do not have to set up an ext-user account. All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS. If the NXC tries to use the local database to authenticate an ext-user, the authentication attempt always fails. Note: If the NXC tries to authenticate an ext-user using the local database, the attempt always fails. Once an ext-user user has been authenticated, the NXC tries to get the
186. Information > Radio List Icons. LABEL: DESCRIPTION. [icon]: When an AP is being load balanced, this icon means it is operating over the maximum allocated bandwidth. [icon]: When an AP is being load balanced, this icon means it is operating under the maximum allocated bandwidth. 5.12.1 AP Mode Radio Information. This screen allows you to view detailed information about a selected radio's SSID(s), wireless traffic and wireless clients for the preceding 24 hours. To access this window, select an entry and click the More Information button in the Radio List screen. [Figure 36 Monitor > Wireless > AP Information > Radio List > AP Mode Radio Information]
187. L is not currently valid, but in the future. 22: CRL contains duplicate serial numbers. 23: Time interval is not continuous. 24: Time information not available. 25: Database method failed due to timeout. 26: Database method failed. 27: Path was not verified. 28: Maximum path length reached. Table 204 Interface Logs. LOG MESSAGE: DESCRIPTION. "Interface %s has been deleted": An administrator deleted an interface. %s is the interface name. "Interface %s has been changed": An administrator changed an interface's configuration. %s: interface name. "Interface %s has been added": An administrator added a new interface. %s: interface name. "Interface %s is enabled": An administrator enabled an interface. %s: interface name. "Interface %s is disabled": An administrator disabled an interface. %s: interface name. "Interface %s links down Default route will not apply until interface %s links up": An administrator set a static gateway in interface but this interface is link down. At this time the configuration will be saved but route will not take effect until the link becomes up. 1st %s: interface name. 2nd %s: interface name. "name %s Status %s TxPkts %u RxPkts %u Colli %u TxB/s %u RxB/s %u UpTime %s": Port statistics log. This log will be sent to the VRPT server. 1st %s: physical port name. 2nd %s: physical port status. 1
188. LABEL: DESCRIPTION. Create account: Enter the number (up to 32) of dynamic guest accounts you want to create. Guest Name: This field is available only when you want to create one account. Enter the name for the guest account. Phone: This field is available only when you want to create one account. Enter the telephone number for the guest account. E-mail: This field is available only when you want to create one account. Enter the e-mail address for the guest account. Company: Enter the company name (up to 64 characters) for the guest account(s). Address: Enter the geographic address (up to 64 characters) for the guest account(s). Other: Enter the additional information (up to 60 characters) for the guest account(s). Account Expiration Date: Select the date when the account(s) becomes invalid. Account Expiration Time: Select the time when the account(s) becomes invalid. Dynamic Guest User Group: Select the dynamic guest group with which the dynamic guest account(s) is associated. Apply: Click this icon to create the account(s). Logout: Click this icon to exit and go back to the Web Configurator login screen. 17.4.4.1 Guest Account List. After you click Apply to create dynamic guest accounts, the following guest account list screen appears. [Figure 119 Guest Account List] The following table describes the labels in this scree
189. LOR RJ45 PIN
CTS, 8, White Orange, 1
DSR/DCD, 6/1, Orange, 2
RD, 2, White Green, 3
GND, 5, Blue, 4
GND, 5, White Blue, 5
Table 6 RJ-45 to DB-9 Console Cable Color Codes (columns: DB-9 SIGNAL, DB-9 PIN#, WIRE COLOR, RJ45 PIN)
TD, 3, Green, 6
DTR, 4, White Brown, 7
RTS, 7, Brown, 8
USB 2.0 Ports: Connect a USB storage device to a USB port on the NXC to archive the NXC system logs or save the NXC operating system core dump to it.
2.2.3 Front Panel LEDs. This section describes the front panel LEDs.
2.2.3.1 NXC2500. The following table describes the LEDs.
Table 7 Front Panel LEDs (NXC2500) (columns: LED, COLOR, STATUS, DESCRIPTION)
PWR, (none), Off: The NXC is turned off.
PWR, Green, On: The NXC is turned on.
PWR, Red, On: There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 1.6 on page 21). If the LED turns red again, then please contact your vendor.
SYS, Green, Off: The NXC is not ready or has failed.
SYS, Green, On: The NXC is ready and running.
SYS, Green, Blinking: The NXC is booting.
SYS, Red, On: The NXC had an error or has failed.
P1-P6, Green, On: This port has a successful link to a 10/100 Mbps Ethernet network.
P1-P6, Green, Blinking: The NXC is sending or receiving packets to/from a 10/100 Mbps Ethernet network on this port.
P1-P6, Orange, On: This port has a successful link to a 1000 Mbps Ethernet network.
P1-P6, Orange, Blinking: The N
190. Log Descriptions. Table 201 Connectivity Check Logs. LOG MESSAGE: DESCRIPTION. "Can't open link up2": Cannot recover routing status which is link down. "Can not open %s pid": Cannot open connectivity check process ID file. %s: interface name. "Can not open %s arg": Cannot open configuration file for connectivity check process. %s: interface name. "The connectivity check is activate for %s interface": The link status of interface is still activate after check of connectivity check process. %s: interface name. "The connectivity check is fail for %s interface": The link status of interface is fail after check of connectivity check process. %s: interface name. "Can't get gateway IP of %s interface": The connectivity check process can't get the gateway IP address for the specified interface. %s: interface name. "Can't alloc memory": The connectivity check process can't get memory from OS. "Can't load %s module": The connectivity check process can't load module for check link status. %s: the connectivity module, currently only ICMP available. "Can't handle isalive function of %s module": The connectivity check process can't execute isalive function from module for check link status. %s: the connectivity module, currently only ICMP available. "Create socket error": The connectivity check process can't get socket to send packet. "Can't get IP address of %s interface": The connectivit
191. NXC. Reset: Click Reset to return the screen to its last saved settings. 16.2.1 Add/Edit Firewall Screen. In the Firewall screen, click the Edit or Add icon to display this screen. [Figure 107 Configuration > Firewall > Add/Edit] The following table describes the labels in this screen. Table 94 Configuration > Firewall > Add/Edit. LABEL: DESCRIPTION. Create new Object: Use to configure any new settings objects that you need to use in this screen. Enable: Select this check box to activate the firewall rule. From / To: For through-NXC rules, select the direction of travel of packets to which the rule applies. any means all interfaces. EnterpriseWLAN means packets destined for the NXC itself. Description: Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed. Schedule: Select a schedule that defines when the rule applies. Otherwise, select none and the rule is always effective. Table 94 Configuration > Firewall > Add/Edit (continued). User: This field is not availabl
192. NXC even though you can still configure it. Ethernet interfaces are similar to other types of interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict the amount of bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. Use Ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. [Figure 63 Configuration > Network > Interface > Ethernet] Each fi
193. Note: Leave 10 cm of clearance at the sides and 20 cm in the rear. Use a #2 Phillips screwdriver to install the screws. Note: Failure to use the proper screws may damage the unit.
2.1.1 Rack-Mounted Installation Procedure. This section uses the NXC5500 drawings as an example.
1 Align one bracket with the holes on one side of the NXC and secure it with the included bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
3 After attaching both mounting brackets, position the NXC in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the NXC to the rack with the rack-mounting screws.
2.2 Front Panel. This section gives you an overview of the front panel.
2.2.1 NXC2500. There are LEDs, one reset button, two USB ports and six Ethernet ports on the NXC2500 front panel. [Figure 4 Front Panel (NXC2500)]
2.2.2 NXC5500. There are one reset button, six Ethernet ports, one console port, two USB ports and LEDs on the NXC5500 front panel. [Figure 5 Front Panel (NXC5500)]
Ethernet Ports: The auto-negotiating, auto-crossover Ethernet ports support 10/100/1000 Mbps Gigabit Ethernet so the speed can
194. The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen.
To manually set the NXC date and time:
1 Click System > Date/Time.
2 Select Manual under Time and Date Setup.
3 Enter the NXC's time in the New Time field.
4 Enter the NXC's date in the New Date field.
5 Under Time Zone Setup, select your Time Zone from the list.
6 As an option, you can select the Enable Daylight Saving check box to adjust the NXC clock for daylight savings.
7 Click Apply.
To get the NXC date and time from a time server:
1 Click System > Date/Time.
2 Select Get from Time Server under Time and Date Setup.
3 Under Time Zone Setup, select your Time Zone from the list.
4 Under Time and Date Setup, enter a Time Server Address.
5 Click Apply.
28.5 Console Speed. This section shows you how to set the console port speed when you connect to the NXC via the console port using a terminal emulation program. See Table 4 on page 20 for default console port settings. Click Configuration > System > Console Speed to open this screen. [Figure 171 Configuration > System > Console Speed] The following ta
195. ON Un Management AP: This displays the number of non-managed APs.
    All Station: This section displays a summary of connected stations. Click the link to go to the Station Info > Station List screen.
    Station: This displays the number of stations currently connected to the network.
    All Sensed Device: This section displays a summary of all wireless devices detected by the network. Click the link to go to the Rogue AP > Detected Device screen.
    Un Classified AP: This displays the number of detected unclassified APs.
    Rogue AP: This displays the number of detected rogue APs.
    Friendly AP: This displays the number of detected friendly APs.
    ZyMesh AP Information: This shows a summary of managed APs that act as a root AP or a repeater to form a ZyMesh WDS.
    All ZyMesh AP: This section displays a summary for all ZyMesh APs. Click the link to go to the Monitor > Wireless > All ZyMesh AP > ZyMesh Link Info screen.
    Online ZyMesh AP: This displays the number of currently connected ZyMesh APs.
    Offline ZyMesh AP: This displays the number of currently offline ZyMesh APs.
    4.2.1 CPU Usage. Use this screen to look at a chart of the NXC's recent CPU usage. To access this screen, click Show CPU Usage in the dashboard. (Figure 19: Dashboard > CPU Usage)
196. Pv6 network prefix from the router for the interface, it generates another address which combines its interface ID and global and subnet information advertised from the router. This is a routable global IP address.
    DHCPv6. The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, RFC 3315) is a server-client protocol that allows a DHCP server to assign and pass IPv6 network addresses, prefixes and other configuration information to DHCP clients. DHCPv6 servers and clients exchange DHCP messages using UDP. Each DHCP client and server has a unique DHCP Unique IDentifier (DUID), which is used for identification when they are exchanging DHCPv6 messages. The DUID is generated from the MAC address, time, vendor assigned ID and/or the vendor's private enterprise number registered with the IANA. It should not change over time, even after you reboot the device.
    Identity Association. An Identity Association (IA) is a collection of addresses assigned to a DHCP client, through which the server and client can manage a set of related IP addresses. Each IA must be associated with exactly one interface. The DHCP client uses the IA assigned to an interface to obtain configuration from a DHCP server for that interface. Each IA consists of a unique IAID and associated IP information. The IA type is the type of address in the IA. Each IA holds one type of address. IA_NA means an identity association for non temp
197. RL you can use up to 511 of the following characters: a zA Z0 9 7 _
    CA Certificate: This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's certificate from the CA Certificate drop-down list box. You must have the certification authority's certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view and manage the NXC's list of certificates of trusted certification authorities.
    Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol. For the reference number, use 0 to 99999999. For the key, use up to 31 of the following characters: a zA Z0 9 amp 4M lt gt
    OK: Click OK to begin certificate or certification request generation.
    Cancel: Click Cancel to quit and return to the My Certificates screen.
    If you configured the My Certificate Create screen to have the NXC enroll a certificate and the certifi
198. S server for user accounting.
    Accounting-Request: Sent by the access point requesting accounting.
    Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.
    In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
    Types of EAP Authentication. This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users, and a CA issues certificates and guarantees the identity of each certificat
199. S name server.
    28.6.4 PTR Record. A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name.
    28.6.5 Adding an Address/PTR Record. Click the Add icon in the Address/PTR Record table to add an address/PTR record. (Figure 173: Configuration > System > DNS > Add Address/PTR Record)
    Note: Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
    The following table describes the labels in this screen. Table 157: Configuration > System > DNS > Add Address/PTR Record
    FQDN: Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the third-level domain, "com" is the second-level domain, and "tw" is the top-level domain. Underscores are not allowed. Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
    IP Address: Enter the IP address of the host in dotted decimal notation.
    OK: Click OK to save your customized settings and exit this screen.
    Cancel: Click Cancel to exit this screen without saving
200. Interfaces Used With IP/MAC Binding. IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet and VLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface's configuration screen.
    13.2 IP/MAC Binding Summary. Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary screen. This screen lists the total number of IP to MAC address bindings for devices connected to each supported interface. (Figure 86: Configuration > Network > IP/MAC Binding > Summary)
    The following table describes the labels in this screen. Table 79: Configuration > Network > IP/MAC Binding > Summary
    Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
    Activate: To turn on an entry, select it and click Activate.
    Inactivate: To turn off an entry, select it and click Inactivate.
    #: This field is a sequential value, and it is not associated with a specific entry.
    Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
    Interface: This is the name of an
201. A: Title Bar. B: Navigation Panel. C: Main Window.
    3.3.1 Title Bar. The title bar provides some useful links that always appear over the screens below, regardless of how deep into the Web Configurator you navigate. (Figure 9: Title Bar)
    The icons provide the following functions. Table 9: Title Bar: Web Configurator Icons
    Logout: Click this to log out of the Web Configurator.
    Help: Click this to open the help page for the current screen.
    About: Click this to display basic information about the NXC.
    Site Map: Click this to see an overview of links to the Web Configurator screens.
    Object Reference: Click this to open a screen where you can check which configuration items reference an object.
    Console: Click this to open the console in which you can use the command line interface (CLI). See the NXC CLI Reference Guide for details.
    CLI: Click this to open a popup window that displays the CLI commands sent by the Web Configurator.
    About. Click About to display basic information about the NXC. (Figure 10: About)
202. System. 28.1 Overview. Use the system screens to configure general NXC settings.
    28.1.1 What You Can Do in this Chapter
    The Host Name screen (Section 28.2 on page 286) configures a unique name for the NXC in your network.
    The USB Storage screen (Section 28.3 on page 286) configures the settings for the connected USB devices.
    The Date/Time screen (Section 28.4 on page 287) configures the date and time for the NXC.
    The Console Speed screen (Section 28.5 on page 291) configures the console port speed when you connect to the NXC via the console port using a terminal emulation program.
    The DNS screen (Section 28.6 on page 291) configures the DNS (Domain Name System) server used for mapping a domain name to its corresponding IP address and vice versa.
    The WWW screens (Section 28.7 on page 298) configure settings for HTTP or HTTPS access to the NXC and how the login and access user screens look.
    The SSH screen (Section 28.8 on page 309) configures SSH (Secure SHell) for securely accessing the NXC's command line interface. You can specify which zones allow SSH access and from which IP address the access can come.
    The Telnet screen (Section 28.9 on page 314) configures Telnet for accessing the NXC's command line interface. Specify which zones allow Telnet access and from which IP address the access can come.
    The FTP screen (Section 28.10 on page 315) specifies from which zones FTP can be used to access the NXC. You can also specify from whi
204. The NXC uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates. A certification path is the hierarchy of certification authority certificates that validate a certificate. The NXC does not trust a certificate if any certificate on its path has expired or been revoked. Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The NXC can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
    Advantages of Certificates. Certificates offer the following benefits. The NXC only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit p
206. XC is sending or receiving packets to/from a 1000 Mbps Ethernet network on this port. Off: There is no connection on this port.
    2.2.3.2 NXC5500. The following table describes the LEDs. Table 8: Front Panel LEDs, NXC5500 (LED, color, status, description)
    PWR (Green). Off: The NXC is turned off. On: The NXC is turned on.
    SYS (Green). Off: The NXC is not ready or has failed. On: The NXC is ready and running. Blinking: The NXC is booting.
    P1-P6 Link (Left) (Green). On: This port has a successful link to an Ethernet network. Blinking: The NXC is sending or receiving packets to/from an Ethernet network on this port. Off: There is no connection on this port.
    P1-P6 Speed (Right). Green, On: This Ethernet connection speed is 100 Mbps on this port. Orange, On: This Ethernet connection speed is 1000 Mbps on this port. Off: This Ethernet connection speed is 10 Mbps on this port.
    2.3 Rear Panel. The NXC2500 rear panel contains a console port, a power switch and a connector for the power receptacle. (Figure 6: Rear Panel, NXC2500) The NXC5500 rear panel contains a power switch, a connector for the power receptacle and a fan module. (Figure 7: Rear Panel, NXC5500)
    Console Port (NXC2500 Only). Connect this
207. XC's local user database.
    MAC Role: The MAC address user account to which the NXC maps the entry's MAC address or OUI.
    Description: This field displays the description for each mapping.
    17.5.1 Add/Edit MAC Address. Use the MAC Address Add/Edit screen to map a wireless client's MAC address or OUI to a MAC role (MAC address user account). (Figure 122: Configuration > Object > User/Group > MAC Address > Add)
    The following table describes the labels in this screen. Table 109: Configuration > Object > User/Group > MAC Address > Add/Edit
    MAC Address/OUI: Specify the wireless client's MAC address or OUI (Organizationally Unique Identifier). The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.
    MAC Role: Select one of the MAC address user accounts that you have configured to which to map this entry's MAC address or OUI.
    Save it into Local Database: Select this option to save the mapping settings into the NXC's local user database and to have the NXC authenticate the MAC address or OUI using the local user database.
    Description: Enter the description of the mapping, if any.
    OK: Click OK to save your changes back to the NXC.
    Cancel: Click Cancel to exit this screen wi
208. ZyXEL NXC Series Wireless LAN Controller. Version 4.10, Edition 1, 01/2014. User's Guide.
    Default Login Details. IP Address: https://192.168.1.1. User Name: admin. Password: 1234.
    Copyright 2014 ZyXEL Communications Corporation.
    IMPORTANT. READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.
    Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.
    Related Documentation
    Quick Start Guide: The Quick Start Guide is designed to show you how to make the NXC hardware connections and access the Web Configurator.
    CLI Reference Guide: The CLI Reference Guide explains how to use the Command-Line Interface (CLI) and CLI commands to configure the NXC. Note: It is recommended you use the Web Configurator to configure the NXC.
    Web Configurator Online Help: Click the help icon in any screen for help in configuring that screen and supplementary information.
209. a configuration mismatch between the AP and the NXC. This could be the result of a number of things, such as incorrect VLAN topology, incorrect AP profiles, incorrect security settings between the AP and the NXC, and so on. See Section 5.11 on page 71 for how to check if the AP's runtime management VLAN ID setting matches the NXC's management VLAN ID setting for the AP. See Section 5.11.1 on page 73 for how to check if the AP's configuration is in conflict with the NXC's settings for the AP.
    The wireless client's MAC address may be on the MAC filtering list. See Section 18.3.3 on page 223 for details on managing the NXC MAC Filter.
    The wireless client may not be able to get an IP. If the NXC is operating in bridge mode, check the settings on the DHCP server associated with the network. Check the wireless client's own network configuration settings to ensure that it is set up to receive its IP address automatically. If the NXC or a connected Internet access device are managing the network with static IPs, make sure that the server settings for issuing those IPs are properly configured. Check the wireless client's own network settings to ensure it is already set up with its static IP address.
    Authentication of the wireless client with the authentication server may have failed. Ensure the AP profile assigned to the AP uses a security profile that is properly configured and
210. able list.
    OK: Click OK to save your changes back to the NXC.
    Cancel: Click Cancel to exit this screen without saving your changes.
    Services. 22.1 Overview. Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
    22.1.1 What You Can Do in this Chapter. The Service screens (Section 22.2 on page 242) display and configure the NXC's list of services and their definitions. The Service Group screens (Section 22.2 on page 242) display and configure the NXC's list of service groups.
    22.1.2 What You Need to Know. The following terms and concepts may help as you read this chapter.
    IP Protocols. IP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols. Computers use Transmission Control Protocol (TCP, IP protocol 6) and User Datagram Protocol (UDP, IP protocol 17) to exchange data with each other. TCP guarantees reliable delivery but is slower and more complex. Some uses are FTP, HTTP, SMTP, and TELNET. UDP is simpler and faster but is less reliable. Some uses are DHCP, DNS, RIP, and SNMP. TCP creates connections between computers to exchange data. Once the connection is established, the computers exchange data. If data a
211. ace Amount: This field displays how much traffic was sent or received from the indicated service port. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes, Gbytes, or Tbytes, depending on the amount of traffic for the particular protocol or service port. The count starts over at zero if the number of bytes passes the byte count limit. See Table 28 on page 64.
    These fields are available when the report type is Web Site Hits.
    #: This field is the rank of each record. The domain names are sorted by the number of hits.
    Web Site: This field displays the domain names most often visited. The NXC counts each page viewed on a Web site as another hit. The maximum number of domain names in this report is indicated in Table 28 on page 64.
    Hits: This field displays how many hits the Web site received. The NXC counts hits by counting HTTP GET packets. Many Web sites have HTTP GET references to other Web sites, and the NXC counts these as hits too. The count starts over at zero if the number of hits passes the hit count limit. See Table 28 on page 64.
    The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit. Table 28: Maximum Values for Reports
    Maximum Number of Records: 20
    Byte Count Limit: 2^64 bytes; this is just less than 17 million terabytes.
    Hit C
212. ach server, if any. You can use up to 60 printable ASCII characters.
    Server Address: Enter the address of the AD or LDAP server.
    Backup Server Address: If the AD or LDAP server has a backup server, enter its address here.
    Port: Specify the port number on the AD or LDAP server to which the NXC sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group.
    Base DN: Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US.
    Use SSL: Select Use SSL to establish a secure connection to the AD or LDAP server(s).
    Search time limit: Specify the timeout period (between 1 and 300 seconds) before the NXC disconnects from the AD server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the AD or LDAP server or the AD or LDAP server is down.
    Case-sensitive User Names: Select this if the server checks the case of the usernames.
    Bind DN: Specify the bind DN for logging into the AD or LDAP server. Enter up to 127 alphanumerical characters. For example, cn=zyAdmin specifies zyAdmin as the user name.
    Password: If required, enter the password (up to 15 alphanumerical charact
213. activities like video conferencing.
    WMM_BEST_EFFORT: All wireless traffic to the SSID is tagged as "best effort", meaning the data travels the best route it can without displacing higher priority traffic. This is good for activities that do not require the best bandwidth throughput, such as surfing the Internet.
    WMM_BACKGROUND: All wireless traffic to the SSID is tagged as low priority or "background traffic", meaning all other access categories take precedence over this one. If traffic from an SSID does not have strict throughput requirements, then this access category is recommended. For example, an SSID that only has network printers connected to it.
    Rate Limiting
    Downlink: Define the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis.
    Uplink: Define the maximum outgoing transmission data rate (either in mbps or kbps) on a per-station basis.
    Band Select: To improve network performance and avoid interference in the 2.4 GHz frequency band, you can enable this feature to use the 5 GHz band first. You should set 2.4 GHz and 5 GHz radio profiles to use the same SSID and security settings. Select standard to have the AP try to connect the wireless clients to the same SSID using the 5 GHz band. Connections to an SSID using the 2.4 GHz band are still allowed. Select force to have the wireless clients always connect to an SSID using the 5 GHz band. Connections to an SSID using the 2.4 GHz b
214. (Screenshot: Windows Services list showing the "Dibbler - a DHCPv6 client" service)
    5. Click Start and then OK. (Screenshot: "Dibbler - a DHCPv6 client" Properties dialog)
    6. Now your computer can obtain an IPv6 address from a DHCPv6 server.
    Example: Enabling IPv6 on Windows 7. Windows 7 supports IPv6 by default. DHCPv6 is also enabled when you enable IPv6 on a Windows 7 computer. To enable IPv6 in Windows 7:
    1. Select Control Panel
215. al logs (green check mark): create log messages and alerts for all categories for the system log. If e-mail server 1 or 2 also has normal logs enabled, the NXC will e-mail logs to them.
    enable normal logs and debug logs (yellow check mark): create log messages, alerts, and debugging information for all categories. The NXC does not e-mail debugging information, even if this setting is selected.
    USB Storage: Use the USB Storage drop-down list to change the log settings for saving logs to a connected USB storage device.
    disable all logs (red X): do not log any information for any category to a connected USB storage device.
    enable normal logs (green check mark): create log messages and alerts for all categories and save them to a connected USB storage device.
    enable normal logs and debug logs (yellow check mark): create log messages, alerts, and debugging information for all categories and save them to a connected USB storage device.
    E-mail Server 1: Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.
    enable normal logs (green check mark): e-mail log messages for all categories to e-mail server 1.
    enable alert logs (red exclamation point): e-mail alerts for all categories to e-mail server 1.
    E-mail Server 2: Use the E-Mail Server 2 drop-down list t
216. Each field is described in the following table. Table 57: Configuration > Wireless > DCS
    General Settings
    Select Now: Click this to have the managed APs scan for and select an available channel immediately.
    Enable Dynamic Channel Selection: Select this to turn on dynamic channel selection for the APs that the NXC manages.
    DCS Time Interval: Enter a number of minutes. This regulates how often the NXC surveys the other APs within its broadcast radius. If the channel on which it is currently broadcasting suddenly comes into use by another AP, the NXC will then dynamically select the next available clean channel or a channel with lower interference.
    Enable DCS Client Aware: Select this to have the AP wait until all connected clients have disconnected before switching channels. If you disable this, then the AP switches channels immediately regardless of any client connections. In this instance, clients that are connected to the AP when it switches channels are dropped.
    2.4 GHz Settings
217. and are not allowed. It is recommended you select this option when the AP and wireless clients can function in either frequency band. Otherwise, select disable to turn off this feature.
    Forwarding Mode: Select a forwarding mode for traffic from this SSID.
    VLAN ID: If you selected the Local Bridge forwarding mode, enter the VLAN ID that will be used to tag all traffic originating from this SSID if the VLAN is different from the native VLAN.
    VLAN Interface: If you selected the Tunnel forwarding mode, select a VLAN interface.
    Hidden SSID: Select this if you want to "hide" your SSID from wireless clients. This tells any wireless clients in the vicinity of the AP using this SSID profile not to display its SSID name as a potential connection. Not all wireless clients respect this flag and display it anyway. When an SSID is "hidden" and a wireless client cannot see it, the only way you can connect to the SSID is by manually entering the SSID name in your wireless connection setup screen(s) (these vary by client, client connectivity software, and operating system).
    Enable Intra-BSS Traffic Blocking: Select this option to prevent crossover traffic from within the same SSID. Note: If you associate a layer-2 isolation profile with the SSID thi
219. ant to specify the IP address, subnet mask, and gateway manually. IP Address: This field is enabled if you set the Interface Type to internal or you select Use Fixed IP Address. Enter the IP address for this interface. [Chapter 8: Interfaces] Table 60 Configuration > Network > Interface > Ethernet > Edit (continued). LABEL / DESCRIPTION. Subnet Mask: This field is enabled if you set the Interface Type to internal or you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The NXC sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. Metric: This field is enabled if you set the Interface Type to external or general and select Get Automatically. Enter the priority of the gateway (if any) on this interface. The NXC decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the NXC uses the one that was configured first. IPv6 Address Assignment: These IP address fields configure an IPv6 address on the interface itself. Enable Stateless
220. antined AP cannot grant access to any network services. Any stations that attempt to connect to a quarantined AP are disconnected automatically. Dis-Containment: Click this button to take the selected AP out of quarantine. An unquarantined AP has normal access to the network. This field is a sequential value and it is not associated with any interface. Containment: This field indicates the selected AP's containment status. Role: This field indicates whether the selected AP is a rogue ap or a friendly ap. To change the AP's role, click the Edit button. MAC Address: This field indicates the AP's radio MAC address. Description: This field displays the AP's description. You can modify this by clicking the Edit button. Rogue/Friendly AP List Importing/Exporting: These controls allow you to export the current list of rogue and friendly APs or import existing lists. [Chapter 7: Wireless] Table 54 Configuration > Wireless > MON Mode (continued). LABEL / DESCRIPTION. File Path / Browse / Importing: Enter the file name and path of the list you want to import or click the Browse button to locate it. Once the File Path field has been populated, click Importing to bring the list into the NXC. Exporting: Click this button to export the current list of either rogue APs or friendly APs. Apply: Click Apply to save your changes back to the NXC. R
221. apability List INTERNAL AUTHENTICATION METHOD EE NAE AD LDAP RADIUS EAP TLS O O 5 EAP TTLS OA o o Mschapv2 Mschap EAP TTLS X X x 5 eap EAP TTLS O O 7 pap EAP PEAP OA O 5 5 Mschapv2 EAP PEAP X X x TLS EAP MD5 X X x 5 A: Must set domain authentication. AAA Servers Supported by the NXC. The following lists the types of authentication server the NXC supports. Local user database: The NXC uses the built-in local user database to authenticate administrative users logging into the NXC's Web Configurator or network access users logging into the network through the NXC. [Chapter 24: AAA Server] Directory Service (LDAP/AD): LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server. RADIUS: RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location. Note: Because the NXC has an internal authentication database, you can create local login account
222. aps the header-less payload in a single 802.11n MAC header. This method is useful for increasing bandwidth throughput. It is also more efficient than A-MPDU except in environments that are prone to high error rates. A-MSDU Limit: Enter the maximum frame size to be aggregated. RTS/CTS Threshold: Use RTS/CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops wireless clients from transmitting packets at the same time (and causing data collisions). A wireless client sends an RTS for all packets larger than the number (of bytes) that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off. Beacon Interval: When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low power mode before waking up to handle the beacon. A high value helps save current consumption of the access point. DTIM: Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can
223. as an AP and also supports the wireless connections with other APs (in repeater mode) to form a ZyMesh/WDS to extend its wireless network. Repeater AP means the radio can establish a wireless connection with other APs (in either root AP or repeater mode). Note: To prevent bridge loops, do NOT set both radios on a managed AP to Repeater AP mode. Note: Ensure you restart the managed AP after you change its operating mode. Radio 1/2 AP Profile: Select an AP profile from the list. If no profile exists, you can create a new one through the Create new Object menu. Radio 1/2 Profile: Select a monitor mode profile from the list. If no profile exists, you can create a new one through the Create new Object menu. Radio 1/2 ZyMesh Profile: This field is available only when the radio is in Root AP or Repeater AP mode. Select the ZyMesh profile the radio uses to connect to a root AP or repeater. Force Overwrite VLAN Config: Select this to have the NXC change the AP's management VLAN to match the configuration in this screen. Management VLAN ID: Enter a VLAN ID for this AP. As Native VLAN: Select this option to treat this VLAN ID as a VLAN created on the NXC and not one assigned to it from outside the network. Port Setting. This is the port's index number in this list. Status: This displays whether or not the port is activated. Port: This shows the name of the physical Ethernet port on the
224. as successful. [Appendix C: Importing Certificates] 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information. Installing a Stand-Alone Certificate File in Internet Explorer. Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the public key certificate file. 2 In the security warning dialog box, click Open. 3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 412 to complete the installation process. [Appendix C: Importing Certificates] Removing a Certificate in In
225. assigns DNS server information. You also need to select an interface through which the ISP provides the DNS server IP address(es). The interface should be activated and set to be a DHCP client. The fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/A displays for any DNS server IP address fields for which the ISP does not assign an IP address. Note: If all interfaces are static, then this field is hidden. Select Public DNS Server if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. The NXC must be able to connect to the DNS server. The DNS server could be on the Internet or one of the NXC's local networks. You cannot use 0.0.0.0. Use the Query via field to select the interface through which the NXC sends DNS queries to a DNS server. OK: Click OK to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving. [Chapter 28: System] 28.6.8 MX Record. An MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is sent for that domain. If you do not configure proper MX records for your domain or other domain, external e-mail from other mail servers will not be able to be delivered to your mail server and vice versa. Each host or domain can have only one MX record, that is, one domain is mapping
227. at you typed. This is the index number of the domain zone forwarder record. The ordering of your rules is important as rules are applied in sequence. A hyphen displays for the default domain zone forwarder record. The default record is not configurable. The NXC uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records. Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. A means all domain zones. Type: This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined). DNS Server: This is the IP address of a DNS server. This field displays N/A if you have the NXC get a DNS server IP address from the ISP dynamically but the specified interface is not active. Query Via: This is the interface through which the NXC sends DNS queries to the entry's DNS server. MX Record (for My FQDN): An MX (Mail eXchange) record identifies a mail server that handles the mail for a particular domain. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
228. The following table describes labels that can appear in this screen. Table 10 About. LABEL / DESCRIPTION. Boot Module: This shows the version number of the software that handles the booting process of the NXC. Current Version: This shows the firmware version of the NXC. [Chapter 3: The Web Configurator] Table 10 About (continued). LABEL / DESCRIPTION. Released Date: This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released. OK: Click this to close the screen. Site Map: Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen's link to go to that screen. [Figure 11 Site Map] Object Reference: Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. [Figure 12 Object Reference]
229. ate OK: A firmware update was successful. Problematic configuration after firmware update: The application of the configuration failed after a firmware upgrade. System default configuration: The NXC successfully applied the system default configuration. This occurs when the NXC starts for the first time or you intentionally reset the NXC to the system default settings. Fallback to lastgood configuration: The NXC was unable to apply the startup-config.conf configuration file and fell back to the lastgood.conf configuration file. Fallback to system default configuration: The NXC was unable to apply the lastgood.conf configuration file and fell back to the system default configuration file (system-default.conf). Booting in progress: The NXC is still applying the system configuration. Licensed Service Status. This shows how many licensed services there are. Status: This is the current status of the license. Name: This identifies the licensed service. Version: This is the version number of the service. Expiration: If the service license is valid, this shows when it will expire. n/a displays if the service license does not have a limited period of validity. O displays if the service is not licensed or has expired. Count: This field displays how many managed APs the NXC can support with your current license. This field does not apply to the other services. Extension Slot: This section of the screen displays t
230. ate without its private key. Click this button and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. Password: If you want to export the certificate with its private key, create a password and type it here. Make sure you keep this password in a safe place. You will need to use it if you import the certificate to another device. Export Certificate with Private Key: Use this button to save a copy of the certificate with its private key. Type the certificate's password and click this button. Click Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. OK: Click OK to save your changes back to the NXC. You can only change the name. Cancel: Click Cancel to quit and return to the My Certificates screen. 26.2.3 Import Certificates. Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the NXC. Note: You can import a certificate that matches a corresponding certification request that was generated by the NXC. You can also import a certificate in PKCS #12 format, including the certificate's public and private keys. The certificate you import replaces the corresponding request in the My Certificates screen.
231. ation servers you specify, the NXC does not continue the search on the second authentication server when you enter the username and password that doesn't match the one on the first authentication server. OK: Click OK to save the changes. Cancel: Click Cancel to discard the changes. Certificates. 26.1 Overview. The NXC can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication. 26.1.1 What You Can Do in this Chapter. The My Certificate screens (Section 26.2 on page 269) generate and export self-signed certificates or certification requests and import the NXC's CA-signed certificates. The Trusted Certificates screens (Section 26.3 on page 277) save CA certificates and trusted remote host certificates to the NXC. The NXC trusts any valid certificate that you have imported as a trusted certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate. 26.1.2 What You Need to Know. The following terms and concepts may help as you read this chapter. When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept s
232. ation to AP MAC 02x 02x 02x2 02x 02x 02x Name s Model s Receiving Send Updating Configuration Response from an AP in the Managed List 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Model Name 8th s Managed AP Description Send Retransmit Configuration Lo APs MAC 02x 02x 02x 02x 02x 02x Name s Retry Count d Model s Retransmit Configuration to an AP in the Managed List 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Description 8th s Managed AP Model Name 9th d Retry count AP SSID Stop MAC 02x 02x 502x 02x 02x 02x Radio d SSID s Stop A Managed AP s stops broadcasting the SSID due to DTLS Datagram Transport Layer Security is disabled 1st 02x 6th 02x Managed AP MAC Address 7th d Managed AP s Radio Number 8th s Managed AP Stop SSID Name NXC Series User s Guide Appendix A Log Descriptions Table 212 CAPWAP Server Logs LOG MESSAGE DESCRIPTION VLAN setting is conflict MAC 02x 02x 02x 02 S02x 502x Model s Mgnt VID AC 3d VID AP 3d s M s Mgnt The VLAN ID of the AC is not the same as the VLAN ID of the AP 1st 02x 6th 02x Managed AP MAC Address 7th 96s Managed AP Description 8th 96d VID 9th 96s tag or untag 10th 96d VID 11th 96s tag or untag AP doesn t support s feature MAC 02x 02x 02x 02x 5 02x 0 2x AP s An AP doesn t suppor
233. authentication 433 vs WPA PSK 433 wireless client supplicant 433 with RADIUS application example 434 WPA2 209 432 user authentication 433 vs WPA2 PSK 433 wireless client supplicant 433 with RADIUS application example 434 WPA2 Pre Shared Key WPA2 PSK 432 WPA2 PSK 432 433 application example 434 WPA PSK 432 433 application example 434 WWW 300 and address groups 303 and address objects 303 and authentication method objects 302 and certificates 301 and zones 303 see also HTTP HTTPS 300 Z zones 16 144 and firewall 181 184 and FTP 316 and interfaces 16 144 and SNMP 320 and SSH 312 and Telnet 314 and VPN 16 and WWW 303 block intra zone traffic 146 183 default 17 extra zone traffic 144 inter zone traffic 144 intra zone traffic 144 types of traffic 144 ZyMesh 232 auto provision 232 profile 234 repeater 232 root AP 232 security 235 SSID 235 WDS 232 NXC Series User s Guide 463
234. The following table describes the labels in this screen. Table 192 Maintenance > Packet Flow Explore > Routing Status. LABEL / DESCRIPTION. Routing Flow: This section shows you the flow of how the NXC determines where to route a packet. Click a function box to display the related settings in the Routing Table section. Routing Table: This section shows the corresponding settings according to the function box you click in the Routing Flow section. The following fields are available if you click Direct Route or Main Route in the Routing Flow section. This field is a sequential value and it is not associated with any entry. Destination: This is the destination IP address of a route. Gateway: This is the IP address of the next-hop gateway or the interface through which the traffic is routed. Interface: This is the name of an interface associated with the route. Metric: This is the route's priority among the displayed routes. Flags: This indicates additional information for the route. The possible flags are: A - this route is currently activated; S - this is a static route; C - this is a direct connected route; O - this is a dynamic route learned through OSPF
235. ber given by the certification authority. Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field. [Chapter 26: Certificates] Table 147 Configuration > Object > Certificate > Trusted Certificates > Edit (continued). LABEL / DESCRIPTION. Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable. Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired. Key Algorithm
236. ble describes the labels in this screen. Table 155 Configuration > System > Console Speed. LABEL / DESCRIPTION. Console Port Speed: Use the drop-down list box to change the speed of the console port. Your NXC supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port. The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the NXC Web Configurator Status screen. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings. 28.6 DNS Overview. DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. [Chapter 28: System] 28.6.1 DNS Server Address Assignment. The NXC can get the DNS server addresses in the following ways. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields. If your ISP dynamically assigns the DNS server IP addresses (along with the NXC's WAN IP address), set the DNS server fields to get the DNS server address from the ISP. You can manually enter the IP addresses of other DNS servers. 28.6.2 Co
237. blic and private keys. 2 You must remove any spaces from the certificate's filename before you can import the certificate. 3 Any certificate that you want to import has to be in one of these file formats: Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form. Binary PKCS #7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The NXC currently allows the importation of a PKCS #7 file that contains a single certificate. PEM (Base-64) encoded PKCS #7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS #7 certificate into a printable form. Binary PKCS #12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the NXC. [Chapter 35: Troubleshooting] Note: Be careful not t
238. built-in diagnostic tools and CLI console to get CAPWAP debug messages, which can later be sent to customer service for analysis. See Chapter 3 on page 28 for more information. A wireless client cannot be authenticated through the Captive Portal. If the Captive Portal redirects a wireless client to a failed login page or an internal server error page, then the authentication server may not be reachable. Make sure that the NXC can reach it if it is external to the LAN by opening the Console Window and pinging the server's IP address. If Captive Portal is using the external web portal: Make sure the Captive Portal configuration pointing to it is correct. You must configure the Login URL field. Check that the external Web server is configured properly. [Chapter 35: Troubleshooting] It is recommended to have the external web server on the same subnet as the login users. The NXC sends wireless clients the default logout page instead of a login page. Make sure you have configured the Captive Portal external web portal's Login URL field correctly. Wireless clients are not being load balanced among my APs. Make sure that all the APs used by the wireless clients in question share the same SSID, security, and radio settings. Make sure that all the APs are in the same broadcast domain. Make sure that the wireless clients are in range of the other APs; if they are only in range
239. [Chapter 28: System] 28.7.6.2 Avoiding Browser Warning Messages. Here are the main reasons your browser displays warnings about the NXC's HTTPS server certificate and what you can do to avoid seeing the warnings. The issuing certificate authority of the NXC's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the NXC's factory default certificate is the NXC itself, since the certificate is a self-signed certificate. For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate. To have the browser trust the certificates issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate. Refer to Appendix C on page 411 for details. 28.7.6.3 Login Screen. After you accept the certificate, the NXC login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. Note: 1 Turn on Javascript and Cookie setting in your web browser
240. cal route topology on the network (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the NXC. [Chapter 16: Firewall] 16.2 Firewall. The following describes the firewall screen functions. Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, and display the configured firewall rules. Specify from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction. Note the following. If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone. Besides configuring the firewall, you also need to configure NAT rules to allow computers on the WAN to access LAN devices. The NXC applies NAT (Destination NAT) settings before applying the firewall rules. So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination. The ordering of your rules is very important as rules are applied in sequence. [Figure 106 Configuration > Firewall]
241. can have. Default Session per Host: This field is configurable only when you enable session limit. Use this field to set a common limit to the number of concurrent NAT/firewall sessions each client computer can have. If only a few clients use peer-to-peer applications, you can raise this number to improve their performance. With heavy peer-to-peer application use, lower this number to ensure no single client uses too many of the available NAT sessions. Create rules below to apply other limits for specific users or addresses. [Chapter 16: Firewall] Table 95 Configuration > Firewall > Session Control (continued). LABEL / DESCRIPTION. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Move: To change a rule's position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed. The ordering of yo
242. captive portal. N/A displays for logins that do not use the captive portal and RADIUS server authentication. Refresh: Click this button to update the information in the screen. [Chapter 5: Monitor] 5.9 Dynamic Guest. A dynamic guest account has a dynamically created user name and password that allows a guest user to access the Internet or the NXC's services in a specified period of time. Multiple dynamic guest accounts can be automatically generated at one time for guest users by using the web configurator and the guest manager account. Guest users can log in with the dynamic accounts when connecting to an SSID for a specified time unit. Use this screen to look at a list of dynamic guest user accounts on the NXC's local database. To access this screen, click Monitor > System Status > Dynamic Guest. [Figure 31 Monitor > System Status > Dynamic Guest] The following table describes the labels in this screen. Table 32 Monitor > System Status > Dynamic Guest. LABEL / DESCRIPTION. Remove: Select an entry and click this button to remove it from the list. Note: If you delete a valid user acc
243. cast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows. Table 224 Link-local Unicast Address Format: 1111 1110 10 (10 bits) | 0 (54 bits) | Interface ID (64 bits). Global Address: A global address uniquely identifies a device on the Internet. It is similar to a public IP address in IPv4. A global unicast address starts with a 2 or 3. Unspecified Address: An unspecified address (0:0:0:0:0:0:0:0 or ::) is used as the source address when a device does not have its own address. It is similar to 0.0.0.0 in IPv4. Loopback Address: A loopback address (0:0:0:0:0:0:0:1 or ::1) allows a host to send packets to itself. It is similar to 127.0.0.1 in IPv4. Multicast Address: In IPv6, multicast addresses provide the same functionality as IPv4 broadcast addresses. Broadcasting is not supported in IPv6. A multicast address allows a host to send packets to all hosts in a multicast group. Multicast scope allows you to determine the size of the multicast group. A multicast address has a predefined prefix of ff00::/8. The following table describes some of the predefined multicast addresses. Table 225 Predefined Multicast Address, multicast address and description: FF01:0:0:0:0:0:0:1, All hosts on a local node. FF01:0:0:0:0:0:0:2, All routers on a local node. FF02:0:0:0:0:0:0:1, All hosts on a local connected
244. cate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the NXC to enroll a certificate online. 26.2.2 Edit My Certificates. Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name. Figure 160 Configuration > Object > Certificate > My Certificates > Edit [screenshot: Edit My Certificates, with Configuration, Certification Path and Certificate Information sections]
245. ce should have a unique interface ID. The EUI-64 (Extended Unique Identifier) defined by the IEEE (Institute of Electrical and Electronics Engineers) is an interface ID format designed to adapt with IPv6. It is derived from the 48-bit (6-byte) Ethernet MAC address as shown next. EUI-64 inserts the hex digits fffe between the third and fourth bytes of the MAC address and complements the seventh bit of the first byte of the MAC address. See the following example. Table 227 MAC: 00 13 49 12 34 56. Table 228 EUI-64: 02 13 49 FF FE 12 34 56. Stateless Autoconfiguration: With stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated. Unlike DHCPv6 (Dynamic Host Configuration Protocol version six), which is used in IPv6 stateful autoconfiguration, the owner and status of addresses don't need to be maintained by a DHCP server. Every IPv6 device is able to generate its own and unique IP address automatically when IPv6 is initiated on its interface. It combines the prefix and the interface ID (generated from its own Ethernet MAC address, see Interface ID and EUI-64) to form a complete IPv6 address. When IPv6 is enabled on a device, its interface automatically generates a link-local address (beginning with fe80). When the interface is connected to a network with a router and the NXC is set to automatically obtain an I
246. ch IP addresses the access can come. You can upload and download the NXC's firmware and configuration files using FTP. Please also see Chapter 30 on page 341 for more information about firmware and configuration files. The SNMP screen (Section 28.11 on page 317) configures the device's SNMP settings, including from which zones SNMP can be used to access the NXC. You can also specify from which IP addresses the access can come. The Auth. Server screen (Section 28.12 on page 321) configures the device to operate as a RADIUS server. The Language screen (Section 28.13 on page 324) sets the user interface language for the NXC's Web Configurator screens. The IPv6 screen (Section 28.14 on page 324) enables or disables IPv6 support on the NXC. 28.2 Host Name. A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open this screen. Figure 167 Configuration > System > Host Name [screenshot: General Settings with optional System Name and Domain Name fields, and the note: In Windows AD authentication case, please make sure the system name is shorter than 15 characters. The long system name will make AD authentication fail.] The following table describes the labels in this screen. Table 151 Configuration > System > Host Name, label and description: System Name: Choose a descriptive name to identify your NXC devic
247. cipher based on the cipher in use by the wireless client that is attempting to make a connection. tkip: This is the Temporal Key Integrity Protocol encryption method added later to the WEP encryption protocol to further secure. Not all wireless clients may support this. aes: This is the Advanced Encryption Standard encryption method. It is a more recent development over TKIP and considerably more robust. Not all wireless clients may support this. Group Key Update Timer: Enter the interval (in seconds) at which the AP updates the group WPA encryption key. Pre-Authentication: This field is available only when you set Security Mode to wpa2 or wpa2-mix and enable 802.1x authentication. Enable or Disable pre-authentication to allow the AP to send authentication information to other APs on the network, allowing connected wireless clients to switch APs without having to re-authenticate their network connection. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes. 18.3.3 MAC Filter List. This screen allows you to create and manage MAC filtering profiles that can be used by your SSIDs. To access this screen, click Configuration > Object > AP Profile > SSID > MAC Filter List. Note: You can have a maximum of 32 MAC filtering profiles on the NXC. Figure 129 Configuration > Object
248. ck Remove. The NXC confirms you want to remove it before doing so. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific service. Name: This field displays the name of each service. Content: This field displays a description of each service. 22.2.1 Add/Edit Service Rule. The Add/Edit Service Rule screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen and click either the Add icon or an Edit icon. Figure 143 Configuration > Object > Service > Service > Add/Edit [screenshot: Add Service Rule, with Name, IP Protocol, Starting Port and Ending Port fields]. The following table describes the labels in this screen. Table 129 Configuration > Object > Service > Service > Add/Edit, label and description: Name: Type the name used to refer to the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. IP Protocol: Select the protocol the service uses. Choices are: TCP, UDP, ICMP, and User Defined. Starting Port: This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port
249. ck this icon to end a user's session. This field is a sequential value and is not associated with any entry. User ID: This field displays the user name of each user who is currently logged in to the NXC. Reauth Lease T: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 17 on page 190. Type: This field displays the way the user logged in to the NXC. IP address: This field displays the IP address of the computer used to log in to the NXC. MAC: For an IEEE 802.1x or MAC authentication login, this field displays the MAC address of the user's computer. N/A displays for other types of login. User Info: This field displays the types of user accounts the NXC uses. If the user type is ext-user (external user), this field will show its external group information when you move your mouse over it. If the external user matches two external group objects, both external group object names will be shown. Acct. Status: For a captive portal login, this field displays the accounting status of the account used to log into the NXC. Accounting on means accounting is being performed for the user login. Accounting off means accounting has stopped for this user login. N/A displays if accounting is not enabled for this login. RADIUS Profile Name: This field displays the name of the RADIUS profile used to authenticate the login through the
250. The following table describes the labels in this screen. Table 113 Configuration > Object > AP Profile > Add/Edit SSID Profile, label and description: Create new Object: Select an object type from the list to create a new one associated with this SSID profile. Profile Name: Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed. SSID: Enter the SSID name for this profile. This is the name visible on the network to wireless clients. Enter up to 32 characters; spaces and underscores are allowed. Security Profile: Select a security profile from this list to associate with this SSID. If none exist, you can use the Create new Object menu to create one. Note: It is highly recommended that you create security profiles for all of your SSIDs to enhance your network security. MAC Filtering Profile: Select a MAC filtering profile from the list to associate with this SSID. If none exist, you can use the Create new Object menu to create one. MAC filtering allows you to limit the wireless clients connecting to your network through a particular SSID by wireless client MAC addresses. Any clients that have MAC addresses not in the MAC filtering profile of allow
251. connect all cables from this device before servicing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect it to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the power adaptor or cord is damaged remove it from the device and the power source Do NOT attempt to repair the power adaptor or cord Contact your local vendor to order a new one Do not use the device outside and make sure all the connections are indoors There is a remote risk of electric shock from lightning The PoE Power over Ethernet devices that supply or receive power and their connected Ethernet cables must all be completely indoors This product is for indoor use only utilisation int rieure exclusivement Your product is marked with this symbol which is known as the WEEE mark WEEE stands for Waste Electronics and Electrical Equipment It means that used electrical and electronic products should not be mixed with general waste Used electrical and electronic equipment should be treated separately INFORMAZI ONI AGLI UTENTI Ai sensi dell art 13 del Decreto Legislativo 25 luglio 2005 n 151 Attuazione delle Direttive 2002 95 CE 2002 96 CE e 2003 108 CE re
252. continued, label and description: Create a certification request and enroll for a certificate immediately online: Select this to have the NXC generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted Certificates screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-down list boxes and enter the certification authority's server address. You also need to fill in the Reference Number and Key if the certification authority requires them. Enrollment Protocol: This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510. CA Server Address: This field applies when you select Create a certification request and enroll for a certificate immediately online. Enter the IP address (or URL) of the certification authority server. For a U
253. criteria 182 session limits 182 187 stateful inspection 181 triangle routes 182 184 firmware and restart 347 boot module see boot module current version 48 348 getting updated 347 uploading 347 348 uploading with FTP 315 flash usage 50 FQDN 294 fragmentation threshold 428 front panel ports 16 FTP 315 additional signaling port 155 ALG 154 and address groups 316 and address objects 316 and certificates 315 and zones 316 signaling port 155 with Transport Layer Security TLS 315 Fully Qualified Domain Name see FQDN G ge 16 Gigabit Ethernet 16 ports 16 Guide CLI Reference 2 Quick Start 2 H hidden node 427 HTTP over SSL see HTTPS redirect to HTTPS 301 vs HTTPS 299 HTTPS 299 and certificates 299 authenticating clients 299 avoiding warning messages 304 example 303 vs HTTP 299 with Internet Explorer 303 HyperText Transfer Protocol over Secure Socket Layer see HTTPS IBSS 424 ICMP 241 IEEE 802 11g 428 IEEE 802 1q VLAN IEEE 802 1x 209 Independent Basic Service Set See IBSS 424 initialization vector IV 433 interface mapping 16 status 50 60 types 17 interfaces 16 110 and DNS servers 133 and NAT 150 and physical ports 16 110 and policy routes 139 and static routes 141 and zones 16 110 as DHCP relays 132 as DHCP servers 132 286 bandwidth management 131 default configuration 17 DHCP clients 131 Ethernet see also Ethernet interfaces gateway 131 general characteristics 110 N
254. ct this to use a custom login page instead of the default one built into the NXC. Once this option is selected, the custom login page controls below become active. Use uploaded file: Select this to upload a web portal file with custom html pages to the NXC and use it. Once this option is selected, the screen changes. Logo File: This section allows you to choose and upload a custom logo image for the customized login page. This corresponds to the ZyXEL logo image in the default page. File Path: Browse for the image file or enter the file path in the available input box, then click the Upload button to put it on the NXC. Once uploaded, this image file replaces the default ZyXEL logo on the login page. You can use the following image file formats: GIF, PNG, or JPG. Customized Login Page: This section allows you to customize the other elements on the captive portal login page. Title: Enter 1-64 characters for the page title. Spaces are allowed. This corresponds to the NXC title in the default page. Title Color: Select a font color for the page title. You can use the color palette chooser, or enter a color value of your own. Message Color: Specify the color of the screen's text. Note Message: Enter a note to display below the title. Use up to 1024 printable ASCII characters. Spaces are allowed. Background: Set how the window's background looks. To use a graphic, select Picture and upload a g
255. cters. You can use alphanumeric characters, the hyphen and the underscore. Country: Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. Key Type: Select RSA to use the Rivest, Shamir and Adleman public-key algorithm. Select DSA to use the Digital Signature Algorithm public-key algorithm. Key Length: Select a number from the drop-down list box to determine how many bits the key should use. The longer the key, the more secure it is. A longer key also uses more PKI storage space. These radio buttons deal with how and when the certificate is to be generated. Create a self-signed certificate: Select this to have the NXC generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates. Create a certification request and save it locally for later manual enrollment: Select this to have the NXC generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen and then send it to the certification authority. Table 143 Configuration > Object > Certificate > My Certificates > Add
256. ctive. Profile Name: Enter up to 31 alphanumeric characters to be used as this profile's name. Spaces and underscores are allowed. 802.11 Band: Select the wireless band which this radio profile should use. 2.4 GHz is the frequency used by IEEE 802.11b/g/n wireless clients. 5 GHz is the frequency used by IEEE 802.11a/n wireless clients. Mode: Select how to let wireless clients connect to the AP. When using the 2.4 GHz band, select b/g to let IEEE 802.11b and IEEE 802.11g compliant WLAN devices associate with the AP. When using the 2.4 GHz band, select b/g/n to let IEEE 802.11b, IEEE 802.11g, and IEEE 802.11n compliant WLAN devices associate with the AP. When using the 5 GHz band, select a to let only IEEE 802.11a compliant WLAN devices associate with the AP. When using the 5 GHz band, select a/n to let IEEE 802.11a and IEEE 802.11n compliant WLAN devices associate with the AP. Channel: Select the wireless channel which this radio profile should use. It is recommended that you choose the channel least in use by other APs in the region where this profile will be implemented. This will reduce the amount of interference between wireless clients and the AP to which this profile is assigned. Some 5 GHz channels include the label indoor use only. These are for use with an indoor AP only. Do not use them with an outdoor AP. Advanced Settings. Channel Width: Select the channel bandwidth you want to use for you
257. cy Route: Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN. Table 65 Configuration > Network > Interface > VLAN > Add/Edit (continued), label and description: OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving. 8.4 Technical Reference. The following section contains additional technical information about the features described in this chapter. IP Address Assignment: Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. In most interfaces, you can enter the IP address and subnet mask manually. In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. In general, the IP address and subnet mask of each interface should not overlap, though it is possible for this to happen with DHCP clients. In the example above, if the NXC gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the NXC should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.20
258. d activity. The faster and more frequently an LED flashes, the faster the data connection. Before you use the Console, ensure that: Your web browser of choice allows pop-up windows from the IP address assigned to your NXC. Your web browser allows Java programs. You are using the latest version of the Java program (http://www.java.com). To log in through the Console: 1 Click the Console button on the Web Configurator title bar. [screenshot: title bar with the Console button] 2 Enter the IP address of the NXC and click OK. [screenshot: Console login] 4 You may be prompted to authenticate your account password, depending on the type of device that you are logging into. Enter the password and click OK. 5 If your login is successful, the command line appears and the status bar at the bottom of the Console updates to reflect your connection state. [screenshot: Console connected] CLI Messages: Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following. Figure 14 CLI Messages [screenshot: CLI popup window listing commands such as show capwap station all]
259. d process. This process may take up to two minutes. 30.3 Firmware Package. Click Maintenance > File Manager > Firmware Package to open this screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the NXC. Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, nxc.bin. The firmware update can take up to five minutes. Do not turn off or reset the NXC while the firmware update is in progress! Figure 207 Maintenance > File Manager > Firmware Package [screenshot: Version, Upload File, Firmware Status and Firmware Update Schedule sections]
260. data 33 These include internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. [screenshot: privacy policy text with the checkbox "I accept the terms in the Privacy Policy"] The following table describes the labels in this screen. Table 45 Configuration > Licensing > Registration, label and description: General Settings: If you select existing myZyXEL.com account, only the User Name and Password fields are available. new myZyXEL.com account: If you haven't created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your NXC. existing myZyXEL.com account: If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your NXC. UserName: Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed. Check: Click this button to check with the myZyXEL.com database to verify the user name you entered has not been used. Password: Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed. Confirm Password
261. ddress > Address Group. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 140 Configuration > Object > Address > Address Group [screenshot: IPv4 Address Group Configuration list with Name and Description columns]. The following table describes the labels in this screen. Table 126 Configuration > Object > Address > Address Group, label and description: Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific address group. Name: This field displays the name of each address group. Description: This field displays the description of each address group, if any. 21.3.1 Add/Edit Address Group Rule. The Add/Edit Address Group Rule screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen and click either the Add icon or an Edit icon
262. ddress (network address), last address (broadcast address), and the interface's IP address. First DNS Server, Second DNS Server, Third DNS Server: Specify the IP addresses of up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses. Custom Defined: enter a static IP address. From ISP: select the DNS server that another interface received from its DHCP server. EnterpriseWLAN: the DHCP clients use the IP address of this interface and the NXC works as a DNS relay. First WINS: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Default Router: If you set this interface to DHCP Server, you can either select gex IP (where x is the interface number) to use the interface's IP address or use another IP address as the default router. This default router will become the DHCP clients' default gateway. To use another IP address as the default router, select Custom Defined and enter the IP address. Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite (select this if IP addresses never expire); days, hours, and minutes (select this to enter how long IP addresses are valid). Extended This tabl
263. dds DNS server s failed because Zon Forwarder numbers hav reached the maximum number of 32 Wizard apply DNS server fail because the device already has the maximum number of DNS records configured 96s is IP address of the DNS server Access control rules of s have reached the maximum number of u The maximum number of allowable rules has been reached s is HTTP HTTPS SSH SNMP FTP TELNET u is the maximum number of access control rules Access control rule u A new built in service access control rule was appended of ER was appended u is the index of the access control rule s is HTTP HTTPS SSH SNMP FTP TELNET Access control rule u An access control rule was inserted successfully QE NOV Pee COD u is the index of the access control rule 96s is HTTP HTTPS SSH SNMP FTP TELNET Access control rule u An access control rule was modified successfully of Pe was Duae u is the index of the access control rule 96s is HTTP HTTPS SSH SNMP FTP TELNET Access control rule u An access control rule was removed successfully SECHS NES qose 96u is the index of the access control rule 96s is HTTP HTTPS SSH SNMP FTP TELNET Access control rule d An access control rule was moved successfully of s was moved to d 1st 96d is the previous index 96s is HTTP HTTPS SSH SNMP FTP TELNET 2nd 96d is current previous index SNMP trap can not be sent successfully Cannot send a SNMP trap to
264. dentify the parts you can customize in the login and access pages. Figure 95 Login Page Customization [callouts: Logo, Title, Message Color (color of all text), Background, Note Message (last line of text)]. Figure 96 Access Page Customization [callouts: Logo, Title, Message Color (color of all text), Background, Note Message (last line of text)]. Figure 97 User Logout Page Customization [callouts: Logo, Title, Message Color (color of all text), Note Message (last line of text), Background]. You can specify colors in one of the following ways: Click Color to display a screen of web-safe colors from which to choose. Enter the name of the desired color. Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use #000000 for black. Enter rgb followed by red, green, and blue values in parenthesis and separate by commas. For example, use rgb(0,0,0) for black. Your desired color should display in the preview screen on the right after you click in another field, click Apply, or press ENTER. If your desired color does not display, your browser may not support it. Try selecting another color. 14.3.2 External or Uploaded Web Portal Details. You can also configure the look and feel of the web portal page if you use an external web portal o
265. des an additional layer of security for an SSID, allowing you to block access or allow access to that SSID based on wireless client MAC addresses. If a client's MAC address is on the list, then it is either allowed or denied, depending on how you set up the MAC Filter profile. You can have a maximum of 32 MAC filtering profiles on the NXC. Layer-2 Isolation: This profile can be used to prevent connected wireless clients from communicating with each other in the NXC's wireless network(s), on which layer-2 isolation is enabled, except the devices in the layer-2 isolation list. SSID: The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it. WEP: WEP (Wired Equivalent Privacy) encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications private. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption. WPA and WPA2: Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key diffe
266. dwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity. There are two kinds of wireless load balancing available on the NXC. Load balancing by station number limits the number of devices allowed to connect to your AP. If you know exactly how many stations you want to let connect, choose this option. For example, if your company's graphic design team has their own AP and they have 10 computers, you can load balance for 10. Later, if someone from the sales department visits the graphic design team's offices for a meeting and he tries to access the network, his computer's connection is delayed, giving it the opportunity to connect to a different, neighboring AP. If he still connects to the AP regardless of the delay, then the AP may boot other people who are already connected in order to associate with the new connection. Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available. If you are uncertain as to the exact number of wireless connections you will have, then choose this option. By setting a maximum bandwidth cap, you allow any number of devices to connect as long as their total bandwidth usage does not exceed the configured bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed provided that there are other APs in range
267. e Remove Click a configuration file s row to select it and click Remove to delete it from the NXC You can only delete manually saved configuration files You cannot delete the system default conf startup config conf and lastgood conf files A pop up window asks you to confirm that you want to delete the configuration file Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file Download Click a configuration file s row to select it and click Download to save the configuration to your computer Copy Use this button to save a duplicate of a configuration file on the NXC Click a configuration file s row to select it and click Copy to open the Copy File screen 5 Copy File lx Source File startup config conf Target file OK Cancel Specify a name for the duplicate configuration file Use up to 25 characters including a ZA Z0 9 amp _ 1 Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file NXC Series User s Guide 345 Chapter 30 File Manager Table 180 Maintenance gt File Manager gt Configuration File continued LABEL DESCRIPTION Apply Use this button to have the NXC use a specific configuration file Click a configuration file s row to select it and click Apply to have the NXC use that configuration file
268. e zysh need to catch MyZyXEL.com agent's return code, this log will be shown when timeout. "Send update request to update server has failed": The device could not send an update message to the update server. "Update has failed Because of lack must fields": The device received an incomplete response from the update server and it caused a parsing error for the device. "Update server is busy now File download after %d seconds": The update server was busy, so the device will wait for the specified number of seconds and send the download request to the update server again. "Device has latest file No need to update": The device already has the latest version of the file, so no update is needed. "Device has latest signature file no need to update": The device already has the latest version of the signature file, so no update is needed. "Connect to update server has failed": The device cannot connect to the update server. "Wrong format for packets received": The device cannot parse the response returned by the server. Maybe some required fields are missing. "Server setting Update stop rror": The device could not resolve the update server's FQDN to an IP address through gethostbyname(). The update process stopped. "Build query message failed": Some information was missing in the packets that the device sent to the server. "System protect signature download has succeeded": The device
269. e Error Console, Page Info, Clear Private Data (Ctrl+Shift+Del), Options. 2 In the Options dialog box, click Advanced > Encryption > View Certificates. [Screenshot: Firefox Options dialog, Advanced > Encryption tab] (Appendix C, Importing Certificates) 3 In the Certificate Manager dialog box, click Web Sites > Import. [Screenshot: Certificate Manager dialog and file selection window] 5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information. (Appendix C, Importing Certificates) Removing a Certificate in Firefox: This section shows you how to remove a public key certificate in Firefox 2. 1 Open Firefox and click Tools > Options. [Screenshot: Firefox Tools menu]
270. e Send log when full USB Status none System Log Internal USB Storage Internal VRPT Syslog Server Address Log Facility Local 1 Remote Server 1 Server Address Log Facility Local 1 Server Address Log Facility Local 1 Remote Server 2 VRPT Syslog Remote Server3 X VRPT Syslog Remote Server 4 VRPT Syslog Server Address Log Facility Local 1 Displaying 1 7 of 7 of 1 Show 50 v items Log Category Settings Apply The following table describes the labels in this screen Table 174 Configuration gt Log amp Report gt Log Settings LABEL DESCRIPTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific log Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the log system log or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log on the View Log tab VRPT Syslog ZyXEL s Vantage Report syslog compatible format CEF Syslog Common Event Format syslog compatible format Summary This field is a summary of the settings for
271. e This name can be up to 64 alphanumeric characters long. Spaces are not allowed, but dashes, underscores and periods are accepted. Domain Name: Enter the domain name (if you know it) here. This name is propagated to DHCP clients connected to interfaces with the DHCP server enabled. This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes are accepted. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings. 28.3 USB Storage: The NXC can use a connected USB device to store the system log and other diagnostic information. Use this screen to turn on this feature and set a disk full warning limit. Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2 or EXT3 file system. Click Configuration > System > USB Storage to open the screen as shown next. (Chapter 28, System) Figure 168 Configuration > System > USB Storage [screenshot: Activate USB storage service; Disk full warning when remaining space is less than]. The following table describes the labels in this screen. Table 152 Configuration > System > USB Storage. Activate USB storage service: Select this if you want to use the connected USB device(s). Disk full warning when remaining space is less than: Set a number and sel
272. e owner. (Appendix D, Wireless LANs) EAP-MD5 (Message-Digest Algorithm 5): MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the information. The password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security): With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. Howeve
273. e 2009 125 EC Name ttie Raymond Huang Quality amp Customer Service Division Assistant VP Signature Date dd mmiyyyy Q 01 10 2013 Italiano Italian Dichiarazione ambientale di prodotto RoHS Direttiva 2011 65 UE Direttiva 2012 19 UE Direttiva 94 62 CE REGOLAMENTO CE n 1907 2006 Direttiva 2009 125 CE Nome ttle gt Raymond Huang Quality amp Customer Naam titel Unterschrift Produkt Umweltdeklaration Richtinie 2011 65 EU Richtlinie 2012 19 EU Richtinie 94 62 EG VERORDNUNG EG Nr 1907 2006 Richtinie 2009 125 EG Name Stet Raymond Huang Quality amp Customer Service Division Assistant VP Datum jij mm t 2013 10 01 Nederlands Dutch Milieuproductverklaring Richtlijn 2011 65 EU Richtlijn 2012 19 EU Richtlijn 94 62 EG Verordening EG nr 1907 2006 Richtlijn 2009 125 EG Raymond Huang Quality amp Customer Service Division Assistant VP Datum ddimm aar Declaraciones Ambientales de Producto Directiva 2011 65 UE Directiva 2012 19 UE Directiva 94 62 CE REGLAMENTO CE n 1907 2006 Directiva 2009 125 CE Raymond Huang Quality amp Customer Service Division Assistant VP Fecha aaaamm dd Svenska Swedish Milj produktdeklaration RoHS Owektiv2011 65 EU WEEE Direktiv 2012 19 EU PPW Dwektiv 94 62 EG REACH F rordning EG nr 1907 2006 ErP Direktiv 2009 125 EG Namn titel Raymond Huang Quality amp Customer Service Division Ass
274. e Last Modified Page i of 1 50 items No data to display NXC Series User s Guide Chapter 31 Diagnostics The following table describes the labels in this screen Table 188 Maintenance gt Diagnostics gt Core Dump gt Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the NXC Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each core dump file entry The total number of core dump files that you can save depends on the file sizes and the available flash storage space File Name This column displays the label that identifies the file Size This column displays the size in bytes of a file Last Modified This column displays the date and time that the individual files were saved 31 5 System Log Click Maintenance gt Diagnostics gt System Log to open the system log files screen This screen lists the files of system logs stored on a connected USB storage device The files are in comma separated value csv format You can download them to your computer and open them in a tool like Microsoft s Excel Figure 219 Maintenance gt Diagnostics gt System Log Diagnostics Packet Capture Core Dump System Log Wireless Frame Capture System Log Archives in USB Sto
275. e RADIUS screen (Section 24.3 on page 259) configures the default external RADIUS server to use for user authentication. 24.1.2 What You Need To Know: The following terms and concepts may help as you read this chapter. Directory Service (AD/LDAP): LDAP/AD allows a client (the NXC) to connect to a server to retrieve information from a directory. A network example is shown next. Figure 149 Example: Directory Service Client and Server. The following describes the user authentication procedure via an LDAP/AD server. 1 A user logs in with a user name and password pair. 2 The NXC tries to bind (or log in) to the LDAP/AD server. 3 When the binding process is successful, the NXC checks the user information in the directory against the user name and password pair. (Chapter 24, AAA Server) If it matches, the user is allowed access. Otherwise, access is blocked. RADIUS Server: RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of, or in addition to, an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location. Figure 150 RADIUS Server Network Example. Authentication Capability List: This list displays the NXC's authentication capabilities. Table 135 Authentication C
276. e Show Memory Usage icon that takes you to a chart of the NXC's recent memory usage. Flash Usage: This field displays what percentage of the NXC's onboard flash memory is currently being used. USB Storage Usage: This field shows how much storage in the USB device connected to the NXC is in use. Active Sessions: This field displays how many traffic sessions are currently open on the NXC. These are the sessions that are traversing the NXC. Hover your cursor over this field to display icons. Click the Detail icon to go to the Session Monitor screen to see details about the active sessions. Click the Show Active Sessions icon to display a chart of the NXC's recent session usage. Interface Status Summary. Name: This field displays the name of each interface. Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. Inactive: The Ethernet interface is disabled. Down: The Ethernet interface is enabled but not connected. Speed / Duplex: The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half). Zone: This field displays the zone to which the interface is currently assigned. IP Addr/Netmask: This field displays the current IP address and subnet mask assigned to the interface. If the IP address is 0.0.0.0, the interface is disabled or did not receive an IP address and subnet mask via DHCP
277. e Specify the year month and day when the schedule ends Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 NXC Series User s Guide Chapter 23 Schedules Table 133 Configuration gt Object gt Schedule gt Add Edit One Time continued LABEL DESCRIPTION StopTime Specify the hour and minute when the schedule ends Hour 0 23 Minute 0 59 OK Click OK to save your changes back to the NXC Cancel Click Cancel to exit this screen without saving your changes 23 2 2 Add Edit Schedule Recurring Rule The Add Edit Schedule Recurring Rule screen allows you to define a recurring schedule or edit an existing one To access this screen go to the Schedule screen and click either the Add icon or an Edit icon in the Recurring section Figure 148 Configuration gt Object gt Schedule gt Add Edit Recurring C Add Schedule Recurring Rule X Configuration Name v Day Time StartTime 20 StopTime Weekly Week Days 4 Monday v Tuesday 4 Wednesday 4 Thursday 4 Friday v Saturday 4 Sunday al The Year Month and Day columns are not used in recurring schedules and are disabled in this screen The following table describes the remaining labels in this screen Table 134 Configuration gt Object gt Schedule gt Add Edit Recurring LABEL DESCRIPTION Configuration Name T
278. e based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the NXC uses the one that was configured first. DHCPv6 Setting. DHCPv6: Select N/A to not use DHCPv6. Select Client to set this interface to act as a DHCPv6 client. DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See Appendix E on page 436 for more information. DUID as MAC: Select this if you want the DUID to be generated from the interface's default MAC address. Customized DUID: If you want to use a customized DUID, enter it here for the interface. Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 server to make rapid commit work. Request Address: Select this to get an IPv6 address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6. DHCPv6 Request Options: If this interface is a DHCPv6 client, use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. Add: Click this to create an entry in this table. See Section 8.2.3 on page 11
279. e is available if you selected DHCP server. Options: Configure this table if you want to send more information to DHCP clients through DHCP packets. Add: Click this to create an entry in this table. See Section 8.2.4 on page 120. (Chapter 8, Interfaces. Table 60 Configuration > Network > Interface > Ethernet > Edit, continued.) Edit: Select an entry in this table and click this to modify it. Remove: Select an entry in this table and click this to delete it. This field is a sequential value, and it is not associated with any entry. Name: This is the name of the DHCP option. Code: This is the code number of the DHCP option. Type: This is the type of the set value for the DHCP option. Value: This is the value set for the DHCP option. Enable IP/MAC Binding: Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses. Enable Logs for IP/MAC Binding Violation: Select this option to have the NXC generate a log if a device connected to this interface attempts to use an IP address that is bound to another device's MAC address. Static DHCP: Configure a list of static IP addresses the NXC assign
280. e name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH or console). "Console has been put into lockout state": Too many failed login attempts were made on the console port, so the NXC is blocking login attempts on the console port. "Address %u.%u.%u.%u has been put into lockout state": Too many failed login attempts were made from an IP address, so the NXC is blocking login attempts from that IP address. %u.%u.%u.%u: the source address of the user's login attempt. "Failed login attempt to EnterpriseWLAN from %s login on a lockout address": A login attempt came from an IP address that the NXC has locked out. %u.%u.%u.%u: the source address of the user's login attempt. "Failed login attempt to EnterpriseWLAN from %s the max number reach of user": The NXC blocked a login because the maximum login capacity for the particular service has already been reached. %s: service name. "Failed login attempt to EnterpriseWLAN from %s the max number reach of simultaneous logon": The NXC blocked a login because the maximum simultaneous login capacity for the administrator or access account has already been reached. %s: service name. (Appendix A, Log Descriptions. Table 195 User Logs, continued.) "User %s has been denied access from %s": The NXC blocked a login according to the
281. e s security certificate The security certificate presented by this website was not issued by a trusted certificate authority The security certificate presented by this website was issued for a different website s address Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server We recommend that you close this webpage and do not continue to this website Click here to close this webpage Q9 Continue to this website not recommended More information 2 Click Continue to this website not recommended 3 In the Address Bar click Certificate Error gt View certificates v a Certificate Error Q Certificate Invalid The security certificate presented by this website has errors This problem may indicate an attempt to fool you or intercept any data you send to the server We recommend that you close this webpage About certificate errors View certificates 41 2 NXC Series User s Guide Appendix C Importing Certificates 4 In the Certificate dialog box click Install Certificate Certificate General Details Certification Path Certificate Information This CA Root certificate is not trusted To enable trust install this certificate in the Trusted Root Certification Authorities store Issued to nsa2401 Issued by nsa2401 Valid from 5 20 2008 to 5 20 2011 Install Rene ds 5 Inthe Certificate Impor
282. e starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany, for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). End Date: Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24-hour format. Here are a couple of examples. Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, November and type 2 in the at field. Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the at field depends on your time zone. In Germany, for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Offset: Specify how much the clock changes when daylight saving begins and ends. Enter a number from 1 to 5.5 (by 0.5 increments). For example, if you set this field to 3.5 a
283. e the capture screen's Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes. Figure 216 Packet Capture File Example [Wireshark screenshot of a capture file; the selected frame 15 is 1514 bytes on wire, 1500 bytes captured]. 31.4 Core Dump: Use the Core Dump screen to have the NXC save a process's core dump to an attached USB storage device if the process terminates abnormally (crashes). You
284. e the network number to be identical to the host ID. Subnet Mask: Enter the IP subnet mask here. Gateway IP: Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your NXC's interface(s). The gateway helps forward packets to their destinations. Interface: Select the radio button and a predefined interface through which the traffic is sent. Metric: Metric represents the cost of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be 0-127. In practice, 2 or 3 is usually a good number. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving. (Chapter 9, Policy and Static Routes) 9.4 Technical Reference: The following section contains additional technical information about the features described in this chapter. NAT and SNAT: NAT (Network Address Translation, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network. Assured Forwarding (AF) PHB for DiffServ: Assured Forwarding (AF) b
285. e time 246 recurring 246 types of 246 screen resolution 28 Secure Socket Layer see SSL serial number 48 service control and users 299 limitations 298 timeouts 299 service groups 242 and firewall 186 service objects 241 Service Set 209 service subscription status 90 91 services 241 242 408 and firewall 186 and policy routes 242 session control 187 session limits 182 187 sessions 65 sessions usage 50 53 NXC Series User s Guide Index shell scripts 341 downloading 350 editing 350 how applied 342 managing 350 syntax 342 uploading 351 shutdown 21 371 Simple Certificate Enrollment Protocol SCEP 273 Simple Network Management Protocol see SNMP SNAT 142 SNMP 317 agents 317 and address groups 320 and address objects 320 and zones 320 Get 317 GetNext 317 Manager 317 managers 317 MIB 317 318 network components 317 Set 317 Trap 318 traps 318 versions 317 Source Network Address Translation see SNAT SSH 309 and address groups 312 and address objects 312 and certificates 312 and zones 312 client requirements 311 encryption methods 311 for secure Telnet 312 how connection is established 310 versions 311 with Linux 313 with Microsoft Windows 312 SSL 299 and AAA 257 and AD 257 and LDAP 257 starting the device 21 startup config conf 346 if errors 344 missing at restart 344 present at restart 344 startup config bad conf 344 static DHCP 159 static routes 134 and interfaces 141 metric 141
286. e when you are configuring a to-NXC rule. Select a user name or user group to which to apply the rule. The firewall rule is activated only when the specified user logs into the system, and the rule will be disabled when the user logs out. Otherwise, select any and there is no need for user logging. Note: If you specified a source IP address (group) instead of any in the field below, the user's IP address should be within the IP address range. Source: Select a source address or address group for whom this rule applies. Select any if the policy is effective for every source. Destination: Select a destination address or address group for whom this rule applies. Select any if the policy is effective for every destination. Service: Select a service or service group from the drop-down list box. Access: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select reject to deny the packets and send a TCP reset packet to the sender. Any UDP packets are dropped without sending a response packet. Select allow to permit the passage of the packets. Log: Select whether to have the NXC generate a log (log), log and alert (log alert) or not (no) when the rule is matched. OK: Click OK to save your customized settings and exit this screen
287. eans all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best-effort traffic. The af entries stand for Assured Forwarding. The number following the af identifies one of four classes and one of three drop preferences. The wmm entries are for QoS. For more information on QoS and WMM categories, see page 143. Service: This is the name of the service object. any means all services. Source Port: This is the name of a service object. The NXC applies the policy route to the packets sent from the corresponding service port. any means all service ports. Next-Hop: This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router or outgoing interface. DSCP Marking: This is how the NXC handles the DSCP value of the outgoing packets that match this route. If this field displays a DSCP value, the NXC applies that DSCP value to the route's outgoing packets. preserve means the NXC does not modify the DSCP value of the route's outgoing packets. default means the NXC sets the DSCP value of the route's outgoing packets to 0. The af choices stand for Assured Forwarding. The number following the af identifies one of four classes and one of three drop preferences. The wmm entries are for QoS. For more information on QoS and WMM categories, see page 143. SNAT: This is the source IP address that the route uses. It displays
288. eas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional and, if selected, means the HTTPS client must send the NXC a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the NXC. Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the NXC's web server. 2 HTTP connection requests from a web browser go to port 80 (by default) on the NXC's web server. Figure 178 HTTP/HTTPS Implementation [diagram: web server with HTTPS on port 443 and HTTP on port 80]. (Chapter 28, System) Note: If you disable HTTP in the WWW screen, then the NXC blocks all HTTP connection attempts. 28.7.4 Configuring WWW Service Control: Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the NXC using HTTP or HTTPS. You can also specify which IP addresses the access can come from. Note: Admin Service Control deals with management access to the Web Configurator. User Service Control deals with user access to the NXC. Figure 179 Configuration > System > WWW > Service Control [screenshot: HTTPS section with Enable, Server Port 443, Authenticate Client Certificates (See Trusted CAs), Server Certificate default, Redirect HTTP t
289. eated and stored on the NXC are authenticated locally. 25.1.1 What You Can Do in this Chapter: The Auth Method screens (Section 25.2 on page 263) create and manage authentication method objects. 25.1.2 Before You Begin: Configure AAA server objects before you configure authentication method objects. 25.2 Authentication Method: Click Configuration > Object > Auth Method to display this screen. Note: You can create up to 16 authentication method objects. Figure 157 Configuration > Object > Auth Method [screenshot: the list shows one entry, Method Name default, Method List local]. (Chapter 25, Authentication Method) The following table describes the labels in this screen. Table 140 Configuration > Object > Auth Method. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. This field displays the index number. Method Name: This field displays a descriptive name for identification purposes. Method List: This field displays the authen
290. ect a unit (MB or %) to have the NXC send a warning message when the remaining USB storage space is less than the value you set here. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings. 28.4 Date and Time: For effective scheduling and logging, the NXC system time must be accurate. The NXC's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server. (Chapter 28, System) To change your NXC's time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the NXC's time and date or have the NXC get the date and time from a time server. Figure 169 Configuration > System > Date/Time [screenshot: Current Time and Date; Time and Date Setup with Manual and Get from Time Server options; Time Zone Setup with Enable Daylight Savings, Start Date, End Date and Offset]
291. ect button. The destination address is an IP address for which the captive portal intercepts all network traffic toward.

Table 86 Configuration > Captive Portal > Auth Policy > Add/Edit

| LABEL | DESCRIPTION |
| --- | --- |
| Schedule | Select a schedule from the list. If none are available, you can create one in Configuration > Object > Schedule. |
| Authentication | Select whether authentication is required or not necessary for this rule. |
| Force User Authentication | Select this option to redirect HTTP traffic to the login screen if the user has not logged in yet. |
| OK | Click OK to save your changes back to the NXC. |
| Cancel | Click Cancel to exit this screen without saving. |

14.3 Login Page
The login page appears whenever the captive portal intercepts network traffic, preventing unauthorized users from gaining access to the network. Use this page to select the default login page or customize it. Click Configuration > Captive Portal > Login Page to display it.

Figure 94 Configuration > Captive Portal > Login Page
292. ecure. These keys work like a handwritten signature (in fact, certificates are often referred to as "digital signatures"). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you or by someone else. In the same way, your private key "writes" your digital signature and your public key allows people to verify whether data was signed by you or by someone else. This process works as follows:

1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no one can have altered it (because they cannot re-sign the message with Tim's private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message
293. ed wirelessly.

| LABEL | DESCRIPTION |
| --- | --- |
| SSID Name | This indicates the name of the wireless network (SSID) the managed AP uses to associate with another managed AP. |
| Signal Strength | This is the signal strength of the wireless connection between the managed AP and a root AP or repeater. |
| Tx Rate | This is the maximum transmission rate of the root AP or repeater to which the managed AP is connected. |
| Rx Rate | This is the maximum reception rate of the root AP or repeater to which the managed AP is connected. |
| Link Up Time | This displays the time the managed AP first associated with the root AP or repeater. |

5.14 Station List
Use this screen to view statistics pertaining to the associated stations (or "wireless clients"). Click Monitor > Wireless > Station Info > Station List to access this screen.

Figure 38 Monitor > Wireless > Station Info > Station List

The following table describes the labels in this screen.

Table 41 Monitor > Wireless > Station Info > Station List

| LABEL | DESCRIPTION |
| --- | --- |
| SSID Name | This field displays the SSID name with which at least one station is associated. Click or to display or hide details about wireless s |
294. [Screenshot: Windows Certificates dialog listing certificates with the columns Issued To, Issued By, Expiration and Friendly Name, including the 172.20.37.202 entry]

4 In the Certificates confirmation, click Yes.

Dialog text: "Deleting system root certificates might prevent some Windows components from working properly. If Update Root Certificates is installed, any deleted third-party root certificates will be restored automatically, but the system root certificates will not. Do you want to delete the selected certificate(s)?"

5 In the Root Certificate Store dialog box, click Yes.

Dialog text: "Do you want to DELETE the following certificate from the Root Store? Subject: 172.20.37.202, ZyXEL. Issuer: Self Issued. Time Validity: Wednesday, May 21, 2008 through Saturday, May 21, 2011. Serial Number: 00846BC7 4BBF7C2E
295. ed addresses are denied connections. The disable setting means no MAC filtering is used.

Table 113 Configuration > Object > AP Profile > Add/Edit SSID Profile (continued)

| LABEL | DESCRIPTION |
| --- | --- |
| Layer-2 Isolation Profile | Select a layer-2 isolation profile from the list to associate with this SSID. If none exist, you can use the Create new Object menu to create one. The disable setting means no layer-2 isolation is used. |
| QoS | Select a Quality of Service (QoS) access category to associate with this SSID. Access categories minimize the delay of data packets across a wireless network. Certain categories, such as video or voice, are given a higher priority due to the time-sensitive nature of their data packets. |

QoS access categories are as follows:

disable: Turns off QoS for this SSID. All data packets are treated equally and not tagged with access categories.
WMM: Enables automatic tagging of data packets. The NXC assigns access categories to the SSID by examining data as it passes through it and making a best-guess effort. If something looks like video traffic, for instance, it is tagged as such.
WMM_VOICE: All wireless traffic to the SSID is tagged as voice data. This is recommended if an SSID is used for activities like placing and receiving VoIP phone calls.
WMM_VIDEO: All wireless traffic to the SSID is tagged as video data. This is recommended for
296. ed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

Get: Allows the manager to retrieve an object variable from the agent.
GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
Set: Allows the manager to set values for object variables within an agent.
Trap: Used by the agent to inform the manager of some events.

28.11.1 Supported MIBs
The NXC supports MIB II that is defined in RFC 1213 and RFC 1215. The NXC also supports private MIBs z
297. 

| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| ed to port %s | An administrator changed the port number for TELNET. %s is port number assigned by user. |
| TELNET port has been changed to default port | An administrator changed the port number for TELNET back to the default (23). |
| FTP certificate %s does not exist | An administrator assigned a nonexistent certificate to FTP. %s is certificate name assigned by user. |
| FTP port has been changed to port %s | An administrator changed the port number for FTP. %s is port number assigned by user. |
| FTP port has been changed to default port | An administrator changed the port number for FTP back to the default (21). |
| SNMP port has been changed to port %s | An administrator changed the port number for SNMP. %s is port number assigned by user. |
| SNMP port has been changed to default port | An administrator changed the port number for SNMP back to the default (161). |
| Console baud has been changed to %s | An administrator changed the console port baud rate. %s is baud rate assigned by user. |
| Console baud has been reset to %d | An administrator changed the console port baud rate back to the default (115200). %d is default baud rate. |
| DHCP Server on Interface %s will not work due to Device HA status is Stand-By | If interface is stand-by mode for device HA, DHCP server can't be run. Otherwise it has conflict with the interface in master mode. %s is int |
298. ehavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers in the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.

Table 72 Assured Forwarding (AF) Behavior Group

| | Class 1 | Class 2 | Class 3 | Class 4 |
| --- | --- | --- | --- | --- |
| Low Drop Precedence | AF11 (10) | AF21 (18) | AF31 (26) | AF41 (34) |
| Medium Drop Precedence | AF12 (12) | AF22 (20) | AF32 (28) | AF42 (36) |
| High Drop Precedence | AF13 (14) | AF23 (22) | AF33 (30) | AF43 (38) |

WMM
Wi-Fi Multimedia (WMM) provides basic Quality of Service (QoS) features to wireless networks. The four categories of QoS described by WMM are: voice (VO), video (VI), best effort (BE), and background (BK). These categories, known as access categories (AC), are mapped to 802.1D priority values, which can then be mapped to their corresponding DSCP hex values.

Table 73 WMM to DiffServ Conversion on the NXC

| Priority | WMM AC | 802.1D Priority | DSCP Hex Value |
| --- | --- | --- | --- |
| Lowest | BK | 1 | 0x08 |
| | BK | 2 | 0x10 |
| | BE | 0 | 0x00 |
| | BE | 3 | 0x18 |
| | VI | | |
299. eld is described in the following table.

Table 49 Configuration > Wireless > AP Management

| LABEL | DESCRIPTION |
| --- | --- |
| Edit | Select an AP and click this button to edit its properties. |
| Remove | Select an AP and click this button to remove it from the list. Note: If in the Configuration > Wireless > Controller screen you set the Registration Type to Always Accept, then as soon as you remove an AP from this list it reconnects. |
| Reboot | Select an AP and click this button to force it to restart. |
| # | This field is a sequential value, and it is not associated with any interface. |
| IP Address | This field displays the IP address of the AP. |
| MAC Address | This field displays the MAC address of the AP. |
| Model | This field displays the AP's hardware model information. It displays N/A (not applicable) only when the AP disconnects from the NXC and the information is unavailable as a result. |
| R1 Mode / AP Profile / ZyMesh Profile | This field displays the operating mode (AP, MON, root or repeater), AP radio profile name and ZyMesh profile name for Radio 1. It displays n/a for the AP profile for a radio not using an AP profile or for the ZyMesh profile for a radio not using a ZyMesh profile. |
| R2 Mode / AP Profile / ZyMesh Profile | This field displays the operating mode (AP, MON, root or repeater), AP radio profile name and ZyMesh profile name for Radio 2. It displays n/a for the AP radio profile for a radio not using an AP radio |
300. eld is described in the following table.

Table 59 Configuration > Network > Interface > Ethernet

| LABEL | DESCRIPTION |
| --- | --- |
| Configuration / IPv6 Configuration | Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your NXC to an IPv6 network. Both sections have similar fields as described below. |
| Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. |
| Activate | To turn on an interface, select it and click Activate. |
| Inactivate | To turn off an interface, select it and click Inactivate. |
| Object Reference | Select an entry and click Object Reference to open a screen that shows which settings use the entry. |
| # | This field is a sequential value, and it is not associated with any interface. |
| Status | This icon is lit when the entry is active and dimmed when the entry is inactive. |
| Name | This field displays the name of the interface. |
| IP Address | This field displays the current IP address of the interface. If the IP address is 0.0.0.0 (in the IPv4 network) or :: (in the IPv6 network), the interface does not have an IP address yet. In the IPv4 network, this screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). In the IPv6 network, this screen also shows whether the IP address is a static IP address (STATIC), link l |
301. Each field is explained in the following table.

Table 65 Configuration > Network > Interface > VLAN > Add/Edit

| LABEL | DESCRIPTION |
| --- | --- |
| IPv4/IPv6 View / IPv4 View / IPv6 View | Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. |
| Show / Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields. |
| Create New Object | Click this button to create a DHCPv6 request object that you may use for the DHCPv6 settings in this screen. |
| General Settings | |
| Enable | Select this to turn this interface on. Clear this to disable this interface. |
| Interface Properties | |
| Interface Name | This field is read-only if you are editing an existing VLAN interface. Enter the number of the VLAN interface. You can use a number from 0~4094. For example, vlan0, vlan8, and so on. |
| VID | Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 - 4094. (0 and 4095 are reserved.) |
| Zone | Select the zone to which the VLAN interface belongs. |
| Description | Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and S_ characters, and it can be up to 60 characters long. |
| Member | Use |
302. en Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user.

| LABEL | DESCRIPTION |
| --- | --- |
| User Lockout Settings | |
| Enable logon retry limit | Select this check box to set a limit on the number of times each user can login unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time. |
| Maximum retry count | This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can login unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99. |
| Lockout period | This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait to try to login again, if logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days). |
| Dynamic Guest Settings | |
| Add | Click this to create a new entry. |
| Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. |
| Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group. |
| Object Reference | Select an entry and click Object Reference to open a screen that shows which settings use the entry. |
| # | This field i |
303. en with an in-depth list of information about the certificate.

| LABEL | DESCRIPTION |
| --- | --- |
| Remove | The NXC keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action. |
| Object Reference | You cannot delete certificates that any of the NXC's features are configured to use. Select an entry and click Object Reference to open a screen that shows which settings use the entry. |
| # | This field displays the certificate index number. The certificates are listed in alphabetical order. |
| Name | This field displays the name used to identify this certificate. |
| Subject | This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. |
| Issuer | This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field. |
| Valid From | This field displays the date that the certificate becomes applicable. |
| Valid To | This |
304. enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 222 Comparison of EAP Authentication Types

| | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP | LEAP |
| --- | --- | --- | --- | --- | --- |
| Mutual Authentication | No | Yes | Yes | Yes | Yes |
| Certificate - Client | No | Yes | Optional | Optional | No |
| Certificate - Server | No | Yes | Yes | Yes | No |
| Dynamic Key Exchange | No | Yes | Yes | Yes | Yes |
| Credential Integrity | None | Strong | Strong | Strong | Moderate |
| Deployment Difficulty | Easy | Hard | Moderate | Moderate | Moderate |
| Client Identity Protection | No | No | Yes | Yes | No |

WPA and WPA2
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both an AP and the wireless clients support WPA2 and you have an external RADIUS ser
305. ense, please go to portal.myzyxel.com.

The following table describes the labels in this screen.

Table 47 Configuration > Licensing > Registration > Service

| LABEL | DESCRIPTION |
| --- | --- |
| License Status | |
| # | This is the entry's position in the list. |
| Service | This lists the services that are available on the NXC. |
| Status | This field displays whether this is a default service (Default) or an activated license upgrade (Licensed). |
| Registration Type | This field displays standard when you registered a service with your iCard's PIN number. |
| Expiration Date | This field displays the date your service expires. |
| Count | This field displays how many managed APs the NXC can support with your current license. This field does not apply to the other services. |
| License Refresh | |
| Service License Refresh | Click this button to renew service license information (such as the registration status and expiration day). |

Chapter 7 Wireless

7.1 Overview
Use the Wireless screens to configure how the NXC manages the Access Points that are connected to it.

7.1.1 What You Can Do in this Chapter
The Controller screen (Section 7.2 on page 93) sets how the NXC allows new APs to connect to the network.
The AP Management screen (Section 7.3 on page 93) manages all of the APs connected to the NXC.
The MON Mode screen (Sectio
306. entry's settings.

| LABEL | DESCRIPTION |
| --- | --- |
| Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group. |
| Object Reference | Select an entry and click Object Reference to open a screen that shows which settings use the entry. |
| # | This field is a sequential value, and it is not associated with a specific user group. |
| Group Name | This field displays the name of each user group. |
| Description | This field displays the description for each user group. |
| Member | This field lists the members in the user group. Each member is separated by a comma. |

17.3.1 Add/Edit Group
This screen allows you to add a new user group or edit an existing one. To access this screen, go to the Group screen and click either the Add icon or an Edit icon.

Figure 113 Configuration > User/Group > Group > Add/Edit Group

The following table describes the labels in this screen.

Table 101 Configuration > User/Group > Group > Add/Edit Group

| LABEL | DESCRIPTION |
| --- | --- |
| Name | Type the name for this user group. You may use 1-31 alphanumeric characters, underscores or dashes |
307. ents the number of connected wireless clients.

| LABEL | DESCRIPTION |
| --- | --- |
| x-axis | The x-axis shows the time over which a wireless client was connected. |
| Last Update | This field displays the date and time the information in the window was last updated. |
| OK | Click this to close this window. |
| Cancel | Click this to close this window. |

5.13 ZyMesh Link Info
Use this screen to view the ZyMesh (WDS) traffic statistics between the managed APs. Click Monitor > Wireless > All ZyMesh AP > ZyMesh Link Info to access this screen.

Figure 37 Monitor > Wireless > All ZyMesh AP > ZyMesh Link Info

The following table describes the labels in this screen.

Table 40 Monitor > Wireless > All ZyMesh AP > ZyMesh Link Info

| LABEL | DESCRIPTION |
| --- | --- |
| # | This is the index number of the managed AP in this list. |
| IP Address | This is the IP address of the managed AP. |
| MAC Address | This is the MAC address of the managed AP. |
| Root AP MAC | This is the MAC address of the root AP to which the managed AP is connected wirelessly. |
| Uplink AP Role | This shows whether the managed AP to which this managed AP is connected wirelessly is acting as a root AP or repeater in a ZyMesh. |
| Uplink AP Info | This shows the information about the managed AP to which this managed AP is connect |
308. er added a new ISP account profile. 1st %s: profile type, 2nd %s: profile name.

Table 207 Force Authentication Logs

| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| Force User Authentication will be enabled due to http server is enabled. | Force user authentication will be turned on because HTTP server was turned on. |
| Force User Authentication will be disabled due to http server is disabled. | Force user authentication will be turned off because HTTP server was turned off. |
| Force User Authentication may not work properly | |

Table 208 File Manager Logs

| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| ERROR %s %s | Apply configuration failed; this log shows what the CLI command is and what the error message is. 1st %s is the CLI command, 2nd %s is the error message when applying the CLI command. |
| WARNING %s %s | Apply configuration failed; this log shows what the CLI command is and what the warning message is. 1st %s is the CLI command, 2nd %s is the warning message when applying the CLI command. |
| ERROR %s %s | Run script failed; this log shows what the wrong CLI command is and what the error message is. 1st %s is the CLI command, 2nd %s is the error message when applying the CLI command. |
| WARNING %s %s | Run script failed; this log shows what the wrong CLI command is and what the warning message is. 1st %s is the CLI command, 2nd %s is the warning message when applying the CLI command. |
| Reset | |
309. er-defined lease time field in this screen, Lease time field in the User Add/Edit screen, Lease time field in the Setting Edit screen.

| LABEL | DESCRIPTION |
| --- | --- |
| Updating lease time automatically | This box appears if you checked the Allow renewing lease time automatically box in the Setting screen. Access users can select this check box to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time. |
| Remaining time before lease timeout | This field displays the amount of lease time that remains, though the user might be able to reset it. |
| Remaining time before auth. timeout | This field displays the amount of time that remains before the NXC automatically logs the access user out, regardless of the lease time. |
| Remaining time before session timeout | This field displays how much longer the user can use the session before the NXC automatically logs the access user out. |

17.4.4 Guest Manager Login Example
To create dynamic guest accounts, enter the guest manager account information in the Web Configurator login screen. After you log in successfully, the following guest manager screen appears.

Figure 118 Guest Manager Login

The following table describes the labels in this screen.

Table 106 Guest Manager Login
311. er or ext-group-user type.

| LABEL | DESCRIPTION |
| --- | --- |
| Group Identifier | This field is available for a ext-group-user type user account. Specify the value of the AD or LDAP server's Group Membership Attribute that identifies the group to which this user belongs. |
| Associated AAA Server Object | This field is available for a ext-group-user type user account. Select the AAA server to use to authenticate this account's users. |
| Description | Enter the description of each user, if any. You can use up to 60 printable ASCII characters. Default descriptions are provided. |
| Authentication Timeout Settings | If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings, then fill your preferred values in the fields that follow. |
| Lease Time | Enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires. |
| Reauthentication Time | Type the number of minutes this user can be logged into the NXC in one session before the user has to log i |
312. er the device.
Service: View the licensed service status and upgrade licensed services.
Wireless > Controller > Configuration: Configure how the NXC handles APs that newly connect to the network.
AP Management > Mgnt AP List: Edit wireless AP information, remove APs, and reboot them.
AP Policy: Configure the AP controller's IP address on the managed APs and determine the action the managed APs take if the current AP controller fails.
MON Mode > Rogue/Friendly AP List: Configure how the NXC monitors for rogue APs.
Load Balancing: Configure load balancing for traffic moving to and from wireless clients.
DCS: Configure dynamic wireless channel selection.
Auto Healing: Enable auto healing to extend the wireless service coverage area of the managed APs when one of the APs fails.
Network > Interface > Ethernet: Manage Ethernet interfaces and virtual Ethernet interfaces.
VLAN: Create and manage VLAN interfaces and virtual VLAN interfaces.
Routing > Policy Route: Create and manage routing policies.
Static Route: Create and manage IP static routing information.
Zone: Configure zones used to define various policies.
NAT: Set up and manage port forwarding rules.
ALG: Configure FTP pass-through settings.
IP/MAC Binding > Summary: Configure IP to MAC address bindings for devices connected to each supported interface.
Exempt List: Configure ranges of IP addresses to which the NXC does n
313. er the end of the range of translated destination ports if this NAT rule forwards the packet. The original port range and the mapped port range must be the same size.

| LABEL | DESCRIPTION |
| --- | --- |
| Enable NAT Loopback | Enable NAT loopback to allow users connected to any interface (instead of just the specified Incoming Interface) to use the NAT rule's specified Original IP address to access the Mapped IP device. For users connected to the same interface as the Mapped IP device, the NXC uses that interface's IP address as the source address for the traffic it sends from the users to the Mapped IP device. For example, if you configure a NAT rule to forward traffic from the WAN to a LAN server, enabling NAT loopback allows users connected to other interfaces to also access the server. For LAN users, the NXC uses the LAN interface's IP address as the source address for the traffic it sends to the LAN server. If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule's specified incoming interface. |
| OK | Click OK to save your changes back to the NXC. |
| Cancel | Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists). |

11.3 Technical Reference
The following section contains additional technical information about the features described in this chapter.

NAT Loopback
Suppose a NAT 1:1 r
314. er up to 16 characters (a-z, A-Z, 0-9, and _) with no spaces allowed. The first character must be alphabetical (a-z, A-Z).

| LABEL | DESCRIPTION |
| --- | --- |
| Code | This field displays the code number of the selected DHCP option. If you selected User Defined in the Option field, enter a number for the option. This field is mandatory. |
| Type | This is the type of the selected DHCP option. If you selected User Defined in the Option field, select an appropriate type for the value that you will enter in the next field. Only advanced users should configure User Defined. Misconfiguration could result in interface lockout. |

