About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyXEL Device using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Syntax Conventions • The NWA-3500 may be referred to as the “ZyXEL Device”, the “device” or the “system” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
Page 5
Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your device. ZyXEL Device Computer Notebook computer Server DSLAM Firewall Telephone Switch Router...
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. • The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must all be completely indoors. This product is recyclable. Dispose of it properly. ZyXEL NWA-3500 User’s Guide...
Contents Overview Contents Overview Introduction ..........................31 Introducing the ZyXEL Device ....................33 Introducing the Web Configurator ....................43 Status Screens .......................... 47 Tutorial ............................51 The Web Configurator ......................79 System Screens ........................81 Wireless Configuration ......................87 Wireless Security Configuration ....................103 MBSSID and SSID ........................119...
1.2.5 Pre-Configured SSID Profiles ..................37 1.2.6 Configuring Dual WLAN Adaptors ................38 1.3 Ways to Manage the ZyXEL Device ..................38 1.4 Good Habits for Managing the ZyXEL Device ..............39 1.5 Hardware Connections ......................39 1.6 LEDs ............................ 40 Chapter 2 Introducing the Web Configurator ..................
Page 12
4.4.6 Checking your Settings and Testing the Configuration ..........76 4.4.6.1 Checking Settings ..................... 76 4.4.6.2 Testing the Configuration .................. 76 Part II: The Web Configurator ............... 79 Chapter 5 System Screens ........................81 5.1 System Overview ......................... 81 5.2 Configuring General Setup ....................81 ZyXEL NWA-3500 User’s Guide...
Page 16
15.2 Configuring Log Settings ....................182 15.3 Example Log Messages ....................184 15.4 Log Commands ....................... 185 15.4.1 Configuring What You Want the ZyXEL Device to Log .......... 185 15.4.2 Displaying Logs ...................... 186 15.5 Log Command Example ....................186 Chapter 16 VLAN ............................
Page 17
18.2 Accessing the SMT via the Console Port ................ 217 18.2.1 Initial Screen ......................217 18.2.2 Entering the Password ................... 218 18.3 Connect to your ZyXEL Device Using Telnet ..............219 18.4 Changing the System Password ..................219 18.5 SMT Menu Overview Example ..................220 18.6 Navigating the SMT Interface ..................
Page 19
Appendix F Pop-up Windows, JavaScripts and Java Permissions ........289 Appendix G IP Addresses and Subnetting ................295 Appendix H Text File Based Auto Configuration ..............303 Appendix I Legal Information....................311 Appendix J Customer Support ..................... 315 Index............................319 ZyXEL NWA-3500 User’s Guide...
Page 20
Table of Contents ZyXEL NWA-3500 User’s Guide...
Page 24
Figure 164 Menu 24 System Maintenance ................... 243 Figure 165 Valid CI Commands ......................244 Figure 166 Menu 24.10 System Maintenance: Time and Date Setting ..........245 Figure 167 Telnet Configuration on a TCP/IP Network ................. 247 ZyXEL NWA-3500 User’s Guide...
Page 25
Figure 201 WEP Configuration File Example ..................306 Figure 202 802.1X Configuration File Example ..................307 Figure 203 WPA-PSK Configuration File Example ................307 Figure 204 WPA Configuration File Example ..................308 Figure 205 Wlan Configuration File Example ..................309 ZyXEL NWA-3500 User’s Guide...
Page 26
List of Figures ZyXEL NWA-3500 User’s Guide...
Page 28
Table 76 Firmware Upload ........................209 Table 77 Restore Configuration ......................211 Table 78 SMT Menus Overview ......................220 Table 79 Main Menu Commands ......................221 Table 80 Main Menu Summary ......................222 Table 81 Menu 1 General Setup ......................223 ZyXEL NWA-3500 User’s Guide...
Page 29
Table 117 Manual Configuration ......................304 Table 118 Configuration via SNMP ...................... 304 Table 119 Displaying the File Version ....................305 Table 120 Displaying the File Version ....................305 Table 121 Displaying the Auto Configuration Status ................306 ZyXEL NWA-3500 User’s Guide...
Page 30
List of Tables ZyXEL NWA-3500 User’s Guide...
H A P T E R Introducing the ZyXEL Device This chapter introduces the main applications and features of the ZyXEL Device. It also introduces the ways you can manage the ZyXEL Device. 1.1 Introducing the ZyXEL Device Your ZyXEL Device extends the range of your existing wired network without additional wiring, providing easy network access to mobile users.
1.2.1 Access Point The ZyXEL Device is an ideal access solution for wireless Internet connection. A typical Internet access application for your ZyXEL Device is shown as follows. Stations A, B and C can access the wired network through the ZyXEL Devices.
Chapter 1 Introducing the ZyXEL Device Figure 2 Bridge Application Figure 3 Repeater Application 1.2.3 AP + Bridge In AP+Bridge mode, the ZyXEL Device supports both AP and bridge connection at the same time. ZyXEL NWA-3500 User’s Guide...
In the figure below, A and B use X as an AP to access the wired network, while X and Y communicate in bridge mode. When the ZyXEL Device is in AP + Bridge mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP.
Figure 5 Multiple BSSs 1.2.5 Pre-Configured SSID Profiles The ZyXEL Device has two pre-configured SSID profiles. 1 VoIP_SSID. This profile is intended for use by wireless clients requiring the highest QoS (Quality of Service) level for VoIP (Voice over IP) telephony and other applications requiring low latency.
The ZyXEL Device is equipped with dual wireless adaptors. This means you can configure two different wireless networks to operate simultaneously. In the following example, the ZyXEL Device (Z) uses WLAN1 in AP+Bridge mode to allow IEEE 802.11b/g APs and clients to communicate with the wired network, and WLAN2 in AP mode to allow IEEE 802.11a clients to access the wired network.
Chapter 1 Introducing the ZyXEL Device 1.4 Good Habits for Managing the ZyXEL Device Do the following things regularly to make the ZyXEL Device more secure and to manage it more effectively. • Change the password often. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
Chapter 1 Introducing the ZyXEL Device 1.6 LEDs Figure 7 LEDs Table 1 LEDs LABEL COLOR STATUS DESCRIPTION Green The wireless adaptor WLAN1 is active. Blinking The wireless adaptor WLAN1 is active, and transmitting or receiving data. The wireless adaptor WLAN1 is not active.
Page 41
Flashing The ZyXEL Device is starting up. Either • The ZyXEL Device is in Access Point or MBSSID mode and is functioning normally. • The ZyXEL Device is in AP+Bridge or Bridge/ Repeater mode and has not established a Wireless Distribution System (WDS) connection.
