Page 1 NWA-3500 802.11a/b/g Wireless Access Point User’s Guide Version 3.60 3/2007 Edition 1 www.zyxel.com...
Page 3: About This User's Guide
About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyXEL Device using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Page 4: Document Conventions
Syntax Conventions • The NWA-3500 may be referred to as the “ZyXEL Device”, the “device” or the “system” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
Page 5 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your device. ZyXEL Device Computer Notebook computer Server DSLAM Firewall Telephone Switch Router...
Page 6: Safety Warnings
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. • The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must all be completely indoors. This product is recyclable. Dispose of it properly. ZyXEL NWA-3500 User’s Guide...
Page 7 Safety Warnings ZyXEL NWA-3500 User’s Guide...
Page 8 Safety Warnings ZyXEL NWA-3500 User’s Guide...
Page 9: Table Of Contents
Contents Overview Contents Overview Introduction ..........................31 Introducing the ZyXEL Device ....................33 Introducing the Web Configurator ....................43 Status Screens .......................... 47 Tutorial ............................51 The Web Configurator ......................79 System Screens ........................81 Wireless Configuration ......................87 Wireless Security Configuration ....................103 MBSSID and SSID ........................119...
Page 10 Contents Overview ZyXEL NWA-3500 User’s Guide...
Page 11: Table Of Contents
1.2.5 Pre-Configured SSID Profiles ..................37 1.2.6 Configuring Dual WLAN Adaptors ................38 1.3 Ways to Manage the ZyXEL Device ..................38 1.4 Good Habits for Managing the ZyXEL Device ..............39 1.5 Hardware Connections ......................39 1.6 LEDs ............................ 40 Chapter 2 Introducing the Web Configurator ..................
Page 12 4.4.6 Checking your Settings and Testing the Configuration ..........76 4.4.6.1 Checking Settings ..................... 76 4.4.6.2 Testing the Configuration .................. 76 Part II: The Web Configurator ............... 79 Chapter 5 System Screens ........................81 5.1 System Overview ......................... 81 5.2 Configuring General Setup ....................81 ZyXEL NWA-3500 User’s Guide...
Page 13 Chapter 7 Wireless Security Configuration ..................103 7.1 Wireless Security Overview ....................103 7.1.1 Encryption ........................ 103 7.1.2 Restricted Access ....................103 7.1.3 Hide Identity ......................103 7.1.4 WEP Encryption ....................... 103 7.2 802.1x Overview ........................ 104 ZyXEL NWA-3500 User’s Guide...
Page 14 9.3.1.1 Layer-2 Isolation Example 1 ................131 9.3.1.2 Layer-2 Isolation Example 2 ................131 9.4 The MAC Filter Screen ...................... 132 9.4.1 Configuring MAC Filtering ..................133 9.5 Configuring Roaming ......................134 9.5.1 Requirements for Roaming ..................135 ZyXEL NWA-3500 User’s Guide...
Page 15 13.2 Internal RADIUS Server Setting ..................157 13.3 Trusted AP Overview ....................... 159 13.4 Configuring Trusted AP ....................160 13.5 Configuring Trusted Users ....................161 Chapter 14 Certificates ..........................163 14.1 Certificates Overview ....................... 163 14.1.1 Advantages of Certificates ..................164 ZyXEL NWA-3500 User’s Guide...
Page 16 15.2 Configuring Log Settings ....................182 15.3 Example Log Messages ....................184 15.4 Log Commands ....................... 185 15.4.1 Configuring What You Want the ZyXEL Device to Log .......... 185 15.4.2 Displaying Logs ...................... 186 15.5 Log Command Example ....................186 Chapter 16 VLAN ............................
Page 17 18.2 Accessing the SMT via the Console Port ................ 217 18.2.1 Initial Screen ......................217 18.2.2 Entering the Password ................... 218 18.3 Connect to your ZyXEL Device Using Telnet ..............219 18.4 Changing the System Password ..................219 18.5 SMT Menu Overview Example ..................220 18.6 Navigating the SMT Interface ..................
Page 18 25.3.4 Remote Management Setup .................. 247 25.3.5 Remote Management Limitations ................249 25.4 System Timeout ....................... 249 Chapter 26 Troubleshooting........................251 26.1 Power, Hardware Connections, and LEDs ..............251 26.2 ZyXEL Device Access and Login ..................251 ZyXEL NWA-3500 User’s Guide...
Page 19 Appendix F Pop-up Windows, JavaScripts and Java Permissions ........289 Appendix G IP Addresses and Subnetting ................295 Appendix H Text File Based Auto Configuration ..............303 Appendix I Legal Information....................311 Appendix J Customer Support ..................... 315 Index............................319 ZyXEL NWA-3500 User’s Guide...
Page 20 Table of Contents ZyXEL NWA-3500 User’s Guide...
Page 21: List Of Figures
Figure 34 Tutorial: Periodic Rogue AP Detection .................. 68 Figure 35 Tutorial: Log Settings ......................69 Figure 36 Tutorial: Example Network ..................... 71 Figure 37 Tutorial: SSID Profile ......................73 Figure 38 Tutorial: SSID Edit ........................74 ZyXEL NWA-3500 User’s Guide...
Page 22 Figure 76 WIRELESS > MAC Filter ...................... 132 Figure 77 MAC Address Filter ......................133 Figure 78 Roaming Example ........................ 135 Figure 79 Roaming ..........................136 Figure 80 IP Setup ..........................138 Figure 81 Rogue AP: Example ......................142 ZyXEL NWA-3500 User’s Guide...
Page 23 Figure 120 Authentication Tab Settings ....................198 Figure 121 Encryption Tab Settings ..................... 198 Figure 122 Connection Attributes Screen .................... 199 Figure 123 RADIUS Attribute Screen ....................199 Figure 124 802 Attribute Setting for Tunnel-Medium-Type ..............200 ZyXEL NWA-3500 User’s Guide...
Page 24 Figure 164 Menu 24 System Maintenance ................... 243 Figure 165 Valid CI Commands ......................244 Figure 166 Menu 24.10 System Maintenance: Time and Date Setting ..........245 Figure 167 Telnet Configuration on a TCP/IP Network ................. 247 ZyXEL NWA-3500 User’s Guide...
Page 25 Figure 201 WEP Configuration File Example ..................306 Figure 202 802.1X Configuration File Example ..................307 Figure 203 WPA-PSK Configuration File Example ................307 Figure 204 WPA Configuration File Example ..................308 Figure 205 Wlan Configuration File Example ..................309 ZyXEL NWA-3500 User’s Guide...
Page 26 List of Figures ZyXEL NWA-3500 User’s Guide...
Page 27: List Of Tables
Table 33 RADIUS ..........................116 Table 34 Wireless: Multiple BSS ......................121 Table 35 SSID ............................123 Table 36 Configuring SSID ........................124 Table 37 WIRELESS > Layer-2 Isolation ..................... 129 Table 38 WIRELESS > Layer-2 Isolation Configuration ..............130 ZyXEL NWA-3500 User’s Guide...
Page 28 Table 76 Firmware Upload ........................209 Table 77 Restore Configuration ......................211 Table 78 SMT Menus Overview ......................220 Table 79 Main Menu Commands ......................221 Table 80 Main Menu Summary ......................222 Table 81 Menu 1 General Setup ......................223 ZyXEL NWA-3500 User’s Guide...
Page 29 Table 117 Manual Configuration ......................304 Table 118 Configuration via SNMP ...................... 304 Table 119 Displaying the File Version ....................305 Table 120 Displaying the File Version ....................305 Table 121 Displaying the Auto Configuration Status ................306 ZyXEL NWA-3500 User’s Guide...
Page 30 List of Tables ZyXEL NWA-3500 User’s Guide...
Page 31: Introduction
Introduction Introducing the ZyXEL Device (33) Introducing the Web Configurator (43) Status Screens (47) Tutorial (51)
Page 33: Introducing The Zyxel Device
H A P T E R Introducing the ZyXEL Device This chapter introduces the main applications and features of the ZyXEL Device. It also introduces the ways you can manage the ZyXEL Device. 1.1 Introducing the ZyXEL Device Your ZyXEL Device extends the range of your existing wired network without additional wiring, providing easy network access to mobile users.
Page 34: Access Point
1.2.1 Access Point The ZyXEL Device is an ideal access solution for wireless Internet connection. A typical Internet access application for your ZyXEL Device is shown as follows. Stations A, B and C can access the wired network through the ZyXEL Devices.
Page 35: Ap + Bridge
Chapter 1 Introducing the ZyXEL Device Figure 2 Bridge Application Figure 3 Repeater Application 1.2.3 AP + Bridge In AP+Bridge mode, the ZyXEL Device supports both AP and bridge connection at the same time. ZyXEL NWA-3500 User’s Guide...
Page 36: Mbssid
In the figure below, A and B use X as an AP to access the wired network, while X and Y communicate in bridge mode. When the ZyXEL Device is in AP + Bridge mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP.
Page 37: Pre-Configured Ssid Profiles
Figure 5 Multiple BSSs 1.2.5 Pre-Configured SSID Profiles The ZyXEL Device has two pre-configured SSID profiles. 1 VoIP_SSID. This profile is intended for use by wireless clients requiring the highest QoS (Quality of Service) level for VoIP (Voice over IP) telephony and other applications requiring low latency.
Page 38: Configuring Dual Wlan Adaptors
The ZyXEL Device is equipped with dual wireless adaptors. This means you can configure two different wireless networks to operate simultaneously. In the following example, the ZyXEL Device (Z) uses WLAN1 in AP+Bridge mode to allow IEEE 802.11b/g APs and clients to communicate with the wired network, and WLAN2 in AP mode to allow IEEE 802.11a clients to access the wired network.