Table 62 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

| LABEL | DESCRIPTION |
| --- | --- |
| Value | Enter the value for the selected DHCP option. For example, if you selected TFTP Server Name (66) and the type is TEXT, enter the DNS domain name of a TFTP server here. This field is mandatory. |
| First IP Address, Second IP Address, Third IP Address | If you selected Time Server (4), NTP Server (42), SIP Server (120), CAPWAP AC (138), or TFTP Server (150), you have to enter at least one IP address of the corresponding servers in these fields. The servers should be listed in order of your preference. |
| First Enterprise ID, Second Enterprise ID | If you selected VIVC (124) or VIVS (125), you have to enter at least one vendor's 32 |
315. erface name. DHCP Server on Interface %s will be reapplied due to Device HA status is Active: When an interface has become the HA master, the DHCP server needs to start operating. %s is interface name. NXC Series User's Guide, Appendix A Log Descriptions. Table 199 Built-in Services Logs (continued). LOG MESSAGE / DESCRIPTION. DHCP's DNS option %s has changed: DHCP pool's DNS option support from WAN interface. If this interface is unlink/disconnect or link/connect, this log will be shown. %s is interface name. The DNS option of DHCP pool has retrieved from it. Set timezone to %s: An administrator changed the time zone. %s is time zone value. Set timezone to default: An administrator changed the time zone back to the default (0). Enable daylight saving: An administrator turned on daylight saving. Disable daylight saving: An administrator turned off daylight saving. DNS access control rules have been reached the maximum number: An administrator tried to add more than the maximum number of DNS access control rules (64). rule %u has been moved to %d. DNS access control rule %u of DNS has been appended: An administrator added a new rule. %u is rule number. DNS access control rule %u has been inserted: An administrator inserted a new rule. %u is rule number. DNS access control An administrator a
316. erfaces Figure 71 Configuration > Network > Interface > VLAN > Add/Edit [screenshot of the Add VLAN screen: General Settings, Member Configuration, IP Address Assignment, IPv6 Address Assignment, DHCP Setting, Connectivity Check and Related Setting sections]
317. ers for the NXC to bind or log in to the AD or LDAP server. Retype to Confirm: Retype your new password for confirmation. Login Name Attribute: Enter the type of identifier the users are to use to log in. For example, "name" or "e-mail address". Alternative Login Name Attribute: If there is a second type of identifier that the users can use to log in, enter it here. For example, "name" or "e-mail address". Group Membership Attribute: Enter the name of the attribute that the NXC is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named "memberOf" with values like "sales", "RD", and "management". Then you could also create an ext-group-user user object for each group: one with "sales" as the group identifier, another for "RD", and a third for "management". Enable: Select this to enable domain authentication for MSChap. MS-CHAP (Microsoft CHAP, Challenge Handshake Authentication Protocol) uses a challenge-response mechanism where the response is encrypted. Note: This is only for Active Directory. User Name: Enter the user name for the user who has rights to add a machine to the domain. Note: This is only for Active Directo
318. erver uses LDAP (Lightweight Directory Access Protocol). LDAP is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates. Address: Type the IP address (in dotted decimal notation) of the directory server. Port: Use this field to specify the LDAP server port number. You must use the same server port number that the directory server uses. 389 is the default server port number for LDAP. The NXC may need to authenticate itself in order to access the CRL directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority). Password: Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority). Certificate Information: These read-only fields display detailed information about the certificate. Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates. Version: This field displays the X.509 version number. Serial Number: This field displays the certificate's identification num
319. es: disable all logs (red X): do not send the remote server logs for any log category. enable normal logs (green check mark): send the remote server log messages and alerts for all log categories. enable normal logs and debug logs (yellow check mark): send the remote server log messages, alerts, and debugging information for all log categories. This field is a sequential value, and it is not associated with a specific address. Log Category: This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. Selection: Select what information you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X): do not log any information from this category. enable normal logs (green check mark): log regular information and alerts from this category. enable normal logs and debug logs (yellow check mark): log regular information, alerts, and debugging information from this category. OK: Click this to save your changes and return to the previous screen. Cancel: Click this to return to the previous screen without saving your changes. 29.3.5 Log Category Settings: This screen allows you to view and to edit what information is included in the system log, USB storage, e-mail profiles, and remote servers at the same time. It does not let you chan
320. es, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and the receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Notices: Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada. Viewing Certifications: Go to http://www.zyxel.com to view this product's documentation and certifications. ZyXEL Limited Warranty: ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with y
321. eset: Click Reset to return the screen to its last saved settings. 7.4.1 Add/Edit Rogue/Friendly List: Select an AP and click the Edit button in the Configuration > Wireless > MON Mode table to display this screen. Figure 54 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly [screenshot of the Edit Rogue/Friendly AP List window]. Each field is described in the following table. Table 55 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly. LABEL / DESCRIPTION. MAC Address: Enter the MAC address of the AP you want to add to the list. A MAC address is a unique hardware identifier in the following hexadecimal format: xx:xx:xx:xx:xx:xx, where xx is a hexadecimal number separated by colons. Description: Enter up to 60 characters for the AP's description. Spaces and underscores are allowed. Role: Select either Rogue AP or Friendly AP for the AP's role. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to close the window with changes unsaved. NXC Series User's Guide, Chapter 7 Wireless. 7.5 Load Balancing: Use this screen to configure wireless network traffic load balancing between the APs on your network. Click Configuration > Wireless > Load Balancing to access this screen. Figure 55 Configuration > Wirele
322. et IDentifier is basically the name of the wireless network to which a wireless client can connect. The SSID appears as readable text to any device capable of scanning for wireless frequencies (such as the WiFi adapter in a laptop), and is displayed as the wireless network name when a person makes a connection to it. To access this screen, click Configuration > Object > AP Profile > SSID. NXC Series User's Guide, Chapter 18 AP Profile. Note: You can have a maximum of 32 SSID profiles on the NXC. Figure 125 Configuration > Object > AP Profile > SSID List [screenshot of the SSID Summary table]. The following table describes the labels in this screen. Table 112 Configuration > Object > AP Profile > SSID List. LABEL / DESCRIPTION. Add: Click this to add a new SSID profile. Edit: Click this to edit the selected SSID profile. Remove: Click this to remove the selected SSID profile. Object Reference: Click this to view which other objects are linked to the selected SSID profile (for example, radio profile). This field is a sequential value, and it is not associated with a specific profile. Profile Name: This field indicates the name assigned t
323. ettings: Enable FTP ALG; Enable FTP Transformations; FTP Signaling Port (1-65535); Additional FTP Signaling Port for Transformations (1-65535, Optional). The following table describes the labels in this screen. Table 78 Configuration > Network > ALG. LABEL / DESCRIPTION. Enable FTP ALG: Turn on the FTP ALG to detect FTP (File Transfer Program) traffic and help build FTP sessions through the NXC's NAT. Enable FTP Transformations: Select this option to have the NXC modify IP addresses and port numbers embedded in the FTP data payload to match the NXC's NAT environment. Clear this option if you have an FTP device or server that will modify IP addresses and port numbers embedded in the FTP data payload to match the NXC's NAT environment. FTP Signaling Port: If you are using a custom TCP port number (not 21) for FTP traffic, enter it here. Additional FTP Signaling Port for Transformations: If you are also using FTP on an additional TCP port number, enter it here. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. 12.3 Technical Reference: The following section contains additional technical information about the features described in this chapter. FTP: File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system runn
324. eturn the screen to its last saved settings. NXC Series User's Guide, Chapter 28 System. 28.11.4 Adding or Editing an SNMPv3 User Profile: This screen allows you to add or edit an SNMPv3 user profile. To access this screen, click the Configuration > System > SNMP screen's Add button or select a SNMPv3 user profile from the list and click the Edit button. Figure 194 Configuration > System > SNMP > Add [screenshot of the Add SNMPv3 User window]. The following table describes the labels in this screen. Table 168 Configuration > System > SNMP. LABEL / DESCRIPTION. User Name: Select the user name of the user account for which this SNMPv3 user profile is configured. Authentication: Select the type of authentication the SNMPv3 user must use to connect to the NXC using this SNMPv3 user profile. Select MD5 to require the SNMPv3 user's password be encrypted by MD5 for authentication. Select SHA to require the SNMPv3 user's password be encrypted by SHA for authentication. Privacy: Select the type of encryption the SNMPv3 user must use to connect to the NXC using this SNMPv3 user profile. Select NONE to not encrypt the SNMPv3 communications. Select DES to use DES to encrypt the SNMPv3 communications. Select AES to use AES to encrypt the SNMPv3 communications. Privilege: Select whether the SNMP
325. evice started device registration. Do trial service activation: The device started trial service activation. Do standard service activation: The device started standard service activation. Do expiration check: The device started the service expiration day check. Build query message has failed: Some information was missing in the packets that the device sent to the MyZyXEL.com server. Parse receive messag has failed: The device cannot parse the response returned by the MyZyXEL.com server. Maybe some required fields are missing. Resolve server IP has failed. Update stop: The update has stopped because the device couldn't resolve the myZyXEL.com server's FQDN to an IP address through gethostbyname. Verify server's certificate has failed. Update stop: The device could not process an HTTPS connection because it could not verify the myZyXEL.com server's certificate. The update has stopped. NXC Series User's Guide, Appendix A Log Descriptions. Table 196 Registration Logs (continued). LOG MESSAGE / DESCRIPTION. Send download request to update server has failed: The device's attempt to send a download message to the update server failed. Get server respons has failed: The device sent packets to the MyZyXEL.com server, but did not receive a response. The root cause may be that the connection is abnormal. Timeout for get server respons
326. ew AP Log [screenshot of the View AP Log screen with the AP Selection, Log Query Information and Logs sections]. The following table describes the labels in this screen. Table 44 Monitor > Log > View AP Log. LABEL / DESCRIPTION. Show/Hide Filter: Click this to show or hide the AP log filter. Select an AP: Select an AP from the list and click Query to view its log messages. Log Query Status: This indicates the current log query status. init: Indicates the query has not been initialized. querying: Indicates the query is in process. fail: Indicates the query failed. success: Indicates the query succeeded. AP Information: This displays the MAC address for the selected AP. Log File Status: This indicates the status of the AP's log messages. Last Log Query Time: This indicates the last time the AP was queried for its log messages. Display: Select the log file from the specified AP that you want displayed. Note: This criterion only appears when you Show Filter. NXC Series User's Guide, Chapter 5 Monitor. Table 44 Monitor
327. example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN. From any displays all the firewall rules for traffic going to the selected To Zone. To any displays all the firewall rules for traffic coming from the selected From Zone. From any to any displays all of the firewall rules. To EnterpriseWLAN rules are for traffic that is destined for the NXC and control which computers can manage the NXC. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Move: To change a rule's position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule, and press ENTER to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. Status: This icon is lit
328. f minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires. NXC Series User's Guide, Chapter 17 User/Group. Table 103 User/Group > Setting > Edit User Authentication Timeout Settings (continued). LABEL / DESCRIPTION. Reauthentication Time: Type the number of minutes this type of user account can be logged into the NXC in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes. 17.4.2 Add/Edit Dynamic Guest Group: This screen allows you to create a dynamic guest group or edit an existing one. To access this screen, go to the Configuration > Object > User/Group > Setting screen and click either the Add icon
329. face %s MAC %s: A wireless client used an incorrect WPA or WPA2 user password and failed authentication by the NXC's local user database while trying to connect to the specified WLAN interface (first %s). The MAC address of the wireless client is listed (second %s). NXC Series User's Guide, Appendix A Log Descriptions. Table 205 WLAN Logs (continued). LOG MESSAGE / DESCRIPTION. Incorrect username or password for WPA or WPA2 enterprise internal authentication Interface %s MAC %s: A wireless client used an incorrect WPA or WPA2 user name or user password and failed authentication by the NXC's local user database while trying to connect to the specified WLAN interface (first %s). The MAC address of the wireless client is listed (second %s). System internal error %s STA %s could not extract EAP Message from RADIUS message: There was an error when attempting to extract the EAP Message from a RADIUS message. The first %s is the WLAN interface. The second %s is the MAC address of the wireless client. Table 206 Account Logs. LOG MESSAGE / DESCRIPTION. Account %s %s has been deleted: A user deleted an ISP account profile. 1st %s: profile type, 2nd %s: profile name. Account %s %s has been changed: A user changed an ISP account profile's options. 1st %s: profile type, 2nd %s: profile name. Account %s %s has been added: A us
330. fault configuration. 34.2 Shutdown: To access this screen, click Maintenance > Shutdown. Figure 231 Maintenance > Shutdown [screenshot of the Shutdown screen]. Shutdown: Click the Shutdown button to shut down the NXC. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the NXC. NXC Series User's Guide. 35 Troubleshooting. 35.1 Overview: This chapter offers some suggestions to solve problems you might encounter. 35.1.1 General: This section provides a broad range of troubleshooting tips for your device. None of the LEDs turn on: Make sure that you have the power cord connected to the NXC and plugged in to an appropriate power source. Make sure that you have both power cords connected to the NXC and plugged into appropriate power sources. Make sure you have both of the NXC's power switches turned on. Make sure you have the NXC turned on. Check all cable connections. If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact your local vendor. Cannot access the NXC from the LAN: Check the cable connection between the NXC and your computer or switch. Ping the NXC from a LAN computer. Make sure your computer's Ethernet card is installed and functioning properly. Also make sure that its IP addre
331. fe80 2d0 59 6e5b8 103c 4 Default Gateway 10.1.1.254. IPv6 is installed and enabled by default in Windows Vista. Use the ipconfig command to check your automatically configured IPv6 address as well. You should see at least one IPv6 address available for the interface on your computer. Example: Enabling DHCPv6 on Windows XP. Windows XP does not support DHCPv6. If your network uses DHCPv6 for IP address assignment, you have to additionally install DHCPv6 client software on your Windows XP computer. Note: If you use static IP addresses or Router Advertisement for IPv6 address assignment in your network, ignore this section. This example uses Dibbler as the DHCPv6 client. To enable the DHCPv6 client on your computer: 1. Install Dibbler and select the DHCPv6 client option on your computer. 2. After the installation is complete, select Start > All Programs > Dibbler DHCPv6 > Client Install as service. 3. Select Start > Control Panel > Administrative Tools > Services. 4. Double click Dibbler a DHCPv6 client. NXC Series User's Guide, Appendix E IPv6. [Screenshot of the Windows Services window with the "Dibbler a DHCPv6 client" service selected]
332. fic profile. MAC: This field specifies a MAC address associated with this profile. Description: This field displays a description for the MAC address associated with this profile. You can click the description to make it editable. Enter up to 60 characters; spaces and underscores allowed. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes. NXC Series User's Guide. MON Profile. 19.1 Overview: This screen allows you to set up monitor mode configurations that allow your connected APs to scan for other wireless devices in the vicinity. Once detected, you can use the MON Mode screen (Chapter 7 on page 92) to classify them as either rogue or friendly and then manage them accordingly. 19.1.1 What You Can Do in this Chapter: The MON Profile screen (Section 19.2 on page 228) creates preset monitor mode configurations that can be used by the APs. 19.1.2 What You Need To Know: The following terms and concepts may help as you read this chapter. Active Scan: An active scan is performed when an 802.11-compatible wireless monitoring device is explicitly triggered to scan a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies by sending probe request frames. Passive Scan: A passive scan is performed when an 802.11-compatible monitoring device is set to periodically listen to a specified channel or number of channels fo
333. field displays the date that the certificate expires. The text displays in red and includes an Expired message if the certificate has expired. Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the NXC. Refresh: Click this button to display the current validity status of the certificates. NXC Series User's Guide, Chapter 26 Certificates. 26.3.1 Edit Trusted Certificates: Click Configuration > Object > Certificate > Trusted Certificates and then a certificate's Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate's name, and set whether or not you want the NXC to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority. Figure 163 Configuration > Object > Certificate > Trusted Certificates > Edit [screenshot of the Edit Trusted Certificates screen with the Configuration, Certificate Validation and Certificate Information sections]
334. figurator. 4. Click Login. If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears. This screen appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. 3.3 The Main Screen: This guide uses the NXC5500 screens as an example. The screens may vary slightly for different models. NXC Series User's Guide, Chapter 3 The Web Configurator. The Web Configurator's main screen is divided into these parts. Figure 8 The Web Configurator's Main Screen [screenshot of the dashboard]
335. figured in this screen. You can configure the NXC while a packet capture is in progress, although you cannot modify the packet capture settings. The NXC's throughput or performance may be affected while a packet capture is in progress. After the NXC finishes the capture, it saves a separate capture file for each selected interface. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. Once the flash storage space is full, adding more packet captures will fail. Stop: Click this button to stop a currently running packet capture and generate a separate capture file for each selected interface. Reset: Click this button to return the screen to its last saved settings. 31.3.1 Packet Capture Files: Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capture files screen. This screen lists the files of packet captures stored on the NXC or a connected USB storage device. You can download the files to your computer, where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. Figure 215 Maintenance > Diagnostics > Packet Capture > Files [screenshot of the Captured Packet Files lists]
336. firewall 186 and FTP 316 and NAT 140 150 and policy routes 139 and SNMP 320 and SSH 312 and Telnet 314 and WWW 303 HOST 236 RANGE 236 SUBNET 236 types of 236 address record 294 admin users 190 multiple logins 200 see also users 190 Advanced Encryption Standard see AES AES 432 alerts 328 332 333 334 337 338 339 ALG 154 and NAT 154 FTP 154 AP Access Point 426 Application Layer Gateway see ALG applications 18 asymmetrical routes 182 allowing through the firewall 184 authentication LDAP AD 253 server 251 authentication method objects 263 and users 191 and WWW 302 create 264 Authentication server NXC Series User s Guide Index RADIUS client 323 authentication server 321 Authentication Authorization Accounting servers see AAA server authorization server 251 B backing up configuration files 343 Base DN 254 Basic Service Set See BSS 424 Bind DN 254 258 boot module 348 BSS 424 C CA 431 and certificates 267 CA Certificate Authority see certificates Calling Station ID 221 captive portal 161 authentication 161 page 161 type 162 CEF Common Event Format 329 337 cellular status 70 Certificate Authority CA 431 see certificates Certificate Management Protocol CMP 273 Certificate Revocation List CRL 267 vs OCSP 282 certificates 266 advantages of 267 and CA 267 and FTP 315 and HTTPS 299 and SSH 312 and WWW 301 certification path 267 275 280 expired 267 facto
337. fore making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. NXC Series User's Guide, Chapter 30 File Manager. Configuration File Flow at Restart: • If there is not a startup-config.conf when you restart the NXC (whether through a management interface or by physically turning the power off and back on), the NXC uses the system-default.conf configuration file with the NXC's default settings. • If there is a startup-config.conf, the NXC checks it for errors and applies it. If there are no errors, the NXC uses it and copies it to the lastgood.conf configuration file as a back up file. If there is an error, the NXC generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the NXC applies the system-default.conf configuration file. You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The NXC ignores any errors in the startup-config.conf file and applies all of the valid commands. The NXC still generates a log for any errors. Figure 206 Maintenance > File Manager > Configuration File [screenshot of the Configuration Files list]
338. g Consolidation. Active: Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text count=x, where x is the number of original log messages, is appended at the end of the Message field when multiple log messages were aggregated. Log Consolidation Interval: Type how often, in seconds, to consolidate log information. If the same log message appears multiple times, it is aggregated into one log message with the text count=x, where x is the number of original log messages, appended at the end of the Message field. OK: Click this to save your changes and return to the previous screen. Cancel: Click this to return to the previous screen without saving your changes. 29.3.3 Edit USB Storage Log Settings: The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Settings Summary screen and click the USB storage Edit icon. NXC Series User's Guide, Chapter 29 Log and Report. Figure 202 Configuration > Log & Report > Log Settings > Edit USB Storage [screenshot of the Edit Log on USB Storage Setting window]
339. g an existing VLAN. Enter the number of the VLAN. You can use a number from 0 to 4095. For example, vlan0, vlan8, and so on. VID: Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 to 4094 (0 and 4095 are reserved). Member Configuration: Use these settings to assign ports to this VLAN as members. Edit: Click this to edit the selected port's membership values. This is a sequential indicator of the port number. Port Name: This indicates the port name. Member: This indicates whether the selected port is a member or not of the VLAN which is currently being edited. Click this field to edit the value. Tx Tagging: This indicates whether the selected port tags outbound traffic with this VLAN's ID. Click this field to edit the value. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to close the window with changes unsaved. 7.3.4 AP Policy. Use this screen to configure the AP controller's IP address on the managed APs and determine the action the managed APs take if the current AP controller fails. Click Configuration > Wireless > AP Management > AP Policy to access this screen. Figure 52 Configuration > Wireless > AP Management > AP Policy
340. g data the collection period displays to the right. The progress is not tracked here real-time, but you can click the Refresh button to update it. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings. Statistics. Interface: Select the interface from which to collect information. You can collect information from Ethernet or VLAN interfaces. Sort By: Select the type of report to display. Choices are: Host IP Address/User displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port displays the most-used protocols or service ports and the amount of traffic for each one. Web Site Hits displays the most-visited Web sites and how many times each one has been visited. Each type of report has different information in the report (below). Refresh: Click this button to update the report display. Flush Data: Click this button to discard all of the screen's statistics and update the report display. These fields are available when the report type is Host IP Address/User. Table 27 Monitor > System Status > Traffic Statistics (continued) (LABEL: DESCRIPTION). This field is the rank of each record. The IP addresses and users are sorted by the amount of traffic. Direction: This field indicates whether the IP address or user is sending or receiving t
341. ge other log settings, for example, where and how often log information is e-mailed or remote server names. To access this screen, go to the Log Settings Summary screen, and click the Log Category Settings button. Figure 204 Configuration > Log & Report > Log Settings > Log Category Settings
342. gned to physical port 1, the second MAC address is assigned to physical port 2, and so on. Firmware Version: This field displays the version number and date of the firmware the NXC is currently running. Click the link to open the screen where you can upload firmware. System Status. System Uptime: This field displays how long the NXC has been running since it last restarted or was turned on. Current Date/Time: This field displays the current date and time in the NXC. The format is yyyy-mm-dd hh:mm:ss. Click the link to open the screen where you can configure the NXC's date and time. DHCP Table: This field displays the number of IP addresses the NXC has assigned via DHCP. Click the link to look at the IP addresses currently assigned to the NXC's DHCP clients and the IP addresses reserved for specific MAC addresses. Current Login User: This field displays the user name used to log in to the current session, the amount of reauthentication time remaining, and the amount of lease time remaining. Number of Login Users: This field displays the number of users currently logged in to the NXC. Click the link to pop open a list of the users who are currently logged in to the NXC. Table 18 Dashboard (continued) (LABEL: DESCRIPTION). Boot Status: This field displays details about the NXC's startup state. OK: The NXC started up successfully. Firmware upd
343. > Network and Sharing Center > Local Area Connection. 2. Select the Internet Protocol Version 6 (TCP/IPv6) checkbox to enable it. 3. Click OK to save the change. 4. Click Close to exit the Local Area Connection Status screen. 5. Select Start > All Programs > Accessories > Command Prompt. 6. Use the ipconfig command to check your dynamic IPv6 address. This example shows a global address (2001 b021 2d 1000) obtained from a DHCP server. C:\>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix: IPv6 Address: 2001 b6b021 2d 1000 Link-local IPv6 Address: fe80 25d8 dcab c80a 5189 11 IPv4 Address: 172.16.100.61 Subnet Mask: 255.255.255.0 Default Gateway: e80 213 49 eaa 7125 11 172.16.100.254
344. guration. Enable: Select this to activate the policy. Description: Enter a descriptive name of up to 60 printable ASCII characters for the policy. Criteria. User: Select a user name or user group from which the packets are sent. Table 69 Configuration > Network > Routing > Policy Route > Add/Edit (continued) (LABEL: DESCRIPTION). Incoming: Select where the packets are coming from: any, an interface, or the NXC itself (EnterpriseWLAN). For an interface, you also need to select the individual interface. Please select one member: This field displays only when you set Incoming to Interface. Select an interface from which the packets are sent. Source Address: Select a source IP address object from which the packets are sent. Destination Address: Select a destination IP address object to which the traffic is being sent. DSCP Code: Select a DSCP code point value of incoming packets to which this policy route applies or select User Defined to specify another DSCP code point. The lower the number, the higher the priority, with the exception of 0, which is usually given only best-effort treatment. any means all DSCP value or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best-effort traffic. The af choices stand for Assured Forwarding. The number following the af identifies one of fou
345. Specify the new name for the shell script file. Use up to 25 characters (including a-zA-Z0-9 19s 6 amp 10). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. Remove: Click a shell script file's row to select it and click Delete to delete the shell script file from the NXC. A pop-up window asks you to confirm that you want to delete the shell script file. Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file. Download: Click a shell script file's row to select it and click Download to save the configuration to your computer. Table 182 Maintenance > File Manager > Shell Script (continued) (LABEL: DESCRIPTION). Copy: Use this button to save a duplicate of a shell script file on the NXC. Click a shell script file's row to select it and click Copy to open the Copy File screen. Specify a name for the duplicate file. Use up to 25 characters (including a-zA-Z0-9 19s 96 amp 10). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. Apply: Use this button to have the NXC use a specific shell script file. Click
346. h NXC zones. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. Move: To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed. This is the index number of the service control rule. The entry with a hyphen instead of a number is the NXC's (non-configurable) default policy. The NXC applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the NXC will not have to use the default policy. Zone: This is the zone on the NXC the user is allowed or denied to access. Address: This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action: This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny). Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to r
347. hat control when users have to log in to the NXC before the NXC routes traffic for them. 17.1.1 What You Can Do in this Chapter. The User screen (see Section 17.2 on page 193) lets you see, add, and edit user accounts. The Group screen (see Section 17.3 on page 196) provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. User groups may consist of access users and other user groups. You cannot put admin users in user groups. The Setting screen (see Section 17.4 on page 197) controls default settings, login settings, lockout settings, and other user settings for the NXC. You can also use this screen to specify when users must log in to the NXC before it routes traffic for them. The MAC Address screen (see Section 17.5 on page 206) lists all the mappings of MAC addresses to MAC address user accounts (MAC roles). 17.1.2 What You Need To Know. The following terms and concepts may help as you read this chapter. User Account: A user account defines the privileges of a user logged into the NXC. User accounts are used in controlling access to configuration and services in the NXC. User Types: These are the types of user accounts the NXC uses. Table 97 Types of User Accounts (TYPE / ABILITIES / LOGIN METHOD(S)). Admin Users. admin / Change NXC configuration (web, CLI) / WWW, TELNET, SSH, FTP, Console. limited-admin / Look at NXC configuration (web, CL
348. hat shows which settings use the entry. Move: To change an entry's position in a numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one. Working with Lists. When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the Shift or Ctrl key to select multiple entries, and then use the arrow button to move them to the other list. Figure 17 Working with Lists. PART II Technical Reference. Dashboard. 4.1 Overview. Use the Dashboard screens to check status information about the NXC. 4.1.1 What You Can Do in this Chapter. The main Dashboard screen (Section 4.2 on page 47) displays the NXC's general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information. The DHCP Table screen (Section 4.2.4 on page 54) displays the IP addresses currently assigned to DHCP clients and
349. hat the individual files were saved. 32 Packet Flow Explore. 32.1 Overview. Use this to get a clear picture on how the NXC determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot any related problems. 32.1.1 What You Can Do in this Chapter. The Routing Status screen (Section 32.2 on page 363) displays the overall routing flow and each routing function's settings. The SNAT Status screen (Section 32.3 on page 366) displays the overall source IP address conversion (SNAT) flow and each SNAT function's settings. 32.2 The Routing Status Screen. The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings. Click a function box in the Routing Flow section, the related routes (activated) will display in the Routing Table section. To access this screen, click Maintenance > Packet Flow Explore. The order of the routing flow may vary depending on whether you: select use policy route to override direct route in the CONFIGURATION > Network > Routing > Policy Route screen; use policy routes to control 1-1 NAT by using the policy control virtual server rules activate command. Note: Once a packet
350. havior in order to send packets through the appropriate interface. 9.1.1 What You Can Do in this Chapter. The Policy Route screens (Section 9.2 on page 135) list and configure policy routes. The Static Route screens (Section 9.3 on page 140) list and configure static routes. 9.1.2 What You Need to Know. The following terms and concepts may help as you read this chapter. Policy Routing: Traditionally, routing is based on the destination address only and the NXC takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing. How You Can Use Policy Routing. Source-Based Routing: Network administrators can use policy-based routing to direct traffic from different users through different connections. Cost Savings: IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic. Load Sharing: Network administrators can use IPPR to distribute traffic among multiple paths. Static Routes: The NXC usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the NXC send data to devices not reachable through the default gateway, use static routes
351. he DHCP server(s) may be on another network. DHCP Server: the NXC assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The NXC is the DHCP server for the network. These fields appear if the NXC is a DHCP Relay. Relay Server 1: Enter the IP address of a DHCP server for the network. Relay Server 2: This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the NXC is a DHCP Server. IP Pool Start Address: Enter the IP address from which the NXC begins allocating IP addresses. If you want to assign a static IP address to a specific computer, use the Static DHCP Table. If this field is blank, the Pool Size must also be blank. In this case, the NXC can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface's IP address. Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the NXC can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses. If this field is blank, the IP Pool Start Address must also be blank. In this case, the NXC can assign every IP address allowed by the interface's IP address and subnet mask, except for the first a
352. he NXC will attempt to use the secondary RADIUS server. For example, you set this field to 3. If the NXC does not get a response from the primary RADIUS server, it tries again up to three times. If there is no response, the NXC tries the secondary RADIUS server up to three times. If there is also no response from the secondary RADIUS server, the NXC stops attempting to authenticate the subscriber. The subscriber will see a message that says the RADIUS server was not found. Enable Accounting Interim update: Select this to have the NXC send subscriber status updates to the RADIUS server at the interval you specify. Interim Interval: Specify the time interval for how often the NXC is to send a subscriber status update to the RADIUS server. General Server Settings. Table 139 Configuration > Object > AAA Server > RADIUS > Add/Edit (continued) (LABEL: DESCRIPTION). Timeout: Specify the timeout period (between 1 and 300 seconds) before the NXC disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. NAS IP Address: If the RADIUS server requires the NXC to provide the Network Access Server IP address attribute with a specific value, enter it here. NAS Identifier: If the RADIUS server requires the NXC
353. Three channels are situated in such a way as to create almost no interference with one another if used exclusively: 1, 6 and 11. When an AP broadcasts on any of these three channels, it should not interfere with neighboring APs as long as they are also limited to the same trio. Figure 61 An Example Four-Channel Deployment. However, some regions require the use of other channels and often use a safety scheme with the following four channels: 1, 4, 7 and 11. While they are situated sufficiently close to both each other and the three so-called safe channels (1, 6 and 11) that interference becomes inevitable, the severity of it is dependent upon other factors: proximity to the affected AP, signal strength, activity, and so on. Finally, there is an alternative four-channel scheme for ETSI, consisting of channels 1, 5, 9, 13. This offers significantly less overlap than the other one. Figure 62 An Alternative Four-Channel Deployment. 7.8.2 Load Balancing. Because there is a hard upper limit on an AP's wireless bandwidth, load balancing can be crucial in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available ban
354. he labels in this screen. Table 132 Configuration > Object > Schedule (LABEL: DESCRIPTION). One Time. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific schedule. Name: This field displays the name of the schedule, which is used to refer to the schedule. Start Day: This field displays the date and time at which the schedule begins. Stop Day: This field displays the date and time at which the schedule ends. Recurring. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific schedule. Name: This field displays the name of the schedule, which is used to refer to the schedule.
355. he multicast traffic, although it also produces duplicate packets. Select Fixed Multicast Rate to send wireless multicast traffic at a single data rate. You must know the multicast application's bandwidth requirements and set it in the following field. Multicast Rate (Mbps): If you set the multicast transmission mode to fixed multicast rate, set the data rate for multicast traffic here. For example, to deploy 4 Mbps video, select a fixed multicast rate higher than 4 Mbps. MBSSID Settings: This section allows you to associate an SSID profile with the radio profile. Edit: Select an SSID and click this button to reassign it. The selected SSID becomes editable immediately upon clicking. SSID Profile: Indicates which SSID profile is associated with this radio profile. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes. 18.3 SSID. The SSID screens allow you to configure three different types of profiles for your networked APs: an SSID list, which can assign specific SSID configurations to your APs; a security list, which can assign specific encryption methods to the APs when allowing wireless clients to connect to them; and a MAC filter list, which can limit connections to an AP based on wireless clients' MAC addresses. 18.3.1 SSID List. This screen allows you to create and manage SSID configurations that can be used by the APs. An SSID, or Service S
356. he status of the USB ports. This field displays how many USB ports there are. Extension Slot: This field displays the name of each extension slot. Device: This field displays the name of the device connected to the extension slot (or none if no device is detected). Status: Ready: A USB storage device connected to the NXC is ready for the NXC to use. none: The NXC is unable to mount a USB storage device connected to the NXC. Top 5 Station: Displays the top 5 Access Points (AP) with the highest number of station (aka wireless client) connections. This field displays the rank of the station. AP MAC: This field displays the MAC address of the AP to which the station belongs. Max station: This field displays the maximum number of wireless clients that have connected to this AP. AP Description: This field displays the AP's description. The default description is AP followed by the AP's MAC address. System Resources. CPU Usage: This field displays what percentage of the NXC's processing capability is currently being used. Hover your cursor over this field to display the Show CPU Usage icon that takes you to a chart of the NXC's recent CPU usage. Table 18 Dashboard (continued) (LABEL: DESCRIPTION). Memory Usage: This field displays what percentage of the NXC's RAM is currently being used. Hover your cursor over this field to display th
357. Table 132 Configuration > Object > Schedule (continued) (LABEL: DESCRIPTION). Start Time: This field displays the time at which the schedule begins. Stop Time: This field displays the time at which the schedule ends. 23.2.1 Add/Edit Schedule One-Time Rule. The Add/Edit Schedule One-Time Rule screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen, and click either the Add icon or an Edit icon in the One Time section. Figure 147 Configuration > Object > Schedule > Add/Edit (One Time). The following table describes the labels in this screen. Table 133 Configuration > Object > Schedule > Add/Edit (One Time) (LABEL: DESCRIPTION). Configuration. Name: Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Date Time. StartDate: Specify the year, month, and day when the schedule begins. Year: 1900-2999. Month: 1-12. Day: 1-31 (it is not possible to specify illegal dates, such as February 31). StartTime: Specify the hour and minute when the schedule begins. Hour: 0-23. Minute: 0-59. StopDat
358. hich the NXC does not apply IP/MAC binding. Figure 89 Configuration > Network > IP/MAC Binding > Exempt List. The following table describes the labels in this screen. Table 82 Configuration > Network > IP/MAC Binding > Exempt List (LABEL: DESCRIPTION). Add: Click this to create a new entry. Edit: Click an entry or select it and click Edit to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. This is the index number of the IP/MAC binding list entry. Name: Enter a name to help identify this entry. Start IP: Enter the first IP address in a range of IP addresses for which the NXC does not apply IP/MAC binding. End IP: Enter the last IP address in a range of IP addresses for which the NXC does not apply IP/MAC binding. Apply: Click Apply to save your changes back to the NXC. Captive Portal. 14.1 Overview. A captive portal can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. As an added security measure, the NXC contains captive
359. his field is blank, the IP Pool Start Address must also be blank. In this case, the NXC can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface's IP address. First DNS Server, Second DNS Server, Third DNS Server: Specify the IP addresses up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses. Custom Defined: enter a static IP address. From ISP: select the DNS server that another interface received from its DHCP server. EnterpriseWLAN: the DHCP clients use the IP address of this interface and the NXC works as a DNS relay. First WINS Server, Second WINS Server: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Table 65 Configuration > Network > Interface > VLAN > Add/Edit (continued) (LABEL: DESCRIPTION). Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite: select this if IP addresses never expire. days, hours, and minutes: select this to enter how long IP addresses are valid
360. his is the object name of the IP address(es) with which the computer is allowed or denied to access. Action: This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny). Authentication. Client Authentication Method: Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Auth. method screen. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings. 28.7.5 Service Control Rules. Click Add or Edit in the Service Control table in a WWW, SSH, TELNET, FTP or SNMP screen to add a service control rule. Figure 180 Configuration > System > Service Control Rule > Add/Edit. The following table describes the labels in this screen. Table 162 Configuration > System > Service Control Rule > Add/Edit (LABEL: DESCRIPTION). Create new Object: Use this to configure any new settings objects that you need to use in this screen. Address Object: Select ALL to allow or deny any computer to communicate with the NXC using this service. Select a predefined address object to just allow or deny the computer with the IP address that you specified
361. ic between the APs. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes. Addresses. 21.1 Overview. Address objects can represent a single IP address or a range of IP addresses. 21.1.1 What You Can Do in this Chapter. The Address screen (Section 21.2 on page 236) provides a summary of all addresses in the NXC. The Address Group summary screen (Section 21.3 on page 238) and the Address Group Add/Edit screen maintain address groups in the NXC. 21.1.2 What You Need To Know. The following terms and concepts may help as you read this chapter. Addresses: Address objects and address groups are used in dynamic routes and firewall rules. Please see the respective sections for more information about how address objects and address groups are used in each one. Address groups are composed of address objects and address groups. The sequence of members in the address group is not important. 21.2 Address Summary. The address screens are used to create, maintain, and remove addresses. These are the types of address objects. HOST: a host address is defined by an IP Address. RANGE: a range address is defined by a Starting IP Address and an Ending IP Address. SUBNET: a network address is defined by a Network IP address and Netmask subnet mask.
362. ic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the NXC will not have to use the default policy. Zone: This is the zone on the NXC the user is allowed or denied to access. Address: This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action: This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny). Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings. 28.11 SNMP. Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your NXC supports SNMP agent functionality, which allows a manager station to manage and monitor the NXC through the network. The NXC supports SNMP version one (SNMPv1), version two (SNMPv2c), and version three (SNMPv3). The next figure illustrates an SNMP management operation. Figure 192 SNMP Management Model. An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the NXC). An agent translates the local management information from the manag
363. The following table describes the labels in this screen. Table 93: Configuration > Firewall. General Settings. Enable Firewall: Select this check box to activate the firewall. The NXC performs access control when the firewall is activated. Allow Asymmetrical Route: If an alternate gateway on the LAN has an IP address in the same subnet as the NXC's LAN IP address, return traffic may not go through the NXC. This is called an asymmetrical or "triangle" route. This causes the NXC to reset the connection, as the connection has not been acknowledged. Select this check box to have the NXC permit the use of asymmetrical route topology on the network (not reset the connection). Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the NXC. From Zone / To Zone: This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply. For
364. icast packets and the IP addresses of multicast groups the hosts want to join on its network. MLD snooping and MLD proxy are analogous to IGMP snooping and IGMP proxy in IPv4. MLD filtering controls which multicast groups a port can join. MLD Messages: A multicast router or switch periodically sends general queries to MLD hosts to update the multicast forwarding table. When an MLD host wants to join a multicast group, it sends an MLD Report message for that address. An MLD Done message is equivalent to an IGMP Leave message. When an MLD host wants to leave a multicast group, it can send a Done message to the router or switch. The router or switch then sends a group-specific query to the port on which the Done message is received to determine if other devices connected to this port should remain in the group. Example: Enabling IPv6 on Windows XP/2003/Vista. By default, Windows XP and Windows 2003 support IPv6. This example shows you how to use the ipv6 install command on Windows XP/2003 to enable IPv6. This also displays how to use the ipconfig command to see auto-generated IP addresses. [Terminal output, values garbled in the source: C:\>ipv6 install reports "Installing Succeeded"; C:\>ipconfig then lists "Windows IP Configuration" for "Ethernet adapter Local Area Connection" with Connection-specific DNS Suffix, IP Address, Subnet Mask and IP Address fields.]
365. icate itself to the NXC by sending the NXC a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the NXC. Server Certificate: Select a certificate the HTTPS server (the NXC) uses to authenticate itself to the HTTPS client. You must have certificates already configured in the My Certificates screen. Redirect HTTP to HTTPS: To allow only secure Web Configurator access, select this to redirect all HTTP connection requests to the HTTPS server. Admin/User Service Control: Admin Service Control specifies from which zones an administrator can use HTTPS to manage the NXC (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the NXC. User Service Control specifies from which zones a user can use HTTPS to log into the NXC. You can also specify the IP addresses from which the users can access the NXC. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. Move: To change an entry's position in the numbered list, select the method and click Move to
366. ich NXC zones. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. Move: To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it, and press ENTER to move the rule to the number that you typed. This is the index number of the service control rule. The entry with a hyphen instead of a number is the NXC's (non-configurable) default policy. The NXC applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the NXC will not have to use the default policy. Zone: This is the zone on the NXC the user is allowed or denied to access. Address: This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action: This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny). Chapter 28 System. Table 164: Configuration > System > TELNET (continued).
367. ificate to HTTPS. %s is certificate name assigned by user. Log message: "HTTPS port has been changed to port %s." Description: An administrator changed the port number for HTTPS. %s is port number. Log message: "HTTPS port has been changed to default port." Description: An administrator changed the port number for HTTPS back to the default (443). Log message: "HTTP port has changed to port %s." Description: An administrator changed the port number for HTTP. %s is port number assigned by user. Appendix A Log Descriptions. Table 199: Built-in Services Logs (continued). Log message: "HTTP port has changed to default port." Description: An administrator changed the port number for HTTP back to the default (80). Log message: "SSH port has been changed to port %s." Description: An administrator changed the port number for SSH. %s is port number assigned by user. Log message: "SSH port has been changed to default port." Description: An administrator changed the port number for SSH back to the default (22). Log message: "SSH certificate %s does not exist. SSH service will not work." Description: An administrator assigned a nonexistent certificate to SSH. %s is certificate name assigned by user. Log message: "SSH certificate %s format is wrong. SSH service will not work." Description: After an administrator assigns a certificate for SSH, the device needs to convert it to a key used for SSH. %s is certificate name assigned by user. Log message: "TELNET port has been hang
368. iland Co Ltd http www zyxel co th Vietnam ZyXEL Communications Corporation Vietnam Office http www zyxel com vn vi Austria ZyXEL Deutschland GmbH http www zyxel de Belarus ZyXEL BY http www zyxel by NXC Series User s Guide Appendix F Customer Support Belgium ZyXEL Communications B V http www zyxel com be nl Bulgaria e ZyXEL B nrapna http www zyxel com bg bg Czech ZyXEL Communications Czech s r o http www zyxel cz Denmark ZyXEL Communications A S http www zyxel dk Estonia ZyXEL Estonia http www zyxel com ee et Finland ZyXEL Communications http www zyxel fi France ZyXEL France http www zyxel fr Germany ZyXEL Deutschland GmbH http www zyxel de Hungary ZyXEL Hungary amp SEE http www zyxel hu Latvia ZyXEL Latvia e http www zyxel com lv lv homepage shtml NXC Series User s Guide 447 Appendix F Customer Support 448 Lithuania ZyXEL Lithuania http www zyxel com It It homepage shtml Netherlands ZyXEL Benelux http www zyxel nl Norway ZyXEL Communications http www zyxel no Poland ZyXEL Communications Poland http www zyxel pl Romania ZyXEL Romania http www zyxel com ro ro Russia ZyXEL Russia http www zyxel ru Slovakia ZyXEL Communications Czech s r o organizacna zlozka http www zyxel sk Spain ZyXEL Spain http www zyxe
369. iles are installed. Logout URL: Specify the logout page's URL, for example, http://IIS server IP Address/logout.asp. The Internet Information Server (IIS) is the web server on which the web portal files are installed. Welcome URL: Specify the welcome page's URL, for example, http://IIS server IP Address/welcome.asp. The Internet Information Server (IIS) is the web server on which the web portal files are installed. Session URL: Specify the session page's URL, for example, http://IIS server IP Address/session.asp. This page records the lease timeout, reauth timeout and session timeout for a user. The user can also click a logout button to log out. The Internet Information Server (IIS) is the web server on which the web portal files are installed. Error URL: Specify the error page's URL, for example, http://IIS server IP Address/error.asp. The Internet Information Server (IIS) is the web server on which the web portal files are installed. User logout URL: Specify the URL of the page from which users can terminate their sessions, for example, http://IIS server IP Address/userlogout.asp. The Internet Information Server (IIS) is the web server on which the web portal files are installed. Download: Click this to download an example web portal file for your reference. Authentication Method: Select an authentication method for the captive portal page. You can configure the authentication method in the Configuration > Object > Auth Meth
370. ime and date settings from the time server under the following circumstances: when the NXC starts up; when you click Apply or Synchronize Now in this screen; at 24-hour intervals after starting up. Time Server Address: Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information. Sync Now: Click this button to have the NXC get the time and date from a time server (see the Time Server Address field). This also saves your changes (except the daylight saving settings). Time Zone Setup. Time Zone: Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Enable Daylight Saving: Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. Select this option if you use Daylight Saving Time. Start Date: Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The at field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the second Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and type 2 in the at field. Daylight Saving Tim
371. ime expires. Select manual to set specific channels through which to cycle sequentially when the Channel dwell time expires. Selecting this option makes the Scan Channel List options available. Chapter 19 MON Profile. Table 121: Configuration > Object > MON Profile > Add/Edit MON Profile (continued). Set Scan Channel List (2.4 GHz): Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual. These channels are limited to the 2 GHz range (802.11 b/g/n). Set Scan Channel List (5 GHz): Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual. These channels are limited to the 5 GHz range (802.11 a/n). OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes. 19.3 Technical Reference: The following section contains additional technical information about the features described in this chapter. Rogue APs: Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. Attackers can take advantage of a rogue AP's weaker (or non
372. in seconds that a client can be idle before authentication is discontinued. Authentication Type: Select a WEP authentication method. Choices are Open or Share key. Chapter 18 AP Profile. Table 115: Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile. Key Length: Select the bit-length of the encryption key to be used in WEP connections. If you select WEP-64: enter 10 hexadecimal digits in the range of A-F, a-f and 0-9 (for example, 0x11AA22BB33) for each Key used, or enter 5 ASCII characters (case sensitive) ranging from a-z, A-Z and 0-9 (for example, MyKey) for each Key used. If you select WEP-128: enter 26 hexadecimal digits in the range of A-F, a-f and 0-9 (for example, 0x00112233445566778899AABBCC) for each Key used, or enter 13 ASCII characters (case sensitive) ranging from a-z, A-Z and 0-9 (for example, MyKey12345678) for each Key used. Key 1~4: Based on your Key Length selection, enter the appropriate length hexadecimal or ASCII key. PSK: Select this option to use a Pre-Shared Key with WPA encryption. Pre-Shared Key: Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. Cipher Type: Select an encryption cipher type from the list. auto: This automatically chooses the best available
373. ination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the NXC takes the action specified in the rule. User Specific Firewall Rules: You can specify users or user groups in firewall rules. For example, to allow a specific user from any computer to access a zone by logging in to the NXC, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the NXC and will be disabled after the user logs out of the NXC. Session Limits: Accessing the NXC or network resources through the NXC requires a NAT session and corresponding firewall session. Peer-to-peer applications, such as file sharing applications, may use a large number of NAT sessions. A single client could use all of the available NAT sessions and prevent others from connecting to or through the NXC. The NXC lets you limit the number of concurrent NAT/firewall sessions a client can use. Asymmetrical Routes: If an alternate gateway on the LAN has an IP address in the same subnet as the NXC's LAN IP address, return traffic may not go through the NXC. This is called an asymmetrical or "triangle" route. This causes the NXC to reset the connection, as the connection has not been acknowledged. You can have the NXC permit the use of asymmetri
374. increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 10^38 IP addresses. IPv6 Addressing: The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways. Leading zeros in a block can be omitted, so 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0. Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address, so 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15. Prefix and Prefix Length: Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6 prefix length specifies how many most significant bits (start from the left) in the address compose the network address. The prefix length is written as "/x" where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) is the subnet prefix. Link-local Address: A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a "private IP address" in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local uni
375. ing the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. Chapter 13: IP/MAC Binding. 13.1 Overview: IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The NXC uses DHCP to assign IP addresses and records the MAC address it assigned each IP address. The NXC then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the NXC. Suppose you configure access privileges for IP address 192.168.1.27 and use static DHCP to assign it to Tim's computer's MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any computer trying to use IP address 192.168.1.27 with another MAC address. Figure 85: IP/MAC Binding Example (MAC 12:34:56:78:90:AB with IP 192.168.1.27; MAC AB:CD:EF:12:34:56 with IP 192.168.1.27). 13.1.1 What You Can Do in this Chapter: The Summary and Edit screens (Section 13.2 on page 157) bind IP addresses to MAC addresses. The Exempt List screen (Section 13.3 on page 160) configures ranges of IP addresses to which the NXC does not apply IP/MAC binding. 13.1.2 What You Need to Know: The following terms and concepts may help as you read this chapter. DHCP: IP/MAC address bindings are based on the NXC's dynamic and static DHCP entries.
376. interface ge1 ip address dhcp. Lines 1 and 3 in the following example are comments and line 4 exits sub-command mode: interface ge1 this interface is a DHCP client. Lines 1 and 2 are comments. Line 5 exits sub-command mode: this is from Joe on 2008 04 05 interface ge1 ip address dhcp. Errors in Configuration Files or Shell Scripts: When you apply a configuration file or run a shell script, the NXC processes the file line by line. The NXC checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the NXC finds an error, it stops applying the configuration file or shell script and generates a log. You can change the way a configuration file or shell script is applied. Include setenv-stop-on-error off in the configuration file or shell script. The NXC ignores any errors in the configuration file or shell script and applies all of the valid commands. The NXC still generates a log for any errors. 30.2 Configuration File: Click Maintenance > File Manager > Configuration File to open this screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the NXC to your computer and upload configuration files from your computer to the NXC. Once your NXC is configured and functioning properly, it is highly recommended that you back up your configuration file be
377. interface that supports IP/MAC binding. Number of Binding: This field displays the interface's total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP. Apply: Click Apply to save your changes back to the NXC. Chapter 13 IP/MAC Binding. 13.2.1 Edit IP/MAC Binding: Click Configuration > Network > IP/MAC Binding > Edit to open this screen. Use this screen to configure an interface's IP to MAC address binding settings. Figure 87: Configuration > Network > IP/MAC Binding > Edit. The following table describes the labels in this screen. Table 80: Configuration > Network > IP/MAC Binding > Edit. IP/MAC Binding Settings. Interface Name: This field displays the name of the interface within the NXC and the interface's IP address and subnet mask. Enable IP/MAC Binding: Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make use only the
378. irewall WLAN NXC insert 4 sourceip TW TEAM management service TELNET action allow exit write. While configuration files and shell scripts have the same syntax, the NXC applies configuration files differently than it runs shell scripts. This is explained below. Table 179: Configuration Files and Shell Scripts in the NXC. Configuration Files (.conf): Resets to default configuration; goes into CLI Configuration mode; runs the commands in the configuration file. Shell Scripts (.zysh): Goes into CLI Privilege mode; runs the commands in the shell script. You have to run the aforementioned example as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode. Comments in Configuration Files or Shell Scripts: In a configuration file or shell script, use or as the first character of a command line to have the NXC treat the line as a comment. Your configuration files or shell scripts can use exit or a command line consisting of a single to have the NXC exit sub-command mode. Note: exit or must follow sub-commands if it is to make the NXC exit sub-command mode. Chapter 30 File Manager. Line 3 in the following example exits sub-command mode.
379. is 1 to 50000. The NXC stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires. File Prefix: Specify text to add to the front of the file name in order to help you identify frame capture files. You can modify the prefix to also create new frame capture files each time you perform a frame capture operation. Doing this does not overwrite existing frame capture files. The file format is file prefix.cap. For example, monitor.cap. Capture: Click this button to have the NXC capture frames according to the settings configured in this screen. You can configure the NXC while a frame capture is in progress, although you cannot modify the frame capture settings. The NXC's throughput or performance may be affected while a frame capture is in progress. After the NXC finishes the capture, it saves a combined capture file for all APs. The total number of frame capture files that you can save depends on the file sizes and the available flash storage space. Once the flash storage space is full, adding more frame captures will fail. Stop: Click this button to stop a currently running frame capture and generate a combined capture file for all APs. Reset: Click this button to return the screen to its last saved settings. 31.6.1 Wireless Frame Capture Files: Click Maintenance > Diagnostics > Wireless Frame Capture > Files to open this screen. This screen lists the fi
381. is defined in IEEE 802.1q. Note: By default, the NXC acts as a bridge device. This means all interfaces (ge1 ~ ge6) are grouped together into a single VID (vlan0). Also note that vlan0 cannot be removed and the VID cannot be changed. Figure 68: Example: Before VLAN. In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Chapter 8 Interfaces. Alternatively, you can divide the physical networks into three VLANs. Figure 69: Example: After VLAN. Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.) Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network. Traffic between VLANs (or between a VLAN and another type of network) is layer-3 communication (network layer, IP addresses). It is handled by the router. This approach provides a few adva
382. is policy route applies. Next Hop Type: This is the type of the next hop to which packets are directed. Next Hop Info: This is the main route if the next hop type is Auto. This is the interface name and gateway IP address if the next hop type is Interface/GW. The following fields are available if you click 1-1 SNAT in the Routing Flow section. This field is a sequential value, and it is not associated with any entry. NAT Rule: This is the name of an activated 1:1 or Many 1:1 NAT rule in the NAT table. Source: This is the original source IP address(es). any means any IP address. Destination: This is the original destination IP address(es). any means any IP address. Outgoing: This is the name of an interface which transmits packets out of the NXC. Gateway: This is the IP address of the gateway in the same network of the outgoing interface. 32.3 The SNAT Status Screen: The SNAT Status screen allows you to view and quickly link to specific source NAT (SNAT) settings. Click a function box in the SNAT Flow section; the related SNAT rules (activated) will display in the SNAT Table section. To access this screen, click Maintenance > Packet Flow Explore > SNAT Status. The order of the SNAT flow may vary depending on whether you use policy routes to control 1-1 NAT by using the policy control virtual server rules activate command. Chapter 32 Packet Fl
384. ish to import a different certificate. [Screenshot: Certificate Import Wizard, File to Import] Chapter 28 System. 3. Enter the password given to you by the CA. [Screenshot: Certificate Import Wizard, Password] 4. Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. [Screenshot: Certificate Import Wizard, Certificate Store] 5. Click Finish to complete the wizard and begin the import process.
385. ist > Edit Port. Enable: Select this option to activate the port. Otherwise, deselect it. Name: This shows the name of the port. Native VID (PVID): A PVID (Port VLAN ID) is a tag that adds to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines. Enter the PVID from 1 to 4094 for this port. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to close the window with changes unsaved. 7.3.3 VLAN Add/Edit: Use this screen to create a new VLAN or configure an existing VLAN on the NXC. Chapter 7 Wireless. To access this screen, click Add or select a VLAN and click the Edit button in the VLAN Member Configuration table of the Configuration > Wireless > AP Management > Edit AP List screen. Figure 51: Configuration > Wireless > AP Management > Edit AP List > Edit VLAN. Each field is described in the following table. Table 52: Configuration > Wireless > AP Management > Edit AP List > Edit VLAN. Enable: Select this option to activate the VLAN. Otherwise, deselect it. Name: This field is read only if you are editin
387. ister myzyxel.com, please go to portal.myzyxel.com. 6.3 Service. This screen varies depending on your NXC model. 6.3.1 NXC2500. Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard's PIN number (license key) in this screen. Click Configuration > Licensing > Registration > Service to open the screen as shown next. [Figure 45: Configuration > Licensing > Registration > Service] (NXC Series User's Guide, Chapter 6: Registration.) The following table describes the labels in this screen. Table 46: Configuration > Licensing > Registration > Service. LABEL / DESCRIPTION. License Status. This is the entry's position in the list. Service: This lists the services that are available on the NXC. Status: This field displays whether this is a default service (Default) or an activated license upgrade (Licensed). Registration Type: This field displays standard when you registered a service with your iCard's PIN number
388. ithm. Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). Valid From: This field displays the date that the certificate becomes applicable. none displays for a certification request. Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. none displays for a certification request. Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the NXC uses RSA encryption) and the length of the key set in bits (1024 bits, for example). Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage: This field displays for what functions the certificate's key can be used. For example, DigitalSignature means that the key can be used to sign certificates, and KeyEncipherment means that the key can be used to encrypt text. Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate, and Path Length Constraint=1 means that there can only be one certification authority in the certificate's path. This field does not display for a certification request.
389. ity's certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity's certificate. If the issuing certification authority is one that you have imported as a trusted certificate, it may be the only certification authority in the list (along with the end entity's own certificate). The NXC does not trust the end entity's certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked. Refresh: Click Refresh to display the certification path. Enable X.509v3 CRL Distribution Points and OCSP checking: Select this check box to have the NXC check incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server. You also need to configure the OCSP or LDAP server details. OCSP Server: Select this check box if the directory server uses OCSP (Online Certificate Status Protocol). URL: Type the protocol, IP address and pathname of the OCSP server. ID: The NXC may need to authenticate itself in order to access the OCSP server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority). Password: Type the password (up to 31 ASCII characters) from the entity maintaining the OCSP server (usually a certification authority). LDAP Server: Select this check box if the directory s
390. ize: This is the size of the most recently created diagnostic file. Copy the diagnostic file to USB storage (if ready): Select this to have the NXC create an extra copy of the diagnostic file to a connected USB storage device. Apply: Click Apply to save your changes. Collect Now: Click this to have the NXC create a new diagnostic file. Download: Click this to save the most recent diagnostic file to a computer. 31.2.1 Diagnostics Files. Click Maintenance > Diagnostics > Files to open the diagnostic files screen. This screen lists the files of diagnostic information the NXC has collected and stored in a connected USB storage device. You may need to send these files to customer support for troubleshooting. [Figure 213: Maintenance > Diagnostics > Files] The following table describes the labels in this screen. Table 184: Maintenance > Diagnostics > Files. LABEL / DESCRIPTION. Remove: Select files and click Remove to delete them from the NXC. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download: Click a file to select it and click Download to save it to your computer. This column displays the number for each file en
391. ject: Use to configure any new settings objects that you need to use in this screen. Enable Rule: Select this check box to turn on this session limit rule. Description: Enter information to help you identify this rule. Use up to 60 printable ASCII characters. Spaces are allowed. User: Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system, and the rule will be disabled when the user logs out. Otherwise, select any and there is no need for user logging. Note: If you specified an IP address (or address group) instead of any in the field below, the user's IP address should be within the IP address range. Address: Select a source address or address group for whom this rule applies. Select any if the policy is effective for every source address. Session Limit per Host: Use this field to set a limit to the number of concurrent NAT/firewall sessions this rule's users or addresses can have. For this rule's users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. OK: Click OK to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving. (NXC Series User's Guide.) 17 User/Group. 17.1 Overview. This chapter describes how to set up user accounts, user groups, and user settings for the NXC. You can also set up rules t
392. (NXC Series User's Guide.) User's Guide. Introduction. 1.1 Overview. This User's Guide covers the following models: NXC2500 and NXC5500. Table 1: NXC Series Comparison Table. FEATURES: NXC2500 / NXC5500. Two USB Ports: Yes / Yes. Console Port (Serial Port): DB-9 Connector / RJ-45 Connector. The NXC is a comprehensive wireless LAN controller. Its flexible configuration helps network administrators set up wireless LAN networks and efficiently enforce security policies over them. In addition, the NXC provides excellent throughput, making it an ideal solution for reliable, secure service. The NXC's security features include firewall and certificates. It also provides captive portal configuration, NAT port forwarding, policy routing, DHCP server, extensive wireless AP control options, and many other powerful features. Flexible configuration helps you set up the network and enforce security policies efficiently. The front panel physical Gigabit Ethernet ports (labeled P1, P2, P3, and so on) are mapped to Gigabit Ethernet (ge) interfaces. By default, P1 is mapped to ge1, P2 is mapped to ge2, and so on. The default LAN IP address is 192.168.1.1. The default administrator login user name and password are admin and 1234, respectively. 1.2 Zones, Interfaces, and Physical Port
393. l AP cannot resume the connection. For example, here the AP has a balanced bandwidth allotment of 6 Mbps. If laptop R connects and it pushes the AP over its allotment, say to 7 Mbps, then the AP delays the red laptop's connection until it can afford the bandwidth or the laptop is picked up by a different AP with bandwidth to spare. [Figure 56: Delaying a Connection] (NXC Series User's Guide, Chapter 7: Wireless.) The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotment. [Figure 57: Kicking a Connection] Connections are kicked based on either idle timeout or signal strength. The NXC first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle time. If no connections are idle, the next criterion the NXC analyzes is signal strength. Devices with the weakest signal strength are kicked first. 7.6 DCS. Use DCS (Dynamic Channel Selection) in an environment where there are many APs and there may be interference. DCS allows APs to automatically find a less-used channel in such an environment. Use this screen to configure dynamic radio channel selection on managed APs. Click Configuration > Wireless > DCS to access this screen. [Figure 58: Configuration > Wireless > DCS]
394. The following table describes the labels in this screen. Table 173: Configuration > Log & Report > Email Daily Report. LABEL / DESCRIPTION. Enable Email Daily Report: Select this to send reports by e-mail every day. Mail Server: Type the name or IP address of the outgoing SMTP server. (NXC Series User's Guide, Chapter 29: Log and Report.) Table 173: Configuration > Log & Report > Email Daily Report (continued). LABEL / DESCRIPTION. Mail Subject: Type the subject line for the outgoing e-mail. Select Append system name to add the NXC's system name to the subject. Select Append date time to add the NXC's system date and time to the subject. Mail From: Type the e-mail address from which the outgoing e-mail is delivered. This address is used in replies. Mail To: Type the e-mail address (or addresses) to which the outgoing e-mail is delivered. SMTP Authentication: Select this check box if it is necessary to provide a user name and password to the SMTP
395. l a certificate with a certification authority, or generate a certification request. [Figure 159: Configuration > Object > Certificate > My Certificates > Add] (NXC Series User's Guide, Chapter 26: Certificates.) The following table describes the labels in this screen. Table 143: Configuration > Object > Certificate > My Certificates > Add. LABEL / DESCRIPTION. Name: Type a name to identify this certificate. You can use up to 31 alphanumeric and & _ characters. Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although you must specify a Host IP Address, Host Domain Na
396. l es. Sweden: ZyXEL Communications, http://www.zyxel.se. Switzerland: Studerus AG, http://www.zyxel.ch. (NXC Series User's Guide, Appendix F: Customer Support.) Turkey: ZyXEL Turkey A.S., http://www.zyxel.com.tr. UK: ZyXEL Communications UK Ltd., http://www.zyxel.co.uk. Ukraine: ZyXEL Ukraine, http://www.ua.zyxel.com. Latin America. Argentina: ZyXEL Communication Corporation, http://www.zyxel.com/ec/es/. Ecuador: ZyXEL Communication Corporation, http://www.zyxel.com/ec/es/. Middle East. Egypt: ZyXEL Communication Corporation, http://www.zyxel.com/homepage.shtml. Middle East: ZyXEL Communication Corporation, http://www.zyxel.com/homepage.shtml. North America. USA: ZyXEL Communications, Inc., North America Headquarters, http://www.us.zyxel.com. Oceania. Australia: ZyXEL Communications Corporation, http://www.zyxel.com/au/en/. Africa. South Africa: Nology (Pty) Ltd., http://www.zyxel.co.za. Copyright / Legal Information. Copyright 2014 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prio
397. l in your default e-mail program with the selected log attached. Refresh: Click this to refresh the log table. Clear Log: Click this to clear the log on the specified AP. This field is a sequential value, and it is not associated with a specific log message. Time: This indicates the time that the log message was created or recorded on the AP. Priority: This indicates the selected log message's priority. Category: This indicates the selected log message's category. Message: This displays content of the selected log message. Source: This displays the source IP address of the selected log message. Destination: This displays the source IP address of the selected log message. Note: This displays any notes associated with the selected log message. (NXC Series User's Guide.) Registration. 6.1 Overview. Use the Configuration > Licensing > Registration screens to register your NXC and manage its service subscriptions. 6.1.1 What You Can Do in this Chapter. The Registration screen (Section 6.2 on page 87) registers your NXC with myZyXEL.com. The Service screen (Section 6.3 on page 89) displays the status of your service registrations and upgrade licenses. 6.1.2 What You Need to Know. This section introduces the topics covered in this chapter. myZyXEL.com: myZyXEL.com is ZyXEL's online services center where you can register your NXC and manage subscription services available for the NXC. T
398. relating to the reduction of the use of hazardous substances in electrical and electronic equipment, as well as to waste disposal. The crossed-out wheeled bin symbol shown on the equipment or on its packaging indicates that the product, at the end of its useful life, must be collected separately from other waste. The separate collection of this equipment at the end of its life is organized and managed by the manufacturer. A user who wishes to dispose of this equipment must therefore contact the manufacturer and follow the system that the manufacturer has adopted to allow separate collection of the equipment at the end of its life. Proper separate collection, so that the discarded equipment can subsequently be sent for recycling, treatment and environmentally compatible disposal, helps to avoid possible negative effects on the environment and on health, and promotes the reuse and/or recycling of the materials of which the equipment is made. Unauthorized disposal of the product by the holder entails the application of the administrative penalties provided for by the regulations in force. (NXC Series User's Guide, Appendix G: Legal Information.) Environmental Product Declaration. English / Deutsch (German) / Español (Spanish). Environmental product declaration: RoHS Directive 2011/65/EU, WEEE Directive 2012/19/EU, PPW Directive 94/62/EC, REACH Regulation (EC) No 1907/2006, ErP Directiv
399. lays the time a wireless station first associated with the AP. Refresh: Click this to refresh the items displayed on this page. 5.15 Detected Device. Use this screen to view information about wireless devices detected by the AP. Click Monitor > Wireless > Detected Device to access this screen. Note: At least one radio of the APs connected to the NXC must be set to monitor mode (in the Configuration > Wireless > AP Management screen) in order to detect other wireless devices in its vicinity. [Figure 39: Monitor > Wireless > Detected Device] (NXC Series User's Guide, Chapter 5: Monitor.) The following table describes the labels in this screen. Table 42: Monitor > Wireless > Rogue AP > Detected Device. LABEL / DESCRIPTION. Mark as Rogue AP: Click this button to mark the selected AP as a rogue AP. A rogue AP can be contained in the Configuration > Wireless > MON Mode screen (Chapter 7 on page 92). Mark as Friendly
400. le time. Schedule: Select this option to turn on the firmware update scheduling feature. Note: To enable scheduling, you have to select this option and click Apply before you upload a firmware package. Otherwise, the NXC installs the uploaded firmware package immediately. Time (hh:mm): Enter the time of the day in 24-hour format (for example, 23:00 equals 11:00 pm) to install the firmware. Date (yyyy-mm-dd): Select or specify the day in year-month-date format to install the firmware. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings. After you see the Firmware Upload in Process screen, wait two minutes before logging into the NXC again. [Figure 208: Firmware Upload In Process] Note: The NXC automatically reboots after a successful firmware update. The NXC automatically restarts, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. [Figure 209: Network Temporarily Disconnected] After five minutes, log in again and check your new firmware version in the Dashboard screen. If the firmware update was not successful, the following message appears in the screen. [Figure 210: Firmware Upload Error. Error message: errno 42007, errmsg Firmware content error]
401. led (turned off) on the NXC. OutofSpace: the available disk space is less than the disk space full threshold (see Section 28.3 on page 286 for how to configure this threshold). Mounting: the NXC is mounting the USB storage device. Removing: the NXC is unmounting the USB storage device. none: the USB device is operating normally or not connected. (NXC Series User's Guide, Chapter 5: Monitor.) 5.11 AP List. Use this screen to view which APs are currently connected to the NXC. To access this screen, click Monitor > Wireless > AP Information > AP List. [Figure 33: Monitor > Wireless > AP Information > AP List] The following table describes the labels in this screen. Table 34: Monitor > Wireless > AP Information > AP List. LABEL / DESCRIPTION. Add to Mgnt AP List: Click this to add the selected AP to the managed AP list. More Information: Click this to view a daily station count about the selected AP. The count records station activity on the AP over a consecutive 24-hour period. This is the AP's index number in this list. Status: This visually displays the AP's connection status with ic
402. led or the radio is in monitor mode. AP Description: This displays the description of the AP to which the radio belongs. Model: This displays the model of the AP to which the radio belongs. MAC Address: This displays the MAC address of the radio. Radio: This indicates the radio number on the AP to which it belongs. OP Mode: This indicates the radio's operating mode. Operating modes are AP (access point), MON (monitor), Root AP or Repeater AP. ZyMesh Profile: This indicates the AP radio and ZyMesh profile names to which the radio belongs. Frequency Band: This indicates the wireless frequency currently being used by the radio. This shows when the radio is in monitor mode. Channel ID: This indicates the radio's channel ID. Tx Power: This shows the radio's output power in dBm. Station: This displays the number of stations (aka wireless clients) associated with the radio. Rx PKT: This displays the total number of packets received by the radio. Tx PKT: This displays the total number of packets transmitted by the radio. Rx FCS Error Count: This indicates the number of received packet errors accrued by the radio. Tx Retry Count: This indicates the number of times the radio has attempted to re-transmit packets. (NXC Series User's Guide, Chapter 5: Monitor.) The following table describes the icons in this screen. Table 38: Monitor > Wireless > AP
403. les of wireless frame captures the NXC has performed. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. [Figure 221: Maintenance > Diagnostics > Wireless Frame Capture > Files] (NXC Series User's Guide, Chapter 31: Diagnostics.) The following table describes the labels in this screen. Table 191: Maintenance > Diagnostics > Wireless Frame Capture > Files. LABEL / DESCRIPTION. Remove: Select files and click Remove to delete them from the NXC. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download: Click a file to select it and click Download to save it to your computer. This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. File Name: This column displays the label that identifies the file. The file name format is interface name-file suffix.cap. Size: This column displays the size (in bytes) of a configuration file. Last Modified: This column displays the date and time t
404. link. FF02:0:0:0:0:0:0:2: All routers on a local connected link. FF05:0:0:0:0:0:0:2: All routers on a local site. FF05:0:0:0:0:0:1:3: All DHCP servers on a local site. The following table describes the multicast addresses which are reserved and cannot be assigned to a multicast group. Table 226: Reserved Multicast Address. MULTICAST ADDRESS: FF00:0:0:0:0:0:0:0, FF01:0:0:0:0:0:0:0, FF02:0:0:0:0:0:0:0, FF03:0:0:0:0:0:0:0, FF04:0:0:0:0:0:0:0, FF05:0:0:0:0:0:0:0, FF06:0:0:0:0:0:0:0, FF07:0:0:0:0:0:0:0, FF08:0:0:0:0:0:0:0, FF09:0:0:0:0:0:0:0, FF0A:0:0:0:0:0:0:0, FF0B:0:0:0:0:0:0:0, FF0C:0:0:0:0:0:0:0, FF0D:0:0:0:0:0:0:0, FF0E:0:0:0:0:0:0:0, FF0F:0:0:0:0:0:0:0. (NXC Series User's Guide, Appendix E: IPv6.) Subnet Masking. Both an IPv6 address and IPv6 subnet mask are composed of 128-bit binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 to 10, A to F). Each block's 16 bits are then represented by four hexadecimal characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000. Interface ID. In IPv6, an interface ID is a 64-bit identifier. It identifies a physical interface (for example, an Ethernet port) or a virtual interface (for example, the management IP address for a VLAN). One interfa
405. list. Port: This field displays the physical port number. Status: This field displays the current status of the physical port. Down: The physical port is not connected. Speed / Duplex: The physical port is connected. This field displays the port speed and duplex setting (Full or Half). TxPkts: This field displays the number of packets transmitted from the NXC on the physical port since it was last connected. RxPkts: This field displays the number of packets received by the NXC on the physical port since it was last connected. Collisions: This field displays the number of collisions on the physical port since it was last connected. Tx B/s: This field displays the transmission speed, in bytes per second, on the physical port in the one-second interval before the screen updated. Rx B/s: This field displays the reception speed, in bytes per second, on the physical port in the one-second interval before the screen updated. Up Time: This field displays how long the physical port has been connected. System Up Time: This field displays how long the NXC has been running since it last restarted or was turned on. (NXC Series User's Guide, Chapter 5: Monitor.) 5.3.1 Port Statistics Graph. Use the port statistics graph to look at a line graph of packet statistics for each physical port. To view, click Monitor > System Status > Port Statistics and then the Switch to Graphic View button. Figure 25: Monitor > System Status g
406. logs for what to fix. Ignore errors and finish applying the configuration file and then roll back to the previous configuration: this applies the valid parts of the configuration file, generates error logs for all of the configuration file's errors, and starts the NXC with a fully valid configuration file. Click OK to have the NXC start applying the configuration file, or click Cancel to close the screen. This column displays the number for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. File Name: This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the NXC's default settings. Select this file and click Apply to reset all of the NXC settings to the factory defaults. This configuration file is included when you upload a firmware package. The startup-config.conf file is the configuration file that the NXC is currently using. If you make and save changes during your management session, the changes are applied to this configuration file. The NXC applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK. It applies configuration changes made via com
407. ls in this screen. Table 130: Configuration > Object > Service > Service Group. LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry, or select it and click Edit, to be able to modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific service group. Name: This field displays the name of each service group. Description: This field displays the description of each service group, if any. (NXC Series User's Guide, Chapter 22: Services.) 22.3.1 Add/Edit Service Group Rule. The Add/Edit Service Group Rule screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen and click either the Add icon or an Edit icon. [Figure 145: Configuration > Object > Service > Service Group > Add/Edit] The following table describes the labels in this screen. Table 131: Configuration > Object > Se
408. ls in this screen. Table 185: Maintenance > Diagnostics > Packet Capture. LABEL / DESCRIPTION. Interfaces: Enabled interfaces appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Use the [Shift] and/or [Ctrl] key to select multiple objects. IP Version: Select the version of the Internet Protocol (IP) by which traffic is routed across the networks and Internet. Select any to capture packets for traffic sent by either IP version. Protocol Type: Select the protocol type of traffic for which to capture packets. Select any to capture packets for all types of traffic. (NXC Series User's Guide, Chapter 31: Diagnostics.) Table 185: Maintenance > Diagnostics > Packet Capture (continued). LABEL / DESCRIPTION. Host IP: Select a host IP address object for which to capture packets. Select any to capture packets for all hosts. Select User Defined to be able to enter an IP address. Host Port: This field is configurable when you set the Protocol Type to any, tcp, or udp. Specify the port number of traffic to capture. Continuously capture and overwrite old ones: Select this to have the NXC keep capturing traffic and overwriting old packet capture entries when the available storage space runs out. Save data to onboard storage only: Select this to have the NXC only store packet capture entries on
409. (NXC Series User's Guide, Chapter 29: Log and Report.) The following table describes the labels in this screen. Table 175: Configuration > Log & Report > Log Settings > Edit (System Log). LABEL / DESCRIPTION. E-Mail Server 1/2. Active: Select this to send log messages and alerts according to the information in this section. You specify what kinds of log messages are included in log information and what kinds of log messages are included in alerts in the Active Log and Alert section. Mail Server: Type the name or IP address of the outgoing SMTP server. Mail Subject: Type the subject line for the outgoing e-mail. Send From: Type the e-mail address from which the outgoing e-mail is delivered. This
410. ly connected to the NXC. The Radio List screen (Section 5.12 on page 75) displays statistics about the wireless radio transmitters in each of the APs connected to the NXC. The ZyMesh Link Info screen (Section 5.13 on page 78) displays statistics about the ZyMesh WDS connections between the managed APs. The Station List screen (Section 5.14 on page 79) displays statistics pertaining to the connected stations (or wireless clients). The Detected Device screen (Section 5.15 on page 80) displays the wireless devices passively detected by the NXC. The View Log screen (Section 5.16 on page 81) displays the NXC's current log messages. You can change the way the log is displayed, you can e-mail the log, and you can also clear the log in this screen. The View AP Log screen (Section 5.17 on page 84) displays the NXC's current wireless AP log messages. (NXC Series User's Guide, Chapter 5: Monitor.) 5.2 What You Need to Know. The following terms and concepts may help as you read through the chapter. Rogue AP: Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. See Chapter 19 on page 227 for details. Friendly AP: Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from neighboring networks, for example). See Chapter 19
411. [Screenshot residue: certificate dialog options, ending "Do not accept this certificate and do not connect to this Web site"]