H A P T E R Introducing the Web Configurator This chapter describes how to access the ZyXEL Device’s web configurator and provides an overview of its screens. 2.1 Accessing the Web Configurator 1 Make sure your hardware is properly connected and prepare your computer or computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
Chapter 2 Introducing the Web Configurator Figure 8 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyXEL Device’s MAC address that will be specific to this device. Figure 9 Replace Certificate Screen You should now see the Status screen.
Use the web configurator to restore defaults (refer to Chapter 17 on page 205). Transfer the configuration file to your ZyXEL Device using FTP. See the section on SMT configuration for more information. 2.3 Navigating the Web Configurator The following summarizes how to navigate the web configurator from the Status screen.
Page 46
Chapter 2 Introducing the Web Configurator Click MAINTENANCE to view information about your ZyXEL Device or upgrade configuration and firmware files. Maintenance features include Status (Statistics), Association List, Channel Usage, F/W (firmware) Upload, Configuration (Backup, Restore and Default) and Restart.
H A P T E R Status Screens The Status screen displays when you log into the ZyXEL Device, or click Status in the navigation menu. Use the Status screens to look at the current status of the device, system resources, interfaces and SSID status.
This field displays what percentage of the ZyXEL Device’s volatile memory is currently in use. The higher the memory usage, the more likely the ZyXEL Device is to slow down. Some memory is required just to start the ZyXEL Device and to run the web configurator.
Page 49
Click this to see which wireless channels are currently in use in the local area. See Section 17.4 on page 208. Logs Click this to see a list of logs produced by the ZyXEL Device. See Chapter 15 on page 181. Rogue AP Click this to see a list of unauthorized access points in the local area.
Page 50
Chapter 3 Status Screens ZyXEL NWA-3500 User’s Guide...
4.1 How to Configure the Wireless LAN This section shows how to choose which wireless operating mode you should use on the ZyXEL Device, and the steps you should take to set up the wireless LAN in each wireless mode. See Section 4.1.3 on page 54...
The following figure shows the steps you should take to configure the wireless settings according to the operating mode you select. Use the Web Configurator to set up your ZyXEL Device’s wireless network (see your Quick Start Guide for information on setting up your ZyXEL Device and accessing the Web Configurator).
4.2 How to Configure Multiple Wireless Networks In this example, you have been using your ZyXEL Device as an access point for your office network (See your Quick Start Guide for information on how to set up your ZyXEL Device in Access Point mode).
Section 2.1 on page 43). Click WIRELESS > Wireless. The Wireless screen appears. In this example, the ZyXEL Device is using WLAN adaptor 1 in Access Point operating mode, and is currently set to use the SSID04 profile. ZyXEL NWA-3500 User’s Guide...
This Select SSID Profile table allows you to activate or deactivate SSID profiles. Your wireless network was previously using the SSID04 profile, so select SSID04 in one of the Profile list boxes (number 3 in this example). ZyXEL NWA-3500 User’s Guide...
VoIP_SSID and Guest_SSID profiles you will need to set different security profiles. Figure 16 Tutorial: WIRELESS > SSID The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID’s radio button and click Edit. The following screen displays. ZyXEL NWA-3500 User’s Guide...
• Leave all the other fields at their defaults and click Apply. 4.2.2.1 Set Up Security for the VoIP Profile Now you need to configure the security settings to use on the VoIP wireless network. Click the Security tab. ZyXEL NWA-3500 User’s Guide...
PSK in the Security Mode field. WPA2-PSK provides strong security that anyone with a compatible wireless client can use, once they know the pre-shared key (PSK). Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is “ThisismyWPA2-PSKpre-sharedkey”. ZyXEL NWA-3500 User’s Guide...
127), and “intra-BSS traffic blocking” means that the client cannot access other clients on the same wireless network (see Section 6.1.1 on page 87). Click WIRELESS > SSID. Select Guest_SSID’s entry in the list and click Edit. The following screen appears. ZyXEL NWA-3500 User’s Guide...
You already chose to use the security03 profile for this network, so select security03’s entry in the list and click Edit. The following screen appears. Figure 23 Tutorial: Guest Security Profile Edit • Change the Name field to “Guest_Security” to make it easier to remember and identify. ZyXEL NWA-3500 User’s Guide...
Click WIRELESS > Layer-2 Isolation. The following screen appears. Figure 25 Tutorial: Layer 2 Isolation The Guest_SSID network uses the l2isolation01 profile by default, so select its entry and click Edit. The following screen displays. ZyXEL NWA-3500 User’s Guide...
Guest_SSID network, but not the VoIP_SSID network. If you can see the VoIP_SSID network, go to its SSID Edit screen and make sure Hide Name (SSID) is set to Enable. Whether or not you see the standard network’s SSID (SSID04) depends on whether “hide SSID” is enabled. ZyXEL NWA-3500 User’s Guide...
Device. A rogue AP is a wireless access point operating in a network’s coverage area that is not a sanctioned part of that network. The example also shows how to set the ZyXEL Device to send out e-mail alerts whenever it detects a rogue wireless access point. See...
This means that one or more of your APs can detect the AP (1) in the other wireless network. When configuring the rogue AP feature on your ZyXEL Devices in this example, you will need to use the information in the following table. You need the IP addresses of your APs to access their Web configurators, and you need the MAC address of each AP to configure the friendly AP list.
Chapter 4 Tutorial The ZyXEL Device can detect the MAC addresses of APs automatically. However, it is more secure to obtain the correct MAC addresses from another source and add them to the friendly AP list manually. For example, an attacker’s AP mimicking the correct SSID could be placed on the friendly AP list by accident, if selected from the list of auto-detected APs.
3 Next, you will save the list of friendly APs in order to provide a backup and upload it to your other access points. Click the Configuration tab.The following screen appears. Figure 31 Tutorial: Configuration 4 Click Export. If a window similar to the following appears, click Save. ZyXEL NWA-3500 User’s Guide...
Figure 33 Tutorial: Save Friendly AP list 4.3.2 Activate Periodic Rogue AP Detection Take the following steps to activate rogue AP detection on the first of your ZyXEL Devices. 1 In the ROGUE AP > Configuration screen, select Yes from the Activate Rogue AP Period Detection field.
Chapter 4 Tutorial 2 In the Period (min.) field, enter how often you want the ZyXEL Device to scan for rogue APs. You can have the ZyXEL Device scan anywhere from once every ten minutes to once every hour. In this example, enter “10”.
AP alert, email alerts are correctly configured on that ZyXEL Device. • If you have another access point that is not used in your network, make a note of its MAC address and set it up next to each of your ZyXEL Devices in turn while the network is running.
1 (but should not access server 2) and wireless user “Bob” (B) needs to access server 2 (but should not access server 1). Your ZyXEL Device is marked Z. C is a workstation on your wired network, D is your main network switch, and E is the security gateway you use to connect to the Internet.
Chapter 4 Tutorial 4.4.3 Setup In this example, you have already set up the ZyXEL Device in MBSSID mode (see Chapter 8 on page 119). It uses two SSID profiles simultaneously. You have configured each SSID profile as shown in the following table.
Internet security gateway. Take the following steps to configure the SERVER_1 network. 1 Log into the ZyXEL Device’s Web Configurator and click WIRELESS > SSID. The following screen displays, showing the SSID profiles you already configured. Figure 37 Tutorial: SSID Profile 2 Select SERVER_1’s entry and click Edit.
Enter the MAC address of the device Alice uses to connect to the network in Set 1’s MAC Address field and enter her name in the Description field, as shown in the following figure. Change the Profile Name to “MacFilter_SERVER_1”. Select Allow Association from the Filter Action field and click Apply. ZyXEL NWA-3500 User’s Guide...
Set 1 MAC Address: 77:66:55:44:33:22 Description: NET_ROUTER Set 2 MAC Address: 99:88:77:66:55:44 Description: SERVER_2 Set 3 MAC Address: 66:55:44:33:22:11 Description: GATEWAY MAC Filter (macfilter04) Edit Screen Profile Name MacFilter_SERVER_2 Set 1 MAC Address: 22:33:44:55:66:77 Description: Bob ZyXEL NWA-3500 User’s Guide...
Use the following sections to ensure that your wireless networks are set up correctly. 4.4.6.1 Checking Settings Take the following steps to check that the ZyXEL Device is using the correct SSIDs, MAC filters and layer-2 isolation profiles. 1 Click WIRELESS > Wireless. Check that the Operating Mode is MBSSID and that the correct SSID profiles are selected and activated, as shown in the following figure.
Page 77
If you cannot do something that you should be able to do, check the settings as described in Section 4.4.6.1 on page 76, and in the individual Security, layer-2 isolation and MAC filter profiles for the relevant network. If this does not help, see the Troubleshooting chapter in this User’s Guide. ZyXEL NWA-3500 User’s Guide...
DESCRIPTION General Setup System Name Type a descriptive name to identify the ZyXEL Device in the Ethernet network. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
It is strongly recommended that you change your ZyXEL Device’s password. Click SYSTEM > Password. The screen appears as shown. If you forget your ZyXEL Device’s password (or IP address), you will need to reset the device. See the section on resetting the ZyXEL Device for details Regardless of how you configure this screen, you still use the local system password to log in via the console port (not available on all models).
Enable Admin at Local Select this check box to have the device authenticate management logins to the device. Use old setting Select this to have the ZyXEL Device use the local management password already configured on the device (“1234” is the default). Use new setting Select this if you want to change the local management password.
5.4 Configuring Time Setting To change your ZyXEL Device’s time and date, click SYSTEM > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device’s time based on your local time zone. Figure 45 SYSTEM > Time Setting...
When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server you specify below. Auto Select this to have the ZyXEL Device use the predefined list of time servers.
Click Reset to reload the previous configuration for this screen. 5.5 Pre-defined NTP Time Servers List When you turn on the ZyXEL Device for the first time, the date and time start at 2000-01-01 00:00:00. When you select Auto in the SYSTEM > Time Setting screen, the ZyXEL Device then attempts to synchronize with one of the following pre-defined list of NTP time servers.
H A P T E R Wireless Configuration This chapter discusses how to configure the Wireless screens on the ZyXEL Device. 6.1 Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios. 6.1.1 BSS A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
See the Wireless LANs Appendix for information on the following: • Wireless LAN Topologies • Channel • RTS/CTS • Fragmentation Threshold • IEEE 802.1x • RADIUS • Types of Authentication • WPA • Security Parameters Summary ZyXEL NWA-3500 User’s Guide...
The ZyXEL Device uses WMM QoS to prioritize traffic streams according to the IEEE 802.1q or DSCP information in each packet’s header. The ZyXEL Device automatically determines the priority to use for an individual traffic stream.
WMM QoS settings. 6.3.3 ATC+WMM The ZyXEL Device can use a mapping mechanism to use both ATC and WMM QoS. The ATC+WMM function prioritizes all packets transmitted onto the wireless network using WMM QoS, and prioritizes all packets transmitted onto the wired network using ATC. See Section 8.2.2 on page 123...
Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the ZyXEL Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.
DSCP value in order to make the best use of WMM QoS. A Voice over IP (VoIP) device for example may allow you to define the DSCP value. The following table lists which WMM QoS priority level the ZyXEL Device uses for specific DSCP values.
BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology. ZyXEL NWA-3500 User’s Guide...
6.6 Wireless Screen Overview The following is a list of the wireless screens you can configure on the ZyXEL Device. 1 Configure the ZyXEL Device to operate in AP, AP+Bridge, Bridge/Repeater or MBSSID mode in the Wireless screen. You can also select an SSID Profile in the Wireless screen.
Set the operating frequency/channel depending on your particular region. Channel ID To manually set the ZyXEL Device to use a channel, select a channel from the drop- down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
Page 96
256 and 2346. Output Power Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power of the ZyXEL Device to reduce interference with other APs. Select one of the following 100%(Full Power), 50%, 25%, 12.5% or Minimum.
LAN 2. Figure 50 Bridging Example Be careful to avoid bridge loops when you enable bridging in the ZyXEL Device. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem: •...
Figure 52 Bridge Loop: Bridge Connected to Wired LAN To prevent bridge loops, ensure that you enable STP in the Wireless screen or your ZyXEL Device is not set to bridge mode while connected to both wired and wireless segments of the same LAN.
Choose Channel ID Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
Page 100
256 and 2346. Output Power Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power of the ZyXEL Device to reduce interference with other APs.
6.7.3 AP+Bridge Mode Select AP+Bridge as the Operating Mode in the WIRELESS > Wireless screen to have the ZyXEL Device function as a bridge and access point simultaneously. See the section on applications for more information. Figure 54 Wireless: AP+Bridge See the tables describing the fields in the Access Point and Bridge/Repeater operating modes for descriptions of the fields in this screen.
(Allow Association) or exclude them from accessing the AP (Deny Association). 7.1.3 Hide Identity If you hide the SSID, then the ZyXEL Device cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of “hiding” the ZyXEL Device may be inconvenience for some valid WLAN clients.