Page 39: Good Habits For Managing The Zyxel Device
Chapter 1 Introducing the ZyXEL Device 1.4 Good Habits for Managing the ZyXEL Device Do the following things regularly to make the ZyXEL Device more secure and to manage it more effectively. • Change the password often. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
Page 40: Leds
Chapter 1 Introducing the ZyXEL Device 1.6 LEDs Figure 7 LEDs Table 1 LEDs LABEL COLOR STATUS DESCRIPTION Green The wireless adaptor WLAN1 is active. Blinking The wireless adaptor WLAN1 is active, and transmitting or receiving data. The wireless adaptor WLAN1 is not active.
Page 41 Flashing The ZyXEL Device is starting up. Either • The ZyXEL Device is in Access Point or MBSSID mode and is functioning normally. • The ZyXEL Device is in AP+Bridge or Bridge/ Repeater mode and has not established a Wireless Distribution System (WDS) connection.
Page 42 Chapter 1 Introducing the ZyXEL Device ZyXEL NWA-3500 User’s Guide...
Page 43: Introducing The Web Configurator
H A P T E R Introducing the Web Configurator This chapter describes how to access the ZyXEL Device’s web configurator and provides an overview of its screens. 2.1 Accessing the Web Configurator 1 Make sure your hardware is properly connected and prepare your computer or computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
Page 44: Resetting The Zyxel Device
Chapter 2 Introducing the Web Configurator Figure 8 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyXEL Device’s MAC address that will be specific to this device. Figure 9 Replace Certificate Screen You should now see the Status screen.
Page 45: Methods Of Restoring Factory-Defaults
Use the web configurator to restore defaults (refer to Chapter 17 on page 205). Transfer the configuration file to your ZyXEL Device using FTP. See the section on SMT configuration for more information. 2.3 Navigating the Web Configurator The following summarizes how to navigate the web configurator from the Status screen.
Page 46 Chapter 2 Introducing the Web Configurator Click MAINTENANCE to view information about your ZyXEL Device or upgrade configuration and firmware files. Maintenance features include Status (Statistics), Association List, Channel Usage, F/W (firmware) Upload, Configuration (Backup, Restore and Default) and Restart.
Page 47: Status Screens
H A P T E R Status Screens The Status screen displays when you log into the ZyXEL Device, or click Status in the navigation menu. Use the Status screens to look at the current status of the device, system resources, interfaces and SSID status.
Page 48: Table 2 The Status Screen
This field displays what percentage of the ZyXEL Device’s volatile memory is currently in use. The higher the memory usage, the more likely the ZyXEL Device is to slow down. Some memory is required just to start the ZyXEL Device and to run the web configurator.
Page 49 Click this to see which wireless channels are currently in use in the local area. See Section 17.4 on page 208. Logs Click this to see a list of logs produced by the ZyXEL Device. See Chapter 15 on page 181. Rogue AP Click this to see a list of unauthorized access points in the local area.
Page 50 Chapter 3 Status Screens ZyXEL NWA-3500 User’s Guide...
Page 51: Tutorial
4.1 How to Configure the Wireless LAN This section shows how to choose which wireless operating mode you should use on the ZyXEL Device, and the steps you should take to set up the wireless LAN in each wireless mode. See Section 4.1.3 on page 54...
Page 52: Wireless Lan Configuration Overview
The following figure shows the steps you should take to configure the wireless settings according to the operating mode you select. Use the Web Configurator to set up your ZyXEL Device’s wireless network (see your Quick Start Guide for information on setting up your ZyXEL Device and accessing the Web Configurator).
Page 53: Figure 12 Configuring Wireless Lan
Configure internal AUTH. SERVER (optional). Configure Layer 2 Configure Layer 2 Isolation (optional). Isolation (optional). Configure Layer 2 Isolation (optional). Configure MAC Filter (optional). Configure MAC Filter (optional). Configure MAC Filter (optional). Check your settings and test. ZyXEL NWA-3500 User’s Guide...
Page 54: Further Reading
4.2 How to Configure Multiple Wireless Networks In this example, you have been using your ZyXEL Device as an access point for your office network (See your Quick Start Guide for information on how to set up your ZyXEL Device in Access Point mode).
Page 55: Change The Operating Mode
Section 2.1 on page 43). Click WIRELESS > Wireless. The Wireless screen appears. In this example, the ZyXEL Device is using WLAN adaptor 1 in Access Point operating mode, and is currently set to use the SSID04 profile. ZyXEL NWA-3500 User’s Guide...
Page 56: Figure 14 Tutorial: Wireless Lan: Before
This Select SSID Profile table allows you to activate or deactivate SSID profiles. Your wireless network was previously using the SSID04 profile, so select SSID04 in one of the Profile list boxes (number 3 in this example). ZyXEL NWA-3500 User’s Guide...
Page 57: Configure The Voip Network
VoIP_SSID and Guest_SSID profiles you will need to set different security profiles. Figure 16 Tutorial: WIRELESS > SSID The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID’s radio button and click Edit. The following screen displays. ZyXEL NWA-3500 User’s Guide...
Page 58: Set Up Security For The Voip Profile
• Leave all the other fields at their defaults and click Apply. 4.2.2.1 Set Up Security for the VoIP Profile Now you need to configure the security settings to use on the VoIP wireless network. Click the Security tab. ZyXEL NWA-3500 User’s Guide...
Page 59: Figure 18 Tutorial: Voip Security
PSK in the Security Mode field. WPA2-PSK provides strong security that anyone with a compatible wireless client can use, once they know the pre-shared key (PSK). Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is “ThisismyWPA2-PSKpre-sharedkey”. ZyXEL NWA-3500 User’s Guide...
Page 60: Activate The Voip Profile
127), and “intra-BSS traffic blocking” means that the client cannot access other clients on the same wireless network (see Section 6.1.1 on page 87). Click WIRELESS > SSID. Select Guest_SSID’s entry in the list and click Edit. The following screen appears. ZyXEL NWA-3500 User’s Guide...
Page 61: Set Up Security For The Guest Profile
You already chose to use the security03 profile for this network, so select security03’s entry in the list and click Edit. The following screen appears. Figure 23 Tutorial: Guest Security Profile Edit • Change the Name field to “Guest_Security” to make it easier to remember and identify. ZyXEL NWA-3500 User’s Guide...
Page 62: Set Up Layer 2 Isolation
Click WIRELESS > Layer-2 Isolation. The following screen appears. Figure 25 Tutorial: Layer 2 Isolation The Guest_SSID network uses the l2isolation01 profile by default, so select its entry and click Edit. The following screen displays. ZyXEL NWA-3500 User’s Guide...
Page 63: Activate The Guest Profile
Guest_SSID network, but not the VoIP_SSID network. If you can see the VoIP_SSID network, go to its SSID Edit screen and make sure Hide Name (SSID) is set to Enable. Whether or not you see the standard network’s SSID (SSID04) depends on whether “hide SSID” is enabled. ZyXEL NWA-3500 User’s Guide...
Page 64: How To Set Up And Use Rogue Ap Detection
Device. A rogue AP is a wireless access point operating in a network’s coverage area that is not a sanctioned part of that network. The example also shows how to set the ZyXEL Device to send out e-mail alerts whenever it detects a rogue wireless access point. See...
Page 65: Figure 28 Tutorial: Wireless Network Example
This means that one or more of your APs can detect the AP (1) in the other wireless network. When configuring the rogue AP feature on your ZyXEL Devices in this example, you will need to use the information in the following table. You need the IP addresses of your APs to access their Web configurators, and you need the MAC address of each AP to configure the friendly AP list.
Page 66: Set Up And Save A Friendly Ap List
Chapter 4 Tutorial The ZyXEL Device can detect the MAC addresses of APs automatically. However, it is more secure to obtain the correct MAC addresses from another source and add them to the friendly AP list manually. For example, an attacker’s AP mimicking the correct SSID could be placed on the friendly AP list by accident, if selected from the list of auto-detected APs.
Page 67: Figure 30 Tutorial: Friendly Ap (After Data Entry)
3 Next, you will save the list of friendly APs in order to provide a backup and upload it to your other access points. Click the Configuration tab.The following screen appears. Figure 31 Tutorial: Configuration 4 Click Export. If a window similar to the following appears, click Save. ZyXEL NWA-3500 User’s Guide...
Page 68: Activate Periodic Rogue Ap Detection
Figure 33 Tutorial: Save Friendly AP list 4.3.2 Activate Periodic Rogue AP Detection Take the following steps to activate rogue AP detection on the first of your ZyXEL Devices. 1 In the ROGUE AP > Configuration screen, select Yes from the Activate Rogue AP Period Detection field.
Page 69: Set Up E-Mail Logs
Chapter 4 Tutorial 2 In the Period (min.) field, enter how often you want the ZyXEL Device to scan for rogue APs. You can have the ZyXEL Device scan anywhere from once every ten minutes to once every hour. In this example, enter “10”.
Page 70: Configure Your Other Access Points
AP alert, email alerts are correctly configured on that ZyXEL Device. • If you have another access point that is not used in your network, make a note of its MAC address and set it up next to each of your ZyXEL Devices in turn while the network is running.
Page 71: Using Multiple Mac Filters And L-2 Isolation Profiles
1 (but should not access server 2) and wireless user “Bob” (B) needs to access server 2 (but should not access server 1). Your ZyXEL Device is marked Z. C is a workstation on your wired network, D is your main network switch, and E is the security gateway you use to connect to the Internet.