3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

[Screenshot residue: Firefox Page Info > Security window]

NXC Series User's Guide, Appendix C Importing Certificates

Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Firefox and click Tools > Options.

[Screenshot residue: Firefox Tools menu]
412. main, com is the second-level domain, and tw is the top-level domain.
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
# | This is the index number of the address/PTR record.
FQDN | This is a host's fully qualified domain name.
IP Address | This is the IP address of a host.
Domain Zone Forwarder | This specifies a DNS server's IP address. The NXC can query the DNS server to resolve domain zones for features like the time server. When the NXC needs to resolve a domain zone, it checks it against the domain zone forwarder entries in the order that they appear in this list.
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move | To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number th
413. manage ZyMesh files that can be associated with different APs.
Address > Address | Create and manage host, range, and network (subnet) addresses.
Address > Address Group | Create and manage groups of addresses.
Service > Service | Create and manage TCP and UDP services.
Service > Service Group | Create and manage groups of services.
Schedule | Create one-time and recurring schedules.
AAA Server > Active Directory | Configure the default Active Directory settings.
AAA Server > LDAP | Configure the default LDAP settings.
AAA Server > RADIUS | Configure the default RADIUS settings.
Auth. Method | Create and manage ways of authenticating users.
Certificate > My Certificates | Create and manage the NXC's certificates.
Certificate > Trusted Certificates | Import and manage certificates from trusted sources.
DHCPv6 > Request | Configure DHCPv6 request type objects.
System
Host Name | Configure the system and domain name for the NXC.
USB Storage > Settings | Configure the settings for the connected USB devices.
Date/Time | Configure the current date, time, and time zone in the NXC.
Console Speed | Set the console speed.
DNS | Configure the DNS server and address records for the NXC.
WWW | Configure HTTP, HTTPS, and general authentication.
SSH | Configure SSH server and SSH service settings.
TELNET | Configure telnet server settings for the NXC.
FTP | Configure FTP server settings.

NXC Series User's Guide, Chapter 3 The Web Configurator

Table 14 Configuration Menu
414. mands when you use the write command.
The lastgood.conf is the most recently used (valid) configuration file that was saved when the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.

NXC Series User's Guide, Chapter 30 File Manager

Table 180 Maintenance > File Manager > Configuration File (continued)
LABEL | DESCRIPTION
Size | This column displays the size (in KB) of a configuration file.
Last Modified | This column displays the date and time that the individual configuration files were last changed or saved.
Upload Configuration File | The bottom part of the screen allows you to upload a new or previously saved configuration file from your computer to your NXC. You cannot upload a configuration file named system-default.conf or lastgood.conf. If you upload startup-config.conf, it will replace the current configuration and immediately apply the new settings.
File Path | Type in the location of the file you want to upload in this field or click Browse to find it.
Browse | Click Browse to find the .conf file you want to upload. The configuration file must use a ".conf" filename extension. You will receive an error message if you try to upload a file of a different format. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload | Click Upload to begin the uploa
415. mber of the Ekahau RTLS Controller.
Apply | Click Apply to save your changes back to the NXC.
Reset | Click Reset to return the screen to its last-saved settings.

NXC Series User's Guide

Firewall

16.1 Overview

Use the firewall to block or allow services that use static port numbers. The firewall can also limit the number of user sessions.

16.1.1 What You Can Do in this Chapter

The Firewall screens (Section 16.2 on page 183) enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules.
The Session Control screens (Section 16.3 on page 187) limit the number of concurrent NAT/firewall sessions a client can use.

16.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

Stateful Inspection
The NXC has a stateful inspection firewall. The NXC restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

Zones
A zone is a group of interfaces. Group the NXC's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces in a zone.

Default Firewall Behavior
Firewall rules are grouped based on the direction of travel of packets to which they apply. Here is the default firewall behavior for traffic goi
416. me
The link status of %s interface is inactive. | The specified interface failed a connectivity check.

Table 202 NAT Logs
LOG MESSAGE | DESCRIPTION
The NAT range is full. | The NAT mapping table is full.
%s FTP ALG has succeeded. | The FTP Application Layer Gateway (ALG) has been turned on or off. %s: Enable or Disable
Extra signal port of FTP ALG has been modified. | Extra FTP ALG port has been changed.
Signal port of FTP ALG has been modified. | Default FTP ALG port has been changed.
%s H.323 ALG has succeeded. | The H.323 ALG has been turned on or off. %s: Enable or Disable
Extra signal port of H.323 ALG has been modified. | Extra H.323 ALG port has been changed.
Signal port of H.323 ALG has been modified. | Default H.323 ALG port has been changed.
%s SIP ALG has succeeded. | The SIP ALG has been turned on or off. %s: Enable or Disable
Extra signal port of SIP ALG has been modified. | Extra SIP ALG port has been changed.
Signal port of SIP ALG has been modified. | Default SIP ALG port has been changed.
Register SIP ALG extra port %d failed. | SIP ALG apply additional signal port failed. %d: Port number
Register SIP ALG signal port %d failed. | SIP ALG apply signal port failed. %d: Port number
Register H.323 ALG extra port %d failed. | H323 ALG apply additional signal port failed. %d: Port number
Register
417. me or E-Mail
The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information. Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string. A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods. An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
Organizational Unit | Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Organization | Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Town (City) | Identify the town or city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
State (Province) | Identify the state or province where the certificate owner is located. You can use up to 31 chara
418. me from 1 to 31 characters. The user name can only contain the following characters:
- Alphanumeric A-z 0-9 (there is no unicode support)
- _ (underscores)
- - (dashes)
The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:
- User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not 'bob'.
- User names have to be different than user group names.
- Here are the reserved user names: adm, admin, any, bin, daemon, debug, devicehaecived, ftp, games, halt, ldap-users, lp, mail, news, nobody, operator, radius-users, root, shutdown, sshd, sync, uucp, zyxel.

To access this screen, go to the User screen and click Add or Edit.

Figure 111 Configuration > User Group > User > Add/Edit A User
[Screenshot residue: Add A User dialog with User Configuration and Authentication Timeout Settings fields]

NXC Series User's Guide, Chapter 17 User Group

The following table describes the labels in this screen.

Table 99 Configuration > User Group > User > Add/Edit A User
LABEL | DESCRIPTION
User Name | Type the user name for this user acc
419. n
Figure 93 Configuration > Captive Portal > Auth. Policy Add/Edit
[Screenshot residue: Auth. Policy Add dialog with General Settings and User Authentication Policy fields]

The following table describes the labels in this screen.

Table 86 Configuration > Captive Portal > Auth. Policy Add/Edit
LABEL | DESCRIPTION
Create New Object | Select an object (SSID Profile, Address or Service) from the list to create a new one. You can then use the object with the authentication policy rule. For example, if you create a new SSID Profile called "CoffeeBar" then you can select it immediately from the SSID list in this screen.
Enable Policy | Select this to enable the new authentication policy. You can later edit the authentication policy and deselect it if you want to disable it.
Description | Enter an optional description of the authentication policy. You can enter up to 60 characters.
Source Address | Select an address object from the list. If none are available, you can create a new one using the Create New Object button. The source address is an IP address for which the captive portal intercepts all network traffic.
Destination Address | Select an address object from the list. If none are available, you can create a new one using the Create New Obj
420. n
Table 107 Guest Account List
LABEL | DESCRIPTION
# | This is the rank of an account in the list.
Guest Name | This is the descriptive name for an account.
User Name | This is the user name of an account.
Password | This is the password of an account.
Guest s Print | Click this icon to print out the account information and the notes you specified in the User/Group > Setting screen for dynamic guests.
Return | Click this icon to go back to the previous screen.

NXC Series User's Guide, Chapter 17 User Group

The following figure shows the dynamic guest account printout example.

Figure 120 Preview of Dynamic Guest Account Printout
[Screenshot residue: sample printout listing each guest account, password, account expiration time, SSID and key]

17.5 MAC Address

The MAC Address screen maps wireless client MAC addresses to MAC roles (MAC address user accounts). See MAC Address Accounts on page 192 for more on MAC address user accounts and MAC roles. Click Configuration > Object > User/Group > MAC Address to open this screen.

Figure 121 Configuration > Object > User/Group > MAC Address
MAC
421. n
Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.

Open Source Licenses
This product contains in part some free software distributed under GPL license terms and/or GPL-like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. If you cannot find it there, contact your vendor or ZyXEL Technical Support at support@zyxel.com.tw. To obtain the source code covered under those Licenses, please contact your vendor or ZyXEL Technical Support at support@zyxel.com.tw.

Safety Warnings
- Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
- Do NOT expose your device to dampness, dust or corrosive liquids.
- Do NOT store things on the device.
- Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
- Connect ONLY suitable accessories to the device.
- Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
- Make sure to connect the cables to the correct ports.
- Place connecting cables carefully so that no one will step on them or stumble over them.
- Always dis
422. n 7.4 on page 99) allows you to assign APs either to the rogue AP list or the friendly AP list.
The Load Balancing screen (Section 7.5 on page 102) configures network traffic load balancing between the APs and the NXC.
The DCS screen (Section 7.6 on page 104) configures dynamic radio channel selection on managed APs.
The Auto Healing screen (Section 7.7 on page 107) turns on the auto healing feature to extend the wireless service coverage area of the managed APs when one of the APs fails.

7.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

Station / Wireless Client
A station or wireless client is any wireless-capable device that can connect to an AP using a wireless signal.

Dynamic Channel Selection (DCS)
Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices.

Load Balancing (Wireless)
Wireless load balancing is the process where you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it so the AP does not become overloaded.

NXC Series User's Guide, Chapter 7 Wireless

7.2 Controller

Use this screen to set how the NXC allows new APs to connect to the network. Click Configuration > Wireless > Controller
423. n Service Control specifies from which zones an administrator can use HTTP to manage the NXC (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the NXC.
User Service Control specifies from which zones a user can use HTTP to log into the NXC. You can also specify the IP addresses from which the users can access the NXC.
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry's settings.
Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move | To change an entry's position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.
# | This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the NXC's (non-configurable) default policy. The NXC applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the NXC will not have to use the default policy.
Zone | This is the zone on the NXC the user is allowed or denied to access.
Address | T
424. n again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
Configuration Validation | Use a user account from the group specified above to test if the configuration is correct. Enter the account's user name in the User Name field and click Test.
OK | Click OK to save your changes back to the NXC.
Cancel | Click Cancel to exit this screen without saving your changes.

NXC Series User's Guide, Chapter 17 User Group

17.3 Group Summary

User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group > Group.

Figure 112 Configuration > Object > User/Group > Group
[Screenshot residue: Group table with Group Name, Description and Member columns]

The following table describes the labels in this screen.

Table 100 Configuration > Object > User/Group > Group
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the
425. n it.
Virtual Device |
Hover your cursor over a LED or connected Ethernet port to view details about the status of the NXC's LEDs and connections. See Section 2.2.3 on page 25 for LED descriptions. An unconnected interface appears grayed out. The following labels display when you hover your cursor over a connected interface.
Name | This field displays the name of the interface or slot.
Status | This field displays the current status of each interface or device installed in a slot. The possible values depend on what type of interface it is.
  Inactive - The Ethernet interface is disabled.
  Down - The Ethernet interface is enabled but not connected.
  Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half).
Zone | This field displays the zone to which the interface is currently assigned.
IP Address/Mask | This field displays the current IP address and subnet mask assigned to the interface.
Device Information |
System Name | This field displays the name used to identify the NXC on any network. Click the link to open the screen where you can change it.
Model Name | This field displays the model name of this NXC.
Serial Number | This field displays the serial number of this NXC.
MAC Address Range | This field displays the MAC addresses used by the NXC. Each physical port has one MAC address. The first MAC address is assi
426. n to the neighbor cache, prefix list and destination cache. The NXC creates an entry in the default router list cache if the router can be used as a default router.

When the NXC needs to send a packet, it first consults the destination cache to determine the next hop. If there is no matching entry in the destination cache, the NXC uses the prefix list to determine whether the destination address is on-link and can be reached directly without passing through a router. If the address is onlink, the address is considered as the next hop. Otherwise, the NXC determines the next hop from the default router list or routing table. Once the next hop IP address is known, the NXC looks into the neighbor cache to get the link-layer address and sends the packet when the neighbor is reachable. If the NXC cannot find an entry in the neighbor cache or the state for the neighbor is not reachable, it starts the address resolution process. This helps reduce the number of IPv6 solicitation and advertisement messages.

NXC Series User's Guide, Appendix E IPv6

Multicast Listener Discovery

The Multicast Listener Discovery (MLD) protocol (defined in RFC 2710) is derived from IPv4's Internet Group Management Protocol version 2 (IGMPv2). MLD uses ICMPv6 message types, rather than IGMP message types. MLDv1 is equivalent to IGMPv2 and MLDv2 is equivalent to IGMPv3.

MLD allows an IPv6 switch or router to discover the presence of MLD listeners who wish to receive mult
427. failed Peer not responding | n will be terminated because the server did not send any LCP packets. %s: interface name
Interface %s connect failed PAP authentication failed | PAP authentication failed (the server must support PAP and verify that the authentication failed, this does not include cases where the server does not support PAP).
Interface %s creat failed because has no | A bridge interface has no member. %s: bridge interface name

NXC Series User's Guide, Appendix A Log Descriptions

Table 205 WLAN Logs
LOG MESSAGE | DESCRIPTION
Wlan %s is enabled. | The WLAN (IEEE 802.11 b and or g) feature has been turned on. %s is the slot number where the WLAN card is or can be installed.
Wlan %s is disabled. | The WLAN (IEEE 802.11 b and or g) feature has been turned off. %s is the slot number where the WLAN card is or can be installed.
Wlan %s has been configured. | The WLAN (IEEE 802.11 b and or g) feature's configuration has been changed. %s is the slot number where the WLAN card is or can be installed.
Interface %s has been configured. | The configuration of the specified WLAN interface (%s) has been changed.
Interface %s has been deleted. | The specified WLAN interface (%s) has been removed.
Create interface %s has failed. Wlan device does not exist. | The wireless device failed to create the specified WLAN interface (%s). Remove the wireless device and reinstall it.
IEEE 80
428. naged APs.

ZyMesh is a ZyXEL proprietary feature. In a ZyMesh, multiple managed APs form a WDS (Wireless Distribution System) to expand the wireless network and provide services or forward traffic between the NXC and wireless clients. ZyMesh also allows the NXC to use CAPWAP to automatically update the configuration settings on the managed APs (in repeater mode) through wireless connections. The managed APs (in repeater mode) are provisioned hop by hop.

The managed APs in a WDS or ZyMesh must use the same SSID, channel number and pre-shared key. A managed AP can be either a root AP or repeater in a ZyMesh.

Note: All managed APs should be connected to the NXC directly to get the configuration file before being deployed to build a ZyMesh/WDS. Ensure you restart the managed AP after you change its operating mode using the Configuration > Wireless > AP Management screen (see Section 7.3 on page 93).

- Root AP: a managed AP that can transmit and receive data from the NXC via a wired Ethernet connection.
- Repeater: a managed AP that transmits and/or receives data from the NXC via a wireless connection through a root AP.

Note: When managed APs are deployed to form a ZyMesh/WDS for the first time, the root AP must be connected to an AP controller (the NXC).

NXC Series User's Guide, Chapter 20 ZyMesh Profile

In the following example, managed APs 1 and 2 act as a root AP and managed APs A, B and C are repeaters. The maximum numbe
429. ncrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the NXC for a management session.

NXC Series User's Guide, Chapter 28 System

Figure 184 SSH Communication Over the WAN Example

28.8.1 How SSH Works

The following figure is an example of how a secure connection is established between two remote hosts using SSH v1.

Figure 185 How SSH v1 Works Example
[Screenshot residue: diagram labels for the encryption method, password and user name exchange]

1 Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.

2 Encryption Method
Once the identification is verified, both the client and server must agree on the type of encryption method to use.

3 Authentication and Data Transmission
After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information
431. network. An IPv6 device uses the following ICMPv6 messages types:
- Neighbor solicitation: A request from a host to determine a neighbor's link-layer address (MAC address) and detect if the neighbor is still reachable. A neighbor being "reachable" means it responds to a neighbor solicitation message (from the host) with a neighbor advertisement message.
- Neighbor advertisement: A response from a node to announce its link-layer address.
- Router solicitation: A request from a host to locate a router that can act as the default router and forward packets.
- Router advertisement: A response to a router solicitation or a periodical multicast advertisement from a router to advertise its presence and other parameters.

IPv6 Cache

An IPv6 host is required to have a neighbor cache, destination cache, prefix list and default router list. The NXC maintains and updates its IPv6 caches constantly using the information from response messages. In IPv6, the NXC configures a link-local address automatically, and then sends a neighbor solicitation message to check if the address is unique. If there is an address to be resolved or verified, the NXC also sends out a neighbor solicitation message. When the NXC receives a neighbor advertisement in response, it stores the neighbor's link-layer address in the neighbor cache. When the NXC uses a router solicitation message to query for a router and receives a router advertisement message, it adds the router's informatio
432. nfiguring the DNS Screen

Click Configuration > System > DNS to change your NXC's DNS settings. Use the DNS screen to configure the NXC to use a DNS server to resolve domain names for NXC system features like the time server. You can also configure the NXC to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the NXC sends to the specified DHCP client devices.

Figure 172 Configuration > System > DNS
[Screenshot residue: DNS screen with the Address/PTR Record, Domain Zone Forwarder, MX Record (for My FQDN) and Service Control tables]

NXC Series User's Guide, Chapter 28 System

The following table describes the labels in this screen.

Table 156 Configuration > System > DNS
LABEL | DESCRIPTION
Address/PTR Record | This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the third-level do
433. ng CLI End Cancel
Click Clear to remove the currently displayed information. See the Command Reference Guide for information about the commands.

NXC Series User's Guide, Chapter 3 The Web Configurator

3.3.2 Navigation Panel

Use the menu items on the navigation panel to open screens to configure NXC features. Click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them. The following sections introduce the NXC's navigation panel menus and their screens.

Figure 15 Navigation Panel
[Screenshot residue: navigation panel beside the Monitor > AP List screen]

3.3.2.1 Dashboard

The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. For details on the Dashboard's features, see Chapter 4 on page 46.

3.3.2.2 Monitor Menu

The monitor menu screens display status and statistics information.

Table 13 Monitor Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
System Status | Port Statistics | Display packet statistics for each
434. [Screenshot residue: user table footer]

Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location.

[Screenshot residue: user table with a column heading being dragged]

NXC Series User's Guide, Chapter 3 The Web Configurator

5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

[Screenshot residue: user table with the paging controls at the bottom]

Working with Table Entries

The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remo
435. ng through the NXC in various directions. Table 92 Default Firewall Behavior (FROM ZONE TO ZONE: BEHAVIOR). From ANY to ANY: Traffic that does not match any firewall rule is allowed. So, for example, LAN to WAN, LAN to DMZ, and LAN to WLAN traffic is allowed. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic). [Chapter 16 Firewall] To-NXC Rules: Rules with EnterpriseWLAN as the To Zone apply to traffic going to the NXC itself. By default, the firewall allows any computers to access or manage the NXC. When you configure a firewall rule for packets destined for the NXC itself, make sure it does not conflict with your service control rule. The NXC checks the firewall rules before the service control rules for traffic destined for the NXC. You can configure a To-NXC firewall rule (with From Any To EnterpriseWLAN direction) for traffic from an interface which is not in a zone. Global Firewall Rules: Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firewall rules that apply to an interface that is not included in a zone. The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface. Firewall Rule Criteria: The NXC checks the schedule, user name (user's login name on the NXC), source IP address, dest
436. nitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The NXC automatically logs out the access user once the User idle timeout has been reached. [Chapter 17 User Group] Table 102 Configuration > Object > User/Group > Setting (continued). User idle timeout: This is applicable for access users. This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the NXC automatically logs out the access user. User Logon Settings. Limit the number of simultaneous logons for administration account: Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can login as many times as they want at the same time using the same or different IP addresses. Maximum number per administration account: This field is effective when Limit for administration account is checked. Type the maximum number of simultaneous logins by each admin user. Limit the number of simultaneous logons for access account: Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can login as many times as they want as long as they use different IP addresses. Maximum This field is effective wh
437. not an ARP response packet Receive an ARP response The device received an ARP response Receiv from ARP respons SS S The device received an ARP response from the listed source o The request IP is s sent from s The device accepted a request Received ARP response NOT for the request IP address The device received an ARP response that is NOT for the requested IP address Receive an ARP response from the client issuing the DHCP request The device received an ARP response from the client issuing the DHCP request Receive an ARP response from an unknown client The device received an ARP response from an unknown client In total received d arp response packets for the requested IP address The device received the specified total number of ARP response packets for the requested IP address NXC Series User s Guide 393 Appendix A Log Descriptions 394 Table 200 System Logs continued LOG MESSAGE DESCRIPTION Clear arp cache successfully The ARP cache was cleared successfully Client MAC address is not an Ethernet address A client MAC address is not an Ethernet address DHCP request received via interface s 8 S src mac s with requested IP SS The device received a DHCP request through the specified interface IP confliction is detected Send back DHCP NAK IP conflict was detected
438. not associated with a specific user. User Name: This field displays the user name of each user. User Type: This field displays the kind of account of each user. These are the kinds of user account the NXC supports: admin: this user can look at and change the configuration of the NXC; limited-admin: this user can look at the configuration of the NXC but cannot change it; user: this user has access to the NXC's services but cannot look at the configuration; guest: this user has access to the NXC's services but cannot look at the configuration; ext-user: this user account is maintained in a remote server, such as RADIUS or LDAP; ext-group-user: this user account is maintained in a remote server, such as RADIUS or LDAP; guest-manager: this user can log in via the web configurator login screen and create dynamic guest accounts using the Master Manager screen that pops up; mac-address: an external server authenticates wireless clients based on their MAC addresses. After authentication, the NXC maps a wireless client to a MAC address user account (MAC role). User-aware features control MAC address user access to specific resources. Description: This field displays the description for each user. [Chapter 17 User Group] 17.2.1 Add/Edit User: The User Add/Edit screen allows you to create a new user account or edit an existing one. 17.2.1.1 Rules for User Names: Enter a user na
439. ns do not have to request a particular service or give advanced notice of where the traffic is going. DSCP Marking and Per-Hop Behavior: DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field: [DSCP (6 bits) | Unused (2 bits)]. DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping. The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies. 9.2 Policy Route: Click Configuration > Network > Routing to open this screen. Use this screen to see the configured policy routes and turn policy routing based bandwidth management on or off. A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port
440. nt IPAs get Down n a ge2 Down nia ge3 Down nia ge4 Down nia ge5 100M n a ge6 Down nia 0 0 0 0 0 0 0 0 Static 0 0 0 0 0 0 0 0 Static 0 0 0 0 0 0 0 0 Static 0 0 0 0 0 0 0 0 Static 0 0 0 0 0 0 0 0 Static 0 0 0 0 0 0 0 0 Static A The Latest Alert Logs Time 1 2013 12 alert policy System Resources CPU Usage Memory Usage E Flash Usage USB Storage Usage Priority Category Message Source Destin Active Sessions 9 1000000 amp AP Information All AP Online Management AP Offline Management AP Un Management AP All Station Station All Sensed Device Un Classified AP Rogue AP Friendly AP kt zyMesh AP Information All ZyMesh AP Online ZyMesh AP Root Repeater 0 0 Offline ZyMesh AP Root Repeater 9 0 NXC Series User s Guide 47 Chapter 4 Dashboard The following table describes the labels in this screen Table 18 Dashboard LABEL DESCRIPTION Widget Settings A Use this link to re open closed widgets Widgets that are already open appear grayed out Arrow B Click this to collapse or expand a widget Refresh Time Set the interval for refreshing the information displayed in the widget Setting C Refresh Now D Click this to update the widget s information immediately Close Widget E Click this to close the widget Use Widget Settings to re ope
441. nt lan2 lan3 Page 1 lofi Show 50 items Displaying 1 1 of 1 OK Cancel Each field is described in the following table Table 50 Configuration gt Wireless gt AP Management gt Edit AP List LABEL DESCRIPTION Create new Object Use this menu to create a new Radio Profile MON Profile or ZyMesh Profile object to associate with this AP MAC This displays the MAC address of the selected AP NXC Series User s Guide Chapter 7 Wireless Table 50 Configuration gt Wireless gt AP Management gt Edit AP List continued LABEL DESCRIPTION Model This field displays the AP s hardware model information It displays N A not applicable only when the AP disconnects from the NXC and the information is unavailable as a result Description Enter a description for this AP You can use up to 31 characters spaces and underscores allowed Radio 1 2 OP Mode Select the operating mode for radio 1 or radio 2 AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the NXC to be managed or subsequently passed on to an upstream gateway for managing MON Mode means the AP monitors the broadcast area for other APs then passes their information on to the NXC where it can be determined if those APs are friendly or rogue If an AP is set to this mode it cannot receive connections from wireless clients Root AP means the radio acts
442. ntages. Increased performance: In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users. Higher security: If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN. Better manageability: You can align network policies more appropriately for users. For example, you can create different policy route rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies. In this example, the new switch handles the following types of traffic: inside VLAN 2; between the router and VLAN 1; between the router and VLAN 2; between the router and VLAN 3. [Chapter 8 Interfaces] 8.3.1 VLAN Summary: This screen lists every VLAN interface. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure VLAN interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface > VLAN. Figure 70 Configuration > Network > Interface > VLAN [figure: Ethernet Configuration and IPv6 Configuration tables]
443. nterface-based LAN subnet address object. IP Address: This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents. Starting IP Address: This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents. Ending IP Address: This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP addresses that this address object represents. Network: This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the IP address of the network that this address object represents. Netmask: This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format. Interface: If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes. 21.3 Address Group Summary: The Address Group screen provides a summary of all address groups. To access this screen, click Configuration > Object > A
444. ntry, select this field. To remove a static DHCP entry, clear this field. [Chapter 4 Dashboard] 4.2.5 Number of Login Users: Use this screen to look at a list of the users currently logged into the NXC. To access this screen, click the dashboard's Number of Login Users icon. Figure 23 Dashboard > Number of Login Users [figure: Number of Login Users table with User ID, Reauth Lease T, Type, IP Address, User Info and Force Logout columns]. The following table describes the labels in this screen. Table 23 Dashboard > Number of Login Users. This field is a sequential value and is not associated with any entry. User ID: This field displays the user name of each user who is currently logged in to the NXC. Reauth Lease T: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. Type: This field displays the way the user logged in to the NXC. IP address: This field displays the IP address of the computer used to log in to the NXC. User Info: This field displays the types and user names of user accounts the NXC uses. If the user type is ext-user (external user), this field will show its external group information when you move your mouse over it. If the external user matches two external group objects, both external group object names will be sho
445. o HTTPS [figure: WWW Service Control screen showing HTTPS and HTTP sections, each with Admin Service Control and User Service Control tables (Zone, Address and Action columns), the HTTP Enable and Server Port settings, and the Authentication section with Client Authentication Method]. [Chapter 28 System] The following table describes the labels in this screen. Table 161 Configuration > System > WWW > Service Control. HTTPS. Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the NXC Web Configurator using secure HTTPs connections. Server Port: The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the NXC, for example 8443, then you must notify people who need to access the NXC Web Configurator to use "https://NXC IP Address:8443" as the URL. Authenticate Client Certificates: Select Authenticate Client Certificates (optional) to require the SSL client to authent
446. o change the settings for e mailing logs to e mail server 2 for all log categories Using the System Log drop down list to disable all logs overrides your e mail server 2 settings enable normal logs green check mark e mail log messages for all categories to e mail server 2 enable alert logs red exclamation point e mail alerts for all categories to e mail server 2 Remote Server For each remote server use the Selection drop down list to change the log settings for all 1 4 of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is not associated with a specific address Log Category This field displays each category of messages It is the same value used in the Display and Category fields in the View Log tab The Default category includes debugging messages generated by open source software NXC Series User s Guide 339 Chapter 29 Log and Report 340 Table 178 Configuration gt Log amp Report gt Log Settings gt Log Category Settings continued LABEL DESCRIPTION System log Select which events you want to log by Log
447. o convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default. I cannot access the NXC from a computer connected to the Internet. Check the service control rules. I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. The NXC's traffic throughput rate decreased after I started collecting traffic statistics. Data collection may decrease the NXC's traffic throughput rate. I can only see newer logs. Older logs are missing. When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. The commands in my configuration file or shell script are not working properly. In a configuration file or shell script, use or as the first character of a command line to have the NXC treat the line as a comment. Your configuration files or shell scripts can use exit or a command line consisting of a single to have the NXC exit sub command mode. Include write commands in your scripts. Otherwise
448. o save your changes back to the NXC Reset Click Reset to return the screen to its last saved settings NXC Series User s Guide Chapter 19 MON Profile 19 2 1 Add Edit MON Profile This screen allows you to create a new monitor mode profile or edit an existing one To access this screen click the Add button or select and existing monitor mode profile and click the Edit button Figure 134 Configuration gt Object gt MON Profile gt Add Edit MON Profile 3 Add MON Profile General Settings v Activate Profile Name Channel dwell time Scan Channel Made Set Scan Channel List 2 4 GHz Available channels oon O0 o WON um e Set Scan Channel List 5 GHz Available channels 36 40 44 48 149 153 157 161 o Deena 100 100ms 1000ms manual M Channels selected HE Channels selected am PIX v a The following table describes the labels in this screen Table 121 Configuration gt Object gt MON Profile gt Add Edit MON Profile LABEL DESCRIPTION Activate Select this to activate this monitor mode profile Profile Name This field indicates the name assigned to the monitor mode profile Channel dwell time Enter the interval in milliseconds before the AP switches to another channel for monitoring Scan Channel Mode Select auto to have the AP switch to the next sequential channel once the Channel dwell t
449. o the LDAP/AD server using the user name of zyAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the NXC will try to log in as an anonymous user. If the bind password is incorrect, the login will fail. 24.2 Active Directory/LDAP: Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the NXC can use in authenticating users. Note: Both the Active Directory and LDAP screens, while on separate tabs, are identical in configuration. This section applies to both equally. Click Configuration > Object > AAA Server > Active Directory/LDAP to display the Active Directory/LDAP screen. Figure 152 Configuration > Object > AAA Server > Active Directory/LDAP [figure: AD Server Summary table with Name, Server Address and Base DN columns]. The following table describes the labels in this screen. Table 136 Configuration > Object > AAA Server > Active Directory/LDAP. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. This field displays the index numbe
450. o the SSID profile SSID This field indicates the SSID name as it appears to wireless clients Security Profile This field indicates which if any security profile is associated with the SSID profile QoS This field indicates the QoS type associated with the SSID profile Forwarding Mode This field indicates the forwarding mode local bridge or tunnel associated with the SSID profile MAC Filtering This field indicates which if any MAC filtering profile is associated with the SSID profile Profile Layer 2 Isolation This field indicates which if any layer 2 isolation profile is associated with the SSID Profile profile VLAN ID This field indicates the VLAN ID associated with the SSID profile NXC Series User s Guide Chapter 18 AP Profile 18 3 1 1 Add Edit SSID Profile This screen allows you to create a new SSID profile or edit an existing one To access this screen click the Add button or select an SSID profile from the list and click the Edit button Figure 126 Configuration gt Object gt AP Profile gt Add Edit SSID Profile Add SSID Profile Create new Object Downlink Q Uplink 0 Band Select Forwarding Mode VLAN ID Hidden SSID Profile Name epee eee SSID ZyXEL Security Profile default V MAC Filtering Profile disable M Layer 2 Isolation Profile disable X QoS WMM Y Rate Limiting Per Station Traffic Rate Enable Intra BSS Traffic blo
451. o use a subscription service, you have to register the NXC and activate the corresponding service at myZyXEL.com (through the NXC). Note: You need to create a myZyXEL.com account before you can register your device and activate the services at myZyXEL.com. For the NXC2500, you can directly create a myZyXEL.com account, register your NXC and activate a service using the Registration screen. Alternatively, go to http://www.myZyXEL.com with the NXC's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details. For the NXC5500, go to http://portal.myZyXEL.com with the NXC's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details. Note: To activate a service on a NXC, you need to access myZyXEL.com via that NXC. Maximum Number of Managed APs: The NXC2500 is initially configured to support up to 8 managed APs (such as the NWA5123-NI). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 managed APs while the maximum number of APs a single NXC can support is 64. [Chapter 6 Registration] The NXC5500 is initially configured to support up to 64 managed APs (such as the NWA512x series or NWA5301-NJ). You can increase this by subscribing to additional licenses. As of this writing, a license upgrade allows an additional 8 or 64 managed APs while the maximum number of APs a
452. oadcast 2nd 96s WLAN Controller IP Address AP Receiving Complete ZySH Configuration from WLAN Controller WTP receiving total configuration from WLAN Controller during CAPWAP protocol handshaking Configuration Change State NXC Series User s Guide Appendix A Log Descriptions Table 213 CAPWAP Client Logs LOG MESSAGE DESCRIPTION Configuration from WLAN Controller AP Receiving Updating ZySH WTP receiving total configuration from WLAN Controller When AC changed configuration RUN State STA List Full STA List of AP s Number of stations connecting to the specified AP has reached is Full its upper limit lst 96s WTP s description DNS Query result is NULL A DNS query failed Table 214 AP Load Balancing Logs LOG MESSAGE DESCRIPTION kick station 02x 4 02x 02x 2 02x 0 2x 02x Indicates that the specified station was removed from an AP s wireless network because the AP became overloaded Table 215 Rogue AP Logs LOG MESSAGE DESCRIPTION rogue ap detection is enabled Indicates that rogue AP detection is enabled Table 216 Wireless Frame Capture Logs LOG MESSAGE DESCRIPTION Capture done check size amp d max file size dMn This message displays check size d and max file size d when the wireless frame capture has been completed 1st 96d total files size of directory 2nd d max files size
453. oaded until it can afford the bandwidth it requires or it transfers the connection to another AP within its broadcast radius. The disassociation priority is determined automatically by the NXC and is as follows. Idle Timeout: Devices that have been idle the longest will be disassociated first. If none of the connected devices are idle, then the priority shifts to Signal Strength. Signal Strength: Devices with the weakest signal strength will be disassociated first. Note: If you enable this function, you should ensure that there are multiple APs within the broadcast radius that can accept any rejected or kicked wireless clients; otherwise, a wireless client attempting to connect to an overloaded AP will be kicked continuously and never be allowed to connect. [Chapter 7 Wireless] Table 56 Configuration > Wireless > Load Balancing (continued). Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. 7.5.1 Disassociating and Delaying Connections: When your AP becomes overloaded, there are two basic responses it can take. The first one is to delay a client connection. This means that the AP withholds the connection until the data transfer throughput is lowered or the client connection is picked up by another AP. If the client is picked up by another AP then the origina
454. ocal IP address LINK LOCAL dynamically assigned DHCP or an IPv6 StateLess Address AutoConfiguration IP address SLAAC See Appendix E on page 436 for more information about IPv6 Mask This field displays the interface s subnet mask in dot decimal notation PVID This field indicates the interface s PVID Apply Click Apply to save your changes back to the NXC Reset Click Reset to return the screen to its last saved settings 8 2 1 Edit Ethernet This screen lets you configure IP address assignment and interface parameters To access this screen select an interface and click its Edit icon in the Ethernet screen NXC Series User s Guide Chapter 8 Interfaces Note If you create IP address objects based on an interface s IP address subnet or gateway the NXC automatically updates every rule or setting that uses the object whenever the interface s IP address settings change For example if you change LAN s IP address the NXC automatically updates the corresponding interface based LAN subnet address object Figure 64 Configuration gt Network gt Interface gt Ethernet gt Edit general Fix TEAR erat ide Advances Settnos Create new Object PAseess Mc Desaiption Related Setting Tr NXC Series User s Guide Chapter 8 Interfaces This screen s fields are described in the table below Table 60 Configuration gt Network gt Interface gt Ethernet gt Edit LABEL
455. od screen (Chapter 25 on page 263). This sets the default for all wireless clients interacting with the network through the captive portal page. You can override this in the Auth Policy Edit screen (Section 14.2.2 on page 167). Exceptional Services: This table allows you to configure exceptions to the captive portal interception of network traffic. Add: Click to add a service that is allowed to by-pass the captive portal. This allows certain networking features (such as being able to connect to a DNS server, one of the pre-configured default exceptions) to remain unhindered. [Chapter 14 Captive Portal] Table 84 Configuration > Captive Portal (continued). Remove: Select an exception from the table, then click this button to remove it. Once removed, all traffic from the specified protocol goes back to being intercepted by the captive portal. This is the index number of the Exceptional Services list entry. Exceptional Services: This column lists the services that you have flagged as exceptions to captive portal interception. Authentication Policy Summary: This table defines how captive portal interception is implemented using the source IPs and destination IPs that you specify. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the ent
456. of a single AP, then load balancing may not be as effective. In the Monitor > Wireless > AP Info > AP List screen, there is no load balancing indicator associated with any APs assigned to the load balancing task. Check to be sure that the AP profile which contains the load balancing settings is correctly assigned to the APs in question. The load balancing task may have been terminated because further load balancing on the APs in question is no longer required. 35.2 Resetting the NXC: If you cannot access the NXC by any method, try restarting it by turning the power off and then on again. If you still cannot access the NXC by any method or you forget the administrator password(s), you can reset the NXC to its factory-default settings. Any configuration files or shell scripts that you saved on the NXC should still be available afterwards. Use the following procedure to reset the NXC to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file. Note: This procedure removes the current configuration. 1. Make sure the SYS LED is on and not blinking. 2. Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3. Release the RESET button, and wait for the NXC to restart. You should be able to access the NXC using the default settings.
457. of the Default Authentication Timeout Settings section's Edit icons. Figure 115 User/Group > Setting > Edit User Authentication Timeout Settings [figure: Edit User Authentication Timeout Settings dialog with User Type admin, Lease Time 1440 (0-1440 minutes, 0 is unlimited) and Reauthentication Time 1440 (0-1440 minutes, 0 is unlimited)]. The following table describes the labels in this screen. Table 103 User/Group > Setting > Edit User Authentication Timeout Settings. User Type: This read-only field identifies the type of user account for which you are configuring the default settings. admin: this user can look at and change the configuration of the NXC; limited-admin: this user can look at the configuration of the NXC but cannot change it; user: this user has access to the NXC's services but cannot look at the configuration; guest: this user has access to the NXC's services but cannot look at the configuration; ext-user: this user account is maintained in a remote server, such as RADIUS or LDAP; ext-group-user: this user account is maintained in a remote server, such as RADIUS or LDAP; guest-manager: this user can log in via the web configurator login screen and create dynamic guest accounts using the Master Manager screen that pops up; dynamic-guest: this user has access to the NXC's services within a given period of time but cannot look at the configuration. Lease Time: Enter the number o
458. og amp Report gt Log Settings gt Edit USB Storage continued LABEL DESCRIPTION Selection Select what information you want to log from each Log Category except All Logs see below Choices are disable all logs red X do not log any information from this category enable normal logs green check mark log regular information and alerts from this category enable normal logs and debug logs yellow check mark log regular information alerts and debugging information from this category OK Click this to save your changes and return to the previous screen Cancel Click this to return to the previous screen without saving your changes NXC Series User s Guide 335 Chapter 29 Log and Report 29 3 4 Edit Remote Server Log Settings This screen controls the settings for each log in the remote server syslog Go to the Log Settings Summary screen and click a remote server Edit icon Figure 203 Configuration gt Log amp Report gt Log Settings gt Edit Remote Server Edit Remote Server 1 Log Settings for Remote Server 7 Active Log Format VRPT Sysog v Server Address Log Facility Local 1 M Active Log AC D Selection v Log Category 1 Account 2 Captive Portal 3 Authentication Server 4 Euiltin Service 5 CAPWAP 6 Connectivity Check 7 Daily Report 8 Default 9 DHCP 33 ZySH Page 1 of 1 Show 50 v items Active Log AP gt Selection
459. on > Network > IP/MAC Binding > Edit to open this screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an interface's IP to MAC address binding settings.
Figure 88 Configuration > Network > IP/MAC Binding > Edit > Add/Edit (screenshot: Add Static DHCP Rule dialog with the fields Interface Name (shown as ge1), IP Address, MAC Address and Description (Optional))
The following table describes the labels in this screen.
Table 81 Configuration > Network > IP/MAC Binding > Edit > Add/Edit
LABEL: DESCRIPTION
Interface Name: This field displays the name of the interface within the NXC and the interface's IP address and subnet mask.
IP Address: Enter the IP address that the NXC is to assign to a device with the entry's MAC address.
MAC Address: Enter the MAC address of the device to which the NXC assigns the entry's IP address.
Description: Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer's owner.
OK: Click OK to save your changes back to the NXC.
Cancel: Click Cancel to exit this screen without saving.
13.3 IP/MAC Binding Exempt List
Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to w
460. on IP address this NAT rule forwards packets User Defined this NAT rule supports a specific IP address specified in the User Defined field HOST address the drop down box lists all the HOST address objects in the NXC If you select one of them this NAT rule supports the IP address specified by the address object User Defined This field is available if Mapped IP is User Defined Type the translated destination IP Original IP address that this NAT rule supports Mapped IP This field displays for Many 1 1 NAT Select to which translated destination IP address Subnet Range subnet or IP address range this NAT rule forwards packets The original and mapped IP address subnets or ranges must have the same number of IP addresses NXC Series User s Guide Chapter 11 NAT Table 77 Configuration gt Network gt NAT gt Add Edit continued LABEL DESCRIPTION Port Mapping Type Use the drop down list box to select how many original destination ports this NAT rule supports for the selected destination IP address Original I P Choices are Any this NAT rule supports all the destination ports Service this NAT rule supports the destination port s used by the specified service s Port this NAT rule supports one destination port Ports this NAT rule supports a range of destination ports You might use a range of destination ports for unknown services or when one server supports more than one
461. on keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).
User Authentication
WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go through the authentication process again. Pre-authentication enables fast roaming by allowing a wireless client that is already connected to an AP to perform IEEE 802.1x authentication with another AP before connecting to it.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system, instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in Zero Configuration wireless client. However, you must run Windows
462. on page 145) manage the NXC's zones.
10.1.2 What You Need to Know
The following terms and concepts may help as you read this chapter.
Effects of Zones on Different Types of Traffic
Zones effectively divide traffic into three types (intra-zone traffic, inter-zone traffic, and extra-zone traffic), which are affected differently by zone-based security and policy settings.
Intra-zone Traffic
Intra-zone traffic is traffic between interfaces in the same zone. In each zone, you can either allow or prohibit all intra-zone traffic. You can also set up firewall rules to control intra-zone traffic, but many other types of zone-based security and policy settings do not affect intra-zone traffic.
Inter-zone Traffic
Inter-zone traffic is traffic between interfaces in different zones.
Extra-zone Traffic
Extra-zone traffic is traffic to or from any interface that is not assigned to a zone. Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.
10.2 Zone
The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone.
Figure 76 Configuration > Network > Zone (screenshot: User Configuration table with Add and Edit buttons; visible columns: Name, Block Intra-zone, Member
463. onfiguration > System > Language to open this screen. Use this screen to select a display language for the NXC's Web Configurator screens.
Figure 197 Configuration > System > Language (screenshot: Language Setting, set to English)
The following table describes the labels in this screen.
Table 171 Configuration > System > Language
LABEL: DESCRIPTION
Language Setting: Select a display language for the NXC's Web Configurator screens. You also need to open a new browser session to display the screens in the new language.
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last saved settings.
28.14 IPv6
Click Configuration > System > IPv6 to open the following screen. Use this screen to enable IPv6 support on the NXC.
Figure 198 Configuration > System > IPv6 (screenshot: Global Setting with the Enable IPv6 check box)
The following table describes the labels in this screen.
Table 172 Configuration > System > IPv6
LABEL: DESCRIPTION
Enable IPv6: Select this to have the NXC support IPv6 and make IPv6 settings available on the screens that the functions support, such as the Configuration > Network > Interface > Ethernet and VLAN screens. The NXC discards all IPv6 packets if you clear this check box.
Table 172 Configuration > System > IPv6
464. onnects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.
Figure 232 Peer-to-Peer Communication in an Ad-hoc Network
BSS
A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
Figure 233 Basic Service Set
ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate
465. ons For details on the different Status states see the next table Registration This indicates whether the AP is registered with the managed AP list CPU Usage This displays what percentage of the AP s processing capability is currently being used IP Address This displays the AP s IP address MAC Address This displays the AP s MAC address Model This displays the AP s model number Mgnt VLAN This displays the Access Controller the NXC management VLAN ID setting for the AP and ID AC AP the runtime management VLAN ID setting on the AP VLAN Conflict displays if the AP s management VLAN ID does not match the NXC s management VLAN ID setting for the AP This field displays n a if the NXC cannot get VLAN information from the AP Description This displays the AP s associated description The default description is AP the AP s MAC Address Station This displays the number of stations aka wireless clients associated with the AP Recent On line This displays the most recent time the AP came on line N A displays if the AP has not Time come on line since the NXC last started up Last Off line This displays the most recent time the AP went off line N A displays if the AP has either Time not come on line or gone off line since the NXC last started up NXC Series User s Guide 71 Chapter 5 Monitor 72 The following table describes the icons in this screen
466. or an Edit icon in the Dynamic Guest Group section.
Figure 116 User/Group > Setting > Add/Edit Dynamic Guest Group (screenshot: Add Group Configuration dialog with Name and Description (Optional) fields)
The following table describes the labels in this screen.
Table 104 User/Group > Setting > Add/Edit Dynamic Guest Group
LABEL: DESCRIPTION
Name: Specify the name used to identify the dynamic guest group.
Description: Enter a description for the dynamic guest group.
OK: Click OK to save your changes back to the NXC.
Cancel: Click Cancel to exit this screen without saving your changes.
17.4.3 User Aware Login Example
Access users cannot use the Web Configurator to browse the configuration of the NXC. Instead, after access users log into the NXC, the following user-aware login screen appears.
Figure 117 User Aware Login
The following table describes the labels in this screen.
Table 105 User Aware Login
LABEL: DESCRIPTION
User-defined lease time (max minutes): Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew: Access users can click this button to reset the lease time, the amount of time remaining before the NXC automatically logs them out. The NXC sets this amount of time according to the Us
467. or hide details about a source IP address s sessions Destination This field displays the destination IP address and port in each active session If you are looking at the sessions by destination I P report click or to display or hide details about a destination IP address s sessions Rx This field displays the amount of information received by the source in the active session Tx This field displays the amount of information transmitted by the source in the active session Duration This field displays the length of the active session in seconds NXC Series User s Guide Chapter 5 Monitor 5 7 IP MAC Binding Monitor Click Monitor gt System Status gt I P MAC Binding to display the following screen This screen lists the devices that have received an IP address from NXC interfaces with IP MAC binding enabled and have ever established a session with the NXC Devices that have never established a session with the NXC do not display in the list Figure 29 Monitor gt System Status gt IP MAC Binding IP MAC Binding Monitor Table Interface none Y IP Address Host Name MAC Address Last Access Description ofi Show 50 wv items No data to display Page a The following table describes the labels in this screen Table 30 Monitor gt System Status gt IP MAC Binding LABEL DESCRIPTION Interface Select a NXC interface that has IP MAC binding enabled to show to which devices i
468. orary addresses and IA_TA is an identity association for temporary addresses. An IA_NA option contains the T1 and T2 fields, but an IA_TA option does not. The DHCPv6 server uses T1 and T2 to control the time at which the client contacts the server to extend the lifetimes on any addresses in the IA_NA before the lifetimes expire. After T1, the client sends the server (S1) from which the addresses in the IA_NA were obtained a Renew message. If the time T2 is reached and the server does not respond, the client sends a Rebind message to any available server (S2). For an IA_TA, the client may send a Renew or Rebind message at the client's discretion.
[Figure: T1/T2 timeline of Renew messages to S1 and a Rebind message to S2]
DHCP Relay Agent
A DHCP relay agent is on the same network as the DHCP clients and helps forward messages between the DHCP server and clients. When a client cannot use its link-local address and a well-known multicast address to locate a DHCP server on its network, it then needs a DHCP relay agent to send a message to a DHCP server that is not attached to the same network. The DHCP relay agent can add the remote identification (remote-ID) option and the interface-ID option to the Relay-Forward DHCPv6 messages. The remote-ID option carries a user-defined string
2. In IPv6, all network interfaces can be associated with several addresses.
469. orded in the System log.
Remote Server 1-4: For each remote server, select what information you want to log from each Log Category (except All Logs; see below). Choices are:
• disable all logs (red X) - do not log any information from this category
• enable normal logs (green check mark) - log regular information and alerts from this category
• enable normal logs and debug logs (yellow check mark) - log regular information, alerts, and debugging information from this category
OK: Click this to save your changes and return to the previous screen.
Cancel: Click this to return to the previous screen without saving your changes.
30 File Manager
30.1 Overview
Configuration files define the NXC's settings. Shell scripts are files of commands that you can store on the NXC and run when you need them. You can apply a configuration file or run a shell script without the NXC restarting. You can store multiple configuration files and shell script files on the NXC. You can edit configuration files or shell scripts in a text editor and upload them to the NXC. Configuration files use a .conf extension and shell scripts use a .zysh extension.
30.1.1 What You Can Do in this Chapter
• The Configuration File screen (Section 30.2 on page 343) stores and names configuration files. You can also download and upload configuration files.
• The Firmware Package screen (Section 30.3 on page 347) checks y
470. ore SNAT Status View a clear picture on how the NXC converts a packet s source IP address and check the related settings Reboot Restart the NXC Shutdown Turn off the NXC 3 3 3 Warning Messages Warning messages such as those resulting from misconfiguration display in a popup window Figure 16 Warning Message Error Message cha errno 48001 errmsg Invalid network netrnask NXC Series User s Guide Chapter 3 The Web Configurator 3 3 4 Tables and Lists The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries Manipulating Table Display Here are some of the ways you can manipulate the Web Configurator tables 1 Click a column heading to sort the table s entries according to that column s criteria Configuration Add 8 MACexample 4 ad users 1 admin 7 boss 6 guest 2 ldap users 5 mac users 3 radius users Page 1 of 1 user Type mac address ext user admin guest manager guest ext user mac address ext user Description Local User External AD Users Administration account Local User Local User External LDAP Users MAC Authentication Users External RADIUS Users Show 50 w items Displaying 1 8 of 8 2 Click the down arrow next to a column heading for more options about how to display the entries The options available vary depending on the type of fields in the column Here are
471. ot apply IP MAC binding Captive Portal Captive Portal Assign the captive portal web page to various network services Login Page Assign and customize the login page user s see when they hit the captive portal NXC Series User s Guide Chapter 3 The Web Configurator Table 14 Configuration Menu Screens Summary continued FOLDER OR LINK TAB FUNCTION RTLS Real Time Location System Use the managed APs as part of an Ekahau RTLS to track the location of Ekahau Wi Fi tags Firewall Firewall Enable or disable the firewall and asymmetrical routes and configure firewall rules Session Control Limit the number of concurrent NAT firewall sessions a client can use Object User Group User Create and manage users Group Create and manage groups of users Setting Manage default settings for all users general settings for user sessions and rules to force user authentication MAC Address Map wireless client MAC addresses to MAC roles MAC address user accounts AP Profile Radio Create and manage wireless radio settings files that can be associated with different APs SSID Create and manage wireless SSID security MAC filtering and Layer 2 isolation settings files that can be associated with different APs MON Profile Create and manage rogue AP monitoring files that can be associated with different APs ZyMesh Profile ZyMesh Create and
472. ot important 22 2 Service Summary The Service summary screen provides a summary of all services and their definitions In addition this screen allows you to add edit and remove services To access this screen log in to the Web Configurator and click Configuration Object Service gt Service Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure 142 Configuration gt Object gt Service gt Service Service Service Group Configuration Q add EI Name a Content 1 AH Protocol 51 2 AIM TCP 5190 3 AUTH TCP 113 4 Any_TCP TCP 65535 5 Any_UDP 6 BGP 7 BOOTP_CLIENT 8 BOOTP SERVER g CU_SEEME_TCP1 10 CU_SEEME_TCP2 11 CU_SEEME_UDP1 12 CU_SEEME_UDP2 UDP 1 65535 TCP 178 UDP 68 UDP 67 TCP 7648 TCP 24032 UDP 7648 UDP 24032 13 DNS TCP TCP 53 14 DNS_UDP UDP 53 15 ESP Protocol 50 16 FINGER TCP 78 17 FTP TCP 20 21 18 H323 TCP 1720 19 HTTP TCP 80 20 HTTPS TCP 443 Page 1 lof4 Displaying 1 20 of 72 242 NXC Series User s Guide Chapter 22 Services The following table describes the labels in this screen Table 128 Configuration gt Object gt Service gt Service LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and cli
473. oting 35 3 Getting More Troubleshooting Help Search for support information for your model at www zyxel com for more troubleshooting suggestions 380 NXC Series User s Guide Log Descriptions This appendix provides descriptions of example log messages The ZySH logs deal with internal system errors Table 194 ZySH Logs instructed to reset by Sd LOG MESSAGE DESCRIPTION Invalid message queue Maybe someone starts another zysh daemon ZySH daemon is 1st pid num System integrity error Group OPS cannot close property group cannot close group Ss cannot get size of group 1st zysh group name Ss cannot specify properties for entry s 1st zysh group name 2st zysh entry name s cannot join group s loop detected lst zysh group name 2st zysh group name cannot create too many groups d lst max group num oe oe S cannot find entry S 1st zysh group name 2st zysh entry name oe oe S cannot remove entry S lst zysh group name 2st zysh entry name List OPS o can t alloc entry s lst zysh entry name can t retrieve entry s 1st zysh entry name o can t get entry s 1st zysh entry name o can t print entry s lst zysh entry name Ss cannot retrieve entries from list lst zysh list name can t get name for entry d 1st zysh entry index
474. ou create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
#: This field is a sequential value, and it is not associated with a specific entry.
User Type: These are the kinds of user account the NXC supports.
• admin - this user can look at and change the configuration of the NXC
• limited-admin - this user can look at the configuration of the NXC but cannot change it
• user - this user has access to the NXC's services but cannot look at the configuration
• guest - this user has access to the NXC's services but cannot look at the configuration
• ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP
• ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP
• guest-manager - this user can log in via the web configurator login screen and create dynamic guest accounts using the Master Manager screen that pops up
• dynamic-guest - this user has access to the NXC's services within a given period of time but cannot look at the configuration
• mac-address - an external server authenticates wireless clients based on their MAC addresses. After authentication, the NXC maps a wireless client to a M
476. ount. You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved.
User Type: Select what type of user this is. Choices are:
• admin - this user can look at and change the configuration of the NXC
• limited-admin - this user can look at the configuration of the NXC but cannot change it
• user - this user has access to the NXC's services but cannot look at the configuration
• guest - this user has access to the NXC's services but cannot look at the configuration
• ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP
• ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP
• guest-manager - this user can log in via the web configurator login screen and create dynamic guest accounts using the Master Manager screen that pops up
• mac-address - an external server authenticates wireless clients based on their MAC addresses. After authentication, the NXC maps a wireless client to a MAC address user account (MAC role). User-aware features control MAC address user access to specific resources.
Password: This field is not available if you select the ext-user or ext-group-user type. Enter the password of this user account. It can consist of 4-31 alphanumeric characters.
Retype: This field is not available if you select the ext us
477. ount Limit 264 hits this is over 1 8 x 1029 hits NXC Series User s Guide Chapter 5 Monitor 5 6 Session Monitor This screen displays information about active sessions for debugging or statistical analysis It is not possible to manage sessions in this screen The following information is displayed User who started the session Protocol or service port used Source IP address Destination IP address Number of bytes received so far Number of bytes transmitted so far Duration so far You can look at all the active sessions by user service source IP address or destination IP address You can also filter the information by user protocol service or service group source address and or destination address and view it by user Click Monitor System Status Session Monitor to display the following screen Figure 28 Monitor gt System Status gt Session Monitor Session Monitor Session View User Source Address User unknown unknown unknown unknown Page 1 of 1 all sessions Service SIP Any_UDP SSDP lt seien Source 172 16 30 3 2048 172 16 30 217 51 SNMP TRAPS UDP 192 168 0 10 162 172 16 30 6 53979 Show 50 v items Service Destination Address Destination 224 0 1 75 5060 224 0 0 252 5355 192 168 0 10 162 239 255 255 250 Rx 0 Bytes 0 Bytes 198 940 KBytes 0 Bytes Tx 934 Bytes 100 Bytes 140
478. ount which is in use, the NXC ends the user session.
#: This field is a sequential value and is not associated with any entry.
Status: This field displays whether an account expires or not.
User ID: This field displays the user name of the user account.
Reauth/Lease T.: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 17 on page 190.
Expiration Time: This field displays the date and time the user account becomes invalid.
IP address: This field displays the IP address of the computer used to log in to the NXC.
Group: This field displays the name of the dynamic guest group to which the account belongs.
Guest Name: This field displays the name of the person that uses the account.
Phone: This field displays the telephone number for the user account.
Email: This field displays the e-mail address for the user account.
Address: This field displays the geographic address for the user account.
Company: This field displays the company name for the user account.
Other: This field displays the additional information for the user account.
Refresh: Click this button to update the information in the screen.
5.10 USB Storage
This screen displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen.
Figure 32 Monito
479. our current firmware version and uploads firmware to the NXC.
• The Shell Script screen (Section 30.4 on page 350) stores, names, downloads, uploads, and runs shell script files.
30.1.2 What You Need to Know
The following terms and concepts may help as you read this chapter.
Configuration Files and Shell Scripts
When you apply a configuration file, the NXC uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the NXC only applies the commands that it contains. Other settings do not change.
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 205 Configuration File / Shell Script: Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure ge3
    interface ge3
    ip address 172.16.37.240 255.255.255.0
    ip gateway 172.16.37.254 metric 1
    exit
    # create address objects for remote management
    # use the address group in case we want to open up remote management later
    address-object TW_SUBNET 172.16.37.0/24
    object-group address TW_TEAM
    address-object TW_SUBNET
    exit
    # enable Telnet access (not enabled by default, unlike other services)
    ip telnet server
    # open WLAN-to-NXC firewall for TW_TEAM for remot f
480. our vendor and or the authorized ZyXEL local distributor for details about the Warranty Period of this product During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyXEL will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operating condition Any replacement will consist of a new or re manufactured functionally equivalent product of equal or higher value and will be solely at the discretion of ZyXEL This warranty shall not apply if the product has been modified misused tampered with damaged by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact your vendor You may also refer to the warranty policy for the region in which you bought the device at http www zyxel com web support warranty info php NXC Series User s Guide Appendix G Legal Information Registratio
481. outing gt Static Route continued LABEL DESCRIPTION This is the number of an individual static route Destination This is the destination IP address Subnet Mask This is the IP subnet mask Next Hop This is the IP address of the next hop gateway or the interface through which the traffic is routed The gateway is a router or switch on the same segment as your NXC s interface s The gateway helps forward packets to their destinations Metric This is the route s priority among the NXC s routes The smaller the number the higher priority the route has 9 3 1 Static Route Setting Select a static route index number and click Add or Edit The screen shown next appears Use this screen to configure the required information for a static route Figure 75 Configuration gt Network gt Routing gt Static Route gt Add Edit IPv4 Static Route Setting 2x Destination IP Subnet Mask Gateway IP Interface Metric E vies BAAI o crea The following table describes the labels in this screen Table 71 Configuration gt Network gt Routing gt Static Route gt Add Edit LABEL DESCRIPTION Destination IP This parameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to forc
482. ow
If you applied changes in the Web Configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot. Reboot is different to reset; reset returns the device to its default configuration.
33.2 Reboot
This screen allows remote users to restart the device. To access this screen, click Maintenance > Reboot.
Figure 230 Maintenance > Reboot
Click the Reboot button to restart the NXC. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the NXC.
34 Shutdown
34.1 Overview
Use this screen to shut down the device. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the NXC or remove the power. Not doing so can cause the firmware to become corrupt.
34.1.1 What You Need To Know
Shutdown writes all cached data to the local storage and stops the system processes. Shutdown is different to reset; reset returns the device to its de
483. ow Explore
Note: Once a packet matches the criteria of an SNAT rule, the NXC takes the corresponding action and does not perform any further flow checking.
Figure 226 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT) [screenshot: Policy Route SNAT table, no data to display. On-screen note: "If you want to configure Policy Route SNAT, please go to Policy Route."]
[screenshot: 1-1 SNAT table, no data to display. On-screen note: "If you want to configure 1-1 SNAT, please go to NAT."]
[screenshot: Loopback SNAT table, no data to display. On-screen note: "If you want to configure loopback SNAT, please go to NAT. Loopback SNAT will be only applied only when the initiator is located at the network which the server locates at."]
Figure 229 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) [screenshot: Default SNAT table with Incoming (Internal Interface), Outgoing (External Interface) and SNAT (Outgoing Interface IP) columns]
The following table describes the labels in this screen.
Table 193 Maintenance > Packet Flow Explore > SNAT S
484. owing, in order of priority: User role setting in ext-user; User role setting in ext-group-user; User role setting in default user (ldap-users, ad-users, radius-users).
17.2 User Summary
The User screen provides a summary of all user accounts. To access this screen, click Configuration > Object > User/Group.
Figure 110 Configuration > Object > User/Group > User [screenshot: user list with User Name, User Type and Description columns. Rows shown: admin (admin, Administration account); ldap-users (ext-user, External LDAP Users); radius-users (ext-user, External RADIUS Users); ad-users (ext-user, External AD Users); mac-users (mac-address, MAC Authentication Users); guest (guest, Local User); Andrea (limited-admin, Local User)]
The following table describes the labels in this screen.
Table 98 Configuration > Object > User/Group > User
LABEL: DESCRIPTION
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry.
This field is a sequential value and it is
485. pe: This field displays the type of the object.
Value: This field displays the IPv6 address that the NXC obtained from an uplink router.
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the NXC can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the NXC can receive from the network through the interface. Allowed values are 0 - 1048576.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the NXC divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
Connectivity Check: These fields appear when you set the Interface Type to External or General. The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the NXC stops routing to the gateway. The NXC resumes routing to the gateway the first time the gateway passes the connectivity check.
Enable Connectivity Check: Select this to turn on the connection check.
Check Method: Select the method that the gateway allows. Select icmp to have
486. phanumeric characters, hyphens and underscores, and it can be up to 11 characters long.
Port: This indicates the port that you are currently editing.
PVID: A PVID (Port VLAN ID) is a tag that adds to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines. Enter the PVID for this port (1 - 4094).
Zone: Select a zone with which to associate this port.
MAC Address: This field is read-only. This is the MAC address that the Ethernet interface uses.
Description: Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and _ characters, and it can be up to 60 characters long.
IP Address Assignment: These IP address fields configure an IP address on the interface itself. If you change this IP address on the interface, you may also need to change a related address object for the network connected to the interface. For example, if you use this screen to change the IP address of your LAN interface, you should also change the corresponding LAN subnet address object.
Get Automatically: This option appears when you set the Interface Type to external or general. Select this to make the interface a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server.
Use Fixed IP Address: This option appears when you set the Interface Type to external or general. Select this if you w
487. port to your computer using an RS-232 cable if you want to configure the NXC using the command line interface (CLI) via the console port. For local management, you can use a computer with terminal emulation software configured to the following parameters:
VT100 terminal emulation
115200 bps
No parity, 8 data bits, 1 stop bit
No flow control
Connect the male 9-pin end of the RS-232 console cable to the console port of the NXC. Connect the female end to a serial port (COM1, COM2 or other COM port) of your computer.
3 The Web Configurator
3.1 Overview
The NXC Web Configurator allows easy management using an Internet browser. In order to use the Web Configurator, you must:
Use Internet Explorer 7.0 and later versions, Mozilla Firefox 9.0 and later versions, Safari 4.0 and later versions, or Google Chrome 10.0 and later versions
Allow pop-up windows
Enable JavaScript (enabled by default)
Enable Java permissions (enabled by default)
Enable cookies
The recommended screen resolution is 1024 x 768 pixels and higher.
3.2 Access
1 Make sure your NXC hardware is properly connected. See the Quick Start Guide.
2 Browse to http://192.168.1.1. The Login screen appears.
3 Enter the user name (default: admin) and password (default: 1234).
488. ppended a new rule. %u is rule number. Log message: rule %u has been appended.
Log message: DNS access control rule %u has been modified. Description: An administrator modified the rule %u. %u is rule number.
Log message: DNS access control rule %u has been deleted. Description: An administrator removed the rule %u. %u is rule number.
Log message: DNS access control. Description: An administrator moved the rule %u to index %d. %u is previous index. %d variable is current index.
Log message: The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. Description: The default record DNS servers is more than 128.
Log message: Interface %s ping check is successful. Zone Forwarder adds DNS servers in records. Description: Ping check ok, add DNS servers in bind. %s is interface name.
Log message: Interface %s ping check is failed. Zone Forwarder removes DNS Servers in records. Description: Ping check failed, remove DNS servers from bind. %s is interface name.
Table 199 Built-in Services Logs (continued)
LOG MESSAGE: DESCRIPTION
Log message: Interface %s ping check is disabled. Zone Forwarder adds DNS servers in records. Description: Ping check disabled, add DNS servers in bind. %s is interface name.
Log message: Wizard apply DNS server failed. Description: Wizard apply DNS server failed.
Log message: Wizard adds DNS server %s failed because DNS zone setting has conflictd. Description: Wizard apply DNS server failed because DNS zone conflicted. %s is the IP address of the DNS server.
Wizard a
489. print algorithm sha1 [screenshot: certificate window showing the Thumbprint Algorithm and Thumbprint fields]
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
26.2 My Certificates
Click Configuration > Object > Certificate > My Certificates to open this screen. This is the NXC's summary list of certificates and certification requests.
Figure 158 Configuration > Object > Certificate > My Certificates [screenshot: My Certificates and Trusted Certificates tabs, a PKI Storage Space in Use bar, and a My Certificates Setting list with Name, Type, Subject, Issuer, Valid From and Valid To columns]
The following table describes the labels in this screen.
Table 142 Configuration > Object > Certificate > My Certificates
LABEL: DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the NXC's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
490. profile or for the ZyMesh profile for a radio not using a ZyMesh profile.
Mgnt VLAN ID (AC): This displays the Access Controller (the NXC) management VLAN ID setting for the AP.
Mgnt VLAN ID (AP): This displays the runtime management VLAN ID setting on the AP. VLAN Conflict displays if the AP's management VLAN ID does not match the Mgnt VLAN ID (AC). This field displays n/a if the NXC cannot get VLAN information from the AP.
Description: This field displays the AP's description, which you can configure by selecting the AP's entry and clicking the Edit button.
7.3.1 Edit AP List
Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen.
Figure 49 Configuration > Wireless > AP Management > Edit AP List [screenshot: Edit AP List dialog with Configuration (MAC, Model, Description, Radio 1 OP Mode, Radio 1 AP Profile, Radio 1 ZyMesh Profile), VLAN Settings (Force Overwrite VLAN Config, Management VLAN ID, As Native VLAN), Port Settings and VLAN Configuration sections]
491. r [screenshot: AP Policy screen with Override Type (Auto or Manual), Fall back to Primary Controller when possible, Fall Back Check Interval (30 - 86400 seconds), Apply and Reset]
Each field is described in the following table.
Table 53 Configuration > Wireless > AP Management > AP Policy
LABEL: DESCRIPTION
Force Override AC IP Config on AP: Select this to have the NXC change the AP controller's IP address on the managed AP(s) to match the configuration in this screen.
Override Type: Select Auto to have the managed AP(s) automatically send broadcast packets to find any other available AP controllers. Select Manual to replace the AP controller's IP address configured on the managed AP(s) with the one(s) you specified below.
Primary Controller: Specify the IP address of the primary AP controller if you set Override Type to Manual.
Secondary Controller: Specify the IP address of the secondary AP controller if you set Override Type to Manual.
Fall back to Primary Controller when possible: Select this option to have the managed AP(s) change back to associate with the primary AP controller as soon as the primary AP controller is available.
Fall Back Check Interval: Set how often the managed AP(s) check whether the primary AP controller is available.
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last-saved settings.
7.4 MON Mode
Use this
492. r Name: This is the name that you specified to identify the server.
Table 136 Configuration > Object > AAA Server > Active Directory/LDAP (continued)
LABEL: DESCRIPTION
Server Address: This is the address of the AD or LDAP server.
Base DN: This specifies a directory. For example, o=ZyXEL, c=US.
24.2.1 Add/Edit Active Directory/LDAP Server
Click Object > AAA Server > Active Directory/LDAP to display the Active Directory or LDAP screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new entry or edit an existing one.
Note: The Active Directory and LDAP server setup screens are almost identical, so the features for both screens are described in this section.
Figure 153 Configuration > Object > AAA Server > Active Directory > Add/Edit [screenshot: General Settings (Name, Description), Server Settings (Server Address, Backup Server Address, Port, Base DN, Use SSL, Search time limit, Case-sensitive User Names), Server Authentication (Bind DN, Password, Retype to Confirm) and User Login Settings (Login Name Attribute, Alternative Login Name Attribute, Group Membership Attribute)]
493. r > System Status > USB Storage [screenshot: Storage Information with Device Description, Usage, File System, Speed, Status and Detail fields]
The following table describes the labels in this screen.
Table 33 Monitor > System Status > USB Storage
LABEL: DESCRIPTION
Device description: This is a basic description of the type of USB device.
Usage: This field displays how much of the USB storage device's capacity is currently being used out of its total capacity and what percentage that makes.
File System: This field displays what file system the USB storage device is formatted with. This field displays Unknown if the file system of the USB storage device is not supported by the NXC, such as NTFS.
Speed: This field displays the connection speed the USB storage device supports.
Status:
Ready - you can have the NXC use the USB storage device. Click Remove Now to stop the NXC from using the USB storage device so you can remove it.
Unused - the connected USB storage device was manually unmounted by using the Remove Now button, or for some reason the NXC cannot mount it. Click Use It to have the NXC mount a connected USB storage device. This button is grayed out if the file system is not supported (unknown) by the NXC.
none - no USB storage device is connected.
Detail: This field displays any other information the NXC retrieves from the USB storage device.
Deactivated - the use of a USB storage device is disab
494. r to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.
If this feature is
495. r upload a web portal file to the NXC. Here are some examples.
Figure 98 External Web Portal Login Page Example [screenshot: login page with Username and Password fields]
Figure 99 External Web Portal Welcome Page Example [screenshot]
Figure 100 External Web Portal Session Page Example [screenshot: session page with logout and Renew buttons and the remaining time before lease timeout, auth timeout and session timeout]
Figure 101 External Web Portal Logout Page Example [screenshot]
Figure 102 External Web Portal User Logout Page Example [screenshot]
Figure 103 External Web Portal Error Page Example [screenshot]
496. r classes and one of three drop preferences. The wmm entries are for QoS. For more information on QoS and WMM categories, see page 143.
User Defined DSCP Code: Use this field to specify a custom DSCP code point.
Schedule: Select a schedule to control when the policy route is active. none means the route is active at all times if enabled.
Service: Select a service or service group to identify the type of traffic to which this policy route applies.
Source Port: Select a service or service group to identify the source port of packets to which the policy route applies.
Next Hop
Type: Select Auto to have the NXC use the routing table to find a next hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field. You have to set up the next-hop router or switch as a HOST address object first. Select Interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).
Gateway: This field displays when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your NXC that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your NXC's interface(s).
Interface: This field displays when you select Interface in the Type field. Select an interface
497. r of hops (the repeaters between a wireless client and the root AP) you can have in a ZyMesh varies according to how many wireless clients a managed AP can support.
Note: A ZyMesh/WDS link with more hops has lower throughput.
Note: When the wireless connection between the root AP and the repeater is up, in order to prevent bridge loops, the repeater would not be able to transmit data through its Ethernet port(s). The repeater then could only receive power from a PoE device if you use PoE to provide power to the managed AP via an 8-pin Ethernet cable.
20.1.1 What You Can Do in this Chapter
The ZyMesh Profile screen (Section 20.2 on page 234) creates preset ZyMesh configurations that can be used by the NXC.
20.2 ZyMesh Profile
This screen allows you to manage and create ZyMesh profiles that can be used by the APs. To access this screen, click Configuration > Object > ZyMesh Profile.
Figure 136 Configuration > Object > ZyMesh Profile [screenshot: ZyMesh Summary list with Profile Name and ZyMesh SSID columns]
The following table describes the labels in this screen.
Table 122 Configuration > Object > ZyMesh Profile
LABEL: DESCRIPTION
Add: Click this to add a new profile.
Edit: Click this to edit the selected profile.
Remove: Click this to remove the selected profile.
498. r other wireless devices broadcasting on the 802.11 frequencies.
19.2 MON Profile
This screen allows you to create monitor mode configurations that can be used by the APs. To access this screen, log in to the Web Configurator and click Configuration > Object > MON Profile.
Figure 133 Configuration > Object > MON Profile [screenshot: MON Mode Profile Summary list with Status and Profile Name columns]
The following table describes the labels in this screen.
Table 120 Configuration > Object > MON Profile
LABEL: DESCRIPTION
Add: Click this to add a new monitor mode profile.
Edit: Click this to edit the selected monitor mode profile.
Remove: Click this to remove the selected monitor mode profile.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Object Reference: Click this to view which other objects are linked to the selected monitor mode profile (for example, an AP management profile).
This field is a sequential value, and it is not associated with a specific user.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name: This field indicates the name assigned to the monitor profile.
Apply: Click Apply t
499. r's Guide, Chapter 18 AP Profile
Table 114 Configuration > Object > AP Profile > SSID > Security List (continued)
LABEL: DESCRIPTION
Profile Name: This field indicates the name assigned to the security profile.
Security Mode: This field indicates this profile's security mode (if any).
18.3.2.1 Add/Edit Security Profile
This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button.
Note: This screen's options change based on the Security Mode selected. Only the default screen is displayed here.
Figure 128 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile [screenshot: Add Security Profile dialog with General Settings (Profile Name, Security Mode), Radius Settings (Radius Server Type; Primary and Secondary Radius Server, each with Activate, Radius Server IP Address, Radius Server Port and Radius Server Secret), MAC Authentication Setting (MAC Authentication, Delimiter (Account), Case (Account), Delimiter (Calling Station ID), Case (Calling Station ID)) and Authentication Settings (802.1X, ReAuthentication Timer, PSK, Pre-Shared Key, Cipher Type)]
500. r wireless network. Select Auto to allow the NXC to adjust the channel bandwidth to 40 MHz or 20 MHz depending on network conditions. Select 20 MHz if you want to lessen radio interference with other wireless devices in your neighborhood.
Guard Interval: Set the guard interval for this radio profile to either short or long. The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the interval increases data transfer rates but also increases interference. Increasing the interval reduces data transfer rates but also reduces interference.
Enable A-MPDU Aggregation: Select this to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.
A-MPDU Limit: Enter the maximum frame size to be aggregated.
Table 111 Configuration > Object > AP Profile > Add/Edit Radio Profile (continued)
LABEL: DESCRIPTION
A-MPDU Subframe: Enter the maximum number of frames to be aggregated each time.
Enable A-MSDU Aggregation: Select this to enable A-MSDU aggregation. Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wr
501. r written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice. Your use of the NXC is subject to the terms and conditions of any related service providers.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Certifications
Federal Communications Commission (FCC) Interference Statement
The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause undesired operations.
This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generat
502. raffic.
Rx From: traffic is coming from the IP address or user to the NXC.
Tx To: traffic is going from the NXC to the IP address or user.
IP Address/User: This field displays the IP address or user in this record. The maximum number of IP addresses or users in this report is indicated in Table 28 on page 64.