Chapter 7 Wireless Security Configuration Your ZyXEL Device allows you to configure up to four 64-bit, 128-bit or 152-bit WEP keys but only one key can be enabled at any one time. 7.2 802.1x Overview The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols). 2 The AP checks each wireless client's password and allows it to join the network only if the password matches. ZyXEL NWA-3500 User’s Guide...
3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. ZyXEL NWA-3500 User’s Guide...
Select this to use either WPA2 or WPA depending on which security mode the wireless client uses. WPA2-PSK Select this to use WPA2 with a pre-shared key. WPA2-PSK-MIX Select this to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses. ZyXEL NWA-3500 User’s Guide...
Wi-Fi Protected Access (WPA) Most Secure WPA2 If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device within range. 7.9 Configuring Security The following screens are configurable only in Access Point, AP+Bridge and MBSSID operating modes only.
Select an entry from the list and click Edit to configure security settings for that profile. The next screen varies according to the Security Mode you select. 7.9.1 Security: WEP Select WEP in the Security Mode field to display the following screen. ZyXEL NWA-3500 User’s Guide...
Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically. Key 1 to The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. Key 4 If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F").
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed.
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed.
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed.
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.
These profiles can be assigned to an SSID profile in the SSID configuration screen To set up your ZyXEL Device’s RADIUS server settings, click WIRELESS > RADIUS. The screen appears as shown. Figure 65 RADIUS The following table describes the labels in this screen.
Page 117
ZyXEL Device. The key must be the same on the external authentication server and your ZyXEL Device. The key is not sent over the network. This field is not available when you select Internal.
H A P T E R MBSSID and SSID This chapter describes how to configure and use your ZyXEL Device’s MBSSID mode and configure SSID profiles. 8.1 Wireless LAN Infrastructures See the Wireless LAN chapter for some basic WLAN scenarios and terminology.
Figure 66 Multiple BSS with VLAN Example 8.1.5 Configuring Multiple BSSs Click WIRELESS > Wireless and select MBSSID in the Operating Mode drop-down list box to display the screen as shown. Figure 67 Wireless: Multiple BSS ZyXEL NWA-3500 User’s Guide...
256 and 2346. Output Power Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs. Select one of the following 100%(Full Power), 50%, 25%, 12.5% or Minimum.
The blue ZyAIR LED is on when the ZyXEL Device is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyXEL Device is on and data is being transmitted/received.
Index This field displays the index number of each SSID profile. Name This field displays the identification name of each SSID profile on the ZyXEL Device. SSID This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.
Hide Name (SSID) Select Disable if you want the ZyXEL Device to broadcast this SSID (a wireless client scanning for an AP will find this SSID). Alternatively, select Enable to have the ZyXEL Device hide this SSID (a wireless client scanning for an AP will not find this SSID).
Page 125
WMM_BACKGROUND, the ZyXEL Device applies that QoS setting to all of that SSID’s traffic. • If you select NONE, the ZyXEL Device applies no priority to traffic on this SSID. Note: When you configure an SSID profile’s QoS settings, the ZyXEL Device applies the same QoS setting to all of the profile’s traffic.
APs, computers or routers in a network. In the following example, layer-2 isolation is enabled on the ZyXEL Device (Z, in the figure) to allow a guest wireless client (A) to access the main network router (B). The router provides access to the Internet (C) and the network printer (D) while preventing the client from accessing other computers and servers on the network.
MAC addresses that are not listed in the Allow devices with these MAC addresses table are blocked from communicating with the ZyXEL Device’s wireless clients except for broadcast packets. Layer-2 isolation does not check the traffic between wireless clients that are associated with the same AP.
If layer-2 isolation is enabled, you need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the ZyXEL Device's wireless clients. ZyXEL NWA-3500 User’s Guide...
Type a name to identify this device. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. 9.3.1 Layer-2 Isolation Examples The following section shows you example layer-2 isolation configurations on the ZyXEL Device (A). ZyXEL NWA-3500 User’s Guide...
In the following example wireless clients 1 and 2 can communicate with access point B and file server C but not wireless client 3. • Enter the server’s and your ZyXEL Device’s MAC addresses in the MAC Address fields. Enter “File Server C” in C’s Description field, and enter “Access Point B” in B’s Description field.
Figure 75 Layer-2 Isolation Example 2 9.4 The MAC Filter Screen The MAC filter function allows you to configure the ZyXEL Device to give exclusive access to devices (Allow Association) or exclude devices from accessing the ZyXEL Device (Deny Association).
Select an entry from the list and click Edit to configure settings for that profile. 9.4.1 Configuring MAC Filtering To change your ZyXEL Device’s MAC filter settings, click WIRELESS > MAC Filter > Edit. The screen appears as shown. Figure 77 MAC Address Filter...
(bridge tables are updated) and maximum AP efficiency. The AP deletes records of wireless stations that associate with other APs (Non-ZyXEL APs may not be able to perform this). 802.1x authentication information is not exchanged (at the time of writing).
5 The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment. To enable roaming on your ZyXEL Device, click WIRELESS > Wireless. The screen appears as shown.
IP Screen This chapter discusses how to configure IP on the ZyXEL Device. 10.1 Factory Ethernet Defaults The Ethernet parameters of the ZyXEL Device are preset in the factory with the following values: 1 IP address of 192.168.1.2 2 Subnet mask of 255.255.255.0 (24 bits) These parameters should work for the majority of installations.
ZyXEL Device (by the DHCP server) to access the ZyXEL Device again. Use fixed IP address Select this option if your ZyXEL Device is using a static IP address. When you select this option, fill in the fields below. IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation.
Page 139
Chapter 10 IP Screen Table 42 IP Setup LABEL DESCRIPTION Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. ZyXEL NWA-3500 User’s Guide...
Page 140
Chapter 10 IP Screen ZyXEL NWA-3500 User’s Guide...
H A P T E R Rogue AP This chapter discusses rogue wireless access points (APs) and how to configure the ZyXEL Device’s rogue AP detection feature. 11.1 Rogue AP Introduction A rogue AP is a wireless access point operating in a network’s coverage area that is not a sanctioned part of that network.
This scenario can also be part of a wireless denial of service (DoS) attack, in which associated wireless clients are deprived of network access. Other opportunities for the attacker include the introduction of malware (malicious software) into the network. ZyXEL NWA-3500 User’s Guide...
You can choose to scan for rogue APs manually, or to have the ZyXEL Device scan automatically at pre-defined intervals. You can also set the ZyXEL Device to email you immediately when a rogue AP is detected (see Chapter 15 on page 181 for information on how to set up email logs).
Select No to turn rogue AP detection off. Period (min.) Enter the period you want the ZyXEL Device to wait between scanning for rogue APs (between 10 and 60 minutes). You must also select Yes in the Active Rogue AP Period Detection field.