Page 72: Setup
Chapter 4 Tutorial 4.4.3 Setup In this example, you have already set up the ZyXEL Device in MBSSID mode (see Chapter 8 on page 119). It uses two SSID profiles simultaneously. You have configured each SSID profile as shown in the following table.
Page 73: Configure The Server_1 Network
Internet security gateway. Take the following steps to configure the SERVER_1 network. 1 Log into the ZyXEL Device’s Web Configurator and click WIRELESS > SSID. The following screen displays, showing the SSID profiles you already configured. Figure 37 Tutorial: SSID Profile 2 Select SERVER_1’s entry and click Edit.
Page 74: Figure 38 Tutorial: Ssid Edit
Enter the MAC address of the device Alice uses to connect to the network in Set 1’s MAC Address field and enter her name in the Description field, as shown in the following figure. Change the Profile Name to “MacFilter_SERVER_1”. Select Allow Association from the Filter Action field and click Apply. ZyXEL NWA-3500 User’s Guide...
Page 75: Configure The Server_2 Network
Set 1 MAC Address: 77:66:55:44:33:22 Description: NET_ROUTER Set 2 MAC Address: 99:88:77:66:55:44 Description: SERVER_2 Set 3 MAC Address: 66:55:44:33:22:11 Description: GATEWAY MAC Filter (macfilter04) Edit Screen Profile Name MacFilter_SERVER_2 Set 1 MAC Address: 22:33:44:55:66:77 Description: Bob ZyXEL NWA-3500 User’s Guide...
Page 76: Checking Your Settings And Testing The Configuration
Use the following sections to ensure that your wireless networks are set up correctly. 4.4.6.1 Checking Settings Take the following steps to check that the ZyXEL Device is using the correct SSIDs, MAC filters and layer-2 isolation profiles. 1 Click WIRELESS > Wireless. Check that the Operating Mode is MBSSID and that the correct SSID profiles are selected and activated, as shown in the following figure.
Page 77 If you cannot do something that you should be able to do, check the settings as described in Section 4.4.6.1 on page 76, and in the individual Security, layer-2 isolation and MAC filter profiles for the relevant network. If this does not help, see the Troubleshooting chapter in this User’s Guide. ZyXEL NWA-3500 User’s Guide...
Page 78 Chapter 4 Tutorial ZyXEL NWA-3500 User’s Guide...
Page 79: The Web Configurator
The Web Configurator System Screens (81) Wireless Configuration (87) Wireless Security Configuration (103) MBSSID and SSID (119) Other Wireless Configuration (127) IP Screen (137) Rogue AP (141) Remote Management Screens (147) Internal RADIUS Server (157) Certificates (163) Log Screens (181) VLAN (187) Maintenance (205)
Page 81: System Screens
DESCRIPTION General Setup System Name Type a descriptive name to identify the ZyXEL Device in the Ethernet network. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Page 82: Administrator Authentication On Radius
It is strongly recommended that you change your ZyXEL Device’s password. Click SYSTEM > Password. The screen appears as shown. If you forget your ZyXEL Device’s password (or IP address), you will need to reset the device. See the section on resetting the ZyXEL Device for details Regardless of how you configure this screen, you still use the local system password to log in via the console port (not available on all models).
Page 83: Figure 44 System > Password
Enable Admin at Local Select this check box to have the device authenticate management logins to the device. Use old setting Select this to have the ZyXEL Device use the local management password already configured on the device (“1234” is the default). Use new setting Select this if you want to change the local management password.
Page 84: Configuring Time Setting
5.4 Configuring Time Setting To change your ZyXEL Device’s time and date, click SYSTEM > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device’s time based on your local time zone. Figure 45 SYSTEM > Time Setting...
Page 85: Table 12 System > Time Setting
When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server you specify below. Auto Select this to have the ZyXEL Device use the predefined list of time servers.
Page 86: Pre-Defined Ntp Time Servers List
Click Reset to reload the previous configuration for this screen. 5.5 Pre-defined NTP Time Servers List When you turn on the ZyXEL Device for the first time, the date and time start at 2000-01-01 00:00:00. When you select Auto in the SYSTEM > Time Setting screen, the ZyXEL Device then attempts to synchronize with one of the following pre-defined list of NTP time servers.
Page 87: Wireless Configuration
H A P T E R Wireless Configuration This chapter discusses how to configure the Wireless screens on the ZyXEL Device. 6.1 Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios. 6.1.1 BSS A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
Page 88: Ess
See the Wireless LANs Appendix for information on the following: • Wireless LAN Topologies • Channel • RTS/CTS • Fragmentation Threshold • IEEE 802.1x • RADIUS • Types of Authentication • WPA • Security Parameters Summary ZyXEL NWA-3500 User’s Guide...
Page 89: Quality Of Service
The ZyXEL Device uses WMM QoS to prioritize traffic streams according to the IEEE 802.1q or DSCP information in each packet’s header. The ZyXEL Device automatically determines the priority to use for an individual traffic stream.
Page 90: Atc+Wmm
WMM QoS settings. 6.3.3 ATC+WMM The ZyXEL Device can use a mapping mechanism to use both ATC and WMM QoS. The ATC+WMM function prioritizes all packets transmitted onto the wireless network using WMM QoS, and prioritizes all packets transmitted onto the wired network using ATC. See Section 8.2.2 on page 123...
Page 91: Atc+Wmm From Wlan To Lan
Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the ZyXEL Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.
Page 92: Tos (Type Of Service) And Wmm Qos
DSCP value in order to make the best use of WMM QoS. A Voice over IP (VoIP) device for example may allow you to define the DSCP value. The following table lists which WMM QoS priority level the ZyXEL Device uses for specific DSCP values.
Page 93: Stp Terminology
BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology. ZyXEL NWA-3500 User’s Guide...
Page 94: Stp Port States
6.6 Wireless Screen Overview The following is a list of the wireless screens you can configure on the ZyXEL Device. 1 Configure the ZyXEL Device to operate in AP, AP+Bridge, Bridge/Repeater or MBSSID mode in the Wireless screen. You can also select an SSID Profile in the Wireless screen.
Page 95: Configuring Wireless Settings
Set the operating frequency/channel depending on your particular region. Channel ID To manually set the ZyXEL Device to use a channel, select a channel from the drop- down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
Page 96 256 and 2346. Output Power Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power of the ZyXEL Device to reduce interference with other APs. Select one of the following 100%(Full Power), 50%, 25%, 12.5% or Minimum.
Page 97: Bridge/Repeater Mode
LAN 2. Figure 50 Bridging Example Be careful to avoid bridge loops when you enable bridging in the ZyXEL Device. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem: •...
Page 98: Figure 51 Bridge Loop: Two Bridges Connected To Hub
Figure 52 Bridge Loop: Bridge Connected to Wired LAN To prevent bridge loops, ensure that you enable STP in the Wireless screen or your ZyXEL Device is not set to bridge mode while connected to both wired and wireless segments of the same LAN.
Page 99: Figure 53 Wireless: Bridge/Repeater
Choose Channel ID Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
Page 100 256 and 2346. Output Power Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power of the ZyXEL Device to reduce interference with other APs.
Page 101: Ap+Bridge Mode
6.7.3 AP+Bridge Mode Select AP+Bridge as the Operating Mode in the WIRELESS > Wireless screen to have the ZyXEL Device function as a bridge and access point simultaneously. See the section on applications for more information. Figure 54 Wireless: AP+Bridge See the tables describing the fields in the Access Point and Bridge/Repeater operating modes for descriptions of the fields in this screen.
Page 102 Chapter 6 Wireless Configuration ZyXEL NWA-3500 User’s Guide...
Page 103: Wireless Security Configuration
(Allow Association) or exclude them from accessing the AP (Deny Association). 7.1.3 Hide Identity If you hide the SSID, then the ZyXEL Device cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of “hiding” the ZyXEL Device may be inconvenience for some valid WLAN clients.
Page 104: Overview
Chapter 7 Wireless Security Configuration Your ZyXEL Device allows you to configure up to four 64-bit, 128-bit or 152-bit WEP keys but only one key can be enabled at any one time. 7.2 802.1x Overview The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management.
Page 105: User Authentication
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols). 2 The AP checks each wireless client's password and allows it to join the network only if the password matches. ZyXEL NWA-3500 User’s Guide...
Page 106: Wpa(2) With External Radius Application Example
3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. ZyXEL NWA-3500 User’s Guide...
Page 107: Security Modes
Select this to use either WPA2 or WPA depending on which security mode the wireless client uses. WPA2-PSK Select this to use WPA2 with a pre-shared key. WPA2-PSK-MIX Select this to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses. ZyXEL NWA-3500 User’s Guide...
Page 108: Wireless Client Wpa Supplicants
Wi-Fi Protected Access (WPA) Most Secure WPA2 If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device within range. 7.9 Configuring Security The following screens are configurable only in Access Point, AP+Bridge and MBSSID operating modes only.
Page 109: Security: Wep
Select an entry from the list and click Edit to configure security settings for that profile. The next screen varies according to the Security Mode you select. 7.9.1 Security: WEP Select WEP in the Security Mode field to display the following screen. ZyXEL NWA-3500 User’s Guide...