Amount: This field displays how much traffic was sent or received from the indicated IP address or user. If the Direction is Rx From, a red bar is displayed; if the Direction is Tx To, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes or Gbytes, depending on the amount of traffic for the particular IP address or user. The count starts over at zero if the number of bytes passes the byte count limit. See Table 28 on page 64.
These fields are available when the report type is Service/Port.
This field is the rank of each record. The protocols and service ports are sorted by the amount of traffic.
Service/Port: This field displays the service and port in this record. The maximum number of services and service ports in this report is indicated in Table 28 on page 64.
Protocol: This field indicates what protocol the service was using.
Direction: This field indicates whether the indicated protocol or service port is sending or receiving traffic.
Ingress: traffic is coming into the NXC through the interface.
Egress: traffic is going out from the NXC through the interf
503. rage [screenshot: file list with File Name and Last Modified columns; no data to display]
The following table describes the labels in this screen.
Table 189 Maintenance > Diagnostics > System Log
LABEL: DESCRIPTION
Remove: Select files and click Remove to delete them from the NXC. Use the Shift and/or Ctrl key to select multiple files. A pop-up window asks you to confirm that you want to delete.
Download: Click a file to select it and click Download to save it to your computer.
This column displays the number for each file entry. The total number of files that you can save depends on the file sizes and the available storage space.
File Name: This column displays the label that identifies the file.
Size: This column displays the size (in bytes) of a file.
Last Modified: This column displays the date and time that the individual files were saved.
31.6 Wireless Frame Capture
Use this screen to capture wireless network traffic going through the AP interfaces connected to your NXC. Studying these frame captures may help you identify network problems. Click Maintenance > Diagnostics > Wireless Frame Capture to display this screen.
Note: New capture files overwrite existing files of the same name. Change the File Prefix field's setting to avoid this.
Figure 220 Maintenance > Diagnostics > Wireless Frame Capture >
504. ragments sent and the more work required to re-assemble packets correctly. On the other hand, some communication channels, such as Ethernet over ATM, might not be able to handle large data packets.
DHCP Settings
Dynamic Host Configuration Protocol (DHCP, RFC 2131, RFC 2132) provides a way to automatically set up and maintain IP addresses, subnet masks, gateways, and some network information (such as the IP addresses of DNS servers) on computers in the network. This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently.
In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client.
In the NXC, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server.
As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously.
As a DHCP server, the interface provides the following information
505. raphic. Specify the location and file name of the logo graphic or click Browse to locate it. You can use the following image file formats: GIF, PNG, or JPG. To use a color, select Color and specify the color.
Customized Access Page: This section allows you to customize elements on the access page that appears upon successful login.
Title: Enter 1 - 64 characters for the page title. Spaces are allowed.
Message Color: Specify the color of the screen's text.
Note Message: Enter a note to display below the title. Use up to 1024 printable ASCII characters. Spaces are allowed.
Background: Set how the window's background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. You can use the following image file formats: GIF, PNG, or JPG. To use a color, select Color and specify the color.
Customized User logout Page: This section allows you to customize elements on the user logout page that appears upon successful login.
Title: Enter 1 - 64 characters for the page title. Spaces are allowed.
Message Color: Specify the color of the screen's text.
Table 87 Configuration > Captive Portal > Login Page
LABEL: DESCRIPTION
Note Message: Enter a note to display below the title. Use up to 1024 printable ASCII characters. Spaces are allowed.
506. rd is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the NXC.
Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
26.1.3 Verifying a Certificate
Before you import a trusted certificate into the NXC, you should verify that you have the correct certificate. You can do this using the certificate's fingerprint. A certificate's fingerprint is a message digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a .cer or .crt file name extension. [screenshot: certificate file icons]
3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. [screenshot: Certificate window, Details tab, listing fields such as Subject, Public key, Key Usage, Basic Constraints and Thumb
507. rences between WPA 2 and WEP are improved data encryption and user authentication.
IEEE 802.1x: The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication is done using an external RADIUS server.
18.2 Radio
This screen allows you to create radio profiles for the APs on your network. A radio profile is a list of settings that a supported managed AP (NWA5121-N, for example) can use to configure either one of its two radio transmitters. To access this screen, click Configuration > Object > AP Profile.
Note: You can have a maximum of 32 radio profiles on the NXC.
Figure 123 Configuration > Object > AP Profile > Radio
[Screenshot: Radio Summary table]
The following table describes the labels in this screen.
Table 110 Configuration > Object > AP Profile > Radio
LABEL: DESCRIPTION
Add: Click this to add a new radio profile.
Edit: Click this to edit the selected radio profile.
Remove: Click this to remove the selected radio profile.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Object Reference: Click this
508. resses represented by each address object. If the object's settings are based on one of the NXC's interfaces, the name of the interface displays first, followed by the object's current address settings.
21.2.1 Add/Edit Address
The Add/Edit Address screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen and click either the Add icon or an Edit icon.
Figure 139 Configuration > Object > Address > Address > Add/Edit
[Screenshot: Add Address Rule dialog with Name, Address Type and IP Address fields]
The following table describes the labels in this screen.
Table 125 Configuration > Object > Address > Address > Add/Edit
LABEL: DESCRIPTION
Name: Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Address Type: Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET, INTERFACE IP, INTERFACE SUBNET, and INTERFACE GATEWAY.
Note: The NXC automatically updates address objects that are based on an interface's IP address, subnet, or gateway if the interface's IP address settings change. For example, if you change ge1's IP address, the NXC automatically updates the corresponding i
509. rface it is.
For Ethernet interfaces:
Inactive: The Ethernet interface is disabled.
Down: The Ethernet interface is enabled but not connected.
Speed / Duplex: The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half).
For VLAN interfaces:
Up: The VLAN interface is enabled, and one of its member Ethernet interfaces is connected.
Down: The VLAN interface is enabled, but none of its member Ethernet interfaces is connected.
Inactive: The VLAN interface is disabled.
TxPkts: This field displays the number of packets transmitted from the NXC on the interface since it was last connected.
RxPkts: This field displays the number of packets received by the NXC on the interface since it was last connected.
Tx B/s: This field displays the transmission speed, in bytes per second, on the interface in the one-second interval before the screen updated.
Rx B/s: This field displays the reception speed, in bytes per second, on the interface in the one-second interval before the screen updated.
5.5 Traffic Statistics
Click Monitor > System Status > Traffic Statistics to display this screen. This screen provides basic information about the different kinds of data traffic moving through the NXC. For example: Most visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the NXC counts HTTP
510. riction on the services.
Original Port: This field displays the original destination port(s) of packets for the NAT entry. This field is blank if there is no restriction on the original destination port.
Mapped Port: This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port.
Apply: Click this button to save your changes to the NXC.
Reset: Click this button to return the screen to its last saved settings.
11.2.1 Add/Edit NAT
This screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. Then, click on an Add icon or Edit icon to open the following screen.
Figure 80 Configuration > Network > NAT > Add/Edit
[Screenshot: Add NAT dialog with General Settings, Mapping Rule and Related Settings sections]
511. [Screenshot: Object References list, no data to display]
The fields vary with the type of object. The following table describes labels that can appear in this screen.
Table 11 Object References
LABEL: DESCRIPTION
Object Name: This identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window.
This field is a sequential value, and it is not associated with any entry.
Service: This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window.
Priority: If it is applicable, this field lists the referencing configuration item's position in its list, otherwise N/A displays.
Name: This field identifies the configuration item that references the object.
Description: If the referencing configuration item has a description configured, it displays here.
Refresh: Click this to update the information in this screen.
Cancel: Click Cancel to close the screen.
Console
The Console allows you to use CLI commands from directly within the Web Configurator rather than having to use a separate terminal program. In addition to logging in directly to the NXC's CLI, you can also log into other devices on the network th
512. rity policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.
1.4 Management Overview
You can use the following ways to manage the NXC.
Web Configurator: The Web Configurator allows easy NXC setup and management using an Internet browser. This User's Guide provides information about the Web Configurator.
Command-Line Interface (CLI): The CLI allows you to use text-based commands to configure the NXC. You can access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are as follows.
Table 4 Console Port Default Settings
SETTING: VALUE
Speed: 115200 bps
Data Bits: 8
Parity: None
Stop Bit: 1
Flow Control: Off
1.5 Object-based Configuration
The NXC stores information or settings as objects. You use these objects to configure many of the NXC's features and settings. Once you configure an object, you can reuse it in configuring other features. When you change an object's settings, the NXC automatically updates all the settings or rules that use the object. You can create address objects based on an interface's IP address, subnet, or gateway. The NXC automatically updates every rule or setting that uses these objects whenever the interface's
513. rivate keys.
Self-signed Certificates: You can have the NXC act as a certification authority and sign its own certificates.
Factory Default Certificate: The NXC generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
Certificate File Formats: Any certificate that you want to import has to be in one of these file formats:
- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
- Binary PKCS #7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The NXC currently allows the importation of a PKCS #7 file that contains a single certificate.
- PEM (Base-64) encoded PKCS #7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS #7 certificate into a printable form.
- Binary PKCS #12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's passwo
514. rough this Console. It uses SSH to establish a connection.
Note: To view the functions in the Web Configurator user interface that correspond directly to specific NXC CLI commands, use the CLI Messages window (see CLI Messages on page 36) in tandem with this one.
Figure 13 Console
[Screenshot: Console window]
The following table describes the elements in this screen.
Table 12 Console
LABEL: DESCRIPTION
Command Line: Enter commands for the device that you are currently logged into here. If you are logged into the NXC, see the CLI Reference Guide for details on using the command line to configure it.
Device IP Address: This is the IP address of the device that you are currently logged into.
Logged-In User: This displays the username of the account currently logged into the NXC through the Console Window.
Note: You can log into the Web Configurator with a different account than used to log into the NXC through the Console.
Connection Status: This displays the connection status of the account currently logged in. If you are logged in and connected, then this displays Connected. If you lose the connection, get disconnected, or logout, then this displays Not Connected.
Tx/RX Activity Monitor: This displays the current upload downloa
515. rrives out of sequence or is missing, TCP puts it in sequence or waits for the data to be re-transmitted. Then, the connection is terminated.
In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.
Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning.
Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems. For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.
Service Objects and Service Groups
Use service objects to define IP protocols:
- TCP applications
- UDP applications
- ICMP messages
- user-defined services (for other types of IP protocols)
These objects are used in policy routes. Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups. The sequence of members in the service group is n
516. [Screenshot: Certificate Import Wizard completion screen]
6. You should see the following screen when the certificate is correctly installed on your computer.
[Screenshot: Certificate Import Wizard dialog, "The import was successful"]
28.7.6.7 Using a Certificate When Accessing the NXC
1. To access the NXC via HTTPS: Enter "https://NXC IP Address/" in your browser's web address field.
[Screenshot: browser address field]
2. When Authenticate Client Certificates is selected on the NXC, the following screen asks you to select a personal certificate to send to the NXC. This screen displays even if you only have a single certificate, as in the example.
[Screenshot: Client Authentication dialog]
28.8 SSH
You can use SSH (Secure SHell) to securely access the NXC's command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure e
517. rt preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble.
Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks.
Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications.
Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the NXC uses short preamble.
Note: The wireless devices MUST use the same preamble mode in order to communicate.
IEEE 802.11g Wireless LAN
IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:
Table 220 IEEE 802.11g
DATA RATE (MBPS): MODULATION
1: DBPSK (Differential Binary Phase Shift Keyed)
2: DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11: CCK (Complementary Code Keying)
6 / 9 / 12 / 18 / 24 / 36 / 48 / 54: OFDM (Orthogonal Frequency Division Multiplexing)
Wireless Security Overview
Wireless
518. rtal > Captive Error Portal Default Login Page Internal N A Customized Login Internal Login Access Captive Portal > Login Page Page Uploaded Web Portal Internal Login Logout Welcome Session File Error
14.1.2 What You Can Do in this Chapter
The Captive Portal screen (Section 14.2 on page 163) configures which HTTP-based network services default to the captive portal page when a client makes an initial network connection.
The Login Page screen (Section 14.3 on page 169) assigns a default login page or creates a customized one.
14.2 Captive Portal
This screen allows you to configure which HTTP-based network services default to the captive portal page when a client makes an initial network connection. Click Configuration > Captive Portal to access this screen.
Note: You can configure the look and feel of the captive portal web page on the Login Page screen (see Section 14.3 on page 169 for details).
Figure 91 Configuration > Captive Portal
[Screenshot: Captive Portal screen with General Settings (Internal or External Web Portal and its Login, Logout, Welcome, Session, Error and User logout URLs), Authentication Method, Exceptional Services and Authentication Policy Summary]
519. rtificate: Verification of a server's certificate failed because it is self-signed.
Self signed certificate in certificate chain: Verification of a server's certificate failed because there is a self-signed certificate in the server's certificate chain.
Verify peer certificates has succeeded: The device verified a server's certificate while processing an HTTPS connection.
Table 196 Registration Logs (continued)
LOG MESSAGE: DESCRIPTION
Certification verification failed Depth %d Error Number %d %s: Verification of a server's certificate failed while processing an HTTPS connection. This log identifies the reason for the failure. 1st %d: certificate chain level, 2nd %d: error number, %s: error message.
Certificate issuer name %s: Verification of the specified certificate failed because the device could not get the certificate's issuer name. %s is the certificate name.
The wrong format for HTTP header: The header format of a packet returned by a server is wrong.
Timeout for get server response: After the device sent packets to a server, the device did not receive any response from the server. The root cause may be a network delay issue.
Download file size is wrong: The file size downloaded for AS is not identical with content-length.
Parse HTTP header has failed
520. rvice > Service Group > Add/Edit
LABEL: DESCRIPTION
Name: Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description: Enter a description of the service group, if any. You can use up to 60 printable ASCII characters.
Member List: The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list.
OK: Click OK to save your changes back to the NXC.
Cancel: Click Cancel to exit this screen without saving your changes.
23 Schedules
23.1 Overview
Use schedules to set up one-time and recurring schedules for policy routes. The NXC supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the NXC.
Note: Schedules are based on the NXC's current date and time.
23.1.1 What You Can Do in this Chapter
521. ry User Password Enter the password for the associated user name.
Note: This is only for Active Directory.
Retype to Confirm: Retype your new password for confirmation.
Realm: Enter the AD server's realm (network domain).
Note: This is only for Active Directory.
NetBIOS Name: Enter the NetBIOS name of the AD or LDAP server. If you enter this, the NXC uses it with the user name in the format NetBIOS\USERNAME to do authentication. If you do not configure this, the NXC uses the format USERNAME@realm to do authentication.
Configuration Validation: Use a user account from the server specified above to test if the configuration is correct. Enter the account's user name in the Username field and click Test.
OK: Click OK to save the changes.
Cancel: Click Cancel to discard the changes.
24.3 RADIUS
Use the RADIUS screen to manage the list of RADIUS servers the NXC can use in authenticating users. Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen.
Figure 155 Configuration > Object > AAA Server > RADIUS
[Screenshot: RADIUS Server Summary table]
The following table describes the labels in this screen.
Table 138 Configuration > Object > AAA Server > RADIUS
522. ry's settings.
Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Move: Click this to assign the selected policy a new Priority. When you click the button, an entry box opens beside it. Enter the priority value, then press [Enter].
Status: This indicates whether a policy is active or inactive.
Priority: This indicates the priority of a policy. Priority values are unique to each policy. If you want to adjust the priority, use the Move button.
Source: This indicates the source IP address to be monitored by the policy. All traffic from the source IP has the policy applied to it.
Destination: This indicates the destination IP address to be monitored by the policy. All traffic going to the destination IP has the policy applied to it.
Schedule: This indicates which Schedule object, if any, is applied to the policy. A schedule object allows you to configure which times the rule is in effect.
Authentication: This indicates whether authentication is required for the policy.
Description: This displays the description of the policy. It has no intrinsic value to the system.
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last saved settings.
14.2.1 Add Exceptional Services
This screen allows
524. s. Here is an overview of zones, interfaces, and physical ports in the NXC.
Table 2 Zones, Interfaces, and Physical Ethernet Ports
Zones (LAN): A zone is a group of interfaces. Use zones to apply security settings such as firewall.
Interfaces (Ethernet, VLAN): Interfaces are logical entities that layer-3 packets pass through. Use interfaces in configuring zones, policy routes, static routes, and NAT. Port combine physical ports into interfaces.
Physical Ethernet Ports (P1, P2, P3, and so on): The physical port is where you connect a cable.
1.2.1 Interface Types
There are two types of interfaces in the NXC. In addition to being used in various features, interfaces also describe the network that is directly connected to it.
Ethernet interfaces are the foundation for defining other interfaces and network policies.
VLAN interfaces recognize tagged frames. The NXC automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
Note: By default, all Ethernet interfaces are placed into vlan0, allowing the NXC to function as a bridge device.
1.2.2 Interface and Zone Configuration
This section introduces the NXC's default zone member physical interfaces and the default configuration of those interfaces. This section uses the NXC500 drawings as an example.
Figure 1 Default Network Topology
525. s > Auto Healing to access this screen.
Figure 59 Configuration > Wireless > Auto Healing
[Screenshot: Auto Healing Configuration with Enable Auto Healing, Save Current State, Auto Healing Interval and Power Threshold fields]
Each field is described in the following table.
Table 58 Configuration > Wireless > Auto Healing
LABEL: DESCRIPTION
Enable Auto Healing: Select this option to turn on the auto healing feature.
Save Current State: Click this button to have all managed APs immediately scan their neighborhoods three times in a row and update their neighbor lists to the AP controller (NXC).
Auto Healing Interval: Set the time interval (in minutes) at which the managed APs scan their neighborhoods and report the status of neighbor APs to the AP controller (NXC). An AP is considered "failed" if the AP controller obtains the same scan result that the AP is missing from the neighbor list of other APs three times.
Power Threshold: Set the power level (in dBm) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas. When the failed AP is working again, its neighbor APs return their output power to the original level.
Apply: Click
526. s a sequential value, and it is not associated with a specific user group.
Group Name: This field displays the name of each dynamic guest group.
Description: This field displays the description for each dynamic guest group.
Account Deleted After Expiration: Select this check box to remove the dynamic guest accounts from the Monitor > System Status > Dynamic Guest screen when they expire.
Dynamic Guest Note: Enter the notes, such as the SSID and security key the dynamic guests can use to access the network services, that you want to display in the paper along with the account information you print out for dynamic guest users. You can enter up to 1024 ASCII characters.
Table 102 Configuration > Object > User Group > Setting (continued)
LABEL: DESCRIPTION
Apply: Click Apply to save the changes.
Reset: Click Reset to return the screen to its last saved settings.
17.4.1 Edit User Authentication Timeout Settings
This screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. To access this screen, go to the Configuration > Object > User Group > Setting screen and click one
527. s identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window.
This field is a sequential value, and it is not associated with any entry.
Service: This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window.
Priority: If it is applicable, this field lists the referencing configuration item's position in its list, otherwise N/A displays.
Name: This field identifies the configuration item that references the object.
Description: If the referencing configuration item has a description configured, it displays here.
Refresh: Click this to update the information in this screen.
Cancel: Click Cancel to close the screen.
8.2.3 Add DHCPv6 Request Options
When you configure an interface as a DHCPv6 client, you can additionally add DHCPv6 request options, which have the NXC add more information to the DHCPv6 packets. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, set DHCPv6 to Client in the DHCPv6 Setting section, and then click Add in the DHCPv6 Request Options table. Select a DHCPv6 request object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting.
Figure 66 Configuration > Ne
528. s in the private network available by using ports to forward packets to the appropriate private IP address.
Suppose you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.
Figure 78 Multiple Servers Behind NAT Example
11.1.1 What You Can Do in this Chapter
The NAT screens (see Section 11.2 on page 147) display and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones.
11.2 NAT Summary
The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, login to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules.
Figure 79 Configuration > Network > NAT
[Screenshot: NAT summary table; on-screen note: if you want to configure SNAT, please go to Policy Route]
529. s not associated with any entry.
NAT Rule: This is the name of an activated NAT rule which uses SNAT and enables NAT loopback.
Source: This is the original source IP address(es). any means any IP address.
Destination: This is the original destination IP address(es). any means any IP address.
SNAT: This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the NXC uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule.
The following fields are available if you click Default SNAT in the SNAT Flow section.
This field is a sequential value, and it is not associated with any entry.
Incoming: This indicates internal interface(s) on which the packets are received.
Table 193 Maintenance > Packet Flow Explore > SNAT Status (continued)
LABEL: DESCRIPTION
Outgoing: This indicates external interface(s) from which the packets are transmitted.
SNAT: This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the NXC uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule.
Reboot
33.1 Overview
Use this to restart the device.
33.1.1 What You Need To Kn
530. s of the packets that matches this route. If you select outgoing interface, you can also configure port trigger settings for this interface. Otherwise, select a pre-defined address (group) to use as the source IP address(es) of the packets that match this route. Use Create new Object if you need to configure a new address (group) to use as the source IP address(es) of the packets that match this route.
OK: Click OK to save your changes back to the NXC.
Cancel: Click Cancel to exit this screen without saving.
9.3 Static Route
Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes.
Figure 74 Configuration > Network > Routing > Static Route
[Screenshot: static route list with Destination, Subnet Mask and Metric columns, no data to display]
The following table describes the labels in this screen.
Table 70 Configuration > Network > Routing > Static Route
LABEL: DESCRIPTION
Add: Click this to create a new static route.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
Table 70 Configuration > Network > R
531. s on it without needing to rely on an external authentication server. The built-in authentication server supports PEAP, EAP-TLS, EAP-TTLS. Directory Structure: The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals. Figure 151 Basic Directory Structure: Countries (c), Organizations, Organization Units, Unique Common Name (cn). Distinguished Name (DN): A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same parent DN (cn=domain1.com, ou=Sales, o=MyCompany in the following examples): cn=domain1.com, ou=Sales, o=MyCompany, c=US; cn=domain1.com, ou=Sales, o=MyCompany, c=JP. Base DN: A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK, where o means organization and c means country. Bind DN: A bind DN is used to authenticate with an LDAP/AD server. For example, a bind DN of cn=zyAdmin allows the NXC to log int
532. s option will be selected automatically and cannot be configured. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes. 18.3.2 Security List. This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it. To access this screen, click Configuration > Object > AP Profile > SSID > Security List. Note: You can have a maximum of 32 security profiles on the NXC. Figure 127 Configuration > Object > AP Profile > SSID > Security List. The following table describes the labels in this screen. Table 114 Configuration > Object > AP Profile > SSID > Security List. Add: Click this to add a new security profile. Edit: Click this to edit the selected security profile. Remove: Click this to remove the selected security profile. Object Reference: Click this to view which other objects are linked to the selected security profile (for example, SSID profile). This field is a sequential value and it is not associated with a specific profile.
533. s the configuration to its default values and then reboots. Clicking Maintenance > Shutdown > Shutdown or using the shutdown command: Clicking Maintenance > Shutdown > Shutdown or using the shutdown command writes all cached data to the local storage and stops the system processes. Wait for the device to shut down and then manually turn off or remove the power. It does not turn off the power. Disconnecting the power: Power off occurs when you turn off the power to the NXC. The NXC simply turns off. It does not stop the system processes or write cached data to local storage. The NXC does not stop or start the system processes when you apply configuration files or run shell scripts, although you may temporarily lose access to network resources. Hardware Installation and Connection. 2.1 Rack-mounted Installation. Note: ZyXEL provides a sliding rail accessory for your use with your device. Please contact your local vendor for details. The NXC can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follow the steps below to mount your NXC on a standard EIA rack using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the NXC does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit
534. s to computers connected to the interface. Otherwise, the NXC assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size. Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. This field is a sequential value and it is not associated with a specific entry. IP Address: Enter the IP address to assign to a device with this entry's MAC address. MAC: Enter the MAC address to which to assign this entry's IP address. Description: Enter a description to help identify this static DHCP entry. You can use alphanumeric and _ characters, and it can be up to 60 characters long. MAC Address Setting: These fields appear when you set the Interface Type to External or General. Have the interface use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of another device or computer. Use Default MAC Address: Select this option to have the interface use the factory assigned default MAC address. By default, the NXC uses the factory assigned MAC address to identify itself. Overwrite Default MAC: Select this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning. Once it is successfully configured
535. screen to assign APs either to the rogue AP list or the friendly AP list. A rogue AP is a wireless access point operating in a network's coverage area that is not under the control of the network administrator, and which can potentially open up holes in a network's security. Click Configuration > Wireless > MON Mode to access this screen. Figure 53 Configuration > Wireless > MON Mode. Each field is described in the following table. Table 54 Configuration > Wireless > MON Mode. General Settings. Enable Rogue AP Containment: Select this to enable rogue AP containment. Rogue/Friendly AP List. Add: Click this button to add an AP to the list and assign it either friendly or rogue status. Edit: Select an AP in the list to edit and reassign its status. Remove: Select an AP in the list to remove. Containment: Click this button to quarantine the selected AP. A quar
536. server. User Name: This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is e-mailed. Password: This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-mailed. Retype to Confirm: Retype your new password for confirmation. Send Report Now: Click this button to have the NXC send the daily e-mail report immediately. Time for sending report: Select the time of day (hours and minutes) when the log is e-mailed. Use 24-hour notation. Report Items: Select the information to include in the report. Select Reset counters after sending report successfully if you only want to see statistics for a 24 hour period. Reset All Counters: Click this to discard all report data and start all of the counters over at zero. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings. 29.3 Log Settings. These screens control log messages and alerts. A log message stores the information for viewing (for example, in the View Log tab) or regular e-mailing later, and an alert is e-mailed immediately. Usually, alerts are used for events that require more serious attention, such as system errors and attacks. The NXC provides a system log and supports e-mail profiles and remote syslog servers. The
537. some examples of what you can do: sort in ascending alphabetical order; sort in descending (reverse) alphabetical order; select which columns to display; group entries by field; show entries in groups; filter by mathematical operators (<, >, or =) or searching for text. Select a column heading cell's right border and drag to re-size the column.
538. sponse. DHCPv6. 27.1 Overview. This chapter describes how to configure DHCPv6 request type objects. 27.1.1 What You Can Do in this Chapter. The Request screen (Section 27.2 on page 283) allows you to configure DHCPv6 request type objects. 27.2 DHCPv6 Request. The Request screen allows you to add, edit, and remove DHCPv6 request type objects. To access this screen, click Configuration > Object > DHCPv6 > Request. Figure 165 Configuration > Object > DHCPv6 > Request. The following table describes the labels in this screen. Table 149 Configuration > Object > DHCPv6 > Request. Configuration. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note: You cannot delete an entry which is in use. Table 149 Configuration > Object > DHCPv6 > Request (continued). Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry
539. ss > Load Balancing. Each field is described in the following table. Table 56 Configuration > Wireless > Load Balancing. Enable Load Balancing: Select this to enable load balancing on the NXC. Mode: Select a mode by which load balancing is carried out. Select By Station Number to balance network traffic based on the number of specified stations connected to an AP. Select By Traffic Level to balance network traffic based on the volume generated by the stations connected to an AP. Once the threshold is crossed (either the maximum station numbers or with network traffic), then the AP delays association request and authentication request packets from any new station that attempts to make a connection. This allows the station to automatically attempt to connect to another, less burdened AP if one is available. Max Station Number: Enter the threshold number of stations at which an AP begins load balancing its connections. Traffic Level: Select the threshold traffic level at which the AP begins load balancing its connections (low, medium, high). Disassociate station when overloaded: Select this option to disassociate wireless clients connected to the AP when it becomes overloaded. If you do not enable this option, then the AP simply delays the connection
541. ss is in the same subnet as the NXC's. In the computer, click Start > Programs > Accessories and then Command Prompt. In the Command Prompt window, type "ping" followed by the NXC's LAN IP address (192.168.1.1 is the default) and then press ENTER. The NXC should reply. If you've forgotten the NXC's password, use the RESET button. Press the button in for about 5 seconds (or until the PWR LED starts to blink), then release it. It returns the NXC to the factory defaults (password is 1234, LAN IP address 192.168.1.1, etc.; see your User's Guide for details). If you've forgotten the NXC's IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed. Cannot access the Internet. Check the NXC's connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly. If the NXC is operating in its default bridge mode, ensure that the DHCP server to which the NXC is connected is properly configured to assign IP addresses. Check the NXC's security settings and/or interface and VLAN settings to ensure you have not inadvertently e
542. st u physical port Tx packets 2nd u physical port Rx packets 3rd u physical port packets collisions 4th u physical port Tx Bytes s 5th u physical port Rx Bytes s 3rd 96s physical port up time name s status s TxP Interface statistics log This log will be sent to the VRPT server member Cini Unida hsc Ist 96s interface name 2nd 96s interface status 1st u variable interface ii dud aren eae Tx packets 2nd u variable interface Rx packets 3rd u interface packets xB s u collisions 4th u interface Tx Bytes s 5th u interface Rx Bytes s RxB s u Interface s connect MS CHAPv2 authentication failed the server must support mS CHAPv2 and failed MS CHAPv2 verify that the authentication failed this does not include cases where the mutual authentication Servers does not support MS CHAPv2 96s interface name failed Interface s connect MS CHAP authentication failed the server must support MS CHAP and verify failed MS CHAP that the authentication failed this does not include cases where the server authentication does not support MS CHAP 96s interface name failed Interface s connect CHAP authentication failed the server must support CHAP and verify that the failed CHAP authentication failed this does not include cases where the server does not authentication support CHAP CHAP interface name failed Interface s connect The interface s connectio
543. system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers. The Log Settings tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. For alerts, the Log Settings tab controls which events generate alerts and where alerts are e-mailed. The Log Settings Summary screen provides a summary of all the settings. You can use the Log Settings Edit screen to maintain the detailed settings (such as log categories, e-mail addresses, server names, etc.) for any log. Alternatively, if you want to edit what events are included in each log, you can also use the Log Category Settings screen to edit this information for all logs at the same time. 29.3.1 Log Settings Summary. To access this screen, click Configuration > Log & Report > Log Settings. Figure 200 Configuration > Log & Report > Log Settings.
544. The following table describes the labels in this screen. Table 102 Configuration > Object > User/Group > Setting. User Default Settings. Default Authentication Timeout Settings: These authentication timeout settings are used by default when y
545. t Port Statistics > Switch to Graphic View. The following table describes the labels in this screen. Table 25 Monitor > System Status > Port Statistics > Switch to Graphic View. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away. Port Selection: Select the number of the physical port for which you want to display graphics. Switch to Grid View: Click this to display the port statistics as a table. Mbps: The y-axis represents the speed of transmission or reception. time: The x-axis shows the time period over which the transmission or reception occurred. TX: This line represents traffic transmitted from the NXC on the physical port since it was last connected. RX: This line represents the traffic received by the NXC on the physical port since it was last connected. Last Update: This field displays the date and time the information in the window was last updated. 5.4 Interface Status. This screen lists all of the NXC's interfaces and gives packet sta
546. t policy. The NXC applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the NXC will not have to use the default policy. Zone: This is the zone on the NXC the user is allowed or denied to access. Address: This is the object name of the IP address(es) with which the computer is allowed or denied to send DNS queries. Action: This displays whether the NXC accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny). 28.6.3 Address Record. An address record contains the mapping of a Fully Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where "www" is the host, "zyxel" is the second-level domain, and "com" is the top-level domain. mail.myZyXEL.com.tw is also a FQDN, where "mail" is the host, "myZyXEL" is the third-level domain, "com" is the second-level domain, and "tw" is the top-level domain. The NXC allows you to configure address records about the NXC itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the NXC receives a DNS query for an FQDN for which the NXC has an address record, the NXC can send the IP address in a DNS response without having to query a DN
548. The following table describes the labels in this screen. Table 76 Configuration > Network > NAT. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. This field is a sequential value and it is not associated with a specific entry. Status: This icon is lit when the entry is active and dimmed when the entry is inactive. Name: This field displays the name of the entry. Mapping Type: This field displays what kind of NAT this entry performs: Virtual Server, 1:1 NAT, or Many 1:1 NAT. Interface: This field displays the interface on which packets for the NAT entry are received. Original IP: This field displays the original destination IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the original destination IP address. Mapped IP: This field displays the new destination IP address for the packet. Protocol: This field displays the service used by the packets for this NAT entry. It displays any if there is no rest
549. t Wizard, click Next. 6. If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9. 7. Otherwise, select Place all certificates in the following store and then click Browse. 8. In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.
550. t a feature lst 96s feature name 2st 02x 7th 02x Managed AP MAC Address 8th 96s Managed AP Description Table 213 CAPWAP Client Logs LOG MESSAGE DESCRIPTION AP Start Discovery Type s Start the CAPWAP Client service 1st 96s Discovery type Static DHCP DNS Broadcast AP Reset Discovery Type s Reset the CAPWAP Client service 1st 96s Discovery type Static DHCP DNS Broadcast Connect to WLAN Controller IP S CAPWAP Client connected to the WLAN Controller 1st 96s WLAN Controller IP Address Disconnect from WLAN Controller IP s CAPWAP Client disconnected from to the WLAN Controller 1st 96s WLAN Controller IP Address Updated Configuration by a WLAN Controller Success Partial Update Configuration upgraded success by WLAN Controller Updated Configuration by a WLAN Controller Fail Configuration upgraded fail by WLAN Controller ReBoot by a WLAN Controller IP s Reboot the WTP by WLAN Controller 1st 96s WLAN Controller IP Address Firmware Upgraded by WLAN Controller IP s Firmware upgraded by WLAN Controller 1st 96s WLAN Controller IP Address Apply Configuration by a WLAN Controller Success s Configuration apply success by WLAN Controller 1st 96s Complete Update WLAN Controller IP Changed New Discovery Type s WLAN Controller IP SS Changed WTP s AC IP 1st s Discovery type Static DHCP DNS Br
551. t has assigned an IP address. This is the index number of an IP/MAC binding entry. IP Address: This is the IP address that the NXC assigned to a device. Host Name: This field displays the name used to identify this device on the network (the computer name). The NXC learns these from the DHCP client requests. MAC Address: This field displays the MAC address to which the IP address is currently assigned. Last Access: This is when the device last established a session with the NXC through this interface. Description: This field displays the descriptive name that helps identify the entry. Refresh: Click this button to update the information in the screen. 5.8 Login Users. Use this screen to look at a list of the users currently logged into the NXC. To access this screen, click Monitor > System Status > Login Users. Figure 30 Monitor > System Status > Login Users. The following table describes the labels in this screen. Table 31 Monitor > System Status > Login Users. Force Logout: Select a user ID and cli
552. t the DUID to be generated from the interface's default MAC address. Customized DUID: If you want to use a customized DUID, enter it here for the interface. Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 server to make rapid commit work. Request Address: Select this to get an IPv6 address for this interface from the DHCP server. Clear this to not get any IP address information through DHCPv6. DHCPv6 Request Options: If this interface is a DHCPv6 client, use this section to configure DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. Table 60 Configuration > Network > Interface > Ethernet > Edit (continued). Add: Click this to create an entry in this table. See Section 8.2.3 on page 119 for more information. Remove: Select an entry and click this to delete it from this table. Object Reference: Select an entry and click Object Reference to open a screen that shows which settings use the entry. See Section 8.2.2 on page 119 for an example. This field is a sequential value and it is not associated with any entry. Name: This field displays the name of the DHCPv6 request object. Ty
553. t the outside clients use to access the server. The private and public ranges must have the same number of IP addresses. One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule. Incoming Interface: Select the interface on which packets for the NAT rule must be received. It can be an Ethernet or VLAN interface. Original IP: Specify the destination IP address of the packets received by this NAT rule's specified incoming interface. any: Select this to use all of the incoming interface's IP addresses including dynamic addresses. User Defined: Select this to manually enter an IP address in the User Defined field. For example, you could enter a static public IP assigned by the ISP. Host address: Select a host address object to use the IP address it specifies. The list also includes address objects based on interface IPs. So, for example, you could select an address object based on a WAN interface even if it has a dynamic IP address. User Defined Original IP: This field is available if Original IP is User Defined. Type the destination IP address that this NAT rule supports. Original IP Subnet/Range: This field displays for Many 1:1 NAT. Select the destination IP address subnet or IP address range that this NAT rule supports. The original and mapped IP address subnets or ranges must have the same number of IP addresses. Mapped IP: Select to which translated destinati
554. t the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks, but it's still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encrypti
555. tations that connected to the SSID. This is the station's index number in this list. Table 41 Monitor > Wireless > Station Info > Station List (continued). MAC Address: This is the station's MAC address. Associated AP: This indicates the AP through which the station is connected to the network. SSID Name: This indicates the name of the wireless network to which the station is connected. A single AP can have multiple SSIDs or networks. Security Mode: This indicates which secure encryption method is being used by the station to connect to the network. Signal Strength: This indicates the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between the station and the AP. Channel: This indicates the number of the channel used by the station to connect to the network. IP Address: This is the station's IP address. A 169.x.x.x IP address is a private IP address that means the station didn't get the IP address from a DHCP server. Tx Rate: This indicates the current data transmission rate of the station. Rx Rate: This indicates the current data receiving rate of the station. Tx: This field displays the number of packets transmitted from the station. Rx: This field displays the number of packets received by the station. Association Time: This disp
556. tatus. SNAT Flow: This section shows you the flow of how the NXC changes the source IP address for a packet according to the rules you have configured in the NXC. Click a function box to display the related settings in the SNAT Table section. SNAT Table: The table fields in this section vary depending on the function box you select in the SNAT Flow section. The following fields are available if you click Policy Route SNAT in the SNAT Flow section. This field is a sequential value and it is not associated with any entry. PR: This is the number of an activated policy route which uses SNAT. Outgoing: This is the outgoing interface that the route uses to transmit packets. SNAT: This is the source IP address(es) that the SNAT rule uses finally. The following fields are available if you click 1:1 SNAT in the SNAT Flow section. This field is a sequential value and it is not associated with any entry. NAT Rule: This is the name of an activated NAT rule which uses SNAT. Source: This is the original source IP address(es). Destination: This is the original destination IP address(es). Outgoing: This is the outgoing interface that the SNAT rule uses to transmit packets. SNAT: This is the source IP address(es) that the SNAT rule uses finally. The following fields are available if you click Loopback SNAT in the SNAT Flow section. This field is a sequential value and it i
557. te user has failed. Login failure. Please click Retry to login again. Here are the error codes the NXC sends to the External Web Portal Error page. Table 88 External Web Portal Error Page Error Codes (error code, title, message): 1, Login denied, Validation failed; 2, Login denied, Login attempt from a locked out address; 3, Login denied, Simultaneous admin access logons or users have reached the maximum number. Here are the HTTP parameters the NXC uses with the external URL. Table 89 HTTP Parameters for External URL (columns: PARAMETER, DESCRIPTION, LOGIN, WELCOME, SESSION, LOGOUT, ERROR): gw addr: NXC IP Address (V V V V). error num: Login error code (V). auth hour: The remaining hours before authentication timeout (V). auth min: The remaining minutes before authentication timeout (V). auth sec: The remaining seconds before authentication timeout (V). lease time: Total remaining seconds before lease timeout (V). username: Login username (V). cgi str: The CGI for user login. The admin type is admin.cgi and the user-related type is login.cgi (V). Ses time: Accounting session timeout (V). RTLS 15.1 Overview: Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the NXC to create maps, alerts and reports. The Ekahau RTLS Controller
558. ternet Explorer. This section shows you how to remove a public key certificate in Internet Explorer 7 on Windows XP. 1. Open Internet Explorer and click Tools > Internet Options. 2. In the Internet Options dialog box, click Content > Certificates. 3. In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.
559. the address will be copied to the configuration file. It will not change unless you change the setting or upload a different configuration file. Related Setting. Configure Policy Route: Click Policy Route to go to the policy route summary screen where you can manually associate traffic with this interface. You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General. You can also configure a policy route to override the default routing and SNAT behavior for an interface with the Interface Type set to Internal or External. OK: Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving. 8.2.2 Object References: When a configuration screen includes an Object Reference icon, select a configuration object and click Object Reference to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object. Figure 65 Object References. The following table describes labels that can appear in this screen. Table 61 Object References. Object Name: Thi
560. the changes will be lost when the NXC restarts. You could use multiple write commands in a long script. Note: exit or must follow sub commands if it is to make the NXC exit sub command mode. cannot get the firmware uploaded using the commands: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than wanted or failed: The packet capture screen's File Size sets a maximum size limit for the total combined size of all the capture files on the NXC, including any existing capture files and any new capture files you generate. If you have existing capture files, you may need to set this size larger or delete existing capture files. The NXC stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires. My earlier packet capture files are missing: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. 35.1.2 Wireless: This section provides troubleshooting for wireless devices connected to the NXC. Wireless clients cannot connect to an AP: There may be
561. this screen also shows whether the IP address is a static IP address (STATIC), link-local IP address (LINK LOCAL), dynamically assigned (DHCP), or an IPv6 StateLess Address AutoConfiguration IP address (SLAAC). See Appendix E on page 436 for more information about IPv6. IP Assignment: This field displays how the interface gets its IP address. Static: This interface has a static IP address. DHCP Client: This interface gets its IP address from a DHCP server. Services: This field lists which services the interface provides to the network. Examples include DHCP relay and DHCP server. This field displays n/a if the interface does not provide any services to the network. Action: Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click Connect to try to connect the interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a. Interface Statistics: This table provides packet statistics for each interface. Refresh: Click this button to update the information in the screen. Name: This field displays the name of each interface. Table 26 Monitor > System Status > Interface Status (continued). Status: This field displays the current status of each interface. The possible values depend on what type of inte
562. thout saving your changes. AP Profile 18.1 Overview: This chapter shows you how to configure preset profiles for the Access Points (APs) connected to your NXC's wireless network. 18.1.1 What You Can Do in this Chapter: The Radio screen (Section 18.2 on page 209) creates radio configurations that can be used by the APs. The SSID screen (Section 18.3 on page 214) configures three different types of profiles for your networked APs. 18.1.2 What You Need To Know: The following terms and concepts may help as you read this chapter. Wireless Profiles: At the heart of all wireless AP configurations on the NXC are profiles. A profile represents a group of saved settings that you can use across any number of connected APs. You can set up the following wireless profile types. Radio: This profile type defines the properties of an AP's radio transmitter. You can have a maximum of 32 radio profiles on the NXC. SSID: This profile type defines the properties of a single wireless network signal broadcast by an AP. Each radio on a single AP can broadcast up to 8 SSIDs. You can have a maximum of 32 SSID profiles on the NXC. Security: This profile type defines the security settings used by a single SSID. It controls the encryption method required for a wireless client to associate itself with the SSID. You can have a maximum of 32 security profiles on the NXC. MAC Filtering: This profile provi
563. tication method(s) for this entry. 25.2.1 Add Authentication Method: Follow the steps below to create an authentication method object. 1. Click Configuration > Object > Auth Method. 2. Click Add. 3. Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive. For example, My Device. 4. Click Add to insert an authentication method in the table. 5. Select a server object from the Method List drop-down list box. 6. You can add up to four server objects to the table. The ordering of the Method List column is important. The NXC authenticates the users using the databases in the local user database or the external authentication server in the order they appear in this screen. If two accounts with the same username exist on two authentication servers you specify, the NXC does not continue the search on the second authentication server when you enter the username and password that doesn't match the one on the first authentication server. 7. Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. The following
564. ting system Before apply configuration file System resetted Now apply s After the system reset it started to apply the configuration file 96s is configuration file name Running s An administrator ran the listed shell script 96s is script file name Table 209 DHCP Logs LOG MESSAGE DESCRIPTION Can t find any lease for this client DHCP pool full o s All of the IP addresses in the DHCP pool are already assigned to DHCP clients so there is no IP address to give to the listed DHCP client DHCP server offered s to s s The DHCP server feature gave the listed IP address to the computer with the listed hostname and MAC address Requested s from s S The NXC received a DHCP request for the specified IP address from the computer with the listed hostname and MAC address o applicable lease found for DHCP request Us There is no matching DHCP lease for a DHCP client s request for the specified IP address DHCP released s with s SS A DHCP client released the specified IP address The DHCP client s hostname and MAC address are listed Sending ACK to s The DHCP server feature received a DHCP client s inform packet and is sending an ACK to the client DHCP server assigned Ss to s s The DHCP server feature assigned a client the IP address that it requested The DHCP client s hostname and MAC address are listed
565. tistics for them. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also view your IPv6 interface status on this screen. Click Monitor > System Status > Interface Status to access this screen. Figure 26 Monitor > System Status > Interface Status. Each field is described in the following table. Table 26 Monitor > System Status > Interface Status. Interface Status, IPv6 Interface Status: Use the Interface Status section for IPv4 network settings. Use the IPv6 Interface Sta
566. to DHCP clients P address. If the DHCP client's MAC address is in the NXC's static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool defined by the starting address of the pool and the pool size. Table 67 Example: Assigning IP Addresses from a Pool (start IP address, pool size, range of assigned IP addresses): 50.50.50.33, 5, 50.50.50.33 - 50.50.50.37; 75.75.75.1, 200, 75.75.75.1 - 75.75.75.200; 99.99.1.1, 1023, 99.99.1.1 - 99.99.4.255; 120.120.120.100, 100, 120.120.120.100 - 120.120.120.199. The NXC cannot assign the first address (network address) or the last address (broadcast address) in the subnet defined by the interface's IP address and subnet mask. For example, in the first entry, if the subnet mask is 255.255.255.0, the NXC cannot assign 50.50.50.0 or 50.50.50.255. If the subnet mask is 255.255.0.0, the NXC cannot assign 50.50.0.0 or 50.50.255.255. Otherwise, it can assign every IP address in the range except the interface's IP address. If you do not specify the starting address or the pool size, the interface uses the maximum range of IP addresses allowed by the interface's IP address and subnet mask. For example, if the interface's IP address is 9.9.9.1 and subnet mask is 255.255.255.0, the starting IP address in the pool is 9.9.9.2 and the pool size is 253. 1. At the time of writing, the NXC does not support ingress bandwidth management. 1
567. to access the NXC using this service. Zone: Select ALL to allow or prevent any NXC zones from being accessed using this service. Select a predefined NXC zone on which an incoming service is allowed or denied. Action: Select Accept to allow the user to access the NXC from the specified computers. Select Deny to block the user's access to the NXC from the specified computers. OK: Click OK to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving. 28.7.6 HTTPS Example: If you haven't changed the default HTTPS port on the NXC, then in your browser enter https://NXC IP Address/ as the web site address, where NXC IP Address is the IP address or domain name of the NXC you wish to access. 28.7.6.1 Internet Explorer Warning Messages: When you attempt to access the NXC HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the NXC. You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the Web Configurator login screen; if you select No, then Web Configurator access is blocked. Figure 181 Security Alert Dialog Box (Internet Explorer).
568. to access this screen. Figure 47 Configuration > Wireless > Controller. Each field is described in the following table. Table 48 Configuration > Wireless > Controller. Registration Type: Select Manual to add each AP to the NXC for management, or Always Accept to automatically add APs to the NXC for management. Note: Select the Manual option for managing a specific set of APs. This is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue APs. For details on how to handle rogue APs, see Section 5.15 on page 80. APs must be connected to the NXC by a wired connection or network. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. 7.3 AP Management: Use this screen to manage all of the APs connected to the NXC. Click Configuration > Wireless > AP Management to access this screen. Figure 48 Configuration > Wireless > AP Management. Each fi
569. to have the NXC send traffic that matches the policy route through the specified interface. Auto-Disable: This field displays when you select Interface in the Type field. Select this to have the NXC automatically disable this policy route when the next hop's connection is down. Table 69 Configuration > Network > Routing > Policy Route > Add/Edit (continued). DSCP Marking: Set how the NXC handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply, or select User Defined to specify another DSCP value. The "af" choices stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences. Select preserve to have the NXC keep the packets' original DSCP value. Select default to have the NXC set the DSCP value of the packets to 0. The "wmm" entries are for QoS. For more information on QoS and WMM categories, see page 143. User-Defined DSCP Code: Use this field to specify a custom DSCP value. Address Translation: Use this section to configure NAT for the policy route. Source Network Address Translation: Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP addres
570. to one host. 28.6.9 Add MX Record: Click the Add icon in the MX Record table to add a MX record. Figure 175 Configuration > System > DNS > Add MX Record. The following table describes the labels in this screen. Table 159 Configuration > System > DNS > Add MX Record. Domain Name: Enter the domain name where the mail is destined for. IP Address/FQDN: Enter the IP address or Fully Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above. OK: Click OK to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving. 28.6.10 Add Service Control: Click the Add icon in the Service Control table to add a service control rule. Figure 176 Configuration > System > DNS > Add Service Control Rule. The following table describes the labels in this screen. Table 160 Configuration > System > DNS > Add Service Control Rule. Create new Object: Use this to configure any new settings objects that you need to use in this screen. Address Object: Select ALL to allow or deny
571. tocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). PPTP, TCP 1723: Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. PPTP TUNNEL, User-Defined (GRE) 47: PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel. RCMD, TCP 512: Remote Command Service. REAL AUDIO, TCP 7070: A streaming audio service that enables real time sound over the web. REXEC, TCP 514: Remote Execution Daemon. RLOGIN, TCP 513: Remote Login. RTELNET, TCP 107: Remote Telnet. RTSP, TCP/UDP 554: The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP, TCP 115: Simple File Transfer Protocol. SMTP, TCP 25: Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. SNMP, TCP/UDP 161: Simple Network Management Program. SNMP TRAPS, TCP/UDP 162: Traps for use with the SNMP (RFC 1215). Table 219 Commonly Used Services (continued; columns: NAME, PROTOCOL, PORT(S), DESCRIPTION). SQL NET, TCP 1521: Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. SSH, TCP/UDP 2
572. try. The total number of files that you can save depends on the file sizes and the available storage space. File Name: This column displays the label that identifies the file. Size: This column displays the size (in bytes) of a file. Last Modified: This column displays the date and time that the individual files were saved. 31.3 Packet Capture: Use this screen to capture network traffic going through the NXC's interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. Figure 214 Maintenance > Diagnostics > Packet Capture > Capture. The following table describes the labe
573. tus section for IPv6 network settings if you connect your NXC to an IPv6 network. Both sections have similar fields as described below. Name: This field displays the name of each interface. Port: This field displays the physical port number. Table 26 Monitor > System Status > Interface Status (continued). Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive: The Ethernet interface is disabled. Down: The Ethernet interface is enabled but not connected. Speed/Duplex: The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half). For VLAN interfaces: Up: The VLAN interface is enabled and one of its member Ethernet interfaces is connected. Down: The VLAN interface is enabled but none of its member Ethernet interfaces is connected. Inactive: The VLAN interface is disabled. Zone: This field displays the zone to which the interface is assigned. IP Addr/Netmask, IP Address: This field displays the current IP address and subnet mask of the interface. If the IP address and subnet mask are 0.0.0.0 in the IPv4 network, or the IP address is in the IPv6 network, the interface is disabled or does not have an IP address yet. In the IPv6 network
574. twork > Interface > Ethernet > Edit > Add DHCPv6 Request Options. 8.2.4 Add/Edit DHCP Extended Options: When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended options, which have the NXC add more information in the DHCP packets. The available fields vary depending on the DHCP option you select in this screen. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP Setting section, and then click Add or Edit in the Extended Options table. Figure 67 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options. The following table describes labels that can appear in this screen. Table 62 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options. Option: Select which DHCP option that you want to add in the DHCP packets sent through the interface. See Table 63 on page 121 for more information. Name: This field displays the name of the selected DHCP option. If you selected User Defined in the Option field, enter a descriptive name to identify the DHCP option. You can ent
575. ule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule's original IP to access the mail server. For example, a LAN user's computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server's domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server's mapped public IP address of 1.1.1.1. Figure 81 LAN Computer Queries a Public DNS Server. The LAN user's computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the NXC's LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server. Figure 82 LAN to LAN Traffic. The LAN SMTP server replies to the NXC's LAN IP address and the NXC changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic's source matches the original destination address (1.1.1.1). If the SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address, which would cause the LAN user's computer to shut down the session. Figure 83 LAN to LAN Return Traffic. ALG
576. umber on the RADIUS server to which the NXC sends authentication requests. Enter a number between 1 and 65535. Key: Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the NXC. The key is not sent over the network. This key must be the same on the external authentication server and the NXC. Accounting Server Settings. Server Address: Enter the IP address or Fully Qualified Domain Name (FQDN) of the RADIUS accounting server. Accounting Port: Specify the port number on the RADIUS server to which the NXC sends accounting information. Enter a number between 1 and 65535. Backup Server Address: If the RADIUS server has a backup accounting server, enter its address here. Backup Accounting Port: Specify the port number on the RADIUS server to which the NXC sends accounting information. Enter a number between 1 and 65535. Key: Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the NXC. The key is not sent over the network. This key must be the same on the external authentication server and the NXC. Maximum Retry Count: At times the NXC may not be able to use the primary RADIUS accounting server. Specify the number of times the NXC should reattempt to use the primary RADIUS server before attempting to use the secondary RADIUS server. This also sets how many times t
577. update the log table. Clear Log: Click this button to clear the whole log, regardless of what is currently displayed on the screen. This field is a sequential value and it is not associated with a specific log message. Time: This field displays the time the log message was recorded. Priority: This field displays the priority of the log message. It has the same range of values as the Priority field above. Category: This field displays the log that generated the log message. It is the same value used in the Display and other Category fields. Message: This field displays the reason the log message was generated. The text "count=x", where x is a number, appears at the end of the Message field if log consolidation is turned on and multiple entries were aggregated to generate into this one. Source: This field displays the source IP address and the port number in the event that generated the log message. Destination: This field displays the destination IP address and the port number of the event that generated the log message. Note: This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. 5.17 View AP Log: Use this screen to view the NXC's current wireless AP log messages. Click Monitor > Log > View AP Log to access this screen. Figure 41 Monitor > Log > Vi
578. ur rules is important as they are applied in order of their numbering. Status: This icon is lit when the entry is active and dimmed when the entry is inactive. This is the index number of a session limit rule. It is not associated with a specific rule. User: This is the user name or user group name to which this session limit rule applies. IPv4 Address: This is the address object to which this session limit rule applies. Description: This is the description for the rule. Limit: This is how many concurrent sessions this user or address is allowed to have. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last saved settings. 16.3.1 Add/Edit Session Limit: Click Configuration > Firewall > Session Limit and the Add or Edit icon to display the Firewall Session Limit Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. Figure 109 Configuration > Firewall > Session Limit > Add/Edit. The following table describes the labels in this screen. Table 96 Configuration > Firewall > Session Limit > Add/Edit. Create new Ob
579. user name and password to the server to log in to the server.