Device’s coverage area, except for the ZyXEL Device itself and the access points included in the friendly AP list (see Section 11.3.2 on page 144). You can set how often you want the ZyXEL Device to scan for rogue APs in the ROGUE AP > Configuration screen (see Section 11.3.1 on page 143).
Table 45 ROGUE AP > Rogue AP LABEL DESCRIPTION Rogue AP List This displays details of access points in the ZyXEL Device’s coverage area that are not listed in the friendly AP list (see Section 11.3.2 on page 144) Refresh Click this button to have the ZyXEL Device scan for rogue APs.
To disable remote management of a service, select Disable in the corresponding Server Access field. You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts.
12.2 Configuring Telnet You can configure your ZyXEL Device for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the ZyXEL Device. Figure 86 Telnet Configuration on a TCP/IP Network Click REMOTE MGNT tab to display the TELNET screen as shown.
ZyXEL Device using this service. Address Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
ZyXEL Device by sending the ZyXEL Device a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyXEL Device (see the appendix on importing certificates for details).
The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the ZyXEL Device, for example 8443, then you must notify people who need to access the ZyXEL Device web configurator to use "https://ZyXEL Device IP Address:8443"...
• Trap - Used by the agent to inform the manager of some events. 12.5.1 Supported MIBs The ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215 as well as the proprietary ZyXEL private MIB. The purpose of the MIBs is to let administrators collect statistical data and monitor status and performance.
Chapter 12 Remote Management Screens 12.5.2 SNMP Traps The ZyXEL Device can send the following traps to the SNMP manager. Table 50 SNMP Traps OBJECT IDENTIFIER # TRAP NAME DESCRIPTION (OID) Generic Traps coldStart 1.3.6.1.6.3.1.1.5.1 This trap is sent after booting (power on). This trap is defined in RFC-1215.
Address ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Page 155
Chapter 12 Remote Management Screens Table 52 Remote Management: SNMP LABEL DESCRIPTION Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. ZyXEL NWA-3500 User’s Guide...
The ZyXEL Device has a built-in RADIUS server that can authenticate wireless clients or other trusted APs. The ZyXEL Device can function as an AP and as a RADIUS server at the same time. PEAP (Protected EAP) and MD5 authentication is implemented on the internal RADIUS server using simple username and password methods over a secure TLS connection.
LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device use its internal RADIUS server to authenticate wireless clients or other APs. This field displays the certificate index number. The certificates are listed in alphabetical order. Use the CERTIFICATES screens to manage certificates. The internal RADIUS server uses one of the certificates listed in this screen to authenticate each wireless client.
Click Reset to start configuring this screen afresh. 13.3 Trusted AP Overview A trusted AP is an AP that uses the ZyXEL Device’s internal RADIUS server to authenticate its wireless clients. Each wireless client must have a user name and password configured in the AUTH.
2 Configure wireless client user names and passwords in the Trusted Users database to use a trusted AP as a relay between the ZyXEL Device’s internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the ZyXEL Device’s internal RADIUS server.
AP and the ZyXEL Device. The key is not sent over the network. This key must be the same on the AP and the ZyXEL Device. Both the ZyXEL Device’s IP address and this shared secret must also be configured in the “external RADIUS”...
The password on the wireless client’s utility must be the same as this password. Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. ZyXEL NWA-3500 User’s Guide...
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.
14.2 Self-signed Certificates You can have the ZyXEL Device act as a certification authority and sign its own certificates. 14.3 Verifying a Certificate Before you import a trusted CA certificate into the ZyXEL Device, you should verify that you have the actual certificate.
Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Devices’ CA-signed certificates. Use the Trusted CA screens to save CA certificates to the ZyXEL Device. 14.5 My Certificates Click CERTIFICATES > My Certificates to open the ZyXEL Device’s summary list of certificates and certification requests.
LABEL DESCRIPTION PKI Storage This bar displays the percentage of the ZyXEL Device’s PKI storage space that is Space in Use currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Note that subsequent certificates move up by one when you take this action Create Click Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request. Import Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyXEL Device.
Import screen. Follow the instructions in this screen to save an existing certificate to the ZyXEL Device. You can import only a certificate that matches a corresponding certification request that was generated by the ZyXEL Device. The certificate you import replaces the corresponding request in the My Certificates screen.
Click CERTIFICATES > My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyXEL Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request, see the following figure.
Page 170
Select Create a certification request and save it locally for later manual request and save it enrollment to have the ZyXEL Device generate and store a request for a locally for later certificate. Use the My Certificate Details screen to view the certification manual enrollment request and copy it to send to the certification authority.
In the case of a self-signed certificate, you can set it to be the one that the ZyXEL Device uses to sign the trusted remote host certificates that you import to the ZyXEL Device.
31 characters to identify this certificate. You may use any character (not including spaces). Property Select this check box to have the ZyXEL Device use this certificate to sign the Default self-signed trusted remote host certificates that you import to the ZyXEL Device. This check certificate which box is only available with self-signed certificates.
Page 173
If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyXEL Device does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
ZyXEL Device to accept as trusted. The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.
LABEL DESCRIPTION PKI Storage This bar displays the percentage of the ZyXEL Device’s PKI storage space that is Space in Use currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the ZyXEL Device to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
31 characters to identify this key certificate. You may use any character (not including spaces). Property Select this check box to have the ZyXEL Device check incoming certificates that Check incoming are issued by this certification authority against a Certificate Revocation List certificates issued (CRL).
Page 178
Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative This field displays the certificate’s owner‘s IP address (IP), domain name (DNS)
Page 179
Apply Click Apply to save your changes. You can only change the name and/or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.
15.1 Configuring View Log The web configurator allows you to look at all of the ZyXEL Device’s logs in one location. Click LOGS > View Log. Use the View Log screen to see the logs for the categories that you...
To change your ZyXEL Device’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where and when the ZyXEL Device is to send the logs and which logs and/or immediate alerts it is to send.
Select the categories of logs that you want to record. Send Immediate Select the categories of alerts for which you want the ZyXEL Device to Alert immediately send e-mail alerts. Apply Click Apply to save your customized settings and exit this screen.
Redirect Redirect datagrams for the Network Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network Redirect datagrams for the Type of Service and Host ZyXEL NWA-3500 User’s Guide...
Use the sys logs clear command to erase all of the ZyXEL Device’s logs. 15.5 Log Command Example This example shows how to set the ZyXEL Device to record the error logs and alerts and then view the results. ras> sys logs load ras>...
The Management VLAN ID identifies the “management VLAN”. A device must be a member of this “management VLAN” in order to access and manage the ZyXEL Device. If a device is not a member of this VLAN, then that device cannot manage the ZyXEL Device.
The ZyXEL Device allows you to configure VLAN based on SSID profile (wireless VLAN), and / or based on your RADIUS server (RADIUS VLAN). • When you use wireless VLAN, the ZyXEL Device tags all packets from an SSID with the VLAN ID you set in the Wireless VLAN screen.
Section 16.2.3 on page 191 for more information. VLAN Mapping Table Use this table to have the ZyXEL Device assign VLAN tags to packets from wireless clients based on the SSID they use to connect to the ZyXEL Device. Index This is the index number of the SSID profile.
Enter a VLAN ID number from 1 to 4094. Packets coming from the WLAN using this SSID profile are tagged with the VLAN ID number by the ZyXEL Device. Different SSID profiles can use the same or different VLAN IDs. This allows you to split wireless stations into groups using similar VLAN IDs.
This section shows you how to create a VLAN on an Ethernet switch. By default, the port on the ZyXEL Device is a member of the management VLAN (VLAN ID 1). The following procedure shows you how to configure a tagged VLAN.
5 Type a VLAN Group ID. This should be the same as the management VLAN ID on the ZyXEL Device. 6 Enable Tx Tagging on the port which you want to connect to the ZyXEL Device. Disable Tx Tagging on the port you are using to connect to your computer.
Chapter 16 VLAN Figure 112 VLAN-Aware Switch - VLAN Status Follow the instructions in the Quick Start Guide to set up your ZyXEL Device for configuration. The ZyXEL Device should be connected to the VLAN-aware switch. In the above example, the switch is using port 1 to connect to your computer and port 2 to connect to...
ID (Name:string) is between 1 and 4094. 4c If a or b are not matched, the ZyXEL Device uses the VLAN ID configured in the WIRELESS VLAN screen and the wireless station. This VLAN ID is independent and hence different to the ID in the VLAN screen.
For example, if the Day-And-Time Restriction policy is still present, it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence. • Right click Remote Access Policy and select New Remote Access Policy. ZyXEL NWA-3500 User’s Guide...
4 The Select Groups window displays. Select a remote access policy and click the Add button. The policy is added to the field below. Only one VLAN Group should be associated with each policy. 5 Click OK and Next in the next few screens to accept the group value. ZyXEL NWA-3500 User’s Guide...
Extensible Authentication Protocol check box. • Select an EAP type depending on your authentication needs from the drop-down list box. • Clear the check boxes for all other authentication types listed below the drop-down list box. ZyXEL NWA-3500 User’s Guide...
9 Click the IP tab and select the Client may request an IP address check box for DHCP support. 10 Click the Advanced tab. The current default parameters returned to the ZyXEL Device should be Service-Type and Framed-Protocol. • Click the Add button to add an additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.
• Click the Add button • Select Tunnel-Medium-Type • Click the Add button. Figure 123 RADIUS Attribute Screen 12 The Enumerable Attribute Information screen displays. Select the 802 value from the Attribute value drop-down list box. • Click OK. ZyXEL NWA-3500 User’s Guide...
4094 or a Name for this policy. This Name should match a name in the VLAN mapping table on the ZyXEL Device. Wireless stations belonging to the VLAN Group specified in this policy will be given a VLAN ID specified in the ZyXEL Device VLAN table.
Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list. ZyXEL NWA-3500 User’s Guide...
Rx VLAN ID configured, and the ZyXEL Device forwards only packets tagged with VLAN ID 2 to it. 16.2.5.1 Second Rx VLAN Setup Example The following steps show you how to setup a second Rx VLAN ID on the ZyXEL Device. 1 Log into the Web Configurator. 2 Click VLAN > Wireless VLAN.
6 Click Apply to save these settings. Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3, and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03. ZyXEL NWA-3500 User’s Guide...
17.2 System Status Screen Click MAINTENANCE to open the System Status screen, where you can use to monitor your ZyXEL Device. Note that these labels are READ-ONLY and are meant to be used for diagnostic purposes. Figure 130 System Status The following table describes the labels in this screen.
This is the number of transmitted packets on this port. RxPkts This is the number of received packets on this port. Collisions This is the number of collisions on this port. Tx B/s This shows the transmission speed in bytes per second on this port. ZyXEL NWA-3500 User’s Guide...
Stop Click this button to stop refreshing statistics. 17.3 Association List View the wireless stations that are currently associated with the ZyXEL Device in the Association List screen. Click MAINTENANCE > Association List to display the screen as shown next.
Chapter 17 Maintenance Table 74 Association List LABEL DESCRIPTION Association Time This field displays the time a wireless station first associated with the ZyXEL Device. Name (SSID) This field displays the SSID to which the wireless station is associated. Signal Lv.
Click Refresh to reload the screen. 17.5 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, for example "NWA-3100.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
ZyXEL Device again. Figure 135 Firmware Upload In Process The ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 136 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen.
Backup configuration allows you to back up (save) the ZyXEL Device’s current configuration to a file on your computer. Once your ZyXEL Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address (192.168.1.2). See your Quick Start Guide for details on how to set up your computer’s IP address.
Chapter 17 Maintenance Figure 142 Reset Warning Message You can also press the RESET button to reset your ZyXEL Device to its factory default settings. Refer to Section 2.2 on page 44 for more information. 17.7 Restart Screen System restart allows you to reboot the ZyXEL Device without turning the power off.
SMT and Troubleshooting Introducing the SMT (217) General Setup (223) LAN Setup (225) SNMP Configuration (227) System Password (229) System Information and Diagnosis (231) Firmware and Configuration File Maintenance (237) System Maintenance and Information (243) Troubleshooting (251)
• No parity, 8 data bits, 1 stop bit, flow control set to none. 18.2.1 Initial Screen When you turn on your ZyXEL Device, it performs several internal tests. After the tests, the ZyXEL Device asks you to press [ENTER] to continue, as shown next. ZyXEL NWA-3500 User’s Guide...
Please note that if there is no activity for longer than five minutes after you log in, your ZyXEL Device will automatically log you out and display a blank screen. If you see a blank screen, press [ENTER] to bring up the login screen again.
Note that as you type a password, the screen displays an asterisk “*” for each character you type. 18.5 SMT Menu Overview Example The following table gives you an overview of your ZyXEL Device’s various SMT menus. Table 78 SMT Menus Overview MENUS...
[ENTER]. exit the SMT interface. After you enter the password, the SMT displays the main menu, as shown next. Figure 148 SMT Main Menu Copyright (c) 1994 - 2006 ZyXEL Communications Corp. NWA-3500 Main Menu Getting Started Advanced Management 1.
Use this menu to set up SNMP related parameters. System Password Use this menu to change your password. System Maintenance This menu provides system status, diagnostics, software upload, etc. Exit Use this to exit the SMT. ZyXEL NWA-3500 User’s Guide...
The Domain Name entry is what is propagated to the DHCP clients on the LAN. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the ZyXEL Device via DHCP. 19.1.1 Procedure To Configure Menu 1 Enter “1”...
Page 224
User-Defined in the field above. ENTER When you have completed this menu, press [ ] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ ] at any time to cancel. ZyXEL NWA-3500 User’s Guide...
H A P T E R LAN Setup This chapter shows you how to configure the LAN on your ZyXEL Device. 20.1 LAN Setup This section describes how to configure the Ethernet using Menu 3 – LAN Setup. From the main menu, enter “3”...
ZyXEL Device (by the DHCP server) to access the ZyXEL Device again. Select Static to give the ZyXEL Device a fixed, unique IP address. Enter a subnet mask appropriate to your network and the gateway IP address if applicable.
Trusted Host If you enter a trusted host, your ZyXEL Device will only respond to SNMP messages from this address. A blank (default) field means your ZyXEL Device will respond to all SNMP messages it receives, regardless of source.
Page 228
Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. ZyXEL NWA-3500 User’s Guide...
H A P T E R System Password This chapter describes how to configure the ZyXEL Device’s system password. 22.1 System Password You can configure the system password in this menu. Figure 153 Menu 23 System Security Menu 23 - System Security 1.
Page 230
Chapter 22 System Password ZyXEL NWA-3500 User’s Guide...
The first selection, System Status gives you information on the status and statistics of the ports, as shown next. System Status is a tool that can be used to monitor your ZyXEL Device. Specifically, it gives you information on your Ethernet and Wireless LAN status, and the number of packets sent and received.
This shows the DHCP setting (None or Client) for the port. System Up Time This is the time the ZyXEL Device is up and running from the last reboot. ZyNOS F/W Version Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation.
1. System Information 2. Console Port Speed Please enter selection: The ZyXEL Device also has an internal console port for support personnel only. Do not open the ZyXEL Device as it will void your warranty. 23.2.1 System Information Enter “1” in menu 24.2 to display the screen shown next.
Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: After you changed your ZyXEL Device’s console port speed, you must also make the same change to the console port speed parameter of your communication software. 23.3 Log and Trace Your ZyXEL Device provides error logs and trace records that are stored locally.
3 Enter 1 from Menu 24.3 – System Maintenance – Log and Trace and press [ENTER] twice to display the error log in the system. After the ZyXEL Device finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
Chapter 23 System Information and Diagnosis The following table describes the diagnostic tests available in menu 24.4 for your ZyXEL Device and the connections. Table 86 Menu 24.4 System Maintenance Menu: Diagnostic FIELD DESCRIPTION Ping Host Ping the host to see if the links and TCP/IP protocol on both systems are working.
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password and TCP/IP Setup, etc. It arrives from ZyXEL with a rom filename extension. Once you have customized the ZyXEL Device's settings, they can be saved back to your computer under a filename of your choosing.
The following table is a summary. Please note that the internal filename refers to the filename on the ZyXEL Device and the external filename refers to the filename not on the ZyXEL Device, that is, on your computer, local network or FTP site and so the name (but not the extension) will vary.
To use TFTP, your computer must have both telnet and TFTP clients. To backup the configuration file, follow the procedure shown next: 1 Use telnet from your computer to connect to the ZyXEL Device and log in. Because TFTP does not have any security checks, the ZyXEL Device records the IP address of the telnet client and accepts TFTP requests only from this address.
“i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyXEL Device IP address, “get” transfers the file source on the ZyXEL Device (rom-0 name of the configuration file on the ZyXEL Device) to the file destination on the computer and renames it config.rom.
4 Enter “root” and your SMT password as requested. The default is 1234. 5 Enter “bin” to set transfer mode to binary. 6 Use “put” to transfer files from the computer to the ZyXEL Device for example “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the ZyXEL Device and renames it “ras”.
TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use “get” to transfer from the ZyXEL Device to the computer, “put” the other way around, and “binary” to set binary transfer mode.
Enter the CI from the SMT by selecting menu 24.8. See the included disk or the zyxel.com web site for more detailed information on CI commands. Enter 8 from Menu 24 – System Maintenance. A list of valid commands can be found by typing help or ? at the command prompt.
25.2 Time and Date Setting The ZyXEL Device keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyXEL Device.
The ZyXEL Device resets the time in three instances: 1 On leaving menu 24.10 after making changes. 2 When the ZyXEL Device starts up, if there is a timeserver configured in menu 24.10. 3 24-hour intervals after starting. 25.3 Remote Management Setup 25.3.1 Telnet...
Chapter 25 System Maintenance and Information Figure 167 Telnet Configuration on a TCP/IP Network 25.3.2 FTP You can upload and download ZyXEL Device firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 25.3.3 Web You can use the ZyXEL Device’s embedded web configurator for configuration and file...
LAN only, WAN only, All or Disable. The default is LAN only. Secured Client IP The default 0.0.0.0 allows any client to use this service to remotely manage the ZyXEL Device. Enter an IP address to restrict access to a client with a matching IP address. Certificate This field displays the name used to identify this certificate.
There is a system timeout of five minutes (300 seconds) for Telnet/web/FTP connections. Your ZyXEL Device will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
Page 250
Chapter 25 System Maintenance and Information ZyXEL NWA-3500 User’s Guide...
1 Make sure you are using the power adaptor or cord included with the ZyXEL Device. 2 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure the power source is turned on.
Page 252
Section 26.1 on page 251. 4 Make sure your computer is in the same subnet as the ZyXEL Device. (If you know that there are routers between your computer and the ZyXEL Device, skip this step.) • If there is no DHCP server on your network, make sure your computer’s IP address is in the same subnet as the ZyXEL Device.
Page 253
2 You cannot log in to the web configurator while someone is using the SMT or Telnet to access the ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person who is logged in to log out.
Internet, especially peer-to-peer applications. 2 Check the signal strength. If the signal is weak, try moving the ZyXEL Device closer to the AP (if possible), and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on).
Appendices and Index Product Specifications (257) Power over Ethernet (PoE) Specifications (259) Power Adaptor Specifications (261) Setting up Your Computer’s IP Address (263) Wireless LANs (275) Pop-up Windows, JavaScripts and Java Permissions (289) IP Addresses and Subnetting (295) Text File Based Auto Configuration (303) Legal Information (311) Customer Support (315) Index (319)
SMA antenna connectors, equipped by default with 2dBi omni antenna, 60° When facing the front of the ZyXEL Device, the antenna on the right is used by wireless LAN adaptor WLAN1, and the antenna on the left is used by wireless LAN adaptor WLAN2.