Page 110: Security: 802.1X Only
Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically. Key 1 to The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. Key 4 If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F").
Page 111: Security: 802.1X Static 64-Bit, 802.1X Static 128-Bit
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed.
Page 112: Figure 61 Security: 802.1X Static 64-Bit, 802.1X Static 128-Bit
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed.
Page 113: Security: Wpa
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed.
Page 114: Figure 63 Security:wpa2 Or Wpa2-Mix
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.
Page 115: Security: Wpa-Psk, Wpa2-Psk, Wpa2-Psk-Mix
RADIUS server has priority. Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.
Page 116: Introduction To Radius
These profiles can be assigned to an SSID profile in the SSID configuration screen To set up your ZyXEL Device’s RADIUS server settings, click WIRELESS > RADIUS. The screen appears as shown. Figure 65 RADIUS The following table describes the labels in this screen.
Page 117 ZyXEL Device. The key must be the same on the external authentication server and your ZyXEL Device. The key is not sent over the network. This field is not available when you select Internal.
Page 118 Chapter 7 Wireless Security Configuration ZyXEL NWA-3500 User’s Guide...
Page 119: Mbssid And Ssid
H A P T E R MBSSID and SSID This chapter describes how to configure and use your ZyXEL Device’s MBSSID mode and configure SSID profiles. 8.1 Wireless LAN Infrastructures See the Wireless LAN chapter for some basic WLAN scenarios and terminology.
Page 120: Configuring Multiple Bsss
Figure 66 Multiple BSS with VLAN Example 8.1.5 Configuring Multiple BSSs Click WIRELESS > Wireless and select MBSSID in the Operating Mode drop-down list box to display the screen as shown. Figure 67 Wireless: Multiple BSS ZyXEL NWA-3500 User’s Guide...
Page 121: Table 34 Wireless: Multiple Bss
256 and 2346. Output Power Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs. Select one of the following 100%(Full Power), 50%, 25%, 12.5% or Minimum.
Page 122: Ssid
The blue ZyAIR LED is on when the ZyXEL Device is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyXEL Device is on and data is being transmitted/received.
Page 123: Configuring Ssid
Index This field displays the index number of each SSID profile. Name This field displays the identification name of each SSID profile on the ZyXEL Device. SSID This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.
Page 124: Figure 69 Configuring Ssid
Hide Name (SSID) Select Disable if you want the ZyXEL Device to broadcast this SSID (a wireless client scanning for an AP will find this SSID). Alternatively, select Enable to have the ZyXEL Device hide this SSID (a wireless client scanning for an AP will not find this SSID).
Page 125 WMM_BACKGROUND, the ZyXEL Device applies that QoS setting to all of that SSID’s traffic. • If you select NONE, the ZyXEL Device applies no priority to traffic on this SSID. Note: When you configure an SSID profile’s QoS settings, the ZyXEL Device applies the same QoS setting to all of the profile’s traffic.
Page 126 Chapter 8 MBSSID and SSID ZyXEL NWA-3500 User’s Guide...
Page 127: Other Wireless Configuration
APs, computers or routers in a network. In the following example, layer-2 isolation is enabled on the ZyXEL Device (Z, in the figure) to allow a guest wireless client (A) to access the main network router (B). The router provides access to the Internet (C) and the network printer (D) while preventing the client from accessing other computers and servers on the network.
Page 128: The Layer-2 Isolation Screen
MAC addresses that are not listed in the Allow devices with these MAC addresses table are blocked from communicating with the ZyXEL Device’s wireless clients except for broadcast packets. Layer-2 isolation does not check the traffic between wireless clients that are associated with the same AP.
Page 129: Configuring Layer-2 Isolation
If layer-2 isolation is enabled, you need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the ZyXEL Device's wireless clients. ZyXEL NWA-3500 User’s Guide...
Page 130: Layer-2 Isolation Examples
Type a name to identify this device. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. 9.3.1 Layer-2 Isolation Examples The following section shows you example layer-2 isolation configurations on the ZyXEL Device (A). ZyXEL NWA-3500 User’s Guide...
Page 131: Layer-2 Isolation Example 1
In the following example wireless clients 1 and 2 can communicate with access point B and file server C but not wireless client 3. • Enter the server’s and your ZyXEL Device’s MAC addresses in the MAC Address fields. Enter “File Server C” in C’s Description field, and enter “Access Point B” in B’s Description field.
Page 132: The Mac Filter Screen
Figure 75 Layer-2 Isolation Example 2 9.4 The MAC Filter Screen The MAC filter function allows you to configure the ZyXEL Device to give exclusive access to devices (Allow Association) or exclude devices from accessing the ZyXEL Device (Deny Association).
Page 133: Configuring Mac Filtering
Select an entry from the list and click Edit to configure settings for that profile. 9.4.1 Configuring MAC Filtering To change your ZyXEL Device’s MAC filter settings, click WIRELESS > MAC Filter > Edit. The screen appears as shown. Figure 77 MAC Address Filter...
Page 134: Configuring Roaming
(bridge tables are updated) and maximum AP efficiency. The AP deletes records of wireless stations that associate with other APs (Non-ZyXEL APs may not be able to perform this). 802.1x authentication information is not exchanged (at the time of writing).
Page 135: Requirements For Roaming
5 The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment. To enable roaming on your ZyXEL Device, click WIRELESS > Wireless. The screen appears as shown.
Page 136: Figure 79 Roaming
Chapter 9 Other Wireless Configuration Figure 79 Roaming Select the Roaming Active check box and click Apply. ZyXEL NWA-3500 User’s Guide...
Page 137: Ip Screen
IP Screen This chapter discusses how to configure IP on the ZyXEL Device. 10.1 Factory Ethernet Defaults The Ethernet parameters of the ZyXEL Device are preset in the factory with the following values: 1 IP address of 192.168.1.2 2 Subnet mask of 255.255.255.0 (24 bits) These parameters should work for the majority of installations.
Page 138: Configuring Ip
ZyXEL Device (by the DHCP server) to access the ZyXEL Device again. Use fixed IP address Select this option if your ZyXEL Device is using a static IP address. When you select this option, fill in the fields below. IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation.
Page 139 Chapter 10 IP Screen Table 42 IP Setup LABEL DESCRIPTION Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. ZyXEL NWA-3500 User’s Guide...
Page 140 Chapter 10 IP Screen ZyXEL NWA-3500 User’s Guide...
Page 141: Rogue Ap
H A P T E R Rogue AP This chapter discusses rogue wireless access points (APs) and how to configure the ZyXEL Device’s rogue AP detection feature. 11.1 Rogue AP Introduction A rogue AP is a wireless access point operating in a network’s coverage area that is not a sanctioned part of that network.
Page 142: Honeypot" Attack
This scenario can also be part of a wireless denial of service (DoS) attack, in which associated wireless clients are deprived of network access. Other opportunities for the attacker include the introduction of malware (malicious software) into the network. ZyXEL NWA-3500 User’s Guide...
Page 143: Configuring Rogue Ap Detection
You can choose to scan for rogue APs manually, or to have the ZyXEL Device scan automatically at pre-defined intervals. You can also set the ZyXEL Device to email you immediately when a rogue AP is detected (see Chapter 15 on page 181 for information on how to set up email logs).
Page 144: Rogue Ap: Friendly Ap
Select No to turn rogue AP detection off. Period (min.) Enter the period you want the ZyXEL Device to wait between scanning for rogue APs (between 10 and 60 minutes). You must also select Yes in the Active Rogue AP Period Detection field.
Page 145: Rogue Ap List
Device’s coverage area, except for the ZyXEL Device itself and the access points included in the friendly AP list (see Section 11.3.2 on page 144). You can set how often you want the ZyXEL Device to scan for rogue APs in the ROGUE AP > Configuration screen (see Section 11.3.1 on page 143).
Page 146: Figure 85 Rogue Ap > Rogue Ap
Table 45 ROGUE AP > Rogue AP LABEL DESCRIPTION Rogue AP List This displays details of access points in the ZyXEL Device’s coverage area that are not listed in the friendly AP list (see Section 11.3.2 on page 144) Refresh Click this button to have the ZyXEL Device scan for rogue APs.
Page 147: Remote Management Screens
To disable remote management of a service, select Disable in the corresponding Server Access field. You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts.
Page 148: Configuring Telnet
12.2 Configuring Telnet You can configure your ZyXEL Device for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the ZyXEL Device. Figure 86 Telnet Configuration on a TCP/IP Network Click REMOTE MGNT tab to display the TELNET screen as shown.
Page 149: Configuring Ftp
ZyXEL Device using this service. Address Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Page 150: Configuring Www
ZyXEL Device by sending the ZyXEL Device a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyXEL Device (see the appendix on importing certificates for details).
Page 151: Snmp
The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the ZyXEL Device, for example 8443, then you must notify people who need to access the ZyXEL Device web configurator to use "https://ZyXEL Device IP Address:8443"...
Page 152: Supported Mibs
• Trap - Used by the agent to inform the manager of some events. 12.5.1 Supported MIBs The ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215 as well as the proprietary ZyXEL private MIB. The purpose of the MIBs is to let administrators collect statistical data and monitor status and performance.
Page 153: Snmp Traps
Chapter 12 Remote Management Screens 12.5.2 SNMP Traps The ZyXEL Device can send the following traps to the SNMP manager. Table 50 SNMP Traps OBJECT IDENTIFIER # TRAP NAME DESCRIPTION (OID) Generic Traps coldStart 1.3.6.1.6.3.1.1.5.1 This trap is sent after booting (power on). This trap is defined in RFC-1215.
Page 154: Configuring Snmp
Address ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Page 155 Chapter 12 Remote Management Screens Table 52 Remote Management: SNMP LABEL DESCRIPTION Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. ZyXEL NWA-3500 User’s Guide...
Page 156 Chapter 12 Remote Management Screens ZyXEL NWA-3500 User’s Guide...
Page 157: Internal Radius Server
The ZyXEL Device has a built-in RADIUS server that can authenticate wireless clients or other trusted APs. The ZyXEL Device can function as an AP and as a RADIUS server at the same time. PEAP (Protected EAP) and MD5 authentication is implemented on the internal RADIUS server using simple username and password methods over a secure TLS connection.
Page 158: Figure 92 Internal Radius Server Setting Screen
LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device use its internal RADIUS server to authenticate wireless clients or other APs. This field displays the certificate index number. The certificates are listed in alphabetical order. Use the CERTIFICATES screens to manage certificates. The internal RADIUS server uses one of the certificates listed in this screen to authenticate each wireless client.
Page 159: Trusted Ap Overview
Click Reset to start configuring this screen afresh. 13.3 Trusted AP Overview A trusted AP is an AP that uses the ZyXEL Device’s internal RADIUS server to authenticate its wireless clients. Each wireless client must have a user name and password configured in the AUTH.
Page 160: Configuring Trusted Ap
2 Configure wireless client user names and passwords in the Trusted Users database to use a trusted AP as a relay between the ZyXEL Device’s internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the ZyXEL Device’s internal RADIUS server.
Page 161: Configuring Trusted Users
AP and the ZyXEL Device. The key is not sent over the network. This key must be the same on the AP and the ZyXEL Device. Both the ZyXEL Device’s IP address and this shared secret must also be configured in the “external RADIUS”...
Page 162: Figure 95 Trusted Users Screen
The password on the wireless client’s utility must be the same as this password. Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. ZyXEL NWA-3500 User’s Guide...
Page 163: Certificates
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.
Page 164: Advantages Of Certificates
14.2 Self-signed Certificates You can have the ZyXEL Device act as a certification authority and sign its own certificates. 14.3 Verifying a Certificate Before you import a trusted CA certificate into the ZyXEL Device, you should verify that you have the actual certificate.
Page 165: Configuration Summary
Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Devices’ CA-signed certificates. Use the Trusted CA screens to save CA certificates to the ZyXEL Device. 14.5 My Certificates Click CERTIFICATES > My Certificates to open the ZyXEL Device’s summary list of certificates and certification requests.
Page 166: Figure 98 My Certificates
LABEL DESCRIPTION PKI Storage This bar displays the percentage of the ZyXEL Device’s PKI storage space that is Space in Use currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Page 167: Certificate File Formats
Note that subsequent certificates move up by one when you take this action Create Click Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request. Import Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyXEL Device.
Page 168: Importing A Certificate
Import screen. Follow the instructions in this screen to save an existing certificate to the ZyXEL Device. You can import only a certificate that matches a corresponding certification request that was generated by the ZyXEL Device. The certificate you import replaces the corresponding request in the My Certificates screen.
Page 169: Creating A Certificate
Click CERTIFICATES > My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyXEL Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request, see the following figure.
Page 170 Select Create a certification request and save it locally for later manual request and save it enrollment to have the ZyXEL Device generate and store a request for a locally for later certificate. Use the My Certificate Details screen to view the certification manual enrollment request and copy it to send to the certification authority.
Page 171: My Certificate Details
In the case of a self-signed certificate, you can set it to be the one that the ZyXEL Device uses to sign the trusted remote host certificates that you import to the ZyXEL Device.
Page 172: Figure 101 My Certificate Details
31 characters to identify this certificate. You may use any character (not including spaces). Property Select this check box to have the ZyXEL Device use this certificate to sign the Default self-signed trusted remote host certificates that you import to the ZyXEL Device. This check certificate which box is only available with self-signed certificates.
Page 173 If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyXEL Device does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Page 174: Trusted Cas
ZyXEL Device to accept as trusted. The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.
Page 175: Importing A Trusted Ca's Certificate
LABEL DESCRIPTION PKI Storage This bar displays the percentage of the ZyXEL Device’s PKI storage space that is Space in Use currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Page 176: Trusted Ca Certificate Details
Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the ZyXEL Device to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
Page 177: Figure 104 Trusted Ca Details
31 characters to identify this key certificate. You may use any character (not including spaces). Property Select this check box to have the ZyXEL Device check incoming certificates that Check incoming are issued by this certification authority against a Certificate Revocation List certificates issued (CRL).
Page 178 Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative This field displays the certificate’s owner‘s IP address (IP), domain name (DNS)
Page 179 Apply Click Apply to save your changes. You can only change the name and/or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.
Page 180 Chapter 14 Certificates ZyXEL NWA-3500 User’s Guide...
Page 181: Log Screens
15.1 Configuring View Log The web configurator allows you to look at all of the ZyXEL Device’s logs in one location. Click LOGS > View Log. Use the View Log screen to see the logs for the categories that you...
Page 182: Configuring Log Settings
To change your ZyXEL Device’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where and when the ZyXEL Device is to send the logs and which logs and/or immediate alerts it is to send.
Page 183: Table 64 Log Settings
Select the categories of logs that you want to record. Send Immediate Select the categories of alerts for which you want the ZyXEL Device to Alert immediately send e-mail alerts. Apply Click Apply to save your customized settings and exit this screen.
Page 184: Example Log Messages
Redirect Redirect datagrams for the Network Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network Redirect datagrams for the Type of Service and Host ZyXEL NWA-3500 User’s Guide...
Page 185: Log Commands
Use the sys logs save command to store the settings in the ZyXEL Device (you must do this in order to record logs). ZyXEL NWA-3500 User’s Guide...
Page 186: Displaying Logs
Use the sys logs clear command to erase all of the ZyXEL Device’s logs. 15.5 Log Command Example This example shows how to set the ZyXEL Device to record the error logs and alerts and then view the results. ras> sys logs load ras>...
Page 187: Vlan
The Management VLAN ID identifies the “management VLAN”. A device must be a member of this “management VLAN” in order to access and manage the ZyXEL Device. If a device is not a member of this VLAN, then that device cannot manage the ZyXEL Device.
Page 188: Configuring Vlan
The ZyXEL Device allows you to configure VLAN based on SSID profile (wireless VLAN), and / or based on your RADIUS server (RADIUS VLAN). • When you use wireless VLAN, the ZyXEL Device tags all packets from an SSID with the VLAN ID you set in the Wireless VLAN screen.
Page 189: Figure 107 Wireless Vlan
Section 16.2.3 on page 191 for more information. VLAN Mapping Table Use this table to have the ZyXEL Device assign VLAN tags to packets from wireless clients based on the SSID they use to connect to the ZyXEL Device. Index This is the index number of the SSID profile.
Page 190: Radius Vlan
Enter a VLAN ID number from 1 to 4094. Packets coming from the WLAN using this SSID profile are tagged with the VLAN ID number by the ZyXEL Device. Different SSID profiles can use the same or different VLAN IDs. This allows you to split wireless stations into groups using similar VLAN IDs.
Page 191: Configuring Management Vlan Example
This section shows you how to create a VLAN on an Ethernet switch. By default, the port on the ZyXEL Device is a member of the management VLAN (VLAN ID 1). The following procedure shows you how to configure a tagged VLAN.
Page 192: Figure 109 Management Vlan Configuration Example
5 Type a VLAN Group ID. This should be the same as the management VLAN ID on the ZyXEL Device. 6 Enable Tx Tagging on the port which you want to connect to the ZyXEL Device. Disable Tx Tagging on the port you are using to connect to your computer.
Page 193: Figure 112 Vlan-Aware Switch - Vlan Status
Chapter 16 VLAN Figure 112 VLAN-Aware Switch - VLAN Status Follow the instructions in the Quick Start Guide to set up your ZyXEL Device for configuration. The ZyXEL Device should be connected to the VLAN-aware switch. In the above example, the switch is using port 1 to connect to your computer and port 2 to connect to...
