NWA-3500/NWA-3550
802.11a/g Dual Radio Wireless Business AP
802.11a/g Dual Radio Outdoor WLAN Business AP

Default Login Details
IP Address: http://192.168.1.2
Password: 1234

Firmware Version 3.7
Edition 2, 8/2009
www.zyxel.com
About This User's Guide

Intended Audience
This manual is intended for people who want to configure the NWA using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
Customer Support
In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warnings tell you about things that could harm you or your NWA.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
• The NWA-3500 or the NWA-3550 may be referred to as the “NWA”, the “device”, the “system” or the “product” in this User’s Guide.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The NWA icon is not an exact representation of your NWA.
Safety Warnings
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on top of the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• ONLY qualified service personnel should service or disassemble this device.
• Make sure to connect the cables to the correct ports.
PART I
Introduction
• Introducing the NWA
• The Web Configurator
• Status Screens
• Management Mode
• Tutorial
CHAPTER 1
Introducing the NWA

Note: This User’s Guide includes the NWA-3500 and the NWA-3550. Illustrations used throughout this book are based on the NWA-3500 (unless otherwise stated). The Web Configuration screens are based on the NWA-3500 (unless otherwise stated).

1.1 Overview
This chapter introduces the main applications and features of the NWA. It also introduces the ways you can manage the NWA.
1.2 Applications for the NWA
The NWA can be configured to use the following WLAN operating modes:
• Access Point (AP)
• Bridge / Repeater
• AP + Bridge
• MBSSID
Applications for each operating mode are shown below.
Note: A different channel should be configured for each WLAN interface to reduce the effects of radio interference.

1.2.1 Access Point
The NWA is an ideal access solution for wireless Internet connection.
1.2.2 Bridge / Repeater
The NWA can act as a wireless network bridge and establish wireless links with other APs. In the figure below, the two NWAs (A and B) are connected to independent wired networks and have a bridge connection (A can communicate with B) at the same time. A NWA in repeater mode (C in Figure 3) has no Ethernet connection. When the NWA is in bridge mode, you should enable Spanning Tree Protocol (STP) to prevent bridge loops.
Figure 3 Repeater Application

1.2.2.1 Bridge / Repeater Mode Example
In the example below, when both NWAs are in Bridge / Repeater mode, they form a WDS (Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers in LAN 2.
Figure 4 Bridging Example
Be careful to avoid bridge loops when you enable bridging in the NWA.
• If two or more NWAs (in bridge mode) are connected to the same hub.
Figure 5 Bridge Loop: Two Bridges Connected to Hub
• If your NWA (in bridge mode) is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN.
1.2.3 AP + Bridge
In AP + Bridge mode, the NWA supports both AP and bridge connection at the same time. In the figure below, A and B use X as an AP to access the wired network, while X and Y communicate in bridge mode. When the NWA is in AP + Bridge mode, security between APs (WDS) is independent of the security between the wireless stations and the AP. If you do not enable WDS security, traffic between APs is not encrypted.
provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile. You can configure up to sixteen SSID profiles, and have up to eight active at any one time. You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs.
1.2.5 Pre-Configured SSID Profiles
The NWA has two pre-configured SSID profiles.
• VoIP_SSID. This profile is intended for use by wireless clients requiring the highest QoS level for VoIP telephony and other applications requiring low latency. The QoS level of this profile is not user-configurable.
• Guest_SSID.
1.3 CAPWAP
The NWA supports Control And Provisioning of Wireless Access Points (CAPWAP). This is ZyXEL’s implementation of the Internet Engineering Task Force’s (IETF) CAPWAP protocol. ZyXEL’s CAPWAP allows a single access point to manage up to eight other access points. The managed APs receive all their configuration information from the controller AP. The CAPWAP dataflow is protected by Datagram Transport Layer Security (DTLS).
1.4 Ways to Manage the NWA
Use any of the following methods to manage the NWA.
• Web Configurator. This is recommended for everyday management of the NWA using a (supported) web browser.
• Command Line Interface (CLI). Line commands are mostly used for troubleshooting by service engineers.
• File Transfer Protocol (FTP). This protocol can be used for firmware upgrades and configuration backup and restore.
• Simple Network Management Protocol (SNMP).
1.6.1 Control Access to Your Device
Ensure only people with permission can access your NWA.
• Control physical access by locating devices in secure areas, such as locked rooms. Most NWAs have a reset button. If an unauthorized person has access to the reset button, they can then reset the device’s password to its default password, log in and reconfigure its settings.
1.7 Hardware Connections
See your Quick Start Guide for information on making hardware connections.

1.7.1 Antennas
Your NWA has two wireless LAN adaptors, WLAN1 and WLAN2. WLAN1 uses the RF1 antenna or the antenna on the right (when facing the device). WLAN2 uses the RF2 antenna or the antenna on the left. If you connect only one antenna, you can use only the associated wireless LAN adaptor.

1.8 LEDs
This section applies to the NWA-3500 only.
The following table describes the behavior of the device LEDs.
LABEL | LED | COLOR | STATUS | DESCRIPTION
1 | | Green | On | The wireless adaptor WLAN1 is active.
 | | | Blinking | The wireless adaptor WLAN1 is active, and transmitting or receiving data.
 | | | Off | The wireless adaptor WLAN1 is not active.
 | | Green | On | The NWA is in AP + Bridge or Bridge/Repeater mode, and has successfully established a Wireless Distribution System (WDS) connection.
 | | Red | Flashing | The NWA is starting up.
LABEL | LED | COLOR | STATUS | DESCRIPTION
5 | | Green | On | The NWA has a 10 Mbps Ethernet connection.
 | | | Blinking | The NWA has a 10 Mbps Ethernet connection and is sending or receiving data.
 | | | On | The NWA has a 100 Mbps Ethernet connection.
 | | | Blinking | The NWA has a 100 Mbps Ethernet connection and is sending/receiving data.
 | | | Off | The NWA does not have an Ethernet connection.
CHAPTER 2
The Web Configurator

2.1 Overview
This chapter describes how to access the NWA’s web configurator and provides an overview of its screens.

2.2 Accessing the Web Configurator
1 Make sure your hardware is properly connected and prepare your computer or computer network to connect to the NWA (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "http://192.168.1.2" as the URL (default).
4 Type "1234" (default) as the password and click Login.
6 Click Apply in the Replace Certificate screen to create a certificate using your NWA’s MAC address that will be specific to this device.
You should now see the Status screen. See Chapter 2 on page 37 for details about the Status screen.
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the NWA if this happens.
2.
2.4 Navigating the Web Configurator
The following summarizes how to navigate the web configurator from the Status screen.
Click LOGOUT at any time to exit the web configurator.
Check the status bar at the bottom of the screen when you click Apply or OK to verify that the configuration has been updated.
CHAPTER 3
Tutorial

3.1 Overview
This chapter first provides a basic overview of how to configure the wireless LAN on your NWA, and then gives step-by-step guidelines showing how to configure your NWA for some example scenarios.

3.2 How to Configure the Wireless LAN
This section shows how to choose which wireless operating mode you should use on the NWA, and the steps you should take to set up the wireless LAN in each wireless mode. See Section 3.2.3 on page 43 for links to more information on each step.
3.2.2 Wireless LAN Configuration Overview
The following figure shows the steps you should take to configure the wireless settings according to the operating mode you select. Use the Web Configurator to set up your NWA’s wireless network (see your Quick Start Guide for information on setting up your NWA and accessing the Web Configurator).
Figure 13 Configuring Wireless LAN (flowchart: Select Operating Mode; Access Point Mode or Bridge / Repeater Mode; Select 802.11 Mode and Channel ID)
3.2.3 Further Reading
Use these links to find more information on the steps:
• Choosing 802.11 Mode: see Section 8.2.1 on page 120.
• Choosing a wireless Channel ID: see Section 8.2.1 on page 120.
• Selecting and configuring SSID profile(s): see Section 8.2.1 on page 120 and Section 9.2 on page 151.
• Configuring and activating WDS Security: see Section 8.2.2 on page 127.
• Editing Security Profile(s): see Section 10.2 on page 161.
• Configuring an external RADIUS server: see Section 11.
The following figure shows the multiple networks you want to set up. Your NWA is marked Z, the main network router is marked A, and your network printer is marked B.
Figure 14 Tutorial: Example MBSSID Setup
The standard network (SSID04) has access to all resources. The VoIP network (VoIP_SSID) has access to all resources and a high QoS setting. The guest network (Guest_SSID) has access to the Internet and the network printer only, and a low QoS setting.
3.3.1 Change the Operating Mode
Log in to the NWA (see Section 2.2 on page 37). Click Wireless > Wireless. The Wireless screen appears.

3.3.1.1 Access Point
The NWA’s WLAN interface WLAN1 is set to Access Point operating mode, and is currently using the SSID03 profile.
3.3.1.2 MBSSID
Select MBSSID from the Operating Mode drop-down list box. The screen displays as follows.
Figure 16 Tutorial: Wireless LAN: Change Mode
This Select SSID Profile table allows you to activate or deactivate SSID profiles. Your wireless network was previously using the SSID03 profile, so select SSID04 in one of the Profile list boxes (number 3 in this example). Select the Index box for the entry and click Apply to activate the profile.
3.3.2 Configure the VoIP Network
Next, click Wireless > SSID. The following screen displays. Note that the SSID03 SSID profile (the standard network) is using the security01 security profile. You cannot change this security profile without changing the standard network’s parameters, so when you set up security for the VoIP_SSID and Guest_SSID profiles you will need to set different security profiles.
1 Choose a new SSID for the VoIP network. In this example, enter VOIP_SSID_Example. Note that although the SSID changes, the SSID profile name (VoIP_SSID) remains the same as before.
2 Select Enable from the Hide Name (SSID) list box. You want only authorized company employees to use this network, so there is no need to broadcast the SSID to wireless clients scanning the area.
You already chose to use the security02 profile for this network, so select the radio button for security02 and click Edit. The following screen appears.
Figure 20 Tutorial: VoIP Security Profile Edit
1 Change the Name field to “VoIP_Security” to make it easier to remember and identify.
2 In this example, you do not have a RADIUS server for authentication, so select WPA2-PSK in the Security Mode field.
3.3.2.2 Activate the VoIP Profile
You need to activate the VoIP_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the VoIP_SSID profile’s Active checkbox and click Apply.
Figure 22 Tutorial: Activate VoIP Profile
Your VoIP wireless network is now ready to use. Any traffic using the VoIP_SSID profile will be given the highest priority across the wireless network.
3.3.
Click Wireless > SSID. Select Guest_SSID’s entry in the list and click Edit. The following screen appears.
Figure 23 Tutorial: Guest Edit
1 Choose a new SSID for the guest network. In this example, enter Guest_SSID_Example. Note that although the SSID changes, the SSID profile name (Guest_SSID) remains the same as before.
2 Select Disable from the Hide Name (SSID) list box. This makes it easier for guests to configure their own computers’ wireless clients to your network’s settings.
3.3.3.1 Set Up Security for the Guest Profile
Now you need to configure the security settings to use on the guest wireless network. Click the Security tab.
You already chose to use the security03 profile for this network, so select security03’s entry in the list and click Edit. The following screen appears.
Figure 24 Tutorial: Guest Security Profile Edit
1 Change the Name field to “Guest_Security” to make it easier to remember and identify.
3.3.3.2 Set up Layer 2 Isolation
Configure layer 2 isolation to control the specific devices you want the users on your guest network to access. Click WIRELESS > Layer-2 Isolation. The following screen appears.
Figure 26 Tutorial: Layer 2 Isolation
The Guest_SSID network uses the l2isolation01 profile by default, so select its entry and click Edit. The following screen displays.
3.3.3.3 Activate the Guest Profile
You need to activate the Guest_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the check box for the Guest_SSID profile and click Apply.
Figure 28 Tutorial: Activate Guest Profile
Your guest wireless network is now ready to use.

3.3.4 Testing the Wireless Networks
To make sure that the three networks are correctly configured, do the following.
3.4 How to Set Up and Use Rogue AP Detection
This example shows you how to configure the rogue AP detection feature on the NWA. A rogue AP is a wireless access point operating in a network’s coverage area that is not a sanctioned part of that network. The example also shows how to set the NWA to send out e-mail alerts whenever it detects a rogue wireless access point. See Chapter 15 on page 187 for background information on the rogue AP function and security considerations.
marked E, and a computer, marked F, connected to the wired network. The coffee shop’s access point is marked 1.
Figure 29 Tutorial: Wireless Network Example
In the figure, the solid circle represents the range of your wireless network, and the dashed circle represents the extent of the coffee shop’s wireless network. Note that the two networks overlap. This means that one or more of your APs can detect the AP (1) in the other wireless network.
Note: The NWA can detect the MAC addresses of APs automatically. However, it is more secure to obtain the correct MAC addresses from another source and add them to the friendly AP list manually. For example, an attacker’s AP mimicking the correct SSID could be placed on the friendly AP list by accident, if selected from the list of auto-detected APs.
In this example you have spoken to the coffee shop’s owner, who has told you the correct MAC address of his AP.
MAC ADDRESS | DESCRIPTION
0A:A0:0A:A0:0A:A0 | My Access Point D
AF:AF:AF:FA:FA:FA | Coffee Shop Access Point 1
Note: You can add APs that are not part of your network to the friendly AP list, as long as you know that they do not pose a threat to your network’s security.
The Friendly AP screen now appears as follows.
4 Click Export. If a window similar to the following appears, click Save.
Figure 33 Tutorial: Warning
5 Save the friendly AP list somewhere it can be accessed by all the other access points on the network. In this example, save it on the network file server (E in Figure 29 on page 56). The default filename is “Flist”.
3.4.2 Activate Periodic Rogue AP Detection
Take the following steps to activate rogue AP detection on the first of your NWAs.
1 In the ROGUE AP > Configuration screen, select Enable from the Rogue AP Period Detection field.
Figure 35 Tutorial: Periodic Rogue AP Detection
2 In the Period field, enter how often you want the NWA to scan for rogue APs. You can have the NWA scan anywhere from once every ten minutes to once every hour. In this example, enter “10”.
3.4.3 Set Up E-mail Logs
In this section, you will configure the first of your four APs to send a log message to your e-mail inbox whenever a rogue AP is discovered in your wireless network’s coverage area.
1 Click LOGS > Log Settings. The following screen appears.
Figure 36 Tutorial: Log Settings
2 In this example, your mail server’s IP address is 192.168.1.25. Enter this IP address in the Mail Server field.
3 Enter a subject line for the alert e-mails in the Mail Subject field.
5 In the Send Immediate Alert section, select the events you want to trigger immediate e-mails. Ensure that Rogue AP Detection is selected.
6 Click Apply.

3.4.4 Configure Your Other Access Points
Access point A is now configured to do the following.
• Scan for access points in its coverage area every ten minutes.
• Recognize friendly access points from a list.
• Send immediate alerts to your email account if it detects an access point not on the list.
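The check those three points describe, written out as an added Python example (not ZyXEL's code and not how the NWA implements it): it loads a friendly AP list, classifies each scanned AP by MAC address, and ranks unknown APs that advertise one of your own SSIDs first, which is the mimicking case the note on the friendly AP list warns about. The list layout, scan tuples, SSID names and the two unknown MAC addresses are constructed for illustration; the format of the exported Flist file is not shown in this guide.

```python
import re

# Accepts 0A:A0:0A:A0:0A:A0, 0a-a0-0a-a0-0a-a0 or 0AA00AA00AA0.
MAC_PATTERN = re.compile(r"[0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5}")


def normalize_mac(raw):
    """Return a MAC as upper-case, colon-separated hex; raise ValueError if malformed."""
    raw = raw.strip()
    if not MAC_PATTERN.fullmatch(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[:-]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_friendly(text):
    """Parse 'MAC description' lines (constructed layout, not the Flist format).

    Returns (friendly, rejected): a dict of MAC -> description, and the lines
    whose MAC could not be parsed. A mistyped entry is reported rather than
    silently dropped, because a missing friendly entry turns into false alerts.
    """
    friendly, rejected = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, _, description = line.partition(" ")
        try:
            friendly[normalize_mac(mac)] = description.strip()
        except ValueError:
            rejected.append(line)
    return friendly, rejected


def classify(scan, friendly, own_ssids):
    """Label each scanned (bssid, ssid) pair.

    friendly        MAC is on the friendly AP list
    rogue-own-ssid  MAC is unknown AND it advertises one of our SSIDs
    rogue           MAC is unknown, unrelated SSID
    """
    findings = []
    for bssid, ssid in scan:
        mac = normalize_mac(bssid)
        if mac in friendly:
            verdict = "friendly"
        elif ssid in own_ssids:
            verdict = "rogue-own-ssid"
        else:
            verdict = "rogue"
        findings.append((mac, ssid, verdict))
    return findings


def alerts(findings):
    """Return alert lines for non-friendly APs, own-SSID lookalikes first."""
    priority = {"rogue-own-ssid": 0, "rogue": 1}
    hits = sorted((f for f in findings if f[2] in priority),
                  key=lambda f: (priority[f[2]], f[0]))
    return [f"{verdict.upper()}: BSSID {mac} SSID {ssid!r}"
            for mac, ssid, verdict in hits]


# Constructed sample data. The first two MACs are the ones in the tutorial's
# friendly AP table; the third line is a deliberately mistyped entry.
FRIENDLY_LIST = """
0A:A0:0A:A0:0A:A0  My Access Point D
AF:AF:AF:FA:FA:FA  Coffee Shop Access Point 1
0A:A0:0A:A0:0A     Mistyped entry
"""
OWN_SSIDS = {"CompanyNet"}              # hypothetical SSID of your network
SCAN = [
    ("0a:a0:0a:a0:0a:a0", "CompanyNet"),   # your own AP
    ("af-af-af-fa-fa-fa", "CoffeeShop"),   # neighbour, listed as friendly
    ("02:66:77:88:99:AA", "FreeWifi"),     # unknown AP, unrelated SSID
    ("02:11:22:33:44:55", "CompanyNet"),   # unknown AP advertising your SSID
]

if __name__ == "__main__":
    friendly, rejected = load_friendly(FRIENDLY_LIST)
    for line in rejected:
        print("friendly list entry rejected:", line)
    for line in alerts(classify(SCAN, friendly, OWN_SSIDS)):
        print(line)
```

The comparison is on MAC address only, so a match shows that the address is on the list, not that the device is the one you listed.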
3.4.5 Test the Setup
Next, test your setup to ensure it is correctly configured.
• Log into each AP’s Web configurator and click ROGUE AP > Rogue AP. Click Refresh. If any of the MAC addresses from Section 3.4.1 on page 57 appear in the list, the friendly AP function may be incorrectly configured - check the ROGUE AP > Friendly AP screen. If any entries appear in the rogue AP list that are not in Section 3.4.
NWA is marked Z. C is a workstation on your wired network, D is your main network switch, and E is the security gateway you use to connect to the Internet.
Figure 37 Tutorial: Example Network

3.5.2 Your Requirements
1 You want to set up a wireless network to allow only Alice to access Server 1 and the Internet.
2 You want to set up a second wireless network to allow only Bob to access Server 2 and the Internet.
3.5.
Each SSID profile already uses a different pre-shared key.
In this example, you will configure access limitations for each SSID profile. To do this, you will take the following steps.
1 Configure the SERVER_1 network’s SSID profile to use specific MAC filter and layer-2 isolation profiles.
2 Configure the SERVER_1 network’s MAC filter profile.
3 Configure the SERVER_1 network’s layer-2 isolation profile.
4 Repeat steps 1 ~ 3 for the SERVER_2 network.
Take the following steps to configure the SERVER_1 network.
1 Log into the NWA’s Web Configurator and click Wireless > SSID. The following screen displays, showing the SSID profiles you already configured.
2 Select SERVER_1’s entry and click Edit. The following screen displays.
Figure 39 Tutorial: SSID Edit
Select l2Isolation03 in the L2 Isolation field, and select macfilter03 in the MAC Filtering field. Click Apply.
3 Click the Layer-2 Isolation tab. When the Layer-2 Isolation screen appears, select L2Isolation03’s entry and click Edit. The following screen displays.
8 Enter the MAC address of the device Alice uses to connect to the network in Index 1’s MAC Address field and enter her name in the Description field, as shown in the following figure. Change the Profile Name to “MacFilter_SERVER_1”. Select Allow Association from the Filter Action field and click Apply.
Figure 41 Tutorial: MAC Filter Edit (SERVER_1)
You have restricted access to the SERVER_1 network to only the networking device whose MAC address you entered.
Table 7 Tutorial: SERVER_2 Network Information
MAC Filter (macfilter04) Edit Screen
Profile Name | MacFilter_SERVER_2
Set 1 | MAC Address: 22:33:44:55:66:77
 | Description: Bob

3.5.6 Checking your Settings and Testing the Configuration
Use the following sections to ensure that your wireless networks are set up correctly.

3.5.6.1 Checking Settings
Take the following steps to check that the NWA is using the correct SSIDs, MAC filters and layer-2 isolation profiles.
2 Next, click the SSID tab. Check that each configured SSID profile uses the correct Security, Layer-2 Isolation and MAC Filter profiles, as shown in the following figure.
Figure 43 Tutorial: SSID Tab Correct Settings
If the settings are not as shown, follow the steps in the relevant section of this tutorial again.

3.5.6.2 Testing the Configuration
Before you allow employees to use the network, you need to thoroughly test whether the setup behaves as it should.
Attempt to access the Internet. You should be able to do so.
Attempt to access Server 1. You should be unable to do so. If you can do so, layer-2 isolation is misconfigured.
• Using Bob’s computer and wireless client, and incorrect security settings, attempt to associate with the SERVER_2 network. You should be unable to do so. If you can do so, security is misconfigured.
Additionally, you want a backup for this controller AP. You add another NWA (E) on the first floor of the building, which you will then set as a secondary controller AP.
Figure 44 Tutorial: Controller AP with Backup and Managed APs Example

3.6.2 Your Requirements
1 You want to manage the APs in your company using one controller AP’s Web Configurator.
1 Assign one NWA AP (A) as the controller AP for your wireless NWA AP network. This will be your primary controller AP. Acquire another NWA of the same model and with the same firmware version as A, to serve as the secondary controller AP (E). Both controller APs (A and E) are on the 1st floor of the building (recommended). The NWA APs (B, C and D) on the 2nd, 3rd and 4th floors are going to be your managed APs.
Note: The controllers need to have static IP addresses in the same network.
1 Access the Web Configurator of the NWA. Go to MGNT MODE to open the following screen.
Figure 45 Tutorial: MGNT Mode (AP Controller)
2 Select AP Controller and click Apply.
3 The device reboots. You need to log in again to the Web Configurator.

3.6.4.1 Secondary AP Controller
The secondary AP controller is simply a backup of the primary AP controller.
2 Enable Redundancy. Then select Secondary AP Controller and click Apply.

3.6.4.2 Primary AP Controller
The primary controller AP manages the NWA APs (in managed AP mode) in your network. Changes made in the Web Configurator of the NWA primary AP controller are synchronized automatically with the secondary controller AP (if there is one) and the members of the managed AP list.
1 To set your NWA in managed AP mode, open the MGNT screen in the Web Configurator of the NWA that you want to serve as a managed AP.
Figure 48 Tutorial: Managed AP
2 Select Managed AP and enter the IP addresses of the NWA primary and secondary controller AP (recommended). Click Apply.
Note: DHCP Server Option 43 enables your managed AP to send a request to be managed to controller APs that are within range, even if the controller AP belongs to another network.
If the Registration Type is set to Manual, the controller AP adds managed APs to a queue in the Un-Managed Access Points List in the Controller > AP Lists screen.
If the Registration Type is set to Always Accept, the controller AP immediately adds the AP to the Managed Access Points List in the Controller > AP Lists screen.
For this example, we set the Registration Type to Manual.
1 To add a managed AP to the controller AP’s coverage, go to Controller > AP Lists.
Turn on a WLAN Radio Profile by selecting the managed AP from the list and clicking Edit.
Figure 51 Tutorial: AP List (Managed)
4 In the screen that opens, choose the radio profile for each WLAN radio and click Apply.
Figure 52 Tutorial: Managed AP WLAN Radio Profile
In this example, the 1st floor NWA managed AP uses radio06 for its WLAN1 Radio Profile. The WLAN2 radio is disabled. Refer to Section 8.
3.6.7 Checking your Settings and Testing the Configuration
The NWAs should be working at this point. You can configure the settings of each NWA unit by just opening the Web Configurator of the primary controller AP.
One way to test if the setup is working is to use a wireless client to check if all the profiles you have set up in the managed APs and the controller APs are available for wireless connection.
PART II The Web Configurator
System Screens, Wireless Configuration, SSID Screen, Wireless Security Screen, RADIUS Screen, Layer-2 Isolation Screen, MAC Filter Screen, IP Screen, Rogue AP Detection, Remote Management Screens, Internal RADIUS Server, Certificates, Log Screens, VLAN, Maintenance
CHAPTER 4 Status Screens 4.1 Overview The Status screen displays when you log into the NWA or click Status in the navigation menu. Use this screen to look at the current status of the device, system resources, and interfaces. The Status screen also provides detailed information about system statistics, associated wireless clients, and logs. 4.2 The Status Screen Use this screen to get a quick view of system, Ethernet, WLAN and other information regarding your NWA. Click Status.
Chapter 4 Status Screens The following table describes the labels in this screen. Table 8 The Status Screen LABEL DESCRIPTION Automatic Refresh Interval Enter how often you want the NWA to update this screen. Refresh Click this to update this screen immediately. System Information System Name This field displays the NWA system name. It is used for identification. You can change this in the System > General screen’s System Name field. Model This field displays the NWA’s exact model name.
Chapter 4 Status Screens Table 8 The Status Screen LABEL DESCRIPTION WLAN1 Associations This field displays the number of wireless clients currently associated with the first wireless module. It supports up to 128 concurrent associations. WLAN2 Associations This field displays the number of wireless clients currently associated with the second wireless module. It supports up to 128 concurrent associations. Interface Status Interface This column displays each interface of the NWA.
Chapter 4 Status Screens 4.2.1 System Statistics Screen Use this screen to view diagnostic information about the NWA. Click Show Statistics in the Status screen. The following screen pops up. Note: The Poll Interval field is configurable. The fields in this screen vary according to the current wireless mode of each WLAN adaptor. Figure 55 System Status: Show Statistics The following table describes the labels in this screen.
CHAPTER 5 Management Mode 5.1 Overview This chapter discusses using the NWA in management mode. This screen determines whether the NWA is used in its default standalone mode, or as part of a Control And Provisioning of Wireless Access Points (CAPWAP) network. 5.2 About CAPWAP The NWA supports CAPWAP. This is ZyXEL’s implementation of the IETF’s CAPWAP protocol (RFC 4118). The CAPWAP dataflow is protected by Datagram Transport Layer Security (DTLS).
Note: The NWA can be a controller AP, standalone AP (default) or a CAPWAP managed AP.
5.2.1 CAPWAP Discovery and Management
The link between CAPWAP-enabled access points proceeds as follows:
1 An AP in managed AP mode joins a wired network (receives a dynamic IP address).
2 The AP sends out a management request, looking for an AP in CAPWAP AP controller mode.
3 If there is an AP controller on the network, it receives the management request.
DHCP Option 43 allows the CAPWAP management request (from the AP in managed AP mode) to reach the AP controller in a different subnet, as shown in the following figure.
Figure 57 CAPWAP and DHCP Option 43 (figure labels: Subnet 1, Subnet 2, DHCP server + Option 43, CAPWAP traffic, AP controller (static IP), managed AP (dynamic IP))
5.2.4 Notes on CAPWAP This section lists some additional features of ZyXEL’s implementation of the CAPWAP protocol.
Chapter 5 Management Mode 5.3 The Management Mode Screen Use this screen to configure the NWA as a CAPWAP controller AP, a CAPWAP managed AP, or to use it in its default standalone mode. Click MGNT MODE in the NWA’s navigation menu. The following screen displays. Figure 58 Management Mode The following table describes the labels in this screen. Table 10 Management Mode LABEL DESCRIPTION AP Controller Select this option to have the NWA act as a managing device for other NWAs on your network.
Table 10 Management Mode LABEL DESCRIPTION
Apply Click this to save your changes. If you change the mode in this screen, the NWA restarts. Wait a short while before you attempt to log in again. If you changed the mode to Managed AP, you cannot log in as the web configurator is disabled; you must manage the NWA through the management AP on your network.
Reset Click this to return this screen to its previously-saved settings.
CHAPTER 6 AP Controller Mode 6.1 Overview This chapter discusses the Controller AP management mode. When the NWA is used as a CAPWAP (Control And Provisioning of Wireless Access Points) controller AP, the Web Configurator changes to reflect this by including the Controller and Profile Edit screens. Refer to Section 5.2 on page 87 for more information on CAPWAP. 6.1.1 What You Can Do in AP Controller Mode • Use the Navigation Menu (Section 6.2 on page 94) to manage settings across all connected APs.
In the figure below, an administrator is able to manage the security settings of 5 APs (1 controller AP and 4 managed APs). He changes the security mode to WPAPSK just by accessing the Web Configurator of the controller AP (C).
Figure 59 CAPWAP Controller (figure labels: Managed APs, C)
Note: Be careful when configuring the controller AP as its managed APs automatically inherit some of its settings.
After logging in again, the navigation menu changes to include links for the Controller and Profile Edit screens. The items marked below are screens that can be configured for all APs managed by the NWA.
Figure 61 Controller AP Navigation Links (figure labels: A, B)
In the figure above, changes made in the highlighted screens of the Controller AP (A) are automatically applied to all the Managed APs (B).
Chapter 6 AP Controller Mode Click Status. The following screen displays. Figure 62 Status Screen The following table describes the new labels in this screen. Table 11 Status Screen LABEL DESCRIPTION System Information Registration Type This field displays how the managed APs are registered with the NWA. Manual displays if you add unmanaged APs to the NWA’s list of managed APs manually.
Chapter 6 AP Controller Mode Table 11 Status Screen LABEL DESCRIPTION 802.11b/g This field displays the number of wireless clients associated with APs managed by the NWA (including the NWA itself) using 802.11b/g radio mode. Redundancy The table below shows when redundancy is enabled (see Section 6.6 on page 102) and the NWA acts as the primary AP controller. Redundancy Device This field displays the IP address of the secondary AP controller.
Chapter 6 AP Controller Mode Click Controller > AP Lists. The following screen displays. Figure 63 AP Lists Screen The following table describes the labels in this screen. Table 12 AP Lists Screen LABEL DESCRIPTION Managed Access Points List This section lists the access points currently controlled by the NWA. This always includes the NWA itself. Index This is the index number of the managed AP. Select Click the topmost box either to select or deselect all NWAs in the list.
Table 12 AP Lists Screen LABEL DESCRIPTION
Status This displays whether the managed AP is active, not active or upgrading its firmware.
• Red: the AP is not active.
• Green: the AP is active.
• Yellow: the AP is upgrading its firmware.
Note: You can still edit a managed AP’s settings even if it is offline. However, the changes only take effect when the NWA detects that the managed AP is online again.
Chapter 6 AP Controller Mode 6.4.1 The AP Lists Edit Screen Use this screen to change the description or radio profile of an AP managed by the NWA. Click Edit in the CONTROLLER > AP Lists screen. The following screen displays. Figure 64 AP Configuration Screen The following table describes the labels in this screen. Table 13 AP Configuration Screen LABEL DESCRIPTION Model This is the model number of the managed AP. MAC Address This is the MAC address of the managed AP.
Chapter 6 AP Controller Mode 6.5 Configuration Screen Use this screen to control the way in which the NWA accepts new APs to manage. You can also configure the pre-shared key (PSK) that is used to secure the data transmitted between the NWA and the APs it manages. When the NWA is in AP controller mode, click CONTROLLER > Configuration. The following screen displays. Figure 65 Configuration Screen The following table describes the labels in this screen.
Chapter 6 AP Controller Mode 6.6 Redundancy Screen Use this screen to set the controller AP as a primary or secondary controller. If you set your NWA as a primary controller AP, you can have a secondary controller AP to serve as a backup. All configurations are synchronized between the NWA and the secondary controller AP. When the NWA is in AP controller mode, click CONTROLLER > Redundancy. The following screen displays. Figure 66 Redundancy Screen The following table describes the labels in this screen.
Chapter 6 AP Controller Mode • The Profile Edit > SSID screen (see Section 9.2 on page 151). • The Profile Edit > Security screen (see Section 10.2 on page 161). • The Profile Edit > RADIUS screen (see Section 11.2 on page 175). • The Profile Edit > Layer-2 Isolation screen (see Section 12.2 on page 179). • The Profile Edit > MAC Filter screen (see Section 13.2 on page 184). 6.7.1 The Radio Profile Screen Use this screen to configure radio profiles.
Chapter 6 AP Controller Mode Table 16 Radio Screen LABEL DESCRIPTION Channel ID This field displays the wireless channel the radio profile uses. Edit Click the radio button next to the profile you want to configure and click Edit to go to the radio profile configuration screen. 6.7.2 The Radio Profile Edit Screen Use this screen to configure a specific radio profile. In the Profile Edit > Radio screen, select a profile and click Edit. The following screen displays.
Chapter 6 AP Controller Mode The following table describes the labels in this screen. Table 17 Radio Edit Screen LABEL DESCRIPTION Profile Name Enter a name identifying this profile. 802.11 Mode This makes sure that only compliant WLAN devices can associate with the NWA. Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the NWA. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the NWA. Select 802.11b/g to allow both IEEE802.
Chapter 6 AP Controller Mode Table 17 Radio Edit Screen LABEL DESCRIPTION RTS/CTS Threshold Use RTS/CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops wireless clients from transmitting packets at the same time (and causing data collisions).
Chapter 6 AP Controller Mode Table 17 Radio Edit Screen LABEL DESCRIPTION Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh.
CHAPTER 7 System Screens 7.1 Overview This chapter provides information and instructions on how to identify and manage your NWA over the network. Figure 69 NWA Setup In the figure above, the NWA (ZyXEL Device) connects to a Domain Name Server (DNS) to make use of a domain name. It also connects to a Network Time Protocol (NTP) server to set the time on the device. 7.1.1 What You Can Do in the System Screens • Use the General screen (see Section 7.
Chapter 7 System Screens 7.1.2 What You Need To Know About the System Screens The following terms and concepts may help as you read through the chapter. IP Address Assignment Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems.
Chapter 7 System Screens Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.2, for your device, but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the device unless you are instructed to do otherwise.
Chapter 7 System Screens Table 19 System > General LABEL DESCRIPTION Administrator Inactivity Timer Type how many minutes a management session can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
Chapter 7 System Screens 7.3 Password Screen Use this screen to control access to your NWA by assigning a password to it. Click System > Password. The following screen displays. Figure 71 System > Password. Note: Even if you uncheck Enable Admin at Local, you still use the password set here to log in via the console port (not available on all models). The following table describes the labels in this screen.
Chapter 7 System Screens Table 20 System > Password LABEL DESCRIPTIONS Use new setting Select this if you want to change the RADIUS username and password the NWA uses to authenticate management logon. User Name Enter the username for this user account. This name can be up to 31 ASCII characters long, including spaces. Password Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type. Spaces are allowed.
7.4 Time Setting Screen Use this screen to change your NWA’s time and date. Click System > Time Setting. The following screen displays. Figure 72 System > Time Setting The following table describes the labels in this screen. Table 21 System > Time Setting LABEL DESCRIPTION Current Time and Date Current Time This field displays the time of your NWA. Each time you reload this page, the NWA synchronizes the time with the time server (if configured).
Chapter 7 System Screens Table 21 System > Time Setting LABEL DESCRIPTION New Date (yyyy:mm:dd) This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the NWA get the time and date from the time server you specify below. Auto Select this to have the NWA use the predefined list of time servers.
Chapter 7 System Screens Table 21 System > Time Setting LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, November and 2:00.
Chapter 7 System Screens The NWA continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified. Table 22 Default Time Servers ntp1.cs.wisc.edu ntp1.gbg.netnod.se ntp2.cs.wisc.edu tock.usno.navy.mil ntp3.cs.wisc.edu ntp.cs.strath.ac.uk ntp1.sp.se time1.stupi.se tick.stdtime.gov.tw tock.stdtime.gov.tw time.stdtime.gov.
CHAPTER 8 Wireless Configuration 8.1 Overview This chapter discusses the steps to configure the Wireless Settings screen on the NWA. It also introduces the wireless LAN (WLAN) and some basic scenarios. Figure 73 Wireless Mode In the figure above, the NWA (ZyXEL Device) allows access to another bridge device (A) and a notebook computer (B) upon verifying their settings and credentials. It denies access to other devices (C and D) with configurations that do not match those specified in your NWA. 8.
Chapter 8 Wireless Configuration 8.2.1 What You Need To Know About the Wireless Screen The following terms and concepts may help as you read through this chapter. BSS A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless stations in the BSS.
Chapter 8 Wireless Configuration An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate. Figure 75 Extended Service Set Operating Mode The NWA can run in four operating modes as follows: • AP (Access Point). The NWA is a wireless access point that allows wireless communication to other devices in the network. • Bridge / Repeater.
Chapter 8 Wireless Configuration SSID The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Normally, the NWA acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the NWA does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess.
Chapter 8 Wireless Configuration • MBSSID should not replace but rather be used in conjunction with 802.1x security. 8.3 The Wireless Screen Use this screen to choose the operating mode for your NWA. Click Wireless > Wireless. The screen varies depending upon the operating mode you select. Note: Some fields in this screen may not apply to your NWA model. 8.3.1 Access Point Mode Use this screen to use your NWA as an access point. Select Access Point as the Operating Mode. The following screen displays.
Chapter 8 Wireless Configuration The following table describes the general wireless LAN labels in this screen. Table 23 Wireless: Access Point LABEL DESCRIPTION WLAN Interface Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions. In addition, it is recommended that you set the WLAN interfaces into different 802.11 modes. For example, set WLAN1 to 802.11b/g (2.
Chapter 8 Wireless Configuration Table 23 Wireless: Access Point LABEL DESCRIPTION Disable DCS to unlock This appears if the DCS feature is enabled. Click this to disable DCS and select a channel ID manually. Note: DCS is Disabled by default Operating Channel This field displays only when you select 802.11a in the 802.11 Radio Mode field. This is the channel currently being used by your AP.
Chapter 8 Wireless Configuration Table 23 Wireless: Access Point LABEL DESCRIPTION SSID Profile The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Select an SSID Profile from the drop-down list box. Configure SSID profiles in the SSID screen (see Section 9.2 on page 147 for information on configuring SSID).
Chapter 8 Wireless Configuration Note: You can view an example of this setup in Section 8.4.3 on page 141. Figure 77 Wireless: Bridge / Repeater The following table describes the bridge labels in this screen. Table 24 Wireless: Bridge / Repeater LABEL DESCRIPTIONS WLAN Interface Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
Chapter 8 Wireless Configuration Table 24 Wireless: Bridge / Repeater LABEL DESCRIPTIONS 802.11 mode This makes sure that only compliant WLAN devices can associate with the NWA. Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the NWA. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the NWA. Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA.
Chapter 8 Wireless Configuration Table 24 Wireless: Bridge / Repeater LABEL DESCRIPTIONS Output Power Set the output power of the NWA in this field. If there is a high density of APs in an area, decrease the output power of the NWA to reduce interference with other APs. Select from 100% (Full Power), 50%, 25%, 12.5% and Minimum. See the product specifications for more information on your NWA’s output power. Note: Reducing the output power also reduces the NWA’s effective broadcast radius.
Table 24 Wireless: Bridge / Repeater LABEL DESCRIPTIONS
Remote Bridge MAC Type the MAC address of the peer device in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
PSK Type a pre-shared key (PSK) from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). You must also set the peer device to use the same pre-shared key. Each peer device can use a different pre-shared key.
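The limits stated for the Administrator Inactivity Timer (System > General), the user name and password (System > Password) and the Remote Bridge MAC and PSK fields above can be checked before a configuration is typed into the device. The following Python is an added example, not ZyXEL code; the dictionary layout, field names, severity labels and the 30-minute review threshold are assumptions made for illustration.

```python
import re

# Limits quoted from the guide's field descriptions.
PSK_MIN, PSK_MAX = 8, 63   # bridge pre-shared key length, in characters
CRED_MAX = 31              # user name / password length, in characters
# Assumption for this example: idle timeouts above this are flagged for review.
LONG_IDLE_MINUTES = 30

# Six hexadecimal character pairs separated by colons, e.g. 12:34:56:78:9a:bc.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


def printable_ascii(text):
    """True if every character is printable ASCII (space through tilde)."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in text)


def check_idle_timer(minutes):
    """Flag a missing, never-expiring or very long management idle timeout."""
    field = "inactivity_timer"
    if isinstance(minutes, bool) or not isinstance(minutes, int) or minutes < 0:
        return [("error", field, "must be a non-negative whole number of minutes")]
    if minutes == 0:
        return [("high", field, "0 means a management session never times out")]
    if minutes > LONG_IDLE_MINUTES:
        return [("medium", field,
                 "%d-minute idle timeout exceeds the review threshold" % minutes)]
    return []


def check_credential(field, value):
    """User name and password: non-empty, at most 31 ASCII characters."""
    value = value or ""
    findings = []
    if not value:
        findings.append(("error", field, "is empty"))
    if len(value) > CRED_MAX:
        findings.append(("error", field, "longer than %d characters" % CRED_MAX))
    if not printable_ascii(value):
        findings.append(("error", field, "contains non-ASCII or control characters"))
    return findings


def check_peer(index, peer):
    """Bridge peer: colon-separated MAC and an 8 to 63 character ASCII PSK."""
    findings = []
    mac = peer.get("mac") or ""
    psk = peer.get("psk") or ""
    if not MAC_RE.fullmatch(mac):
        findings.append(("error", "peers[%d].mac" % index,
                         "not six colon-separated hexadecimal pairs"))
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        findings.append(("error", "peers[%d].psk" % index,
                         "length %d is outside %d-%d" % (len(psk), PSK_MIN, PSK_MAX)))
    if not printable_ascii(psk):
        findings.append(("error", "peers[%d].psk" % index,
                         "contains non-ASCII or control characters"))
    return findings


def audit(config):
    """Return (severity, field, message) tuples; secrets are never echoed."""
    findings = check_idle_timer(config.get("inactivity_timer"))
    findings += check_credential("user_name", config.get("user_name"))
    findings += check_credential("password", config.get("password"))
    psk_users = {}
    for i, peer in enumerate(config.get("peers", [])):
        findings += check_peer(i, peer)
        if peer.get("psk"):
            psk_users.setdefault(peer["psk"], []).append(i)
    for indexes in psk_users.values():
        if len(indexes) > 1:  # advisory only: the guide allows one key per peer
            findings.append(("info", "peers",
                             "peers %s share one PSK; each peer can have its own" % indexes))
    return findings


# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = {
    "inactivity_timer": 0,
    "user_name": "wlan admin",
    "password": "x" * 32,
    "peers": [
        {"mac": "12:34:56:78:9a:bc", "psk": "Shared bridge key 01!"},
        {"mac": "12-34-56-78-9A-BD", "psk": "Shared bridge key 01!"},
        {"mac": "12:34:56:78:9A:BE", "psk": "s\u00e9cret7"},
    ],
}

if __name__ == "__main__":
    for severity, field, message in audit(SAMPLE_CONFIG):
        print("%-6s %-14s %s" % (severity, field, message))
```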
8.3.3 AP + Bridge Mode Use this screen to have the NWA function as a bridge and access point simultaneously. Select AP + Bridge as the Operating Mode. The following screen displays.
Chapter 8 Wireless Configuration The following table describes the bridge labels in this screen. Table 25 Wireless: AP + Bridge LABEL DESCRIPTIONS WLAN Interface Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions. Operating Mode Select AP + Repeater in this field. 802.11 mode This makes sure that only compliant WLAN devices can associate with the NWA. Select 802.
Chapter 8 Wireless Configuration Table 25 Wireless: AP + Bridge LABEL DESCRIPTIONS RTS/CTS Threshold Use RTS/CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops wireless clients from transmitting packets at the same time (and causing data collisions).
Table 25 Wireless: AP + Bridge LABEL DESCRIPTIONS
Rates Configuration This section controls the data rates permitted for clients. For each Rate, select an option from the Configuration list. The options are:
• Basic (1~11 Mbps only): Clients can always connect to the access point at this speed.
• Optional: Clients can connect to the access point at this speed, when permitted to do so by the AP.
Enable WDS Security (ZyAIR PRO Series Compatible)
Chapter 8 Wireless Configuration Table 25 Wireless: AP + Bridge LABEL DESCRIPTIONS Enable Antenna Diversity Select this to use antenna diversity. Antenna diversity uses multiple antennas to reduce signal interference. Enable Breathing LED Select this box to disable the WLAN LED (light). Clear this box to enable the WLAN LED. Enable Spanning Tree Control (STP) (R)STP (Section 8.4.1 on page 139) detects and breaks network loops and provides backup links between switches, bridges or routers.
8.3.4 MBSSID Mode Use this screen to have the NWA function in MBSSID mode. Select MBSSID as the Operating Mode. The following screen displays. Figure 79 Wireless: MBSSID The following table describes the labels in this screen. Table 26 Wireless: MBSSID LABEL DESCRIPTION WLAN Interface Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
Chapter 8 Wireless Configuration Table 26 Wireless: MBSSID LABEL DESCRIPTION 802.11 Mode This makes sure that only compliant WLAN devices can associate with the NWA. Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the NWA. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the NWA. Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA.
Chapter 8 Wireless Configuration Table 26 Wireless: MBSSID LABEL DESCRIPTION Fragmentation Threshold The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter an even number between 256 and 2346. Beacon Interval When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again.
Chapter 8 Wireless Configuration Table 26 Wireless: MBSSID LABEL DESCRIPTION Profile Select the profile(s) of the SSIDs you want to use in your wireless network. You can have up to eight BSSs running on the NWA simultaneously, one of which is always the pre-configured VoIP_SSID profile and another of which is always the preconfigured Guest_SSID profile. Configure SSID profiles in the SSID screen. Enable Antenna Diversity Select this to use antenna diversity.
Chapter 8 Wireless Configuration the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding. 8.4.1.2 STP Terminology The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value (MAC address). Path cost is the cost of transmitting a frame onto a LAN through that port. It is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost - see the following table.
Chapter 8 Wireless Configuration 8.4.1.4 STP Port States STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops. Table 28 STP Port States PORT STATES DESCRIPTIONS Disabled STP is disabled (default). Blocking Only configuration and management BPDUs are received and processed. Listening All BPDUs are received and processed.
Chapter 8 Wireless Configuration The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the channel of a new access point, which then informs the other access points on the LAN about the change. An example is shown in Figure 80 on page 142.
Chapter 8 Wireless Configuration 5 Access point AP 1 updates the new position of wireless station Y. 8.4.3.1 Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas. • All the access points must be on the same subnet and configured with the same ESSID. • If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station.
CHAPTER 9 SSID Screen 9.1 Overview This chapter describes how you can configure Service Set Identifier (SSID) profiles in your NWA. Figure 82 Sample SSID Profiles In the figure above, the NWA has three SSID profiles configured: a standard profile (SSID04), a profile with high QoS settings for Voice over IP (VoIP) users (VoIP_SSID), and a guest profile that allows visitors to access only the Internet and the network printer (Guest_SSID). 9.1.
Chapter 9 SSID Screen 9.1.2 What You Need To Know About SSID The following terms and concepts may help as you read through this chapter. When the NWA is set to Access Point, AP + Bridge or MBSSID mode, you need to choose the SSID profile(s) you want to use in your wireless network (see Section 8.3 on page 123 for more information on operating modes). To configure the settings of your SSID profile, you need to know the Media Access Control (MAC) addresses of the devices you want to allow access to it.
Chapter 9 SSID Screen 9.2 The SSID Screen Use this screen to select the SSID profile you want to configure. Click Wireless > SSID to display the screen as shown. Figure 83 SSID The following table describes the labels in this screen. Table 29 SSID LABEL DESCRIPTION Index This field displays the index number of each SSID profile. Profile Name This field displays the identification name of each SSID profile on the NWA. SSID This field displays the name of the wireless profile on the network.
Chapter 9 SSID Screen Table 29 SSID LABEL DESCRIPTION Layer-2 Isolation This field displays which layer 2 isolation profile is currently associated with each SSID profile, or Disable if Layer 2 Isolation is not configured on an SSID profile. MAC Filter This field displays which MAC filter profile is currently associated with each SSID profile, or Disable if MAC filtering is not configured on an SSID profile.
Table 30 Configuring SSID LABEL DESCRIPTION
QoS Displays the Quality of Service priority for this BSS’s traffic.
• In the pre-configured VoIP_SSID profile, the QoS setting is VoIP. This is not user-configurable. The VoIP setting is available only on the VoIP_SSID profile, and provides the highest level of QoS.
• If you select WMM from the QoS list, the priority of a data packet depends on the packet’s IEEE 802.1q or DSCP header.
Chapter 9 SSID Screen On APs without WMM QoS, all traffic streams are given the same access priority to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams. The NWA uses WMM QoS to prioritize traffic streams according to the IEEE 802.1q or DSCP information in each packet’s header.
typical data packet sizes. Note that the figures given are merely examples - sizes may differ according to application and circumstances.
Table 32 Typical Packet Sizes
APPLICATION             TIME SENSITIVITY   TYPICAL PACKET SIZE (BYTES)
Voice over IP (SIP)     High               < 250
Online Gaming           High               60 ~ 90
Web browsing (http)     Medium             300 ~ 600
FTP                     Low                1500
When ATC is activated, the device sends traffic with smaller packets before traffic with larger packets if the network is congested.
Chapter 9 SSID Screen 9.3.3.1 ATC+WMM from LAN to WLAN ATC+WMM from LAN (the wired Local Area Network) to WLAN (the Wireless Local Area Network) allows WMM prioritization of packets that do not already have WMM QoS priorities assigned. The NWA automatically classifies data packets using ATC and then assigns WMM priorities based on that ATC classification. The following table shows how priorities are assigned for packets coming from the LAN to the WLAN.
Chapter 9 SSID Screen based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. 9.3.4.
The following table lists which WMM QoS priority level the NWA uses for specific DSCP values.
Table 36 ToS and IEEE 802.1d to WMM QoS Priority Level Mapping
DSCP VALUE    WMM QOS PRIORITY LEVEL
224, 192      voice
160, 128      video
96, 0 [A]     best effort
64, 32        background
A. The NWA also uses best effort for any DSCP value for which another WMM QoS priority is not specified (255, 158 or 37 for example).
CHAPTER 10 Wireless Security Screen 10.1 Overview This chapter describes how to use the Wireless Security screen. This screen allows you to configure the security mode for your NWA. Wireless security is vital to your network. It protects communications between wireless stations, access points and the wired network. Figure 86 Securing the Wireless Network In the figure above, the NWA (ZyXEL Device) checks the identity of devices (A and B) before giving them access to the network.
Chapter 10 Wireless Security Screen 10.1.2 What You Need To Know About Wireless Security The following terms and concepts may help as you read through this chapter. User Authentication Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it. However, every device in the wireless network has to support IEEE 802.1x to do this.
• 802.1x-Static64. This provides 802.1x-Only authentication with a static 64-bit WEP key and an authentication server.
• 802.1x-Static128. This provides 802.1x-Only authentication with a static 128-bit WEP key and an authentication server.
• WPA. Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard.
• WPA2. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.
• WPA2-MIX.
Use this screen to choose and edit a security profile. Click Wireless > Security. The following screen displays.

Figure 87 Wireless Security

The following table describes the labels in this screen.

Table 38 Wireless Security
LABEL          DESCRIPTION
Index          This is the index number of the security profile.
Profile Name   This field displays a name given to a security profile in the Security configuration screen.
Chapter 10 Wireless Security Screen After selecting the security profile you want to edit, the following screen appears. Enter the name you want to call this security profile in the Profile Name field. Figure 88 Security Profile The next screen varies according to the Security Mode you select. 10.2.1 Security: WEP Use this screen to set the selected profile to Wired Equivalent Privacy (WEP) security mode. Select WEP in the Security Mode field to display the following screen.
Chapter 10 Wireless Security Screen Table 39 Security: WEP LABEL DESCRIPTION Authentication Method There are two types of WEP authentication namely, Open System and Shared Key. Open system is implemented for ease-of-use and when security is not an issue. The wireless station and the AP or peer computer do not share a secret key. Thus the wireless stations can associate with any AP or peer computer and listen to any transmitted data that is not encrypted.
Chapter 10 Wireless Security Screen 10.2.2 Security: 802.1x Only Use this screen to set the selected profile to 802.1x Only security mode. Select 802.1x-Only in the Security Mode field to display the following screen. Figure 90 Security: 802.1x Only The following table describes the labels in this screen. Table 40 Security: 802.1x Only LABEL DESCRIPTION Profile Name Type a name to identify this security profile. Security Mode Choose 802.1x Only in this field.
Chapter 10 Wireless Security Screen 10.2.3 Security: 802.1x Static 64-bit, 802.1x Static 128-bit Use this screen to set the selected profile to 802.1x Static 64 or 802.1x Static 128 security mode. Select 802.1x Static 64 or 802.1x Static 128 in the Security Mode field to display the following screen. Figure 91 Security: 802.1x Static 64-bit, 802.1x Static 128-bit The following table describes the labels in this screen. Table 41 Security: 802.1x Static 64-bit, 802.
Table 41 Security: 802.1x Static 64-bit, 802.1x Static 128-bit
LABEL                    DESCRIPTION
ReAuthentication Timer   Specify how often wireless stations have to resend user names and passwords in order to stay connected. The default value is 0, which means that reauthentication is off.
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Table 42 Security: WPA
LABEL                    DESCRIPTION
ReAuthentication Timer   Specify how often wireless stations have to resend user names and passwords in order to stay connected. The default value is 0, which means that reauthentication is off.
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
The following table describes the labels not previously discussed.

Table 43 Security: WPA2 or WPA2-MIX
LABEL                    DESCRIPTION
Profile Name             Type a name to identify this security profile.
Security Mode            Choose WPA2 or WPA2-MIX in this field.
ReAuthentication Timer   Specify how often wireless stations have to resend usernames and passwords in order to stay connected. The default value is 0, which means that reauthentication is off.
10.2.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX

Use this screen to set the selected profile to WPA-PSK, WPA2-PSK or WPA2-PSK-MIX security mode. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display the following screen.
Chapter 10 Wireless Security Screen Table 44 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX LABEL DESCRIPTION Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The NWA’s default is 1800 seconds (30 minutes).
CHAPTER 11 RADIUS Screen 11.1 Overview This chapter describes how you can use the Wireless > RADIUS screen. Remote Authentication Dial In User Service (RADIUS) is a protocol that can be used to manage user access to large networks. It is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server.
Chapter 11 RADIUS Screen 11.1.1 What You Can Do in the RADIUS Screen Use the Security > RADIUS screen (see Section 11.2 on page 171) if you want to authenticate wireless users using a RADIUS Server and/or Accounting Server. 11.1.2 What You Need To Know About RADIUS The RADIUS server handles the following tasks: • Authentication which determines the identity of the users. • Authorization which determines the network services available to authenticated users once they are connected to the network.
Chapter 11 RADIUS Screen 11.2 The RADIUS Screen Use this screen to set up your NWA’s RADIUS server settings. Click Wireless > RADIUS. The screen appears as shown. Figure 96 RADIUS The following table describes the labels in this screen. Table 45 RADIUS LABEL DESCRIPTION Index Select the RADIUS profile you want to configure from the drop-down list box. Profile Name Type a name for the RADIUS profile associated with the Index number above.
Chapter 11 RADIUS Screen Table 45 RADIUS LABEL DESCRIPTION Internal Select this check box to use the NWA’s internal authentication server. The Active, RADIUS Server IP Address, RADIUS Server Port and Share Secret fields are not available when you use the internal authentication server. External Select this check box to use an external authentication server. The NWA does not use the internal authentication server when this check box is enabled.
CHAPTER 12 Layer-2 Isolation Screen 12.1 Overview Layer-2 isolation is used to prevent wireless clients associated with your NWA from communicating with other wireless clients, APs, computers or routers in a network. In the following figure, layer-2 isolation is enabled on the NWA (Z) to allow a guest wireless client (A) to access the main network router (B).
Chapter 12 Layer-2 Isolation Screen communicating with the NWA’s wireless clients except for broadcast packets. Layer-2 isolation does not check the traffic between wireless clients that are associated with the same AP. Intra-BSS Traffic allows wireless clients associated with the same AP to communicate with each other. 12.1.1 What You Can Do in the Layer-2 Isolation Screen Use the Wireless > Layer-2 Isolation screen (see Section 12.
Chapter 12 Layer-2 Isolation Screen 12.2 The Layer-2 Isolation Screen Use this screen to select and configure a layer-2 isolation profile. Click Wireless > Layer-2 Isolation. The screen appears as shown next. Figure 98 Layer 2 Isolation The following table describes the labels in this screen. Table 46 Layer-2 Isolation LABEL DESCRIPTION Index This is the index number of the profile.
Chapter 12 Layer-2 Isolation Screen 12.2.1 Configuring Layer-2 Isolation Use this screen to specify the configuration for your layer-2 isolation profile. Select a layer-2 isolation profile in Wireless > Layer-2 Isolation and click Edit to display the following screen. Note: When configuring this screen, remember to select the correct layer-2 isolation profile in the Wireless> SSID > Edit screen of the relevant SSID profile.
Chapter 12 Layer-2 Isolation Screen Table 47 Layer-2 Isolation Configuration LABEL DESCRIPTION Set This is the index number of the MAC address. MAC Address Type the MAC addresses of the wireless client, AP, computer or router that you want to allow the associated wireless clients to have access to in these address fields. Type the MAC address in a valid MAC address format (six hexadecimal character pairs, for example 12:34:56:78:9a:bc). Description Type a name to identify this device.
Chapter 12 Layer-2 Isolation Screen Example 1: Restricting Access to Server In the following example wireless clients 1 and 2 can communicate with file server C, but not access point B or wireless client 3. • Enter C’s MAC address in the MAC Address field, and enter “File Server C” in the Description field.
CHAPTER 13 MAC Filter Screen 13.1 Overview This chapter discusses how you can use the Wireless > MAC Filter screen. The MAC filter function allows you to configure the NWA to grant access to devices (Allow Association) or exclude devices from accessing the NWA (Deny Association). Figure 102 MAC Filtering In the figure above, wireless client U is able to connect to the Internet because its MAC address is in the allowed association list specified in the NWA (ZyXEL Device).
Chapter 13 MAC Filter Screen characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of each device to configure MAC filtering on the NWA. 13.2 The MAC Filter Screen The MAC filter profile is a user-configured list of MAC addresses. Each SSID profile can reference one MAC filter profile. The NWA provides 16 MAC Filter profiles, each of which can hold up to 128 MAC addresses. Click Wireless > MAC Filter. The screen displays as shown. 13.2.
Chapter 13 MAC Filter Screen The following table describes the labels in this screen. Table 48 Wireless > MAC Filter > Edit LABEL DESCRIPTION Profile Name Type a name to identify this profile. Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router. MAC addresses not listed will be allowed to access the router. Select Allow Association to permit access to the router.
CHAPTER 14 IP Screen 14.1 Overview The Internet Protocol (IP) address identifies a device on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Figure 104 IP Setup The figure above illustrates one possible setup of your NWA. The gateway IP address is 192.168.1.1 and the IP address of the NWA is 192.168.1.2 (default).
Chapter 14 IP Screen These parameters should work for the majority of installations. 14.2 The IP Screen Use this screen to configure the IP address for your NWA. Click IP to display the following screen. Figure 105 IP Setup The following table describes the labels in this screen. Table 49 IP Setup LABEL DESCRIPTION IP Address Assignment Get automatically from DHCP Select this option if your NWA is using a dynamically assigned IP address from a DHCP server each time.
Chapter 14 IP Screen 14.3 Technical Reference This section provides technical background information about the topics covered in this chapter. 14.3.1 WAN IP Address Assignment Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet (only between your two branch offices, for instance) you can assign any IP addresses to the hosts without problems.
CHAPTER 15 Rogue AP Detection 15.1 Overview Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can open up holes in a network’s security. Attackers can take advantage of a rogue AP’s weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture information from wireless clients.
Chapter 15 Rogue AP Detection In the example above, a corporate network’s security is compromised by a rogue AP (R) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company’s legitimate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software.
Chapter 15 Rogue AP Detection The friendly AP list displays details of all the access points in your area that you know are not a threat. If you have more than one AP in your network, you need to configure this list to include your other APs. If your wireless network overlaps with that of a neighbor (for example) you should also add these APs to the list, as they do not compromise your own network’s security.
Chapter 15 Rogue AP Detection This scenario can also be part of a wireless denial of service (DoS) attack, in which associated wireless clients are deprived of network access. Other opportunities for the attacker include the introduction of malware (malicious software) into the network. 15.2 Configuration Screen Use this screen to enable your NWA’s Rogue AP detection settings. Click Rogue AP > Configuration.
Table 51 Rogue AP Configuration
LABEL    DESCRIPTION
Import   Click this button to upload the previously-saved list of friendly APs displayed in the File Path field to the NWA.
Apply    Click Apply to save your settings.
Reset    Click Reset to return all fields in this screen to their previously-saved values.

15.2.1 Friendly AP Screen

Use this screen to specify APs as trusted. Click Rogue AP > Friendly AP.
Chapter 15 Rogue AP Detection Table 52 Rogue AP Friendly AP LABEL DESCRIPTION Radio Mode The field displays the radio mode the AP is currently using. Security This field displays the type of wireless encryption the AP is currently using. Last Seen This field displays the last time the NWA scanned for the AP. Description This is the description you entered when adding the AP to the list. Delete Click this button to remove an AP’s entry from the list. 15.2.
Chapter 15 Rogue AP Detection Table 53 Rogue AP LABEL DESCRIPTION MAC Address This field displays the Media Access Control (MAC) address of the AP. All wireless devices have a MAC address that uniquely identifies them. SSID This field displays the Service Set IDentifier (also known as the network name) of the AP. Channel This field displays the wireless channel the AP is currently using. Radio Mode The field displays the radio mode the AP is currently using.
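The friendly AP list described in this chapter can be cross-checked offline against a scan export. The following Python sketch is an added example, not part of the guide and not the NWA's own detection logic; the scan records, MAC addresses, SSIDs, security labels and the two "reasons" heuristics are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Security labels treated as weak here (an assumption, not NWA behaviour).
WEAK_SECURITY = {"none", "wep"}

# Constructed friendly AP list: MAC address -> description.
FRIENDLY_APS = {
    "00:A0:C5:00:00:02": "Lobby AP",
    "00-a0-c5-00-00-03": "Warehouse AP",
}


@dataclass(frozen=True)
class ScannedAP:
    """One row of a scan result: the fields the Rogue AP table displays."""
    mac: str
    ssid: str
    channel: int
    security: str


# Constructed scan results; none of these values come from a real network.
SAMPLE_SCAN = [
    ScannedAP("00:a0:c5:00:00:02", "CorpNet", 6, "WPA2"),
    ScannedAP("00A0.C500.0003", "CorpNet", 11, "WPA2"),
    ScannedAP("02:11:22:33:44:55", "CorpNet", 6, "None"),
    ScannedAP("02:11:22:33:44:66", "CoffeeShop", 1, "WPA2-PSK"),
]


def normalize_mac(mac):
    """Return a MAC as six lowercase colon-separated pairs, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_scan(scan, friendly):
    """Split scan results into friendly APs and unlisted APs.

    Returns (friendly_seen, unlisted). Each unlisted entry is a tuple
    (normalized_mac, ssid, reasons), where reasons explains why the AP
    deserves a closer look before it is added to the friendly list.
    """
    friendly_macs = {normalize_mac(mac) for mac in friendly}
    friendly_seen = [ap for ap in scan if normalize_mac(ap.mac) in friendly_macs]
    # SSIDs that the known-good APs were seen broadcasting in this scan.
    friendly_ssids = {ap.ssid for ap in friendly_seen}

    unlisted = []
    for ap in scan:
        mac = normalize_mac(ap.mac)
        if mac in friendly_macs:
            continue
        reasons = []
        if ap.ssid in friendly_ssids:
            reasons.append("uses an SSID also broadcast by a friendly AP")
        if ap.security.lower() in WEAK_SECURITY:
            reasons.append("weak or no encryption")
        unlisted.append((mac, ap.ssid, reasons))
    return friendly_seen, unlisted


if __name__ == "__main__":
    seen, unlisted = classify_scan(SAMPLE_SCAN, FRIENDLY_APS)
    print("friendly APs seen:", [normalize_mac(ap.mac) for ap in seen])
    for mac, ssid, reasons in unlisted:
        print(mac, ssid, "; ".join(reasons) or "no extra indicators")
```

An unlisted AP with no reasons attached is typically a neighbor's AP and a candidate for the friendly list once its owner is confirmed.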
CHAPTER 16 Remote Management Screens 16.1 Overview This chapter shows you how to enable remote management of your NWA. It provides information on determining which services or protocols can access which of the NWA’s interfaces. Remote Management allows a user to administrate the device over the network.
Chapter 16 Remote Management Screens 16.1.1 What You Can Do in the Remote Management Screens • Use the Telnet screen (see Section 16.2 on page 198) to configure through which interface(s) and from which IP address(es) you can use Telnet to manage the NWA. A Telnet connection is prioritized by the NWA over other remote management sessions. • Use the FTP screen (see Section 16.
Chapter 16 Remote Management Screens Note: SNMP is only available if TCP/IP is configured. Figure 112 SNMP Management Mode An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the NWA). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
Chapter 16 Remote Management Screens System Timeout There is a default system management idle timeout of five minutes (three hundred seconds). The NWA automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the SYSTEM screen. 16.2 The Telnet Screen Use this screen to configure your NWA for remote Telnet access.
Table 54 Remote Management: Telnet
LABEL                      DESCRIPTION
Secured Client IP Address  A secured client is a “trusted” computer that is allowed to communicate with the NWA using this service. Select All to allow any computer to access the NWA using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service.
Chapter 16 Remote Management Screens To change your NWA’s FTP settings, click REMOTE MGMT > FTP. The following screen displays. Figure 114 Remote Management: FTP The following table describes the labels in this screen. Table 55 Remote Management: FTP LABEL DESCRIPTION Server Port This is set to port 21 by default. You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
To change your NWA’s WWW settings, click REMOTE MGMT > WWW. The following screen shows.

Figure 115 Remote Management: WWW

The following table describes the labels in this screen.

Table 56 Remote Management: WWW
LABEL        DESCRIPTION
WWW
Server Port  This is set to port 80 by default. You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Table 56 Remote Management: WWW
LABEL          DESCRIPTION
Server Port    The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the NWA, for example 8443, then you must notify people who need to access the NWA web configurator to use "https://NWA IP Address:8443" as the URL.
Server Access  Select an NWA interface from Server Access on which incoming HTTPS access is allowed.
Chapter 16 Remote Management Screens 16.5 The SNMP Screen Use this screen to have a manager station administrate your NWA over the network. To change your NWA’s SNMP settings, click REMOTE MGMT > SNMP. The following screen displays. Figure 116 Remote Management: SNMP The following table describes the labels in this screen.
Chapter 16 Remote Management Screens Table 57 Remote Management: SNMP LABEL DESCRIPTION SNMP Version Select the SNMP version for the NWA. The SNMP version on the NWA must match the version on the SNMP manager. Choose SNMP version 1 (SNMPv1), SNMP version 2 (SNMPv2) or SNMP version 3 (SNMPv3). Trap Community Type the trap community, which is the password sent with each trap to the SNMP manager. The default is “public” and allows all requests.
16.5.1 SNMPv3 User Profile

Use this screen to configure the SNMPv3 profile. Click Configure SNMPv3 User Profile in the REMOTE MGMT > SNMP screen; the following screen displays.

Figure 117 Remote Management: SNMPv3 User Profile

The following table describes the labels in this screen.

Table 58 Remote Management: SNMPv3 User Profile
LABEL               DESCRIPTION
SNMPv3Admin
Enable SNMPv3Admin  Click this to activate the security settings for this Admin account.
Table 58 Remote Management: SNMPv3 User Profile
LABEL             DESCRIPTION
Privacy Protocol  Select the encryption method for SNMP communication from this user. You can choose one of the following:
• DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
• AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key.
device. Examples of variables include the number of packets received, node port status and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
• Get - Allows the manager to retrieve an object variable from the agent.
Table 59 SNMP Traps
TRAP NAME: authenticationFailure (defined in RFC-1215)
OBJECT IDENTIFIER # (OID): 1.3.6.1.6.3.1.1.5.5
DESCRIPTION: The device sends this trap when it receives any SNMP get or set requests with the wrong community (password).
Note: snmpEnableAuthenTraps, OID 1.3.6.1.2.1.11.30 (defined in RFC 1214 and RFC 1907) must be enabled in order for the device to send authenticationFailure traps.
CHAPTER 17 Internal RADIUS Server 17.1 Overview This chapter describes how the NWA can use its internal RADIUS server to authenticate wireless clients. Remote Authentication Dial In User Service (RADIUS) is a protocol that enables you to control access to a network by authenticating user credentials. The following figure shows the NWA (Z) using its internal RADIUS server to control access to a wired network. A wireless notebook (A) requests access by sending its credentials.
Chapter 17 Internal RADIUS Server 17.1.1 What You Can Do in this Chapter • Use the Setting screen (see Section 17.2 on page 210) to turn the NWA’s internal RADIUS server off or on and to view information about the NWA’s certificates. • Use the Trusted AP screen (see Section 17.3 on page 212) to specify APs as trusted. Trusted APs can use the NWA’s internal RADIUS server to authenticate wireless clients. • Use the Trusted Users screen (see Section 17.
Chapter 17 Internal RADIUS Server The following table describes the labels in this screen. Table 61 Internal RADIUS Server Setting LABEL DESCRIPTION Active Select this to have the NWA use its internal RADIUS server to authenticate wireless clients or other APs. # This field displays the certificate index number. The certificates are listed in alphabetical order. Use the CERTIFICATES screens to manage certificates.
Chapter 17 Internal RADIUS Server 17.3 The Trusted AP Screen Use this screen to specify APs as trusted. Click AUTH. SERVER > Trusted AP. The following screen displays. Figure 120 Trusted AP Screen The following table describes the labels in this screen. Table 62 Trusted AP Screen LABEL DESCRIPTION # This field displays the trusted AP index number. Active Select this check box to have the NWA use the IP Address and Shared Secret to authenticate a trusted AP.
Chapter 17 Internal RADIUS Server Table 62 Trusted AP Screen LABEL DESCRIPTION Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. 17.4 The Trusted Users Screen Use this screen to configure trusted user entries. Click AUTH. SERVER > Trusted Users. The following screen displays. Figure 121 Trusted Users The following table describes the labels in this screen.
Chapter 17 Internal RADIUS Server Table 63 Trusted Users LABEL DESCRIPTION Password Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type. The password on the wireless client’s utility must be the same as this password. Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length. Apply Click Apply to save your changes.
Chapter 17 Internal RADIUS Server Take the following steps to set up trusted APs and trusted users. 1 Configure an IP address and shared secret in the Trusted AP database to specify an AP as trusted. 2 Configure wireless client user names and passwords in the Trusted Users database to use a trusted AP as a relay between the NWA’s internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the NWA’s internal RADIUS server.
CHAPTER 18 Certificates 18.1 Overview This chapter describes how your NWA can use certificates as a means of authenticating wireless clients. It gives background information about public-key certificates and explains how to use them. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. Figure 123 Certificates Example 18.1.
Chapter 18 Certificates 18.1.2 What You Need To Know About Certificates The following terms and concepts may help as you read through this chapter. The NWA also trusts any valid certificate signed by any of the imported trusted CA certificates. The certification authority certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.
Chapter 18 Certificates The following table describes the labels in this screen. Table 64 Certificates > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the NWA’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Table 64 Certificates > My Certificates (continued)
LABEL   DESCRIPTION
Delete  Click Delete to delete an existing certificate. A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features is configured to use.
Do the following to delete a certificate that shows *SELF in the Type field.
1. Make sure that no other features, such as HTTPS, VPN, SSH are configured to use the *SELF certificate.
2.
Chapter 18 Certificates Note: You must remove any spaces from the certificate’s filename before you can import it. Figure 125 Certificates > My Certificates Import The following table describes the labels in this screen. Table 65 Certificates > My Certificate Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
Chapter 18 Certificates 18.2.2 My Certificates Create Screen Use this screen to have the NWA create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Click Certificates > My Certificates and then Create to open the My Certificate Create screen. The following figure displays. Figure 126 Certificates > My Certificate Create The following table describes the labels in this screen.
Chapter 18 Certificates Table 66 Certificates > My Certificate Create (continued) LABEL DESCRIPTION Common Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string.
Chapter 18 Certificates Table 66 Certificates > My Certificate Create (continued) LABEL DESCRIPTION Enrollment Protocol Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.
Chapter 18 Certificates 18.2.3 My Certificates Details Screen Use this screen to view in-depth certificate information and change the certificate’s name. In the case of a self-signed certificate, you can set it to be the one that the NWA uses to sign the trusted remote host certificates that you import to the NWA. Click Certificates > My Certificates to open the My Certificates screen (Figure 124 on page 218). Click the details button to open the My Certificate Details screen.
The following table describes the labels in this screen.

Table 67 Certificates > My Certificate Details
LABEL     DESCRIPTION
Name      This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Property  Default self-signed certificate which signs the imported remote host certificates.
Chapter 18 Certificates Table 67 Certificates > My Certificate Details (continued) LABEL DESCRIPTION Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Chapter 18 Certificates 18.3 Trusted CAs Screen Use this screen to view the list of trusted certificates. The NWA accepts any valid certificate signed by a certification authority on this list as being trustworthy. You do not need to import any certificate that is signed. Click Certificates > Trusted CAs to open the Trusted CAs screen. The following figure displays. Figure 128 Certificates > Trusted CAs The following table describes the labels in this screen.
Chapter 18 Certificates Table 68 Trusted CAs (continued) LABEL DESCRIPTION CRL Issuer This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate’s details screen to have the NWA check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays No.
Chapter 18 Certificates The following table describes the labels in this screen. Table 69 Certificates > Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload. Apply Click Apply to save the certificate on the NWA. Cancel Click Cancel to quit and return to the Trusted CAs screen. 18.3.
Chapter 18 Certificates The following table describes the labels in this screen. Table 70 Certificates > Trusted CAs Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Chapter 18 Certificates Table 70 Certificates > Trusted CAs Details (continued) LABEL DESCRIPTION Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the NWA uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Chapter 18 Certificates 18.4 Technical Reference This section provides technical background information about the topics covered in this chapter. 18.4.1 Private-Public Certificates When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”).
Chapter 18 Certificates 18.4.3 Checking the Fingerprint of a Certificate A certificate’s fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate. 1 Browse to where you have the certificate saved on your computer. 2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
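The fingerprint check described above can also be done from a script. The following is an added example, not part of the user's guide or of ZyXEL's software: it computes the MD5 and SHA1 digests of a ".cer" or ".crt" file in either binary (DER) or base64 (PEM) form and compares one against a fingerprint obtained from the certificate's owner. The SHA-256 digest goes beyond what this guide describes, and the sample bytes are constructed placeholders rather than a real certificate.

```python
# Added example (not from the user's guide): compute a certificate file's
# fingerprints and compare one with a value obtained out of band.
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def der_bytes(data):
    """Return the DER encoding, unwrapping base64 (PEM) armour when present."""
    match = PEM_BLOCK.search(data)
    if match is None:
        return data  # already binary DER
    body = b"".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def fingerprints(data):
    """Digest the DER bytes; the same certificate gives the same values in
    PEM and DER form because the armour is removed before hashing."""
    der = der_bytes(data)
    return {name: hashlib.new(name, der).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def display(hex_digest):
    """Format a digest as colon-separated upper-case pairs."""
    pairs = [hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)]
    return ":".join(pairs).upper()


def fingerprint_matches(data, expected):
    """Compare the file against a fingerprint typed or pasted by the user.

    Separators and case are ignored; the digest length selects the algorithm.
    """
    cleaned = re.sub(r"[\s:-]", "", expected).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    algorithm = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(cleaned))
    if algorithm is None:
        raise ValueError("fingerprint length matches no supported digest")
    return hmac.compare_digest(fingerprints(data)[algorithm], cleaned)


# Constructed placeholder bytes standing in for a DER certificate file.
SAMPLE_DER = bytes.fromhex("3082000c") + b"constructed!"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, digest in fingerprints(SAMPLE_PEM).items():
        print(f"{name:7s} {display(digest)}")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `fingerprint_matches` together with the fingerprint supplied by the certificate's owner.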
CHAPTER 19 Log Screens 19.1 Overview This chapter provides information on viewing and generating logs on your NWA. Logs are files that contain recorded network activity over a set period. They are used by administrators to monitor the health of the computer system(s) they are managing. Logs enable administrators to effectively monitor events, errors, progress, and so on. When network problems or system failures occur, the cause or origin can be traced.
Chapter 19 Log Screens • Use the Log Settings screen (Section 19.3 on page 238) to configure where and when the NWA will send the logs, and which logs and/or immediate alerts it will send. 19.1.2 What You Need To Know About Logs The following terms and concepts may help as you read through this chapter. Alerts and Logs An alert is a type of log that warrants more serious attention. Some categories such as System Errors consist of both logs and alerts.
Chapter 19 Log Screens Click Logs > View Log. The following screen displays. Figure 134 Logs > View Log The following table describes the labels in this screen. Table 71 Logs > View Log LABEL DESCRIPTION Display Select a log category from the drop down list box to display logs within the selected category. To view all logs, select All Logs. The number of categories shown in the drop down list box depends on the selection in the Log Settings page. Index This field displays the log entry index number.
Chapter 19 Log Screens 19.3 The Log Settings Screen Use this screen to configure where and when the NWA will send the logs, and which logs and/or immediate alerts to send. Click Logs > Log Settings. The following screen displays.
Chapter 19 Log Screens The following table describes the labels in this screen. Table 72 Logs > Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the email addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail. Mail Subject Type a title that you want to be in the subject line of the log e-mail message that the NWA sends.
Chapter 19 Log Screens Table 72 Logs > Log Settings LABEL DESCRIPTION Clear log after sending mail Select the check box to clear all logs after logs and alert messages are sent via e-mail. Log Select the categories of logs that you want to record. Send Immediate Alert Select the categories of alerts for which you want the NWA to immediately send e-mail alerts. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to reconfigure all the fields in this screen.
Table 74 ICMP Notes
TYPE | CODE | DESCRIPTION
0 | | Echo Reply
 | 0 | Echo reply message
3 | | Destination Unreachable
 | 0 | Net unreachable
 | 1 | Host unreachable
 | 2 | Protocol unreachable
 | 3 | Port unreachable
 | 4 | A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
 | 5 | Source route failed
4 | | Source Quench
 | 0 | A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the
Chapter 19 Log Screens 19.4.2 Log Commands Go to the command interpreter interface (refer to Appendix E on page 357 for a discussion on how to access and use the commands). 19.4.3 Configuring What You Want the NWA to Log Use the sys logs load command to load the log setting buffer that allows you to configure which logs the NWA is to record.
19.4.5 Log Command Example This example shows how to set the NWA to record the error logs and alerts and then view the results.
ras> sys logs load
ras> sys logs category error 3
ras> sys logs save
ras> sys logs display access
#. time source destination notes message
0 | 11/11/2002 15:10:12 | 172.22.3.80:137 | 172.22.255.
CHAPTER 20 VLAN 20.1 Overview This chapter discusses how to configure VLAN on the NWA. A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Stations on a logical network can belong to one or more groups. Only stations within the same group can talk to each other. Figure 136 VLAN Example NWA Server In the figure above, the NWA allows station A to connect to the internet but not to the server.
Chapter 20 VLAN 20.1.2 What You Need To Know About VLAN The following terms and concepts may help as you read through this chapter. When you use wireless VLAN and RADIUS VLAN together, the NWA first tries to assign VLAN IDs based on RADIUS VLAN configuration. If a client’s user name does not match an entry in the RADIUS VLAN screen, the NWA assigns a VLAN ID based on the settings in the Wireless VLAN screen. See Section 20.3.3 on page 253 for more information.
Chapter 20 VLAN 20.2 Wireless VLAN Screen Use this screen to enable and configure your Wireless Virtual LAN setup. Click VLAN > Wireless VLAN. The following screen appears. Figure 137 VLAN > Wireless VLAN The following table describes the labels in this screen Table 77 VLAN > Wireless VLAN FIELD DESCRIPTION VIRTUAL LAN Setup Enable VIRTUAL LAN Select this box to enable VLAN tagging. Wireless VIRTUAL LAN Setup Management VLAN ID Enter a number from 1 to 4094 to define this VLAN group.
Chapter 20 VLAN Table 77 VLAN > Wireless VLAN FIELD DESCRIPTION Native VLAN Check this to assign the Management VLAN ID as a Native VLAN. Leave this blank if you do not know the native VLAN ID assigned by the network administrator. A native VLAN is the default VLAN where untagged traffic can pass through between two switches. Note: The Native VLAN assignment must be the same on two switches for it to work.
Chapter 20 VLAN Click VLAN > RADIUS VLAN. The following screen appears. Figure 138 VLAN > RADIUS VLAN The following table describes the labels in this screen. Table 78 VLAN > RADIUS VLAN LABEL DESCRIPTION Block station if RADIUS server assign VLAN name error Select this to have the NWA forbid access to wireless clients when the VLAN attributes sent from the RADIUS server do not match a configured Name field.
Chapter 20 VLAN Table 78 VLAN > RADIUS VLAN LABEL DESCRIPTION Name Type a name to have the NWA check for specific VLAN attributes on incoming messages from the RADIUS server. Access-accept packets sent by the RADIUS server contain VLAN related attributes. The configured Name fields are checked against these attributes. If a configured Name field matches these attributes, the corresponding VLAN ID is added to packets sent from this user to the LAN.
Chapter 20 VLAN On an Ethernet switch, create a VLAN that has the same management VLAN ID as the NWA. The following figure has the NWA connected to port 2 and your computer connected to port 1. The management VLAN ID is 10. Figure 139 Management VLAN Configuration Example Perform the following steps in the switch web configurator: 1 Click VLAN under Advanced Application. 2 Click Static VLAN. 3 Select the ACTIVE check box. 4 Type a Name for the VLAN ID. 5 Type a VLAN Group ID.
Chapter 20 VLAN 8 Click Apply. The following screen displays. Figure 141 VLAN-Aware Switch 9 Click VLAN Status to display the following screen. Figure 142 VLAN-Aware Switch - VLAN Status Follow the instructions in the Quick Start Guide to set up your NWA for configuration. The NWA should be connected to the VLAN-aware switch. In the above example, the switch is using port 1 to connect to your computer and port 2 to connect to the NWA: Figure 139 on page 251.
3 Click Apply. Figure 143 VLAN Setup 4 The NWA attempts to connect with a VLAN-aware device. You can now access and manage the NWA through the Ethernet switch. Note: If you do not connect the NWA to a correctly configured VLAN-aware device, you will lock yourself out of the NWA. If this happens, you must reset the NWA to access it again. 20.3.3 Configuring Microsoft’s IAS Server Example Dynamic VLAN assignment can be used with the NWA.
ZyXEL uses the following standard RADIUS attributes returned from Microsoft’s IAS RADIUS service to place the wireless station into the correct VLAN:
Table 79 Standard RADIUS Attributes
ATTRIBUTE NAME | TYPE | VALUE
Tunnel-Type | 064 | 13 (decimal) – VLAN
Tunnel-Medium-Type | 065 | 6 (decimal) – 802
Tunnel-Private-Group-ID | 081 | (string) – either the Name you enter in the NWA’s VLAN > RADIUS VLAN screen or the number. See Figure 155 on page 261.
Chapter 20 VLAN 1c Select the Security Group type parameter check box. 1d Click OK. Figure 144 New Global Security Group 2 In VLAN Group ID Properties, click the Members tab. Note: The IAS uses group memberships to determine which user accounts belong to which VLAN groups. Click the Add button and configure the VLAN group details. 3 Repeat the previous step to add each VLAN group required. Figure 145 Add Group Members 20.3.3.
Chapter 20 VLAN 1 Using the Remote Access Policy option on the Internet Authentication Service management interface, create a new VLAN Policy for each VLAN Group defined in the previous section. The order of the remote access policies is important. The most specific policies should be placed at the top of the policy list and the most general at the bottom.
Chapter 20 VLAN 3 In the Select Attribute screen, click Windows-Groups and the Add button. Figure 147 Specifying Windows-Group Condition 4 The Select Groups window displays. Select a remote access policy and click the Add button. The policy is added to the field below. Only one VLAN Group should be associated with each policy. 5 Click OK and Next in the next few screens to accept the group value.
Chapter 20 VLAN 6b Click the Edit Profile button. Figure 149 Granting Permissions and User Profile Screens 7 The Edit Dial-in Profile screen displays. Click the Authentication tab and select the Extensible Authentication Protocol check box. 7a Select an EAP type depending on your authentication needs from the dropdown list box. 7b Clear the check boxes for all other authentication types listed below the dropdown list box.
Chapter 20 VLAN 8 Click the Encryption tab. Select the Strongest encryption option. This step is not required for EAP-MD5, but is performed as a safeguard. Figure 151 Encryption Tab Settings 9 Click the IP tab and select the Client may request an IP address check box for DHCP support. 10 Click the Advanced tab. The current default parameters returned to the NWA should be Service-Type and Framed-Protocol. • Click the Add button to add an additional three RADIUS VLAN attributes required for 802.
Chapter 20 VLAN 11 The RADIUS Attribute screen displays. From the list, three RADIUS attributes will be added: • Tunnel-Medium-Type • Tunnel-Pvt-Group-ID • Tunnel-Type 11a Click the Add button 11b Select Tunnel-Medium-Type 11c Click the Add button. Figure 153 RADIUS Attribute Screen 12 The Enumerable Attribute Information screen displays. Select the 802 value from the Attribute value drop-down list box. Click OK.
Chapter 20 VLAN 13 Return to the RADIUS Attribute Screen shown as Figure 153 on page 260. 13a Select Tunnel-Pvt-Group-ID. 13b Click Add. 14 The Attribute Information screen displays. 14a In the Enter the attribute value in: field select String and type a number in the range 1 to 4094 or a Name for this policy. This Name should match a name in the VLAN mapping table on the NWA. Wireless stations belonging to the VLAN Group specified in this policy will be given a VLAN ID specified in the NWA VLAN table.
Chapter 20 VLAN 16b Click OK. Figure 156 VLAN Attribute Setting for Tunnel-Type 17 Return to the RADIUS Attribute Screen shown as Figure 153 on page 260. 17a Click the Close button. 17b The completed Advanced tab configuration should resemble the following screen. Figure 157 Completed Advanced Tab Note: Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory.
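To see what the policy configured above puts on the wire, the following added example (not ZyXEL or Microsoft code) decodes the three VLAN attributes from Table 79 out of an Access-Accept attribute area and models the decision described for the RADIUS VLAN screen: a matching Name or a number from 1 to 4094 gives the VLAN ID, otherwise the station is blocked or falls back to the SSID's Wireless VLAN ID. The tag-byte handling follows RFC 2868; the mapping-table names, VLAN IDs and packet bytes are constructed, and the function is a model of the behaviour this guide describes, not the NWA's firmware logic.

```python
# Added example (not ZyXEL or Microsoft code): decode the RADIUS VLAN attributes
# from Table 79 and model the VLAN decision the RADIUS VLAN screen describes.

TUNNEL_TYPE = 64              # Table 79: value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # Table 79: value 6 = 802
TUNNEL_PRIVATE_GROUP_ID = 81  # Table 79: string, a Name or a VLAN number
VLAN, IEEE_802 = 13, 6


def attr(a_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([a_type, len(value) + 2]) + value


def parse_attributes(blob):
    """Split a RADIUS attribute area into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 2 or i + a_len > len(blob):
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, blob[i + 2:i + a_len]))
        i += a_len
    return attrs


def tagged_int(value):
    """RFC 2868 tunnel integer: one tag byte followed by a 3-byte value."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 bytes")
    return int.from_bytes(value[1:], "big")


def tagged_string(value):
    """RFC 2868 tunnel string: a first byte of 0x1F or less is a tag, not text."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("utf-8", errors="replace")


def resolve_vlan(blob, name_table, ssid_vlan_id, block_on_name_error):
    """Return (source, vlan_id): source is 'radius', 'wireless' or 'blocked'."""
    tunnel_type = medium = group = None
    for a_type, value in parse_attributes(blob):
        if a_type == TUNNEL_TYPE:
            tunnel_type = tagged_int(value)
        elif a_type == TUNNEL_MEDIUM_TYPE:
            medium = tagged_int(value)
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            group = tagged_string(value)
    if group is None:
        # No VLAN attributes at all: the Wireless VLAN screen setting applies.
        return ("wireless", ssid_vlan_id)
    if tunnel_type == VLAN and medium == IEEE_802:
        if group in name_table:
            return ("radius", name_table[group])
        if group.isascii() and group.isdigit() and 1 <= int(group) <= 4094:
            return ("radius", int(group))
    # Attributes were sent but do not name a usable VLAN.
    if block_on_name_error:
        return ("blocked", None)
    return ("wireless", ssid_vlan_id)


# Constructed sample data: hypothetical mapping-table names and VLAN IDs.
NAME_TABLE = {"VLAN_Staff": 20, "VLAN_Guest": 30}


def sample_accept(group_id):
    """Constructed Access-Accept attribute area for the given group ID bytes."""
    return (attr(6, (2).to_bytes(4, "big"))      # Service-Type = Framed
            + attr(7, (1).to_bytes(4, "big"))    # Framed-Protocol = PPP
            + attr(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, group_id))


if __name__ == "__main__":
    for gid in (b"VLAN_Staff", b"40", b"\x01VLAN_Guest", b"Unknown"):
        print(gid, resolve_vlan(sample_accept(gid), NAME_TABLE, 1, True))
```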
Chapter 20 VLAN 20.3.4 Second Rx VLAN ID Example In this example, the NWA is configured to tag packets from SSID01 with VLAN ID 1 and tag packets from SSID02 with VLAN ID 2. VLAN 1 and VLAN 2 have access to a server, S, and the Internet, as shown in the following figure. Figure 158 Second Rx VLAN ID Example S Packets sent from the server S back to the switch are tagged with a VLAN ID (incoming VLAN ID). These incoming VLAN packets are forwarded to the NWA.
Chapter 20 VLAN 2 Click VLAN > Wireless VLAN. 3 If VLAN is not already enabled, click Enable Virtual LAN and set up the Management VLAN ID (see Section 20.3.2 on page 250). Note: If no devices are in the management VLAN, then no one will be able to access the NWA and you will have to restore the default configuration file. 4 Select the SSID profile you want to configure (SSID03 in this example), and enter the VLAN ID number (between 1 and 4094). 5 Enter a Second Rx VLAN ID.
CHAPTER 21 Load Balancing 21.1 Overview Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users.
Chapter 21 Load Balancing Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can’t possibly know how many connections his NWA will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows. This means anyone can connect to his wireless network as long as the NWA has the bandwidth to spare.
The requirements for load balancing are fairly straightforward and should be met in order for a group of similar NWAs to take advantage of the feature:
• They should all be within the same subnet.
• They should all have the same SSID, radio mode, and security mode.
• There should be a minimum of 2 NWAs within the same broadcast radius, or at the very least within an overlapping broadcast radius.
21.
Chapter 21 Load Balancing Table 80 Load Balancing FIELD DESCRIPTION Dissociate station when overloaded Select Enable to “kick” connections to the AP when it becomes overloaded. If you set this option to Disable, then the AP simply delays the connection until it can afford the bandwidth it requires, or it shunts the connection to another AP within its broadcast radius.
Chapter 21 Load Balancing can afford the bandwidth for it or the red laptop is picked up by a different AP that has bandwidth to spare. Figure 162 Delaying a Connection R The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotment. Figure 163 Kicking a Connection R Connections are kicked based on either idle timeout or signal strength.
CHAPTER 22 Dynamic Channel Selection 22.1 Overview This chapter discusses how to configure dynamic channel selection on the NWA. Dynamic channel selection is a feature that allows your NWA to automatically select the radio channel upon which it broadcasts by scanning the area around and determining what channels are currently being used by other devices.
Chapter 22 Dynamic Channel Selection In this example, if the NWA attempts to broadcast on channels 1, 6, or 11 it is met with cross-channel interference from the other AP that shares the channel. This can result in noticeably slower data transfer rates, the dropping of the connection altogether, or even lost data packets. However, if the NWA broadcasts on the otherwise empty channel 4 then there will be minimal interference and a clearer connection to the network.
Chapter 22 Dynamic Channel Selection Table 81 DCS FIELD DESCRIPTION DCS Sensitivity Level Select the NWA’s sensitivity level toward other channels. Options are High, Medium, and Low. Generally, as long as the area in which your NWA is located has minimal interference from other devices you can set the DCS Sensitivity Level to Low. This means that the NWA has a very broad tolerance.
CHAPTER 23 Maintenance 23.1 Overview This chapter describes the maintenance screens. It discusses how you can view the association list and channel usage, upload new firmware, manage configuration and restart your NWA without turning it off and on. 23.2 What You Can Do in the Maintenance Screens The following is a list of the maintenance screens you can configure on the NWA. • Use the Status screen (Section 23.4 on page 276) to monitor your NWA.
Chapter 23 Maintenance Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, for example "[Model #].bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See the Firmware and Configuration File Maintenance chapter for upgrading firmware using FTP/TFTP commands. 23.4 System Status Screen Use this screen to get a quick summary of the status of your NWA.
Chapter 23 Maintenance Note: The Poll Interval field is configurable. The fields in this screen vary according to the current wireless mode of each WLAN adaptor. Figure 167 Maintenance > System Status: Show Statistics The following table describes the labels in this screen. Table 83 Maintenance > System Status: Show Statistics LABEL DESCRIPTION Port This is the Ethernet port (LAN) or wireless LAN adaptor (WLAN1 or WLAN2).
Chapter 23 Maintenance Table 83 Maintenance > System Status: Show Statistics LABEL DESCRIPTION WLAN2 This section displays only when wireless LAN adaptor WLAN2 is in AP + Bridge or Bridge / Repeater mode. Bridge Link # This is the index number of the bridge connection. Active This shows whether the bridge connection is activated or not. Remote Bridge MAC This is the MAC address of the peer device in bridge mode.
Chapter 23 Maintenance Table 84 Association List LABEL DESCRIPTION Signal This field displays the RSSI (Received Signal Strength Indicator) of the wireless connection. WDS Link This section displays only when bridge mode is activated on one of the NWA’s WLAN adaptors. Link No This field displays the index number of a bridge connection on the WDS. MAC Address This field displays a remote bridge MAC address. Link Time This field displays the WDS link up-time.
Chapter 23 Maintenance The following table describes the labels in this screen. Table 85 Channel Usage LABEL DESCRIPTION SSID This is the Service Set IDentification name of the AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network. For our purposes, we define an Infrastructure network as a wireless network that uses an AP and an Ad-Hoc network (also known as Independent Basic Service Set (IBSS)) as one that doesn’t.
Chapter 23 Maintenance The following table describes the labels in this screen. Table 86 Maintenance > F/W Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes.
If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 173 Firmware Upload Error 23.8 Configuration Screen Use this screen to back up or upload your NWA’s configuration file. You can also reset the configuration of your device in this screen. Click Maintenance > Configuration. The following figure displays. Figure 174 Maintenance > Configuration 23.8.
Chapter 23 Maintenance configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the NWA’s current configuration to your computer. 23.8.2 Restore Configuration Restore configuration allows you to upload a new or previously saved configuration file from your computer to your NWA.
Chapter 23 Maintenance address (192.168.1.2). See your Quick Start Guide for details on how to set up your computer’s IP address. If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. Figure 177 Configuration Upload Error 23.8.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the NWA to its factory defaults as shown on the screen.
Chapter 23 Maintenance Click Maintenance > Restart. The following screen displays. Click Restart to have the NWA reboot. This does not affect the NWA's configuration.
PART III Troubleshooting and Specifications Troubleshooting (289) Product Specifications (297)
CHAPTER 24 Troubleshooting 24.1 Overview This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • NWA Access and Login • AP Management Modes • Internet Access • Wireless Router/AP Troubleshooting 24.2 Power, Hardware Connections, and LEDs The NWA does not turn on. None of the LEDs turn on. • Make sure you are using the power adaptor or cord included with the NWA.
Chapter 24 Troubleshooting • Inspect your cables for damage. Contact the vendor to replace any damaged cables. • Disconnect and re-connect the power adaptor to the NWA. • If the problem continues, contact the vendor. 24.3 NWA Access and Login I forgot the IP address for the NWA. • The default IP address is 192.168.1.2. • If you changed the IP address and have forgotten it, you might get the IP address of the NWA by looking up the IP address of the default gateway for your computer.
Chapter 24 Troubleshooting • The default password is 1234. • If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 38. I cannot see or access the Login screen in the web configurator. • Make sure you are using the correct IP address. • The default IP address is 192.168.1.2. • If you changed the IP address, use the new IP address. • If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the NWA.
Chapter 24 Troubleshooting • Disconnect and re-connect the power adaptor or cord to the NWA. • If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 38. I cannot access the NWA via the console port. • Check to see if the NWA is connected to your computer's console port. • Check to see if the communications program is configured correctly. The communications software should be configured as follows: • VT100 terminal emulation.
Chapter 24 Troubleshooting The secondary controller AP’s wireless profiles do not appear in my wireless network. In case you have both primary and secondary controller APs in the network, the secondary controller AP’s WLAN radio is turned off as long as the primary controller AP is turned on. Thus, you will not see any of the secondary controller AP’s wireless profiles in your wireless network. The controller AP cannot detect some of the APs in the network.
Chapter 24 Troubleshooting 24.5 Internet Access I cannot access the Internet. • Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 24.2 on page 289. • Make sure you entered your ISP account information correctly. These fields are case-sensitive, so make sure [Caps Lock] is not on. • If you are trying to access the Internet wirelessly, make sure the wireless settings on the wireless client are the same as the settings on the AP.
Chapter 24 Troubleshooting Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications. 24.6 Wireless Router/AP Troubleshooting I cannot access the NWA or ping any computer from the WLAN. • Make sure the wireless LAN is enabled on the NWA • Make sure the wireless adapter on the wireless station is working properly. • Make sure the wireless adapter (installed on your computer) is IEEE 802.
CHAPTER 25 Product Specifications The following tables summarize the NWA’s hardware and firmware features. Table 88 NWA-3550 Hardware Specifications SPECIFICATION DESCRIPTION Dimensions 256 (W) x 246 (D) x 82 (H) mm Weight 2000 g Power PoE draw: 48V 20W at least Ethernet Port Auto-negotiating: 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode. Auto-crossover: Use either crossover or straight-through Ethernet cables. Power over Ethernet (PoE) IEEE 802.3af compliant.
Chapter 25 Product Specifications Antenna Specifications SMA antenna connectors, equipped by default with 2dBi omni antenna, 60° When facing the front of the NWA, the antenna on the right is used by wireless LAN adaptor WLAN1, and the antenna on the left is used by wireless LAN adaptor WLAN2. Output Power IEEE 802.11b/g: 17 dBm IEEE 802.
Chapter 25 Product Specifications SSL Passthrough SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https” instead of “http”. The NWA allows SSL connections to take place through the NWA.
Table 91 Other Specifications
Approvals
Radio
• USA: FCC Part 15C 15.247, FCC Part 15E 15.407, FCC OET65
• EU: ETSI EN 300 328 V1.7.1, ETSI EN 301 893 V1.2.3
• Taiwan: DGT LP0002
• Canada: Industry Canada RSS-210
• Australia: AS/NZS 4268
EMC/EMI
• USA: FCC Part 15 Subpart B
• EU: EN 301 489-17 V1.2.1: 08-2002, EN 55022:2006
• Canada: ICES-003
• Australia: AS/NZS CISPR22
EMC/EMS
• EU: EN 301 489-1 V1.5.
Compatible ZyXEL Antennas At the time of writing, you can use the following antennas in your NWA. Table 92 NWA Compatible Antennas MODEL EXT-108 EXR-109 EXT-114 EXT-118 ANT2206 ANT3108 ANT3218 Frequency Band (MHz) 2400 ~ 2500 2400 ~ 2500 2400 ~ 2500 2400 ~ 2500 2400 ~ 2500 4900 ~ 5875 5150 ~ 5875 4900 ~ 5875 Gain (dBi) 8 9 14 18 6 8 8 18 Max. VSWR 2.0:1 1.5:1 1.5:1 1.5:1 2.0:1 2.0:1 2.0:1 2.
Chapter 25 Product Specifications Compatible ZyXEL Antenna Cables The following table shows you the cables you can use in the NWA to extend your connection to antennas at the time of writing.
PART IV Appendices and Index Setting Up Your Computer’s IP Address (305) Wireless LANs (331) Pop-up Windows, JavaScripts and Java Permissions (347) Importing Certificates (355) IP Addresses and Subnetting (381) Text File Based Auto Configuration (391) Legal Information (399) Index (403)
APPENDIX A Setting Up Your Computer’s IP Address Note: Your specific ZyXEL device may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported. This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network.
Appendix A Setting Up Your Computer’s IP Address 1 Click Start > Control Panel. Figure 180 Windows XP: Start Menu 2 In the Control Panel, click the Network Connections icon.
Appendix A Setting Up Your Computer’s IP Address 3 Right-click Local Area Connection and then select Properties. Figure 182 Windows XP: Control Panel > Network Connections > Properties 4 On the General tab, select Internet Protocol (TCP/IP) and then click Properties.
Appendix A Setting Up Your Computer’s IP Address 5 The Internet Protocol TCP/IP Properties window opens. Figure 184 Windows XP: Internet Protocol (TCP/IP) Properties 6 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP.
Appendix A Setting Up Your Computer’s IP Address Windows Vista This section shows screens from Windows Vista Professional. 1 Click Start > Control Panel. Figure 185 Windows Vista: Start Menu 2 In the Control Panel, click the Network and Internet icon. Figure 186 Windows Vista: Control Panel 3 Click the Network and Sharing Center icon.
Appendix A Setting Up Your Computer’s IP Address 4 Click Manage network connections. Figure 188 Windows Vista: Network and Sharing Center 5 Right-click Local Area Connection and then select Properties. Figure 189 Windows Vista: Network and Sharing Center Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
Appendix A Setting Up Your Computer’s IP Address 6 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.
Appendix A Setting Up Your Computer’s IP Address 7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. Figure 191 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties 8 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.
Appendix A Setting Up Your Computer’s IP Address Mac OS X: 10.3 and 10.4 The screens in this section are from Mac OS X 10.4 but can also apply to 10.3. 1 Click Apple > System Preferences. Figure 192 Mac OS X 10.4: Apple Menu 2 In the System Preferences window, click the Network icon. Figure 193 Mac OS X 10.
Appendix A Setting Up Your Computer’s IP Address 3 When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure. Figure 194 Mac OS X 10.4: Network Preferences 4 For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab. Figure 195 Mac OS X 10.4: Network Preferences > TCP/IP Tab.
Appendix A Setting Up Your Computer’s IP Address 5 For statically assigned settings, do the following: • From the Configure IPv4 list, select Manually. • In the IP Address field, type your IP address. • In the Subnet Mask field, type your subnet mask. • In the Router field, type the IP address of your device. Figure 196 Mac OS X 10.
Click Apply Now and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab.
Figure 197 Mac OS X 10.4: Network Utility

Mac OS X: 10.5

The screens in this section are from Mac OS X 10.5.

1 Click Apple > System Preferences.
Figure 198 Mac OS X 10.
2 In System Preferences, click the Network icon.
Figure 199 Mac OS X 10.
3 When the Network preferences pane opens, select Ethernet from the list of available connection types.
Figure 200 Mac OS X 10.5: Network Preferences > Ethernet
4 From the Configure list, select Using DHCP for dynamically assigned settings.
5 For statically assigned settings, do the following:
• From the Configure list, select Manually.
• In the IP Address field, enter your IP address.
• In the Subnet Mask field, enter your subnet mask.
• In the Router field, enter the IP address of your NWA.
Figure 201 Mac OS X 10.5: Network Preferences > Ethernet
6 Click Apply and close the window.
Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab.
Figure 202 Mac OS X 10.5: Network Utility

Linux: Ubuntu 8 (GNOME)

This section shows you how to configure your computer’s TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution.

1 Click System > Administration > Network.
Figure 203 Ubuntu 8: System > Administration Menu
2 When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password.
3 In the Authenticate window, enter your admin account name and password then click the Authenticate button.
Figure 205 Ubuntu 8: Administrator Account Authentication
4 In the Network Settings window, select the connection that you want to configure, then click Properties.
5 The Properties dialog box opens.
Figure 207 Ubuntu 8: Network Settings > Properties
• In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address.
• In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields.
6 Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen.
7 If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided.
Figure 208 Ubuntu 8: Network Settings > DNS
8 Click the Close button to apply the changes.

tab. The Interface Statistics column shows data if your connection is working properly.
Figure 209 Ubuntu 8: Network Tools

Linux: openSUSE 10.3 (KDE)

This section shows you how to configure your computer’s TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration.
1 Click K Menu > Computer > Administrator Settings (YaST).
Figure 210 openSUSE 10.3: K Menu > Computer Menu
2 When the Run as Root - KDE su dialog opens, enter the admin password and click OK.
Figure 211 openSUSE 10.
3 When the YaST Control Center window opens, select Network Devices and then click the Network Card icon.
Figure 212 openSUSE 10.3: YaST Control Center
4 When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button.
Figure 213 openSUSE 10.
5 When the Network Card Setup window opens, click the Address tab.
Figure 214 openSUSE 10.3: Network Card Setup
6 Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields.
7 Click Next to save the changes and close the Network Card Setup window.
8 If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided.
Figure 215 openSUSE 10.3: Network Settings
9 Click Finish to save your settings and close the window.

Verifying Settings

Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information.
Figure 216 openSUSE 10.3: KNetwork Manager
When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly.
APPENDIX B Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).

with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
Figure 219 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
Figure 220 Infrastructure WLAN

Channel

A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area.

wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
Figure 221 RTS/CTS
When station A sends data to the AP, it might not know that the station B is already using the channel.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.

several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:

Table 96 IEEE 802.11g
DATA RATE (MBPS)    MODULATION
1                   DBPSK (Differential Binary Phase Shift Keyed)
2                   DQPSK (Differential Quadrature Phase Shift Keying)
5.
IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
• User based identification that allows for roaming.

• Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
• Accounting-Request: Sent by the access point requesting accounting.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x.

keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network.

3 The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
Figure 222 WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.
Figure 223 WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type. MAC address filters are not dependent on how you configure these security features.
Antenna Overview

An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.

Antenna Characteristics

Frequency

An antenna in the frequency of 2.4GHz (IEEE 802.11b) or 5GHz (IEEE 802.

• Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
• Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb.
APPENDIX C Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device.

1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.
Figure 225 Internet Options: Privacy
3 Click Apply to save this setting.

Enable pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

2 Select Settings… to open the Pop-up Blocker Settings screen.
Figure 226 Internet Options: Privacy
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1.
4 Click Add to move the IP address to the list of Allowed sites.
Figure 227 Pop-up Blocker Settings
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.

JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
Figure 228 Internet Options: Security
2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.
Figure 229 Security Settings - Java Scripting

Java Permissions

1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.
Figure 230 Security Settings - Java

JAVA (Sun)

1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for
3 Click OK to close the window.
APPENDIX D Importing Certificates

This appendix shows you how to import public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar.

1 If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
Figure 232 Internet Explorer 7: Certification Error
2 Click Continue to this website (not recommended).
Figure 233 Internet Explorer 7: Certification Error
3 In the Address Bar, click Certificate Error > View certificates.
4 In the Certificate dialog box, click Install Certificate.
Figure 235 Internet Explorer 7: Certificate
5 In the Certificate Import Wizard, click Next.
6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.
Figure 237 Internet Explorer 7: Certificate Import Wizard
7 Otherwise, select Place all certificates in the following store and then click Browse.
8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.
Figure 239 Internet Explorer 7: Select Certificate Store
9 In the Completing the Certificate Import Wizard screen, click Finish.
10 If you are presented with another Security Warning, click Yes.
Figure 241 Internet Explorer 7: Security Warning
11 Finally, click OK when presented with the successful certificate installation message.
Figure 242 Internet Explorer 7: Certificate Import Wizard
12 The next time you start Internet Explorer and go to a ZyXEL web configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information.
Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.
Figure 244 Internet Explorer 7: Public Key Certificate File
2 In the security warning dialog box, click Open.

1 Open Internet Explorer and click Tools > Internet Options.
Figure 246 Internet Explorer 7: Tools Menu
2 In the Internet Options dialog box, click Content > Certificates.
3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.
Figure 248 Internet Explorer 7: Certificates
4 In the Certificates confirmation, click Yes.
Figure 249 Internet Explorer 7: Certificates
5 In the Root Certificate Store dialog box, click Yes.
6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Firefox

The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.

1 If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
3 The certificate is stored and you can now connect securely to the web configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information.

1 Open Firefox and click Tools > Options.
Figure 253 Firefox 2: Tools Menu
2 In the Options dialog box, click Advanced > Encryption > View Certificates.
3 In the Certificate Manager dialog box, click Web Sites > Import.
Figure 255 Firefox 2: Certificate Manager
4 Use the Select File dialog box to locate the certificate and then click Open.
Figure 256 Firefox 2: Select File
5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.

Removing a Certificate in Firefox

This section shows you how to remove a public key certificate in Firefox 2.

1 Open Firefox and click Tools > Options.
Figure 257 Firefox 2: Tools Menu
2 In the Options dialog box, click Advanced > Encryption > View Certificates.
3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.
Figure 259 Firefox 2: Certificate Manager
4 In the Delete Web Site Certificates dialog box, click OK.
Figure 260 Firefox 2: Delete Web Site Certificates
5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
1 If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2 Click Install to accept the certificate.
Figure 261 Opera 9: Certificate signer not found
3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.

Installing a Stand-Alone Certificate File in Opera

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Opera and click Tools > Preferences.
2 In Preferences, click Advanced > Security > Manage certificates.
3 In the Certificates Manager, click Authorities > Import.
Figure 265 Opera 9: Certificate manager
4 Use the Import certificate dialog box to locate the certificate and then click Open.
5 In the Install authority certificate dialog box, click Install.
Figure 267 Opera 9: Install authority certificate
6 Next, click OK.
Figure 268 Opera 9: Install authority certificate
7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.

Removing a Certificate in Opera

This section shows you how to remove a public key certificate in Opera 9.

1 Open Opera and click Tools > Preferences.
Figure 269 Opera 9: Tools Menu
2 In Preferences, click Advanced > Security > Manage certificates.
3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.
Figure 271 Opera 9: Certificate manager
4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
2 Click Continue.
Figure 272 Konqueror 3.5: Server Authentication
3 Click Forever when prompted to accept the certificate.
Figure 273 Konqueror 3.5: Server Authentication
4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details.
Figure 274 Konqueror 3.

Installing a Stand-Alone Certificate File in Konqueror

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.
Figure 275 Konqueror 3.5: Public Key Certificate File
2 In the Certificate Import Result - Kleopatra dialog box, click OK.
Figure 276 Konqueror 3.
3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details.

Removing a Certificate in Konqueror

This section shows you how to remove a public key certificate in Konqueror 3.5.

1 Open Konqueror and click Settings > Configure Konqueror.
Figure 278 Konqueror 3.5: Settings Menu
2 In the Configure dialog box, select Crypto.
4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
APPENDIX E IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.
Figure 280 Network Number and Host ID
How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Table 100 Subnet Masks
                  1ST OCTET: (192)   2ND OCTET: (168)   3RD OCTET: (1)   4TH OCTET (2)
Network Number    11000000           10101000           00000001
Host ID                                                                   00000010

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Subnet masks can be referred to by the size of the network number part (the bits with a “1” value).

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:

Table 102 Maximum Host Numbers
SUBNET MASK                 HOST ID SIZE
8 bits    255.0.0.0         24 bits
16 bits   255.255.0.0
24 bits   255.255.255.0
29 bits   255.255.255.
Subnetting

You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons. In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.

The following figure shows the company network after subnetting. There are now two sub-networks, A and B.
Figure 282 Subnetting Example: After Subnetting
In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 – 2 or 126 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address). 192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.

Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet’s broadcast address).

Table 104 Subnet 1
IP/SUBNET MASK          NETWORK NUMBER                  LAST OCTET BIT VALUE
IP Address (Decimal)    192.168.1.                      0
IP Address (Binary)     11000000.10101000.00000001.     00000000
Subnet Mask (Binary)    11111111.11111111.11111111.     11000000
Subnet Address: 192.168.1.0     Lowest Host ID: 192.168.1.

Table 107 Subnet 4 (continued)
IP/SUBNET MASK          NETWORK NUMBER                  LAST OCTET BIT VALUE
Subnet Address: 192.168.1.192       Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255    Highest Host ID: 192.168.1.254

Example: Eight Subnets

Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet.

The following table is a summary for subnet planning on a network with a 16-bit network number.

Table 110 16-bit Network Number Subnet Planning
NO. “BORROWED” HOST BITS    SUBNET MASK            NO. SUBNETS    NO. HOSTS PER SUBNET
1                           255.255.128.0 (/17)    2              32766
2                           255.255.192.0 (/18)    4              16382
3                           255.255.224.0 (/19)    8              8190
4                           255.255.240.0 (/20)    16             4094
5                           255.255.248.0 (/21)    32             2046
6                           255.255.252.0 (/22)    64             1022
7                           255.255.254.0 (/23)    128            510
8                           255.255.255.
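The subnet arithmetic in the examples and planning table above, as an added Python example that is not part of the original guide: it splits 192.168.1.0 the way the two-, four- and eight-subnet examples do, rebuilds the planning rows for a 16-bit network number, and checks whether two hosts still share a subnet under a given mask. The function names, the 172.16.0.0 network and the two host addresses are assumptions made for the example.

```python
import ipaddress


def split_network(network, borrowed_bits):
    """Split `network` by borrowing host bits; one dict per resulting subnet."""
    rows = []
    for sub in ipaddress.ip_network(network).subnets(prefixlen_diff=borrowed_bits):
        rows.append({
            "subnet": str(sub.network_address),        # host ID of all zeroes
            "mask": str(sub.netmask),
            "lowest_host": str(sub.network_address + 1),
            "highest_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),   # host ID of all ones
            "hosts": sub.num_addresses - 2,            # minus subnet and broadcast
        })
    return rows


def planning_table(network, max_borrowed):
    """Rows of (borrowed bits, subnet mask, prefix length, subnets, hosts per subnet)."""
    net = ipaddress.ip_network(network)
    table = []
    for bits in range(1, max_borrowed + 1):
        prefix = net.prefixlen + bits
        mask = ipaddress.ip_network("%s/%d" % (net.network_address, prefix)).netmask
        table.append((bits, str(mask), prefix, 2 ** bits, 2 ** (32 - prefix) - 2))
    return table


def same_subnet(ip_a, ip_b, mask):
    """True when both hosts have the same network number under `mask`."""
    net_a = ipaddress.ip_interface("%s/%s" % (ip_a, mask)).network
    net_b = ipaddress.ip_interface("%s/%s" % (ip_b, mask)).network
    return net_a == net_b


if __name__ == "__main__":
    # The guide's four-subnet example: 192.168.1.0 with two borrowed bits.
    for row in split_network("192.168.1.0/24", 2):
        print(row)
    # 172.16.0.0 is an assumed network with a 16-bit network number.
    for row in planning_table("172.16.0.0/16", 7):
        print(row)
    # Constructed hosts: a server at .10 and a workstation at .200.
    print(same_subnet("192.168.1.10", "192.168.1.200", "255.255.255.0"))
    print(same_subnet("192.168.1.10", "192.168.1.200", "255.255.255.128"))
```

Running `same_subnet` before and after a mask change shows whether a server group has actually been separated from the rest of the network at the IP layer.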
you entered. You don't need to change the subnet mask computed by the NWA unless you are instructed to do otherwise.

Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems.
APPENDIX F Text File Based Auto Configuration

This chapter describes how administrators can use text configuration files to configure the wireless LAN settings for multiple APs.

Text File Based Auto Configuration Overview

You can use plain text configuration files to configure the wireless LAN settings on multiple APs. The AP can automatically get a configuration file from a TFTP server at startup or after renewing DHCP client information.

You can have a different configuration file for each AP. You can also have multiple APs use the same configuration file.

Note: If adjacent APs use the same configuration file, you should leave out the channel setting since they could interfere with each other’s wireless traffic.

Auto Configuration by DHCP

A DHCP response can use options 66 and 67 to assign a TFTP server IP address and a filename.

Use the following procedure to have the AP download the configuration file.

Table 113 Configuration via SNMP
STEPS     MIB VARIABLE       VALUE
Step 1    pwTftpServer       Set the IP address of the TFTP server.
Step 2    pwTftpFileName     Set the file name, for example, g3000hcfg.txt.
Step 3    pwTftpFileType     Set to 3 (text configuration file).
Step 4    pwTftpOpCommand    Set to 2 (download).

The second line must specify the file version. The AP compares the file version with the version of the last configuration file that it downloaded. If the version of the downloaded file is the same or smaller (older), the AP ignores the file. If the version of the downloaded file is larger (newer), the AP uses the file.

Configuration File Rules

You can only use the wlan and wcfg commands in the configuration file.

Wcfg Command Configuration File Examples

These example configuration files use the wcfg command to configure security and SSID profiles.
Figure 287 WPA-PSK Configuration File Example

!#ZYXEL PROWLAN
!#VERSION 13
wcfg security 3 name Test-wpapsk
wcfg security 3 mode wpapsk
wcfg security 3 passphrase qwertyuiop
wcfg security 3 reauthtime 1800
wcfg security 3 idletime 3600
wcfg security 3 groupkeytime 1800
wcfg security save
wcfg ssid 3 name ssid-wpapsk
wcfg ssid 3 security Test-wpapsk
wcfg ssid 3 qos 4
wcfg ssid 3 l2siolation disable
wcfg ssid 3 macfilter disable
wcfg ssid save

Figure 288 WPA Con
commands that create security and SSID profiles before the commands that tell the AP to use those profiles.
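A pre-publication check for these configuration files, as an added Python example that is not ZyXEL's code: it applies the rules stated above (version on the second line, only wlan and wcfg commands, the same-or-older version being ignored, security profiles created before an SSID profile uses them) and flags a weak WPA-PSK passphrase. It assumes the first line is the `!#ZYXEL PROWLAN` marker shown in Figure 287; the names `lint` and `passphrase_problem` and the single-character-class heuristic are choices made for this example, and only the `wcfg ssid ... security` reference is checked for ordering.

```python
import re

HEADER = "!#ZYXEL PROWLAN"          # first line of the guide's Figure 287 example
VERSION_RE = re.compile(r"^!#VERSION\s+(\d+)$")
ALLOWED = ("wlan", "wcfg")          # the only commands the guide allows in the file

# The guide's Figure 287 WPA-PSK example, copied as printed.
PAGE_EXAMPLE = """\
!#ZYXEL PROWLAN
!#VERSION 13
wcfg security 3 name Test-wpapsk
wcfg security 3 mode wpapsk
wcfg security 3 passphrase qwertyuiop
wcfg security 3 reauthtime 1800
wcfg security 3 idletime 3600
wcfg security 3 groupkeytime 1800
wcfg security save
wcfg ssid 3 name ssid-wpapsk
wcfg ssid 3 security Test-wpapsk
wcfg ssid 3 qos 4
wcfg ssid 3 l2siolation disable
wcfg ssid 3 macfilter disable
wcfg ssid save
"""

# Constructed variant: the SSID profile comes before the security profile it uses.
BAD_ORDER = """\
!#ZYXEL PROWLAN
!#VERSION 13
wcfg ssid 3 name ssid-wpapsk
wcfg ssid 3 security Test-wpapsk
wcfg ssid save
wcfg security 3 name Test-wpapsk
wcfg security 3 mode wpapsk
wcfg security 3 passphrase qwertyuiop
wcfg security save
"""


def passphrase_problem(value):
    """Reason string if the WPA-PSK passphrase looks unsafe, else None.
    8-63 characters is the WPA limit; the one-class rule is this example's heuristic."""
    if not 8 <= len(value) <= 63:
        return "passphrase must be 8 to 63 characters"
    if len(value) < 16 and (value.isalpha() or value.isdigit()):
        return "short passphrase drawn from one character class"
    return None


def lint(text, last_version=None):
    """Return (version, will_apply, findings); last_version is the previous file's version."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        findings.append("line 1: expected '%s'" % HEADER)
    match = VERSION_RE.match(lines[1].strip()) if len(lines) > 1 else None
    version = int(match.group(1)) if match else None
    if version is None:
        findings.append("line 2: expected '!#VERSION <number>'")
    # The AP ignores a file whose version is the same as or older than the last one.
    will_apply = version is not None and (last_version is None or version > last_version)
    if version is not None and not will_apply:
        findings.append("version %d is not newer than %d, the AP ignores the file"
                        % (version, last_version))
    security_names = set()          # security profile names created so far
    for number, raw in enumerate(lines[2:], start=3):
        tok = raw.split()
        if not tok:
            continue
        if tok[0] not in ALLOWED:
            findings.append("line %d: '%s' is not a wlan or wcfg command" % (number, tok[0]))
            continue
        if tok[:2] == ["wcfg", "security"] and len(tok) >= 5:
            if tok[3] == "name":
                security_names.add(tok[4])
            elif tok[3] == "passphrase":
                reason = passphrase_problem(" ".join(tok[4:]))
                if reason:
                    findings.append("line %d: %s" % (number, reason))
        elif tok[:2] == ["wcfg", "ssid"] and len(tok) >= 5 and tok[3] == "security":
            # Profiles must be created before the commands that use them.
            if tok[4] not in security_names:
                findings.append("line %d: security profile '%s' used before it is created"
                                % (number, tok[4]))
    return version, will_apply, findings


if __name__ == "__main__":
    for label, sample in (("page example", PAGE_EXAMPLE), ("bad order", BAD_ORDER)):
        version, will_apply, findings = lint(sample, last_version=12)
        print(label, "version", version, "applied" if will_apply else "ignored")
        for finding in findings:
            print("  ", finding)
```

Because the AP fetches this file over TFTP, which has neither authentication nor encryption, the passphrase in it is readable on any network segment the transfer crosses.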
APPENDIX G Legal Information Copyright Copyright © 2009 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
Appendix G Legal Information • This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
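The legal communications referred to in the preceding paragraph mean radio communications operated in accordance with telecommunications regulations. Low-power radio-frequency devices must accept interference from legal communications and from industrial, scientific and medical equipment that radiates radio waves. Wireless information transmission equipment operating in the 5250 MHz to 5350 MHz band is restricted to indoor use. This device is restricted to indoor use, on the condition that it does not interfere with legal radio stations and is not protected against interference.

Notices

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France.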
Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor.