ZyXEL NWA3550 User's Manual
Contents
3. Appendix E: IP Addresses and Subnetting

SUBNET | SUBNET ADDRESS | FIRST ADDRESS | LAST ADDRESS | BROADCAST ADDRESS
5 | 128 | 129 | 158 | 159
6 | 160 | 161 | 190 | 191
7 | 192 | 193 | 222 | 223
8 | 224 | 225 | 254 | 255

Subnet Planning

The following table is a summary for subnet planning on a network with a 24-bit network number.

Table 98 24-bit Network Number Subnet Planning
NO. "BORROWED" HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
1 | 255.255.255.128 (/25) | | 126
2 | 255.255.255.192 (/26) | | 62
3 | 255.255.255.224 (/27) | | 30
4 | 255.255.255.240 (/28) | 16 | 14
5 | 255.255.255.248 (/29) | 32 |
6 | 255.255.255.252 (/30) | 64 |
7 | 255.255.255.254 (/31) | 128 | 1

The following table is a summary for subnet planning on a network with a 16-bit network number.

Table 99 16-bit Network Number Subnet Planning
NO. "BORROWED" HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
1 | 255.255.128.0 (/17) | | 32766
2 | 255.255.192.0 (/18) | | 16382
3 | 255.255.224.0 (/19) | | 8190
4 | 255.255.240.0 (/20) | 16 | 4094
5 | 255.255.248.0 (/21) | 32 | 2046
6 | 255.255.252.0 (/22) | 64 | 1022
7 | 255.255.254.0 (/23) | 128 | 510
8 | 255.255.255.0 (/24) | 256 | 254
9 | 255.255.255.128 (/25) | 512 | 126
10 | 255.255.255.192 (/26) | 1024 | 62
11 | 255.255.255.224 (/27) | 2048 | 30
12 | 255.255.255.240 (/28) | 4096 | 14
13 | 255.255.255.248 (/29) | 8192 | 6
5. Chapter 20 Product Specifications

Table 79 Hardware Specifications
SPECIFICATION | DESCRIPTION
Dimensions | 256 (W) x 246 (D) x 82 (H) mm
Weight | 2000 g
Power | PoE draw: 48V 20W at least
Ethernet Port | 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode. Auto-crossover: use either crossover or straight-through Ethernet cables.
Power over Ethernet | IEEE 802.3af compliant
PoE Antenna Specifications | Two external antenna connectors (N-Type)
Output Power | IEEE 802.11b/g: 17 dBm; IEEE 802.11a: 14 dBm
Operating Environment | Temperature 35 C 55 C; Humidity 10 90 RH
Storage Environment | Temperature 40 C 60 C; Humidity 5 95 RH
Approvals, Radio | USA: FCC Part 15C 15.247, FCC Part 15E 15.407, FCC OET65. EU: ETSI EN 300 328 V1.7.1, ETSI EN 301 893 V1.2.3. Taiwan: DGT LP0002. Canada: Industry Canada RSS-210. Australia: AS/NZS 4268.
Approvals, EMC (EMI) | USA: FCC Part 15 Subpart B. EU: EN 301 489-17 V1.2.1 (08-2002), EN 55022:2006. Canada: ICES-003. Australia: AS/NZS CISPR22.
Approvals, EMC (EMS) | EU: EN 301 489-1 V1.5.1 (11-2004)
Environmental | 2002/95/EC (RoHS, Restriction of Hazardous Substances Directive); 2002/96/EC (WEEE, Waste Electrical and Electronic Equipment Directive); European Parliament and Council Directive 94/62/EC of 20 December 1994 on packaging and packaging waste
8. Chapter 18 Maintenance

The following table describes the labels in this screen.

Table 74 System Status: Show Statistics
LABEL | DESCRIPTION
Port | This is the Ethernet port (LAN) or wireless LAN adaptor (WLAN1 or WLAN2).
Status | This shows the port speed and duplex setting if you are using Ethernet encapsulation for the Ethernet port. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect. This shows the transmission speed only for the wireless adaptors.
TxPkts | This is the number of transmitted packets on this port.
RxPkts | This is the number of received packets on this port.
Collisions | This is the number of collisions on this port.
Tx B/s | This shows the transmission speed in bytes per second on this port.
Rx B/s | This shows the reception speed in bytes per second on this port.
Up Time | This is total amount of time the line has been up.
WLAN1 | This section displays only when wireless LAN adaptor WLAN1 is in AP+Bridge or Bridge/Repeater mode.
WLAN2 | This section displays only when wireless LAN adaptor WLAN2 is in AP+Bridge or Bridge/Repeater mode.
Index | This is the index number of the bridge con
9. Appendix D: Importing Certificates

Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.
Figure 216 Internet Explorer 7: Public Key Certificate File
2 In the security warning dialog box, click Open.
Figure 217 Internet Explorer 7: Open File - Security Warning
3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 289 to complete the installation process.

Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7.

1 Open Internet Explorer and click Tools > Internet Options.
Figure 218 Internet Explorer 7: Tools Menu
10. Chapter 20 Product Specifications

Power Current: 400 mA maximum

Table 84 Power over Ethernet Injector RJ-45 Port Pin Assignments
PIN NO | RJ-45 SIGNAL ASSIGNMENT
Signal assignments as listed: Output Transmit Data; Output Transmit Data; Receive Data; Power; Power; Receive Data; Power; Power

PART IV Appendices and Index
Setting Up Your Computer's IP Address
Wireless LANs
Pop-up Windows, JavaScripts and Java Permissions
Importing Certificates
IP Addresses and Subnetting
Text File Based Auto Configuration
Legal Information
Customer Support
Index

Setting Up Your Computer's IP Address

Your specific ZyXEL device may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported.

This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer. If you manually assign IP information instead of using a dynamic IP, make sure that your network's computers have I
11. Appendix D: Importing Certificates

5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Opera

The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2 Click Install to accept the certificate.
Figure 233 Opera 9: Certificate signer not found
3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.
Figure 234 Opera 9: Security information

Installing a Stand-Alone Certificate File in Opera

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand alone certifi
13. 5.2.2.2 Activate the VoIP Profile

You need to activate the VoIP_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the VoIP_SSID profile's Active checkbox and click Apply.

Figure 24 Tutorial: Activate VoIP Profile

Your VoIP wireless network is now ready to use. Any traffic using the VoIP_SSID profile will be given the highest priority across the wireless network.

5.2.3 Configure the Guest Network

When you are setting up the wireless network for guests to your office, your primary concern is to keep your network secure while allowing access to certain resources (such as a network printer, or the Internet). For this reason, the pre-configured Guest_SSID profile has layer-2 isolation and intra-BSS traffic blocking enabled by default. Layer-2 isolation means that a client accessing the network via the Guest_SSID profile can access only certain pre-defined devices on the network (see Section 10.1 on page 129), and intra-BSS traffic blocking means that the client cannot access other clients on the same wireless network (see Section 9.2 on page 125).

Click WIRELESS > SSID
14. Chapter 5 Tutorial

Figure 17 Tutorial: Wireless LAN: Before

Select MBSSID from the Operating Mode drop-down list box. The screen displays as follows.

Figure 18 Tutorial: Wireless LAN: Change Mode

This Select SSID Profile table allows you to activate or deactivate SSID profiles. Your wireless network was previously using the SSID04 profile, so select SSID04 in one of the Profile list boxes (number 3 in this example). Select the Active box for the entry and click Apply to activate the profile. Your standard wireless network (SSID04) is now accessible to your wireless clients as before. You do not need to configure anything else for your standard network.

5.2.2 Configure the VoIP Network

Next, click WIRELESS > SSID. The following screen displays. Note that the SSID04 SSID profile (the standard network) is using the security01 security profile. You cannot change this security profile without changing the standard network's parameters, so when you set up security for the VoIP_SSID and Guest_SSID profiles you will need to set different security profiles.

Figure 19 Tutorial: WIRELESS > SSID
15. Chapter 19 Troubleshooting

Advanced Suggestions

Try to access the ZyXEL Device using another service, such as Telnet. If you can access the ZyXEL Device, check the remote management settings to find out why the ZyXEL Device does not respond to HTTP.

I can see the Login screen, but cannot log in to the ZyXEL Device.

1 Make sure you have entered the user name and password correctly. The default password is 1234. These fields are case-sensitive, so make sure Caps Lock is not on.
2 You cannot log in to the web configurator while someone is using the SMT or Telnet to access the ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person who is logged in to log out.
3 Disconnect and re-connect the power adaptor or cord to the ZyXEL Device.
4 If this does not work, you have to reset the device to its factory defaults. Contact your vendor.

I cannot access the SMT.

See the troubleshooting suggestions for "I cannot see or access the Login screen in the web configurator". Ignore the suggestions about your browser.

I cannot use FTP to upload/download the configuration file. I cannot use FTP to upload new firmware.

See the troubleshooting suggestions for "I cannot see or access the Login screen in the web configurator". Ignore the suggestions about your browser.

19.3 Internet Access

I cannot access the Internet.

1 Check the hardware conn
16. Chapter 20 Product Specifications

Table 80 Firmware Specifications
Default IP Address | 192.168.1.2
Default Subnet Mask | 255.255.255.0 (24 bits)
Default Password | 1234
Wireless LAN Standards | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g
Wireless security | WEP, WPA(2), WPA(2)-PSK, IEEE 802.1x
Layer 2 isolation | Prevents wireless clients associated with your ZyXEL Device from communicating with other wireless clients, APs, computers or routers in a network.
Multiple BSSID (MBSSID) | MBSSID mode allows the ZyXEL Device to operate up to 8 different wireless networks (BSSs) simultaneously, each with independently configurable wireless and security settings.
Rogue AP detection | Rogue AP detection detects and logs unknown access points (APs) operating in the area.
Internal RADIUS server | PEAP, 32-entry Trusted AP list, 128-entry Trusted Users list
VLAN | 802.1Q VLAN tagging
STP (Spanning Tree Protocol) / RSTP (Rapid STP) | (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network.
WMM QoS | WMM (Wi-Fi MultiMedia) QoS (Quality of Service) allows you to prioritize wireless traffic.
Certificates | The ZyXEL De
17. Chapter 2 Introducing the Web Configurator

Click the links on the left of the screen to configure advanced features such as MGNT MODE (Standalone AP or Managed AP), SYSTEM (General, Password and Time Setting), WIRELESS (Wireless, SSID, Security, RADIUS, Layer 2 Isolation, MAC Filter), IP, ROGUE AP (Configuration, Friendly AP, Rogue AP), REMOTE MGNT (Telnet, FTP, WWW and SNMP), AUTH SERVER (Setting, Trusted AP, Trusted Users), CERTIFICATES (My Certificates, Trusted CAs), LOGS (View Log and Log Settings) and VLAN (Wireless VLAN and RADIUS VLAN).

Click MAINTENANCE to view information about your ZyXEL Device or upgrade configuration and firmware files. Maintenance features include Status (Statistics), Association List, Channel Usage, F/W (firmware) Upload, Configuration (Backup, Restore and Default) and Restart.

Status Screens

The Status screen displays when you log into the ZyXEL Device or click STATUS in the navigation menu. Use the Status screens to look at the current status of the device, system resources, interfaces and SSID status. The Status screen also provides detailed information about associated wireless clients, channel usage, logs and detected rogue APs.

3.1 The Status Screen

Click STATUS. The following screen displays.

Figure 11 The Status Screen
18. Enter the network switch's MAC Address and add a Description (NET SWITCH in this case) in Set 1's entry. Enter server 1's MAC Address and add a Description (SERVER_1 in this case) in Set 2's entry. Change the Profile Name to L 2 ISO SERVER 1 and click Apply. You have restricted users on the SERVER_1 network to access only the devices with the MAC addresses you entered.

4 Click the MAC Filter tab. When the MAC Filter screen appears, select macfilter03's entry and click Edit. Enter the MAC address of the device Alice uses to connect to the network in Index 1's MAC Address field and enter her name in the Description field, as shown in the following figure. Change the Profile Name to MacFilter SERVER_1. Select Allow Association from the Filter Action field and click Apply.

Figure 43 Tutorial: MAC Filter Edit (SERVER_1)

You have restricted access to the SERVER_1 network to only the networking device whose MAC address you entered. The SERVER_1 network is now configured.

5.4.5 Configure the SERVER_2 Network

Next you
19. Chapter 18 Maintenance

Refresh | Click Refresh to reload the screen.

18.5 F/W Upload Screen

Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example "NWA Series.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See the Firmware and Configuration File Maintenance chapter for upgrading firmware using FTP/TFTP commands.

Click MAINTENANCE > F/W Upload. Follow the instructions in this screen to upload firmware to your ZyXEL Device.

Figure 142 Firmware Upload

The following table describes the labels in this screen.

Table 77 Firmware Upload
LABEL | DESCRIPTION
File Path | Type in the location of the file you want to upload in this field or click Browse to find it.
Browse | Click Browse to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
20. Appendix C: Pop-up Windows, JavaScripts and Java Permissions

JAVA (Sun)

1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.

Figure 203 Java (Sun)

Importing Certificates

This appendix shows you h
21. Chapter 13 Remote Management Screens

13.9.4 Login Screen

After you accept the certificate, the ZyXEL Device login screen appears. The lock displayed in the bottom right of the browser status bar denotes a secure connection.

Figure 93 Example: Lock Denoting a Secure Connection

Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyXEL Device models.

Figure 94 Replace Certificate

Click Apply in the Replace Certificate screen to create a certificate using your ZyXEL Device's MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.

Figure 95 Device-specific Certificate

Click Ignore in the Replace Certificate screen to use the common ZyXEL Device certificate. You will then see this information in the My Certificates screen.

Figure 96 Common ZyXEL Device Ce
22. Chapter 15 Certificates

15.9 My Certificate Details

Click CERTIFICATES > My Certificates to open the My Certificates screen (Figure 106 on page 180). Click the details button to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate's name. In the case of a self-signed certificate, you can set it to be the one that the ZyXEL Device uses to sign the trusted remote host certificates that you import to the ZyXEL Device.

Figure 109 My Certificate Details

The following table describes the labels in this screen.

Table 60 My Certificate Details
LABEL DES
23. Chapter 7 Wireless Configuration

Table 22 Wireless: Access Point
LABEL | DESCRIPTION
802.11 Mode | Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. Select 802.11b/g to allow both IEEE 802.11b and IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced. Select 802.11a to allow only IEEE 802.11a compliant WLAN devices to associate with the ZyXEL Device.
Super Mode | Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting.
Disable channel switching for DFS | This field displays only when you select 802.11a in the 802.11 Mode field. Select this if you do not want to use DFS (Dynamic Frequency Selection).
Choose Channel ID | Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyXEL Device automatically select a channel, click Scan instead.
Scan | Click this button to have the ZyXEL Device automatical
24. Chapter 15 Certificates

Table 57 My Certificates (continued)
LABEL | DESCRIPTION
Subject | This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer | This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From | This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Details | Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features is configured to use. Do the following to delete a certificate that shows SE
25. Appendix F: Text File Based Auto Configuration

This displays the current configuration file version.

Troubleshooting Via SNMP

If you have any difficulties with the configuration file upload, you can try using the following MIB 10 to 20 seconds after using SNMP to have the AP download the configuration file.

Table 104 Displaying the File Version
ITEM | OBJECT ID | DESCRIPTION
pwTftpOpStatus | 1.3.6.1.4.1.890.1.9.1.6 | This displays the current operating status of the TFTP client.

Configuration File Format

The text-based configuration file must use the following format.

Figure 256 Configuration File Format

    ZYXEL PROWLAN
    VERSION 12
    wcfg security 1 xxx
    wcfg security save
    wcfg ssid 1 xxx
    wcfg ssid save

The first line must be ZYXEL PROWLAN. The second line must specify the file version. The AP compares the file version with the version of the last configuration file that it downloaded. If the version of the downloaded file is the same or smaller (older), the AP ignores the file. If the version of the downloaded file is larger (newer), the AP uses the file.

Configuration File Rules

You can only use the wlan and wcfg commands in the configuration file. The AP ignores other ZyNOS commands but continues to check the next command. The AP ignores any improperly formatted commands and continues to check the next line. If there are any errors
26. Upload: Click Upload to begin the upload process. This process may take up to two minutes.
Do not turn off the ZyXEL Device while firmware upload is in progress!
After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyXEL Device again.
Figure 143 Firmware Upload In Process
The ZyXEL Device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 144 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
Figure 145 Firmware Upload Error
18.6 Configuration Screen: See Chapter 24 on page 251 for inf
27. 9 Click Finish to save your settings and close the window.
Verifying Settings: Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information.
Figure 188 openSUSE 10.3: KNetwork Manager
When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly.
Figure 189 openSUSE: Connection Status - KNetwork Manager
Wireless LANs
Wireless LAN Topologies: This section discusses ad-hoc and infrastructure wireless LAN topologies.
Ad-hoc Wireless LAN Configuration: The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set
28. 2 In the Control Panel, click the Network and Internet icon.
Figure 158 Windows Vista: Control Panel
3 Click the Network and Sharing Center icon.
Figure 159 Windows Vista: Network And Internet
4 Click Manage network connections.
30. (Allow Association) or exclude devices from accessing the ZyXEL Device (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of each device to configure MAC filtering on the ZyXEL Device. The MAC filter profile is a user-configured list of MAC addresses. Each SSID profile can reference one MAC filter profile. The ZyXEL Device provides 16 MAC Filter profiles, each of which can hold up to 32 MAC addresses. Click WIRELESS > MAC Filter. The screen displays as shown.
Figure 75 WIRELESS > MAC Filter
The following table
31. Repeater: The ZyXEL Device can act as a wireless network bridge and establish wireless links with other APs. In the figure below, the two ZyXEL Devices (A and B) are connected to independent wired networks and have a bridge connection (A can communicate with B) at the same time. A ZyXEL Device in repeater mode (C) has no Ethernet connection. When the ZyXEL Device is in bridge mode, you should enable STP to prevent bridge loops. When the ZyXEL Device is in Bridge / Repeater mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP. If you do not enable WDS security, traffic between APs is not encrypted. When WDS security is enabled, both APs must use the same pre-shared key. See Section 7.7.2 on page 101 for more details. Once the security settings of peer sides match one another, the connection between devices is made. At the time of writing, WDS security is compatible with other ZyXEL access points only. Refer to your other access point's documentation for details.
Figure 2 Bridge Application
Figure 3 Repeater Application
1.2.3 AP+Bridge: In AP+Bridge mode, the ZyXEL Device supports both AP and bridge connection at the same time. In the figure below, A and B use X as an
32. Select Guest SSID's entry in the list and click Edit. The following screen appears.
Figure 25 Tutorial: Guest Edit
Choose a new SSID for the guest network. In this example, enter Guest SSID Example. Note that although the SSID changes, the SSID profile name (Guest SSID) remains the same as before. Select Disable from the Hide Name (SSID) list box. This makes it easier for guests to configure their own computers' wireless clients to your network's settings. The standard network (SSID04) is already using the security01 profile, and the VoIP network is using the security02 profile (renamed VoIP Security), so select the security03 profile from the Security field. Leave all the other fields at their defaults and click Apply.
5.2.3.1 Set Up Security for the Guest Profile: Now you need to configure the security settings to use on the guest wireless network. Click the Security tab. You already chose to use the security03 profile for this network, so select security03's entry in the list and click Edit. The following screen appears. Figur
33. WPA2-PSK, WPA2. For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2. If users do not log in to the wireless network, you can choose no security, Static WEP, WPA-PSK or WPA2-PSK. Usually, you should set up the strongest encryption that every device in the wireless network supports. For example, suppose you have a wireless network with the ZyXEL Device and you do not have a RADIUS server. Therefore, there is no authentication. Suppose the wireless network has two devices. Device A only supports WEP, and device B supports WEP and WPA. Therefore, you should set up WEP in the wireless network.
It is recommended that wireless networks use WPA-PSK, WPA or stronger encryption. The other types of encryption are better than none at all, but it is still possible for unauthorized wireless devices to figure out the original information pretty quickly.
When you use WPA2 or WPA2-PSK in your ZyXEL Device, you can select WPA2-MIX or WPA2-PSK-MIX to support WPA as well. In this case, if some of the devices support WPA and some support WPA2, you should set up WPA2-PSK-MIX or WPA2-MIX (depending on the type of wireless network login) in the ZyXEL Device. Many types of encryption use a key to protect the information in the wireless network. The longer the key, the stronger the encryption. Every device in the same wireless network must have the s
34. WPA2-PSK or WPA2-PSK-MIX in this field.
Pre-Shared Key: The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
ReAuthentication Timer: Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter 0 to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyXEL Device's default is 1800
35. > Setting screen displays information about certificates. The certificates are used by wireless clients to authenticate the RADIUS server. Information matching the certificate is held on the wireless client's utility. A password and user name on the utility must match the Trusted Users list so that the RADIUS server can be authenticated.
The internal RADIUS server does not support domain accounts (DOMAIN/user). When you configure your Windows XP SP2 Wireless Zero Configuration PEAP/MS-CHAPv2 settings, deselect the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server. Specify a name and password only, do not specify a domain.
Click AUTH. SERVER > Setting. The screen appears as shown.
Figure 100 Internal RADIUS Server Setting Screen
The following table describes the labels in this screen.
Table 54 Internal RADIUS Server Setting Screen
Active: Select the Active check box to have the ZyXEL Device use its internal RADIUS server to authenticate wireless clients or ot
36. however, because there are ways for unauthorized wireless devices to get the SSID. In addition, unauthorized wireless devices can still see the information that is sent in the wireless network.
8.1.2 MAC Address Filter: Every device that can use a wireless network has a unique identification number, called a MAC address (1). A MAC address is usually written using twelve hexadecimal characters (2), for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each device in the wireless network, see the device's User's Guide or other documentation. You can use the MAC address filter to tell the ZyXEL Device which devices are allowed or not allowed to use the wireless network. If a device is allowed to use the wireless network, it still has to have the correct information (SSID, channel and security). If a device is not allowed to use the wireless network, it does not matter if it has the correct information. This type of security does not protect the information that is sent in the wireless network. Furthermore, there are ways for unauthorized wireless devices to get the MAC address of an authorized device. Then, they can use that MAC address to use the wireless network.
(1) Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses.
(2) Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F.
37. (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys and private keys (see Chapter 15 on page 177 for more information). HTTPS on the ZyXEL Device is used so that you may securely access the ZyXEL Device using the web configurator. The SSL protocol specifies that the SSL server (the ZyXEL Device) must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyXEL Device), whereas the SSL client only should authenticate itself when the SSL server requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT > WWW screen). Authenticate Client Certificates is optional and, if selected, means the SSL client must send the ZyXEL Device a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyXEL Device. Please refer to the following figure.
1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyXEL Device's WS (web server).
2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyXEL Device's WS (web server).
Figure 88 HTTPS Implementation
If you disable the HTTP service in the REMOTE MGMT > WWW screen, then the ZyXEL Device blocks all HTTP connection attempts.
13.8 Configuring WWW: To change your ZyXE
38. s coverage area (which can cause delays to time-sensitive applications), the AP and the client can store (or "cache") and use information about their previous authentication. Select Enable to allow PMK caching, or Disable to switch this feature off.
Pre-Authentication: Pre-authentication allows a wireless client to perform authentication with a different AP from the one to which it is currently connected, before moving into the new AP's coverage area. This speeds up roaming. Select Enable to allow pre-authentication, or Disable to switch it off.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
8.3.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX
Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display the following screen.
Figure 63 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
The following table describes the labels not previously discussed.
Table 32 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
Profile Name: Type a name to identify this security profile.
Security Mode: Choose WPA-PSK
39. tend to have smaller packet sizes than non-time-sensitive applications such as FTP (File Transfer Protocol). The following table shows some common applications, their time sensitivity, and their typical data packet sizes. Note that the figures given are merely examples; sizes may differ according to application and circumstances.
Table 15 Typical Packet Sizes
APPLICATION             TIME SENSITIVITY    TYPICAL PACKET SIZE (BYTES)
Voice over IP (SIP)     High                < 250
Online Gaming           High                60 ~ 90
Web browsing (http)     Medium              300 ~ 600
FTP                     Low                 1500
When ATC is activated, the device sends traffic with smaller packets before traffic with larger packets if the network is congested. ATC assigns priority to packets as shown in the following table.
Table 16 Automatic Traffic Classifier Priorities
PACKET SIZE (BYTES)     ATC PRIORITY
1 ~ 250                 ATC High
250 ~ 1100              ATC Medium
1100                    ATC Low
You should activate ATC on the ZyXEL Device if your wireless network includes networking devices that do not support WMM QoS, or if you want to prioritize traffic but do not want to configure WMM QoS settings.
7.3.3 ATC+WMM: The ZyXEL Device can use a mapping mechanism to use both ATC and WMM QoS. The ATC+WMM function prioritizes all packets transmitted onto the wireless network using WMM QoS, and prioritizes all packets transmitted onto the wired network using ATC. S
40. 1 2 System Timeout: There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the System screen.
13.2 SSH: You can use SSH (Secure SHell) to securely access the ZyXEL Device's SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. Unlike Telnet or FTP, which transmit data in plaintext (clear or unencrypted text), SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
13.3 How SSH Works: The following table summarizes how a secure connection is established between two remote hosts.
Figure 85 How SSH Works
1 Host Identification: The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys. In subsequent connections, the server publ
42. Linux: openSUSE 10.3 (KDE)
This section shows you how to configure your computer's TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation.
Make sure you are logged in as the root administrator.
Follow the steps below to configure your computer IP address in the KDE:
1 Click K Menu > Computer > Administrator Settings (YaST).
Figure 182 openSUSE 10.3: K Menu > Computer Menu
2 When the Ru
44. 50 50 50 50 Ohm
Connector: N-type female, N-type female, N-type female, N-type female, RP-SMA plug, N-type female, N-type female
Survival Wind Speed (km/hr): 216, 216, 216, 180, 216, 216
Temperature: 40 C 40 C 40 C 40 C 10 C 40 C 40 C 80 C 80 C 80 C 80 C 55 C 80 C 80 C
Humidity: 95% at 25 C, 95% at 55 C, 95% at 55 C, 95% at 55 C, 95% at 55 C, 95% at 55 C, 95% at 55 C
Weight: 337 gw, 107 gw, 407 g, 1.6 kg, 110 g, 206 g, 640 gw
Compatible ZyXEL Antenna Cables: The following table shows you the cables you can use in the ZyXEL Device to extend your connection to antennas at the time of writing.
Table 82 ZyXEL Device Compatible Antenna Cables
MODEL NAME    PART NUMBER (P/N)    LENGTH
LMR-400       91-005-075001G       N-PLUG to N-PLUG for 6M
              91-005-075002G       N-PLUG to N-PLUG for 9M
              91-005-075003G       N-PLUG to N-PLUG for 12M
              91-005-075004G       N-PLUG to N-PLUG for 1M
LMR-200       91-005-074001G       N-PLUG to RP-SMA PLUG for 3M
              91-005-074002G       N-PLUG to RP-SMA PLUG for 6M
              91-005-074003G       N-PLUG to RP-SMA PLUG for 9M
EXT-300       91-005-082001B       Jumper Cable Surge Arrestor
Power over Ethernet (PoE) Specifications: You can use a power over Ethernet injector to power this device. The injector must comply with IEEE 802.3af.
Table 83 Power over Ethernet Injector Specifications
Power Output: 15.4 Watts maximum
46. - Choosing a wireless Channel ID (see Section 7.7.1 on page 98).
- Selecting and configuring SSID profile(s) (see Section 7.7.1 on page 98 and Section 9.2.1 on page 125).
- Configuring and activating WDS Security (see Section 7.7.2 on page 101).
- Editing Security Profile(s) (see Section 8.3 on page 111).
- Configuring an external RADIUS server (see Section 8.5 on page 119).
- Configuring and activating the internal AUTH. SERVER (see Section 8.4 on page 119 and Chapter 14 on page 169).
- Configuring Layer 2 Isolation (see Section 10.3 on page 131).
- Configuring MAC Filtering (see Section 10.4 on page 134).
5.2 How to Configure Multiple Wireless Networks
In this example, you have been using your ZyXEL Device as an access point for your office network. (See your Quick Start Guide for information on how to set up your ZyXEL Device in Access Point mode.) Now your network is expanding and you want to make use of the MBSSID feature (see Section 9.1 on page 121) to provide multiple wireless networks. Each wireless network will cater for a different type of user. You want to make three wireless networks: one standard office wireless network with all the same settings you already have, another wireless network with high Quality of Service (QoS) settings for Voice over IP users, and a guest network that allows visitors to your office to access only the Internet and the network printer. To do this, you will take the following steps:
1 Change the operating m
47. DNS server. Enter the DNS server's IP address in the field to the right. If you chose User Defined but leave the IP address set to 0.0.0.0, User Defined changes to None after you click Apply. If you set a second choice to User Defined and enter the same IP address, the second User Defined changes to None after you click Apply. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. The default setting is None.
Apply: Click Apply to save your changes.
Reset: Click Reset to reload the previous configuration for this screen.
6.3 Administrator Authentication on RADIUS
The administrator authentication on RADIUS feature lets an external or internal RADIUS server authenticate management logins to the ZyXEL Device. This is useful if you need to regularly change a password that you use to manage several ZyXEL Devices. Activate administrator authentication on RADIUS in the SYSTEM > Password screen and configure the same user name, password and RADIUS server information on each ZyXEL Device. Then, whenever you want to change the password, just change it on the RADIUS server.
6.3.1 Configuring the Password
It is strongly recommended that you change your ZyXEL Device's password. Click SYSTEM > Password. The screen appears as shown. If you forget your ZyXEL Device's password (or IP address), you will need to reset the device
48. 2 In the Options dialog box, click Advanced > Encryption > View Certificates.
Figure 226 Firefox 2: Options
3 In the Certificate Manager dialog box, click Web Sites > Import.
Figure 227 Firefox 2: Certificate Manager
4 Use the Select File dialog box to locate the certificate and then click Open.
Figure 228 Firefox 2: Select File
5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.
Removing a Certificate in Firefox: This section shows you how to remove a public key certificate in Firefox 2.
1 Open Firefox
49. Device must match the version on the SNMP manager. Choose SNMP version 1 (SNMPv1), SNMP version 2 (SNMPv2) or SNMP version 3 (SNMPv3).
Trap Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests. This field is available only when SNMPv1 or SNMPv2 is selected in the SNMP Version field.
User Profile: This field is available only when you select SNMPv3 in the SNMP Version field. When sending SNMP v3 traps (messages sent independently by the SNMP agent), the agent must authenticate the SNMP manager. If the SNMP manager does not provide the correct security details, the agent does not send the traps. The ZyXEL Device has two SNMP version 3 login accounts, User and Admin. Each account has different security settings. You can use either account's security settings for authenticating SNMP traps. Select User to have the ZyXEL Device use the User account's security settings, or select Admin to have the ZyXEL Device use the Admin account's security settings. Use the Configure SNMPv3 User Profile link to set up each account's security settings.
Configure SNMPv3 User Profile: Click this to go to the SNMPv3 User Profile screen, where you can configure administration and user login details.
Table 52 Remote Management: SNMP
SNMP Service
50. Choose a new SSID for the VoIP network. In this example, enter VOIP_SSID_Example. Note that although the SSID changes, the SSID profile name (VoIP_SSID) remains the same as before.
Select Enable from the Hide Name (SSID) list box. You want only authorized company employees to use this network, so there is no need to broadcast the SSID to wireless clients scanning the area.
The standard network (SSID04) is currently using the security01 profile, so use a different profile for the VoIP network. If you used the security01 profile, anyone who could access the standard network could access the VoIP wireless network. Select security02 from the Security field.
Leave all the other fields at their defaults and click Apply.
5.2.2.1 Set Up Security for the VoIP Profile
Now you need to configure the security settings to use on the VoIP wireless network. Click the Security tab.
NWA3550 User's Guide, Chapter 5 Tutorial
Figure 21 Tutorial: VoIP Security
51. If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device's new settings.
Rates Configuration: This section controls the data rates permitted for clients. For each Rate, select an option from the Configuration list. The options are:
Basic (1~11 Mbps only): Clients can always connect to the access point at this speed.
Optional: Clients can connect to the access point at this speed, when permitted to do so by the AP.
Disabled: Clients cannot connect to the access point at this speed.
Enable Spanning Tree Control (STP): (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select this to activate STP on the ZyXEL Device.
Enable Roaming: Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this to enable roaming on the ZyXEL Device if you have two or more ZyXEL Devices on the same subnet.
Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming.
App
52. Issuer: OU=Secure Server Certification Authority, O=RSA Data Security Inc, C=US
Signature Algorithm: rsa-pkcs1-md2
Valid From: 1994 Nov 9th, 00:00:00 GMT
Valid To: 2010 Jan 7th, 23:59:59 GMT
Key Algorithm: rsaEncryption (1000 bits)
MD5 Fingerprint: 74:7b:82:03:43:10:00:9e:bb:b3:ec:47:bf:85:a5:93
SHA1 Fingerprint: 44:B3:c5:31:d7:cc:c1:00:57:94:51:2b:b6:56:d3:bf:82:57:84:6f
Certificate in PEM (Base-64) Encoded Format
The following table describes the labels in this screen.
Table 63 Trusted CA Details
LABEL DESCRIPTION
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Property: Select this check box to have the ZyXEL Device check incoming certificates
53. MAC Addresses
USER     MAC ADDRESS
Alice    11:22:33:44:55:66
Bob      22:33:44:55:66:77
5.4.4 Configure the SERVER_1 Network
First, you will set up the SERVER_1 network, which allows Alice to access secure server 1 via the network switch. You will configure the MAC filter to restrict access to Alice alone, and then configure layer-2 isolation to allow her to access only the network switch, the file server and the Internet security gateway.
Take the following steps to configure the SERVER_1 network.
1 Log into the ZyXEL Device's Web Configurator and click WIRELESS > SSID. The following screen displays, showing the SSID profiles you already configured.
Figure 40 Tutorial: SSID Profile
54. Manually
In the IP Address field, type your IP address.
NWA3550 User's Guide, Appendix A Setting Up Your Computer's IP Address
In the Subnet Mask field, type your subnet mask.
In the Router field, type the IP address of your device.
Figure 168 Mac OS X 10.4: Network Preferences > Ethernet
6 Click Apply Now and close the window.
Verifying Settings
Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab.
Figure 169 Mac OS X 10.4: Network Utility
56. Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Service Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
13.11.2.1 The SNMPv3 User Profile Screen
Use this screen to set up the details of SNMPv3 users. Click Configure SNMPv3 User Profile in the REMOTE MGNT > SNMP screen. The following screen displays.
Figure 99 Remote Management: SNMPv3 User Profile
The following table describes the labels in this screen.
Table 53 Remote Mana
57. SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings.
For example, you might want to set up a wireless network in your office where Internet telephony (Voice over IP, or VoIP) users have priority. You also want a regular wireless network for standard users, as well as a guest wireless network for visitors. In the following figure, VoIP_SSID users have Quality of Service (QoS) priority, SSID03 is the wireless network for standard users, and Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired LAN behind the AP and can access only the Internet.
NWA3550 User's Guide, Chapter 1 Introducing the ZyXEL Device
Figure 5 Multiple BSSs
1.2.5 Pre-Configured SSID Profiles
The ZyXEL Device has two pre-configured SSID profiles.
1 VoIP_SSID. This profile is intended for use by wireless clients requiring the highest QoS (Quality of Service) level for VoIP (Voice over IP) telephony and other applications requiring low latency. The QoS level of this profile is not user-configurable. See Chapter 7 on page 91 for more information on QoS.
2 Guest_SSID. This profile is intended for use by visitors and others who require access to certain resources on the network (an Internet gateway or a network printer, for example) but must not have access to the rest of the n
58. 2 Next, click the SSID tab. Check that each configured SSID profile uses the correct Security, Layer 2 Isolation and MAC Filter profiles, as shown in the following figure.
Figure 45 Tutorial: SSID Tab Correct Settings
If the settings are not as shown, follow the steps in the
59. See the section on resetting the ZyXEL Device for details.
Regardless of how you configure this screen, you still use the local system password to log in via the console port, for internal use only.
NWA3550 User's Guide, Chapter 6 System Screens
Figure 47 SYSTEM > Password
The following table describes the labels in this screen.
Table 11 Password
LABEL DESCRIPTIONS
Enable Admin at Local: Select this check box to have the device authenticate management logins to the device.
Use old setting: Select this to have the ZyXEL Device use the local management password already configured on the device ("1234" is the default).
Use new setting: Select this if you want to change the local management password.
Old Password: Type in your existing system password ("1234" is the default password).
New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays an asterisk for each character you type.
Retype to Confirm: Retype your new system password for confirmation.
Enable Admin on RADIUS: Select this (and configure the other fields in this section) to have a RADIUS server auth
60. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.
Introduction to IP Addresses
One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number, the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.
Structure
An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.
The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.
NWA3550 User's Guide, Appendix E IP Addresses and Subnetting
Figure 252 Network Number and Host ID
How mu
61. TLS digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authenti
62. The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment.
To enable roaming on your ZyXEL Device, click WIRELESS > Wireless. The screen appears as shown.
NWA3550 User's Guide, Chapter 10 Other Wireless Configuration
Figure 78 Roaming
Select the Enable Roaming check box and click Apply.
IP Screen
This chapter discusses how to configure IP settings on the ZyXEL Device.
11.1 Factory Ethernet Defaults
The Ethernet parameters of the ZyXEL Device are preset in the factory with the following values:
1 IP address of 192.168.1.2
2 Subnet mask of 255.255.255.0 (24 bits)
These parameters should work for the majority of installations.
11.2 TCP/IP Parameters
11.2.1 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet (only between your two branch offices, for instance), you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.
Table 41 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16
63. User's Guide, Chapter 4 Management Mode
Figure 13 CAPWAP and DHCP Option 43
4.1.4 Notes on CAPWAP
This section lists some additional features of ZyXEL's implementation of the CAPWAP protocol.
When the AP controller uses its internal RADIUS server, managed APs also use the AP controller's authentication server to authenticate wireless clients.
Only one AP controller can exist in any single broadcast domain.
If a managed AP's link to the AP controller is broken, the managed AP continues to use the wireless settings with which it was last provided.
4.2 The Management Mode Screen
Use this screen to configure the ZyXEL Device as a CAPWAP managed AP, or to use it in its default standalone mode. Click MGNT MODE in the ZyXEL Device's navigation menu. The following screen displays.
Figure 14 The Management Mode Screen
The following table describes the labels in this screen.
Table 2 The Management Mode Screen
LABEL DESCRIPTION
Standalone AP: Selec
64. ZyXEL Device again.
Use fixed IP address: Select this option if your ZyXEL Device is using a static IP address. When you select this option, fill in the fields below.
IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation. Note: If you change the ZyXEL Device's IP address, you must use the new IP address if you want to access the web configurator again.
IP Subnet Mask: Type the subnet mask.
Gateway IP Address: Type the IP address of the gateway. The gateway is an immediate neighbor of your ZyXEL Device that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyXEL Device; over the WAN, the gateway must be the IP address of one of the remote nodes.
NWA3550 User's Guide, Chapter 11 IP Screen
Table 42 IP Setup
LABEL DESCRIPTION
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
Rogue AP
This chapter discusses rogue wireless access points (APs) and how to configure the ZyXEL Device's rogue AP detection feature.
12.1 Rogue AP Introduction
A rogue AP is a wireless access point operating in a network's coverage area that is not a sanctioned part of that network. Rogue APs are not under the control of the network's administrators, and can open up holes in a
65. a wireless function, take the following measures to improve wireless security.
Enable wireless security on your ZyXEL Device. Choose the most secure encryption method that all devices on your network support. See Section 8.3 on page 111 for directions on configuring encryption. If you have a RADIUS server, enable IEEE 802.1x or WPA(2) user identification on your network so users must log in. This method is more common in business environments.
Hide your wireless network name (SSID). The SSID can be regularly broadcast and unauthorized users may use this information to access your network. See Section 9.2 on page 125 for directions on using the web configurator to hide the SSID.
Enable the MAC filter to allow only trusted users to access your wireless network or deny unwanted users access based on their MAC address. See Section 10.4 on page 134 for directions on configuring the MAC filter.
1.6 Maintaining Your ZyXEL Device
Do the following things regularly to keep your ZyXEL Device running.
Check the ZyXEL website (www.zyxel.com.tw) regularly for new firmware for your ZyXEL Device. Ensure you download the correct firmware for your model.
Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyXEL Device to its factory default settings. If you backed up an
66. 6 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.
7 Click OK to close the Internet Protocol (TCP/IP) Properties window.
8 Click OK to close the Local Area Connection Properties window.
Verifying Settings
1 Click Start > All Programs > Accessories > Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER].
You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.
Windows Vista
This section shows screens from Windows Vista Professional.
1 Click Start > Control Panel.
Figure 157 Windows Vista: Start Menu
67. authentication:
Access-Request: Sent by an access point requesting authentication.
Access-Reject: Sent by a RADIUS server rejecting access.
Access-Accept: Sent by a RADIUS server allowing access.
Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
Accounting-Request: Sent by the access point requesting accounting.
Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
Types of EAP Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps
68. browse to the location that you want to use and click Save.
Apply: Click Apply to save your changes. You can only change the name and/or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.
NWA3550 User's Guide, Chapter 15 Certificates
Log Screens
This chapter contains information about configuring general log settings and viewing the ZyXEL Device's logs.
16.1 Configuring View Log
The web configurator allows you to look at all of the ZyXEL Device's logs in one location. Click LOGS > View Log. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Figure 114 on page 197). Options include logs about system maintenance, system errors and access control. You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted. Click a column heading to sort the entries. A triangle indicates the direction of the sort order.
Figure 113 View Log
69. can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4 Consult the dealer or an experienced radio/TV technician for help.
FCC Radiation Exposure Statement
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
For operation within the 5.15 to 5.25 GHz frequency range, it is restricted to indoor environment.
IEEE 802.11b or 802.11g operation of this product in the U.S.A. is firmware-limited to channels 1 through 11.
To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.
70. certificate because the ZyXEL Device has signed the certificate, thus causing this value to be different from that of the remote host's actual certificate. See Section 15.3 on page 178 for how to verify a remote host's certificate before you import it into the ZyXEL Device.
Table 63 Trusted CA Details (continued)
LABEL DESCRIPTION
SHA1 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the SHA1 algorithm. You cannot use this value to verify that this is the remote host's actual certificate because the ZyXEL Device has signed the certificate, thus causing this value to be different from that of the remote host's actual certificate. See Section 15.3 on page 178 for how to verify a remote host's certificate before you import it into the ZyXEL Device.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk, for example).
Export: Click this button and then Save in the File Download screen. The Save As screen opens
71. characters (0-9, A-F). If you chose 152-bit WEP, then enter 16 ASCII characters or 32 hexadecimal characters (0-9, A-F). You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
8.3.2 Security: 802.1x Only
Select 8021x Only in the Security Mode field to display the following screen.
NWA3550 User's Guide, Chapter 8 Wireless Security Configuration
Figure 59 Security: 802.1x Only
The following table describes the labels in this screen.
Table 28 Security: 802.1x Only
LABEL DESCRIPTION
Profile Name: Type a name to identify this security profile.
Security Mode: Choose 8021x Only in this field.
ReAuthentication Timer: Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication
72. coverage area. The following diagram shows the wireless networks in your area. Your access points are marked A, B, C and D. You also have a network mail/file server, marked E, and a computer, marked F, connected to the wired network. The coffee shop's access point is marked 1.
Figure 31 Tutorial: Wireless Network Example
In the figure, the solid circle represents the range of your wireless network, and the dashed circle represents the extent of the coffee shop's wireless network. Note that the two networks overlap. This means that one or more of your APs can detect the AP (1) in the other wireless network.
When configuring the rogue AP feature on your ZyXEL Devices in this example, you will need to use the information in the following table. You need the IP addresses of your APs to access their Web configurators, and you need the MAC address of each AP to configure the friendly AP list. You need the IP address of the mail server to set up e-mail alerts.
Table 4 Tutorial: Rogue AP Example Information
DEVICE                IP ADDRESS      MAC ADDRESS
Access Point A        192.168.1.1     00:AA:00:AA:00:AA
Access Point B        192.168.1.2     AA:00:AA:00:AA:00
Access Point C        192.168.1.3     A0:0A:A0:0A:A0:0A
Access Point D        192.168.1.4     0A:A0:0A:A0:0A:A0
File / Mail Server E  192.168.1.25    N/A
Access Point 1        UNKNOWN
73. different security or QoS settings from other groups of users. See Section 1.2.4 on page 36 for details.
5.1.1.1 Configuring Dual WLAN Adaptors
The ZyXEL Device is equipped with dual wireless adaptors. This means you can configure two different wireless networks to operate simultaneously. See Section 1.2.6 on page 37 for details.
You can configure each wireless adaptor separately in the WIRELESS > Wireless screen. To configure the first wireless network, select WLAN1 in the WLAN Interface field and follow the steps in Section 5.1.2 on page 56. Then, select WLAN2 in the WLAN Interface field and follow the same procedure to configure the second network.
5.1.2 Wireless LAN Configuration Overview
The following figure shows the steps you should take to configure the wireless settings according to the operating mode you select. Use the Web Configurator to set up your ZyXEL Device's wireless network (see your Quick Start Guide for information on setting up your ZyXEL Device and accessing the Web Configurator).
Figure 15 Configuring Wireless LAN
Flowchart steps: Select the WLAN Interface you want to configure; Select Operating Mode; Access Point Mode: Select 802.11 Mode and Channel ID; Select SSID Profile; Configure SSID Profile; Edit Security Pr
74. earlier configuration file, you would not have to totally re-configure the ZyXEL Device. You could simply restore your last configuration.
1.7 Hardware Connections
See your Quick Start Guide for information on making hardware connections.
Your ZyXEL Device has two wireless LAN adaptors, WLAN1 and WLAN2. WLAN1 uses the RF1 antenna and WLAN2 uses the RF2 antenna. If you connect only one antenna, you can use only the associated wireless LAN adaptor.
Introducing the Web Configurator
This chapter describes how to access the ZyXEL Device's web configurator and provides an overview of its screens.
2.1 Accessing the Web Configurator
1 Make sure your hardware is properly connected and prepare your computer or computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.2" as the URL (default).
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically. If this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm), then click Apply. Alternatively, click Ignore.
If you do not change the password, the following screen app
75. NWA3550 User's Guide, Appendix A Setting Up Your Computer's IP Address

5. When the Network Card Setup window opens, click the Address tab.

Figure 186 openSUSE 10.3: Network Card Setup

6. Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname
76. fields.

7. Click Next to save the changes and close the Network Card Setup window.

8. If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided.

NWA3550 User's Guide, Appendix A Setting Up Your Computer's IP Address

Figure 187 openSUSE 10.3: Network Settings
77. incorrect security settings, attempt to associate with the SERVER_2 network. You should be unable to do so. If you can do so, security is misconfigured.

Using another computer and wireless client, but with the correct security settings, attempt to associate with the SERVER_2 network. You should be unable to do so. If you can do so, MAC filtering is misconfigured.

If you cannot do something that you should be able to do, check the settings as described in Section 5.4.6.1 on page 80, and in the individual Security, layer-2 isolation and MAC filter profiles for the relevant network. If this does not help, see the Troubleshooting chapter in this User's Guide.

NWA3550 User's Guide

PART II The Web Configurator: System Screens, Wireless Configuration, Wireless Security Configuration, MBSSID and SSID, Other Wireless Configuration, IP Screen, Rogue AP, Remote Management Screens, Internal RADIUS Server, Certificates, Log Screens, VLAN, Maintenance

System Screens

6.1 System Overview

This section provides information on general system setup.

6.2 Configuring General Setup

Click SYSTEM > General.

Figure 46 System > General
78. itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to "borrow" two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet's broadcast address).

Table 93 Subnet 1
IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE
IP Address (Decimal) | 192.168.1. | 0
IP Address (Binary) | 11000000.10101000.00000001. | 00000000
Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
Subnet Address: 192.168.1.0 | Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63 | Highest Host ID: 192.168.1.62

NWA3550 User's Guide, Appendix E IP Addresses and Subnetting

Table 94 Subnet 2
IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE
IP Address | 192.168.1. | 64
IP Address (Binary) | 11000000.10101000.00000001. | 01000000
Subnet Mask Bi
79. last updated date from the time server or the last date (yyyy-mm-dd) configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.

Get from Time Server: Select this radio button to have the ZyXEL Device get the time and date from the time server you specify below.

Auto: Select this to have the ZyXEL Device use the predefined list of time servers.

User Defined Time Server Address: Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.

Time Zone: Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).

Daylight Savings: Select this option if you use daylight savings time. Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.

Start Date: Configure the day and time when Daylight Saving Time starts if you selected Daylight Savings. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the second Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and type 2 in the o'clock field. Dayli
80. looking for an AP in CAPWAP AP controller mode.

3. If there is an AP controller on the network, it receives the management request. If the AP controller is in Manual mode, it adds the details of the AP to its Unmanaged Access Points list, and you decide which available APs to manage. If the AP is in Always Accept mode, it automatically adds the AP to its Managed Access Points list and provides the managed AP with default configuration information, as well as securely transmitting the DTLS (Datagram Transport Layer Security) pre-shared key. The managed AP is ready for association with wireless clients.

4.1.2 CAPWAP and DHCP

CAPWAP managed APs must be DHCP clients, supplied with an IP address by a DHCP server on your network. Furthermore, the AP controller must have a static IP address; it cannot be a DHCP client.

4.1.3 CAPWAP and IP Subnets

By default, CAPWAP works only between devices with IP addresses in the same subnet (see the appendices for information on IP addresses and subnetting). However, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following:

Activate DHCP option 43 on your network's DHCP server.
Configure DHCP option 43 with the IP address of the CAPWAP AP controller on your network.

DHCP Option 43 allows the CAPWAP management request (from the AP in managed AP mode) to reach the AP controller in a different subnet, as shown in the following figure.
81. make changes to your configuration unless you first enter your admin password.

Figure 176 Ubuntu 8: Network Settings > Connections

NWA3550 User's Guide, Appendix A Setting Up Your Computer's IP Address

3. In the Authenticate window, enter your admin account name and password, then click the Authenticate button.

Figure 177 Ubuntu 8: Administrator Account Authentication

4. In the Network Settings window, select the connection that you want to configure, then click Properties.

Figure 178 Ubuntu 8: Network Settings > Connections

5. The Properties dialog box opens.

Figure 179 Ubuntu 8: Network Settings > Properties
82. NWA3550 User's Guide, Chapter 13 Remote Management Screens

13.9.2 Netscape Navigator Warning Messages

When you attempt to access the ZyXEL Device HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyXEL Device. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyXEL Device's certificate into the SSL client.

Figure 91 Security Certificate 1 (Netscape)
83. on page 289, Firefox on page 297, Opera on page 302, Konqueror on page 308.

Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista.

1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

NWA3550 User's Guide, Appendix D Importing Certificates

Figure 204 Internet Explorer 7: Certification Error

2. Click Continue to this website (not recommended).

Figure 205 Internet Explorer 7: Certification Error

3. In the Address Bar, click Certificate Error > View certificates.

Figure 206 Internet Explorer 7: Certificate Error
84. relevant section of this tutorial again.

5.4.6.2 Testing the Configuration

Before you allow employees to use the network, you need to thoroughly test whether the setup behaves as it should. Take the following steps to do this.

NWA3550 User's Guide, Chapter 5 Tutorial

1. Test the SERVER_1 network.

Using Alice's computer and wireless client, and the correct security settings, do the following:
Attempt to access Server 1. You should be able to do so.
Attempt to access the Internet. You should be able to do so.
Attempt to access Server 2. You should be unable to do so. If you can do so, layer-2 isolation is misconfigured.

Using Alice's computer and wireless client, and incorrect security settings, attempt to associate with the SERVER_1 network. You should be unable to do so. If you can do so, security is misconfigured.

Using another computer and wireless client, but with the correct security settings, attempt to associate with the SERVER_1 network. You should be unable to do so. If you can do so, MAC filtering is misconfigured.

2. Test the SERVER_2 network.

Using Bob's computer and wireless client, and the correct security settings, do the following:
Attempt to access Server 2. You should be able to do so.
Attempt to access the Internet. You should be able to do so.
Attempt to access Server 1. You should be unable to do so. If you can do so, layer-2 isolation is misconfigured.

Using Bob's computer and wireless client, and
85. seconds (30 minutes).

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

NWA3550 User's Guide, Chapter 8 Wireless Security Configuration

8.4 Introduction to RADIUS

RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks, among others:

Authentication: Determines the identity of the users.
Accounting: Keeps track of the client's network activity.

The ZyXEL Device is equipped with an internal RADIUS server. See Section 14.1 on page 169 for more details.

8.5 Configuring RADIUS

Use RADIUS if you want to authenticate wireless users using the internal authentication server (see Section 14.1 on page 169) or an external server. You can configure up to four RADIUS server profiles. Each profile also has one backup authentication server and a backup accounting server. These profiles can be assigned to an SSID profile in the SSID configuration screen.

To set up your ZyXEL Device's RADIUS server settings, click WIRELESS > RADIUS. The screen appears as shown.

Figure 64 RADIUS
86. standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

User based identification that allows for roaming.
Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

Authentication: Determines the identity of the users.
Authorization: Determines the network services available to authenticated users once they are connected to the network.
Accounting: Keeps track of the client's network activity.

NWA3550 User's Guide, Appendix B Wireless LANs

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user
87. tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions

The NWA3550 may be referred to as the "ZyXEL Device", the "device" or the "system" in this User's Guide.
Product labels, screen names, field labels and field choices are all in bold font.
A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
"Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
"e.g." is a shorthand for "for instance", and "i.e." means "that is" or "in other words".

NWA3550 User's Guide, Document Conventions

Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your dev
88. the ZyXEL Device if possible, and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on).

4. Reboot the ZyXEL Device.

5. If the problem continues, contact the network administrator or vendor, or try the advanced suggestions.

Advanced Suggestions

Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications.

19.4 Wireless Router/AP Troubleshooting

I cannot access the ZyXEL Device or ping any computer from the WLAN.

1. Make sure the wireless LAN is enabled on the ZyXEL Device.
2. Make sure the wireless adapter on the wireless client is working properly.
3. Make sure the wireless adapter installed on your computer is IEEE 802.11 compatible and supports the same wireless standard as the ZyXEL Device.
4. Make sure your computer (with a wireless adapter installed) is within the transmission range of the ZyXEL Device.
5. Check that both the ZyXEL Device and your wireless client are using the same wireless and wireless security settings.
6. Make sure you allow the ZyXEL Device to be remotely accessed through the WLAN interface. Check your remote management settings.

NWA3550 User's Guide

Product Specifications

The following tables summarize the ZyXEL Device's hardware and firmware features.

Table 79 Hardware Specifications
89. the ZyXEL Device is to send the logs and which logs and/or immediate alerts it is to send. An alert is a type of log that warrants more serious attention. Some categories, such as System Errors, consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts are displayed in red and logs are displayed in black.

NWA3550 User's Guide, Chapter 16 Log Screens

Figure 114 Log Settings

The following table describes the labels in this screen.

Table 65 Log Settings
LABEL | DESCRIPTION
Address Info |
Mail Server | Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Mail Subject | Type a title that you want to be in the subject line of the log e-mail message that the ZyXEL Device sends.
Send Log to | Logs are sent to the e-mail address specified in this field. If this field is left blank, logs will not be sent via e-mail.
Send Alerts to | Enter the e-mail address where the alert messages will be sent. If this field is left blank, alert messages will not be sent via e-mail.
SMTP Authentication | If you use SMTP authentication, the mai
90. the button.

Konqueror

The following example uses Konqueror 3.5 on openSUSE 10.3; however, the screens apply to Konqueror 3.5 on all Linux KDE distributions.

1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2. Click Continue.

NWA3550 User's Guide, Appendix D Importing Certificates

Figure 244 Konqueror 3.5: Server Authentication

3. Click Forever when prompted to accept the certificate.

Figure 245 Konqueror 3.5: Server Authentication

4. Click the padlock in the address bar to open the KDE SSL Information window and view the web page's security details.

Figure 246 Konqueror 3.5: KDE SSL Information
91. the router's SMT interface.

SMT Login Fail: Someone has failed to log on to the router's SMT interface.
WEB Login Successfully: Someone has logged on to the router's web configurator interface.
WEB Login Fail: Someone has failed to log on to the router's web configurator interface.
TELNET Login Successfully: Someone has logged on to the router via telnet.
TELNET Login Fail: Someone has failed to log on to the router via telnet.
FTP Login Successfully: Someone has logged on to the router via FTP.
FTP Login Fail: Someone has failed to log on to the router via FTP.

Table 67 ICMP Notes
TYPE | CODE | DESCRIPTION
0 | | Echo Reply
 | 0 | Echo reply message
3 | | Destination Unreachable
 | 0 | Net unreachable
 | 1 | Host unreachable
 | 2 | Protocol unreachable
 | 3 | Port unreachable
 | 4 | A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
 | 5 | Source route failed
4 | | Source Quench
 | 0 | A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
5 | | Redirect
 | 0 | Redirect datagrams for the Network
 | 1 | Redirect datagrams for the Host
 | 2 | Redirect datagrams for the Type of Service and Network
 | 3 | Redirect datagrams for the Type of Service and Host
8 | | Echo
 | 0 | Echo message
11 | | Time Exceeded
 | 0 | Time to live exceeded in transit
 | 1 | Fragment reassembly time exceeded
12 | | Parameter Problem

NWA3550 User's Guide, Chapter 16 Log Screens
92. this security profile.

Security Mode: Choose WPA2 or WPA2-MIX in this field.

ReAuthentication Timer: Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.

Idle Timeout: The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).

Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyXEL Device's default is 1800 seconds (30 minutes).

PMK Cache: When a wireless client moves from one AP's coverage area to another, it performs an authentication procedure (exchanging security information) with the new AP. Instead of re-authenticating a client each time it returns to the AP
93. timer on the RADIUS server has priority.

Idle Timeout: The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

8.3.3 Security: 802.1x Static 64-bit, 802.1x Static 128-bit

Select 8021x-Static64 or 8021x-Static128 in the Security Mode field to display the following screen.

NWA3550 User's Guide, Chapter 8 Wireless Security Configuration

Figure 60 Security: 802.1x Static 64-bit, 802.1x Static 128-bit

The following table describes the labels in this screen.

Table 29 Security: 802.1x Static 64-bit, 802.1x Static 128-bit
LABEL | DESCRIPTION
Profile Name | Type a name to identify this security profile.
Security Mode | Choose 8021x-Static64 or 8021x-Static128
94. uses the VLAN ID configured in the Wireless VLAN screen and the wireless station. The VLAN ID in the Wireless VLAN screen is independent and hence different to the VLAN ID in the RADIUS VLAN screen.

17.2.4.1 Configuring VLAN Groups

To configure a VLAN group, you must first define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group.

1. Using the Active Directory Users and Computers administrative tool, create the VLAN Groups that will be used for each VLAN ID. One VLAN Group must be created for each VLAN defined on the ZyXEL Device. The VLAN Groups must be created as Global Security groups.
Type a name for the VLAN Group that describes the VLAN Group's function.
Select the Global Group scope parameter check box.
Select the Security Group type parameter check box.
Click OK.

NWA3550 User's Guide, Chapter 17 VLAN

Figure 122 New Global Security Group

2. In VLAN Group ID Properties, click the Members tab. The IAS uses group memberships to determine which user accounts belong to which VLAN groups. Click the Add button and configure the VLAN group details.

3. Repeat the previous step to add each VLAN group required.

Figure 123 Add Group Members
95. you can use the channel to communicate. However, a wireless LAN operating on the same frequency as an active radar system could disrupt the radar system. Therefore, if the ZyXEL Device detects radar activity on the channel you select, it automatically instructs the wireless clients to move to another channel, then resumes communications on the new channel.

NWA3550 User's Guide, Chapter 7 Wireless Configuration

7.6 Wireless Screen Overview

The following is a list of the wireless screens you can configure on the ZyXEL Device.

1. Configure the ZyXEL Device to operate in AP, Bridge/Repeater, AP+Bridge or MBSSID mode in the Wireless screen. You can also select an SSID Profile in the Wireless screen.
2. Use the SSID screens to view and edit SSID profiles.
3. Use the Security screen to configure wireless security profiles.
4. Use the RADIUS screen to configure RADIUS authentication and accounting settings.
5. Use the Layer-2 Isolation screen to prevent wireless clients associated with your ZyXEL Device from communicating with other wireless clients, APs, computers or routers in a network.
6. Use the MAC Filter screen to allow or restrict access to your wireless network based on a client's MAC address.

7.7 Configuring Wireless Settings

Click WIRELESS > Wireless. The screen varies depending upon the operating mode you select.

7.7.1 Access Point Mode

Select
96. zyxel cn Costa Rica Support E mail soporte zyxel co cr Sales E mail sales zyxel co cr Telephone 506 2017878 Fax 506 2015098 Web www zyxel co cr Regular Mail ZyXEL Costa Rica Plaza Roble Escaz Etapa El Patio Tercer Piso San Jos Costa Rica Czech Republic E mail info cz zyxel com Telephone 420 241 091 350 Fax 420 241 091 359 Web www zyxel cz Regular Mail ZyXEL Communications Czech s r o Modransk 621 143 01 Praha 4 Modrany Cesk Republika Denmark Support E mail support zyxel dk Sales E mail sales zyxel dk Telephone 45 39 55 07 00 Fax 45 39 55 07 07 Web www zyxel dk Regular Mail ZyXEL Communications A S Columbusvej 2860 Soeborg Denmark Finland Support E mail support zyxel fi Sales E mail sales zyxel fi Telephone 358 9 4780 8411 Fax 358 9 4780 8448 Web www zyxel fi Regular Mail ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland France E mail info zyxel fr Telephone 33 4 72 52 97 97 Fax 33 4 72 52 19 20 Web www zyxel fr Regular Mail ZyXEL France rue des Vergers Bat 1 C 69760 Limonest France NWA3550 User s Guide Appendix H Customer Support Germany Support E mail support zyxel de Sales E mail sales zyxel de Telephone 49 2405 6909 69 Fax 49 2405 6909 99 Web www zyxel de Regular Mail ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany Hungary Support E mail s
97. 0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

NWA3550 User's Guide, Chapter 11 IP Screen

Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.

11.3 Configuring IP Settings

Click IP to display the screen shown next.

Figure 79 IP Setup

The following table describes the labels in this screen.

Table 42 IP Setup
LABEL | DESCRIPTION
IP Address Assignment |
Get automatically from DHCP | Select this option if your ZyXEL Device is using a dynamically assigned IP address from a DHCP server each time. Note: You must know the IP address assigned to the ZyXEL Device (by the DHCP server) to access the
98. 18 ATC WMM Priority Assignment (WLAN to LAN)
WMM VALUE | ATC VALUE
WMM VOICE | ATC High
WMM VIDEO | ATC High
WMM BEST EFFORT | ATC Medium
WMM BACKGROUND | ATC Low
NONE | ATC Medium

NWA3550 User's Guide, Chapter 7 Wireless Configuration

7.3.4 Type Of Service (ToS)

Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the ZyXEL Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.

7.3.4.1 DiffServ

DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.

7.3.4.2 DSCP and Per-Hop Behavior

DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The
99. 21 Transfer the configuration file to your ZyXEL Device using FTP. See the section on SMT configuration for more information.
2.3 Navigating the Web Configurator
The following summarizes how to navigate the web configurator from the Status screen.
Click LOGOUT at any time to exit the web configurator.
Check the status bar at the bottom of the screen when you click Apply or OK to verify that the configuration has been updated.
Figure 10 The Status Screen of the Web Configurator [screenshot: navigation menu STATUS, MGNT MODE, SYSTEM, WIRELESS, IP, ROGUE AP, REMOTE MGNT, AUTH SERVER, CERTIFICATES, LOGS, VLAN, MAINTENANCE, LOGOUT; panels System Information, System Resources, Interface Status, SSID Status; links Association List, Channel Usage, Rogue AP List]
100. 248 | 3 bits | 2^3 - 2 | 6
Notation
Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" followed by the number of bits in the mask after the address.
For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128.
The following table shows some possible subnet masks using both notations.
Table 92 Alternative Subnet Mask Notation
SUBNET MASK | ALTERNATIVE NOTATION | LAST OCTET (BINARY) | LAST OCTET (DECIMAL)
255.255.255.0 | /24 | 0000 0000 | 0
255.255.255.128 | /25 | 1000 0000 | 128
255.255.255.192 | /26 | 1100 0000 | 192
255.255.255.224 | /27 | 1110 0000 | 224
255.255.255.240 | /28 | 1111 0000 | 240
255.255.255.248 | /29 | 1111 1000 | 248
255.255.255.252 | /30 | 1111 1100 | 252
Subnetting
You can use subnetting to divide one network into multiple sub-networks. In the following example, a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.
In this example, the company network address is 192.168.1.0. The
101. The following table describes the labels in this screen.
Table 76 Channel Usage
LABEL: DESCRIPTION
SSID: This is the Service Set IDentification name of the AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network. For our purposes, we define an Infrastructure network as a wireless network that uses an AP and an Ad-Hoc network (also known as Independent Basic Service Set (IBSS)) as one that doesn't. See the chapter on wireless configuration for more information on basic service sets (BSS) and extended service sets (ESS).
MAC Address: This field displays the MAC address of the AP in an Infrastructure wireless network. It is randomly generated (so ignore it) in an Ad-Hoc wireless network.
Channel: This is the index number of the channel currently used by the associated AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network.
Signal: This field displays the strength of the AP's signal. If you must choose a channel that's currently in use, choose one with low signal strength for minimum interference.
Network Mode: "Network mode" in this screen refers to your wireless LAN infrastructure (refer to the Wireless LAN chapter) and security setup
102. 4 hour format, for example 23:00 equals 11:00 pm) to send the logs.
Clear log after sending mail: Select the check box to clear all logs after logs and alert messages are sent via e-mail.
Log: Select the categories of logs that you want to record.
Send Immediate Alert: Select the categories of alerts for which you want the ZyXEL Device to immediately send e-mail alerts.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to reconfigure all the fields in this screen.
16.3 Example Log Messages
This section provides descriptions of some example log messages.
Table 66 System Maintenance Logs
LOG MESSAGE: DESCRIPTION
Time calibration is successful: The router has adjusted its time based on information from the time server.
Time calibration failed: The router failed to get information from the time server.
DHCP client gets %s: A DHCP client got a new IP address from the DHCP server.
DHCP client IP expired: A DHCP client's IP address has expired.
DHCP server assigns %s: The DHCP server assigned an IP address to a client.
SMT Login Successfully: Someone has logged on to
103. Chapter 8 Wireless Security Configuration
Figure 57 Wireless Security [screenshot: tabs Wireless, SSID, Security, RADIUS, Layer-2 Isolation, MAC Filter; columns Index, Profile Name, Security Mode; profiles security01 to security16, each with Security Mode None; Edit button]
The following table describes the labels in this screen.
Table 26 WIRELESS > Security
LABEL: DESCRIPTION
Index: This is the index number of the security profile.
Profile Name: This field displays a name given to a security profile in the Security configuration screen.
Security Mode: This field displays the security mode this security profile uses.
Edit: Select an entry from the list and click Edit to configure security settings for that profile.
The next screen varies according to the Security Mode you select.
8.3.1 Security: WEP
Select WEP in the Security Mode field to display the following screen.
Figure 58 WIRELESS > Security: WEP
104. 56 and 2346. This field is not available when Super Mode is selected.
Output Power: Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs. Select one of the following: 100%, 50%, 25%, 12.5% or Minimum. See the product specifications for more information on your ZyXEL Device's output power. This field is not available when you select 802.11a in the 802.11 Mode field.
Rates Configuration: This section controls the data rates permitted for clients. For each Rate, select an option from the Configuration list. The options are:
Basic (1-11 Mbps only): Clients can always connect to the access point at this speed.
Optional: Clients can connect to the access point at this speed, when permitted to do so by the AP.
Disabled: Clients cannot connect to the access point at this speed.
Chapter 9 MBSSID and SSID
Table 34 Wireless: Multiple BSS
LABEL: DESCRIPTION
Select SSID Profile: An SSID profile is the set of parameters relating to one of the ZyXEL Device's BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating with the access point (AP) must have the same SSID. Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device's
105. 6 Remote Management: Telnet [screenshot: TELNET section with Server Port, Server Access (WLAN & LAN), Secured Client IP Address (All / Selected); SSH section with Server Certificate (auto_generated_self_signed_cert, See My Certificates), Server Access, Secured Client IP Address; tabs FTP, WWW, SNMP; buttons Apply, Reset]
The following table describes the labels in this screen.
Table 47 Remote Management: Telnet
LABEL: DESCRIPTION
TELNET
Server Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using Telnet.
Secured Client IP Address: A secured client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
SSH
Server Certificate: Select the certificate whose corresponding private key is to be used to identify the ZyXEL Device for SSH connections. You must have certificates already configured in the CERTIFICATES > My Certificates screen.
Server Port: You can change the server port num
106. 3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page's security details.
Removing a Certificate in Konqueror
This section shows you how to remove a public key certificate in Konqueror 3.5.
1 Open Konqueror and click Settings > Configure Konqueror.
Figure 250 Konqueror 3.5: Settings Menu
2 In the Configure dialog box, select Crypto.
3 On the Peer SSL Certificates tab, select the certificate you want to delete and then cl
107. 8.1.2 See your Quick Start Guide for details on how to set up your computer's IP address.
If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen.
Figure 149 Configuration Upload Error [screenshot message: "Restore configuration error. The configuration file was not accepted by the device. Please return to the previous page and select a valid configuration file. Click Help for more information."]
18.6.3 Back to Factory Defaults
Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyXEL Device to its factory defaults as shown on the screen. The following warning screen will appear.
Figure 150 Reset Warning Message [screenshot message: "AP back to factory defaults. The device will now reboot. As there will be no indication of when the process is complete, please wait for one minute before attempting to access the device again."]
You can also press the RESET button to reset your ZyXEL Device to its factory default settings. Refer to Section 2.2 on page 44 for more information.
18.7 Restart Screen
System restart allows you to reboot the ZyXEL Device without turning the power off.
Click MAINTENANCE > Restart. Click Restart to have the ZyXEL Device reboot. This does not affect the ZyXEL Device's configuration.
Figure 151 Restart Screen
108. Notices
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France.
This Class B digital apparatus complies with Canadian ICES-003.
This Class B digital apparatus complies with the Canadian standard NMB-003.
Appendix G Legal Information
Viewing Certifications
1 Go to http://www.zyxel.com.
2 Select your product on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective produc
109. Appendix F Text File Based Auto Configuration
Figure 260 WPA Configuration File Example
!#ZYXEL PROWLAN
!#VERSION 14
wcfg security 4 name Test-wpa
wcfg security 4 mode wpa
wcfg security 4 reauthtime 1800
wcfg security 4 idletime 3600
wcfg security 4 groupkeytime 1800
wcfg security save
wcfg radius 4 name radius-rdl
wcfg radius 4 primary 172.0.20.38 1812 20 enable
wcfg radius 4 backup 172.0.20.39 1812 20 enable
wcfg radius save
wcfg ssid 4 name ssid-wpa
wcfg ssid 4 security Test-wpa
wcfg ssid 4 qos 4
wcfg ssid 4 l2isolation disable
wcfg ssid 4 macfilter disable
wcfg ssid save
Wlan Command Configuration File Example
This example configuration file uses the wlan command to configure the AP to use the security and SSID profiles from the wcfg command configuration file examples and general wireless settings. You could actually combine all of this chapter's example configuration files into a single configuration file. Remember that the commands are applied in order. So, for example, you would place the commands that create security and SSID profiles before the commands that tell the AP to use those profiles.
Figure 261 Wlan Configuration File Example
!#ZYXEL PROWLAN
!#VERSION 15
wcfg ssid 1 name ssid-wep
wcfg ssid 1
wcfg ssid 2
wcfg ssid 2
wcfg ssid 2
wcfg ssid 3 name ssid-wpapsk
wcfg ssid 3
wcfg ss
110. AF AF AF FA FA FA
Note: The ZyXEL Device can detect the MAC addresses of APs automatically. However, it is more secure to obtain the correct MAC addresses from another source and add them to the friendly AP list manually. For example, an attacker's AP mimicking the correct SSID could be placed on the friendly AP list by accident, if selected from the list of auto-detected APs. In this example, you have spoken to the coffee shop's owner, who has told you the correct MAC address of his AP.
In this example you will do the following things.
1 Set up and save a friendly AP list.
2 Activate periodic Rogue AP Detection.
3 Set up e-mail alerts.
4 Configure your other access points.
5 Test the setup.
5.3.1 Set Up and Save a Friendly AP list
Take the following steps to set up and save a list of access points you want to allow in your network's coverage area.
1 On a computer connected to the wired network (F in the previous figure), open your Internet browser and enter the URL of access point A (192.168.1.1). Login to the Web configurator and click ROGUE AP > Friendly AP. The following screen displays.
Figure 32 Tutorial: Friendly AP (Before Data Entry) [screenshot: tabs Configuration, Friendly AP, Rogue AP; Add Friendly AP fields MAC Address, Description, Add button; Friendly AP List columns MAC Address, SSID, Channel, Security, Description]
2 Fill in the MAC A
111. AP to access the wired network, while X and Y communicate in bridge mode.
When the ZyXEL Device is in AP Bridge mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP. If you do not enable WDS security, traffic between APs is not encrypted. When WDS security is enabled, both APs must use the same pre-shared key. See Section 7.7.3 on page 106 for more details.
Unless specified, the term "security settings" refers to the traffic between the wireless stations and the ZyXEL Device.
Figure 4 AP Bridge Application
1.2.4 MBSSID
A BSS (Basic Service Set) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). An SSID (Service Set IDentifier) is the name of a BSS. In MBSSID (Multiple BSS) mode, the ZyXEL Device provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile.
You can configure up to sixteen SSID profiles, and have up to eight active at any one time.
You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs.
To the wireless clients in the network, each
112. Access Point as the Operating Mode to display the screen shown next.
Figure 51 Wireless: Access Point [screenshot: tabs Wireless, SSID, Security, RADIUS, Layer-2 Isolation, MAC Filter; fields WLAN Interface, Operating Mode, 802.11 Mode, Super Mode, Disable channel switching for DFS, Choose Channel ID, RTS/CTS Threshold, Fragmentation Threshold, Beacon Interval, DTIM, Output Power, SSID Profile, Rates Configuration, Enable Spanning Tree Protocol (STP), Enable Roaming; note "STP and Roaming are common settings. The changes are for both WLAN Interfaces."; buttons Apply, Reset]
The following table describes the general wireless LAN labels in this screen.
Table 22 Wireless: Access Point
LABEL: DESCRIPTION
WLAN Interface: Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
Operating Mode: Select Access Point from the drop-down list
113. Addresses and Subnetting
Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.
Table 90 Subnet Masks
MASK | BINARY (FOUR OCTETS) | DECIMAL
8-bit mask | 11111111 00000000 00000000 00000000 | 255.0.0.0
16-bit mask | 11111111 11111111 00000000 00000000 | 255.255.0.0
24-bit mask | 11111111 11111111 11111111 00000000 | 255.255.255.0
29-bit mask | 11111111 11111111 11111111 11111000 | 255.255.255.248
Network Size
The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits.
An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example).
As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:
Table 91 Maximum Host Numbers
SUBNET MASK | HOST ID SIZE | MAXIMUM NUMBER OF HOSTS
8 bits | 255.0.0.0 | 24 bits | 2^24 - 2 | 16777214
16 bits | 255.255.0.0 | 16 bits | 2^16 - 2 | 65534
24 bits | 255.255.255.0 | 8 bits | 2^8 - 2 | 254
29 bits | 255.255.255
114. Application Example
A WPA(2)-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
2 The AP checks each wireless client's password and only allows it to join the network if the password matches.
3 The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key).
4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.
Figure 195 WPA(2)-PSK Authentication
Security Parameters Summary
Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type. MAC address filters are not dependent on how you configure these security features.
Table 88 Wireless Security Relational Matrix
AUTHENTICATION METHOD / KEY MANAGEMENT PROTOCOL | ENCRYPTION METHOD | ENTER MANUAL KEY | IEEE 802.1X
Open | None | No | Disable
Open | None | No | Enable without Dynamic WEP Key
Open | WEP | No | Enable with Dynamic WEP Key
Open | WEP | Yes | Enable without Dynamic WEP Key
Open | WEP | Yes | Disable
Shared | WEP | No | Enable with Dynamic WEP Key
Shared | WEP | Yes | Enable without Dynamic WEP Key
Shared | WEP | Yes | Disable
WPA | TKIP/AES | No | Enable
WPA-PSK | TKIP/AES | Yes | Disable
WPA2 | TKIP/AES | No | Enable
WPA2-PSK | TKI
115. BITS | SUBNET MASK | NO. SUBNETS | SUBNET
14 | 255.255.255.252 (/30) | 16384 | 2
15 | 255.255.255.254 (/31) | 32768 | 1
Configuring IP Addresses
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the ZyXEL Device.
Once you have decided on the network number, pick an IP address for your ZyXEL Device that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.
Private IP Addresses
Ever
116. CRIPTION
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Property: Select this check box to have the ZyXEL Device use this certificate to sign the trusted remote host certificates that you import to the ZyXEL Device. This check box is only available with self-signed certificates. If this check box is already selected, you cannot clear it in this screen; you must select this check box in another self-signed certificate's details screen. This automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates.
Table 60 My Certificate Details (continued)
LABEL: DESCRIPTION
Certificate Path: Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyXEL Device does not trust the certificate and displays "Not trusted" in this field if
117. Chapter 5 Tutorial
Figure 30 Tutorial: Activate Guest Profile [screenshot: Select SSID Profile list with VoIP SSID and SSID03 entries]
Your guest wireless network is now ready to use.
5.2.4 Testing the Wireless Networks
To make sure that the three networks are correctly configured, do the following.
On a computer with a wireless client, scan for access points. You should see the Guest SSID network, but not the VoIP SSID network. If you can see the VoIP SSID network, go to its SSID Edit screen and make sure Hide Name (SSID) is set to Enable. Whether or not you see the standard network's SSID (SSID04) depends on whether "hide SSID" is enabled.
Try to access each network using the correct security settings, and then using incorrect security settings, such as the WPA-PSK for another active network. If the behavior is different from expected (for example, if you can access the VoIP wireless network using the security settings for the Guest SSID wireless network), check that the SSID profile is set to use the correct security profile, and that the settings of the security profile are correct.
Access the Guest SSID network and try to access other resources than those specified in the Layer 2 Isolation (l2isolation01) profile screen. You can use the ping utility to do this. Click Start > Run and enter "cmd" in
118. 4 In the Certificates confirmation, click Yes.
Figure 221 Internet Explorer 7: Certificates [screenshot message: "Deleting system root certificates might prevent some Windows components from working properly. If Update Root Certificates is installed, any deleted third-party root certificates will be restored automatically, but the system root certificates will not. Do you want to delete the selected certificate(s)?"]
5 In the Root Certificate Store dialog box, click Yes.
Figure 222 Internet Explorer 7: Root Certificate Store [screenshot: prompt asking whether to delete the selected certificate from the Root Store, listing its Subject, Issuer, Time Validity, Serial Number and Thumbprint]
120. The following table describes the labels in this screen.
Table 62 Trusted CA Import
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyXEL Device.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.
15.12 Trusted CA Certificate Details
Click CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority's certificate, change the certificate's name and set whether or not you want the ZyXEL Device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.
Figure 112 Trusted CA Details [screenshot: Name; Property (Check incoming certificates issued by this CA against a CRL); Certificate Path with Refresh button; Certificate Information: Type, Version, Serial Number, Subject]
122. ES applies a 128-bit key to 128-bit blocks of data.
None: no encryption is used.
Enable SNMPv3User: Select this box to activate the SNMPv3 user account. The SNMPv3 user can issue GET commands to the ZyXEL Device.
User Name: Enter a username for the SNMPv3 user. Only SNMP commands carrying this username are allowed to get details about the ZyXEL Device.
Password: Enter a password for the SNMPv3 administrator. Only SNMP commands carrying this password are allowed to get details about the ZyXEL Device.
Confirm Password: Re-enter the Password.
Access Type: For the administrator, this is always Get. SNMP Get commands allow the user to see configuration details about the ZyXEL Device.
Authentication Protocol: Select an authentication algorithm. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Privacy Protocol: Specify the encryption method for SNMP communication with this user. You can choose one of the following:
DES: Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
AES: Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.
None: no encryption is used.
Apply: Click Apply to save your customiz
123. Table of Contents (continued):
9.1 Wireless LAN Infrastructures
9.1.2 Notes on Multiple BSS
9.1.3 Multiple BSS Example
9.1.4 Multiple BSS with VLAN Example
9.1.5 Configuring Multiple BSSs
Chapter 10 Other Wireless Configuration
10.1 Layer 2 Isolation Introduction
10.2 The Layer 2 Isolation Screen
10.3 Configuring Layer 2 Isolation
10.3.1 Layer 2 Isolation Examples
10.3.1.1 Layer 2 Isolation Example 1
10.3.1.2 Layer 2 Isolation Example 2
10.5.1 Requirements for Roaming
Chapter 11 lai
124. List of Figures (continued):
Figure 162 Windows Vista: Local Area Connection Properties
Figure 163 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties
Figure 164 Mac OS X 10.4: Apple Menu
Figure 165 Mac OS X 10.4: System Preferences
Figure 166 Mac OS X 10.4: Network Preferences
Figure 167 Mac OS X 10.4: Network Preferences > TCP/IP Tab
Figure 168 Mac OS X 10.4: Network Preferences > Ethernet
Figure 169 Mac OS X 10.4: Network Utility
Figure 170 Mac OS X 10.5: Apple Menu
Figure 171 Mac OS X 10.5: Systems Preferences
Figure 172 Mac OS X 10.5: Network Preferences > Ethernet
Figure 173 Mac OS X 10.5: Network Preferences > Ethernet
Figure 174 Mac OS X 10.5: Network Utility
Figure 175 Ubuntu 8: System > Administration
125. The following table describes the labels in this screen.
Table 44 ROGUE AP > Friendly AP
LABEL: DESCRIPTION
Add Friendly AP: Use this section to manually add a wireless access point to the list. You must know the device's MAC address.
MAC Address: Enter the MAC address of the AP you wish to add to the list.
Description: Enter a short explanatory description identifying the AP, with a maximum of 32 alphanumeric characters. Spaces, underscores (_) and dashes are allowed.
Add: Click this button to include the AP in the list.
Friendly AP List: This is the list of safe wireless access points you have already configured.
This is the index number of the AP's entry in the list.
MAC Address: This field displays the Media Access Control (MAC) address of the AP. All wireless devices have a MAC address that uniquely identifies them.
SSID: This field displays the Service Set IDentifier (also known as the network name) of the AP.
Channel: This field displays the wireless channel the AP is currently using.
Security: This field displays the type of wireless encryption the AP is currently using.
Last Seen: This field displays the last time the ZyXEL Device scanned for the AP.
Description: This is the description you ente
126. 17.2.4.2 Configuring Remote Access Policies
Once the VLAN Groups have been created, the IAS Remote Access Policy needs to be defined. This allows the IAS to compare the user account being authenticated against the group memberships of each VLAN Group.
1 Using the Remote Access Policy option on the Internet Authentication Service management interface, create a new VLAN Policy for each VLAN Group defined in the previous section. The order of the remote access policies is important. The most specific policies should be placed at the top of the policy list and the most general at the bottom. For example, if the Day-And-Time Restriction policy is still present, it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence.
Right-click Remote Access Policy and select New Remote Access Policy.
Enter a Policy friendly name that describes the policy. Each Remote Access Policy will be matched to one VLAN Group. An example may be Allow VLAN 10 Policy. Click Next.
Figure 124 New Remote Access Policy for VLAN Group
127. IPTION
Status: This field indicates whether or not the ZyXEL Device is using the interface. For each interface, this field displays Up when the ZyXEL Device is using the interface and Down when the ZyXEL Device is not using the interface.
Rate: For the LAN port this displays the port speed and duplex setting. For the WLAN1 and WLAN interfaces, it displays the downstream and upstream transmission rate, or N/A if the interface is not in use.
SSID Status
Interface: This column displays each of the ZyXEL Device's wireless interfaces, WLAN1 and WLAN2.
SSID: This field displays the SSID(s) currently used by each wireless module.
BSSID: This field displays the MAC address of the wireless adaptor.
Security: This field displays the type of wireless security used by each SSID.
VLAN: This field displays the VLAN ID of each SSID in use, or Disabled if the SSID does not use VLAN.
System Status
Show Statistics: Click this link to view port status and packet-specific statistics. See Section 18.2.1 on page 222.
Association List: Click this to see a list of wireless clients currently associated to each of the ZyXEL Device's wireless modules. See Section 18.3 on page 223.
Channel Usage: Click this to see which wireless channels are currently in use in the local area. See Section 18.4 on page 224.
Logs: Click this to see a list of logs produced by the ZyXEL Device. See Section 16.1 on page 195.
Rogue AP List: Click this to see a
128. KIP TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.
The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP, which then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break int
129. The following table describes the labels in this screen.
Table 35 SSID
LABEL: DESCRIPTION
Index: This field displays the index number of each SSID profile.
Name: This field displays the identification name of each SSID profile on the ZyXEL Device.
SSID: This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.
Security: This field indicates which security profile is currently associated with each SSID profile. See Section 8.3 on page 111 for more information.
RADIUS: This field displays which RADIUS profile is currently associated with each SSID profile, if you have a RADIUS server configured.
QoS: This field displays the Quality of Service setting for this profile, or NONE if QoS is not configured on a profile.
Layer 2 Isolation: This field displays which layer 2 isolation profile is currently associated with each SSID profile, or Disable if Layer 2 Isolation is not configured on an SSID profile.
MAC Filter: This field displays which MAC filter profile is currently associated with each SSID profile, or Disable if MAC filtering is not configu
130. L Device's World Wide Web settings, click REMOTE MGNT > WWW.
Figure 89 Remote Management: WWW
The following table describes the labels in this screen.
Table 49 Remote Management: WWW
LABEL: DESCRIPTION
WWW
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
HTTPS
Server Certificate: Select the Server Certificate that the ZyXEL Device will use to identify itself. The ZyXEL Device is the SSL server and must always authenticate itself to the SSL clie
131. LF in the Type field.
1 Make sure that no other features, such as HTTPS, VPN, SSH, are configured to use the SELF certificate.
2 Click the details icon next to another self-signed certificate (see the description on the Create button if you need to create a self-signed certificate).
3 Select the Default self-signed certificate which signs the imported remote host certificates check box.
4 Click Apply to save the changes and return to the My Certificates screen.
5 The certificate that originally showed SELF displays SELF and you can delete it now. Note that subsequent certificates move up by one when you take this action.
Create: Click Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request.
Import: Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyXEL Device.
Delete: Click Delete to delete an existing certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
Refresh: Click Refresh to display the current validity status of the certificates.
15.6 Certificate File Formats
The certification authority certificate that you want to import has to be in one of these file formats:
Binary X.509: This is an ITU-T recommendation that defines the formats f
132. NWA3550 IEEE 802.11a/b/g Outdoor WLAN Access Point
User's Guide, Version 3.60, 6/2008, Edition 2
DEFAULT LOGIN: IP Address http://192.168.1.2, Password 1234
ZyXEL www.zyxel.com
About This User's Guide
Intended Audience: This manual is intended for people who want to configure the ZyXEL Device using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
Supporting Disk: Refer to the included CD for support documents.
ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.
User Guide Feedback: Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. E-mail: techwriters@zyxel.com.tw
Document Conventions
Warnings and Notes: These are how warnings and notes are shown in this User's Guide. Warnings tell you about things that could harm you or your device. Notes
133. ON
System Name: This is the System Name you can configure in the SYSTEM > General screen. It is for identification purposes.
ZyNOS Firmware Version: This is the ZyNOS Firmware version and date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
IP Address: This is the Ethernet port IP address.
IP Subnet Mask: This is the Ethernet port subnet mask.
DHCP: This is the Ethernet port DHCP role: Client or None.
Show Statistics: Click Show Statistics to see router performance statistics such as number of packets sent and number of packets received for each port.
18.2.1 System Statistics
Click Maintenance > Show Statistics. Read-only information here includes port status, packet-specific statistics and bridge link status. Also provided are system up time and poll interval(s). The Poll Interval field is configurable. The fields in this screen vary according to the current wireless mode.
Figure 139 System Status: Show Statistics
134. P computer or router that you want to allow the associated wireless clients to have access to in these address fields. Type the MAC address in a valid MAC address format, six hexadecimal character pairs, for example 12:34:56:78:9a:bc.
Description: Type a name to identify this device.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
10.3.1 Layer 2 Isolation Examples
The following section shows you example layer 2 isolation configurations on the ZyXEL Device (A).
Note: When configuring, remember to select the correct layer 2 isolation profile in the WIRELESS > SSID > Edit screen of the relevant SSID profile.
Figure 72 Layer 2 Isolation Example Configuration
10.3.1.1 Layer 2 Isolation Example 1
In the following example, wireless clients 1 and 2 can communicate with network router B and file server C, but not access point D or wireless client 3.
Enter B's MAC address in the MAC Address field, and enter Network Router B in B's Description field.
Enter C's MAC address in the MAC Address field, and enter File Server C in C's Description field.
Figure 73 Layer 2 Isolation Example 1
135. P AES Yes Disable
Antenna Overview
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.
Antenna Characteristics
Frequency: An antenna in the frequency of 2.4GHz (IEEE 802.11b) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.
Radiation Pattern: A radiation pattern is a diagram that allows you to visualize the shape of the antenna's coverage area.
Antenna Gain: Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1 dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi rep
136. P addresses that place them in the same subnet.
In this appendix you can set up an IP address for:
Windows XP/NT/2000 on page 245
Windows Vista on page 248
Mac OS X: 10.3 and 10.4 on page 252
Mac OS X: 10.5 on page 256
Linux: Ubuntu 8 (GNOME) on page 259
Linux: openSUSE 10.3 (KDE) on page 262
Windows XP/NT/2000
The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT.
1 Click Start > Control Panel.
Figure 152 Windows XP: Start Menu
2 In the Control Panel, click the Network Connections icon.
Figure 153 Windows XP: Control Panel
3 Right-click Local Area Connection and then select Properties.
Fig
137. P the alerts come from (ALERT Access Point B, etc.).
5.3.5 Test the Setup
Next, test your setup to ensure it is correctly configured.
Log into each AP's Web configurator and click ROGUE AP > Rogue AP. Click Refresh. If any of the MAC addresses from Table 5 on page 71 appear in the list, the friendly AP function may be incorrectly configured; check the ROGUE AP > Friendly AP screen.
If any entries appear in the rogue AP list that are not in Table 5 on page 71, write down the AP's MAC address for future reference and check your e-mail inbox. If you have received a rogue AP alert, email alerts are correctly configured on that ZyXEL Device.
If you have another access point that is not used in your network, make a note of its MAC address and set it up next to each of your ZyXEL Devices in turn while the network is running. Either wait for at least ten minutes (to ensure the ZyXEL Device performs a scan in that time) or log in to the ZyXEL Device's Web configurator and click ROGUE AP > Rogue AP > Refresh to have the ZyXEL Device perform a scan immediately.
Check the ROGUE AP > Rogue AP screen. You should see an entry in the list with the same MAC address as your rogue AP.
Check the LOGS > View Logs screen. You should see a Rogue AP Detection entry in red text, including the MAC address of your rogue AP.
Check your e-mail. You should have received at least one e-mail alert (your other ZyXEL Devices may also hav
138. List of Figures (continued):
Figure 92 Security Certificate 2 (Netscape)
Figure 93 Example: Lock Denoting a Secure Connection
Figure 95 Device-specific Certificate
Figure 96 Common ZyXEL Device Certificate
Figure 97 SNMP Management Model
Figure 98 Remote Management: SNMP
Figure 99 Remote Management: SNMPv3 User Profile
Figure 100 Internal RADIUS Server Setting Screen
Figure 104 Certificates on Your Computer
Figure 107 My Certificate Import
Figure 108 My Certificate Create
Figure 111 Trusted CA Import
139. S
A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out of range of each other, so they cannot "hear" each other; that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
Figure 193 RTS/CTS (Stations A and B do not hear each other. They can hear the AP.)
When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.
When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To
140. List of Figures (continued):
Figure 60 Security: 802.1x Static 64-bit, 802.1x Static 128-bit
Figure 61 Security: WPA
Figure 62 Security: WPA2 or WPA2-MIX
Figure 63 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
Figure 65 Multiple BSS with VLAN Example
Figure 66 Wireless: Multiple BSS
Figure 69 Layer 2 Isolation Application
Figure 70 WIRELESS > Layer 2 Isolation
Figure 71 WIRELESS > Layer 2 Isolation Configuration Screen
Figure 72 Layer 2 Isolation Example Configuration
Figure 73 Layer 2 Isolation Example 1
Figure 74 Layer 2 Isolation Example 2
Figure 75 WIRELESS > MAC Filter
141. SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device's new settings.
Index: This is the index number of the SSID profile.
Active: Select the check box to activate an SSID profile.
Profile: Select the profile(s) of the SSIDs you want to use in your wireless network. You can have up to eight BSSs running on the ZyXEL Device simultaneously, one of which is always the pre-configured VoIP SSID profile, and another of which is always the pre-configured Guest SSID profile. Configure SSID profiles in the SSID screen.
Enable Spanning Tree Control (STP): (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the ZyXEL Device.
Enable Roaming: Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this checkbox to enable roaming on the ZyXEL Device if you have two or more ZyXEL Devices on the same subnet. Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin c
142. Second Rx VLAN ID. The following screen shows SSID03 tagged with a VLAN ID of 3 and a Second Rx VLAN ID of 4.
Figure 137 Configuring SSID: Second Rx VLAN ID Example
6 Click Apply to save these settings. Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3, and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03.
Maintenance
This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics.
18.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyXEL Device.
18.2 System Status Screen
Click MAINTENANCE to open the System Status screen, where you can see information about your ZyXEL Device. Note that the labels in this screen are READ-ONLY and are meant to be used for diagnostic purposes.
Figure 138 System Status
The following table describes the labels in this screen.
Table 73 System Status
LABEL: DESCRIPTI
143. Send message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.
Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.
You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.
If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.
Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.
Fragmentation Threshold
A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.
A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interferenc
144. The following table describes the labels in this screen.
Table 48 Remote Management: FTP
LABEL: DESCRIPTION
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
13.7 WWW (HTTP and HTTPS)
HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication
145. Ss allowed on one AP simultaneously. On the NWA-3160 and NWA-3163, a maximum of eight simultaneous BSSs are allowed. On the NWA-3165, a maximum of four simultaneous BSSs are allowed.
You must use different WEP keys for different BSSs. If two stations have different BSSIDs (they are in different BSSs) but have the same WEP keys, they may hear each other's communications (but not communicate with each other).
MBSSID should not replace, but rather be used in conjunction with, 802.1x security.
9.1.3 Multiple BSS Example
Refer to the applications section for more information.
9.1.4 Multiple BSS with VLAN Example
In this example, VLAN 1 includes the computers in BSS1 and LAN 1. Computers in BSS2 and LAN 2 belong to VLAN 2. Users in BSS1 are limited to accessing the resources on LAN 1, and similarly users in BSS2 may only access resources on LAN 2. VLAN 2 is the management VLAN.
The switch adds PVID (Port VLAN IDentity) tags to incoming frames that don't already have tags (on switch ports where PVID is enabled).
Figure 65 Multiple BSS with VLAN Example
9.1.5 Configuring Multiple BSSs
Click WIRELESS > Wireless and select MBSSID in the Operating Mode drop-down list box to display the screen as shown.
Figure 66 Wireless Mult
146. This is the index number of the AP's entry in the list.
Active: Use this check box to select the APs you want to move to the friendly AP list (see Section 12.3.2 on page 148).
MAC Address: This field displays the Media Access Control (MAC) address of the AP. All wireless devices have a MAC address that uniquely identifies them.
SSID: This field displays the Service Set IDentifier (also known as the network name) of the AP.
Channel: This field displays the wireless channel the AP is currently using.
Security: This field displays the type of wireless encryption the AP is currently using.
Last Seen: This field displays the last time the ZyXEL Device scanned for the AP.
Description: If you want to move the AP's entry to the friendly AP list, enter a short explanatory description identifying the AP before you click Add to Friendly AP List. A maximum of 32 alphanumeric characters are allowed in this field. Spaces, underscores and dashes are allowed.
Add to Friendly AP List: If you know that the AP described in an entry is not a threat, select the Active check box, enter a short description in the Description field and click this button to add the entry to the friendly AP list (see Section 12.3.2 on page 148). When the ZyXEL Device next scans for rogue APs, the selected AP does not appear in the rogue AP list.
Reset: Click Reset to return all fields in this screen to their default values.
Remo
147. This is the name of the SSID profile.
SSID: This is the SSID the profile uses.
VLAN ID: Enter a VLAN ID number from 1 to 4094. Packets coming from the WLAN using this SSID profile are tagged with the VLAN ID number by the ZyXEL Device. Different SSID profiles can use the same or different VLAN IDs. This allows you to split wireless stations into groups using similar VLAN IDs.
Second Rx VLAN ID: Enter a number from 1 to 4094, but different from the entry's VLAN ID. Traffic received from the LAN that is tagged with this VLAN ID is sent to all SSIDs with this VLAN ID configured in the VLAN ID or Second Rx VLAN ID fields. See Section 17.2.5 on page 218 for more information.
Apply: Click this to save your changes to the ZyXEL Device.
Reset: Click this to return this screen to its last-saved settings.
17.2.2 RADIUS VLAN
Click VLAN > RADIUS VLAN. The following screen appears.
Figure 116 RADIUS VLAN
The following table describes the labels in this screen.
Table 71 RADIUS VLAN
LABEL / DESCRIPTION
Block station if RADIUS
148. Attribute name: Tunnel-Medium-Type. Attribute number: 65. Attribute format: Enumerator. Attribute value: 802 (includes all 802 media plus Ethernet canonical format).
13. Return to the RADIUS Attribute Screen shown as Figure 131 on page 215. Select Tunnel-Pvt-Group-ID. Click Add.
14. The Attribute Information screen displays. In the Enter the attribute value in field, select String and type a number in the range 1 to 4094 or a Name for this policy. This Name should match a name in the VLAN mapping table on the ZyXEL Device. Wireless stations belonging to the VLAN Group specified in this policy will be given a VLAN ID specified in the ZyXEL Device VLAN table. Click OK.
Figure 133 VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID
15. Return to the RADIUS Attribute Screen shown as Figure 131 on page 215. Select Tunnel-Type. Click Add.
16. The Enumerable Attribute Information screen displays. Select Virtual LANs (VLAN) from the attribute value drop-down list box. Click OK.
Figure 134 VLAN Attribute Setting for Tunnel-Type
149. VLAN ID based on the settings in the Wireless VLAN screen. See Section 17.2.4 on page 210 for more information.
Note: To use RADIUS VLAN you must first select Enable VIRTUAL LAN and configure the Management VLAN ID in the VLAN > Wireless VLAN screen.
17.2.1 Wireless VLAN
Click VLAN > Wireless VLAN. The following screen appears.
Figure 115 Wireless VLAN
The following table describes the labels in this screen.
Table 70 Wireless VLAN
FIELD / DESCRIPTION
Enable VIRTUAL LAN: Select this box to enable VLAN tagging.
Management VLAN ID: Enter a number from 1 to 4094 to define this VLAN group. At least one device in your network must belong to this VLAN group in order to manage the ZyXEL Device. Note: Mail and FTP servers must have the same management VLAN ID to communicate with the ZyXEL Device. See Section 17.2.3 on page 207 for more information.
VLAN Mapping Table: Use this table to have the ZyXEL Device assign VLAN tags to packets from wireless clients based on the SSID they use to connect to the ZyXEL Device.
Index: This is the index number of the SSID profile.
Name
151. WAP controller. At the time of writing, the following ZyXEL AP models can be CAPWAP managed APs: NWA 3160, NWA 3163, NWA 3500, NWA 3550, NWA 8500. The following figure illustrates a CAPWAP wireless network. The user (U) configures the controller AP (C), which then automatically updates the configurations of the managed APs (M1 to M4).
Figure 7 CAPWAP Network Example
1.4 Ways to Manage the ZyXEL Device
Use any of the following methods to manage the ZyXEL Device.
Web Configurator: This is recommended for everyday management of the ZyXEL Device using a (supported) web browser.
Command Line Interface: Line commands are mostly used for troubleshooting by service engineers.
SMT: System Management Terminal is a text-based configuration menu that you can use to configure your device. Use Telnet to access the SMT.
FTP: Use FTP for firmware upgrades and configuration backup and restore.
SNMP: The device can be monitored by an SNMP manager. See the SNMP chapter in this User's Guide.
1.5 Configuring Your ZyXEL Device's Security Features
Your ZyXEL Device comes with a variety of security features. This section summarizes these features and provides links to sections in the User's Guide to configure security settings on your ZyXEL Device. Follow the suggestions below to improve security on your ZyXEL Device and network.
1.5.1 Control Access to Your Devic
152. WIRELESS > Layer 2 Isolation
The following table describes the labels in this screen.
Table 37 WIRELESS > Layer 2 Isolation
LABEL / DESCRIPTION
Index: This is the index number of the profile.
Profile Name: This field displays the name given to a layer-2 isolation profile in the Layer 2 Isolation Configuration screen.
Edit: Select an entry from the list and click Edit to configure settings for that profile.
10.3 Configuring Layer 2 Isolation
To configure layer-2 isolation, click WIRELESS > Layer 2 Isolation > Edit. The screen appears as shown.
Note: If layer-2 isolation is enabled, you need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the ZyXEL Device's wireless clients.
Figure 71 WIRELESS > Layer 2 Isolation Configuration Screen
153. You have successfully completed the Certificate Import wizard.
10. If you are presented with another Security Warning, click Yes.
Figure 213 Internet Explorer 7 Security Warning
Security Warning: You are about to install a certificate from a certification authority (CA) claiming to represent: nsa2401. Windows cannot validate that the certificate is actually from "nsa2401". You should confirm its origin by contacting "nsa2401". The following number will assist you in this process: Thumbprint (sha1): 35D1C9AC DBCOE654 FE327C71 464D154B 242E5B93. Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk. Do you want to install this certificate?
11. Finally, click OK when presented with the successful certificate installation message.
Figure 214 Internet Explorer 7 Certificate Import Wizard
12. The next time you start Internet Explorer and go to a ZyXEL web configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.
Figure 215 Internet Explorer 7 Website Identification
154. able 6 Tutorial SSID Profile Security Settings
SSID Profile Name           SERVER 1                                SERVER 2
SSID                        SSID S1                                 SSID S2
Security                    Security Profile security03:            Security Profile security04:
                            WPA2-PSK, Hide SSID                     WPA2-PSK, Hide SSID
Intra-BSS traffic blocking  Enabled                                 Enabled
Each SSID profile already uses a different pre-shared key. In this example, you will configure access limitations for each SSID profile. To do this, you will take the following steps.
1. Configure the SERVER 1 network's SSID profile to use specific MAC filter and layer-2 isolation profiles.
2. Configure the SERVER 1 network's MAC filter profile.
3. Configure the SERVER 1 network's layer-2 isolation profile.
4. Repeat steps 1 to 3 for the SERVER 2 network.
5. Check your settings and test the configuration.
To configure layer-2 isolation, you need to know the MAC addresses of the devices on your network, which are as follows.
Table 7 Tutorial Example Network MAC Addresses
DEVICE            LABEL  MAC ADDRESS
ZyXEL Device      Z      BB:AA:99:88:77:66
Secure Server 1   1      AA:99:88:77:66:55
Secure Server 2   2      99:88:77:66:55:44
Workstation       C      88:77:66:55:44:33
Switch            D      77:66:55:44:33:22
Security gateway  E      66:55:44:33:22:11
To configure MAC filtering, you need to know the MAC addresses of the devices Alice and Bob use to connect to the network, which are as follows.
Table 8 Tutorial Example User
156. alphabetical order.
Name: This field displays the name used to identify this certificate.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
CRL Issuer: This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate's details screen to have the ZyXEL Device check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays No.
Details: C
157. ame key.
8.2 Security Modes
The following table describes the security modes you can configure.
Table 25 Security Modes
SECURITY MODE / DESCRIPTION
None: Select this to have no data encryption.
WEP: Select this to use WEP encryption.
802.1x-Only: Select this to use 802.1x authentication with no data encryption.
802.1x-Static64: Select this to use 802.1x authentication with a static 64-bit WEP key and an authentication server.
802.1x-Static128: Select this to use 802.1x authentication with a static 128-bit WEP key and an authentication server.
WPA: Select this to use WPA.
WPA-PSK: Select this to use WPA with a pre-shared key.
WPA2: Select this to use WPA2.
WPA2-MIX: Select this to use either WPA2 or WPA, depending on which security mode the wireless client uses.
WPA2-PSK: Select this to use WPA2 with a pre-shared key.
WPA2-PSK-MIX: Select this to use either WPA-PSK or WPA2-PSK, depending on which security mode the wireless client uses.
8.3 Configuring Security
Note: The following screens are configurable only in Access Point, AP+Bridge and MBSSID operating modes.
Use the Security screen to create secure profiles. A security profile is a group of configuration settings which can be assigned to an SSID profile in the SSID configuration screen. You can configure up to 16 security profiles. To change your ZyXEL Device's wireless security settings, click WIRELESS > Security.
158. and click Tools > Options.
Figure 229 Firefox 2 Tools Menu
2. In the Options dialog box, click Advanced > Encryption > View Certificates.
Figure 230 Firefox 2 Options
3. In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.
Figure 231 Firefox 2 Certificate Manager
4. In the Delete Web Site Certificates dialog box, click OK.
Figure 232 Firefox 2 Delete Web Site Certificates
Delete Web Site Certificates: Are you sure you want to delete these web site certificates? 172.20.37.202. If you delete a web site certificate, you will be asked to accept it again the ne
159. any certificate on the path has expired or been revoked.
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate's identification number given by the certification authority or generated by the ZyXEL Device.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The ZyXEL Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and t
160. any of the imported trusted CA certificates.
15.3.1 Checking the Fingerprint of a Certificate on Your Computer
A certificate's fingerprints are message digests calculated using the MD5 or SHA algorithms. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.
1. Browse to where you have the certificate saved on your computer.
2. Make sure that the certificate has a ".cer" or ".crt" file name extension.
Figure 104 Certificates on Your Computer
3. Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 105 Certificate Details
4. Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary according to your situation. Possible examples would be over the telephone or through an HTTPS connection.
15.4 Configurat
162. at signs the imported trusted remote host certificates.
Cancel: Click Cancel to quit and return to the My Certificates screen.
Click CERTIFICATES > Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyXEL Device to accept as trusted. The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities. See the following figure.
Figure 110 Trusted CAs
The following table describes the labels in this screen.
Table 61 Trusted CAs
LABEL / DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device's PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Index: This field displays the certificate index number. The certificates are listed in
163. ate  Moderate  Moderate
Client Identity Protection  No  No  Yes  Yes  No
WPA and WPA2
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.
If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.
Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than T
164. ate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows.
Table 85 IEEE 802.11g
DATA RATE (MBPS)        MODULATION
1                       DBPSK (Differential Binary Phase Shift Keyed)
2                       DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11                CCK (Complementary Code Keying)
6/9/12/18/24/36/48/54   OFDM (Orthogonal Frequency Division Multiplexing)
Wireless Security Overview
Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.
Table 86 Wireless Security Levels
SECURITY LEVEL  SECURITY TYPE
Least Secure    Unique SSID (Default)
                Unique SSID with Hide SSID Enabled
                MAC Address Filtering
                WEP Encryption
                IEEE802.1x EAP with RADIUS Server Authentication
                Wi-Fi Protected Access (WPA)
Most Secure     WPA2
You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it.
IEEE 802.1x
In June 2001, the IEEE 802.1x
165. ately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol. Just fill in the Key field if your certification authority uses the SCEP enrollment protocol.
Key: Type the key that the certification authority gave you.
Apply: Click Apply to begin certificate or certification request generation.
Cancel: Click Cancel to quit and return to the My Certificates screen.
After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyXEL Device is generating the self-signed certificate or certification request. After the ZyXEL Device successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen. If you configured the My Certificate Create screen to have the ZyXEL Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyXEL Device to enroll a certificate online.
166. ber for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using SSH.
Secured Client IP Address: A secured client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
13.6 Configuring FTP
You can use FTP (File Transfer Protocol) to upload and download the ZyXEL Device's firmware and configuration files; please see the User's Guide chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. To change your ZyXEL Device's FTP settings, click REMOTE MGNT > FTP. The screen appears as shown. Use this screen to specify which interfaces allow FTP access and from which IP address the access can come.
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
Figure 87 Remote Management: FTP
168. booting (power on). This trap is defined in RFC 1215.
warmstart (1.3.6.1.6.3.1.1.5.2): This trap is sent after booting (software reboot). This trap is defined in RFC 1215.
linkDown (1.3.6.1.6.3.1.1.5.3): This trap is sent when the Ethernet link is down.
linkUp (1.3.6.1.6.3.1.1.5.4): This trap is sent when the Ethernet link is up.
authenticationFailure, defined in RFC 1215 (1.3.6.1.6.3.1.1.5.5): The device sends this trap when it receives any SNMP get or set requirements with the wrong community (password). Note: snmpEnableAuthenTraps, OID 1.3.6.1.2.1.11.30 (defined in RFC 1214 and RFC 1907), must be enabled on in order for the device to send authenticationFailure traps. Use a MIB browser to enable or disable snmpEnableAuthenTraps.
Traps defined in the ZyXEL Private MIB:
whyReboot (1.3.6.1.4.1.890.1.5.13.0.1): This trap is sent with the reason for restarting before the system reboots (warm start). "System reboot by user!" is added for an intentional reboot (for example, download new files, CI command "sys reboot"). If the system reboots because of fatal errors, a code for the error is listed.
pwTrapWirelessStatus (1.3.6.1.4.1.890.1.9.2.1.1): This is to enable or disable the wireless group trap.
pwWlanStaAssociation (1.3.6.1.4.1.890.9.2.3.1.1): This trap is sent when a wireless station associates with the ZyXEL Device.
pwWlanStaDisassociation (1.3.6.1.4.1.890.9.2.3.1.2): This trap is sent when a wireless sta
169. 6. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Firefox
The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.
1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2. Select Accept this certificate permanently and click OK.
Figure 223 Firefox 2 Website Certified by an Unknown Authority
Website Certified by an Unknown Authority: Unable to verify the identity of 172.20.37.202 as a trusted site. Possible reasons for this error: Your browser does not recognize the Certificate Authority that issued the site's certificate. The site's certificate is incomplete due to a server misconfiguration. You are connected to a site pretending to be 172.20.37.202, possibly to obtain your confidential information. Please notify the site's webmaster about this problem. Before accepting this certificate, you should examine this site's certificate carefully. Are you willing to accept this certificate for the purpose of identifying the Web site 172.20.37.202? Accept this certificate permanently this session Do not accept this certificate and
171. cate file if one has been issued to you.

1 Open Opera and click Tools > Preferences.
Figure 235 Opera 9: Tools Menu
2 In Preferences, click Advanced > Security > Manage certificates.
NWA3550 User's Guide, Appendix D: Importing Certificates
Figure 236 Opera 9: Preferences
3 In the Certificates Manager, click Authorities > Import.
Figure 237 Opera 9: Certificate manager
172. cation. EAP-GTC is implemented only by Cisco.

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.

EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 87 Comparison of EAP Authentication Types
                       | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP     | LEAP
Mutual Authentication  | No      | Yes     | Yes      | Yes      | Yes
Certificate - Client   | No      | Yes     | Optional | Optional | No
Certificate - Server   | No      | Yes     | Yes      | Yes      | No
Dynamic Key Exchange   | No      | Yes     | Yes      | Yes      | Yes
Credential Integrity   | None    | Strong  | Strong   | Strong   | Moderate
Deployment Difficulty  | Easy    | Hard    | Moder
173. ccept this certificate temporarily for this session; Do not accept this certificate and do not connect to this web site

Figure 92 Security Certificate 2 (Netscape)
Dialog text: Security Error: Domain Name Mismatch. You have attempted to establish a connection with 192.168.1.2. However, the security certificate presented belongs to xxx Factory Default Certificate. It is possible, though unlikely, that someone may be trying to intercept your communication with this web site. If you suspect the certificate shown does not belong to 192.168.1.2, please cancel the connection and notify the site administrator. Buttons: View Certificate, Cancel, Help.

13.9.3 Avoiding the Browser Warning Messages

The following describes the main reasons that your browser displays warnings about the ZyXEL Device's HTTPS server certificate and what you can do to avoid seeing the warnings.

- The issuing certificate authority of the ZyXEL Device's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the ZyXEL Device's factory default certificate is the ZyXEL Device itself, since the certificate is a self-signed certificate.
- For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
- To have the browser trust the certificate
174. ce interference with other APs. Select from 100%, 50%, 25%, 12.5% and Minimum. See the product specifications for more information on your ZyXEL Device's output power. This field is not available when you select 802.11a in the 802.11 Mode field.

Enable WDS Security: Select this to turn on security for the ZyXEL Device's Wireless Distribution System (WDS). A Wireless Distribution System is a wireless connection between two or more APs. If you do not select the check box, traffic between APs is not encrypted.
Note: WDS security is independent of the security settings between the ZyXEL Device and any wireless clients.
When you enable WDS security, also do the following:
- Select the type of security you want to use (TKIP or AES) to secure traffic on your WDS.
- Enter a pre-shared key in the PSK field for each access point in your WDS. Each access point can use a different pre-shared key.
- Configure WDS security and the relevant PSK in each of your other access point(s).
Note: Other APs must use the same encryption method to enable WDS security.

Table 23 Wireless: Bridge/Repeater
LABEL: DESCRIPTIONS
TKIP (ZyAIR Series Compatible): Select this to enable Temporal Key Integrity Protocol (TKIP) security on your WDS. This option is compatible with other ZyXEL access points including that support WDS security. Use this if the other access points o
175. ces
[Status screen figure: System Information, Interface Status and SSID Status panels, with System Status links to Show Statistics, Association List, Channel Usage, Logs and Rogue AP List]

The following table describes the labels in this screen.

Table 1 The Status Screen
LABEL: DESCRIPTION
Automatic Refresh Interval: Enter how often you want the ZyXEL Device to update this screen.
Refresh: Click this to update this screen immediately.
System Information
System Name: This field displays the ZyXEL Device system name. It is used for identification. You can change this in the System > General screen's System Name field.
Model: This field displays the ZyXEL Device's exact model name.
Firmware Version: This field displays the current version of the firmware i
176. [Screenshot text continued: list of available RADIUS attributes, including Tunnel-Medium-Type, Tunnel-Pvt-Group-ID and Tunnel-Type]

12 The Enumerable Attribute Information screen displays. Select the 802 value from the Attribute value drop-down list box. Click OK.

Figure 132 802 Attribute Setting for Tunnel Medium
177. ch of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term "subnet" is short for "sub-network".

A subnet mask has 32 bits. If a bit in the subnet mask is a "1", then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0", then the corresponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).

Table 89 Subnet Masks
                     | 1ST OCTET (192) | 2ND OCTET (168) | 3RD OCTET (1) | 4TH OCTET (2)
IP Address (Binary)  | 11000000        | 10101000        | 00000001      | 00000010
Subnet Mask (Binary) | 11111111        | 11111111        | 11111111      | 00000000
Network Number       | 11000000        | 10101000        | 00000001      |
Host ID              |                 |                 |               | 00000010

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Subnet masks can be referred to by the size of the network number part (the bits with a "1" value). For example, an "8-bit mask" means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.
178. creens on your ZyXEL Device.

10.1 Layer 2 Isolation Introduction

Layer 2 isolation is used to prevent wireless clients associated with your ZyXEL Device from communicating with other wireless clients, APs, computers or routers in a network.

In the following example, layer 2 isolation is enabled on the ZyXEL Device (Z in the figure) to allow a guest wireless client (A) to access the main network router (B). The router provides access to the Internet (C) and the network printer (D) while preventing the client from accessing other computers and servers on the network. The client can communicate with other wireless clients only if Intra-BSS Traffic blocking is disabled.

Note: Intra-BSS Traffic Blocking is activated when you enable layer 2 isolation.

Figure 69 Layer 2 Isolation Application

MAC addresses that are not listed in the Allow devices with these MAC addresses table are blocked from communicating with the ZyXEL Device's wireless clients, except for broadcast packets. Layer 2 isolation does not check the traffic between wireless clients that are associated with the same AP. Intra-BSS Traffic allows wireless clients associated with the same AP to communicate with each other.

10.2 The Layer 2 Isolation Screen

Click WIRELESS > Layer 2 Isolation. The screen appears as shown next.

Figure 70
179. [WEP security profile screenshot; on-screen notes:]
64-bit WEP: Enter 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F") for each Key (1-4).
128-bit WEP: Enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F") for each Key (1-4).
152-bit WEP: Enter 16 ASCII characters or 32 hexadecimal characters ("0-9", "A-F") for each Key (1-4).

The following table describes the labels in this screen.

Table 27 Security: WEP
LABEL: DESCRIPTION
Profile Name: Type a name to identify this security profile.
Security Mode: Choose WEP in this field.
WEP Encryption: Select 64-bit WEP, 128-bit WEP or 152-bit WEP to enable data encryption.
Authentication Method: Select Auto or Shared Key from the drop-down list box. The default setting is Auto.
ASCII: Select this option to enter ASCII characters as the WEP keys.
Hex: Select this option to enter hexadecimal characters as the WEP keys. The preceding "0x" is entered automatically.
Key 1 to Key 4: The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal
180. 4 From the Configure list, select Using DHCP for dynamically assigned settings.
5 For statically assigned settings, do the following:
- From the Configure list, select Manually.
- In the IP Address field, enter your IP address.
- In the Subnet Mask field, enter your subnet mask.
- In the Router field, enter the IP address of your ZyXEL Device.

Figure 173 Mac OS X 10.5: Network Preferences > Ethernet

6 Click Apply and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab.

Figure 174 Mac OS X 10.5: Network Utility
181. 9 Click the IP tab and select the Client may request an IP address check box (for DHCP support).
10 Click the Advanced tab. The current default parameters returned to the ZyXEL Device should be Service-Type and Framed-Protocol. Click the Add button to add an additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.
11 The RADIUS Attribute screen displays. From the list, three RADIUS attributes will be added: Tunnel-Medium-Type, Tunnel-Pvt-Group-ID and Tunnel-Type.
- Click the Add button.
- Select Tunnel-Medium-Type.
- Click the Add button.

Figure 131 RADIUS Attribute Screen
182. d logs.

16.4.2 Displaying Logs

- Use the sys logs display command to show all of the logs in the ZyXEL Device's log.
- Use the sys logs category display command to show the log settings for all of the log categories.
- Use the sys logs display [log category] command to show the logs in an individual ZyXEL Device log category.
- Use the sys logs clear command to erase all of the ZyXEL Device's logs.

16.5 Log Command Example

This example shows how to set the ZyXEL Device to record the error logs and alerts and then view the results.

    ras> sys logs load
    ras> sys logs category error 3
    ras> sys logs save
    ras> sys logs display access
    f time source destination notes message
    0 11 11 2002 15 10 12 172 22 3 80 137 1452 2222593 2555137 ACCESS BLOCK

VLAN

This chapter discusses how to configure VLAN on the ZyXEL Device.

17.1 VLAN

A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Stations on a logical network can belong to one or more groups. Only stations within the same group can talk to each other.

17.1.1 Management VLAN ID

The Management VLAN ID identifies the management VLAN. A device must be a member of this management VLAN in order to access and manage the ZyXEL Device. If a device is not a m
183. - In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address.
- In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields.
6 Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen.
7 If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided.

Figure 180 Ubuntu 8: Network Settings > DNS

8 Click the Close button to apply the changes.

Verifying Settings

Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices tab. The Interface Statistics column shows data if your connection is working properly.

Figure 181 Ubuntu 8: Network Tools
184. ddress and Description fields as in the following table. Click Add after you enter the details of each AP to include it in the list.

Table 5 Tutorial: Friendly AP Information
MAC ADDRESS       | DESCRIPTION
00:AA:00:AA:00:AA | My Access Point _A_
AA:00:AA:00:AA:00 | My Access Point _B_
A0:0A:A0:0A:A0:0A | My Access Point _C_
0A:A0:0A:A0:0A:A0 | My Access Point _D_
AF:AF:AF:FA:FA:FA | Coffee Shop Access Point _1_

Note: You can add APs that are not part of your network to the friendly AP list, as long as you know that they do not pose a threat to your network's security.

The Friendly AP screen now appears as follows.

Figure 33 Tutorial: Friendly AP (After Data Entry)

3 Next, you will save the list of friendly APs in order to provide a backup and upload it to your other access points. Click the Configuration tab. The following screen appears.

Figure 34 Tu
185. describes the labels in this screen.

Table 39 WIRELESS > MAC Filter
LABEL: DESCRIPTION
Index: This is the index number of the profile.
Profile Name: This field displays the name given to a MAC filter profile in the MAC Filter Configuration screen.
Filter Action: This is the filter action for the list of MAC addresses in the profile.
Edit: Select an entry from the list and click Edit to configure settings for that profile.

10.4.1 Configuring MAC Filtering

To change your ZyXEL Device's MAC filter settings, click WIRELESS > MAC Filter > Edit. The screen appears as shown.

Figure 76 MAC Address Filter
186. do not connect to this Web site

3 The certificate is stored and you can now connect securely to the web configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

Figure 224 Firefox 2: Page Info
Dialog text: Web Site Identity Verified. The web site 172.20.37.202 supports authentication for the page you are viewing. The identity of this web site has been verified by ZyXEL, a certificate authority you trust for this purpose. View the security certificate that verifies this web site's identity. Connection Encrypted: High-grade Encryption (AES-256 256 bit). The page you are viewing was encrypted before being transmitted over the Internet. Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.

Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Firefox and click Tools > Options.

Figure 225 Firefox 2: Tools Menu
187. e

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver. Short and Long refer to the length of the synchronization field in a packet.

Short preamble increases performance, as less time sending preamble means more time for sending data. All IEEE 802.11b/g compliant wireless adapters support long preamble, but not all support short preamble.

Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.

Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications.

Select Dynamic to have the AP automatically use short preamble when wireless adapters support it; otherwise the AP uses long preamble.

Note: The AP and the wireless adapters MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower, depending on range. IEEE 802.11g has several intermedi
188. e

Table 20 STP Path Costs
          | LINK SPEED | RECOMMENDED VALUE | RECOMMENDED RANGE | ALLOWED RANGE
Path Cost | 4Mbps      | 250               | 100 to 1000       | 1 to 65535
Path Cost | 10Mbps     | 100               | 50 to 600         | 1 to 65535
Path Cost | 16Mbps     | 62                | 40 to 400         | 1 to 65535
Path Cost | 100Mbps    | 19                | 10 to 60          | 1 to 65535
Path Cost | 1Gbps      | 4                 | 3 to 10           | 1 to 65535
Path Cost | 10Gbps     | 2                 | 1 to 5            | 1 to 65535

On each bridge, the root port is the port through which this bridge communicates with the root. It is the port on this switch with the lowest path cost to the root (the root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network.

For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN.

7.4.3 How STP Works

After a bridge determines the lowest cost-spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops.

STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitt
189. - Ensure only people with permission can access your ZyXEL Device.
- Control physical access by locating devices in secure areas, such as locked rooms. Most ZyXEL Devices have a reset button. If an unauthorized person has access to the reset button, they can then reset the device's password to its default password, log in and reconfigure its settings.
- Change any default passwords on the ZyXEL Device, such as the password used for accessing the ZyXEL Device's web configurator (if it has a web configurator). Use a password with a combination of letters and numbers and change your password regularly. Write down the password and put it in a safe place.
- Avoid setting a long timeout period before the ZyXEL Device's web configurator automatically times out. A short timeout reduces the risk of an unauthorized person accessing the web configurator while it is left idle.

See Chapter 6 on page 85 for instructions on changing your password and setting the timeout period.

- Configure remote management to control who can manage your ZyXEL Device. See Chapter 13 on page 151 for more information. If you enable remote management, ensure you have enabled remote management only on the IP addresses, services or interfaces you intended and that other remote management settings are disabled.

1.5.2 Wireless Security

Wireless devices are especially vulnerable to attack. If your ZyXEL Device has
190. e DTIM is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 100.
Fragmentation Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter an even number between 256 and 2346. This field is not available when Super Mode is selected.
Output Power: Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power of the ZyXEL Device to reduce interference with other APs. Select one of the following: 100%, 50%, 25%, 12.5% or Minimum. See the product specifications for more information on your ZyXEL Device's output power. This field is not available when you select 802.11a in the 802.11 Mode field.

Table 22 Wireless: Access Point
LABEL: DESCRIPTION
SSID Profile: The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Select an SSID Profile from the drop-down list box. Configure SSID profiles in the SSID screen (see Section 9.2 on page 125 for information on configuring SSID).
Note
191. e not a certification authority. "X.509" means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate's identification number given by the certification authority.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays
192. e 26 Tutorial: Guest Security Profile Edit

- Change the Name field to "Guest_Security" to make it easier to remember and identify.
- Select WPA-PSK in the Security Mode field. WPA-PSK provides strong security that is supported by most wireless clients. Even though your Guest SSID clients do not have access to sensitive information on the network, you should not leave the network without security. An attacker could still cause damage to the network or intercept unsecured communications.
- Enter the PSK you want to use in your network in the Pre-Shared Key field. In this example, the PSK is "ThisismyGuestWPApre-sharedkey".
- Click Apply. The WIRELESS > Security screen displays. Ensure that the Profile Name for entry 3 displays "Guest_Security" and that the Security Mode is WPA-PSK.

Figure 27 Tutorial: Guest Security Updated

5.2.3.2 Set up Layer 2 Isolati
193. e ZyXEL Device uses to sign imported trusted remote host certificates. CERT represents a certificate issued by a certification authority.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Apply: Click Apply to have the ZyXEL Device use certificates to authenticate wireless clients.
Reset: Click Reset to start configuring this screen afresh.

14.3 Trusted AP Overview

A trusted AP is an AP that uses the ZyXEL Device's internal RADIUS server to authenticate its wireless clients. Each wireless client must have a u
194. e following figure.

Figure 136 Second Rx VLAN ID Example
[Figure content: SSID01 has VLAN ID 1 and Second Rx VLAN ID 2; SSID02 has VLAN ID 2 and Second Rx VLAN ID 0]

Packets sent from the server S back to the switch are tagged with a VLAN ID (incoming VLAN ID). These incoming VLAN packets are forwarded to the ZyXEL Device. The ZyXEL Device compares the VLAN ID in the packet header with each SSID's configured VLAN ID and second Rx VLAN ID settings.

In this example, SSID01's second Rx VLAN ID is set to 2. All incoming packets tagged with VLAN ID 2 are forwarded to SSID02, and also to SSID01. However, SSID02 has no second Rx VLAN ID configured, and the ZyXEL Device forwards only packets tagged with VLAN ID 2 to it.

17.2.5.1 Second Rx VLAN Setup Example

The following steps show you how to set up a second Rx VLAN ID on the ZyXEL Device.

1 Log into the Web Configurator.
2 Click VLAN > Wireless VLAN.
3 If VLAN is not already enabled, click Enable VIRTUAL LAN and set up the Management VLAN ID (see Section 17.2.3 on page 207).

Note: If no devices are in the management VLAN, then no one will be able to access the ZyXEL Device and you will have to restore the default configuration file.

4 Select the SSID profile you want to configure (SSID03 in this example), and enter the VLAN ID number (between 1 and 4094).
5 Enter a
195. e on the ZyXEL Device.

7.3.1 WMM QoS

WMM (Wi-Fi MultiMedia) QoS (Quality of Service) ensures quality of service in wireless networks. It controls WLAN transmission priority on packets to be transmitted over the wireless network.

WMM QoS prioritizes wireless traffic according to the delivery requirements of individual applications. WMM QoS is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks.

On APs without WMM QoS, all traffic streams are given the same access priority to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams.

The ZyXEL Device uses WMM QoS to prioritize traffic streams according to the IEEE 802.1q or DSCP information in each packet's header. The ZyXEL Device automatically determines the priority to use for an individual traffic stream. This prevents reductions in data transmission for applications that are sensitive to latency and jitter (variations in delay).

7.3.1.1 WMM QoS Priorities

The following table describes the WMM QoS priority levels that the ZyXEL Device uses.

Table 14 WMM QoS Priorities
PRIORITY LEVEL: DESCRIPTION
voice (WMM_VOICE): Typically used for traffic that is especially sensitive to jitter. Use this priority to reduce lat
196. e security profiles allow you to easily assign different types of security to groups of users. The ZyXEL Device controls network access with MAC address filtering, rogue AP detection, layer 2 isolation and an internal authentication server. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-Fi Protected Access (WPA), WPA2 and WEP data encryption.

Your ZyXEL Device is easy to install, configure and use. The embedded Web-based configurator enables simple, straightforward management and maintenance. See the Quick Start Guide for instructions on how to make hardware connections.

1.2 Applications for the ZyXEL Device

The ZyXEL Device can be configured to use the following WLAN operating modes:

1 Access Point (AP)
2 Bridge Repeater
3 AP Bridge
4 MBSSID

Applications for each operating mode are shown below.

A different channel should be configured for each WLAN interface to reduce the effects of radio interference.

1.2.1 Access Point

The ZyXEL Device is an ideal access solution for wireless Internet connection. A typical Internet access application for your ZyXEL Device is shown as follows. Clients A, B and C can access the wired network through the ZyXEL Devices.

Figure 1 Access Point Application

1.2.2 Bridge
197. e sent alerts depending on their proximity and the output power of your rogue AP.

5.4 Using Multiple MAC Filters and L-2 Isolation Profiles

This example shows you how to allow certain users to access only specific parts of your network. You can do this by using multiple MAC filters and layer 2 isolation profiles.

5.4.1 Scenario

In this example, you run a company network in which certain employees must wirelessly access secure file servers containing valuable proprietary data.

You have two secure servers (1 and 2 in the following figure). Wireless user Alice (A) needs to access server 1 but should not access server 2, and wireless user Bob (B) needs to access server 2 but should not access server 1. Your ZyXEL Device is marked Z. C is a workstation on your wired network, D is your main network switch, and E is the security gateway you use to connect to the Internet.

Figure 39 Tutorial Example Network

5.4.2 Your Requirements

1 You want to set up a wireless network to allow only Alice to access Server 1 and the Internet.
2 You want to set up a second wireless network to allow only Bob to access Server 2 and the Internet.

5.4.3 Setup

In this example, you have already set up the ZyXEL Device in MBSSID mode (see Chapter 9 on page 121). It uses two SSID profiles simultaneously. You have configured each SSID profile as shown in the following table. T
198. ears every time you log in.

Figure 8 Change Password Screen (Use this screen to change the password. Fields: New Password, Retype to Confirm.)

6 Click Apply in the Replace Certificate screen to create a certificate using your ZyXEL Device's MAC address that will be specific to this device.

Figure 9 Replace Certificate Screen (Replace Factory Default Certificate: The factory default certificate is common to all NWA models. Click Apply to create a certificate using your NWA's MAC address that will be specific to this device.)

You should now see the Status screen. See Chapter 2 on page 43 for details about the Status screen.

Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyXEL Device if this happens.

2.2 Resetting the ZyXEL Device

This replaces the current configuration file with the factory default configuration file. This means that you will lose all the settings you previously configured. The password will be reset to 1234.

2.2.1 Methods of Restoring Factory Defaults

You can erase the current configuration and restore factory defaults in the following ways:

Use the web configurator to restore defaults (refer to Chapter 18 on page 2
199. econd DNS Server: From DHCP, 0.0.0.0. Third DNS Server: From DHCP, 0.0.0.0. Reset.

The following table describes the labels in this screen.

Table 10 System > General
LABEL: DESCRIPTION

General Setup

System Name: Type a descriptive name to identify the ZyXEL Device in the Ethernet network. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes and underscores are accepted.

Domain Name: This is not a required field. Leave this field blank or enter the domain name here if you know it.

Administrator Inactivity Timer: Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out, you have to log in with your password again. Very long idle timeouts may have security risks. A value of 0 means a management session never times out, no matter how long it has been left idle (not recommended).

System DNS Servers

First DNS Server, Second DNS Server, Third DNS Server: Select From DHCP if your DHCP server dynamically assigns DNS server information (and the ZyXEL Device's Ethernet IP address). The field to the right displays the (read-only) DNS server IP address that the DHCP assigns. Select User Defined if you have the IP address of a
200. ections and make sure the ZyXEL Device is connected to a broadband modem or router that provides Internet access. See the Quick Start Guide.
2 Make sure your Internet account is activated and you entered your ISP account information correctly in the broadband modem or router to which the ZyXEL Device is connected. These fields are case sensitive, so make sure Caps Lock is not on.
3 If you are trying to access the Internet wirelessly, make sure the wireless settings on the wireless client are the same as the settings on the AP.
4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
5 If the problem continues, contact your ISP.

I cannot access the Internet anymore. I had access to the Internet with the ZyXEL Device, but my Internet connection is not available anymore.

1 Check the hardware connections. See the Quick Start Guide.
2 Reboot the ZyXEL Device.
3 If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.

1 There might be a lot of traffic on the network. If the ZyXEL Device is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.
2 Make sure the ZyXEL Device is installed in a position free of obstructions.
3 Check the signal strength. If the signal is weak, try moving your computer closer to
201. ed from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.

7.4.4 STP Port States

STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops.

Table 21 STP Port States
PORT STATE: DESCRIPTION
Disabled: STP is disabled (default).
Blocking: Only configuration and management BPDUs are received and processed.
Listening: All BPDUs are received and processed.
Learning: All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded.
Forwarding: All BPDUs are received and processed. All information frames are received and forwarded.

7.5 DFS

When you choose 802.11a in Access Point, Bridge Repeater or AP Bridge mode, the ZyXEL Device uses DFS (Dynamic Frequency Selection) to give you a wider choice of wireless channels.

DFS allows you to use channels in the frequency range normally reserved for radar systems. Radar uses radio signals to detect the location of objects for military, meteorological or air traffic control purposes. As long as your ZyXEL Device detects no radar activity on the channel you select
202. ed on packet size. See Section 7.3.2 on page 93 for more information on ATC.

- If you select ATC WMM from the QoS list, the ZyXEL Device uses WMM on the wireless network and ATC on the wired network. See Section 7.3.3 on page 94 for more information on ATC WMM.
- If you select WMM_VOICE, WMM_VIDEO, WMM_BEST_EFFORT or WMM_BACKGROUND, the ZyXEL Device applies that QoS setting to all of that SSID's traffic.
- If you select NONE, the ZyXEL Device applies no priority to traffic on this SSID.

Note: When you configure an SSID profile's QoS settings, the ZyXEL Device applies the same QoS setting to all of the profile's traffic.

Layer 2 Isolation: Select a layer 2 isolation profile from the drop-down list box. If you do not want to use layer 2 isolation on this profile, select Disable. See Section 10.1 on page 129 for more information.

Intra-BSS Traffic blocking: Select Enable from the drop-down list box to prevent wireless clients in this profile's BSS from communicating with one another.

MAC Filtering: Select a MAC filter profile from the drop-down list box. If you do not want to use MAC filtering on this profile, select Disable. See Section 10.4 on page 134 for more information.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

Other Wireless Configuration

This chapter describes how to configure the Layer 2 Isolation and MAC Filter s
203. ed settings and exit this screen.

Reset: Click Reset to begin configuring this screen afresh.

Internal RADIUS Server

The ZyXEL Device can use its internal RADIUS server to authenticate wireless clients. It can also serve as a RADIUS server to authenticate other APs and their wireless clients. For more background information on RADIUS, see Section 8.4 on page 119.

14.1 Internal RADIUS Overview

The ZyXEL Device has a built-in RADIUS server that can authenticate wireless clients or other trusted APs. The ZyXEL Device can function as an AP and as a RADIUS server at the same time.

PEAP (Protected EAP) and MD5 authentication is implemented on the internal RADIUS server using simple username and password methods over a secure TLS connection. See the appendices for more information on the types of EAP authentication and the internal RADIUS authentication method used in your ZyXEL Device.

- Use the AUTH. SERVER > Setting screen to turn the ZyAIR's internal RADIUS server off or on and to view information about the ZyXEL Device's certificates.
- Use the AUTH. SERVER > Trusted AP screen to specify APs as trusted. Trusted APs can use the ZyAIR's internal RADIUS server to authenticate wireless clients.
- Use the AUTH. SERVER > Trusted Users screen to configure a list of wireless client user names and passwords for the ZyAIR to authenticate.

14.2 Internal RADIUS Server Setting

The AUTH SERVER
204. ed to Wired LAN

To prevent bridge loops, ensure that you enable STP in the Wireless screen, or your ZyXEL Device is not set to bridge mode while connected to both wired and wireless segments of the same LAN.

To have the ZyXEL Device act as a wireless bridge only, click WIRELESS > Wireless and select Bridge Repeater as the Operating Mode.

Figure 55 Wireless Bridge Repeater

The following table describes the bridge labels in this screen.

Table 23 Wireless Bridge Repeater
LABEL: DESCRIPTION

WLAN Interface: Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.

Operating Mode: Select Bridge Repeater in this field.

802.11 mode: Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. Select 802.11b+g to allow both IEEE 802.11b and IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL D
206. ee Section 9.2.2 on page 127 for details of how to configure ATC WMM.

Use the ATC WMM function if you want to do the following:

- enable WMM QoS on your wireless network and automatically assign a WMM priority to packets that do not already have one (see Section 7.3.3.1 on page 94).
- automatically prioritize all packets going from your wireless network to the wired network (see Section 7.3.3.2 on page 94).

7.3.3.1 ATC WMM from LAN to WLAN

ATC WMM from LAN (the wired Local Area Network) to WLAN (the Wireless Local Area Network) allows WMM prioritization of packets that do not already have WMM QoS priorities assigned. The ZyXEL Device automatically classifies data packets using ATC and then assigns WMM priorities based on that ATC classification.

The following table shows how priorities are assigned for packets coming from the LAN to the WLAN.

Table 17 ATC WMM Priority Assignment (LAN to WLAN)
PACKET SIZE: BYTES (B)    ATC VALUE     WMM VALUE
1 to 250                  ATC High      WMM_VIDEO
250 to 1100               ATC Medium    WMM_BEST_EFFORT
1100                      ATC Low       WMM_BACKGROUND

7.3.3.2 ATC WMM from WLAN to LAN

ATC WMM from WLAN to LAN automatically prioritizes (assigns an ATC value to) all packets coming from the WLAN. Packets are assigned an ATC value based on their WMM value, not their size.

The following table shows how priorities are assigned for packets coming from the WLAN to the LAN when using ATC WMM.

Table
208. PART I Introduction

Introducing the ZyXEL Device
Introducing the Web Configurator
Status Screens
Tutorial

Introducing the ZyXEL Device

This chapter introduces the main applications and features of the ZyXEL Device. It also introduces the ways you can manage the ZyXEL Device.

1.1 Introducing the ZyXEL Device

Your ZyXEL Device extends the range of your existing wired network without additional wiring, providing easy network access to mobile users. It is highly versatile, supporting multiple BSSIDs simultaneously. The Quality of Service (QoS) features allow you to prioritize time-sensitive or highly important applications such as VoIP. Multipl
209. ember of this VLAN, then that device cannot manage the ZyXEL Device. If no devices are in the management VLAN, then you will be able to access the ZyXEL Device only through the console port (not through the network).

17.1.2 VLAN Tagging

The ZyXEL Device supports IEEE 802.1q VLAN tagging. Tagged VLAN uses an explicit tag (VLAN ID) in the MAC header of a frame to identify VLAN membership. The ZyXEL Device can identify VLAN tags for incoming Ethernet frames and add VLAN tags to outgoing Ethernet frames.

You must connect the ZyXEL Device to a VLAN-aware device that is a member of the management VLAN in order to perform management. See the Configuring Management VLAN Example BEFORE you configure the VLAN screens.

17.2 Configuring VLAN

The ZyXEL Device allows you to configure VLAN based on SSID profile (wireless VLAN) and/or based on your RADIUS server (RADIUS VLAN).

- When you use wireless VLAN, the ZyXEL Device tags all packets from an SSID with the VLAN ID you set in the Wireless VLAN screen.
- When you use RADIUS VLAN, your RADIUS server assigns VLAN IDs to a user or user group's traffic based on the configuration in the RADIUS VLAN screen.
- When you use wireless VLAN and RADIUS VLAN together, the ZyXEL Device first tries to assign VLAN IDs based on RADIUS VLAN configuration. If a client's user name does not match an entry in the RADIUS VLAN screen, the ZyXEL Device assigns a
210. ency for improved voice quality.
video (WMM_VIDEO): Typically used for traffic which has some tolerance for jitter but needs to be prioritized over other data traffic.
best effort (WMM_BEST_EFFORT): Typically used for traffic from applications or devices that lack QoS capabilities. Use best effort priority for traffic that is less sensitive to latency, but is affected by long delays, such as Internet surfing.
background (WMM_BACKGROUND): This is typically used for non-critical traffic such as bulk transfers and print jobs that are allowed but that should not affect other applications and users. Use background priority for applications that do not have strict latency and throughput requirements.

7.3.2 ATC

Automatic Traffic Classifier (ATC) is a bandwidth management tool that prioritizes data packets sent across the network. ATC assigns each packet a priority and then queues the packet accordingly. Packets assigned a high priority are processed more quickly than those with low priority if there is congestion, allowing time-sensitive applications to flow more smoothly. Time-sensitive applications include both those that require a low level of latency and a low level of jitter, such as Voice over IP or Internet gaming, and those for which jitter alone is a problem, such as Internet radio or streaming video.

ATC assigns priority based on packet size, since time-sensitive applications such as Internet telephony (Voice over IP or VoIP)
211. ent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

- This device may not cause harmful interference.
- This device must accept any interference received, including interference that may cause undesired operations.

This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

If this device does cause harmful interference to radio/television reception, which
212. enticate management logins to the ZyXEL Device.

Use old setting: Select this to have a RADIUS server authenticate management logins to the ZyXEL Device using the RADIUS username and password already configured on the device.

Use new setting: Select this if you want to change the RADIUS username and password the ZyXEL Device uses to authenticate management logon.

User Name: Enter the username for this user account. This name can be up to 31 ASCII characters long, including spaces.

Password: Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a for each character you type. Spaces are allowed.

Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length.

RADIUS: Select the RADIUS server profile of the RADIUS server that is to authenticate management logins to the ZyXEL Device. The ZyXEL Device tests the user name and password against the RADIUS server when you apply your settings.

- The user name and password must already be configured in the RADIUS server.
- You must already have a RADIUS profile configured for the RADIUS server (see Section 8.5 on page 119).
- The server must be set to Active in the profile.

Apply: Click Apply to save your changes.

Reset: Click Reset to re
213. ep key4 defgh
wcfg security 1 wep keyindex 1
wcfg security save
wcfg ssid 1 name ssid wep
wcfg ssid 1 security Test wep
wcfg ssid 1 l2isolation disable
wcfg ssid 1 macfilter disable
wcfg ssid save

Figure 258 802.1X Configuration File Example

ZYXEL PROWLAN
VERSION 12
wcfg security 2 name Test 8021x
wcfg security 2 mode 8021x static128
wcfg security 2 wep key1 abcdefghijklm
wcfg security 2 wep key2 bcdefghijklmn
wcfg security 2 wep keyindex 1
wcfg security 2 reauthtime 1800
wcfg security 2 idletime 3600
wcfg security save
wcfg radius 2 name radius rd
wcfg radius 2 primary 172.23.3.4 1812 1234 enable
wcfg radius 2 backup 172.23.3.5 1812 1234 enable
wcfg radius save
wcfg ssid 2 name ssid 8021x
wcfg ssid 2 security Test 8021x
wcfg ssid 2 radius radius rd
wcfg ssid 2 qos 4
wcfg ssid 2 l2isolation disable
wcfg ssid 2 macfilter disable
wcfg ssid save

Figure 259 WPA-PSK Configuration File Example

ZYXEL PROWLAN
VERSION 13
wcfg security 3 name Test wpapsk
wcfg security 3 mode wpapsk
wcfg security 3 passphrase qwertyuiop
wcfg security 3 reauthtime 1800
wcfg security 3 idletime 3600
wcfg security 3 groupkeytime 1800
wcfg security save
wcfg ssid 3 name ssid wpapsk
wcfg ssid 3 security Test wpapsk
wcfg ssid 3 qos 4
wcfg ssid 3 l2isolation disable
wcfg ssid 3 macfilter disable
wcfg ssid save
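Auto-configuration files like the ones in these figures carry WEP keys, passphrases and RADIUS secrets in clear text, so they are worth reviewing before they are placed on a server. The following reviewer is an added example, not ZyXEL's code: it assumes the line layout seen in the figures (wcfg, object, index, parameter, values), assumes the primary and backup values are address, port, shared secret and state in that order, uses arbitrary length thresholds, and runs on a constructed sample.

```python
import re

# SSID parameters that appear in the manual's figures; anything else is reported.
KNOWN_SSID_PARAMS = {"name", "security", "radius", "qos", "l2isolation", "macfilter"}

# Constructed sample (not a file from the manual), using parameter names from the figures.
SAMPLE_CONFIG = """\
wcfg security 1 name lab-wep
wcfg security 1 wep key1 abcdefghijklm
wcfg security 1 wep keyindex 1
wcfg security 3 name lab-psk
wcfg security 3 mode wpapsk
wcfg security 3 passphrase qwertyuiop
wcfg security save
wcfg radius 2 name lab-radius
wcfg radius 2 primary 172.23.3.4 1812 1234 enable
wcfg radius save
wcfg ssid 1 name ssid-wep
wcfg ssid 1 security lab-wep
wcfg ssid 1 l2iolation disable
wcfg ssid 3 name ssid-psk
wcfg ssid 3 security lab-wpa
wcfg ssid 3 macfilter disable
wcfg ssid save
"""


def parse(text):
    """Return {(object, index): {parameter: [values]}}; lines without an index are skipped."""
    cfg = {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "wcfg" or not tok[2].isdigit():
            continue  # e.g. "wcfg security save", header lines, blanks
        obj, idx, param, values = tok[1], int(tok[2]), tok[3], tok[4:]
        if param == "wep" and values:  # two-word parameters: "wep key1", "wep keyindex"
            param, values = "wep " + values[0], values[1:]
        cfg.setdefault((obj, idx), {})[param] = values
    return cfg


def weakness(secret, min_len):
    """Return a short reason if the secret looks weak, else None (assumed policy)."""
    if len(secret) < min_len:
        return f"shorter than {min_len} characters"
    classes = sum(bool(re.search(p, secret))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 2:
        return "uses a single character class"
    return None


def audit(text, psk_min=20, secret_min=16):
    """Return a list of (object, index, message) findings for the configuration text."""
    cfg = parse(text)
    profiles = {" ".join(p["name"]) for (obj, _), p in cfg.items()
                if obj == "security" and "name" in p}
    findings = []
    for obj, idx in sorted(cfg):
        params = cfg[(obj, idx)]
        if obj == "security":
            for param in sorted(params):
                if re.fullmatch(r"wep key\d", param):
                    findings.append((obj, idx, f"static WEP key configured ({param})"))
            if params.get("mode") == ["wpapsk"]:
                why = weakness(" ".join(params.get("passphrase", [])), psk_min)
                if why:
                    findings.append((obj, idx, f"WPA-PSK passphrase {why}"))
        elif obj == "radius":
            for role in ("primary", "backup"):
                v = params.get(role, [])
                if len(v) == 4 and v[3] == "enable":
                    why = weakness(v[2], secret_min)
                    if why:
                        findings.append((obj, idx, f"{role} shared secret {why}"))
        elif obj == "ssid":
            for param in sorted(set(params) - KNOWN_SSID_PARAMS):
                findings.append((obj, idx, f"unrecognised parameter '{param}'"))
            ref = " ".join(params.get("security", []))
            if ref and ref not in profiles:
                findings.append((obj, idx, f"references undefined security profile '{ref}'"))
    return findings


if __name__ == "__main__":
    for obj, idx, message in audit(SAMPLE_CONFIG):
        print(f"{obj} {idx}: {message}")
```

A misspelled parameter or a dangling profile reference matters here because the setting the administrator intended (isolation, the stronger security profile) may silently not be the one in effect.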
214. er of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

- Get: Allows the manager to retrieve an object variable from the agent.
- GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
- Set: Allows the manager to set values for object variables within an agent.
- Trap: Used by the agent to inform the manager of some events.

13.10.1 Supported MIBs

The ZyXEL Device supports MIB II, which is defined in RFC 1213 and RFC 1215, as well as the proprietary ZyXEL private MIB. The purpose of the MIBs is to let administrators collect statistical data and monitor status and performance.

13.10.2 SNMP Traps

The ZyXEL Device can send the following traps to the SNMP manager.

Table 50 SNMP Traps
TRAP NAME / OBJECT IDENTIFIER (OID) / DESCRIPTION

Generic Traps

coldStart / 1.3.6.1.6.3.1.1.5.1 / This trap is sent after
216. ertificate presented by this website has errors. This problem may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage.

4 In the Certificate dialog box, click Install Certificate.

Figure 207 Internet Explorer 7 Certificate (Certificate Information: This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store. Issued to: nsa2401. Issued by: nsa2401. Valid from 5/20/2008 to 5/20/2011.)

5 In the Certificate Import Wizard, click Next.

Figure 208 Internet Explorer 7 Certificate Import Wizard

6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Nex
217. ertificates.

Figure 242 Opera 9 Preferences

3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.

Figure 243 Opera 9 Certificate manager

4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking
218. (Figure: RADIUS screen showing the RADIUS Server Port, Accounting Server IP Address and Accounting Server Port fields with Active check boxes, and the Apply and Reset buttons.)

The following table describes the labels in this screen.

Table 33 RADIUS
LABEL: DESCRIPTION

Index: Select the RADIUS profile you want to configure from the drop-down list box.

Profile Name: Type a name for the RADIUS profile associated with the Index number above.

Primary: Configure the fields below to set up user authentication and accounting.

Backup: If the ZyXEL Device cannot communicate with the Primary accounting server, you can have the ZyXEL Device use a Backup RADIUS server. Make sure the Active check boxes are selected if you want to use backup servers. The ZyXEL Device will attempt to communicate three times before using the Backup servers. Requests can be issued from the client interface to use the backup server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field in the Security screen.

RADIUS Option

Internal: Select this check box to use the ZyXEL Device's internal authentication server. The Active, RADIUS Server IP Add
219. (Chapter 10 Other Wireless Configuration) 10.3.1.2 Layer 2 Isolation Example 2. In the following example, wireless clients 1 and 2 can communicate with access point D and file server C, but not wireless client 3. Enter the router's, server's and access point D's MAC addresses in the MAC Address fields. Enter "Network Router B" in B's Description field, enter "File Server C" in C's Description field, and enter "Access Point D" in D's Description field. Figure 74: Layer 2 Isolation Example 2. 10.4 The MAC Filter Screen. The MAC filter function allows you to configure the ZyXEL Device to give exclusive access to devices
220. etwork Layer 2 isolation is enabled (see Section 10.1 on page 129) and QoS is set to NONE. Intra-BSS traffic blocking is also enabled (see Section 9.2 on page 125). These fields are all user-configurable. 1.2.6 Configuring Dual WLAN Adaptors. The ZyXEL Device is equipped with dual wireless adaptors. This means you can configure two different wireless networks to operate simultaneously. In the following example, the ZyXEL Device (Z) uses WLAN1 in Access Point mode to allow IEEE 802.11b and IEEE 802.11g clients to access the wired network, and WLAN2 in AP+Bridge mode to allow an IEEE 802.11a AP to communicate with the wired network. (Chapter 1 Introducing the ZyXEL Device) Figure 6: Dual WLAN Adaptors Example. 1.3 CAPWAP. The ZyXEL Device supports CAPWAP (Control And Provisioning of Wireless Access Points). This is ZyXEL's implementation of the IETF's (Internet Engineering Task Force) CAPWAP protocol. ZyXEL's CAPWAP allows a single access point to manage up to eight other access points. The managed APs receive all their configuration information from the controller AP. The CAPWAP dataflow is protected by DTLS (Datagram Transport Layer Security). At the time of writing, the NWA-3160 is the only ZyXEL AP model that can be a CAP
221. evice might be reduced. Select 802.11a to allow only IEEE 802.11a compliant WLAN devices to associate with the ZyXEL Device.
Disable channel switching for DFS: This field displays only when you select 802.11a in the 802.11 Mode field. Select this if you do not want to use DFS (Dynamic Frequency Selection).
Choose Channel ID: Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
RTS/CTS Threshold: The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 256 and 2346.
Fragmentation Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter an even number between 256 and 2346.
Output Power: Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power of the ZyXEL Device to redu
222. face, see command interface; max age, 97; MBSSID, 33, 36; Message Integrity Check (MIC), 278; mobile access, 33; mode, 33; MSDU, 100, 105, 124.
N: NAT, 320; network, 33; network access, 33; network bridge, 34; network traffic, 33.
O: operating mode, 33; out-of-band management, 207.
P: Pairwise Master Key (PMK), 278, 279; password, 86, 238; path cost, 96; Per-Hop Behavior, 95; PHB (Per-Hop Behavior), 95; PoE, 241; power specification, 237; power specifications, 241; preamble mode, 273; pre-configured profiles, 37; priorities, 93; prioritization, 33; private IP address, 141; product registration, 331; PSK, 278.
Q: QoS, 33, 128; Quick Start Guide, 43.
R: radio, 33; RADIUS, 274 (message types, 275; messages, 275; shared secret key, 275); rapid STP, 96; reauthentication time, 114, 115, 116, 117, 118; registration, product, 331; related documentation, 3; remote management (how SSH works, 152; HTTPS, 156; HTTPS example, 158; SSH, 152; SSH implementation, 153; Telnet, 153); remote management limitations, 151; repeater, 34; restore, 228; RF interference, 33; roaming, 137 (requirements, 138); rogue AP, 33, 145, 146, 147, 148, 149; rogue AP list, 149; root bridge, 96; RTS (Request To Send), 272 (threshold, 271, 272); RTS/CTS handshake, 100, 105, 124.
S: safety warnings, 6; security, 34; security profiles, 33; server, 33; Service Set, 101, 125; Service Set Identifier, see SSID; SNMP, 162, 239 (manager, 163; MIBs, 164; traps, 165; version 3 and security, 165); Spanni
223. ffServ Code Points, 95; DiffServ marking rule, 95; disclaimer, 329; DS field, 95; DSCPs, 95; Dynamic Frequency Selection, 97; dynamic WEP key exchange, 277.
E: EAP authentication, 275; encryption, 35, 278; ESS, 270; ESSID, 236; Extended Service Set, see ESS; Extended Service Set IDentification, 101, 125.
F: FCC interference statement, 329; file version, 323; filtering, 33; firmware file maintenance, 225; fragmentation threshold, 272; friendly AP list, 148; FTP, 39, 151, 155 (restrictions, 151).
G: general setup, 85; guest SSID, 37.
H: hidden node, 271; honeypot attack, 146; host, 87; HTTPS, 156 (example, 158); humidity, 237.
I: IANA, 320; IBSS, 269; IEEE 802.11g, 273; IEEE 802.1x, 33; in-band management, 207; Independent Basic Service Set, 225 (see IBSS); initialization vector (IV), 278; installation, 33; interference, 33; internal authentication server, 33; Internet Assigned Numbers Authority, see IANA; Internet security gateway, 33; Internet telephony, 36; IP address, 141, 142, 238; IPSec VPN capability, 239; isolation, 33.
L: layer 2 isolation, 33, 37; log descriptions, 198; logs, 195.
M: MAC address, 33, 134; MAC address filter action, 135, 136; MAC filter, 37, 134; MAC filtering, 239; MAC service data unit, 100, 105, 124; maintenance, 33; management, 33; Management Information Base (MIB), 163; management VLAN, 207; managing the device: good habits, 40; using FTP, see FTP; using Telnet, see command interface; using the command inter
224. fies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. (Appendix B Wireless LANs) Figure 192: Infrastructure WLAN. Channel. A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance. Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11. RTS CT
225. first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 2^8 - 2 or 254 possible hosts. The following figure shows the company network before subnetting. Figure 253: Subnetting Example: Before Subnetting (192.168.1.0 /24). You can "borrow" one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The "borrowed" host ID bit can have a value of either 0 or 1, allowing two subnets: 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub-networks, A and B. (Appendix E IP Addresses and Subnetting) Figure 254: Subnetting Example: After Subnetting (A: 192.168.1.0 /25, B: 192.168.1.128 /25). In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 - 2 or 126 possible hosts (a host ID of all zeroes is the subnet's address itself, all ones is the subnet's broadcast address). 192.168.1.0 with mask 255.255.255.128 is subnet A
226. following figure illustrates the DS field. Figure 50: DiffServ: Differentiated Service Field: DSCP (6 bit), Unused (2 bit). DSCP is backward compatible with the three precedence bits in the ToS octet, so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping. The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies. 7.3.5 ToS (Type of Service) and WMM QoS. The DSCP value of outgoing packets is between 0 and 255. 0 is the default priority. WMM QoS checks the DSCP value in the header of data packets. It gives the traffic a priority according to this number. In order to control which priority level is given to traffic, the device sending the traffic must set the DSCP value in the header. If the DSCP value is not specified, then the traffic is treated as best-effort. This means the wireless clients and the devices with which they are communicating must both set the DSCP value in order to make the best use of WMM QoS. A Voice over IP (VoIP) device, for example, may allow you to define the DSCP value. (Chapter 7 Wireless Configuration) The following table lists which WMM QoS priority level the ZyXEL De
227. gement SNMP User Profile
LABEL: DESCRIPTION
Enable SNMPv3Admin: Select this box to activate the SNMPv3 administration account. The SNMPv3 administrator can issue Get and Set commands to the ZyXEL Device.
User Name: Enter a username for the SNMPv3 administrator. Only SNMP commands carrying this username are allowed to administer the ZyXEL Device.
Password: Enter a password for the SNMPv3 administrator. Only SNMP commands carrying this password are allowed to administer the ZyXEL Device.
(Chapter 13 Remote Management Screens) Table 53 Remote Management: SNMP User Profile
Confirm Password: Re-enter the Password.
Access Type: For the administrator, this is always Set. SNMP Set commands allow the administrator to make configuration changes.
Authentication Protocol: Select an authentication algorithm. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Privacy Protocol: Specify the encryption method for SNMP communication with this user. You can choose one of the following. DES (Data Encryption Standard) is a widely used but breakable method of data encryption. It applies a 56-bit key to each 64-bit block of data. AES (Advanced Encryption Standard) is another method for data encryption that also uses a secret key. A
228. ght Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Mar Last Sun. The time you type in the o'clock field depends on your time zone. In Germany, for instance, you would type 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
End Date: Configure the day and time when Daylight Saving Time ends if you selected Daylight Savings. The o'clock field uses the 24-hour format. Here are a couple of examples. Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First Sunday November and type 2 in the o'clock field. Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Oct Last Sun. The time you type in the o'clock field depends on your time zone. In Germany, for instance, you would type 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
(Chapter 6 System Screens) Table 12 SYSTEM > Time Setting
LABEL: DESCRIPTION
Apply: Click Apply t
229. ging on the port you are using to connect to your computer. 7. Under Control, select Fixed to set the ports (1 and 2 in this example) as a member of the VLAN. Figure 118: VLAN Aware Switch, Static VLAN. 8. Click Apply. The following screen displays. Figure 119: VLAN Aware Switch. 9. Click VLAN Status to display the following screen. (Chapter 17 VLAN) Figure 120: VLAN Aware Switch, VLAN Status. Follow the instructions in the Quick Start Guide to set up your ZyXEL Device for configuration. The ZyXEL Device should be connected to the VLAN-aware switch. In the above example, the switch is using port 1 to connect to your computer and port 2 to connect to the ZyXEL Device (Figure 117 on page 208). 1. In the ZyXEL Device web configurator c
230. hanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them. 13.11.2 Configuring SNMP. To change your ZyXEL Device's SNMP settings, click REMOTE MGNT > SNMP. The screen appears as shown. Figure 98: Remote Management: SNMP. The following table describes the labels in this screen.
Table 52 Remote Management: SNMP
LABEL: DESCRIPTION
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.
Trap Destination: Type the IP address of the station to send your SNMP traps to.
SNMP Version: Select the SNMP version for the ZyXEL Device. The SNMP version on the ZyXEL
231. hanumeric characters long, including spaces. The wireless client's utility must use this name as its login name.
(Chapter 14 Internal RADIUS Server) Table 56 Trusted Users
LABEL: DESCRIPTION
Password: Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a for each character you type. The password on the wireless client's utility must be the same as this password. Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
Certificates. This chapter gives background information about public-key certificates and explains how to use them. 15.1 Certificates Overview. The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication. A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You ca
232. he SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits, for example).
Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign certificates and "KeyEncipherment" means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path.
MD5 Fingerprin
233. her APs.
Index: This field displays the certificate index number. The certificates are listed in alphabetical order. Use the CERTIFICATES screens to manage certificates. The internal RADIUS server uses one of the certificates listed in this screen to authenticate each wireless client. The exact certificate used depends on the certificate information configured on the wireless client.
Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. auto_generated_self_signed_cert is the factory default certificate common to all ZyXEL Devices that use certificates. Note: It is recommended that you replace the factory default certificate with one that uses your ZyXEL Device's MAC address. Do this when you first log in to the ZyXEL Device or in the CERTIFICATES > My Certificates screen.
Table 54 Internal RADIUS Server Setting Screen: Setting (continued)
LABEL: DESCRIPTION
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. SELF represents the default self-signed certificate, which th
234. ic key is checked against the saved version on the client computer. 2. Encryption Method. Once the identification is verified, both the client and server must agree on the type of encryption method to use. 3. Authentication and Data Transmission. After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 13.4 SSH Implementation on the ZyXEL Device. Your ZyXEL Device supports SSH version 1.0 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyXEL Device for remote SMT management and file transfer on port 22. Only one SSH connection is allowed at a time. 13.4.1 Requirements for Using SSH. You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyXEL Device over SSH. 13.5 Configuring Telnet. You can use Telnet to access the ZyXEL Device's SMT or command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come. Click REMOTE MGNT > TELNET. The following screen displays. Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 8
235. ice: ZyXEL Device, Computer, Notebook computer, Server, Telephone, Switch, Router. Safety Warnings. For your safety, be sure to read and follow all warning notices and instructions. Do NOT use this product near water, for example, in a wet basement or near a swimming pool. Do NOT expose your device to dampness, dust or corrosive liquids. Do NOT store things on the device. Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning. Connect ONLY suitable accessories to the device. ONLY qualified service personnel should service or disassemble this device. Make sure to connect the cables to the correct ports. Place connecting cables carefully so that no one will step on them or stumble over them. Always disconnect all cables from this device before servicing or disassembling. Use ONLY an appropriate power adaptor or cord for your device. Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe). Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord. Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution. If the power adaptor or cord is damaged, remove it from the power outlet. Do NOT atte
236. ick Remove. Figure 251: Konqueror 3.5: Configure. 4. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button. IP Addresses and Subnetting. This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts
237. id 4 4 Ww wW wW wW Ww w security name ssid 8021x security Test 8021x radius radius rd lest wep security Test wpapsk name ssid wpa2psk cfg ssid security cfg ssid save Test wpa2psk line starting with is comment change to channel 8 lan chid 8 change operating mode gt AP mode then select ssid wep as running WLAN profile lan opmode 0 lan ssidprofile ssid wep change operating mode gt MBSSID mode then select ssid wpapsk ssid wpa2psk as running WLAN profiles lan opmode 3 lan ssidprofile ssid wpapsk ssid wpa2psk set output power level to 50 lan output power 2 (Appendix F Text File Based Auto Configuration) Legal Information. Copyright. Copyright © 2008 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer. ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its pat
238. iendly APs often, especially if you have a network with a large number of access points. You can choose to scan for rogue APs manually, or to have the ZyXEL Device scan automatically at pre-defined intervals. You can also set the ZyXEL Device to email you immediately when a rogue AP is detected (see Chapter 16 on page 195 for information on how to set up email logs). 12.3.1 Rogue AP Configuration. Click ROGUE AP > Configuration. The following screen appears. (Chapter 12 Rogue AP) Figure 82: ROGUE AP > Configuration. The following table describes the labels in this screen.
Table 43 ROGUE AP > Configuration
LABEL: DESCRIPTION
Rogue AP Period Detection: Select Enable to turn rogue AP detection on. You must also enter a time value in the Period field. Select Disable to turn rogue AP detection off.
Period (minutes): Enter the period you want the ZyXEL Device to wait between scanning for rogue APs (between 10 and 60 minutes). You must also select Enable in the Rogue AP Period Detection field.
Expiration Time (minutes): Specify how long (between 30 and 180 minutes) an AP's entry can remain in the Rogue AP List before the ZyXEL Device removes it from the list if
239. ifies the access point (in this example, ALERT Access Point A). Enter the email address to which you want alerts to be sent (myname@myfirm.com in this example). In the Send Immediate Alert section, select the events you want to trigger immediate e-mails. Ensure that Rogue AP Detection is selected. Click Apply. 5.3.4 Configure Your Other Access Points. Access point A is now configured to do the following: scan for access points in its coverage area every ten minutes; recognize friendly access points from a list; send immediate alerts to your email account if it detects an access point not on the list. (Chapter 5 Tutorial) Now you need to configure the other wireless access points on your network to do the same things. For each access point, take the following steps. 1. From a computer on the wired network, enter the access point's IP address and log in to its Web configurator. See Table 4 on page 69 for the example IP addresses. 2. Import the friendly AP list. Click ROGUE AP > Configuration > Browse. Find the Flist file where you previously saved it on the network and click Open. 3. Click Import. Check the ROGUE AP > Friendly AP screen to ensure that the friendly AP list has been correctly uploaded. 4. Activate periodic rogue AP detection. See Section 5.3.2 on page 73. 5. Set up e-mail logs as in Section 5.3.3 on page 73, but change the Mail Subject field so you can tell which A
240. iguration screen, select Enable from the Rogue AP Period Detection field. Figure 37: Tutorial: Periodic Rogue AP Detection. 2. In the Period field, enter how often you want the ZyXEL Device to scan for rogue APs. You can have the ZyXEL Device scan anywhere from once every ten minutes to once every hour. In this example, enter 10. 3. In the Expiration Time field, enter how long an AP's entry can remain in the list before the ZyXEL Device discards it from the list when the AP is no longer active. In this example, enter 30. 4. Click Apply. 5.3.3 Set Up E-mail Logs. In this section, you will configure the first of your four APs to send a log message to your e-mail inbox whenever a rogue AP is discovered in your wireless network's coverage area. 1. Click LOGS > Log Settings. The following screen appears. Figure 38: Tutorial: Log Settings. In this example, your mail server's IP address is 192.168.1.25. Enter this IP address in the Mail Server field. Enter a subject line for the alert e-mails in the Mail Subject field. Choose a subject that is eye-catching and ident
241. in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits, for example).
Subject Alternative Name: This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign certificates and "KeyEncipherment" means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path.
CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
MD5 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the MD5 algorithm. You cannot use this value to verify that this is the remote host's actual
242. in this field.
ASCII: Select this option to enter ASCII characters as the WEP keys.
Hex: Select this option to enter hexadecimal characters as the WEP keys. The preceding "0x" is entered automatically.
Key 1 to Key 4: If you chose 802.1x Static 64, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 802.1x Static 128 bit, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations. The preceding "0x" is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
ReAuthentication Timer: Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wire
243. [Screen: MAC Address Filter, list of MAC address entries with Apply and Reset buttons]
The following table describes the labels in this screen.
Table 40 MAC Address Filter
Profile Name: Type a name to identify this profile.
Filter Action: Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow Association to permit access to the router; MAC addresses not listed will be denied access to the router.
Index: This is the index number of the MAC address.
MAC Address: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless station to be allowed or denied access to the ZyXEL Device.
Description: Type a name to identify this wireless station.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
NWA3550 User's Guide, Chapter 10 Other Wireless Configuration
Note: To activate MAC filtering on an SSID profile, select the correct filter from the Enable MAC Filtering drop-down list box (in the WIRELESS > SSID > Edit screen) and click Apply.
10.5 Configuring Roaming
A wireless station is a device with an IEEE 802.11a/b/g compliant wireless interface. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless cove
244. ion Summary
This section summarizes how to manage certificates. Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates. Use the Trusted CA screens to save CA certificates to the ZyXEL Device.
15.5 My Certificates
Click CERTIFICATES > My Certificates to open the ZyXEL Device's summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. See the following figure.
Chapter 15 Certificates
Figure 106 My Certificates (screen text: Factory Default Certificate Name: auto_generated_self_signed_cert. The factory default certificate is common to all NWA models. Click Replace to create a certificate using your NWA's MAC address that will be specific to this device.)
The following table describes the labels in this screen.
Table 57 My Certificates
PKI Storage This bar displays the pe
245. [Screen: Layer 2 Isolation Configuration, "Allow devices with these MAC addresses" table with Index, MAC Address and Description columns, Apply and Reset buttons]
The following table describes the labels in this screen.
Table 38 WIRELESS > Layer 2 Isolation Configuration
Profile Name: Type a name to identify this layer-2 isolation profile.
Allow devices with these MAC addresses: These are the MAC addresses of a wireless client, AP, computer or router. A wireless client associated with the ZyXEL Device can communicate with another wireless client, AP, computer or router only if the MAC addresses of those devices are listed in this table.
Index: This is the index number of the MAC address.
MAC Address: Type the MAC addresses of the wireless client A
246. [Screen: Wireless Multiple BSS]
The following table describes the labels in this screen.
Table 34 Wireless: Multiple BSS
WLAN Interface: Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
Operating Mode: Select MBSSID in this field to display the screen as shown.
Chapter 9 MBSSID and SSID
802.11 Mode: Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. Select 802.11b/g to allow both IEEE 802.11b and IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced. Select 802.11a to allow only IEEE 802.11a compliant WLAN devices to associate with the ZyXEL Device.
Super Mode: Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting.
Choose Channel ID: Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open
247. ireless LAN settings on multiple APs. The AP can automatically get a configuration file from a TFTP server at startup or after renewing DHCP client information.
Figure 255 Text File Based Auto Configuration
Use one of the following methods to give the AP the IP address of the TFTP server where you store the configuration files and the name of the configuration file that it should download. You can have a different configuration file for each AP. You can also have multiple APs use the same configuration file.
Appendix F Text File Based Auto Configuration
Note: If adjacent APs use the same configuration file, you should leave out the channel setting since they could interfere with each other's wireless traffic.
Auto Configuration by DHCP
A DHCP response can use options 66 and 67 to assign a TFTP server IP address and a filename. If the AP is configured as a DHCP client, these settings can be used to perform auto configuration.
Table 100 Auto Configuration by DHCP
COMMAND: wcfg autocfg dhcp [enable|disable]
DESCRIPTION: Turn configuration of TFTP server IP address and filename through DHCP on or off. If this feature is enabled and the DHCP response provides a TFTP server IP address and a filename, the AP will try to download the file from the specified TFTP server. The AP then uses the file t
248. ireless module WLAN1 is used on the LAN.
WLAN1 MAC: This displays the MAC address of the first wireless module.
WLAN2 MAC: This displays the MAC address of the second wireless module.
System Resources
Flash: This field displays the amount of the ZyXEL Device's flash memory currently in use. The flash memory is used to store firmware and SSID profiles.
Memory: This field displays what percentage of the ZyXEL Device's volatile memory is currently in use. The higher the memory usage, the more likely the ZyXEL Device is to slow down. Some memory is required just to start the ZyXEL Device and to run the web configurator.
CPU: This field displays what percentage of the ZyXEL Device's processing ability is currently being used. The higher the CPU usage, the more likely the ZyXEL Device is to slow down.
WLAN1 Associations: This field displays the number of wireless clients currently associated with the first wireless module. Each wireless module supports up to 128 concurrent associations.
WLAN2 Associations: This field displays the number of wireless clients currently associated with the second wireless module. Each wireless module supports up to 128 concurrent associations.
Interface Status
Interface: This column displays each interface of the ZyXEL Device.
Chapter 3 Status Screens
Table 1 The Status Screen LABEL DESCR
249. [Screen: SSID profile list, entries SSID11 to SSID16]
2 Select SERVER_1's entry and click Edit. The following screen displays.
Figure 41 Tutorial: SSID Edit
Select L2Isolation03 in the L2 Isolation field and select macfilter03 in the MAC Filtering field. Click Apply.
3 Click the Layer 2 Isolation tab. When the Layer 2 Isolation screen appears, select L2Isolation03's entry and click Edit. The following screen displays.
Chapter 5 Tutorial
Figure 42 Tutorial: Layer 2 Isolation Edit
250. [Screen: MAINTENANCE tabs, Restart selected]
Click Restart to have the device perform a software restart. The SYS LED blinks as the device restarts and then stays steady off if the restart is successful. Wait a minute before logging into the device again.
PART III Troubleshooting and Specifications
Troubleshooting
Specifications
Troubleshooting
This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories:
Power and Hardware Connections
ZyXEL Device Access and Login
Internet Access
Wireless Router/AP Troubleshooting
19.1 Power and Hardware Connections
The ZyXEL Device does not turn on.
1 Make sure you are using the PoE power injector included with the ZyXEL Device.
2 Make sure the PoE power injector is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure the power source is turned on.
3 Disconnect and re-connect the PoE power injector to the ZyXEL Device.
4 If the problem continues, contact the vendor.
19.2 ZyXEL Device Access and Login
I forgot the IP address for the ZyXEL Device.
1 The default IP address is 192.168.1.2.
2 If you changed the static IP address and have forgotten it, you have to reset the device to its factory defaults. Contact your vendor. If you set the ZyXEL Device to get a d
251. ith a powerful antenna. By mimicking a legitimate (company network) AP, the attacker tries to capture usernames, passwords and other sensitive information from unsuspecting clients (A and B) who attempt to connect. This is known as a honeypot attack.
If a rogue AP in this scenario has sufficient power and is broadcasting the correct SSID (Service Set IDentifier), clients have no way of knowing that they are not associating with a legitimate company AP. The attacker can forward network traffic from associated clients to a legitimate AP, creating the impression of normal service. This is a variety of man-in-the-middle attack.
This scenario can also be part of a wireless denial of service (DoS) attack, in which associated wireless clients are deprived of network access. Other opportunities for the attacker include the introduction of malware (malicious software) into the network.
Chapter 12 Rogue AP
Figure 81 Honeypot Attack
12.3 Configuring Rogue AP Detection
You can configure the ZyXEL Device to detect rogue IEEE 802.11a (5 GHz) and IEEE 802.11b/g (2.4 GHz) APs. If you have more than one AP in your wireless network, you must also configure the list of friendly APs. Friendly APs are the other wireless access points in your network, as well as any others that you know are not a threat (those from neighboring networks, for example). It is recommended that you export (save) your list of fr
252. [Screen: Pop-up Blocker, Block pop-ups check box]
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.167.1.
4 Click Add to move the IP address to the list of Allowed sites.
Figure 199 Pop-up Blocker Settings
Appendix C Pop-up Windows, JavaScripts and Java Permissions
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.
JavaScripts
If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
Figure 200 Internet Options: Security
254. [Screen: View Log, sample log entries]
The following table describes the labels in this screen.
Table 64 View Log
Display: Select a log category from the drop-down list box to display logs within the selected category. To view all logs, select All Logs. The number of categories shown in the drop-down list box depends on the selection in the Log Settings page.
Time: This field displays the time the log was recorded.
Message: This field states the reason for the log.
Chapter 16 Log Screens
Source: This field lists the source IP address and the port number of the incoming packet.
Destination: This field lists the destination IP address and the port number of the incoming packet.
Notes: This field displays additional information about the log entry.
Email Log Now: Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page.
Refresh: Click Refresh to renew the log screen.
Clear Log: Click Clear Log to clear all the logs.
16.2 Configuring Log Settings
To change your ZyXEL Device's log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where and when
255. l receiver should be the owner of the SMTP account.
User Name: If your e-mail account requires SMTP authentication, enter the username here.
Password: Enter the password associated with the above username.
Syslog Logging: Syslog logging sends a log to an external syslog server used to store logs.
Active: Click Active to enable syslog logging.
Syslog IP Address: Enter the server name or IP address of the syslog server that will log the selected categories of logs.
Log Facility: Select a location from the drop-down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.
Send Log
Log Schedule: This drop-down menu is used to configure the frequency of log messages being sent as E-mail: Daily, Weekly, Hourly, When Log is Full, None. If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent.
Day for Sending Log: This field is only available when you select Weekly in the Log Schedule field. Use the drop-down list box to select which day of the week to send the logs.
Time for Sending Log: Enter the time of the day in 2
257. ld displays the MAC address of an associated wireless station.
Association Time: This field displays the time a wireless station first associated with the ZyXEL Device.
SSID: This field displays the SSID to which the wireless station is associated.
Signal: This field displays the RSSI (Received Signal Strength Indicator) of the wireless connection.
WDS Link: This section displays only when bridge mode is activated on one of the ZyXEL Device's WLAN adaptors.
Index: This field displays the index number of a bridge connection on the WDS.
Remote Bridge MAC: This field displays a remote bridge MAC address.
Link Time: This field displays the WDS link up-time.
Security: This field displays whether traffic on the WDS is encrypted (TKIP or AES) or not (None).
Refresh: Click Refresh to reload the screen.
18.4 Channel Usage
The Channel Usage screen shows whether a channel is used by another wireless network or not. If a channel is being used, you should select a channel removed from it by five channels to completely avoid overlap.
Click MAINTENANCE > Channel Usage to display the screen shown next. Wait a moment while the ZyXEL Device compiles the information.
Chapter 18 Maintenance
Figure 141 Channel Usage
258. less station needs to enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
Chapter 8 Wireless Security Configuration
8.3.4 Security: WPA
Select WPA in the Security Mode field to display the following screen.
Figure 61 Security: WPA
The following table describes the labels in this screen.
Table 30 Security: WPA
Name: Type a name to identify this security profile.
Security Mode: Choose WPA in this field.
ReAuthentication Timer: Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Alternatively, enter "0" to turn reauthentication off.
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyXEL Device automatically disco
259. lick Details to view in-depth information about the certification authority's certificate, change the certificate's name and set whether or not you want the ZyXEL Device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.
Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ZyXEL Device.
Delete: Click Delete to delete an existing certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
Refresh: Click this button to display the current validity status of the certificates.
15.11 Importing a Trusted CA's Certificate
Click CERTIFICATES > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority's certificate to the ZyXEL Device; see the following figure.
Chapter 15 Certificates
Note: You must remove any spaces from the certificate's filename before you can import the certificate.
Figure 111 Trusted CA Import
260. lick VLAN to open the VLAN setup screen.
2 Select the Enable VIRTUAL LAN check box and type a Management VLAN ID (10 in this example) in the field provided.
3 Click Apply.
Figure 121 VLAN Setup
4 The ZyXEL Device attempts to connect with a VLAN-aware device. You can now access and manage the ZyXEL Device through the Ethernet switch.
Note: If you do not connect the ZyXEL Device to a correctly configured VLAN-aware device, you will lock yourself out of the ZyXEL Device. If this happens, you must reset the ZyXEL Device to access it again.
Chapter 17 VLAN
17.2.4 Configuring Microsoft's IAS Server Example
Dynamic VLAN assignment can be used with the ZyXEL Device. Dynamic VLAN assignment allows network administrators to assign a specific VLAN co
261. list of unauthorized access points in the local area. See Section 12.3.3 on page 149.
Chapter 3 Status Screens
Management Mode
This chapter discusses the MGNT MODE (Management Mode) screen. This screen determines whether the ZyXEL Device is used in its default standalone mode, or as part of a CAPWAP (Control And Provisioning of Wireless Access Points) network.
4.1 About CAPWAP
The ZyXEL Device supports CAPWAP (Control And Provisioning of Wireless Access Points). This is ZyXEL's implementation of the IETF's (Internet Engineering Task Force) CAPWAP protocol (RFC 4118). The CAPWAP dataflow is protected by DTLS (Datagram Transport Layer Security).
The following figure illustrates a CAPWAP wireless network. You (U) configure the AP controller (C), which then automatically updates the configurations of the managed APs (M1 to M4).
Figure 12 CAPWAP Network Example
Note: The ZyXEL Device can be a standalone AP (default) or a CAPWAP managed AP. It cannot be a CAPWAP AP controller.
Chapter 4 Management Mode
4.1.1 CAPWAP Discovery and Management
The link between CAPWAP-enabled access points proceeds as follows:
1 An AP in managed AP mode joins a wired network (receives a dynamic IP address).
2 The AP sends out a management request
262. [Screen: Internet Options Security tab, Internet zone, security level slider, Custom Level and Default Level buttons]
2 Click the Custom Level button.
3 Scroll down to Scripting.
4 Under Active scripting, make sure that Enable is selected (the default).
5 Under Scripting of Java applets, make sure that Enable is selected (the default).
6 Click OK to close the window.
Appendix C Pop-up Windows, JavaScripts and Java Permissions
Figure 201 Security Settings: Java Scripting
Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level button.
3 Scroll down to Microsoft VM.
4 Under Java permissions, make sure that a safety level is selected.
5 Click OK to close the window.
Figure 202 Security Settings Java
263. load the previous configuration for this screen.
6.4 Configuring Time Setting
To change your ZyXEL Device's time and date, click SYSTEM > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device's time based on your local time zone.
Figure 48 SYSTEM > Time Setting
Chapter 6 System Screens
The following table describes the labels in this screen.
Table 12 SYSTEM > Time Setting
Current Time: This field displays the time of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the time with the time server (if configured).
Current Date: This field displays the last updated date from the time server.
Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered.
New Time (hh:mm:ss): This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
New Date This field displays the
264. [Screen: attribute value Virtual LANs (VLAN)]
17 Return to the RADIUS Attribute Screen (shown as Figure 131 on page 215). Click the Close button. The completed Advanced tab configuration should resemble the following screen.
Figure 135 Completed Advanced Tab (attributes shown: Service-Type: Framed; Framed-Protocol: PPP; Tunnel-Medium-Type: 802; Tunnel-Pvt-Group-ID: 1; Tunnel-Type: Virtual LANs (VLAN))
Note: Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list.
Chapter 17 VLAN
17.2.5 Second Rx VLAN ID Example
In this example, the ZyXEL Device is configured to tag packets from SSID01 with VLAN ID 1 and tag packets from SSID02 with VLAN ID 2. VLAN 1 and VLAN 2 have access to a server, S, and the Internet, as shown in th
265. ly Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
7.7.2 Bridge/Repeater Mode
The ZyXEL Device can act as a wireless network bridge and establish wireless links with other APs. You need to know the MAC address of the peer device, which also must be in bridge mode. The ZyXEL Device can establish up to five wireless links with other APs.
In the example below, when both ZyXEL Devices are in Bridge/Repeater mode, they form a WDS (Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers in LAN 2.
Chapter 7 Wireless Configuration
Figure 52 Bridging Example
Be careful to avoid bridge loops when you enable bridging in the ZyXEL Device. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem:
If two or more ZyXEL Devices (in bridge mode) are connected to the same hub.
Figure 53 Bridge Loop: Two Bridges Connected to Hub
If your ZyXEL Device (in bridge mode) is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN.
Figure 54 Bridge Loop Bridge Connect
266. ly scan for and select the channel with the least interference.
Disable channel switching for DFS: This field is available when you select 802.11a in the 802.11 Mode field. DFS (dynamic frequency selection) allows an AP to detect other devices in the same channel. If there is another device using the same channel, the AP changes to a different channel, so that it can avoid interference with radar systems or other wireless networks. Select this option to disable DFS on the ZyXEL Device when 802.11 Mode is set to 802.11a.
RTS/CTS Threshold: The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (256) turns on the RTS/CTS handshake. Enter a value between 256 and 2346. This field is not available when Super Mode is selected.
Beacon Interval: When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. This value can be set from 20ms to 1000ms. A high value helps save current consumption of the access point.
DTIM Delivery Traffic Indication Messag
268. mpt to repair the power adaptor or cord. Contact your local vendor to order a new one. Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning. Antenna Warning: This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s). If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must all be completely indoors. Please select an antenna that conforms with your local radio regulations. ZyXEL bears no responsibility whatsoever for cases of illegal installation. This product is recyclable. Dispose of it properly.
269. n Restore configuration allows you to upload a new or previously saved configuration file from your computer to your ZyXEL Device. Table 78 Restore Configuration (LABEL: DESCRIPTION). File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them. Upload: Click Upload to begin the upload process. Do not turn off the ZyXEL Device while configuration file upload is in progress. After you see a "restore configuration successful" screen, you must then wait one minute before logging into the ZyXEL Device again. Figure 147 Configuration Upload Successful. The ZyXEL Device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 148 Network Temporarily Disconnected. If you uploaded the default configuration file, you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address 192 16
270. n as Root KDE su dialog opens, enter the admin password and click OK. Figure 183 openSUSE 10.3: K Menu > Computer Menu. 3 When the YaST Control Center window opens, select Network Devices and then click the Network Card icon. Figure 184 openSUSE 10.3: YaST Control Center. 4 When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button. Figure 185 openSUSE 10.3: Network Settings
272. n to be successful, a certification request corresponding to the imported certificate must already exist on NWA. After the importation, the certification request will automatically be deleted. The following table describes the labels in this screen. Table 58 My Certificate Import (LABEL: DESCRIPTION). File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload. Apply: Click Apply to save the certificate on the ZyXEL Device. Cancel: Click Cancel to quit and return to the My Certificates screen. 15.8 Creating a Certificate: Click CERTIFICATES > My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyXEL Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request (see the following figure). Figure 108 My Certificate Create. The following table describes the labels in this screen. Table 59 My Certificate Create (LABEL: DESCRIPTION). Certificate Name: Type up to 31 ASCII characters (not including spaces) to ide
273. n use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. In public-key encryption and decryption, each host has two keys. One key is public and can be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows. 1 Tim wants to send a private message to Jenny. Tim generates a public key pair. What is encrypted with one key can only be decrypted using the other. 2 Tim keeps the private key and makes the public key openly available. 3 Tim uses his private key to encrypt the message and sends it to Jenny. 4 Jenny receives the message and uses Tim's public key to decrypt it. 5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny's public key to decrypt the message. The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm. The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates. A certification pa
274. n your network support WDS security but do not have an AES option. Note: Check your other AP's documentation to make sure it supports WDS security. Note: At the time of writing, this option is compatible with other ZyXEL NWA Series and G-3000/G-3000H access points only. AES: Select this to enable Advanced Encryption System (AES) security on your WDS. AES provides superior security to TKIP. Use AES if the other access points on your network support it for the WDS. Note: At the time of writing, this option is compatible with other ZyXEL NWA Series access points only. Index: This is the index number of the bridge connection. Active: Select the check box to enable the bridge connection. Otherwise, clear the check box to disable it. Remote Bridge MAC Address: Type the MAC address of the peer device in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc. PSK: Type a pre-shared key (PSK) from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). You must also set the peer device to use the same pre-shared key. Each peer device can use a different pre-shared key. See Table 22 on page 99 for information on the other labels in this screen. 7.7.3 AP+Bridge Mode: Select AP+Bridge as the Operating Mode in the WIRELESS > Wireless screen to have the ZyXEL Device function as a bridge and access point simultaneously. See the section on applicati
275. nary: 11111111.11111111.11111111.11000000; Subnet Address: 192.168.1.64; Lowest Host ID: 192.168.1.65; Broadcast Address: 192.168.1.127; Highest Host ID: 192.168.1.126.
Table 95 Subnet 3 (IP/SUBNET MASK, NETWORK NUMBER plus LAST OCTET BIT VALUE). IP Address: 192.168.1.128; IP Address (Binary): 11000000.10101000.00000001.10000000; Subnet Mask (Binary): 11111111.11111111.11111111.11000000; Subnet Address: 192.168.1.128; Lowest Host ID: 192.168.1.129; Broadcast Address: 192.168.1.191; Highest Host ID: 192.168.1.190.
Table 96 Subnet 4 (IP/SUBNET MASK, NETWORK NUMBER plus LAST OCTET BIT VALUE). IP Address: 192.168.1.192; IP Address (Binary): 11000000.10101000.00000001.11000000; Subnet Mask (Binary): 11111111.11111111.11111111.11000000; Subnet Address: 192.168.1.192; Lowest Host ID: 192.168.1.193; Broadcast Address: 192.168.1.255; Highest Host ID: 192.168.1.254.
Example: Eight Subnets. Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet.
Table 97 Eight Subnets (SUBNET: SUBNET ADDRESS, FIRST ADDRESS, LAST ADDRESS, BROADCAST ADDRESS). 1: 0, 1, 30, 31. 2: 32, 33, 62, 63. 3: 64, 65, 94, 95. 4: 96, 97, 126, 127. Table 97 Eight Subnets (continued)
278. nection. Remote Bridge MAC: This is the MAC address of the peer device in bridge mode. Status: This shows the current status of the bridge connection, which can be Up or Down. TxPkts: This is the number of transmitted packets on the wireless bridge. RxPkts: This is the number of received packets on the wireless bridge. Poll Interval(s): Enter the time interval for refreshing statistics. Set Interval: Click this button to apply the new poll interval you entered above. Stop: Click this button to stop refreshing statistics. 18.3 Association List: View the wireless stations that are currently associated with the ZyXEL Device in the Association List screen. Click MAINTENANCE > Association List to display the screen as shown next. Figure 140 Association List. The following table describes the labels in this screen. Table 75 Association List (LABEL: DESCRIPTION). Stations. Index: This is the index number of an associated wireless station. MAC Address: This fie
279. network's security. Attackers can take advantage of a rogue AP's weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially available software to physically locate it. Note that it is not necessary for a network to have a legitimate wireless LAN component for rogue APs to open the network to an attacker. In this case, any AP detected can be classified as rogue. 12.2 Rogue AP Examples: In the following example, a corporate network's security is compromised by a rogue AP (R) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company's legitimate wireless network (the dashed ellipse B) is well secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C). Figure 80 Rogue AP Example. 12.2.1 "Honeypot" Attack: Rogue APs need not be connected to the legitimate network to pose a severe security threat. In the following example, an attacker (X) is stationed in a vehicle outside a company building, using a rogue access point equipped w
280. nfigured on the ZyXEL Device to an individual's Windows User Account. When a wireless station is successfully authenticated to the network, it is automatically placed into its respective VLAN. ZyXEL uses the following standard RADIUS attributes returned from Microsoft's IAS (Internet Authentication Service) RADIUS service to place the wireless station into the correct VLAN. Table 72 Standard RADIUS Attributes (ATTRIBUTE NAME, TYPE, VALUE). Tunnel-Type: 064, 13 (decimal), VLAN. Tunnel-Medium-Type: 065, 6 (decimal), 802. Tunnel-Private-Group-ID: 081, <vlan-name> (string), either the Name you enter in the ZyXEL Device's VLAN > RADIUS VLAN screen or the number. See Figure 133 on page 216. The following occurs under Dynamic VLAN Assignment: 1 When you configure your wireless credentials, the ZyXEL Device sends the information to the IAS server using RADIUS protocol. 2 Authentication by the RADIUS server is successful. 3 The RADIUS server sends three attributes related to this feature. 4 The ZyXEL Device compares these attributes with the VLAN screen mapping table. 4a If the Name (for example VLAN 20) is found, the mapped VLAN ID is used. 4b If the Name is not found in the mapping table, the string in the Tunnel-Private-Group-ID attribute is considered as a number ID format, for example 2493. The range of the number ID (Name: string) is between 1 and 4094. 4c If a or b are not matched, the ZyXEL Device
282. nnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyXEL Device default is 1800 seconds (30 minutes). Apply: Click Apply to save your changes. Reset: Click Reset to begin configuring this screen afresh. 8.3.5 Security: WPA2 or WPA2-MIX: Select WPA2 or WPA2-MIX in the Security Mode field to display the following screen. Figure 62 Security: WPA2 or WPA2-MIX. The following table describes the labels not previously discussed. Table 31 Security: WPA2 or WPA2-MIX (LABEL: DESCRIPTIONS). Profile Name: Type a name to identify
283. nside the device. It also shows the date the firmware version was created. You can change the firmware version by uploading new firmware in Maintenance > F/W Upload. System Up Time: This field displays the elapsed time since the ZyXEL Device was turned on. Current Date/Time: This field displays the date and time configured on the ZyXEL Device. You can change this in the System > Time Setting screen. WLAN 1 Operating Mode: This field displays the current operating mode of the first wireless module (AP, Bridge / Repeater, AP+Bridge or MBSSID). You can change the operating mode in the Wireless > Wireless screen. WLAN 2 Operating Mode: This field displays the current operating mode of the second wireless module (AP, Bridge / Repeater, AP+Bridge or MBSSID). You can change the operating mode in the Wireless > Wireless screen. Management VLAN: This field displays the management VLAN ID if VLAN is active, or Disabled if it is not active. You can enable or disable VLAN, or change the management VLAN ID, in the VLAN > Wireless VLAN screen. IP: This field displays the current IP address of the ZyXEL Device on the network. LAN MAC: This displays the MAC (Media Access Control) address of the ZyXEL Device on the LAN. Every network device has a unique MAC address which identifies it across the network. Your ZyXEL Device features dual wireless module and has two MAC addresses. The MAC address of the first w
285. nt (the computer which requests the HTTPS connection with the ZyXEL Device). Authenticate Client Certificates: Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself with the ZyXEL Device by sending the ZyXEL Device a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyXEL Device (see the appendix on importing certificates for details). Server Port: The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the ZyXEL Device, for example 8443, then you must notify people who need to access the ZyXEL Device web configurator to use https://ZyXEL Device IP Address:8443 as the URL. Table 49 Remote Management: WWW (LABEL: DESCRIPTION). Server Access: Select a ZyXEL Device interface from Server Access on which incoming HTTPS access is allowed. You can allow only secure web configurator access by setting the WWW Server Access field to Disable and setting the HTTPS Server Access field to an interface(s). Secured Client IP Address: A secure client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with
286. ntify this certificate. Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information. Common Name: Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string. Organizational Unit: Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces. Organization: Type up to 127 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces. Country: Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces. Key Length: Select a number from the dr
287. o close the Local Area Connection Properties window. Verifying Settings: 1 Click Start > All Programs > Accessories > Command Prompt. 2 In the Command Prompt window, type ipconfig and then press ENTER. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. Mac OS X: 10.3 and 10.4. The screens in this section are from Mac OS X 10.4 but can also apply to 10.3. 1 Click Apple > System Preferences. Figure 164 Mac OS X 10.4: Apple Menu. 2 In the System Preferences window, click the Network icon. Figure 165 Mac OS X 10.4: System Preferences
288. o configure wireless LAN settings. Note: Not all DHCP servers allow you to specify options 66 and 67. Manual Configuration: Use the following command to manually configure a TFTP server IP address and a file name for the AP to use for auto provisioning whenever the AP starts up. See Section 25.1 on page 257 for how to access the Command Interpreter (CI). Table 101 Manual Configuration (COMMAND: DESCRIPTION). wcfg autocfg server IP filename: Specify the TFTP server IP address and file name from which the AP is to download a configuration file whenever the AP starts up. Configuration Via SNMP: You can configure and trigger the auto configuration remotely via SNMP. Use the following procedure to have the AP download the configuration file. Table 102 Configuration via SNMP (STEPS, MIB VARIABLE, VALUE). Step 1: pwTftpServer, set the IP address of the TFTP server. Step 2: pwTftpFileName, set the file name, for example g3000hcfg.txt. Step 3: pwTftpFileType, set to 3 (text configuration file). Step 4: pwTftpOpCommand, set to 2 (download). Verifying Your Configuration File Upload Via SNMP: You can use SNMP management software to display the configuration file version currently on the device by using the following MIB. Table 103 Displaying the File Version (ITEM, OBJECT ID, DESCRIPTION). pwCfgVersion: 1.3.6.1.4.1.890.1.9.1.2
289. o save your changes. Reset: Click Reset to reload the previous configuration for this screen. 6.5 Pre-defined NTP Time Servers List: When you turn on the ZyXEL Device for the first time, the date and time start at 2000-01-01 00:00:00. When you select Auto in the SYSTEM > Time Setting screen, the ZyXEL Device then attempts to synchronize with one of the following pre-defined list of NTP time servers. The ZyXEL Device continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified. Table 13 Default Time Servers: ntp1.cs.wisc.edu, ntp1.gbg.netnod.se, ntp2.cs.wisc.edu, tock.usno.navy.mil, ntp3.cs.wisc.edu, ntp.cs.strath.ac.uk, ntp1.sp.se, time1.stupi.se, tick.stdtime.gov.tw, tock.stdtime.gov.tw, time.stdtime.gov.tw. When the ZyXEL Device uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the ZyXEL Device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. Wireless Configuration: This chapter discusses how to configure the ZyXEL Device's Wireless screens. 7.1 Wireless Network Overview: The following figure provides an example of a wireless network. Figure 49 E
290. o the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks, but it's still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices sharing the same encryption keys (a weakness of WEP). User Authentication: WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with ano
291. ode from Access Point to MBSSID and reactivate the standard network.
2 Configure a wireless network for Voice over IP users.
3 Configure a wireless network for guests to your office.
The following figure shows the multiple networks you want to set up. Your ZyXEL Device is marked Z, the main network router is marked A, and your network printer is marked B.
Figure 16 Tutorial Example: MBSSID Setup
The standard network (SSID04) has access to all resources.
The VoIP network (VoIP SSID) has access to all resources and a high Quality of Service (QoS) setting (see Chapter 7 on page 91 for information on QoS).
The guest network (Guest SSID) has access to the Internet and the network printer only, and a low QoS setting.
To configure these settings, you need to know the MAC (Media Access Control) addresses of the devices you want to allow users of the guest network to access. The following table shows the addresses used in this example.
Table 3 Tutorial Example Information
Network router (A) MAC address: 00:AA:00:AA:00:AA
Network printer (B) MAC address: AA:00:AA:00:AA:00
5.2.1 Change the Operating Mode
Log in to the ZyXEL Device (see Section 2.1 on page 43). Click WIRELESS > Wireless. The Wireless screen appears. In this example, the ZyXEL Device is using WLAN Interface 1 in Access Point operating mode and is currently set to use the SSID04 profile
292. (Flowchart residue: configuration steps for the Bridge/Repeater, AP+Bridge and MBSSID operating modes. Select 802.11 Mode and Channel ID; configure WDS Security; select and configure SSID Profiles; configure each Security Profile; configure RADIUS authentication (optional); configure internal AUTH SERVER (optional); configure Layer 2 Isolation (optional); configure MAC Filter (optional); check your settings and test.)
5.1.3 Further Reading
Use these links to find more information on the steps:
Choosing 802.11 Mode: see Section 7.7.1 on page 98
293. omputer's IP Address
Figure 160 Windows Vista: Network and Sharing Center
5 Right-click Local Area Connection and then select Properties.
Figure 161 Windows Vista: Network and Sharing Center
During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
6 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.
Figure 162 Windows Vista: Local Area Connection Properties
294. on
Configure layer 2 isolation to control the specific devices you want the users on your guest network to access. Click WIRELESS > Layer 2 Isolation. The following screen appears.
Figure 28 Tutorial: Layer 2 Isolation
The Guest SSID network uses the l2isolation01 profile by default, so select its entry and click Edit. The following screen displays.
Figure 29 Tutorial: Layer 2 Isolation Profile
Enter the MAC addresses and descriptions of the two network devices you want users on the guest network to be able to access: the main network router (00:AA:00:AA:00:AA) and the network printer (AA:00:AA:00:AA:00). Click Apply.
5.2.3.3 Activate the Guest Profile
You need to activate the Guest SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the check box for the Guest SSID profile and click Apply.
295. onfiguring this screen afresh.
When the ZyXEL Device is set to Access Point, AP+Bridge or MBSSID mode, you need to choose the SSID profile(s) you want to use in your wireless network (see Section 7.6 on page 98 for more information on operating modes). Use the WIRELESS > SSID screen to see information about the SSID profiles on the ZyXEL Device, and use the WIRELESS > SSID > Edit screen to configure the SSID profiles.
9.2.1 The SSID Screen
Click WIRELESS > SSID to display the screen as shown.
Figure 67 SSID
296. ons for more information.
Figure 56 Wireless: AP+Bridge
See the tables describing the fields in the Access Point and Bridge/Repeater operating modes for descriptions of the fields in this screen.
7.7.4 MBSSID Mode
Select MBSSID as the Operating Mode. Refer to Chapter 9 on page 121 for configuration instructions and detailed information. See Chapter 8 on page 109 for details on the security settings.
Wireless Security Configuration
This chapter describes how to use the Security and RADIUS screens to configure wireless security on your ZyXEL Device.
8.1 Wireless Security Overview
The following sections introduce different types of wireless security you can set up in the wireless network.
8.1.1 SSID
Normally, the ZyXEL Device acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the ZyXEL Device does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess. This type of security is fairly weak
297. op down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.
Enrollment Options: These radio buttons deal with how and when the certificate is to be generated.
Create a self-signed certificate: Select Create a self-signed certificate to have the ZyXEL Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
Create a certification request and save it locally for later manual enrollment: Select Create a certification request and save it locally for later manual enrollment to have the ZyXEL Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen (Section 15.9 on page 185) and then send it to the certification authority.
Create a certification request and enroll for a certificate immediately online: Select Create a certification request and enroll for a certificate immediately online to have the ZyXEL Device generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this op
298. or X.509 certificates.
PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.
Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyXEL Device currently allows the importation of a PKCS#7 file that contains a single certificate.
PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
15.7 Importing a Certificate
Click CERTIFICATES > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyXEL Device. You can import only a certificate that matches a corresponding certification request that was generated by the ZyXEL Device. The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate's filename before you can import it.
Figure 107 My Certificate Import
299. ormation on how to transfer configuration files using FTP/TFTP commands.
Click MAINTENANCE > Configuration. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Figure 146 Configuration (screen panels: Backup Configuration, Restore Configuration, Back to Factory Defaults; the Back to Factory Defaults panel states that after resetting, the password will be 1234 and the device can be reached by IP address 192.168.1.2)
18.6.1 Backup Configuration
Backup configuration allows you to back up (save) the ZyXEL Device's current configuration to a file on your computer. Once your ZyXEL Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the ZyXEL Device's current configuration to your computer.
18.6.2 Restore Configuratio
300. (Screenshot residue: Internet Explorer Tools menu, with Internet Options as the last entry.)
2 In the Internet Options dialog box, click Content > Certificates.
Figure 219 Internet Explorer 7: Internet Options
3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.
Figure 220 Internet Explorer 7: Certificates
301. (Screenshot residue: Mac OS X System Preferences.)
3 When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure.
Figure 166 Mac OS X 10.4: Network Preferences
4 For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab.
Figure 167 Mac OS X 10.4: Network Preferences > TCP/IP Tab
5 For statically assigned settings, do the following: From the Configure IPv4 list select
302. ow to import public key certificates into your web browser.
Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.
Many ZyXEL products, such as the NSA-2401, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority.
You can see if you are browsing on a secure website if the URL in your web browser's address bar begins with https:// or there is a sealed padlock icon somewhere in the main browser window (not all browsers show the padlock in the same location).
In this appendix, you can import a public key certificate for Internet Explorer
303. perform this. 802.1x authentication information is not exchanged (at the time of writing).
Figure 77 Roaming Example
The steps below describe the roaming process.
1 Wireless station Y moves from the coverage area of access point AP 1 to that of access point AP 2.
2 Wireless station Y scans and detects the signal of access point AP 2.
3 Wireless station Y sends an association request to access point AP 2.
4 Access point AP 2 acknowledges the presence of wireless station Y and relays this information to access point AP 1 through the wired LAN.
5 Access point AP 1 updates the new position of wireless station Y.
10.5.1 Requirements for Roaming
The following requirements must be met in order for wireless stations to roam between the coverage areas.
1 All the access points must be on the same subnet and configured with the same ESSID.
2 If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station.
3 The adjacent access points should use different radio channels when their coverage areas overlap.
4 All access points must use the same port number to relay roaming information
304. plays. Click the Authentication tab and select the Extensible Authentication Protocol check box. Select an EAP type depending on your authentication needs from the drop-down list box. Clear the check boxes for all other authentication types listed below the drop-down list box.
Figure 128 Authentication Tab Settings
8 Click the Encryption tab. Select the Strongest encryption option. This step is not required for EAP-MD5 but is performed as a safeguard.
Figure 129 Encryption Tab Settings
306. 8.1.3 User Authentication
Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it. However, every device in the wireless network has to support IEEE 802.1x to do this. For wireless networks, you can store the user names and passwords for each user in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users.
Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.
8.1.4 Encryption
Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message. The types of encryption you can choose depend on the type of authentication. (See Section 8.1.3 on page 110 for information about this.)
Table 24 Types of Encryption for Each Type of Authentication
NO AUTHENTICATION RADIUS SERVER Weakest No Security Static WEP 1 WPA PSK WPA Strongest
307. rage area. A wireless station can associate with a particular access point only if it is within the access point's coverage area. In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is known as roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.
The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the channel of a new access point, which then informs the other access points on the LAN about the change. An example is shown in Figure 77 on page 138.
With roaming, a wireless LAN mobile user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN. Enable roaming to exchange the latest bridge information of all wireless stations between APs when a wireless station moves between coverage areas. Wireless stations can still associate with other APs even if you disable roaming. Enabling roaming ensures correct traffic forwarding (bridge tables are updated) and maximum AP efficiency. The AP deletes records of wireless stations that associate with other APs. (Non-ZyXEL APs may not be able to
308. rcentage of the ZyXEL Device's PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Replace: This button displays when the ZyXEL Device has the factory default certificate. The factory default certificate is common to all ZyXEL Devices that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyXEL Device's MAC address.
Index: This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type: This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
*SELF represents the default self-signed certificate, which the ZyXEL Device uses to sign imported trusted remote host certificates.
CERT represents a certificate issued by a certification authority
309. red on an SSID profile Edit Click the radio button next to the profile you want to configure and click Edit to go to the SSID configuration screen NWA3550 User s Guide Chapter 9 MBSSID and SSID 9 2 2 Configuring SSID Each SSID profile references the settings configured in the following screens WIRELESS gt Security one of the security profiles WIRELESS gt RADIUS one of the RADIUS profiles WIRELESS gt MAC Filter the MAC filter list if activated in the SSID profile WIRELESS gt Layer 2 Isolation the layer 2 isolation list if activated in the SSID profile Also use the VLAN screen to set up wireless VLANs based on SSID Configure the fields in the above screens to use the settings in an SSID profile Select an SSID profile in the WIRELESS gt SSID screen and click Edit to display the following screen Figure 68 Configuring SSID Wireless Profile Name SSID Security RADIUS QoS SSID Security Hide Name SSID Layer Isolation Intra BSS Traffic blocking Disable j MAC Filtering Disable RADIUS Layer 2 Isolation MAC Filter ssiD04 TA PoM Disable security01 radius01 gt NONE gt Disable gt Apply Reset The following table describes the labels in this screen Table 36 Configuring SSID LABEL DESCRIPTION Profile Name Enter a name identifying this profile SSID When a wireless client scans for an AP to associate with
310. red when adding the AP to the list.
Delete: Click this button to remove an AP's entry from the list.
12.3.3 Rogue AP List
This list displays details of all IEEE 802.11a/b/g wireless access points within the ZyXEL Device's coverage area, except for the ZyXEL Device itself and the access points included in the friendly AP list (see Section 12.3.2 on page 148). You can set how often you want the ZyXEL Device to scan for rogue APs in the ROGUE AP > Configuration screen (see Section 12.3.1 on page 147). Click ROGUE AP > Rogue AP. The following screen displays.
Figure 84 ROGUE AP > Rogue AP
The following table describes the labels in this screen.
Table 45 ROGUE AP > Rogue AP
LABEL: DESCRIPTION
Rogue AP List: This displays details of access points in the ZyXEL Device's coverage area that are not listed in the friendly AP list (see Section 12.3.2 on page 148).
Refresh: Click this button to have the ZyXEL Device scan for rogue APs
311. resents the true gain that the antenna provides.
Types of Antennas for WLAN
There are two types of antennas used for wireless LAN applications.
Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut), which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.
Positioning Antennas
In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.
For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible.
For directional antennas point
312. ress RADIUS Server Port and Share Secret fields are not available when you use the internal authentication server External Select this check box to use an external authentication server The ZyXEL Device does not use the internal authentication server when this check box is enabled Active Select the check box to enable user authentication through an external authentication server This check box is not available when you select Internal RADIUS Server IP Address Enter the IP address of the external authentication server in dotted decimal notation This field is not available when you select Internal RADIUS Server Port Enter the port number of the external authentication server The default port number is 1812 You need not change this value unless your network administrator instructs you to do so This field is not available when you select Internal Share Secret Enter a password up to 128 alphanumeric characters as the key to be shared between the external authentication server and the ZyXEL Device The key must be the same on the external authentication server and your ZyXEL Device The key is not sent over the network This field is not available when you select Internal Active Select the check box to enable user accounting through an external authentication server Accounting Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Acco
313. rmation SNMP SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of the TCP IP protocol suite Your ZyXEL Device supports SNMP agent functionality which allows a manger station to manage and monitor the ZyXEL Device through the network The ZyXEL Device supports SNMP version one SNMPv1 and version two c SNMPv2c The NWA 3165 also supports version 3 SNMPv3 DFS DFS Dynamic Frequency Selection allows a wider choice of 802 11a wireless channels CAPWAP Control and Provisioning of Wireless Access Points The ZyXEL Device can be managed via CAPWAP which allows multiple APs to be configured and managed by a single AP controller NWA3550 User s Guide Chapter 20 Product Specifications Compatible ZyXEL Antennas At the time of writing you can use the following antennas in your ZyXEL Device Table 81 ZyXEL Device Compatible Antennas MODEL EXT 108 EXR 109 EXT 114 EXT 118 ANT2206 ANT3108 ANT3218 FEATURES Frequency 2400 2500 2400 2500 2400 2500 2400 2500 2400 4900 5150 5875 4900 5875 Band MHz B 2500 5875 Gain dBi 8 9 14 18 6 8 8 18 Max VSWR 2 0 1 1 5 1 1 5 1 1 5 1 2 0 1 2 0 1 2 0 1 2 0 1 HPBW 360 65 30 15 65 50 360 18 Horizontal HPBW 15 60 30 5 759 50 20 18 Vertical Impedance 50 50 50
314. route Whois Finger PortScan Please selected ackinterface for information Network Interface en1 B SS Interface Transfer Statistics Hardware Address 00 30 65 25 6a b3 Sent Packets 1230 IP Address es 10 0 2 2 Send Errors 0 Link Speed 11 Mbit s Recv Packets 1197 Link Status Active Recv Errors 0 Vendor Apple Collisions 0 Model Wireless Network Adapter 802 11 A NWA3550 User s Guide Appendix A Setting Up Your Computer s IP Address Linux Ubuntu 8 GNOME This section shows you how to configure your computer s TCP IP settings in the GNU Object Model Environment GNOME using the Ubuntu 8 Linux distribution The procedure screens and file locations may vary depending on your specific distribution release version and individual configuration The following screens use the default Ubuntu 8 installation ES Make sure you are logged in as the root administrator Follow the steps below to configure your computer IP address in GNOME 1 Click System gt Administration gt Network Fi gure 175 Ubuntu 8 System gt Administration Menu XK Preferences E Hardware Drivers o Help and Support bout GNOME G About Ubuntu Hardware Testing i Language Support EF Login Window Quit C E Network Tools 2 When the Network Settings window opens click Unlock to open the Authenticate window By default the Unlock button is greyed out until clicked You cannot
315. rtificate Replace Factory Default Certificate My Certificates Setting. 13.10 SNMP. Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyXEL Device supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyXEL Device through the network. The ZyXEL Device supports SNMP version one (SNMPv1), version two (SNMPv2c) and version 3 (SNMPv3) at the time of writing. The next figure illustrates an SNMP management operation. Chapter 13 Remote Management Screens. SNMP is available only if TCP/IP is configured. Figure 97 SNMP Management Model. An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices. The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include such as numb
316. 7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. Appendix A Setting Up Your Computer's IP Address. Figure 163 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties. 8 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click Advanced. 9 Click OK to close the Internet Protocol (TCP/IP) Properties window. 10 Click OK t
317. (Figure: list of SSID profiles, including the VoIP_SSID and Guest_SSID profiles.) The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID's radio button and click Edit. The following screen displays. Chapter 5 Tutorial. Figure 20 Tutorial: VoIP SSID Profile Edit.
318. s continued. TYPE / CODE / DESCRIPTION. Code 0: Pointer indicates the error. Type 13, Timestamp. Code 0: Timestamp request message. Type 14, Timestamp Reply. Code 0: Timestamp reply message. Type 15, Information Request. Code 0: Information request message. Type 16, Information Reply. Code 0: Information reply message. Table 68 Syslog. LOG MESSAGE: Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>". DESCRIPTION: This message is sent by the RAS when this syslog is generated. The messages and notes are defined in this appendix's other charts. 16.4 Log Commands. Go to the command interpreter interface (see Chapter 25 on page 257 for how to access and use the commands). 16.4.1 Configuring What You Want the ZyXEL Device to Log. Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyXEL Device is to record. Use sys logs category followed by a log category and a parameter to decide what to record. Table 69 Log Categories and Available Settings Example. LOG CATEGORIES / AVAILABLE PARAMETERS: error: 0, 1, 2, 3; mten: 0, 1. Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category. Use the sys logs save command to store the settings in the ZyXEL Device (you must do this in order to recor
319. s Guide Appendix A Setting Up Your Computer's IP Address. Mac OS X: 10.5. The screens in this section are from Mac OS X 10.5. 1 Click Apple > System Preferences. Figure 170 Mac OS X 10.5: Apple Menu. 2 In System Preferences, click the Network icon. Figure 171 Mac OS X 10.5: Systems Preferences. 3 When the Network preferences pane opens, select Ethernet from the list of available connection types. Figure 172 Mac OS X 10.5: Network Preferences > Ethernet.
320. s UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK NWA3550 User s Guide Index A access 34 access point 34 access privileges 36 address assignment 141 address filtering 33 administrator authentication on RADIUS 86 Advanced Encryption Standard See AES AES 278 alternative subnet mask notation 315 antenna 237 directional 281 gain 281 omni directional 281 AP 33 34 35 145 271 AP Bridge 33 35 applications 33 Access Point 34 AP Bridge 35 Bridge Repeater 34 MBSSID 36 ATC 93 128 ATC WMM 128 ATM 93 authentication server 33 auto configuration 321 auto configuration status 324 B backup 228 Basic Service Set see BSS bridge 34 35 Bridge Protocol Data Units BPDUs 97 Bridge Repeater 33 34 BSS 36 269 BSSID 33 Index C CA 276 CAPWAP 51 Certificate Authority See CA certificates 170 thumbprint algorithms 178 thumbprints 178 verifying fingerprints 178 certifications 329 notices 330 viewing 331 channel 33 271 interference 271 Class of Service CoS 95 command interface 39 configuration 33 configuration file examples 324 format 323 configuration file rules 324 contact information 333 Control and Providioning of Wireless Access Points See CAPWAP copyright 329 CoS 95 CTS Clear to Send 272 customer support 333 D default 230 DFS 97 Differentiated Services 95 DiffServ 95 DiffServ Code Point DSCP 95 Di
321. s a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. Appendix B Wireless LANs. For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users, and a CA issues certificates and guarantees the identity of each certificate owner. EAP-MD5 (Message-Digest Algorithm 5): MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client "proves" that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security): With EAP
322. s issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate. Refer to Appendix D on page 289 for details. The actual IP address of the HTTPS server (the IP address of the ZyXEL Device's port that you are trying to access) does not match the common name specified in the ZyXEL Device's HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyXEL Device sends to HTTPS clients. 2a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field. 2b Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for certificate's common name (see Figure 95 on page 162 for an example). Use this procedure to have the ZyXEL Device use a certificate with a common name that matches the ZyXEL Device's actual IP address. You cannot use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address. 2a Create a new certificate for the ZyXEL Device that uses the IP address (of the ZyXEL Device's port that you are trying to access) as the certificate's common name. For example, to use HTTPS to access a LAN port with IP address 192.168.1.2, create a certificate that uses 192.168.1.2 as the common name. 2b Go to the remote management WWW screen and select the newly created certificate in the Server Certificate field. Click Apply.
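The name check behind this browser warning, as an added Python example that is not part of the manual: it takes a certificate in the dict form returned by Python's ssl.SSLSocket.getpeercert() and compares the address used to reach the device with the common name and with any subjectAltName entries. The three certificates and their names are constructed for illustration; the "cn-only" verdict reflects that current browsers match only subjectAltName entries, so a certificate that carries the IP address in its common name alone can still produce the warning.

```python
import ipaddress

# Constructed sample certificates in the dict layout of ssl.SSLSocket.getpeercert().
# None of them comes from a real device; the names are made up for the example.
FACTORY_CERT = {
    "subject": ((("organizationName", "Example Vendor"),),
                (("commonName", "device-default.example"),)),
}
CN_ONLY_CERT = {
    "subject": ((("commonName", "192.168.1.2"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "192.168.1.2"),),),
    "subjectAltName": (("IP Address", "192.168.1.2"),
                       ("DNS", "ap1.lan.example")),
}


def subject_values(cert, attribute):
    """Return every value of one subject attribute, for example commonName."""
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == attribute]


def same_host(presented, target):
    """Compare a name from the certificate with the address the client used."""
    try:
        # Both sides are IP literals: compare them as addresses, not as text.
        return ipaddress.ip_address(presented) == ipaddress.ip_address(target)
    except ValueError:
        # At least one side is not an IP literal: compare as host names.
        return presented.rstrip(".").lower() == target.rstrip(".").lower()


def check_server_name(cert, target):
    """Report whether the certificate names the address used to reach the server.

    verdict is one of:
      "ok"        a subjectAltName entry matches the target
      "cn-only"   only the common name matches (the manual's procedure)
      "mismatch"  nothing in the certificate matches the target
    """
    cn_match = any(same_host(cn, target)
                   for cn in subject_values(cert, "commonName"))
    san_match = any(same_host(value, target)
                    for kind, value in cert.get("subjectAltName", ())
                    if kind in ("DNS", "IP Address"))
    if san_match:
        verdict = "ok"
    elif cn_match:
        verdict = "cn-only"
    else:
        verdict = "mismatch"
    return {"cn_match": cn_match, "san_match": san_match, "verdict": verdict}


if __name__ == "__main__":
    target = "192.168.1.2"  # LAN address used in the manual's example
    for label, cert in (("factory default", FACTORY_CERT),
                        ("CN = IP address", CN_ONLY_CERT),
                        ("CN and SAN = IP address", SAN_CERT)):
        print(label, check_server_name(cert, target))
```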
323. 2 The Conditions window displays. Select Add to add a condition for this policy to act on. 3 In the Select Attribute screen, click Windows Groups and the Add button. Figure 125 Specifying Windows Group Condition. 4 The Select Groups window displa
325. sday 21 May 2008 06:42:35 am GMT. Valid until: Saturday 21 May 2011 06:42:35 am GMT. Serial number: 11139321193569894228. MD5 digest: 3F 9A 76 6E A9 F5 07 41 BE 4C 8B 8B A2 D3 F0 2F. Cipher in use: DHE-RSA-AES256-SHA. Details: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1. SSL version: TLSv1/SSLv3. Cipher strength: 256 bits used of a 256 bit cipher. Cryptography Configuration. 3 Installing a Stand-Alone Certificate File in Konqueror. Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the public key certificate file. Appendix D Importing Certificates. Figure 247 Konqueror 3.5: Public Key Certificate File. 2 In the Certificate Import Result - Kleopatra dialog box, click OK. Figure 248 Konqueror 3.5: Certificate Import Result. The public key certificate appears in the KDE certificate manager, Kleopatra. Figure 249 Konqueror 3.5: Kleopatra.
326. ser name and password configured in the AUTH SERVER > Trusted Users screen. The following figure shows how this is done in two phases. Chapter 14 Internal RADIUS Server. Figure 101 Trusted AP Overview. 1 Configure an IP address and shared secret in the Trusted AP database to authenticate an AP as a trusted AP. 2 Configure wireless client user names and passwords in the Trusted Users database to use a trusted AP as a relay between the ZyXEL Device's internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the ZyXEL Device's internal RADIUS server. 14.4 Configuring Trusted AP. To specify trusted APs, click the AUTH SERVER link under ADVANCED and then the Trusted AP tab. The screen appears as shown. Figure 102 Trusted AP Screen. The following table describes the labels in this screen. Table 55 Trusted AP. LABEL / DESCRIPTION. Index: This field displays the trusted AP index number. Active: Select this check box to have the ZyXEL Device use the IP Address and Shared Secret to authenticate a trusted AP. IP Address: Type the IP address of the trusted AP in dotted decimal notation. Shared Secret: Enter a password (up to 31 alphan
327. server assigns VLAN name error: Select this to have the ZyXEL Device forbid access to wireless clients when the VLAN attributes sent from the RADIUS server do not match a configured Name field. When you select this check box, only users with names configured in this screen can access the network through the ZyXEL Device. VLAN Mapping Table: Use this table to map names to VLAN IDs so that the RADIUS server can assign each user or user group a mapped VLAN ID. See your RADIUS server documentation for more information on configuring VLAN ID attributes. See Section 17.2.4 on page 210 for more information. Index: This is the index number of the VLAN mapping profile. Active: Select a check box to enable the VLAN mapping profile. VLAN ID: Type a VLAN ID. Incoming traffic from the WLAN is authorized and assigned a VLAN ID before it is sent to the LAN. Name: Type a name to have the ZyXEL Device check for specific VLAN attributes on incoming messages from the RADIUS server. Access-accept packets sent by the RADIUS server contain VLAN-related attributes. The configured Name fields are checked against these attributes. If a configured Name field matches these attributes, the corresponding VLAN ID is added to packets sent from this user to the LAN. If the VLAN-related attributes sent by the RADIUS server do not match a configured Name field, a wireless station is assigned the wireless VLAN ID associated with its SSID (unless
329. t This is the certificate's message digest that the ZyXEL Device calculated using the MD5 algorithm. Chapter 15 Certificates. 15.10 Trusted CAs. Table 60 My Certificate Details (continued). LABEL / DESCRIPTION. SHA Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the SHA1 algorithm. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification authority, or a text editor, and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues, or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk, for example). Export: Click this button and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. Apply: Click Apply to save your changes. You can only change the name, except in the case of a self-signed certificate, which you can also set to be the default self-signed certificate th
330. t again and then go to step 9. Appendix D Importing Certificates. Figure 209 Internet Explorer 7: Certificate Import Wizard. 7 Otherwise, select Place all certificates in the following store and then click Browse. Figure 210 Internet Explorer 7: Certificate Import Wizard. 8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 211 Internet Explorer 7: Select Certificate Store. 9 In the Completing the Certificate Import Wizard screen, click Finish. Figure 212 Internet Explorer 7: Certificate Import Wizard.
331. t this to manage the ZyXEL Device using its own web configurator, neither managing nor managed by other devices. Managed AP: Select this to have the ZyXEL Device managed by another ZyXEL Device on your network. When you do this, the ZyXEL Device can be configured ONLY by the management AP. If you do not have an AP controller on your network and want to return the ZyXEL Device to standalone mode, you must use its physical RESET button. All settings are returned to their default values. Note: When you set the ZyXEL Device to Managed AP mode, it becomes a DHCP client. To discover its new IP address, check the DHCP server on your network. If your network has no DHCP server, the ZyXEL Device's IP address remains the same. You can also check the Controller > AP Lists screen of the AP controller on your network. Apply: Click this to save your changes. Note: If you change the mode in this screen, the ZyXEL Device restarts. Wait a short while before you attempt to log in again. If you changed the mode to Managed AP, you cannot log in as the web configurator is disabled; you must manage the ZyXEL Device through the management AP on your network. Reset: Click this to return this screen to its previously saved settings. Tutorial: This chapter first provides an overview of how to configure the wireless LAN on your ZyXEL Device, and then gives step-by-step guidelines showing how to config
332. te Management Screens. This chapter provides information on the Remote Management screens. 13.1 Remote Management Overview. Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers. You may manage your ZyXEL Device from a remote location via: Table 46 Remote Management Overview: WLAN; ALL (LAN and WLAN); LAN only; Neither (Disable). To disable remote management of a service, select Disable in the corresponding Server Access field. You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows: 1 Console port, 2 SSH, 3 Telnet, 4 HTTPS and HTTP. 13.1.1 Remote Management Limitations. Remote management over LAN or WLAN will not work when: 1 You have disabled that service in one of the remote management screens. 2 The IP address in the Secured Client IP Address field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately. 3 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time. Chapter 13 Remote Management Screens. 13
333. th is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked. Chapter 15 Certificates. Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure). 15.1.1 Advantages of Certificates. Certificates offer the following benefits. The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. 15.2 Self-signed Certificates. You can have the ZyXEL Device act as a certification authority and sign its own certificates. 15.3 Verifying a Certificate. Before you import a trusted CA certificate into the ZyXEL Device, you should verify that you have the actual certificate. This is especially important since the ZyXEL Device also trusts any valid certificate signed by
334. Check incoming certificates issued by this CA against a CRL: that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the ZyXEL Device not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Certificate Path: Click the Refresh button to have this read-only text box display the end entity's certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity's certificate. If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the end entity's own certificate). The ZyXEL Device does not trust the end entity's certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked. Refresh: Click Refresh to display the certification path. Chapter 15 Certificates. Table 63 Trusted CA Details (continued). LABEL / DESCRIPTION. Certificate Information: These read-only fields display detailed information about the certificate. Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificat
335. the AP is no longer active. Friendly AP List. Export: Click this button to save the current list of friendly APs' MAC addresses and descriptions (as displayed in the ROGUE AP > Friendly AP screen) to your computer. File Path: Enter the location of a previously saved friendly AP list to upload to the ZyXEL Device. Alternatively, click the Browse button to locate a list. Browse: Click this button to locate a previously saved list of friendly APs to upload to the ZyXEL Device. Import: Click this button to upload the previously saved list of friendly APs displayed in the File Path field to the ZyXEL Device. Apply: Click Apply to save your settings. Reset: Click Reset to return all fields in this screen to their previously saved values. 12.3.2 Rogue AP Friendly AP. The friendly AP list displays details of all the access points in your area that you know are not a threat. If you have more than one AP in your network, you need to configure this list to include your other APs. If your wireless network overlaps with that of a neighbor (for example), you should also add these APs to the list, as they do not compromise your own network's security. If you do not add them to the friendly AP list, these access points will appear in the Rogue AP list each time the ZyXEL Device scans. Chapter 12 Rogue AP. Figure 83 ROGUE AP > Friendly AP.
336. the Block station if RADIUS server assigns VLAN error check box is selected). Apply: Click Apply to save your changes to the ZyXEL Device. Reset: Click Reset to begin configuring this screen afresh. 17.2.3 Configuring Management VLAN Example. This section shows you how to create a VLAN on an Ethernet switch. By default, the port on the ZyXEL Device is a member of the management VLAN (VLAN ID 1). The following procedure shows you how to configure a tagged VLAN. Use the out-of-band management port or console port to configure the switch if you misconfigure the management VLAN and lock yourself out from performing in-band management. On an Ethernet switch, create a VLAN that has the same management VLAN ID as the ZyXEL Device. The following figure has the ZyXEL Device connected to port 2 of the switch and your computer connected to port 1. The management VLAN ID is ten. Chapter 17 VLAN. Figure 117 Management VLAN Configuration Example. Perform the following steps in the switch web configurator. This example uses the ZyXEL switch screenshots. 1 Click VLAN under Advanced Application. Click Static VLAN. Select the ACTIVE check box. Type a Name for the VLAN ID. Type a VLAN Group ID. This should be the same as the management VLAN ID on the ZyXEL Device. Enable Tx Tagging on the port which you want to connect to the ZyXEL Device. Disable Tx Tag
337. the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyXEL Device automatically select a channel, click Scan instead. Scan: Click this button to have the ZyXEL Device automatically select the wireless channel with the lowest interference. Disable channel switching for DFS: This field is available when you select 802.11a in the 802.11 Mode field. DFS (dynamic frequency selection) allows an AP to detect other devices in the same channel. If there is another device using the same channel, the AP changes to a different channel so that it can avoid interference with radar systems or other wireless networks. Select this option to disable DFS on the ZyXEL Device when 802.11 Mode is set to 802.11a. RTS/CTS Threshold: The threshold (number of bytes) for enabling RTS/CTS handshake. Data with a frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its lowest value (256) turns on the RTS/CTS handshake. Enter a value between 256 and 2346. This field is not available when Super Mode is selected. Fragmentation Threshold: The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter an even number between 2
338. the IP address that you specify to access the ZyXEL Device using this service. Apply: Click Apply to save your customized settings and exit this screen. Reset: Click Reset to begin configuring this screen afresh. 13.9 HTTPS Example. If you haven't changed the default HTTPS port on the ZyXEL Device, then in your browser enter "https://ZyXEL Device IP Address/" as the web site address, where "ZyXEL Device IP Address" is the IP address or domain name of the ZyXEL Device you wish to access. 13.9.1 Internet Explorer Warning Messages. When you attempt to access the ZyXEL Device HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyXEL Device. You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the web configurator login screen; if you select No, then web configurator access is blocked. Figure 90 Security Alert Dialog Box (Internet Explorer).
339. the Open field. Click OK. At the C:\> prompt, enter "ping 192.168.1.10" (substitute the IP address of a real device on your network that is not on the layer 2 isolation list). If you receive a reply, check the settings in the WIRELESS > Layer 2 Isolation > Edit screen and ensure that the correct layer 2 isolation profile is enabled in the Guest SSID profile screen.
5.3 How to Set Up and Use Rogue AP Detection
This example shows you how to configure the rogue AP detection feature on the ZyXEL Device. A rogue AP is a wireless access point operating in a network's coverage area that is not a sanctioned part of that network. The example also shows how to set the ZyXEL Device to send out e-mail alerts whenever it detects a rogue wireless access point. See Chapter 12 on page 145 for background information on the rogue AP function and security considerations.
In this example, you want to ensure that your company's data is not accessible to an attacker gaining entry to your wireless network through a rogue AP. Your wireless network operates in an office building. It consists of four access points (all ZyXEL Devices) and a variable number of wireless clients. You also know that the coffee shop on the ground floor has a wireless network consisting of a single access point, which can be detected and accessed from your floor of the building. There are no other static wireless networks in your
340. the antenna in the direction of the desired coverage area.
Pop-up Windows, JavaScripts and Java Permissions
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).
Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.
Internet Explorer Pop-up Blockers
You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.
Disable pop-up Blockers
1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.
Figure 196 Pop-up Blocker
You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.
1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.
Figure 197 Internet Options Privac
341. ther AP before connecting to it.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
WPA(2) with RADIUS Application Example
You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.
1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
Figure 194 WPA(2) with RADIUS Application Example
WPA(2)-PSK
342. this is the name that is broadcast and seen in the wireless client utility.
Hide Name (SSID): Select Disable if you want the ZyXEL Device to broadcast this SSID (a wireless client scanning for an AP will find this SSID). Alternatively, select Enable to have the ZyXEL Device hide this SSID (a wireless client scanning for an AP will not find this SSID).
Security: Select a security profile to use with this SSID profile. See Section 8.3 on page 111 for more information.
RADIUS: Select a RADIUS profile from the drop-down list box, if you have a RADIUS server configured. If you do not need to use RADIUS authentication, ignore this field. See Section 8.5 on page 119 for more information.
Table 36 Configuring SSID (continued)
QoS: Select the Quality of Service priority for this BSS's traffic.
• In the pre-configured VoIP SSID profile, the QoS setting is VoIP. This is not user-configurable. The VoIP setting is available only on the VoIP SSID profile, and provides the highest level of QoS.
• If you select WMM from the QoS list, the priority of a data packet depends on the packet's IEEE 802.1q or DSCP header. See Section 7.3.1 on page 92 for more information on WMM and WMM priorities. If a packet has no WMM value assigned to it, it is assigned the default priority.
• If you select ATC from the QoS list, the ZyXEL Device automatically assigns priority bas
343. 4 Use the Import certificate dialog box to locate the certificate and then click Open.
Figure 238 Opera 9: Import certificate
5 In the Install authority certificate dialog box, click Install.
Figure 239 Opera 9: Install authority certificate
6 Next, click OK.
Figure 240 Opera 9: Install authority certificate
7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.
Removing a Certificate in Opera
This section shows you how to remove a public key certificate in Opera 9.
1 Open Opera and click Tools > Preferences.
Figure 241 Opera 9: Tools Menu
2 In Preferences, Advanced > Security > Manage certificates.
344. tion disconnects from the ZyXEL Device.
pwTrapSecurityStatus | 1.3.6.1.4.1.890.1.9.2.1.2 | This is to enable or disable the security group trap.
pwWlanStaAuthFail | 1.3.6.1.4.1.890.9.2.3.2.1 | This trap is sent when a wireless station fails to authenticate with the ZyXEL Device.
Table 50 SNMP Traps (continued)
TRAP NAME | OBJECT IDENTIFIER (OID) | DESCRIPTION
pwTrapTFTPStatus | 1.3.6.1.4.1.890.1.9.2.1.3 | This is to enable or disable the TFTP group trap.
pwTFTPStatus | 1.3.6.1.4.1.890.9.2.3.3.1 | This trap is sent to indicate the status and result of a TFTP client session that has ended.
13.11 SNMP Trap Interface Index
Some traps include an SNMP interface index. The following table maps the SNMP interface indexes to the ZyXEL Device's physical and virtual ports.
Table 51 SNMP Interface Index to Physical and Virtual Port Mapping
TYPE | INTERFACE | PORT
Physical | enet0 | Wireless LAN adaptor WLAN1
Physical | enet1 | Ethernet port (LAN)
Physical | enet2 | Wireless LAN adaptor WLAN2
Virtual | enet3 - enet9 | WLAN1 in MBSSID mode
Virtual | enet10 - enet16 | WLAN2 in MBSSID mode
Virtual | enet17 - enet21 | WLAN1 in WDS mode
Virtual | enet22 - enet26 | WLAN2 in WDS mode
13.11.14 SNMP v3 and Security
SNMP v3 enhances security for SNMP management. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions. Security can be further en
345. tion, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-down list boxes and enter the certification authority's server address. You also need to fill in the Reference Number and Key if the certification authority requires them.
Enrollment Protocol: Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
Table 59 My Certificate Create (continued)
CA Server Address: Enter the IP address (or URL) of the certification authority server.
CA Certificate: Select the certification authority's certificate from the CA Certificate drop-down list box. You must have the certification authority's certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities.
Request Authentication: When you select Create a certification request and enroll for a certificate immedi
346. torial Configuration
4 Click Export. If a window similar to the following appears, click Save.
Figure 35 Tutorial: Warning
5 Save the friendly AP list somewhere it can be accessed by all the other access points on the network. In this example, save it on the network file server (E in Figure 31 on page 69). The default filename is "Flist".
Figure 36 Tutorial: Save Friendly AP list
5.3.2 Activate Periodic Rogue AP Detection
Take the following steps to activate rogue AP detection on the first of your ZyXEL Devices.
1 In the ROGUE AP > Conf
348. ts or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.
To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.
Registration
Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
Customer Support
In the event of problems that cannot be solved by using this manual, you sho
349. uld contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional offices are listed below (see also http://www.zyxel.com/web/contact_us.php). Please have the following information ready when you contact an office.
Required Information
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
"+" is the (prefix) number you dial to make an international telephone call.
Corporate Headquarters (Worldwide)
• Support E-mail: support@zyxel.com.tw
• Sales E-mail: sales@zyxel.com.tw
• Telephone: +886-3-578-3942
• Fax: +886-3-578-2439
• Web: www.zyxel.com
• Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan
China: ZyXEL Communications (Beijing) Corp.
• Support E-mail: cso.zycn@zyxel.cn
• Sales E-mail: sales@zyxel.cn
• Telephone: +86-010-82800646
• Fax: +86-010-82800587
• Address: 902, Unit B, Horizon Building, No. 6, Zhichun Str, Haidian District, Beijing
• Web: http://www.zyxel.cn
China: ZyXEL Communications (Shanghai) Corp.
• Support E-mail: cso.zycn@zyxel.cn
• Sales E-mail: sales@zyxel.cn
• Telephone: +86-021-61199055
• Fax: +86-021-52069033
• Address: 1005F, ShengGao International Tower, No. 137 XianXia Rd., Shanghai
• Web: http www
350. umeric characters (no spaces) as the key for encrypting communications between the AP and the ZyXEL Device. The key is not sent over the network. This key must be the same on the AP and the ZyXEL Device. Both the ZyXEL Device's IP address and this shared secret must also be configured in the external RADIUS server fields of the trusted AP.
Note: The first trusted AP fields are for the ZyXEL Device itself.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
14.5 Configuring Trusted Users
A trusted user entry consists of a wireless client user name and password. To configure trusted user entries, click AUTH SERVER > Trusted Users. The screen appears as shown.
Figure 103 Trusted Users Screen
The following table describes the labels in this screen.
Table 56 Trusted Users
Index: This field displays the trusted user index number.
Active: Select this check box to have the ZyAIR authenticate wireless clients with the same user name and password activated on their wireless utilities.
User Name: Enter the user name for this user account. This name can be up to 31 alp
351. unting Server Port: Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
Share Secret: Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the ZyXEL Device. The key must be the same on the external accounting server and your ZyXEL Device. The key is not sent over the network.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
MBSSID and SSID
This chapter describes how to configure and use your ZyXEL Device's MBSSID mode and configure SSID profiles.
9.1 Wireless LAN Infrastructures
See the Wireless LAN chapter for some basic WLAN scenarios and terminology.
9.1.1 MBSSID
Traditionally, you needed to use different APs to configure different Basic Service Sets (BSSs). As well as the cost of buying extra APs, there was also the possibility of channel interference. The ZyXEL Device's MBSSID (Multiple Basic Service Set IDentifier) function allows you to use one access point to provide several BSSs simultaneously. You can then assign varying levels of privilege to different SSIDs. Wireless stations can use different BSSIDs to associate with the same AP.
9.1.2 Notes on Multiple BSS
There is a maximum number of BS
352. up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.
Figure 190 Peer-to-Peer Communication in an Ad-hoc Network
BSS
A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
Figure 191 Basic Service Set
ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
An ESSID (ESS IDentification) uniquely identi
353. upport@zyxel.hu
• Sales E-mail: info@zyxel.hu
• Telephone: +36-1-3361649
• Fax: +36-1-3259100
• Web: www.zyxel.hu
• Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary
India
• Support E-mail: support@zyxel.in
• Sales E-mail: sales@zyxel.in
• Telephone: +91-11-30888144 to +91-11-30888153
• Fax: +91-11-30888149, +91-11-26810715
• Web: http://www.zyxel.in
• Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase-1, New Delhi 110020, India
Japan
• Support E-mail: support@zyxel.co.jp
• Sales E-mail: zyp@zyxel.co.jp
• Telephone: +81-3-6847-3700
• Fax: +81-3-6847-3705
• Web: www.zyxel.co.jp
• Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku, Tokyo 141-0022, Japan
Kazakhstan
• Support: http://zyxel.kz/support
• Sales E-mail: sales@zyxel.kz
• Telephone: +7-3272-590-698
• Fax: +7-3272-590-689
• Web: www.zyxel.kz
• Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan
Malaysia
• Support E-mail: support@zyxel.com.my
• Sales E-mail: sales@zyxel.com.my
• Telephone: +603-8076-9933
• Fax: +603-8076-9833
• Web: http://www.zyxel.com.my
• Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia
North America
• Support E-mail: support zyxel co
354. ure 154 Windows XP: Control Panel > Network Connections > Properties
4 On the General tab, select Internet Protocol (TCP/IP) and then click Properties.
Figure 155 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens.
Figure 156 Windows XP: Internet Protocol (TCP/IP) Properties
355. ure your ZyXEL Device for some example scenarios.
5.1 How to Configure the Wireless LAN
This section shows how to choose which wireless operating mode you should use on the ZyXEL Device, and the steps you should take to set up the wireless LAN in each wireless mode. See Section 5.1.3 on page 58 for links to more information on each step.
This section describes how to use the ZyXEL Device in standalone mode. For information on using the ZyXEL Device in a CAPWAP network, see Chapter 4 on page 51.
5.1.1 Choosing the Wireless Mode
• Use Access Point operating mode if you want to allow wireless clients to access your wired network, all using the same security and Quality of Service (QoS) settings. See Section 1.2.1 on page 34 for details.
• Use Bridge/Repeater operating mode if you want to use the ZyXEL Device to communicate with other access points. See Section 1.2.2 on page 34 for details. The ZyXEL Device is a bridge when other APs access your wired Ethernet network through the ZyXEL Device. The ZyXEL Device is a repeater when it has no Ethernet connection and allows other APs to communicate with one another through the ZyXEL Device.
• Use AP+Bridge operating mode if you want to use the ZyXEL Device as an access point (see above) while also communicating with other access points. See Section 1.2.3 on page 35 for details.
• Use MBSSID operating mode if you want to use the ZyXEL Device as an access point with some groups of users having
356. You already chose to use the security02 profile for this network, so select the radio button for security02 and click Edit. The following screen appears.
Figure 22 Tutorial: VoIP Security Profile Edit
• Change the Name field to "VoIP_Security" to make it easier to remember and identify.
• In this example, you do not have a RADIUS server for authentication, so select WPA2-PSK in the Security Mode field. WPA2-PSK provides strong security that anyone with a compatible wireless client can use, once they know the pre-shared key (PSK). Enter the PSK you want to use in your network in the Pre-Shared Key field. In this example, the PSK is "ThisismyWPA2-PSKpre-sharedkey".
• Click Apply. The WIRELESS > Security screen displays. Ensure that the Profile Name for entry 2 displays "VoIP_Security" and that the Security Mode is WPA2-PSK.
Figure 23 Tutorial: VoIP Security Updated
358. vice can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
SSL Passthrough
SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with "https" instead of "http". The ZyXEL Device allows SSL connections to take place through the ZyXEL Device.
MAC Address Filter
Your ZyXEL Device checks the MAC address of the wireless station against a list of allowed or denied MAC addresses.
Wireless Association List
With the wireless association list, you can see the list of the wireless stations that are currently using the ZyXEL Device to access your wired network.
Logging and Tracing
Built-in message logging and packet tracing.
Embedded FTP and TFTP Servers
The embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.
Auto Configuration
Administrators can use text configuration files to configure the wireless LAN settings for multiple APs. The AP can automatically get a configuration file from a TFTP server at start up or after renewing DHCP client info
359. vice uses for specific DSCP values.
Table 19 ToS and IEEE 802.1d to WMM QoS Priority Level Mapping
DSCP VALUE | WMM QOS PRIORITY LEVEL
224, 192 | voice
160, 128 | video
96, 0 | besteffort
64, 32 | background
The ZyXEL Device also uses best effort for any DSCP value for which another WMM QoS priority is not specified (255, 158 or 37 for example).
7.4 Spanning Tree Protocol (STP)
STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.
7.4.1 Rapid STP
The ZyXEL Device uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree while also being backwards compatible with STP-only aware bridges. Using RSTP, topology change information does not have to propagate to the root bridge, and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding.
7.4.2 STP Terminology
The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value (MAC address).
Path cost is the cost of transmitting a frame onto a LAN through that port. It is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost (see the following tabl
360. while processing the configuration file, the AP generates a message with the line number and reason for the first error (subsequent errors during the processing of an individual configuration file are not recorded). You can use SNMP management software to display the message by using the following MIB.
Table 105 Displaying the Auto Configuration Status
ITEM | OBJECT ID | DESCRIPTION
pwAutoCfgMessage | 1.3.6.1.4.1.890.1.9.1.9 | Auto configuration status message string
The commands will be executed line by line, just like if you entered them in a console or Telnet CI session. Be careful to ensure the integrity of the whole AP configuration. If there are existing settings in the AP, the newly loaded configuration file will either coexist with the previous settings or replace them.
You can zip each configuration file. You must use the store compression method and a .zip file extension. When zipping a configuration file, you can also add password protection using the same password that you use to log into the AP.
Wcfg Command Configuration File Examples
These example configuration files use the wcfg command to configure security and SSID profiles.
Figure 257 WEP Configuration File Example
!#ZYXEL PROWLAN
!#VERSION 11
wcfg security 1 name Test-wep
wcfg security 1 security wep
wcfg security 1 wep keysize 64 ascii
wcfg security 1 wep key1 abcde
wcfg security 1 wep key2 bcdef
wcfg security 1 wep key3 cdefg
wcfg security 1 w
361. will configure the SERVER 2 network that allows Bob to access secure server 2 and the Internet. To do this, repeat the procedure in Section 5.4.4 on page 77, substituting the following information.
Table 9 Tutorial: SERVER 2 Network Information
SSID Screen
  Index: 4
  Profile Name: SERVER 2
SSID Edit (SERVER 2) Screen
  L2 Isolation: L2Isolation04
  MAC Filtering: macfilter04
Layer 2 Isolation (L2Isolation04) Screen
  Profile Name: L 2 ISO_SERVER 2
  Set 1: MAC Address 77:66:55:44:33:22, Description NET SWITCH
  Set 2: MAC Address 99:88:77:66:55:44, Description SERVER 2
  Set 3: MAC Address 66:55:44:33:22:11, Description GATEWAY
MAC Filter (macfilter04) Edit Screen
  Profile Name: MacFilter SERVER 2
  Set 1: MAC Address 22:33:44:55:66:77, Description Bob
5.4.6 Checking your Settings and Testing the Configuration
5.4.6.1 Checking Settings
Use the following sections to ensure that your wireless networks are set up correctly.
Take the following steps to check that the ZyXEL Device is using the correct SSIDs, MAC filters and layer 2 isolation profiles.
1 Click WIRELESS > Wireless. Check that the Operating Mode is MBSSID and that the correct SSID profiles are selected and activated, as shown in the following figure.
Figure 44 Tutorial: SSID Profiles Activated
362. xample of a Wireless Network
The wireless network is the part in the blue circle. In this wireless network, devices A and B use the access point (AP) to interact with the other devices (such as the printer) or with the Internet. Your ZyXEL Device is the AP.
Every wireless network must follow these basic guidelines.
• Every device in the same wireless network must use the same SSID. The SSID is the name of the wireless network. It stands for Service Set IDentity.
• If two wireless networks overlap, they should use a different channel. Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information.
• Every device in the same wireless network must use security compatible with the AP. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.
7.2 Wireless LAN Basics
See the Wireless LANs Appendix for information on the following:
• Wireless LAN Topologies
• Channel
• RTS/CTS
• Fragmentation Threshold
• IEEE 802.1x
• RADIUS
• Types of Authentication
• WPA
• Security Parameters Summary
7.3 Quality of Service
This section discusses the Quality of Service (QoS) features availabl
363. y [screenshot: Internet Options dialog, Privacy tab, with the privacy slider and the Pop-up Blocker "Block pop-ups" option]
3 Click Apply to save this setting.
Enable pop-up Blockers with Exceptions
Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings to open the Pop-up Blocker Settings screen.
[NWA3550 User's Guide, Appendix C Pop-up Windows, JavaScripts and Java Permissions]
Figure 198 Internet Options: Privacy
364. y machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example), you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
• 10.0.0.0 - 10.255.255.255
• 172.16.0.0 - 172.31.255.255
• 192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses. Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.
[NWA3550 User's Guide]
Text File Based Auto Configuration
This chapter describes how administrators can use text configuration files to configure the wireless LAN settings for multiple APs.
Text File Based Auto Configuration Overview
You can use plain text configuration files to configure the w
365. ynamically assigned IP address from a DHCP server, check your DHCP server for the IP address assigned to the ZyXEL Device.
[NWA3550 User's Guide, page 233, Chapter 19 Troubleshooting]
I forgot the password.
1 The default password is 1234.
2 If this does not work, you have to reset the device to its factory defaults. Contact your vendor.
I cannot see or access the Login screen in the web configurator.
1 Make sure you are using the correct IP address.
• The default IP address is 192.168.1.2.
• If you changed the IP address (Section 11.3 on page 142), use the new IP address.
• If you changed the IP address and have forgotten it, see the troubleshooting suggestions for "I forgot the IP address for the ZyXEL Device".
2 Check the hardware connections. See the Quick Start Guide.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Section 19.1 on page 233.
4 Make sure your computer is in the same subnet as the ZyXEL Device. (If you know that there are routers between your computer and the ZyXEL Device, skip this step.) If there is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the ZyXEL Device.
5 Reset the device to its factory defaults, and try to access the ZyXEL Device with the default IP address. Contact your vendor.
6 If the problem continues, contact the network administrator or vendor, or try the advanced suggestions
366. ys. Select a remote access policy and click the Add button. The policy is added to the field below. Only one VLAN Group should be associated with each policy.
5 Click OK and Next in the next few screens to accept the group value.
[NWA3550 User's Guide, Chapter 17 VLAN]
Figure 126 Adding VLAN Group
6 When the Permissions options screen displays, select Grant remote access permission. Click Next to grant access based on group membership. Click the Edit Profile button.
Figure 127 Granting Permissions and User Profile Screens
7 The Edit Dial-in Profile screen dis