Page 194: Configuring Microsoft's Ias Server Example
ID (Name:string) is between 1 and 4094. 4c If a or b are not matched, the ZyXEL Device uses the VLAN ID configured in the WIRELESS VLAN screen and the wireless station. This VLAN ID is independent and hence different to the ID in the VLAN screen.
Page 195: Configuring Remote Access Policies
For example, if the Day-And-Time Restriction policy is still present, it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence. • Right click Remote Access Policy and select New Remote Access Policy. ZyXEL NWA-3500 User’s Guide...
Page 196: Figure 116 New Remote Access Policy For Vlan Group
4 The Select Groups window displays. Select a remote access policy and click the Add button. The policy is added to the field below. Only one VLAN Group should be associated with each policy. 5 Click OK and Next in the next few screens to accept the group value. ZyXEL NWA-3500 User’s Guide...
Page 197: Figure 118 Adding Vlan Group
Extensible Authentication Protocol check box. • Select an EAP type depending on your authentication needs from the drop-down list box. • Clear the check boxes for all other authentication types listed below the drop-down list box. ZyXEL NWA-3500 User’s Guide...
Page 198: Figure 120 Authentication Tab Settings
9 Click the IP tab and select the Client may request an IP address check box for DHCP support. 10 Click the Advanced tab. The current default parameters returned to the ZyXEL Device should be Service-Type and Framed-Protocol. • Click the Add button to add an additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.
Page 199: Figure 122 Connection Attributes Screen
• Click the Add button • Select Tunnel-Medium-Type • Click the Add button. Figure 123 RADIUS Attribute Screen 12 The Enumerable Attribute Information screen displays. Select the 802 value from the Attribute value drop-down list box. • Click OK. ZyXEL NWA-3500 User’s Guide...
Page 200: Figure 124 802 Attribute Setting For Tunnel-Medium-Type
4094 or a Name for this policy. This Name should match a name in the VLAN mapping table on the ZyXEL Device. Wireless stations belonging to the VLAN Group specified in this policy will be given a VLAN ID specified in the ZyXEL Device VLAN table.
Page 201: Figure 126 Vlan Attribute Setting For Tunnel-Type
Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list. ZyXEL NWA-3500 User’s Guide...
Page 202: Second Rx Vlan Id Example
Rx VLAN ID configured, and the ZyXEL Device forwards only packets tagged with VLAN ID 2 to it. 16.2.5.1 Second Rx VLAN Setup Example The following steps show you how to setup a second Rx VLAN ID on the ZyXEL Device. 1 Log into the Web Configurator. 2 Click VLAN > Wireless VLAN.
Page 203: Figure 129 Configuring Ssid: Second Rx Vlan Id Example
6 Click Apply to save these settings. Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3, and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03. ZyXEL NWA-3500 User’s Guide...
Page 204 Chapter 16 VLAN ZyXEL NWA-3500 User’s Guide...
Page 205: Maintenance
17.2 System Status Screen Click MAINTENANCE to open the System Status screen, where you can use to monitor your ZyXEL Device. Note that these labels are READ-ONLY and are meant to be used for diagnostic purposes. Figure 130 System Status The following table describes the labels in this screen.
Page 206: System Statistics
This is the number of transmitted packets on this port. RxPkts This is the number of received packets on this port. Collisions This is the number of collisions on this port. Tx B/s This shows the transmission speed in bytes per second on this port. ZyXEL NWA-3500 User’s Guide...
Page 207: Association List
Stop Click this button to stop refreshing statistics. 17.3 Association List View the wireless stations that are currently associated with the ZyXEL Device in the Association List screen. Click MAINTENANCE > Association List to display the screen as shown next.
Page 208: Channel Usage
Chapter 17 Maintenance Table 74 Association List LABEL DESCRIPTION Association Time This field displays the time a wireless station first associated with the ZyXEL Device. Name (SSID) This field displays the SSID to which the wireless station is associated. Signal Lv.
Page 209: F/W Upload Screen
Click Refresh to reload the screen. 17.5 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, for example "NWA-3100.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
Page 210: Configuration Screen
ZyXEL Device again. Figure 135 Firmware Upload In Process The ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 136 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen.
Page 211: Backup Configuration
Backup configuration allows you to back up (save) the ZyXEL Device’s current configuration to a file on your computer. Once your ZyXEL Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
Page 212: Back To Factory Defaults
If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address (192.168.1.2). See your Quick Start Guide for details on how to set up your computer’s IP address.
Page 213: Restart Screen
Chapter 17 Maintenance Figure 142 Reset Warning Message You can also press the RESET button to reset your ZyXEL Device to its factory default settings. Refer to Section 2.2 on page 44 for more information. 17.7 Restart Screen System restart allows you to reboot the ZyXEL Device without turning the power off.
Page 214 Chapter 17 Maintenance ZyXEL NWA-3500 User’s Guide...
Page 215: Smt And Troubleshooting
SMT and Troubleshooting Introducing the SMT (217) General Setup (223) LAN Setup (225) SNMP Configuration (227) System Password (229) System Information and Diagnosis (231) Firmware and Configuration File Maintenance (237) System Maintenance and Information (243) Troubleshooting (251)
Page 217: Introducing The Smt
• No parity, 8 data bits, 1 stop bit, flow control set to none. 18.2.1 Initial Screen When you turn on your ZyXEL Device, it performs several internal tests. After the tests, the ZyXEL Device asks you to press [ENTER] to continue, as shown next. ZyXEL NWA-3500 User’s Guide...
Page 218: Entering The Password
(Compressed) Version: NWA-3500, start: 50119030 Length: 567CE8, Checksum: 1CE8 Compressed Length: 19F9EF, Checksum: C7A7 Copyright (c) 1994 - 2006 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:13:49:DF:42:A8 initialize ch =1, ethernet address: 00:13:49:DF:42:A8 initialize ch =2, ethernet address: 00:13:49:DF:42:A9...
Page 219: Connect To Your Zyxel Device Using Telnet
Please note that if there is no activity for longer than five minutes after you log in, your ZyXEL Device will automatically log you out and display a blank screen. If you see a blank screen, press [ENTER] to bring up the login screen again.
Page 220: Smt Menu Overview Example
Note that as you type a password, the screen displays an asterisk “*” for each character you type. 18.5 SMT Menu Overview Example The following table gives you an overview of your ZyXEL Device’s various SMT menus. Table 78 SMT Menus Overview MENUS...
Page 221: Figure 148 Smt Main Menu
[ENTER]. exit the SMT interface. After you enter the password, the SMT displays the main menu, as shown next. Figure 148 SMT Main Menu Copyright (c) 1994 - 2006 ZyXEL Communications Corp. NWA-3500 Main Menu Getting Started Advanced Management 1.
Page 222: System Management Terminal Interface Summary
Use this menu to set up SNMP related parameters. System Password Use this menu to change your password. System Maintenance This menu provides system status, diagnostics, software upload, etc. Exit Use this to exit the SMT. ZyXEL NWA-3500 User’s Guide...
Page 223: General Setup
The Domain Name entry is what is propagated to the DHCP clients on the LAN. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the ZyXEL Device via DHCP. 19.1.1 Procedure To Configure Menu 1 Enter “1”...
Page 224 User-Defined in the field above. ENTER When you have completed this menu, press [ ] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ ] at any time to cancel. ZyXEL NWA-3500 User’s Guide...
Page 225: Lan Setup
H A P T E R LAN Setup This chapter shows you how to configure the LAN on your ZyXEL Device. 20.1 LAN Setup This section describes how to configure the Ethernet using Menu 3 – LAN Setup. From the main menu, enter “3”...
Page 226: Table 82 Menu 3.2 Tcp/Ip Setup
ZyXEL Device (by the DHCP server) to access the ZyXEL Device again. Select Static to give the ZyXEL Device a fixed, unique IP address. Enter a subnet mask appropriate to your network and the gateway IP address if applicable.
Page 227: Snmp Configuration
Trusted Host If you enter a trusted host, your ZyXEL Device will only respond to SNMP messages from this address. A blank (default) field means your ZyXEL Device will respond to all SNMP messages it receives, regardless of source.
Page 228 Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. ZyXEL NWA-3500 User’s Guide...
Page 229: System Password
H A P T E R System Password This chapter describes how to configure the ZyXEL Device’s system password. 22.1 System Password You can configure the system password in this menu. Figure 153 Menu 23 System Security Menu 23 - System Security 1.
Page 230 Chapter 22 System Password ZyXEL NWA-3500 User’s Guide...
Page 231: System Information And Diagnosis
The first selection, System Status gives you information on the status and statistics of the ports, as shown next. System Status is a tool that can be used to monitor your ZyXEL Device. Specifically, it gives you information on your Ethernet and Wireless LAN status, and the number of packets sent and received.
Page 232: Figure 155 Menu 24.1 System Maintenance: Status
This shows the DHCP setting (None or Client) for the port. System Up Time This is the time the ZyXEL Device is up and running from the last reboot. ZyNOS F/W Version Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation.
Page 233: System Information