Page 258
Appendix A Product Specifications Table 94 Firmware Specifications Multiple BSSID (MBSSID) MBSSID mode allows the ZyXEL Device to operate up to 8 different wireless networks (BSSs) simultaneously, each with independently- configurable wireless and security settings. Rogue AP detection Rogue AP detection detects and logs unknown access points (APs) operating in the area.
Table 96 Power over Ethernet Injector RJ-45 Port Pin Assignments RJ-45 SIGNAL PIN NO ASSIGNMENT Output Transmit Data + Output Transmit Data - 1 2 3 4 5 6 7 8 Receive Data + Power + Power + Receive Data - Power - Power - ZyXEL NWA-3500 User’s Guide...
Page 260
Appendix B Power over Ethernet (PoE) Specifications ZyXEL NWA-3500 User’s Guide...
AC Power Adaptor Model ADS6818-1812-A 1215 Input Power 100~240 Volts AC, 50~60 Hz, 0.5 A Output Power 12 Volts DC, 1.5 A, 18 W Power Consumption 6 W Max Safety Standards DOFT (AS/NZS 60950, AS/NZSB 3112:1-2) ZyXEL NWA-3500 User’s Guide...
Page 262
Appendix C Power Adaptor Specifications ZyXEL NWA-3500 User’s Guide...
After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device’s LAN port. Windows 95/98/Me...
2 Select Client and then click Add. 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. ZyXEL NWA-3500 User’s Guide...
• If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in). ZyXEL NWA-3500 User’s Guide...
5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your ZyXEL Device and restart your computer when prompted. Verifying Settings 1 Click Start and then Run.
Figure 172 Windows XP: Start Menu 2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 173 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. ZyXEL NWA-3500 User’s Guide...
• If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced. ZyXEL NWA-3500 User’s Guide...
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. ZyXEL NWA-3500 User’s Guide...
8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click OK to close the Local Area Connection Properties window. 10 Turn on your ZyXEL Device and restart your computer (if prompted). Verifying Settings 1 Click Start, All Programs, Accessories and then Command Prompt.
2 Select Ethernet built-in from the Connect via list. Figure 179 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: • From the Configure box, select Manually. ZyXEL NWA-3500 User’s Guide...
• Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Close the TCP/IP Control Panel.
• Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Click Apply Now and close the window.
Page 274
Appendix D Setting up Your Computer’s IP Address ZyXEL NWA-3500 User’s Guide...
A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. ZyXEL NWA-3500 User’s Guide...
An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. ZyXEL NWA-3500 User’s Guide...
(AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. ZyXEL NWA-3500 User’s Guide...
AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. ZyXEL NWA-3500 User’s Guide...
5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. ZyXEL NWA-3500 User’s Guide...
Appendix E Wireless LANs Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.
EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. . ZyXEL NWA-3500 User’s Guide...
Page 282
However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. ZyXEL NWA-3500 User’s Guide...
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. ZyXEL NWA-3500 User’s Guide...
Page 284
AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. ZyXEL NWA-3500 User’s Guide...
2 The AP checks each wireless client's password and (only) allows it to join the network if the password matches. 3 The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key). ZyXEL NWA-3500 User’s Guide...
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. ZyXEL NWA-3500 User’s Guide...
In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. ZyXEL NWA-3500 User’s Guide...
Page 288
For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. ZyXEL NWA-3500 User’s Guide...
1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 188 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy. ZyXEL NWA-3500 User’s Guide...
Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings…to open the Pop-up Blocker Settings screen. ZyXEL NWA-3500 User’s Guide...
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 191 Pop-up Blocker Settings ZyXEL NWA-3500 User’s Guide...
3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window. ZyXEL NWA-3500 User’s Guide...
2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window. Figure 194 Security Settings - Java ZyXEL NWA-3500 User’s Guide...
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 195 Java (Sun) ZyXEL NWA-3500 User’s Guide...
Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. ZyXEL NWA-3500 User’s Guide...
Subnet masks can be referred to by the size of the network number part (the bits with a “1” value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes. ZyXEL NWA-3500 User’s Guide...
For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations. Table 108 Alternative Subnet Mask Notation ALTERNATIVE LAST OCTET LAST OCTET SUBNET MASK NOTATION (BINARY) (DECIMAL) 255.255.255.0 0000 0000 255.255.255.128 1000 0000 ZyXEL NWA-3500 User’s Guide...
The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub- networks, A and B. ZyXEL NWA-3500 User’s Guide...
Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 113 Eight Subnets SUBNET LAST BROADCAST SUBNET FIRST ADDRESS ADDRESS ADDRESS ADDRESS ZyXEL NWA-3500 User’s Guide...
You must also enable Network Address Translation (NAT) on the ZyXEL Device. Once you have decided on the network number, pick an IP address for your ZyXEL Device that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.
You can have a different configuration file for each AP. You can also have multiple APs use the same configuration file. ZyXEL NWA-3500 User’s Guide...
Use the following procedure to have the AP download the configuration file. Table 118 Configuration via SNMP STEPS MIB VARIABLE VALUE Step 1 pwTftpServer Set the IP address of the TFTP server. Step 2 pwTftpFileName Set the file name, for example, g3000hcfg.txt. ZyXEL NWA-3500 User’s Guide...
You can only use the commands in the configuration file. The AP ignores wlan wcfg other ZyNOS commands but continues to check the next command. The AP ignores any improperly formatted commands and continues to check the next line. ZyXEL NWA-3500 User’s Guide...
Remember that the commands are applied in order. So for example, you would place the commands that create security and SSID profiles before the commands that tell the AP to use those profiles. ZyXEL NWA-3500 User’s Guide...
Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
Page 312
This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada. ZyXEL NWA-3500 User’s Guide...
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Page 314
Appendix I Legal Information ZyXEL NWA-3500 User’s Guide...
Page 322
VLAN diagnostic VoIP 33, 37, 125 log and trace VoIP SSID system information VT100 system status time and date system information system information & diagnosis system maintenance 231, 233, 239, 241, 243, 245 system name ZyXEL NWA-3500 User’s Guide...
Page 323
RADIUS application example WPA with RADIUS application WPA2 33, 283 user authentication vs WPA2-PSK wireless client supplicant with RADIUS application example WPA2-Pre-Shared Key WPA2-PSK 283, 284 application example WPA-PSK 283, 284 application example ZyNOS ZyNOS F/W version ZyXEL NWA-3500 User’s Guide...