28.8.2 SSH Implementation on the NXC
Your NXC supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour and Blowfish). The SSH server is implemented on the NXC for management using port 22 (by default).

28.8.3 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the NXC over SSH.

28.8.4 Configuring SSH
Click Configuration > System > SSH to change your NXC's Secure Shell settings. Use this screen to specify from which zones SSH can be used to manage the NXC. You can also specify from which IP addresses the access can come.
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
[Figure 186: Configuration > System > SSH. Screen fields: Enable, Version 1, Server Port (22), Server Certificate (default), Service Control table (Zone, Address, Action)]
The following table describes the labels in this screen.
Table 163: Configuration > System > SSH (LABEL / DESCRIPTION)
Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to
580. user type from the external server. If the external server does not have the information, the NXC sets the user type for this session to User.

Ext Group User Accounts
Ext Group User accounts are similar to ext user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server.

Ext Server Accounts
Ext Server accounts are admin accounts that can log into the NXC from the WAN and which are authenticated by an associated RADIUS server.

Dynamic Guest Accounts
Dynamic guest accounts are guest accounts, but are created dynamically with the guest manager account and stored in the NXC's local user database. A dynamic guest account has a dynamically created user name and password. A dynamic guest account user can access the NXC's services only within a given period of time and will become invalid after the expiration date/time. You cannot modify or edit a dynamic guest account.

MAC Address Accounts
Use an external server to authenticate wireless clients by MAC address. After authentication the NXC maps the wireless client to a mac address user account (MAC role). Configure user-aware features to control MAC address user access to network services. For example, do the following to give a notebook access to a network printer:
- Configure the external server to authenticate the notebook's wireless client MAC address.
- Click
581. users admin type 190 admin see also admin users and AAA servers 191 and authentication method objects 191 and firewall 186 189 and LDAP 191 and policy routes 138 139 and RADIUS 191 and service control 299 attributes for Ext User 191 currently logged in 48 55 default lease time 199 201 default reauthentication time 199 202 default type for Ext User 191 ext group user type 191 Ext User type 191 ext user type 191 groups see user groups guest type 191 guest manager type 191 lease time 195 limited admin type 190 lockout 200 mac address type 191 192 reauthentication time 195 types of 190 user type 191 user names 194 V Vantage Report VRPT 329 337 virtual interfaces not DHCP clients 131 Virtual Local Area Network see VLAN VLAN 122 advantages 123 and MAC address 123 ID 123 VLAN interfaces 110 VRPT Vantage Report 329 337 W warm start 21 warning message popup 40 warranty 451 note 451 Web Configurator 20 28 access 28 access users 203 requirements 28 supported browsers 28 WEP Wired Equivalent Privacy 209 NXC Series User s Guide Index Wi Fi Protected Access 209 432 Windows Internet Naming Service see WINS Windows Internet Naming Service see WINS WINS 117 129 133 WINS server 117 wireless client WPA supplicants 433 wireless security 428 WLAN interference 426 security parameters 435 WPA 209 432 key caching 433 pre authentication 433 user
582. ust fields The device received an incomplete response to the daily service expiration check and the packets caused a parsing error for the device Server setting error The device could not retrieve the server s IP address or FQDN from local Do expiration daily check has failed The daily check for service expiration failed Do expiration daily check has succeeded The daily check for service expiration was successful System bootup Do expiration daily check The device processes a service expiration day check immediately after it starts up After register Do expiration daily check immediately The device processes a service expiration day check immediately after device registration Time is up Do expiration daily check The processes a service expiration day check every 24 hrs Read MyZyXEL com storage has failed Read data from EEPROM has failed Open proc MRD has failed This error message is shown when getting MAC address Unknown TLS SSL version d The device only supports SSLv3 protocol 96d SSL version assigned by client Load trusted root certificates has failed The device needs to load the trusted root certificate before the device can verify a server s certificate This log displays if the device failed to load it Certificate has expired Verification of a server s certificate failed because it has expired Self signed ce
583. v3 user can have read only or read and write access to the NXC using this SNMPv3 user profile OK Click OK to save your changes back to the NXC Cancel Click Cancel to exit this screen without saving your changes 28 12 Authentication Server You can set the NXC to work as a RADIUS server to exchange messages with a RADIUS client such as an AP for user authentication and authorization Click Configuration gt System gt Auth NXC Series User s Guide 321 Chapter 28 System Server tab The screen appears as shown Use this screen to enable the authentication server feature of the NXC and specify the RADIUS client s IP address Figure 195 Configuration gt System gt Auth Server General Settings Trusted Client qd test V Enable Authentication Server Authentication Server Certificate Authentication Method Add Status Profile Name default NA default v g IP Address Mask Description 172 16 1 11 255 255 255 0 Show 50 wv items Displaying 1 10f 1 The following table describes the labels in this screen Table 169 Configuration gt System gt Auth Server LABEL DESCRIPTION Enable Select the check box to have the NXC act as a RADIUS server Authentication Select the certificate whose corresponding private key is to be used to identify the NXC to Server the RADIUS client You must have certificates already configured in the
584. ve activate or deactivate Table 16 Common Table Icons IPv4 Configuration Add 2 Edit ff Remove Activate j Inactivate Move St Us Sched Incomi Source Destin DSCP Service Sourc Next H DSCP SNAT Page 1 of 1 Show 50 v items Displaying 1 1of 1 Here are descriptions for the most common table icons Table 17 Common Table Icons LABEL DESCRIPTION Add Click this to create a new entry For features where the entry s position in the numbered list is important features where the NXC applies the table s entries in order you can select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The NXC confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate NXC Series User s Guide 43 Chapter 3 The Web Configurator Table 17 Common Table Icons continued LABEL DESCRIPTION Object Reference Select an entry and click Object Reference to open a screen t
585. ve To remove an entry select it and click Remove The NXC confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click I nactivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering This is the number of an individual policy route Status This icon is lit when the entry is active and dimmed when the entry is inactive User This is the name of the user group object from which the packets are sent any means all users Schedule This is the name of the schedule object none means the route is active at all times if enabled Incoming This is the interface on which the packets are received Source This is the name of the source IP address group object any means all IP addresses Destination This is the name of the destination IP address group object any means all IP addresses NXC Series User s Guide Chapter 9 Policy and Static Routes Table 68 Configuration gt Network gt Routing gt Policy Route continued LABEL DESCRIPTION DSCP Code This is the DSCP value of incoming packets to which this policy route applies any m
586. ve and send tagged frames. The NXC automatically adds or removes the tags as needed.

8.1.2 What You Need to Know
The following terms and concepts may help as you read this chapter.

Interface Characteristics
Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface):
- An interface is a logical entity through which (layer 3) packets pass.
- An interface is bound to a physical port or another interface.
- Many interfaces can share the same physical port.
- An interface belongs to at most one zone.
- Many interfaces can belong to the same zone.

Types of Interfaces
You can create several types of interfaces in the NXC:
- Ethernet interfaces are the foundation for defining other interfaces and network policies.
- VLAN interfaces receive and send tagged frames. The NXC automatically adds or removes the tags as needed.

8.2 Ethernet Summary
This screen lists every Ethernet interface. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure VLAN interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface. Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any of them. If an Ethernet interface does not have any physical ports assigned to it, it is effectively removed from the
587. ver use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2 Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. WPA and WPA2 regularly change and rotate the encryption keys so tha
588. voked
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate's identification number given by the certification authority or generated by the NXC.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. "none" displays for a certification request.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The NXC uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algor
589. wn Force Logout Click this icon to end a user s session NXC Series User s Guide Monitor 5 1 Overview Use the Monitor screens to check status and statistics information 5 1 1 What You Can Do in this Chapter The Port Statistics screen Section 5 3 on page 57 displays packet statistics for each physical port The Port Statistics Graph screen Section 5 3 1 on page 59 displays a line graph of packet statistics for each physical port The I nterface Status screen Section 5 4 on page 60 displays all of the NXC s interfaces and their packet statistics The Traffic Statistics screen Section 5 5 on page 62 allows you to start or stop data collection and view statistics The Session Monitor screen Section 5 6 on page 65 displays sessions by user or service The I P MAC Binding screen Section 5 7 on page 67 displays lists of the devices that have received an IP address from NXC interfaces with IP MAC binding enabled The Login Users screen Section 5 8 on page 68 displays a list of the users currently logged into the NXC The Dynamic Guest screen Section 5 9 on page 69 displays a list of the guest user accounts which are created automatically and allowed to access the NXC s services for a certain period of time The USB Storage screen Section 5 10 on page 70 displays information about a connected USB storage device The AP List screen Section 5 11 on page 71 displays which APs are current
590. word matches The AP and wireless clients generate a common PMK Pairwise Master Key The key itself is not sent over the network but is derived from the PSK and the SSID NXC Series User s Guide Appendix D Wireless LANs 4 The AP and wireless clients use the TKIP or AES encryption process the PMK and information exchanged in a handshake to create temporal encryption keys They use these keys to encrypt data exchanged between them Figure 237 WPA 2 PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each INTERNE authentication method or key management protocol type MAC address filters are not dependent on how you configure these security features Table 223 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY ENCRYPTION ENTER IEEE 802 1X MANAGEMENT METHOD MANUAL KEY PROTOCOL Open None No Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable Shared WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable WPA TKIP AES No Enable WPA PSK TKIP AES Yes Disable WPA2 TKIP AES No Enable WPA2 PSK TKIP AES Yes Disable NXC Series User s Guide Overview IPv6 IPv6 Internet Protocol version 6 is designed to enhance IP address size and features The
591. xcluded your client device from accessing the network or the Internet.

The NXC is not applying the custom policy route configured.
The NXC checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match.

I can't enter the interface name I want.
The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, and so on.

My rules and settings that apply to a particular interface no longer work.
The interface's IP address may have changed. To avoid this, create an IP address object based on the interface. This way the NXC automatically updates every rule or setting that uses the object whenever the interface's IP address settings change. For example, if you change ge1's IP address, the NXC automatically updates the corresponding interface-based, ge1 subnet address object.

Hackers have accessed my WEP-encrypted wireless LAN.
WEP is extremely insecure. Its encryption can be broken by an attacker, using widely-available software. It is strongly recommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support. WPA2 or WPA2-PSK
592. xternal server to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails. See page 192 for information on MAC address user accounts. An external server can use the wireless client's account (username/password) or Calling Station ID for MAC authentication. Configure the ones the external server uses.
Auth Method: This field is available only when you set the RADIUS server type to Internal. Select an authentication method if you have created any in the Configuration > Object > Auth Method screen.
Delimiter (Account): Select the separator the external server uses for the two-character pairs within account MAC addresses.
Case (Account): Select the case (upper or lower) the external server requires for letters in the account MAC addresses.
Delimiter (Calling Station ID): RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute. Select the separator the external server uses for the pairs in calling station MAC addresses.
Case (Calling Station ID): Select the case (upper or lower) the external server requires for letters in the calling station MAC addresses.

Authentication Settings
802.1X: Select this to enable 802.1x secure authentication.
Reauthentication Timer: Enter the interval (in seconds) between authentication requests. Enter a 0 for unlimited requests.
Idle Timeout: Enter the idle interval
593. y check process can't get IP address of interface. %s: interface name

Log message: Can't get flags of %s interface
Description: The connectivity check process can't get interface configuration. %s: interface name

Log message: Can't get NETMASK address of %s interface
Description: The connectivity check process can't get netmask address of interface. %s: interface name

Log message: Can't get BROADCAST address of %s interface
Description: The connectivity check process can't get broadcast address of interface. %s: interface name

Log message: Can't use MULTICAST IP for destination
Description: The connectivity check process can't use multicast address to check link status.

Log message: The destination is invalid because destination IP is broadcast IP
Description: The connectivity check process can't use broadcast address to check link status.

Log message: Can't get MAC address of %s interface
Description: The connectivity check process can't get MAC address of interface. %s: interface name

Log message: To send ARP REQUEST error
Description: The connectivity check process can't send ARP request packet.

Table 201: Connectivity Check Logs (continued)

Log message: The %s routing status seted to DEAD by connectivity check
Description: The interface routing can't forward packet. %s: interface name

Log message: The %s routing status seted ACTIVATE by connectivity check
Description: The interface routing can forward packet. %s: interface na
594. (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:

3. The CLI screen displays next.

28.9 Telnet
You can use Telnet to access the NXC's command line interface. Specify which zones allow Telnet access and from which IP address the access can come. Click Configuration > System > TELNET to configure your NXC for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the NXC. You can also specify from which IP addresses the access can come.
[Figure 190: Configuration > System > TELNET. Screen fields: Enable, Server Port (23), Service Control table (Zone, Address, Action)]
The following table describes the labels in this screen.
Table 164: Configuration > System > TELNET (LABEL / DESCRIPTION)
Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the NXC CLI using this service.
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Service Control: This specifies from which computers you can access wh
595. you specified to make sure it is still available. You specify how often to check the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the NXC stops routing to the gateway. The NXC resumes routing to the gateway the first time the gateway passes the connectivity check.
Enable Connectivity Check: Select this to turn on the connection check.
Check Method: Select the method that the gateway allows. Select icmp to have the NXC regularly ping the gateway you specify to make sure it is still available. Select tcp to have the NXC regularly perform a TCP handshake with the gateway you specify to make sure it is still available.
Check Period: Enter the number of seconds between connection check attempts.
Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure.
Check Fail Tolerance: Enter the number of consecutive failures before the NXC stops routing through the gateway.
Check Default Gateway: Select this to use the default gateway for the connectivity check.
Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.
Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
Related Setting: Configure Poli
596. you to manage exceptions to captive portal interception Click the Add button in the Exceptional Services table on the Captive Portal screen to access this screen NXC Series User s Guide Chapter 14 Captive Portal Note If you want 802 1x to work properly you must set BOOTP Client and DNS as exceptional services Figure 92 Configuration gt Captive Portal gt Add Exceptional Services Q Edit Exceptional Services List x Available Member Object Object AH BOOTP_CLIENT AIM Group DNS gt AUTH Any TCP Any UDP BGP BOOTP SERVER CU SEEME TCP1 CU SEEME TCP2 Y The following table describes the labels in this screen Table 85 Configuration gt Captive Portal gt Add Exceptional Services LABEL DESCRIPTION Available This lists all available network services eligible for being excepted from captive portal interception Member This lists all networks services currently assigned to the Exceptional Services table OK Click OK to save your changes back to the NXC Cancel Click Cancel to exit this screen without saving 166 NXC Series User s Guide Chapter 14 Captive Portal 14 2 2 Auth Policy Add Edit This screen allows you to add authentication policies to captive portal interception Click the Add or Edit button for an existing policy in the Authentication Policy Summary table on the Captive Portal screen to access this scree
597. ype the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule begins each day Hour 0 23 Minute 0 59 StopTime Specify the hour and minute when the schedule ends each day Hour 0 23 Minute 0 59 NXC Series User s Guide 249 Chapter 23 Schedules Table 134 Configuration gt Object gt Schedule gt Add Edit Recurring continued LABEL DESCRIPTION Weekly Week Days Select each day of the week the recurring schedule is effective OK Click OK to save your changes back to the NXC Cancel Click Cancel to exit this screen without saving your changes 250 NXC Series User s Guide AAA Server 24 1 Overview You can use a AAA Authentication Authorization Accounting server to provide access control to your network The AAA server can be a Active Directory LDAP or RADIUS server Use the AAA Server screens to create and manage objects that contain settings for using AAA servers You use AAA server objects in configuring ext group user user objects and authentication method objects 24 1 1 What You Can Do in this Chapter The Active Directory LDAP screens Section 24 2 on page 254 configure Active Directory or LDAP server objects e Th
598. ys when you show the filter Select the source interface of the packet that generated the log message Destination Interface This displays when you show the filter Select the destination interface of the packet that generated the log message NXC Series User s Guide Chapter 5 Monitor Table 43 Monitor gt View Log continued LABEL DESCRIPTION Service This displays when you show the filter Select the service whose log messages you would like to see The Web Configurator uses the protocol and destination port number s of the service to select which log messages you see Keyword This displays when you show the filter Type a keyword to look for in the Message Source Destination and Note fields If a match is found in any field the log message is displayed You can use up to 63 alphanumeric characters and the underscore as well as punctuation marks 9 the period double quotes and brackets are not allowed Protocol This displays when you show the filter Select a service protocol whose log messages you would like to see Search This displays when you show the filter Click this button to update the log using the current filter settings Email Log Now Click this button to send log messages to the Active e mail addresses specified in the Send Log To field on the Log Settings page Refresh Click this button to
599. ystem default conf 8323 2013 12 10 02 20 08 startup config bad conf 9090 2013 12 11 18 35 55 startup config conf 9204 2013 12 13 13 45 08 htm default conf 40 2013 12 10 02 20 08 lastgood conf 9114 2013 12 13 09 12 44 Page 1 ofi Show 50 v items Displaying 1 5 of 5 Upload Configuration File To upload a configuration file browse to the location ofthe file conf and then click Upload File Path upload Do not turn off the NXC while configuration file upload is in progress NXC Series User s Guide Chapter 30 File Manager The following table describes the labels in this screen Table 180 Maintenance gt File Manager gt Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the NXC You can only rename manually saved configuration files You cannot rename the lastgood conf system default conf and startup config conf files You cannot rename a configuration file to the name of another configuration file in the NXC Click a configuration file s row to select it and click Rename to open the Rename File screen 1 Rename 2 x Source file startup config back conf Target file OK Cancel Specify the new name for the configuration file Use up to 25 characters including a zA Z0 9 amp _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration fil
600. ywall mib and zyxel zywall ZLD Common mib to collect information about CPU and memory usage. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the NXC's MIBs from www.zyxel.com.

SNMP Traps
The NXC will send traps to the SNMP manager when any one of the following events occurs.
Table 166: SNMP Traps (OBJECT LABEL, OBJECT ID, DESCRIPTION)
Cold Start (1.3.6.1.6.3.1.1.5.1): This trap is sent when an agent reinitialized its configuration tables.
linkDown (1.3.6.1.6.3.1.1.5.3): This trap is sent when the Ethernet link is down.
linkUp (1.3.6.1.6.3.1.1.5.4): This trap is sent when the Ethernet link is up.
authenticationFailure (1.3.6.1.6.3.1.1.5.5): This trap is sent when an SNMP request comes from non-authenticated hosts.

28.11.3 Configuring SNMP
Your NXC can act as an SNMP agent, which allows a manager station to manage and monitor the NXC through the network. To change your NXC's SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the NXC. You can also specify from which IP addresses the access can come and configure user profiles that define allowed SNMPv3 access.
[Figure 193: Configuration > System > SNMP]