1. System Information 2. Console Port Speed Please enter selection: The ZyXEL Device also has an internal console port for support personnel only. Do not open the ZyXEL Device as it will void your warranty. 23.2.1 System Information Enter “1” in menu 24.2 to display the screen shown next.
Page 234: Console Port Speed
Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: After you changed your ZyXEL Device’s console port speed, you must also make the same change to the console port speed parameter of your communication software. 23.3 Log and Trace Your ZyXEL Device provides error logs and trace records that are stored locally.
Page 235: Diagnostic
3 Enter 1 from Menu 24.3 – System Maintenance – Log and Trace and press [ENTER] twice to display the error log in the system. After the ZyXEL Device finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
Page 236: Table 86 Menu 24.4 System Maintenance Menu: Diagnostic
Chapter 23 System Information and Diagnosis The following table describes the diagnostic tests available in menu 24.4 for your ZyXEL Device and the connections. Table 86 Menu 24.4 System Maintenance Menu: Diagnostic FIELD DESCRIPTION Ping Host Ping the host to see if the links and TCP/IP protocol on both systems are working.
Page 237: Firmware And Configuration File Maintenance
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password and TCP/IP Setup, etc. It arrives from ZyXEL with a rom filename extension. Once you have customized the ZyXEL Device's settings, they can be saved back to your computer under a filename of your choosing.
Page 238: Backup Configuration
The following table is a summary. Please note that the internal filename refers to the filename on the ZyXEL Device and the external filename refers to the filename not on the ZyXEL Device, that is, on your computer, local network or FTP site and so the name (but not the extension) will vary.
Page 239: Backup Configuration Using Tftp
To use TFTP, your computer must have both telnet and TFTP clients. To backup the configuration file, follow the procedure shown next: 1 Use telnet from your computer to connect to the ZyXEL Device and log in. Because TFTP does not have any security checks, the ZyXEL Device records the IP address of the telnet client and accepts TFTP requests only from this address.
Page 240: Example: Tftp Command
“i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyXEL Device IP address, “get” transfers the file source on the ZyXEL Device (rom-0 name of the configuration file on the ZyXEL Device) to the file destination on the computer and renames it config.rom.
Page 241: Tftp File Upload
4 Enter “root” and your SMT password as requested. The default is 1234. 5 Enter “bin” to set transfer mode to binary. 6 Use “put” to transfer files from the computer to the ZyXEL Device for example “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the ZyXEL Device and renames it “ras”.
Page 242: Example: Tftp Command
TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use “get” to transfer from the ZyXEL Device to the computer, “put” the other way around, and “binary” to set binary transfer mode.
Page 243: System Maintenance And Information
Enter the CI from the SMT by selecting menu 24.8. See the included disk or the zyxel.com web site for more detailed information on CI commands. Enter 8 from Menu 24 – System Maintenance. A list of valid commands can be found by typing help or ? at the command prompt.
Page 244: Command Syntax
Chapter 25 System Maintenance and Information Figure 165 Valid CI Commands Copyright (c) 1994 - 2005 ZyXEL Communications Corp. NWA-3500> ? Valid commands are: exit device ether config wlan bridge hdap certificates radius 8021x wcfg rogueAP NWA-3500> 25.1.1 Command Syntax •...
Page 245: Time And Date Setting
25.2 Time and Date Setting The ZyXEL Device keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyXEL Device.
Page 246: Resetting The Time
The ZyXEL Device resets the time in three instances: 1 On leaving menu 24.10 after making changes. 2 When the ZyXEL Device starts up, if there is a timeserver configured in menu 24.10. 3 24-hour intervals after starting. 25.3 Remote Management Setup 25.3.1 Telnet...
Page 247: Ftp
Chapter 25 System Maintenance and Information Figure 167 Telnet Configuration on a TCP/IP Network 25.3.2 FTP You can upload and download ZyXEL Device firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 25.3.3 Web You can use the ZyXEL Device’s embedded web configurator for configuration and file...
Page 248: Figure 168 Menu 24.11 Remote Management Control
LAN only, WAN only, All or Disable. The default is LAN only. Secured Client IP The default 0.0.0.0 allows any client to use this service to remotely manage the ZyXEL Device. Enter an IP address to restrict access to a client with a matching IP address. Certificate This field displays the name used to identify this certificate.
Page 249: Remote Management Limitations
There is a system timeout of five minutes (300 seconds) for Telnet/web/FTP connections. Your ZyXEL Device will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
Page 250 Chapter 25 System Maintenance and Information ZyXEL NWA-3500 User’s Guide...
Page 251: Troubleshooting
1 Make sure you are using the power adaptor or cord included with the ZyXEL Device. 2 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure the power source is turned on.
Page 252 Section 26.1 on page 251. 4 Make sure your computer is in the same subnet as the ZyXEL Device. (If you know that there are routers between your computer and the ZyXEL Device, skip this step.) • If there is no DHCP server on your network, make sure your computer’s IP address is in the same subnet as the ZyXEL Device.
Page 253 2 You cannot log in to the web configurator while someone is using the SMT or Telnet to access the ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person who is logged in to log out.
Page 254: Internet Access
Internet, especially peer-to-peer applications. 2 Check the signal strength. If the signal is weak, try moving the ZyXEL Device closer to the AP (if possible), and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on).
Page 255: Appendices And Index
Appendices and Index Product Specifications (257) Power over Ethernet (PoE) Specifications (259) Power Adaptor Specifications (261) Setting up Your Computer’s IP Address (263) Wireless LANs (275) Pop-up Windows, JavaScripts and Java Permissions (289) IP Addresses and Subnetting (295) Text File Based Auto Configuration (303) Legal Information (311) Customer Support (315) Index (319)
Page 257: Appendix A Product Specifications
SMA antenna connectors, equipped by default with 2dBi omni antenna, 60° When facing the front of the ZyXEL Device, the antenna on the right is used by wireless LAN adaptor WLAN1, and the antenna on the left is used by wireless LAN adaptor WLAN2.
Page 258 Appendix A Product Specifications Table 94 Firmware Specifications Multiple BSSID (MBSSID) MBSSID mode allows the ZyXEL Device to operate up to 8 different wireless networks (BSSs) simultaneously, each with independently- configurable wireless and security settings. Rogue AP detection Rogue AP detection detects and logs unknown access points (APs) operating in the area.
Page 259: Appendix B Power Over Ethernet (Poe) Specifications
Table 96 Power over Ethernet Injector RJ-45 Port Pin Assignments RJ-45 SIGNAL PIN NO ASSIGNMENT Output Transmit Data + Output Transmit Data - 1 2 3 4 5 6 7 8 Receive Data + Power + Power + Receive Data - Power - Power - ZyXEL NWA-3500 User’s Guide...
Page 260 Appendix B Power over Ethernet (PoE) Specifications ZyXEL NWA-3500 User’s Guide...
Page 261: Appendix C Power Adaptor Specifications
AC Power Adaptor Model ADS6818-1812-A 1215 Input Power 100~240 Volts AC, 50~60 Hz, 0.5 A Output Power 12 Volts DC, 1.5 A, 18 W Power Consumption 6 W Max Safety Standards DOFT (AS/NZS 60950, AS/NZSB 3112:1-2) ZyXEL NWA-3500 User’s Guide...
Page 262 Appendix C Power Adaptor Specifications ZyXEL NWA-3500 User’s Guide...
Page 263: Appendix D Setting Up Your Computer's Ip Address
After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device’s LAN port. Windows 95/98/Me...
Page 264: Figure 169 Windows 95/98/Me: Network: Configuration
2 Select Client and then click Add. 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. ZyXEL NWA-3500 User’s Guide...
Page 265: Figure 170 Windows 95/98/Me: Tcp/Ip Properties: Ip Address
• If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in). ZyXEL NWA-3500 User’s Guide...
Page 266: Figure 171 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration
5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your ZyXEL Device and restart your computer when prompted. Verifying Settings 1 Click Start and then Run.
Page 267: Figure 172 Windows Xp: Start Menu
Figure 172 Windows XP: Start Menu 2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 173 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. ZyXEL NWA-3500 User’s Guide...
Page 268: Figure 174 Windows Xp: Control Panel: Network Connections: Properties
• If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced. ZyXEL NWA-3500 User’s Guide...
Page 269: Figure 176 Windows Xp: Advanced Tcp/Ip Settings
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. ZyXEL NWA-3500 User’s Guide...
Page 270: Figure 177 Windows Xp: Internet Protocol (Tcp/Ip) Properties
8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click OK to close the Local Area Connection Properties window. 10 Turn on your ZyXEL Device and restart your computer (if prompted). Verifying Settings 1 Click Start, All Programs, Accessories and then Command Prompt.
Page 271: Figure 178 Macintosh Os 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list. Figure 179 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: • From the Configure box, select Manually. ZyXEL NWA-3500 User’s Guide...
Page 272: Figure 180 Macintosh Os X: Apple Menu
• Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Close the TCP/IP Control Panel.
Page 273: Figure 181 Macintosh Os X: Network
• Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Click Apply Now and close the window.
Page 274 Appendix D Setting up Your Computer’s IP Address ZyXEL NWA-3500 User’s Guide...
Page 275: Appendix E Wireless Lans
A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. ZyXEL NWA-3500 User’s Guide...
Page 276: Figure 183 Basic Service Set
An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. ZyXEL NWA-3500 User’s Guide...
Page 277: Figure 184 Infrastructure Wlan
(AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. ZyXEL NWA-3500 User’s Guide...
Page 278: Figure 185 Rts/Cts
AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. ZyXEL NWA-3500 User’s Guide...
Page 279: Table 101 Ieee 802.11G
5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. ZyXEL NWA-3500 User’s Guide...
Page 280: Table 102 Wireless Security Levels
Appendix E Wireless LANs Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.
Page 281: Types Of Radius Messages
EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. . ZyXEL NWA-3500 User’s Guide...
Page 282 However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. ZyXEL NWA-3500 User’s Guide...
Page 283: Table 103 Comparison Of Eap Authentication Types
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. ZyXEL NWA-3500 User’s Guide...
Page 284 AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. ZyXEL NWA-3500 User’s Guide...
Page 285: Figure 186 Wpa(2) With Radius Application Example
2 The AP checks each wireless client's password and (only) allows it to join the network if the password matches. 3 The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key). ZyXEL NWA-3500 User’s Guide...
Page 286: Figure 187 Wpa(2)-Psk Authentication
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. ZyXEL NWA-3500 User’s Guide...
Page 287: Antenna Characteristics
In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. ZyXEL NWA-3500 User’s Guide...
Page 288 For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. ZyXEL NWA-3500 User’s Guide...
Page 289: Appendix F Pop-Up Windows, Javascripts And Java Permissions
1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 188 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy. ZyXEL NWA-3500 User’s Guide...
Page 290: Figure 189 Internet Options: Privacy
Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings…to open the Pop-up Blocker Settings screen. ZyXEL NWA-3500 User’s Guide...
Page 291: Figure 190 Internet Options: Privacy
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 191 Pop-up Blocker Settings ZyXEL NWA-3500 User’s Guide...
Page 292: Figure 192 Internet Options: Security
3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window. ZyXEL NWA-3500 User’s Guide...
Page 293: Figure 193 Security Settings - Java Scripting
2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window. Figure 194 Security Settings - Java ZyXEL NWA-3500 User’s Guide...
Page 294: Figure 195 Java (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 195 Java (Sun) ZyXEL NWA-3500 User’s Guide...
Page 295: Appendix G Ip Addresses And Subnetting
Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. ZyXEL NWA-3500 User’s Guide...
Page 296: Figure 196 Network Number And Host Id
Subnet masks can be referred to by the size of the network number part (the bits with a “1” value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes. ZyXEL NWA-3500 User’s Guide...
Page 297: Table 106 Subnet Masks
For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations. Table 108 Alternative Subnet Mask Notation ALTERNATIVE LAST OCTET LAST OCTET SUBNET MASK NOTATION (BINARY) (DECIMAL) 255.255.255.0 0000 0000 255.255.255.128 1000 0000 ZyXEL NWA-3500 User’s Guide...
Page 298: Figure 197 Subnetting Example: Before Subnetting
The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub- networks, A and B. ZyXEL NWA-3500 User’s Guide...
Page 299: Figure 198 Subnetting Example: After Subnetting
LAST OCTET BIT IP/SUBNET MASK NETWORK NUMBER VALUE IP Address (Decimal) 192.168.1. IP Address (Binary) 11000000.10101000.00000001. 00000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: Lowest Host ID: 192.168.1.1 192.168.1.0 Broadcast Address: Highest Host ID: 192.168.1.62 192.168.1.63 ZyXEL NWA-3500 User’s Guide...
Page 300: Table 110 Subnet 2
Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 113 Eight Subnets SUBNET LAST BROADCAST SUBNET FIRST ADDRESS ADDRESS ADDRESS ADDRESS ZyXEL NWA-3500 User’s Guide...
Page 301: Table 114 24-Bit Network Number Subnet Planning
255.255.128.0 (/17) 32766 255.255.192.0 (/18) 16382 255.255.224.0 (/19) 8190 255.255.240.0 (/20) 4094 255.255.248.0 (/21) 2046 255.255.252.0 (/22) 1022 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 1024 255.255.255.224 (/27) 2048 255.255.255.240 (/28) 4096 255.255.255.248 (/29) 8192 ZyXEL NWA-3500 User’s Guide...
Page 302: Private Ip Addresses
You must also enable Network Address Translation (NAT) on the ZyXEL Device. Once you have decided on the network number, pick an IP address for your ZyXEL Device that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.
Page 303: Appendix H Text File Based Auto Configuration
You can have a different configuration file for each AP. You can also have multiple APs use the same configuration file. ZyXEL NWA-3500 User’s Guide...
Page 304: Table 116 Auto Configuration By Dhcp
Use the following procedure to have the AP download the configuration file. Table 118 Configuration via SNMP STEPS MIB VARIABLE VALUE Step 1 pwTftpServer Set the IP address of the TFTP server. Step 2 pwTftpFileName Set the file name, for example, g3000hcfg.txt. ZyXEL NWA-3500 User’s Guide...
Page 305: Figure 200 Configuration File Format
You can only use the commands in the configuration file. The AP ignores wlan wcfg other ZyNOS commands but continues to check the next command. The AP ignores any improperly formatted commands and continues to check the next line. ZyXEL NWA-3500 User’s Guide...
Page 306: Figure 201 Wep Configuration File Example
1 wep key4 defgh wcfg security 1 wep keyindex 1 wcfg security save wcfg ssid 1 name ssid-wep wcfg ssid 1 security Test-wep wcfg ssid 1 l2iolation disable wcfg ssid 1 macfilter disable wcfg ssid save ZyXEL NWA-3500 User’s Guide...
Page 307: Figure 202 802.1X Configuration File Example
3 groupkeytime 1800 wcfg security save wcfg ssid 3 name ssid-wpapsk wcfg ssid 3 security Test-wpapsk wcfg ssid 3 qos 4 wcfg ssid 3 l2siolation disable wcfg ssid 3 macfilter disable wcfg ssid save ZyXEL NWA-3500 User’s Guide...
Page 308: Figure 204 Wpa Configuration File Example
Remember that the commands are applied in order. So for example, you would place the commands that create security and SSID profiles before the commands that tell the AP to use those profiles. ZyXEL NWA-3500 User’s Guide...
Page 309: Figure 205 Wlan Configuration File Example
0 wlan ssidprofile ssid-wep !change operating mode -> MBSSID mode, !then select ssid-wpapsk, ssid-wpa2psk as running WLAN profiles wlan opmode 3 wlan ssidprofile ssid-wpapsk ssid-wpa2psk ! set output power level to 50% wlan output power 2 ZyXEL NWA-3500 User’s Guide...
Page 310 Appendix H Text File Based Auto Configuration ZyXEL NWA-3500 User’s Guide...
Page 311: Appendix I Legal Information
Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
Page 312 This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada. ZyXEL NWA-3500 User’s Guide...
Page 313: Zyxel Limited Warranty
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Page 314 Appendix I Legal Information ZyXEL NWA-3500 User’s Guide...
Page 315: Appendix J Customer Support
• Telephone: +506-2017878 • Fax: +506-2015098 • Web Site: www.zyxel.co.cr • FTP Site: ftp.zyxel.co.cr • Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 •...
Page 316 • E-mail: info@zyxel.fr • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web Site: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France Germany • Support E-mail: support@zyxel.de • Sales E-mail: sales@zyxel.de • Telephone: +49-2405-6909-69 •...
Page 317 • Sales E-mail: sales@zyxel.com • Telephone: +1-800-255-4101, +1-714-632-0882 • Fax: +1-714-632-0858 • Web Site: www.us.zyxel.com • FTP Site: ftp.us.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
Page 318 Appendix J Customer Support • Web Site: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 • Fax: +46-31-744-7701 • Web Site: www.zyxel.se • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden Ukraine •...
Page 319: Index
DHCP Basic Service Set see BSS diagnostic bridge 34, 35 diagnostic tools Bridge Protocol Data Units (BPDUs) Differentiated Services Bridge/Repeater 33, 34 DiffServ 36, 87, 275 DiffServ Code Point (DSCP) BSSID DiffServ Code Points ZyXEL NWA-3500 User’s Guide...
Page 320 AP list layer-2 isolation 33, 37 38, 147, 149, 249 LEDs restrictions 147, 249 link type log and trace log descriptions login screen logs general setup 81, 223 guest SSID ZyXEL NWA-3500 User’s Guide...
Page 321 RF interference roaming packets requirements Pairwise Master Key (PMK) 284, 285 rogue AP 33, 141, 142, 143, 144, 145 password 82, 218, 219, 227, 257 rogue AP list path cost root bridge Per-Hop Behavior ZyXEL NWA-3500 User’s Guide...
Page 322 VLAN diagnostic VoIP 33, 37, 125 log and trace VoIP SSID system information VT100 system status time and date system information system information & diagnosis system maintenance 231, 233, 239, 241, 243, 245 system name ZyXEL NWA-3500 User’s Guide...
Page 323 RADIUS application example WPA with RADIUS application WPA2 33, 283 user authentication vs WPA2-PSK wireless client supplicant with RADIUS application example WPA2-Pre-Shared Key WPA2-PSK 283, 284 application example WPA-PSK 283, 284 application example ZyNOS ZyNOS F/W version ZyXEL NWA-3500 User’s Guide...
Page 324 Index ZyXEL NWA-3500 User’s Guide...

ZyXEL Communications NWA-3500 User Manual

Chapter 1 Introducing the Zyxel Device

Chapter 2 Introducing the Web Configurator

Chapter 3 Status Screens

Chapter 4 Tutorial

Chapter 5 System Screens

Chapter 6 Wireless Configuration

Chapter 7 Wireless Security Configuration

Chapter 8 MBSSID and SSID

Chapter 9 Other Wireless Configuration

Chapter 10 IP Screen

Chapter 11 Rogue AP

Chapter 12 Remote Management Screens

Quick Links

Troubleshooting

Related Manuals for ZyXEL Communications NWA-3500

Summary of Contents for ZyXEL Communications NWA-3500